Thursday 29 May 2014

2 more privacy qualifications announced

Those who want formal privacy qualifications and are bemused by the range of certificates on offer will shortly be able to choose between two more.

The IAPP has announced a new Certified Information Privacy Technologist (CIPT) certification. The text book will be published in July, while the first accreditation exams will be held in the US in mid-September. If you are an IT professional who needs training on how to embed privacy into a company’s IT programme including establishing privacy practices around data collection and transfer, understanding consumer privacy expectations and responsibility, as well as developing privacy notifications, then this could be of interest to you.

This qualification complements the IAPP’s other privacy certifications – the Certified Information Privacy Professional (CIPP) which focuses on addressing privacy laws and regulations, and the Certified Information Privacy Manager (CIPM) which focuses on how to operationalize privacy throughout an organisation.

The British Computer Society, on the other hand, has just announced that it will soon launch its Foundation Certificate in Data Protection – which appears to be of a standard equivalent to that of the IAPP’s CIPP qualification. If you apply for the BCS’s Foundation Certificate, you’ll sit an hour-long exam, dealing with 40 multiple choice questions. No mini essays to write. Just tick 40 boxes. The pass mark is 65% (26 out of the 40 questions).

Candidates that successfully complete the BCS’s exam will then hold a recognised qualification in data protection, appreciate the way in which the Data Protection Act and the PECR (marketing) regulations work, understand individual and organisational responsibilities under the DPA, and generally be better placed to support organisations in managing and handling customer data properly.

The Foundation Course will also provide a stepping stone for those who decide at a later stage to undergo more rigorous training to obtain the BCS’s Practitioner Certificate in Data Protection. This is the famous ISEB, the gold standard of data protection qualifications. Beware – the ISEB exam does require candidates to write mini and longer essays, as well as complete a set of multiple choice questions.

So what factors might influence a candidate who was faced with a choice of the IAPP’s CIPP qualification or the BCS’s Foundation Certificate?

Cost might be a factor, as I understand that the BCS is keen to ensure that its fees are extremely competitive. The public exam fee is just £145, and accredited trainers (if you decide to seek the support of any accredited training, that is) are likely to charge reasonably low fees, too, as the BCS estimates that candidates only need undergo some 16 hours of study before sitting the exam.

But unlike the IAPP, I understand, there is no requirement to undertake continuing professional education to keep the certification up to date. In other words, Foundation Certificate holders won’t be required to spend a minimum number of hours attending data protection courses – or conferences – throughout the year, or to pay an annual association membership fee. That might well appeal to some cash-strapped employers who are interested in paying for their employees’ professional qualifications, but don’t want to tie themselves or their employees into longer term financial commitments.

As far as the exam format is concerned, both the IAPP and the BCS will require candidates to visit an exam venue, sit in front of a computer screen, and tick various boxes. There is no need for candidates to display any of their poor handwriting, spelling or punctuation skills.

Whatever certification you go for (or whatever certification you go for first), I do wish you all the best. Let’s hope that employers will find the certificate to be of sufficient value that it suitably enhances the earning potential of certificate holders.

Note:
While I’ve referred to the BCS and the IAPP in this blog, privacy certificates are available from other providers. Google will help those who need to understand who’s selling what. I’m not aware of any independent work that has been carried out on the relative value of these certificates.

Buyer, beware!



Wednesday 28 May 2014

ICO hits the mark with its new quiz

Yesterday I criticised the ICO for missing a golden opportunity to show just how radical, innovative and helpful it can be.

And today?

Hurrah! I read news of an initiative that really is radical, innovative and helpful.

What am I referring to?

I’m referring to the ICO’s attempt to remind us about the differences between data controllers and data processors. If you point your browser to the right part of the ICO’s website, you’ll find updated guidance, together with a short on-line quiz that reminds you why you do need to read the (20 page) guidance.

