Monday, 25 November 2013

Amberhawk Associates

Who can you turn to when you encounter a data protection problem that needs specialist advice?   

Those with the sharpest pairs of eyes will have noted the recent emergence of a new option.

People who want to be trained by the some of the brightest brains in the business use Chris Pounder and Sue Cullen at Amberhawk, whose record in preparing candidates for the BCS / ISEB data protection exams is second to none. Yes, there are easier data protection qualifications to obtain, and a range of other providers offer them. However, those with a BCS / ISEB qualification really do know their stuff.

As a new service, Amberhawk are now offering hands-on help and assistance from a range of highly skilled and experienced ISEB-qualified data protection practitioners. Naturally,  Amberhawk will continue to offer the usual range of training courses, as well as a suite of new ones. But, there will always be occasions when organisations won’t want (or don’t have the time) to train one of their own staff to deal with a pressing data protection issue.

And when that happens, these organisations can either turn to the usual suspects, or they can enquire about the availability of a Amberhawk Associate.  

Bookmark this site. You never know when it might come in handy.

When I find myself in times of trouble
An Amberhawk Associate will work with me
Sound advice and wisdom
For a very reasonable fee

A century of wisdom
Coming through my office door
Whatever I have to show them
They’ve seen it all before

My workmates are not stupid
They just can’t practice what I preach
Help me, help me, help me
With this awful data breach

Legal details overwhelm me
I cannot spare the time
What measures should be put in place
To avoid an ICO fine?

A management decision
Made only yesterday
Ridiculous deadlines
Will you do this PIA?

Guide me through the path
Of regulatory mayhem
Keep me away from
The wrath of Christopher Graham

You’re a friend I can rely on
When I’ve too much on my plate
Thank you, thank you, thank you
Amberhawk Associate



Friday, 22 November 2013

The Dead Regulation Sketch

Brilliant news to report. The Monty Python team will be performing in London next year, for a one-off show that will surely be followed by a world tour and a boxed set of DVDs.

I understand that they will be reprising some of their most famous sketches, sprinkled with a few topical updates.

In that case, and if they are looking for inspirations to review their marvelous “Dead Parrot” sketch, I’m hoping that they might want to cast their eyes over this version, which I’ve written for the ICO’s Xmas panto.  

Picture this. Set in “the Legislation shoppe” in deepest Brussels, a regulator approaches the European Commissioner’s counter:
Regulator: 'Ello, I wish to register a complaint.
(The Commissioner does not respond.)
R: 'Ello, Miss?
Commissioner: What do you mean "miss"?
R: I'm sorry, I have a cold. I wish to make a complaint!
C: We're closin' for the elections.
R: Never mind that, my girl. I wish to complain about this regulation what I purchased not half an hour ago from this very counter.
C: Oh yes, the, uh, the Data Reg ... What's,uh ... What's wrong with it?
R: I'll tell you what's wrong with it, my girl. It's dead, that's what's wrong with it!
C: No, no, it's uh, ... it's resting.
R: Look, matey, I know a dead regulation when I see one, and I'm looking at one right now.
C: No no it's not dead, it's, it's restin'! Remarkable law, the Data Reg, idn'it, ay? Beautiful articles!
R: The articles don't enter into it. It's stone dead.
C: Nononono, no, no! It's resting!
R: All right then, if it's restin', I'll wake it up!
(shouting at the file of papers)
'Ello, Mister Regulation! I've got a lovely fresh data breach for you if you show ... (Commissioner hits the file)
C: There, it moved!
R: No, it didn't, that was you hitting the papers!
C: I never!!
R: Yes, you did!
C: I never, never did anything ...
R: (yelling and hitting the file repeatedly) 'ELLO REGULATION!!!!!
Testing! Testing! Testing! Testing! This is your Article 29 Working Party Deputy Chairman calling!
(Takes document out of it's file and thumps it on the counter. Throws it up in the air and watches the papers flutter to the floor.)
R: Now that's what I call a dead Regulation.
C: No, no ... No, it's stunned!
C: Yeah! You stunned it, just as it was wakin' up! Data Regs stun easily, Chris.
R: Um ... now look ... now look, miss, I've definitely 'ad enough of this. That regulation is definitely deceased, and when I purchased it not 'alf an hour ago, you assured me that its total lack of movement was due to it bein' tired and shagged out following a prolonged privacy impact assessment.
C: Well, it's ... it's, ah ... probably pining for the fjords.
R: PININ' for the FJORDS?!?!?!? What kind of talk is that?, look, why did it fall flat on its face the moment I got it home?
C: The Data Reg prefers kippin' on it's face! Remarkable law, id'nit, squire? Lovely articles!
R: Look, I took the liberty of examining that regulation when I got it home, and I discovered the only reason that it was in this file in the first place was that it had been NAILED there.
C: Well, o'course it was nailed there! If I hadn't nailed that law down, it would have nuzzled up to those privacy geeks, bent 'em apart with it's beak, and VOOM! Feeweeweewee!
R: "VOOM"?!? Miss, this law wouldn't "voom" if you put four million volts through it! It's bleedin' demised!
O: No no! It's pining!
C: 'It's not pinin'! It's passed on! This law is no more! It has ceased to be! It's expired and gone to meet it's maker!
It's a stiff! Bereft of life, It rests in peace! If you hadn't nailed it in this file it'd be pushing up the daisies!
It’s parliamentary progress is now 'istory! It's off the twig!
It’s kicked the bucket, it's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisibile!!
C: Well, I'd better replace it, then.
(she takes a quick peek behind the counter)
C: Sorry squire, I've had a look 'round the back of the counter, and uh, we're right out of regulations.
R: I see. I see, I get the picture.
C: But I’ve got a directive ...

