MANAGEMENT PRIVACY

there is the good of the general public, and the rights of the individual on the other hand,” he says.

“What is of legitimate public interest needs to be debated,” agrees Peter Gooch, a privacy expert at Deloitte. “The role of media organisations will need to be addressed; that is an exemption that will need to be discussed.” Another concern is for businesses that engage with their customers by encouraging them to contribute user-generated content. Brands with a strong following among consumers, or a loyal user base – in areas as diverse as hobbies, health and parenting – use online forums to allow consumers to share advice and ideas, and to build up a body of knowledge.

Then there are sites that take some, or even all, rights of ownership of information or data contributed by the public. YouTube, the world’s largest video-sharing site, claims the right to resell material posted by users. All could face some serious, practical issues, if the right to be forgotten – in its proposed form – becomes part of data protection law.

Then there are technical issues. If to ‘forget’ an individual’s personal data is to delete it, then something as mundane as restoring backup data to a failed server could fall foul of the new rules, if the backup tape contains details of a ‘forgotten’ individual.

As Charlotte Walker-Osborn, TMT sector leader at law firm Eversheds, has warned: “If the right extends to data held on any medium, there will be widespread havoc.”

Perhaps the most challenging issue is the degree to which the right to be forgotten will extend into an organisation’s internal database systems. In their current form, the proposed amendments appear not to distinguish between public-facing systems, such as social networks, and internal systems, such as CRM databases.

This is a potential minefield, as businesses routinely rely on customer data to perform even the most basic of functions. Could a company’s own customers, for whatever reason, withdraw their consent for it to use their data internally? Could companies be certain that all traces of customer data were removed if requested? Furthermore, government departments and healthcare providers will clearly need some exemptions from the right to be forgotten, as well as organisations such as banks, which will need to retain some information for compliance and tax purposes. The complexities of ‘the right to be forgotten’ in the context of social networks are just the tip of the iceberg.

Assuming that the EU proposals are not watered down – and that might still happen – it will fall to the local legislators, who will have to turn the EU directive into law, national information commissioners, who will have to police the new legislation, and companies’ own data guardians and legal advisers, who will have to interpret it, to make sense of these complexities. But until the detail of the regulations is known, the best advice for businesses, as Deloitte’s Peter Gooch suggests, is to ensure their own houses are in order. “The first step is to understand what the implications might be for your business. Understanding what data you have is vital if you are to know if you are compliant.”

Article by Stephen Pritchard

IAeditorial@vitessemedia.co.uk

Further reading:
www.information-age.com/im
www.information-age.com

Privacy in the UK: a refresher

Unlike other European countries, such as France, there is no general right to privacy under UK law. Instead, individuals’ privacy is protected by the European Convention on Human Rights, and the Data Protection Act. The Data Protection Act already gives individuals some important protections: The Information Commissioner’s Office can impose fines of up to £500,000 on organisations that breach the Act through the unauthorised release of data.

Individuals also have the right to see the data that is held on them – a subject access request – although businesses and organisations are allowed to charge £10 for a request, or up to £50 for health or education records. Organisations have 40 days to respond to a valid request, and must do so even if the data is held or processed by a third party, such as a marketing agency.

Companies can decline subject access requests if they would be very time consuming to grant, but guidance from the Information Commissioner’s Office says that this is likely to be legitimate “only in the most exceptional of cases”. The ICO would usually expect the organisation to provide access to the data in another form.

Although specific details on how the right to be forgotten will be implemented have yet to be issued, it is likely that UK regulations governing any right of individuals to have their information deleted from databases or websites will follow similar procedures to rights under the existing Act.

22 INFORMATION AGE APRIL 2011