Rocket science? No, it’s not – and this is to be welcomed. You don’t have to be a lawyer to understand the concepts that the ICO has set out. Which is a great help to those organisations for whom the cost of obtaining legal advice on data protection matters is becoming overly burdensome.

Here’s a hint – do read the ICO’s guidance before taking the test. Otherwise you could be kicking yourself when you realise that you’ve made (at least) one basic error when answering the (7 question) quiz.

Hopefully, the ICO will be fired up with the success of this initiative and will commission a series of short on-line quizzes on essential themes. The initiative may well reduce the potential fee income to be earned by the commercial training providers, but it does provide society with a very valuable service, by removing some of the mysticism and debunking some of the data protection myths that have developed over the past few years.

I’m certainly looking forward to taking the next on-line quiz.


Tuesday 27 May 2014

ICO’s revised CCTV Code misses a trick

The ICO has missed a golden opportunity to show just how radical, innovative and helpful it can be.

Why?

Because it’s consulting on revisions to its CCTV Code of Practice, which was last revised in 2008.

Yes, technology has moved on since the publication of that Code. But so, importantly, has the regulatory environment.

Back in 2008, the ICO basically monopolised the CCTV regulatory market. Of course it didn’t regulate the use of CCTV for sneaky stuff – that was a task for the Surveillance Commissioner. But as far as non-covert regulation was concerned, the ICO ruled.

Now, let’s shift forward to 2012 – which was significant in that the post of the Surveillance Camera Commissioner was created by the Protection of Freedoms Act. This Commissioner didn't regulate the use of CCTV (or other camera systems) for sneaky stuff either. But the Act did carve out a special role for someone to promote good standards concerning the use of some camera systems operated for the benefit of public authorities, particularly with regard to parking and policing, and in a few cases where the ICO’s remit might not quite have stretched.

The 2012 Act also provided that the SCC must publish a Code and, despite having no enforcement or inspection powers, he should encourage compliance with it. This document, published in June 2013, is some 22 pages long and contains 12 guiding principles. The Act didn't, however, prohibit the Commissioner from working with like-minded Commissioners to craft a joint Code.

Significantly, the introductory blurb to the Code explains that: “In order to fulfil these functions effectively, the commissioner must work closely with other regulators including the Information Commissioner and the Chief Surveillance Commissioner. It is for the commissioner and other regulators to determine how best to maintain and formalise these relationships, to agree gateways through which issues flow between the public and the commissioners and how best to publicise and report on arrangements to support these relationships which will be critical in ensuring the success of the code in meeting its purpose.”

Now, let’s shift forward to 2014, and look at the ICO’s revised CCTV Code. Let’s be clear – not much has changed. This document, some 31 pages long, contains a useful “Checklist for users of limited CCTV systems monitoring small retail and business premises”.  Fancy that! The checklist contains 12 key points, almost any of which could be swapped with one of the SCC’s 12 principles, and hardly anyone would notice.

So why on earth should we require two regulators to publish independent Codes on basically the same subject?

Why can’t we require, in a spirit of joined-up Government – and joined-up regulation, the ICO and the SCC to work together to publish a single document, containing a single set of standards, on the subject?

Now, that would be really radical, innovative and useful.

One set of standards that accommodates the considered views of different regulators. One code to rule them all!

Bring it on.


Technical Note:
For the anoraks who like to digest the subtle differences of view between different regulators, I set out below the different sets of principles promulgated by each regulator. They are so similar it really makes sense for a single set of points to be published in a single document.

If we want a simple life, that is.

