Archive for the ‘Data ownership’ Category

Will access to midata work?

Posted on November 19th, 2012 by

Midata – the story so far

As part of its Consumer Empowerment push, the UK Government wants to give consumers – you and me – more control and access to our personal information. This is the stated purpose behind midata, an initiative (launched in 2011) which encourages suppliers to make available to consumers the information that the suppliers hold on a consumer’s transactions. The hope is that this will then give individual consumers insight into their own behaviour so that they can make more informed choices. Some big players have already signed up including Lloyds Bank, RBS, Visa and Mastercard, but the current arrangement is voluntary and relies on the goodwill of organisations to continue to participate. With its emphasis on putting the individual in control of their consumer data it chimes in well with the draft EU Data Protection Regulation’s focus on strengthening the rights of individuals.

Concerns of business

However, it is understandable why some commercial enterprises that have invested heavily in their consumer data analytics may not want to make such information available. Where you operate in a keenly competitive industry that uses loyalty cards or similar, there is little incentive to make this information available particularly if your competitors do not collect the same amount of information as you do. Unsurprisingly, some respondents to the consultation expressed concerns about midata’s likely costs to business (particularly for large businesses dealing with thousands of consumer records) and their view that insufficient time had been given to allow the voluntary approach to develop.

The Government’s position

The Government has been making more noises about the midata initiative in the past few days and today published its response to its earlier consultation seeking views on whether it should regulate to require organisations to fall into line with midata. The main message in the Government’s response is ‘we’re not going to wield the big stick (of legislation) yet – so long as you cooperate’.

The key points from the Government’s response are:

* The midata initiative will continue as a voluntary project in the short term and the Government will seek to accelerate progress by broadening the sectors that are engaged.

* The Government will use primary legislation to give itself a power to impose a duty (by way of secondary legislation) on businesses in the future should it consider it necessary to do so. This duty is likely to fall on suppliers of goods/ services to compel them to supply, at a consumer’s request, personal transaction data relating to the consumer’s purchase/ consumption of products and services from that supplier in an electronic, commonly used machine readable format.

* If the Government considers that progress in expanding midata on a voluntary basis is not sufficiently quick, it expects to bring forward regulations on the basis of the legislative power (although this will happen no earlier than autumn 2013).

* Certain core sectors – energy supply, mobile phones, current accounts and credit cards – are particularly in the Government’s sights and the Government will move more quickly to regulate such sectors.

* For other sectors the Government will consider certain key factors and engage in further consultation investigating issues such as the likely impact and costs for a sector or product group before imposing any duty.

* The data that will be available through midata will be ‘transaction data’. This is data about a consumer’s purchase/ consumption of products and services from the supplier. Specifically transaction data does not include any subsequent analysis that the supplier has undertaken on the information. Any Government regulations will only apply to businesses that hold the information electronically in a way that links the data to an individual consumer e.g. purchase history, interest charges and penalty charges on a credit/ debit card.

* Although midata data should be disclosed in a commonly used machine readable format the Government will not specify a particular format.

* Third parties can have a role in accessing and analysing data on behalf of consumers provided a third party is properly authorised. However, this brings with it concerns about data security and privacy as well as increased compliance costs for business. The Government has set up a working group to help ensure that where a consumer wishes to provide its midata data to a third party, (i) the consumer retains control over the data and how it is used, (ii) their privacy remains fully protected, and (iii) the consumer does not become subject to data misuse and exploitation. The place of trusted, reputable third party services to assist vulnerable consumers to access midata and act as advocates was recognised.

* Government may introduce charges for access to midata and a timeframe for responding as part of any regulations under secondary legislation.

* The ICO is the lead enforcer of the midata regime although the Government is considering granting concurrent enforcement powers to sector regulators e.g. the FSA.

* The Government argues that midata will increase competition since it will give consumers the ability to compare available options from suppliers.

Will it work?

While the Government’s aim to help consumers enjoy better access to their data may be laudable it is not clear how effectively midata will work in practice. At this stage it is evident that it depends on Government encouraging other big players – such as other banks or MNOs – to sign up. But in a time of economic fragility, what incentives are there for organisations to develop systems to facilitate midata access? In all likelihood, the Government’s big stick will come out at some point. First in line for regulation are likely to be the core sectors identified in the Government’s response – energy, mobile and banking.


