Data Protection Act

Data Protection Act (1988)
The following blog will outline the importance of the Data Protection Act and discuss some contemporary issues in an online context.

Act & Commissioner
The Data Protection Act (DPA) is an important piece of legislation aimed at safeguarding the rights of an individual’s personal data. If you collect, store or process any data on living people, you are bound to comply with the Act. The DPA follows eight principles or rules, listed below, which relate to any type of data.

Eight Principles of Data Protection

Eight Principles of Data Protection

Data Controller, Subject & Processor

Data Protection Act Definitions

Data Protection Act definitions

The Data Commissioner is responsible for dealing with complaints and ensuring that legal rights are upheld. Helen Dixon was appointed the Data Commissioner in 2014 and is responsible for not only Irish individuals but data from companies based in the State which include; Facebook, Google and Twitter. The department has been under increased pressure from Europe as it has been viewed as a ‘light touch’ when it comes to data protection regulation. There is also concern that the larger tech multinationals based in Ireland are using the country as a ‘one stop shop’ for European data collection (Weckler, 2015). In the background, the formation of the new European Data Protection Board will bring a pan-European regulator.

EU vs. US Safe Harbour Agreement (2000)
Data protection in the digital age is borderless and this has created much ambiguity when dealing with multinational data. The European Union (EU) and the United States (US) are the powerhouses when it comes to mass data. Europe is seen as social democratic while the US a more liberal model of government. Each have their own privacy laws and there is a need to balance data privacy with business and innovation to flow freely.
The EU and US established to the Safe Harbour Agreement in 2000 for US companies to agree with EU Directives. The agreement has been describes as shaky and the revelations of US surveillance practices caused a rift between the States. Recent negotiations maintained the agreement but the diverging cultural and legal discretions are making the long term effectiveness of the Agreement unlikely. Both States will have to look for a revised agreement to keep up with technological and social norms of data protection (Peltz-Steele, 2015).

Cookies
Cookies are small pieces of data sent from a website from a user’s web browser. Companies use this data to gain insights into the way people interact with websites. This is not only personal data willingly given but also information about user habits gathered through identifiers on web sites. Companies want to know user’s data to target advertising and websites to improve the user’s online experience. This gathering of data has become more sophisticated and user information is now even a commodity to be sold. There has been a push to regulate this practice and for governments to set stricter rules for consumer protection. There have been a number of cases taken against companies’ use of cookie. Adobe Flash Player is a high profile example of surreptitiously collecting data from users. The EU introduces the ePrivacy Directive (2002) which lays down principles to the use of cookies essentially for legitimate purposes and with the user’s knowledge. There is still ambiguity over the collection and storage method and each Member State still has discretion over the interpretation of the directive (Lanois, 2011).

Cloud
The Cloud is a network of remote servers to store, manage and process data. This poses an even bigger threat to traditional desktop computing as all data is stored online. The identified risk relate to security risks and people’s identity. This put additional pressure on Cloud vendors to increase their security. Still the issue of jurisdiction remains and data may not be secure in some countries with less vigorous security measures. Cloud computing is on the rise as a popular, cheap and convenient form of data storage for individuals and businesses. Moving data outside the EU can be considered a breach of the EU Data Protection Directive (Lanois, 2011). Is feasible for multinational organisations to segregate and store such data?

Breaches
There have been a number of high profile data breaches which gained widespread public attention. Data breaches are not a new phenomenon but the increase in digital data has the potential to impact millions of people. The Data Protection Commissioner publishes records of data breaches by year and category. The largest data breach recorded in Ireland was by Loyaltybuild. Personal details and financial data of about 1.5 million customers was hacked described as a ‘sophisticated criminal act’. Though serious, this pales in comparison to some of the worldwide security breaches.

History of Data Breaches

Digital Guardian: The History of Data Breaches (2015)

Conclusion
The Data Protection Act is an important piece of legislation for data collection. There are clear guidelines to follow and the Data Controller is responsible for the implementation of the Act. The EU and US established the Safe Harbour Agreement in 2000 to govern data in the two jurisdictions. Some contemporary issues relating to data protection include Cookies and Cloud computing. Cookies are useful for advertising and improving online experiences but security issues remain. Cloud computing means holding data on cloud servers with security risks a prevalent concern. Data Breaches are a common occurrence in the digital age and concerns over security are impacting millions worldwide.

