Saturday 19 December 2009

Should the ICO be presumed to have the competence to fine miscreants?

I’ve spent some time over the past few months mulling over whether the ICO should be given powers to fine miscreants, and if so, what maximum fining powers should be available.

My first inclination was to assume that the ICO should be viewed in a manner similar to that of the Financial Services Authority. But I quickly realised that they were very different organisations. Citizens of Canary Wharf and the People's Republic of Wilmslow are not the same. Lots of bling in both locations, but different breeds of regulators. In Wilmslow, you can expect to see the WAG driving the Porsche. Around Canary Wharf, it’s more likely to be the bread winner.

The FSA plays two quite different roles simultaneously. On the one hand, 750,000 individual complaints are assessed by the Financial Ombudsman Service each year, by the staff of some 860 people, who can deal with cases up to the value of £100,000. And on the other hand, the FSA itself can deal with cases that may not be raised by a specific individual, for example when an unencrypted laptop is lost, and can fine the miscreant £ millions. I have heard complaints that the FOS does not understand the issues it judges on and lacks suitably qualified and experienced staff. Former Chief Ombudsman Walter Merricks has explained that the service employs professionals and graduates from different backgrounds and moves them between different areas to build experience.

I’ve often wondered whether it’s much easier to recruit and employ qualified and experienced professionals and graduates from a central London pool of talent than it is to attract people with the necessary range of skills to Wilmslow. But people obviously do wish to work in Wilmslow. And the “Wilmslow culture” is certainly different to that of Canary Wharf. Think “Guardian reader” rather than “The Financial Times”.

Whether the ICO can keep people for a sufficiently long period in Wilmslow (so they can make a really significant contribution to the organisation) before other employers make them offers they would find hard to refuse is another matter. In a recession, private industry may feel constrained in making too many generous pay offers. But, when the consequences of getting Data Protection “wrong” are as serious as they currently are, the market for Data Protection professionals is comparably strong. (Most companies fear the loss of their reputation following a data breach far more than any ICO sanction). And, given pressures over budgets within the public sector, will the ICO really be able to compete with the demand for people who think they know what they are doing?

So, this takes me back to my original point. Financial institutions have come to accept the jurisprudence of the FSA, and have come to accept that it has the competency to fine miscreants £ millions when mistakes are made. They also accept the awards made by the FOS, generally without question. And this is because a bond of trust and competence has been built up between the regulators in the FSA’s compliance function and the regulated.

I don’t think that a similar bond exists in the Data Protection world. I have not had (believe it or not) a particularly high level of interaction with the compliance function of the ICO. I’ve been deeply involved in the policy development function for many years, but I can honestly say that I have not yet had the time to build up a comparable level of trust with the ICO’s compliance team. I’ve dealt with a wide range of people who make assessments, but none of them appear to have remained in their post for very long. Perhaps they get promoted or are relieved of the duty to deal with me when they have completed their probationary period...

Anyway, for that reason, I won’t yet be supporting suggestions that the ICO be given powers to fine miscreants at a level which is similar to that of the FSA. I first need to have confidence in their experience and competence. Let them start with a maximum of £500,000 and let’s see what they do with that. For these days, it’s someone’s track record, rather than their promise or potential, which is so very important.

Sunday 13 December 2009

"It’s time to behave more like Jim", commands the Commissioner

What's all this about?

Last week I attended the Commissioner’s conference at the Lowry Hotel in Salford (a suburb of Manchester), which launched the public consultation stage of the ICO's proposed "Personal Information Online Code of Practice". The first speaker was Christopher Graham, who reminded us of the achievements of a former local MP, Hilaire Belloc. Between 1906 and 1910 he represented the constituency of Salford South.

More commonly remembered as the Roald Dahl of his day, Belloc’s cautionary tales serve to remind us all of how we ought to behave. And Christopher Graham took the opportunity to refer to the regulatory landscape and to remind us of two elephants in the room, the Article 29 Committee and the European Commission, both of whom were struggling to apply an outmoded Data Protection Directive to the business needs of a world which simply did not exist when the Directive was agreed.

The inference was that the pragmatic approach adopted by the ICO was at risk of being challenged if it, or UK data controllers, were to be seen to be overstepping the mark too blatantly. So, it appears that, as a body, we all need to agree which parts of the law we should apply rigorously, and which parts deserve to be glossed over (because they are unduly onerous, burdensome and simply don't make any sense any more). The inference was that unless we moved as a body in deciding which bits to ignore, the Commission might well take it upon themselves to pick off the stragglers.

So we have been warned. We must all pull together – and then we’ll be permitted (as they say in sailing terminology) to shift our course away from that adopted by the rest and tack away in another direction.

But Christopher Graham didn’t use nautical terms. Instead he used medical terms, by referring to the story of “Jim” – which advises us that we should

“Always keep a-hold of Nurse
For fear of finding something worse”

So, if the main players within the ICO are to be cast in medical terms, then just who are the key characters at the re-jigged Wilmslow Information Hospital? I hear that there’s just been another reorganisation up there, and perhaps soon we’ll learn who’s now in charge of what. But, in the meantime, my suggestions for new job titles are:

Information Commissioner --- Matron
Chief Operating Officer --- Midwife Higher Level (Research Projects)
Director of Human Resources --- Health Visitor Specialist
Deputy Commissioner Data Protection --- Health Visitor
Director of Comms and External Relations --- Nurse Team Manager (Learning Disabilities)
Assistant Commissioner Freedom of Information --- Theatre Nurse
Head of Regulatory Action --- Nursery Nurse (Communities)
Corporate Governance Manager --- Clinical Support Worker

Other suggestions would be welcome until the official structure is known.

