2012 – The Year of Privacy?

My blunt take is that from 2012 onwards respect for Data Protection principles will increase, largely as a result of organisations having fallen foul of regulations in 2011 but also as a result of organisations not being in a position to waste money defending instances of breach either of security or fair obtaining or fair processing principles. The focus will move to designing privacy in not through regulatory efforts per se but through ‘englightened self-interest’.

Over the course of the first quarter of 2012 this site will be getting a number of small make-overs to improve our own ability to meet or exceed the requirements of the Data Protection regulations within the technical limitations of the software tools we are using and the level of financial or other resource investment required.

1. We will remove the need for anonymous users to have cookies written to their computers. This has been done already in the most recent build of the site.
2. We will implement anonymisation of IP addresses which we process for a variety of technical and business process reasons. Again, this is underway with this build of the site.
3. We will implement a register of Cookies and a clear mechanism by which site visitors can notify us of cookies which have been written from our domain to their computer which are not on the register.

These three first steps are key components of an Information-centric governance model.

• There was no purpose for tracking the actions or interactions of anonymous users. Apart from not adding value it could potentially impact site performance so there was no benefit to doing it. Also it is standard functionality in Drupal 7 which we emulate as an example of good practice.
• There is no need for us, with certain exceptions, to be able to identify a specific user by their IP address. We therefore truncate IP addresses in any analytics or reporting processes.
• Transparency and governance requires that we know where our towel is (to borrow a phrase from Douglas Adams). We need to be able to demonstrate that we know what data is being captured about you. And we need to make sure that we can quickly repond to queries or alerts about cookies we don’t know about being written as that could indicate other problems.

As we develop out more privacy friendly policies, procedures, and practices, we will return to this theme in blog posts to explain how and why we are donig things to build the quality characteristic of Information Privacy into our methods of operation.