SQLServerCentral is supported by Red Gate Software Ltd.
House of Commons Justice Committee Related to The European Union's Data Protection-Retention Directives

 

Just this past week, on Tuesday afternoon (a link to video of Parliament online; please forward to about halfway through), the United Kingdom's Information Commissioner Christopher Graham spoke in the Wilson Room before the House of Commons Justice Committee. He was flanked by Stephen McCartney, Head of Data Protection Promotion at the Information Commissioner's Office. As mentioned in a previous post just last month, the ICO has been lobbying extensively for fines to deter serious data breaches, and the lobbying gives the impression of working quite well: on its front page, the ICO "expects its new power to issue monetary penalties to come into force on 6 April 2010, allowing the ICO to serve notices requiring organisations to pay up to £500,000 [$1M approx.] for serious breaches of the Data Protection Act." In other words, HUGE fines: finally some real deterrents for the list broker/reseller industry.

In the Committee, the recommendation was that the European Union should enforce data protection, but not jump into it without a comprehensive approach; in other words, reculer pour mieux sauter, as Mr Graham put it: take a step back first, analyse the nuances and realities of how data is exploited, and then codify the law fittingly. The HOC Justice Committee met to avoid the patchwork of current legislation, while also taking into consideration that [Roman and Napoleonic Civil] codified law is very different from the Common Law practised in Great Britain. Civil and Common Law also take very different approaches to managing data: the former is considered in Common Law countries to be unnecessarily pragmatic, too literal and carrying too much bureaucratic overhead, whilst Canada and the United States tend to take too much of a freely flowing approach to data, without thinking of privacy and security considerations from the outset. In fact, the European Commission went so far as to sue Sweden for its lack of action regarding the E.U. Data Retention Directive.

The Face of Data Protection in the United Kingdom: Christopher Graham - see him at the Data Protection Officer Conference on March 3rd, 2010

 

As one can see in the video footage (forward to 26 minutes), Information Commissioner Graham is a man of candour, as was his grandfather Lance. Sir Lancelot Graham was known as idealistic, indefatigably hard-working and self-disciplined. He was not only Governor of Sind (the Pakistani province of which Karachi is the capital) before the partition of India, but also President of the Commonwealth Society.

It is clear that action must be taken to discourage serious breaches of the Data Protection Act, but one of the first fundamental questions (referred to in the List of Data Protection Principles), as Mr Stephen McCartney, Information Commissioner Graham's experienced colleague, pointed out, should be: what is the data being used for? Ultimately the goal is to prevent carelessness with respect to the management of personal data within organisations (i.e. failing to encrypt, or at the very least password-protect, a backup placed on easily readable media), a space where the ICO has been very active lately, and it even provides A Guide For Data Protection in Plain English on its site.

In sum, in the European Union there is a need to clarify the laws governing the management of information, and it is great to see Information Commissioner Graham giving guidance openly. We have to treat data as the precious resource it is in our information-based society, if only because its mismanagement can cost us all, and not just in the E.U. A certain pension fund data management disaster I witnessed firsthand led, in part, to the loss of billions of dollars.

Comments

Posted by Steve Jones on 11 January 2010

I think we definitely need to codify this better, and be more responsive. Not cover every case, but pass restrictions that help to protect individual rights, even if that means fewer opportunities for companies to sell the data.

Posted by tvantonder on 15 January 2010

I think that the company that uses the data should also be fined for not verifying the data in the first place. This will discourage sales companies from buying the data. If no one is buying no one can be selling. The company that is selling is much easier to track down. People / Companies that sell illegally obtained data or data they are not authorized to sell are very difficult to track down.

Posted by jyates on 15 January 2010

In the US, government entities sell lots of personal data.  In most cases, the public can opt out from having their data sold, but the process should be reversed.  Government should have to request the opportunity to sell data and the public should not have to read all websites or fine print to find out how/when they need to opt out.  With reliance on such revenue streams, it will now be hard to convince government to change.

Posted by bwillsie-842793 on 15 January 2010

There also needs to be some thought as to content.  We think of name/address/social security number combinations automatically.  

But what about other things like consumer-related content, such as what over-the-counter medications you buy, where you went on vacation last year, etc.?

I believe there have been several studies done on this that show that seemingly non-personal data can be easily used to identify an individual out of a fairly large group.

In short, how "personal" does data have to be to define you as a person?

And where is the cutoff line on what is acceptable to sell as demographic versus personal data?

Posted by Hugo Shebbeare on 15 January 2010

tvantonder: true, there's no source identifier often - when data is collected it should have a source field associated at least. Ideally what sub-product it was collected for.

jyates: I can agree with that, the fine-print and click to agree to policies often take advantage of the user giving the information.

bwillsie: it's for sure there has to be a clear distinction between generic and distinct personal data. When you are getting calls from a competitor to switch over, as the ICO noticed with T-Mobile in GB, then you know something is wrong. In the end T-Mobile employees were passing on the data, but a real way to avoid this would be through better control over sensitive data and risk management.