Oh, and by the way, for those really interested in “Jim”, Hilaire Belloc’s poem about the boy who ran away from his nurse and was eaten by a lion is set out below:

There was a Boy whose name was Jim;
His Friends were very good to him.
They gave him Tea, and Cakes, and Jam,
And slices of delicious Ham,
And Chocolate with pink inside
And little Tricycles to ride,
And read him Stories through and through,
And even took him to the Zoo--
But there it was the dreadful Fate
Befell him, which I now relate.

You know--or at least you ought to know,
For I have often told you so--
That Children never are allowed
To leave their Nurses in a Crowd;
Now this was Jim's especial Foible,
He ran away when he was able,
And on this inauspicious day
He slipped his hand and ran away!

He hadn't gone a yard when--Bang!
With open Jaws, a lion sprang,
And hungrily began to eat
The Boy: beginning at his feet.
Now, just imagine how it feels
When first your toes and then your heels,
And then by gradual degrees,
Your shins and ankles, calves and knees,
Are slowly eaten, bit by bit.
No wonder Jim detested it!
No wonder that he shouted ``Hi!''

The Honest Keeper heard his cry,
Though very fat he almost ran
To help the little gentleman.
``Ponto!'' he ordered as he came
(For Ponto was the Lion's name),
``Ponto!'' he cried, with angry Frown,
``Let go, Sir! Down, Sir! Put it down!''
The Lion made a sudden stop,
He let the Dainty Morsel drop,
And slunk reluctant to his Cage,
Snarling with Disappointed Rage.
But when he bent him over Jim,
The Honest Keeper's Eyes were dim.
The Lion having reached his Head,
The Miserable Boy was dead!

When Nurse informed his Parents, they
Were more Concerned than I can say:--
His Mother, as She dried her eyes,
Said, ``Well--it gives me no surprise,
He would not do as he was told!''
His Father, who was self-controlled,
Bade all the children round attend
To James's miserable end,
And always keep a-hold of Nurse
For fear of finding something worse.

Saturday 5 December 2009

How can we ditch EU data protection standards in favour of global standards?

It looks as though more and more people are asking this question, and it’s possible that quite a bit of background work has already been done.

And the more I think about it, the more sympathy I feel for the regulators, who are charged with creating solutions to problems that are extremely hard to resolve. These people must know that the more complicated they make the solution, the greater will be the likelihood that it will fail. All of us dread solutions that are so convoluted you need a brain like Albert Einstein’s to understand them. And we all know that we’re basically doomed unless we can develop an approach that even Homer Simpson can grasp.

So I was really surprised recently to come across a document that actually managed to spell out, in simple language, a set of principles which might well have global application. They were developed by stakeholders from some 50 countries, and first saw the light of day at the recent international privacy conference in Madrid. For those who want to have a close look at them, try the following link -

The text uses reasonably plain language and tries to avoid the trap that the EU dug itself into, by focussing on ensuring transparency and fairness, rather than convoluted procedures that so few of us really understood in the first place. Could it result in the demise of the ridiculously complicated contracts that were created to “regulate” international data flows? I have a feeling they might.

The problem, though, will be that there will be countries who pride themselves on high internal data protection standards, either for local cultural reasons (say, to protect people from what is perceived to be a pressing harm in that local country) or for purely protectionist reasons, as they are frightened of the globalisation of trade and hope their initiatives will prove to be more effective than King Canute’s gestures in turning the tide back (which occurred almost exactly one thousand years ago).

Will these countries give up their gold plating, or will they finally acknowledge that they need to live in a real world? I’m sure that some will try to hang onto their gold plating for as long as they can, while many of the companies operating inside them will be finding it ever harder to develop commercially attractive propositions to their customers. Thanks to the globalisation of the internet, if customers don’t like local rules they can simply download a service from a country that operates under more favourable rules. It’s just like the climate change debate – these carbon particles don’t respect political boundaries any more. And neither do the acquirers of electronic services. If it’s hard to download from Germany, you might as well get it from Sweden.

An interesting emerging principle is one of accountability. The Madrid Resolution requires “the responsible person” to make available verifiable evidence that they have actually taken the measures necessary to meet their obligations – and this evidence should be made available both to regulators and individuals. It’s a neat idea – as it now places a greater onus on the company to establish it is behaving responsibly, rather than await an allegation that it had not behaved responsibly.

And this new “accountability principle” might well give the Data Protection Officers the stick they need to remind their companies that, in the event of transgressions, there will be fewer places to hide. And it might also give them an opportunity to point out to regulators that mistakes sometimes happen in spite of the efforts that the companies make to behave properly.

Saturday 28 November 2009

Time for a DPA Detox – or a Wii

It’s the beginning of the festive season, and it's also been an exceptionally busy week, with my usual DPA work being augmented by two drinks receptions and two launches. And one of those events has spawned an idea that might make my fortune. Well, someone’s fortune, anyway.

