Charles D. Raab

Theorising the governance of education

Abstract The aim of this article is to move towards the comprehension of education policy processes and change in terms of an expanded sociology of education policy that studies policy networks and employs new perspectives on governance. It comments upon a perceptible conceptual convergence between education policy research and more general policy studies.

Understanding Policy Networks: A Comment on Marsh and Smith

In their article, Marsh and Smith (2000) aim to reformulate the analysis of policy networks by way of a new approach to understanding the relationship between structure and agency. They outline four main approaches to the study of policy networks, and claim that all of them privilege either structure or agency. They say that the ‘anthropological’ approach used by McPherson and Raab (1988) in a book on policy-making in Scottish education ‘sees networks as based on personal relationships between known and trusted individuals who share beliefs and a common culture’ (p. 5). Marsh and Smith acknowledge that this approach is ‘right to stress the role of agents’ (p. 5), but argue that a model is needed which recognizes the role of structures as well. What they call their ‘dialectical’1 approach purports to offer this, and therefore to give agency parity of status in explanations of policy networks and of the policies with which networks are involved.

Privacy principles, risks and harms

The protection of privacy is predicated on the individuals right to privacy and stipulates a number of principles that are primarily focused on information privacy or data protection and, as such, are insufficient to apply to other types of privacy and to the protection of other entities beyond the individual. This article identifies additional privacy principles that would apply to other types of privacy and would enhance the consideration of risks or harms to the individual, to groups and to society as a whole if they are violated. They also relate to the way privacy impact assessment (PIA) may be conducted. There are important reasons for generating consideration of and debate about these principles. First, they help to recalibrate a focus in Europe on data protection to the relative neglect of other types of privacy. Second, it is of critical importance at a time when PIA (renamed ‘data protection impact assessment’, or DPIA) may become mandatory under the European Commissions proposed Data Protection Regulation. Such assessment is an important instrument for identifying and mitigating privacy risks, but should address all types of privacy. Third, one can construct an indicative table identifying harms or risks to these additional privacy principles, which can serve as an important tool or instrument for a broader PIA to address other types of privacy.

Surveillance: Extending the Limits of Privacy Impact Assessment

Privacy impact assessment (PIA) can be used to investigate the impact upon privacy that surveillance, using new information and communications technologies (ICTs) or information systems, might have before these applications are fully developed and implemented. PIA requires that an organisation subject its plans to more or less rigorous screening through the lens of privacy or data protection, to identify weaknesses in the innovation’s compliance with relevant laws or principles, and to indicate how these might be eliminated. Myriad stakeholders potentially affected by the innovation may also be involved in this investigation. In an extreme situation, a project could be abandoned if its PIA indicated irremediable shortcomings.

The Meaning of ‘Accountability’ in the Information Privacy Context

There have been many innovations in the policy world of information privacy and data protection during the past 40 years. These range from the adoption of principles and guidelines, laws and directives, codes of practice, privacy-enhancing technologies, ‘privacy by design’, binding corporate rules, standard contractual clauses, and perhaps other devices. Some innovations are of long duration, universal, respected, and implemented with varying success, while others are adopted by few and scorned by many, perhaps ultimately to be remembered only as fleeting presences on the fashion catwalks of regulatory history. We can only use informed guesswork about whether privacy is better protected through these measures, because such judgements are not easily amenable to quantification. However, gains can be identified in terms of a growth of awareness, specific regulatory or judicial rulings, and instances of success in limiting or preventing the use of information processing and surveillance technologies and systems that would otherwise have enjoyed free rein with our personal information. Meanwhile, academic discourse develops arguments about the relationship between law and technology, about the role of software ‘code’ in embedding rules in information systems, and about how individual property solutions can be brought to bear upon the situation.

