Thursday, 27 August 2015
Ashley Madison and the Data Protection Act
More than a few eyebrows were raised earlier this year when hackers revealed they had breached the Ashley Madison adult dating site and stolen personal data relating to tens of millions of subscribers. Things were made worse when that data was finally dumped online a couple of weeks ago. The data dump has already led to two possible suicides as well as plenty of PR trouble for celebrities, politicians, and business professionals. It has even led the Information Commissioner's Office to issue a warning to journalists.
Simon Rice, Group Manager for Technology at the Information Commissioner's Office (ICO), published a blog post on the agency's website on August 21 warning that simply claiming the journalism exemption of the 1998 Data Protection Act may not make accessing and publishing the Ashley Madison data dump lawful. The Information Commissioner's Office offers a detailed explanation of how and when the journalism exemption can be applied to personal data.
Rice says that in cases where the journalism exemption cannot be claimed, and that will be the case most of the time, accessing the information in the data dump becomes a violation of individual privacy and the Data Protection Act. Any publication of that data would be a further violation of the law. Rice encourages any journalist who believes the exemption applies to their activities to consult with the Information Commissioner's Office before accessing or publishing the data.
When the government implemented the Data Protection Act in 1998, the purpose was to bring the UK data protection laws in line with earlier European directives from 1995. The goal of lawmakers was to prevent the invasion of privacy through the investigation, analysis, or publication of personal data by parties with no legal or legitimate need for that information. The Data Protection Act applies across the board to individual data communications, website data mining, data centres and their day-to-day operations, and every other instance in which personal data is collected and stored.
The Information Commissioner's Office is currently working with Canadian officials to make sure the Data Protection Act is strictly adhered to in the UK in light of the Ashley Madison breach. They are determined that no illegal exhibition of data will go unanswered. Hopefully, they will be able to make good on this commitment.
On a broader scale, the Ashley Madison hack should be a wake-up call to consumers all across the UK and, for that matter, the world. Although some may disagree with the intent and content of the Ashley Madison website, the activities of both the site's owners and members are legal under Canadian law. A moral or philosophical disagreement with the content of the website is not sufficient reason for hackers to steal and publish personal information having to do with upwards of 37 million people.
This attack is less about Ashley Madison and more about the fact that we are all vulnerable to such malicious activity. If this can happen to Ashley Madison users, it can happen to each and every one of us.
1. Daily Mail – http://www.dailymail.co.uk/news/article-3208907/The-Ashley-Madison-suicide-Texas-police-chief-takes-life-just-days-email-leaked-cheating-website-hack.html
2. ICO – https://iconewsblog.wordpress.com/2015/08/21/personal-data-in-leaked-datasets-is-still-personal-data/