On Thursday 5 July, the Information Commissioner will launch his Annual Report 2011/12 in the form of a webcast – available from 14:00 on Thursday 5 July, when you will be able to watch the webcast from this link. So we thought that this would be a good moment to give an airing to the views of our favourite survey practitioner, Dan Wardle of Surveylab, who asks the simple question – Who’s got your Data Now, Baby?
Taking Security for Granted
When we are “processing” data, we like to think that we are following that well-known guideline – do no evil – but as access to and sharing of data gets easier and more efficient with advances in technology, how many of us take security for granted?
Without looking it up, how many principles of the Data Protection Act are there? Answer here. The eighth principle of the Act says thou shall not store personal data in a country outside the EEA or where they have privacy laws that don’t quite stack up. So, question two:
The U.S.A, does it:-
- have an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data?
- Answer: No, it does not (Canada does).
Now look at all those “cool” services and apps you have in the “cloud”. Where are they physically hosted (located)?!
Have you ever read websites’ terms and conditions? On a document collaboration website a while back I read this:
if you submit any other information to us, including any data, variables, comments, remarks, suggestions, ideas, notes, drawings, graphics, concepts, or other information, you are giving that information, and all your rights in it, to us free of charge, and that information will be treated as non-confidential and non-proprietary and may be used by us for any purpose, without your consent or any compensation to you or anyone else.
We didn’t use the service – I find what they’re entitled to do with the contents of our documents scary.
The important action to take is to check or ask someone before blindly ticking the Agree box, and think a moment about security. It isn’t easy to see which websites are tin pot (not that size is any guarantee) or run database backups to a computer under the programmer’s bed (true story from the dot com bubble, not me). And having raised the alarm on US practice, I have to add that many companies/websites in the US are enrolled in the EU SafeHarbor scheme which satisfies the eighth principle of the Data Protection Act. Not everyone is on the list, but you can check who is currently certified here.
Thanks, Dan, for these thoughts – it would be ironic, given the strenuous efforts that the NHS makes to safeguard our data, if, when it goes overseas – think of your next ‘free’ survey – it is treated in ways suggested by the quote above.