Before I turn to that idea, I ought to point out that one of the receptions I attended this week was a real challenge if you were dyslexic. It was held in a building that was hosting a slightly different reception on the concourse above, and members of both groups spent some time rather wistfully wondering if they should have been mingling with the other lot. The event I attended was signed “ICO reception”, and the star guest was the new Information Commissioner, Christopher Graham. Just above and behind us, party guests were attending an event signed “IOC reception”, where the star guest was the Princess Royal. We appeared to be enjoying our food and drink to a much noisier extent than that crowd upstairs, so every now and again disapproving glances were sent in our direction. We didn’t care, though. Hardly any of that lot appeared fit enough to actually participate in the Olympics – I think they must have been the Olympic accounts teams, or something. They were eating a lot of pies. But if you wanted to mingle with real royalty, rather than DPA royalty, you had (literally) to be above us rather than on our level.

Both launches I attended this week were significant. Stewart Room’s book on “Data Security: Law & Practice” (attended by Lords, Ladies and the great and the good of the data protection world at the offices of Field Fisher Waterhouse) should give us all some very useful indicators as to the possible direction of regulatory travel. Designed for the professional, I do hope that it's going to be a very useful place for me to start from to locate that reference to that thing that’s at the back of my mind. It ought to be an essential piece of kit for everyone who regularly attends data protection events. The second launch, in the River Room at the Millbank Tower, by the Tate Gallery, was for the ICO’s new plain English guide to data protection, this time a more down-to-earth look at the principles of the Act, using practical business-based examples. It’s the sort of publication designed for those who don’t usually attend ICO or data protection events, but who still ought to know a bit about the legislation.

But my mind was most taken this week by another event – this one where I must have been invited to by mistake, as there were hardly any data protection folk there at all. At this particular party, though, a group of extremely highly paid solicitors were playing Wii golf. And this is where I had my idea. Why Wii golf, I thought to myself? Why don’t those good folk at Nintendo develop a Wii DPA game? Surely that would be a best seller.

On the train back home I started to develop a few basic concepts for the game. Were the players to be people fighting to get their Subject Access Rights, or perhaps they were DPA Officers dealing with an ICO Assessment – or trying to register all their processing purposes, etc. Then every now and again we could have a new set of DPA policies suddenly descend upon us all, or a job offer from another company, where we could start again and create a data protection concept from new. Points could be awarded for attending DPA conferences, double points for speaking at these conferences, and triple points for actually saying something new at the conferences. Points could be deducted for each data breach (for which there was an element of corporate responsibility), and they could be won for creating new measures that made it harder for data breaches to occur, but which actually let the business carry on and do some business.

Yes, I thought to myself. A DPA Wii would be a brilliant way of guiding people through the data protection maze. Let me give more thought to the concept. And if it ever hits the streets – watch the date of this posting – as I’ll be demanding my IP rights, if any IP lawyer wants to help me out (on a conditional fee basis, of course).

Saturday 21 November 2009

Falling like Lucifer

I’ve been reflecting recently on what happens to people in public life who have made serious mistakes and attempted to resurrect their careers. And I wasn’t thinking about Lord Jeffrey Archer, or what Jonathan Aitken did with his “simple sword of truth”, either. Nor any other of the current crop of hapless politicians, for that matter.

What started me off was being reminded of the exploits of a British politician from a very different age. My memory was jolted when I saw an old copy of his memoir “To Fall Like Lucifer” for sale in a Crouch End charity shop. I remembered first reading it some 30 years ago. He really had class – and was a true gentleman. Ian Harvey was educated at Fettes College and Oxford University (just like former Prime Minister Tony Blair), a former distinguished army officer, married with 2 children, who turned to politics and by 1958 was a junior Foreign Office Minister.

As Wikipedia tells it, in November 1958, Harvey and a Guardsman from the Coldstream Guards were found in the bushes in St James’s Park; Harvey tried but failed to escape, and attempted to give a false name on arrest. Both were charged with gross indecency and breach of the park regulations. The indecency charge was dropped at the trial and both were fined £5. Harvey subsequently resigned his ministerial post and his seat, and paid the guardsman's fine as well as his own.

Then, after a period of a few years, he returned to public life, becoming Chairman of his local Conservative Association and a senior board member of the Inner London Education Authority. He died in 1987.

My thoughts then turned to Bob Quick, the Metropolitan Police’s former Head of Counter-Terrorism, who resigned in April of this year after he had accidentally revealed details of a covert investigation, which forced police to bring forward anti-terror raids. He was photographed by the press outside 10 Downing Street holding documents, clearly visible, that were marked SECRET.

He was about to brief cabinet ministers on Operation Pathway, spearheaded by MI5 and Special Branch, which was apparently designed to thwart a series of suicide attacks at shopping centres in Manchester over the Easter weekend, dubbed the “Easter spectacular.” The unintended leak, technically a breach of the Official Secrets Act, caused authorities to speed up their timetable, making raids across North-West England.

While the police apparently did manage to arrest all their suspects without much trouble, no bomb factory was found, no evidence leading to indictments was published, and all 12 suspects were subsequently released without charge. That shows what happens when you rush an investigation, I suppose. By allowing sensitive material indicating the existence of a very serious criminal investigation to pass prematurely into the public domain, the chances of a successful set of prosecutions were fatally undermined.

But I don’t expect a proficient copper will be kept down for good. As James Cleverly, Deputy Leader of the London Assembly’s Conservative Group and the Mayor of London's Ambassador for youth, put it in his blog on 9 April, “Bob made a serious mistake and took responsibility for his actions. You don't see that very often these days, do you?”

