Delegates on our courses will know that Act Now collect fair processing notices both good and bad and now and again we find a real beauty. This is from a local GP surgery and they’ve gone to great lengths to not actually use the D word or the P word. I suppose they thought it would frighten the natives. Key elements of the fair processing code are also missing but hey! it’s a very polite notice which says er… not much.
Month: June 2014
IAPP Privacy and Freedom: A review by Lawrence Serewicz (@lldzne)
The IAPP has republished Alan Westin’s best-known book, Privacy and Freedom, which was first published in 1967. Despite its age, the new version, it is the same text with several introductory essays, provides context for a reader coming to it for the first time. The introductory essays, which include one by Westin on how he viewed his work and its impact, provide a useful context for the author, the book and its relevance.
Although the introductory essays offer an insight into the book’s impact and the author’s contribution to privacy professional field, a critical essay would have been welcome because the privacy landscape has changed dramatically. The change is more than technological because it includes the change in cultural attitudes to privacy. The cultural and technological changes have undermined his definition.
For most readers, Westin and his book are best known for providing a robust definition of privacy. His book, and his definition, helped start the debate on privacy, in particular, the fair information practices in the United States, which by turn helped influence the Data Protection Directive in the EU. Westin’s definition is the book’s strength and weakness.
“to control, edit, manage, and delete information about them[selves] and decide when, how, and to what extent information is communicated to others.”
The definition has its critics. Roger Clarke for example criticized the definition as favouring businesses and he provides an alternative definition. He defines it as
“Privacy is the interest that individuals have in sustaining a ‘personal space’, free from interference by other people and organisations”
What is common to privacy definitions is the idea of control, which suggests privacy as autonomy. However, neither definition pays enough attention to the context. Westin’s definition is rightly criticized for its focus on business. However, that is not its weakness. Instead, it is the political context. Westin’s first chapter on history of privacy fails to situate privacy within the context of the state system or within a political philosophical tradition. Without that context, we misunderstand the intrinsic limit to any individual’s control and what that control can meaningfully achieve. In this criticism, I suggest something more than a reliance on human rights. His view fails to recognize that far from controlling his or her data, the modern individual is a creature of the state to the extent that they do not own or control their personal data. For example, we do not own our National Insurance Number, nor do we own our birth registration nor our Driver’s Licence number, yet decisions about us and how those are communicated are beyond our influence, let alone our control. These are records created by and for the state. The individual has a claim on them but cannot be said to own or control them in any meaningful sense.
A second limit to the book is its impact. To be sure, the book helped start and shape the debate over privacy. It remains a touchstone for privacy professionals, but it has had little impact on the general understanding of privacy. Despite the book and its definition, privacy has become increasingly problematic and confused. The extent to which businesses have ignored Westin’s privacy definition is clear in the recent debates and concerns over privacy standards at Google and Facebook. Companies today succeed by exploiting privacy, personal data, and limiting the user’s ability to control or access the personal data held by them. Moreover, the right to be forgotten, which suggests the ability to delete data, remains unachieved despite Westin’s definition.
A related concern is Westin’s definition reflects a US perspective as privacy is approached differently in the UK from the US. The contrast between the two systems limits the book’s final section on policy prescriptions. Although he stressed that privacy is not a technological problem, he failed to address the qualitative changes wrought by “big data”. The technological opportunity changes the way that organisations, and states, can exploit, privacy or personal data, which means personal data can become a commodity. What would have been interesting, though beyond the scope of his original book, is a chapter on personal data as a commodity. However, Westin’s definition still resonates.
Westin’s definition still resonates in the way the UK courts now deal with the tort of misuse of personal information. The tension is revealed because Westin’s definition reflects a US approach to individual rights that is closer in spirit to the EU position than the one based on UK common law. We see this tension in the concern over the effect of disclosure, for example seeking an injunction or seeking damages as in the Weller decision for how others have benefitted from the personal information. However, in the cases, the individuals do not control their personal information in a meaningful sense. We may have redress on its use, but that is not control, which the Fairstar decision seems to suggest.
Dr Lawrence Serewicz is a Principal Information Management Officer at Durham County Council. The views expressed in this article are his own and do not represent the views of the Council.
Looking for a Practical DP qualification to enhance your skills and boost your career prospects? The new Act Now Data Protection Practitioner Certificate course is booking up fast.
RJ Krotoszynski Jr – 1990 AUTONOMY, COMMUNITY, AND TRADITIONS OF LIBERTY: THE CONTRAST OF BRITISH AND AMERICAN PRIVACY LAW Duke Law Journal Vol 39 no. 6 1990:1398
 See for example, his summary of the tort and its legal context as well as recent cases exploring it. http://ukhumanrightsblog.com/2014/01/23/new-year-new-tort-of-misuse-of-private-information/
See also this analysis http://www.panopticonblog.com/2014/01/16/the-googlesafari-users-case-a-potential-revolution-in-dpa-litigation/ The Weller decision that is the most recent application of the misuse of personal information tort is here http://www.bailii.org/ew/cases/EWHC/QB/2014/1163.html  EWHC 1163 (QB) The judgement provides a good summary of the case law leading to the decision. Imagine rights, let alone personal information rights, is another field to consider. http://inforrm.wordpress.com/2014/04/30/weller-article-8-and-the-recognition-of-image-rights-hugh-tomlinson-qc/
 http://www.bailii.org/ew/cases/EWHC/TCC/2012/2952.html fairstar  EWHC 2952 (TCC),  Bus LR D73,  2 CLC 795