Data Privacy Day 2014 – the road ahead

The UK’s Information Commissioner marked this year’s European Data Protection Day by tweeting a day in the life of the Information Commissioner’s Office (ICO) – available on Storify.

A group of researchers at City University London decided to mark the day in their own way by running a research seminar on data privacy issues.  The three papers presented by researchers in the School of Informatics at City reflect the diversity of current interest in data privacy.

My colleague Cher Devey provided an excellent overview of the relationship between privacy and security.  As well as covering some of the technical issues she highlighted European and UK legislation that is in place or being developed to address privacy issues.

Jonathan Turner talked about the impact of data privacy on his research in health informatics.  He particularly focused on anonymisation and pseudonymisation of personal data following the code of practice issued by the ICO in 2012.  Anonymisation is an irreversible process to separate the identity of an individual from other data associated with them (which may be biometric, or survey responses for instance).  Pseudonymisation gives the personal data an alternative identity so that all the data associated with that individual can be connected.

My paper on privacy in social networks identified some of the risks that individuals face when they put personal profiles up on services such as Facebook, LinkedIn or Twitter.  The risks identified include: bullying, fraud, nuisance, loss of dignity, and discrimination.  The focus of my most recent research has been on identifying personal risks and development of a typology of risk which can be tested through the peer review process.

The idea that “the age of privacy is over” (reputedly said by Mark Zuckerberg in 2010) has largely been discredited.  Some surveys suggest that privacy is still a real concern, especially among young adults.  We can respond to these challenges in a number of ways which can be broadly classed as forms of regulation.  Baldwin, Cave and Lodge, in their excellent book Understanding Regulation, identify three forms of regulation:

I. As a specific set of commands
II. As deliberate state influence
III. As all forms of social or economic influence

Building on Lessig’s model of internet regulation, my own research has identified four main modes of regulation in the UK for personal data on social networks (with reference to Baldwin et al’s definitions above):

  • Legislation (I) – the Data Protection Act and associated regulations, and the proposed European Data Protection Regulation
  • Self-regulation (III) – measures taken by the social networking service providers, such as industry codes of practice, privacy policies and EULAs
  • Privacy by design (II & III) – privacy defaults on SNSs, encryption of personal data, privacy settings, privacy by design initiative promoted by the ICO
  • User behaviour (III) – user education and expectations, a ‘highway code’ for internet users, initiatives by the ICO are an example of this

This will be the focus of my next tranche of research when I start to look at attitudes to regulation by different stakeholder groups.  I plan to use this as one means of comparing the different regulatory modes.

A slide set for each presentation (pdf) can be found here:

Privacy and security: same beast? Cher Devey

NHS and clinical records privacy. Jonathan Turner

Privacy and Risk in Social Networks. David Haynes

About the author

David Haynes

David is a Director of Aspire². His interests lie in metadata, information taxonomies and information governance. He is an experienced PRINCE2 practitioner. David leads courses on his specialist areas and is author of ‘Metadata for Information Management and Retrieval’. He is currently researching the regulation of information at City University, London.