Who’s minding your data?
Data: a fancy word for information, but with a slightly disturbing ring to it, somewhat suggestive of digital control and hidden manipulation by the big beasts of technology and other unsavoury characters.
The sad fact, though, is that you never know who might have your data or how far it might have spread out across the web without you either knowing anything about it or being able to control it.
The same is true on the other side of the fence: if you own a company which operates a busy website, the chances are that you could be in possession of data you know nothing about. Worse, you may be unwittingly passing that data on to others without being aware of it.
Now, in most cases there is nothing to say that a website holding data on an individual is doing anything illegal. What matters more is the why and the how: why any given website has your data – be that a supplier of goods, such as clothing, music or software, or a for-profit health company you consulted two years ago; and how – what methods and procedures the person or organisation that has your data is using to keep it safe, and how long they intend to keep that data. The General Data Protection Regulation ('GDPR'), supplemented by the Data Protection Act 2018, provides opportunities for you to contact organisations and get answers to these questions.
First of all, anyone who holds your data must be transparent in how they do that. This means that before they collect data about you, they must tell you they intend to do so, why they are doing so, the security with which they will hold your data and how long they will keep it. Crucially, they must ask for your informed consent. When you request data – such as medical records – it must be released to you as soon as reasonably possible, and it must be in a form that the average person, who is not a data expert, can understand.
For commercial and other organisations buying data services, it is important to know what you are buying. With the wealth of data services out there, you need to understand the contract before you sign it. However, such agreements are almost always written in legal language. As a result, your GP may have little idea of the services they actually bought, as opposed to what they think they bought. Crucially, they may have no idea whether data they have necessarily collected might be monetised by unscrupulous tech companies at a later stage.
For the future, it remains to be seen how helpful the Information Commissioner’s Office will be to consumers, and whether the somewhat opaque legislation the UK now has will benefit the person in the street or, on the other hand, whether big tech will win at our expense. At the moment, nobody is taking any bets: the idea of data being personal is still so new that society has yet to learn the full implications of its control and ownership.
If your company has a data problem, we may be able to help, so fill out the enquiry form on this page.