Personal Data and Disclosure
Paul Morris looks at Data Protection laws, and whether companies use them in order to implement their own safeguards.
It never ceases to amaze me how many data controllers (those people or organisations in charge of your personal data) refuse to let you have copies on the grounds they are protecting your data – protecting them from you! The media are full of stories about organisations both public and private which are nevertheless quite happy to give or sell your data to others or even leave it in skips or on the train.
In the Sunday Times (25 August), we heard of yet another example of the police refusing to provide the name and address (personal data) of the registered keeper of a vehicle which had demolished a wall on the grounds that, “it was against data protection rules”. The owner of the wall or perhaps I should say now, pile of rubble, wanted to sue the driver for the cost of repair. Of course the police have no right to refuse such a request if the requestor is considering legal action (which he was). Section 35 of the Data Protection Act refers. It was a, ‘cop out’; the police must, ‘cough’’.
There is a huge misunderstanding about data protection laws. You may wish to make a change on a holiday booking but the call centre won’t talk to you if you didn’t make the booking even though you are one of the party going on holiday and just want to change your own details. It is quite understandable that they don’t want to make amends which are not approved by the ‘lead name’ but they can talk to anyone providing that the lead name has given permission. In addition, they wouldn’t get into trouble if they talked to someone without permission provided that it was reasonable to do so. In reality, they are just using ‘data protection’ as an excuse for implementing their own safeguards which is a bit naughty.
The main two provisions in the Data Protection Act 1998 which are useful for data subjects (ordinary people) are firstly to obtain your personal data – to see what organisations are holding about you – and secondly, to rectify any inaccuracies.
Providing you send proof of who you are (to make sure it’s not someone else trying to take a peek at your data) and you specify what you want, then data controllers have 40 days in which to reply. If you discover something that is inaccurate, you can ask the data controller to rectify it. If you have proof that the data are inaccurate, then data controllers will make the corrections. If they don’t, then you can ask the Information Commissioner to send an enforcement notice or you can even issue legal proceedings. If the inaccuracies are trivial such as spelling errors, then let them go. Only if the inaccuracies are affecting your life should you pursue rectification – a major blot on your credit record for example (that shouldn’t be there).
Bear in mind that responding to a request for personal data is very tedious for the data controller and so the task is usually delegated to a junior member of staff who is given a set of rules to follow such as redacting (putting a black marker pen) through names of other people (because their name is their personal data). This may sound reasonable but it can lead to a moronic response. One of our correspondents asked for his personal data from the Home Office. He was much amused to find that the name, ‘Jack Straw’ had been redacted. How would he know that this name had been redacted? Because the title, ‘Home Secretary’ was next to the redaction! Of course this was when Jack Straw was Home Secretary so most people would have known the name of the Home Secretary. It was hardly a state secret!
Both the Freedom of Information Act 2000 and the Data Protection Act 1998 are very powerful tools for the individual against an ever-encroaching State. The former revealed the scandal of MPs expenses; the latter is used by individuals to discover what information companies and the Government keep about them and to rectify those data if they are inaccurate and damaging.
It is surprising how often organisations assume powers they don’t have. It’s usually worth checking what legislation they rely on - ask them. We have found that often it is a fiction.
Paul Morris, The Data Protection Society.
Wendy M. Grossman responds to "loopy" statements made by Google Executive Chairman Eric Schmidt in regards to censorship and encryption.
ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views
People who have written us are: campaigners, inventors, legal professionals , artists, writers, curators and publishers, technology experts, volunteers, think tanks, MPs, journalists and ORG supporters.
Manchester Cryptoparty with FSFE