Can we keep your data please?




Presentation from BILETA 2011




  • Autonomy by design?
  • Autonomy by design?
  • Again, autonomy by design. And bring in the concept of collaborative consent (refer them to the paper)
  • Can talk about the other rights – the right to roam with privacy: ‘Can we gather your data please?’

Can we keep your data please? Presentation Transcript

  • ‘Can we keep your data please?’ … and other necessary questions
    • Paul Bernal – University of East Anglia
  • Personal data on the internet
    • Massive amounts are held
    • Current commercial models rely on it
    • The data that is held is vulnerable – and may be increasingly so
    • The existence and use of that data is something that concerns people – and rightly so
    • It’s our data, isn’t it??
  • Personal data in the new internet
    • The Google/Facebook model
    • Behavioural tracking
    • Commercial data gathering
    • The market in personal data
    • Government/private sector cooperation
  • Data vulnerability
    • Physical loss – e.g. HMRC/MOD data losses
    • Hacking
    • Vulnerability to government action:
      • Subpoenas, USA PATRIOT act, Data retention
      • Swiss banking data/Chinese Google hackers
    • Commercial vulnerability
      • T-Mobile data-selling scandal
      • Changes of ownership etc
    • Leaking
      • For good reasons.. (Wikileaks??)
      • … and bad (ACS: Law??)
  • What can be done?
    • Systematic culture change – emphasis on data security
    • More powerful, better resourced and better supported data protection systems
    • Better use of technological protection – encryption etc
    • More community awareness of the issue
  • But there will always be problems:
    • Human errors
    • Human malice
    • Technological errors
    • Community pressures
    • New technological and business ideas
  • The only way for data to be truly safe … is for it not to exist
  • Data minimisation
    • Already a principle within data protection, but one that is effectively paid only lip-service
    • It needs to be better enforced – both better detected and more harshly punished.
    • Punishments for data protection breaches are generally for losses or inappropriate processing, not for failures of data minimisation
    • Needs to be put more in the hands of the data subjects
  • New business models
    • The drive behind the current web model has been the business concepts of Google and Facebook
    • New business models could bring about new changes – but how to get them to happen?
    • We need a change in assumptions – that unless you have a strong NEED to hold data, you should not hold that data
    • Data holders need to ask ‘Can we keep your data please?’
      • … and respect the answer!
  • A right to delete?
    • Currently it is the business that decides whether data should be held, anonymised or deleted
    • If that decision is put in the hands of the data subject, businesses would think twice before using business models that rely on the data being held
    • Instead, they might look for ways to use the data immediately, then discard it
  • A right to delete?
    • Not the same as a ‘right to be forgotten’ – qualitatively different
    • ‘Forgotten’ is an emotive word, the right can be misunderstood, and opposed unnecessarily
    • This is not re-writing history, or restricting journalists
    • Not a tool for the rich and powerful to retain their power – though that risk is always present
  • A right to delete
    • A change in paradigm. The assumption is that data can and should be deleted if the data subject wants it, unless there are pressing reasons the other way
    • The right needs to be made easily applied – access to data and then the ability to delete it directly on the web
    • Part of a shift in the nature of data protection – putting the focus on the rights of the individual, not on the obligations of the data controllers
  • When can data be held?
    • Paternalistic reasons – for the benefit of the individual (e.g. medical data)
    • Communitarian reasons – for the benefit of the community (e.g. criminal records)
    • Administrative or economic reasons – for the benefit of society (e.g. tax records, electoral rolls)
    • Archival reasons – for a good, accurate and useful historical record (e.g. newspaper records, British Library ‘right to archive’)
    • Security reasons – for national security or criminal investigations (e.g. data retention laws)
  • Business reasons … are not enough
  • Deletion and anonymisation
    • Closely related – and complex
    • Data can relate to more than one individual
    • Data controllers might offer the option to anonymise rather than delete – but it should be the data subject’s option
    • Anonymisation in itself is contentious and more often reversible than people suspect
  • Data protection principles
    • The right to delete extends and improves implementation of data protection principles
    • First point is better data access rights
    • Second is putting data minimisation in the hands of the data subject
    • Important to ensure that this right does not replace the data controller’s responsibility for data minimisation, but adds to it
  • Implications
    • Gives individuals more control and autonomy
    • Forces those holding data to justify why they’re holding it – in such a way that users understand
    • Encourages the development of better business models
    • Could end up supporting individuals even in places where data protection doesn’t apply – because the big businesses develop global business models
  • … and other necessary questions
    • ‘Can we gather your data please?’
      • … a right to roam the internet with privacy
    • ‘Can we do THIS with your data?’
      • … collaborative consent
    • ‘Do you mind if we watch you?’
      • … a right to monitor the monitors