February 1997

The aim of this working paper series is to disseminate widely papers and short reports produced by the European Commission’s FAIR (Forecast and Assessment of Socio-Economic Impact of Advanced Communications and Recommendations) project. Through this series we intend to make a variety of types of material available ranging from discussion documents to analytical reports and papers. These are intended to stimulate discussion on the important social, economic, political and technological factors which are affecting businesses and people in the transition towards an ‘Information Society’.

FAIR is a horizontal action project in the Advanced Communication Technologies and Services (ACTS) programme of the European Commission. Work began in September 1995 and is expected to continue throughout the ACTS Programme. The project is led by Databank Consulting, Milan and collaborators include Technology Investment Partners, Paris, and the Graduate Research Centre in Culture and Communication, University of Sussex.

This contribution to the working paper series is a joint initiative of the SPRU (Science Policy Research Unit) Centre for Information and Communication Technologies, University of Sussex in the United Kingdom and MERIT (Maastricht Economic Research Institute on Innovation and Technology), University of Limburg in the Netherlands.

SPRU and MERIT are responsible for socio-political and techno-economic analyses of the impact of developments in advanced communication technologies and services.

The views expressed in these papers are those of the authors and do not necessarily reflect those of any institution or organisation.

Additional copies of this paper and others in the series can be obtained by contacting:

The SPRU Publications Office

University of Sussex

Falmer, Brighton BN1 9RF

Sussex, UK

Tel: +44 (0)1273 678176

Fax: +44 (0)1273 685865

email: c.m.little@sussex.ac.uk

This study contributes to the FAIR project by investigating whether in the United Kingdom instances of avoidance or violation of name-linked data legislation can be found with either clear or ambiguous intent that have not come to light as a result of the activities of the UK Office of the Data Protection Registrar and other authorities. The aim of the study was to determine whether any such cases could be found and documented without compromising the confidentiality of the parties.

This study examines some of the reasons for, and the implications of, the results of the study - namely that no such cases were found that could be verified - including the nature of data protection legislation, the risk to would-be interviewees, and the maturity of the name-linked data ‘industry’ in the UK as compared to its original conception when current UK data protection legislation was devised in 1984. The issue area is especially pertinent given current moves to ensure implementation of the European Commission’s Directive on Data Protection by 1998.

This study showed that there are two areas of growing concern in the field of name-linked data and almost all those interviewees contacted for this research mentioned them specifically, and without prompting. These are:

• the largely unrecognised extent of "what is knowable legally" about individuals
• the growing power of the State to integrate its previously separate files on citizens, with a psychological, if not legal diminution of privacy - "Soon we will know more about citizens than they will know themselves".

Each of these is reviewed in turn. Examples are given of the detail and extent of name-linked data that are commercially available and the use of profiling to ‘slide round’ the need to keep name-linked data while still developing a powerful grasp of individuals’ likely behaviour in terms of interests and spending patterns. Some of the varying attitudes to use of close focus name-linked data are presented.

The implications of these concerns for the integration of government databases such as those of Inland Revenue and Social Services is considered and the likely future trends are discussed.

The extensions of name-linkable digital storage such as automatic personal recognition are becoming operational in both commercial and public arenas; these extensions of data into automatic capture systems accentuate questions about whether the public is under-informed about these incursions into areas of activity that are generally believed to be inviolate.

2.1 The UK Data Protection Act is not "strong"

The UK Data Protection Act of 1984 is a weak Act with material penalties of no real significance to any but the smallest organisation, and with intention, an unprovable idea, at the heart of its "Eight Principles". This Act was designed to be weak when it was introduced. The workings of the Act and the Data Protection Registrar were intended to become, and indeed are, in the nature of a repository of ethical practice. The guidelines, consultative relationships built up between practitioners and the Registrar’s experts, and anticipatory warnings all point to this state of operation.

The Act was introduced for the following reasons:

• a Data Protection apparatus was necessary to protect UK-based commercial data-processing interests from international trade restrictions through tariff and other means

• it is good practice, both in narrow business and broader customer relations terms if data subjects can reassure themselves that data held about them is accurate; it is in no data user’s (commercial) interests that any name-linked data held is in error for any reason

• it is also in all parties’ interests for informed data subjects to feel secure in allowing personal name-linked data to be held and processed by computer, at least at a simple level

• commercial organisations believe that they generally function best (i.e. lowest cost/highest speed, all other things being equal) if formal legal constraints are as mild as possible, and the area in question is capable of self-regulation

• the existing legislative machinery satisfies these criteria and was set up quickly in the light of pressures from business to do so.

The Data Protection Act was never conceived by commercial interests as making any significant contribution to freedom of information issues, to the rights of the individual, or other similar principles. These freedoms usually took too great a time to distil and agree, to be practical in 1984.

2.2 Proof and IT

It was recognised from the outset that the burden of objective proof in any data processing issue can be hard to establish; for example, an illegal status could, in principle, exist for only a few machine cycles. How could this be established and proven, perhaps several years later, even if possession of the computer system itself by legal authorities was permitted? This kind of issue would present a major commercial burden with commensurately heavy damages if a State-brought case failed.

In addition, data can be removed or altered rapidly. For example, if the story is to be believed, there was time to transmit the Pretty Good Privacy algorithm from a public phone booth to beyond the reach of the US police while a police car was despatched to prevent exactly this transmission. Principles of repeatable verifiable evidence used in normal legal proceedings over centuries, fail potentially in cases where IT is involved. The evidence simply does not exist to cast IT-related laws in the ‘old’ style and the legal profession has yet to work out how to treat IT-related matters comprehensively or satisfactorily.

