OCTOBER 2002

Earlier this year I worked for a directory enquiries service based in Dublin.  During this short period of time I first became aware of data protection, and the rules and regulations governing the provision of data services. During training I was told that if the caller did not give a proper name, and at the very least a street address, then it would not be possible to fill their request. In front of me on a computer screen was a vast computer database, owned and maintained by a private company, containing names and addresses of all telephone and mobile network users in Ireland. This was my first experience of commercial data retrieval and I was rather alienated by that experience. In return for receiving information freely available in our telephone books, the customer is charged a high per-minute rate. The customer is then encouraged to continue paying, as they are connected to numbers paying the directory rate, often without getting the actual piece of information that they were originally looking for. The operator, on the other hand, gets a bonus point for deceiving the customer into this arrangement. I said to myself: "why do people not wake up and start looking at their phone bills." It was perfectly clear to me that everyone in the data provision industry is out to make a killing, regardless of the actual cost of supplying data. The directory enquiries company is effectively "the middle man" in an expensive quest for cheap and basic information. 

More recently, I read in the Guardian about an English database called Experian, which holds detailed information of about 40 million individuals. This service grew out of a customer database of home shopping catalogues and it is now a huge money-spinner of frightening proportions. Apparently Experian is the worst "big brother" nightmare. Experian knows everything about the misfortunate individuals who are completely unaware that their lives are being recorded. Experian makes the directory enquiry database look trivial, containing a much greater amount of highly personal detail, such as addresses, bank records, credit rating, education history, criminal history and all detrimental data supplied to recent employers. For a modest £19.50 per query landlords can find out if you are truthful about why your last apartment burnt down. Your prospective employer can purchase information about you that will supply them with a ready made CV, that is perhaps not quite as glamorous as the one you spent months labouring over. It is also possible to do reverse searches, matching telephone numbers to names. According to the figures put forward in the Guardian newspaper, Experian filled 80 million information requests in the last year. Experian is passed the records of individuals, solely for commercial gain, building a vast private-sector information empire that has the potential to recoup millions in customer profiling and other insidious forms of commerce. While most people worry about ID cards and security services, they are ignorant of the fact that Experian is just round the corner watching every move! This activity is not regulated or controlled by the government, and this company would easily sell your whole life history to the highest bidder. 

Think about how easy it is to create an entire profile of a person's life! For example, I am sitting here in my apartment operating my mobile phone. A nearby mast receives the signal, locating my geographic area near the south bank of the river Lee. A CCTV camera that is pointing at the front gate of the apartment complex recorded me putting the rubbish out yesterday morning. I send an sms text message to a friend, which is undoubtedly recorded somewhere in the phone network system. I log onto the Internet with my dial up modem and visit several websites, which each store a small file (cookie) on my computer's hard disk. These little bytes of information will identify me on my next visit, enabling marketing information in some unknown database. I collect my emails from my POP server, which is probably being monitored by a system that collects and stores suspicious email. It is quite likely that during my browsing session, I will sign up for something, giving out my name and email address, which will further facilitate profiling and endless streams of email advertising. I sign an Internet guest book with some badly thought out and potentially embarrassing comment, which is immediately gobbled by a meta-crawler search engine (robot), and next time somebody does a search with the terms "Rory Braddell", up pops a link to my idiotic statement. 

There are a lot of computer programmes that are quite devious and try connecting and communicating with their manufacturers on a frequent basis, often uploading annoying banners. File share programmes of the Napster generation allow you to download files from other like-minded computer users. Computer users do not realise that these programmes are like leaving the front door to your house wide open! A computer hacker can quite easily gain access to your hard drive and insert a programme that allows them to come and go as they pleases. Likewise, the popular chat software, like ICQ, can create serious security vulnerabilities. In addition, some web sites collect information like your server's ISP number, which is a potential hacking tool. Data is not safe in this digital world and if you have something to hide you are better to write it on toilet paper and hide it somewhere in your shoe.

Citizens often do not realise that they have rights under law to find what data is being stored and if it is correct or not. In Ireland the Data Protection Act 1988, makes several important provisions under law. The right of access allows us to request a copy of information kept on a computer database. Simply make the request in writing to the company concerned, and if you do not get a favourable response, then complain to the Data Protection Commissioner. The right of rectification of erasure allows you to insure that the information held about you is accurate and you have the right to correct it. Your recourse to law is provided by the right to complain to the data protection Commissioner and ultimately the right to seek compensation through the courts. Under the act it is also possible to obtain a register of data controllers, maintained by the Data Protection Commissioner (or in the UK, The Information Commissioner). As I discovered in my job as a customer service representative, the organisations that keep personal data have a responsibility to:
1. Obtain the information legally.
2. To use it only for the purpose provided.
3. To secure information.
4. To maintain its accuracy.
5. To retain it only for the period and for the purpose it was given.
This is kept under the scrutiny of the Data Protection Commissioner and the courts will prosecute offenders. It is the responsibility of every citizen to discover their individual rights and act as a watchdog against these unscrupulous private sector companies. Always ask the "customer service representative" where they got your name from and what type of information they have at their disposal! 

In Ireland the Freedom of Information Act 1997 came into force on 21 April, 1998, establishing further statutory rights:
1. A legal right for each person to access information held by public bodies 
2. A legal right for each person to have official information relating to him/ herself amended where it is incomplete, incorrect or misleading
3. A legal right for each person to obtain reasons for decisions affecting him/ herself 
The Act extends our right to have access to official information, with respect to public interest and the right to privacy of individuals. This gives a person the right to request information from certain state bodies in addition to private sector interests. Under this act you can apply for information related to your social insurance, tax records and social welfare claims. There are obvious exceptions relating to national security and police records.

One major problem is the extension of services that are not actually operated from the country where the customers are actually located. For example, in the UK, both the Data Protection Act and the Official Code of Banking (agreed by the financial institutions) regulates the banking practices. Banks cannot map their customers' spending habits and sell services on the strength of that information. Unfortunately, that is not always the case, as e.g. US credit card companies operate in the UK without signing up to this code. In addition to this, retail companies have created loyalty cards that are able to map out a person's entire spending habits and second-guess what they will buy next. Every person is a potential money spender, and information obtained as to his or her behaviour, is very valuable in this consumer-orientated world. In other words, if I were lucky enough to be granted a credit card, given my bad credit rating, then "big brother" would also know what I eat for breakfast. 

To find out more information on data privacy and your rights under the data protection act (Republic of Ireland) visit: 
http://www.dataprivacy.ie

A person wishing to access their credit rating (Republic of Ireland) at the Irish Credit Bureau should contact the ICB with a simple request in writing. 
Irish Credit Bureau, Clonskeagh Road, Dublin 14. Tel. (01) 260 0388
Other requests can be made to specific government departments, but administrative fees may apply. 

For readers in the United Kingdom visit http://www.uk.experian.com to avail of credit rating repair services and order you credit file (for a small fee). The eight principles of the UK's Data Protection Act 1998, and information about the information commissioner are available at: http://www.informationcommissioner.gov.uk


Please direct comments on this article to: braddellr@eircom.net