Having been roundly praised for doing the decent thing and actually resigning, I’m sure it won’t be too long before we see Bob Quick returning to prominent policing or security roles. Or perhaps he’s already working on the 2012 Olympics, and I've just not noticed.

I wonder who will be the next celebrity to fall - but then arise again - after a decent interval.

It's unfair to change the rules without any warning

I’ve just returned from the gym and am still really wound-up with frustration.

Let me explain.

I live in North London and am proud to be a citizen of Crouch End. Until recently, we have had a very benevolent local council (Haringey) who have very kindly allowed us, the mere rate-payers, to use a car park at the rear of the local public library every Saturday so that we can do our local shopping (and use the library). During weekdays, the car park is reserved for local authority workers. But at weekends, for the past 15 years or so, it’s been freely available for anyone to use. This arrangement has not caused any problems with council workers, as they don’t use those car park spaces on weekends anyway.

So you can imagine my mood change when I arrived at the car park this morning to see a new set of signs by the entrance gates. We ratepayers are now only permitted to use a fraction of the car park, and even then we can only park for 2 hours. That’s not sufficient time for the many Crouchenders like me who first use one of the local gyms and then queue for ages at the check outs in Budgens and Waitrose before we can return to our cars. So we’re annoyed. Really annoyed. In fact, we’re so annoyed that we’re even blogging about it...

The signs at the car park entrance are pretty shamefully worded too. They explain that “Wheel clamps and vehicle removals are in operation”. Parking is not permitted in spaces now reserved for library staff. The clamp fee is £100. The tow fee is £100. Storage charges for these towed vehicles are £30 a day. And all patrons are warned that there could be long delays in unclamping vehicles. Finally I read the statement: “Library staff have no involvement in parking issues and do not call Wing Security to clamp or tow vehicles – for all enquiries regarding these matters call the number above”.

No prior warning was given that the parking rules were to be changed. Nor is there any explanation for this radical change of policy. Nor are there any contact details for those responsible for this matter. All we locals can do is vent our frustration at the security contractors, who are hardly going to be sympathetic as they are likely to benefit financially as a result of this new policy. A lot of people were caught unawares and are very angry.

We can all live with situations where we are given fair warning that the rules are about to be changed, as we can then plan ahead and make other arrangements. But, when no warning at all is given about an abrupt change in strategy that costs victims a possible penalty of £230, it really does erode the confidence I have (or had) in my local council.

Saturday 14 November 2009

“Am I bovvered?” (Setting a maximum penalty for data breaches)

Has the Ministry of Justice embarked on yet another attempt to undermine the Information Commissioner’s Office?

That was the first thought that came into my head when I read the “consultation document” the MoJ has recently rushed out on setting the maximum penalty the Commissioner will be able to impose for serious breaches of data protection principles.

To be brutally honest though, it’s not really a proper consultation document. Those awfully clever mandarins at the MoJ have managed to publish something which has 22 pages. But, it really is a dead cert to win the annual “Don’t tell him, Pike” award (sponsored by the BBC's "Dad's Army" programme) for the crassest attempt to provide as little evidence as possible from which consultees can base their views.

What would an uneducated reader learn from the consultation document itself? Hardly anything. The proposal is set out (on page 8) in 123 words. The background to the issue is sketched out in 198 words, while the “evidence” on which views are sought is covered (on pages 8 and 9) in just 190 words. And that’s it. There’s nothing else to read, really. Blink and you’ve missed it.

The real evidence – and the really interesting stuff – is tucked away elsewhere, and there is just one single reference to it in the entire consultation document. This is the "Impact Assessment", which is 33 pages in length and contains some very interesting assumptions about just how the Information Commissioner’s Office would really use the powers it was given.

In a nutshell, the MoJ mandarins have worked out what the Information Commissioner might do if he were able to award maximum fines of £50,000, £500,000 or £2.5 million per offence. If the maximum fine were to be just £50,000, then 12 data controllers would be in for the chop each year. If the maximum fine were to be raised to £500,000, then just 8 data controllers would be up before the beak. But, if the maximum fine were to be a whopping £2.5 million, only 6 data controllers would need to stiffen themselves for a whacking every year. These assumptions appear on pages 4, 6 and 8 of the analysis.

Somewhat confusingly, page 17 of the analysis reports that the ICO estimates that monetary penalties are imposed approximately 25 times each year for serious contraventions. I can only explain the difference in these statistics by assuming that this larger figure refers to court fines, rather than the new penalties that are being discussed in this consultation document.

The bean counters have also done their sums in anticipation of the income that would be generated from those caught in the firing line. Should the maximum penalty be £50,000, the working presumption is that each of the 12 will be fined £25,000 (raising some £300,000). If the maximum fine were to be £500,000, the 8 unfortunates will be fined £100,000 (raising £800,000). Finally, if the maximum fine were to be £2.5 million, the 6 miscreants will be fined £1 million (raising £6 million).

In 2009 there were about 319,000 data controllers registered on the public register of data controllers. So if they all behave alike, they can’t each expect to get caught that often. If the maximum fine were to be set at £500,000 then they might expect their own £100,000 fine to be levied once every 39,875 years. So if I were a data controller’s accountant, I would suggest that they set aside £2.50 each year for the “ICO statutory fine” pot.

And what would the benefits be to society? It’s been assessed that if the maximum fine were £50,000 or £500,000, then controllers would take additional precautions that would result in 4 serious data breaches being prevented every year. And if the maximum fine were to be increased to £2.5 million, then the additional controls might ensure that 6 serious data breaches would be prevented every year. These really are the assumptions that appear on pages 4, 5 and 7 of the analysis.

