Data Protection: Missing the Bigger Issue

In this opinion piece, Ian McDougall explains why he believes that the focus on data disasters and the technicalities of processing are obscuring the vision we need for a new way forward for data protection.

One could feel comparable to Winston Churchill during the ‘Wilderness Years’ when speaking on the subject of data protection reform. But often, after a little explanation, the response that follows is usually ‘do you know, I think he might have a point’.

Our understanding of data protection issues in the main are led by disaster. Disaster: someone loses a disc containing the confidential data of millions of people and the cry goes up for stricter data protection laws.  Disaster: the government is reported to have compiled illegal databases and the cry goes up for stricter data protection laws. Disaster: the bank details, maiden names and even signatures of more than a million customers are found on a computer sold for £35 on eBay and the cry goes up for stricter data protection laws. And so on. 

Without dismissing such alarming security breaches, the debate is being skewed by knee-jerk reactions and a lack of clear thought. Of course confidential data needs to be kept secure, nobody seriously disputes that, but that’s not the issue and never has been. The problem we face with the current law on data protection is that it doesn’t achieve its stated purpose. It has become a bureaucratic nightmare that, to use a recently politicised phrase, is not ‘fit for purpose’. The Law is unable to meet the technological and commercial challenges of the 21st Century.  

The 1970s popularisation of computers first prompted concerns about the risks data use posed to privacy. The European Data Protection Directive’s intention was to give ‘privacy’ protection by introducing rules about what can be done with data. The problem is that privacy is not protected by following the data protection rules!  

Complications regarding the law are evident; Ian Huntley was convicted of the terrible murders of Holly Wells and Jessica Chapman. In the aftermath, Humberside police revealed that it had deleted records of previous sexual allegations against Huntley because retention of them was in contravention of the Data Protection Act. The Information Commissioner (in my view rather disingenuously) claimed that the Act did not require the deletion of those records. In fact, the Police Force followed the letter of the law exactly and correctly. To prove it, suppose that, six months prior to the murders, Huntley had made a request for copies of all personal data stored by the police about him, as he is allowed. The Police Force would have been required, even if redacted, to produce the records they held  and failure to comply with the request would have left them open to prosecution by the Information Commissioner. Police forces do get prosecuted under the Act. If Huntley’s next action was to claim that there were no current investigations against him, the information held would be retained in breach of the Act and should be deleted. Such a claim would have been correct. A previous Metropolitan Police Commissioner, Sir John Stevens, pointed out that the Act had hampered attempts by police to build psychological profiles of suspects.  

Here’s another great example; taken as a direct quote, from the website of the ‘Technical Advisory Service for Images’ or ‘TASI’, an advisory site for the use of photographs. It says:

‘They [the Information Commissioners Office] have said to TASI that where a person is the focus of an image, that image is likely to be personal data ……. But where people are incidentally included in an image or are not the focus (eg a busy street scene) the Information Commission's Office believes that the image is unlikely to contain personal data.’ 

 Someone wiser than I must explain how is a person who is only ‘incidentally’ identifiable in a photograph is in a different privacy position to someone who is ‘predominately’ identified in a photograph. The confusing nature of the law is evident and any moment now a big white rabbit will hop out and tell us he is late for a very important date! 

The Way Forward

 What was the object of data protection? Surely the protection against your data being used to damage you. So we need to change the focus from process to outcomes. 

Here is my revolutionary proposal! Merely using data, with or without the permission of the data subject, should be permissible if no damage is caused by such use (ie damage to privacy or financial, reputational or physical damage).  

Wow! Simple, straight forward and meeting the original purpose. The idea that mere processing of data is, in itself, wrong without permission is not only unhelpful but unrealistic. I have no right to tell Google not to allow entry of my name into its search engine, but that seems to be acceptable to our law makers. There is an important commercial reason for this. We live in an information technology age; economies are now more dependent than ever on the efficient use of the information they have at their disposal. There seems no reason why processing of information which causes no damage to anyone can be anything other than beneficial to the community, to commerce, and indeed, to the data subject themselves. That’s why we exempt the Internet Service Providers! 

Let’s move away from data considerations merely being an exercise in bureaucracy. We should not waste time assessing whether any particular act is, or is not, an act of processing. We should make sure that no damage is caused by the use of data. Surely this is a more important principle than whether the data is being processed per se

I don’t think anyone seriously disputes the need for the protection of personal privacy. Although, even here, such ‘protection’ is subject to conflicting rights in a free and secure society; freedom of speech, news reporting, law enforcement. But, ’Security’ and ‘Use’ are two different issues. The knee-jerk outrage I mentioned earlier just confuses the two. If you know you will be sued for causing damage, you will keep the information secure. Who knows, maybe even reckless release of information should attract a severe criminal penalty? 

It was never the intention of ‘data protection’ to protect some abstract and meaningless right against processing. An approach like mine is the real future of data privacy in the modern technological era. 

 

Ian McDougall is a Barrister and Legal Director for LexisNexis in the EMEA region. He was formerly Chief European Counsel for Hughes Electronics and Group Head of Legal for PayPoint Plc. He is a regular speaker at conferences and a widely published author.

 

 

 

Published: 2009-04-24T17:09:33

    3 comments

    • {b}This comment is from the author in response to the first comment.{b/} I am pleased to see that the discussion quickly moves from the principle to the effects. That is good. It is exactly the point of my article; namely that we should be discussing the effects of actions not the bureaucracy of the actions themselves. But there are 2 points to be made here; i) As I think must be clear from the article, it now becomes a question of evidence. But we don’t need to speculate too heavily. We can see what happens now when a Bank releases pin numbers, signatures etc.? If you can prove you suffered loss, and that loss arose as a result of the bank releasing that data then the bank is liable. This is exactly what should happen in the data protection field as well. ii) It is worth noting that it is possible right now to walk into Companies House, or the register and births and deaths and get information and copies of official documents. A person who does this can commit a fraud without the official record authorities being liable. Society seems to accept that without a murmur at the moment! The answer becomes a question of proving loss. So, as I said, if a data holder knows that there is the potential to be sued for releasing information they tend to put in place precautions to prevent its release. But that is a discussion over Security not data processing.”
      Laurence Eastham, 16:15:42 07/05/2009
    • This comment is from the author in response to the first comment. I am pleased to see that the discussion quickly moves from the principle to the effects. That is good. It is exactly the point of my article; namely that we should be discussing the effects of actions not the bureaucracy of the actions themselves. But there are 2 points to be made here; i) As I think must be clear from the article, it now becomes a question of evidence. But we don’t need to speculate too heavily. We can see what happens now when a Bank releases pin numbers, signatures etc.? If you can prove you suffered loss, and that loss arose as a result of the bank releasing that data then the bank is liable. This is exactly what should happen in the data protection field as well. ii) It is worth noting that it is possible right now to walk into Companies House, or the register and births and deaths and get information and copies of official documents. A person who does this can commit a fraud without the official record authorities being liable. Society seems to accept that without a murmur at the moment! The answer becomes a question of proving loss. So, as I said, if a data holder knows that there is the potential to be sued for releasing information they tend to put in place precautions to prevent its release. But that is a discussion over Security not data processing.”
      Laurence Eastham, 16:13:52 07/05/2009
    • The problem is, how do you define "use"? Someone's use of information about me may not cause me immediate or direct damage. But if their use enables others to use my personal information at a later stage in a way which does damage me, what then? Once information is out there it can't be un-known, and it can be propagated infinitely often and infinitely widely at minimal cost. That's why the security of personal data is so important.
      anonymous, 15:01:08 01/05/2009
    Please wait...