However, externally observable consequences and actions arising from processing name-linked data can be covered by legislation. The form of the present Data Protection Act in the UK, and the Data Protection Registrar’s Principles are intended to do achieve this.

2.3 Privacy and damages

The concept of privacy is not clear in all aspects of law. Once a secret is public, it is conceivable that no form of damages or other retribution may compensate the wronged data subject, especially as ‘damage’ has to be shown to have occurred materially under present UK law.

"Loss of good name" is hard to value; for example, did the loss of privacy cause a data subject’s suicide? These are legal deep waters. Only prevention is on safe ground, legally. Retribution raises issues too hard to grapple with. In addition those responsible for enforcing data protection in the UK argue that there is little public demand that things should be different.

However, nobody is sure that this state of affairs will continue and their is little desire to be the test case since the expense, effort and delay would be substantial. This makes the larger organisations even more concerned than are smaller ones although they may be better equipped with sophisticated workers in this Data Protection Act field. The larger organisations are usually in non-legal departments, seeking new ways to extract more value from existing data, and thus in danger of toppling into the new or inadmissible practice.

2.4 Evidence of violations

The foregoing considerations make evidence of violations of the Data Protection Act virtually impossible to gather. For example,

• If a violation is believed to have occurred, either it has been detected, whereupon all reference to it and the details are sub judice, until the case is concluded. Cases cannot be discussed without fear of costs and delays and any indiscretion might precipitate such a state of affairs. In either case everyone denies any knowledge of anything.

• If a violation is suspected and it is serious, rather than an over-enthusiasm which the organisation is working to remedy as fast as possible, the suffering organisation would be expected to use the pressure of slander suits, etc., for those whose livelihoods depend on their Data Protection Act-related expertise and name, which is more than their jobs would be worth.

• An over-enthusiast inadvertently has caused a new idea to step beyond the bounds of the principles. This is usually confessed quickly to the Data Protection Registrar with a remedial plan attached to minimise business disruption.

• New data use ideas are often ‘run past’ the Data Protection Registrar beforehand. This is faster in the long run and cheaper than facing a law case or even re-writing a software system.

The Data Protection Registrar issues guidelines which are well produced and clarify what is expected by ‘well-mannered’ IT use in particular industries. Lengthy experience has refined several of these to a highly sophisticated state.

2.5 Saints, sinners and realists

There is a useful reminder of the wide range of attitudes which have to be taken into account when dealing with potential illegal actions. It hardly merits the term "rule of thumb", nevertheless it is that the world’s population can be divided into three categories in terms of the law:

Most of the interviews with data protection experts who have regular contact with the Data Protection Registrar took the view that there are no problems with respect to data protection, all issues are well-understood, and there are no clouds on the horizon. From their perspectives the possibility of violations or avoidance of the Data Protection Act are almost inconceivable as all the ‘angles’ that can be envisaged have been covered. This view appears rather unjustified in the light of other developments reviewed in this report.

A much smaller group of interviewees recognise that the situation is not so simple and that there is always scope for something to go wrong. However, these observers report no real evidence of violation or avoidance. They often cite a likely-sounding instance but on (often lengthy) investigation this turns out to be akin to a wide variety of Urban Myths. As a result of the investigation of possibilities for this report, no evidence emerged beyond the suspicion stage.

2.6 The range of attitudes to uses of name-linked data

Despite the polarised attitudes of data protection observers and experts, all agreed on the variable subjective attitudes taken to data privacy and the difficulty this creates for legislators and IT systems designers. Variations are dependent on culture, application, user sophistication, and social orientation. Privacy is agreed to be important since, as the most senior data protection lawyers affirmed, ‘everyone has a secret’ that they would rather remained concealed.

Examples of the variable attitudes to privacy include the following:

• The display of full called number identity on telephone bills may infringe the rights of people to keep the telephone identity of the company they choose a secret from the rest of their family. Some accounts were received of UK offers identifying frequently called numbers for discounts resulting in domestic disharmony.

• Many of those identifying themselves as among the ‘time poor’ (but with varying nomenclature) in several cases expressed the view that improved targeting of unsolicited offers saved effort and time in searching out newly available, suitable and appealing ways of spending the results of their increasingly frenetic working lifestyles - "they can know what they want about me if it helps to save me time" said one lawyer.

• Filling in and returning exceedingly tedious and detailed ‘lifestyle’ questionnaires is done with sufficient regularity for this practice to be on the increase among mailing houses.

• If these details are insufficient, listen to the apparently genuine personal detail broadcasts on ‘agony chat shows’ - no detail is too personal to share in the right ambience. Day time television has a number of examples.

• The use of simple biometrics (such as hand span geometry) has been acceptable as part of automatic passport control in some countries for some years.

• Identity cards with photos are strongly resisted in the UK. Yet most people in the UK carry a driving licence (with only thinly disguised date of birth) voluntarily and although there is no requirement to do this it is a useful form of identity, e.g. for credit agreements.

There is much scope for further work to identify what aspects of life are regarded as private, from whom, and why, and what factors cause this answer to vary from person to person. It is clear that few public activities, and many casually regarded as private ones, will shortly form part of a digital record with one’s name and address, etc.- name linked data in all but a legal technicality.

