Pages

Thursday, 25 September 2008

Stupid Aid: misuse of "security", "data protection", "health & safety"






In a separate post I had a moan about security questions asked by banks and the like being too easy for bad guys to answer, and identification requirements not making much sense.

But, many of us have also experienced the opposite syndrome.

Unnecessary security questions

Most of us have had to deal with organisations whose security policies (or their implementation) result in unnecessary security measures, insisted upon by jobsworth staff in certain businesses, who seem to delight in forcing time-poor customers to recite their name rank & serial number (& even more) before they'll deign to answer any questions about the company's products, services or terms.

Yes, even when the question is clearly very general and could be answered (by someone who knows what they're doing, at least) without any access to a customer's account or personal details - e.g. what are their current interest rates?

Then the jobsworth acts like they're the injured party if you try to point out that it's unnecessary to go through all that before they can deign to answer your particular question. (They'll insist it's "data protection" or "standard procedures", usually.)

UPDATE: of course, how could I forget, a friend just reminded me - once you've managed to get through one raft of security questions before they'll condescend to put you through to the right department, you guessed it: the next department then makes you go through all the same questions, all over again. And so on for the next department. Why on earth can't they just have one security check per call or contact? It's the same with credit card enquiries where you have to enter your long credit card number, date of birth etc on the telephone keypad first before they'll even add you to the queue of calls waiting to be answered. And when you finally get to speak to a real human being, they make you give exactly the same details all over again (including your credit card number and birthday that you'd already input before). Stupid, and exasperating.

Data protection

A related problem is when jobsworth call centre employees refuse to give out information about a customer to any third party, not even the parent of a child, or the close relative of a sick elderly person, "because of data protection". A friend has to deal with matters on behalf of a seriously ill family member who isn't physically capable of it, and the hoops that some people try to make my friend jump through are unbelievable.

A silly but true recent incident, which got some media publicity and was cited by the UK Information Commissioner's Office as an example of misunderstanding data protection, was when Marks & Spencer's staff refused to talk to a mother about a missing belt on her 7 year old son's Superman outfit "because of data protection" - forcing her to get him to come to the phone to give his mum permission to talk on his behalf!

As the ICO pointed out (my emphasis): "Whilst it right for organisation to be careful before releasing personal information, this case demonstrates an absence of common sense. In the circumstances it was obvious that the seven year old child would not have ordered the Superman suit himself. Marks & Spencer were not being asked to release any personal information: they were simply being told that a belt was missing from the order."

The ICO also pointed out some other examples of data protection rules misuse when urging organisations (my emphasis) "not to hide behind the Data Protection Act unnecessarily when dealing with individuals" - what the ICO calls "data protection duck outs" like "parents not being allowed to take photos of their child at a nativity play; teachers unable to promote the successes of pupils in the local media and priests prevented from praying for an ill person by name during mass", insurance companies refusing to send out a claim form if requested by someone other than the policy holder, and exam boards refusing to give a child's exams results to the parent (or indeed the child herself - only to the teacher, who'd entered the child for the exam!)

The ICO "data protection duck-out" note is worth a read as it points out some other data protection myths - it seems to be an update of an earlier ICO note on data protection myths and realities, also worth a look as it gives some other examples not in the later note (though unfortunately it's undated).

Now usually the stupid data protection duckout is probably not as bad as security questions which are too easy for bad guys to find out the answers to, as most of the time it's more annoying, irritating and time-wasting for consumers than outright dangerous.

However, there have been cases where it has had dire real life consequences. In 2003, 2 pensioners, George and Gertrude Bates, who had funds but were forgetful, died after British Gas cut off their gas for non-payment - and didn't tell social services about the disconnection because they thought the Data Protection Act didn't allow it. The ICO myths and realities note also noted complaints that "a gas or electricity company will not tell them whether their elderly relative or neighbour is in arrears and in danger of being cut off" using data protection as the excuse.

Another example (see e.g. Out-Law article) which is also well known - in 2004, Humberside police blamed the Data Protection Act for their failure to record information about 9 prior allegations against Ian Huntley, school caretaker and convicted murderer of schoolgirls Holly Wells and Jessica Chapman, who may not have been given that job if that information had been known.

The ICO have at least since produced a "Data Protection Good Practice Note: Providing Personal Account Information to A Third Party" which gives some examples of good and bad practice in this context, as part of a drive to produce more practical and user friendly guidance etc, but in my view a lot of it is just down to using common sense.

"Data protection" has also been used as an excuse by some public bodies hide information about their position or actions from the public. The European Ombudsman has expressed concern that European data protection rules were "being diverted from their proper purpose of helping to ensure respect for the individual right to privacy.. Instead, they are being used to undermine the principle of openness in public activities."

