The personal blog of Ralph Broenink
Seven weeks ago, I started my privacy research. I sent a letter to 33 organizations asking what they know about me. Legally, they had four weeks to respond, so it’s about time to make a first progress report.
It’s striking to see how long it takes for some organizations to send a response, and if they finally send something, it is mostly only nonsense, referring to some privacy statement or suggesting that I travel to Amsterdam to identify myself. Obviously, it’s great to see that they take privacy seriously, although I sensed that they just didn’t want to take the time to respond to me seriously.
In total, I’ve received 590 grams of responses, had two privacy-related real-life conversations, received 9 emails and had 2 phone calls concerning my privacy.
The most weighty of them are the 50 pages from the wages administration from my university. They printed out screenshots from several mostly duplicating systems. Part of this large print is my ‘first day notification’ to the tax authorities, a copy of my passport, several auto-generated confirmations of being accepted on a job, all hour declarations (which is a lot of pages), my employee number (which is actually functioning as an ICT account, although I haven’t received the login data for this account formally) and some wage-specific tax information I don’t really care for. Nothing shocking here, apart from the fact that the data model in the Oracle database is really crappy.
Another satisfying result was provided by the Dutch police force. As I crashed into another car (apparently) on November 14, 2008, one of the documents I received was the official report of the accident, containing ASCII art of my car. Fun fact: it was apparently really important to note that I had my blinker on. Furthermore, I received a transcript of my internet reports.
The result of my bank, ING, was also somewhat satisfying. They provided me with the information they have about me, including my bank accounts with balances (which do not add up), the date of my last received receipt and my insurances. The provided documents seem to be incomplete, though, as neither my credit card nor my car insurance is listed. Furthermore, my name was missing my birth names, which is quite weird.
From several responses it became clear that the sender has read the Wbp. Unfortunately, the law was misinterpreted several times. Article 39 notes that it is possible for an organization to ask for compensation for my request, up to an amount determined by implementing regulation (in Dutch: ‘Algemene Maatregel van Bestuur’), of at most 5 euros. Some organizations didn’t understand ‘implementing regulation’ and ignored it, asking me for 5 euros. However, the ‘Besluit kostenvergoeding rechten betrokkene Wbp’ is the implementing regulation referred to, providing a maximum of 22 cents per page.
The Dutch credit registration (BKR) has another – unfortunately valid – interpretation. They request € 4,50 for any inspection of their data. It seems that they’re using the exception clause in the ‘Besluit’, as they have a ‘complicated information system’. The authority governing the Wbp has declared this legal. I haven’t yet paid the requested amount.
With the letter I sent, I only included my name and address. However, some organizations responded via email or telephone. This isn’t that bad, although most emails were neither sent via a secure connection at the sender’s side nor encrypted. I will not make a big problem of that, but it’s striking to see how some organizations handle my personal data.
My former secondary school responded via telephone, but told me that they only had my parent’s address in their system. Other data was lost in the conversion to a new administrative system. However, my telephone number should then not be in their system. It appears that it wasn’t; the caller got my phone number from some information service, which apparently had my phone number listed. It appears that my previous phone provider, Hi, provided that information. I can’t remember giving permission for that, but it’s some time ago.
Speaking of Hi: I’ve sent them a letter too. The response I received some days ago was “Since June 2009 you aren’t a customer with us anymore, and therefore we don’t process any of your personal data.” However, I still don’t get how they know that I’m not a customer anymore when they don’t have any information about me.
Other weird responses include the Albert Heijn supermarket notifying me that I haven’t worked for them (duh!) and the ‘Ralph Onderwijs’ song from study association Inter-Actief.
Most organizations responded in some way to my request for information. However, the Dutch tax authorities, the municipality of Enschede and the Dutch central student administration (DUO) are the most striking missing organizations. Furthermore, Google, Trans Link Systems (operator of the Dutch transport card), Thuisbezorgd.nl (food ordering website), T-Mobile (previous telecom provider) and my primary school failed to respond. Many responses, however, aren’t satisfying, so I’m far from finished with my research.
Yet, insofar as the responses are satisfying, the stored information isn’t that shocking. Are they hiding some information from me, or is there just no shocking information available about me?
This website is the personal weblog of Ralph Broenink. He studies Computer Science at the University of Twente and is lead software engineer at Antagonist webhosting. Furthermore, he was a member of the board of study association Inter-Actief. More information about him can be found at the 'About me' page.