Andrew Charlesworth on 12 February 2003 at 22:06 said:-
>
> This is correct, but the Commission's review of the Directive included
> asking whether the Directive should be amended or even replaced - this
> would allow for removal of notification - however, this seems highly
> unlikely to happen.
>
A starting scenario then should be - do away with the directive and the DPA,
leave it to the individuals.
Support for that:-
Data Protection provides controls for a person's data once it has been given
out by them. This facilitates an initial illusion to the individual that
their privacy is being protected effectively, in an attempt to build trust
between the parties involved.
Individuals make mistakes in protecting their privacy much the same as
organisations do; the difference being that individuals become rapidly aware
when they personally have made a privacy compromising mistake, whereas there
is nothing to indicate to them when an organisation has made a mistake
affecting them. (Indeed many organisations go to great lengths to
hide/disguise the fact - the exceptions being few and widely reported in the
press - and who paradoxically must be the ones to trust.) The individual
merely gets left with the fallout from an organisational mistake with little
or no indication of who made it. So is data protection more about assuring
accuracy of a data subject's data and then giving control to an organisation
as a means of facilitating organisational efficiency and social cohesion
than protecting individual privacy?
If data protection did not exist - Individuals would protect their own
privacy more vigorously, rather than trying to rely upon some ethereal law
which has so far publicly failed on many occasions to protect them. An
unfortunate outcome of course would be that commercial and governmental
activity would become more difficult, because of the false information being
fed into the system. But organisational structures are more able to deal
with difficulties than an individual is, are they not?
Of course - the above is an individualistic viewpoint, which others may
disagree with; an exercise in free speech I suppose, which needs frequent
exercise to assure retention. :-)
In my opinion notification provides one of the few relatively stable points
within this general morass, which the data subject, and their legal
representatives may refer to if necessary. A great problem with the
register is that neither the commissioner's office, the data subjects, nor the
legal profession appear to take sufficient notice of the changes which may
occur to a notification over a period of time. So what may not have been in
compliance with a notification entry when an offence was committed, may well
be shortly afterwards, but I suppose that supports the softly softly
approach.
> What are the alternatives (and their potential costs)? I guess periodic
> compulsory audits might fall under that heading - and they would be more
> costly - although they might fit more effectively into the average medium to
> large company's auditing schedule - is that the kind of alternative you
> mean? I think you're probably right that those wanting notification
> abolished often don't envisage it being replaced by some other mechanism,
> and as others have pointed out, notification does serve some useful
> purposes.
Businesses are required to have regular audits conducted by the
accounting/consultancy profession, who have in the past very clearly
indicated some attraction to the DP area. Perhaps they think they can
provide a more effective and cost efficient answer to the needs? I would
say - provide the person who is responsible with the automated auditing
tools and skills and audit the audit methodology. Provided some
reliance/confidence can be placed in the effectiveness/ethical
independence/stance of those individuals some improvement should be
achieved.
But ensure the DPO is not heavily focused on data audit, as the other DP
principles suffer as a direct result. I found it useful, and still do, to
look at the DPO job descriptions to see how much of a focus on data audit
the DPO is expected to have. That says a lot about probable DP compliance
within an organisation.
> In my case, from OIC representatives, with regard to the specific nature of
> registration adopted in the Directive, but I'm willing to be persuaded
> otherwise - perhaps, on the basis of the quote (suggesting the registration
> was partial in some cases) the UK provided the concept of registration
> across the board for both private and public sectors - I'm pretty sure that
> both Canada (until recently) and the US only applied such a system to the
> public sector - I can't say for the others.
>
Yes, certainly some of the early overseas legislative frameworks appeared to
cover only one sector or the other (public/private) with variations in
registration/notification techniques. You are correct in that there are
many answers to any one query, and many ways of skinning a cat.
Regards
Ian W
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^