GDPR - the end of the private pint?
25 - 06 - 2020
Our public houses may soon be filled with raucous merriment once more, and for some, it may be the first time they have assumed the mantle of a Data Controller under the new data protection regime. There are of course many problems that we will have to overcome, and further guidance is still required from the powers that be, but until then these are the issues that worry me the most and largely remain undetermined.
Voluntary or mandatory?
Big Brother Watch believes that any such scheme should be voluntary, but I would question the efficacy of that approach. If we make the scheme voluntary then it may destroy the benefits we are seeking to achieve whilst still potentially putting individuals' data at risk. I would much rather see a mandatory collection being enforced at my local pub and be assured that it at least has a chance at being effective, rather than relying upon the good nature of people who frequent that establishment to effectively volunteer (or have to remember to provide) such information. Whilst all known data protection guidance to date will tell you that, where you can provide your services without the collection of personal data, you must not make the use of your services conditional upon the provision of that personal data, I disagree that this is an appropriate way to deal with this crisis. We should not forget that Covid-19 is not done, it isn't over, and we are absolutely nowhere near the end. Only by working together and making necessary sacrifices can we hope to leverage technology and data to combat this scourge in any meaningful and effective way. Don't create risks if they barely stand a chance of providing a benefit.
If you are reading this thinking "nonsense, it is still better than nothing!", I'd ask you to really consider whether it is actually better or preferable to having nothing in place at all. Throughout the course of modern history people have placed too low a value on the importance of keeping their personal information secure, and it is only recently that we have realised the true potential for abuse that exists where one person or entity holds a massive amount of data about multiple people. We have seen the increased fines following corporate abuse/disregard of privacy laws, but what hasn't been made more visible and real is the potential for abuse that exists at an individual level. That is now a real concern. Consider the employees who will now be in a novel position to hold some power over their customers by potentially having access to information that identifies them and where they live; we had better all start tipping better.
Not if it is going to be used and abused by individuals or corporate interests. A woman who has been identified only as Jess (wise-move) has received a barrage of unwanted digital attention from a Subway sandwich maker, who had taken her details from a contact-tracing form.
Jess told the Newshub website in May: "I felt pretty gross, he made me feel really uncomfortable."
Women such as Jess are clearly at higher risk than men of such unwanted advances, but there are concerns that other segments of society may face a disproportionately increased risk of similar unwanted attention and harm based on their gender, race, sexual orientation and other characteristics. The risk of putting data into the hands of individuals relies upon their understanding the negative consequences that await them should they breach privacy laws. Unfortunately, I don't think there has been enough media attention to make this risk clear to individuals who may believe, quite mistakenly, that only the big data companies need to worry about that sort of thing. They couldn't be more wrong, and the ICO have their work cut out for them to raise awareness in this area, even though they maintain a name and shame list for this purpose. I've commented on these fines and summarised some of the facts surrounding them in this article in case you are interested and want to learn more about the fines that individuals tend to face.
Privacy by designation?
Privacy by design is a commonly accepted principle these days, and building privacy into the design of a system from the ground up starts with asking what data you need and why, and trying to minimise the amount of data you collect in the first place. One way this is implemented is by assigning a number or an alphanumeric reference to an individual's contact data, so that the working records carry only that reference and no other identifying data; this is sometimes referred to as pseudonymisation (as opposed to anonymisation, where you wouldn't be able to track back through the data to discover someone's identity). This could be one way in which we overcome the current challenge of reducing the risk of abuse of contact-tracing data, but it has its drawbacks. Namely, that someone has to keep a list somewhere that links all the individuals back to that data.
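To make the pseudonymisation trade-off concrete, here is a small added example (my own illustration, not code from the article or from any contact-tracing scheme it mentions). The venue's register holds only a random reference, a table number and a check-in time; a separate key holder keeps the one list that maps references back to contact details, which is exactly the residual risk the paragraph above points out. The names, phone numbers, tables, the two-hour exposure window and the eight-week retention period are all constructed values for the demonstration.

```python
import secrets
from datetime import datetime, timedelta

# Assumed retention period for the venue register (constructed for the example).
RETENTION = timedelta(weeks=8)


class KeyHolder:
    """The one party that keeps the reference -> contact-details list.

    This is the 'list somewhere that links all the individuals back' and is
    the part of the design that must be protected and access-controlled."""

    def __init__(self):
        self._contacts = {}

    def issue_reference(self, name, phone):
        ref = secrets.token_hex(8)  # random, so it reveals nothing about the person
        self._contacts[ref] = {"name": name, "phone": phone}
        return ref

    def resolve(self, refs):
        """Re-identify a set of references; only the key holder can do this."""
        return {r: self._contacts[r] for r in refs if r in self._contacts}


class VenueRegister:
    """What the pub itself stores: reference, table and time only."""

    def __init__(self):
        self.entries = []

    def check_in(self, ref, table, when):
        self.entries.append({"ref": ref, "table": table, "when": when})

    def fields_held(self):
        """Field names present in the register (shows no name/phone is kept)."""
        return sorted({k for e in self.entries for k in e})

    def exposed_references(self, case_ref, window):
        """References of everyone at the same table within `window` of any
        visit by `case_ref`, excluding the case itself."""
        exposed = set()
        for visit in (e for e in self.entries if e["ref"] == case_ref):
            for e in self.entries:
                if (e["ref"] != case_ref and e["table"] == visit["table"]
                        and abs(e["when"] - visit["when"]) <= window):
                    exposed.add(e["ref"])
        return exposed

    def purge_expired(self, now):
        """Delete entries older than RETENTION; return the number kept."""
        self.entries = [e for e in self.entries if now - e["when"] < RETENTION]
        return len(self.entries)


def trace(register, key_holder, case_ref, window=timedelta(hours=2)):
    """Full flow: the venue yields references only; the key holder resolves them."""
    return key_holder.resolve(register.exposed_references(case_ref, window))


def demo():
    """Constructed sample evening: three visitors across two tables."""
    kh, reg = KeyHolder(), VenueRegister()
    jess = kh.issue_reference("Jess", "021 000 0001")   # constructed details
    sam = kh.issue_reference("Sam", "021 000 0002")
    kim = kh.issue_reference("Kim", "021 000 0003")
    t0 = datetime(2020, 6, 25, 19, 0)
    reg.check_in(jess, table=4, when=t0)
    reg.check_in(sam, table=4, when=t0 + timedelta(minutes=30))
    reg.check_in(kim, table=9, when=t0)
    return kh, reg, jess, sam, kim


if __name__ == "__main__":
    kh, reg, jess, sam, kim = demo()
    print("venue register holds only:", reg.fields_held())
    print("contacts of Jess's visit:", trace(reg, kh, jess))
    print("entries left after retention purge:", reg.purge_expired(datetime(2020, 9, 1)))
```

The point of the split is that an employee reading the venue register sees nothing but references, tables and times; re-identification requires the key holder, whose list is the single store that a breach or a misuse would target, and the retention purge limits how long even that exposure lasts.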
One of my personal favourites: the QR code! (My marketing guy hates me as I want them on our business cards)… New Zealand has adopted this approach to protect individuals' privacy and reduce the man-hours required for small businesses to collect and process data, whilst also reducing the overall risk of providing personal data in the first instance. In late March the New Zealand privacy commissioner had been advocating the use of paper forms for data collection, which were to be retained for 8 weeks. It was this system that led to Jess (above) being unfairly pestered, and that publicity may have sped up the roll-out of the QR system.
It is unclear as to whether or not it would be sufficient to have one person (a friend) volunteer their contact details whilst they make a note of the others in their party who joined them for a particular meal/drink. This would minimise the overall volume of data collected but it would then rely on individuals to keep records of the friends they visited with at the time.
This scenario demonstrates the inherent conflict that we currently face between deciding to take an effective yet intrusive approach versus a patchy but privacy-safe approach.
Whilst mature Data Controllers like Facebook and Google may have the processes in place to appropriately demonstrate their assessment of risk in coming to a decision on the apparent dichotomy between these two approaches, the same cannot be said of small to medium sized businesses, whose business is not in data, and who do not have the same access to legal advice to ensure that their processing complies with what are arguably some quite complicated and decentralised laws and guidance notes.
The Real Problem
Personal data is a hot potato that no-one wants to hold right now, excluding of course those whose value has been rather infamously built upon its collation. Whilst a QR code is an effective (and really cool) solution, it requires someone to hold all the QR codes and the names of the individuals to whom they relate in one central database that can be called upon on demand, by an app for example. Storing large amounts of data in one place will always produce a risk to privacy if that data contains personal data. Without any prospect of reward, it is doubtful that anyone would willingly take on this burden (and if they do, we should carefully examine their motives for doing so).
If such a scheme is voluntary then, unless amnesty is provided for by the ICO, why should pubs voluntarily assume an entirely new and significant risk when there is no good commercial reason for them to do so? It will only cost them in the short/long run to comply, and the potential cost implications could be very significant.
When you collect personal data you usually become a data controller (someone has to) and that requires you to register with the UK's Information Commissioner's Office. There is a charge for that registration (starting from just £35) and I would expect this to either be waived during the Covid-19 crisis, or the ICO may set up a separate Emergency Controller designation for which registration may be free but where either the ICO or the secretary of state can revoke that status once the Covid-19 crisis is over. That kind of mechanism is very likely to be useful in the future when dealing with similar circumstances.
Registration is crucial to ensuring that some central record is kept for the purposes of the track and trace team understanding the scope of available data. Without any system in place, we would be left with a “suck it and see” system of calling up bars and restaurants to enquire about what data they have, rather than having a database of businesses (with up to date contact details) which would no doubt improve the efficiency of track and trace efforts.
The Government's guidance on the 23rd indicates that they will set up a system for businesses to use to help them comply with these requirements, and I would expect (hope) further detail to be provided over the weekend, in time to allow at least some businesses to read through what will undoubtedly be a long and cumbersome document generally pushing further responsibilities onto already strained small businesses. It may be that private actors are able to respond more quickly and provide suitable solutions to empower businesses to combat this crisis, or at least to offer a helping hand to those who have little or no experience in processing personal data. Having spoken to a few pub landlords, very few are aware of the guidance issued to date, and some are unaware of any guidance at all; communications must therefore be improved very quickly to address this and ensure that best practice advice is circulated promptly.
The coming months will test the limits of the new system of data protection that we have put into place, and whilst we may have to sacrifice further freedoms to ensure our short-term security, I for one want to see commitments by those in actual control over data (government, corporate, individuals) to ensure that things will revert to what they were before Covid-19, if and when this crisis passes. Until then, we all have a duty to use personal data in a responsible way, and we absolutely must defend those protections as and when the need to erode them has dissipated.