The Information Commissioner's Office - the UK public body tasked with protecting ordinary individuals from abuses by the rapidly-multiplying organisations which hold personal data - has today "published new guidance to help individuals understand how and why their personal information may be shared by organisations." As the …
because the ICO won't
Protect your own data, because the ICO won't. If you contact them detailing a breach of the law, they never act. Occasionally they'll ask the company, who respond "we're not breaking the law", and the ICO says "they said they weren't doing anything wrong", and believes them. It is, without a shadow of a doubt, the most pathetic, toothless, idle excuse for a regulator in existence today.
Another paper tiger, like the FSA
Alas, judging from my own recent experience, the Information Commissioner's Office seems to be just another toothless quango, much like the Financial Services Authority, lacking either the will or the power to tackle big business or government agencies on behalf of the ordinary citizen.
Back in February, I filed a request with the ICO for an adjudication on whether my bank's published terms and conditions exempted it from Section 10 of the Data Protection Act, which is the section that allows data subjects to forbid data holders from using personal data in certain ways.
I waited six months to receive a terse response which said, in effect, that the ICO couldn't make any judgement on that kind of question, and that I would have to take my bank to court to settle the matter.
If the ICO cannot rule on the application of the very Act which it was created to enforce, then what is the use of the ICO?
no real surprise but no real help either!
The data protection laws are vague and difficult to enforce as a citizen / consumer.
Almost any company is going to fob you off when you ask for data or just say yes to that list to get rid of you.
This approach can only work when WE OWN OUR OWN DATA.
Only when the rights to information about me lie with me rather than the person who collected it will we stand any chance of getting companies to play by the rules. Until then there is absolutely no incentive for them to do anything other than they please.
For examples pick any large scale data loss of recent times, the situation with Swift (they didn't even have to agree not to do it, they just carried on!) or our own Government (with ID cards and the sale of the data they will bring).
Just give me a sodding number and be done with it.
ICO = waste of space
"Protect your own data, because the ICO won't. If you contact them detailing a breach of the law, they never act."
Spot on. Ask the ICO about Plusnet, who as a plc didn't bother registering and even after the takeover by BT STILL didn't bother until the fiasco (hard to keep up with them all I know) whereby current and ex-customers had email addresses exposed to spammers. My email address (which I now realise they held illegally) was held from when Plusnet bought Metronet, so around January 2006 or so. Not only would that be a contravention of the toothless rules about how long you can store such data from ex-customers, they shouldn't have stored it ever as they never registered as data processors.
Biggest waste of space EVER = ICO
We own our data
Yes, jeremy, that's the way it should be. But this is the genie-lamp problem. The only way we will ever be able to get control of our own data involves a massive EMP. All we can do is legislate for more say on how it's used. Gramm-Leach gives me some control over my financial data in the US, but doesn't do much for the rest of it. And then there are countries that have seen a lot of call center business go to over the last few years that have NO data protection laws, even those that are ignored by our governments.
1998 Data Protection Act
Just for info; there is one major loophole in the 1998 data protection act. After contacting the ICO myself re. my employer passing on my personal details to one of the so-called "civil parking enforcement" b*st*rds (sorry - COMPANIES!) after accidentally over-staying my time at a private car park (despite the fact I was a customer of the firm at the time!) whilst I was on a driving job and not actually telling me, I had a reply to the effect that if a person or company who has personal details on record thinks that any legal action may be forthcoming against the individual, it appears that they are quite at liberty to disclose addresses, personal information, etc; to third parties without falling foul of the act. This also seems to be the loophole whereby the DVLA passes on information to these private parking companies in order for them to pursue drivers for a "civil parking fine". I think this is outrageous. What is the point of the act, if it's left to an individual to make a decision?..........."oh yeah.......that's possibly going to be followed up with legal action, therefore it's perfectly OK for me to tell the world what my employee's address is". An outrage, if ever there was one. I find it difficult to contain my anger about this.
Need to know
Why is the Oyster card - basically as I understand it a glorified underground ticket - holding or referring to a person anyhow ? It should just hold anonymised points or 'travel rights' or pounds and pence.
Maybe this is one reason why the UK still hasn't got the ability to store anonymised cash on our chip&PIN cards like they can in Europe - they like being able to track us too much.
ICO = Toothless Wonder
The ICO love to posture rather than bite.
A while back I complained to the UK Information Commissioner over a privacy issue relating to my email address with Orange. The email address in question comprised my initials (i.e firstname.lastname@example.org).
To my great surprise the ICO ruled that an email address like this could not be considered to be "personal data". Therefore, they claimed, their hands were tied (or they preferred to "sit on them" I suspect). I was told that "personal data" is defined in the DPA as "information that identifies a living individual" and my email address failed this test (although I find that claim completely counter-intuitive. If you have my email address you have a direct route to my desktop). Had my email address been of the form "email@example.com" I understand they might have been prepared to take action on my behalf.
Of course only a tiny proportion of email addresses are of the form firstname.lastname@example.org. So at a stroke this ruling excludes the vast majority of personal email addresses from data protection regulations!
That's good news for spammers and email list traders - bad news for the rest of us poor suckers, eh?
Not so fast
"I had a reply to the effect that if a person or company who has personal details on record thinks that any legal action may be forthcoming against the individual, it appears that they are quite at liberty to disclose addresses, personal information, etc; to third parties without falling foul of the act."
Oh yeah - try getting the phone details of a malicious caller, that the police can't be bothered to tick off, out of BT then !
Rock and a hard place
Being told to "protect your own data" is nothing new. I would think it fair to say that people's awareness, due to reported incidents of information security breaches, has ensured that as a nation we're better informed as individuals. Though you could argue strongly that the private and public sectors have a considerable way to go before the same could be said.
However your "data footprint" as I like to call it, is far larger than that which you have any control over. i.e your home environment. As a citizen, employee or customer we are expected to trust those we give our data to. That trust is not based upon any level of common respect but sadly is forced upon many through the DPA.
What is more sad though is that having identified the problem, which justified the expense of creating legislation and an enforcement body, the fact is that data protection within the UK is A) undervalued B) Misrepresented C) Barely existent in many cases until it hits the headlines.
On a final note. I'm confident that I can take care of my own information which I hold. I do the things most would expect to do to keep your details secure. However I expect those that hold information about me, for their own purposes, to ensure that the information is managed in a way which does not pose a threat to me. Unfortunately that makes me reliant upon legislation. Currently without appropriate, timely, affordable and effective legislation and enforcement, achieving my "self management" of my own personal information finds me between a rock and a hard place called "no chance".
As far as I'm aware, Oysters aren't tied to individuals until you sign up for a season ticket on them, which seems to be anything longer than a week travel card. Just buying a card and using cash pre-pay top ups should be anonymous (although the card itself can still be tracked). I'm not sure how easy it is to tie a card to a person if you buy it by switch or credit card or similar without signing up for a season ticket though.
Been thinking about some sort of Oyster exchange pool where people top up a card to a pre-set amount then you all put them in a pool once a week and take a lucky dip for a new card. Or could just pony up the extra £3 a week for a new card I guess.
ICO = Waste of oxygen
From personal experience, a member of my family served in HM Forces for 40 years. He recently retired and shortly afterwards the wonderful civil servants in Glasgow lost ALL of his records (that's 40 years of his entire life including medical documents, bank details, employment history, etc). When he tried to lodge a complaint with the ICO, the reply from this glorious office was they weren't going to do anything...they weren't even going to investigate it. They didn't want to know about it. Toothless Tiger doesn't even come close to describing this useless shower of ****. Another shining beacon of ineptitude and bureaucracy.