Private Lives in a Database World
Richard Thomas CBE
Adviser - Centre for Information Policy Leadership @ Hunton & Williams
ICAEW - IT Faculty Annual Lecture, 6 December 2010
Surveillance Society 2010
• Devices - smaller, cheaper, more powerful, more connected, more storage
• New tools for aggregating, analyzing, and distributing data
• Surveillance equipment with biometric capabilities
• Ubiquitous computing; Internet of Things; Sensor networks
• Smart buildings, Smart transport, Smart healthcare
• Total amount of data connected to the Internet
  – 2001: One petabyte (10^15 bytes)
  – 2006: One exabyte (10^18 bytes)
  – 2010: One zettabyte (10^21 bytes)
• By 2020: Billion+ computers, 10 Billion+ communications appliances, 100s of Billions of sensors embedded in other machines
2010 Political Developments
• Election Manifestos
• ID Cards
• ContactPoint
• Independent Safeguarding Authority
• Intercept Modernisation Programme

Harms and Risks
• Threats to fundamental rights and freedoms
• Harm to individuals – economic, social, autonomy/dignity
• Harm to organisations – reputational, financial, operational
• Harm to society – relationships, trust
• Risks – how likely, how serious?

Benefits of Technology
• For Individuals – access, information, choice, lower prices, personalisation, safety, quality of life, “remembering”
• For Society – public protection, law enforcement, public services, research
• For Prosperity – innovation, efficiency
• Popularity of technology: virtual world = real world
• Dangers of legislators and regulators imposing their views

Regulatory approaches to avoid
• Ineffective at delivering objectives
• Unduly burdensome
• Unintended consequences
• Vague or unintelligible
• Excessively prescriptive
• Discredited or widely ignored

For example…
• Notification
• Excessive reliance on Notice and Consent
• Uncertainties over definition of “personal data”
• Convoluted and prescriptive conditions for processing
• Controller / Processor distinction
• Unrealistic approach to international transfers

2020 Vision – Criteria for a modernised and globalised regulatory framework
• Based on clear objectives – outcome based
• Reflecting – and “gently” leading – social norms
• Ensuring balance between benefits and harms
• Cast in relevant / accessible language
• Technologically neutral and forward-looking
• Imposing minimum standards; encouraging good practice
• Internationally compatible or inter-operable

2020 Vision – Components
• More focus on use than collection
• Tough line on non-compliance with privacy claims
• Priority for public sector
• Not beyond “reasonable and legitimate expectations”
• Emphasis on Information Governance
• Accountability

Legitimate and reasonable expectations
• Security
• Accuracy
• Confidentiality / non-sharing where that is the norm
• Time-limited retention
• Common sense / proportionality / balance
• Transparency, but not overload
• No mis-information
• Trust

Information Governance
• Governance and Accountability
• Technology
• Privacy by Design
• Policies
• Procedures
• Contracts
• Compliance
• People

Accountability – A Global Trend
• OECD Principles
• APEC Privacy Framework
• Binding Corporate Rules (BCRs)
• CIPL Galway and Paris Initiatives
• Article 29 WP Opinions
  – Future of Privacy (Dec 2009)
  – Accountability (July 2010)
• EC Communication (Nov 2010)

Essential Elements of Accountability
• Organisational commitment to tailor-made internal policies which elaborate the general Principles
• Mechanisms to develop and put policies into effect, including procedures, technologies, training and education
• Systems for ongoing internal oversight, assurance reviews and external verification
• Focus on risks and outcomes
• Transparency
• Readiness to demonstrate the chosen approach to compliance

Article 29 WP’s July 2010 Opinion
• “Data protection must move from theory to practice. Legal requirements must be translated into real data protection measures.”
• Accountability seen as a key reform alongside Privacy by Design and more effective powers and sanctions
• “One size does not fit all”
• Internal / external audits / certification
• 2nd “voluntary” tier – going above and beyond minimum legal requirements

Regulatory Implications
• Focus on implementing – not replacing – existing Principles
• Shift from ex ante towards ex post regulation
• Substitutes for Notifications and Prior Approvals
• Enables prioritisation and better use of resources
• Brings subtlety to sanctions
• Brings sanity to international transfers
Accountability in Practice
• Answerable for decisions, behaviours and results in practice, not box-ticking
• Policies, Procedures, IT, People
• Policies and procedures:
  – Binding written data protection policies and procedures
  – Bespoke – right for the organisation, reflecting actual risks
  – Reflecting applicable laws, regulations and industry standards
Accountability in Practice
Executive Commitment
• CEO, COO or General Counsel
• Risk or Audit Committee
• Statements of Internal Control
Responsibility and delegation
• Chief Privacy Officer (CPO) with real influence
• Staff / advisers who know the business
Education and awareness programmes

Accountability in Practice
Risk assessment and mitigation
• Understand and mitigate the privacy risks raised by on-going and new products, services, technologies and business models
• Privacy Impact Assessments and Privacy by Design
Event management and complaint handling
• Procedures for responding to inquiries, complaints and security breaches
Consumer Care
• Plain English Privacy Notices (see ICO Code)
• Websites; Customer help-lines
Redress
• Remedies for those whose privacy has been infringed
Internal enforcement
• Internal enforcement and discipline for non-compliance

Validation and certification
• Intent and implementation
• Internal validation / assurance essential
• External validation or certification: Regulator? “Trusted 3rd Party”? Self-certification? Traffic Lights?

From BCRs to Binding Global Codes
• 63,000 multinational corporations, with 821,000 subsidiaries
• Countless more SMEs involved daily in international transfers of personal data
• BGC Framework built on an explicit foundation of Accountability
• Organisation accepts responsibility for fulfilment of its BGC
• BGC tailored to the business model, but must meet minimum requirements, e.g. International DP Standards
• Approved? Certified? Self-certified?
• Domestic application