A radical proposal to keep your personal data safe

By Richard Stallman, president of the Free Software Foundation.

Journalists have been asking me whether the revulsion against the abuse of Facebook data could be a turning point for the campaign to recover privacy. That could happen, if the public makes its campaign broader and deeper.

Broader, meaning extending to all surveillance systems, not just Facebook. Deeper, meaning to advance from regulating the use of data to regulating the accumulation of data. Because surveillance is so pervasive, restoring privacy is necessarily a big change, and requires powerful measures.

The surveillance imposed on us today far exceeds that of the Soviet Union. For freedom and democracy’s sake, we need to eliminate most of it. There are so many ways to use data to hurt people that the only safe database is the one that was never collected. Thus, instead of the EU’s approach of mainly regulating how personal data may be used (in its General Data Protection Regulation or GDPR), I propose a law to stop systems from collecting personal data.

The robust way to do that, the way that can’t be set aside at the whim of a government, is to require systems to be built so as not to collect data about a person. The basic principle is that a system must be designed not to collect certain data, if its basic function can be carried out without that data.

Data about who travels where is particularly sensitive, because it is an ideal basis for repressing any chosen target. We can take the London trains and buses as a case for study.

The Transport for London digital payment card system centrally records the trips any given Oyster or bank card has paid for. When a passenger tops up the card digitally, the system associates the card with the passenger’s identity. This adds up to complete surveillance.

I expect the transport system can justify this practice under the GDPR’s rules. My proposal, by contrast, would require the system to stop tracking who goes where. The card’s basic function is to pay for transport. That can be done without centralising that data, so the transport system would have to stop doing so. When it accepts digital payments, it should do so through an anonymous payment system.

Frills on the system, such as the feature of letting a passenger review the list of past journeys, are not part of the basic function, so they can’t justify incorporating any additional surveillance.

These additional services could be offered separately to users who request them. Even better, users could use their own personal systems to privately track their own journeys.

Black cabs demonstrate that a system for hiring cars with drivers does not need to identify passengers. Therefore such systems should not be allowed to identify passengers; they should be required to accept privacy-respecting cash from passengers without ever trying to identify them.

However, convenient digital payment systems can also protect passengers’ anonymity and privacy. We have already developed one: GNU Taler. It is designed to be anonymous for the payer, but payees are always identified. We designed it that way so as not to facilitate tax dodging. All digital payment systems should be required to defend anonymity using this or a similar method.

What about security? Such systems in areas where the public are admitted must be designed so they cannot track people. Video cameras should make a local recording that can be checked for the next few weeks if a crime occurs, but should not allow remote viewing without physical collection of the recording. Biometric systems should be designed so they only recognise people on a court-ordered list of suspects, to respect the privacy of the rest of us. An unjust state is more dangerous than terrorism, and too much security encourages an unjust state.

The GDPR makes much of requiring users (in some cases) to give consent for the collection of their data, but that doesn’t do much good. System designers have become expert at manufacturing consent (to repurpose Noam Chomsky’s phrase). Most users consent to a site’s terms without reading them; a company that required users to trade their first-born child got consent from plenty of users. Then again, when a system is crucial for modern life, like buses and trains, users ignore the terms because refusal of consent is too painful to consider.

To restore privacy, we must stop surveillance before it even asks for consent.

Finally, don’t forget the software in your own computer. If it is the non-free software of Apple, Google or Microsoft, it spies on you regularly. That’s because it is controlled by a company that won’t hesitate to spy on you. Companies tend to lose their scruples when that is profitable. By contrast, free (libre) software is controlled by its users. That user community keeps the software honest.

Copyright 2018 Richard Stallman. Released under Creative Commons No Derivatives Licence 4.0

First published in The Guardian. 3/4/2018

General Data Protection Regulation 2018 – Ready? Set? Go?

(This article was first published thanks to Research Libraries UK.)

Benjamin White, Head of Intellectual Property, British Library, writes about steps libraries should take now to prepare for new legislation:

The General Data Protection Regulation (GDPR) comes into force across the European Union on May 25th 2018. Despite this, the UK’s Data Protection Bill is still being debated in the Houses of Parliament. This creates a challenging situation for organisations because the details of UK implementation of the new data protection legislation remain unconfirmed. Given this, organisations such as libraries should ideally plan to implement the GDPR itself, and once the Bill comes into law revisit their activities in its light.

After the Snowden revelations, and the realisation in the public psyche that privacy is a limited commodity in an online world, we can see a huge rise in awareness of privacy issues. Organisations not only need to demonstrate how they use people’s personal information [1] responsibly, but they need to protect themselves from the financial and reputational harms of being found to be non-compliant with data protection law. For example, higher penalties of up to €20 million or 4% of global turnover are possible for more serious infringements of core principles of the Regulation.