What to do when you can’t delete data?

Posted on October 2nd, 2012 by

How many lawyers have written terms into data processing contracts along the following lines:  “Upon termination or expiry of this Agreement, the data processor shall delete any and all copies of the Personal Data in its possession or control“?

It’s a classic example of a legal clause that’s ever so easy to draft but, in this day and age, almost impossible to implement in practice.  In most data processing ecosystems, the reality is that there seldom exists just a single copy of our data; instead, our data is distributed, backed-up, and archived across multiple systems, drives and tapes, and often across different geographic locations.  Far from being a bad thing, data distribution, archival and back-up better preserves the availability and integrity of our records.  But the quid pro quo of greater data resilience is that commitments to comprehensively wipe every last trace of our data are simply unrealistic and unachievable.

Nevertheless, once data has fulfilled its purpose, deletion is seemingly what the law requires.  The fifth principle of the Data Protection Act 1998 (implementing Article 6(e) of Directive 95/46/EC) says that: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.“  So how to reconcile this black and white approach to data deletion with the reality of modern day data processing systems?

Thankfully, the ICO has the answer, which it provides in a recently-published guidance note on “Deleting personal data” (available here).  The ICO starts off by acknowledging the difficulties outlined above, commenting that “In the days of paper records it was relatively easy to say whether information had been deleted or not, for example through incineration. The situation can be less certain with electronic storage, where information that has been ‘deleted’ may still exist, in some form or another, within an organisation’s systems.

The sensible answer it arrives at is to say that, if data cannot be deleted for technical or other reasons, then it should instead be put ‘beyond use’.   Putting data ‘beyond use’ has four components, namely:

  1. ensuring that the organisation will not and cannot use the personal data to inform any decision in respect of any individual or in a manner that affects the underlying individuals in any way;
  2. not giving any other organisation access to the personal data;
  3. at all times protecting the personal data with appropriate technical and organisational security; and
  4. committing to delete the personal data if or when this becomes possible.

Broadly speaking, you can condense the four components above into: “Delete it if you can and, if you can’t, make sure it’s stored securely and don’t let anyone use it”. Which is, of course, entirely sensible advice.

It does raise one interesting problem though:  what to do when the individual data subject requests access to his or her data that has been put beyond use?  Here, the ICO again takes a business-friendly view saying simply that “We will not require data controllers to grant individuals subject access to the personal data provided that all four safeguards above are in place.“  In other words, the business does not need to instigate extensive (and expensive) searches of records that have been put beyond use just because an individual requests access to his or her data – for the purposes of subject access, this inert data is treated as if it had been deleted.

But the ICO does issue a warning: “It is bad practice to give a user the impression that a deletion is absolute, when in fact it is not.” So the message to take away is this: make sure you do not commit yourself to data deletion standards that you know, in all likelihood, you can’t and won’t meet.   And, by the same token, don’t let your lawyers commit you to these either!

More indications about the new EU data protection rules

Posted on November 17th, 2011 by

In an interview with the Washington Post, Viviane Reding, the EU Justice Commissioner, gave more indications about what we can expect from the tougher European regime that is in the pipeline.

The key points are:

* “Our reforms are aimed at getting rid of the fragmentation and providing consistency and coherence for the whole of the continent”. This is the clearest sign yet that we can expect a Regulation directly applicable in all Member States, as opposed to a Directive, which is subject to national implementation.

* “Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place”. Not only tougher substantive rules, but also more heavy-handed regulation are likely to be on their way. If so, we can expect more disputes and litigation.

* “We do have a set of rules today that is not always applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules”. The proposals may also include a mechanism to ensure at least some degree of consistency in the application of data protection rules across Member States; a supra-national data protection regulator perhaps?

* “It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union”. As expected, the new instrument will attempt to further empower consumers, particularly by imposing a requirement for explicit consent before their data are used and by introducing a right to have their data deleted at any time.

* “Data breaches is one of the questions that is very high on the agenda [...] We will extend the telecom rules to the Internet”. As expected, the mandatory breach notification obligations currently applying to Telcos and ISPs will be extended to internet services, online traders and private-sector medical records, and possibly to the broader economy.

The interview can be found here: