Tuesday, 23 March 2010

"Private lives: a people’s inquiry into personal information" - Demos report

The ICO website mentioned the publication of "Private lives: a people’s inquiry into personal information", a 146-pg report by Peter Bradwell of thinktank Demos, which was supported by the UK Information Commissioner and Consumer Focus.

This paper, published on 21 March 2010, deals with what people think about the use of their personal information and privacy, looking specifically at the use of communications data, targeted advertising and the use of medical records information:

"It sets out the findings of Demos' 'People's Inquiry into Personal Information', revealing the opinions and ideas expressed over 13 hours of deliberation."

It's new enough even to mention Google's Buzz privacy fiasco as an example of the privacy challenges identified.

Some excerpts from the conclusions, which affirm the focus on consent and transparency advocated by the Article 29 Working Party in their Future of Privacy paper (emphasis added):

"The desire for transparency and the meaningful capacity to choose shows that the use of personal information becomes problematic, and is seen to involve a problematic transfer of power, where it is used by others either in ways that are unknown to the people that it affects or that deny them a chance to accept or reject it. Our participants were data pragmatists to the extent that they considered information personal wherever there was a perceived harm. That included cases where the consequences were unknown or opaque. Transparency was important not just to improve consent but also to alleviate fears of the unknown.

The presence of transparency and the ability to make informed choices were the conditions under which participants accepted personal information use. The members of this People’s Inquiry into Personal Information have sent a clear message about the best way to take advantage of the benefits of personal information use at the same time as dealing with significant uncertainty about the potential risks involved. They wanted an emphasis on transparency, the capacity to control and mitigate for possible and sometimes unforeseen harms, coupled with more guarantees about security. Our findings suggest that organisations should presume that people want the means to make informed decisions, based on clear and easily understood information about the consequences, about when information about them is shared and how it is used.

The participants’ demands are largely for the robust applications of existing principles of data protection….

The findings have a number of implications for decisions about how to govern the database society. Firstly, it is time to take the need for greater clarity and transparency seriously. One example would be the relationship between pubic and private sector. The inquiry did not cover the extent to which public and private sectors overlap in practice. But the attitudes to the two, dependent as they were on perceptions of motive, suggests that there is a need to clarify the relationship between government and private sector in the context of personal information use, especially where data handling is undertaken by the private sector on behalf of a public sector body. Not doing so puts at risk the faith people place in the public sector’s motives and undermines their ability to decide whether information use is acceptable.

This means being clear about contractual relationships where the private sector is carrying out personal information processing, and it extends to many areas in which public and private overlap, for instance in the case of personal medical records. We did not cover the question of alternative providers for electronic medical records explicitly, but the findings on control and consent suggest that providing access to the private sector in this context should be based on an explicit choice by the patient for those organisations to have access to the records…"

The finding that private individuals want control and transparency in relation to their personal data doesn't seem to be anything startling, but it won't hurt to confirm this and remind policy makers about it!

The need for more "robust application of existing principles of data protection" is exactly what I've suggested before - current principles do I feel largely cover what people need and expect, but the problem is that the laws still have yet to be policed and enforced properly, with meaningful sanctions for non-compliance, in order to be effective. The focus needs to be more on that, rather than on bureaucratic filings and registrations.

I've only had time to skim the pamphlet so far, but it certainly looks like a worthwhile and well-written read.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.