SCC Guiding Principles

  1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
  2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
  3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
  6. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
  7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
  8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
  9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
  11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

ICO Guiding Principles

  1. Notification has been submitted to the Information Commissioner and the next renewal date recorded. 
  2. There is a named individual who is responsible for the operation of the system. 
  3. The problem we are trying to address has been clearly defined and installing cameras is the best solution.
  4. A system has been chosen which produces clear images which the law enforcement bodies (usually the police) can use to investigate crime and these can easily be taken from the system when required. 
  5. Cameras have been sited so that they provide clear images. 
  6. Cameras have been positioned to avoid capturing the images of persons not visiting the premises. 
  7. There are visible signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system contact details are displayed on the sign(s).
  8. Images from this CCTV system are securely stored, where only a limited number of authorised persons may have access to them. 
  9. The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed) and the incident to be investigated. Except for law enforcement bodies, images will not be provided to third parties.
  10. The potential impact on individuals’ privacy has been identified and taken into account in the use of the system.
  11. The organisation knows how to respond to individuals making requests for copies of their own images. If unsure the controller knows to seek advice from the Information Commissioner as soon as such a request is made. 
  12. Regular checks are carried out to ensure that the system is working properly and produces high quality images. 
   


Wednesday 21 May 2014

Great jobs available at the ICO! (Shame about the pay)

The ICO is currently recruiting for a Lead Intelligence Officer. On paper, it looks like an important position. It is, after all, a “Level D” role. The jobholder will be: “responsible for liaising with stakeholders, undertaking detailed research and analysis to build intelligence pictures, developing and completing intelligence collection plans, creating and interpreting intelligence products, and identifying new and emerging threats to enable and support enforcement and wider ICO activity.”

And there’s more: “As well as a degree, equivalent qualification or relevant work experience, you’ll need to be a confident communicator who can deal with both customers and internal stakeholders. Your judgement, intellect and initiative will give you the ability to handle your casework autonomously and confidently. And as legislation changes, you’ll develop your expertise accordingly.”

They’re even going to pay the successful applicant. The starting salary is £22,330 (which works out, at 37 hours a week for 52 weeks a year, at some £11.60 per hour) – well above the statutory minimum wage of £6.31.

Alternatively, job applicants may wish to cast their eyes to vacancies being advertised in the City of London. One that recently caught my eye was for a Head of Data Protection for a large insurance broker. This jobholder will need to demonstrate:
  • Previous experience of senior Data Protection roles in other large financial services company (broker, bank, insurer). Likely to have approximately 6+ years’ experience;
  • Experience of setting up and monitoring a comprehensive data protection environment is preferred;
  • Good understanding and working knowledge of current data protection practices & techniques;
  • A strong knowledge of corporate governance practices and EU / national legislation relating to data protection; and an
  • In-depth working knowledge of data protection legislation and practical application;
They’re also planning to pay the successful applicant – but at a level of around £70,000, somewhat more than the going rate in Wilmslow. Actually, that’s almost £20,000 greater than the starting salary of some of the most senior people in Wilmslow, who occupy “Level H” roles.

Admittedly, the cost of season tickets to commute to Wilmslow / London is not the same – the London commute probably costs double that of the equivalent Manchester/Wilmslow annual season ticket (£1,384). But can it be said that the cost of living / working in Manchester / Wilmslow is really that much lower than in London?

We should be grateful that there are sufficient people who have sufficient means that enable them to survive on an ICO wage.



Tuesday 20 May 2014

More evidence that the GDPR is moribund emerges

What are we to make of the following comment by one of Europe’s better known, and better respected, Data Protection Regulators:

“Our audits of State organisations have, in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State. Laudable objectives such as fraud prevention and greater efficiency must meet a test of proportionality in the manner in which personal data is used. Failure to treat personal data with respect can only lessen the trust that should exist between the individual and the State. It will also lead inevitably to more formal enforcement action by my Office unless system-wide action is taken to improve current practice.”

To me, it indicates that this national regulator is getting pretty sick and tired of the low data protection standards that are currently practised by a significant number of public bodies he is required to oversee. And that this regulator will continue to take enforcement action against these public bodies, when appropriate.

So would a national Government, when faced with criticism of this nature, really be prepared to support the notion of a new General Data Protection Directive, which heralds higher data protection standards and therefore a much greater risk of enforcement action against public bodies? Especially in an economic climate where really hard choices will need to be made about public spending priorities for many years to come?

