Wednesday 22 December 2010

Perhaps the dead deserve privacy rights after all

I’ve just read some really disturbing remarks which have been made by a police investigator who surely can’t be one of the brightest of the bunch. This person must have been authorised by someone more senior to have released such really sensitive personal information, but I really wonder whether these blokes in blue truly appreciate the way these stories are likely to hurt many of the innocent victims of personal tragedies.

What am I on about?

I’m referring to stories about the private life of a public servant who was found dead in his flat in August. The press were interested because the public servant was an intelligence officer, and the circumstances of his death were extremely unusual. His body was found in a locked holdall, and investigators were convinced that someone else had been involved in putting him into the bag. But they have not found that person (or people) yet.

From the intensive investigations that appear to have been carried out, there seems to be no reason to suggest that his death was connected to his former profession. There is no evidence of murder. He was on leave when the incident occurred, so whatever he was doing, it was in his own time, with his own money, and on his own terms. And without the intervention of any drugs or alcohol.

So why should the investigators feel that they can be so free with the details that have been unearthed over the past four months? While we know very little about what he did when he was actually at work, the police have released huge amounts of information which have enabled journalists to report on many other aspects of his private life. Details have emerged about his lifestyle in London and Cheltenham, his phone use and internet browsing activity, his shopping and social habits, and even his recent participation in educational courses at Central St Martin’s College, in Clerkenwell.

If similarly titilating details about his working life has been leaked, I'm sure that Detective Chief Inspector Jackie Sebire, who is leading the enquiry, would have been demoted to the rank of Dog Poo Inspector by now.

What rights have the police to feel that they can release such information about his personal life? Have they discussed their plans with the family and colleagues of the deceased? Do they care about how they feel? Or is this all just part of some cozy deal with the press to boast about their investigatory prowess? I really wonder if the media interest would have been of the same hysterical degree if the deceased were to have been a middle aged oil worker living in Aberdeen rather than a young intelligence officer living in Central London.

I, for one, am not at all interested in the personal circumstances of this public servant. But, if I came from a closely knit family, I would feel absolutely humiliated and appalled each time more information about this tragic incident reached the public domain. This public servant is not “public property”. He is part of a family, who love and who grieve for him, and who probably have to start the grieving process almost afresh each time more information (however trivial or true) hits the public domain. When will it end? With the coroner’s inquest, which is due to be held next February? I think not. He may well have been an intensively private person. But surely this does not give anyone the right to assume that, just because he has died, his privacy should be respected any less.

A good friend of mine still grieves each time the press print more details of their relative’s involvement in the tragic events of July 2005. In that incident, fifty-two people in addition to the four bombers were killed, and around 700 were injured.

And, thanks to the internet, this stuff simply won’t go away. These memories, half-truths and experiences, remain stubbornly accessible – and they continue be used by journalists and bloggers to generate media headlines that care not a jot about the effect the news will, yet again, have on those relatives who have been so awfully affected before.

Perhaps the French have had it right all along, affording privacy rights to the recently deceased, partly as a mark of respect to the dignity of those who remain alive. All we seem to have done is create rights for media and investigators to conspire to keep lurid stories in the media.

Stories which do little but embarrass and hurt decent people whose only sin is to have loved or to have been closely associated with one of the victims of this tragedy.


Sunday 19 December 2010

Merry Christmas

So, with the ICO's clock striking quarter past ten -
It's time for my warmest seasonal greetings, then!

Friday 17 December 2010

Support your local ICO

As I browsed through the racks of charitable Xmas cards recently, I wondered why it is that other deserving causes don’t raise money in this way. If public authorities are really facing the financial cosh, then perhaps they’ll be soon employing fundraising officers as well as audit teams.

And then I read the minutes of some recent management meetings held at the Information Commissioner’s Office, and I began to appreciate just how the new budgetary restrictions were likely to hit them.

Take the minutes of the Executive Team's meeting, held on 2 November, for example. This team is responsible for office-wide leadership, articulation of operational policies and ensuring the office is effectively and efficiently managed. Particular areas of responsibility include primary oversight of the ICO's activities, such as development of the Corporate and Business Plans. Heady stuff. What it considers must be significant, then. It noted that a further in-year reduction in grant in aid (for the ICO’s freedom of information work) had been requested by the Ministry of Justice.

Next, the participants considered a couple of issues arising from the Joint Committee meeting with trade union representatives of the 26 October. In particular it was noted that union feedback on plans to withdraw free teabags and milk had been negative but ET considered that these needed to go ahead. In addition there were concerns about the ICO exploring the possibility of charging staff for car parking. This investigative work would go ahead informed by the survey recently launched as part of a travel plan exercise. Decisions had not actually been made on whether to charge or not.

I get free hot beverages from vending machines at work, so I do appreciate the concern that such facilities are not also available to the ICO’s staff. And, as a child of an era before Margaret Thatcher removed it, I also remember drinking (but not necessarily enjoying) my free school milk. Oh, I also get free car parking too. And I would also be pretty miffed if this perk were to be removed without any corresponding increase in salary.

The next item for consideration by the Executive Team raised a smile on my face. Clarification had been sought on the listening to music by staff whilst at work. ET agreed that listening to music was acceptable if it helped staff work better and so long as it did not disturb other staff and was not inappropriate to their work (for example they were not working on a helpline). I must admit that I don’t mind listening to my own music, but other people’s musical tastes can really grate – and really interfere with my thought process. When I’m paid to think, I don’t want to be distracted by sounds I can’t control.

The real scale of the ICO’s budget challenges arise from the minutes of the Executive Team meeting held on 15 November. The Commissioner had agreed a revised paper on budgets which superseded the original financial report. The new paper highlighted that the ICO had been asked for in-year grant in aid savings of originally £160k, and now for a further £170k. This 6% overall reduction in grant in aid had a large impact on the ability of the ICO to deliver its freedom of information work this year, especially as it came late in the financial year and was hence difficult to absorb. Further reductions would be even more difficult, if impossible, to absorb.

To make the full saving it was essential that all staffing changes and recruitment decisions were agreed by Finance before coming to Executive Team, and that once agreed all offers and start dates were also agreed by Finance.

In addition it was agreed that the agency staff budget would remain as is. Other options to reduce freedom of information spend this year could be looked at if needed, in particular the need for a new handrail in Wycliffe House would be raised with the Director of Organisational Development.

Given the difficulty in making the asked for saving the need for accuracy in the apportionment model was essential. Care was needed to ensure that data protection expenditure was not wrongly attributed to freedom of information.

Data protection expenditure was also looked at. The Operations Director reported that bringing the distribution of certain notification documentation in-house was actively being considered. There was also overtime for data protection casework planned, and the possibility of starting recruitment for the new audit team.

So, what should I take from this?

Well, that the Freedom of Information teams are likely to groan under the pressure of an increasing workload and less resource. We need to ensure that not too much “Data Protection money” ends up being spent on stuff that looks awfully like FOI. Perhaps people who are skilled in both areas will end up working for FOI for, say, 50% of the time in practice, despite, say, 80% of their salary being allocated from the Data Protection pot. Just how the ICO will achieve its current vision will be interesting. Do you remember what the ICO’s corporate plan states?

By 2012 we will be recognised by our stakeholders as the authoritative arbiter of information rights, delivering high-quality, relevant and timely outcomes, responsive and outward-looking in our approach, and with committed and high performing staff – a model of good regulation, and a great place to work and develop.

It’s a great corporate plan and full of exciting ideas. Let’s hope that the current – and continuing budget restrictions don’t impede its implementation to a significant extent.

Now please remember - when next visiting Wycliffe House - take your own milk and teabags, and don't mention the handrail.



Sunday 12 December 2010

Advising within a huge arc of legal uncertainty

Stewart Room was on great form, addressing a group of Data Protection Managers at the offices of Field Fisher Waterhouse last Thursday. The conference organisers had certainly saved the best till last. His climactic address to the assembled throng of went down extremely well. As did a couple of measures of gin & tonic at a local hostelry immediately after the event.

