Although it’s now almost three years since the European Commission published their proposed General Data Protection Regulation, it seems unlikely that a final text will be agreed even in 2015. That means we’ll be stuck for at least another year with the 1995 Directive, whose inability to deal with the world of 2015 is becoming increasingly apparent. In 1994 my job was to create Cardiff University’s first official web server: it’s little wonder that what legislators drafted then struggles to cope with the global Internet and multi-layered cloud services of today.
Although the principles of data protection set out in the Directive and our UK Data Protection Act still seem sound, applying the literal wording of old law to modern technology is producing increasingly odd and impractical results. Aiming for perfect “compliance” is no longer a particularly good guide to what will actually protect our, and our users’, information. Instead we should be taking a broader view of what the real risks to privacy are and how we can best defend against them.
A lot of the headlines in the past year have concerned invasions of privacy by governments, including our own. However, it’s important to remember that there have also been very large breaches of privacy committed by criminals and activists. An article I read recently pointed out that if you think the biggest threat to you is a government then the only chance of defending yourself is to adopt government-style defences to protect against electronic, physical and human intrusions. So no connecting your information to the Internet, or allowing unvetted visitors to your building! While it might be possible for universities to approximate those measures for small, specialised research areas, applying them more generally would bring the normal business of research and education to a halt.
Against criminals and activists, however, it seems that the best of common security practices do still provide reasonably good protection. That requires care from everyone with access to information and systems: identifying and adopting the appropriate behaviour, technology and systems for handling information in order to protect it against the most likely threats. However, those measures aren’t incompatible with research and education. Indeed, one of the security techniques that seems to have been “discovered” by the commercial world in the past couple of years is incident response: something we’ve been doing pretty well for even longer than the Data Protection Directive has existed.
So even if I expect to continue to struggle to find clear answers to “what does the law require of X?”, I do think we have good, and practical, answers to “how do I do X sufficiently securely?”.