2.7 Techniques to side-step the Data Protection Act legislation

No concrete examples of any vintage of deliberate legislative avoidance have been found as a result of this study. Several slip-ups were noted, but these were all admitted to, the practice stopped and procedures rectified as quickly as possible. The examples all consisted of cross-selling in the financial services, where there are many regulations to compartmentalise activities into separable legal entities, each of which needs its own data use registration. The operational processes can blur these niceties, whereupon the legalities may be overlooked. Nevertheless, interviewees provided a number of suggestions as to how avoidance of restrictions might occur.

• There is considerable scope when a merger or take-over occurs; for example, three companies often trade simultaneously, ie the two previous companies and a third merged entity. Data can be passed from one use registration to another with hardly any trace.

• Keeping data in ‘split records’ allows combinations which are very powerful to appear quite innocent to inspection, e.g. storing on a post-code-plus-house-number key allows two data fields to be recovered and processed as if they were one, and with modern processor speeds this is usually good enough to track ‘the householder’ without a name being used - that comes from a third database of the census or electoral register.

• Use of ‘data havens’ is the approach that the present legislation was set up to avert when there were fears that the UK would allow - or, more accurately, not prevent - data processing which most of the rest of the member states of the Europe Union regarded as potentially unlawful. The illegal records, activities, etc., are located offshore where privacy legislative controls are weak enough to permit the desired action. The activities are re-located to the UK, e.g. as sealed mail shots, on-line access to a database, use by a call centre, etc. This approach falls prey to the cutting off of data at source when the illegal activity is realised, but it may be impossible or impractical to take direct remedial action against the offending company in the country (‘haven’) selected. Diplomatic pressure is slow and too heavy-handed for most imaginable violations to make this remedy worthwhile.

• The Data Protection Act concerns only digital data and manual records are exempt at least until the implementation of the European Commission’s Data Protection Directive. Labour is still very cheap in some developing countries, where, for example, the complex dental charts recording treatment carried out every day by the National Health Service funded UK dentistry sector are faxed to the Philippines every night for data entry. If they had further value, data extracts could be made which might not be traced to this source for some years. At present if the critical operation was carried out manually, it would be legal.

• Do not bother to avoid legislative conflict, just store the data and carry out the actions needed. This approach is judged to be effective at least for several months because it is often hard to tell when a violation has occurred even when one is the data subject in question. So much is known about individuals by the State who outsource the handling of quantities of data, that people are anaesthetised by bombardment, if not lulled into accepting that ‘they’ already know a great deal about each individual. It is hard to be sure that a privacy ‘close encounter’ is not covered by a registered user’s application. Violation has a good chance of remaining unnoticed unless it is blatant and offensive, and has a major adverse effect on an individual or competitor company. There are stiff fines for failing to register applications and data uses, but the view of most of the ‘realists’ is that this approach to a violation could remain under cover for some time.

• Interviewees also noted that the government is exempt from the Data Protection Act to all intents and purposes.

There are doubtless other ways to avoid the law and use of a combination of some of the above ideas could produce a sufficiently tangled defensive web for an activity which is outside the Data Protection Act, but not flagrantly so, to continue for years. Only if individuals were made to suffer from injustice, or error, or the revelation of some embarrassing personal secret (e.g. in credit agency records which affect loan worthiness) would a move to detect the avoidance be set up quickly.

2.8 Individual attacks

Almost all interviewees reported that major ‘hacks’ are of systems not containing name-linked data. The systems attacked do contain such data, individuals do not get attacked through any such ‘hack-enabled’ breach, as generally only the system function is disabled. There is no known case of individuals suffering through a hacking-style attack on a system containing their relevant name linked data.

2.9 The legal control of technology

The relative speed of technological advance in fields such as computer hardware, telecommunication facilities and techniques, and software, including intelligent networks, multimedia, image processing and automatic data capture and digitising, is proceeding at a much greater pace than the rate of development of legal thought about how these processes could be regulated. The legal mechanics of enacting any such controlling ideas, and the subsequent testing of the legal frameworks in the courts, lag technological change by decades and show no sign of closing this gap. In fact, quite the reverse is true.

It is therefore almost a matter of chance that a concept of restraining data processing conceived in the style of the early 1980s’ ICT paradigm happens to fit usefully with the techniques of digital processing in the late 1990s. This is the greatest single weakness in the Data Protection Act, given its original terms of reference and design scope. It is unclear from the point of view of those responsible for implementing the European Unions new Data Protection Directive as to whether this will provide a new measure of control.

2.10 Attacking the weakest link - the insider

Using this principle most instances of gathering name-linked data in specific cases are by impersonating someone with a right to the data. For example, one can ring the Bank and purport to be another branch which needs to know or, alternatively, one can bribe an insider much more easily and quickly than attacking the technology. Thus, it is not just the Data Protection Act of a member state that is relevant as far as the attacker is concerned.

2.11 Protection of Name-linked Data

The legal protection and, in some cases, access to name-linked data, is not governed by the Data Protection Act alone. Other legal processes also bound the set of actions permissible with these data including, in the UK, the Consumer Credit Act, the Criminal Justice Act, Child Support Agency enabling legislation, Medical ethics and the disciplines of the Medical Council, several European Union directives, commonly accepted rights and principles and the Official Secrets Acts. Other legal apparatus also has a bearing in some special cases such as the law of trespass, the Telecommunications Act in the UK and any European Union legislation pertaining to the treatment of data within telecommunication networks.

This legal network will inevitably be imperfect especially when the protection of name-linked data in advanced ICT systems is considered. The legal interweaving with the inevitable loopholes and overlaps, on the one hand, and the changes in technology, on the other, mean that these data will be vulnerable to those who wish to operate outside the principles of the Data Protection Act.

