Sunday, July 21, 2013
More data protection questions
Over at Politics Home, Helen Goodman MP has outlined a fairly disturbing case which she says highlights the inadequacy of the UK's data protectoin laws:
On 12 May, The Sunday Times reported that EE had sold to Ipsos MORI the personal data of 27 million mobile phone users, including their gender, age and postcode, the websites they visited, the time of day texts were sent, and the location when the texts were sent. Customers were clearly not aware that their data were being handed on and used in this way. Ipsos MORI then met with the Metropolitan police to discuss selling the data on. These data go beyond anything the police can get without an application under the Regulation of Investigatory Powers Act 2000, of which in 2011 only 2,911 such orders were given.
The day after reading that article, I wrote to Ed Vaizey asking whether he had had a report from the Metropolitan police, whether the Government believe that it is right that a larger range of data are being used and sold than is allowed under RIPA, and what action the Government are taking to protect our citizens.
Because I did not receive an answer for two months, I wrote to the mobile phone companies and the Information Commissioner’s Office, most of which provided full responses. All the companies said they believed that their practices fell within the Data Protection Act 1998 and that the data had been anonymised as defined in that Act. The ICO said that having datasets with names or addresses stripped out and aggregated into groups of 50 “does not enable particular individuals to be identified”.
Unfortunately that is not the case. By combining these data with other datasets—for example, those of the Land Registry—individual people can be identified. In March this year, Nature published a report by academics which concluded that:
“in a dataset where the location of an individual is specified hourly…four spatio-temporal points are enough to uniquely identify 95% of the individuals...”
The current law is inadequate to protect people’s privacy, partly because there has been significant technological change since 1998. Furthermore, the current consent rules are completely inadequate. For consent to be meaningful, it needs to be explicit, informed and freely given, not buried somewhere in paragraph 157 of the terms and conditions.
I think Helen Goodman is right. 1998 is an age away in new technology terms. Things have moved on significantly. We need a full expert review and a new Act of Parliament that gives people back control over their own data, especially that held by private companies.
On 12 May, The Sunday Times reported that EE had sold to Ipsos MORI the personal data of 27 million mobile phone users, including their gender, age and postcode, the websites they visited, the time of day texts were sent, and the location when the texts were sent. Customers were clearly not aware that their data were being handed on and used in this way. Ipsos MORI then met with the Metropolitan police to discuss selling the data on. These data go beyond anything the police can get without an application under the Regulation of Investigatory Powers Act 2000, of which in 2011 only 2,911 such orders were given.
The day after reading that article, I wrote to Ed Vaizey asking whether he had had a report from the Metropolitan police, whether the Government believe that it is right that a larger range of data are being used and sold than is allowed under RIPA, and what action the Government are taking to protect our citizens.
Because I did not receive an answer for two months, I wrote to the mobile phone companies and the Information Commissioner’s Office, most of which provided full responses. All the companies said they believed that their practices fell within the Data Protection Act 1998 and that the data had been anonymised as defined in that Act. The ICO said that having datasets with names or addresses stripped out and aggregated into groups of 50 “does not enable particular individuals to be identified”.
Unfortunately that is not the case. By combining these data with other datasets—for example, those of the Land Registry—individual people can be identified. In March this year, Nature published a report by academics which concluded that:
“in a dataset where the location of an individual is specified hourly…four spatio-temporal points are enough to uniquely identify 95% of the individuals...”
The current law is inadequate to protect people’s privacy, partly because there has been significant technological change since 1998. Furthermore, the current consent rules are completely inadequate. For consent to be meaningful, it needs to be explicit, informed and freely given, not buried somewhere in paragraph 157 of the terms and conditions.
I think Helen Goodman is right. 1998 is an age away in new technology terms. Things have moved on significantly. We need a full expert review and a new Act of Parliament that gives people back control over their own data, especially that held by private companies.
Labels: ID
