Yesterday was European Data Protection Day. Did you miss it?
On 28th January 2009 the UK Information Commissioner celebrated European Data Protection Day (Celebrated what? Is there a commemorative postage stamp?) by creating and getting people to sign the Personal Information Promise.
Oh.
Good.
Yes, anything that makes people think about the safe custody of personal information is a good thing.
The Personal Information Promise, eh?
Well, it's on the UKIC's site.
And it has precisely no power. None. Zilch.
Oh, I expect if anyone complains to the UKIC about one of the signatories they'll be told, "Gosh, you broke the promise as well as the law. Still, since you have now stopped doing that we'll let you off with a strongly worded letter."
So what does this exciting promise say?
You're going to love it!
I on behalf of promise that we will:

1. value the personal information entrusted to us and make sure we respect that trust;
2. go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;
3. consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;
4. be open with individuals about how we use their information and who we give it to; [that would be "whom". Dative not nominative.]
5. make it easy for individuals to access and correct their personal information;
6. keep personal information to the minimum necessary and delete it when we no longer need it;
7. have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;
8. provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don't look after personal information properly;
9. put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
10. regularly check that we are living up to our promises and report on how we are doing.
Ah. So that's all right, then. We'll feel so much safer now. Especially when we read the FAQs on the site.
This is obviously Data Protection in Action.
So why am I so cynical?
Look, the act was made into law in 1998. This is 2009. There have been no significant prosecutions or heavily publicised enforcements. The whole thing has a department behind it that takes for ever to respond to complaints, and either can't enforce or doesn't enforce when it finds a breach.
And there's even a rumour going round Data Protection circles that the incoming UKIC in July was selected in order to be less tough than the current incumbent.
So, let's all sign up for a new badge. Ah no. The great signing was yesterday on European Data Protection Day!
Who's "in" so far?
- Action for Children
- Acxiom
- Astra Zeneca
- Belfast City Council
- British Gas
- BT
- Callcredit Limited
- Dudley Primary Care Trust
- Experian
- Equifax
- Field Fisher Waterhouse
- Greater Manchester Police
- Informing Healthcare
- Isle of Anglesey County Council
- NHS Information Centre
- Northern Ireland Association of Citizens Advice Bureaux
- Royal Mail
- T-Mobile
- Unison
- Vodafone
Well, good for them. I hope that they are in because their data protection team is using the promise to beat up their senior management and make them comply properly. But this is really a load of puffery about nothing.
Unless, of course, you think different?