References
• Data Protection Act (1988 & 2003) ‘A Guide for Data Controllers’, Available at: https://www.dataprotection.ie/documents/forms/NewAGuideForDataControllers.pdf (Accessed on: 31 August 2015)
• Data Protection Commissioner (2015) ‘Data Protection’, Available at: http://www.dataprotection.ie/viewdoc.asp?DocID=4 (Accessed on: 31 August 2015)
• Weckler, A. (2015) ‘Irish Independent – Ireland’s New Data Chief – Forget About the Light Touch’, Available at: http://www.independent.ie/business/technology/news/irelands-new-data-chief-forget-about-the-light-touch-31182694.html (Accessed on: 01 September 2015)
• Peltz-Steele, R.J. (2015) ‘THE POND BETWIXT: DIFFERENCES IN THE US-EU DATA PROTECTION/SAFE HARBOR NEGOTIATION’,Journal Of Internet Law, 19, 1, pp. 1-15, Business Source Complete
• Lanois, P. (2011) ‘Privacy in the Age of the Cloud’, Journal of Internet Law, 15, 6, pp. 3-17, Business Source Complete
• Digital Guardian (2015) ‘The History of Data Breaches’, Available at: https://digitalguardian.com/blog/history-data-breaches Accessed on: 11 September 2015

Data Security (Internet of Things)

Data Security – ‘Internet of Things’ – be careful what you wish for….
We are all aware of the collection of data in our everyday lives. Individuals want to consume a product or service and the provider’s gain a value exchange for this personal data. This is all governed by the Data Protection Act 1998 and amended in 2003. There are clear guidelines for the gathering, storage and usage of data and companies face prosecution for failure to comply.

There has been a shift in direction for data collection and this is known as the Internet of Things (IOTs).

“We define the Internet of Things as sensors and actuators connected by networks to computing systems. These systems can monitor or manage the health and actions of connected objects and machines. Connected sensors can also monitor the natural world, people, and animals.”
(McKinsey Report, 2015)

Essentially machines are collecting and correlating data to improve our experiences. This has positive implications for improved health data, smart home appliances, automated cars and even having umbrellas stocked when rain is forecast or a cold drink on a hot day. So when thinking of our data we must consider how the IOTs will impact on data security.

Innovation for good
There is no doubt the potential benefits of IOTs is extraordinary. The McKinsey report highlights several areas that the IOTs will have a realistic of creating value in the next decade. IOTs not only creates employment in research and projects but for business to emerge and improve with the data output.

IOTs McKinsey diagram

McKinsey Report (2015): IOTs

The monitoring of health is an area where the obtaining of data could improve health and save people’s lives. Smart watches could measure and track people and not only provide data for chronic illnesses but detect a stroke or heart attack before it even happens.
Smart cities are becoming more and more likely with research on improving transportation flow with autonomous cars, power usage from metering and water and air quality with sensors. This not only will produce saving for city authorities but improve life for people in the city too.

But what are the costs?
There is no doubt that the potential benefits from IOTs could transform the way we do things in the future. But there is one big question that needs to be addressed, how do we keep data secure?

This is a consideration that needs a lot of thought as once machines are collecting data we need to focus on another dimension of regulation.
An article on data security by the Guardian (2015), demonstrated some areas where the IOTs may have serious concerns for data security. Regulation can become a problem for example in the use of Smart Maters reducing energy bills. The data may fall under several regulator jurisdictions including; energy regulator, broadband regulator and the data may even be outside of the country.
Security is another big risk and the potential for the data to be hacked is a serious concern. Data may be hacked for say a person’s pacemaker or a terrorist organisation hacking a vehicle.

Conclusion
The potential for the IOTs to shape our future, using data, is a positive step forward. Smart devices will emerge to improve people’s lives and society in general. The McKinsey report highlighted a number of areas that will create value in the next ten years. The potential threat for IOTs data to be used negatively is a grave concern. It is important for the regulator to understand these technological changes and reflect these in Acts to protect consumer’s data. It is important to regulate the access and control of the data and prosecute any breaches that will occur.

References: