Sunday, 21 March 2010

What’s (really) the buzz then?

Those eagle-eyed data protection commentators might well have been slightly confused as they tried to glean any special meaning from the material that has just been released by the highest of the high priests of Data Protection.

Let me try to blow away this fog of mystery.

Over in Brussels, a document has just wafted in from on high. Last Wednesday the Article 29 Working Party, that conclave of privacy wonks, finally released an opinion on what it thinks really matters. The opinion? - Oh, it’s a document, which it actually agreed back on March 5, commenting on some tweaks to the “standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU.” Yep, it really rolls off the tongue. It’s important in that it discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing.

The clauses are quite important for the lawyers and the backroom boys, as they provide a legal basis for transferring personal data from the EU to data processors in other countries, and are often used in, for example, outsourcing contexts. Among the changes proposed is a new clause that for the first time would provide a legal framework for data transfers from one processor to another. This situation can occur, for example, when a data controller in the EU outsources the processing of personal data to a data processing company in the US, which in turn outsources the processing to a company in India. So far, European data protection law has been silent on the conditions under which such a transfer could be made between data processors.

Some of the other clauses proposed by the Working Party have been criticised as unrealistic and unworkable, such as requiring audits by data protection authorities in countries outside the EU, or requiring that the contract between the data processor and the sub-processor be governed by the law of the country of the data exporter in the EU. But this is only an opinion by the Article 29 Working Party. The final decision on the clauses (which is to be made by politicians following briefings from bureaucrats within the European Commission who naturally know less about data protection than the Working Party) is not expected for a few months.

And what guidance do we have from the People’s Republic of Wilmslow on this opinion? Er, not much actually. Or, putting it another way: none at all, actually. The ICO’s press machine has obviously been a bit distracted from these European developments, as it’s been publishing other stories. So I can only assume that these are more important.

The day before the opinion was agreed in Brussels, Christopher Graham took the opportunity to speak at the DMA Conference and announce the publication of updated guidance for political parties and candidates covering a range of communication techniques including direct mail, emails, text messages, phone calling and automated phone calls. The guidance applies to direct marketing in campaigning, such as encouraging individuals to vote for a particular party or candidate, appeals for funds and support for a campaign.

And the next statement to be published by the Press office appeared last Wednesday – but not about the Article 29 Working Party’s opinion. What was more important than this piece of work? Why, the news that the Royal London Mutual Insurance Society breached the Data Protection Act after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. Michael Yardley, Group Chief Executive Officer of the company, has now signed an official Undertaking to ensure that portable and mobile devices including laptops are encrypted.

Naughty, naughty.

But at least we know where the Commissioner’s priorities lie. In essence, don’t worry too much about the opinions of the learned Article 29 wonks about words in obscure contracts that no-one really reads. Instead, stick to the knitting. And that means that we should all try our best to ensure that:

• Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent.
• Appropriate physical security measures are taken to prevent unauthorised access to personal data;
• All staff are made aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;
• And also, if you get caught, implement such other security measures as the Commissioner deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.