
DATA PROTECTION

COMPUTER CONFERENCING AND DATA PROTECTION

INTRODUCTION
Modern electronic techniques mean that data can be generated in one place, stored on a computer somewhere else, and accessed from anywhere in the world. Countries that are very much concerned with personal privacy and/or freedom of information will want to protect their nationals against improper data use taking place over international communications lines. Without some international agreements it is possible to envisage "dirty data" havens in the same way that there are "flags of convenience" for merchant ships. A significant reason for the UK Data Protection Act 1984 was to allow the United Kingdom to remain part of the international commercial data networks.

HICOM is a conferencing system designed to allow the free interchange of information among members of the Human-Computer Interaction Community. It consists of a series of open and closed conferences on a range of topics, and also provides electronic mail and other support facilities. Some of these conferences are mainly for information while others serve as electronic debating chambers. Co-operating professional bodies can set up their own conferences which may be open or restricted to their own members. The stored texts contain frequent references to named living scientists, usually associated with their research or publications, in addition to references to the readers and writers of the texts themselves. (See Appendix 1)

Because the HICOM files contain personal information it was necessary to register the system, and the author took on the role of honorary data protection officer. Control information about the membership of HICOM is very easy to register, as it is similar to the problems of running a club or a bureau. In addition HICOM contains many features common to other open information exchange networks, from simple electronic mail, via conferencing systems, to open bulletin boards. It was hoped to be able to simply adapt other registrations.
Unfortunately a look at published registrations suggested that most existing registrations were almost certainly defective in terms of what research workers actually do. For instance a spot check on a sample of UK universities showed that none of them included a registration allowing their staff to exchange information on a conferencing system accessible via international academic or public communication networks. This article looks at the problems of applying the Data Protection Act to the activities associated with the electronic communication of information within the research community. These problems arise because those drafting the Act did not consider such activities. The approach taken is to consider a possible request for information from an aggrieved academic and look at some of the technical problems posed by the Act if such a request is considered reasonable by the courts.

DEFINITIONS
The following informal definitions highlight the key areas which are relevant to this paper. Special cases are omitted except where relevant.

Data subject: A living identifiable individual about whom data is held. They may be identified by name, or by any other unique means, such as their email address. Even references such as "The author of ...." could be interpreted as a unique reference to a data subject if the data user knows who the author actually is.

Personal Data: Information about a data subject which is (or may be) processed by reference to the subject. Searching a text file for passages relating to a data subject would make that file personal data.

Data User: The data user is the person or organization which controls the personal data. The moderator of a computer conference, who has the right to add, amend and delete messages, would be a data user, while someone who simply reads a bulletin board is not. However, if anyone downloads a text containing personal data, they immediately become the data user of that copy.

Registration: The data user is required to register the nature of the personal data held, the sources of this data, the use to which the data is put, and the ways in which it will be disclosed to third parties. It should be noted that it is the existence and control aspects of the data which are registered, and the location of the data is irrelevant. There are a number of predefined classes of data suggested for registration, including academic record, publications and the more sensitive criminal intelligence and sexual life. Most personal data in a free text system is likely to come under the catchall "uncategorised information".

Exemptions: There are a small number of exemptions, but these are tightly defined to avoid loopholes. The only relevant exemption concerns word processing where the text is not retained in machine readable form after use. The transmission of texts is also not considered to be "processing", and online conversations and electronic mail are not covered by the Act. Conferencing systems and bulletin boards are not covered by this exemption, and even electronic mail is not covered if file copies are retained for future reference.

Subject Access: A data subject has a right to approach the registered data user and request copies of all personal data for a fee (maximum £10), and this must be provided within 40 days. The registration process requires there to be a person in the data user organisation who will be responsible for servicing such enquiries.

Overseas Transfers: On registering, the data user is asked to list all overseas countries to which data transfers can take place. A worldwide registration can be claimed, but is not recommended as circumstances might arise which place restrictions on transfer to particular countries.

The Data Protection Principles: There are eight principles that apply to the computer processing of personal data. They relate to the professional standards appropriate to the maintenance of computerized personal data.

THE KEY PROBLEM
There are serious difficulties in applying the Act to communal text-based electronic systems. This arises because the Act is drawn up assuming a formatted commercial database architecture designed and controlled by full-time computer professionals. To avoid loopholes (such as holding data on a vast network of personal computers rather than in a centralized database) the definitions have been made very wide. This means that the Act catches a variety of fringe computer applications. A simple example is relevant.

The author markets a teaching package which includes a database retrieval package on the English monarchs. All but one are dead, but it reveals that Queen Elizabeth II came to the throne in 1952. As she is still alive this is a piece of personal information covered by the Act. (There is no exemption for a trivially small amount of information, or for widely known information in the public domain.) As I sell the package I am a dealer in personal information (and my sales mean I need to register as an international dealer in personal information). Schools which use the package would, strictly speaking, need to be registered, and if there is a possibility that the information might be disclosed to a parent on a visit to the school the registration should cover this situation to avoid unintentional disclosure. All these legal difficulties would vanish if the package deliberately misrepresented the country as having been a republic since 1952.

Of course it is very unlikely that Her Majesty will complain that unregistered data is being processed - but the problem is that the above example represents a strict interpretation of the Act. Until there have been some prosecutions it is a matter of guesswork to know exactly where the boundary between the trivial and the prosecutable offence lies. In the meantime the law means that almost anyone who has a personal computer will unintentionally be breaking the law in trivial ways, and this makes it hard to get many people to take the law seriously.

A TEST CASE
If the law is uncertain, an alternative approach is to work out what kind of case is likely to generate complaints, or to reach the courts. A suitable case would involve an individual who believes that the processing of inappropriate or incorrect data has put him at a disadvantage. The Act already has specific provisions for exam marking, which is an area where requests for information could be expected. In addition the Data Protection Registrar's 1988 annual report reveals that a large number of complaints have concerned the refusal of credit and/or the inappropriate disclosure of credit information. The academic equivalent of the refusal of credit, especially relevant in the current university political environment, is the rejection of papers, or the refusal of research funds. Such action could easily mean the lack of promotion, or the assignment of less pleasant duties. A possible scenario of the near future is as follows:

Mellowbrick University decides to organize an international symposium on "Electronic Communications." As all interested parties can be expected to have access to electronic mail, all "paperwork" is to be carried out using electronic mail and computer conferencing. In particular, authors submit their papers by electronic mail; these are forwarded by the paper editor to referees (who are scattered all over the world), who email back their observations. The editor emails Dr Jeckel, saying that his paper has been rejected, but gives no reason. Dr Jeckel has already had several papers rejected this year, and is under considerable pressure to improve his publication record. He believes (probably wrongly) that there is a conspiracy against him and decides to invoke his subject access rights under the Data Protection Act in order to see what the referees have said about him.

In terms of the overall aims of the Data Protection Act this is a reasonable request, as it is quite clear that personal data relating to Dr Jeckel's professional ability has been processed on the system, if only to collate various electronic texts referring to Dr Jeckel's submission. Processing would definitely be involved if, for example, a spreadsheet was used to keep track of submitted papers and referee "scores" used to make the final selection. It is therefore quite possible that the courts would find that he has a right to see such information, in the same way that he has a right to the information which might lead to him being refused credit. If this is the finding, what are the implications for the management of electronic research conferencing in the UK?

WHAT IS PERSONAL DATA
Formatted data, such as age, job title etc., which is obviously personal data, is covered by the Act. However there are problems with text files, where it is essential to know whether the data is processed by a personal identifier. Thus the text of an electronic book which contains personal information about living individuals is NOT personal data with respect to these individuals if the text is not processed for this information. However, the existence of personal names in a keyword index would clearly indicate an intention to process the text as personal information, even if the index had never been used. The complications occur when the system holding the book contains a text search system (or even a simple word processor with search facilities). Under these circumstances the book CAN be used as a source of personal data, and whether the Act applies is a matter of record (i.e. have such texts ever been searched?) and intent (would such texts be searched if it was useful to do so?). In Dr Jeckel's case there are other complications. A scientific paper is not primarily a piece of personal data about the author, and a referee's report could confine itself to non-personal aspects of the research work described. However the analysis of the paper using a spelling or syntax checker to help to criticise the author's command of English would be a clear case of processing to extract personal data, while it would be unusual if a referee's report did not contain statements relating to the author's professional ability. It should be noted that the reviewer need not know the identity of the author, as the paper reference number is a unique identifier which links the paper to the author on the symposium organiser's file. Information used to determine Dr Jeckel's "popularity" by searching online citation indexes would also come into the personal data field.

To complicate matters the Data Protection Registrar is very unhappy about "personal data" which is really guilt by association. This has come up in connection with credit agencies, but could be equally relevant to the use of statistics on Dr Jeckel's department or institution as a guide to Dr Jeckel's competence, etc. There is another subtle problem. Facts and opinions are data, but the Act excludes intentions. Thus a referee's disapproving opinion is data, as is the fact that the paper has been rejected. However a record of the intention to reject Dr Jeckel's paper is not data. This suggests that a field indicating "intended action" is not personal data, but would become so once it had been used to mail out the rejection letter to Dr Jeckel, although the data has not been modified in any way.

WHERE IS THE DATA?
Before any personal data can be retrieved and supplied to the data subject it has to be located. As mentioned earlier, the location of data is not the concern of the Act, but the registered data user must know where such information is held in order to be able to satisfy subject requests. Personal data relating to Dr Jeckel's enquiry might be in the file store on the central mainframe computer at Mellowbrick University, or on a departmental mini, or on a personal computer on an office desk, or even in a pile of floppy discs at the home of a member of staff. It may be that the conference's paper editor is not a member of the university, and may even be situated overseas. It may also turn out that various members of the programme committee have copies of parts of the personal data (not necessarily identical) on a variety of computer systems in various parts of the world. In each location the organization of the data may be highly idiosyncratic, reflecting the working techniques of a single academic. In many cases it may be associated with data which is not connected with either Mellowbrick University or with the international symposium. There are likely to be problems in actually locating such data within the legal limit of 40 days, at least if the activity is registered.

WHO OWNS THE DATA?
One of the key problems in this situation is to identify the data user who has, or should have, registered the data. In a university environment it may well be very difficult to be certain who is legally in control of the information. A typical academic will be handling personal data about his students and students from other institutions through external examining. He will have bibliographic files relating to his research, and will be involved in refereeing activities for conferences, publishers and sometimes research councils. He may well have other information relating to external consultancy activities, and in some cases his research may also involve personal data. In some cases it is obvious that he holds data on behalf of his employer, while in other cases he may hold data for third parties, or on his own account. It may well be that some data falls into more than one category. Of course the Data Protection Act only relates to data held on a computer, and at the present time few academics will be completely computerised. On the other hand the trend is to move towards more electronic mail and computer conferencing, so any problems can only get worse as more and more academics get personal computers with communication facilities. In practice the only person who actually controls the data is the individual academic, although it may be held by him on behalf of his employer, or some third party. How should this be registered? In the case of Dr Jeckel's hypothetical enquiry, does the personal data which undoubtedly exists belong to Mellowbrick University, which hosted the symposium, to the symposium (whatever legal status that has), or to the members of the programme committee, either collectively, individually, or on behalf of their employers, etc.? It is only necessary to look at the various registrations for British universities to realise that different organizations have taken very different approaches to the overall problem of registration. Some have registered applications on an overall basis, others on a faculty basis, while there is a surprisingly small number of registrations to cover research projects which involve personal data, such as medical trials and social surveys. It is also apparent that, at the time of drafting this paper, personal data of the kind being considered here was not covered by any of the registrations sampled. It seems unlikely that this deficiency is covered by, for example, hordes of individual academics registering at £56.00 a time.

It seems very likely that the information Dr Jeckel wants will not be covered by a registration, and he will undoubtedly want to pursue this further. It has been suggested to the author that bulletin boards with no easily identifiable "data user" might be exempt, but it is possible that anyone using such a board specifically to avoid the effects of the Act would be in breach of the data protection principles.

WHAT HICOM HAS DONE
In view of these uncertainties it is difficult to register a computer conferencing system such as HICOM and be certain that everything is within the law. In preparing the registration, the main activities were examined to help to identify problem areas, particularly in the case of difficult data subject enquiries.

1. Routine data on members, such as names and addresses, usage statistics, a simple who's who, etc., falls under standard registration headings appropriate to societies and bureaux who have to keep track of their "customers."

2. Public conferences, such as CALENDAR and ABSTRACTS, are similar to many library oriented online services, with most personal data linking researchers with their research and related activities. OPEN FORUM is also a public conference where any topic may be raised, some of which contain personal data. REVIEWS combines aspects of ABSTRACTS (in the form of book reviews) and OPEN FORUM (allowing members to comment freely on the topics raised). Some of these conferences, such as ABSTRACTS and REVIEWS, will be keyword indexed. In conferences where all members are encouraged to contribute it is important to have proper control of what is said. For such conferences there is a moderator, who controls the data and effectively looks after the conference on behalf of HICOM. The "public" nature of the data means that it should be sufficient to give the data subject listings of all relevant entries as they stand (if he cannot be persuaded to carry out the searching himself).

3. Because the executive of HICOM comes from many different organisations in different parts of the country, it is managed almost entirely via management conferences. These may contain personal data. Data in these conferences should be considered the sole property of HICOM, irrespective of the affiliation of the authors and any data protection registration made by their employers. These conferences will need to be searched in the case of any request from a data subject. The HICOM system supports a number of private conferences. These might, for example, represent a programme committee for a symposium, or a group of scientists carrying out joint research on an extended geographical basis. In such cases HICOM is no more than a bureau which provides the computing facilities for these conferences, and it is the responsibility of the owner of the conference to ensure that it is covered by an appropriate data protection registration if necessary. These conferences would not be searched in the case of a data protection enquiry to HICOM unless some prior arrangement had been made with the owner of the conference that it should be adopted as an official HICOM conference.

Electronic mail and private files can be a problem. For normal members any messages or files they keep on HICOM are their own responsibility, as HICOM is simply acting as a bureau. They are also responsible for the data protection implications of any data that they download from the public conferencing systems onto HICOM. There is no way in which HICOM can take responsibility for these files as it is not the data user. For executive members of HICOM the situation is far more difficult. For instance the electronic mail system does not distinguish between messages sent to them in their capacity as a representative of HICOM, and messages sent to them as a normal member. In addition they may have HICOM information on, for example, their personal workstation which may, or may not, duplicate information on the main system. The only way that this information may be searched when a data subject enquiry is made is to circulate all executive members and ask them to report back on the relevant portions of their own files. It is to be hoped that it will never be necessary to carry out such a search.
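As an added illustration, not part of the original paper and not HICOM's own software, the following Python sketch ties together two points made above: the observation under WHAT IS PERSONAL DATA that a paper reference number is an indirect identifier once the organiser's file links it to the author, and the HICOM search policy just described (public and management conferences are searched by the system itself, private conferences are skipped unless adopted as official HICOM conferences, and members' own mail and files are reported for circulation rather than searched centrally). The store layout, the names, the e-mail addresses, the paper register and every message text are constructed for the example.

```python
"""Subject-access search over HICOM-style text stores (added example).

Hypothetical tool, not HICOM's own software. It resolves a data subject to
the identifiers under which personal data may be processed (name, e-mail,
and paper reference numbers that the organiser's register links to the
author) and searches only the text stores that the HICOM policy says the
system itself must search, reporting the rest for circulation or as skipped.
"""
import re
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    email: str


@dataclass
class Store:
    name: str
    kind: str               # "public", "management", "private" or "member"
    texts: dict             # message id -> message text
    adopted: bool = False   # private conference adopted as an official HICOM conference


def indirect_identifiers(subject, paper_register):
    """Paper numbers the organiser's register links to the subject.

    A referee who only ever sees "paper 17" is still processing data by
    reference to the author, because the register resolves 17 to the author.
    """
    return {ref for ref, author in paper_register.items() if author == subject.email}


def build_pattern(subject, paper_refs):
    """One case-insensitive pattern covering direct and indirect identifiers."""
    parts = [re.escape(subject.name), re.escape(subject.email)]
    for ref in sorted(paper_refs):
        parts.append(rf"\bpaper\s*(?:no\.?|number|#)?\s*{re.escape(ref)}\b")
    return re.compile("|".join(parts), re.IGNORECASE)


def search_stores(subject, paper_register, stores):
    """Apply the HICOM search policy; report what was found and what was not searched."""
    pattern = build_pattern(subject, indirect_identifiers(subject, paper_register))
    hits, circulate, skipped = {}, [], []
    for store in stores:
        if store.kind == "member":
            # Members' mail and private files: HICOM is only a bureau here,
            # so the owner must be asked to search their own copy.
            circulate.append(store.name)
            continue
        if store.kind == "private" and not store.adopted:
            # Private conference owned by a third party and not adopted by HICOM.
            skipped.append(store.name)
            continue
        for msg_id, text in store.texts.items():
            match = pattern.search(text)
            if match:
                hits.setdefault(store.name, []).append((msg_id, match.group(0)))
    return {"hits": hits, "circulate": circulate, "skipped": skipped}


# Constructed sample data (not real HICOM records): the addresses, paper
# numbers, conference contents and message texts are invented for the example.
PAPER_REGISTER = {"17": "jeckel@mellowbrick.example", "18": "other@elsewhere.example"}
SUBJECT = Subject(name="Jeckel", email="jeckel@mellowbrick.example")
STORES = [
    Store("OPEN FORUM", "public", {
        "of-101": "Has anyone read Dr Jeckel's note on screen layout?",
        "of-102": "Conference dates for 1990 are now in CALENDAR.",
    }),
    Store("REVIEWS", "public", {"rv-7": "Review of 'Electronic Communications' by J. Smith."}),
    Store("MANAGEMENT", "management", {
        "mg-3": "Referee B on paper no. 17: recommend reject, English needs work.",
    }),
    Store("PROGCOM", "private", {"pc-1": "Paper 17 is the weakest submission this year."}),
    Store("mail:editor", "member", {"m-1": "jeckel@mellowbrick.example: your paper is rejected."}),
]

if __name__ == "__main__":
    for key, value in search_stores(SUBJECT, PAPER_REGISTER, STORES).items():
        print(key, value)
```

Run stand-alone it reports the management conference entry that names the subject only as "paper no. 17", the OPEN FORUM entry that names him directly, the unadopted programme committee conference as skipped, and the editor's mailbox as something to circulate rather than search. One caveat follows from the definition of personal data given earlier: performing this search is itself processing by reference to the subject, so a tool like this is run in response to an actual request, not as a routine scan.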

CONCLUSIONS
Computer networks that handle stored free text accessed by academics and other researchers from disparate institutions on an international basis do not conform to the data processing model implicit in the Data Protection Act. It appears that most systems used for informal research communications between scientists are not registered, on the assumption that the Act does not apply. However, as the test case shows, it is possible for such a system to hold data which, if held within a single organisation, would undoubtedly be covered by the Act. It may well be that the actions taken by HICOM are over-protective, and that an over-strict interpretation of the Act has been applied. This will only become clear once there have been some prosecutions. In the meantime the following points need to be considered:

1. If the courts were asked to decide a case along the lines suggested, and found that data should have been processed under the control of a responsible registered data user, there could be very difficult implications for the current academic research networks.

2. The framing of the Act is so wide that almost anyone networking information could be involved in unintentionally breaking the law in trivial ways. Because of the lack of case law and relevant published guidelines, it is very difficult to produce simple practical advice to the researchers at the keyboard, and expect it to be taken seriously.

3. Should the law be such that requests from a data subject can include the searching of relevant files of individual members of the network, there will be considerable expense for what is likely, in practice, to be no more than a partially successful exercise.

4. In many ways the real problem in such cases relates to the need for prior registration. It would be much easier if the Act had said that anyone who controls access to a computer must respond to reasonable subject access requests, most of which might be answered by a simple "no relevant data." Only organizations with large files or especially sensitive data would need to register. This would keep the register to a manageable size, while saving an enormous amount of time for small businesses and individuals, with trivial quantities of data, who are unlikely ever to get a data subject request.

Chris Reynolds Data Protection Officer for HICOM

ACKNOWLEDGEMENT
I would like to thank Dr J N Woulds, Assistant Data Protection Registrar, for his helpful comments on the draft of this paper. The paper was presented at the Information Technology and the Research Process conference, held at Cranfield Institute of Technology in July, 1989, which was sponsored by the British Library, the University of Pittsburgh, and the U.K. Computer Board.
