In the U.K., the London mass transit card Oyster has opted for a similar, reasonable compromise. Records for individuals (or at least their Oyster cards) are kept for eight weeks, during which time the police can (and do) obtain access. After eight weeks, the individual records are anonymised and kept for transport planning and other statistical purposes. Can this privacy compromise be generalised?
If organisations are up front with people, then it can. But suppose the data is more personal than a subway journey or buying a pack of gum? Fingerprints, for example. Well, in the case of Disney theme parks, which use a fingerprint admission system, they tell people clearly that the fingerprint scan templates are kept independent of any other system and are purged 30 days after the customer’s ticket expires. Again, being up front with the compromise appears to satisfy the public (although I have to say from personal experience of trying to use a similar system at another theme park that the contactless wristband of the kind used for the O2 Wireless Festival works much better). So if people accept this kind of privacy compromise for a theme park, why are they nervous about providing fingerprints to governments? Perhaps it’s because of the inevitable function creep that accompanies government use. In the U.S., the IAFIS (fingerprint system) was designed to process 62,500 fingerprint matches daily. As a result of increased demand — especially for background checks mandated by civil laws covering employees in the financial, child-care and educational fields, among others — IAFIS’ busiest day called for the system to process about 114,000 checks, many of them clearly for purposes never intended when the system was commissioned.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public