Monday 29 March 2010

(When) should authorities share personal information?

There are some people I know who would prefer to share their last Rolo with a business partner rather than share any personal information. Or share the personal information of the people whose details have been entrusted to them.

Does this actually make sense – especially within the public sector, when most ordinary citizens would be mortified to learn of some of the barriers to data sharing that have been created by some of the public sector data barons? Is this because they sincerely believe that the law does not allow them, a respectable public authority, to share information with another respectable public authority? Or is it because they are afraid of the consequences of losing control of that precious information? Or that they have been paralysed by fear of retribution should a data sharing agreement go wrong, resulting in a breach (by someone else) of the very same information that they passed to the that other authority? Or is it that they are on some ego trip where, as masters of their particular universe, they just can’t be bothered to help another authority?

These were some of the issues that were considered by a group of people who were brought together today to consider the vexed matter of whether information sharing should be more forcefully encouraged. Somewhat appropriately, the meeting was held in the palatial surroundings of the Wellcome Trust along Euston Road. For those who love ironies, that organisation is a global charity dedicated to achieving extraordinary improvements in human and animal health. It shares information about treating the diseases that were originally shared between the patients.

I won’t bore you with details of the proceedings of the event, as it’s an issue that I’m sure will keep me and fellow bloggers occupied for many months to come. But I do want to make just a couple of points at this stage. A point about culture and a second, more fundamental point, about the nature of the information that may be shared by consenting authorities in the first place.

First, culture. I think that everyone present today agreed that the problem that faced authorities when deciding whether to associate themselves with a data sharing initiative wasn’t necessarily the law. That can always be changed – and in any case is often quite out of date, as it was created to respond to a set of situations that may no longer exist. Just because a law did not explicitly provide for information to be shared, it didn’t necessarily mean that authorities didn’t have the right, if they chose to exercise a bit of common sense, to participate in a data sharing initiative – especially if it seemed like quite a sensible thing to do. The key brake to the development of data sharing initiatives could me more to do with culture – the culture either of the authority in general, or the culture of the “data protection” or “legal” guru within the authority. These gurus could frequently punch above their weight, as data protection is often dressed up as a dark, complicated and precise science, just like accountancy.

But it needn’t be that complicated, especially if you strip the issues back to their basic principles. However, the holders of the data protection grail, so to speak, have been known to communicate in hushed tongues and use language that hardly anyone else understands, and that can confuse the followers. Who else uses phrases like “transborder data flows”, or “breach notification requirements”? Homer Simpson certainly doesn’t.

But “cultural change” requires a change in people’s attitudes. And that means a change in the way our chums in Wilmslow promote data sharing initiatives. Take a look at the last crop of their press releases. Most of them refer to mistakes – and the dire consequences which flow to those responsible for them. Very few applaud new initiatives. There’s not much of an encouragement – perhaps if data controllers thought it was ok to experiment – and occasionally fail – a new attitude might prevail. “Yes we can.” That’s a good phrase. Not sure if it will catch on in Blighty, though.

Second, personal information. What surprises me is the extent to which so many agencies try and place barriers between those who need, for perfectly honourable intentions, to share information that’s already in the public domain. Names and addresses are on the electoral register. Criminal convictions are published by courts. So if it’s acceptable to visit libraries and courts, and copy out in long hand details of people’s names and addresses, and their criminal convictions, they are so many barriers placed in front of those who wish to share the information electronically?

If the Parliamentary authorities really knew where people like Baroness Uddin lived, then there wouldn’t be so much confusion about whether she was entitled to draw over £100,000 from the public purse, claiming entitlement to certain allowances, to maintain her opulent lifestyle. Today’s “The Times” reported that “the Crown Prosecution Service announced yesterday that it could not bring criminal charges against Baroness Uddin, a Labour peer who received more than £100,000 in allowances by claiming that her main residence was outside London. Her family home is in Wapping, East London, where she has lived for more than a decade.” Or, taking another example, the paper also reported that, “the Labour peer and donor Lord Paul revealed this week that he would not be prosecuted either. He was investigated by police after he admitted that he never slept in the property outside London he called his main home.”

But enough of the Peers, who can surely look after themselves. I’m more worried about the people. And I would cheerfully bet my last Rolo that they are amazed that public authorities find it hard to share details each another (and private authorities for that matter, too). When my mum dies, I want to be able to tell some public official about it, once. I really don’t want to be expected to get a dozen death certificates and send them to a bunch of different public agencies. Similarly, (and before she dies) when she moves, it would be nice if she could just register the new address once. And let that organisation share that news with the authorities that matter – like the local council, NHS, Meals on Wheels, Equifax, British Telecom, British Gas, Police National Computer, TV licence authority, National Identity & Passport Service, HM Revenue & Customs. And, while they're at it, her bank, Facebook, Bebo, Mashi Monsters and LinkedIn etc, etc. Why feel obliged to do it so often when conceivably you could just do it the once?

Will it ever happen? Possibly not in her lifetime. Or in mine.

But perhaps, in someone’s.

Sunday 28 March 2010

Another nail in the voluntary data breach notification coffin?

“It’s full of excellent people with first class brains, engaged in brilliant debates. The trouble is that most of them are completely detached from the real world.”

That’s a quote from former Chancellor of the Exchequer Kenneth Clark, speaking on television yesterday about his old Treasury colleagues.

All well and good. But why am I using that quote in this blog? And why am I using the logo of the Beijing Olympic games, held between 8-24 August 2008?

Here goes. I’ve just read a press release from the folks up in Wilmslow, and can’t quite understand the point of it. I’m obviously missing something very profound, but it doesn’t make much sense to me when you take it at face value.

