Privacy’s About Us, Not ‘Me’

As part of this year’s ‘Privacy Week’ (9-14 May), New Zealand’s Office of the Privacy Commissioner (OPC) has designated 12 May as ‘Right to Know’ Day. As described, the day intends to raise awareness of New Zealanders’ legal rights to see the personal information that agencies hold about them. The OPC will also launch its ‘About Me’ app, an online tool that ‘makes it easier for individuals to ask agencies for their personal information by helping to draft a template email with all the details agencies need to respond to information requests.’

The right to access personal data about yourself is granted under Principle 6 of the NZ Privacy Act of 1993. According to the OPC, making data requests is one way people can ‘take control of their privacy.’ The ‘About Me’ tool merely aims to make this process more efficient.

For a data privacy / surveillance nerd like me, May 12th sounds like Christmas. Certainly, both ‘Right to Know’ Day and ‘About Me’ are sorely needed resources for those of us who care about data privacy. But I’m cautiously optimistic about the efficacy they’ll impart. Here are some reasons why.

For the past three years I’ve assigned over 130 students to make data requests from a wide variety of organisations across New Zealand as part of a course I teach on Media, Technologies & Surveillance at Victoria University of Wellington (see NZ Herald article, ‘Kiwis Intimate Data Kept on File’ from July 2014). To date, over 500 such requests have been made. The most recent batch my students submitted came in just last week and included 6 weeks’ worth of data requests from Air New Zealand, ANZ, ASB, Farmer’s, Les Mills, Trade Me, Snapper, Spark, Victoria University, Wellington Combined Taxis, Westpac, amongst others.

For some insight into my scepticism, here’s a list of the most common responses dataholders have returned to us over the years when presented with a data access request:

  1. No reply.

In most cases, students receive no return communication from the organisations to which they’ve lodged a data access request. Even follow-up emails and phone calls are often ignored. In-person requests can often be more productive, but when told ‘We’ll get back to you,’ organisations rarely do.

  2. ‘What kind of data do you want?’

This second most common response puts the burden of the data request back onto the individual, even in cases where students have specified the type of data they wish to receive. To be fair, this response is oftentimes one of pure confusion. Many dataholders don’t know what a data request is or looks like. Others just aren’t sure what fulfilling such a request entails. The whole thing can really be a crapshoot depending on which employee receives your request (it should be the Privacy Officer, but this isn’t always the case). Students have had drastically different experiences obtaining data from the exact same organisation depending on who answers the phone/email.

For example: Last month, one of my students visited three separate Westpac branches before any of the bank clerks would help him; on visit #2, his legal right to obtain the contact details for Westpac’s Privacy Officer was met with a resounding: ‘No.’ Yet another student received multiple pages of her Westpac customer record without any problem or confusion. Meanwhile, a student pursuing her BNZ banking data received reports featuring two totally different sets of information from two different BNZ bank branches. How does that happen?

It isn’t just a matter of staff incompetency. Many dataholders simply don’t know how to aggregate and package data in a way that’s useful for the requestor. This is usually because an individual’s personal record is held in so many different places or systems within a single organisation that ‘what kind of data do you want?’ actually means the requestor must concretely ‘know’ the range and type of data an organisation stores. These are often the most frustrating experiences of all.

I don’t think I need to point out that if we knew what information to request there’d be nothing to ‘know’ in the first place. (And Privacy Policies aren’t always clear on it, either).

As my student Tsehai put it:

In my experiences with obtaining information from Westpac and Spark, I was questioned as to what information exactly I was requiring. This question reinforces ideas that privacy is my responsibility; therefore I should be educated about what information is held by different organisations. But without the ability to access all of this information, how am I to have control over my data?

Let’s face it: the decentralized nature of today’s data flows often means that obtaining all the information a company holds on you is – as they often put it – an ‘unfeasible’ task to fulfil in a fast and efficient way. For example, educational institutions hold personal information across several different departments and systems that don’t speak to one another in any real sense. Student records, health records, computer logins, student ID card, library databases and so on are all stored on their own servers with different access restrictions for different employees. More persistent students have pressed these types of organisations to find ways to acquire the information to which they’re legally entitled. But such persistence usually results in frustrated phone calls to my office from the organisation’s Privacy Officer demanding that I explain the limits of what they should turn over to my students. I’ve been told off on more than one occasion for the workload issues these requests cause, even though those requests have always capped at 10 or less at any given time (Air NZ complained because they had five).

Understandably, data requests have significant workload implications. In the face of already tight budgets, many organisations have limited capacity to access, aggregate and return the wealth of personal data they collect in a reasonable timeframe. Air NZ is the only company that’s ever acknowledged that their inadequacies in handling data requests are an organisational issue. As their legal counsel admitted via email to one of my students, ‘We’ve got some work to do at our end to make this more efficient.’

So if a handful of University students trying to do their homework is a problem for a company as big as Air NZ, what does the OPC expect will happen by making data access a public platform? Or maybe that’s the point.

  3. ‘Why do you need your data?’

Dataholders often ask my students to explain why they need a data report or what they need it for. These questions are typically posed in a way that feels disciplinary and threatening. Students describe feeling ‘bullied,’ ‘disciplined’ and ‘ridiculed’ just for making these requests. They report that tracing their digital footprint made them feel like they were ‘doing something wrong.’

