The Office of Information and Data Protection Commissioner participated for the first time this year in the operation Sweep Privacy GPEN. In this project, checks were carried out on devices/applications used in IoT networks. It was implemented during April 2016, simultaneously by 25 privacy law enforcement agencies worldwide, and was guided by the Information Commissioner’s Office.
The Commissioner’s Office examined 3 smartphone applications of Albanian controllers and an IoT fitness tracker device of an outside controller. The results were compiled from a form with 34 questions divided into 5 indicators, which assess privacy policies. One of the applications (Albanian controller) has serious deficiencies in these 4 indicators:
- Explanations on collection/processing and data disclosure;
- Storage and safeguards;
- Contacts in case of infringements of privacy;
- How the data is destroyed.
Meanwhile, three other applications provide more information in their privacy policies, but other elements should be improved in order to give consumers a guarantee of fair processing of personal data.
Information obtained from the checks on 314 devices/applications worldwide is provided in the final report, whose key data are the following:
- 59% do not provide information on the use of data;
- 68% do not provide information on data safeguarding;
- 72% do not give information on deletion of data;
- 38% do not provide contacts to communicate infringements of privacy;
- 43% of companies do not provide a timely, appropriate and clear response.
Medical devices that report unencrypted data via mail are also a concern. Data Protection Authorities shall consider the possibility of imposing sanctions on any service or device whose processing is not in line with data protection principles.
The Commissioner’s Office, as part of GPEN, shall join other initiatives in the future on the surveillance of controllers for the fulfillment of obligations stipulated in the data protection law. Furthermore, awareness-raising remains important in order to inform citizens about the processing of their data.