The Cabinet Office and BIS have released a new paper relating to Consumer Rights, and specifically ‘mydata’, which gives consumers rights to view the data held on them by businesses.
The concept behind this is not new. For years citizens have had the ability to request what information is held on them by public organisations. Freedom of Information requests have become the norm in Local Government, with the likes of Birmingham City Council even publishing the costs of FoI requests. This proposal takes this to its next logical step, by offering the public the ability to question in depth what data is held on them by private organisations. The idea is that intermediaries can interpret this data (‘mash’ it, as the report puts it) and use it to offer consumers the best possible deals and relevant information.
There are a number of questions which this all poses.
The report itself comments that most people still do not understand the rights they have today to question organisations over the data held on them. Extending these powers may offer a superficial boost to access, but one has to question whether it will actually help. Additionally, there has been much talk about targeted advertising on websites, and one has to wonder whether this is not merely legitimising that process.
The other problem is similar to that of the OpenGov agenda within Government. By its very nature, pushing data towards the boundary of organisations so that it is accessible means that it is more likely to be accidentally released, or that it is more easily hacked by the bad guys. So it absolutely requires a more stringent approach to data security. Repeated data breaches over the last few years have demonstrated that companies and public bodies lose data, even inadvertently. Legislation that forces companies to move even more data to the extremities of their control needs to be accompanied by coherent security policy. This involves strict policies regarding interaction by staff, policy and procedure for release, and software deployed to ensure all of these controls are adhered to. Sophos advocates that a clear and unambiguous directive be issued, so that lack of clarity does not result in inadvertent release.
It is worth asking whether this announcement could conflict with the ICO’s role, with the ICO trying to control information disclosure, and this policy pressing for its release. One wonders how the two will balance out over time, and what the implications are. If the ‘mydata’ approach results in many breaches, then it remains to be seen how much pressure the ICO can bring to bear on the Cabinet Office to rescind the policy.