The big data protection story of 2012

Normally, stories about privacy and data protection have limited impact on the mainstream media. However, throw in a princess, the next heir to the British crown, and a tragedy and you have enough interest even for the tabloids to put it on the front page. The timing was also significant, coming just after the Leveson inquiry had published its report into the press and its illegal activities in relation to phone hacking and other methods of obtaining personal information. There seem to be a lot of key issues which have been lost in the emotion and tabloid treatment of the story.

The story begins with a "prank" call, which is an attempt to obtain personal information without a legitimate purpose (entertainment is not a legitimate purpose). The guilty parties have put up two invalid defences. The first is that they did not think they would get that far. Oh, that's alright, then. If I were to set out to assassinate a president or monarch, I would not expect to get very far, but I would expect to be prosecuted for the attempt. The second is that it was only a joke. Many computer hackers are not interested in the actual information they seek to obtain, but are motivated by the challenge of breaking into sensitive computer installations. Still unethical, still illegal and, particularly in the USA, still enough to get you locked up for a very long time.

There was a complete breakdown of procedure at the hospital itself. The hospital said no action would have been taken against the member of staff. Maybe not by them, but there was a serious breach of the professional code of conduct by the nursing staff involved in not protecting the personal information of their patients, which would surely have led in other circumstances to disciplinary action by the Nursing and Midwifery Council. The hospital itself is surely in breach of most of the Data Protection principles, but crucially Principle 7:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

But the British media also has questions to answer. The phone conversations were continually replayed on broadcast media including the BBC, ITN and Sky News. Whose permission did they have to play these tapes? It seems likely that this continual reminder of the incident had a negative impact on the nurse who took her own life. Data protection breaches are not a victimless crime. Just a few weeks after Leveson, it seems like business as usual in the media. It is unclear to me how this constant repetition can be justified with the usual "public interest" defence.

In spite of the media generally reporting the ICO as highlighting concerns for the free press over implementing the Leveson recommendations, in reality the ICO response is much more about fulfilling their responsibility as the legal guardians of personal information and privacy. They had already started to implement many of the Leveson recommendations anyway. Read the full response here.

And if this doesn't shock organisations into looking after our personal information better, then roll on the incoming European laws on data protection, which provide for penalties of up to 5% of global turnover and may concentrate minds better.