While that letter was written in 2002, it still holds true today: "data protection" should not be used to prevent the public from finding out information to which they are entitled. (In that context, the relationship between data protection and freedom of information is not an easy one, and in the UK the tension between them was considered in July 2008 by the House of Lords in Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland) [2008] UKHL 47. I've not read it yet but it seems that it isn't necessarily much clearer how the balance between the two can be struck.)

National security

Another type of unnecessary restriction "for national security" relates to "security" guards and the like preventing people from taking photos in perfectly public places, notably transport hubs - train stations, bus stations etc. Recently I witnessed London Transport staff stopping a tourist in Liverpool Street Station from taking a photo of their companion outside the Tube barriers! (And see this Guardian comment on the difficulties faced by a white female photographer openly trying to take publicity photos of a (non-white) man in central London.)

That's really stupid. The smart way for a real terrorist to take pictures of intended targets would be to use a small concealed camera, hidden "spy cameras" are easy and not expensive to buy, ,and so tiny these days that no one would notice. And I've no doubt a lot of terrorists are smart. If someone is openly snapping pics, why on earth assume they must have some evil purpose in mind? And how would fuzzy pics of a Tube barrier help a bad guy, honestly?

(Digressing further, I also think it's stupid that because of the UK Criminal Justice & Immigration Act 2008 section 63 you can now be a criminal for just possessing "extreme pornographic images" of things which, if you did them, would be perfectly legal to do, even if others might think they were grossly offensive, obscene or disgusting. How can merely having a photo of something be worse than actually doing it? Though I'm not advocating evening it up by criminalising "obscene" acts! On the contrary, I think what adults do in private with informed consent is their business. Possibly, even if it's potentially life-threatening - look at dangerous "manly sports", they're perfectly legal aren't they? Double standards still rule.)

Does technology or modern life make you stupid?

Now on to stupidity and technology / the complexities of modern life and living.

The ICO had thought it appropriate to mention the DP duckout at the start of "Stupid Aid Week" (1-5 September in 2008), whose slogan is "Make Stupidity History".

Stupid Aid Week was started in 2007 by public relations consultant Andy Green after he "asked [in a restaurant] for a slice of lemon in my water and was told I couldn't have one because it would involve using a knife and that would mean carrying out a risk assessment... Stupidity is not about low intelligence, it's about inflexible thinking without asking questions... Whether it's being told 'the computer says 'No', facing an unhelpful call centre hiding behind 'data protection', or just inflexible 'jobsworths'. I'm trying to get people to stand up for themselves more and not be fobbed off."

Other examples he's given: a car running into another car because "the sat nav didn't show the T-junction"; and not being able to make a doctor's appointment more than 2 weeks in advance because the computer only allowed scheduling for up to a fortnight. And top 6 excuses for stupid decisions or stupid thinking (including "it's health and safety"!)

As he puts it, is technology (to which I'd add complex "data protection" laws and the like) getting in the way of common sense?

While his "Flexible Thinking Forum" is billed as a "not for profit social enterprise enabling businesses and organizations improve their people’s creative thinking skills", it doesn't seem to involve more than 1 person; there's not been much mass takeup of his Stupid Aid campaign (e.g. as I write no one has suggested even one example of stupid thinking on his submission page yet) but it's certainly an excellent way for him to promote his consultancy practice and his new book Overcoming Stupidity in the World Around You: The Stupid Aid Survival Guide, which is described as aiming to provide "practical tools, tips, ideas and inspiration of what to do when you are faced with examples of bureaucracy gone mad, daft decisions, or inflexible ‘jobsworths’". (No, I haven't got a copy.)

It's very clever indeed of Andy Green to get free publicity not just from the ICO but also from the AA and from the Institution of Occupational Safety and Health for his Stupid Aid Tour 2008 and book launch, but then he's a PR expert! (Though what's less clever is that he hasn't directly linked from the book's page to where to buy the book, and the press release for the book launch is only available in full in DOC format.)

By the way, I like the AA stupidity examples like councils wasting employee time and money painting double yellow lines in spaces so small that only toy cars could park there. And the IOSH is sponsoring, for a second time, the World Conker Championships on 12 October 2008 at Ashton, near Oundle, Northants to make the point about "health & safety" stupidity.

But is it really technology that's making people "stupid"? I don't think technology as such can be blamed. While it does seem that lots of computer use (as opposed to reading) can affect brain, personality and identity, in this context personally I wonder if the seemingly increasing abrogation of responsibility and refusal to think beyond rigid literal rules are partly due to information overload - there's too much you need to know about these days, it's too difficult to understand most of it, so the path of least resistance is just to stick your head in the sand, stick to reciting the rulebook, and not have to think about anything.

If modern society is to achieve a sensible balance between security and freedom / convenience, a lot more people will need to start putting on their thinking hats and taking their common sense pills!

No comments: