A recent BBC News article highlighted a US judges decision to allow data gathered from a defendants pacemaker to be admissible in court (You can read the article here). The data in question was used by an expert witness to cast doubt on the defendants explanation as to the events surrounding the case in hand. The issue here is the gathering of data for one purpose, to measure the defendants vital conditions in order to aid medical treatment and diagnosis, versus the eventual use of the data to prove what he was doing during a specific period in time in relation to criminal prosecution. Surely data gathered from a device in my body would consistent “my data” and therefore be for me to decide or approve its use.
This incident seems to go against the basic rules of the data protection act and also the upcoming general data protection regulations due to come into effect in May 2018 in that the eventual usage of data did not relate to its original purpose. The required permission for storage and usage of the data would have been limited to this purpose. Now there are exceptions for law enforcement in relation to protecting society which may have come into play, plus the incident happened in the US and I don’t have any experience as the equivalent of the data protection act in the US however I would assume the similarities likely far outweigh the differences.
This case seems to suggest that it may be possible for data gathered to be used for purposes other than that for which it is intended or for which permission was obtained. All that is required is some justification of need. This seems vague and particularly concerning.
So what about the Amazon echo sitting in the front room recording every comment, discussion and noise occurring in my house? What about the camera in a Smart TV equipped with gesture control or the Kinetic device attached to my sons Xbox One? What about the engine management unit or GPS unit in my car, the data my smart watch gathers or info from my FitBit or other fitness tracking device? We may be happy about these devices gathering data for their intended purposes but what about the purposes to which the data could be used, where we as yet can predict this? I am sure the bloke with the pacemaker couldn’t have predicted he might be convicted based on data his pacemaker gathered. How might a hacker or someone else with malicious intent use the data which available?
As we work with students to build them into digitally or technologically literate individuals we need to discuss the above.
Are we happy with so much data being gathered, stored and processed on is by third parties? Do we truly understand how the data is or can be used?