There’s nothing wrong with good standards – so long as they are affordable. But if a Government cannot afford to invest sufficiently in reaching data protection standards that are already some 14 years old, do I really think that such a Government would have the political will to be seen to be failing to reach even higher (ie GDPR) standards?

I think not.

So, in my view, the message from the author of the above text is that Governments who fail to provide state institutions with the resources that are necessary to meet Government-mandated data protection standards should think very carefully before raising the bar even further.

For those who have not yet guessed, the author of the above remarks is Billy Hawkes, the extremely well-respected Irish Data Protection Regulator.

Read his latest Annual Report. It's a cracker. What's really depressing is that any of the detailed 19 case studies in the document could so easily have been included in the Annual Report of another national regulator. The issues that face Irish data controllers really are no different to the sorts of issues that face other data controllers. And I have no reason to suspect that the behaviour of data controllers in Ireland is, generally, any different to that of data controllers in other jurisdictions.

Source:

http://www.dataprotection.ie/docimages/documents/Annual%20Report%202013.pdf


Monday 19 May 2014

Mass surveillance: time for another speech


In the forthcoming hotly contested (yawn) elections for the European Parliament, London will be represented by 8 MEPs. In the last elections (2009), it returned three Conservative MEPs, two Labour, one Liberal Democrat, one UKIP and one Green.

Without offering any comments on my own political beliefs, I do think it inconceivable that London will not return at least one Labour MEP in 2014. Given that the Labour list is headed by Claude Moraes, who is currently a Labour MEP, it is as dead a cert as you can get that he will be, once more, selected by a grateful electorate and returned to continue to do whatever he does within the European Parliament.

One of the things he will continue to do is to comment on mass surveillance, EU citizens and the state. Indeed, the Centre for Research into Information Surveillance and Privacy (CRISP to its chums) has already invited Mr Moraes to speak on that very subject at the London School of Economics next month. They know a dead cert when they see one, too. They didn’t even wait until he was re-elected before inviting him to speak.

So, expect a crop of the usual suspects at the Wolfson Lecture Theatre on 17th June. Admission is free, but you must register in advance. I’m not sure why. It’s probably got something to do with data protection. But there’s no fair processing notice readily available, so no-one knows what will happen to whatever particulars they choose to submit. I do hope the irony of having to register in advance (without a fair processing notice) won’t be lost on the event organisers, especially since it is bound to attract people who aren’t keen on surveillance. And since the speaker is an MEP who is so passionate about promoting really strict data protection standards.

Anyway, expect the usual stuff to be trotted out by the usual suspects. When will anyone change their tune? When will someone have anything new to say about the subject? When will some bright spark have an answer to the key question "what is less dreadful, but about as effective, as mass surveillance?"

If you want to hear people (possibly) drone on about drones, or whine until the wine is served, feel free to register to attend.

Me?

Yes, I expect I’ll be there. I don’t think I’m doing anything else that evening. I will be attending a really good seminar on privacy and data protection at one of the Oxford colleges sometime that week, but even so, there ought to be time to slip down to the LSE and witness yet another exchange of views on a subject that used to grip Guardian readers (among others). 


Thursday 15 May 2014

More legal gobbledegook from the Article 29 Working Party

Hmmmmm. The Article 29 Working Party has recently, without ceremony (or much publicity), slipped another document containing some 21 pages of dense legalese onto the internet. 

The document could comprise some form of consultation exercise on model clauses that might be necessary when an EU based data processor wants to use the services of a non-EU based sub-processor (yawn). 

But the document does not explicitly say that it is a consultation exercise. It is, however, a “working document”, and its purpose is to provide advice to the Commission should any work commence on standard contractual clauses between EU-based data processors and non-EU-based data sub-processors. Now, why would the Article 29 Working Party go to the trouble of publishing this stuff on its website if it were not interested in the views of those who may find themselves affected by these draft clauses?

