By Michelle Reid, UK Sales Director, Telehouse Europe
In August 2006, AOL endured a very public embarrassment when they accidentally published more than 20 million details of Internet searches made on their sites, complete with enough data to identify the individuals who made those searches. The searches ranged from “movies for dogs” to questions about getting revenge on an unfaithful wife. But as well as amusing and titillating, the incident also shoved the very concept of data into the headlines and made people suddenly question how much of their life and behaviour was out there in the form of scraps of stored information. And some then wondered whose property that data was and how it was being used. Good questions both, and ones which also arose in an industry roundtable discussion that Telehouse organised with seven very different IT industry figures, including myself. Our topic was the extraordinary growth in data – whether that be a business’ confidential financial information or what brand of cheese you bought in Tesco last week – and what is then done with that data. The big question was: who is finally legally responsible for this data? Not surprisingly, there were no simple answers.
This stems from the fact that data ownership is so complex, with so many players involved. As a data centre provider, it is tempting for Telehouse to say that we merely provide a storage space and can’t be responsible for what goes on within it, just as a hotel owner can’t be held responsible for what takes place in their hotel rooms. But we feel a responsibility to go further than that and explore the issues of responsibility and ownership a little deeper.
The first thing to recognise is the many reasons why data is held, and the uses it is put to. A huge amount of the data we store is uncontroversial but critical business information, the information and documentation which underpins the day to day running of an organisation. Businesses need to keep this data because they are subject to a bewildering array of legal requirements, from Sarbanes-Oxley to data protection, requiring they properly record their activities and transactions.
Another motivation for storing this information is disaster recovery: if an IT failure should damage the data on their own servers, they need to know it is backed up elsewhere. Few people are seriously concerned that their bank keeps records of their financial information, and would indeed be worried if they did not. The issue gets murkier when third parties get access to this data, particularly in the course of criminal investigations.
Most people are aware that data they provide can be used for marketing purposes, and more and more people are ticking the box to prevent data being passed to third parties. But they don’t always have a choice. With the events of the last five years, the role that information may play in helping prevent terrorism has become far more significant. The US Government has – controversially – started collecting telephone and Internet data as a core part of its intelligence activities. But few people would seriously suggest that data centre providers or ISPs should not reveal this data if it prevents atrocities. The key thing, as came up repeatedly in our roundtable discussion, was that they should be informed that this was a possibility.
And indeed, our discussion kept coming back to the rights and responsibilities of the individual. How do you and I know that the data we provide, sometimes unwittingly, is not abused or passed on? Any bit of data may pass through many different hands, from the business who originally collects it, to the storage company who backs it up, to web hosting third parties, so how can we pin down a single organisation that will ensure the integrity of that data?
The final conclusion is that we cannot. Everyone involved in data collection and storage should be aware of the importance of data integrity, and take responsibility for it, but no-one has overall control. What this means is that effectively it is up to individuals to protect their interests. If people are concerned about their data – and in an era of identity theft, more and more people are – then they can interrogate the companies they do business with and find out what data they hold and who else may have access to it. The Freedom of Information Act gives them this right.
Of course, it’s not quite as easy as that. Most individuals simply aren’t aware of what is known about them, or of their right to know. As an experiment, one of the participants in our roundtable asked an organisation he works with regularly what information they held on him and was perplexed to find that they had recorded the times he entered and left their buildings to the second. If this man – who works with data all the time – can be surprised, the man on the street surely has even less idea. That’s why the duty of all of us involved in the data industry is to start talking about this issue more, start informing the public – our customers – of what information we hold and how they can find out more. Few people object to legitimate details being kept, but they deserve to know about it.