Data protection – Who’s watching you?

The amount of personal data being collected and analysed means that more is known about us than ever before. According to the University of Berkeley, California, storage of data is growing annually by a whopping 34%.

Our emails, phone calls, shopping habits, debit and credit card transactions and actions on CCTV are all available for scrutiny. We are monitored to such an extent that campaign group Privacy International estimates that information about the average working adult is stored in about 700 databases.

Legislation such as the Regulation of Investigatory Powers Act and the US Sarbanes-Oxley Act means that even if a company feels it has no business hoarding excessive amounts of data, it must. The demands of corporate governance, compliance and security are apparently leaving little breathing space for privacy. Along with a government thrust to keep further tabs on individuals with a national identity card, it is little wonder that many are asking: is there any privacy in the information age?

‘Privacy, defined historically by Justice Louis Brandeis as the right to be left alone, is dead,’ says Gartner vice-president Richard Hunter. ‘In a modern information society, and with the growth of automated information processing, you can’t be left alone.’

But Hunter believes a new definition of privacy – the right to control and specify how information is used – is rising phoenix-like from the ashes, and heralding new business opportunities for people who grasp its significance. As individuals are subject to near-constant data gathering, Hunter says they will demand more control over how their information is used – backed by laws such as the Data Protection Act 1998 (see box) and the right to privacy enshrined by Article 8 of the Human Rights Act.

The information commissioner’s 2004 annual report, published last month, shows growing concern over privacy issues. ‘The increasing demands on our office for advice about privacy and access issues have necessitated various improvements in our service delivery,’ it says.

The office has opened more phone lines to deal with ‘a significantly larger number of calls’, which have risen from an average of 5,098 per month during April to November 2003 to 6,630 per month during the period December 2003 to March 2004.

‘Interest in privacy and who has access to information is rising,’ says Iain Bourne, senior compliance manager at the information commissioner’s office. ‘If people are more aware and questioning, that is healthy, as they are more conscious of their rights,’ he says.

Hunter says companies that tackle privacy concerns and build a relationship of trust with their customers or business partners will win the right to use information, and stand to gain as a result. ‘Privacy is changing from anonymity to control,’ he says. ‘There will be a new economics of information.

‘Businesses that collect data from a transaction but have no permission to use that data have a sunk cost, as there can be no return. A lot of money is tied up in databases, and businesses need to develop a relationship of trust and loyalty so they have permission to use data for other purposes.’

He points to two examples of businesses getting it right and wrong respectively – online auction site eBay and the US telemarketing industry.

‘Getting into the position of being a trusted provider is very valuable. eBay’s whole business is based on trust – it is a worldwide community of trust,’ he says. ‘On average, only 10% of website users are aware of privacy policies, but 90% of eBay customers are aware of eBay’s privacy policy. It has a privacy department, and any change in its business model will be discussed to see if changes must be made to its privacy policy. Any company hoping to do business as a trusted adviser should adopt a strong, clear privacy policy.’

Conversely, failure to secure trust and control over data use can mean failure of the business. The US Federal Communications Commission set up a do-not-call registry last year for people who did not want to be contacted by telemarketing companies. Already it has 56 million numbers, representing 50% of the US domestic market for telemarketing. ‘The industry’s revenues are declining precipitously,’ says Hunter.

Sometimes businesses may violate privacy while still complying with privacy legislation, denting both customer trust and their reputation. This summer, Tesco traced a customer mistakenly suspected of stealing from one of its stores to her home through her loyalty card after watching her on a CCTV system.

But Tesco has no intention of changing its privacy policy. ‘An exemption in the Data Protection Act allows details to be used in the prevention and detection of crime,’ says a spokeswoman. ‘We were wrong, but stand by the action we took.’

Difficult decisions that balance privacy rights with business necessity have to be made all the time. If the wrong decision is made, it can have tragic consequences – as in the case of the Soham murders. The chief constable of Humberside Police, David Westwood, blamed compliance with the Data Protection Act for his lack of searchable records after allegations of sexual offences against Ian Huntley were deleted.

‘The Act allows the police to keep such information where retention is justified by an ongoing police need,’ says the information commissioner’s annual report.

But it acknowledges that Westwood’s original statement blaming the Data Protection Act ‘did considerable damage to the reputation of data protection’.

‘One of the problems with data protection is that people think the guidelines provide a set of rules for every difficult decision,’ says Bourne. ‘They don’t.’

Beatrice Rogers, senior private sector programme manager at IT trade association Intellect, says such tough decisions in the private sector are commonly left to the IT function, and often privacy comes off worse.

‘There has always been written information about us, but now it is easier to accumulate, and the IT department is often held responsible for data management,’ she says. ‘Data protection laws and electronic communication laws have good privacy rights in them but are they being adhered to? We do take privacy for granted sometimes.’

To stop the rot, Rogers believes that ‘businesses must create a culture where privacy is respected’. This can be helped if companies ‘have a definite privacy policy and promote best practice. It is no good letting a policy sit on the shelf. It must be updated and communicated to employees,’ she says.

Rogers agrees with Gartner’s Hunter that, although some businesses may think privacy compliance is a pain in their bottom line, managing it properly has an economic advantage. ‘If there is no trust, business doesn’t get taken up,’ she says.

As a rule of thumb, Professor Jim Norton, a senior policy adviser at the Institute of Directors, says directors should treat data on staff and customers as they would data on themselves. ‘The key is, it’s not just about technology – it’s about people and processes.’

Putting the right processes in place to protect data, and communicating them to employees, is taken very seriously at the Land Registry.

Mick Lewis, head of public affairs at the government department, which holds more than 19.5 million property titles in its database, says: ‘Privacy is still alive and kicking at the Land Registry. We have a data-protection policy on our website, we inform staff about data protection and point out that it’s a criminal offence to pass on information they shouldn’t, and we run presentations to staff.’

Since 1990, the registry has been open to public inspection. ‘The information is not sensitive personal data,’ says Lewis. ‘But accuracy is an important part of data protection, and it is one of our key performance targets. Privacy and security also go hand in hand. We must demonstrate that we keep the information secure and have BS7799 accreditation. We would not allow our database to be maintained by a third party because of the risks involved.’

The department is running trials to capitalise on its data, but is liaising with the information commissioner. ‘We have the ability to pass or sell on data. For example, it could be used in a credit-checking environment to establish ownership of property,’ says Lewis.

Bringing the public on board will be critical to any data sharing. ‘We will let customers know and get the consent of the general public,’ he says. ‘It is part of best practice to bring people along with you. The more people know why information is being used, the more credibility an organisation has.’

Norton does not believe that the government is doing enough to inform people over its plans for data sharing. ‘There is a lack of debate, and in a vacuum people fear the worst,’ he says. ‘The onus is on the public servant to say why data sharing is beneficial to the individual and to society as a whole. If that can’t be shown, data shouldn’t be shared.’

But if the private and public sector are not willing to be upfront over how they use information, they risk a privacy backlash, says Gartner’s Hunter. ‘Privacy will become a make or break issue,’ he warns.

‘We are living in a much more complex world than George Orwell’s 1984,’ Hunter warns. ‘It’s not just the government that has access to the technology that can invade privacy. The commercial sector, public institutions and individuals all have access to technology at low cost, and everyone needs to make adjustments to find what’s permissible. Culture must catch up with technology.’

  • This is an edited version of an article that was first published in our sister title Computing.