If we’re not careful, we’ll all get the blame for not having read or commented on these draft clauses soon, should they suddenly re-emerge as a set of fully formed clauses.

If anyone can readily understand this document, please step forward. There must be someone with a brain the size of this planet who can offer some commentary or guidance to us mere mortals (and perhaps to the legal geeks at the Article 29 Working Party). Unfortunately, the document contains no helpful commentary or explanatory notes (in plain English or in technical jargon), describing precisely what the legal clauses are actually intended to do. So it’s really hard to assess whether the draft clauses are fit for purpose. But there must be someone who knows whether these draft clauses are any good.

Eventually, such clauses might be useful - to those that read complicated clauses, that is. After all, there must be many non-EU based sub-processors who are already carrying out a wide range of data processing services for EU-based processors. But whether many people passionately care about the legality of the existing arrangements is something I have absolutely no knowledge about.

Do I want to comment on the document?

Not really.  As I’ve said, I don’t fully understand it. 

I’m going to mow the lawn, instead.


Source:
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp214_en.pdf


Wednesday 14 May 2014

ICO report on protecting personal data in online services

Increasingly, DPOs need to collaborate with others to implement appropriate privacy controls. So, I’m impressed with the ICO’s latest attempt to explain to data protection professionals (and other compliance officers) what it is that information security geeks need to do to ensure that the most common security vulnerabilities are being addressed.  It’s a really welcome attempt to use less technical jargon to highlight issues that are capable of causing substantial embarrassment and harm to individuals, should the controls fail and data breaches subsequently occur.

The language that is often used by data protection and information security professionals can be impenetrable to most mortals. So three cheers to the ICO for translating some of the technical terms into plain English. If a data protection or compliance officer ever wanted a conversation opener with their security team, this report contains a list of some 39 questions that could easily be asked by ICO auditors in the event they decide to carry out a formal information security audit on the organisation. 

The report helps the less technically gifted professionals appreciate what sorts of questions they need to ask of their security teams, even if they won’t necessarily understand the answers. The key issue is that the officer can (hopefully) rest assured that someone within the organisation understands this stuff, and that they are dealing with it. Which is a lot better than realising that no-one is dealing with it.  


Source:
http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Research_and_reports/protecting-personal-data-in-online-services-learning-from-the-mistakes-of-others.pdf



Saturday 10 May 2014

Top tips for chairing great conferences – 20 golden rules

I’m still buzzing from a recent data protection conference I was recently associated with. It was held in Central London and involved over 200 delegates and a decent crop of speakers, some with global reputations as privacy gurus.

However, I was faced with a bit of a problem.

The chairman for the first half was responsible for introducing just three speakers and for holding two Q&A sessions.  Under his chairmanship (and despite a couple of good speakers), the session overran by 20 minutes, the mid-morning coffee break was severely delayed and the audience was wilting.  

It was my job, as the incoming chairman for the final part of the event, to introduce no less than 10 speakers and run 2 Q&A sessions. And, crucially, to finish on time. By lunch time.

How did I get on?

These are some of the very kind messages that were sent to me after the event:

“Just had to thank you for not only rescuing a moribund conference, but turning it round and making that second half into one of the best sessions I’ve been to in a long time (including my own conference sessions). Sorry I had to leave before the end of the Q&A.”

“What a barnstorming performance! Your enthusiasm and energetic timekeeping lifted the second half, whilst also demonstrating a  keen understanding of the issues.”

“You were the best moderator ever today!! It was great seeing you. Hope to see you soon!”

“I just wanted to thank you for coordinating the conference this morning, it was not only interesting but also very lively (and on time!). And I can say that, yes, this time I did learn some things as opposed to other conferences, so thanks for your input on that.”

“I was at the conference today and very much enjoyed your rather different approach to chairing.” 

