Greetings from Brussels!
Much of Europe is on the Ascension long weekend as I write. Brussels is eerily sleepy, contrary to the usual bustle of folk getting on with the business of Europe. Still, we are having plenty of sunshine, and if you know Brussels well, you know that is always welcome!
A couple of stories this week caught my eye that reflect a number of ongoing debates in the field of privacy and data protection.
Firstly, an article concerning a UK citizen's challenge to the retention of his DNA profile "indefinitely" in police databases, set against the individual's right to privacy under Article 8 of the European Convention on Human Rights (ECHR). In this particular case, the UK Supreme Court ruled that the retention was a proportionate interference with that right, and that the benefit to the public far outweighed the individual's interest.
Such a ruling might not have been upheld in other European jurisdictions; national supreme courts have a certain leeway (the "margin of appreciation") in applying Article 8 of the ECHR, and striking the balance is a delicate act.
The broader question to be asked here is: What is the right level of proportionate interference by the state with citizens' rights? Moreover, how does one apply similar considerations to organizations at large when they retain consumer and customer data indefinitely? Perhaps there should be a mechanism whereby organizations must obtain consent in repeated cycles rather than once. The question of effective, independent enforcement also comes into play here.
On a last note, and with particular regard to the case mentioned above, the newly elected Conservative (Tory) government in the UK has declared that it is looking to withdraw from the European Convention on Human Rights. Withdrawal from the convention could jeopardize UK membership of the EU, which is a body separate from the Council of Europe; membership of the Council of Europe is a requirement for EU member states.
A second article of interest this week involves an undertaking agreed between the ICO in the UK and the Northumbria Healthcare NHS Foundation Trust concerning a series of "repeated" data breaches by fax; yes, "very dated technology," I hear you say. The ICO undertaking, rightly so, commits Northumbria Healthcare NHS Foundation Trust to introducing clear procedures so that any data breaches reported to the trust are acted upon promptly and remedial measures are introduced across the entire organization.
Such incidents should serve as a stark warning to organizations: a minor administrative task, often executed by a junior, poorly trained employee, can lead to a calamitous blunder that undermines organizational reputation and trust. This is particularly so in the healthcare industry, where patient data is both highly sensitive and private.
I think it likely that we will hear of more high-profile cases of a similar ilk in the future, unless organizations, both private and public, prioritize their privacy programs by default and acknowledge them as strategic components of their operations.
I leave you with a final thought: the UK NHS (National Health Service) is the world's third-largest employer. Think about that, and the potential for a data breach is, quite simply, astronomical.