Well, HM Revenue & Customs have certainly proved the point in my last blog about privacy moving up the consumer agenda: two discs, containing the personal and financial details of 25 million people, have gone missing in the post.
Is this the 'tipping point', at least for the UK, which will make organisations really take data protection law seriously? I think it is. Of course, there are plenty of reputable companies who already do. But why does it take something as mind-boggling as HMRC's recent action to shake up the public and private sector alike? I suggest three reasons:
Arcane nature of data protection law and terminology: Terms such as "Data Controller", "Data Subject", "Structured Filing Systems" and even the term "data protection" make the subject sound technical and more concerned with the protection of the data itself rather than with citizens' privacy. The language of the law needs to be simplified and demystified.
Lack of teeth: Penalties for non-compliance are derisory and the Information Commissioner lacks a number of key enforcement powers, including the right to enter premises to inspect where serious breaches are suspected.
The value of information: For many online businesses, the customer database is one of their most valuable assets. In co-branding deals, joint ventures and other online deals, the contracts will talk about ownership of that data and the parties' rights to use it. So there is an inherent tension between the ownership and exploitable value of customer data on the one hand and the privacy rights of those customers on the other. This is not an irreconcilable conflict. It can - and should - be dealt with contractually, through privacy policies and proper data protection compliance policies.
The HMRC debacle is a timely reminder about the core principles on which data protection compliance is built. It's not just a matter of writing a well-drafted Privacy Policy. It's more about having the right technical and organisational processes in place to manage the risks associated with handling personal information.
So here's a quick reminder of the Data Protection Principles > Download Intro.DPPrinciples.doc
Whilst on the subject of privacy, one of my readers has just raised an interesting point arising from my October 26th post about the Sheffield Wednesday case and the circumstances in which a Judge will order an ISP or other host to disclose the identity of its users where, for example, someone wants to sue for an allegedly defamatory statement posted by a user. My reader pointed out the Judge's comment that "I take into account also that the Defendant does not appear to have had any policy of confidentiality for the benefit of his users" and asks whether including such a provision in the terms and conditions for the Forum might have made the Judge decide not to order disclosure. Hmm. Interesting point. Well, it seems to me that the inclusion of such a provision - which is not uncommon - would help the host to argue against the demand for disclosure, but personally I don't think it would provide guaranteed immunity from disclosure. Just a personal view though, and definitely not formal advice.
Laurence Kaye
ps Happy Thanksgiving for our US readers!
pps If the disaster which has befallen HMRC has prompted you into thinking about a data protection audit, please let me know. We'd be pleased to help.