A few days ago, the Information Commissioner’s Office announced that one of the top bods running the British arm of Zurich Insurance has just signed an Undertaking following a security breach. When was the breach? Err, actually it was back on 11 August 2008. Over 18 months ago. During the Olympics. Can anyone else remember that day? Hint – it was the day that British divers Tom Daley and Blake Aldridge came 8th in the men’s synchronised 10 metre platform diving competition.

But why should the Commissioner decide to take action now, so long after the event? That question really irked me. And it still does.

The official account of the breach seems reasonably straightforward. Apparently, a data processor (Zurich Insurance Company South Africa) lost an unencrypted back-up tape containing financial personal information relating to 46,000 (British) Zurich Insurance policy holders. The loss occurred during a routine transfer to a data storage centre in South Africa. The data processor waited for more than a year before reporting the incident to Zurich Insurance back in Blighty. Red faces all round. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.

So why has it taken so long for the Commissioner to get Zurich to sign an Undertaking to ensure that back-up tapes are encrypted? And why has it taken so long for the Undertaking to commit Zurich to put in place controls to monitor and promptly report potential or actual data loss activity? And for the Undertaking to require that steps are taken to ensure staff and external contractors are made fully aware of security procedures and adequate checks are carried out on contractors’ staff?


Interestingly, Sally-anne Poole, Head of Enforcement & Investigations at the ICO, was quoted in the press release: “I am pleased to see that Zurich Insurance plc has taken remedial steps to ensure individuals’ personal details are protected in future.”

But if Sally-anne’s so pleased with these remedial steps, then why on earth has it been necessary to get Zurich to sign the Undertaking in the first place?

Sally-anne also said: “I encourage all organisations to report any serious data security breaches to us so that the nature of the breach or loss can be considered.”

Some encouragement this is.

Perhaps it’s just another nail in the voluntary data breach notification coffin. After all, it’s hard to fault the British Data Protection team at Zurich for their actions. It appears that very shortly after they heard the awful news from South Africa, they had made a confidential confession to the Commissioner (on 3 October 2009) and had followed it up with a formal notification once they had completed their investigations, on 27 January 2010. They’ve already notified the affected customers (and did so way back in October 2009). And, they’ve already agreed to:

a) tighten up the future movement of backup tapes, and use encryption, as appropriate
b) ensure that staff and external contractors are made fully aware of such security procedures and adhere to them;
c) carry out adequate checks on contractors’ staff; and
d) establish effective controls to monitor and promptly report potential or actual data loss activity.

But what’s the point of notifying the Commissioner of a data breach if you’ve already done everything you can to prevent losses occurring in future? It obviously can’t be to avoid potentially damaging publicity about the breach, as the Commissioner’s Office has just issued a press release about this one.

Has the Commissioner’s “confessional chamber” already been dismantled and replaced by a new “court room cum public whipping post”?

Perhaps I should ask the Commissioner to explain the benefits of voluntary breach notification. Because, on just the facts of this press release, given the regulatory action taken by his officials, it really doesn’t make much business sense.

Oh, and for the record, I don't personally believe that the people in the Commissioner's Office are actually “completely detached from the real world.”

A full copy of the Undertaking from the top bod at Zurich can be viewed here:

Saturday 27 March 2010

RIPA and the naughty step

On 26 January I commented in my blog about the way the Department of Work and Pensions (DWP) had decided not to use the provisions available under the mighty RIPA (Regulation of Investigatory Powers Act) to get information from communication service providers and internet service providers.

I’ve now found 2 other public authorities who have also found RIPA not fit for their purposes, and so I propose to make them sit on the naughty step too.

If things carry on this way, I’ll need a larger naughty step.

So who gets to join the crew from the DWP? Why, it’s our old friends from the Office of Communications (Ocfom) and also the Financial Services Authority (FSA).

Let me try and explain why.

The creators of RIPA tried to make life complicated, by ensuring that various public authorities could only use RIPA powers for certain purposes. But it appears that drafting errors have occurred, which have resulted in Ofcom and the FSA arguing that the powers available to them within RIPA are not wide enough to let them carry out their jobs properly. So they have decided to carry on exercising what are known as concurrent powers (ie powers given to them under other bits of legislation, that they really should have give up if only RIPA was written correctly.)

When was the last time that the RIPA legislation was considered in Parliament? A few years ago? Actually no – believe it or not a raft of RIPA consolidating orders were discussed by Parliament last month. They were considered by the First Delegated Legislation Committee of the House of Commons on 8 February, and on the floor of the House of Lords on 23 February. However, the people who prepared the briefing papers for the debates apparently decided to not to address the thorny problems experienced by Ofcom and the FSA – so no politician mentioned it either.

Lets be clear about the purposes for which communications data can be used (if you get the Home Office to put you on the right list). The Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010 No. 480), which will come into force on 6 April, already allows communications data to be used for the following purposes:
(a) in the interests of national security;
(b) for the purpose of preventing or detecting crime or preventing disorder;
(c) in the interests of the economic well-being of the UK;
(d) in the interests of public safety;
(e) for the purpose of protecting public health;
(f) for the purpose of assessing or collecting any tax, duty, levy or other charge payable to a Government Department;
(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.
(h) to assist investigations into alleged miscarriages of justice; and
(i) to assist in identifying a person who has died or is unable to identify himself because of a physical or mental condition, other than one resulting from crime, or to obtain information about his next of kin or others connected with him or about the reason for his death or condition.

