Comments on: Data Protection Strategy

By: Harry Metcalfe

Harry Metcalfe — Wed, 26 Sep 2007 18:30:01 +0000

I really like this idea in principle, although fixing appropriate criteria for such accreditation would be difficult. If that could be done, though, it would be brilliant:

“Only have your gas appliance serviced by a CORGI registered engineer”
“Only supply your personal data to an ICO accredited data controller”

Marvellous!

By: Harry Metcalfe

Harry Metcalfe — Wed, 26 Sep 2007 18:27:49 +0000

Yes — this is really important. See earlier comment on informed choice.

By: Harry Metcalfe

Harry Metcalfe — Wed, 26 Sep 2007 18:25:52 +0000

Both!

By: Harry Metcalfe

Harry Metcalfe — Wed, 26 Sep 2007 18:17:43 +0000

The ability for people to make an informed choice is very much dependent on the information available to them when they supply personal data.

For example, are Nectar/Tesco et al complying with DPA Schedule 1 2.1(1)? This says that personal data must be processed fairly, and that regard must be given to whether information was obtained from a person who was deceived or misled as to the purpose for collecting the information. Are Tesco/Nectar really explaining clearly what they do with cardholders’ personal data? Are they misleading their customers by couching such explanations in small-text marketing lingo that doesn’t really describe what they are actually doing?

I suspect that most people are completely unaware of the scale of the data mining undertaken by these companies. Perhaps data controllers should be obliged to be a bit more forthcoming? Freedom of choice is very important, but is rather meaningless unless an informed choice can be made.

By: Harry Metcalfe

Harry Metcalfe — Mon, 24 Sep 2007 16:59:47 +0000

Two things come to mind:

As noted by Becky, the ICO should have the power to inspect data controllers at will — like the HSE. This is crucial.

Second, where companies are involved in violations of the DPA which are egregious — like leaks of large amount of personal information — there should be a duty to disclose this to the ICO. See the HoL Personal Security Online report.

By: Becky Hogge

Becky Hogge — Mon, 24 Sep 2007 15:18:17 +0000

No mention of US in this paragraph, which is weird since it is such a data protection black hole.

By: Becky Hogge

Becky Hogge — Mon, 24 Sep 2007 15:16:38 +0000

This request should be noted in the response and, as far as possible, ORG should provide evidence as well as argument ;)

By: Becky Hogge

Becky Hogge — Mon, 24 Sep 2007 15:14:58 +0000

How realistic is this expectation? Has it proved unrealistic in the past?

By: Becky Hogge

Becky Hogge — Mon, 24 Sep 2007 15:10:04 +0000

ICO penalties are weak and weakly enforced. Public and private sector should be penalised when they expose people to data protection risk.

By: Becky Hogge

Becky Hogge — Mon, 24 Sep 2007 15:08:14 +0000

Or should we emphasies that no technology ensures privacy?