2.12 The present state of avoidance and circumvention

Evidence of clear-cut Data Protection Act avoidance or circumvention is not available. If such activities are occurring in commercial sectors they will remain hard to detect. If clear-cut violations are uncovered even the industry ‘whispers’ would be highly restricted as legal processes take so much time and money to resolve. Jeopardising this resolution, so our interviewees concluded, would be against any informed worker’s self-interest (the legal penalty in a guilty case is relatively unimportant and the mechanics, not the outcome, are regarded as the deterrent.

There is therefore evidence suggesting that, within the scope in which the data protection ‘industry’ has set as its present agenda, practices are mature and violations avoided.

There are ways of avoiding present name-linked data protection against the spirit of the Data Protection Act. Many of these are likely to work if the violations are not too stringent on the individual, or do not confer too great an advantage upon a competitor. As privacy is a subjective matter which is dependent on many parameters not yet identified unequivocally, such illegality would seem to have a good chance of remaining undetected.

Security in commercial organisations is, on average, quite weak. A direct ‘hacking-style attack’ may yield all that is required and skilled hackers can usually delete any traces of entry and data access, thus causing the raided system minimal pain.

Concern in the data protection ‘industry’ is shifting to other areas not so clearly covered by the mechanics of registered applications, permission for name-linked data use, and record searching to verify and, if necessary, correct the accuracy of what is held.

2.13 Important emerging data privacy issues

Two unprompted and unsolicited sets of observations were made by most of those consulted in the course of conducting this review. These were:

• "there is a lot more legally knowable (about individuals) than is generally realised" - with particular reference to the data used in the commercial world

• the State is emerging as a concern among informed data protection workers, and is regarded as getting far too much data together on individuals. "We shall soon know more about citizens than they know themselves" joked a senior civil servant in the course of this study.

It may be that while privacy in the commercial world has become a public matter, in the public sector, events that could impinge on individual privacy are actually becoming more secret or confidential.

A lot more is legally knowable about individuals that is of commercial significance than is generally realised. If the extent of what is known (or deduced) were realised more fully, the sanguine public attitude to matters of data privacy might, perhaps, be resolved with the balance placed differently.

A few major database companies operate in the UK to provide data on a commercial basis for a wide variety of commercial activities of which three are major:

• credit referencing
• mail order lists of name linked data
• use of profiles, avoiding the storage of name linked data (NLD)

Mail order is sometimes called direct mailing and direct telephone selling is also being supported in much the same way.

In view of the commercial importance of these activities and the sensitivity most people feel about their creditworthiness and unsolicited approaches, it is not surprising that the Data Protection Registrar has published extensive Guidelines for both sets of activities and that these issues are being addressed by the European Commission in the context of direct marketing and trans-border selling techniques using electronic media.

The uses of name linked data concern risk reduction, an important commercial principle. A direct mail shot to sell a service or product sent to a carefully selected list of potential respondents may yield 1% response, a level which in scientific circles would produce mirth. Yet the economics of selling are such that techniques with so low a yield are worth using if the cost of the miss-hits is small relative to the value of the sales. Thus if a 1% response is economic, a better list, with a higher response rate, is gold-dust. The marginal yield on a 2% response may be almost all profit. For this reason, list construction and maintenance is a major industry although it is invisible to the general consuming public.

Lists are constructed by taking a basic list of potential candidates and then adding to it new names and details about existing names. The post code, in particular, allows data from several sources to be matched with great accuracy even though details such as Mrs/Ms, initials, and even name spellings may vary from one list to another. In this way, very detailed profiles can be built up from a wide variety of sources that are all completely legitimate. The process of merging lists is called ‘de-duping’ (de-duplicating - to eliminate names appearing more than once).

The use of profiling allows generalisations to be drawn, often with uncomfortable and uncanny prescience. In this technique categories of behaviour are identified and associated with more directly measurable parameters. This approach is used a great deal in advertising, but on a smaller and perhaps more intensive scale. The behaviour cohorts are usually given fanciful names, to placate the client paying for the research.

This approach has highlighted the key significance of a few parameters of which the post code at which an individual lives, his or her first name and age are sufficient to typecast that individual into a psychographic or at least geo-deomgraphic niche from which everything else can be deduced with acceptable accuracy for its use to be worthwhile.

However, the real value of profiling lies in the fact that:

• data do not need to be 100% complete; the generalisations have been found to work and so effort to achieve completeness can be reduced

• the names themselves can be abandoned - the name-linked data are converted to plain data, and the Data Protection Act, etc., no longer applies.

Once patterns emerge from the data, in-depth interviews plus address and related classification techniques can do the job as well and more cheaply.

Many financial organisations contribute to the credit worthiness databases. Defaulting on one credit card means that all issuers can be aware of this quickly, although unless they re-check, the change of credit status will not be signalled to them. The databases are passive, responding only to direct enquiry from authorised (and subscribing) user organisations’ systems.

3.2 What is available now?

The extent of name-linked data commercially available is measurable in several ways including the number of people covered and the scale of detail available. Examples include data available for list building, profile data of agencies, and some examples of lists.

A seeded mailing list contains some bogus but apparently genuine names known only to the agency, so that the use of a list which they sell, rather than use on the user’s behalf, can be monitored by the agency. Use of a seeded name produces a response activity visible to, for example, an employee but with a specific identifier, such as inverted initials.