Section 7 of the explanatory memorandum to the SI (also known as the Ministerial crib sheet) explains that the consolidating order “provides in one place a list of those public authorities which have a legitimate requirement within the regulation provided by RIPA to interfere with an individual’s right to privacy.”

And, a little confusingly, it also mentions both the FSA and Ofcom.

It explains that the FSA “has statutory responsibilities for investigating and prosecuting particular criminal offences to maintain market confidence. Communications data are used mainly in the investigation and prosecution of insider dealing under the Criminal Justice Act1993. Other investigations in which covert techniques have been used include unauthorised collective investment schemes under the Financial Services and Markets Act 2000 (FSMA). The FSA is increasingly involved in detecting criminal activity on the internet. Unless these kinds of professional financial collaboration are addressed effectively they would operate against the consumer’s interests and could damage the integrity of UK financial markets.”

It also explains that Ofcom “is the independent regulator and competition authority for all the UK communications industries, with responsibilities across television, radio,telecommunications and wireless communications services. It acquires communications data to investigate the location and operation of illegal radio broadcasters under the Wireless Telegraphy Act 2006. This essentially means people who buy equipment from the internet and set up hidden studios to broadcast at any frequency in the radio spectrum regardless of whether that frequency is already licensed to a legitimate station. These unlicensed operators pay no taxes, provide unfair competition, interfere with legitimate broadcasters and their audiences, and disrupt vital safety of life emergency services.”

So what is it that the FSA & Ofcom do that isn’t already listed under the permitted purposes above?

Get out the wet towel and stick your head under it.

It appears that the FSA is required, under Article 12(2) of something called the Market Abuse Directive (as implemented in the UK by Section 173(3) of the FSMA) to have powers to obtain communications data in order to enable the investigation of market abuse. And, incredibly, it is argued that this activity is not covered by any of the current statutory purposes.

Ofcom, on the other hand, is required to assess whether companies are or have been misusing and electronic communications network or electronic services. And as, incredibly, it is argued that this activity is not covered by any of the current statutory purposes, it has decided to use powers given to it under Section 128 of the Communications Act 2003.

I do find it odd that the FSA can’t argue that it's investigations into matters of “market abuse” can’t fall within RIPA purposes of

b) preventing or detecting crime or of preventing disorder, or
c) in the interests of the economic well-being of the United Kingdom

And I also find it odd that Ofcom can’t argue that it's investigations into the misuse of an electronic communications network can't fall within the RIPA purpose of

b) preventing or detecting crime or of preventing disorder

Hey ho, we live in interesting times.

But until they do fall properly within the RIPA regime, they can both keep the DWP company on the naughty step.

Tuesday 23 March 2010

They're changing the guard ...

One of the ICO’s straplines is “uploading information rights”. And they’ve been practising what they preach. Yep, in a historic first, I’ve noticed that the team have recently published a chart on their website which sets out the Office’s structure. So now we are better informed as to who is responsible for doing what. It’s pictured on the left. And it can (or it could – depending on whether the link is broken) also be found by clicking on

You may know that there’s been a bit of a reorganisation going on up in Wilmslow. CVs have been polished. Suits have been dry cleaned. Haircuts have been had. Jobs have been re-applied for. And the mists are beginning to clear. And, no doubt things will get even clearer as the year rolls on.

These charts are useful. I remember, about a decade ago, working for a company that experienced a dawn raid which involved some bods from the European Commission and a bunch from the OFT. They arrived at "dawn", continental time, which was actually 8.30am. They didn’t wear combats or balaclavas, or carry any riot gear. One of the gentlemen from the European Commission did bring his own box of sugar substitute to put in his coffee, though, as he wasn’t certain that our canteen would have an alternative to the real thing. This was England, after all.

We did have an alternative, I remember proudly telling him. We had white sugar. And we had some brown sugar. Somewhere.

Anyway, the point of the story is that the first thing the “dawn raiders” did, so to speak, was to ask for an organogram, as they didn’t actually know who they should really be speaking to, now that they had actually got through the front door.

So, to all of my readers who haven’t quite managed to get through the front door at Wilmslow yet, who would you want to speak to if you had a problem?

Or, to plagarise the strapline from a series of iconic TV adverts that were broadcast at the end of the last century, "who would you like to have a one-to-one with?"

If you’re really lucky (or naughty), it will be straight upstairs to met Christopher Graham himself, who is now styled as the Information Commissioner and Chief Executive. But as he's a busy man, its more likely that someone else will offer you some coffee and a selection of jammy dodgers.

The organisation now appears to have been split into seven areas.

Five of these areas are led by named individuals, who are called Directors. And their photos have been published for everyone to see what they look like too. So you may well get to meet one of these instead (or as well as Christopher Graham).

Vicky Best is the Director of Organisational Development. She directs 4 areas: human resources, learning & development, talent & development and facilities.

David Smith is both a Deputy Commissioner and the Director Data Protection. He directs strategic liaison.

Graham Smith is also both a Deputy Commissioner and the Director Freedom of Information. He directs policy delivery.

Susan Fox is the Director of Corporate Affairs. She directs 3 areas: communications planning, online & internal communications, corporate governance.

Simon Entwisle is the Director of Operations. He directs 7 areas: good practice, customer contact, complaint resolution, enforcement, Scotland office, Northern Ireland office and Wales office. Whether he has more staff under his control than say Graham or David Smith is not clear. But as I’m not really a “people person” myself, I can’t say that I envy Simon for appearing to be responsible for more individuals than the Smiths. I much prefer to handle strategic problems, rather than personnel (or personal) problems. Give me a knotty strategic issue any day, compared with a bunch of unhappy team members to deal with!

