![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
I have to confess to being extremely hacked off this evening and I am writing this entry to vent so please excuse me.
A little background perhaps.....my Grandmother is 86 years old and lives on her own in a house that has far too many stairs for her knees' liking. She has also not left this house in almost 20 years, the furthest she has strayed in that time is to the end of her back garden and the front gate. Imagine my father's concern this evening when between 5pm and 8pm he was unable to get a hold of her...the phone just kept ringing out.
We were not able to get a hold of a neighbour to pop in and check on her, so at 7pm my father did the next sensible thing...he rang BT to find out if there was a fault on the line. He explained the situation....old, on her own, never leaves the house, not answering etc...could they please check the line. They did so and then informed him that they would be in violation of not only the Data Protection Act but of my Grandmother's human rights if they were to tell him the results of the line check.
Now I didn't find out about the worries until my father accidentally dialed my number, my parents had obviously decided not to worry me but in his fluster he told me in a hurry that he could not get in contact and hung up. I waited 15 minutes in panic before calling my mother on another line, she told me about the 'BT issue' and...voila....instant angry Kate. I in turn hung up to give BT a call myself and give them a piece of my mind and find out the status of my grand mothers line.
I never got to make the call because 5 minutes later my father called to tell me that the police had dropped by my Grandmother's house and found her in good health, if not a little perplexed at finding a couple of coppers on her door step at 8.30pm.
Now, I am exceptionally glad of course that my grandmother is ok, but I would have loved the opportunity for a bit of an argument on the sheer DANGER of being over zealous when dealing with matters of data protection.
Firstly, the D in DPA legislates for the protection of personal data, whether a person's phone line has a fault on it is NOT PERSONAL DATA. I already know her name, address, phone number, maiden name... that is PERSONAL DATA.
Secondly, the DPA makes clear allowances for the disclosure of data where a) a person's welfare is in question and b) when it can be reasonably thought that the person would not object to the disclosure. So to address exemption a) an old lady who only ever leaves the arm chair beside her phone to either use the bathroom, make a cup of tea or to eat has not answered her phone in 2 hours...yes I think that we can safely say her welfare is in question, b) Can it reasonably be said that an 86 year old woman would object to BT telling her son if there is a fault on her telephone line?
In 2004 (I think) a man was hit by a car, the police and ambulance were both called and the police arrived first, they checked the guys pockets and found his wallet which contained his driving license with his name and address on it. When the ambulance crew arrived they asked the police for the name of their patient. The police, citing data protection issues refused to disclose the name of the individual. The patient died because he had a chronic health problem that the medics were unable to take into account when treating him because they were unable to pull his medical records because they didn't have his name. Had he been given the chance, I don't think this poor chap would have objected to the police giving his name to the paramedics, do you?
Let me tell you another story...until 2 years ago, my father payed for my car insurance, the policy was in my name and he set it up with no input from me, the payment details were in his name and each month some money was taken from his Mastercard. The very last time he tried to renew it with the original company, 3 years ago, they refused to speak to him, they wanted to here from me that I wanted to renew my policy. Well apparently a female voice claiming to be Kate ********* was enough for them to satisfy what they deemed to be their DP policy. Then came the matter of payment, 'As you know it's my father's card.' I said to them....'and if you could read me the long number across the front of it.' came the reply. I was gobsmacked. They insist on speaking to me before taking the instruction to renew the policy but are quite happy to take his card details from me????
The Data Protection Act is a generally sound and necessary piece of legislation, but it has to be applied with a bit of common sense. Can my gas company pass my details on to another retailer? No. Can an employment agency sell my CV to another agency? No. Is it ok for a bank to employ lax security measures in their online banking system? No. Can the police give a hospital my name if I'm unconscious? Hell yes! Can I assume that it is ok for me to give my father's name and address as part of my next of kin details? Yes (although cases vary, you can probably assume that your parents will not mind you giving out those details).
It is evident to me that most companies do not know whether they are coming or going when it comes to the Data Protection Act, they employ what they see are the easy parts (no, never, do not give out any information to a customer, ever, if the person doesn't immediately claim to be the person to whom the account relates). When it comes to making money, well thats another story (DVLA: 'criminal gangs want to buy personal information that we hold about UK citizens who have driving licenses...they'll like, give us money and stuff? Where do I sign???') When it come to corporate-individual relations, companies love to tow the DP line, when it comes to corporate-corporate however the story is very different and very scary. It gets even scarier when you start talking government-corporate or even worse government-public services.