In our opinion, demanding a reason for accessing one’s personal data is a dissuasion technique, and an effective one at that. Rather than cause any trouble or feel like they’re inconveniencing an organisation they do business with, students often opt to just drop the issue altogether. No one wants to be a nuisance or a nag; we simply want to act upon our ‘right to know’ so we can make better decisions and/or protect ourselves. But that can’t happen if we don’t know what we’re protecting ourselves from, or if we’re made to feel guilty for trying to figure it out. Hopefully ‘About Me’ automates the communication between the dataholder and requester so that it can provide more transparency in a way that doesn’t feel so punishing.

  4. Here’s your ‘data’

Occasionally, dataholders do respond without issue. In most cases, however, they merely feed back basic user profile information. Sometimes, such as in the case of Snapper, the response is: ‘All the info we hold can be accessed by logging into your online account.’

But is that really all? A quick skim through a company’s Privacy Policy will tell you, but it varies from site to site. Data reports returned without hassle rarely include metadata (the valuable ‘data about data’ that’s used to locate users in time and place); also excluded are the contents of communications, past promotional offers, targeted marketing initiatives, customer notes and other items that privacy policies claim to collect but don’t return. We know that bank managers, for instance, take quite detailed notes of personal interactions with customers; these notes assess a client’s value over time and often inform decisions about what loans, products and services they’re offered or denied later on down the line. Yet none of this data appeared in any of the bank reports returned to students.

Other places (like banks and telecoms) charge exorbitant hourly fees for printing costs; yet they won’t indicate how many hours printing will take. At $50-70 an hour, it’s not a risk most students can afford to take. Some organisations also require a subpoena or notarised affidavit that, in turn, requires a special trip to the Justice of the Peace or some other court. Hopefully the OPC’s ‘About Me’ tool addresses these costly printing and identity verification services as they’re otherwise a significant deterrent for those who struggle financially or are time-poor (like students).

Summary Thoughts:  Why Privacy isn’t ‘About Me,’ it’s About Us

‘From going through this process, it seemed like I was not truly entitled to my own data’ – Kyra

‘Maintaining privacy is considered a personal [responsibility], but obtaining our personal information from corporations can be a difficult, costly and exhaustive process’ – Tsehai

‘Maintaining control of one’s data goes hand in hand with maintaining control of one’s privacy. In order to control their data individuals must be aware of who they are giving data to and with whom those entities will share it’ – Phill

Privacy Week, Right to Know Day, About Me…all of these initiatives maintain that privacy is our personal responsibility, and accessing our data is the means by which we take control of it. Yet in reality, data access is an arduous process that depends on ticking the right boxes, talking to the right person, extensive correspondence, having a priori knowledge about what information is already held, expensive payments, obtaining the appropriate court-certified legal documents and, most significantly, finding the time to do it all.

As my student Briege notes:

While it has become increasingly necessary to engage with surveillance technologies in our daily lives, we are disconnected from the data generated through our interactions with these technologies, and this lack of connection is exacerbated through the many hindrances that structure the process of making personal data requests.

We both look forward to seeing how the ‘About Me’ tool resolves these issues. However, even if it does eliminate such obstructions, there’s still a danger in assuming privacy is our responsibility alone. Putting the burden of responsibility onto the individual obscures the fact that our submission to data collection systems is now a compulsory part of functioning in the modern world. As government services, online banking and everyday communications increasingly move online, ‘opting out’ is not an option. And the more data we submit, the more valuable a client we become.

Accessing data is one thing; understanding how it’s used and valued is another. As another student put it, ‘We know our rights. But that’s only the first part of the equation.’ The personal responsibility argument ignores the second part: how our data is used. The fact is, personal data is a valuable currency for the organisations that collect it; this is why it’s often used or sold for profit-generating purposes. Our data – and thus our privacy – is commodified by the organisations putting it to use in ways that are not made transparent, yet it remains our responsibility to control. As Sam observed after traversing the city of Wellington to find out what data Westpac collects on him:

Rather than paying full price for a coffee at Mojo or the services of Westpac I am subsidising the cost through paying in the transfer of my privacy…[P]rivacy is traded like cash but is not treated in the same way…If privacy is replacing cash in society, then I should have avenues to find where my privacy has been spent.

What needs to change is the way we value privacy. Re-conceptualising privacy as a public or social good (as opposed to a private good) reframes the debate as a right to which we’re all equally entitled above and beyond the rights of the institutions collecting it. Certainly that’s what the Privacy Act intends to protect, but in practice there are myriad loopholes designed to protect ‘commercially sensitive’ data that includes vital info about how we’re marketed to and the services we’re offered or denied. The reality is, the data a company collects is a much different issue from how that data is used. The latter – data use – remains generally inaccessible. Yet it’s also the dataset that has the most likely implications for privacy and our everyday lives.

My intention in raising these observations and critiques here isn’t to criticise the OPC or any of its Privacy Week initiatives. Quite the contrary, I commend their dedication to raising awareness around privacy and data rights. Such programmes are sorely needed in a society based on the constant circulation and capture of personal data. And perhaps the OPC’s already anticipated these issues and built the solutions into the app. I hope so. But if not, there’s still time to build ‘About Us 2.0’ – the app that frames data privacy as a social good, demands full transparency and holds organisations to account. It’s an app that doesn’t just say what data’s collected, but how that data’s used. Most importantly, ‘About Us 2.0’ shifts the burden of responsibility for data management onto the institutions benefitting most from the data we now have but little choice to submit.
