User login

Data ownership-What you need to know

Data ownership-What you need to know

Briefing: Data ownership-What you need to know

The row between the Labour leadership and Virgin Trains, named with a singular lack of imagination ‘Traingate’, was seen by many journalists and politics aficionados as a welcome filler during the Westminster summer slump.  Be this as it may, there is an infinitely better reason to take another look at ‘Traingate’: The question of data ownership. In the aftermath of the unfortunate incident, the Information Commissioner’s Office (ICO) launched an inquiry into whether Virgin Trains East Coast was in breach of Data Protection rules. The findings of the report, published on the 12th of July 2017, exonerate Virgin Trains of these allegations with regard to images of Jeremy Corbyn but found it breached the rules when publishing pictures which included other passengers. The incident highlighted the uncertainty surrounding ownership of data. 

The following briefing will set out a few key facts about the current rules of data ownership as well as some observations under the heading ‘Where next?’

·         First tell, then show

Organisations are obliged to publish specifics on how they will process personal data obtained from clients. If data obtained is used for purposes other than the initially stated one, the company might be in breach. However, the current rules permit rather far-reaching terms and conditions, thus undermining the notion of informed consent, as nobody actually reads them.


·         What is personal data?

As a rule of thumb, data is personal data when the holder of the data is able to identify individuals based on the data alone. For instance, information on your driver’s license is personal data, a statistic on how many UK citizens hold drivers licenses is not personal data.


·         What does ‘processing’ data mean?

The Data Protection Act 1998, which is currently still the law of the land for anything relating to personal data, applies an extremely broad definition to ‘processing’ of data, meaning that in effect any company holding client’s data will be de facto processing it. The stickier point is to define when personal data ceases to be personal data, i.e. when it has been altered to such a degree that it is no longer the individual’s data but a commodity in its own right. An expert panel at our Policy Connect Event ‘Digital Identity and Data Fraud’ will explore precisely this question.


·         Your rights

In legalese, persons about whom data is held or produced are ‘data subjects’ This category comprises most of us. The other group are so called ‘data controllers’. Data controllers are any group or organisation that holds data of ‘data subjects’. In the example used in the introduction to this briefing, Jeremy Corbyn and his fellow travellers are all data subjects whereas Virgin Train East Coast is the data controller.  Data subjects have the following rights regarding their personal data, namely that is must be

o   used fairly and lawfully

o   used for limited, specifically stated purposes

o   used in a way that is adequate, relevant and not excessive

o   kept for no longer than is absolutely necessary

o   handled according to people’s data protection rights

o   kept safe and secure

o   not transferred outside the European Economic Area without adequate protection


Some of these are rather self-evident, like the requirement that data must be handled lawfully. Other rights are rather opaquely worded. Take the requirement for data to be kept no longer than ‘absolutely necessary’. Necessary means different things to different people and companies are bound to apply more liberal interpretations of this than many individual ‘data subjects’ would like or approve of. Another instance of ambiguity is the right to have your personal data kept ‘safe and secure’. Does this, conversely, mean that data breaches and instances of hacking make the company holding the data liable to compensation? This is not currently the case.

To sum up, the Data Protection Act does not transfer many significant rights to consumers, making them subjects indeed. The issue here is not that the Act withholds rights from consumers, but that the wording is so broad and ambiguous as to render it difficult to enforce in practice.

There are two caveats to this: First, the company holding your data can either be a data controllers or data processors. Due to the very broad definition of processing, it is a case of all thumbs being fingers but not all fingers being thumbs, i.e. all data controllers are data processors but not all data processors are data controllers. Data controllers have stricter rules for data protection than data processors, but due to the broad and ambiguous wording the practical difference is marginal.

Second, the law further distinguishes between personal data and sensitive personal data. The latter refers to personal data containing information about race, religion, gender, political views and metal and physical health. In these instances, slightly more stringent rules apply.

Where next?

The Data Protection Act was not exactly a bold and visionary piece of legislation at its inception in 1998. The emphasis reflects the dominant zeitgeist in that it gives companies significant powers over a commodity they themselves did not create. Mediating this somewhat harsh assessment is the fact that at the time, in 1998, data ownership was a less controversial and certainly economically less important issue.

Almost 20 years on, it is time for a new law, reflecting a fundamentally new political paradigm. To be clear, the need to ‘put consumers in the driver’s seat’ when it comes to their personal data is not only voiced by data protection charities and pressure groups, but increasingly by industry representatives themselves, as transpired during Policy Connect’s ‘Big Data and FinTech’ event. Market leading companies increasingly argue for new legislation to provide more legal clarity on their rights and obligations in processing their customer’s data.

The shortcomings of the current legal framework for companies and customers alike are likely to increase in the aftermath of Brexit. The implementation of the GDPR (General Data Protection Regulation) will have a profound impact on British companies doing business with the continent.  In order to achieve at least a resemblance of the ‘frictionless trade’ the UK government is aiming for, data protection needs to be augmented to EU standards. This is not solely for the benefit of consumers. The GDPR specifies that any UK company processing EU citizen’s data will have to comply with its rules.

Hence, to have more stable economic interactions with the EU, we need stronger data protection laws for the consumer. It is also worth noting that if the government does not act, the regulatory gap would widen even further, as there are currently legislative proposals in the EU pipeline that would further strengthen EU citizens’ rights to data protection. It is therefore reassuring and timely that Theresa May’s administration has announced a digital charter and a new Data Protection law in this year’s Queen’s Speech: ‘A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online’.