Friday 9 July 2010

When will they say “Oui”? ... Je ne sais pas!


I’ve come up with a stunning way to delay worthy projects which huge corporations want to embark on – and all in the cause of Data Protection. Oh, to be given the opportunity to work for some of the EU regulators. But I’m not an EU regulator and I am very happy where I am just right now, thank you.

What on earth do I mean?

Well, I was lucky enough to attend a presentation earlier this week given by the Chief Privacy Official of the Graduate Management Admission Council. That’s the American educational testing organisation, which delivers the majority of its on-line tests to people who live in one of 111 countries outside the USA. Given the doors that are opened to a student with good GMAC scores, how does the Council ensure the integrity of its applicant process, to deter people from hiring others to take the exams for them?

To cut a (very) long story short, the answer seemed to lie in inviting candidates to undergo a biometric test to indicate whether the candidate was also known to the GMAC under a different name. And, most importantly, the answer lay in developing a test which could not be used by others for other purposes. For example, if a fingerprint was taken, it was possible that the print might later be matched against other fingerprint records for, say, law enforcement purposes. Woops. Big “no no” from the privacy wonks.

But could a no-trace, no-touch test be created which gave both applicants and examiners a sufficient degree of confidence that it would only be used for GMAC authentication? Yes it could. It’s all to do with photographing hands. I won’t give anything away in case the really keen ones start to cheat by turning up with spare hands.

Ok. So if a data controller has the technology, and a valid reason to carry out the biometric testing, how long might it take the regulators to approve the concept?

If I were you, I might think carefully about rolling the concept out in every EU state simultaneously.

The GMAC took about 6 months to carefully prepare their case before formally seeking the blessing of the French Data Protection Authorities. The CNIL had to approve the application as it involved the processing of biometric data and some of the personal information was going to be transferred out of the European Union (to America - evidently a pariah state, in the minds of some people). The CNIL received the request in October 2008 and authorised it in June 2009.

That’s right. To take a photograph of a handprint from a (consenting) applicant, simply to see if its characteristics were different to those of all the other (consenting) applicants, GMAC undertook a process that lasted 14 months.

I’m not sure if I should laugh aloud or cry with exasperation.

But 14 months does seem an awfully long time to wait for the much longed for “Oui”.

I wonder if the wait for the results of the French regulators might have been significantly shorter if the GMAC had first chosen to persuade other EU Member States to introduce the test in their countries, to demonstrate that even though the concept looked a bit challenging in theory, it actually worked really well in practice.