Friday, December 07, 2007

Demos report: the new politics of personal information

I heard on the BBC radio news this morning that Demos has published a new report today: We no longer control what others know about us, but we don’t yet understand the consequences... The new politics of personal information compiled by Peter Bradwell and Niamh Gallagher.

"Aims of the study

This report has three aims:

1 to connect the value people gain from an information rich society with the challenges that arise from giving away personal information

2 to raise awareness of the consequences of the increasing reliance on personal information by institutions in the public and private sector

3 to provide a framework within which policy-makers, businesses and individuals can address these challenges in the long term.

This report is intended to push the debate on personal information
beyond the legal and technical language associated with data
protection and identity management. The debate must move towards
something that people – through day-to-day experiences in their own
lives – have a stake in. New trends of communication, customer
services, personalisation, and issues of social inclusion and privacy
are helping to create a new framework for the discussion of personal
information.

Our argument

Personal information has become central to how we live – from
banking online and supermarket shopping, to travelling, social
networking and accessing public services. The visible result of this is a
trend towards personal, tailored services, and with this comes a
society dominated by different forms of information gathering. This
is not just something people are subjected to. They are more and
more willing to give away information in exchange for the
conveniences and benefits they get in return, and are often keen for
the recognition and sense of self it affords.

But there is a tension here. By sharing personal information we
surrender control in the longer term by leaving ourselves open to
judgement by different groups in different ways. The drive to
personalise or tailor services, which is shaped by those judgements,
can lead to differences between what people experience and have
access to. This can mean a narrowing of experience, can lead to social
exclusion, and has significant implications for how we live together as
a society. We argue that these problems can only be resolved by a
more open understanding of and better democratic debate about the
boundaries, rights and responsibilities that regulate the use of
personal information. That debate should focus on developing the
collective rules that determine individuals’ ability to negotiate how
personal information is used...

Recommendations

People themselves must be put at the centre of information flows.
Our findings suggested a number of measures that government, the
private sector and individuals could follow to improve the relationship
between people, personal information and the institutions that
use that information.

For individuals, we recommend:

 The first step is for individuals to take measures to protect
their personal information – for example, by securing
wireless networks. Second, they must recognise the
connections between the benefits of sharing information,
and the often less tangible costs and dangers that can
result. A better understanding of this relationship is the
necessary step towards bottom-up policy driven by
collectively negotiated norms and rules, rather than policy
driven by the narrower needs and interests of government
or business. However, this does need considerable support
from government and the private sector to start the
process.

For government, we recommend:

 The government should develop a more coherent strategy
around personal information use. This strategy should
clarify the links between how government will use
personal information, in specific contexts, and what the
potential benefits or costs might be for individuals. Each
government department using personal information must
say how they are accessing personal information, for what
purpose, and how it affects people. They should also
employ ‘cash-handling’ disciplines for dealing with
people’s personal information.

 The government should begin long-term research and
thinking into increasing levels of information about
individuals, coupled with personalising services and
experiences. Segmentation and increasing knowledge of
individuals will create markets that exclude in ways that
current uses of information do not. That will have a
significant impact on what is meant by equality. For
example, will a new frontier of the welfare state be
providing life insurance for certain types of people who
are deemed bad investments by private insurance
providers?
 The Information Commissioner’s Office (ICO) needs
greater capacity to cope with the range of demands of an
information society, which continue to extend away from
just security of data towards data use and the nature of
information sharing. For example, that could include the
ability for the ICO to audit organisations’ use of personal
information without needing their consent.
 ‘Privacy impact assessments’ should be used for major
projects across public and private sectors to assess the use
of personal information early in development, led by the
ICO.

 There needs to be a serious, renewed debate about the
identity card scheme, with the kind of engagement that
should have happened at the start of the process.
Otherwise, the scheme should be dropped. There needs to
be more open consideration of what kind of information
the cards would hold, why, and in what circumstances
they will be used.Meaningful engagement with the
public about how the technology should work must be
foremost in shaping what the cards do, if they are to go
ahead.

For business and the private sector, we recommend:

 The rights of access individuals have to information held
about them in the private sector should be extended,
including the right to know what groups people have been
‘segmented’ into, and allow greater ability for individuals
to challenge and change existing information about themselves
that they believe to be invalid, incorrect or unfair.

 Information holders should engage in an open debate
about where responsibility for personal information lies,
with a view to clarifying the rights and responsibilities of
businesses and individuals.

 There should be a common sense test for privacy
statements and personal information policy. The private
sector must provide simple, accessible explanations of
why personal information is gathered. It is too easy
currently to adapt and rely on established legalistic
policies. A move away from jargon is needed. This means,
for example, requiring businesses to follow the legal
concept of the ‘reasonable person’ when drawing up
policy statements on personal information.
 Banks should consider a ‘no claims bonus’ for customers
who successfully protect their personal information.
 Technical distinctions used by business – between
authenticators and identifiers, for example – should be
binned. As for government, private sector involvement in
digital identity should be grounded in the ways that
people use and value their digital identities. That should
imply a move away from using information people are
likely to divulge – such as family maiden names, dates of
birth – as ‘authenticators’ instead.

 As a bridge between people, policy-makers and
technologists, a body such as the ICO should be given the
remit and resources to lead open discussions and debate
to help build more secure, effective and appropriate
technology for personal information."

No comments: