Acting for Accuracy
I received this question on Twitter today:
@daraghobrien Interesting contention by speaker at @iia event yesterday that data subject is responsible for accuracy. Any thoughts?
— Elaine Edwards (@ElaineEdwards) April 9, 2014
It is an interesting contention and one that bears a little bit of scrutiny from the perspectives of Data Protection, Information Quality, and Data Governance. And as I know a bit about all three, I thought it worth giving it a whirl.
To answer the question properly we first need to look at what we mean by “accurate” and “accuracy” as a concept. And this is the first problem. The Data Protection Acts don’t actually define what “accurate” is.
Section 1(2) of the Data Protection Acts 1988 and 2003 tells us that, for the purposes of the Data Protection Acts, “data are inaccurate if they are incorrect or misleading as to any matter of fact”. This means that the test in the Data Protection Acts is not actually a test of accuracy but a test of inaccuracy.
Under the Data Protection Acts 1988 and 2003, the obligation under Section 2(1)(b) is placed on the Data Controller that “data shall be accurate and complete and, where necessary, kept up to date”.
So, on the literal interpretation of the legislation the onus is on the Data Controller, not the Data Subject, to ensure accuracy of data. The obligation that is placed on the Data Controller is actually to ensure that data is not incorrect or misleading as to any matter of fact, and is complete and, where necessary, kept up to date. This is an underwhelmingly complete definition though. It doesn’t provide any insight as to how this duty might actually be exercised.
As the Acts implement into domestic law EU Directive 95/46/EC, when in doubt as to what is going on in the domestic law we must look to that text to figure out what the actual intention of the legislature was. The Directive is actually a lot more helpful with regard to clarifying the duty that exists. Article 6(1)(d) of the Directive says that:
“Member States shall provide that personal data must be:
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;” (emphasis is mine)
Again, there is no duty placed on the Data Subject to ensure Accuracy. Article 6(2) makes it clear that it is a duty that falls to the Data Controller. But the nature of the duty is not one of absolute accuracy. It is a duty to take “every reasonable step” to ensure that, if data is inaccurate or incomplete, it can be corrected or deleted. The duty is not to ensure accuracy per se but to ensure that appropriate systems, processes, governance, and other control mechanisms are in place to allow inaccuracy to be identified or reported and, once it has been identified or reported, for the data to be corrected or deleted.
But it is a duty on the Data Controller to do this. Not the Data Subject. It is a choice for the Data Subject to request that data be corrected if it is inaccurate, but it is a duty for the Data Controller to take action once they are aware of an inaccuracy. And the level of that inaccuracy is defined in the context of the proposed processing purpose.
The Data Controller has a duty to ensure that, for example, consistency checks are applied to data so that titles are consistent with genders (“Mr Daragh O Brien, Male” versus “Ms Daragh O Brien, Male”) and to provide appropriate mechanisms for errors to be corrected.
It’s been a point of great interest to me over the last twenty years that the architects of the Directive chose to label the subject matter of Article 6 not as “Principles for Data Protection” but rather “Principles for Data Quality”. Because that is what they are.
Accuracy is a key quality characteristic of information. It’s also one of the trickiest to define, and one of the trickiest to give an effective operational definition that can be measured. In part this is due to the fact that there are (at least) two different types of “accuracy”.
The first is what is known as “Accuracy to a Surrogate Source”. This is where an organisation decides to use a trusted or trustworthy reference data set to validate or enrich their data. For example, clashing a set of addresses against the Post Office’s address reference file is a check against a surrogate source for the accuracy of an address. Other potential surrogate sources for the same fact would include the Registry of Deeds or a Gazetteer of street names. They are not the actual thing however. Different surrogate sources might have different values. Equally, the residents in a given area might disagree with “officialdom” about the actual correct address.
This leads us to the second form of accuracy – “Accuracy to Reality”. This is where the accuracy of the record of the thing is checked against the real world instance of the thing. For people this might be checking the spelling of a name, verifying a date of birth, correcting an address, verifying a marketing communications preference, or checking medical symptoms. Key for all of them is the process of doing it by asking the individual themselves to verify the data. This is the most accurate form of accuracy, but is the most difficult and costly to verify and correct, hence reliance in many cases on consistency checking and validation of data against surrogate sources.
However, it is in this context that the Data Subject has a role to play in ensuring the not-inaccuracy of the data that a Data Controller holds about them. By engaging in processes or procedures to quality assure their data (e.g. keying in email addresses twice, reading back phone numbers to check them, or using a “correct my data” form to update personal data) the Data Subject takes their active role in the management of their own data.
However it isn’t the duty of the Data Subject to create the mechanisms by which they can identify inaccuracies and report them. Indeed, it is the right of the Data Subject to create horrendously inaccurate data if they wish to do so. If it is found to be inaccurate through use of surrogate sources or consistency checking it can be erased or corrections can be suggested to the Data Subject for approval (validation of accuracy against reality).
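The controls described above (a consistency check, a check against a surrogate source, and a correction that is applied only once the Data Subject approves it) can be sketched in code. This is an added example, not part of the original post; the record layout, the title-to-gender table, the reference address and all function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-in for a surrogate source (e.g. a postal address file).
REFERENCE_ADDRESSES = {"1 main street, wexford": "1 Main Street, Wexford"}
# Assumed mapping used only for the title/gender consistency check.
TITLE_GENDER = {"Mr": "Male", "Ms": "Female", "Mrs": "Female"}

@dataclass(frozen=True)
class Record:
    record_id: int
    title: str
    name: str
    gender: str
    address: str

@dataclass(frozen=True)
class Finding:
    record_id: int
    field: str
    check: str                 # "consistency" or "surrogate"
    suggestion: Optional[str]  # None: nothing safe to propose, ask the subject

def check_record(rec: Record) -> list:
    """Flag possible inaccuracies; never changes the record itself."""
    findings = []
    expected = TITLE_GENDER.get(rec.title)
    if expected is not None and expected != rec.gender:
        # The check cannot tell which field is wrong, so no value is proposed.
        findings.append(Finding(rec.record_id, "title/gender", "consistency", None))
    key = " ".join(rec.address.lower().split())  # normalise case and spacing
    canonical = REFERENCE_ADDRESSES.get(key)
    if canonical is None:
        # Not in the surrogate source: it may still be accurate to reality.
        findings.append(Finding(rec.record_id, "address", "surrogate", None))
    elif canonical != rec.address:
        findings.append(Finding(rec.record_id, "address", "surrogate", canonical))
    return findings

def apply_if_approved(rec: Record, finding: Finding, approved: bool) -> Record:
    """Rectify only after the Data Subject confirms (accuracy to reality)."""
    if approved and finding.field == "address" and finding.suggestion:
        return replace(rec, address=finding.suggestion)
    return rec
```

A surrogate mismatch produces a suggestion rather than an overwrite, because the reference file may itself disagree with reality.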
It is the Data Controller’s job to put those systems and processes and controls and ‘quality culture’ in place and ensure they can operate effectively.
And that is Data Governance.
The Summary Answer
The short answer to Elaine’s question is that the person making that statement is wrong in terms of the legislation but may be correct in terms of the roles and responsibilities each participant in the processing should play. However the DPC will not prosecute a Data Subject because an organisation hasn’t corrected their data. They’ll prosecute an organisation for not having mechanisms to identify and correct errors when they arise.
Anyone saying anything to the contrary has an incomplete understanding of Data Protection rules and Information/Data Quality principles and practices. And any organisation relying on that interpretation of the Data Protection Acts does so at their peril.