Privacy International have published their “2007 International Privacy Ranking” report where they rank how well countries protect the privacy of their citizens.   Ireland does not rate well and according to the report there is “systemic failure to uphold safeguards” within this county. 

One of the key areas that the report highlights with respect to Ireland is our data retention laws implemented under the Criminal Justice (Terrorist Offences) Act 2005.  Despite assurances given by the then Minister for Justice that this data would only be accessed for terrorist and serious crime related incidents, the Data Protection Commissioner revealed last summer that the Gardai have made over 10,000 such requests.  Now either we have major serious crime and terrorist activity going on in the country or the privacy of individuals is being invaded by misuse of this law.

2007 also saw many individuals unknowingly erode their privacy by giving personal details away to corporations each time they go online.  Every Google search, every purchase on Amazon or upload to their social network site can be tracked, cross referenced and collated to paint a picture on an individual.   

2007 also witnessed many major data security breaches, TJX in the US, the UK’s HM Revenue and Customs Service and our Civil Service which have undermined our faith in the ability of private and public organisations to protect our private data.  In fact 2007 was the year with the highest recorded number of Data breaches.

Maybe 2008 will see a swing in attitudes as people begin to take more care in how and who they disclose their personal information to.  Companies with a bad track record in protecting their customer’s private details may soon see a swing in customer loyalty to companies that do.  Compliance efforts such as PCI DSS may also oblige certain companies to make better efforts in securing data.  However, I will not be holding my breath for all or any of the above to happen in any major way this year.

Protecting privacy is the responsibility of both the individual and the organisations who have collected that person’s information.  But as yet there are no major incentives for either party to really care about privacy. 

The individual will still give away their personal details for a more “personalised” web experience or to share their latest escapades within their social network.  Organisations will still gather and share information as easily and conveniently as possible.  Unfortunately “easily and conveniently” often do not sit well with “securely”.

So individuals will have to learn to protect their privacy through educating themselves on the risks they face when giving their data away, conducting business with organisations with a proven record in protecting their clients’ privacy and by lobbying their elected respresentatives to provide better legislation to protect their rights.  Our recent call for Data Security Breach Disclosure laws to be introduced in Ireland is one example of how to change things.

Organisations, both private and public, need to realise that privacy is another piece of the transaction when dealing with customers and they are obliged to protect all the details of that transaction.  Organisations need to realise they are not the owners of the personal data given to them by their clients, instead they are simply the guardians of that information.

UPDATE 4/1/2008

Karlin Lillington has an excellent article on this report in today’s Irish Time’s (subcription required).  Karlin also has an excellent Blog that is well worth a visit.