Select Committee on Home Affairs Written Evidence


Memorandum submitted by the Identity Trust


  1.  Identity Trust is a proposed initiative to create a Community Interest Company[192] (CIC) initiative focused on building tools and processes that enable transparency and more equitable user/supplier relationships. Identity Trust is a member of the ITU-T Focus group on Identity Management, a member of the Internet Governance Forum: Dynamic Coalition on Privacy at the UN, and the US-based Identity Commons. Currently Identity Trust is being consulted by the OECD focus group on Identity Management for input into guidelines to facilitate the development of regulatory standards for national identity management.

  2.  Identity Trust is in the process of raising investment funding to facilitate and extend the development of commercial guidelines for the emerging Identity Industry. This emerging industry is being compared to the Telecommunications Industry crossed with the Credit checking industry and will prove to be a commercial example against which government surveillance practices will be measured.

  3.  It is the intention of this submission to advise on the role of transparency and the use of transparency in a reciprocal manner to the use of surveillance over people and their identity data. The more surveillance and the greater the scale and use of that transparency of people and their identifiers, the greater the need for transparency and user visibility over the management, manipulation, purpose, and sharing of that data. Eg User Identity Management logging, with read, write, aggregate, and

  4.  For instance, a citizen needs to see who has accessed their data, for what reason, what their data is being mined for, etc. This would be consistent with commercial and international developments in international Identity Management standards.

  5.  The United Kingdom is in significant danger of becoming a laggard country in terms of its approach to privacy, data protection and "identity" due to issues of trust. This will become an economic issue as well as a privacy one in that individuals will have options to take at least some of their "business" to other countries with more robust and user centric Identity Management approaches in place.

  "Legitimate governance is inextricably linked to the larger problem of trust on the Internet. Market forces alone have proven insufficient to build trusted public networks. Trust is essentially a political problem rather than a technology or legal issue. For greater trust, the millions of individual participants in the Internet must find some vehicle for co-operation. Their own ability to trust will depend on the choices made by others on the network. A `trusted' network goes beyond engineering concepts and requires a system that allowed users to feel confident that data and messages were confidential, unmodified and linked to an identity. Progress in building secure and trusted public networks requires asking what are the policies and legal and regulatory structure needed for trust; how would these be coordinated among nations; and who is best placed to undertake these actions." Jamie Lewis, Perils and Prospects for Internet Self-Regulation, Center for Strategic and International Studies, June 2002.

  6.  Surveillance and inappropriate identity management can erode trust and undermine the overall UK governance infrastructure.

  7.  Risks of this could include the dispersion of commerce (Banking, Legal, Intellectual Property, etc.) to other countries where more favourable conditions exist.

  8.  This contribution to this inquiry is intended to highlight solutions to the systemic issues surveillance creates in society. Surveillance and IdM practices that occur today that minimise user/customer/citizen transparency and thus create lack of trust and ultimately commercial disadvantage can in turn stimulate an open marketplace and drive commercial innovation in the UK.


  9.  The quote below from the National Consumer Council in 2004[193] neatly summarizes the dilemma being addressed in this consultation exercise.

    (a)  Personal information is one of the most valuable commodities in society today. Government and public service providers gather a wealth of information from taxpayers, car owners, benefit recipients, patients, clients, customers and voters. Businesses too, are intent on developing ever more sophisticated ways of capturing and using data about individuals.

    (b)  Consumers have much to gain from these developments. But whenever personal data is collected and stored it may also be abused. Wrong information may be passed on to third parties, privacy invaded, or individuals besieged by marketers. Trust is hard won and necessarily fragile. If the information age is to develop on secure foundations, it is vital that those who collect and use personal data maintain the confidence of those who are asked to provide it.

Source: National Consumer Council, 2004.

  10.  That's the theory; but the reality is that individuals have an ever-growing body of evidence that suggests they should be very wary of what they provide and who they provide it to when they are asked to share personal information. In recent years individuals have been increasingly exposed to:

    (a)  The rapid increase in the use of surveillance and tracking technologies with little in the way of "opt out" possibilities.

    (b)  An ever-growing mountain of irrelevant junk mail on their doormats, and other forms of direct marketing messaging grabbing their precious time.

    (c)  Cold-call tele-marketers blatantly using hard sell "slamming" tactics to sell products and services that are not in the individuals' best interests.

    (d)  Their personal data being sold, bought, rented and swapped for money, in which they get no share (even public sector bodies such as the DVLA have managed to justify to themselves and their paymasters that selling personal data is within their remit).

