Voice of EED

Friday 18 June 2004

Data Protection is a waste of space [slim]

I recently saw a copy of a letter where someone was requesting some information they thought they were entitled to see under the Data Protection Act.
It was interesting to me to see the Data Protection Act in action; I'd never seen anyone request anything using it as a reason before. What it did was demonstrate just how useless the act actually is. The reply the bloke allegedly got was that he wasn't entitled to see the information because it wasn't in a relevant filing system. They expanded the act a couple of years ago to include paper filing rather than just computer data, using the following definition:
'A “relevant filing system” means any set of information relating to individuals, not processed automatically but which can be manually processed by reference to the individual or by reference to criteria relating to the individual so that specific information is readily accessible. Whether manual information, such as paper files and non-automated microfiches, falls within the definition is a question of fact in each case. There must be a set of information about individuals grouped together by reference to a distinct identifier, for example, a set of information on customers or employees. The information and the ease of access to it should be assessed, rather than whether the information is part of a physical file.'
As I understand from that definition, if an invoice about was filed under 'Mr Flanders Invoices' it would be covered by the act, and retrievable on request if you were Mr Flanders. If it was filed under '1 Springfield Road', it wouldn't be because the filing system doesn't identify you as an individual. So instead of the act protecting people as it's supposed to, every company just changes their filing systems to something cryptic and becomes immune. Top eh?
ODPR should just be binned. Anyone ever seen an example of it working in someone's favour? There's plenty of high profile cases where it's worked against the public interest (Soham for a start).


  1. I've heard it said a good many times that the DPR isn't actually about empowering the people whom the private data is being retained on, it's about protecting the firms from liability concerning it. Seems to be in line with what you've said too?

  2. Yeah, DPA absolutely sucks ass, because once again it's a 'one size fits all' bit of legislation with morons tacking bits on as new stuff comes on the scene.
    It's the same with Accessibility; watching government try and foist what is essentially Disabled Access Rights onto the internet. Piss off.
    We, like your crowd, have to do the whole DPA thing; but I have *never* seen it actually enacted in terms of someone asking to see something with the Act as their basis of rights.
    Yet another fucked up useless bit of shite from Central Government; bravo!

  3. I dunno, I think it's a rather good thing, not perfect but can have great effect (btw, under the filing by address, I could be mistaken but I'm pretty sure that falls under the remit - so long as something is personally identifiable (eg database tables keyed by an id against your name are covered), I don't see how postal addresses are any different, I reckon the company in question was trying to bluff their way out of it).
    The great thing about the DPR is a lot of businesses don't have a clue about what they are supposed to do about it, or largely care, which can be used to your advantage to put the fear of god into them.
    I've seen it used several times against employers to positive effect - for example at my last workplace a work colleague was sacked due to gross misconduct (he wasn't a bad lad, not perfect but it basically came down to the managing director not liking him and wanting a cheap way of getting rid of him). He was going to take it lying down, but I was concerned that he'd find it hard to get a job leaving in such a way, so persuaded him to submit a data protection request (along with talk to Citizens Advice). At first they sent round an email (incorrectly) just asking people to forward emails he'd sent them (which I kept schtum about cos he could use it to complain to the DPR about them), in the end the company realised they didn't know what they were doing and bottled it and offered him proper paid redundancy with no comeback.
    Seen it used at a university I used to work at quite effectively over unfair dismissal cases (in fact Unison cottoned on to its major power - it costs businesses a *lot* more money to process than the £10 max you have to pay, simply because businesses aren't used to having to do them, so there's nothing in place... and because of that the combined man hours of first searching for stuff, and secondly collating and editing stuff to remove irrelevant information (eg if you're mentioned in an email and someone else is also mentioned in it, that other person's name should be blanked out)). I believe at the university it was estimated at something daft like 10 grand cos of the sheer amount of lost man hours spent on it - there's the personnel systems, email systems, employees have to check their PCs for piddly access databases and spreadsheets they haven't deleted etc. Used to amuse me at the uni students protesting, when all it would have taken was all the students to place a DPR request at the same time and it could have sent the place bankrupt (for a start there's no way they could have processed them in the stipulated time limit!)

  4. 'Yet another fucked up useless bit of shite from Central Government; bravo!'
    Wish they would stop passing shite laws like this and sort out the licensing laws (like they have been talking about for years) so we can actually have a drink in a pub after it's dark :)

  5. Load of shite being talked here readers. The DPA is a very good piece of legislation that is a considerable look out for us all. You lot are whingeing about the fag of supporting it which might be a pain in the ass if you have to do a DPA request for businesses (and it is), but the Act itself is top stuff.
    Think about it, all those nasty little club-up sackings and prejudiced dismissals which are not justified in any way shape or form suddenly blown out the water because you can search the records under a DPA application.
    On the specific point about person and address, the DPA isn't capable of being circumvented like that. Sounds like a back of the coffee machine theory from someone who's reet fooked off with DPA requirements :). As to the DPA protecting firms not individuals that's about as arse as tit as you can possibly get. It's a major imposition on firms and creates huge rights of information access that previously simply were not available under simple process of law.
    Yes the DPA is a pain in the arse to have to comply with from an effort point of view when you're running a business, but the purpose and possible product of it is excellent.

  6. Yes Am a load of shite is being talked here....
    I'm not saying the Act doesn't have good intentions, but it's nowhere near as effective as you make out, and has proved to be very very damaging indeed. You say the DPA isn't capable of being circumvented like that; I'm afraid it is. It's famously vague and unspecific and allows people to get away with shit like this all the time. You have to make your own interpretation, like in the section I listed above, which means companies comply with it to different degrees. Examples of this we've seen to great cost: the police deleting records of Ian Huntley to comply, British Gas cutting off gas supply to an old couple, killing them. Small businesses are hammered by scams because they find the act so hard to understand and comply with.
    It would definitely be far more effective if it was simplified. The Information Commissioner's site is riddled with best practices and guides to help people understand the thing. I've been on courses to learn the fucker and still parts of it are vague. It's pish, many, many people agree that it's pish, and you're the one that's talking shite!

  7. Gerrof, is your name Afty? Total rogue's practice that attacking a good act as fundamentally flawed due to a couple of high profile instances of incorrect interpretations of it. Previously no right of access to information about what evil fucks were saying about you. Now rights of access. As to the ability to circumvent on a correct basis (rather than a company trying to justify to itself its non-compliant actions) that's just wrong. I do know whereof I spake. Alternatively I could tell you how to program in C. It's a lot like PERL.