Information Commissioner reviews EU data directive

Britain’s Information Commissioner, Richard Thomas, leaves his post shortly, after almost seven years. Computing reports on one of his final high-profile actions: the publication of a report he commissioned a year ago which reviews the operation of the European data directive. The Press Release from the Information Commissioner’s Office (ICO) refers to “growing fears that the current European Directive is out-dated and too bureaucratic”.

European legislation on data protection and privacy led the world, and in many ways still does. Its implementation into national legislation varies from wholehearted to grudging. But it has established in public awareness and, in particular, in the information professions the need to respect information about individuals and handle data appropriately. Nonetheless, both business and technology have moved on, and Richard Thomas believes that regulation needs to catch up.

For example: the directive’s restrictions on cross-border flows of information didn’t push the US to implement full data protection legislation, but it did result in the creation of “safe harbor” provisions. A work-around is also common: notifying data subjects that the data they are providing may be transferred to non-EU countries. If they don’t agree, they can’t get access to whatever service they are trying to sign up for.

The report’s overall conclusion is that the Directive, as it stands, “will not suffice in the long term”. The principles remain good; but implementation needs to be what the authors call “harms-based” – that is, based on an understanding of the damage that can be done – in order to respond to the challenges of globalisation. The authors don’t call for the Directive to be scrapped, but they believe some of the concepts need to be re-thought and better consensus achieved in some areas.

So the report proposes, among other things, that global enterprises should shoulder global responsibility for the data they hold rather than having to work through “outdated” geo-politically based restrictions. The ICO’s Press Release speaks of “stronger focus on the accountability of all organisations for safeguarding the information they handle”, “improved arrangements … for the export of personal data outside the European area”, and “a more strategic approach to enforcement”. There are about four pages of recommendations in the full report, well worth reviewing if it’s in your area.

Thomas believes that “Data protection is too important to be left to data protection specialists talking to each other”. The report isn’t a blueprint for a new directive but is intended to stimulate debate. Let’s see where it goes.

• Data protection needs new approach, Computing, 21 May 2009
• Making European data protection law fit for the 21st century, ICO Press Release, 12 May 2009 (PDF document, with links to both the full report and an ICO summary)
• European data directive 1995 (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
• For Richard Thomas’s bio see the ICO management Board page

IT professionalism vs the UK’s DNA database

I’ve just finished marking a set of student scripts from an Open University course which links IT and workplace practice. One question concerned the UK’s Data Protection Act, which has eight principles designed to ensure data processing is open, fair and not compromised.

So which organisation do we find flouting at least seven of the eight principles? The UK Government.

For some time in this country we’ve had a DNA database which is supposed to help the police catch offenders in sex cases. It contains DNA profiles not only from everyone convicted of such a crime, but from everyone accused – even if proven innocent. And the “data subjects” don’t have the option about whether to supply the data.

This Government beefed up the role of the Data Protection Registrar, calling it the Information Commissioner’s Office. It’s supposed to enforce compliance.

Now we find that same Government not only maintains data on this database which is not required for the purpose for which it was supposedly collected. It is also passing the data to commercial research companies and other unconnected bodies, for a purpose which may of itself be admirable, but which is quite clearly not that for which the data was collected, and without any authorisation from the data subjects.

If I captured this as a case study for my students, they would have no trouble telling me what was wrong with this practice. Who are the IT practitioners (I won’t call them professionals) who allowed this gross violation of professional practice to happen, and didn’t blow the whistle when it was happening, and didn’t resign in protest?

• UK Data Protection Act: the eight Principles (Schedule 1 of the Act)
• Home Office allowing private companies access to the DNA Database (Liberal Democrat news release, 28 Jul 2008)
• Information and communication technologies at work: Open University course T121