Privacy Lessons to be learned over Phone Hacking

On Sunday 10th July the News of the World published its last edition.  Old news.  The paper had been printing for 168 years and was established as the UK’s top seller.  The closure came due to reputational loss: revelations that it had allegedly obtained personal information using an illegal method known as “voicemail hacking”, dialling remotely into a person’s voicemail and listening in on their recorded messages.  It seemed that people were willing to let this slide for politicians and celebrities, but when it held up the investigation into a missing young girl (the police thought that she was still alive because her voicemails were being checked), the public (and media) rallied against the paper in droves.

So what are we to learn from this?  Indeed, the paper had been investigated for this type of activity back in 2005, when information on Prince William’s health was published, resulting in the jailing of two journalists.  The wider paper and the Rupert Murdoch media empire had, of course, claimed that these two were acting alone.  The number of people who have come forward in recent times confirms, however, that this type of activity was institutional.

So what is privacy?

Privacy has no broad legal definition, and is hard to define.  It is a balance between the individual’s right to keep information about themselves to themselves, and the wider need for a lawful society, for commercial businesses to operate, for the government to operate, and so on.  Privacy is indeed viewed differently by different people: some believe that all our activities should be open to the state, others that we should be protected from prying eyes.  It is therefore a difficult area to legislate for.

Personally, I believe that we cannot have privacy in today’s age.  Where we have a huge internet footprint, companies hoard huge amounts of data about us and we are on CCTV everywhere we go, privacy is next to impossible, unless you wish to live a hermit’s life of solitude in the wilderness.  My thoughts are more about the individual being informed on when and where their data is taken and used, and being given control (where possible) over its usage and further disclosure.

This “balancing act” is a difficult line to walk.  Newspapers can claim that it is their duty to expose corruption in business and politics and to expose wrongdoing in the public interest, holding to account those whom we raise to heights of office or fame.  To do this they must effectively gather information on these individuals; however, they are not the police, nor the government, but occupy a middle ground in between, holding these groups to account in the “public interest”.  A strange and difficult line to walk.

The law

The law begins with Article 7 of the European Convention on Human Rights (ECHR).  This was mostly incorporated into UK law by the Human Rights Act 1998, which grants:

“Everyone has a right for his private and family life, his home and correspondence”

And further:

“There shall be no interference from a public authority…except in accordance with the law… in the interests of national security, for the prevention of crime and disorder, for the protection of health or morals, or for the protection of the rights and freedoms of others”

I find “private and family” the interesting words here, as there is a clear sense that you have a greater right to privacy at home and in your family life than you would if you adopt a “business or public” life.  For example, your employer has a right to publish your work contact details, but not your home ones, and if you profit from being a celebrity, such as by publishing an autobiography, you have less expectation of a private life than those who choose not to be in the public eye.

A further two European directives on privacy, covering personal data processing and electronic communications, were published in the 90s to make sure that people’s information could move freely between all EU member states.  These were incorporated into UK law by the 1998 Data Protection Act [DPA] (as since amended!) and the Privacy and Electronic Communications Regulations 2000.  In international data protection law, the various EU countries operate to common principles, but the details vary across jurisdictions.  These, along with the Freedom of Information Act 2000 and the Regulation of Investigatory Powers Act 2000, now form the heart of what some deem “privacy law”.

Information Governance

The heart of the issue for most organisations is good information governance.  Too many people look at the DPA as a problem, a compliance issue to overcome, rather than an effective information management model.  The requirements of the DPA are simply about making sure you notify people how and why you will use their information (ethical, trust-building steps), making sure it is accurate and up to date (good housekeeping, which reduces complaints), not keeping it for longer than you need (economical), keeping it with “appropriate” security (risk-based and reputationally advantageous), and making sure you consider the laws that you may encounter if you move it out of the EU countries that adopt this approach (again, good practice is to notify people on how and where their data moves).

Nothing in the act really says “no”; instead it says “yes, as long as you think about it and put in appropriate safeguards”.  The main problem with the act is that it cannot say for sure, for every situation, what these safeguards are.  Instead it places the burden back on the organisation to determine this.  The law here is applied on a case-by-case basis, with no hard and fast rules.  Organisations must “know themselves” and react appropriately to their legal, regulatory, business and contractual requirements and obligations.

Sometimes, organisations have simply not paid attention to the information they hold, how they get it and where it goes.  Mapping these “information lifecycles” and putting in appropriate controls and checks can be a key area of initial work.  These organisations should be warned, however, that the ostrich approach does not fare well when they find themselves next in the firing line over a data breach or an unethical practice.  “We didn’t know” is a much worse position than having identified the bad practices and started working on the areas that require improvement.

Most solutions here are human in nature, rather than technological.  This is because organisational weaknesses are exploited by “blaggers”: social engineers who aggregate small bits of information from customer-facing departments to find out increasingly more personal information.  Training, education and awareness are the best tools to actively defend your organisation here.

At the heart of good information governance lies a management assurance regime, in which management actively assess what is required, deliver this into the business, and then receive regular reports and updates, measuring and monitoring to see what can be improved and then delivering appropriate improvements.  Without evolution, we perish.  To do this, a consistent approach to risk management, common procedures and practices, appropriate organisational structures, and good identification and reporting of information issues can all contribute to a personal data management system that delivers only business benefit and is tailored to (and embedded in) the culture of the organisation.