The remaining 2 areas, Information Services and Finance, don’t yet appear to have Directors.

But these are early days, and it will be interesting to see who else gets what job, and how this helps Christopher Graham transform the Office into the world class organisation to which it aspires.

So, this is “freedom of information” in operation. Let’s congratulate these Directors on their recent appointments, and await further developments with interest, as the organogram mutates.

Monday 22 March 2010

The people speak – say Demos

Hot off the (real and virtual) press is a good read from those clever folks at Demos.

Demos is a London-based think tank which has accommodated thinkers who are capable of clearing their heads and thinking new thoughts. Which is not easy when the builders have been busy tearing down or noisily refurbishing the plots adjacent to their offices for the past four years, non-stop. So now they have a new office block directly in front of them. And a new office building immediately to their right. And, an almost-ready office block immediately behind them. If you were a conspiracy theorist you would assume that the building work has been sponsored by other think tanks who are jealous of its reputation - perhaps the Institute of Economic Affairs, the Adam Smith Institute, or even Chatham House. Probably not, though.

But I digress.

One of their number, Peter Bradwell, has just written up the results of their people’s enquiry into personal information. What’s all that about? Well, as Peter explains:

It’s “about what the public thinks about how personal information is used. It sets out the opinions and ideas expressed by 40 people following a month-long, deliberative ‘people’s inquiry’. Over 13 hours they were informed by a series of expert presentations, and then given the time and space to reflect, debate and decide what they thought about the use of communications data, targeted advertising and the use of medical information.”

And what happened during those 13 hours? Again, in Peter’s words, “they heard from expert representatives from the NHS, search engines, mobile phone companies, from lawyers and from consumer advocates. The aim was to facilitate an informed discussion with participants considering a range of opinions on the risks, benefits, opportunities and challenges of the phenomenal explosion in the means to gather and use personal information.”

And I have to say the people they heard from were good. From what I was told, they told it straight. They weren’t there just to “sell” one particular side of the story. What a waste of time on everyone’s behalf that would have been.

So, what happened?

Well, continued Peter: “Across our three topics inquiry members were asked to consider the legitimacy of personal information use; the extent to which they can control it; and which ‘calls to action’ they demanded regulators, government and businesses listen to.”

And the result – cummon, let’s cut to the chase. What do they really think then, Peter?

“The people’s inquiry indicated that people are not running scared of the database society, but at the same time they care deeply about its governance. They recognise that there are legitimate ways to gather and use information. But over the course of the inquiry they came to require more convincing that the aspirations driving the use of personal information were realistic, or that information would only be used to pursue the intended purposes.”

Oh, that doesn’t sound too welcome for those folks over at BigBrotherWatch, then, who are keen to smash the database state. But what does Peter say that might just accord with their agenda?

“Our participants offer a clear call for more meaningful ways to give their consent and for far stronger regulation to hold data handlers to their word. For example, they want those who mishandle data to be named and shamed, they would like to see regulators develop a kite-marking scheme to help improve awareness of good practice and they want consumers harmed by the misuse or illicit sale of information to be compensated. The findings serve as an insight into the informed attitudes of people who are affected by information use. But equally, they serve as a demonstration of one mechanism for ensuring that the development of personal information use is legitimate and democratic.”

That’s better. So it’s not all good news, after all. Perhaps we should sell some of our shares in the database state, just to be on the safe side. We don’t want to be too heavy in that area when it all goes pear-shaped again.

But it is quite a nuanced report. And since the main text is only spread over 90 pocket sized pages, if I were you, I would better start reading it. You can purchase the paperback for £10, or you can downnload it as a .pdf file free of charge. My, I love .pdf files!!

If you want to download it, you know what to do, don’t you? Just point your browser to . And click.

Sunday 21 March 2010

What’s (really) the buzz then?

Those eagle eyed data protection commentators might well have been slightly confused as they tried to glean any special meanings from the material that that just been released by the highest of the high priests of Data Protection.

Let me try to blow away this fog of mystery.

Over in Brussels, a document has just wafted in from on high. Last Wednesday the Article 29 Working Group, that conclave of privacy wonks, has finally released an opinion on what it thinks really matters. The opinion? - Oh, it’s a document, which it actually agreed back on March 5, commenting on some tweaks to the “standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU.” Yep, it really rolls off the tongue. It’s important in that it discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing.

The clauses are quite important for the lawyers and the backroom boys, as they provide a legal basis for transferring personal data from the EU to data processors in other countries, and are often used in, for example, outsourcing contexts. Among the changes proposed as a new clause that for the first time would provide a legal framework for data transfers from one processor to another. This situation can occur, for example, when a data controller in the EU outsources the processing of personal data to a data processing company in the US, which in turn outsources the processing to a company in India. So far, European data protection law has been silent on the conditions under which such a transfer could be made between data processors.

Some of the other clauses proposed by the Working Party have been criticised as appearing to be unrealistic and unworkable, such as requiring audits by data protection authorities in countries outside the EU, or requiring that the contract between the data processor and the subprocessor, be governed by the law of the country of the data exporter in the EU. But this is only an opinion b the Article 29 Working Party. The final decision (which is to be made by politicians following briefings from bureaucrats within the European Commission who naturally know less about data protection than the Working Party) on the clauses is not expected for a few months.

And what guidance do we have from the People’s Republic of Wilmslow on this opinion? Er, not much actually. Or, putting it another way: none at all, actually. The ICO’s press machine has obviously been a bit distracted from these European developments, as it’s been publishing other stories. So I can only assume that these are more important.