That does not appear (to me) to be much of a deterrent. Nor, is it assessed (by me), will it have much of an impact.

Custodial sentences, on the other hand, might concentrate the minds of some of the more reckless data controllers. But that's my view - not the stated views of any of the MoJ mandarins, as far as I have been able to glean from the two MoJ documents I've referred to in this blog.

I was interested to understand whether the MoJ felt that larger companies would feel more motivated to improve their data protection standards if larger fines were likely. After all, the Financial Services Authority is able (and willing) to fine banks and other financial institutions millions of pounds for inadequate security controls, yet it appears that the ICO is not to be allowed to award similar fines when data controllers allow other breaches to occur. It's not at all clear why the protection of someone's financial information is apparently more important than the protection of their “sensitive” personal information about matters such as their health, sexuality, religious views, political persuasions or criminal background.

And I’m still none the wiser.

So, what messages should the reader be picking up from the MoJ, as it strives to find a slogan that most adequately sets out its aspirations? Having recently re-read (bits of) Jonathan Swift’s “Gulliver’s Travels”, I think it’s fair to assume that, as power is steadily devolved from Westminster to the “People’s Republic of Wilmslow”, visitors to that new land should expect to be greeted by natives who are as friendly as those who lived in Lilliput, rather than as fearsome as the gigantic beasts that Gulliver encountered during his later voyage to Brobdingnag.

Friday 13 November 2009

Behavioural Blogging: My 12 simple rules of internet etiquette

Am I writing this blog simply to promote me as the sage of all data protection wisdom? Or to stimulate debate on issues I get passionate about? A bit of both, really. So, I thought, before I go off the rails and get ignored by just about everyone I know (or knew), I had better create a dozen simple rules to follow as I blog. Feel free to let me know when I overstep these marks.

1 Tell the truth.

2 Write short blogs.

3 Publish them regularly.

4 Focus on a single issue for each blog.

5 Respect everything supplied in confidence.

6 Stick to what I know (or what I think I know).

7 Use plain language, not technical gobbledegook.

8 Make serious, as well as trivial, points in each blog.

9 Develop my own ideas, in my own time, using my own equipment.

10 Change the text when I write something that causes unnecessary offence or embarrassment.

11 Credit everyone I plagiarise.

12 Try to look on the brighter side of life. (I think I sense a song coming on...)

Defending the Realm

On Wednesday, in London, I paid my respects to those who had sacrificed their lives defending the realm, by visiting the Cenotaph in Whitehall and reflecting on the wreaths that had recently been laid there by those who are so much braver than me.

Also on Wednesday, my work colleagues gathered around me to sing “Happy Birthday”, and I was presented with the book token I had been hoping to get which enabled me to pop out and exchange it for a copy of the first edition of “The Defence of the Realm: the authorized history of MI5” by Christopher Andrew. Covering 100 years (and 1,000 pages), it’s an account that I can’t wait to delve into. And to complete my birthday celebrations, yesterday Jonathan Evans, the Director General of MI5, very kindly signed it for me!

This morning, I woke to hear Evan Davis questioning the Prime Minister on Radio 4 on the Government’s strategy in Afghanistan, where lives continue to be lost as our servicemen seek to further protect our country.

These events have helped reinforce the point that some of what I do (at work) really matters. I remain absolutely convinced that communications records should be available to those who are on the front line, and to those whose role it is to support those who are on the front line, in the fight against terrorism and in defence of national security.

But this does not automatically mean that communications records should also be available to those who just want to see whether I’ve been voting each week for my favourite X Factor contestant. My preferences as to whether I want Stacey Solomon, the Jedward twins or Olly Murs to win really ought to be just a private matter between me and Simon Cowell.

For the record, however, I reckon it’s a shoo-in for Olly.

Despite raising it in a somewhat flippant manner in this blog, I do appreciate it is actually an extremely serious question, and one which I’ll reflect and report back on later.

Wednesday 11 November 2009

Whither the Interception Modernisation Programme?

For the past couple of days, journalists have been trying to decipher the signals that have emerged from the Home Office about the fate of its proposals to “protect the public in a changing communications environment”.

Earlier on in the year the story appeared to be that some outfit called the “Interception Modernisation Programme” had been created to devise ever more ingenious ways of requiring the retention of records relating to phone, text, email and internet communications. This was to ensure that the law enforcement community could continue their vital role in preventing and detecting crime. In April, when the Home Office’s much awaited consultation paper was published, the big story was that whatever was going to happen, it would not include a gigantic central database, where all these records would be carefully stored. “The Register” was the runaway winner in the “name-that-database” competition: “Wacky Jacquie’s Uberdatabase” was born – in honour of the then Home Secretary Jacqui Smith.

The trouble was that the consultation paper didn’t give much else away as to any options that remained on the table. Comments were invited on any ideas as to what to do in place of the central database. Where was “Plan B”?

A couple of days ago, the Home Office published its summary of responses to the consultation paper – amid so much confusion that some commentators reported that all of the proposals had been shelved, while others warned that the plans were merely to be delayed. Shami Chakrabarti of “Liberty” called for “A bold alliance of phone companies who fear losing public trust and concerned citizens to come together in opposition to these plans”. (London Metro, 10 November)

The last person to lead the alliance against "Wacky Jacquie’s Uberdatabase" was Richard Thomas, the then Information Commissioner. Richard has done more to raise awareness about the significance of protecting personal information, and at the same time to focus public attention on the need to publish information our public officials would like hidden away, than all of his predecessors put together. Funnily enough, and despite victories that parliamentarians will rue for decades, he wasn't knighted when his term of office ended. Surely some mistake?

