Monday, 30 July 2012

What is the right data protection qualification?

I’ve just been reading the PDP’s press release announcing a record increase in newly qualified data protection professionals. The blurb explains that the PDP’s Practitioner Certificate in Data Protection gives organisations the ability to demonstrate commitment to protecting customer and employee information in this increasingly challenging area of legal compliance.

Congratulations to all involved.

The only thing that’s concerning me is that the UK now boasts (at least) three different organisations setting privacy qualifications, but I’m not sure where I can turn to obtain any independent advice as to what would be the most appropriate (or easiest, or cheapest) qualification for a data protection professional to obtain.

My qualification, the ISEB Certificate in Data Protection, offered by the British Computer Society, was hard work, as it required me to take a really deep look at the Data Protection Act as Parliament and British Courts intended it to be, and to be very mindful of the occasions when the ICO’s compliance advice strayed past the legal minimum and into the realm of best practice. Of course, there’s nothing wrong with best practice. But it is not the legal minimum.

The PDP qualification, according to a footnote in the press release, is accredited by The Law Society and The Bar Council, and was devised in conjunction with the Information Commissioner’s Office. Clever use of the phrase “devised in conjunction with”. It doesn’t claim that staff from the ICO currently seek PDP accreditation.

And then there’s the qualification offered by the International Association of Privacy Professionals (IAPP), of potential interest to privacy officers working for international groups of companies. This is the qualification for those who apparently need to show that they really know their stuff about the comprehensive principles-based framework, pan-European and national data protection laws, the European model for privacy enforcement, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows.

Not having carried out any significant research into the PDP and IAPP qualifications (yet), I simply don’t know the extent to which they supply data protection officers with the practical tools that are necessary to help them do their jobs. Many of us practitioners know what most of the laws (we need to know) state, but the critical thing to know, surely, is the extent to which particular laws are enforced, either by regulators or others, in particular circumstances, and what the consequences are likely to be if data controllers, for various reasons, breach any of the principles.

And where will I find this? Perhaps our chums at Which? might commission a guide to Professional Data Protection Qualifications, to get some dispassionate advice out there for the benefit of the increasing numbers of people who sense that they need to obtain some form of qualification, but are unsure which, and how much effort would be required to get it.

No-one wants to be sold a pup – unless he looks as endearing as the dog in today’s picture.




Saturday, 14 July 2012

A week in the data protection detox chamber

It’s been a great week. I’ve been so busy on a particular issue that I’ve hardly had any time to think, or read press releases, about the usual range of data protection stuff.

I have had time to think about something else, though.

Last Monday evening, at the Hampstead Theatre, Edward Hall’s Propeller company staged a brilliantly effective production of Shakespeare’s Henry V.

Very shortly after the play begins, the King asks for advice from the Archbishop of Canterbury. But not just any advice. On this advice will rest the lives of an awful lot of people. Privately, he has already resolved to declare war on France, but seeks a reason, or a justification, for this momentous decision from a trusted advisor. This is so that the Archbishop can be blamed if the advice turns out to be poor. If the campaign is successful, the King will accept the credit. But if a failure, the Archbishop will carry the blame.

Sound familiar? Aren’t a number of us constantly asked for a view on a situation about which, in reality, those posing the question have already made up their minds? And, when this is the case, how many of us resist the temptation to facilitate their view, rather than tell it as it really is?

Well, for those that are tempted to compromise their own principles, let’s just remember the advice that the Bard gave, through the words of the King. We data protectors are under a duty, really, to tell it straight. It’s not just about us imposing our own values on the decision makers. It’s our job, as impartial subject experts, to ensure that the facts are properly set out to these decision makers, in order that they can reach a just and balanced conclusion.

If I can carry on with that purpose in mind for the next few years, or until I’m charged with the burden of being a decision maker myself, I’ll be happy.

So, to those who are tempted to get out the soap box every time they’re asked for a view, let them first consider the following lines, before they start to spout their usual stuff:

My learned lord, we pray you to proceed
And justly and religiously unfold
Why the law Salique that they have in France
Or should, or should not, bar us in our claim:

And God forbid, my dear and faithful lord,
That you should fashion, wrest, or bow your reading,
Or nicely charge your understanding soul
With opening titles miscreate, whose right
Suits not in native colours with the truth;
For God doth know how many now in health
Shall drop their blood in approbation
Of what your reverence shall incite us to.

Therefore take heed how you impawn our person,
How you awake our sleeping sword of war:
We charge you, in the name of God, take heed;
For never two such kingdoms did contend
Without much fall of blood; whose guiltless drops
Are every one a woe, a sore complaint
'Gainst him whose wrong gives edge unto the swords
That make such waste in brief mortality.

Under this conjuration, speak, my lord;
For we will hear, note and believe in heart
That what you speak is in your conscience wash'd
As pure as sin with baptism.


Next week, I’m off to see Propeller’s version of The Winter’s Tale. I wonder what words of data protection wisdom I’ll be able to glean from that.


Image credit:
Speakers Corner, London, August 2010.


Wednesday, 11 July 2012

Working in Westminster

Regular readers will have noticed that, recently, I have not been blogging as frequently as I used to.

I am not on strike. Nor on a go slow. It’s just that other tasks have got in the way, and this has required me to think even more carefully about what I say about various matters.

No, I haven’t been threatened by anyone.

But I have recently been appointed Specialist Adviser to the Joint Parliamentary Committee on the draft Communications Data Bill. Accordingly, I will not be commenting on anything that anyone could remotely link with the work of that Joint Committee. People anxious for an up-to-date briefing on the Joint Committee’s work should check out the Committee’s website.

But I’ll still, no doubt, find plenty of time to write about other issues over the rest of this year.

Wish me luck.



Tuesday, 10 July 2012

Is this the world’s most daring privacy policy?

How often have you ever thought about writing a privacy policy which just tells it as it is? You know, the sort of policy that really shows your true feelings for those individuals who are likely to actually read the thing?

Well, a good friend has passed this one along, and it really deserves an award as the world’s most daring privacy policy.

It says stuff like this:

“ has adopted a policy of occasional compliance with the data protection laws of the United Kingdom and takes reasonable care to prevent any unauthorised access to your personal data. Actually, I take great care to prevent any unauthorised access to your personal data, but that sounds pious and self-congratulatory. Also, I'm asking for trouble if I say that I do fantastic things better than most, so I restrict myself to the modest claim of "occasional compliance" and "reasonable care".

If you want to know exactly what information holds on you, you can obtain it by requesting a Subject Access Request Form from at its registered office. A fee will be payable for such access. I have set the fee at £999.99 (including VAT), because, frankly, it will take me weeks to get it all together and I want to make a few quid from you.

By supplying me with information, you confirm that you do not consider use of your information in accordance with this Privacy Statement to be a breach of any of your rights under the Telecommunications (Data Protection and Privacy) Regulations 1999. Or your human rights. By entering information on forms or providing me with any personal information you are consenting to me processing that data for my own business use and holding it on my server. The problem with all these clauses in this Privacy Policy (and others) is that you never read them before you use my website, which is both stupid and sensible. It's stupid because you are giving away all your rights, but sensible because if you read every Privacy Policy you would never have time to surf the web or view any porn. Time is money!”

If you want to read any more, just browse over to this site.

If you know of any sites that are more worthy of the “world’s most daring privacy policy” award, please let me know!



Thursday, 5 July 2012

A banking scam so stupid surely no-one falls for

I’ve recently had this email from some kind folk who want to look after my money for me.

"Dear Lloyds TSB Online customer,

Your account is suspended due to multiple number
of incorrect login attempts.

For your protection, we've suspended your account.

To reactivate your login access please download the
form attached to your e-mail and update your details.

Note: If not completed until July 02, 2012,
we will be forced to suspend your account .

Thank you,
Customer Support Service.

Copyright (c) Lloyds TSB Bank | for the journey..."

The form (pictured) even contains a tip – “We’ll never ask you to enter your security details on a pop-up window” – which is a little bit strange, as the genuine Lloyds Bank website usually asks me to populate certain details in at least three pop-up windows, as part of the sign on process.

And where do I have to email the completed form, containing all of the relevant security details?

Oh yes, I‘ve been instructed to email the form to

I don’t think so.

Hopefully, by the time you read this, our chums at Hotmail will have already locked the email address. And, hopefully, our chums at will be well on their trail.
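The message quoted above carries most of the classic phishing tells at once: a generic greeting, a threat of suspension, a deadline that had already passed by the time it arrived, a form to fill in and email back, and a reply address at a consumer webmail provider rather than the bank. As an added illustration (not code from the original post), the Python script below scores a raw email on those indicators. The sample message is constructed from the text quoted above; the sender and reply-to addresses, the Date header, the attachment name and the list of the bank’s legitimate sending domains are all assumptions, since the post does not show them.

```python
import re
from datetime import datetime
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumed: domains the impersonated brand genuinely sends from (illustrative only).
BRAND = "lloyds tsb"
BRAND_DOMAINS = {"lloydstsb.co.uk", "lloydstsb.com", "lloydsbank.com"}
# Consumer webmail providers, matched on the provider label so that hotmail.com,
# hotmail.co.uk (and the constructed hotmail.invalid below) all count.
FREEMAIL_PROVIDERS = {"hotmail", "gmail", "yahoo", "outlook", "live"}
URGENCY_WORDS = ("suspended", "forced to", "reactivate", "immediately", "within 24 hours")
CREDENTIAL_WORDS = ("security details", "update your details", "password", "memorable information")
FORM_EXTENSIONS = (".html", ".htm", ".pdf", ".doc", ".docx")
MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
DEADLINE_RE = re.compile(rf"\b({MONTHS})\s+(\d{{1,2}}),\s*(\d{{4}})\b")

# Constructed sample modelled on the message quoted in the post. Addresses, Date
# header and attachment name are assumptions; the post does not show them.
SAMPLE_EMAIL = """\
From: "Lloyds TSB" <noreply@lloydstsb-alerts.invalid>
Reply-To: account.review@hotmail.invalid
To: customer@example.com
Date: Thu, 05 Jul 2012 08:14:00 +0100
Subject: Your account is suspended
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Dear Lloyds TSB Online customer,

Your account is suspended due to multiple number
of incorrect login attempts.

For your protection, we've suspended your account.

To reactivate your login access please download the
form attached to your e-mail and update your details.

Note: If not completed until July 02, 2012,
we will be forced to suspend your account .

Thank you,
Customer Support Service.

--BOUNDARY
Content-Type: text/html; name="LloydsTSB_Update_Form.html"
Content-Disposition: attachment; filename="LloydsTSB_Update_Form.html"

<html><body><form>...</form></body></html>
--BOUNDARY--
"""

# Constructed benign message for comparison (assumed legitimate sending domain).
LEGIT_EMAIL = """\
From: "Lloyds TSB" <alerts@lloydstsb.co.uk>
To: customer@example.com
Date: Thu, 05 Jul 2012 09:00:00 +0100
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Dear customer,

Your Lloyds TSB statement is now ready to view. Log on in the usual way to see it.
"""


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Score a raw RFC 822 message; returns the list of phishing indicators found."""
    msg = message_from_string(raw, policy=policy.default)
    indicators = []
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = body.lower()

    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"]) or from_domain

    # 1. Brand named in the body, but the sending domain is not one of the brand's own.
    if BRAND in text and from_domain not in BRAND_DOMAINS:
        indicators.append(f"claims to be {BRAND!r} but From: domain is {from_domain}")
    # 2./3. Replies diverted elsewhere, in particular to a consumer webmail account.
    if reply_domain != from_domain:
        indicators.append(f"Reply-To: domain ({reply_domain}) differs from From: domain")
    if reply_domain.split(".")[0] in FREEMAIL_PROVIDERS:
        indicators.append(f"replies go to a consumer webmail account ({reply_domain})")
    # 4. Threats and urgency.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("urgency/threat language: " + ", ".join(hits))
    # 5. Request for credentials or account details.
    if any(w in text for w in CREDENTIAL_WORDS):
        indicators.append("asks the recipient to supply account/security details")
    # 6. A stated deadline that had already passed when the message was received.
    m = DEADLINE_RE.search(body)
    if m and msg["Date"]:
        deadline = datetime.strptime(" ".join(m.groups()), "%B %d %Y").date()
        received = parsedate_to_datetime(msg["Date"]).date()
        if deadline < received:
            indicators.append(f"deadline {deadline} is already past at receipt ({received})")
    # 7. A form attached for the victim to complete and send back.
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        if name.endswith(FORM_EXTENSIONS):
            indicators.append(f"attached form {name!r}: banks do not collect details by attachment")
    return {"score": len(indicators), "indicators": indicators}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        result = analyse(raw)
        print(f"{label}: score {result['score']}")
        for line in result["indicators"]:
            print("  -", line)
```

The score is a simple count, which is enough to show the contrast: the constructed phish trips all seven checks while the benign statement notice trips none. In a real mail gateway the same checks would feed a weighted classifier and be combined with SPF/DKIM results for the From: domain, which the script does not attempt.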


Tuesday, 3 July 2012

Isn’t it exciting!

Another document has emerged from the European Council, outlining some thoughts on possible amendments to the draft Data Protection Regulation.

Just to recap, the original version, published on 25 January, had 139 Whereas clauses, 93 Articles and some 112 pages of text. This version has lost one Whereas clause (there are now just 138) and 2 articles (just 91 remain).

If only those were the only changes. Actually, you really need a brain the size of a planet to even begin to appreciate the significance of some of the other textual changes. The odd word and phrase has been proposed, which fundamentally changes the thrust of the relevant bit of the text. And, so many Member States have logged reservations about so many different parts of the text that it’s really hard to work out how seriously we are to take some of these proposed amendments. Last week, Chris Pounder, he of Amberhawk fame, blogged about the significance of some of these changes, so thankfully, I don’t have to.

And this is where you see the political game really begin.

For those that still have the energy to care, what will go on for the next year or so is a war of attrition. Instruments as significant as this don’t come along that often. When they do, they are initially accompanied by a hysterical amount of attention from the media and conference-going classes.

But for how long can the attention of the public (and the budgets of the conference-going classes) remain focused on this issue? What generally happens is that after a few months, protestors lose the will to protest, as the negotiations get so prolonged they bore the pants off normal people, leaving only the true anoraks to stay the course.

I wonder when boredom will set in about this proposal. Already I’m detecting a glazed look in people’s eyes, as I excitedly point out the implications of a minor change to some obscure Whereas clause or phrase in an Article. This stuff may be important, but it’s really boring to be involved in the minutiae of the discussions, especially when conclusions are so many months off.

But, as we all know, decisions are taken by those who are present. Not by those who made their apologies or just don’t turn up. So, as some of the lightweights peel off, the heavy lifting will need to be done by a core of hardy anoraks whose prejudices, I hope, will be similar to my prejudices.

I appreciate that even the European Commission wants to hold a healthy debate about its proposals, and I wonder what steps it will take to encourage greater participation by European data controllers and members of European Civil Society over the months ahead. Or will the discussions be influenced by an unhealthy amount of lobbying from non-EU Data Controllers, simply because these controllers have the deep pockets that will be required to engage data protection diehards who can afford to spend time in Brussels and elsewhere, pointing out the significance and likely impact of the proposals?

Do we really live in a democratic society when its institutions make it so hard to allow concerned citizens to engage fully in the consideration of initiatives such as this? Perhaps the folk at DG Justice should consider offering bursaries to concerned people (like me) to participate in the consultation process in a more meaningful way.

Or, if there are any other organisations out there, who have funding in place and who need a helping hand to get their points across to the relevant bods, please feel free to get in touch.

Chris Pounder blogged about the significance of the proposed changes on 26 June. See


Monday, 2 July 2012

How much does a typical English DP Officer earn?

According to the CBI, “recent job advertisements typically show that a qualified DPO in the South-East of England could earn anything between £30,000 and £75,000 per annum.” That’s a pretty large spread. And I happen to know a number of people who are earning well in excess of that upper figure.

This amount is important because the Ministry of Justice has recently been working out what additional costs might be incurred on British businesses if all enterprises that employed more than 250 employees had to have one. The results of this research were published in its “Summary of Responses on the Call for Evidence on the Proposed EU Data Protection Legislative Framework,” published on 28 June 2012.

First off, then, how many large companies are there? No one is precisely sure, as statistics aren’t kept centrally. What is known is that in 2010/11, around 5,900 data controllers notified the ICO as large organisations (i.e. over 250 employees and a turnover of over £25.9m).

But what do we really know about the number of people who currently are data protection officers? If the ICO’s applications to attend its annual conference indicate anything, there are at least 1,000 who are sufficiently keen to travel to Manchester every year for some free continuing professional education. But are there really significantly more than that?

The best guess of the MoJ, tucked away in paragraph 39 of Annex A of the document, is that some 50% of organisations already have someone undertaking the role of a DPO, even though their job title may not accurately reflect that. So, even if this guess is correct (and personally I think it’s a bit optimistic) there must be a need for quite a few more, and pretty soon, if the European Commission’s proposal to mandate a DPO goes ahead. On the basis that the cost of employing a data protection officer is £50,000 a year, the MoJ calculates that the additional cost will be £147m per year. These costs are far higher than the Commission’s estimated costs to businesses of around €320m per year across all Member States.

The MoJ also suggests that “the costs are likely to be greater for small public bodies (such as arms-length bodies) and small firms who undertake large amounts of data processing, such as hi-tech start-ups and medical research organisations, where the annual cost of £50,000 would be a considerable burden.”

This is one of the reasons why the MoJ is not supporting the Commission’s proposal. But lots more companies are likely to be sufficiently concerned at their current state of data protection compliance to want to invest in additional help, once it’s clear where this help might be coming from.

My advice to current Data Protection Officers is not to retire just yet. Instead, be prepared to accept a portfolio of data protection responsibilities – and be glad that you’ve got the formal qualifications that will push your CV to the top of the pile when worried HR Directorates sift through the piles of papers from experienced professionals who want to carry on working until they drop dead with exhaustion.

The CBI's statistic appears in paragraph 41 of Annex A.


Sunday, 1 July 2012

Do I spy special EU data protection tanks in Cyprus?

I heard a great rumour a few days ago. It was far too good to keep to myself, so I’m sharing it with you today, the first day of the Cypriot presidency of the EU.

A friend, whose credentials I have trusted for a long time, murmured that the European Commission is very determined to see progress on the proposals for a data protection Regulation while the Presidency of the EU is in the hands of Cyprus for the next 6 months. This will be the first EU presidency for Cyprus, which joined the EU in 2004 and became a eurozone member in 2008.

The word from unnamed EU officials is that the Cypriots will provide political leadership to the Union but “not in the traditional way”. Rather, it will be a “Brussels-based presidency”, with most of the country's officials operating from the European capital and focusing on EU affairs.

What this means is that the Commission’s data protection directorate will make available to the President of Cyprus a number of temporary advisors for Nicosia, providing knowledge and support, so that all the right decisions can be made during his presidency. It could be a fun six months. After all, Cyprus is the only country represented at EU summits by a Communist. President Demetris Christofias has reportedly remained true to his values since he joined the Communist AKEL party in his youth. He studied in Moscow and speaks Russian fluently. Russia's political presence and economic penetration in Cyprus has no equivalent in any other EU country – so they ought to be happy to put their hands really deep in their pockets to offer assistance to Nicosia during their current financially troubled times.

I don’t think I know what the communist approach to data protection actually is. But whatever it is, I’m sure that the Commission’s tanks will focus some minds and get the relevant officials to knuckle down and deliver steady progress by the end of the year.