The day before the opinion was agreed in Brussels, Christopher Graham took the opportunity to speak at the DMA Conference and announce the publication of updated guidance for political parties and candidates covering a range of communication techniques including direct mail, emails, text messages, phone calling and automated phone calls. The guidance applies to direct market campaigning, such as encouraging individuals to vote for a particular party or candidate, appeals for funds and support for a campaign.

And the next statement to be published by the Press office appeared last Wednesday – but not on the Article 29 Working Party’s initiative. What was more important that this piece of work? Why, the news that that the Royal London Mutual Insurance Society breached the Data Protection Act after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. Michael Yardley, Group Chief Executive Officer of the company, has now signed an official Undertaking to ensure that portable and mobile devices including laptops are encrypted.

Naughty, naughty.

But at least we know where the Commissioner’s priorities lie. In essence, don’t worry too much about the opinions of the learned Article 29 wonks about words in obscure contracts that no-one really reads. Instead, stick to the knitting. And that means that we should all try our best to ensure that:

• Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent.
• Appropriate physical security measures are taken to prevent unauthorised access to personal data;
• All staff are made aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;
• And also, if you get caught, implement such other security measures as the Commissioner deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

Saturday 20 March 2010

There really isn’t anyone at home

I’ve read a series of almost identical articles recently, all of which are suggesting that people who over enthusiastically blog about themselves – and particularly their movements, might soon face quite dramatic increases in their home insurance premiums, as thieves will quite simply be better able to plan their burglaries, in the sure knowledge that no one is at home.

If your device shows that you are in a specific spot in the middle of a city, then you are unlikely to be at home.


I wonder how long it took the journalists to realise that.

And I wonder how long it will be before these journalists start to predicted that the new wave in social media could eventually lead to big rises in home insurance premiums.

Even the Telegraph has been getting in on the act. As early as 19 February of this year, it covered the story. Apparently Darren Black, the head of home insurance at, said: "I wouldn't be surprised if, as social media grow in popularity and more location-based applications come to fore, insurance providers consider these in their pricing of an individual's risk. We could see rises of up to 10pc for people who use these sites.

"Criminals are becoming increasingly sophisticated in their information gathering, even using Google Earth and Streetview to plan their burglaries with military precision. Insurance providers are starting to take this into account when they are assessing claims and we may in future see insurers declining claims if they believe the customer was negligent."

So, offers the following advice to users of social networking websites:

• Never post your home address or other personal information such as your home phone number on social networking sites
• Don't follow people you don't know on social networks and use block others from seeing your profile if you don't know them
• Turn off location-based services on Twitter and Facebook unless you absolutely need to use them

I wonder how often stock articles such as this one will appear every time a web publisher has a few lines of media space to fill, before the reader’s eye is expected to glance at the next advert. I confidently predict that we will get to see this stuff as regularly as we get warnings that we should disregard advice that its unlawful to photograph your children during the annual sports day or nativity play event at school.

Out will come this basic, basic stuff. Is there still, really, a need for such simplistic advice? Are people really so stupid (or, expressing the question in a more charitable manner, are they really in need of awareness initiatives such as these)?

Or is this the sort of material that really is required in order to teach people the basic digital skills of life – the sort of stuff I blogged about yesterday?

Perhaps I should write a series of short articles entitled “digital skills for dummies”. You read about it here first – so please don’t think you can nick the title. Do all the work, if you like, but give me the credit for creating the strap line. Then we can share the proceeds.

All articles, for publication in this “dummies”, will be gratefully received. And even acknowledged. Let me know if you are interested. My email address is on the left!

Friday 19 March 2010

Learning an essential life skill

I attended an excellent session at the think tank Demos today, where one of the participants said something so profound that I thought I should blog about it as soon as I could. So here it goes:

“Managing your privacy in a digital age is an essential life skill.”

This is a simple, but very profound statement, as it reminds us all that privacy is very much a process that everyone has a role to play in. It’s not simply about an individual, having rights to information about themselves that are inalienable and where they accordingly have an absolute right to veto any uses of that information which they find unacceptable. And nor is about the rights of data controllers to do whatever they want with information they are able to obtain from, say, a range of both private and not-so-private sources.

In a few years time, privacy will turn out to be a “negotiable settlement” that will depend on the various benefits that are available to each of the stakeholders. But we are not there, yet.

Neither people nor businesses should assume that privacy has an apocalyptic future.

It’s a very personal thing that will eventually enable individuals to trade certain information about themselves for certain types of tangible benefits. But we are not there yet – and all he organisations that rely on this personal information still have to develop proper tools that enable them to properly assess its value, in order that it can be properly traded.

What’s the ultimate aim – probably to ensure that individuals can acquire and store two types of information, which could be used for different purposes. The two types of information, putting them crudely, are personally identifiable information, and personally embarrassing information. There may be many times when we wish to control the “identifiable” information, in order that we can share it when we want to access certain services (particularly say financial services. On the other hand, there may also be times when we want to carefully control the information which, in the wrong hands (or servers), could be embarrassing. I may be happy sharing images of me enjoying myself with my friends, but I may not be too keen on other work colleagues or journalists seeing just what I’ve been getting up to.

And who will equip people with the life skills they need in this digital age? I'm not sure yet, but when I know, I’ll certainly be blogging about it!

Monday 15 March 2010

Do we need explicitly consenting patients?

I’ve just had a letter from my local health authority. It tells me that the National Health Service is changing the way my health information is stored and managed.