A little background perhaps.....my Grandmother is 86 years old and lives on her own in a house that has far too many stairs for her knees' liking. She has also not left this house in almost 20 years, the furthest she has strayed in that time is to the end of her back garden and the front gate. Imagine my father's concern this evening when between 5pm and 8pm he was unable to get a hold of her...the phone just kept ringing out.
We were not able to get a hold of a neighbour to pop in and check on her, so at 7pm my father did the next sensible thing...he rang BT to find out if there was a fault on the line. He explained the situation....old, on her own, never leaves the house, not answering etc...could they please check the line. They did so and then informed him that they would be in violation of not only the Data Protection Act but of my Grandmother's human rights if they were to tell him the results of the line check.
Now I didn't find out about the worries until my father accidentally dialed my number, my parents had obviously decided not to worry me but in his fluster he told me in a hurry that he could not get in contact and hung up. I waited 15 minutes in panic before calling my mother on another line, she told me about the 'BT issue' and...voila....instant angry Kate. I in turn hung up to give BT a call myself and give them a piece of my mind and find out the status of my grand mothers line.
I never got to make the call because 5 minutes later my father called to tell me that the police had dropped by my Grandmother's house and found her in good health, if not a little perplexed at finding a couple of coppers on her door step at 8.30pm.
Now, I am exceptionally glad of course that my grandmother is ok, but I would have loved the opportunity for a bit of an argument on the sheer DANGER of being over zealous when dealing with matters of data protection.
Firstly, the D in DPA legislates for the protection of personal data, whether a person's phone line has a fault on it is NOT PERSONAL DATA. I already know her name, address, phone number, maiden name... that is PERSONAL DATA.
Secondly, the DPA makes clear allowances for the disclosure of data where a) a person's welfare is in question and b) when it can be reasonably thought that the person would not object to the disclosure. So to address exemption a) an old lady who only ever leaves the arm chair beside her phone to either use the bathroom, make a cup of tea or to eat has not answered her phone in 2 hours...yes I think that we can safely say her welfare is in question, b) Can it reasonably be said that an 86 year old woman would object to BT telling her son if there is a fault on her telephone line?
In 2004 (I think) a man was hit by a car, the police and ambulance were both called and the police arrived first, they checked the guys pockets and found his wallet which contained his driving license with his name and address on it. When the ambulance crew arrived they asked the police for the name of their patient. The police, citing data protection issues refused to disclose the name of the individual. The patient died because he had a chronic health problem that the medics were unable to take into account when treating him because they were unable to pull his medical records because they didn't have his name. Had he been given the chance, I don't think this poor chap would have objected to the police giving his name to the paramedics, do you?
Let me tell you another story...until 2 years ago, my father payed for my car insurance, the policy was in my name and he set it up with no input from me, the payment details were in his name and each month some money was taken from his Mastercard. The very last time he tried to renew it with the original company, 3 years ago, they refused to speak to him, they wanted to here from me that I wanted to renew my policy. Well apparently a female voice claiming to be Kate ********* was enough for them to satisfy what they deemed to be their DP policy. Then came the matter of payment, 'As you know it's my father's card.' I said to them....'and if you could read me the long number across the front of it.' came the reply. I was gobsmacked. They insist on speaking to me before taking the instruction to renew the policy but are quite happy to take his card details from me????
The Data Protection Act is a generally sound and necessary piece of legislation, but it has to be applied with a bit of common sense. Can my gas company pass my details on to another retailer? No. Can an employment agency sell my CV to another agency? No. Is it ok for a bank to employ lax security measures in their online banking system? No. Can the police give a hospital my name if I'm unconscious? Hell yes! Can I assume that it is ok for me to give my father's name and address as part of my next of kin details? Yes (although cases vary, you can probably assume that your parents will not mind you giving out those details).
It is evident to me that most companies do not know whether they are coming or going when it comes to the Data Protection Act, they employ what they see are the easy parts (no, never, do not give out any information to a customer, ever, if the person doesn't immediately claim to be the person to whom the account relates). When it comes to making money, well thats another story (DVLA: 'criminal gangs want to buy personal information that we hold about UK citizens who have driving licenses...they'll like, give us money and stuff? Where do I sign???') When it come to corporate-individual relations, companies love to tow the DP line, when it comes to corporate-corporate however the story is very different and very scary. It gets even scarier when you start talking government-corporate or even worse government-public services.