So what’s the truth about the IMP? And how should I know? Have those awfully clever members of the Interception Modernisation Programme really been told to pack up their pencils and head back to their other jobs? In the words of the disciples who implored their brave leader in the musical (and film) Jesus Christ Superstar, “What’s the buzz – tell me what’s a-happening....”

Well, as Gerry Adams once said of the Provisional IRA, "They've not gone away you know."

And how do I know? Yesterday, I accompanied a well dressed (and frightfully well mannered) bunch of telecoms oiks to a Central London location to learn from the authors of the consultation document just what they thought the Government meant when it published its summary of responses. These Home Office officials were (almost certainly) the same bunch that wrote the original consultation document, so I’m confident they know what they are talking about.

The telecoms oiks who accompanied me to this meeting comprise what can only be described as a very junior telecoms equivalent to the Advisory Council on the Misuse of Drugs. They are a bunch of experts from various providers, all of whom give freely of their time to give honest advice on what is technically feasible on their networks. They are all trusted individuals who are sworn to secrecy. But they have in the past found it really hard to remember what the IMP has told them in confidence, and therefore must not be shared with anyone who doesn’t know the golden password, and what the IMP has told everyone else in public, and therefore can be discussed in polite company.

Unlike some members of the Advisory Council on the Misuse of Drugs, these telecoms oiks continue to attend meetings convened by the IMP even if they appear to disagree with Government policy. A few have left the group over the years – but that’s because they’ve been made redundant from their respective companies. I’m certain that such redundancies have had nothing to do with their differences of views on the issues the IMP has ever wanted to discuss.

I won’t give away the location of the last meeting in case that’s protected by the golden password. Suffice to say, it’s in Westminster. You have to enter a building up one small flight of stairs, and nod to a doorkeeper to your left, whispering “IMP” just loud enough for him to hear. You then get pointed to an unmarked door under the stairs, which you enter, turn sharp right and are faced with a locked door which has a window. If the next doorkeeper likes the look of you, you are let in and relieved of your electronic equipment. Your credentials are checked, then you are issued with a coloured pass, and you then wait for a grown up with a differently coloured pass to carefully escort you out the door you had just entered, across the corridor, through another locked door and down the special staircase to the special conference rooms below. You are then warmly greeted by people who you’ve met before (and on lots of occasions) but who seem to have arrived at these special conference rooms via another route. To get out, you need to leave a few minutes earlier than you would do in any other type of office building. But that’s another story.

So, what’s the buzz?

The view from the “Provisional” wing of the IMP is that “Doing nothing in the face of challenges from rapidly changing technology was not an option”. (See page 23 of the Summary of Responses)

The view from the “Real” wing of the IMP is that “The Government will continue to develop the approach it proposed in the consultation document with a view to bringing forward the necessary legislation”. And, “The Government will also continue to work closely with communications service providers to ensure that any additional requirements will be feasible and reasonable, and to minimise, as far as possible, any impact on the industry”. (See page 16 of the Summary of Responses)

So, it’s clear. Something will be done. Dunno what, though.

And nor do they.

Watch this space.

So let’s see who joins Shami and her colleagues in forming “A bold alliance of phone companies who fear losing public trust and concerned citizens to come together in opposition to these plans”.

And in our spare time, perhaps we can all search for Richard's lost knighthood.

Saturday 7 November 2009

Chasing the (data protection) dragon ...

“I’m not indispensable, you know...”

I’ve been giving some thought recently about the role I ought to play should a data breach occur. Is it appropriate for me to throw myself forward, take full control and keep the contents of the Information Commissioner’s guidance on data breach management all to myself? Or should I assume the role of a coach, pointing those involved in the breach to the various corporate policies that (ought to) exist and ensure that they accept accountability for the consequences of any mishaps that had corrupted their own processes?

This question was prompted by a very thoughtful article which appeared in the Times online edition a few days ago, on 5 November. The journalist Philip Delves Broughton was reflecting on the development of a social revolution in Japan. He described the revolution as being led by a group of as many as 40 per cent of all Japanese men currently aged between 21 and 34. This new generation believe that life is far more important than work. They don’t accept that their fate is to suffer silently in Japan’s vast corporations and bureaucracies. Work should occupy a discreet rather than overwhelming place in their lives. Family and friends matter far more than shopping or travel. They reject the culture of the macho Japanese salarymen. They do not believe companies will look after them. They do not respect job titles or hierarchies, only those who control resources and produce obvious outputs. They abhor office politics and do not respond to traditional motivational tools such as promotion, pay rises and the promise of job security.

Strong, revolutionary stuff. I reflected on whether many of my friends refuse to dress or behave like older employees in their respective workplaces. I wondered how many of them just believed that at work and in life, doing OK is OK. That there was no need to show everyone how much effort you’re making. Friends who challenged the conventional models of success. Friends who could honestly say “All I want to feel is that my work has a sense of purpose".

And yes, there are a few. And, growing in number.

So, back to the point. Just what role should I play should a data breach occur?

