Sunday, April 11, 2010

House of Commons Justice Committee Related to The European Union's Data Protection-Retention Directives

In the first week of January this year (a link to video of Parliament online; please forward to about halfway through), the United Kingdom's Information Commissioner, Christopher Graham, spoke in the Wilson Room before the House of Commons Justice Committee. He was flanked by Stephen McCartney, Head of Data Protection Promotion at the Information Commissioner’s Office. As mentioned in a previous post just last month, the ICO has been lobbying extensively for fines to deter serious data breaches, and the lobbying gives the impression of working quite well: according to its front page, the ICO "expects its new power to issue monetary penalties to come into force on 6 April 2010, allowing the ICO to serve notices requiring organisations to pay up to £500,000 [$1M approx.] for serious breaches of the Data Protection Act." In other words, HUGE fines: finally some real deterrents for the list broker/reseller industry.

In the Committee, it was recommended that the European Union enforce data protection, but not jump into it without a comprehensive approach; in other words, reculer pour mieux sauter, as Mr Graham states: take a step back first, analyse the nuances and realities of how data is exploited, and then codify the law fittingly. The HOC Justice Committee met to avoid the patchwork of current legislation involved, as well as to take into consideration the fact that [Roman and Napoleonic Civil] Codified Law is very different from the Common Law practised in Great Britain. Civil and Common Law have very different approaches to managing data too: the former is considered in Common Law countries to be unnecessarily pragmatic (too literal, too much bureaucratic overhead), whilst Canada and the United States tend to take too much of a freely flowing data approach, without thinking of privacy and security considerations from the outset. In fact, the European Commission went so far as to sue Sweden for its lack of action regarding the E.U. Data Retention Directive.

The Face of Data Protection in the United Kingdom: Christopher Graham - see him at the Data Protection Officer Conference on March 3rd, 2010

As one can see in the video footage (forward to 26 minutes), Information Commissioner Graham is a man of candour, as was his grandfather Lance. Sir Lancelot Graham was known as idealistic, indefatigably hard-working and self-disciplined. He was not only a Governor of Sind (the Pakistani province of which Karachi is the capital) before the partitioning of India, but also President of the Commonwealth Society.

It is clear that action must be taken to discourage serious breaches of the Data Protection Act, but one of the first fundamental questions (referred to in the List of Data Protection Principles), as mentioned by Mr Stephen McCartney, Information Commissioner Graham’s experienced colleague, should be: what is the data being used for? Ultimately the goal is to prevent carelessness (i.e. not encrypting, or at the very least password-protecting, a backup placed on easily readable media) in the management of personal data within organisations, a space where the ICO has been very active lately; it even provides A Guide For Data Protection in Plain English on its site.

In sum, in the European Union, there is a need to clarify the laws related to the management of information, and it is great to see Information Commissioner Graham giving guidance openly. We have to treat data as the precious resource it is in our information-based society, simply because its mismanagement can cost us all, and not just in the E.U. With respect to a certain pension fund data management disaster I witnessed firsthand, it led, in part, to the loss of billions of dollars.
