BCS Personal Data Challenge

by Policyhubadmin

We have developed an open consultation to shape the BCS Personal Data challenge and we believe that the goals within the challenge need to be co-produced; we want to harness the passion and expertise of everyone that has an interest in making personal data work for all.

Please comment on the goals, considering whether they are the right principles to unify the interests of all, what they mean to you as an individual and what they mean for your organisation, using the comment section below.

The BCS Personal Data Challenge

We are committed to making personal data work for everyone: organisations, individuals and society alike. We want to put people in control and at the same time empower organisations to use data in more beneficial ways, with genuine trust on both sides. Our goal is to achieve the full potential of data by seeking the best possible public benefit. We want to get the best outcomes for the most people with the least risk and harm. We believe this is not only desirable, not only achievable but essential to the future of our society. To achieve that goal, we believe the following are essential ambitions:



Individuals and organisations should be able to safely share and use personal data without fear or anxiety. We want to work together to minimise risks and impacts, and increase public confidence in use of personal data.



Personal data that can be linked and integrated around people and organisations is powerful and useful. The full potential of personal data will only be realised when both individuals and organisations can use it to inform decisions, simplify and improve life and work.



Personal data terms of use should be a conversation not an ultimatum. We want personal data use to support a dynamic and balanced relationship between individuals and organisations. These relationships should support trust, foster innovation and lead to maximum mutual benefit.




by Richard Beaumont (unregistered user)

It is good to see BCS taking some initiative in this area. I suggest that it will be important to recognise the other work that has and is going on in this field, and look to supplement/support/validate this as appropriate. This also means looking beyond membership and into the wider UK development community.

One area where BCS could take a lead - which is missing elsewhere - is really in helping to translate both principles and legal/regulatory requirements, into actionable standards/practices/guidelines that software developers can understand and incorporate into their activities. The current gap that exists between the legal and technical players in this field is both significant and damaging. BCS could play a significant role in closing this.

Richard Beaumont, Privacy Services Manager, Governor Technology.

by Policyhubadmin
Thanks Richard & kudos for being the first to comment. This is a societal challenge, we want to hear from everyone that cares about personal data. The draft principles are our starting point - we want to use them to consult as widely as possible and find people who care about taking on this societal challenge.

Do you have any thoughts directly relating to the principles? Is there anything you would change or improve at this stage?

BCS Policy Team
by Julian Schwarzenbach

The objective to 'do something' in this area is sound. I would be interested to know what the anticipated outputs would be:

  • A White Paper or similar
  • A Publicly Available Specification (PAS) which could provide significant leverage to implementation
  • Legislation
  • Training courses
  • Certification/accreditation
  • other

It would also be valuable to clarify who the audience for these outputs would be:

  • Government, regulators etc.
  • Software/service providers
  • Members of the public

Julian Schwarzenbach, Chair, BCS Data Management Specialist Group
by Leonard Clark (unregistered user)

The aims of the Challenge are clearly praiseworthy and I hope genuine progress can be made.

It seems to me that one area that will need to be addressed is the potential commercial disadvantage placed on a business or organisation by being a good citizen. It is clear that incorporating and recognising personal rights in the use of data will come with a price tag, even if that is only the need to develop systems that will implement such an approach. With the best will in the world, organisations will be reluctant to adopt such an approach if competitors are likely to continue working without the same constraints.

A separate comment: we want to see ... "appropriate usage rights that are open, shared and understood" - specifically "understood". Good luck with that. Within the BCS this ought to be a manageable target but it seems to me that if these principles are to be applied to the world at large, that little phrase will define a major project in itself - a project, to be fair, that BCS has already embarked on but which probably needs greater definition and prominence (I note the previous comment included "Training courses").

by David Evans
Hi Julian - those are all potential outputs in the future; for now we're building the map of the issues. What we're looking to do first off is build the societal objectives that are as universally acceptable as possible. This will give us a base from which we can look at that future goal and how we get there. We're not looking to repeat work but define a goal and place the good things others are doing on that roadmap - and where appropriate lend support. There is a community with lots of ideas out there... ...speaking of which, I'd love to come and talk to you and your specialist group about this topic and broader strategy at BCS.

