We declare one thing and do another. How not to protect personal data

A child has the right to privacy and to protection of personal rights, therefore it is worth 90% of Poles declare that they know how to ensure the security of their personal data. Young people feel most confident. However, despite  the conviction of their knowledge, they are the group that most often makes mistakes such as publishing photos of their documents on the Internet or sharing logins and passwords with third parties. That is the conclusion from the research conducted by the ChronPESEL.pl portal and the National Debt Register under the patronage of the Personal Data Protection Office.

In 2022, compared to previous year, we still define the threats to our data the same way. This year's edition of the report "Knowledge of personal data protection in Poland" presents the latest research results in this area. Every third respondent believes that we should fear most leakages from institutional and company databases. However, we indicated phishing scammers as the most dangerous. Nearly 43 percent of respondents ranked them first. Almost 23 percent of respondents, in turn, are afraid of data theft by hackers.

According to the research, only a little over half of respondents (55%) know what to do in case of phishing of personal data such as: name, surname, address or personal identification number (PESEL number). Young people aged 18–34 have the biggest knowledge on this (65%). The rest of respondents do not have any knowledge on this or have doubts. 

Over 80% of respondents would report a case of personal data phishing to the Police, and nearly three quarters would inform their bank about the incident. 68% of respondents would also change login passwords to the services used. More than 45% of respondents would report a case to the Personal Data Protection Office, and nearly every fourth respondent would check with the credit information bureau whether someone has already tried to use the stolen data.

– It is always worth reminding that the principle of limited trust and the common sense are most important. Despite declaring that we know how to recognise fraud attempts aiming at data phishing, we still make mistakes in our daily life. Only caution and thorough verification of information and online contacts may reduce the risk of cyber criminals, who use more and more sophisticated methods, accessing the content of our computers or smartphones and via them our bank accounts, social media accounts and our e-mailboxes – says Monika Krasinska, Director of the Jurisprudence and Legislation Department, the Personal Data Protection Office.

Young Poles are convinced that it is difficult to deceive them

Most of the respondents declare that they know how to ensure the security of their personal data. This is the opinion of 90 percent of respondents. One in six respondents is absolutely sure about this (17%). Young people feel most confident. Every third person aged 18–24 and every fourth person aged 25–34 is absolutely sure about their knowledge on data protection. On the other hand, people who are over 65 years old have the biggest doubts. Only less than 9% of them say that they know very well how to protect their personal data.  

There is a high level of confidence in one’s own ability to recognise the attempts of personal data phishing. 88% of respondents are convinced that they will know if they are approached by a phishing caller or have to do with fraudulent e-mails and text messages. 20% of respondents are absolutely sure about this.

And again, the highest confidence level is observed in the group of the youngest respondents. Every third respondent aged 18–34 is convinced that she or he would easily recognise a fraud attempt. When asked how they verify the authenticity of the received massages and phone calls, the respondents most often indicate the checking of the caller on the Internet and analysing an email address of the sender (55% of respondents). Then, the respondents pay attention to the graphic form and content of the message received (47%) and carefully check the attached link (44%). These are the rules that we should always remember.

– We should avoid clicking on any links in e-mails or text messages directing us to a website with a payment request or encouraging us to download new programmes. Especially, if we received them from an unverified sender. In such cases, the e-mail address and website to which we are directed should be exactly verified. Fraudsters pretend to be the employees of banks, energy companies, Internet providers or public institutions and try to take advantage of our ignorance. It should be remembered that no consultant or official will ask us for our personal data for verification purposes or encourage us to download programmes that will do this by the phone. Such a request itself should be a warning signal for us. In such situations, it is worth hanging up and calling a helpline or our customer service to verify the case – reminds Bartłomiej Drozd, an expert from the ChronPESEL.pl portal.

Dangerous behaviour – the list of sins

Various types of security measures are of little use if we share our sensitive data ourselves. Every ninth respondent informs that he or she has shared their login data with third parties. The highest percentage of such responses was given by persons aged 18–24 (28%) and 25–34 (16%). At the same time, these are the two groups that most often claimed to know how to ensure the security of their data. This shows that previous declarations are not always reflected in appropriate behaviour.

But it is not only about sharing the login data. 11,5 % of respondents admit that they have once published a photo of their documents on the Internet. In case of people aged 18–24, even every fifth respondent did so. The list of sins is, however, longer. Every fourth respondent admits that she or he completed an online survey that required providing such data as PESEL number or address of residence.

Nearly two-thirds of the respondents declare also that over the last year they have not deleted their social media accounts which they have not been using for a long time. Persons aged 18–24 are an exception. Almost 37% of them have done a clean-up with their social media. Compared to 2021 there are no significant changes here.

Consequences of the loss of personal data

The consequences of loss of personal data may be very serious. Fraudsters, who took possession of the data, have many opportunities of using them. As the research shows, Poles are aware of how criminals use the stolen personal data.      

When asked about it, they most often indicate taking financial obligations in the form of a leasing, loan or purchase credit agreement (86%). Nearly two-thirds of the respondents are concerned about selling data or using them to set up a company that will take on further financial obligations. Therefore, it is all the more important for each of us to know how to react, for example in case of losing documents.

– How to act when our personal data has been stolen or phished depends on what kind of data has fallen into the wrong hands. The basic steps are to report a case to the Police and to inform your bank. In case of the loss of ID card we should in turn go to a municipal office for its cancellation. And in case of leakage from the service that you use, you should definitely change your login passwords and set up a two-factor authentication. You should also remember to monitor your bank accounts, and in particular, carefully analyse any activities detected on them – explains Monika Krasińska, Director of the Jurisprudence and Legislation Department, the Personal Data Protection Office.

Unfortunately, even observing all data protection rules may not be enough to protect us from having our personal data used. For example, we do not know how are safeguarded the databases of websites that we use.

The survey commissioned by the ChronPESEL.pl portal and the National Debt Register under the patronage of the Personal Data Protection Office, was conducted in March 2022 using the CAWI method on a representative group of 1010 respondents by IMAS International.