Monday 28 November 2011

Data Protection Act - Barrier to Good Customer Service?

The Data Protection Act is designed to protect individuals’ personal data from misuse by organisations.  There are eight Data Protection Principles, covering such issues as fair and lawful processing of data, collection of data for specified purpose(s), keeping data held accurate and up to date, and not keeping data for longer than needed under its defined purpose.

Problems can arise, however, when organisations misunderstand their duties under the Act or, in some cases, wilfully ‘hide behind’ the DP Act to excuse their actions, or justify their lack of action.

There are many examples of this in the press, some of which have gone to court.  For example:

A franchise operation in which the franchisee’s contract said they had to send customer details to the franchise owner, and the franchisee said they couldn’t under the DP Act.  The Court of Appeal ruled this was wrong, as they would have had ample time and opportunity to seek the customers’ consent to do so.  Grow With Us Ltd v Green Thumb (UK) Ltd, 2006 (1)

A Panorama programme in February 2011 showed the British Legion complaining that the MoD was using the DP Act as ‘an excuse’ not to give it departing soldiers’ contact details, so that it could offer them support.  Surely it would be easy for them to get soldiers to sign a consent form allowing this? (2)

Some equality researchers from the Open University were given the DP Act by Microsoft as an excuse for not sharing information about women engineers.  The software giant claimed privacy laws prevented it from saying how many Microsoft-certified engineers were women. The OU got a note from the Information Commissioner to show the defence was nonsense - the researchers were asking for statistics, not names and addresses. (3)


Because of this uncertainty on the part of organisations about what the DP Act does, and doesn’t, prevent them from doing, the Information Commissioner has issued various guidelines and examples to clarify the situation:

“You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.”
“The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.” (4)


Another example has arisen recently, rather closer to home, with CILIP.  A newly joined member of CILIP posted a link to her blog on Twitter.


@bumsonseats Carolin Schneider
What is a new CILIP member to do? wp.me/p1IjjA-en

In her blog post Carolin made a point about new members’ experiences with Branches & Groups:

“I think for a new joiner going to a branch meeting is daunting. It would be nice to have a buddy, someone to help you take those first baby steps. This could be something you can opt in once your membership pack arrives in the post. With social media it should be easy enough to coordinate, no?”

In a comment responding to this, Jo Alcock said:

“My problem (as a branch committee member) is that I don’t know who our members are or when new members join. I appreciate that there are data protection legalities but I’m sure there must be a way to opt-in so that your branch and groups know that you have joined and can contact you to see if there’s anything you’d like to know or what you would like them to do for you.”

This generated some discussion on Twitter about why CILIP might feel that it shouldn’t share members’ details internally to allow branch or group committee members to contact new members.

Charles Oppenheim (retired Professor at Loughborough University and now independent copyright and DP consultant) was one of those contributing to the conversation:


@CharlesOppenh Charles Oppenheim
@joeyanne @NicolaFranklin I am aware of CILIP's approach to DP. There is absolutely no reason for it. No idea what its problem is.

Charles later expanded on his Tweet by saying:

“There is an obligation under the DPA that a data controller shall ensure that all necessary technical and administrative measures are taken to ensure unauthorised disclosure, etc.  does not occur.  So yes indeed, [their Data Controller] would be liable if something went wrong, but the law requires them to take such steps as are necessary to ensure no problem arises. Stopping people with a bona fide need from accessing the data is a quite inappropriate response to the problem.  Ensuring B & G officials are properly trained is the correct response.

Equally, the centre is obliged to keep info accurate and up to date.  Again, the onus is on CILIP to put into place procedures to ensure this is the case.”

Carolin has also sent in an expanded statement explaining the service she would hope to receive, as a newly joining member of CILIP:

“I recently re-joined CILIP as an associate member. Having shared on twitter and my blog that I am once again a CILIP member I received a warm welcome from several people on twitter, which was good and showed that these individuals care about new members and how to get them involved. So whilst waiting for my membership pack to arrive in the post, I hoped that my regional branch and my chosen interest groups would get in touch to share what they do and how I can get involved.
After blogging about these expectations I was informed by a colleague on twitter that my regional CILIP branch and special interest groups would not be able to send me a welcome letter as they are not notified when a new member joins their group. She was under the impression that it was due to data protection.

