This blog was written by our Commissioner, Emma Martins, and first appeared in The Guernsey Press on 29 June 2022.
Biases and assumptions can creep into our lives so easily, mostly without us even realising. I was prompted to reflect on that recently when I heard that someone had made derisory comments about data protection to one of our staff. Of course this is nothing new - data protection has always had a ‘pr’ problem, with many people perceiving it as irrelevant or simply a burden. There is, in my view, a myriad of reasons for this;
- we are not great at linking data to actual human beings (if we called it ‘human protection’ maybe it would get an easier ride?);
- the tick-box compliance approach in some areas has turned people off (who does not hate those ridiculous ’cookie consent’ banners that pop up on each website you go on?);
- so much of modern data processing feels invisible and obscure (data processing has a huge environmental footprint so it’s very far from invisible);
- we generally like the benefits that come with giving our data away, such as social connections, but we turn a blind eye to possible harms, and;
- although the big data breaches we see across the world make headlines, most of the matters that smaller regulators, like our own, deal with do not make the news.
Add all those elements (and a few more) together, you would be right to question why on earth I would be surprised when people express their disregard or disdain (or both!) for what we do. But in the face of these assumptions, we have a choice. One response could be to shrug our shoulders and say ‘well, that’s just the way it’s always been, and will always be’. In seeking an alternative to that rather defeatist option, I am reminded of a quote from Miguel Ruiz - “The way to keep yourself from making assumptions is to ask questions.” In this context, I would like to try and answer some questions to challenge some of the erroneous assumptions and perceptions that so often exist in this area:
Why do we need data protection?
It’s unlikely to be something you think much about, but we all leave behind a huge amount of our personal data in almost every area of our lives. Used properly, that data can be used to benefit us (for example, sending us health screening reminders). But misused, it has the potential to cause harm (for example, if your bank details or medical records are compromised). The law sets out obligations for those who have our data, to make sure it is used in ways which are lawful and fair and with due regard to our rights, and rights for all of us in respect of our own data.
It also ensures that the Bailiwick benefits from largely unhindered data flows across its borders which is critical for our economic health today and in the future.
What does the ODPA actually do?
Our duties include administering and enforcing the law and investigating complaints from individuals concerned their data may have been mishandled. We engage with the community and ensure that personal data breaches are reported. We cover the breadth of the regulatory landscape, dealing with a diverse range of enquiries for such a small jurisdiction.
Our staff juggle enquiries from patients whose confidential health information has been sent to the wrong person, employees whose promotion prospects have been damaged by personal data breaches, multi-nationals looking to shore up their data protection practices in a bid to attract new clients and third sector organisations struggling to fulfil their obligations due to a lack of resources. Every day is different and every day brings new challenges and more people who need help.
While much of our work goes unseen because of the nature of what we do, we publish bi-monthly breach statistics to help us all better understand, respond to, and prevent personal data breaches. As a small team, we have had to think very carefully about how we can fulfil our statutory duties in the most effective way. Certainly it is the case that different regulators approach their duties in different ways – some focussing heavily on enforcement for example.
We have tried to strike a balance, investing as much time and effort into education and awareness as we do into enforcement, in the knowledge that the more we support local businesses get compliance right, the less likelihood there is of things going wrong. We have also developed a wonderful schools programme which we are rolling out with the Youth Commission.
It is more important than ever for young people to understand the digital world they are growing up in. And with data driving so much of our economy, we want young people to engage positively in the legal and ethical dimensions of the data driven world as they look ahead to future career opportunities.
Why should I care?
Data Protection may not be something you give much thought to, but it doesn’t mean that it’s not important. We are so fortunate to live in a jurisdiction that has given us these protections for many decades. It is deceptively easy for us to take our rights and freedoms for granted. But the perception we may have that they are a natural and inevitable part of our lives is a dangerous one. Each and every right and freedom has been fought for and needs to be valued, protected and looked after.
It is our job to encourage all those things and we do so because we recognise that it forms part of the wider foundations of a free and democratic society. On the one hand it is a source of regret that the human value of well protected personal information is often so poorly understood. On the other, it is a source of comfort that we live in a society where those rights are so well embedded that we rarely bring them to mind.
My plea to you against that backdrop – do not assume that these rights do not matter and do not assume that because they are embedded, they are permanent. Recent world events have shown us all too tragically how fragile our rights and freedoms actually are and we should never take them for granted.
&
Indulge