One of the common misconceptions around data protection law is that personal data only relates to sensitive information. This isn’t the case: it also regulates “simple” forms of personal data such as names, email addresses, telephone numbers etc.

The aim of this article is to suggest some of the activities a library should undertake to ensure compliance with the GDPR.

A Possible Checklist

All educational establishments in the UK are likely to have a Data Protection Officer. If you are subject to Freedom of Information requests you will need a Data Protection Officer independent of senior decision makers [2]. If they have not already been in touch with the library, you should proactively contact them to find out whether they have incorporated the work of the library into their activities. The types of personal data a library might manage can range from library membership information and the research datasets it holds, through to personal data on institutional repositories, marketing information, as well as personal data in analogue and digitised collections. Unique archival collections are another important area that can hold much sensitive personal data and that any university data protection officer should be made aware of.

Data protection law places many obligations on organisations that hold personal data (called data controllers in the law) but some of the main activities that should be undertaken to prepare for the GDPR coming into force include:

1. Data Security

Arguably, in terms of data protection law, one of the most important things for any library to focus on is the security of personal data. Recent findings in Kroll’s 10th annual Global Fraud and Risk report stated that 86% of those surveyed reported a cyber incident, with 70% reporting some type of security incident – up by 2% on the previous year. The types of personal data a library may keep are also changing. Alongside the traditional areas, many funders now require or encourage that research datasets are archived, so the security of this type of information should be an important consideration for library managers.

A recent article on the BBC News website [3] highlighted how some Amazon Web Services users (including companies, universities and governments) were finding in their online data lockers messages from independent security researchers warning them that their lockers were insecure and could be targeted by hackers. Misconfigured settings, forgotten data stores, and not keeping patches up to date are common issues that create vulnerabilities for data controllers. In short, staying on top of your data security should be at the top of your GDPR To Do List.

2. Information Auditing

In order to comply with the GDPR it is highly advisable to understand more about the personal data you currently hold and how you use it. Many organisations are therefore undertaking what is called an information audit. This can include:

  • Check IT and any other data sharing contracts to ensure they reflect the GDPR. (The European Commission is expected to issue model contract clauses which will help with this, but currently none have been forthcoming.)
  • Map where data comes from, where it is held, who has access to it and who you share it with.
  • Record the type of personal information you hold, and establish your legal basis for using these different personal data types. (N.B. As part of a university, while performing a “public task” a university library cannot rely on the “legitimate interests” legal basis for holding and using personal data – this may mean that you now have to establish new legal grounds for processing information in certain situations. If an activity is outside your public task, “legitimate interests” may be possible to rely on. Universities, like cultural heritage institutions, are in this respect known as “hybrid bodies”.)
  • Make decisions around how long you should keep different types of personal data. You should not hold more personal data than you strictly need, and it should also not be kept for longer than is strictly necessary. There is a general obligation to ensure the data is up to date, so processes to ensure the data is accurate need to be established.
  • Check how robust your policies and processes are around data security, destruction of personal information you no longer need, and maintaining the currency of personal data.

3. Privacy Statements

Having undertaken an information audit, all organisations should review their public facing privacy statements, as the Regulation brings about quite a step-change in the requirements of your privacy notices. These need to be intelligible and as easily understandable as possible by anyone of teenage years and up. They should outline your specific legal grounds for using personal data in regards to named activities, why you are using personal information, where the data comes from and with whom it is shared, as well as your contact details and the types of personal data you hold.

To kill two birds with one stone, and therefore discharge a number of your legal obligations (such as those that relate to subject access requests) in one go, it would be sensible to also cover in the privacy statement how long you intend to keep the data, and the types of rights people have in the law to control how their personal information is being used. Any profiling or automated decisions made about people should also be clear in the privacy statement.

4. Record Keeping

The GDPR requires data controllers to create and retain information in certain situations and also to provide specific information to data subjects, for example when responding to subject access requests. Your library should establish with the university’s Data Protection Officer what information, if any, you will need to keep in order that the university can comply with the law.

5. Time Sensitive Activities

The period within which a subject access request has to be responded to is reducing from forty days to one month. A data breach may need to be reported to the Information Commissioner’s Office within 72 hours and in certain cases to data subjects as well. Ensuring that the library is able to comply within these demanding time frames and liaise quickly with the university’s Data Protection Officer will be vitally important.

6. Transfers of Personal Data Particularly Beyond the EU

Access to and sharing of personal data is strictly regulated by data protection law. People have the right to know exactly how their personal data is being used, and with whom it is shared. Data protection law also has particular rules regarding exporting personal data beyond the European Economic Area (EEA, the states of the EU plus Iceland, Norway, and Liechtenstein), so any activities, such as collaborative research projects or use of cloud-based services, that involve personal data travelling beyond the EEA will require additional checks and safeguards.

