Wednesday, 11 July 2018

Your data privacy is important

Technological change in the last fifty years has transformed our social and economic relations more than the whole of history which preceded it. You only need to consider some of the tools we use throughout the day – for instance, mobile phones, access to the internet – and then reflect on how different our lives today would be without them.
The digital era has not just brought new opportunities, new ways of doing things and an ability to do some things we simply couldn’t do before; it has also brought new threats to our civil liberties and opportunities for the less scrupulous to try to take advantage of us.
Hardly a week goes by now, when most households don’t experience some sort of attempted scam through text, e-mail or phone call, all centred around disclosure of your personal data. And, certainly, police forces throughout the world are struggling to address both the scale and nature of this new criminality.
One significant aspect of crime prevention – and it goes hand in hand with our privacy rights – is the backdrop of data protection legislation. At its very heart is the principle that personal data we disclose to another party for one purpose should not be disclosed to other parties without our consent.
Over the years, the Information Commissioner – responsible for securing compliance with legislation and initiating investigations and action in the event of failure – has got better at identifying and tackling those individuals and companies which break the law. But, as technology develops, so the legal protections need to be updated.
UK law in this regard is based on the 1998 Data Protection Act. In recent weeks, many of the protections have been overtaken by the European General Data Protection Regulation (GDPR) provisions. The former has a penalty cap of £500,000 whereas, under GDPR, the cap on fines is €20m or 4% of global turnover.
GDPR was the reason why we all recently received communications, from just about every organisation and company with which we have some relation, asking us to confirm or update our agreements to the use of our data for the future.
All that provides a background to today’s reports by the Information Commissioner [1][2] into events at the time of the EU Referendum and the US Presidential Election, which confirm that, amongst other things, the ICO:
  • has fined Facebook £500,000 – just over five minutes’ Facebook revenue – for data breaches under the 1998 Act (and it could have been up to £1.4bn under the GDPR). (Facebook was fined £95m in 2017, and Google was fined £2.1bn by the EU in 2017.)
  • is bringing criminal proceedings against some companies and individuals
  • has stopped some companies from processing data about UK citizens
  • has written to the UK's 11 main political parties compelling them to have their data protection practices audited
  • has served enforcement notices on and is continuing investigations into a number of data-broking companies
  • is undertaking an investigation into allegations that an insurance services company illegally shared customer data with a Leave.EU group and used its call centre staff to make campaign calls
  • is probing data misuse by various organisations, including a university department, the official Remain campaign – Britain Stronger In Europe – and a data broker
The ICO expects its next report to be complete by the end of October.
One thing that I have noticed is that a number of the prominent individuals (company directors, funders, managers and senior staff, campaigners) identified in the ICO investigations to date were also prominent in campaigns and in funding and managing organisations against biometric, secure identity cards in the UK, which would have assisted in protecting our data, managing our borders, and in ensuring that only UK citizens entitled to receive particular services did actually receive them.
I hope our investigative media does a lot more to highlight the hypocrisy of those who campaigned against secure ID cards, whilst apparently having little regard for the law to protect our data as they pursued their personal and commercial objectives.