And, perhaps most kindly, the professional conference organiser praised me: “Martin, you come from the more militant wing of the Fierce Chair Party and it was very, very much appreciated”.

So, what do you need to do to get it right?

Follow these golden rules, and you won’t go far wrong:

  1. Start the session confidently, setting the tone for the day. Briefly refer to a couple of the themes that will emerge. The audience and the speakers want to be assured that they are in capable hands, and that you know what you are doing. So make a point of standing up for this part of the show.
  2. If you’re sufficiently confident to make an opening joke, make sure it’s funny and not derogatory.
  3. To inject the right note of respect into the proceedings, introduce each speaker by their surname.
  4. Avoid making a fool of yourself by making sure you can pronounce the speakers’ names.
  5. Agree in advance with each speaker just what is expected of them, including whether they will use slides, a prepared text, a lectern and how long they may speak for.
  6. Briefly introduce each speaker (without repeating the biographical information that has already been sent to delegates) and explain to the audience how long each contribution will last. This sets expectations about how long they will need to concentrate for.
  7. Make the speaker introductions from a personal perspective, briefly explaining why you admire them for whatever it is that they do / did. But make it short. The audience has paid to hear them, not you.
  8. Explain to delegates when they should applaud, ie after the speaker has concluded their remarks, or after the Q&A session.
  9. When the speaker has overrun their allotted time, announce to the audience they have one more minute.
  10. When the speaker overruns that minute, announce they have 30 seconds.
  11. Only ignore steps 9 & 10 if the speaker is saying something really interesting that spellbinds absolutely everyone.
  12. Briefly thank each speaker, perhaps referring to just one point they made, before introducing the next speaker. Respect each speaker’s contribution, without criticising it (unless the urge is strong and you are confident that the audience will appreciate your intervention).
  13. Speakers ought to have informed, educated and entertained the audience. If they did not, use this occasion to reenergise the audience. You should only “show off” if the speaker has failed to deliver. But you do have an obligation to the next speaker to ensure that the delegates are as fresh and as receptive as possible to the next presentation.  
  14. Before the Q&A session, announce to the delegates how the questions will be taken. For larger events, I usually explain that the questions will be grouped in 3s and that delegates should direct short questions to a particular speaker. Invite each delegate to identify themselves, even if (they think that) they are well known. Cut them off, mid flow, if appropriate, if the question drifts or gets boring.
  15. Take a note of each question, and after the final question in a group of questions has been asked, announce to the audience which speaker will be selected to respond to what (part of a) question. As Chairman, you have the discretion to ignore particularly detailed queries, and to rephrase questions. Make sure every speaker has an opportunity to comment about something, and make sure that every speaker's contribution is short. Cut them off, mid flow, if appropriate.
  16. Use the period provisionally allocated for the Q&A session to get right back on time.
  17. Wrap up the session you are chairing by rephrasing some of the key themes and referring to one or two quotes uttered by contributors. You are there to tell a story, and to assure delegates that what was promised has been delivered. Thank again the speakers – and thank especially the audience for their rapt attention. Remind everyone what a great event it’s been. Again, make a point of standing up for this part of the show.
  18. If you’re sufficiently confident to close the event with a joke, make sure it’s funny (and still not derogatory).
  19. Thank the event organisers but avoid referring to the hard work, effort and concentration you have personally expended to ensure the success of the event. If you’ve been any good, someone will let you know.
  20. Finish on time. Delegates have paid to attend a timed event. They should not feel that they are being held against their will, and they'll be happy to attend another event you will be asked to chair.

Wednesday 7 May 2014

I'm still quite keen on care.data

I suspect that most people are unlikely to change their minds about the care data initiative.  

I suspect that most people, unprompted, really couldn't be that bothered about the initiative – after all, there was precious little consternation in Parliament when the relevant enabling legislation was considered - but those that are bothered are likely to remain very bothered about it.

