Businesses warned of profiling dangers

MPs have argued that organisations must be mindful of privacy issues when collecting and using data on people, or risk a public backlash

Businesses and police have been warned of the dangers of profiling by the information commissioner Richard Thomas.

Profiling refers to when companies collect a set of data that identifies a type or category of person or an individual themselves. The data collection is carried out by a business to understand its customers — one example is loyalty card schemes.

Thomas, speaking to ZDNet UK at the e-Crime Congress in London, gave a preview of the evidence that his office intends to present to a Home Affairs Select Committee inquiry into surveillance.

The UK has the most surveillance in the world: the use of CCTV and numberplate- and facial-recognition technology are common, as well as tracking people's electronic footprint. Thomas said that businesses risk "a public backlash" against the building of customer profiles and a loss of public confidence.

"The more technology enables profiling to happen, the more we need data-protection safeguards in place," said Thomas. "If surveillance is not taken seriously there will be a public backlash. Businesses and police risk forfeiting public confidence."

Thomas said that the gathering of information by organisations that use profiling, such as financial institutions, supermarkets and technology service providers, needs to be closely monitored for security and privacy issues. "As we accumulate more information, there is a risk of security breaches," said Thomas.

The information commissioner said that both businesses and police need to avoid false positives and negatives in their data, especially as police start to adopt profiling techniques used in the private sector. Profiles that are built automatically, without human intervention, run the risk of false positives and negatives. "You can't divorce the public and private sectors. Arbitrary profiling has its dangers — you can never replace the human element," he said.

Thomas gave the example of police access to the CIFAS database granted by the Serious Organised Crime and Police Bill 2004 as a potentially problematic profiling area. CIFAS — a UK fraud-prevention service — maintains a database of those convicted of, or suspected of being involved in fraud. Thomas said that data improperly used against those suspected but not convicted of fraud could lead to a loss of public confidence in the police. "If you're a fraud suspect, damage can be done if that information is used improperly. I'm not saying that information shouldn't be available to the police, but we need safeguards," said Thomas.

Labour MP Alun Michael told ZDNet UK that current data-protection legislation was sufficient, but that organisations needed to be transparent in data collection and use. "With data protection, a lot of the time it's not a legislative problem, but of doing things openly and transparently," said Michael. "It's the same thing with profiling — if people feel used or abused in data collection, they get very angry about it." Michael said that while data profiling is useful in anticipating customer and citizen needs, organisations need to be mindful of privacy issues.