(Lights fade, curtains close )

All credit to the Monty Python team for the inspiration for the above sketch. Whatever you do, try your hardest to get a ticket for their show next year. And if they are not available, then see if you can get one for the ICO’s Xmas panto instead. 


Sunday, 17 November 2013

The Regulation: Time to make our minds up

Last night’s meeting of the Crouch End Chapter of the Institute for Data Protection focused on the Regulation, and more specifically, on the rousing speech that our Minister will make at the next meeting of the Justice & Home Affairs Council in early December. Those present at that meeting will finally decide whether it’s likely that there will be time for a new legal instrument on data protection to be agreed before the European Parliament is dissolved and a new crop of parliamentarians are elected next year. Yes we plucky Brits may be outvoted at the December meeting, but that's a small price to pay for living in this topsy turvey Euro world.

After much discussion, and just before “last orders” were called, a communiqué was agreed, which will be sent to the Ministry of Justice in the usual manner.  Hopefully, the Minister will find it helpful as a speaking note.

For those who are not suffering from too much data protection regulation fatigue, here is the text:

We are making this declaration

On behalf of the British nation

It should be the intent

Of our Parliament

To say: “no” to this Regulation

To:  the Euro Queen of data

We cannot say we hate her

But at her plans we’ve looked

And they’re not fully cooked

So it’s: “not just now, but later”

We’ve heard from many a petitioner

The proposed rules can’t be followed by a practitioner

We must end this perversion

And agree a new version

Under the reign of a new Commissioner

Into a surveillance society we may well have stepped

And, yes, there are fundamental rights to protect

But it is reprehensible

If we can’t develop sensible

Laws we can all respect

Image credit:


Saturday, 9 November 2013

Admitting a new Information Commissioner

How should an incoming Information Commissioner start his first day at work in Wilmslow?

I pondered over this question as I sat in London’s Guildhall yesterday, witnessing the famous silent ceremony, when the Lord Mayor of London is formally admitted into this historic office. The only words that were spoken were those by the Lord Mayor Elect as she (yes, it was a she for only the second time in history) made her promissory oath. What then followed was a rather elaborate ballet where formally attired dignitaries advanced to the Lord Mayor’s chair, made silent reverences and offered tokens of the City of London, and then retired with said tokens, after having made further silent reverences.

After the ceremony, I was allowed to hold the Lord Mayor’s sceptre (pictured, along with the current seal of the City of London) – which contains, in the centre, a piece of rock crystal that was carved in the Anglo Saxon period. This 18” baton is over 1,000 years old. The shaft is spiral, inlaid with gold with pendant pearls, uncut rubies and sapphires. Before there was a King of England, this was the staff of office of the ruler whom Londoners elected each year. It really was a great privilege to hold such a historic (and priceless) object.

So what ceremony ought accompany the Information Commissioner on his first working day in Wilmslow?  

If ever asked by the Lord Chamberlain’s Office for some ideas, I would probably offer something like this:

The incoming Information Commissioner is admitted to Wycliffe House on the Friday next preceding the second Saturday after his appointment has been ratified by the Secretary of State for Justice.

On the morning of the admission, senior member of the ICO’s management team meet the incoming Commissioner at the Slug & Lettuce bar in Water Lane (just across the road from Wycliffe House), where drinks are served.

At 11.25am, the Commissioner, wearing a hat, leaves the Slug & Lettuce for Wycliffe House, in state, attended by the Deputy Commissioners, who are carrying their hats, other members of the Executive Team and the Management Committee, who don’t have hats.  The Commissioner’s Macebearer, who wears the best hat of all, also carries the Commissioner’s warrant.