3.3 Extent of activity

CCN Marketing is a member of the CCN Group, the largest agency in the UK, is owned by General Universal Stores and its database contains details of over 44 million UK citizens, with no duplicates. It offers computer bureau services to the UK direct marketing industry and specialises in all aspects of address management, database marketing and direct mail production for the consumer and business sectors. The CCN Group is also a leading supplier of integrated risk management and account processing services.

The UK census for 1995 puts the total UK population at 58,395,000 and Government-published statistics give the percentages of inhabitants under 16 and over 75 as 20.4% and 7.0% respectively. Thus the population between the ages of 16 and 75 is about 42, 232, 235, and the extent of CCN’s database is clear; in practical terms it includes everybody. It was built using the electoral role as the base, with other lists being added continually to keep it up-to-date.

The other two major players are CACI Information Services, an international high technology services company founded in 1962, which has operated in the UK since 1975 and Equifax Europe (UK) Ltd who provide decision making information for consumer-oriented business transactions. The Equifax ‘Insight’ database holds ‘geo-demographic information about house repossessions either compulsory or voluntary which have been provided by members of the Council of Mortgage Lenders and this information is available only to a closed user group of clients. The records are held for a maximum of six years. These two companies are far less revealing than CCN about their extent, but they must compete with CCN.

3.4 Detail

A brief review of examples of the results produced by these companies gives an insight into what is ‘knowable’. The scope of the detail is breathtaking on first acquaintance and arises from three factors:

• any paper-based list can be scanned and captured for processing quickly under current UK Data Protection legislation, both cheaply and accurately

• almost any name-linked list, particularly one such as a magazine subscription, which indicates interests, is made available to be incorporated into the profiling and direct marketing industry processes.

• selling is big business, and this is an important part of that process

There is a brisk trade in lists (‘broking) in the UK. Continental Europe has larger areas per post code, and less direct mail activity than the UK, but the principles still apply.

Today it is very easy given the necessary finance to contact, for example, the 1279 women priests in the Church of England in England, or the 25,546 women interested in health and fitness, or the 5,311 respondents to a questionnaire who are known to take a walking holiday every year and to enjoy bird watching.

3.5 Data gathering

Data for name-linked data lists are gathered from sources already mentioned, i.e.

• the electoral roll and some census data
• references from subscribing financial institutions, mail order houses
• purchase and matching of other lists, e.g. of magazine subscriptions, customers (rare), holders of senior citizens rail passes (being over 65 may mean reduced spending ability), clubs, professional qualifications such as doctors, lawyers, etc.

Other sources include:

• the existence of any adverse County (regional or local) Court judgements
• phone directories and their reverse engineered versions, particularly helpful with call line identification in call centres
• retail data
• questionnaires of great length and detail distributed and collected by a thinly disguised subsidiary of CCN, and similar questionnaires included with some electrical equipment, whose return almost masquerades as part of ensuring the validity of the guarantee.
• the use of channel-monitors on samples of TV sets
• diaries for shopping and TV viewing habits
• One to one in depth interviews
• focus groups - for profile building and hypothesis testing only, as name-linked data are not generated usually

Other similar methods are used and being devised all the time.

3.6 User attitudes

Does all this matter in practical terms rather than in terms of the abstract principles of individual rights and freedom and the protections that are built into existing (or planned) legislation? Do people care about all these data which are known or could be known about them?

The answer for the UK on the basis of this qualitative survey is that on the whole, ‘apparently not’, or at least not sufficiently for their to be a focused mobilisation on a scale sufficient to cause alarm to public or commercial interests. Nevertheless, the database companies and their affiliates keep a low profile except in the rare cases where the Data Protection Registrar calls one or other of these firms to task over a new processing loophole or tightening of the Data Protection Act and its supporting legislation. It may be that general public indifference stems from ignorance, lack of a focused means of articulating concerns, rather than sophistication or knowledgeable approval.

Somewhat counter-intuitive responses were detected among the very sophisticated, busy people who are aware of the practical detail of the profiles generated about their lives. Their views were generally that such practices are to be encouraged, ever more accurate data supplied and used about them if possible, and other means allowed which enables the marketing people to anticipate the needs of the exceptionally affluent, busy workers. In this way, they assume, their shopping time be reduced and greater efficiency introduced into their lives.

Those in our sample for this study (which is not statistically representative) in somewhat lower income categories generally have a less accepting view. The upper middle classes view institutions and the name-linked data held by them with less trust than was the case a decade ago. Large institutions such as banks were held to be likely to be both right and to have the consumers’ interests uppermost in their decisions. This trusting view is slowly disappearing as a global services sector becomes daily more apparent and service levels become harder to maintain under high and growing cost pressures. This group is now making sure that the ‘no I do not want my personal data used to circulate other offers.’ box is ticked on all return documents.

At a still lower income level, credit difficulties start to become a real issue and refused credit acceptances may highlight data error or confusion. However, the process for addressing these situations now runs fairly smoothly according to the interviewees in this study, by and large.

The lower down the income scale, the more problems start to become a dominant feature of all name-linked data holding as this population may be rather mobile, occupy addresses in confusing, changing multiples, and even change names fairly frequently. But these segments of the population are poor direct marketing or credit candidates and the difficulties of handling the volatile name-linked data are compensated for by the lower profit potential of dealing in this sector.

Nevertheless, highly targeted competition is starting to make even these areas of the population attractive for certain purposes and the higher interest rates charged reflect, in part, the more difficult ‘list navigation’ process involved. Several interviewees commented that it is surprising how rapidly those in this segment ‘learn’ to participate in markets when pressures such as mortgage and consumer loans ratings need to be addressed. The pressure is to play along with the existing system, rather than to kick against it.