Apparently, an NHS summary care record is being introduced to help deliver better, safer care. This electronic healthcare record is to be made available to authorised healthcare staff (whoever they turn out to be) so that the clinicians treating me will have immediate access to important information about me. And, over time, the local health authority may add details of any health problems, summaries of my care and the professionals treating me. I’ll even be able to go on line to view my summary care record – and I wonder just how many others will be able to go on line and view my record too.

The nice bit about all of this is that I don’t have to do anything. Not a thing. No forms to fill in. No phone calls to make to confirm I am who the authorities think I am, and that my details are all up to date. It’s not like I’m applying for a postal vote, after all. The wonderful news is that “If your GP practice does not hear from you by 24th May 2010 it will be assumed that you are happy to have a summary care record, and the process of creating a record for you will begin.”

So, in medical terms, in order that the local health service can change the way it deals with my medical information (or sensitive data, as the data protection gods knowingly call it), I don’t need to offer any consent – or even an acknowledgement that the letter that was addressed to me actually reached me. I wonder how many “homes in multiple occupation” will all have had their letters safely delivered to the various addressees. I guess we’ll never know – and the overwhelming majority of us will probably not care.

I don’t think I’ll care about this too much just yet – unless and until, that is, I receive an assessment letter from someone up in Wilmslow indicating that it is their preliminary view that I have taken insufficient steps to notify someone who has complained to them of some new form of processing, and that I’ve been careless in obtaining consents, and accordingly that I have breached a Data Protection Principle.

I would have loved to have been a fly on the wall when the NHS oiks explained to the Commissioner just what it was they were intending to so, and why express consent wasn’t on the cards, so they were going to make it harder for people who get upset about these things to register their objection. After all, the letter I was sent from my local health authority tells me that the form to complete and return to my GP if I do not want them to create a record is not part of the package of literature that is sent explaining the advantages of the new scheme. Instead, you can find it on the internet at Oh no you can’t. That’s the page which basically provides me with the information that was in the letter that I recently received. You have to point your browser to another link,
and then you have to print off the form and return it to the participating GP practice. Apparently this can’t be done on-line – perhaps they don’t trust electronic communications. But I also apparently don’t need to offer any proofs of identity when sending the completed form to my GP’s practice.

I appreciate the way that Tracy, the Chief Executive of my NHS Trust, has made it so easy for me to have one. As she lovingly wrote the end of her letter, “If you are happy to have a summary care record then you do not need to do anything, as this will happen automatically.”

All quite interesting, really. But what’s the point?

If this is a new purpose, then the law would expect a responsible data controller to obtain the consent of an affected individual. And it if related to a new way of processing sensitive data then the data controller would be expected to obtain the explicit consent of the affected individual. As I am not being offered the opportunity to offer any form of meaningful consent (unless we have finally killed off the old mantra “silence does not equal consent”) then surely the only way this scheme is going to work legitimately is if the health authority is not processing my sensitive personal data for any new purpose in the first place. And if the Health Authority is not adopting a new purpose then why on earth is it writing to me to give me the opportunity to object to my data being used for this purpose? The NHS is strapped for cash. Budgets are tighter than ever, and essestial services are increasingly at risk. I would have much preferred the money spent on this exercise to have been diverted to another purpose - like protecting children such as “Baby P” from his parents, and from the overstretched healthcare professionals within my Health Authority who so badly let the little boy down.

If Haringey Health Authority really is to retain credibility, let’s have it spending scarce resources where it most matters - not bothering people about stuff that really isn’t as important as fixing the blindingly obvious basics within our healthcare system. It’s giving Data Protection a bad name!

Saturday 13 March 2010

Comparing the mask(ed privacy policy)

This week, which has seen the world premiere of “Love Never Dies”, the sequal to Andrew Lloyd-Webber’s amazing “Phantom of the Opera”, has set me thinking about privacy policies, and why, in their current form, they appear to be almost useless.

What’s the point of being obliged to provide a notice that almost no one reads? And if they do read it you have to question why they don’t get out more. Is it because the authors of the privacy policies are being deliberately vague and secretive about their privacy practices? Unlikely. Or that there is no generally accepted way of setting them out, so consumers have no real means of being able to compare like with like. Quite possibly. I have not come across too many policies that require the attention span of the sort that Albert Einstein had to comprehend them. But, on the other hand, I have not come across too many policies that Homer Simpson would have easily been able to understand and compare, either.

Even in the same industry, companies have a very different approach to the concept of just how much information needs to be put in a policy. In the telecommunications industry, for example, I can print off an Orange privacy policy on about 4 pages. But I need to stuff 30 pages into the printer if I want a permanent record of Vodafone’s privacy policy. Is one company being any fairer or more transparent than the other? Probably not. They just have a different view about what it is that they would like to say.

And I suspect that the proportions of customers who have read these policies are pretty similar.

Is there another way? – Perhaps a new way of being more informative? After all, when I want to compare flight airline companies, it’s easier – as they set the information out in a more navigable way. Or when I want to know what film to see at the weekend, I know where I can go to compare the reviews (as well as what time each cinema is showing it).

Why can’t we develop the same concept in data protection terms?

If I were a customer, thinking of buying a particular web application or electronic service, I might well want to read material which helped me answer the following questions, in order that I could understand how my privacy was being respected:

Who is providing me with this application/service?
- how can I contact them?
- what will happen as a consequence of my using it?
- how might it cause me any harm?

What information about me or my usage will be created?

With whom may the information be shared?
- how I can exercise any choices about this?

For how long could the records exist?
- how can I access them?
- can I delete any of them?