David - Policy & Community Director @ BCS
by Denise Cook (unregistered user)

This is a really interesting topic, with customer trust and GDPR amongst other things being increasingly talked about. For me education is key here. Our media focus on the negative stories around data use and data loss and maybe if we could educate the general public on the benefits of data sharing and data integration then organisations could be comfortable and truly transparent about how they use personal customer data then people would feel a lot more comfortable about data safety. I predict the morality and ethics of using customer's data will soon become a hot topic.

by Alan Day (unregistered user)

The principles are actually much lighter than the proposed GDPR. How can there be genuine trust between controllers and data subjects when the latter's personal data is an asset that can be (and frequently is) exploited and traded? It is a lucrative and murky trade that can only be tackled through forced transparency and a granular informed consent model. I guess the real issue for me is whether BCS is the tail trying to wag the commercial dog here. We are not short of data protection principles, and the GDPR will add welcome controls. BCS should focus on a response to the data protection by design and default agenda. I have nothing against the principles, but would prefer a campaign that was less lofty and more focused on delivering principles outlined in the GDPR which are better articulated and more focused on informed consent of individuals against stated purposes. Not sure what this campaign is trying to achieve from whom or more importantly, why start on the cusp of a new EU legal framework (GDPR)? ... just implementing GDPR is going to be a major challenge!

by David Evans
Hi Alan - Understand your point, and you're right that there are a lot of ways BCS could approach this. We're starting something here, and the implications won't be immediately apparent. Glad to hear, however, that you think the principles are reasonable. If you've any further comment on them then do let us know!
by Geoff Sharman (unregistered user)

I must confess a certain scepticism about the value of this exercise. Given that government, the EU, and big social media companies are the ones shaping the overall future, it's not clear whether individuals - or even BCS - can have a major impact.

The whole field of personal data is beset with ambiguity. In the world of 19th Century business, personal service (which involved knowing a great deal about an individual customer) was considered highly desirable. In 20th Century business, the maxim "know your customer" was considered the hallmark of a successful company. In the 21st Century, some people doubt the motives of those who know things about them and this attitude is characteristic of behaviour of people who live in totalitarian states or who are exposed to exploitation by the press: the "trust no-one" mentality. So the existence (or not) of a trust relationship is more important than the possession of individual facts about an individual.

In relation to the "principles", these too are remarkably fuzzy. Safety may seem obvious but how can "integration" be a principle? Integrating data usually increases its value, which is advantageous for some purposes. However, Data Protection laws are intended to have the effect of reducing opportunities for integration by restricting data to particular usages. So is integration good or bad? "Relationships" are likely to be very asymmetric: the rights of individuals vs. the power of corporations and governments. Is there any likelihood that such data relationships will be negotiated on a one-to-one basis?

To add one more element of scepticism: laws are often misused: they provide a convenient smokescreen for some, whilst having the effect of increasing costs for small organisations and providing no great restraint on the big players. I can't help feeling that BCS needs to be much clearer about what it wants to achieve and how it thinks this might be done.

by David Evans
Geoff - an interesting set of comments! You set out a good picture of the 21st century challenge - to ensure that trust and relationships are in place rather than taking a compliance-led approach that does nobody any good. You're right that impact on these issues is difficult, but there are good reasons to believe that the UK is an important place for personal data. The legitimate point of contention is whether we as a community can make any difference. I believe we'll only find out by trying. If you frame these principles in the context of current data protection approaches and conventional thinking then of course they are problematic. The point is to start looking at the societal goals and then benchmark the environment against them. I also agree that BCS does need to be clearer about what it wants to achieve and how it thinks this might be done - but BCS is not some vague disconnected persona, it is the community, and these principles are setting out what we want to achieve - so we're going through that process in an open way. So let's get clear about our objectives, and have faith that we can make a difference.
by Kevin Chamberlain (unregistered user)

I think there's a major omission - Accuracy.
If the data's inaccurate Integration becomes difficult/impossible, it's unsafe as may lead to false decisions and will depend on good relationships to correct.

by Julian Ranger (unregistered user)

This area is one we term the "Internet of Me" where we are at the centre of our digital lives and we own & control our own data. The Internet of Me need not be a dream as we at digi.me, and others, are making it a reality now - for example please see http://digi.me/video.