In summary, the interviews for this study appear to confirm the observation that views are "layered" throughout society in the UK depending on wealth, confidence and time pressures.

3.7 Checking, redress and correction

The Data Protection Act and the Guidelines in the UK set out fairly straightforward ways of checking what is held against an individual on a credit rating database. For ?1 each, the explanatory leaflets are relatively clear for the English speaker and literate person.

Should some error be uncovered, however, a degree of perseverance and skill is needed to compile what amounts to unofficial written evidence of the change to be made in order to have it corrected. What is much more common is confusion. For example, an unmarried daughter living at home may apply for a mortgage and the credit score might catch a mother’s record of financial weaknesses resulting in major efforts to disentangle the two sets of records. Confusion caused by same-name same address is rife. Apocryphal stories of credit chaos caused by streets full of people with a common family name are often told and there are doubtlessly some grounds for this.

Redress is relatively difficult to achieve and most complainants appear to be happy to get ‘unstuck’ from an erroneous barrier to continuing their lives. However, more serious damage could easily result if there were a major test case. The complainant would need legal help as the issues could be extremely complex and expensive in their prosecution costs.

3.8 Trends

The foregoing discussion suggests that current thinking in the UK concerning the use and protection of name-linked data is bounded by a 1980s model of ‘data processing’ in which records are merely computer-readable versions of documents, a concept which is easy to grasp. But name-linked data records are being compiled that move far beyond this model, and they may therefore outdate the Data Protection Act and its revision in the next year and the public’s familiarity with what might be stored about them.

For example, most major supermarket chains in the UK have introduced versions of an ‘affinity’ card which allows some form of discount or credit to be ‘earned’ for repeated use of a particular chain’s branches - a sort of electronic ‘Green Shield Stamps’. This is how the cards have been positioned to users who have flocked to sign up for an apparently free gift.

All customers have to do is part with their name and address and every shopping detail in terms of day, time and shopping combination becomes apparent. Children home from University? Magazine details? Catering for a cat, a dog, a baby, a granny? Electronic tills can reveal all. The Closed Circuit TV (CCTV) can measure how long one hesitates over choices, whether a person is in a rush, an individual’s hairstyle, dress sense and companion. There are techniques for digital image storage and processing which could allow the shopping videos of selected shoppers to be extracted and analysed. Is this conventional name-linked data or does it fall outside the scope of concerns about privacy?

The increasing use of direct telephone selling is creating domestic intrusion on an unprecedented scale for some. Power dialling from overseas to sell direct to you at home may occur on a much wider scale. This could become even more pressing in an era of UMTS. An individual may not want his or her personal banking access (or whatever else the new applications may be) filled up with unsolicited phone calls (or even massages to be retrieved for a charge to the individual). The idea of a direct image of the product or service holds out the ultimate goal of one-to-one TV targeting. The sales industry is likely to find it hard to resist the application of new electronic services to achieve this, but there are questions as to how much intrusion into people’s everyday lives will be acceptable.

Services (gas, water, electricity, phone, cable TV) are now commercially operating concerns in the UK and they may become so in most of the EU member states. These companies’/organisations’ use of service records for purposes other than their primary purpose have been circumscribed by the Data Protection Act. However, there are issues concerning what will happen if all these records are held in an offshore island and controlled by an information services organisation. The use of remote (radio) meter reading technologies and their introduction for other services including water, increases the scope for being known about in still more intimate detail.

Access to cable TV programme choices and switches, a form of Telemetadata, would also be very tempting to advertisers and marketers.

The Internet and other public networks provide a way of selling with growing potential. Internet addresses, instead of telephone numbers, could lead to mailboxes cluttered with electronic junk and compete with videos and other social, educational, or entertainment content.

A different, but potentially troublesome trend, from the point of view of some interviewees is an attempt in the UK to increase the fees charged for checking individuals’ records. It has been suggested that the ?10 chargeable currently should be increased to ?50 which will impact on the population group for whom the ability to check is of most importance. The Halifax Building Society has suggested, for example, that such reports cost ?1000 to produce!

Almost all those contacted for this study from the summer of 1996 onwards spontaneously mentioned the growing threat to privacy from the State. What has caused this increase of fear of the emergence of a ‘Big Brother’ State? It appears that several factors are combining to create increased awareness of the State’s actions and plans with respect to name-linked data even though most of the uses made by the State are beyond the reach of the Data Protection Act’s guidelines and corrective/redress processes. This may change with the blurring of the boundary between private and public data with the implementation of the European Commission’s Data Protection Directive.

The factors indicated by interviewees include:

• problems with the funds raised by taxation - they are ‘too small’ relative to planning expectations

• problems raised with the size of Government expenditure, especially on Social Services

• a case in which a US outsourcing organisation, EDS, has won contracts for both the Inland Revenue and the Social Services outsourced systems and processing, and now plans to merge the two operations, despite earlier reassurances that this would not happen.

• the increased capacity of IT - it is now possible to have a database record per citizen, containing all his or her State-held data; the task though large is no longer beyond the scope of what can be done

• a new Police Powers act

This conjunction of factors is also creating suggestions that the role of the Data Protection Registrar should be strengthened bringing relevant legislation together in a single Act with the implementation of the European Commission’s directive. The Data Protection Registrar, Liz France, has called for stronger powers of inspection and the need to encourage a culture of protection of individual privacy in all areas of business and government.

