JISC Access Management Team

One of the most impressive presentations at Educause2009 was given by Lawrence Lessig. Not surprising really, given his track record for being brilliant, but it really was a very refreshing view of the world we live in. Lessig of course played a critical role in the establishment of Creative Commons and still argues strongly and favourably for the ethos of Commons. The core points being:

• Copyright law was established in a world that was not impacted by the capabilities of the Internet. UK Copyright Law for example was established in 1710, and the latest version is the Copyright, Designs and Patents Act of 1988. That’s 21 years without any significant changes.
• Copyright law has a time and place to protect the rights of individuals. Lessig does not believe that educators and scientists should try and enforce copyright in the same way that performing artists do - it is inappropriate to our field.

It struck me immediately that there were many similarities between his arguments regarding Copyright Law, and the arguments being had in the FAM community at the moment around Data Protection. The Data Protection Act in the UK is somewhat newer that copyright laws, having been established in 1998. I don’t think that the basic concepts and key principles of data protection are wrong - you can read up on them on wikipedia if you are interested in a crash course. It is important that our personal information is protected. However, in a world where people will give away all their personal information to Facebook without a bat of an eyelid, is our current law - or the typical interpretation of our current law in some areas - forcing our institutions to offer a service to its users that can’t compete with the Web 2.0 world?

There are two things that worry me:

1. The definition of what personal data actually constitutes. It is often argued that an IP address - with no other data attached to it - is still personal data, or personally identifiable information (PII) to use the lingo. This seems bewildering and I wonder if a bunch of lawyers merely saw the name ‘address’ and decided it was the same as my postcode?
2. Issues around consent. The crux of the DPA is that if you want to pass PII, then you must have explicit consent from the end user. Again, it is argued that educational institutions cannot pass PII because they simply cannot prove that they have consent, or provide tools that will allow users to effectively remove consent. This is a real bind for organisations wanting to make good use of the personalisation possibilities of federated access. The commercial world operates very well with simple tick boxes at the end of forms - we seem to be making this much more difficult for educational institutions than we need to.

Lessig’s excellent presentation is available on the Educause website (it starts a good half hour in so fast forward!) and if you would like to know more about consent management please do come along to the session at #FAM09!