Wednesday, 28 January 2015

The 2015 Data Protection Day ditty

The ICO is always trying out new and innovative ways of celebrating Data Protection Day.

This year, the commemorations commenced with a short video from Commissioner Graham, deep in the nerve centre of the ICO’s news office, explaining that throughout the day his staff will be tweeting about many of the exciting initiatives that are underway within (and beyond) his office to improve our information rights.

I’ll be commemorating the day by attending a meeting of top data dudes at a discussion on profiling, organised by our chums at Live Nation in Central London, about which I’ll report later.

Meanwhile, all I have to offer, prompted by the Commissioner’s appearance this morning, is the following ditty:

Chris Graham’s at the presenter’s desk of ICO news
He’s explaining (in very general terms) just how not to abuse
The trust of individuals who have so much to lose
When, from servers, thanks to breaches, their personal info spews

His mighty team of advisers offer a helping hand
Dishing out compliance advice to folk across the land
Listening to complainants and getting them to understand
That despite a heavy workload, their staffing levels won’t expand

Meanwhile, if you listen, rumours spread about a new law
That the Europeans are drafting but of which many Brits guffaw
Is it a "Di-Regulation" along the lines that they foresaw
In which some of the Articles still contain a fatal flaw?

But on this great occasion, our differences fall away
Respect the privacy loonies, let no smirk display
On our faces as we raise our glass and, as one, pray
That we’ll still be in gainful employment come next Data Protection Day


Tuesday, 27 January 2015

Security: addressing the insider threat

A smattering of the usual suspects met under the auspices of the Information Assurance Advisory Council in Covent Garden today to consider the last great frontier – dealing with the human aspect of information security. Just how do companies impose workable constraints on the 'Mark 1' human being?

With great difficulty, came the considered reply.

When dealing with remote access to an organisation’s systems, the “new firewall” is identity management. The challenges of identity verification and privilege management are immense. What realistic controls can be placed on staff (and contractors) when the organisation is, at the same time, trying to give the impression that it trusts them?

For the public sector, additional challenges are presented given the aggressive pace of the hugely ambitious digital agenda programme, which simply increases vulnerability every day. This is compounded by a culture of zero tolerance for mistakes by ministers and those with a public accountability role. But this leads to decisions on how to react to data breaches being made in ways that detract from possibly more important issues. The public sector is creating vulnerabilities at an exponential rate because of the way it chooses to do business.

There was not a meeting of minds on the best way of addressing the “human factor”. The security professionals stress the need for managers to scrutinise the actions of their direct reports ever more closely. Often this is with scant regard for the legitimate privacy rights and aspirations of staff, who are human beings with human rights in their spare time, if not while at work.

There are some encouraging signs, though.

Government security clearances are being administered less frequently by teams of ex-policemen and former spooks, and more frequently by teams of ex-teachers and social workers. This new breed of clearance officer is likely to be more in tune with the people they will be clearing. And they will be more able to assess an applicant in terms of their ability to conform to the norms of today’s generation, rather than compliance with the culture of previous generations.

Technical controls are (oh so gradually) being implemented within organisations, meaning that security is being built into electronic systems, rather than being bolted on to them. Yes, there is a huge distance to travel to security nirvana, but we have to be realistic. Staff (usually) want to do their jobs efficiently, and to a high standard. They expect to be given appropriate tools to do the job, and increasingly resent having to rely on “work arounds” simply because the organisation is not capable of living up to the high standards it espouses in its security policies, etc. 

Today’s principal themes were the usual ones: of awareness, management & culture, and leadership.

But the key message was ominous: that staff expect to be loved, looked after, led and managed effectively.

Organisations that can’t manage to live up to these expectations deserve to fall victim to the insider threat. 


Monday, 26 January 2015

ICO slams Victims Services Alliance - with a feather

Voluntary organisations face particular challenges in their efforts to respect data protection laws. 

Often, a dedicated core of professional staff will work with teams of volunteers, many of whom may cease volunteering after a few months, realising that it’s just not for them. Other volunteers remain with the organisation for years – and can feel a far greater sense of affinity with its aims and objectives than do some of its staff. Many volunteers process considerable amounts of sensitive personal information about clients. But, information governance controls can be extremely hard to implement at the local level.

How can the professional staff within such organisations engage with these different types of volunteers and get them to follow good data handling practices?  With some difficulty, according to a recent ICO report.

A quick glance at the ICO’s website enables the casual reader to appreciate that a report has just been published about the data handling practices of a number of charities and voluntary groups that work with either victims of crime or people associated with victims of crime.