My cunning plan is to ensure that the breach handling process that I should have helped create works just as well in practice as it did in theory. It’s going to be to ensure that those who were responsible share the pain. And it’s going to be to ensure that the pain is sufficiently harsh to encourage effective steps to be put in place to prevent such mishaps occurring in future. My cunning plan is unlikely to include me cancelling any (much needed) holidays, or working 20 hours a day, grabbing a few hours’ sleep in the hotel nearest to the office, grazing on pizzas and peanuts, or living on my nerves until all the fuss has completely died down. My cunning plan is to design a breach handling process that engages all the relevant people in the business, not to adopt a set of behaviours which signify a personal infatuation and obsession about me, to the exclusion of everyone else. My cunning plan ought not to reflect the ruthless pursuit of my own gratification, dominance and ambition.

Yes, it’s going to be a bit of “tough love”. Some people may see it as an uncaring approach. But that’s not the case. If I am not personally accountable for the business processes that have failed, then it’s not necessarily going to be “my” mess. And I don’t want to develop a reputation as someone who simply sorts out other people’s mess. Instead, I want to be seen as someone who helps them put their own house back in order. That way, they may feel grateful for my support, but also quietly glad that they were empowered to resolve the situation for themselves.

I hope that I’ll always be on hand to assist with the external PR work, to throw myself at the mercy of the Commissioner’s confessional chamber, and to let all those affected know that we’ll be treating any incident with the utmost gravity. And I hope that I’ll try and stop the greedy few from demanding compensation for innocent mistakes that have not caused them any real harm, perhaps by ensuring they know that those responsible will be making charitable donations to atone for their actions.

But above all else, I expect that I’ll want my colleagues to share the full horror of the incident - because if they don’t, then they may never appreciate just how personally betrayed an innocent victim of a data breach might actually feel.

Friday 6 November 2009

Another battle hymn for the (data protection) republic

According to my dictionary, an "ode" is "a lyric poem marked by lofty feeling and dignified style". So the following bit of doggerel is not an ode. But it is (somewhat) respectfully written - in homage to Google’s new “Dashboard” control panel, which enables people to more easily access and adjust their own privacy settings. The Dashboard was launched a couple of days ago, at a Data Protection conference in Madrid on 4 November.

I also (very) respectfully pay tribute to Alma Whitten, Google’s software engineer for privacy & safety, while imitating the style (and using many of the phrases) of Julia Ward Howe who, during the American Civil War, wrote the original verses of the "Battle Hymn of the Republic" in a single evening at the Willard Hotel, Washington DC, on 18 November 1861. That's almost exactly 148 years ago.

This blog was crafted during the course of a single evening, too. And it shows.

I hope Alma won't be offended. I certainly don't mean to offend her. I met Alma last week at the Demos event in Bradford (which sparked my 2 November blog) and really enjoyed her easy manner, professionalism and deep commitment to fairness and transparency. She's one of Google's shining stars!

Mine eyes have seen the glory of the coming of the Board;
It’s a simple way of knowing how your preferences are stored;
And soon it will be winning every privacy award;
Its truth is marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! The truth is marching on.

I've heard Alma speaking softly to a hundred data champs
They have builded her a platform for the evening dews and damps;
I can view her presentations by the dim and flaring lamps;
Her day is marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Her day is marching on.

I have read a fiery press release which really makes you feel
“You journalists are ignorant and just don’t get the deal”;
Let the Hero, born a woman, crush the serpent with her heel,
Since Alma’s marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Since Google's marching on.

Alma's helped to build a Dashboard where the picture is complete;
She is sorting out the hearts of men before they start to tweet;
Oh, with self control, now plead with her: Come photograph my street;
Our Alma’s marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! And Google marches on.

In the beauty of the lilies she was born across the sea,
With a glory in her bosom that transfigures you and me:
As she works to make men useful, let us work to make men free;
While Alma marches on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! While Google marches on.

She is coming like the glory of the morning on the wave,
She is wisdom to the mighty, She is honour to the brave;
I will start to use her Dashboard if you promise to behave,
As Alma marches on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Yes, Google marches on.

Thursday 5 November 2009

Wednesday 4 November 2009

If you need a cure for insomnia, try counting Statutory Instruments (rather than sheep) ….

The anoraks among us will have noted that my last blog contained a piece of information that could have been more precise.

I reported that “some” 15,694 Statutory Instruments had been nodded through Parliament since the last General Election. Have I counted them all? No, not individually. But I don’t actually know if anyone else has counted them all either. In fact, where can you go to get an accurate answer?

I’m quite confident that 135 Public Acts received Royal Assent between May 2005 and yesterday, as the Office of Public Sector Information helpfully appends a new “Chapter Number” to each Act as the Royal Signature is appended to the legislation. So I was able to refer to their website and learn that the Appropriation (No. 3) Act 2005 c.21 received Royal Assent on 20th July 2005, while the Parliamentary Standards Act 2009 c.13 received Royal Assent on 21 July 2009.

But Statutory Instruments are different beasts. Each SI is allocated a different number. But, like my sock drawer, some are missing from the final list. So they are either “secret SIs” or they’ve somehow gone AWOL between being initially allocated and completing their passage through Parliament. But I couldn’t be bothered to count them all individually. Instead, I started at the first SI to be passed since that election, “The Health and Safety at Work etc. Act 1974 (Application to Environmentally Hazardous Substances) (Amendment) Regulations 2005, SI 1308". This was made on 9th May, laid before Parliament on 12th May and came into force on 3 June 2005.

