can data protection regulation ever keep pace with technological change? jonathan bamford assistant...
TRANSCRIPT
Can data protection regulation ever keep pace with
technological change?
Jonathan Bamford
Assistant Information Commissioner
Are our DP laws stuck in time?
• OECD Privacy Guidelines 1980
• Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) 28 January 1981 & Protocol (ETS No 181)
• What did information handling look like back then?− PC’s…Internet…mobile communications…CCTV…
RFID?
Are our DP laws stuck in time?
• UK Data Protection Act 1984
• European Union Directive 95/46/EC
• UK Data Protection Act 1998
• Even since then there has been substantial changes in personal information handling
All have a similar set of core standards
UK DPA 1998 requires personal data to be− processed fairly and lawfully− obtained only for specified and lawful purposes and further
processed only in a compatible manner− adequate, relevant and not excessive− accurate and up to date− kept for no longer than necessary− processed in accordance with the rights of data subjects− kept secure− transferred outside the EEA only if there is adequate
protection
Are these standards still relevant today?
• ICO Research 2004-“Public attitudes to deployment of surveillance techniques in public places”− Chose privacy rules almost same as the DP
Principles
• IC commissioned research with Small and Medium Sized Enterprises in 2004− 73% think DP principles are good for business− 91% agree that privacy is important to customers
Moves to particularise
• European Union Directive on Privacy and Electronic Communications- 02/58/EC
• UK Privacy and Electronic Communication Regulations
Constitutionalisation of DP
• Articles 7 & 8 – Charter of Fundamental Rights of the European Union – Nice, 7 December 2000
• Proposed EU Constitution
Areas of wear and tear
• Definitions- personal data, transfers, personal use- arsing from Durant and Bodil Lindqvist cases
• Better regulatory powers to deal with telemarketing/spam
• Need for proactive tools such as audit/inspection and privacy impact assessments
The challenge for DP regulators
• Make sure the existing requirements are understood (lessons of ICO ‘Make Data Protection Simpler’ project)
• Work together to clarify and enforce
• Be proactive
• Make sure we have the right tools for the job
Conclusions
• The core of the existing law is still relevant and effective
• Some of the defining terms are struggling to keep pace
• Better tools are needed to deliver compliance
Any Questions?
Information CommissionerWycliffe HouseWater Lane WilmslowSK9 5AFUnited Kingdom
Switchboard. 01625 545 700Helpline. 01625 545 745
Email. [email protected]
www.informationcommissioner.gov.uk