by Deputy Data Protection Commissioner, Rachel Masterton
"I did not set out to make data protection my career. It was not an option suggested by my school’s careers teacher or the computerised questionnaire I answered in an effort to gain some idea of what might suit me; something that would turn out to be my first foray into the world of profiling now encompassed in the latest iteration of data protection legislation.
I first encountered data protection when the 2001 Law was being developed as I sat in the same open-plan office as the team tasked with its implementation. It would be fair to say it did not make much of an impact on me at that stage and such it may have remained had I not, in a new role at a new organisation, been asked if I wanted to take on responsibility for data protection. This was much more due to me already having the word ‘data’ in my job title than anything to do with an aptitude for the topic or any kind of ‘calling’. If anything, I liked the idea as it meant I could connect with old friends from the data protection implementation team on the company’s time.
Shortly after taking on this new area, a job advert for a data protection and information security officer appeared in the local paper; a new role at Guernsey Police. Having dabbled in IT, amongst other things, and armed with my newly gained experience in data protection, I thought I would give it a shot and applied. Following an interview in which a senior police officer, after looking at my CV, declared I had ‘been around a bit’, I was given the job, as it turned out, totally unaware of just what I had gotten myself into.
On my first day in my new role, I was handed the Bichard Inquiry Report to read. This report emanated from the inquiry commissioned by the UK's Home Secretary in the wake of the conviction of Ian Huntley, in December 2003, of the murder of Holly Wells and Jessica Chapman in Soham in August 2002. The Inquiry was to review the child protection measures within two UK police forces Huntley had had prior contact with and in particular to assess the effectiveness of the relevant intelligence-based record keeping, the vetting practices in those forces and information sharing with other agencies. It identified failings in these practices, some of which were attributed by one force, in a press release on the day of Huntley’s conviction, to the data protection legislation in place at the time, although this ‘excuse’ was discounted by the Report’s author, Sir Michael Bichard.
The recommendations of the Inquiry focused on improvements to the way personal data held by police forces was used, in an effort to ensure that the
right information was available to the right people, at the right time in order to protect the most vulnerable in society. It found that the UK Data Protection Act 2018 was
not, in itself, a blocker. However, a
lack of understanding of the legal requirements around data processing and a
fear of the repercussions for using personal data had adversely impacted operations and put people at risk.
Contrary to the oft quoted narrative, data protection is
not just about locking data away and the seemingly default use of padlocks and binary to illustrate data protection stories or articles is a damaging trope that needs to be consigned to the past. As I took my initial steps into the world of policing and the data that underpins it, it became clear that personal data is not just something stored in a computer language we cannot read on servers with which we would prefer to have no dealings. Data is information and personal data is information about people.
And just as people are many and varied, personal data is about as broad as any definition can be, with impacts and implications that are wide reaching beyond measure.
My takeaways from reading that Report were that not using personal data can be as harmful as misusing personal data and data protection is rarely a reason for not doing something that is reasonable, appropriate and proportionate. It does not prevent something happening that is common sense; it balances the rights of individuals with the needs of the organisation; providing a framework which, at its heart, seeks to prevent data harms.
Data harms can occur when personal data is used in good faith; or when used in bad faith. Data harms can occur when personal data is misused or
when it is not used at all. Data harms can occur when personal data is used as intended and when it is used in ways incompatible with those intentions.
Data harms are many and varied.
- A medical referral going missing can mean a delay in someone receiving vital treatment and have longer lasting health and wellbeing implications.
- A failure to match new intelligence with the correct person’s record can result in vital risk factors being missed and safeguarding measures falling short.
- The disclosure of a vulnerable person’s contact details can put their safety at risk.
- Inaccurate recording of someone’s address can lead to errors with their credit report and them being refused credit.
What my time in this field has taught me, both when I worked at the Police and now that I am here at the ODPA, is that data harms are real, affect real people and can have real outcomes, whether they be tangible or intangible. Despite not setting out to have a career in data protection, I know that preventing harms is not just a legal imperative but a moral one too. That is what drives me and that makes me realise that much like Gandalf (though with a little artistic licence) I have arrived precisely where I mean to be."
&
Indulge