Data Protection in the Wild West of the internet

Saturday 25 May 2019

A year on from the introduction of GDPR, Guernsey's Data Protection Commissioner talks about the increasing importance of the office in the digital age and the changes coming into full effect this weekend.

Emma Martins was appointed to the role in 2018 after having worked across Jersey and Guernsey for several years.

Although it felt like a paradigm shift of sorts this time last year with the introduction of GDPR and the Guernsey equivalent legislation, the industry is nothing new. We’ve been in a transition period since the law was brought about last year and as of 25 May there are a few changes which will ensure individuals have more control over the data held at various organisations.

A daily shifting digital landscape means data protection stories are a regular occurrence in the news. Even locally we’ve reported perceived failures in the States online tax provision concerning the security of personal data held, similarly with the HCT bus group as well as the online age verification checks due to come in on pornographic websites in July.

More seriously there have been breaches with a Deputy’s loss of sensitive paperwork and the mishandling of personal data by an employee of Health and Social Care. The latter was dealt with through the criminal courts after an investigation by the Office for Data Protection Authority (ODPA). In a rousing introduction to data protection for employers and practitioners last month the newly appointed Data Protection Commissioner warned about a new frontier of potential rights infringements.

 “There’s facial recognition software now which can claim to identify whether or not a person is male or female – and technology is being developed which claims to be able to tell by your face if you are a homosexual – think about the implications in countries where homosexuality is illegal…” she said.

Pictured: Emma Martins (photos by Ben Fiore).

The work of the Data Protection Authority in today’s world, where just this week a man taking the South Wales Police to court for capturing his face in facial recognition surveillance was described as operating in a “legal vacuum”, feels like the role of a modern-day sheriff operating in the Wild West. In the past, the Commissioner has talked about the “imbalance of power” represented by recent data breaches.

“Our local law is clear – it exists to protect the individual from harms due to misuse of their personal data. And make no mistake, the harms that can be caused by data being compromised are very real. Anyone with first-hand experience will tell you it is not an overstatement to say that mishandling personal data can ruin lives, ruin careers, ruin reputations, and destroy organisations. Wider international conversations about the potential individual and social harms of data misuse are testament to this.

“We would like to reassure everyone in the Bailiwick that we are here to empower individuals and to protect their legal rights as much as we are here to support active engagement and compliance by industry. We want to ensure everyone has a voice and is  respected regardless of the power or status of the individual or organisation who may have mishandled data. Protection of data is not a luxury, it is an essential part of living a dignified life in a democracy.”

One-to-one, Mrs Martins who worked pan-island across Guernsey and Jersey before being appointed solely to the Guernsey role, is engaging and enthusiastic about the growing importance of her work.

“Data is us, it’s everything we do, there is surely a moral imperative to this. It makes sense for businesses to educate themselves too and doing things well takes time, we’re working very hard, we want to help them to do that.“I often get people to think about the data that they leave behind without even realising it, every time you buy something online or fill out a form you are giving away data.

“If you look at some of the top performing companies at the moment, Apple, Facebook…they are very data rich. When you talk about business assets now, it’s data,” said Mrs Martins.

‘Data’ might sound like it refers to indecipherable code, something related to us but way out of the realm of our understanding and often out of our interest. But the data that some companies want is as simple as our age and location, our likes and dislikes or as we’ve seen in one such sinister application, our political affiliations.

“It’s worth looking at your search history, people conduct a lot of their life online, it’s really important to think of how valuable your data is,” she said.

Common complaints trickling into the Guernsey headquarters in the Bordage come from employees concerned about former employers use of their data. Its website gives a helpful update about what the changes mean going forward:

“From 25 May, this legal right allows islanders to request an organisation that holds their data to transport it to another organisation. This must be provided in a format that is easy to download, transfer between systems and be machine readable.

Pictured: The Office for Data Protection Authority staff. 

“This could include moving medical records from one doctor’s surgery to another, transferring insurance policy information or retrieving a contact list from a web application. It is expected that the type of local organisations receiving data portability requests will include insurance companies, banks, travel agents, along with medical practices such as doctors’ surgeries and dentists.”

In recent months the DPA in Guernsey has been offering workshops to businesses so that they can become data protection compliant before it comes to individuals taking action. This takes the format of voluntary workshops rather than training for points purposes. “The breadth and depth of the data protection – it covers every business – other regulatory authorities are industry specific – this is a much broader remit which is why we have to be smart about this,” she said. “If we give a company our data we expect them to look after it. It’s important we as the DPA respond differently, we want to get everyone to look after data and it’s about embedding it into the culture, a shift of focus.

“We’re not talking at them, we’re talking to them.

“When the GDPR was introduced there was all this talk of huge fines but there are certain stages of charges, people thought for a time you’d be able to sue your friends for having a picture of your face on Facebook but that’s slightly detached,” she said.

Social media has certainly changed how we see our digital fingerprint and has thrown into question issues surrounding informed consent in how the information we provide intentionally or otherwise is used.

“We’re seeing a big shift in the big social media companies they are getting better at things like consent which is tighter now,” she said.

Taking care of your own data and beginning to foster a culture where we are more guarded about who we are talking to and why with our personal information can be as simple as asking a question.

“You will always be playing some form of catch up with the environment, it’s moving at such a pace it’s often quite an education. “Ultimately, if you can teach someone to drive in a safe way, you don’t need to attend the accident,” she said.

Pictured above: L-R: Tim Loveridge (Chief Operating Officer), Emma Martins (Data Protection Commissioner) and Rachel Masterton.