Privacy, Surveillance, Trust and Regulation

The paper presented in this issue as part of the series on Privacy, Surveillance, Trust and Regulation is both disheartening and challenging as far as the protection of privacy online is concerned. Ana Viseu, Andrew Clement and Jane Aspinall’s Canadian respondents in their ‘Everyday Internet’ project case-study are passive or resigned in the face of what privacy advocates would argue are serious invasions of privacy. These members of the public are often annoyed by the argument that they should be concerned with ‘privacy’ as defined by those who are actively involved in high-level policy debates. The authors acknowledge that a case study of a few individuals cannot be decisive in gauging public attitudes, but there is ample survey evidence in many countries that shows that there are a great number of people who share the views of these Canadians. Viseu and her colleagues, however, point up the extent to which people simply do not know enough about what happens to their personal data, so their complacency is not surprising when they consider the benefits they feel they gain through online transactions, and when they believe that they can adopt coping strategies to minimize whatever privacy dangers they think there might be. Such ignorance may not be bliss, but for those who are understandably bemused by the abstract concept of ‘privacy’ and simply want to negotiate their way in ‘cyberspace’, it seems to suffice. If this is the situation for a large proportion of the population, it poses several challenges. For researchers, it opens a new page in the research agenda, for too little is known about the sources of these attitudes and how they vary across populations and categories of persons. The authors structure their argument around three overlapping ‘moments’ in the online experience: sitting in front of the computer in private or public spaces, and the difference that makes to one’s trust; the process of giving personal information online, and the knowledge and attitudes that are brought to bear upon one’s decisions and strategies for disclosure; and the aftermath of the disclosure, in terms of the legal other policy instruments that are in play to protect privacy, and the rights and responsibilities that are the main subject of privacy discourse amongst

Networks for Regulation: Privacy Commissioners in a Changing World

Abstract This article discusses the attempt to develop global data protection regulatory activity through the network of privacy commissioners and their agencies at the highest international levels. It describes the trajectory of forming a common outlook, identity, and infrastructure for regulatory enforcement amongst data protection authorities (DPAs) in recent years, and considers the value of analytic approaches to carry research forward.

Right engineering? The redesign of privacy and personal data protection

ABSTRACT The idea of building safeguards for privacy and other fundamental rights and freedoms into ICT systems has recently been introduced in EU legislation as ‘Data Protection by Design’. This article studies the techno-epistemic network emerging around this idea historically and empirically. We present the findings of an ‘extended peer consultation’ with representatives of the emerging network: policy-makers, regulators, entrepreneurs and ICT developers, but also with jurists and publics that seem instead to remain outside its scope. Standardization exercises here emerge as crucial hybrid sites where the contributions and expectations of different actors are aligned to scale up privacy design beyond single technologies and organizations and to build highly interconnected ICT infrastructures. Through the notion of ‘privacy by network’, we study how the concept of privacy hereby becomes re-constituted as ‘normative transversal’, which both works as a stabilizing promise for responsible smart innovation, but simultaneously catalyzes the metamorphosis of the notion of privacy as elaborated in legal settings. The article identifies tensions and limits within these design-based approaches, which can in turn offer opportunities for learning lessons to increase the quality of privacy articulations.

The Governance of Global Issues: Protecting Privacy in Personal Information

The protection of personal information — privacy protection or data protection — has emerged as a major political and social issue in an era of rapid change in business practices, in the conduct of public sector functions, and in information and communication technologies (ICTs). The volume and flow of personal data for use in the processes of business and government takes place within, and increasingly across, territorial borders in ways that pose severe challenges for regulatory policy and practice. Whilst the protection of privacy for personal information is a global issue, there is no universal framework of institutions for regulating the collection, use, storage and communication of personal information, and processes associated with these activities. However, a set of principles is shared by jurisdictions that have developed policies and laws for protecting information privacy, and has gained acceptance within the private sector as well.

Social and Political Dimensions of Identity

This paper points up a number of issues concerning the topic of identity, to stimulate further debate and discussion without, however, solving any of the intellectual and practical problems that are inherent in this subject. It dwells on some conceptual matters and also describes some current policy and legal developments that have important implications for the way in which we understand identity and identification, as well as privacy and other matters that are closely related to these.