Transport Systems Catapult CEO Paul Campion talks Data security, ownership, privacy and GDPR and how they effect data use in the transport sector.
A commentator on my recent blog post about the need for transport data sharing made an important observation. He commented: “So long as there are no bad actors attempting to misuse the data this would be perfect. Any thought about how to benefit from technology should consider how it could be abused, and how to safeguard against such abuse.” Well said, and a good challenge. So let me try to respond to that.
Simon Bradley’s excellent 2015 book “The Railways. Nation, Network and People” taught me many things, not least just how dangerous the railways were in their early years. The first and most famous casualty, the Liverpool MP Sir William Huskisson, who was killed in 1830 on the opening day of the Liverpool and Manchester Railway, is perhaps to be compared to the unfortunate pedestrian killed by an Uber autonomous car on trial recently; it is understandable, if not excusable, that new transport technologies may have unrecognised dangers on first introduction.
Thirty years later, the railways were still taking a heavy toll. Between 1860 and 1864 there were an average of 53 train crashes a year, growing to 145 by 1870-74 and in 1861. That represented 141 fatalities to passengers and bystanders (railway workers deaths not included.) The UK rail network over the last ten years, by contrast, has not suffered a single passenger fatality, despite a significantly greater number of journeys and passengers miles than 150 years ago.
What happened in that century and a half is that society came to better understand the risks of the new technology and, through the political process, caused the industry to seek ways to ameliorate those risks. The risks were managed in a variety of ways, not least engineering and the way that the technology was used and managed through processes, procedures, protocols and rules.
The widespread use of data about the consumers of goods and services is, very roughly speaking, about twenty years old (a simplification, of course, but the sort of collection and use of data that my commentator was concerned about can, I think, be associated with the use of the internet, whose widespread use is about two decades old). The techniques of data collection and use, their commercialisation and the abuses, deliberate, indirect and unintended of the use of that data are only now being to come to the notice of society as a whole (although warning voices have been heard for many years).
I am a technological optimist. I believe that the many, highly talented engineers working in the IT, communications and transport industries are perfectly capable of coming up with the technical tools and techniques to enable the safe and secure use of data – if the social, commercial and legal requirements request them so to do.
Who owns data?
Let us think, then, about what the constraints and safeguards might look like in a shared transport data future.
Firstly, a few words about words. Data can be tricky to think about because it behaves differently to a lot of the usual, physical stuff that we are comfortable thinking about in the transport world. Let me make a statement that might be too obvious to be helpful: if I own a car you do not. That is in the nature of physical things: if a car is on my drive it is not on yours. Of course, that is a simplification of the actual real-world situation because the car on my drive is quite likely to be leased which means that I have the beneficial ownership rights to the car even though the legal rights reside somewhere else. That is fine by me: I am happy that I get to drive the car around at my discretion) knowing that someone else had the right to sell the car after, say, three years. But, anyway, at least it is unequivocally on mydrive.
But what does it mean to say I ‘own’ data? When I sign up to the loyalty scheme of a chain of coffee shops I agree to tell them certain things about me – in return for payment. Specifically, I tell them my email and perhaps my birthday, and allow them to send me emails, and to collect data about when I visit their stores and what I buy there, in return for free coffee.
They pay for costs of collecting that data and for holding and processing it and they are doing so because that makes them more money. In other words, the coffee shop thinks they ‘own’ the data about me. But the data is about me, so why don’t I own it? Where data is concerned the word ‘own’ can be a false friend. There is a bundle or rights and obligations that can be distributed amongst a set of different people, and the data can be in multiple places at the same time. It is different from a car.
The Impact of GDPR
Society’s growing awareness and concerns about this new technology is causing the lawmakers to take action (thankfully more quickly than in the historical case of the railway). The EU’s GDPR legislation is a major step forward and is likely to be the de facto common denominator in the western world.
GDPR sets out some basic rights and obligations on the various players. In the example I just gave I have the right to enter into a contractual relationship with a third party (e.g. the coffee shop) to agree that they can collect data about me in return for payment. They have the obligation to tell me how they are going to use that data (and with whom they are going to share it), and to respond to my requests to correct or erase the data if I so choose.
This sounds simple and fair but is, in fact, a dramatically different situation to where we have been. GDPR will force some companies to radically re-engineer their businesses to be able to comply.
Now I am not saying that GDPR is the final word, or that GDPR magically makes the world of data safe. My commentator’s use of the phrase “bad actors” is a reminder that passing laws is one thing and enforcing them another. Speed limits on roads are a safety measure intended to limit the number of people killed and maimed on the roads (24,101 seriously injured or killed in 2016 in the UK makes the 1861 railway look very safe) but speed limits are regularly flouted and measures to enforce them (like safety cameras) are resented by many people.
Click here to read more
TSC Catapult are ongoing supporters of MCAV and longstanding partners of our working eco system. To find out how to be part of our working eco system, please contact Hayley at firstname.lastname@example.org for further information