I quite like the idea of the information being provided simply, and in an easily comparable format. So long as data controllers are transparent in setting “customer expectations”, then presumably customers are capable of looking after themselves. With the exception of “public services”, customers are not generally “forced” to consume many types of electronic services. They generally “decide” to buy or consume these services. Special measures will obviously need to be in place for vulnerable customers, if the service is directed at, or capable of being used by, vulnerable people. But surely these are a minority of services that are now delivered electronically. And I presume that the more socially responsible data controllers will place the electronic services that are more capable of causing harm behind age restriction barriers.

I’m not sufficiently close to the application or electronic service development community to fully appreciate the format in which they all like guidance, or requirements, to be delivered to them. The developers I know prefer working from lists of requirements rather than finely balanced statements – but that may not be a representative sample of the developer community as a whole.

My only other thought in this blog is I’m not sure what governance process might need to be created to monitor compliance with these standards. If businesses have committed themselves to the principles then it follows logically that they have also committed themselves to enforcing the principles. Who, in practice, will be monitoring the standards, and who, in practice, will be removing apps from the stores when they do not meet the relevant standards, is something I may return to in a future blog. Is it the Office of Fair Trading, or the Information Commissioner's Office?

Or, in the event of serious disputes between individuals and data controllers, perhaps someone who used to work at both the OFT and the ICO?

Step forward again, Richard Thomas!

Sunday 7 March 2010

Has the DPA registration fee, like the dog licence, had its day?

We have a new ICO.
It has a fresh mandate.
And a fresh logo. Out with the old. In with the new.
But what will really change?

The new ICO has a new mission, and a series of challenges it has set itself. By 2012 it is to be:

• More committed
• More joined up
• Better integrated
• More focussed
• On the ball
• Alert to the needs of its stakeholders
• World class

It makes you wonder what the previous Information Commissioner, Richard Thomas, was doing all that time then, if this is to be the new focus of the Office. But how will it do this when it has to exist solely on the income it derives from DPA registration fees? It’s not immediately clear how great the additional revenue will be from the larger controllers, who now pay £500 a year. But equally it’s not immediately clear what damage the economic recession has done to the great majority of businesses, or start ups, whose finances are stretched and who may overlook a £35 fee. That’s less than the price of a decent seat to watch a home match featuring Arsenal Football Club. In fact, unless you are a senior citizen or a Junior Gunner, that’s less than the price of any seat for a Category A match at the Emirates Stadium.

So, who will value something that costs just £35 to register for? I’m just about old enough to remember dog licenses, which were abolished in 1987, at which time it stood at it 37½p and was held by only around half of dog owners. The system fell into disrepute as no one could really be bothered to enforce the law. Apparently, the Dogs (Northern Ireland) Order 1983 continues to provide for a licence system in Northern Ireland, because it was felt that there was a greater problem of stray dogs and sheep worrying. But as I don’t visit Northern Ireland very often, I’m really not sure whether its enforcement is currently considered a priority – or whether anyone actually bothers to license their dogs anyway.

Perhaps one of the greatest services performed for the ICO were the old registration scams, where various companies would set up and advertise the requirement to register – and offer a registration “consultancy service” to help people fill in the registration forms – at a significant fee, of course. They probably charged far more than the £35 registration fee for their assistance – but it must have been useful for the teams in Wilmslow to receive boxes of these registration papers, as that would have generated a very healthy income stream. Where is the income stream now, as regulatory action against these “consultancy services” (or cons) has stemmed the flow of new business.

Do I see ICO registration campaigns anywhere, like the TV license fee detection campaigns? Do I see ICO detection vans driving around the country, with its antenna sniffing out unregistered data controllers? I do not.

So how will the ICO manage to deliver on its new mission then? Its new fining powers will simply fill Treasury coffers, as unlike the Spanish Data Protection authority, they won’t get to keep any of the money they manage to get from the miscreants. These hard economic times will continue to reduce the flow of start up companies, and so I suppose the ICO is only left with planting media stories about the horrific consequences of the failure to register. I can’t see it featuring as a main storyline on Eastenders or Coronation Street, though.

The battle lines will be drawn. Will the ICO win through, by publicising the existence of the requirement, and persuading the relevant parties to part with their £35 each year, or will it go the same way as the dog license?

Or will the demise of the registration scheme lead a cunning plan for funding the ICO which will be as clumsy as the Dangerous Dogs Act, which was introduced in 1991, just 4 years after the abolition of registration? Registration didn’t address the problem of dangerous dogs. Nor did the Dangerous Dogs Act, for that matter.

If data controllers are to truly value the ICO, I would presume that it would greatly help if the registration fees they will be expected to pay will at least exceed the administrative costs of dealing with an annual demand for £35.

If I were the relevant bod at the Ministry of Justice, I would recommend that the standard fee be raised to £50 with immediate effect. The fee has remained constant since 1998. Unlike any other bill I have to pay. Otherwise, I do fear it will suffer the same fate as the dog licence did.

Friday 5 March 2010

Yet another drink in the “Last Chance” saloon ...

I’m sure that if there wasn’t an election in the offing, politicians of all hues would be falling over themselves to condemn various elements of the gutter press – and the editors of a few broadsheets, for their disgraceful behaviour recently.

What do I mean?

Well, I’ve recently become much more informed about the current lifestyles of (both) the killers of Jamie Bulger, a 10 year old who was snatched the Strand shopping centre in Bootle, Merseyside in 1993. Despite the strictest press curbs, which ought to have prevented me from learning anything new about those who were convicted of the offence, I now know a considerable amount about their current lifestyles. One of them has apparently been back in prison after breaching the conditions of his freedom, while the other has apparently committed no further offence since his release – and yet the media are still printing stories about both of them.

