It is perhaps no coincidence that many dystopian visions of the future in popular fiction, such as Nineteen Eighty-Four, Brave New World and Fahrenheit 451, have breach of data privacy at the core of their plots. With an ever growing level of interaction between humans and a global infrastructure tied together by the internet, there is always the fear that others know more about you than you would like. How can we save ourselves from such a bleak future?
The answer has been to create, over the past 20 years, a number of strict legal obligations and rights when dealing with the personal data of individuals. You will notice that you are increasingly asked for consent for use of your personal data on websites and to allow software to store cookies on your computer. Such legislation is sometimes criticised for generating bureaucracy that gets in the way of “real work”. But for those who work in the data-privacy arena, it is clear that we need to adapt quickly to a rapidly evolving digital environment. What you do, where you go and how long you spend there are valuable assets in the information world.
In 2012 the European Union (EU) proposed new data-protection reforms to strengthen the fundamental rights of citizens. Three years later, EU institutions reached agreement on the rules, and in May 2016 a new regulation was issued called the General Data Protection Regulation (GDPR), which enters into force in all European Economic Area (EEA) countries from 25 May 2018.
You probably haven’t heard much about the GDPR until now, yet it is almost certain to impact the way our field deals with personal data. The central idea is that your personal data is truly yours: it cannot be taken or processed without safeguards to its privacy, and any data collection or processing must have an appropriate legal basis. The new laws offer a very broad interpretation of what “personal data” and “processing” mean, and offer a number of legal bases that must be considered. Personal data is anything that could be used to identify you, including obvious things like name and address but also more subtle information like GPS location or IP address. Processing is equally loosely defined, from storing data in a database to viewing data on a screen and even copying a file.
Although in practice there are many details to be determined, the intention of the regulators is evident: to stop the use of people’s personal data except for well-defined purposes that must be clear when the data are collected to be fair to the individual. Crucially, the new regulations aim to be technology agnostic and therefore apply equally to online databases as well as a filing cabinet full of paper.
All EEA institutions, companies, labs and universities will be subject to the GDPR. Although CERN, as an international organisation, is not directly subject to EU regulations, in light of the coming changes it is reviewing its internal legislation to offer equivalent levels of personal-data protection. Consequently, in January this year CERN established the Office of Data Privacy Protection to assist services that process personal data and to help anyone who is concerned about how their personal data is being handled by the Organization.
Given the broad scope of personal data and data processing, it can be complicated and somewhat burdensome to comply with these new practices. For instance, it will require us to review how passport information should be sent, how records such as medical information and personal attributes are secured, as well as how photos and CCTV are used. At the same time, we need to recognise that protecting privacy is important and that adopting a “nothing to hide, nothing to fear” approach does not protect us from future unknown uses of our personal data.
So, if in any doubt, simply adopt the golden rule of personal data: if you don’t really need it, don’t collect and store it; if you do, delete it as soon as possible.