Not a very private affair

The protection of personal data is being ignored and we are all at risk

To the untrained ear, Richard Thomas, the UK's Information Commissioner, may sound a little shrill. At the launch of his office's annual report, he proclaimed himself "horrified" at the lax attitudes of business and public sector leaders to the handling of their customers' personal information. "How can laptops holding details of customer accounts be used away from the office without strong encryption?" he demanded, in mock bafflement. This is the man who not only claimed, in 2004, that the UK was "sleepwalking into a surveillance society", but who concluded two years later that we had in fact woken up in one.

Those used to well-spun platitudes that involve "challenges" and "innovative solutions" might find Thomas's language shockingly emphatic. But if the government decides to locate your office in Wilmslow, it follows that you need to shout that little bit louder to be heard in Westminster. And the situation is such that quasi-hysterics are fairly appropriate.

As the computer security guru Bruce Schneier put it: "Data is the pollution of the information age." Everyday actions are mediated increasingly by electronic communications devices - mobile phone calls, credit card purchases, internet searches - and the resulting transaction records leave an "electronic footprint". What's more, the growing use of "smart technologies" - Oyster cards, CCTV cameras enabled with number-plate recognition, big stores that use radio-frequency identifying devices embedded in their products - means that those footprints create a trail deep into the forest of your private life.

Such data could be relatively easily destroyed. But as the cost of data storage gets closer and closer to zero, companies and public sector bodies keen to know as much as possible about their customers have been tempted to hang on to it. The legislation that governs what they can do with it is the Data Protection Act, a piece of legislation that is the envy of many in the US, where personal data routinely changes hands between commercial and state sector bodies. But the DPA has a dismal record of enforcement.

When, as a direct result of investigations by, among others, the BBC, several high street banks were reprimanded by the Information Commissioner's Office (ICO) for dumping their customers' data in outdoor rubbish bins, many were surprised that their only punishment was to sign a formal undertaking that they would not be so careless again. It remains to be seen whether those involved in the recent debacle involving an unsecured database containing personal information of hundreds of junior doctors will be punished properly using the DPA. But if the ICO really wants people to get serious about protecting our data, it needs to get serious about punishing people who don't.

Becky Hogge is a writer and technologist. She was formerly the technology director of award-winning current affairs website, and Executive Director of the Open Rights Group, a grassroots digital civil liberties organisation.

This article first appeared in the 23 July 2007 issue of the New Statesman, Pink Planet