There is some scepticism about the effectiveness of the Data Protection Act for regulating access to personal data on social networks. I recently conducted two short surveys (April and May 2011) as part of my research at City University London. The surveys set out to identify the main issues that concerned users of social networks and the views of data protection and information governance professionals about the use of social network services in the workplace.
For the full 8-page report see Social_Networks_Haynes_ 2011.
Risks
The results of the surveys showed that while individual users and potential users of social network services were concerned about protection of personal data, workplace respondents were primarily concerned with risk to the organisation. Workplace respondents identified the following risks:
- Reputation risk to the organisation
- Liability for the actions of people posting on the site
- Accidental disclosure of information that could lead to loss of intellectual property
- Security breaches by exposing the organisation to malware
- Non-compliance with the Data Protection Act and other regulations
- Time wasting during work
Individual users (and potential users) identified the following personal risks:
- Harassment (e.g. stalking)
- Identity theft and fraud
- Abuse of personal data by advertisers (e.g. spamming)
- Loss of privacy (where personal data is shared beyond the original intended audience)
Protecting personal data
A variety of measures was considered for protecting personal data on social networks and indeed several respondents suggested that more than one regulatory method would be needed:
- Educating users or providing guidelines on use of social networks was the most frequently mentioned precaution.
- Monitoring and moderation of social network sites
- Technical measures such as software filters, or time-limited access
- Service providers taking greater responsibility for data security
- Users taking personal responsibility for what personal data they reveal
- Social network providers should take responsibility for protecting privacy
Data Protection Act
Legislation is a major part of the regulatory landscape. Many respondents felt that the UK’s Data Protection Act (DPA) was ineffective or only partially effective for protecting personal data on social networks. One expert suggested in an interview that the Section 30 (domestic use) and Section 36 (freedom of the press) exemptions excluded social networks from the provisions of the Act. Other concerns were about the inability to enforce the Act where the social network service is outside the EU. Ignorance about the provisions of the Act among users was also seen as a limiting factor.
In contrast, some respondents felt that the Data Protection Act was an effective tool for protecting personal data on social networks, especially in light of the Information Commissioner’s recently increased powers of enforcement.
Further work is proposed to look at how the legislation is applied in the workplace and to compare it to other means of regulating access to personal data.
David Haynes
August 2011


Thank you for sharing your report – it was very interesting.
I thought the suggestion from some respondents about social network providers improving their security and making the default of their security settings more protective was an interesting one. And also the realisation, how we are all facing the same challenges with regard to how to protect data, and in fact that most of the solution comes from education and behavioural change.
Reading the comments – a gut reaction feels like we are still in our infancy around this area, and a lot more needs to still shake down. I think option 1 of your possible next steps for investigation will be fascinating.