We believe it’s important to teach children about online safety. Topics like data protection and safe browsing can seem complicated at first glance. To help our members stay safe online, we’ve created this simple guide that you may like to share with your family.
Imagine your parents bought you a shiny new bike and your friend Henry wanted to borrow it. We can agree that Henry should:
- Ask for your permission before using your bike;
- Keep your bike safe and reassure you if you have questions about its safety;
- Let you know and wait for your approval before allowing someone else to use your bike;
- Respect your choices about what he can do with your bike;
- Tell you if something goes wrong with your bike and be held accountable for it.
Sounds straightforward enough, right? Well online data rights are just as simple. Let us walk you through it:
1/ Henry should always ask for your permission before using your bike (just as a company should always ask for your permission before using your data).
Henry cannot just take your bike and ride away with it, because the bike is yours and you get to decide what can be done with it. Well it’s the same with online data.
But what if Henry got permission from your mum? Now he is not doing anything wrong, because your mum has given permission on your behalf. So if your mum tells a company they can use your data, the company is now allowed to do so.
Now imagine a police officer needs to borrow your bike to chase someone. Can he do so without asking for your consent? Yes, because he has legal authority. Similarly, sometimes a court of law might need to see your data for legal reasons, and they can legally do so without seeking your consent first.
To sum up: just as someone should always ask for your permission before using your bike – a company should always seek your consent before using your data.
2/ Henry should keep your bike safe and reassure you if you have questions about its safety (just as a company should always keep your data safe, share its privacy policy with you and reassure you if you have questions).
If you lend your bike to Henry, you expect him to take care of it. You also expect him to be honest with you, by telling you whether he will keep the bike in a secure garage or chained to a pole outside.
In the same way, a company must meet security requirements when storing your data, and their privacy policy must outline the protection in place.
Legally, a company must share their privacy policy with you, and it’s important to read it through and check there are appropriate safeguards in place.
3/ Henry should let you know and wait for your approval before allowing someone else to use your bike (just as a company should let you know and wait for your approval before sharing your data with other companies).
Let’s just say you allow Henry to ride your bike, but now Henry wants to lend it to his friend Rachel. This is only possible if he asks your permission first.
Before you agree, you would want some reassurance that Rachel will take care of the bike in the same way Henry promised he would.
Similarly, a company cannot transfer your data to another company unless they ask for your permission first. They must also make sure the company has the same level of online data safeguards in place – or better!
4/ Henry should respect your choices about what he can do with your bike. If he doesn’t, you have legal rights (just as a company should respect your choices about what can be done with your data).
Now, you have allowed Henry to ride your bike around the neighbourhood and no further. This is your choice and Henry must respect it.
But what if he doesn’t? Luckily, you have legal rights. You also have rights if a company misuses your data. Look at it this way: your bike and your data will always belong to you. If Henry borrows it, he must look after it.
So what rights do you have?
Rights to access
You have the right to know what is being done with your bike: is someone else using it? Where is it stored? Has Henry borrowed something else that you may have not noticed, like your lock?
Same goes for your data: you have the right to know what data a company has borrowed, where it is being stored and if it is being shared with someone else. Just as you can ask Henry these questions at any time, you can ask a company too.
Right to rectification
You also have the right to ask Henry to stop using the bike the way you previously have allowed him to.
For example you could tell him to stop riding it around the neighbourhood and only up and down the street. You can always ask a company to stop using your data the way you first allowed them to, and instruct them on the way you want them to use it.
Right to object
You can always ask a company to stop using your data the way you first allowed them to, and instruct them on how you want them to use it now. Maybe Henry misunderstood what he was allowed to do with the bike in the first place, and you want to re-instruct him. In the same way, you can also object to a company’s use of your data.
Right to erasure
You can also ask Henry to stop using your bike just because you changed your mind, or because there is no good reason left for him to use it.
To be more clear: imagine that Henry borrowed your bike to go home. There is no reason for him to keep it after that, right? Similarly with your data: if the data is no longer needed for the purpose for which a company collected it, then the company must stop using it. You can ask a company to stop using your data at any time.
Right to data portability
Next, you can always ask Henry to give your bike back in the same condition you gave it to him originally. He must do so ASAP, and not 10 years later. Same goes with your data: if you ask a company for your data they must provide you with it as soon as they can.
Right to automated decision making
Imagine you lend your bike to Henry, and when you try to find out what he is doing with it, you keep reaching his answering machine saying “Henry is unavailable to answer your call but he wanted to let you know that he took your bike to the mountains”. That’s not nice, is it?
When you lend something and something is not being done correctly, you must be able to discuss the issue with a real person, and you are entitled to an explanation. It’s not right if a machine makes all the decisions without giving you any say in the decision making, right?
Similarly, with your data: if a company uses machines to make decisions about your data, they must make sure that you can talk to a human about it and be given an opportunity to challenge the decision.
5/ Henry should tell you if something goes wrong with your bike and be held accountable (just as a company should tell you if something goes wrong with your data and be held accountable).
Last but not least, when you lend your bike to Henry you expect him to tell you if something goes wrong with it. If Henry loses your bike for a few minutes and then finds it again and nothing bad happens to it because of this, then he might not need to tell you. But he must tell you about any serious loss or damage.
For example if somebody stole your bike, you would want Henry to not only notify you and the police right away, but to also you’d want him to act responsibly and be held accountable for the theft. Seems fair, no? Well it’s the same for your online data! If something happens to your data, the company that allowed the misuse to happen should notify you about it and be held accountable for any damage.