On May 20, the RSS Social Statistics Section, together with the Association for Survey Computing, hosted an event that looked at the changing nature of protecting data privacy in social research. The three speakers were from the recent ASC conference on the challenges and opportunities of participant privacy.
Randy Banks, information security manager at the Institute for Social and Economic Research, University of Essex, discussed issues around ISO 27001, the Information Security Management Standard, and the experience of gaining accreditation.
Dan Nunan, from the Henley Business School, University of Reading, focused on EU regulation with respect to protecting privacy, and its unintended consequences for survey research.
Marion Oswald, the Director of the Centre for Information Rights, University of Winchester discussed Trust, Anonymisation and Data Sharing.
The meeting was chaired by Chris Kershaw, chair of the Social Statistics Section.
Referring to the title of his presentation, Randy emphasised that ISO 27001 was an information security management standard, not an information security standard. It provides a framework and process for developing an information security management system and with guidance on you how to go about protecting information, not what should be done to protect it. After discussing some of the details about its structure, Randy focused on the costs and benefits of gaining accreditation. Costs included the impact on personnel such as training, risk assessments and allocation of newly defined responsibilities. However, the benefits outweigh the costs both in terms of competitive advantage where clients are asking for ISO 27001 and the culture change where information security management is seen as everyone’s responsibility. Finally, he provided some useful tips on the process such as understanding that the costs relate mainly to achieving compliance not the actual certification, and acknowledging this is an ongoing process as ISO 27001 expects continual improvement.
Dan discussed the development of EU regulation on data privacy and the likely impact on social research, noting the topical relevance given the recent EU ruling on the ‘right to be forgotten’ which was likely to have unhelpful consequences for survey research. However, the 'European Standard' for data protection is becoming the norm in most parts of the world with privacy laws, but the major exception is the US. Most big companies are US based and their lack of adequate data protection required Europe to act. The European regulation is designed to strengthen privacy rights and boost Europe’s digital economy. The new regulation reflects the changes in online behaviour, and the consequent limitations of national legislation. In addition the ‘Snowden effect’ means data control is an issue of national security. The consequences for market research include the need for a more extensive consent process which could affect response rates but which could be helped by an icon- based privacy notice (equivalent to current food labelling). Although regulations have been delayed, it is clear that they will have a significant impact on the way that online data can be used in research.
Marion’s presentation focused on attitudes to personal data sharing and associated issues. Looking at the positive aspects of data sharing, she gave examples of some of the many instances where sharing or joining up data can contribute to safe running of public services, citing various high profile examples where combining data over time or across people would have identified problems at a much earlier stage. She then presented a set of research findings on trust in handling and sharing of data, showing that, for example, although the NHS was more trusted in using personal data than local or central government, trust in all three decreased for data sharing. Anonymisation did not improve this as much as might be expected because people believe they will be re-identified. She suggested the RSS has a role in discussing the real risk of re-identification. Trust varied according to the purpose of the data use, with sharing with commercial organisations being the least trusted.
The discussion which followed included the following themes: the dichotomy of lofty ideals versus commercial reality; the difficulty of operating the EU ruling on the ‘right to be forgotten’ since in reality total deletion of data is impossible because of copying etc (which legislators need to understand); ‘data sharing’ is too generic a term; the need for more work on anonymisation including comparison with the US; use of privacy ‘icons’ (like food labelling); the positive experience of ISO 27001.
The chair thanked the presenters for a very interesting meeting.
Copies of the slides have been made available on the StatsLife event page.