And I finished with “The A3(M) Motorway (Junction 5, Carriageways) (Temporary Prohibition of Traffic) Order 2009, SI 2901". This was made on 26th October and came into force on 31st October 2009.

Bored yet? I am. So I’ll wait for someone else to explain where a researcher can go to learn just how many Statutory Instruments do make their way onto the statute books.

Tuesday 3 November 2009

Consent – and the mess the EU Data Protection Burghers are going to get themselves into

Last week, on 29 October, the European Commission announced that it had moved to the second phase of an infringement proceeding over the UK to provide its citizens with the full protection of EU rules on privacy and personal data protection when using electronic communications.

Apparently, there is a gap in the law. The Regulation of Investigatory Powers Act 2000 (RIPA) authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. However, the “EU Data Protection Burghers” have declared that these provisions do not comply with EU rules which define consent as “freely given specific and informed indication of a person’s wishes”.

Unless a satisfactory response is received, the UK may be referred to the European Court of Justice.

What a load of rubbish. When was the last time that the British Government really observed such a narrow definition of “consent”?

I thought I would test this definition by comparing the legislation that has been nodded through Parliament with the commitments made to the electorate in the Labour Party’s last manifesto, published in April 2005, which set out their programme should they win the General Election in May 2005. If we have to live within the confines of our “privacy policies”, then perhaps so ought they.

But a 112 page pocket size booklet is a lot harder to read than most of the privacy policies out there.

What did it say about the Europe and the new Constitutional Treaty? Oh yes - page 84 explains that “It strengthens the voice of national parliaments and governments in EU affairs. It is a good treaty for Britain and for the new Europe. We will put it to the British people in a referendum and campaign whole-heartedly for a “Yes” vote to keep Britain a leading nation in Europe”.

And we all know what happened to that commitment. It was ignored.

Perhaps the Conservatives realised that they didn’t really stand a chance of winning, which is why their manifesto was only 29 pages long. Not much point in issuing a detailed explanation of promises you know you aren’t going to be expected to keep. Their "privacy policy" was much more succinct. At the very bottom of the last page (page 29) they proclaimed that “Within the first day, we will set a date for the referendum on the European Constitution, in which we will campaign for a “no” vote".

And we all know what happened to that commitment. Today, after the leader of the Czech Republic had signed the treaty, the commitment was annulled.

I then decided that there was more to life than looking at political manifestos, and will await the publication of a learned article from a political scientist who has looked more closely at the 135 Acts and some 15,694 Statutory Instruments that have appeared since May 2005. How many of these were anticipated in the Labour Party’s manifesto? And, to what extent has the consent of the British electorate been “fairly obtained” in all of those cases?

But my point is a serious one. Why should these “Burghers” be allowed to raise the bar so high in creating a concept of “consent” if they so blissfully ignore similar standards when national politicians seek a mandate to rule us more generally?

If the EU thinks it’s on a winning streak by criticising our RIPA provisions, then it’s going to have its work cut out should it ever be invited to examine some of the other pieces of legislation that Parliament has recently nodded through.

Monday 2 November 2009

Consent and (the relative comfort of) State Control

Why have a lie-in on a Saturday morning in the comfort of your London flat when instead you can be up at the crack of dawn and travel with Demos Researchers Peter Bradwell, Dan Leighton and Max Wind-Cowie up to Bradford to help out their “People’s Enquiry” into Personal Information? Well, I fell for that argument, and was really glad that I did.

Having previously addressed the group that had met at the Demos HQ in London on Wednesday 28th October, I was ready to speak to a group of people that I expected to be engaged, dispassionate, keen to ask probing questions, and very accepting of the fact that others should feel free to express views that were quite different to their own. And I was not disappointed. What a pleasure it was to meet such a friendly bunch who welcomed me into their midst and treated me, a newcomer, to their deliberations with such courtesy and respect.

Returning to Leeds Station later that afternoon, my mood changed from one of elation to one of despair. The main route to the railway station had been sealed off by West Yorkshire Police who were striving to contain a small bunch of mindless thugs, mostly extremists from the English Defence League, who had congregated in Leeds city centre to campaign against what they saw as the perils of Islamic fundamentalism. Opposing them, a few hundred yards away, were a small group of rival demonstrators from Unite Against Fascism. And the police were stuck in the middle, trying both to record the scenes on film and also to gently remind the crowd of onlookers (who greatly outnumbered either group of demonstrators) not to encourage the thugs to partake in any more acts of mindless vandalism.

Just what sort of society are we living in? The police were trying their hardest to be professional and dispassionate, and to reduce the tension that was evidently in the air. At the same time, they were being required to respect the rights of a bunch of bigots who were screaming messages of hate and intolerance to anyone who would listen, and who were threatening violence to anyone they could get close enough to lay their hands on.

So, I have a message for Peter, Dan and Max. Next Saturday, as you travel to Bradford for the next session of the “People’s Enquiry”, don’t bother travelling much past Leeds Railway station. The pleasant, thoughtful and considerate group that meets in Bradford doesn’t really need your assistance. They can do the work very well by themselves. It’s that small group of fascist thugs you really need to turn your attention to, many of whom were barely out of their teens. Why should they be afforded police protection to enable them to spread their vile message, when what they so desperately need is to be educated in the ways of expressing different ideas and values in an atmosphere of mutual tolerance and respect?

First Blog of the Year (Not bad considering it's November)

First Blog of the year!