4.1 Separate departments and identities

Until recently, a citizen’s dealings with the Government were slow, inefficient, paper-based and carried on in organisational compartments, each with separate identities corresponding to the Government department involved. The scale of government, and the need to be seen to be fair even in complex exceptional cases, were partly the cause of this behaviour. However, information management inefficiency was at the heart of much of the traditional practices. The drive to privatise and introduce management in the place of administration, is changing this, as is the use of IT.

Individuals have been used to having separate identities issued by the State for registration of birth, marriage, divorce, death, passport, driving licence, car registration, income tax, value added tax, national insurance/social services payments and benefits, departments concerned with issues of national security, national health, and car registration.

Individuals are also used to a situation in which the Departments of State have been unaware of, or unable to access, each others’ records and have adapted their expectations accordingly. The exception is the Secret Service whom, it is generally believed, will find their way anywhere on a case-by-case basis.

4.2 Tax holes and shrinking State Department aegis

An issue of recent concern mentioned in a few Government statistics is a phenomenon labelled as a ‘tax hole’, which refers to the fact that tax revenues are starting to fall significantly behind previously reasonable expectations. There is considerable debate as to why this is occurring at present, though the endogenous scale of error in State statistics is well known and significant. However, the tax hole is beginning to be regarded as the start of a new feature of late 20^th century life in which large tax contributions are simply disappearing. The following possible contributing factors are being considered:

• self-employed staff no longer pay VAT on the value added component of their output up to about ?40,000. Previously this had been taxed as part of a large organisation’s output. When their output exceeds this threshold there are ways of operating as two companies below the threshold. For senior executives in large organisations such strategies were not of importance, but now, operating as one person consultancies or freelancers these personnel must be familiar with and master these strategies.

• use of overseas-based outsourcing agencies allows the use of cheaper labour, avoids National insurance inputs (and raises unemployment claims)

• increase in number of temporary and part-time workers causes contributions from ‘conventional’ employment to dip beneath tax thresholds

• the black or at least grey economy may be growing

• unemployment is higher than it used to be

• ‘downscaling’ - in which ‘high-flyers’, i.e. high earners and tax payers, deliberately scale down their consumption and earning in return for more time and a different way of life. e.g. from trader in stocks and shares to raisers of stock and users of ploughshares.

• a growing proportion of economic activity involves immaterial information transactions which remain largely hidden and invisible. An increasing proportion of the surplus generated is not being taxed and the gains from the application of ICTs may not be being reflected adequately in lower prices or higher salaries or profits. There is as yet no research which explores the issue of a ‘bit tax’ or other measures that might be needed to generate public revenues as the economy ‘dematerialises’ to an ever greater extent.

As a result, the Government is shorter of cash than it thought it would be. This, in turn, causes cost pressures on civil servants who also see their ‘empires’ shrinking in the face of the 90s’ trends such as outsourcing, first of IT functions and now of whole clerical and operational functions and the 80s’ initiatives of which privatisation is the most important.

This set of factors puts the legislature in conflict with the executive arm of Government; ministers in tension with their under-secretaries. Administrators see their numbers dwindling, their direct influence waning, and the scope for a career diminishing, while competition for the top slots intensifies.

Government wants to deliver better service faster from lower budgets and is sensitive to demands for reductions in crime, increases in ‘open Government’, freedom of information, and increased citizen’s rights, and, in the context of this study, improved and more explicit rights of privacy and redress.

4.3 Merging and outsourcing

The issue of the UK Government’s role in protecting the privacy of the individual has been brought into sharp focus by the merging of the data processing of the Social Services and the Inland Revenue departments under a contract with EDS, the US outsourcer, which has grown from being the IT department of General Motors, and done pioneering work in the IT outsourcing/facilities management business.

This merging of activities by EDS has stimulated great controversy because rumours of this step have been denied frequently until they were agreed as fact. This story brings several issues into view:

• will the (quite normal for this scale of system) on-line access to the mainframes for maintenance and diagnostics represent an international loss of control over ‘sovereign data’?

• what control over data will there be once staff are from the US rather than being civil servants bound by work ethics of public service? Will any US staff of EDS or Oracle be bound by the Official Secrets Act and the Finance Act 1989? How will this be achieved and enforced?

• how is the admitted and important change in Inland Revenue security to be verified independently?

• what level of protection will the Inland Revenue records have accorded to them when the changes are complete?

• what safeguards are to be applied to the cross-access of Inland Revenue records by the Department of Social Security if staff are aware of ‘potential infringements of civil liberties’?

• will the public remain generally unconcerned about the Government’s proposal to act in a way which is currently unlawful and requires new legislation to protect the rights of citizens?

4.4 Checking, redress and correction

How will any Government action based on erroneous data or data which has been misinterpreted by one Department having been gathered and entered by another for its own use, be noticed and corrected? What are the redressing processes? Conversely, a mandatory print-out of everything held complete with explanatory leaflets would be an enormous undertaking of unknown cost. The scale of what is proposed in terms of data holding and correction procedures appears to be unmanageable by traditional standards. Data systems are becoming too large to be checked - not as a computer program - but as an exercise in ‘clean’ data.

A Data Protection Registrar, perhaps with more power, could be given the responsibility for protecting individual rights in this highly complex data environment. In the UK, there is slowly growing realisation of the complex data environment and its potential to infringe accepted individual rights and freedoms. There are moves being taken to correct this via the design and implementation of revised legislation.