And, once the alcohol had started to really clear my thoughts, I fell into a deep discussion with some of the conference stragglers at the drinks session. It was about the role that professional legal advisors can play when clients consider their options over tricky data protection issues. Do we clients have a problem in that we often ask these advisors the wrong question?

What I mean by this is that some Data Protection Managers are required to deal with queries quite beyond which they feel equipped. But does it help, or complicate matters, when an external advisor is engaged?

I have felt sorry for the poor bloody advisor, as they struggle to understand what it is that the client actually wants. As the Legal Manager for the Association of British Insurers a couple of decades ago, I was occasionally asked by members of its Data Protection Panel to seek advice on a particular point. I would explain to a trusted external advisor what the situation was, what sort of advice it was that I required, and that I would go elsewhere and seek other advice if the answer they gave me was not the one I needed to pay to hear. These clear, transparent, instructions worked extremely well. Closely knit teams were forged, with likeminded folk sharing the same vision, passion and prejudices. And sharing drinks, evening meals, and trips to Doncaster races. And, eventually, sharing car journeys to attend the funerals of those we had so greatly loved and respected. I still miss you so much, Shelagh.

What’s brought this on? Well, Stewart used a wonderful phrase in his session last Thursday. He spoke about Data Protection Managers needing to advise and support their business about issues that lay within a huge arc of legal uncertainty.

Significant areas of the law simply aren’t fit for modern day purposes. So, every day, we need to appreciate which bit of the law we are going to ignore - just in order that we can get the day job done. Or we need to appreciate which bit of the law we are going to interpret in a certain way today. It’s not like tax law, where you generally know where you stand. As I earn, some tax professional or other is always able to offer, with a considerable measure of confidence, advice on precisely how much of my income is going to be transferred from my control and off into the hands of Treasury coffers.

Established data protection law is far less precise than that – where it actually exists, that is. It’s not quite reached the level of mere bluster and bravado. That’s for the real charlatans. But, in our every day jobs, we often have to forget about relying on detailed facts and legal presidents (unless you actually want to have to bother about the minutia of, say, legitimising transborder data flows). I mean, we still don’t have settled views law about what the law is actually about. Has any court in the land entered the fray about whether an Internet Protocol Addresses is personal data? Or whether consent which is not “freely give, specific and informed” is really of any lesser quality than the other ways in which it can be assumed that consent has been provided?

Come on, if the tax lawyers are focussing on issues that face those who concern just those at the very summit of taxation law, what sympathy must they feel about their data protection colleagues, who are still scrambling around at base camp level?

What it means, I think, is that Data Protection Managers need to consider themselves as wading chest deep in the business of the management of risk. We are not talking about certainty here, we are talking about levels of confidence. Is the process we are considering sufficiently transparent. Or simple? Or harmless to the individual? How much information really does need to be retained to provide the service efficiently? Are we creating a service that meets the legitimate aspirations of the individual? Did they know we were going to do that? (Or that anyone else was?)

I think that questions such as these can only be met when the business has a clear appreciation of its own integrity and attitude to risk. There’s no point asking a lawyer for “information” about something as vague as data protection law if the lawyer has no appreciation of the degree of risk that the business likes to operate within. Experienced musicians are not engaged to join orchestras for particular concerts unless it’s abundantly clear what music will be played, and which score will be used. In our own sweet way, we experienced data protection professionals can all develop programmes that are tailored to meet the risk profile of their business – but surely only when the business knows what risk profile it wants.

So, professional data protection advisors may well waste lots of their time unless they get the basic question out of the way first. This is “How close do you like to sail to the wind?” Once that answer is known, the rest quite neatly falls into place.

I’m not interested in asking (or paying) for “information about the legal risks” if it means that I’ll receive a thick sheaf of documents which offer finely balanced arguments about the pros and cons of different approaches. In my experience, people working for units within a business don’t really want to know what the law is or what it might be. They want to be told what to do. In a couple of paragraphs, and in words that Homer Simpson, not Albert Einstein, can understand. And I can only tell them what to do when I’m confident that my advice has been calibrated to the degree of risk that the business is prepared to run.

So, if you ever want to work with me, please come armed with a high level of emotional intelligence. And representing a business with a settled sense of its own ethical standards.


Saturday 11 December 2010

... Or the one about the current Information Commissioner and Chris Pounder?

The following day I was off to hear the current Information Commissioner, Christopher Graham address the Data Protection Forum. You should have been there – he followed Dr Chris Pounder to the podium, and delivered an impassioned rebuttal about the gentle ribbing he had received at the hands of this particular data protection giant. Chris tells me that he’s thinking about retiring in 5 years time (probably well before the next Data Protection Directive is in force), so fight to buy your tickets to his events now. His farewell tour will be pretty spectacular. His knowledge of data protection law and the culture of privacy will not easily be replaced.

But I digress.

Christopher Graham made a number of interesting points in his presentation, which explained his vision of the role the ICO would play over the next few years. He began by setting the cultural scene, pointing to a significant shift which few are only now beginning to appreciate, and which the rest of us will latch onto with a vengeance in the coming months.

The issue is one of surveillance and who is carrying it out. Christopher’s thesis was that, previously, citizens have been concerned at the activities of the State. Think about CCTV cameras, the Regulation of Investigatory Powers Act, the Interception Modernisation Programme, GCHQ’s “Mastering the Internet” initiative, the ContactPoint database about all children, the DNA Database, the NHS spine and the information retained for long periods on the Police National Computer. These were all examples of the State developing tools to monitor its citizens. Privacy International and the rest didn’t like it very much. They asked obvious questions, such as “what’s the benefit to society? and what are the safeguards against misuse?” They were not overly impressed with the replies. But there was not much they could do about it. When the State is a monopoly provider of services, it’s not that easy to boycott them.

The interesting development over the recent months has been the transition of public awareness (to be followed by some public concern) to the surveillance activities which are carried out by private companies. And these databases, being global in nature, are significantly larger than some of the national databases I’ve already referred to. Think about behavioural advertising, Google’s Satellite and Streetview service, the data retention obligations that may fall on providers such as Yahoo, Amazon, Facebook, Gmail and the rest. And we don’t see much of an equivalent array of controls (such as those contained in the Regulation of Investigatory Powers Act to monitor the behaviour of these private activities. Where are the equivalents to the Surveillance Commissioners, with experience, audit powers and real sanctions? Is this role adequately addressed by the Privacy Regulators around the world? Why did I bother typing the last sentence?

What interests me is the role that Privacy International and the rest will play in issues relating to the privatisation of the surveillance state, either in stoking up public concern (as, say, they did in the Phorm debate), or in playing a role to reassure citizens that some of these public companies can be trusted to respect the legitimate expectations of people whose records remain in their databases. To a large extent, these companies are not monopoly providers of services (not quite, anyway), so presumably a well organised public boycott would swiftly bring about changes. It didn't take thet many people to crush Phorm. Only a few days ago my nephew told me about the tsunami of change that had recently occurred on Facebook – with people changing their main image to that of their favourite character from their childhood, as a way of identifying themselves with a topical children's campaign.

Is briefly changing your Facebook image the equivalent of wearing a red ribbon to mark World AIDS Day? I think it is. Will this craze catch on next year, perhaps with a special icon for Children in Need?, or for Help for Heroes?, or for imprisoned Nobel Peace Prize Laureates? Again, I think it might.

So, where does this leave us data protection professionals? With jobs for a long, long, time, I guess. As we seek to explain to colleagues within private companies that the “new, innovative, exciting, sticky” (but oh, so slightly intrusive) services they are creating can only work within a culture of transparency and respect for people who don’t want to participate in these new services. Well, they don’t want to participate just yet, anyway. They may come round to it in the end, but we must not be so presumptive as to believe that the citizens of this world will instinctively share the vision of the geeks who try to earn money by exploiting the links they perceive exist between people and commercial services.

As Ken Dodd used to say, “We have to woo our audiences. We can’t just expect them to like us.”


Tuesday 7 December 2010

Have you heard the one about the former Information Commissioner and the accountants?