The route from the Slug and Lettuce to Wycliffe House is lined by ICO staff, 5 paces apart, in order of seniority.

At 11.28am the Commissioner is greeted at the door of Wycliffe House by the Head of Security who, after making three reverences, receives the Commissioner’s hat, and invites the Commissioner to sign for his personal locker key, and then sign a declaration to confirm adherence to the organisation’s clear desk policy.

The Commissioner signs for his personal locker key and the clear desk policy declaration, and is given back his hat. The Head of Security retires, making three reverences.

The Head of IT then advances, making three reverences, and presents, on a velvet cushion, the encrypted data stick which belonged to the former Information Commissioner, to the incoming Commissioner.

The Commissioner commands the Head of Security to destroy the data stick with the Francis Aldhouse Memorial Hammer.

The data stick is placed on the floor, and is given a mighty whack with the hammer, smashing it into pieces. 

This signifies that all secrets held by the former Information Commissioner will remain, for evermore, secret.

The Head of Head and Safety then advances, making three reverences and clears away the data stick shards with a dustpan and brush before retiring, making three more reverences.

The doors of Wycliffe House are now flung open and the Commissioner, preceded by his Macebearer, the Deputy Commissioners and the Management Committee, advance and walk up the stairs to the Commissioner’s desk in a corner of an open plan office on the first floor.

As the Incoming  Commissioner’s left foot lands on the first tread of the stairs, members of the ICO chorus, accompanied by the massed bands of Wilmslow’s Boys Brigade and the Girl Scouts Association, begin singing the first 5 verses of  “There’s no business like ICO business”.

When the Commissioner, the Commissioner’s Macebearer, the Deputy Commissioners and other members of the Executive Team and the Management Committee can no longer be seen by anyone standing in the ground floor reception area, the doors to Wycliffe House are locked shut to keep the oiks out.

And the town of Wilmslow returns to its usual state.


Friday, 8 November 2013

British spooks

I’ve avoided commenting on matters relating to the Snowden revelations.

But, having sat through yesterday’s session of Parliament’s Intelligence & Security Committee, where the heads of our foremost intelligence agencies were politely questioned for an hour and a half, I’m ready to break my vow of silence.

I’ll do it by drawing attention to a recently published paper on “mass surveillance of personal data by EU Member States and its compatibility with EU law.” It was commissioned as a briefing paper by the European Parliament’s LIBE Committee in the wake of the Snowden revelations.  The paper is remarkably brief too – just 65 pages long, which is virtually nothing by European data protection standards.

I’m very grateful to Volodymyr Kozak, the Deputy Head of the State Service of the Ukraine on Personal Data Protection, for drawing my attention in to it.

If you want to know just what the Swedish, French, German and Dutch Governments (but not the Ukrainians) have got up to, then this is the place to start. I’m not sure anyone will learn anything new about what the Americans or we Brits have been alleged to have got up to, as that material has already been subject to a lot of publicity. The capacities of Sweden, France and Germany (in terms of budget and human resources) are low compared with the operations launched by Britain and the USA – but then again, I venture to suggest, so is the national security threat to those countries. When it comes to intelligence capabilities, we plucky Brits lead our European colleagues by a country mile. But we are not the only Europeans who are engaged in such activities.

The authors (a small team of academics) make some decent points – in that there has recently been a reconfiguration of surveillance that enables access to a much larger scale of data, that it’s the purpose and scale of surveillance that are at the core of what differentiates democratic regimes from police states, and that in turn this raises the issue of the accountability of intelligence services and their private sector partners.

I disagree, however, with their recommended remedy – which is that, inter alia, that the European Parliament has a role to play in ensuring sufficient trust and confidence among European citizens.


The remedy has to lie at the national level, and with the integrity of the actors who are involved at all levels of spookery. As the Head of GCHQ said yesterday in Parliament, his staff would refuse to listen to intercepted conversations if they felt that what they were doing was wrong. I believe him. In an earlier part of my working life, I spent over a decade working with people involved in this area.  The overwhelming majority have struck me as behaving with the utmost integrity. I’ve met lots of genuinely nice folk who care about the work they do and respect the different cultural and social values they are protecting. What we need are stronger mechanisms to assure citizens that the appropriate controls are in place – and I have far more confidence in controls that can be implemented at a Nation State level than at an EU level.

British national security laws are firmly based on the European Convention on Human Rights. I’m really not sure what added value could be offered by greater legislative controls emerging from the European Parliament.  I don’t feel sufficiently qualified to offer similar assurances about the legislative and procedural controls that currently exist in Sweden, France, and Germany.  