Evidently, “many organisations” are meeting the difficult challenges that are faced. However, there are still a number of areas where they could be doing “more to keep people’s information secure.” These are “important areas that need addressing.”

What then follows is a list of three areas of best practice and three priority areas where improvements are required. The areas of best practice are described in 61 words. The areas where improvements are required are described in 100 words.

So, no real cause for concern, then.

Or is there?

Because when the committed reader reads the actual report, a slightly different story emerges.

If all were well and good, I might expect the actual report to spend about twice as long referring to the areas for improvement than it does on the areas of good practice. That’s what I’ve been led to assume, after reading the blurb.

Alas, this is not the case.

The areas of good practice can be described on a single page.

But it takes 12 pages to set out the areas for improvement, which should be considered as a priority for all VSA organisations.  

The ICO is keen to spell out what is going wrong, but not in a manner that draws too much attention to the casual reader (i.e. the reader that doesn’t read the actual report).

I only hope its message – when expressed directly (and possibly privately) to the VSA organisations - is a lot clearer than the general statement on the website. The public message doesn’t draw sufficient attention to the serious issues that do need to be addressed.



Thursday, 22 January 2015

Ebola and privacy – when is it appropriate to track individuals?

Two articles have recently crossed my desk offering very different perspectives on tracking Ebola patients.

The first, from Hogan Lovells’ Daniel J Solove, referred to recent breaches involving US hospital employees snooping on Ebola patients’ files. Of significance was that the names of all of the patients were available almost immediately in the media. But why was it necessary or ethical for so many in the media to identify these patients? Responsible journalism this certainly ain’t.

The second, from GSMA’s privacy guru Pat Walshe, referred to the incredible work that he and the GSMA have recently done in swiftly developing a set of guidelines on how mobile communications data could most appropriately be used to fight the Ebola outbreak in Africa. How do you track potential victims of the outbreak, so that they can receive appropriate treatment? The GSMA’s focus was on helping their colleagues at Flowminder ensure that mobile users’ privacy was respected and protected and that any associated risks were addressed.

A set of pithy, easy-to-follow GSMA guidelines have surely contributed to averting a humanitarian disaster on a far larger scale than has so far occurred. The GSMA’s and Flowminder’s research methods are on the agenda at Davos at the World Economic Forum. It’s highly likely that this technique will be used to deal with similar occasions when relevant anonymised network statistics are urgently required by health and aid agencies.

So it’s three cheers for Pat Walshe & the GSMA for respecting the privacy rights of individuals affected by Ebola – and two raspberries to the US media for ignoring them.



Wednesday, 21 January 2015

Privacy perspectives from different tribes

Two separate groups of data protection folk gathered together last night.

In Brussels, a (relatively) younger data protection crowd were assembling for the Computers, Privacy & Data Protection conference. This three day event attracts a wide range of folk, perhaps more inclined to view privacy through the prism of an academic or regulatory perspective, rather than a practitioner’s perspective. There’s a lot of theory – and tweeting, so it’s relatively easy to be kept informed of the conference highlights. Am I missing very much by not going this year and just relying on regular updates from the opinionated tweeters? I'm certainly missing something. There’s also a free bar.

In London meanwhile, a selection of Britain’s data protection crusties packed the main chamber at the Institute of Advanced Legal Studies to hear James Michael offer some views on 30 years of data protection and 15 years of freedom of information legislation. This 90 minute event attracted many of Britain’s most eminent data protection folk. It would be uncharitable to identify any of them, as others might be annoyed if I left them off my list. Suffice to note that, in terms of the relevant legislation, some people present had helped write it. Others had regulated it, judged it, practised it, complied with it, studied it or had otherwise written about it. After the formal proceedings, some attendees enjoyed a few very useful exchanges of privacy news and gossip. However, there being no free bar, or bar of any description, most swiftly left for their next engagement.

What did I learn at the IALS event that I can report on?

First, that there are no prospects for information rights legislation to become less complicated in the foreseeable future.

Second, that prospects for common global information rights standards, perhaps enforced by a UN Convention on rights of access to information and privacy are impossibly remote. It’s certainly not going to happen in my lifetime.

Third, that the forthcoming Data Protection Diregulation (to the extent that it will be forthcoming) is unlikely to ease the lives of data protection practitioners. It may help them to remain in remunerative employment, but it’s not clear how any new standards currently under consideration will drive behavioural change among data controllers in ways that will result in a significant uplift of the privacy rights that European citizens currently enjoy.

Anything else that I learnt last night will remain confidential – at least for the time being, that is.