Last night, former Information Commissioner Richard Thomas delivered the annual lecture to the IT Faculty of the Institute of Chartered Accountants in England & Wales. “Private Lives in a Database World”. Strong stuff – and greatly appreciated by the invited guests. As was the dinner, held afterwards. Can it really be eight years since he took over from Elizabeth France? Well, yes it can. And since that day, when he could remember the ICO in Wilmslow as having just one personal computer that was linked to the internet – and thus to the outside world - things have changed hugely.

A couple of points really stood out from his very thoughtful speech. And I’ve reinterpreted them, giving my own gloss on what those remarks meant to me.

First, in an area where technological advances are developing faster than even the geeks at Google can keep up, we have to be wary of legislators and regulators imposing their views on society. The old privacy controls weren’t designed to deal with the way we presently interact with each other. We have to recognise that social norms are evolving ever faster, especially with regard to the internet, and “we” need to be careful of “them” imposing their values on “us”. There is a disconnect between the digital natives, to whom a laptop is the very lifeblood of one’s existence, and those of an older “mainframe generation” for whom computing is a useful, but not necessarily an essential, part of everyday living. There really is a generational divide out there. People under 30 are far more likely to appreciate the risks associated with poor data processing practices than people over 60.

Given half a chance, legislators will prescribe standards that are unrealistic, outmoded and dated. That’s all they know. So we, the great governed, must be wary of awaiting the imposition of regulations by an elite that reacts with less subtlety than one would normally prefer. Instead, we ought to engage with the legislators before it’s too late. Otherwise, we’ll end up with unenforceable laws that most people ignore, causing the more enlightened regulators nightmares when being told off for allowing sensible people to do what they think is right, rather than rigidly practising what the law prescribes.

If there were to be a single word that accurately reflected the most practical way forward, it would be “accountability”. This digital world has become far too complex, too interdependent and frankly, too global, for national regulators to really think they can regulate it by themselves. The most logical way forward is for the data controllers themselves to step up to the mark, and assumer a greater degree of responsibility for the processes which they themselves cause. It means that they need to face the red-hot anger of the victims when things go wrong. And it means that they will have to accept that, thanks to the internet, campaigns “against” a data controller can spread like wildfire, and cause real harm to that data controller. Let’s just hope that the mob rules with a degree of common sense, then.

Richard was equally passionate about the publication of the European Commission’s recent cunning plan to amend the general Data Protection Directive. It’s fair to assume that a great deal more work will be needed to whip this incoherent shopping list of proposals (my words, not his!) into a regulatory vehicle of which the Commission can be proud. Of course, the cunning plan contained some good ideas. Especially the proposals to replace the current registration scheme with a simpler notification scheme, the promotion of privacy impact assessments and the implementation of a “privacy by design approach”. And possibly the intention to improve and streamline the binding corporate rule concept as a means of legitimising data flows between group companies. And the idea to improve police & judicial co-operation was a worthy, but dull, proposal.

But, will an enhanced breach notification process bring any meaningful redress to victims? And will it reduce the volume or significance of data breaches in future? And what’s this “right to be forgotten”, if it’s not something about ensuring that proper data retention standards exist? And why nothing significant about recognising that global data flows do and will continue to exist and that they can’t be easily regulated? Even King Canute got that point (at least as it concerned tidal flows, rather than data flows) almost exactly one thousand years ago. Or have you heard the one about the EU drafting its own “standard” privacy notice for every controller to use? Or why hardly any mention of the new principle of adequacy?

Hmmmmmm. I sense that the poor official at the Commission who has been charged with getting this Directive “sorted” will be pulling his hair out with frustration at the difficulties inherent addressing the requirements of so many different stakeholder groups. And I believe it is just one Commission official. Or perhaps one and a half. You might have thought that something this significant might have a whole army of European Commission experts busting their guts somewhere in deepest European Commissionland. But no. They’ve obviously got more important stuff to get on with.

Will history repeat itself? I recall that the first version of the original Data Protection Directive was drafted by a German (Frau Una Ihnen). And such was the uproar (mostly from the direct marketing community) that the powers that be took it away from Una and gave it to a lady from France (Madame Marie Georges). The uproar turned into a wail of anguish. And finally, the EU’s rapporteur was a Brit (An politician eager to make his mark, Geoff Hoon). By which time people were getting pretty tired of the whole affair. What a slog that was. I wonder who has the energy to face up to the European Commission this time.