And I’ll keep my views on the controls that govern the NSA’s activities to myself for the time being.


Thursday, 7 November 2013

Public authority data leaks: poor standards or good reporting habits?

Someone attending this week’s London Information Rights Forum made an interesting observation about data leaks in public authorities. The real issue, he proposed, was not that public authorities were bad at handling personal data. Actually, the real issue was that, compared with the private sector, local authorities were really good at reporting data breaches.

There was general murmuring in agreement.

I thought about this when reading Dawn Monaghan’s excellent blog on the ICO’s website. In her view:

“The breaches reported to us are preventable and it is up to councils to make sure they are stopping them before a serious breach occurs. Failure to do so not only leaves a council in line for a potential fine of up to £500,000, but also shows that they have failed to play their part in breaking a damaging cycle of data protection failings within the local government sector.”

But what else could be done to break this damaging cycle of data protection failings?

Perhaps the ICO should refocus its enforcement attention away from council officials and towards the elected officials, under whose supervision these breaches have occurred. Why have they failed in their duty to ensure either that appropriate systems were in place to ensure good data handling standards? Was it, perhaps, because they had failed in their duty to ensure that adequate resources were actually available in the first place to promote and facilitate good handling standards?

Is does strike me as ironic how, when things go wrong, it’s always the public servants, rather than the elected officials, who shoulder the blame.

But given the ever changing services that public bodies are expected to provide, and the increasingly limited funds available to public sector officials for them to do it, is it any wonder that decisions are taken to prioritise resources in directions other than data protection?

It may be a familiar refrain, but I don’t think it’s any less relevant – surely politicians need to recognise that good data protection standards (and fundamental rights) come with a price tag attached.  And you can only squeeze budgets so much before people of good faith get close to breaking point.  No decent professional sets put to do a bad job. But, these days, so many seem to be not waving but drowning.

In some areas, I suspect the breaking point is upon us. When I hear public servants involved with data protection privately confide that they don’t expect to get another pay rise in their lifetime, I wonder whether their heart is really in this game.  

And how might they respond? 

Perhaps by continuing to point out the data protection failings in their own organisations, in the hope that, at some stage, someone will conjure up the resources required to fix the problem as easily as you can whip rabbits out of a hat.

Where are you, Paul Daniels, when your country needs you?


Image credit:


Monday, 4 November 2013

Blah blah blah

Here we go again. 

The usual suspects were strutting their usual stuff at a panel session on communications data, surveillance and privacy in Westminster last week. Me included. I joined a panel that featured Assistant Chief Constable Martin Beautridge from Kent & Essex police, Jamie Bartlett, Head of the Violence & Extremism programme at Demos, and Gus Hosein from Privacy International. Chaired by Chi Onwurah MP, we all agreed that there was a lot we shared in common, and only a few issues where there were key differences in opinion.

Will anything change as a result of this exchange of views? Unlikely, I fear. Just as very little will change following the meeting tonight at the Royal Institution of British Architects on mass surveillance. A few livers will feel the effects of dealing with an awful lot of alcohol in an awfully short period, but that’s what you get when you get a load of policy wonks in a pub after an earnest night agreeing with everyone else in the room.

Too many of these meetings are too one sided. No-one really changes their opinion. Indeed their whole purpose seems to be to bind people together and make them realise just how wrong the other side actually is. If only “they” could see things from “our” perspective.

Regardless of the side you’re on, everyone appreciates that the spooks occasionally need to access information that would normally be considered private, and that there ought to be checks and balances in place to make sure that they don’t abuse their privileged position. But who guards our guardians? Some think it ought to be the judiciary. Others think it ought to be a crack team of poachers turned gamekeepers. 

I still think it should be me.

Since no minds will be changed tonight, I won’t be attending the event at RIBA. I’ll pop over to a friend’s fireworks party instead.

Then, I’ll finish my preparations for London’s great event of tomorrow – where members of the London Information Rights Forum will be assembling to hear a range of dynamic speakers present on a range of topics that are on the tip of every data protection professional’s tongue. And me.

My theme, tomorrow, is not on communications data or mass surveillance. Instead I’ll be focussing on an initiative the ICO has been banging on about for a few years – that of privacy impact assessments. But, rather than bore everyone to death with detailed instructions on how to do them, I’ll be telling them the spooky tail of some cunning plans that are being hatched deep within the European Commission. These plans could turn PIAs into a tool that will keep us data protection folk gainfully employed for a long time to come. 

Much longer than we probably want to be gainfully employed for, come to think of it.

And they’re likely to keep some of us awake all night, too.

But I’ll expand on that theme in a later blog. 

Image credit: