The government has published a short list of candidates for the Information Regulator to be established in terms of the Protection of Personal Information Act. It looks like the data protection law will finally come into force after sitting on the shelf for three years waiting for regulations and a regulator. This was, you may remember, the law we promised to introduce before the 2010 FIFA World Cup. I can’t help wondering (like the clients of a now well-known Panamanian law firm) how much help the law is going to be. In 1671 Sir Matthew Hale, the Lord Chief Justice of England, decried the printing press as ‘the rolling of a snowball’. What would he have said about the internet? Google the word ‘internet’ and you will get nearly four billion results in 0.43 seconds. It is a snowball that never melts.
Our new data protection law will be useful to those who hate being spammed and will give recourse to people whose private information is revealed. But most of us are powerless in the sights of even the average hacker. If people can hack into the FBI and into the most secret accounts of the rich and famous how do you and I protect our stored data.
If you are a person responsible for processing personal information of others (and if you have an interactive business website or use the email system in the course of your business you probably are) you have to secure the integrity and confidentiality of the information in your possession by taking appropriate, reasonable, technical and organisational measures to protect unlawful access to the information. What is appropriate and reasonable? No amount of money spent on computer systems could have firewalled the Panamanian lawyers’ client information against the attentions of the International Consortium of Investigative Journalists. We have to do our best with available resources.
An increasing number of people are doing their shopping online. An online fashion retailer in Germany was recently fined for allowing the unlawful processing of customers personal information. They put a ‘Like’ button on their website probably not appreciating that whether customers click on the button or not their personal information gets given to the social network provider.
The Protection of Personal Information Act provides special protection for information that is sent to a foreign country. But if you are storing things in the cloud you probably have no idea where the information is going or how it is being protected. And, for instance, if you type the names on the short list for employment at the Information Regulator into an internet search it will instantly reveal some interesting personal information about them. Type in your own name and you might find out some surprising things about yourself.
Let’s hope the regulator can concentrate on positive things. We don’t need more heavy-handed regulation. The success of the law depends on it being administered in a way that recognises its limitations and the limitations of all of us in the face of technology that moves as fast as the speed of light.