From looking at my online profile I know what my entry in the CILIP Yearbook says. I am able to edit the entry, and therefore have control over the details CILIP stores in their database. This would make it possible for me to not share my home address, for example, or opt out of sharing my phone number. Every member of CILIP is listed in the CILIP Yearbook, with their name, job title and workplace. Through this entry (and with the help of the internet and other resources) it would probably be quite easy to find more details about me, e.g. the address of my workplace. Any details I don't want to be shared I could delete from my profile, so why can't my details be shared with a different part of the organisation that I signed up with?
Whatever you do these days, from shopping online to signing up to a newsletter, organisations ask you to opt in or out of sharing your details. If CILIP is worried about sharing something they shouldn't: I suggest that CILIP enables their members to opt-in to sharing personal data with their regional branches/special interest groups/third parties when they first sign up. It just takes a few tick boxes on the membership application form.”


When asked to comment on this situation and CILIP’s approach to sharing members’ data, CILIP’s Head of Customer Services, Francis Muzzu, made the following statement:

“Members’ information and the database are extremely important to us, and we are committed to reviewing how we can share data more effectively with Branches and Groups.”

Perhaps including a simple tick box on the application form along the lines of ‘tick here if you agree to your contact details being shared with the branch and group(s) you have elected to join’, as Carolin suggests, would help enable this process.  Also, if members’ data were being provided from the centre, then branches and groups would not need to collect their members’ details separately.  This would make keeping the data accurate and up to date easier and more effective, and reduce the risks of holding two or more separate data sets.

I understand that CILIP is planning to review its policy over sharing members’ details internally next year, and sincerely hope that they can adjust their policy, processes and procedures, and have the IT infrastructure, to enable them to manage members’ data more effectively in the future.

As the membership body for librarians and information managers, CILIP is expected by members and prospective members to embody best practice in its own information management practices.  In this case, where doing so would help new members feel more welcome and possibly also attract more members to join, at a time when CILIP needs to not only reverse its declining membership numbers but also widen its membership base, demonstrating good internal information management practices should surely be a key tactic to achieving its goals.

Footnotes
(1)  http://update.legal500.com/index.php?option=com_content&task=view&id=1247 viewed November 2011
(2)  http://www.bbc.co.uk/news/uk-12386376   Feb 2011, viewed November 2011
(3)  http://www.theregister.co.uk/2006/01/18/medical_academy_privacy_complaint/  viewed November 2011
(4) http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_1.aspx viewed November 2011

**Wednesday 30th November - Charles Oppenheim has since submitted an additional statement, outlining which data protection principles are involved and his opinion of CILIP's argument:

CILIP’s Head of Customer Services had written to say that, if they distributed members’ data, they couldn’t guarantee that it would be treated confidentially.  Charles’ reply to this contention is “The seventh data protection principle (schedule 1 of the Data Protection Act 1998) requires that appropriate organisational measures shall be taken against unauthorised processing of personal data and against accidental loss or destruction to personal data.  In other words, CILIP already has legal obligations to ensure everyone who handles personal data does so properly.  This principle requires CILIP to educate and train anyone handling personal data.  It is not an excuse to refuse to pass such data to people when they have a bona fide need to use it.”
CILIP’s Head of Customer Services had written to say that a second consideration was that, if the Branches & Groups had members’ data they might overload them with information, which could be counterproductive.  Charles’ response to this argument is “This is again a matter of education and training.  CILIP should be training all who handle personal data in good information management practice, including avoiding information overload on members.  This is not a good reason for refusing to pass to branches and groups information they are entitled to.”
CILIP’s Head of Customer Services had written to say that, if Branches & Groups had copies of the data as well as the central office, it would be harder to ensure it was kept accurate and up to date.  Charles’ reply to this is “The fourth data protection principle requires CILIP and its branches and groups to keep accurate and up to date personal information.  Francis notes that some branches and groups fail to pass on revised details to CILIP centrally.  By definition, CILIP and the branch/group is then in breach of the fourth principle and could be sued/prosecuted as a result. What the Data Protection Act requires is that CILIP educates and trains. The Act is no reason to refuse to pass information to branches and groups, and vice versa.”
Charles concluded by saying “In short, the legal obligation is on CILIP to ensure that its branches and groups both receive, and handle personal data appropriately.  Branches and groups cannot function properly without master lists of members. At the moment, in my view CILIP is in breach of the DPA.  Best to sort the matter out by releasing the data, and ensuring good information management practices, rather than burying its head in the sand hoping the problem will go away - because it won't!”