As the ICO has helpfully explained when commenting on the enabling legislation (the Health & Social Care Act 2012): "This law gives NHS England the right to direct the Information Centre to collect certain sorts of data from the medical records. The law is a statutory enactment which requires the disclosure of the data, which means the data becomes exempt from the main parts of the DPA.

Because the main parts of the DPA are exempt it means that neither GPs (as data controller) nor patients (as data subjects) have the right to stop that information being taken into the Information Centre - there is no legal 'opt out' under the DPA.

But while the DPA doesn't give patients a right to object, the Secretary of State for Health has offered patients an option not to have their information used in this way. But as this option isn't covered by the DPA, we can't regulate it, and we don't set the rules on how it works."

So that's it. Slam dunk. There is an avenue for people who are sufficiently motivated to object. There ought to be no further argument about the matter.

But of course there is and will continue to be because some people are extremely concerned at the impact of the adverse consequences should anything go wrong and data sharing go awry. And the "No, Never" brigade are of course determined that it should be made much easier for patients to be able to object to having their details shared.

And let's be clear about this. Of course things will go wrong, and of course some data sharing initiatives may go awry. But this does not mean that the initiative is a bad initiative, or indeed that it should not be allowed to proceed. What is likely to be of general concern are the practical steps that should be taken to provide the necessary degree of public assurance that data is being shared appropriately, but that is not an issue I am setting out to address today. (If it were, I would be arguing for the ICO to play a more meaningful role in the assurance process.)

But is it really wrong, in a democratic society, that as a condition of receiving a vital (and free at the point of delivery) service, citizens should be encouraged to reveal to third parties information about their health that might improve health outcomes among the general population?

As far as I am concerned, no. The care data initiative is a necessary and proportionate response to a growing problem, which is that the costs of health care are significantly outstripping the ability of commissioning bodies to be able to purchase enough of it. I am a grateful recipient of the health care that the NHS is able to provide to me and my family, and I certainly wouldn’t want to erect any barriers that made it inappropriately harder for care professionals to devise the most appropriate treatments, or to benchmark health outcomes to ensure that dodgy doctors couldn’t practise with impunity.

In a nutshell, the right to privacy is a qualified right, and accordingly public authorities are able to interfere with this right so long as the interference is:
· In accordance with the law;
· In pursuit of one of the legitimate aims set out in Article 8(2) of the European Convention on Human Rights; and
· Necessary in a democratic society.

As far as the law is concerned, this test is met by the Health & Social Care Act 2012.

As far as meeting any legitimate aims of the European Convention on Human Rights is concerned, this test is met by the reference to initiatives “for the protection of health”.

As far as the meaning of “necessary in a democratic society” is concerned, there have now been a number of cases before the European Court of Human Rights that have all referred to one or more of the following tests:
· Pressing social need – Does the interference correspond to a pressing social need?
· Proportionality – Is the interference caused by the measure proportionate to the legitimate aim being pursued?
· Relevant & Sufficient Reasons – Were the reasons given to justify the interference relevant and sufficient?

We can all argue until the cows come home as to how “necessary” the initiative is, but I’m not sure what would be required to change my personal view that the initiative meets these tests.

I do pay tribute to the remarkable work going on behind the scenes to ensure that whatever does happen is done in a way that is as safe and as secure as possible. I’m also somewhat concerned at the potential threat to my privacy by the inappropriate disclosure of information that consequently caused me a great deal of embarrassment. But, I would be much more concerned if I were to be living with a particularly debilitating medical condition and it subsequently transpired that my own treatment plan could have been significantly improved if only a core of conscientious objectors had not been successful in withholding from researchers vitally important details about their own health issues. 

Finally I do hope, although I am by no means confident, that the care data initiative actually does proceed. It only takes a small, but vocal, group of detractors to derail it. And they do seem to have a remarkable ability to grab the headlines.

As in so many things data protection, this initiative is less about the law and more about the politics of the process.
