This post was first published in the Irish Computer Society Data Protection blog. I’m republishing it here as it is my original work and I am putting my Data Protection musings in one place.
A recent news story in the Irish Times about the data protection compliance problems faced by the Irish Insurance industry serves as a timely reminder of one of the mantras for Data Protection compliance:
Just because you can, doesn’t mean you should.
In this instance, a perfectly legitimate process existed for sharing data in certain circumstances (when a claim was being made) to help flag instances of insurance fraud etc. All of that processing is legitimate and legal.
The problem arose where the information was being shared when a claim might be made, resulting in disclosures of personal data between insurance providers without any legal justification. It was these disclosures that the Commissioner flagged as being in breach of the Data Protection Acts.
Technology is great. It allows for the analysis of data quickly to find important nuggets of information. However, only if you have obtained that source data legally will you be able to legitimately act on the facts you uncover.
Just because you can, doesn’t mean you should.
This case also highlights another aspect of Data Protection Compliance – it is not all about technology or the IT department. In this case, business decisions were taken to share information. Without business rules to restrict or permit disclosure of information (e.g. “only disclose if a claim is in progress”), information was disclosed without due cause. Business managers need to step up to the mark and be proactive about how they manage their core business asset (information) in a way that ensures and assures compliance, trust and, at the end of the day, their ability to keep using that information.
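To make the “only disclose if a claim is in progress” rule concrete, here is an added illustration (my own example code, not anything from the Irish Times story or the insurers concerned) of how such a business rule can be enforced in code rather than left to judgement: a disclosure gate that checks both the purpose of the request and whether a claim is actually open, releases only the fields needed for that purpose, and records every decision so the legal basis for each disclosure can be shown afterwards. The class names, field names and the sample policyholder records are assumptions constructed for the example.

```python
"""Purpose-limited disclosure gate (illustrative example, not from the original post).

Models the business rule "only disclose to another insurer if a claim is in
progress": sharing is permitted for the fraud-check purpose while a claim is
open, and refused when a claim merely *might* be made. Every decision is
recorded so the basis for each disclosure can be demonstrated later.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class ClaimStatus(Enum):
    NONE = "none"                # no claim lodged, only a speculative enquiry
    IN_PROGRESS = "in_progress"  # a claim is currently being processed
    SETTLED = "settled"          # claim closed; sharing no longer justified


@dataclass
class PolicyHolder:
    # Constructed sample record; the field names are assumptions for this example.
    ref: str
    claim_status: ClaimStatus


@dataclass
class Decision:
    permitted: bool
    reason: str


@dataclass
class DisclosureGate:
    # Purposes that the business rule accepts as a basis for inter-insurer sharing.
    permitted_purposes: tuple = ("fraud_check",)
    audit_log: List[str] = field(default_factory=list)

    def decide(self, holder: PolicyHolder, requester: str, purpose: str) -> Decision:
        """Apply the rule and record the outcome, whether permitted or refused."""
        if purpose not in self.permitted_purposes:
            d = Decision(False, f"purpose '{purpose}' is not a permitted basis for disclosure")
        elif holder.claim_status is not ClaimStatus.IN_PROGRESS:
            d = Decision(False, "no claim in progress; speculative sharing refused")
        else:
            d = Decision(True, "claim in progress; disclosure permitted for fraud check")
        self.audit_log.append(
            f"{requester} requested {holder.ref} for {purpose}: "
            f"{'PERMIT' if d.permitted else 'REFUSE'} ({d.reason})"
        )
        return d

    def disclose(self, holder: PolicyHolder, requester: str, purpose: str) -> Optional[dict]:
        """Return the minimum data needed for the purpose, or None if refused."""
        d = self.decide(holder, requester, purpose)
        if not d.permitted:
            return None
        # Data minimisation: only the fields relevant to the fraud check are released.
        return {"ref": holder.ref, "claim_status": holder.claim_status.value}


if __name__ == "__main__":
    gate = DisclosureGate()
    open_claim = PolicyHolder("PH-001", ClaimStatus.IN_PROGRESS)  # constructed sample
    no_claim = PolicyHolder("PH-002", ClaimStatus.NONE)           # constructed sample
    print(gate.disclose(open_claim, "InsurerB", "fraud_check"))
    print(gate.disclose(no_claim, "InsurerB", "fraud_check"))
    print("\n".join(gate.audit_log))
```

The point of the example is that the permit/refuse decision lives in one place, is driven by the business rule rather than by whoever happens to be running the query, and leaves an audit trail: if a regulator asks why a record was shared, the answer is on file rather than reconstructed after the fact.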
To paraphrase Bill Clinton – “It’s the Information, Stupid”.