Internet of Things




The public and private sector now have the ability to store some of our most personal information. The legislation that governs the collection and storage of this information is the Data Protection Act 1998 (DPA). In recent years it has become increasingly clear that the Act is not up to the task of deterring the illegal disclosure of our information.

Under the legislation the sanctions available to the courts are, in many cases, trivial. When compared to the scale of the losses and the financial rewards which can be gained by selling personal data the current range of punishments is grossly disproportionate.

Reports, Research and Briefings

[ic_add_posts showposts=’5′ post_type=’bbwreports’ tax=’research-and-briefings-category’ term=’internet-of-things’ template=’posts_loop_template-report.php’]



Policy Recommendations

1. The introduction of custodial sentences under Section 55 of the Data Protection Act.

This is one process which would require minimal effort, but would yield results. Under Section 77 of the Criminal Justice and Immigration Act 2008 a Secretary of State can implement a custodial sentence of up to 2 years for serious breaches of the DPA. No new primary legislation would be required and it would send a clear message that the Government takes the security of personal information seriously.

As technology expands further into our everyday lives, devices will be reaching further into our personal and private lives. The grab of granular information, creating big data documents of our health, home and work life, energy use, transport preferences and finances will be greater than ever before. It is critical that effective deterrents for those with access to this highly valuable personal information are established. Privacy and security should be seen as a positive requirement of the future economic wellbeing of the country.

2. The Data Protection Act should be extended to cover information that has been anonymised.

The DPA provides little protection for anonymised information. Currently the definition of what is personal data precludes anonymised information from being included. This should be rectified to pre-empt future concerns regarding the creation of large data sets and Big Data projects which will become a greater part of the public and private sector over the coming years. Studies, such as Robust De-anonymisation of Large Sparse Datasets (How to Break Anonymity of the Netflix Prize Dataset), is one of many that show the ease with which it is possible to combine separate databases to re-identify individuals.