Today is the 10th birthday of the Data Protection Act 1998. The question is whether we should be having a party - or perhaps a wake.
Sadly, for all its promise and its successes, the DPA's decade has also seen notable failures. From public organisations misusing it as a smokescreen - as appears to have happened in the Soham murder case, for instance - to bodies which still don't take seriously their responsibility to protect their customers' identities.
The result has been data not being shared when it ought to have been, and more often, data being shared or lost when it ought not to have been - as in the HMRC's lost CDs and sundry other reports of lost or stolen laptops and USB sticks.
To be fair, part of the problem is that the volume of data that needs protection has grown enormously over the last decade, as have the number of ways in which that data could be compromised. As one industry figure, Jamie Cowper of encryption specialist PGP, puts it:
"The world of electronic information has changed almost completely since the enactment of the DPA. The sheer proliferation of data within both public and private sector organisations in terms of stored records and transactions is mind-boggling. As a result, I'd be surprised if nearly all companies aren't in some way contravening the Act as it currently stands, whether they realise it or not."
Cowper's proposed solution is to give the DPA and the Information Commissioner - the civil servant charged with enforcing the DPA - sharper teeth. Customers have become distrustful of both big business and the government and need to regain that trust, he argues.
That last point is debateable - I'd argue that people now trust business more than they trust government. There's many reasons for that, ranging from the scale - when HMRC screws up it affects far more of us than when a single bank screws up - to the fact that private businesses must find ways to persuade us to share our data voluntarily, whereas the government lazily uses the law to compel us to obey.
But on the larger point, the perceived need for 'sharper teeth' could also be a sign that the DPA is not the right solution. Whenever anyone says the penalties for something aren't severe enough, it usually suggests that underlying issues are not being addressed - or that they're targeting the wrong problems.
One underlying issue is financial. The HMRC debacle appears to have stemmed in large part from the technical team being refused the resources they needed to do the data extracts requested of them, so to save money they simply sent - and lost - the whole dataset. Similarly, companies may not adopt encryption due to 'cost issues'.
The solution to that one is easy - when things go wrong, the accountants go to jail alongside the board directors responsible. There really is no excuse for refusing the financial resources needed to meet your DPA obligations.
But there's more. For a start, how much data does an organisation actually need to hold on an individual? How much could things be improved by adopting a federated identity model, such as the one espoused by the Liberty Alliance, for example?
The principle behind federated identity is simple - organisations hold only the data they need - and rather than actual personal information, that could simply be a pointer to a trusted third-party who can say "Yes, this person is who they say they are", or "Yes, they're over 18" - or whatever.
Trust is a challenge, of course, as is trying to persuade businesses that it's in their interest to co-operate with their rivals - at certain levels, anyhow. Trusted agents are a risk too, as security services know only too well.
These are all problems with potential solutions though, and they could yield a result far better than the legalistic mish-mash we have today.