David Ellis discusses – data laws, data governance and data ethics…
The Baltic country of Estonia was part of the USSR for half of the 20th century. For Estonians, this felt like an occupation, and they had to live under a Soviet regime that felt alien to their ways of life. It meant that generations of Estonian citizens became very suspicious of how Government and State agencies behaved towards them; if people expressed opinions contrary to the regime, the State could detain them, and Soviet-style police and enforcement agencies had sweeping powers to pry into everyday life, accessing a wide range of personal information. For many in the West in the 20th century, “Big Brother” was a work of dystopian fiction by George Orwell; for Estonians, it was a very real part of life.
With the break-up of the USSR, the independent state of Estonia was recreated in 1991. Estonia embraced the new freedoms this brought, and, in many ways, has become one of the most liberal states in Europe; it joined the EU in 2004. At roughly the same time as independence, the Internet emerged as another liberating force. Estonians, in the mood for the freedoms the 1990s provided, embraced this; Estonia now has one of the highest rates of internet penetration of any country in the world.
As we have all found, the Internet has transformed the world in creating personalised experiences, and to do this, it has used data. Over time, it has captured more and more data about people. After a while, for Estonians, this sounded worryingly familiar; Big Brother was back, just in another form.
As a member of the EU, Estonia’s Government had to implement GDPR laws about how to control data usage. However, the Soviet era cast a very long shadow, and any suggestion that surveillance methods would be legalised would break the trust and bond between state and people. For the Government, it was vital to build trust between Government agencies and citizens.
Data Laws
To do this, Estonia needed to create an open and transparent relationship between Government and citizens about personal data. It has resulted in the most liberal, citizen-focused data laws in the world, and so many lawmakers are looking at Estonia to see what they can learn. It makes the current spat in the UK’s House of Commons about the deletion of police records of biometric data seem antiquated.
By Estonian law, the police, and other Government agencies, can only access sensitive personal information with the explicit consent of the individual citizen. This is done to ensure personal information is protected and only processed with permission, and to ensure the public can trust the government with their data. Indeed, citizens can alter the level of consent for certain types of personal data, so their consent can be only partial or conditional on other factors.
Sensitive personal information includes biometric data (fingerprints, DNA, face recognition), ethnicity, sexual orientation and health, for example. To repeat, in Estonia these can only be used by Government agencies, including the police, if the individual explicitly agrees to the usage; silence does not count as consent. To all intents and purposes, Estonia has applied the GDPR requirements for marketing consent to all aspects of personal digitally-stored data for all areas of Government; Estonians have to provide an explicit opt-in to the data usage.
This is almost shockingly forward-thinking, and Estonia, and its citizens, should be praised for making this decision and for making it work; this is data ethics in action. In most countries, it’s only marketing and data departments of businesses who have to contend with the new restrictions GDPR has (rightfully) placed on them. In Estonia, this affects everyone in Government on a daily basis, and perhaps most of all, the police.
In contrast, in January in the UK, the police deleted, by accident, 400,000 records of biometric and arrest data on people who had been arrested but then subsequently released without charge (as reported by Sky News). There’s another word for these people – innocent. There was a data governance error, in that an untested deletion script was used without a back-up or roll-back option, and it wiped the records. All other aspects of the correct process appear to have been followed; this is not a hack or breach of security – it’s a governance process error.
However, questions have been asked in the House of Commons. Whilst clearly lessons should be learned and the UK is allowed to process data according to its laws, the contrast with the Estonian approach is informative. In Estonia, this data would only be available and permitted to be stored in the first place with the consent of the individual to whom they relate. In reality, I suspect that would mean that most of the data would not be stored, so the UK police find themselves in political hot water for ending up in a similar place to the one their Estonian counterparts find themselves in every day.
I believe we need to change the narrative. Data governance is hard, often thankless, work – for most people, data breaches are the biggest downside risk: losing data from the organisation and putting people at risk. At the moment, it seems you can also get in trouble for deleting data – putting people at no risk. We need to get the balance right; of the two, clearly the latter is the better, or least worst, option. We should eliminate mistakes, certainly, but err on the side of caution. Data and data usage will become more central to businesses and organisations over the next few years, so having a robust process, including a Plan B and Plan C should mistakes happen and need addressing before they cause real issues, will be crucial.
What really matters is what you do about it; what are your back-up plans? What’s Plan B, or Plan C, for certain scenarios? Such data operations “war gaming” will be a vital part of how Chief Data Officers and their departments will add value over the next few years, as well as eliminating such mistakes.
So in conclusion, I think there is also a lesson in data ethics. What sort of society do we want to be when it comes to data? I pose this as a genuine question; there are pros and cons with all approaches.