If there ever were a reason for an internet censor to say “stop now," surely this is it.

And yet the decision to place so much information in the public domain can only have been made by journalists who had consulted some of the finest (and probably most expensive) legal minds in the country. They must feel that, so long as they make no technical breach by positively identifying either of the two individuals, it must be all right. Yet I’m sure that the information which has been placed in the public domain has been sufficient to identify both – perhaps not only to their closest acquaintances, put possibly to a larger group of people who, with this additional information, have put two and two together and have arrived at the correct conclusion.

Can this be healthy? I don’t think so. While the killer whose behaviour has caused him to be rearrested may be more deserving of harsh treatment following his return to prison I see no reason at all why I should know anything about the other killer.

And I feel quite sick that I live in a country whose media barons appear to try every trick in the book to feed me with information about them. I want it to stop. Media stories aren’t treated like chip paper, as they were when the offences were committed. They don't disappear from public view the following day. Thanks to the internet, iconic images such as the one I’ve published will never die away, and nor will the gruesome details of not only the crime but also the newly released details of the lifestyles of the offenders.

We used to be able to rely on the provisions of the Rehabilitation of Offenders Act to erase some of our former transgressions. Perhaps the internet has prohibited us from being able to erase even the most minor of those transgressions for good. But it’s not good. It’s evil – just as evil as the journalists who are trying to rake up information that really ought to be ignored.

What price privacy for those who have served their sentence and are trying to rebuild their lives?

And when will anyone have the courage to put the media barons back into their boxes?

Monday 1 March 2010

What does it take to become a hereditory Peer?

I was chatting away to (the current) Lord Selsdon (born Malcolm McEacharn Mitchell-Thomson) after the BigBrotherWatch bash last week, and then had a quick squint at his Wikipedia entry to learn a little more about him, in order that I could understand just how, having inherited his title, he has been trusted to become one of the nation’s legislators.

I did this because I was so intrigued by his closing remarks during the Second Reading of his Powers of Entry Bill in the House of Lords on 15 January: My father spent his life motor-racing and died at a young age. He always said, "You must never run out of petrol and you mustn't ever get stuck in the mud or snow". And his closing call to those attending the House of Lords debate indicated that he was determined to steer his Bill through Parlaiment: “Finally, I should just like to advise your Lordships that it is very important to have a starting handle. If you do get stuck in mud or snow you should always have a starting handle. The reverse gear in a car is the slowest gear. So you take the plugs out of your car, you put in the starting handle and you turn it in reverse gear, and you will get yourself out of any snow or any other mess. But on this particular project I do not have a reverse gear, so we will go on going forward.”

Just what sort of man is he, I thought to myself, and what did you (well, what did your your ancestors) have to do to get into the House of Lords in the first place?

It appears that his grandfather who was a very distinguished politician, serving as Chief Civil Commissioner during the General Strike of 1926, and who was subsequently given a hereditary peerage. (Life peerages just didn’t exist back in 1932). That Lord Selson then chaired the committee which enquired into the viability of setting up a public television service. So, he became one of the founders of the BBC, and appeared on the first day of BBC television broadcasts, on 2 November 1936, in his new capacity as Chairman of the Television Advisory Committee.

I’ve done some digging and have found an image of the first Lord Selsdon at the opening ceremony at Alexandra Palace, which can be seen from the top of my road. The text accompanying the photo, describing the event, uses the sort of language that can surely only be heard these days in the House of Lords: “Lord Selsdon, judicial chairman of the Government's television committee, the Post Master General, and the chairman of the BBC governors were joined by Adele Dixon, singing, and by a coloured pair known as Buck and Bubbles, dancing. But viewers possibly had better entertainment from the second edition of "Picture Page" which followed the ceremony, and introduced them to airman Jim Mollison, Miss Kay Stammers, Algernon Blackwood, a pearly king and queen from Blackfriars, and -for their first off-duty appearance- Elizabeth Cowell and Jasmine Bligh, the announcers.” If you want more of this priceless stuff, point your browser at

Anyway, back to the history lesson. Following his death in 1938, the peerage was transferred to the second Lord Selson, whose main claim to fame was as a racing driver. With co-driver Luigi Chinetti , he won the 24 hours Le Mans race in 1949. In 1963 the peerage passed to this current Lord Selsdon, who has spent much of his working life in the financial services sector.

So perhaps all I need to do to be created the “Count of Crouch End” is to have a grandfather who founded the BBC and a father who was a Le Mans winner. Not much to ask for ... but perhaps I ought not hold my breath. My father and grandfathers had a naval background. They didn’t found a single broadcaster between them, nor did they ever drive racing cars. I won’t make it through patrimony. Fortunately, not many others make it simply by inheriting such privileges these days, either.

... As an afterthought, I’ve just stumbled across one other person who is likely to preferred by patrimony thanks to a father with a motor racing background and a grandfather with political associations. This one is Michael Thatcher, who celebrated his 21st birthday yesterday. Michael is heir apparent to the honour currently conferred on his father, the 2nd Baronet Mark Thatcher, who achieved some notoriety when getting lost in the Sahara desert during the Paris – Dakar rally in January 1982. Mark Thatcher has also been asociated with other stuff, but I don't intend to refer to that here. Michael’s grandfather is Denis Thatcher, husband of Margaret Thatcher, who served as British Prime Minister between 1979 and 1990, and who was awarded the original hereditary peerage. Does Michael, like Malcolm, deserve a place in the House of Lords simply because his ancestors were associated with politics and fast cars? You decide.