
The US-based Centre for Democracy and
Technology (CDT) has published a
compendium of prevailing legislation in the
US, UK and Europe on "sensitive" personal information, how it is
collected, stored and used.
The organisation aims to help people address the growing
interest in privacy issues prompted by data breaches in the US, UK
and elsewhere in the past year.
In the UK, breaches were led by the reported loss by HM Revenue
and Customs of the personal and banking details of 25 million child
benefit recipients in November 2007.
More recently, the
Information Commissioner's Office took evidence from Phorm, a
company that has developed software to track users' movements on
the internet. Phorm has sold this software to BT, Virgin Media and
Talk Talk so they can serve advertisements to users based on their
interests as revealed by their internet searches, website visits
and e-mails.
And on the eve of opening Heathrow Airport's new Terminal 5,
BAA stopped using a fingerprint-scanning system to identify
passengers because of fears over infringement of privacy.
The House of Lords, in two separate reports, expressed its
disquiet over the status quo of privacy legislation and practice.
In May it
objected strongly to the proposed sharing of personal data of
criminal suspects in circumstances set out under the Prum
Treaty, and in August it described
the internet as "the Wild West" as regards protection of
personal data.
The UK government is currently negotiating with other European
countries to share personal data on criminal suspects. This is
despite the European Data Protection Supervisor expressing
serious doubts over the adequacy of protection for such data,
especially once it has been shared.
In November 2007, the US Federal Trade Commission held a "town
hall meeting" to discuss behavioural targeting of internet users,
and in December it published a
set of
recommendations for self-regulation by marketers. In May it
will hold another meeting, this time to discuss targeting based on
mobile phone use.
CDT's analysis divides legislation into three groups: one covers
companies that collect, store and use data; another covers what
information may be considered "sensitive" in relation to an
individual; the third covers the protection of data flows between
individuals and/or organisations.