The 2015 hack on the Ashley Madison site, has become notorious. In fact, the privacy watch dogs in Canada and Australia are investigating the dating site’s security system.
From a report issued in August 2015, it has transpired that Avid Life Media (owner of Ashley Madison) has violated laws both in Canada and Australia due to the lack of adherence to data protection laws and regulations.
The failings found include system passwords being held in plain text on easy-to-access internal servers and in emails and text files that were regularly passed around within the company.
Companies handling sensitive data are obliged to abide by data protection rules and regulations.
In terms of Maltese law, sensitive personal data means personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life.
As a general rule, sensitive personal data shall not be processed, unless the data subject:
(i) has given his explicit consent to processing; or
(ii) has made the data public.
Furthermore, sensitive personal data may be processed in the following circumstances:
a) Necessary processing- where appropriate safeguards are adopted and the processing is necessary in relation to:
(i) the compliance by the controller with his duties or the exercise of his rights under any law regulating the conditions of employment;
(ii) the protection of the vital interests of the data subject or of some other person where the data subject is physically or legally incapable of giving his consent;
(iii) legal claims will be able to be established, exercised or defended.
b) Processing by foundations etc. – In the execution of the legitimate activities of any body of persons or other entity not being a commercial body or entity with philosophical, religious or trade union objects, in relation to sensitive personal data concerning the members of the respective body or entity. Appropriate guarantees may have to be provided in such circumstances.
c) Processing concerning health or medical purposes- Where the data is processed by a health professional (regulated by the Medical and Kindred Professions Ordinance) or other person subject to the obligation of professional secrecy and is necessary for health and hospital care purposes for:
(i) Preventive medicine and the protection of public health;
(ii) Medical diagnosis; health care or treatment; or
(iii) Management of health and hospital care services.
d) Processing concerning research and statistics- Where the data is processed for research and statistics purposes and is necessary for the public interest. Satisfaction of these requirements may be obtained in advance of the research or statistical exercise by obtaining the Commissioner’s approval.
The Maltese Data Protection Act provides that the following security measures need to be undertaken:
The controller shall implement appropriate technical and organisational measures to protect the personal data that is processed against accidental destruction or loss or unlawful forms of processing thereby providing an adequate level of security that gives regard to the:
(a) technical possibilities available;
(b) cost of implementing the security measures;
(c) special risks that exist in the processing of personal data;
(d) sensitivity of the personal data being processed.
It is always suggested that best practice is adhered to, together with observance to the local laws and regulations. It is also suggested the company handling a large amounts of data, to have policies and procedure internally in place to be able to guide the employees accordingly.