Grave concern over leaked data

Barbados Today, 06/01/2022

Disclaimer: The views and opinions expressed by the author(s) do not represent the official position of Barbados TODAY.

By Dwight Robinson

On December 29th, 2021, a preliminary list of all eligible voters in Barbados was posted on the Barbados Government Information Service (GIS) website. The list included the surname, first and middle names, national registration number (NRN), gender, date of birth, residential status, constituency, polling station and address of over 264,000 individuals. The 5,520-page Adobe PDF document could be downloaded by anyone with access to the internet, not just Barbadian citizens and residents.

The list was made public ahead of the general elections on January 19th, 2022. Section 18(1) of the Representation of the People Act of 1991 allows for 16 days within which changes to the preliminary list of eligible voters may be made before an election. Changes to the preliminary list may be made up to 21 days after an election date is declared, after which a final register for elections will be created. The Act further states that the name, address, occupation and electoral number of every eligible person must be included. These details were updated by the 2015 amendment's revision of Section 13 of the Act, which requires the current list of personal details included in the voters list ahead of the 2022 general election.
Section 3 of the 2019 amendment to the Act allows the Electoral and Boundaries Commission to publish the register “in a format which the public can read and search electronically.” The 2020 amendment to the Act updates Section 71 of the Act with stiffer penalties if a “member of the public alters, changes, or modifies any list, register or document which is published or transmitted by means of electronic technology for use by the public is guilty of an offence and is liable on summary conviction to a fine of $10,000, or to imprisonment for six months or to both.” No restrictions were added for any unintended or otherwise unauthorised use of the information.

The Data Privacy Act of 2019 defines the information published in the voters list as personal information, the disclosure of which may have a significant negative impact on the lives of citizens and residents of Barbados. The availability of the full names, date of birth, national registration number and address of all eligible voters in Barbados on the internet exposes them to significant risks of financial fraud, stolen identity, stalking, home invasion and assault.

The preliminary list of voters was quickly removed after being online for a few days; however, the downloadable PDF file was quickly shared multiple times locally via social media and instant messaging platforms and was uploaded to online platforms such as Reddit. It should be assumed that this information is in the hands of criminals and may be used to launch general or targeted attacks against individuals.

Despite the requirements stipulated by the regulations, it is hoped the government will seek to minimise the information included in the publicly available voters list so that it does not include the national registration number and date of birth.

Since the initial disclosure of the preliminary voters list, the Electoral and Boundaries website has been updated to allow persons to search for names via a chatbot.
It should be noted, though, that the details of all persons deleted from the voter registrar list are still available for download, including their full name, national registration number, address and constituency.

During a press conference held by the Electoral and Boundaries Commission on January 1st, 2022, a reporter asked about the concerns associated with the disclosure of the personal information included in the preliminary voters list online. In their response, the Commission said that limiting the list to the public library, electoral office and other public areas was decided to be no longer practical, that the list was made available electronically, and that, by legal statute, it was also published in January 2021. Mr Leslie Haynes QC, Chairman of the Electoral and Boundaries Commission, indicated during the conference that personal information such as names and national registration numbers are “not really anything that is private,” because they have always been published in the past.

It is recommended that citizens and residents of Barbados stay vigilant for any financial fraud or personal attacks which may result from the disclosure of their personal information to both locals and persons internationally. The general concern with this disclosure is the creation of fake IDs which may be used to open lines of credit, change legal titles, withdraw funds from financial organisations, obtain new passports at foreign consulates or otherwise solicit business services illegally.

It is advised that persons monitor their mail and telephone for any correspondence from financial organisations regarding any bills, debt collection calls and loan applications. Similarly, financial organisations are advised to ensure that adequate KYC (“Know Your Customer” or “Know Your Client”) procedures are followed to properly validate customers as part of the onboarding process or while performing transactions of significant value or repercussions.
Additionally, persons are asked to secure any other personal information such as passport, banking and credit card information, and login account details. Review your bank account and credit card statements and compare receipts with account statements. Promptly report any unauthorised transactions. Shred receipts, credit card offer letters, account statements, and expired credit cards to prevent any accompanying personal information from being stolen.

If you believe you have been the victim of identity or financial fraud, report it to the police and relevant authorities immediately. Similarly, if you feel you are in physical danger due to stalking or persons monitoring your home or personal whereabouts, report it to the police immediately.

The disclosure of the full voters list with the current level of detail is not in line with established data privacy best practices. Either the requirements as stipulated by the amended Representation of the People Act need to be revised to exclude details such as the national registration number and date of birth from the list, or the methods used by the Electoral and Boundaries Commission for the review of the list should be adjusted to limit the information available both in print and on the internet.

The risks posed by the recent disclosure of this information may be looming and immeasurable for quite some time. However, both the public and private sectors need to learn from this incident, acknowledge the importance of protecting the personal data they are entrusted with and recognise that Barbadians will hold them accountable if they fail to do so.

Dwight Robinson is president of the Information Systems Security Association (ISSA) Barbados Chapter.