icm2re logo. icm2:re (I Changed My Mind Reviewing Everything) is an 

ongoing web column edited and published by Brunella Longo

This column deals with some aspects of change management processes experienced almost in any industry impacted by the digital revolution: how to select, create, gather, manage, interpret, share data and information either because of internal and usually incremental scope - such learning, educational and re-engineering processes - or because of external forces, like mergers and acquisitions, restructuring goals, new regulations or disruptive technologies.

The title - I Changed My Mind Reviewing Everything - is a tribute to authors and scientists from different disciplinary fields that have illuminated my understanding of intentional change and decision making processes during the last thirty years, explaining how we think - or how we think about the way we think. The logo is a bit of a divertissement, from the latin divertere that means turn in separate ways.

Chronological Index | Subject Index

Let's close in on privacy crimes

About the sudden naivety of special data protection laws

How to cite this article?
Longo, Brunella (2014). Let's close in on privacy crimes - and leave data collections to libraries and archives. About the sudden naivety of special data protection laws. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print)], 3.2 (February).

How to cite this article?
Longo, Brunella (2014). Let's close in on privacy crimes - and leave data collections to libraries and archives. About the sudden naivety of special data protection laws. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Online)], 3.2 (February).
Full-text accessible at http://www.brunellalongo.co.uk/

March, 4 2014 - In a recent article Craig Mundie states that "the current approach to protecting individual digital privacy and civil liberties, focusing on limiting data collection and retention, is obsolete. The time has come for a new approach focused on controlling data use" (Privacy pragmatism. Focus on Data Use, Not Data Collection, Foreign Affairs, March/April 2014).

I could not agree more - though Mundie works for Microsoft and writes against the backdrop of a possible imminent new american law on cyber security (CISPA), whereas my views are essentially from a record management and information management perspective, aimed at making the most of data assets possibly without waste of other important resources.

After the halt to the new European Data Protection Regulation and pause for reflections last autumn (that followed the new OECD privacy guidance), it seems to me that the very idea of having Independent Authorities governing with special laws the collection and treatment of electronic archives of personal data has reached its tipping point - a point in which it has revealed all its naivety.

It sounds bitter, surprising news, that I came to such thoughts. In fact, I have been in many ways an advocate of special data protection legislation since 2003. About ten years ago, I remember myself giving passionate talks to sceptical marketing people about why data protection legislation should be a matter of basic education about treatment of personal data in electronic forms, as a way to build trust and develop rapports in the digital market-spaces.

The same belief has underpinned my work on how to prevent and early detect distorted usages of personal data within corporate crime scenarios and how to develop robust data policies for cyber security.

But, to be sharply frank as per the prerogative of this column, the idea that we could govern collection and treatment of personal data through general rules given by special laws and with Independent Authorities issuing guidelines and fines, wellÉ it suddenly seems to me just aleatory and utopian, as in other big data pioneers' dreams.

That perfect cybernetic world does not exist. There is no independent super power able to govern an inevitably global jungle of mistakes made by employees and users along the digital supply funnel, whilst gangs of organised fraudsters deliberate fake errors for the most incredible "immaterial" (though very real) online frauds.

We are all in the digital data soup together: everybody should be accountable on his or her decisions about data exactly as it happens in respect of the use of other material personal belongings - like your car, bike or passport.

Many recent cases surely influenced my perception of the effectiveness of the current data protection laws:

But what really made me think we should completely change approach to data protection legislation was the prolonged misuse of my own personal details and other records in connection with a property case I went through in England - that started with false and inaccurate data within public and private registers where I was simply called 'Maria Longo' instead of 'Maria Brunella Longo' (that is my full legal name, though the common and preferred forename has always been just Brunella).

There are few doubts that my personal case was exploited on purpose with substantially fraudulent scope in some circumstances (British Gas landlord gas safety certificates and other false insurance documents, for instance - or the use of my credentials to login into the British Library wi-fi and into Sharepoint calendars at the Royal Court of Justice Advice Bureau, where I volunteered as an intranet facilitator appointed by a member of the Association for Project Management who was employed as Director of Operations at the time. To understand more you may need to learn about the role of volunteers and trainees within charitable companies and the legal system in England and Wales.) and with futile, libellous or even simply "social" engagement intentions in others (social media accounts and communities hosted by CILIP and other information and IT professionals circles, where I myself initially thought it was even funny not to pay such obsessive attention to the correct spelling of my name through social media - since I was absolutely certain nobody could really mistake me for someone else, having left digital traces all around the internet world since the early 1990s and having other immensely more important priorities between September 2008 and March 2009, when I moved to England). In no way the ICO was able to intervene and to stop such chain of mistakes, considered in some circumstances ahead of the regulations and in others simply irrelevant (i.e., formally correct, even if substantially abusive). It was only when I was declared bankrupt in 2013 and my appointed trustees clearly said there was no money to litigate all the collaterals that things finally started to be put right.

Another substantial contribution to treat my personal data right, in a functional and correct way, came from the initiatives I took to experiment collaborative whistle blowing for cyber security audits within public processes and to contrast risks of further fraudulent usages in gas, water and phone bills. For instance, I succeeded in making traceable and visible the transactions that all together showed a bizarre anomalous pattern of recurrent irregularities within DWP processes - an important achievement in terms of understanding of new possible policy making and data management skills. But for the implicit confirmation that there is no chance for the current data protection legislation to help in preventing or sanctioning misbehaviours.

False accounts, wrong associations and inferences, malicious mis-representation of people through notes in medical records, mistaken qualifications, exploitations of procedures to alter financial situations and credit reports, and even misleading search engines references (as I wrote in Those Brunellas are Google's delusions) can destroy in a matter of seconds the public perception of a person identity, history, activities. Cui prodest?

That false representations are particularly damaging when we mostly need to rely on our own personal data because we are changing country, community, career, job, bank or surgery or we undertake any other personal important step. Chains of recurrent mistakes in a person's digital records follow a fabricated fraudulent pattern that is always strongly evident from the side of the victims and their communities while the criminals remain behind the curtains of digital anonymity and lack of certainty of computers' authentication mechanisms. There is absolutely anything that an independent authority can do to prevent the misuse of personal details at this level.

Conversely, there is also the farcical adjunct possibility that the actual crimes remain hidden behind the foggy configuration of emotional offences (such as cyberstalking, 'wounded feelings', internet trolling, family feuds or other interpersonal quarrels). In such scenario, independent authorities risk to become engulfed with instrumental complaints, fabricated to confuse possible investigations and to feed the media, surely not in the interest of the victims nor in the interest of the public purse neither.

"Proper disclosure and the organisation of proper arrangements for disclosure - I am quoting Arlidge & Parry on Fraud, 4th ed, 2014 here - will advance the interests of justice to all the parties to the trial rather than hinder it by burying the real issues beneath mountains of paper, accompanied by satellite skirmishing, is fundamental".

So, all in all, I asked myself if it is not the case that a collective cognitive fallacy led us to believe that Independent Data Protection Authorities with their innocuous and mostly unread tidy codes of practices could govern the immensely complex maze of electronic records containing representations of people lives and interests. It seems so naive after all.

Time has come for privacy laws and authorities to afford the world of adulthood. Institutions, organisations and individuals are responsible for the usage they have made, they make and they could make of personal data within a certain context. If something is intentionally mismanaged or goes unintentionally wrong, both individuals and organisations must be accountable.

Malfeasance and wrong usages of personal data should be brought to the ordinary courts and not to special tribunals nor special commissioners, whilst collection and treatment of data should be matters - as it has always been - for archivists, librarians and historians.