I was pleased to be asked to speak at the launch of Demos’ new report on personal information on Friday. The report’s authors, Peter Bradwell and Niamh Gallagher, gave a solid introduction to the issues and then Information Commissioner Richard Thomas, comedian Natalie Haynes and I got to respond. You can download the report from the Demos website, and it’s well worth reading the whole thing.
These are the notes I spoke from, slightly tidied up.
My name is Bill thompson
My NI number is [redacted]
My mum’s maiden name is [redacted]
And my birth date is [redacted]
I’m telling you this because my kids’ child benefit goes to their mum, and I wanted to feel a connection to the other parents here this morning.
The exposure of personal information by HMRC in its interactions with the NAO, and the other cases that have come to light since, may well be a defining moment in the complex dance between the state and the citizen that characterises modern democracy.
And indeed in the dance between the private sector and the customer that characterises digital capitalism.
The specifics of the data involved are less important than the revelation that the offices of state consider my personal information less important than the lunch menu in the treasury.
The contempt that is now being revealed is breathtaking, and the sense of shock can only grow as we realise the inadequacy of any regulatory response – and of course efforts to strengthen the Information Commissioner’s powers which may result are to be welcomed.
The debate now begun will extend to cover the children’s database, the identity database and of course the myriad of private sector databases held by large companies from Tesco to Google.
We can attempt to opt out, of course.
I have here my Tesco Clubcard…
[at which point I took out the card and tore it in two. Not with one deft movement, of course – they’re stiff plastic. But the gesture was effective].
But we cannot easily opt out entirely. They’ll send me a new card – I’m still on their database, and indeed I’d probably have to go to Richard for a consent order to persuade them to delete my records, just as with Facebook.
I live a lot of my life online, and I expose a great deal of personal information there.
Anyone who cares to ‘friend’ me on Facebook – and yes, it is a verb now – will know that I was in Leicester yesterday, that I’m tired now and that I’m off to Newcastle later today.
This ‘personal’ use of personal data occupies a relatively new zone, subtly different from the ways private companies and the public sector store and use data.
It deserves closer analysis because while businesses and ministries have been collecting and collating data about citizens, subjects and customers for centuries it is only recently that most of us have assembled ‘databases’ – whether christmas card address lists or Google-indexed mailboxes – of information about our friends and family, or published our own structured data on social network sites.
Doing this creates difficulties.
One is the risk of data loss.
I have personal details of a few of you here on this unsecured storage device [waving my iPod Touch around] and there is not even a password to stop them finding Becky’s mobile number. I suspect many of you have the same sort of data storage devices on you right now.
Another is the risk that published data will be used against us.
Unruly Oxford students have been tracked down by the university authorities, a beauty queen in the USA has been blackmailed over supposedly private photos, and employees have been told that their employers may own any profiles or contacts lists they create using work computers.
And recently Facebook users have discovered that the new ‘Beacon’ service is advertising their activities on other websites to Facebook and hence to their networks, although here public pressure seems to have prompted a rethink.
We’ll need to keep a close eye on Mark Zuckerberg, though, since his instincts are clearly all wrong.
A big part of the problem is apparently that we are all giving away too much information that should remain secret, like our date of birth, address and even details of which schools we have attended or where we have worked.
This information should apparently be carefully protected because criminals can use it to fill in applications for credit cards or loans, stealing our identities and causing all sorts of problems.
This seems to be entirely the wrong way around.
I have never kept my birthday secret from my friends, partly because I like to get cards and presents, and I do not see why I should have to keep it secret from my online friends. If that means that other people can find out about it then the systems that assume my date of birth is somehow ‘secret’ need to adapt, not me.
Some things really are private and should be kept confidential, but modern society relies on data sharing, data mining and data use, and building systems which rely on the secrecy of easily available information seems to be foolhardy, as the report points out.
Partly this is about systems design. Any good computer system will ‘degrade gracefully’ – if it stops working then it will collapse elegantly and not simply fall over and display the Blue Screen of Death. The systems – public, private, and personal – that acquire, store, process and transmit data must be designed in the same way.
That means extra work on all sides.
It means extra work for those building hardware and software, for those developing systems and those creating regulatory environments.
It will mean more work for the Information Commissioner, but I’m sure he’s up to the task.
And it will mean more work for all of us, too. I’ll start by putting a password on my iPod.
Peter and Niamh have done us all a service today – now we need to ensure that we take full advantage of the opportunity their skills and HMRC’s ineptness offers us.
For me the key recommendation of this excellent report is that we “lead open discussions and debate to help build more secure, effective and appropriate technology for personal information”.
I’d like to see the Information Commissioner’s Office work with the Department for Children, Schools and Families to take this debate into schools as part of a broader IT literacy strategy, so that children grow up aware of these issues and able to take control of their own data destinies.