Select a region
Assessing, prioritising, filtering, retaining, discarding – when you list them out, it’s quite surprising the number of actions your brain is performing every minute, to process the volume of data you are being confronted with.
Variously described as an avalanche, a tsunami, a firehose – whichever noun you prefer, the point is, the scale of information circulating about us, because of us, or to tempt, inform, categorise, entertain or process us is immense.
Pictured: "With more data comes greater risk, so managing that risk and increasing public awareness of those risks has always been at the forefront of any data protection regulator’s agenda."
Harnessing it all is the goal of entrepreneurs, governments and private companies across the world – those who can gather, filter, protect and share most effectively will succeed.
Just as the importance of your data has grown, so have the restrictions designed to protect it from abuse – the man taking charge of doing just that in Jersey is Paul Vane, who will be appointed as the island’s new Information Commissioner next month.
Express asked him what challenges and opportunities lay ahead...
PV: I think it’s fair to say that there have been significant challenges to privacy and data protection throughout my career.
If you think about where we were technologically even just 15 years ago, the world has changed dramatically in that time. The growth of the internet, social media, cloud computing, the Internet of Things and Big Data have always posed challenges to privacy in terms of the sheer quantities of personal data being processed.
With more data comes greater risk, so managing that risk and increasing public awareness of those risks has always been at the forefront of any data protection regulator’s agenda.
Pictured: "From my experience, many people think data protection is just about computers, and something ‘IT’-related, so it doesn’t affect them. The stark truth is data protection impacts upon just about everything we do as a society."
Now, we’re seeing greater use of technology in the financial services, medical and even regulatory spaces to assist with compliance, improved customer service and improved medical diagnoses.
Of course, these are all extremely important, and in many cases save lives, but as with all technology use, it comes with increased use and connectivity of personal information - much of it goes on behind the scenes without the individual really having any idea how or where their information is being used or stored, or how safe it is.
In addition, more people live their lives via their devices and applications. We live in a surveillance society with CCTV cameras monitoring our every move, and when combined with facial recognition technology, individuals can be easily identified, even when part of a large group.
More recently, the covid-19 pandemic has changed the way we live and work, with more people working from home and reliant upon video conferencing websites to communicate with colleagues.
Pictured: "... the use of Artificial Intelligence-based systems are growing rapidly, and quantum computing, which is not that far away, will dramatically increase the speed of our day-to-day transactions online and automated decision-making systems."
This brings with it many data protection and security considerations. For example, where personal information is stored, who has access to it and how it is transported to and from the office or home. Staff training and organisations adopting a ‘privacy first’ culture and approach from the very top at board level, is vital here.
As for the future, the use of Artificial Intelligence-based systems are growing rapidly, and quantum computing, which is not that far away, will dramatically increase the speed of our day-to-day transactions online and automated decision-making systems.
This will happen against the backdrop of concepts such as data stewardship, data dignity and ‘own your data’ technology platforms designed to put the individual back in full control of what happens to their personal information. It is early days, but this is an area in which I expect to see a huge amount of progress in the coming years and where I see some significant and exciting opportunities arising for us here in Jersey.
From my experience, many people think data protection is just about computers, and something ‘IT’-related, so it doesn’t affect them. The stark truth is data protection impacts upon just about everything we do as a society.
It’s about protecting personal privacy, and specifically aims to ensure the organisations who collect personal information from you – and let’s be honest here, many people give away their personal information quite freely without giving it proper thought and consideration – do so in a manner that is fair, transparent and within your expectations as an individual.
Pictured: "It’s about protecting personal privacy, and specifically aims to ensure the organisations who collect personal information from you... do so in a manner that is fair, transparent and within your expectations as an individual."
The Data Protection (Jersey) Law 2018 places obligations on organisations who collect and use personal information, and they must be accountable for what they use it for, who they share it with and how they store that information.
That certainly used to be a regular complaint I experienced in my early years working in data protection. I don’t hear so much of it now, but I have no doubt it still happens.
Although I’m not sure it’s strictly ‘weaponising’ data protection in the true sense of the word. Rather, such responses like “I can’t tell you that because of data protection” are generally borne out of an ignorance or lack of awareness of the rules, and laziness, because the person doesn’t want to take the time or recognise the importance of making that effort to find out the correct answer, so defaults to an unhelpful reply.
The ‘weaponising’ of data these days is more about how methods of communication are used to mislead and influence the general public. Disinformation has been a hot topic in recent years, particularly in relation to political campaigning whereby this new adaptation of propaganda is used to undermine democracy and persuade individuals or even whole communities to vote in a particular way, or take a particular course of action.
Pictured: Mr Vane will be taking over as Information Commissioner from next month.
Knowing what is true and what is not has become increasingly difficult such is the proliferation of information out there for all to absorb, albeit tailored to what the publisher wants you to read. The big tech companies are not helping the situation, and the manipulation of societies on a mass scale means our choices are being limited to create a different view of the world to others, thus shaping our morals, changing our perceptions and skewing the norms of society that we live by.
That’s a difficult question, as technically speaking we don’t write the Law, we regulate it. But if I was charged with changing the Law in any way, then the one area I would look at is in relation to the scope of protection the Law offers to deceased persons. The Law as it stands only applies to personal data relating to living natural persons.
There are some interesting arguments for and against the Law protecting deceased individuals, the most obvious being that a deceased person cannot exercise their rights under the Law.
Pictured: "Is it right that once a person passes away then their personal information becomes unprotected, to do with as you like?"
But just because that is not physically possible, is it right that once a person passes away then their personal information becomes unprotected, to do with as you like? A significant amount of damage can still be done to an individual after they have died, particularly with respect to their reputation, for example. I would like to see some fulsome consideration around how this position can be addressed.
Historically, data protection laws across Europe have only applied to living individuals, however some countries have enacted provisions that do address this concern. For example, Denmark’s data protection Act applies to deceased persons for 10 years after the time of death.
In France, there is a provision which allows individuals to establish instructions for their personal information is handled after death. Hungarian data protection law includes a provision which allows an individual to appoint a person, such as a close relative to exercise their data subject rights after their death. So, Jersey would not be the first to consider this addition to the Law, and as other jurisdictions have shown, there are already a number of options as to how this issue could be addressed effectively locally.
Absolutely, categorically and without hesitation, yes, there is a commercial benefit to having sound data protection practices within your business. One of the fundamental principles underpinning data protection is accountability.
This sits hand-in-hand with consumer trust. Individuals are more likely to interact and do business with an organisation they feel they can trust, so will naturally gravitate to organisations they feel confident will look after their personal information correctly.
Pictured: "It means organisations must think about data protection from the very outset of the design of any new processes or systems that involve the collection and use of personal information."
This is why clear, succinct privacy notices are essential, underpinned by robust policies and procedures around data handling and security. You only need to look at the reputational damage suffered by organisations who have been the subject of huge data breaches to understand the benefits of a good data protection regime within the business.
Our office also talks a lot about organisations ‘baking in’ data protection to their everyday activities. Data protection by design is a core principle of the Law and is the starting point of good data protection practice.
It means organisations must think about data protection from the very outset of the design of any new processes or systems that involve the collection and use of personal information.
Of course, there will also be occasions where an organisation does ‘think privacy’ but still suffers a breach. In those situations, the controls they have in place will serve as mitigation in terms of any enforcement action we may choose to take. So, in answer to your question, sound data protection policies and procedures are important in both contexts.
Comments
Comments on this story express the views of the commentator only, not Bailiwick Publishing. We are unable to guarantee the accuracy of any of those comments.