40
A Democratic Licence to Operate
The Public’s Awareness of Data Collection and Use
2.40
It is reasonable to suggest that the public’s perceptions of surveillance, the agencies and
oversight outlined above would change if they were more aware of some of these issues
and, in particular, if they were aware of how much of their data is collected and used.
2.41
As noted also in Chapter I, the public do not fully appreciate the scale of data collection
in our digital society. Much of this data collection occurs without us even realising it.
People unwittingly give away information when they use smartphones; buy things via
PayPal on eBay; post content on Facebook or Twitter; and use Internet search engines,
all of which can be tracked and analysed and the data sold on the open market.38
2.42
One of the primary reasons given by those polled for discomfort with the collection of
data is a sense that it has been carried out without explicit, informed consent. When
subscribing to services offered by private-sector companies, users are presumed to
provide consent by agreeing to T&Cs. To be considered acceptable under the DPA 1998,
the processing of information has to be fair and lawful. In its guide to data handlers, the
Information Commissioner’s Office stresses that ‘fairness generally requires [users of
data] to be transparent – clear and open with individuals about how their information
will be used’. It argues that people should have the means to ‘make an informed decision’
about ‘whether to enter into [the] relationship’.39
2.43
The methods used to seek consent in online transactions are often less demanding
than those used in certain other areas. In clinical medicine and biomedical research, for
example, requirements for informed consent are taken more seriously, and standards
are set out in professional and regulatory requirements. One example of an area where
informed consent is considered to be particularly important is that of medical records
and health data. Although not stored centrally, the NHS holds millions of cradle-to-grave
records of citizens and significant volumes of health-related data. Polling suggests that
we trust health workers (doctors) more than other public figures with our personal data.
Most would agree that analysing this data can be very helpful for both diagnosis and
health management.40 However, there is a risk that consent to the use of medical records
in commercial contexts may be subject to ‘ticking and clicking’ without reading, let alone
understanding, the T&Cs or other content to which consent is ostensibly given. Data
subjects – whether patients or research participants – cannot be expected to understand
large amounts of medical or other technical information of high complexity, or to grasp
all of the ways in which data that pertain to them could be reused. In other words, they
38. The Ditchley Foundation, ‘Intelligence, Security and Privacy’, conference terms of
reference, 14–16 May 2015, <http://www.statewatch.org/news/2015/may/uk-ditchleyintelligence-and-security-conference.pdf>.
39. ICO, ‘Processing Personal Data Fairly and Lawfully’, Guide to Data Protection, <https://ico.
org.uk/for-organisations/guide-to-data-protection/principle-1-fair-and-lawful/>.
40. Parliamentary Office of Science and Technology, ‘Big Data and Public Health’, Postnote, No.
474, 2014.