If more Barbadians considered the number of institutions and businesses who are in possession of detailed personal and sensitive information about us, they would take the matter of cyber-attacks more seriously.
This week, we learned from officials of the Queen Elizabeth Hospital (QEH), our primary health care institution, that it had been attacked by hackers, who succeeded in crippling some aspects of the hospital’s operations.
If that was not bad enough, we later learned that the attack had also impacted operations of the Harrison Point Isolation Facility, which was established to care for the sickest patients during the COVID-19 pandemic.
The attacks have not been limited to the public sector.
In order to access the simplest of services in this country, one must produce identification which is often copied and retained by the provider.
A range of financial institutions, from insurance companies to credit unions and commercial banks, mandate that they be provided with two copies of current national identification which are likely to include your passport and national identification card.
Of course, this has been spurred by globally led efforts to comply with anti-money laundering and countering the financing of terrorism (AML/CFT) requirements.
In fact, people making cash purchases of large appliances from some stores are being asked to show proof of identification, in the event that future checks are required about the source of the funds.
This also extends to the purchase of vehicles, land, and the like.
In an effort to comply with the AML/CFT requirements, very detailed personal information is being stored in any number of institutions across the island.
Recently, a customer of a local store complained that she began receiving emails soliciting sales from a related company with which she had never done business.
To her dismay, she discovered the store she purchased the item from was sharing her name, address and email with the other company.
In places like the United Kingdom, such actions are outlawed as personal customer information cannot be shared without permission and companies face stiff fines for not protecting that personal data.
Earlier this year, many Barbadians were stunned to learn that their names, addresses, ages, and national identification numbers were available for anyone around the world to access through the publication online of Barbados’ entire voter information.
We have learned that political actors can pay $50, and they can purchase the entire voters’ list and voters’ personal data.
We place much trust in our political parties and their acolytes to keep that information safe and not use it for nefarious purposes.
But in an age of digital warfare, can individuals afford to have their data “knocking around” in filing cabinets and computers in almost every business place on the island?
For those who believe that we are being paranoid, stop and think about the copies of information you are required to furnish your employer. This is likely to include, not only information on the employee, but on their children and spouses, particularly if that employer offers pension and health insurance benefits.
In fact, your employers are very likely to have in their database, information on your health status and any major illness you may have suffered.
In this connection, we fully appreciate just how damaging a hack on the computer systems of the QEH can be. Apart from impacting the immediate needs of the thousands of people requiring the hospital’s services, a leak of possibly embarrassing health information is a breeding ground for ransom seekers.
The Data Protection Act, and the appointment of Data Protection Commissioner Lisa Greaves, some may argue, should provide us with some peace of mind that there is a watchdog agency in place.
But as many of us know, the presence of an institution may not translate to actionable outcomes. According to the Act, companies are required to appoint a Data Protection Officer where the company’s core functions involve the collection of a great degree of personal and sensitive data.
Importantly, the Act requires that entities need a record of what data they have in their possession, for what it is used, an audit of the data, an assessment of how the entity is acquiring the information, who has access to it and how it is being shared or manipulated.
The question that must be answered is whether adherence to the Data Protection Act in Barbados is being observed more in the breach.