A lot of the personal data issues do drop away if we own and control our own data and if businesses come to us direct - they get Rich data vis poor Big data - orders of magnitude better data at orders of magnitude less cost. A true win-win, fully compliant with the new EU GDPR as well - it just takes that switch in perspective - see the following links as examples:

1. https://www.linkedin.com/pulse/sharing-change-control-needed-julian-ranger
2. http://www.politico.eu/article/meet-digi-me-a-personal-data-librarian-an...
3. http://www.capx.co/putting-consumers-at-the-heart-of-the-personal-data-e...

So the question is, how do we in businesses solving this issue today, with real clients (multi-nationals and Governments) and real users (hundreds of thousands in our case) engage with the BCS on this issue?

by Ann Wrightson (unregistered user)

It's not just about trust and safe sharing - it's also about ensuring that data collection is no more than required for a particular purpose. As a simple example, there are many Web retail sites that do not allow a simple purchase without creating an account, which means that data is retained for longer, and often more data is collected, than is needed for the purpose of a simple purchase.

by Andrew Baldwin (unregistered user)

There are several aspects which I feel are societal/cultural issues wrapped up in technological capability. How they're solved is a BIG question (if indeed they can be).

Asymmetry - large bodies (companies, governments...) can easily overpower the individual -- even if the courts are available, the cost of lawyers is prohibitive -- and even if you got a judgement in your favour, enforcing it is nigh on impossible (if governments can't get basic things like tax settled, what hope does the man on the Clapham omnibus have?).
Also the 'benefits' are often trumpeted, but realistically who does benefit? Companies and advertisers gain a lot but the customer gives out personal data and gets nothing much in return (maybe the occasional money off voucher, but not much else [apart from increasing junk mail]).

Permanence - I can lend you my car to make a journey, when you finish you return it to me, I have what I started with and so do you; I give you my details to perform a transaction, you can keep them, I've apparently lost nothing but you have gained a great deal which you don't return and can use again and again.

Data vs Opinion vs Information - 'Hard data' [name, address, date of birth...] is easily verifiable and can be corrected on demand; it's widely available and is generally not controversial.
'Information' such as buying patterns and inferred purchasing power is a slightly more tricky area. The algorithms used are often a trade secret and so the individual concerned rarely has the chance to challenge and/or correct them.
'Opinion' and reputation - especially from social media sources - is a real minefield and is possibly the most damaging and hardest to correct. Once something is published about an individual it is permanent - the Internet never forgets. Getting it removed is virtually impossible (see the 'right to be forgotten' debacle - technical challenges about backups, defining scope, opposition from "freedom of speech" advocates and the big corporations who see it as a challenge to their business model...) yet it has the potential to destroy lives; people have had their reputation shredded, been ostracised and denied work and in some societies hints about religion or sexuality can literally be a matter of life or death. Getting corrections is difficult (see asymmetry above) plus the "no smoke without fire... the lady doth protest too much, methinks" syndrome kicks in.

Policing - it's fine to lay down rules (such as in the Data Protection Act 1998) about data only being used for purposes stated but enforcing this is difficult. Multinational companies simply move data around; smaller companies can go bust and reappear a few days later; there is no effective sanction. And, as above, once they have the data it is impossible to get it back.

Other strategies - anonymisation is hard, very hard. Studies have shown how it is relatively easy to piece together different pieces of information to reveal identities. In some cases (police work chasing down criminals) this is good - in others (organised crime, journalists, people with a vendetta, abusive ex-spouses...) this is a real danger.

I applaud the BCS taking this initiative and I genuinely hope to see it make some progress (any steps forward is good - let's not wait for perfection) but let's not kid ourselves - it's a tough job.

by Steve Batchall (unregistered user)

this is great and has numerous of well informed strategies