    (e)  Inaccuracies in personal data stored by the information industry that take individuals significant amounts of time and effort to correct; if, of course they even find out about them.

    (f)  The increased risk of identity theft, with all that this entails, from organizations taking less care of personal data than they should.

  11.  In order to map a positive way forward for all parties, as suggested in the above quote, we must articulate the strategic weaknesses in the current state, and then put new modus operandi in place that are un-encumbered by these outdated mind-sets and processes.


  12.  Specific problems with the current state include:

  13.  The Data Protection Act, and the various add-ons of recent years are articulated at too high a level to be meaningful. The various acts fail to enable meaningful transparency around:

    (a)  Precisely what data are being stored (split by sensitive and non-sensitive data).

    (b)  Precisely how long are they being stored for, and how is their accuracy maintained.

    (c)  Precisely what are these data being used for.

  14.  The answers to all of the above are largely available to organisations, through processes typically relating to data audits for major IT projects (e.g. CRM, business intelligence, analytics). An example of such an audit is shown below.[194] But the Data Protection Act does not demand disclosure at this detailed level, allowing organisations to hide behind obscure, high level descriptions enshrined in privacy policies that are specifically designed not to be read by end users.

  15.  This current scenario is best summed up by quoting from a top UK-based data protection lawyer about how they engage/support their business colleagues—`the business people tell us what they wish to do, and we tell them how to do it to avoid getting caught out by data protection law'. This start point is wrong—the personal right to privacy is not a priority for organisations, whether they be private or public sector.

  16.  Most organisations have in-built structural reasons for not wishing to be transparent about data content stored, and data uses deployed. In the private sector the motive is profit (driven by shareholders); in the public sector it is reducing "cost to serve" (driven by stakeholders). If customers or citizens actually knew, through transparent approaches, what was being done with their personal data, then they would minimise sharing and usage using existing legal vehicles and further steps available (eg the various suppression files). Until this barrier is overcome, we won't move beyond the current mess.

  17.  There is no mandatory requirement for notification of a data breach (USA used to be regarded by Europe as having weak privacy laws, yet in California they are streets ahead in how they handle the inevitable data breaches).

  18.  Data Protection legislation has not kept pace with the developing internet and e-commerce world. Web 1.0 is stretching enough, but the far more personal data-intensive web 2.0[195] will be the straw that breaks the camel's back of the current approaches.

  19.  In light of web 2.0 and what will come next (see below), the right to subject access must be modernised in a number of respects.

  20.  Success rates for crime detection via CCTV are low in practice due to the inadequacies of the current state technology.

  21.  Current approaches show no respect for the time of the individual. Time is increasingly a more scarce commodity than money and should be treated as such.


  22.  Update the Data Protection Act (and equivalents) to articulate data content and data usage at a meaningful level of detail.

  23.  Introduce Privacy Impact Assessments as an overlay for new projects—but based on this new, lower level of detail. At the high level, PIA's would be meaningless (and thus an un-necessary layer of bureaucracy).

  24.  Mandatory, value-added data breach notification... a "no-brainer"—don't debate, just deploy.

  25.  Further research and education on the principles of minimal disclosure (ie only gather and store the data required rather than take the opportunity to grab more).

  26.  Investigate revenue sharing with individuals whose data is being sold (start with DVLA).

  27.  Investigate the impact on the time of the individual wasted by data related weakness.

  28.  Publishing of success rates by CCTV camera and having each installation justified would minimise un-necessary deployment.

  29.  Improvements to the subject access process should include:

    (a)  The data subject should be provided with the data relating to them in electronic format should they wish.

    (b)  Cost of subject access should fall to expand usage (which in turn will aid the whole eco-system).

    (c)  Frequency of subject access should be targeted at "any time, and almost real time".

    (d)  Automated use of agents (electronic and manual) to aid individuals in subject access requests should be encouraged.

  30.  Fund research into the use of digital rights management around personal data—one of the few ways in which privacy legislation can actually be enforced. Pilot such schemes in government databases to track/ make transparent data sharing and data use.

  31.  Accept that without much of the above, individuals will gain transparency anyway through the much more aggressive deployment of Privacy Enhancing Technologies (PET's).

April 2007

192

193   The Glass Consumer, 2004.

194   This data audit process (one of many available) breaks data content down into 75 data types, data quality into 10 components (eg completeness, compliance), and the use of data into 90 types (eg customer lifetime value analysis for marketing, data mining for fraud management).

195   A good summary can be found in the book The Digital Person.


© Parliamentary copyright 2008
Prepared 8 June 2008