During the 1990's it was recognised that cross-border trade required free movement of information and this was vital to create a strong EU. This led to the EU directives on privacy which were intended to enable free interchange of personal information around Europe while protecting the privacy of individuals. There are two principal EU directives which cover privacy: 95/46/EC on personal data processing, and 2002/58/EC on privacy of electronic communications. While these directives provide a common approach, laws vary in detail from country to country.
What is the Problem?
Firstly - it is difficult to understand how obtaining the information described above can be explained as being in the public interest. Secondly, the fact that reporters and investigators were able to get hold of some of the information raises the question of how well the information was being cared for. So the problem is one of information governance.
When an organisation in the UK obtains personal information about individuals, it should do this with the consent of the individual and for a clearly defined purpose. If the information is held on a computer it should register the fact with the Information Commissioner. It should allow individuals to have copies of the information that it holds on them and it should correct errors. It should use appropriate techniques and technology to secure the information from misuse.
If an organisation obtains or holds information about individuals but does not know that this is happening - there is a clear failure of information governance. Equally if an organisation holds information about individuals and discloses this information to unauthorised people, then that is also a failure of information governance.
Now it may be argued that the news media are a special case; and there is some merit in this argument. If the objective of an organisation is to penetrate criminal gangs and corrupt enterprises in order to reveal the wrongdoing - it can hardly be expected to act like a retail marketing organisation. However, we will have to await the results of the new police investigation to find out whether or not the law has been broken.
The ease with which it was able to obtain some of the information raises the question of how well this information was being managed by the individuals and organisations holding it. It is alleged that that mobile phones did not have voicemail security codes set, and that reporters were able to "blag" information by calling organisations holding information and pretending to have a legitimate right to the information. (Even though this may be difficult to believe by anyone who has attempted to negotiate the questions posed by call centres in the name of data protection).
Sign up for CIO Asia eNewsletters.