Privacy legislation need not hold back the deployment of CRM systems or other data-centric business plans, the information commissioner, Elizabeth France, told the CRM Summit in Warwickshire yesterday. "The Data Protection Act provides a fair processing framework that makes business sense," she said, adding that, "we have never seen a business plan that could not be operated within the legislation."
"Where people do come unstuck is when they come to us after the event and try to retro-fit compliance," she said.
As information commissioner, France heads up the independent supervisory authority for both the Data Protection Act and Freedom of Information Act. Recent UK legislation in the area of privacy is "common framework" legislation with other EU countries and forms part of the UK compliance with EU directives. The need to comply with EU directives, compounded by a recent furore over the data-handling details of anti-terror emergency legislation, has put France's office in the spotlight.
Despite a perceived complexity in much of this legal framework, France insisted that common sense is the best guide to working within the law in the delivery of customer-facing IT systems. She urged business managers and IT directors to understand the framework of the law and its key principles, while leaving the fine technical details to compliance officers and legal departments. "Treat other people's data in a way you would have them treat your data," she said.
Speaking to ZDNet UK after her keynote address, France outlined details of her differences of opinion with the home secretary, David Blunkett, over emergency terror legislation following the 11 September attacks and the Al Qaeda terrorist threat. "We made quite a series of comments about our concerns over whether what he was doing was necessary and proportionate...," said France. "In the end there was a minor amendment in that the home secretary did include a duty on himself to include a code of practice on which he would consult us."
The code of practice is still in draft and being considered by the Information Commission staff, yet France does not sound totally convinced that all of her concerns are addressed by this.
"I'm happy with the idea of it...it's better than nothing...what I'm still worried about is it can't give a lawful basis to the ISPs to hold it (user data) longer than they need for their own purposes. The step they didn't take is to give a legal basis to the ISPs."
France also identifies the use of real-time data processing techniques and session tracking systems as being a cause for concern to regulators. "There is a difference between session cookies and systems that profile your activities, and those are much more worrying."
"We are there to make sure that companies explain what they are doing and customers have choices about what's happening to their information."
Throughout her keynote address France stressed her preference for companies to embrace the principles of the legislation and to self-police and follow best practice, creating what she describes as a "climate of compliance". Later she conceded that as more real-time data processing technologies are deployed, it may be necessary to take a tougher regulatory line. "We will have to take more enforcement action than we have in the past," she said. "As communities become more mature in understanding the higher level requirements of the law, and the risks to privacy, then we should expect a higher level of compliance than we've had before... and the citizen will have the rights to go to the courts for compensation damage and distress."