7. Training

An important principle in the GDPR is what is known as “privacy by design”. This means that thinking about protecting people’s personal information should be at the forefront of what you do. In order for the university to show it is complying with this principle, training should, as a minimum, be given to staff. In terms of library staff, it will be important that they have a basic understanding of data protection law. For those involved in giving access to collections, it is also important that they are familiar with arguably three of the most relevant exemptions in the GDPR for libraries:

  • Archiving in the Public Interest (Art 89)
  • Scientific / Historical Research and Statistical Purposes (Art 89)
  • Freedom of Expression and Information (Art 85)

8. Legal Underpinning for Archiving

Data protection law allows for certain activities to be undertaken that otherwise would not be legally possible. These are called “derogations” or “exemptions”.

In order that libraries can enjoy the wide exemptions that are given to organisations “archiving in the public interest”, there must be a legal basis that puts obligations on them to undertake various activities relating to collecting and disseminating the historical record. Recital 158 of the GDPR states (emphasis added):

Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest.

Unlike some other European countries, the UK does not have a single Act of Parliament that creates such an obligation on organisations that hold historical records. Neither has the government thus far included this requirement in the Data Protection Bill. In order to enjoy this exemption, therefore, a cultural heritage institution will either have to look to an Act of Parliament that regulates their organisation, or towards documentation that creates a legal obligation in UK law. According to certain lawyers, this could include documentation that outlines your public task, or similar constitutional documents that regulate how your organisation is run.

It would therefore be advisable to establish what the legal basis is that allows your institution to “archive in the public interest”. If this is not clearly defined in statute, constitutional documentation that sets out the function and role of your organisation should be revisited and updated to create archival obligations on the library, archive or museum. In the event of a legal challenge around the exercise of this derogation, and in the absence of a statutory underpinning, clear constitutional documentation is likely to be your best defence as to the basis for exercising the archival exemptions provided for in the Act.

9. Understanding the Exemptions

Archiving in the Public Interest

This exemption enables the keeping of historical materials (published and unpublished) by removing the obligation to ensure personal data is accurate and kept up to date, and by ensuring that material, irrespective of why it was first collected, can be retained for archival purposes. The obligation to inform people you are holding their personal data is also removed where this would not be practicable, as are the rights of individuals to have their data erased (“right to be forgotten”) or amended. Other rights, such as being able to prevent someone’s data being used by an organisation, the right to find out what data is being held on a person, and the right to have data transferred to another person or organisation, are also not relevant if asserting the archiving exemption.

Scientific / Historical Research and Statistical Purposes

These exemptions are closely linked to the archiving in the public interest exemption, and appear in the same Article. They allow research to be undertaken using personal information that was collected for a different purpose and relax the prohibitions around keeping personal data for as short a time as possible. The obligation to inform people you are holding their personal data is also removed where this would not be practicable, as are the rights to have your data amended, and to object to your data being used.

What “scientific” and “historical” actually mean has not been defined in the GDPR or the Bill, but perhaps thinking of science in the Latin sense, “scientia”, meaning knowledge, is something that our community should consider.

Freedom of Expression and Information

This exemption has been expanded from the similar exemption under the Data Protection Act 1998 to cover the work of academics as well as journalists in undertaking research and publishing information relating to a living person. The GDPR allows Member States to implement this provision relatively freely, and it is likely that oddities in the current draft of the Data Protection Bill will change. One of the anomalies currently seen in the draft is that an academic publishing materials using personal data would be subject to newspaper codes of practice. There is also currently a gap relating to the issue of legal underpinning of archiving activities, as highlighted above. Whereas an academic or journalist may have the right to use personal data under the “freedom of expression” exemption, the archive may not be able to supply the information, given the question marks over the lack of statute-based legal underpinning for organisations archiving in the public interest.

10. Engagement with your Data Protection Officer

Data protection law can seem overwhelming and difficult to get to grips with. Luckily, in a university you will have a DPO whom you can consult and work with on GDPR implementation requirements. By engaging positively with them, you will not only be protecting the university from potential action by the Information Commissioner’s Office, you will be demonstrating to students, university employees and people further afield that the library is a responsible place that sensitively handles personal data and privacy. Reputationally this is likely to serve you well now and in the long run.

  [1] The law refers to personal data as something that can identify a living individual, either directly or in combination with other information – this includes opinions as well. Examples include names, emails, library card numbers, medical and religious information etc.
  [2] If you are not subject to FOI, you will need a Data Protection Officer if you are undertaking systematic monitoring of people on “a large scale”, or if using sensitive personal data / criminal conviction data on a “large scale”. “Large scale” is not defined, but some people suggest that a hospital processing patient data would constitute large scale.
  [3] http://www.bbc.co.uk/news/technology-42839462