Rowenna Fielding is a self-confessed privacy nerd and Information Governance (IG) geek who began her IG career by coming out of the server room and taking an interest in information security before moving on to data protection.
Rowenna works as a data protection consultant and is also on the executive committee of the National Association of Data Protection and Freedom of Information Officers (NADPO) as well as being a member of a variety of professional associations related to privacy and information security.
In this part one of two, we caught up with Rowenna to chat about her journey into the privacy space, the difference between the terms data protection, data privacy and the differences between the US & UK…
Andy: Could you tell me a little bit about yourself and how you got into the privacy space?
Rowenna: I started off in information technology (IT) in my early twenties and then became fascinated with IT security. Moving into more general information security management, I started working as an information security manager where I realised that most of the questions I was being asked weren’t anything to do with security, but more to do with record management and privacy law. So I did a data protection qualification and then moved into information governance (IG) instead and then I focussed more on data protection and now that’s what I do full time.
Andy: Why does data privacy matter?
Rowenna Fielding: In the information age your data is as much a part of you as your physical self. Someone monkeying around with that data can cause as much harm and distress as someone interfering with you physically. More so with the fact that there are many ways to interfere with somebody through their data. And the consequences of that may not be apparent for quite a long time.
“Your data is as much a part of you as your physical self”
Since the rise of automation, profiling and algorithmic decision making, the idea that we should be treating data in the same respect as a physical person is a very necessary one. Otherwise you’re going to be sliding into a sort of dystopian hellhole that is China or America right now.
Andy: For many, giving up an email address or a few details here and there is not a huge deal. Is this something to do with abstract nature of data, or simply a lack of understanding?
Rowenna: I think the abstract nature is definitely a big factor, as what happens to data and how it gets put together with other data is not really clear to people. People have been conditioned by the marketplace to give up their data as they don’t realise the interconnected nature of the data they’re providing and how little power they have over this.
“What happens to data and how it gets put together with other data is not really clear to people”
There is also a degree of cognitive dissonance. When somebody wants something they’re going to consider the ‘price’ they had to pay with their data as less significant than the qualification of getting what they want. Humans, as creatures, are rubbish at risk management, particularly when it gets really abstract and complex. For example, trying to explain third-party ad-networks to people gets them all horrified so that their first instinct is to reject what you’re saying as a massive conspiracy theory. Then there’s a whole load of cultural and behavioural precedents that have been set, that really would be to our benefit to try and unpick because they put the average person in a position of great vulnerability.
Andy: What do you make of the new data legislations such as the General Data Protection Regulation (GDPR)? Would it possible to have a global data privacy initiative?
Rowenna: That’s a difficult one because there are lots of cultural differences. I think even the GDPR has around fifty two derogations for domestic law to be taken into account. That’s just across the European Union. Having a global legislation would be pretty tough to enforce — we can hardly enforce on nuclear proliferation let alone data. It’s a big ask but, having said that, the fundamental principles of privacy law are all based on the United Nations Convention of Human Rights and that is supposedly a globally recognised standard.
Having local and national legislation that reflects those principles can only be a good thing. Obviously how useful those regulations are going to be depends on how robustly and consistently they are enforced. It’s a kind of a marketplace of ideas and it’s good to have a standard that everyone can agree on. Or at least for everyone to agree on. Many countries in Africa and also in the Caribbean, such as the Bahamas, are working on their data protection legislation.
I think the saying ‘the rising tide lifts all boats’ is appropriate here. If you have a big commercial marketplace and economic system like the EU and they say in order to be able to do stuff with us you need to meet certain standards, then it’s obviously worth it to other nations to be able to do that. After all we all benefit as well, as the whole principle is that it’s about human rights and respecting each other.
Andy: Is privacy treated differently between the United States and Europe?
Rowenna: Yes, that’s part of the big problem with the privacy issue. There’s a massive cultural difference in how America as a nation views privacy and rights to how they view it in Europe. In America privacy is primarily viewed as part of a commercial relationship between the individual and the corporation, and second to that will be the rights of government over the individual, and then third will be the impact on freedom and happiness for the individual. In Europe it’s not quite the same, possibly because they’ve had more unpleasant experiences in recent history where you’ve let people just do anything they want with data.
Andy: What’s the difference between data protection and data privacy?
Rowenna: Well the main drawback with the title data protection is that people think it is about the protection of data. Actually data protection is shorthand for ‘the protection of individuals from unfair bad stuff that might happen from the use of their data’
Another inherent danger is seeing data protection and data privacy solely in terms of infosecurity. Infosec has a very different focus, as the idea is to protect the confidentiality, integrity and availability of information assets. The risk management model is focused primarily on the risk to the organisation.
On the other hand data protection is both narrower and broader. It’s narrower because the risk management is focused on the the rights and freedoms of the individual. There’s so much more to it than keeping data secure. There’s fairness, lawfulness, minimisation and accountability.
For example, the really significant part of the Cambridge Analytica story was nothing to do with security, security wasn’t the issue. It was the fact that it revealed that Facebook’s entire business model was dependent on covert and highly intrusive commercialisation of data. People who have known that in an abstract and intellectual way, were pretty horrified about the extent that that could be used to manipulate and provide knock on effects. In terms of data breaches they happen all the time. Which is one reason why GDPR has made breach reporting on serious breaches necessary. It’s good because it has caught up with health and safety law.
“The privacy conversation should be about rights, freedoms, passwords and access control”
Focusing on infosec is a red herring because no one disputes that information needs to be protected and confidential. What happens is that you have massive privacy abuses that are going on in companies, and the public sector, that are diverting attention by turning the topic to infosec and how good the companies security is. That’s all very nice that those companies are not letting anyone else access it. The key question to ask is what are they doing with it?
I think the news coverage of info security breaches is unhelpful in a lot of ways because it conflates data protection and information security. The conversation should be about rights, freedoms, passwords and access control.
Andy: Could data be treated as labour rather than capital?
Rowenna: As a concept I have mixed feelings around the idea of data being treated as labour. I am the classic middle class worried liberal, so it’s something that makes me very uncomfortable when it comes to human rights. What could happen if data is treated as labour rather than capital is that people in less advantageous socio-economic conditions will just be exploited. Actually the whole thing about respect for freedoms and rights should apply to anybody no matter how rich, poor or able they are. There’s a part of commercialising privacy that makes me really, really uncomfortable.
And it’s things like paying for ad-free services, on the one hand I can see it has led to the development of a lot of innovation, made a lot of people money and improved the economy. On the other hand, it means that the people that are most subjected to profiling and manipulation are people who have even more vulnerability in their offline lives. That just seems really wrong to me.
A huge thank you to Rowenna Fielding for chatting to us. Keep tuned for part two in the series, where we talk about ‘jargonerics’, sloppy privacy policies, data as public infrastructure and what the future of privacy might look like. Check out our blog for more interview with privacy pros.