Mid-Atlantic Privacy: Our Community Needs a Data Protection Social Contract
Note: This post is part of a series on the Mid-Atlantic Privacy Compass. Over the following weeks, Commissioner White will explore each of its Compass Points in greater detail.
All parties are interconnected. We must exchange ideas and learn from each other. Too often, fear of regulatory action or negative public opinion prevents an organisation from discussing its mistakes or misfortunes.
Both individuals and oversight groups should recognize that no one is perfect, and organisations must reward that trust by prioritizing community as highly as self-interest.
We must develop a new Data Protection Social Contract to recognize common interests and ensure we work together effectively, not only in the use or analysis of data for the public good, but also in learning and improving.
Organisations should be driven by a sense of Community. Collectively, we may achieve more than is possible on our own, and that includes successfully protecting rights. We must seek to share our knowledge and experience so that the community can benefit from the sum total of it all.
Our current incentives often reward hiding mistakes or misfortunes from the community, for fear of inviting regulatory actions or public criticism. Mistakes are the best teacher, especially when we can learn from others'. We must encourage and incentivise the sharing of lessons learned and hard-won knowledge about cybersecurity and data usage.
We too often try to isolate or compartmentalize responsibility and blame. Many of the mechanisms to do so derive from long legal or business tradition, or even philosophies of individual responsibility. Lawsuits or regulatory punishments may seek to assign fault on one side or the other.
But data protection blends the categories and contributions. When data is misappropriated or misused, the organisation may be a victim alongside the individual, albeit with a different spectrum of harms. Mistakes may have occurred or harms accrued despite their due diligence, and rushing to point fingers will do nothing but obscure the true lessons to be learned.
Protection of a community's data can only succeed collaboratively, with society investing in the necessary security infrastructure, with organisations accepting responsibility for the data they collect, with each individual taking steps to protect their own data, and with oversight bodies working to provide expertise on best practices.
The need for all these different groups to work together implies the need for a new guiding philosophy, a Data Protection Social Contract. I don't mean this term in the sense that we should identify who has the "divine right" to use personal data. Rather, it is to redress the fact that with all of us operating separately, with organisations amassing data for their own interests and individuals largely unable to monitor or control what happens, we find ourselves in a state of anarchy.
Instead of allowing rules or norms to develop ad hoc, we should make conscious decisions about what community we want to build, what responsibilities should fall on each of the various stakeholders, and how they should interact and collaborate to meet their obligations.
In addition to learning from others' lessons, organisations should keep front of mind their sense of community when making decisions about how we choose to operate, asking how data or experience can be used for the public good. The decisions we make should focus on creating a better village, both global and local, for us all.
Alexander McD White
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.