Friday 11 November 2011

CILIP Councillor Election Hustings - a virtual experience

As I was unable to get into London yesterday evening, I decided to follow the CILIP 2012 hustings online.  This was possible since CILIP was helpfully livestreaming the event (which has been recorded and can be viewed here) and there was also a Twitter hashtag allocated (#CILIP2012).

John Kirriemuir has already posted an excellent review of the evening, from an attendee's point of view, so I will try to avoid duplicating any of the points he's already made.

So what was the experience like as a virtual participant?  The video worked really well (although from the Twitter stream I believe there were one or two people who had difficulty getting it to run).  The only real problem I experienced was with the sound quality.  There were two table-microphones in view, but Sue Cook on the end of the row (and to a lesser extent Maria Cotera next to her) was virtually inaudible at times.

The Twitter stream displayed alongside the video on the CILIP page didn't seem to be updating without refreshing the screen, so rather than risk disrupting the video stream, I ran my own HootSuite stream in the background and checked it regularly as a substitute, which worked out fine.

Some of the key quotes that I picked up on, and tweeted about last night, included:

Q. How should CILIP increase membership?

Liz Mcgettigan we tell each other how wonderful we are - we should have a conference & invite people from other disciplines

Maria Cotera Start by bringing back those that have left - show them a reason to rejoin

Liz Mcgettigan Create a website or tools for people to use to sell the benefits of having librarians to employers

Mike Hosking Make CILIP seem less 'top down' and more belonging to, and owned by, members

Mike Hosking (Provide) better information career development guidance, less focused on traditional (physical?) library based careers

Sue Westcott Widen Chartership so it's more available (perceived as more available) to non-traditional LIS workers, take more care about the language used so it's more inclusive

Sue Westcott Talking publicly about issues of wider public interest (Wikileaks for eg), would make more people want to join CILIP

Sue Westcott It's up to us to go out and find other communities who could be part of our profession and take a positive message to them

Maria Cotera The key thing is to listen, to what people's requirements are, not just partner for the sake of it, not just listen to friends but to 'enemies' too so we expand our circle

Q. Should CILIP increase its partnerships?

Sue Westcott We should think of partnerships in two ways; to partner with other information groups & to partner with commercial or other organisations to deliver services

Liz Mcgettigan CILIP needs to be selective about who they partner with

Sue Cook We need to be aware partnerships don't last forever, be flexible, and go for strategic partnerships

Mike Hosking CILIP needs to be in a partnership with organisations in the education sector

Q. How would you make members not in London feel more a part of CILIP?

Sue Westcott CILIP needs to think about having an internal dialogue about how people in the regions want to be included and catered for

Mike Hosking Branches & groups are key but we need to look at them with fresh eye, use new tech to bridge distances & get people to band together

Maria Cotera In other organisation I've been involved with, we used to hold a conference & other meetings at different locations around the country; CILIP needs to establish new models of working

Q. Where are borders of LIS profession, which skill sets are in or out?

Sue Cook There is a core set (of skills), but each job I've had has needed new things as well - so it's varied

Maria Cotera The most important skills are the softer ones like communication or advocacy

Sue Westcott Anyone who puts the right people together with the right information = an LIS professional, wherever they work

Liz Mcgettigan The basic skills (I believe she meant the core technical LIS skills) are important, plus the ability to engage, network and advocate are key

*sorry to any of the candidates if your comments are underrepresented, but as I mentioned above I had difficulty hearing some of the replies, some of the time.

Overall it was great to be able to participate remotely, and to see the candidates' reactions in real time, which of course isn't possible with the ehustings. In fact, I believe there were more virtual participants (someone tweeted there were 28 viewing the live stream at one point) than physical attendees.

Even so, that only makes a total of 38 people taking part, which seems a woefully low proportion of CILIP's 16,000 or so members.  Being somewhat controversial here, is it fair to say that, if people don't take part in the democratic process, then they have less right to complain about how things are run?  Of course some of those members had other engagements last night, or no access to an internet computer, but even so surely a couple of hundred could have shown an interest, at this critical juncture in the organisation's life?

Friday 4 November 2011

Event - NetIKX: Where Next for the Web - Linked Data and Semantic Search

Yesterday saw me at The Energy Institute for a joint event run by NetIKX and the Information for Energy Group.  It was certainly a good workout for the brain, trying to get our heads around how linked data is transforming the web from a group of linked text documents into a web of linked objects.

A full report of everything I learned during the afternoon's events can be found on the NetIKX blog.