But, this time it’s really important that we get it right. It’s no longer just a division of opinions between some mild mannered academics and the odd firm of international lawyers, or ten. And the direct marketing community. This time the data controllers should be willing to engage as well. The data controllers want sensible regulation – and they sense that, this time, many of the regulators are very much on their side. Many of the regulators know what's wrong with the current regime. But they do have to do what he legislators tell them.

Now, whether the legislators really “get it”, however, is a moot point. I don’t have enough evidence to persuade me that they have “got it” yet – but there is time.


Saturday 4 December 2010

Data Protecting at the IAPP Congress

I had a useful opportunity earlier this week to quiz a bunch of regulators about the different ways they dealt with Google’s wifi affair. I was keen to understand whether there was much of a thirst to adopt a more joined-up approach to either future investigations, or about the penalties. Because of limited budgets, many regulators prioritise their efforts on certain sectors and activities. But are their priotities broadly similar?

The occasion was the first congress of the International Association of Privacy Processionals to be held outside the USA. As the Europeans put it, finally here was evidence that they were putting the I into the IAPP. A couple of hundred of the usual suspects met on January 29 & 30 at an impeccably chic location, Salons de la Maison des Arts at Metiers, just a few yards from the Eiffel Tower itself. Representative bodies included the International Chamber of Commerce (ICC), French Association of Data Protection Correspondents (AFCDP), Federation of European Direct Marketing Associations (FEDMA), German Association for Data Protection & Data Security (GDD), the UK Data Protection Forum, IAPP Canada and IAPP New Zealand.

David Smith, for the UK, answered me by making the point that while the EU Data Protection regulators met frequently under the auspices of the Article 29 Working Group, and discussed issues that were of mutual interest, a very significant amount of proactive regulatory work had to be planned with the domestic climate in mind. And, as regulators had been granted different powers in the different Member States, it was extremely hard to, say, develop a co-ordinated approach on sanctions. It's mainly about local cultures, political priorities and the legal framework. One colleague in the audience murmured to me “be careful about what you wish for”, hinting that if there were to be an EU-wide approach on sanctions, life might be considerable less comfortable for UK-based data controllers than it currently is. But, in circumstances when one controller had acted in the same manner in all relevant Member States, then it made sense for the Commissioners to appoint a “lead investigator” so that at least everyone could agree on the relevant facts.

Gary Davis, Deputy Irish Data Protection Commissioner, and Yann Padova, Secretary General of the CNIL (France)broadly agreed. There didn’t seem to be much of a domestic thirst for greater international co-ordination in matters such as these.

Artemi Rallo, from the Spanish Data Protection Authority however, was more candid in admitting that there was some room for improvement in the performance of the regulators in the Google Wifi affair. He accepted that many observers found it extremely difficult to understand why they had taken such significantly different positions. It was not their finest hour. I could sense he knew what it must have felt for a European operator like Google trying to provide services which customers in a significant number of countries were evidently enjoying, and seeking, and yet which local laws seemed determined to impede.

What lessons did I take away from this as far as aspirations for an enhanced European Data Protection Directive were concerned? Not many positive ones, I fear. While there may be a sense of frustration that some areas of the current law are unwieldy and not fit for purpose , I did not detect a thirst for harmonisation, if such harmonisation was at the price of lowering current local protections.

I sense that a lot of talk is going to happen. But I can't see too many eople actually wanting to listen - and modify their own views. The policy makers are going to love it, as everyone will be talking about stuff. But no-one will be giving way. Meetings will be held. Speeches will be made. And we'll all return home wondering what the point of it all really was.

To me, the fundamental issue is that data protection standards reflect cultural standards in particular countries. But there is no possibility of harmonising data protection standards unless the cultural standards are also harmonised. And, as I am determined not to lose the flexibility which comes from adopting pragmatic approaches to solving problems, I’m as likely to join the rules-based “if it’s not specifically allowed then it’s absolutely forbidden” brigade as I am to be a teenager again.