The principles of information and data privacy are well established and have appeared for many years to be straightforward and simple. However the growth of online social media is making this issue more and more difficult to regulate according to these principles. One of the main areas for concern is the publication of digital photographs. We shall therefore re-examine a long-established SABSA attribute – private.
The principles in the European region focus on the concept of the data subject – the person to whom the information refers. Typical examples are medical records – kept by hospitals and doctors for legitimate purposes but not to be disclosed to third parties without the explicit permission of the data subject. However, the rules apply to any organization that keeps names and addresses and other personal data. The range of applicability is very wide indeed, to the extent that all organisations have data subjects and must comply with the national laws that implement the EU directive.
Individual data subjects may themselves divulge any or all of this information if they so choose, and with the surge in social networking on the web it has become popular and fashionable to share personal information that previous generations would have considered very private. Young people don’t just wear their heart on their sleeve, as the saying goes, but they wear their life on their Facebook page and their Twitter account.
So, a family goes on holiday to some tourist destination and they all carry a full arsenal of photographic devices – smart phones, tablets and digital cameras. Digital photos cost nothing so they take hundreds and hundreds of them. As they pose for selfies or group photos they capture a certain amount of the environment around them, including other people unknown to them. Some of these people might possibly be famous celebrities, politicians or similar – people with a desire to segregate their public and private lives.
When the family returns home, or even while they are still travelling, they post selected pictures on Facebook or Tweet them from their Twitter account. They publish these photos for the entire world to see. So if a celebrity or similar person is shown in the picture, it is possibly embarrassing for that person if they would prefer not to be seen at that place on that day and time, or even worse, in the company of another person that suggests a private relationship not to be made public. The consequences might be serious for their private or public lives, depending on the context.
This begs several questions: Who is the data subject? Who is the data owner? Who has primacy over the data? Are there any data stewards involved and what are their responsibilities? Generally speaking it is an accepted principle that where the data concerns a living person that person is the data owner and has primacy over the protection or publication of that data. But in this use case it is not clear whether or not accidental strangers can be considered as data subjects in the photographs. If the photograph was shot in the public place this might be a case for declaring the data to be already in the public domain, but has that been tested in any court of law? If the ‘accidental subject’ complains to Facebook or Twitter, what policy should the management of those web sites adopt, since they could be considered to be ‘data stewards’ with responsibility for protecting the data according privacy principles?
It’s a new emerging area of the digital age and of social networking. It is something about which we information risk and security experts need to get our thinking straight to be able to advise our masters and clients as to what policies they should adopt. As with all SABSA Attributes, it’s about asking the right questions to prompt the right discussions amongst the stakeholders as to which risks are acceptable and which are not.