Whilst details are still emerging over the recent
loss of yet more data, the question then hinges not so much on how individuals ought to protect their personal information, but how organisations secure this data and more precisely, how
individuals will now have to "smarten up" in the non-disclosure of their personal information, unless this is absolutely necessary (do you really need to give your identity to organisations in exchange for this freebie? What if you don't?). Frequent incidents of data loss have "de-sensitised" us into the usual moans/groans (constant whining) and a great deal of apathy, responses from"not again" to "how can we give over our information" to such incompetent bodies but with no adequate solutions (other than resort to the usual route of compensation)? Whilst the Data Protection Act 1998 is being strengthened with more remedies (ie. heavier penalties), it is now up to individuals to
exercise their rights if they have been affected by data losses. The law is there. Even if this is a long, laborious process, ultimately, it will be worth it. In the long-term, it is not simply being alerted to the recent breaches of data losses, but rather a
complete change in the "privacy landscape/culture". In other words, accountability of organisations to account for the loss of their data - this is already happening at a European level, with
data security breach notices being considered in the forthcoming EU legislation, but this is just the beginning. The questions: at a national/local level, the
way organisations handle
databases of personal information will need to be questioned - is it centralised/decentralised?
What security measures are in place?
Who is responsible for the security of personal information? Security questions asked of individuals needs to be changed (forget about mother's maiden name; pet name etc.)? Do they have a privacy policy? We do not want the policy in "small writing" but in "large writing" and be simple (sometimes, the policies can be verbose where only a few people can understand). How about awarding organisations for the best privacy practices they have and highlighting the bad organisations that have lax procedures (no, one is not referring to the work of Privacy International), but have in place simple procedures to ascertain what privacy audits/practices are in place (just simple common sense).
A useful start would be to start questionnaire studies amongst the general public (not so much about the handling of personal information), but rather what they do in protecting their own privacy (or do they care)? Secondly, there has been the frequent discussion to educate others about the protection of their privacy, yet, often, this assumes no knowledge, when there is. Quite clearly, we know something about the Data Protection Act 1998 (for others quite enough), but not enough to make data subject access requests, to consider whether the information is accurate or not etc. There is still a long way to go in utilising other means and methods to protect the privacy of personal information.
In the previous post, the discussion centered on how secure the public databases are and the relative ease in which social networking websites have now made it easier for anyone to obtain information about others, this discussion is now how departments can effectively secure the "trust" of the public to ensure that their personal information is handled properly (even if there is a healthy scepticism).
If you trust your local Tescos and Sainsbury to handle your personal data through the use of reward cards, then what are they doing right that others are not? Another dimension to look at is that if organisations are not handling your personal data correctly, you can theoretically walk away from them (other than resorting to your usual remedies), but not so when we are dealing with those where it is compulsory to give over our data (if this were a business, it would have long lost its custom).
The time for complacency is over. The time for more pro-active dialogue is just the beginning!