Friday, 20 March 2015

Stratospheric salaries for superstar DPOs

The noise around the GDPR is currently having one remarkable effect.

Fears about the complexity of the final version of the text, together with concerns about the impact of ridiculously high fines on businesses that transgress are rippling through the DP job market.

Today, if you know where to look (in London), you can apply for a part-time privacy officer role for an annual (pro-rated) salary of £70,000 – or if you fancy a full-time job, one organisation is currently prepared to pay up to £150,000 for the right candidate.

Let's put that in context. £150,000 is more than the Prime Minister’s salary. And, yes, more than the Information Commissioner’s salary. Even £70,000 is much, much more than the salaries of the overwhelming majority of the staff at the ICO.

I’m really not sure if it was intended by the drafters of the upcoming GDPR that the salaries of those who were expected to implement it were likely to be so much greater than the salaries of those who were expected to regulate it.

But that is the consequence of what is happening.

And the more complicated this thing gets, and the more noise that is generated about the new “rights” that citizens are going to have with regard to their own personal data, the more the DPO salaries are likely to rise. 

Responsible controllers – and certainly those in the heavily regulated sectors – will continue to suck up the brightest talent, and will be obliged to offer salaries that, thanks to the current scarcity of experienced data protection practitioners, will compare very favourably with other trades.

Is this really what we want?

As a consultant or an employee, probably yes.

As a business owner, probably not.

As a regulator – well, at least it ensures that the ICO will continue to act as a training academy for those that want to hone their data protection skills before they transfer to the private sector. 


Note:
Experienced DPOs interested in changing jobs may want to contact me (very discreetly) to learn more about the roles I’ve referred to in this blog.


Monday, 16 March 2015

IOCC frustrates the militant privacy campaigners

Bad news for the militant wing of the privacy lobby who want to believe that the Interception of Communications Commissioner is simply an establishment patsy, an apologist for anything and everything a spook or law enforcement agency wants to get away with.

Sir Anthony May’s latest annual report lays out more evidence of the independent and impartial approach that he and his inspectors take on the thorny question as to what ethical policing means in practice.

Time and time again, the report points not only to areas that require remediation, but it also highlights issues where progress has been made, thanks to recommendations made following earlier inspections.

The militants particularly won't like the next 3 paragraphs, which have been lifted from the report, but I make no apology for reproducing them here:

"My inspectors identified that communications data was frequently relied on to provide both inculpatory and exculpatory evidence. The communications data acquired revealed suspects' movements and tied them to crime scenes. It often led to other key evidence being identified or retrieved. Links to previously unidentified offenders and offences were revealed. Dangerous offenders were located and offences were disrupted with the assistance of communications data. Patterns of communication provided evidence of conspiracy between suspects. The data highlighted inconsistencies in accounts given by suspects and corroborated the testimony of victims. The data determined the last known whereabouts of victims and persons they had been in contact with. Similarly, communications data assisted to eliminate key suspects or highlighted inconsistencies in accounts given by victims. [7.65]

In a couple of the operations examined the inspectors concluded that there were potentially gaps in the acquisition process where the investigation teams had not identified the full range of data necessary to achieve the objective. This failure to identify relevant data may adversely impact on the ability to, for example, corroborate the account given by a witness, corroborate the testimony and / or determine the last known whereabouts of a victim or properly determine the role of a suspect in a crime or indicate their innocence. This may present the acquisition process as arbitrary and serious implications could result. This is an area in which it is important for the SPOCs to engage with the applicants to develop strategies to ensure that the appropriate data is sought to fully achieve the investigative objective. [7.66]

In the operations where large elements of the offences, if not all the offences, took place within a ‘virtual world’ e.g. some of the fraud and sexual offences, the requirement for communications data was ever more apparent. It was also apparent from these operations that as technologies have developed police forces and law enforcement agencies have increasingly looked at a wider range of technologies to investigate offences. The inspectors noted that in relation to the investigation of serious and organised criminals, the increasing tactical awareness of criminals means that a larger amount of data, on a potentially wider range of devices and individuals, has to be acquired to meet operational objectives which may have been more simply achieved in previous years. [7.67]


The report also criticizes institutions that have ignored past recommendations: 

"Last year I made the point that the numerous policy documents governing the interception of prisoners communications were fragmented, overlapping and contradictory in places and that this made it difficult for the prisons themselves to understand the requirements fully and for our inspectors to conduct the oversight. I am disappointed that there has not been any progress on these matters. I reiterate that NOMS must get to grips with these issues and put in place clear and defined policy and risk assessment documents for the interception of prisoners’ communications. Our experience shows that the prisons are trying extremely hard to comply with the various policies in this area, but they are in need of clear direction and better quality policy." [p.87]

Interestingly, while SPOCs in general are highly thought of, the report focuses its criticism on some Professional Standards departments (the teams that investigate investigators), where poor practices prevail:

"The inquiry found that an excessively high number of the applications submitted by Professional Standards departments were completed to a poor standard and did not adequately justify the necessity and proportionality justifications. In a number of applications the criminal allegation or the criminal offences suspected were not set out or there was no description as to how they were linked to, and aggravated by, the officer’s misuse of a position in public office. The applications often relied upon vague and dubious descriptions under the ‘umbrella’ of misconduct in public office and my inspectors were not satisfied that the high threshold for the offence of misconduct in public office had been met. There did not appear to be any intention for some of the matters to be subject of a prosecution within a criminal court. Turning to proportionality lengthy periods of traffic or service use data were often sought without sufficient justification and it was not clear whether other lines of inquiry had been considered and if so why they had not been pursued. For example, a number of the applications concerned investigations into officers forming inappropriate relationships with victims of crime. Whilst in some cases the circumstances may justify that it is reasonable to suspect serious inappropriate activity was taking place, for example, the formation of sexual relationships with vulnerable victims; some of the applications examined detailed fairly minor transgressions and did not identify whether serious wrongdoing was suspected, or failed to give convincing reasons to suspect that serious wrongdoing was occurring. In these applications it was also not apparent why other action, such as intervention by the officer’s supervisors or misconduct interviews were not considered, or if they had been why they were not deemed appropriate. 
In such cases my inspectors' concern was exacerbated where there appeared to be little resolve to subsequently pursue a prosecution when evidence was acquired which supported the initial premise of the application." [7.81]

Strong stuff.

However, these criticisms should be read in their context. They should not detract from the Commissioner’s conclusion that, overall, "my office’s inquiries did not find significant institutional overuse of communications data powers by police forces and law enforcement agencies. … However, my office did find that a proportion of the applications did not adequately deal with the question of necessity or proportionality and we found some examples where the powers had been used improperly or where they had been used unnecessarily. Overall the operational reviews showed that the communications data that was acquired was necessary and proportionate to the matter under investigation." [7.94]

So, we won’t be hearing much from the militant wing of the privacy lobby about this report because, frankly, there’s not much for them to complain about.

The more independently minded privacy advocates will probably take some comfort from the report – both in learning how RIPA (and DRIPA) actually work in practice, and in realising what a world-leading supervisory system the UK actually has.


Source:
http://www.iocco-uk.info/docs/IOCCO%20Report%20March%202015%20%28Web%29.pdf



Thursday, 12 March 2015

Ethical policing on the internet

The law enforcement community’s response to the question of how the internet should be policed continues to raise a number of significant questions. And it’s leaving some representatives from academia and civil society in a bit of a bind.

Paul Bernal’s recent blog on a meeting organised by the Association of Chief Police Officers on this issue touched on some of these questions. The feedback he’s received is quite revealing.

One respondent was unhappy that various stakeholders had agreed to meet ACPO in the first place. They commented that “real debate between those who disagree on the deepest philosophical and ‘legal’ in the broadest sense matters, is hardly likely to take place at an event organised by (and ultimately for) law enforcement/the state.”

I don’t agree.

It's important for all responsible stakeholders to feel that their voices can be heard in a debate where everyone accepts that what is required is policing by consent. At issue is what everyone (or almost everyone) is capable of consenting to.

With new legislation focusing on how communications data should be retained and used for law enforcement purposes on the horizon, it's essential that the Home Office and other interested parties consult as widely as is practicable in order that, when the proposals are presented to Parliament, politicians won’t need to criticize the measures on the grounds that insufficient consultation has taken place.

The dilemma for the representatives from academia and civil society is that, by becoming more aware of the practical problems facing the law enforcement community, they may feel encouraged to support pragmatic proposals that many people would shy away from. So do they risk being ostracized from their more radically-minded colleagues, whose views on issues related to communications data retention are not formed from any significant experience of the distress felt by victims of serious crime, who care less about the techniques used to deliver justice to serious criminals?

Academics and civil society campaigners who want to be reminded of the perils of being associated with a “bad” initiative need only think back to the manner in which Simon Davies from Privacy International was pilloried by some of his contemporaries when his independent research found that, actually, the Phorm initiative wasn’t quite as awful as its critics had wanted it to be.

It’s hard to remain dispassionate and neutral about such issues, and there will always be accusations that various academics have been captured by the law enforcement community if they indicate that they support proposals that benefit the law enforcement community. After all, who wants to make crime fighting easier …

Responsible academics ought to remain engaged with the policymaking process, and express their views from within the tent. It would never be appropriate (nor has it yet happened, to my knowledge) for an academic to take comfort in grandstanding from a distance, or causing so much fuss at meetings that when they threaten to eject themselves from the meeting, their offer is gratefully accepted.


Sources:
https://paulbernal.wordpress.com/2015/03/07/ethical-policing-of-the-internet/#comment-31195
http://en.wikipedia.org/wiki/Phorm



Wednesday, 11 March 2015

Facebook looks out for stolen passwords

When a data controller embarks on a great initiative, they should be congratulated. Even Facebook. So today I’m glad to acknowledge the sterling work that has been going on behind the scenes to check whether passwords associated with Facebook accounts have been misappropriated.

Facebook monitor a selection of different 'paste' sites for stolen credentials and watch for reports of large-scale data breaches. They collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook. This is a completely automated process that doesn't require them to know or store actual Facebook passwords in plain text or in any other unhashed form.

To check for matches, Facebook take the email address and password and run them through the same code that is used to check user passwords at login time. If they find a match, they'll notify the Facebook account holder the next time they log in, and guide them through a process to change the password.
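The check described above, as an added illustration rather than Facebook's own code: a constructed user table holds only salted PBKDF2 hashes, the ordinary login verifier is reused unchanged against a constructed "email:password" dump, and the result is the set of account holders to prompt for a password change. The hash parameters, the dump format and all names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample user table: email -> (salt, PBKDF2 hash).
# Only salted hashes are stored; the plaintext password is never kept.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(email: str, password: str):
    salt = os.urandom(16)
    return email.lower(), (salt, _hash_password(password, salt))

USERS = dict([
    _make_user("alice@example.com", "correct horse battery staple"),
    _make_user("bob@example.com", "hunter2"),
    _make_user("carol@example.com", "Tr0ub4dor&3"),
])

def verify_login(email: str, password: str) -> bool:
    """The ordinary login check: recompute the hash and compare in constant time."""
    record = USERS.get(email.lower())
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)

# Constructed dump in the "email:password" form seen on public paste sites.
# One address has a different password here, one is not a user at all,
# and one line is junk, so the matcher has to cope with all three.
LEAKED_DUMP = """\
alice@example.com:wrongpassword
BOB@example.com:hunter2
carol@example.com:Tr0ub4dor&3
mallory@example.com:letmein
not a credential line
"""

def find_compromised(dump: str) -> set:
    """Return the emails whose leaked password also unlocks their account here.

    The leaked pair goes through the same verifier as a real login attempt,
    so no plaintext password of an existing user is ever needed or stored.
    """
    hits = set()
    for line in dump.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than abort the whole run
        email, _, password = line.partition(":")
        if verify_login(email.strip(), password):
            hits.add(email.strip().lower())
    return hits
```

Each address returned is one whose owner should be notified at next login and walked through a password change; addresses not in the table or with a non-matching leaked password are simply ignored.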

Isn’t this a great idea?

And a sign of a responsible data controller acting in the best interests of their customers?

So, Facebook, just in case no one else bothers to say it, please accept my thanks, at least, for providing such a useful service.


Source:

https://www.facebook.com/notes/protect-the-graph/keeping-passwords-secure/1519937431579736


Monday, 9 March 2015

Dealing with dementia

What do you do with aging relatives? How can you offer them the care that they might need in the future, by making appropriate arrangements today?

I’m not thinking of booking them one-way tickets to the Dignitas clinic in Switzerland (yet). But, I am thinking of arranging, while they are still of extremely sound mind, the necessary legal powers to act on their behalf and in their best interests should there come a time when their minds are such that they are no longer able to express their best interests themselves.

To whom can you turn to get a decent briefing on the relevant issues? Thankfully, the Alzheimer’s Society has just published some new guidance 'Accessing and sharing information: acting on behalf of a person with dementia'. It explains, in simple terms, how personal information can be shared in compliance with the DPA to help manage the affairs of a person with dementia.

I like the guidance because it uses the sort of language that my relatives can understand. So, I can leave the booklet with them and then discuss it when they’ve read and thought about these issues.

Evidently, only 22% of people affected by dementia feel that businesses and organisations understand a person's rights around a lasting power of attorney. Even fewer can explain the difference between a lasting, an enduring and an ordinary power of attorney. Or a deputyship.

So, I warmly recommend this booklet to anyone who has, and cares about, their aging relatives.


Sources:
http://www.alzheimers.org.uk/site/scripts/news_article.php?newsID=2313
http://www.dignitas.ch