Regular readers may be aware that my organisation, CILIP, has recently announced a UK-wide inquiry into the role of Information Professionals in protecting and promoting user privacy in an increasingly connected world. As part of this, I have been giving some thought to how best to define a functional model of the dynamics at play. This post is my attempt to develop this model.
The model itself is pretty simple – it looks at the dynamics between 3 agents:
- The State
At the heart of the model is the question of what rights and responsibilities each of these agents has in respect of one another. It presumes that there is a hierarchy which puts the citizen at the top (since they are assumed to ‘own’ their personal data) and companies and the State in a subordinate position. It also presumes the agents are ‘rational’ and that they can be either ‘good’, ‘bad’ or a combination thereof.
The model therefore looks like this:
The idea is essentially that an informed and empowered citizen ought to be in control of their privacy, which in practice means that they are informed about and have the unmitigated ability to control the collection, storage, sharing and reuse of their personal data.
In turn, the State ought to be accountable to the private individual, only collecting, storing, using and sharing personal data to the extent that is absolutely necessary and proportionate to the delivery of public services and related transactions between the State and the individual.
Similarly, private enterprises ought only to collect, store, use and share personal data to the extent that is necessary and proportionate to the fulfilment of transactions and the provision of services to the user. This usage of data ought to be transparent and accountable to the user, who should similarly be empowered to control the relationship (up to and including withdrawing from it, and with it, their data).
Ideally, the behaviour of private enterprise ought to self-regulate through corporate ethics. In practice, the State needs to regulate the behaviour of private enterprise to mitigate the abuse of user privacy.
Much as the State needs to operate as a control mechanism on private enterprise to avoid abuse of personal data, citizens and companies need to exercise their democratic franchise and influence to ensure that the State remains accountable for its use of user data (and associated policies on surveillance and intervention).
The role of the information professional
The role of the Information Professional is to provide an ethical framework and practical solutions to ensure that the actual operation of these dynamics is transparent and accountable and that citizens are appropriately informed and empowered (i.e. ‘information literate’).
The role of the Information Professional in the model is proposed below:
Under this model, the Information Professional has three specific roles:
- To support the citizen in becoming ‘information literate’ – informed about their rights and responsibilities with respect to data and information and empowered with behaviours and tools to enact these rights and responsibilities in their transactions with each other, with the State and with private enterprise;
- To support the State in designing systems and processes which enable the empowered citizen to control access to and use of their personal information and in implementing legislation, regulation and policy which protects these rights of control;
- To support companies in designing systems and processes which enable the empowered citizen to control access to and use of their personal information and in implementing policies which protect these rights of control.
Essentially, then, Information Professionals are needed to ensure that each agent is able to behave in a way that is compatible with the overall ambition to protect user data transparently and accountably.
Public libraries as a specific use case
Due to their role as trusted civic institutions attached to the state but responsible for empowering the individual citizen to manage their own privacy (under the Ethical Principles of librarianship), public libraries occupy a unique space (and have a unique dual accountability) in this model.
A revised version of the model which incorporates the role of the Public Library as a civic institution would be:
In this revised view, the citizen uses the services of the Public Library, which involves the transaction of some user data. On the basis of professional ethics, the library is accountable not only to ensure that they respect the privacy of the user, but also that they educate the user about their privacy and equip them with tools to manage it.
Also on this basis, despite the fact that the public library is part of the state infrastructure, its chief accountability is to the privacy of the user. This raises an interesting dynamic in relation to, for example, the Prevent strategy, government surveillance and the normal operation of state security infrastructure.
Problems with the model
The chief issue with the model is that each of the agents (citizens, Information Professionals, companies and the State) can be either ‘good’ or ‘bad’ or a combination thereof. For example, ‘bad’ behaviours may include:
- A citizen may seek to defraud the State
- A company may fail to comply with regulation in the pursuit of profit
- The State may seek to extend its powers of surveillance and access to personal data
- Information Professionals may fail to behave in accordance with their ethics (or may be prevented from doing so by the policy of their employer institution)
Not only this, but it is by no means universally accepted that the interests of the State or private enterprise ought to be subordinate to the rights of the individual citizen. There are those, for example, who would argue strongly for the expansion of State intervention into personal data on the basis of national security. Equally, there are those in the private sector who would argue (and have argued) that ‘privacy is for guilty people’.
In addition to the model itself, then, there is a need to decide ‘who watches the watchmen’: what are the practical and regulatory checks and balances by which these dynamics will be kept in balance, and what sanction is available if each of the agents over-steps the scope of their mandate?
The answer to this question may suggest a more fundamental role for Information Professionals not simply as facilitators of privacy but as its guardians. If this is to be the case, work will need to be done to establish by what mandate Information Professionals could act to mitigate incursions into the privacy of individual citizens.
Problems with ‘Privacy activism’
A further issue with this model is that the observer may presume motives on behalf of the citizen, companies or the State, which means that their perception of the dynamics of user privacy is inherently biased in favour of one or more of the agents.
For example, there are those who presume that the natural instinct of the State is totalitarian – that it will always seek ever-greater powers of surveillance over the individual citizen. Similarly, there are those who presume that the natural instinct of private enterprise is profit, irrespective of ethical or regulatory considerations, and that this unfettered profit motive will drive businesses increasingly to seek to commoditise user data and limit the regulatory basis of user privacy.
In general, the responsibility of the reflective and ethical Information Professional ought to be to maintain the dynamic between citizen, state and private enterprise so that it is transparent and accountable. We ought not to presume that the motives of any agent are inherently ‘bad’.
However, this does raise the question of what duty of opposition and resistance the Information Professional has under circumstances where there is clear evidence of State or private-sector incursion into the rights of the citizen – particularly where the Information Professional is working in a State-funded organisation such as a Public Library. Under these circumstances, ought the Information Professional to abide by their personal and professional ethics, or by those of their employer?