4.5 Trends

The shorter term trends outlined above will have been resolved before many of the new information society services supported by advanced information and communication technologies are in place. The longer term trends with respect to State-held name-linked data could include:

Medical data

In the name of greater efficiency advanced communication technologies and services are being applied to health records. The short term track record of the National Health Service in IT implementation is being investigated at escalating levels of the government administration in the UK, but the underlying trend is toward a situation in which everyone has a unique identifier capable of IT processing with records held at General Practitioner’s surgeries, but accessible from hospitals and health laboratories, e.g. for emergency treatment away from the home base. The security of such a scheme has received close attention and no solution has been reached. This scheme has the potential to contain a great deal of highly personal data given on the understanding that the relationship between doctor and patient is confidential.

The potential could exist for a hacker to threaten to reveal an individual’s embarrassing health secrets unless payment is made rendering many people vulnerable to blackmail. There are other imaginable scenarios - for example, information on drug use could imply illegal activity and the police may be able to access and organise a scan for such information.

Health-related data are destined to become still more revealing with the ability to pinpoint virus details, DNA profiles, and propensities for particular health problems which would greatly influence the insurance industry. How are such complex, possibly multi-media, files to be shown to the data subject and explained? There is little available in the public literature about this issue.

Public activity monitors

The use of a wide variety of automatic monitors used in public which produce records that can then be processed automatically to distil information about the actions of an individual named possibly by the equipment itself, creates a new version of name-linked data. Most large shopping centres are covered by CCTV. Where towns are surveyed in this way, crime is reported to decrease considerably; and image-processing cameras are under development which can match faces to pre-loaded images of known criminals faces, then track the actions of the matched data in greater detail.

Cameras can record the details of car number plates as they exceed the speed limit or the time limit at traffic lights. At present in the UK the images have to be read manually and the car details transferred to headquarters for driver/owner name and address. The penalty is fixed unless the charge is challenged. This translating and transcribing workload is so great that some police forces report that they are discontinuing the use of such cameras. Before long either image processing and systems integration will eliminate this bottleneck, or transducers - automatic identifiers, such as are used for automatic payments, e.g. on bridges, or for road pricing more generally - will allow letters to be e-mailed to drivers.

Police surveillance powers are to be increased in the UK to include such devices as bugs. Voice recognition technology, still under development at present, will soon bring speech which is presently an ‘analogue’ public activity not covered by data protection legislation into the realm of digital name-linked data.

All such ‘data’ it can be argued is public - it is available now to anyone at the site in question with the exception of the automatic face recognition. But its 100% capture, storage and processing is a new aspect not covered by present legislation concerning name-linked data. It represents ways in which IT will intrude into what is regarded de facto, if not de jure, as the individual’s private domain. Public debate and realisation of what could be implied by this have only just started.

Other extensions of the State’s data reach

For most people, there is scope for private-activity monitoring by the State to protect national security interests or to prevent or punish criminal activities. The Child Support Agency in the UK is already able to force banks to divulge data which have traditionally been regarded as private. This is a trend which could be extended with speed to many other commercial activities using versions of the "why worry, what have you got to hide, if you are innocent?" argument.

It is rumoured that UK currency itself can be detected remotely by ‘reading’ the metallic strips embedded in it, but this has not been confirmed by this study. This is an example of the kind of report which can be taken up by lobbyists as claimed evidence of incursions into citizens’ private lives. Remote reading of chip cards is already feasible when the on-card security is broken, to read the last twenty numbers phoned from one’s mobile telephone or if the chip be used for any purportedly private data, health, bank balance, cash in hand.

The scope for government use of developing advanced communication technologies and services to monitor the activities of citizens in ways which give rise to name-linked data and to anxiety about the erosion of individual rights seems, on the basis of the present review, likely to increase.

It would be useful to undertake a detailed study of CCN, CACI, Equifax, together with other representative organisations in the credit and mailing business in order to determine the extent to which the scale of their data has led to increases in the specificity of profiling and how these changes have coincided with developments in ICT systems. Such research would begin to show how much new practices are keeping pace with the leading developments in advanced communication technologies and services.

Studies could be undertaken to develop scenarios of new forms of commercially collectable name-linkable data gathering and processing which could be used to help to focus discussion of the potential social impacts on realistic likely developments over the next decade. Special attention should be given to the role of name-linked data in the UMTS area.

The characteristics of ‘institutional trust’ and they way it is changing in response to the provision of information society services, needs considerably more systematic study across sectors and countries than appears to have been the case to date. This issue will be of enormous importance to the likely future of user interest in these services and in the extent to which the market will be responsive to user considerations with respect to privacy. Such studies may be instrumental in preventing expenditure on services for which their is no prima facie case for early commercialisation except on the part of those on the supply side of the services industry.

There is also a need to monitor the outcomes of changes in data management practices that lead to the potential for increased cross-fertilisation of name-linked data and related files containing information required by departments of government. Implications of the outsourcing of these data need to be analysed by investigating the nature of the protection undertaken and implemented by outsourcers. The recent UK case of EDS, the Inland Revenue and Department of Social Services is an example of the kinds of issues that need to be explored on a Europe wide basis.

The encouragement of activities and co-ordination between institutions throughout Europe charged with implementation of the European Commission’s data protection legislation might include a systematic and comprehensive on-going debate about the scope of commercial and government incursions into individual privacy focusing particularly on the implications of publicly and privately gathered name-linked data and especially those organisations which collect images and link them to Telemetadata generated data.