Saturday, 29 September 2012

Three cheers for New Zealand

Brilliant news from the European Commission – soon, it’s likely to publish a decision on whether a country that most of us could actually point out on a globe has got adequate data protection standards.

I appreciate that this is a highly unusual, but very welcome, move. Admittedly, it’s probably not a country that many Brits might instinctively export personal data to, but if it’s good enough for the Hobbits, it’s good enough for me.

It appears that the Commission is minded to make an announcement because the Article 29 Working Party adopted a favourable opinion on the adequacy of New Zealand back in April 2011, and now everyone is beyond embarrassed at the time it’s taken for the Commission to sign it off.

Still, mustn’t carp from the sidelines. Let’s look on the bright side. With a population of 4,400,000, it’s great to appreciate that so much attention has been devoted to a people that might comfortably fit into a city the size of Liverpool.

And let’s wait with eager anticipation for the next set of adequacy decisions to come, probably about countries that many of us would be hard pressed to easily locate (or describe their neighbours).

Who knows who could be next? After all, word is surfacing that the Article 29 Working Party has recently agreed that Monaco (population 37,000, slightly smaller than the English city of Salisbury) has adequate standards. Granted, I would fail my European Citizenship test by being unable to point to it confidently on a map today, but perhaps in a few years’ time the mighty Commission might kindly indicate whether it shares the same view as the Working Party.

One lives in hope.




Friday, 28 September 2012

Flash mob of data protectors hit London

The sharper-eyed Londoners would have witnessed a none-too-familiar scene yesterday – a flash mob of data protectors on the move around London.

The mob assembled at the offices of Hunton & Williams in the Gherkin for breakfast. It stayed to attend the IAPP’s KnowledgeNet, and heard a session on complying with the Bribery Act and money laundering requirements (and whether this is compatible with data protection law). Then, after morning coffee, it considered whether anyone ever reads privacy policies, and discussed how to be transparent in practice if no one wants to read the messages.

Most of the mob remained for a really good lunch, before a group splintered from the crowd and ambled over to the offices of Bird & Bird for an afternoon session on pressing data protection issues. This session was apparently very well received too (as was the B&B afternoon tea).

The remnants of the mob assembled at the Cinnamon Club later in the evening, having booked a set of tables under the name of the Privacy Officers’ Supper Club, to review what had happened during the day, and to explore the amazing dinner menu. It was here, in the comfort of this grand Westminster establishment, that wondrous tales were told of amazing data protection stories. None of these stories will ever be repeated outside the walls of the Cinnamon Club – what goes on between members of the data protection flash mob stays with the members of the flash mob.

Members of the flash mob are likely to assemble next week for events organised by the Privacy Partnership, Pinsent Masons, Privacy Laws & Business, Linklaters, Speechly Bircham, and Act Now Training. And those are just the ones I’m allowed to mention today.

And yes, before the detractors pile in and comment that data protectors are spending far too much time talking about data protection, and not enough time actually doing any of it, let me remind you that this is not the case. It’s important for all stakeholders to appreciate just what is going on, in order that they can offer the best, most cutting-edge advice to their clients, safe in the knowledge that they share a common ethical approach to the broad issues of the day.

This is also why data protectors work such long hours. There is no such thing as a free breakfast, lunch, afternoon tea or supper. Everything learnt is ploughed back into promoting good data protection practices. After the breakfast, lunch, afternoon tea or supper.

Details of forthcoming privacy events are published on my website, while an archive of events reminds you what you may have missed. I can’t guarantee that any of these forthcoming events will be graced with a performance by members of the flash mob, though.



Thursday, 27 September 2012

DP standards in schools

Regular readers of the ICO’s website will probably already have read the recently released report which aims to help schools ensure they are handling pupils’ personal information in line with the law.

It was prompted by a survey of 400 schools across nine local authority areas.

Louise Byers, ICO Head of Good Practice, helped draft the report: “The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there. In many respects that should come as no surprise – it’s not teachers’ area of expertise – and it is precisely what our report is aiming to address.

“I’d urge teachers and heads to take a look at our recommendations and make sure they’re complying with the law. The sensitive personal data that schools handle means it is crucial they get this right, and we hope the ICO’s report will help them achieve that.”

I thought I would do my bit to encourage schools to read it.

And what could be worse than attempting it in verse?

So, in honour of the ever-so-helpful Louise, here goes:

Hi - I’m Louise
The ICO’s audit queen
I’ll give your practices a screen
And then report on what I’ve seen

If you’re a school
Then, as a rule
You’ll appear a fool
If you ignore our latest tool

You see, we’ve written a report
On schools' DP compliance
It’s pretty short
It ain’t rocket science

It sets out simple steps
To avoid the almighty mess
That’s likely to result
When the story hits the press

Of it having gone all wrong
And us coming along
And see just how strong
Your standards really ... weren’t

We don’t want to be put in the position
Where an official from the Commission
Does an audit without your permission
And finds evidence of omission

Just remember:

Should you have a data breach
And we get to know of the misdemeanour
You could be fined so hard
You’ll have to sack another cleaner

We’re not trying to be meaner




Wednesday, 26 September 2012

Fancy a career in privacy, or plumbing?

I chuckled when I saw this jobs advert.

It appears that those who obviously know about employment things have worked out that the target market for potential data protectors is related to those who are also interested in plumbing, electrical, gas or green engineering work.

But what’s plumbing got to do with data protection? Or electrical, gas or green engineering work, for that matter?

Surely, data protectors work with their minds, rather than their hands.

Anyway, when I attend tomorrow’s Privacy Officers' Supper Club in Central London, I’ll take a good look at the hands of my colleagues. If any are rough and scratched, at least I’ll have a good idea of how else they could be earning their living.

Tuesday, 25 September 2012

How to avoid that immediate ICO fine

Hi Brian,

Many thanks for your recent email. I do hope you were joking when you told me that you’ve lost the data stick I sent you containing all of the policies you’re supposed to have in place to prevent an immediate ICO fine the next time you report a security breach. No policy = almost certain fine. You may well get fined if you don't follow the policy, but you really do need to have a policy in the first place.

Now, listen very carefully, as I’m getting sick of repeating myself.

As a local authority, you must implement a range of security policies, to ensure compliance with the PSN, N3 and GCSx / GCF regimes. Examples of policies covering a wide range of topics are available on a free website – but if I send you the link in this email I’ll almost certainly get collared by the commercial organisations that sell this stuff for serious money.

Anyway, let me know where we can meet for lunch and where I can pass you details of the website.

Any nice restaurant in Central London is acceptable. Remember, after a bit of customisation, you’re going to get your hands on your very own:

Acceptable usage policy
End user awareness training
E-mail usage policy
Use & control of portable media policy
Home & mobile working policy
Secure document printing policy
Manual (paper) document handling policy
Handling of faxes policy
Secure disposal and destruction policy
Information asset valuation policy
Risk management regime
Protective marking policy
Use of personal devices policy
Use of encryption software policy
Incident reporting policy
Incident management policy
Log management policy
Intrusion detection policy
System Access Control policy
Configuration management and change control policy
Business continuity management policy

Just promise me that you’ll try harder not to lose them, this time!



Monday, 24 September 2012

An invitation not to be refused

The letter has finally arrived.

No, I have not been offered an honour in recognition of my services to data protection. Only folk at Wilmslow ever get an honour in recognition of their services to data protection. But I have been offered the next best thing. Which is to become a member of a new advisory group, being set up by the Ministry of Justice, to discuss and advise on the proposed EU data protection Regulation.

I’m excited about this initiative – as I’m determined to ensure that whatever data protection regime we end up with is acceptable to individuals, companies and public bodies alike, all of whom have very compelling reasons for insisting on high standards. These standards can’t come at just any price, though. They have to be realistic, and they shouldn’t stifle innovation. Nor should they cause anyone any harm.

This brings my data protection career back to the early days – some of my early data protection memories as an official of the Association of British Insurers involved squeezing into small conference rooms at the (then) Home Office in Queen Anne’s Gate, advising Home Office officials on the implications of some of the wording proposed in the draft text that eventually became the current Data Protection Directive.

That office building, in Queen Anne’s Gate, has now been renamed Petty France. It’s been completely refurbished, and is now occupied by – yes, you’ve guessed it, the Ministry of Justice. So I’m really looking forward to returning to (probably) the same set of rooms where, some 20 years ago, I would have been discussing basically the same set of issues.

Life is a carousel.

What is also exciting, though, is a separate opportunity to do some really hard thinking with some chums on an issue which will certainly not be on any of these agendas, and it’s definitely not in the Panel’s terms of reference. But, it will be on most people’s lips in 2013. The issue is whether Britain will get its data protection powers back after the 2014 Euro referendum.

By 2013, talk amongst the data protection chattering classes may be of little else. The move towards a European superstate, on the part of some current Member States, will require some hard thinking about what powers will be returned to those Member States that decline to be full members of this superstate.

If I were a betting data protector, I would hope that plans would be hatched to ensure that a data protection regime fit for Britain could be swiftly implemented, should it become clear that Blighty will not wish to be a full member of this emerging superstate, and that it will have the opportunity to make its own data protection laws.

Will that matter? If it means that the Brits can continue to develop a pragmatic and risk-based approach to data protection, it’s quite hard to point to any new harms that British citizens may suddenly become subject to. It’s also hard to think of reasons why standards might not become more transparent.

I can’t think of many sensible people who really want shoddy data protection standards. But I sense that there is a genuine debate about how much investment (in terms of people, policies and processes) needs to occur to improve standards in certain areas, and over what time period this investment should take place. And, if the state is to invest in improving data protection standards in the public sector, I would love to be involved in the public debate about how public sector resources should be reallocated from existing budgets to pay for a beefed-up Information Commission.

Yes, it might well mean a beefed-up British Information Commission, but that may not be too much of a problem. We all need jobs – and if the private sector is facing difficulties creating new ones, then there’s no reason why the public sector shouldn’t invest in a few more enforcers. Actually, this ought (eventually) to increase the number of knowledgeable and experienced British data protection professionals. Soon, local data controllers will realise how useful it is to have someone who understands the issues on their own team.

Anyway, for the record, from now on I will not comment or blog on any aspect of the MoJ Panel’s work that is not already in the public domain, nor will I refer to any of the views expressed in private by any member of the Panel.



Saturday, 22 September 2012

Will EU ministers just get 3 minutes each to negotiate the DP Regulation?

Keen followers of the current debate over the quality of EU decision making, and over the size of the EU’s budget for 2014-2020, will know how the current discussions are being handled. And they may be tempted to assume that if this much care is being given to ensuring that all Member States have enough time to comment on a matter as important as the budget, then it may indicate the time that EU ministers will be given when debating other important issues. Like the future of data protection.

Anyway, scholars of this stuff will be impressed that Cyprus has recently tabled a 48 page paper setting out a ‘negotiating box’ for the European Union budget for 2014-2020, to be discussed by European affairs ministers early next week. According to the paper, ministers are requested to limit their presentations to three minutes.

In the meantime, Cyprus has conducted bilateral consultations with the remaining 26 EU members and Croatia, which is expected to join on 1 July 2013, collecting their “wish lists” for the next long-term budget. Apparently, the budget should be smaller, but by how much and who suffers most has not yet been agreed. A special EU summit on 22-23 November will take the budget discussion for the first time at the highest level.

I wonder what this means for the future of the data protection discussions.

Evidently, bilateral consultations will continue with as many people as possible, but what happens then?

I have a bright idea.

Rather than limit each minister to a 3 minute intervention, each Member State should register their position on the Regulation (and the law enforcement directive) by way of a sonnet.

Just 14 lines long, ideally in iambic pentameter style (10 syllables on each line).

Ministers would then get their chance to deliver their sonnet, in true X Factor style, on live eurotelly. The jury would comprise Christopher Graham, Peter Hustinx, Cheryl from Buck’s Fizz and Viviane Reding (occupying Simon Cowell’s chair).

Each week, two losers would be selected who would retire to the sidelines, and the remaining bods would continue the discussions for another week before creating another sonnet.

And this could go on for as many weeks as is necessary, until it’s just France and Germany left. (The Brits will have been defeated in the sonnet shoot-out in the quarter finals.) I expect that the competition will result in the Germans being crowned “Princes of Datenschutz”, and whoever is left doing this stuff can get on and implement whatever it was that the Commission proposed in the first place.

What do you think?

It might make a change from another few years of focused and earnest discussions.

But if this is democracy in action, then I’m not really sure I like it.




Friday, 21 September 2012

Privacy policies – when shouldn’t you bother posting them?

Dear Brenda,

Many thanks for inviting me to such a useful session at the offices of the British Computer Society in Covent Garden last night. It’s so important for bods like me to be able to understand what it’s really like to be an application developer, and what issues are foremost in their minds as they seek to become Britain’s next squillionaire. Failing that, at least to run a profitable internet business.

You’re right – thank goodness there weren’t any officials from the Information Commissioner’s Office in attendance. Or from the European Commission. Had they been there, blood would undoubtedly have been spilt on the carpet, as they would have felt obliged to respond to some of the fascinating points that were made.

Remember though, Brenda, the guys from Wilmslow just have to interpret the law as they see it. It’s not their fault if the law’s unworkable. And, boy, we heard of a few unworkable examples last night.

I liked the point that was made earlier on in the evening about the additional difficulties that mobile application developers face. Yes, users are impatient. And their fingers have to navigate really small screens. And it’s hard to input the right combinations of letters and characters when overcoming the password hurdles etc. And the devices have relatively weak CPUs. And the internet connections keep dropping. And the battery life can be pretty dire.

But, all this notice and consent stuff is supposed to be important. Developers will be expected to pepper screens with privacy icons and pop up boxes, and permissions and explanations, all in 8 point type (or smaller). The theory behind this privacy set up is pretty straightforward – give the user something to click on for a few minutes, so they build up their anticipation of the great stuff the application is actually going to deliver. Eventually, they’ll be so relieved to be presented with the actual app that they might not notice it’s a bit ropey.

Anyway, I also chuckled when that speaker said that the best way for application developers to succeed these days was through the use of a “lean technology” philosophy. This means only doing the absolute basics to get the application up and running, so you can see if anyone actually wants to use it – and, more importantly, how they want to use it.

Yes, it also means cutting out the privacy policy etc to get the “day 1 minimum viable product” out in the market place, soonest. Let’s be realistic – the initial release is only going to be picked up by a few people, and most of those are going to be your friends.

I chuckled when another speaker recommended that you shouldn’t worry too much about this privacy stuff at this stage. Just spend a long time closely monitoring how the application is being used. Don’t listen to what the users say about the product. Look at what they are actually doing, and how they are using it. Then, when you’ve got more bugs fixed, and you’ve given the site a bit more functionality, you can dress it up with a privacy policy – because by then you’ll have a better idea as to what this new creation of yours is actually going to do.

I thought another speaker also made a good point when they mentioned that every web application developer goes through a couple of about-turns as they realise that what they thought was going to be ultra cool simply won’t fly. So you shouldn’t bother spending money commissioning a privacy policy until you’re far more confident that you have a commercially viable enterprise on your hands. Wait until you’ve got about a thousand users or so.

And don’t worry too much about these fears of Euro fines of up to 2% of your global turnover if you haven’t got all the administrative stuff (and the policies) in place from day 1. Remember, 2% of diddley squat really isn’t that much.

Just make sure you’ve paid your £35 DPA registration fee to the guys at Wilmslow. They’ll be so grateful for that kind gesture that they’ll cut young British innovators a bit of slack, you know. They don’t want to stifle innovation. They are human, after all. And, if your business becomes a roaring success, they might even want to come and work for you.

PS – I’m not sure whether the remarks in my last paragraph apply equally to the bods at the European Commission. But you’re not in a million years going to be seeing them doing a dawn raid in Rivington Street. They’d never find your desk in that cavern of a squat you share with all those other app developers.


Thanks to the Central London branch of the British Computer Society for holding such an interesting session on designing, building and marketing consumer mobile applications on 20 September. Speakers included Tony Fish, the author, entrepreneur and investor; Dr Yanguo Jing, Principal Lecturer in Computing at the Faculty of Computing (London Metropolitan) and mobile app specialist; Phil Woodward, co-founder of HipSnip; and Alex Berezovisky, CEO of LetoLab.

Tony was supposed to talk about reasons for going mobile, features of a good app, mobile business models and raising rounds of funding. Yanguo was to discuss steps towards building your first app, design considerations and platform choices. Phil was to speak about his experience in the mobile space, the relationship between web and mobile, and mobile web versus mobile app. Alex was to discuss the principles of a Minimum Viable Product (MVP), staying focused on key value propositions and aligning apps with business models and the market. In the event, a variety of views were expressed on a variety of issues by these and other contributors.

References to the speakers in my email to Brenda may have been to the above individuals, or to interventions from members of the audience. You are never going to know – unless, of course, you were there.



Thursday, 20 September 2012

Bar talk

I attended a very interesting session last night at the Young Vic Bar in Waterloo with the “Privacy After Hours” guys, an event most generously sponsored by our chums at Bristows.

Lots of Data Protection Officers, all thirsty and keen to exchange the very latest gossip.

Particularly about some of the financial restrictions that are being placed on individual departments. Conference bans, travel prohibitions, training budget cuts – it’s all happening. And in the private sector, just as much as in the public sector.

The message was pretty clear – the Information Commissioner had better start waving his magic fining stick about a bit more frequently if senior executives really are to be persuaded that they should be paying much more attention to all this data protection malarkey.

I’ll see if the same message comes from those who will be attending next week’s Privacy Officers’ Supper Club.

Meanwhile, let’s eagerly await further developments from Wilmslow.



Tuesday, 18 September 2012

ICO fines – when is it easier just to pay up and keep quiet?

Dear Brian,

Many thanks for your recent email asking for my advice on when it may, on balance, be better for your authority to give in and pay whatever fine the Information Commissioner is going to levy, or when there is much benefit in challenging it.

First, let’s get the facts right. Something pretty awful happened. It shouldn’t have happened, and everyone is sorry that it happened. Thankfully, no real damage has been caused to anyone because the incident was spotted pretty quickly and some remedial action was taken. However, a whistleblower informed the ICO about the incident before anyone in your team managed to tell them.

If past form is anything to go by, your authority will be hit with a civil monetary penalty of about £80,000. If you agree to pay the fine quickly, you’ll get a discount of 20% - so the direct cost will be about £64,000.

If, on the other hand, you challenge the fine, you’ll probably face an unrecoverable legal bill of £20,000, and if the Tribunal finds against you, or even holds you partly responsible, you’ll lose the 20% discount – so the direct cost to your authority could well be £100,000.

Let’s suppose, being charitable, that the ICO will find a few things wrong with the processing systems that are supposed to be in place, and which fell down, causing the incident to occur in the first place. It’s not that hard to find fault with at least one of the policies, training, systems, updates, or for you to lack robust evidence that enough of your staff are aware of all this stuff. There are so many systems that you need to have in place, if you read the official guidance etc (I’ll write separately in relation to this matter if you need chapter and verse), that you’re going to thank your lucky stars if the ICO only finds a few things faulty.

So, what might happen on appeal? Well, let’s suppose the Tribunal disagrees violently with the ICO and decides to slash the fine by 50%. In my view, that’s not really a win. After all, it’s still going to result in a fine of £40,000 plus the £20,000 legal bill – which is not much of a saving on the original £64,000 figure, especially when you think how drawn out this appeal could be and how much awful publicity the authority could continue to generate until the whole thing is resolved.

So, my message to you is pretty clear.

If it’s a fine of less than £200,000, you may be best placed just to pay up and hope the press focuses their attention on another ICO press release, fast. If it’s greater than £200,000, it may be worth challenging – but make sure that your data protection systems are in a pretty decent shape before you do.

Yes, I know it’s a lot of money – money that could be better spent on training and awareness programmes rather than on fewer services. But, you are stuck between a rock and a hard place. We all know the direction that local authority budgets are heading, so we all know that what is being expected of you is increasingly unaffordable and unachievable. But you shouldn’t be seen as an apologist for sloppy standards.

When you next get a carpeting by the Chief Executive of your newly combined local authority for causing them to divert funds from their supply teacher budget to pay the fine, just remind them of the economics of the situation. They deliberately starved you and your team of the funds that could have helped meet the authority’s statutory responsibilities. The Chief Executive ought to thank her lucky stars that it’s just service users, rather than local authority executives, who will feel the direct effect of these disciplinary measures.

Don’t let them grind you down. It’s not all bad news. Keep plugging away – and keep pointing your press team to the ICO’s web site, so they can see for themselves what is down the track and likely to be heading their way some time soon.

PS – If you are going to copy this advice to anyone else in the authority, please please please remember to use the Bcc field in the address section, not the Cc field. It was so hard to recover that last email from those people whose addresses you really didn’t want to share.




Monday, 17 September 2012

What compensation should I ask from British Gas about this incident?

Having recently answered a couple of phone calls from British Gas that left me more than just a little frustrated, I turned to the draft General Data Protection Regulation to work out how much this data controller could be fined, if it behaved like this again.

What do you think, dear reader?

(Hint – it involves compensation for inconvenience following the processing of inaccurate personal data).

Briefly, here are circumstances that should be taken into account by a regulator when deciding how much I should get:

Early August 2012: Standard letter from British Gas inviting addressee to book the annual service appointment.

9 August 2012: British Gas on-line support advised that the earliest appointment is a 2 hour slot on 17 Sept. Slot booked and SMS is sent to confirm the appointment.

14 September 2012: SMS received from British Gas reminding addressee that a service appointment is scheduled for 17 Sept.

16 September 2012: Phone call received from British Gas call centre during the early evening. Too many customers have reported faults with their boilers recently, so the annual service appointment scheduled for the following day needs to be rearranged. The next mutually convenient date is 15 November. Appointment rearranged.

Several hours later: SMS received from British Gas reminding addressee that a service appointment is (still) scheduled for 17 Sept.

17 September 2012: Just before the service engineer is due to arrive, phone call received from British Gas call centre. Too many customers have reported faults with their boilers recently, so the annual service appointment scheduled for that day needs to be rearranged. A quick conversation with the call centre adviser confirmed that the customer's record on their systems had already been updated to note that the appointment had been rearranged, and the adviser agreed that she didn’t know why she needed to call the customer again.

Is this one of those cases where an administrative sanction of up to 1% of the annual worldwide turnover could be imposed, in accordance with Article 79(5)(b)? The group revenue is £22.8 billion, so 1% is a serious amount of dosh. But, let’s get real, here. Who in their right mind would impose a sanction of £228 million just for having some sloppy customer service standards?

To be fair to the call centre adviser, she cheerfully acknowledged the mistake and immediately apologised. I don’t need much more than that. Chocolate would help. (Actually, a service engineer turning up at the appointed time would really have done the trick.)

If the British Gas PR team has any useful freebies, though, I would be very grateful if they might be so kind as to send some in my direction.

Do any readers have a “goodie cupboard”, from which trinkets are dispensed to those who complain with sufficient humour (or vigour)? If you have, please let me know.



Sunday, 16 September 2012

Privacy - a laughing stock of a sound bite!

It’s quite hard not to smile when someone mentions data protection and privacy in the same breath, these days. As we have seen from the current international press interest in pictures of a young couple recently on holiday in France, you can pass as many privacy laws as you like, but when push comes to shove, the most determined will do whatever they can to take advantage of your digital assets.

Laws don’t appear to alter basic (and, in the context of the paparazzi, I think basic is the correct term) instincts of people whose mission in life is to turn an image into real money.

The moral of the story is pretty clear.

The concept of “privacy” really needs to be rethought. Those who thought that they could rely on the state to give them legal powers to control their own personal information need to come to their senses. Possession of a digital asset is what counts, these days, not claiming that legitimacy (or morality) trumps physical (or electronic) control.

If we really want total privacy, in future we will have to give the cleaners the day off and close all the curtains. But we probably won’t do this. Instead, we’ll accept that the concept of a “private life” is increasingly inconsistent with that of being known as a “celebrity” – or even a paid up member of the human race.

We are not “sleepwalking into a surveillance society”, as former Information Commissioner Richard Thomas once argued, any more.

We’re there.

I prepared this blog on 14 September and was planning to publish it on 17 September. However, after reading William Foxton’s excellent article in today’s Telegraph, I thought that there was no reason why I should not publish it immediately. My blog wasn’t based on the points that William Foxton had made today, although we evidently share the same thoughts.



Friday, 14 September 2012

At last - official recognition from cyber squatters?

It must be a sign that you have arrived when you get a letter from someone you’ve never heard of explaining that your website’s name is so popular that someone else wants to register a variant of it.

Or perhaps it’s just a cyber squatting con.

Let me explain.

To put this issue in perspective, I ought to confess that I’ve recently dealt with an email from “John Byng” of John originally wrote to me to explain that an internet domain name used by the Data Protection Forum was of interest to someone who wanted to register it in China – but that he could arrange for this to be stopped, if I wanted. As I’m the Co-Chair of the Data Protection Forum, the Forum administrator asked me for advice.

Here’s an example of the sort of stuff John wrote:

“Based on your company having no relationship with them, we have suggested they should choose another name to avoid this conflict but they insist on this name as CN/Asia domain names (.asia/.cn/ and internet keyword on the internet. In our opinion, maybe they do the similar business as your company and register it to promote his company.

According to the domain name registration principle: The domain names and internet keyword which applied based on the international principle are opened to companies as well as individuals. Any companies or individuals have rights to register any domain name and internet keyword which are unregistered. Because your company haven't registered this name as CN/ASIA domains and internet keyword on the internet, anyone can obtain them by registration. However, in order to avoid this conflict, the trademark or original name owner has priority to make this registration in our audit period.

If your company is the original owner of this name and want to register these CN/ASIA domain names (.asia/.cn/ and internet keyword to prevent anybody from using them, please inform us. We can send an application form and the price list to you and help you register these within dispute period.”

My instincts were aroused when John mentioned application forms and price lists – can this be for real, I thought to myself. So, in my capacity as Co-Chairman of the Data Protection Forum, I ignored it.

Today, returning from a meeting in town, I see that another email has arrived in my in box. This time, rather than referring to the Data Protection Forum, it seems that the very same “John Byng” of wants to let me know that my internet domain name “” was of interest to someone who wanted to register it in China. I expect that if I reply to this email, John will write back to explain how he could arrange for this to be stopped, if I wanted.

This is the text of today’s email:

“Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration in China. We received an application from Hanson Ltd on September 10, 2012. They want to register " martinhoskins " as their internet keyword and China/Asia (CN/ASIA) domain names. But after checking it, we find this name conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards”

So, should I reply, or should I not?

Please send your answers, wrapped around a bottle of gin, to the usual address.
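For anyone who administers a mailbox that receives this sort of approach, here is a small triage script, added as an example and not part of the original post. It scores a message against the phrases used in the two e-mails quoted above, and separately flags a sender who raises the same "conflict" story about more than one unrelated name, which is the tell the post describes. The weights, the threshold, the sender correlation rule and the sender addresses are my own assumptions; the first two sample bodies are abridged from the messages quoted in the post, and the third is a constructed benign renewal notice.

```python
"""Triage for unsolicited "someone wants to register your name in China" e-mails.

Added example, not code from the original post. The phrase markers are taken from
the two messages quoted in the post; the weights, the threshold, the sender
correlation rule and the sender addresses are assumptions (constructed).
"""
import re
from collections import defaultdict

# (pattern, label, weight): markers seen in the quoted messages. Weights are an assumption.
MARKERS = [
    (r"\bCN/ASIA\b|\.cn\b|\.asia\b",           "pitch for .cn/.asia names",          2),
    (r"\binternet keyword",                     "'internet keyword' product",         2),
    (r"application form|price list",            "upsell: forms and price list",       3),
    (r"dispute period|audit period",            "artificial priority window",         2),
    (r"forward this to your CEO",               "pressure to escalate internally",    1),
    (r"distributor or business partner",        "asks you to vouch for a stranger",   2),
    (r"domain name registration cent(?:er|re)", "claims to be a registry",            1),
    (r"conflicts? with your company",           "manufactured naming conflict",       2),
]


def score_message(body):
    """Return (score, matched labels) for one message body."""
    score, hits = 0, []
    for pattern, label, weight in MARKERS:
        if re.search(pattern, body, re.IGNORECASE):
            score += weight
            hits.append(label)
    return score, hits


def triage(body, threshold=5):
    """Classify a message; the threshold of 5 is an assumption, tune it to your mail flow."""
    score, _ = score_message(body)
    if score >= threshold:
        return "likely registration scam"
    return "review" if score else "ok"


def correlate_senders(messages):
    """messages: iterable of (sender, name_claimed_in_conflict, body).

    The post's tell was that the same sender wrote about two different names.
    Returns {sender: sorted names} for senders whose scoring messages name more
    than one distinct "conflicting" name."""
    names_by_sender = defaultdict(set)
    for sender, name, body in messages:
        if score_message(body)[0] > 0:
            names_by_sender[sender].add(name.lower())
    return {s: sorted(n) for s, n in names_by_sender.items() if len(n) > 1}


# Sample bodies: the first two are abridged from the messages quoted in the post,
# the third is a constructed benign registrar notice.
MESSAGE_1 = (
    "Based on your company having no relationship with them, we have suggested they "
    "should choose another name to avoid this conflict but they insist on this name as "
    "CN/Asia domain names (.asia/.cn/ and internet keyword on the internet. ... "
    "the trademark or original name owner has priority to make this registration in "
    "our audit period. ... We can send an application form and the price list to you "
    "and help you register these within dispute period."
)
MESSAGE_2 = (
    "Dear Manager, (If you are not the person who is in charge of this, please forward "
    "this to your CEO,Thanks) This email is from China domain name registration center, "
    "which mainly deal with the domain name registration in China. ... They want to "
    "register \" martinhoskins \" as their internet keyword and China/Asia (CN/ASIA) "
    "domain names. But after checking it, we find this name conflicts with your company. "
    "... confirm whether this company is your distributor or business partner in China or not?"
)
BENIGN = (  # constructed
    "Your domain example.test renews on 1 October. No action is required; the renewal "
    "will be charged to the card on file."
)

# Sender addresses are constructed placeholders; the post does not give the real ones.
SAMPLE = [
    ("sender-a@example.invalid", "forum-name-placeholder", MESSAGE_1),
    ("sender-a@example.invalid", "martinhoskins", MESSAGE_2),
    ("billing@example.invalid", "example", BENIGN),
]

if __name__ == "__main__":
    for _, name, body in SAMPLE:
        print(name, "->", triage(body), score_message(body)[1])
    print("repeat senders:", correlate_senders(SAMPLE))
```

The marker list is deliberately narrow, so a genuine registrar notice scores zero and lands as "ok"; a single weak hit (a price list mentioned in passing) lands as "review" rather than being thrown away, and the sender correlation catches the pattern the post noticed even when individual messages vary their wording.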


Thursday, 13 September 2012

Explicit consent: The EU’s (potential) new gift to the malware community

A speaker at yesterday’s meeting of the Data Protection Forum made such a blindingly obvious point about a possible consequence of part of the new Data Protection Regulation that I really wonder whether the European Commission quite appreciates the size of the gift that it may well bequeath to the malware community.

And I’m kicking myself for not having appreciated it before. And you, dear reader, will start to kick yourself shortly, too.

The issue is, when you think about it, pretty simple. It’s an unintended consequence of something that some European official probably thought was a really good idea. If the malware community plays its cards right, however, the consequences could be catastrophic for most of the internet-using community.

What am I on about?

Well, it’s all about this great idea the European Commission has to “improve” standards of data protection, by setting out the circumstances where users need to “consent” to a processing activity before that activity can commence.

If you think about it quickly, this sounds like quite a good idea. After all, what’s wrong with being asked to “consent” before stuff happens?

But, as soon as you unpick the practicalities of the proposal, Dementors as awful as those that tormented Harry Potter run the risk of being unleashed on an unsuspecting audience.

Zoltan Precsenyi of Symantec pointed out yesterday that, if the new Regulation is adopted in even roughly its current form, the onus will probably be on data controllers to seek the user’s explicit consent before certain types of processing activities are carried out. The effect is that the more reputable data controllers are likely to present internet users with a series of “fair processing notices”, accompanied by pop-up boxes, which users will be required to “tick” to show that they really do consent to the relevant processing that the data controller wants to carry out.

This sounds good in theory.

In practice, the reality is likely to be horribly different – as fears are emerging that malware providers will take advantage of the “security by design” flaw that the Commission could be creating.

Let’s take a minute to imagine what will really happen. Internet users are human beings, not anoraks. They will not read fair processing notices. But, they will be conditioned to expect to see a plethora of “Commission inspired” pop-up boxes appearing before they get to access stuff they really want to be presented with.

So, what will they do? If they’re anything like me, and I do apologise in advance for wanting to act like a paid-up member of the human race, they will work out where they need to place their cursor to click on the “I accept” button, and they will just click it. They won’t read the stuff. No-one really reads this stuff. Life is too short to read privacy notices. I’m sorry, but it just is.

And, as the great unwashed click away at the snowstorm of consent boxes, it won’t be beyond the wit of a malware designer to sneakily insert an “I also accept this malware” box too. And the first time most people will be any the wiser will be after their data has been slurped up, or when their device has become part of a botnet - ironically, “legitimately”, as far as the malware provider is concerned.

How this type of naughty activity is investigated, and how the investigators will get the evidence they need to establish that users didn’t really provide their “consent” even when they clicked a bright blue “I accept” box, is a question that I really can’t answer.

So, obtaining “explicit consent” for various forms of processing may sound good in legal theory, but it also offers very interesting opportunities for new types of misbehaviour to be carried out on the great unwashed.



Tuesday, 11 September 2012

What might Facebook really know about me?

Let’s get it straight. I’m an admirer of Facebook and I find it a great way of keeping in touch with friends. And that’s why many hundreds of millions of us use it. This blog is not meant to knock the organisation.

What I also like about Facebook is the way it is capable of remembering so much about me (so long, of course, as I gave them the information in the first place). As far as I am concerned, this is useful – as I can now forget lots of stuff, clear it right out of my brain, yet always know that if I really did want that nugget of virtually useless information, it just might have been preserved. And, thanks to the great tools that Facebook has developed, it’s astonishingly easy to get hold of it, too.

In honour of our Facebook chums, and the hundreds of millions of Facebook users, I’ve reproduced some helpful guidance from their site which lists the sort of stuff that Facebook may know about us, just in case we had forgotten it and ever needed to know it again.

And to help you memorise the list, the stuff is grouped in alphabetical order, with a gap after every 5 items so you can take another breath:

About Me: Information you added to the About section of your timeline like relationships, work, education, where you live and more. It includes any updates or changes you made in the past and what’s currently in the About section of your timeline.
Account Status History: The dates when your account was reactivated, deactivated, disabled or deleted.
Address: Your current address or any past addresses you had on your account.
Alternate Name: Any alternate names you have on your account (ex: a maiden name or a nickname).
Apps: All of the apps you subscribe to.

Birthday Visibility: How your birthday appears on your timeline.
Chat: A history of the conversations you’ve had on Facebook Chat.
Check-ins: All of the places you’ve checked into.
Connections: The people who have liked your Page or Place, RSVPed to your event, installed your app or checked in to your advertised place within 24 hours of viewing or clicking on an ad or Sponsored Story.
Currency: Your preferred currency on Facebook. If you use Facebook Payments, this will be used to display prices and charge your credit cards.

Current City: The city you added to the About section of your timeline.
Date of Birth: The date you added to Birthday in the About section of your timeline.
Deleted Friends: The people you’ve unfriended.
Education: Any information you added to Education in the About section of your timeline.
Emails: Email addresses added to your account (even those you may have removed).

Events: Events you’ve joined or been invited to.
Family: Friends you’ve indicated are family members.
Favourite Quotes: Information you’ve added to the Favourite Quotes section of the About section of your timeline.
Friend Requests: Pending sent and received friend requests.
Friends: A list of your friends.

Gender: The gender you added to the About section of your timeline.
Groups: A list of groups you belong to on Facebook.
Hidden from News Feed: Any friends, apps or pages you’ve hidden from your News Feed.
Hometown: The place you added to hometown in the About section of your timeline (profile).
IP Addresses: A list of addresses where you’ve logged into your Facebook account.

Last Location: The last location associated with an update.
Likes on Other’s Posts: Posts, photos or other content you’ve liked.
Likes on Your Posts from others: Likes on your own posts, photos or other content.
Likes on Other Sites: Likes you’ve made on other sites off of Facebook.
Locale: The language you see on Facebook is based on where you’re located.

Logins: IP address, date and time associated with logins to your Facebook account.
Logouts: IP address, date and time associated with logouts from your Facebook account.
Messages: Archive of messages you’ve sent and received on Facebook.
Name: The name on your Facebook account.
Name Changes: Any changes you’ve made to the original name you used when you signed up for Facebook.

Networks: Networks (affiliations with schools or workplaces) that you belong to on Facebook.
Notes: Any notes you’ve written and published to your account.
Notification Settings: A list of all your notifications and whether you have email and text enabled or disabled for each.
Pages You Admin: A list of pages you admin.
Phone Numbers: Mobile phone numbers you’ve added to your account.

Photos: Any photos you’ve uploaded to your account.
Physical Tokens: Badges you’ve added to your account.
Pokes: A list of who’s poked you and who you’ve poked.
Political Views: Any information you added to Political Views in the About section of timeline.
Your Posts: Anything you posted to your own timeline, like photos, videos and status updates.

Posts by Others: Anything you posted to someone else’s timeline (profile), like photos, videos and status updates.
Recent Activities: Actions you’ve taken and interactions you’ve recently had.
Registration Date: The date you joined Facebook.
Religious Views: The information you added to Religious Views in the About section of your timeline.
Screen Names: The screen names you’ve added to your account, and the service they’re associated with. You can also see if they’re hidden or visible on your account.

Searches: Searches you’ve made on Facebook.
Spoken Languages: The languages you added to Spoken Languages in the About section of your timeline.
Status Updates: Any status updates you’ve posted.
Subscribers: A list of people who are subscribed to you.
Subscriptions: A list of people you subscribe to.

Tag Suggestions Template: A unique number based on a comparison of the photos you're tagged in. Facebook use this template to help your friends tag you in the photos they upload.
Work: Any information you’ve added to Work in the About section of your timeline.
Videos: Videos you’ve posted.


Friday, 7 September 2012

The next data protection Peer is ...

I enjoyed a most agreeable lunch yesterday on the terrace of the House of Lords.

It made me wonder when the second ever peer with real experience in the glorious art of data protection will be created.

In case you had forgotten, it is the Sovereign, on the advice of the Prime Minister, who formally confers all peerages. There is no statutory limit on the number of new peerages, either. The House of Lords Appointments Commission makes recommendations for non-party political peers and vets those nominated by the political parties.

In addition to the life peers, there are 26 Lords Spiritual and a further 92 hereditary peers who are elected to sit in the House by all of the hereditary peers. And, to further complicate matters, there are a few Law Lords who have been appointed under the Appellate Jurisdiction Act 1876.

So, what’s the process?

Well, following the passage of the House of Lords Act 1999, the Appointments Commission commenced work and the first group of non-party political peers became peers in 2001. Since then, some 61 new appointments to the Crossbenches have been made in this way. Is it a respectable number? Well, you decide. Hint - Between the time that Tony Blair became Prime Minister (May 1997) and June 2012, a total of 530 peerages were created.

If the Government is going to take all this data protection malarkey seriously, it will need to consider just how many data protection peers the nation ought to have. One probably isn’t enough. It needs to set a good example to us all. Unless, of course, the message it is really trying to send is that data protection isn’t that important at all really, because if it were then there would be more experts in the House of Lords who could use the platform to impress upon the nation the benefit of their wise experience.

Does it matter?

It matters to me, certainly. We need our ermine-clad Lords of data protection, so that the subject matter can be accorded the status that the European Commission would surely wish it already had.

Who will join the current gang of one? Who will end up keeping Lord Allan of Hallam (yes, he of Facebook fame) company on a long winter night in the chamber? Coincidentally, Lord Allan’s appointment was announced in the same list that featured former MP John Prescott, former Met Police Commissioner Sir Ian Blair, and former presenter of the BBC's legendary children's programmes, Playschool and Playaway, Floella Benjamin.

And when will this next appointment be made?

If I were a betting data protector, I would bet that this will happen in my lifetime. Or, to phrase it in the style of the Ottowa Express, who mourned the passing of that great actor Nigel Hawthorne, whose portrayal of Sir Humphrey Appleby GCB, KBE, MVO, MA (Oxon) in the British television series Yes Minister and Yes, Prime Minister: “While it would be premature to commit ourselves to a definitive position on the merits or even the existence of such a proposal, a committee is being struck to consider the possibility of a decision, in the fullness of time, to make recommendations, if any.”

And who will it be? Well, I have a few names I would be happy to propose, but I know that any public support from me is likely to greatly blight their chances, so I won’t go on the record just yet.

If anyone else has any bright ideas – please feel free to contact me in the usual manner.

Also, please let me know if you spot a discreet advert in The Times for someone who frequently uses both their mastery of the English language and even their superb grasp of Latin and Greek grammar to perplex their audience and to obscure relevant issues under discussion. It would, apparently, be desirable for the successful candidate to use language as a tool of confusion and obstruction in a way that is so deeply ingrained that they are sometimes unable to speak clearly and directly even in circumstances in which they honestly wish to make themselves clearly understood. They should genuinely believe that they know what the average person needs, and be the most qualified person to run the country.

With more than a nod to those great folk at, whose work I have lovingly plagiarised in the latter part of this article.
House of Lords Library Note LLN 2012/023


Tuesday, 4 September 2012

Exclusive: Information Commissioner not hit by custard pie today

I can exclusively report that, today in the Wilson Room in Portcullis House, Westminster, Christopher Graham was not hit by a custard pie as he gave evidence to the Justice Select Committee of the House of Commons, which held its first evidence session in its inquiry into the EU’s data protection framework proposals.

Actually, it was a pretty good natured event. His wing man, Deputy Commissioner David Smith, wasn’t required to protect the Commissioner as Wendi Deng had protected her husband, Rupert Murdoch, back in July 2011. There was no opportunity for “Ninja Smith” to exhibit any of his formidable self-defence skills.

There was an opportunity, however, for them both to offer plenty of constructive thoughts on the Commission’s proposals – and the message was that the ICO supported proposals which led to outcomes that promoted good regulation, and good behaviours by data controllers. I was waiting for someone to utter the phrase “selective to be effective”, but today was not the opportunity to hear that one. But there was a considerable emphasis on the point that “prescribing the results is more important than prescribing the forms you need to fill in.” That seemed to go down well with the Committee members.

Those that have a couple of hours free can listen to an audio recording of today’s events here.

We heard a bit of stuff on the right to be forgotten – and the need not to mislead individuals that this “right” was actually giving them rights that they didn’t already have. When particular sound bites are used, it can be so tempting for people to take them literally. The bigger point was to focus on what was consumer friendly and new in the text – like the revised right to object. As we all know, Article 19 reverses the current burden of proof, so if an individual objects to processing, it will be up to the data controller to demonstrate why it is necessary to continue to process the information, not for the individual to prove why the continued processing is so awful.

A new soundbite emerged: consistency and equivalence of approach is much better than harmonisation.

And, there was a renewed emphasis on the need to negotiate the UK’s position in a reasoned, co-operative way, rather than just grandstanding. We’re all diplomats, now.

Again, all useful stuff.

The showstopper, in terms of evidence, was saved until the last minute. Christopher Graham revealed more details of the compliance cost assessment that his office had carried out. It ranged from the least that could possibly be expected of the ICO in terms of carrying out the duties that the current draft would impose on his team (which would result in a 56% increase in current funding levels) to a more reasoned costing which reflects their “advise & assist” remit as well as the “enforce & punish” obligation. On this calculation, his funding would need to increase by 187%. And it was evident that there was no thirst to meet such increases in public expenditure.

His message was stark: “You are describing a system that no-one can pay for.”

It was a sombre note to end on. But the Committee was in a sombre mood by that time, too. None had been called by the Prime Minister during the session offering them a job in the newly reshuffled Government.

Sitting, a few moments later, in a Parliamentary coffee shop, I spotted a reshuffled MP (no names, that would be rude) receiving some appreciative nods from colleagues – yes, this really was someone who had received the political equivalent of a custard pie today.




Monday, 3 September 2012

Will the Commissioner get hit by a custard pie tomorrow?

On Tuesday morning, the eyes of the data protection world will be focussing on events unfolding in the Wilson Room in Portcullis House, Westminster.

Why? What’s happening?

The Justice Select Committee of the House of Commons will hold its first evidence session in its inquiry into the EU’s data protection framework proposals.

The warm up acts will get going around 10.30am, when Ian Readhead, Director of Information, Association of Chief Police Officers, and Merilyne Knox, Head of Public Access Office, Metropolitan Police, will be questioned on the considered views of the law enforcement community. That won’t take long. Twenty five minutes later, Jean Gonié, Director of Privacy EU Affairs, Microsoft, and Sietske de Groot, Senior EU and International Affairs Policy Adviser, Federation of Small Businesses, will occupy the witness seats. They just get 35 minutes.

Then, at 11.30, everyone gets ready to hear from the main men. Yes, for 60 minutes, Christopher Graham, Information Commissioner and David Smith, Deputy Commissioner and Director of Data Protection, get to answer questions put by Committee members without hesitation, deviation, or repetition on some of the most important issues of the moment.

It’s going to be fun. But don’t worry if you can’t get there yourself. It ought to be broadcast live on Parliamentary TV, and a recording of the session will be available for posterity.

I don’t think it’s going to be one of those “custard pie” sessions – you know, where an aggrieved member of the general public becomes so incensed with the evidence given by the principal witness that they try to toss a custard pie in their face. This has happened before - in that very same room - remember what Rupert Murdoch got from Jonnie Marbles when he kindly agreed to share some of his views with politicians in Portcullis House on 19 July 2011. And remember how brilliantly his wife, Wendi Deng had reacted: “with an open palm, she brought down a blow hard and with full fury on to Marbles' head, just as if she was spiking a volleyball.”

I wonder whether Christopher Graham's wing man, David Smith, has been taking any self-defence lessons – after all, Tuesday just might well be his Wendi Deng moment.

Seriously, I hope the Committee gets something out of this session. It ought to give the Commissioner the opportunity to tell the Committee what we all know already (after all, we’re all ICO disciples and all have eagerly devoured every comment that has ever been made by any ICO official about this initiative). But I hope Christopher Graham gets the opportunity to offer some new material too. It would be nice for him to be asked, if he explains that the current proposal is actually too expensive to implement within a reasonable period of time, to set out just what level of investment within what time period ought/could be made by data controllers to improve their current standards.

I also hope he gets the opportunity to make the point that it’s unfair for so many commentators to criticise his officials for failing to be sufficiently proactive in so many areas at a time when he is starved of the resources that are really required to meet the obligations that are imposed on him. His office may, in relative terms, be better resourced than many of the Information Commissioners in the rest of Europe, but is that really sufficient? I think not.

Perhaps, he will need to reduce public expectations about his public role so that the public understand why bad stuff continues to happen. Like spam, mistakes on credit files and data breaches. Why should the ICO be blamed for a series of events that they can’t control, or effectively police? All I tend to hear is that “something must be done” and that “the ICO” must do it, but without any proper discussion about how the resources will be provided (or reallocated) to enable it to do it properly.

I’ll probably be in the audience. But I most certainly won’t have a custard pie in my pocket.

This link also provides a link to a video of that awful event in July 2011:


Sunday, 2 September 2012

The Economist’s approach to privacy

I like The Economist. It’s a good magazine. The articles are just about the right length to keep my attention.

And I like The Economist even more when it reports my views. So, I especially liked reading this week’s edition.

One of its more enterprising journalists had spotted my recent blog on the Midata project – and kindly got in touch for a quick chat, and told me that some of them might end up in his article.

My heart sank when I read the headline: “Shameless self promotion” – as I thought for a second that the journalist was referring to me! Thankfully he wasn’t, as you will discover should you read it.

I then did the usual nerdy thing of checking out the Economist’s privacy policy and cookie policy. Was there one? Yes there was. Was it any good? Yes, it hit the spot.

So keen, indeed, is the Economist to comply with data protection and the cookie rules that it devotes almost 20% of its privacy policy (which is, thankfully, just 1481 words long) to cookies, and a further 864 words to a special Cookies Info site dedicated purely to those obsessed with the cookie stuff.

It would be nice, in say, a year’s time, to ask some companies how many people (or what percentage of visitors) have ever checked out these pages. If I were to predict the likely results, I would be honestly amazed if many people had ever deliberately accessed them. Actually, I would be delighted if lots of people had accessed them. After all, it’s taken some companies a lot of effort to make sure they comply with the rules. I wouldn’t want to feel like a group of performers at the Edinburgh Festival who had carefully crafted a show, rehearsed it extensively, booked a decent sized venue, and then played it every night for 3 weeks to an audience of 2.

I do like the advice on whether their site will work if cookies are disabled, and why the message explaining cookies keeps appearing:

"You can browse The Economist online with cookies disabled, though some interactions may not work. For example, ticking the “Stay logged in” box at login will not actually keep you logged in to the site unless you have enabled cookies.

If you close the banner and it reappears the next time you visit us, you most likely have cookies disabled. We use a persistent cookie to remember that you closed the banner, but this only works when cookies on our site are enabled."