Companies store copies of information in multiple locations to minimise the risk of data loss, but does our right to privacy suffer as a result?
Proposed data protection laws would require companies to delete information that could allow an individual to be identified, but existing data storage and duplication practices are at odds with the drive to protect our right to privacy.
The ‘right to be forgotten’ is one of many concepts that could be introduced into new EU legislation on data protection later this year, but according to some within the data processing industry, most firms are still a long way from being able to comply.
Central to the idea of being digitally forgotten is the concept of anonymisation – stripping personally identifiable details out of data such that anyone coming into possession of it would be unable to trace the individuals to whom it refers.
Earlier this year a Harvard professor was able to re-identify individuals in a genetics database by cross referencing with public records, with an accuracy rate of 42% if only three types of information – zip code, date of birth and gender – were present, rising to 97% when first name or nickname – information that could easily be extracted from many email addresses – was added.
The Information Commissioner’s Office has already released guidelines concerning anonymous data, but when the European Commission finishes refining the existing EU Data Protection Directive it is likely that more stringent legislation will be put in place.
The idea of simply deleting personally identifiable information from a database following the initial collection and analysis stage may not seem overly complex, nor would it stop a data processing company from carrying out supplementary analysis on the remaining data. But in reality the data security processes in place at many large organisations can make this task far from straightforward.
Source: The Guardian