Sunday 18 December 2011

The Subject Access Request Xmas Ditty

It’s that time of the year when we can let our guard down a little and enjoy awful puns and think more about the lighter side of life.

Data protecting can be a depressing game if you let it, as all we data protection folk seem to see these days are the bad news stories. It’s not that easy to find shining examples of things going right.

And I’m sure that plenty of things are going right. Indeed, I like to think that there is far more going right than is actually going wrong. When measured against the vast majority of things that do go right, I hope that these bad incidents will be seen, in proportion and significance, as just as important as a pimple on an elephant’s bottom.

Let’s accentuate the positive, for once, and not just focus on the negative. I’m a glass half full man, not a glass half empty one.

Anyway, with that in mind, may I offer seasonal greetings to all my readers, and send my very best wishes for what’s likely to be a really busy New Year.

A is for Aaaaaaaaaagh, when I read today’s email
From that blighter of a customer who’s threatening me with jail

Deaf to my protestations that we haven’t kept any
Hold on – he’s still writing, claiming there are many

Of his facts and opinions, information galore
Lurking unnoticed in our digital store:

Go and hunt for it and now, or Mistress Justice will play her part
In stringing you up by the knackers, until you look less smart

“Let this be a lesson, from a man who’s never wrong
About how you should observe a personal information ding dong”

[Later, after the ICO investigation]

Quelle surprise, it’s really simple, and according to tradition
It seems I’ve shown him all that’s in the statutory definition

There’s no need to sign any undertakings, victory is in sight,
Wilmslow says “happy Xmas! this yokel of a zealot is wrong and you’re really right.”


Saturday 17 December 2011

What is the Commission really trying to achieve?

I’ve been very quiet this week as I’ve been trying to get to grips with a number of very different issues, all of which demand some pretty intensive focus and all of which have resulted in my needing to ask the same basic question. This question related not to the immediate and intimate details of each problem, but to the bigger issue – ie what was it that the client actually wanted to achieve?

It’s the same with the leaked proposals for a new legislative framework – many of my legal and data protection friends have been poring over the leaked text, and have been producing ever more detailed analyses of the proposals. Many of them must be rubbing their hands with glee. After all, given such a complicated set of proposals, what self-respecting data controller could now not afford to pay heavily to ensure that they were moving to a state of compliance? As for data protection officers, well, they have a job for life – so long as all they want to do is turn into an auditor and enter an environment where the ticked box is king.

But I didn’t enter the data protection world just to tick a series of boxes. To me, fairness and transparency are qualitative concepts, not quantitative concepts. I love music, not mathematics.

My main problem with the proposals (yes, having read them, not just having read summaries of them) is that I really don’t fully understand the background narrative. Before we all get too bogged down in the detail, I want to have the bigger picture much clearer in my mind. After all, the very detailed proposals contained in the text (and to be further particularised in legal instruments to be created by the newly formed European Data Protection Board) have to be assessed in terms of the sort of society that the European Commission feels its citizens should live in.

And this is where I feel lost, as I simply don’t understand the Commission’s vision of how this society will look and feel. I fear that bad things will come from an over-centralised, distant, powerful body, like the Commission or a European Data Protection Board. My heart tells me that this body will be staffed with people who care and who are just as honourable and decent as the friends I like to associate with. But my head tells me that it’s always possible that it will be perceived as an unloving, disengaged institution that fails to take sufficient time to show its stakeholders just how much it cares.

Perhaps, just as Mr Putin must today be fearing that a Russian Spring does not have similar outcomes to the recent Arab and African Springs.

But, back to the plot. The more I get lost in the detail of the draft proposal, the more I forget what the answers to the most basic questions ought to be.

They include:
• What is to be the role of the state and of public institutions in holding information about people it is responsible for, or accountable to? When can these people exert a “right to be let alone” from the state (if at all)?
• What rights are data controllers to have, if they are not to be allowed rights that are equivalent to that of individual people?
• How can we expect society to function under a regime of extremely complicated data protection rules that will be ignored by huge numbers of citizens and controllers? Can this really be termed effective government? Is this a desirable outcome to the process?
• In quantitative and qualitative terms, what will the benefits to society be if these rules were to be fully implemented? Are the costs that will be imposed on all stakeholders fully commensurate with the perceived benefits?
• How will local practices and cultures be respected, given the fact that the overwhelming majority of data controllers are likely to provide services to a very restricted (in terms of geographic reach or social mix) set of customers?

I’m sorry that this blog makes such heavy reading as we're getting focused on the forthcoming holiday season. But that’s what happens when we only see half the story – what’s been leaked is really the roadmap to “Data Protection Nirvana”, not a proper description of what this Nirvana actually is, nor an explanation of what we will feel when we actually get there.

So where do we go from here?

I suspect that many people will disengage themselves from the process that will roll on for the next few years, as groups of people earnestly huddle together and try to build political alliances that will leverage changes to the texts that we see before us. I expect the campaign of attrition to continue for a few years, as ever more weary teams of negotiators try to keep their political masters interested in the tedious minutiae of the subject.

But I also wonder, in practical terms, how this initiative is ever going to be passed, given the huge emotion that will be built up by stakeholders from all sides of the debate. If I were an MEP, I would want an easy ride, to be honest. I would not want to be too personally involved in a controversial legislative proposal, as I would expect to be vilified and abused as a result of being associated with it. I would expect my own character to be called into question, and for vested interests to do whatever they considered necessary to further their own objectives. So I would not want to be the Rapporteur or a committee member, or have my fingerprints anywhere near it. MEPs go to the European Parliament to do good, not to find themselves on the wrong side of a set of very public attacks.

I heard European Commissioner Viviane Reding speaking a few weeks ago, in Paris, describing a late Christmas present that the Commission will be delivering to the European Parliament. If this is it, then it’s some present.


Sunday 11 December 2011

How do the Commission’s proposals square with its Impact Assessment?

I’ve recently learnt that fellow blogger Markus Kastelitz read my posting about the Commission’s impact assessment on the data protection reform (published on 8 October), and tried to get a copy from the Commission.

A couple of weeks ago, he received a letter from the Director-General, Ms Le Bail, of the Directorate-General Justice of the European Commission refusing the request. The explanation was as follows: “First, I have to clarify that the Commission has not yet issued any staff working document on the impact assessment for the future EU legal framework. Even though, the impact assessment document we possess has not been disclosed yet. The document is covered by one of the exceptions provided for by the policy relating to access to documents and therefore it cannot be made available to you. The exception which applies to the document you requested is that laid out in Article 4 (3) of the above-mentioned Regulation (...) In the case of your request, granting access to the said document would prejudice the ongoing intra-Commission decision-making process on the future data protection regulatory framework. Access to this document may be granted once the decision-making process on this matter is completed. (...)”

That, of course, was before the current draft proposals (let’s call them “Version 56”) were leaked onto the internet. I’m not sure whether this changes anything – but it might. How much more prejudice can publication of that document now cause to the ongoing consultation, since the text of the document containing the actual proposals is so readily available on the internet?

Back in October I described three quite detailed options that the Commission was considering, to make the changes it thought appropriate. I also explained that the Commission had analysed the impacts of these options. The analysis included an appreciation of how well each option addresses the problems that were originally identified, their political feasibility / acceptability by stakeholders, financial & economic impacts, social impacts, impact on fundamental rights and their impact on simplification.

It appears to me that the authors of Version 56 have basically gone for the option which the Commission considers has a low risk of political feasibility / acceptability: this option would be too unbalanced as it would highly strengthen data subject rights but at great costs for data controllers. Most stakeholders would find it too radical.

Now, I have not heard of any Commission attempts to take down Version 56 from the internet – so perhaps the ground is shifting. Oh, the power of publishing information on the internet. Long gone are the days when all Governments had to worry about were what was published by newspaper barons. But I wonder how Governments will manage, in future, to discuss sensitive issues. What new communications technology will they use which prevents the average internet user from finding out what they are up to?

Perhaps they’ll start to communicate via Blackberry Messenger – after all, if the security of BBM is hard for national authorities to break when the great unwashed are indulging in a spate of rioting, it could also prevent us oiks from learning what the Commission is up to when the Commission wants to keep something quiet.

What I had not expected was a Regulation for the oiks and a Directive to take care of issues relating to police and criminal justice. Given the ever increasing co-operation between the (state) law enforcement regime and the (private) security and anti-fraud networks, it really ought to be possible for both groups to operate using broadly equivalent rules. Given the ever increasing privatisation of the administration of law and order, it would be a shame if state actors were to enjoy significantly greater freedoms should equivalent responsibilities be devolved to actors in the private sphere.

Let’s see if the next draft of a new regulatory framework, to be released sometime next year, will be more balanced and less radical.



Saturday 10 December 2011

Save us from a secretive Data Protection Board

We’ve all had a good laugh at some of the Commission’s proposals contained in the infamous “Version 56” – the document recently leaked on the internet which is currently being reviewed within the Commission before a (presumably heavily) revised version of its proposals for a new legal framework is unveiled sometime next year.

My favourite bit is the part of the text which tries to create more effective co-ordination between the data protection supervisors of each Member State (and of course the European Data Protection Supervisor). The Article 29 Working Party is to be rebranded as the European Data Protection Board.

It is either to be chaired, or have as one of its 2 deputy chairs, the European Data Protection Supervisor. Its secretariat will be co-located with that of the European Data Protection Supervisor. It is to act independently and arrive at decisions by a simple majority of its members. Board discussions are to be confidential, as are documents and papers submitted to the Board. Similarly, all experts and others who support the Board are to have confidentiality requirements imposed on them.

So much for freedom of information and our own Government’s transparency agenda.

My next favourite bit is the proposal that its decisions, recommendations, guidelines and best practice notes are to have greater weight than before.

Currently, of course, the Article 29 Working Party issues opinions – and many of us are grateful for that as that is all they are. I’m happy to listen to anyone’s opinion, so long as they don’t always expect me to act in accordance with it. Let’s be honest, how many of the opinions that have been adopted by the Article 29 Working Party are on our “memorise” list? I find that too many of them are written in language that is quite difficult to understand, over long, and very hard to engage with. At least I can ignore the more tedious stuff.

But, please, spare us data protection officials from feeling that we may be more formally bound by standards or systems that will emerge from these new documents. Is there to be any political accountability on the part of the Data Protection Board – or a means of appeal when data controllers feel that this body has simply got it wrong?

Will we have to wait for decisions to be made in secret and then just unconditionally accept, in some sense of Papal infallibility, the correctness of this decision?

Please help us.

We all enjoy hearing about some of the personal characteristics of the current crop of Data Protection Supervisors, and to some extent we can forgive their foibles, after all they are only human. But what happens when their views start to radically diverge from the “norm”?

This was the thought that occurred to me last night, as I was enjoying the sensational new musical Matilda in London. One of the key figures is Miss Agatha Trunchbull, played by the outrageous & brilliant Bertie Carvel (pictured). A former Olympic hammer thrower, she is now the Principal of Crunchem Hall Elementary School. Surreal and psychotic, she utters the phrases “Children are maggots” and “You’re heading for the chokey” whenever she wants to cast terror into the hearts and minds of the pupils (and their teacher).

How might European data controllers prevent a latter day Miss Agatha Trunchbull from becoming Chairman of the European Data Protection Board and then running amok? How might they be able to stand up to her, as Matilda did last night, when they haven’t got special powers to change things? In terms that Roald Dahl would have appreciated, how might the data controllers manage to divert her attention, if they can’t slip a newt into her knickers?

Perhaps the only way to ensure that sanity prevails will be to ensure that someone like me gets to be elected its first Chairman. Well, if it’s a choice between me, Agatha Trunchbull or Edna Turnblad, I think I ought to win, hands down.

Articles 73-72 of Version 56
A musical version of Roald Dahl’s novel, Matilda: A Musical, written by Dennis Kelly and Tim Minchin and commissioned by the Royal Shakespeare Company, opened at the Cambridge Theatre on 24th November 2011, after a run the previous year in Stratford-upon-Avon.
Edna Turnblad is a character from the award winning film and musical Hairspray. Another larger-than-life individual, she also has a lot to teach her fellow citizens in terms of dignity and mutual respect.


Thursday 8 December 2011

The Interception of Communications Commissioner shows us his independence

In a visit that astonished and inspired many members of the Data Protection Forum last Tuesday, Sir Paul Kennedy, the Interception of Communications Commissioner, spoke about his role and, in discussing a few topical issues of the day, showed just how independent a person he actually is. Most of the members of the Forum had never met a retired Lord Justice of Appeal before – well they have now, and they can now better appreciate the care, discretion, dedication, humility and integrity that Sir Paul brings to the job.

The full text of his speech will shortly be loaded onto his website – which is the impressively named www.intelligence What a great title for a website. But I expect he won’t be sorry that he will have to relinquish it when his term of office ends.

The day had started with a minor calamity for the first speaker, the award-winning lawyer, barrister, blogger and tweeter Stewart Room. All the IT in the well equipped conference room could not open the PowerPoint presentation he had carefully prepared – so he played a blinder. In a masterly display of oratorical powers, he spoke without hesitation, repetition or deviation for 45 minutes on the interface between security and data protection. He quickly got everyone up to speed on the relevant issues, so they could better appreciate the world that Sir Paul regulated.

The final speaker of the day was Martin Smith of The Security Company. And yes, he blogs too. It’s obviously the new way of communicating to the masses. Whereas in the past, people would have polished off a pamphlet, got it printed and then sent around the coffee houses of London, these days we press a few buttons and, hurrah, our jottings have been published for the whole world to consume. Anyway, if you have not heard Martin Smith speak, then you are in for a treat. He certainly sympathised with the lot of the Data Protection Officer. It may not be sexy, and it may not be the job that attracts the greatest attention from the Board, but it’s certainly one of the really worthy ones. He had us eating out of his hands in minutes.

And what was also inspirational about the day was Sir Paul’s nomination of the beneficiary of another innovation the Forum tried last Tuesday – to hold a charitable raffle just before the Christmas lunch. He nominated the Charlie Waller Memorial Trust. The Trust was set up in 1998 in memory of a 28 year old professional who had committed suicide whilst suffering from depression. His family and friends formed the Trust to raise awareness of depression, reduce the stigma attached to seeking help and to ensure help was available when needed.

Charlie’s death had an impact which continues to affect those who knew him. Yet, Charlie’s case is not an isolated one. Each year around 1,760 young men commit suicide and a recent report from the Royal College of Psychiatrists highlighted the impact of stress and work pressures.

Stress and work pressures are both issues I have struggled with, as have people with whom I am and have been very close to. I’m so pleased to learn about this charity. And I’m honoured to recommend it to others who want their charitable donations to really make a difference.

Further reading: &sectionID=4&type=blog


Monday 5 December 2011

Whoops – jail time for non-registration?

Dan Worth, that excellent IT journalist from must have been kicking some poor copywriter last Friday. What a misleading headline: “Estate agent avoids jail time after breaching Data Protection Act” to accompany Dan’s article!

Dan was right to report that the miscreant was “given a six-months conditional discharge and ordered to pay £614 towards prosecution costs in a hearing at Caernarfon Magistrates' Court” for a Section 17 offence (ie failing to register with the ICO). But, failure to register is not a custodial matter. Surely, a custodial offence could only have been considered appropriate if the estate agent had beaten up the ICO’s inspectors with some old For Sale boards.

A conditional discharge simply means that the miscreant does not receive a punishment if they comply with certain rules (eg stay out of trouble) for a fixed period of time. So the penalty for non-registration is, actually, nothing, other than to pay the prosecution costs if you get caught. Some penalty that is.

These bloopers, and others (remember, the European Commission has just threatened to place 16 Member States on the naughty step for failing to fully implement a Telecommunications Data Protection Directive that was due to take force from 25 May) are bound to be discussed when the great and the good of the Open Rights Group gather for their Christmas drinks in Paddington tonight. So, if you’re passing by the Wood Marylebone pub in Balcome Street later, and hear a strange “12 days of Christmas” refrain, do pop in and join the songsters. You never know who you might meet there.

The Member States vying for a spot on the naughty step are Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, France, Germany, Greece, Hungary, Italy, The Netherlands, Poland, Portugal, Romania, Slovenia and Spain. Not the UK, this time.


Saturday 3 December 2011

The ICO’s twelve days of Christmas

It’s getting to that special time of the year when differences are set aside and we data protection folk gather together for the Christmas parties. People whose views are usually rejected with disdain are treated in a wholly different light when they congregate with various beverages in their hands.

Old arguments are forgotten as we all realise that, within this data protection community, what binds us together is that we do all care. OK, we may care about slightly different things, but the main thing is that we do care.

Fundamental rights, respecting each other, dignity and a broad outlook on life. That’s what binds us data protection folk together.

We also like a good sing song once in a while, to relieve the tedium of working out whether Binding Corporate Rules will be a truly effective and scalable way of legitimising international personal data flows. Or how we are going to get the people we advise to take data protection issues as seriously as we do.

As it’s getting close to the holiday season, here’s one little ditty that is only appropriate when there is a group of people whose throats have been generously lubricated and no-one has any inhibitions left:

On the twelfth day of Christmas,
Our chums in Wilmslow sent to me
Twelve audit recommendations,
Eleven blogs on breaches,
Ten more assessments,
Nine press releases,
Eight FOI reminders,
Seven voicemail messages,
Six monetary penalties,
Five SARs,
Four draft undertakings,
Three renewal reminders,
Two codes of practice,
And an email that I wasn’t supposed to see!

For those of you who won’t be traveling to Paris to enjoy the Xmas decorations along the Champs Elysees this year, they look like this!


Thursday 1 December 2011

Behavioural advertising: Scrap “do not track”. Try “do not target”

Gwendal Le Grand, head of the IT Department of the French data protection regulatory authority CNIL, made a remark, in passing, at the International Association of Privacy Professionals European congress in Paris on Tuesday, which I think could be very significant.

During a session on on-line behavioural advertising, he used words that may well resonate for a few years to come. The issue is, of course, about how individuals can (or should) object to the use of their personal information for behavioural advertising. Many of the delegates had attended an earlier presentation by Ilana Westman from the Create with Consent organisation, and were thus aware that most internet users really had no idea how their information was shared by web publishers, nor how web publishers actually found the money to pay for the content that the user, typically, was enjoying for free.

Gwendal suggested that, rather than using the phrase “do not track”, individuals should really be saying “I beg you not to target me”.

This is because an awful lot of tracking is going to go on, regardless of the user's stated tracking preferences. Cookies and other device features will always be monitoring how someone is navigating between the web pages, or remembering what items are in their shopping basket, but have not yet been paid for or despatched. Other forms of tracking will inevitably go on for traffic management, analytics and law enforcement purposes.

So, responsible organisations should not even think of using words and phrases that might mislead a user, such as “do not track”. There is no “cloak of invisibility” that would leave all internet usage unmonitored. So we should be careful not to use words or phrases that are incompatible with the legitimate expectations of Internet users.
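The distinction Gwendal draws (tracking for the site to function versus targeting of the person) can be made concrete in code. What follows is an added example, not code from the original post or from CNIL: a toy server-side handler that treats a DNT: 1 request header as “do not target”. Functional cookies (session, basket) and an aggregate page-view counter are kept regardless of the header; only the targeting cookie and personalised ad selection are switched off. The cookie names, the request and response shapes, and the sample requests are all constructed assumptions for this illustration.

```python
"""
Added example (not from the original post or from CNIL): a minimal request
handler that interprets "do not track" as "do not target".

Assumptions (constructed for this illustration):
  * cookie names: session, basket, visit_count, ad_segment
  * the W3C DNT header, where the value "1" expresses the user's preference
  * an empty Set-Cookie value is how this toy server signals deletion
"""
from dataclasses import dataclass, field

# Each cookie is classified by purpose; only TARGETING is affected by DNT.
FUNCTIONAL, ANALYTICS, TARGETING = "functional", "analytics", "targeting"
COOKIE_PURPOSE = {
    "session": FUNCTIONAL,      # keeps the user logged in
    "basket": FUNCTIONAL,       # remembers items not yet paid for or despatched
    "visit_count": ANALYTICS,   # aggregate counting, no profile of the person
    "ad_segment": TARGETING,    # interest profile used to pick adverts
}


@dataclass
class Request:
    headers: dict
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str = ""
    set_cookies: dict = field(default_factory=dict)


def wants_no_targeting(req: Request) -> bool:
    """True when the user has sent DNT: 1 (whitespace tolerated)."""
    return req.headers.get("DNT", "").strip() == "1"


def handle(req: Request, page_category: str) -> Response:
    """Serve a page. Functional state survives DNT; targeting does not."""
    resp = Response()
    # Functional cookies are set whatever the header says: the site cannot
    # work without them, which is the point of the "no cloak of invisibility".
    resp.set_cookies["session"] = req.cookies.get("session", "sess-new")
    resp.set_cookies["basket"] = req.cookies.get("basket", "")
    # Analytics here is a plain visit counter, not an interest profile.
    resp.set_cookies["visit_count"] = str(int(req.cookies.get("visit_count", "0")) + 1)

    if wants_no_targeting(req):
        # "Do not target": discard any existing segment and choose the advert
        # from the page's subject, not from the person reading it.
        if "ad_segment" in req.cookies:
            resp.set_cookies["ad_segment"] = ""  # empty value = delete
        resp.body = f"ad: contextual for {page_category}"
    else:
        segment = req.cookies.get("ad_segment", page_category)
        resp.set_cookies["ad_segment"] = segment
        resp.body = f"ad: personalised for {segment}"
    return resp


def targeting_cookies_set(resp: Response) -> list:
    """Names of non-empty cookies the response sets whose purpose is targeting."""
    return [
        name for name, value in resp.set_cookies.items()
        if COOKIE_PURPOSE.get(name) == TARGETING and value
    ]


def policy_respected(req: Request, resp: Response) -> bool:
    """A DNT: 1 request must never result in a live targeting cookie."""
    return not (wants_no_targeting(req) and targeting_cookies_set(resp))


if __name__ == "__main__":
    # Constructed sample requests: the same shopper, with and without DNT.
    without_dnt = Request(headers={}, cookies={"basket": "sku-1", "ad_segment": "sports"})
    with_dnt = Request(headers={"DNT": "1"},
                       cookies={"basket": "sku-1", "ad_segment": "sports", "visit_count": "3"})
    for req in (without_dnt, with_dnt):
        resp = handle(req, "books")
        print(resp.body, resp.set_cookies, "policy ok:", policy_respected(req, resp))
```

The shopper's basket and visit counter are returned unchanged in both cases; only the advert selection and the ad_segment cookie differ, which is the practical content of “do not target” as opposed to the unachievable promise of “do not track”.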

I think this is a very sensible and practical suggestion. I'll see what I can do to encourage more people to start using this phrase.


Freebies: The kindness of (not so) strangers

“Whoever you are, I have always depended on the kindness of strangers”. It’s a brilliant final line from the play A Streetcar Named Desire. And it’s one that frequently comes to mind when accepting corporate hospitality when data protecting.

The sponsors of the International Association of Privacy Professionals European congress in Paris certainly pulled out all the stops this week. [Note to the sponsors’ expenses departments: None of the expenditure was inappropriate, nor of a kind likely to interest local fraud and corruption teams. No money changed hands. One iPad was won, some really nice chocolates, football shirts and card holders were proffered, and we all now must have enough spare pens and paper pads to enable us to start to restock the stationery cupboard when we return to the office.]

But, and this is a big but, the conference venue was within a few yards of the Arc de Triomphe. Local hotels were not cheap, and people (like me) who were not travelling on expenses were all very grateful for the drinks and dinners that were so kindly laid on for all those who were considered sufficiently deserving. Data protecting is thirsty and hungry work. And all of the sponsors laid on wonderful events.

The largest drinks event was held at the ultra fashionable night club L’Arc, just across the road from the Arc de Triomphe. Every conference delegate had been invited for IAPP cocktails sponsored by our chums at Yahoo!, and a fashionably chic time was had by all. Apparently, George Clooney was there last week. I doubt they will be talking for long in such hushed tones about the way in which I worked the room and smashed a glass of champagne, but I did have a quiet word with some old friends – and take the opportunity to make some really nice new friends. It’s a club I would heartily recommend – and its website advises that there are just a few tickets left for the New Year bash, each priced at £330 (excluding drinks).

The most historic event occurred on Wednesday night, after the congress had actually finished. Trevor Hughes, Chief Executive Officer of the IAPP had a brilliant idea and had invited the heads of the principal national European data protection associations to a special dinner at the Hotel Vernet, one of the most distinguished hotels in Paris. It was the first time that the representatives from these bodies had been formally invited to meet each other. Personal relationships were quickly cemented. And agreements were reached to deepen these relationships.

Hopefully, for example, next March will see senior figures from both the French and the German privacy associations addressing members of the Data Protection Forum in London, giving their own national perspectives on the European Commission’s proposals for a new legal framework. The aim is that we Brits will get a better understanding of what concerns French and German citizens (and data controllers) have about the measures which really ought to have been published by then, and vice versa. A bientôt! Bis bald! The Data Protection Forum really will adopt an international flavour that day.

If this is the sort of event that might be of interest (the Forum meeting, not the dinner!), and you are free on Tuesday, 13 March 2012, then please feel free to contact the Forum’s secretary and ask her nicely about how to become a member of the Forum. Guidance on becoming a DPF member is at

And what about the weighty matters discussed by those who attended the dinner? Well, enough business was transacted for us to unanimously declare the occasion a great success. Privacy, as a profession, has well and truly arrived. So, through the IAPP, another international network of privacy professionals is being created, which will enable members to engage both with their contemporaries, and with the hierarchies of the privacy regulators.


Commissioners commenting at the IAPP Congress

European Commissioner Viviane Reding made a great impression on the delegates at the International Association of Privacy Professionals' European congress in Paris on Tuesday. She swept into the conference room just a few minutes before her carefully prepared speech to Europe’s data protection elite was billed to start. She majestically read it, and then glided away, protected by a posse of flunkies, well before any members of the awkward squad in the audience could ask her any questions.

What did she say?

Well, we were promised a late Christmas present. It is to be a simpler way of legitimising global data flows, and it is to be delivered in the form of an easier way for Binding Corporate Rules to be approved by regulators in all Member States. Oh, we’ll also get consistent enforcement across Europe, and some innovation. This, apparently, will increase levels of confidence, as it is evidently confidence that is lacking today in the digital world.

And that was about it. Introduced as “the most important person in Data Protection in Europe today”, this really was about all she had to say to an audience that included Jacob Kohnstamm (Chairman of the Article 29 Working Party), Peter Hustinx (European Data Protection Supervisor), Peter Schaar (Federal Commissioner for Data Protection & Freedom of Information, Germany), Richard Thomas (former UK Information Commissioner), Peter Fleischer (he of Google), and Richard Allan (of Facebook fame). Some late Christmas present we’ve got to look forward to. But, let’s give Viviane her due. She is the most important woman in Data Protection in Europe today, and she did very kindly agree to speak.

The audience were left a little bemused, but there were lots of really important issues that were discussed last Tuesday and Wednesday. There was the inevitable speculation about what else might be in the Commission's proposals for a new legal framework. The Commission is either keeping its proposals a very closely guarded secret, or it hasn't yet got much to unveil. There were murmurs of an announcement about the framework during "data protection week" next year. Excuse me. Data Protection Day is quite enough for me, thanks. There's only so much fun a data protector can have. This fun can be squeezed into a day, but I think it would be really hard to stretch it to cover a whole week.

The announcement from the platform (just before Viviane Reding swept into the building) was that the new legal instrument would take the form of a Regulation, not a Directive. But I'm not sure I believe that announcer (so I won't identify her, to save potential blushes later). Peter Hustinx pointed out that there can be various kinds of Regulations, and that Directives can also take different forms, too. It left the audience little the wiser as to what was really likely to happen.

I managed to raise a laugh among delegates when I asked Peter Schaar a question. It was related to his support for rules which had Community-wide application. He had commented, in his keynote speech, that Data Protection authorities need to think on a global basis, yet they were organised and were obliged to react locally. I pointed out that, recently, on economic matters, the Germans had been really helpful to the Greeks and others who were facing local economic difficulties, in order to strengthen confidence in the Euro. I asked Peter if he thought that the Germans might be so kind as to consider lowering their own current data protection standards, if the prize were the possibility of common data protection rules applying across the European Community, in order to strengthen confidence in data protection.

Significantly, Peter did not rule this out. He accepted that everyone needed to adopt a flexible approach, if common standards were to apply across a wider geographic area. You heard it here, first! No-one laughed at Peter's response - and many were mightily relieved.

It was left for Richard Allan to make the really significant point that in future, data protection regulation is only likely to be effective if the applicable law focuses on where the data controller is based, not where the data (or copies of the data) are being processed. After all, the data, thanks to the wonders of cloud computing and the internet, is likely to be all over the globe and constantly on the move. Everyone appeared to support this suggestion. These Facebook chaps talk a lot of common sense.

The full text of Viviane Reding’s speech can be found at


Sunday 27 November 2011

Off for a clear(er) view in Paris

Today I will be packing my bags – tomorrow I leave for Paris. Not for good, just for the International Association of Privacy Professionals’ congress at the “Salons de la Maison des Arts et Metiers”, during which some 300 of the usual suspects will discuss the latest data protection developments. The strapline for this eagerly awaited event is “A Clear View” - and I expect that when the event was originally planned, it was hoped that Viviane Reding, one of the keynote speakers, might be unveiling all of the Commission’s proposals for a new regulatory framework.

Well, as we all know, that’s unlikely. What will be interesting to note is what new thinking emerges. Recent media reports have hinted at some of the proposed changes, but let’s see if any other ideas are floated. I suspect that much of the debating time will actually be spent commenting on the changes that have already been suggested.

Hey ho – you never know, though.

I’ll be keeping my ears to the ground to pick up the best bits of gossip as I network furiously between Monday evening and Thursday morning. Yes, I know that the “congress” part of the event will only take up Tuesday and Wednesday, but I plan to be one of the first to arrive and one of the last to leave. This means that not only should I avoid most of the chaos that will be associated with the strike by British border control officials (and a very large proportion of other British public sector workers) on Wednesday, but I ought to have more time to root out some of the real data protection issues that are, or ought to be, of concern to us.

If you know where to go, you may find a group of us in a corner of a Parisian cafe on the Rue Vernet, late on Wednesday evening, singing a quiet refrain to mark the passing of the current data protection directive. And if Bob Dylan were to have had a hand in writing the lyrics, they might sound something like this:

If You See Me, Say Hello

If you see me, say hello, I’ll buy you a cold beer
I checked in Monday afternoon, and you’re OK, I hear
I should tell you that I’m all right, though feeling kind of strange
As the rules which are so familiar are just about to change

We haven’t had a falling-out, like best friends often will
And to think of how I heard that day, it still brings to me a chill
As we discuss our separation, it’s piercing me through to my heart
Old ways still live deep inside of me, but from these we need to part

If you get time enough, we’ll have one last drink on me
I always have respected you, but I’m busting out and gettin' free
Oh, whatever makes you happy, I won't stand in your way
Though the bitter taste still lingers as I know you cannot stay

I see a lot of people as I make the rounds
And I say your name here and there as I go from town to town
I’ve never undermined you, I’ve quoted from you oft
Either I'm too sensitive or else I'm gettin' soft

From morning to night time, I replay the past
I know every article by heart, they all went in so fast
If you’re passin’ back this way, I'm not that hard to find
You can always look me up - I really wouldn't mind

Many thanks to Bob Dylan, whose song “If you see her, say hello” can be found on his “Blood on the Tracks” album. The discussions at the forthcoming IAPP congress should not result in any blood being spilt on Parisian carpets – but, metaphorically, you just never know what might happen.


Friday 25 November 2011

The ICO joins the blogosphere

Welcome! A new blogger has emerged to offer thoughts and insights on data protection and freedom of information issues. This is great news – especially as the new entrant is the Information Commissioner’s Office itself. Yesterday marked their first posting – with Deputy Commissioner David Smith doing the honours, writing the historic first entry.

David focussed on an issue close to my heart, the future of data protection law in Europe. And what he had to say heartened me, as it was very much along the lines that I’ve been blogging about recently, too.

On the date of the release of the Commission’s proposals for a new legal framework, David explained why it was unlikely to appear before the end of January. I suggested on 26 September that it was more likely to be published after St Valentine’s Day (even though Data Protection Day, 28 January, would have been a good date to reveal all).

On whether the Commission’s proposals would be for another Directive or a Regulation, David explained that “two instruments would fit with the UK Government’s right to opt out of new EU measures covering the former third pillar [which is the area of crime and justice], but might make it harder to achieve our objective of a single, overarching framework applying to all the processing of personal data carried out in the EU.” He didn’t address the issue I raised on 9 October which suggested that Regulations could only be laid if it were demonstrably impractical for a Directive to be agreed. Remember, Regulations have direct effect in that they do not have to be transposed into member states’ laws.

On the content of the new framework, David was very firmly of the view that it must be “clear in what it does and does not cover and is easy for businesses to understand and apply. Regulation that is hard to understand and even harder to apply will not be followed in practice and does not serve the interests of those we are trying to protect.” Great stuff. Just what I said on 21 November.

David also emphasised that individuals need to have rights that are “clear, effective and simple to use.” On the “right to be forgotten” argument he suggested that: “the position of the individual could be strengthened simply by changing the existing right to object to processing from one where the individual has to provide compelling legitimate reasons for deletion to one where it is the data controller who has to provide the compelling legitimate reasons for retention.” This seems like a useful idea, and will encourage data controllers to be clearer about why data is retained (but doesn’t address the issue I raised on 13 September about the ease with which data controllers outside Europe can archive and retain data).

David was also a keen supporter of an “accountability” principle: “The law should be less prescriptive about means but business should be able to account for how they deliver data protection in practice. Concepts like privacy impact assessments and in house data protection officers are important, but should not be mandatory in all cases. This approach should extend to international transfers of personal data so that businesses take their own decisions on “adequacy” but can be challenged if they get this wrong.” I like this principle too, and am sure I have mentioned it once or twice in the 257 posts I have published since January 2010.

On the role of Data Protection Authorities, David was keen to preserve the British model: “We need to be independent, have a clear role and be armed with effective powers but we should supervise, enforce and advise rather than give prior approval or authorisation to a data controller’s activities.”

Interestingly, David also commented that much of the Commission’s current thinking is influenced by “large multi-national, mainly US based, businesses”. There was a relatively low level of engagement from those representing European business and citizens’ interests. Perhaps this is because, given these harsh economic times, European businesses and consumer groups simply have not been able to allocate the resources needed for those who would have liked their say to engage more fully in the lobbying process. I expect this may change slightly when the first draft of the Commission’s proposals has been published. I blogged on 8 October about the likely political impact of these proposals, and am amazed that no-one has yet posted that impact assessment on the web. We data protectors are obviously better at respecting confidences than English rugby players (or English rugby administrators, or whoever else it was)!

One thought has just occurred to me – given the similarity of views between yours truly and the Commissioner’s Office, perhaps I ought to apply for the post of Information Commissioner when the present incumbent’s term expires ...

I’ll certainly watch out for future ICO blog postings. But remember folks – don’t stray too far away from my blog. You might read about most of it here, first!



The BBW data breach report – a tsunami of trivia

There’s an interesting report out from the folk at Big Brother Watch. It highlights research revealing more than 1035 data breaches across 132 local authorities, including at least 35 councils who have lost information about children and those in care. At least 244 laptops and portable computers were lost, while 98 memory sticks and more than 93 mobile devices went missing.

Only 55 breaches were reported to the Information Commissioner’s Office. And, only 9 incidents resulted in termination of employment. BBW were very concerned that “highly confidential information has been treated without the proper care and respect it deserves”.

Is this report really as shocking as it appears? Let’s unpack it a little.

First, the time frame over which the breaches occurred – the report covers breaches over a 3 year period, from July 2008 to July 2011.

Second, the breaches reported include losses of encrypted as well as unencrypted information. So it’s really hard to unpack the reports to work out how many breaches related to unencrypted sensitive information – of the sort that really could cause harm or embarrassment to those whose information was compromised.

Third, and as we can expect from a report of local authority data breaches, a small proportion (less than 10%) of breaches related to information about some 3100 children, young people or students.

Fourth, the incidents included cases where council staff had lost information which had been downloaded onto personal laptops and computers. It highlights the risks involved when data is moved around by staff to enable them to work on a different machine: “Where council information has been transferred to a personal machine, there is no guarantee that personal devices contain the same security and encryption protection. Indeed, several incidents have been highlighted where malware has been discovered on machines, a risk of using personal machines where virus and anti-malware is often not at the same level as a corporate machine.”

And, of course, the report repeats the advice on the use of portable memory storage and mobile devices that all security professionals know off by heart, yet can’t quite get their businesses to fully implement: “Policies and procedures should reflect not only how information is stored, but the grounds for which it should be moved in the first place. As soon as information is held on a portable device, the risk for that information to be compromised significantly increases and so much more needs to be done to restrict the transfer of data occurring in the first place.”

So where does this leave us? Well, the report does offer some fine (or tongue in cheek) examples of the lengths to which a local authority will (apparently) go to contain a data breach. For example, in Bolton, a smartphone containing internal contact details of council employees slid off a car bonnet and fell into a shaft. The phone was assessed to be irretrievable without dismantling the car park. Instead, it was sent a remote wipe command within one hour and the owner of the car park subsequently sealed the cavity with concrete. My, they take the security of their staff seriously in Bolton!

Sometimes when paper documents were mislaid or wrongly addressed, the breach was reported to the ICO. Mostly, they were not.

And does it really matter that the ICO was not formally advised of all security breaches?

Frankly, I think it supports the case that reports of all data breaches would have served no useful purpose, as so many of them were trivial in nature or they occurred despite the usual steps being taken to safeguard against loss. For example, Bromley council reported that 2 USB sticks were stolen from a Council-run youth centre. The USB sticks were inside a security safe which was itself stolen.

Buckinghamshire council reported that a disk containing data on vulnerable children was left in the hard drive when a personal computer was taken away to be replaced – but the repairers were immediately contacted and the data was retrieved. In another breach, it reported that a social worker lost client notes in their office – but access to that site is controlled and no outsiders are permitted to visit that area.

In other cases, global emails were sent, without blind copying. Simple mistakes – we’ve all done that. Oh yes. Yes, even (unnamed) experienced and award winning data protection solicitors have done that.

Actually, what I would have loved to have read about was not the data breaches, but a frank assessment of whether anyone was actually harmed as a result of the breaches. The report’s authors did not address this point, and I think that’s a lost opportunity.

What we have is evidence of system failures, but not evidence of system failures that caused harm.

So we should be careful not to scare the readers of these reports by suggesting that, in light of these incidents, data handling standards are necessarily unacceptably low. Of course there’s always room for improvement, but until real harm can be seen to have been caused, I would expect many council officials to be wary of spending a greater proportion of their diminishing budgets on enhanced security measures.

Perhaps, of the 1035 incidents, there really were only 55 that merited the attention of the ICO. In that case, they have been saved reading through an awful lot of reports of trivial breaches.

Let’s hope that the new data protection directive also contains proposals that require data controllers to report the serious breaches to the regulator, rather than get them to wade through a tsunami of trivia.



Monday 21 November 2011

“Frictionless” – the new buzz word from Silicon Valley

Attending a meeting in Central London tonight, someone used a brilliant phrase she had picked up while out doing stuff in Silicon Valley, California. The conversation was about how customers viewed the products and services that were offered to them. And the key feature was, these days, the way the product or service answered the question “how frictionless was that?”

I think it’s a brilliant phrase – as the very best brands have products or services which, quite simply, just work. Think of anything we buy from Apple. Who ever pulled out the user manual before getting it to work for the first time? Their products are just so intuitive that you feel that you know how to use them as soon as you take them out of the box.

I can’t imagine me always saying the same thing about a piece of flat pack furniture from Ikea.

So, as it considers the changes it will propose, I’m determined to lobby the European Parliament to create a “frictionless” data protection directive. I mean, wouldn’t it be nice to have a piece of legislation that simply was intuitive and worked? One that met the needs of both individuals and the bodies that used personal information. One that didn’t need an expensive “translation layer” in which our learned friends spent years disagreeing with each other about what the words actually meant, and therefore how they could be implemented without the European Commission feeling minded to take infraction proceedings against Member States on the grounds that they hadn’t got the domestic legislation quite right.

Perhaps we should lobby for a new, 9th Data Protection Principle – that personal data should be regulated by a set of frictionless rules, readily understood by all parties.


Sunday 20 November 2011

Whose personal data is it anyway?

The current “debate” over the “right” to be forgotten reminds me of the plot of Whose Life is it Anyway?, a television play first transmitted in 1972. The play brilliantly raised issues that were so profound that the television version was turned into an award winning stage play starring Tom Conti in the West End in 1978, transferring to Broadway the following year. The film version, starring Richard Dreyfuss, was released in 1981.

What’s it about? Basically, the central figure is a profoundly handicapped sculptor. Left a quadriplegic after a car accident, he feels utterly useless, as both an artist and a human being. He doesn't want his family's love, or his doctor's care, or his nurse's ministrations. He simply wants to die – but this is impossible, given the legal state of things in the 1970s. It’s one of the few plays/films in which a person's right to self-destruction is regarded as a happy ending. Actually, it’s not as depressing as it sounds, and contains some wonderfully funny lines.

It’s reminded me (as if I ever needed reminding) that Human Rights Act legislation ended up conferring rights on bodies that aren’t even human. In a data protection context, data controllers have rights, too, and these need to be balanced against the rights of individuals.

How can these individuals assert, say, their rights to have their data deleted, when it is held by data controllers over which they have no control? How long will the European Commission try to assert that individuals within the European Union should actually have the power, say to force the Internet Archive, which is not based in the European Union (nor does it have any equipment or offices within the European Union), to delete “their” personal data on demand?

I gather tempers got quite heated during a recent meeting of Data Protection Commissioners as they discussed such things. What may be nice to have in theory can be impossible in practice.

So my advice to those who wish to continue this argument is to agree that, rather than exchanging views in ever more strident tones, they order a copy of the Whose Life is it Anyway? DVD and appreciate that the problem wasn’t totally resolved when it was debated 40 years ago. The protagonists should not get too hot under the collar when it dawns on them that they can’t totally resolve it now – but they will have a really enjoyable 118 minutes.


Saturday 19 November 2011

What sort of Directive will emerge from this fundamental divergence of views?

The more I think about these things, the more I thank my lucky stars that I’m not going to be accountable for proposing a new Data Protection Directive. The closer we get to European Data Protection Day (28 January 2012) the happier I am that my DNA won’t be too closely associated with (perhaps) the first publicly available draft of the new proposals.

The battle lines have already been drawn up and if you know where to look, you can read about the tectonic policy plates grinding along the usual fault lines. The principal fault line seems to be the extent to which common rules will be imposed on data controllers and on citizens across the entire Community, and the extent to which Member States will be able to implement the main rules in ways that sympathetically address local cultural traditions.

I’ve recently been reading the comments made by prominent ladies on the different sides trotting out their positions – and I am really not sure which side will eventually win.

On the “One law to rule them all” side, we have people who share the views expressed by Commissioner Viviane Reding. She was recently interviewed by the Washington Post, and made it pretty clear that her preference is for a highly harmonised set of binding regulatory rules for all data controllers. In her words:

"Today in Europe, if you are an American company, you have to abide by 27 different interpretations of the EU law data protection. This makes no sense for a business and is absolutely cumbersome. Our reforms are aimed at getting rid of this fragmentation and providing consistency and coherence for the whole of the continent. That means providing services to 500 million people, which presents a fantastic business opportunity for companies.

Q: What do you think of self-regulation? Is it a good idea?

A: Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place. Otherwise self-regulation means that everyone does whatever he or she has in mind. Just look at the instability that self-regulation in the financial markets brought us. The financial markets, through personal greed and irresponsibility, failed to effectively regulate themselves. This is why I do encourage codes of conduct for businesses in Europe provided that they are fully in line with our European data protection law.

Q: Explain your philosophy behind individual privacy.

A: It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union.

We do have a set of rules today that is not always being applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules.

For example, with Google’s StreetView last year, seven countries took seven different decisions on how to deal with a case of e-mails being collected and stored without people knowing it. Divergent interpretations of the same rules in the same situation is not good -- neither for citizens nor for companies.

Q: Is there a divergence between the U.S. and Europe in terms of the approach to data privacy?

A: It is clear that we have different approaches between the two sides of the Atlantic. The American people and their representatives understand that the question of data protection is not a theoretical one. These are not questions by idealists but bipartisan issues that are directly linked to the way we see the individual, the citizen, in our society. But I also want to say that we are heartened to see proposals such as the one by Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) for new online privacy rules."

And, on the other side, we have people who share the views expressed by commentators such as Janet Daley. Writing in the Daily Telegraph recently she made her distaste of detailed centralist European regulation very clear. As far as she is concerned:

"What you hear in the grandiose speeches of European leaders and the bumptious pronouncements of EU officials is precisely this: we have an ideal system which can guarantee infinite security and wellbeing, provided that everyone behaves in ways that are consistent with the rules of life as we describe them.

The great irony of the [economic] mess we are now in is that this concept of a totally rational, perfect society which must be imposed on actual people, each with his own distinct experience and perception of life, was the same delusion that wreaked havoc in Europe for generations. From one Terror to another, Robespierre to Stalin, the enforced experiments ran their course. And virtually every one required the “temporary” expunging of democracy.

... However repugnant the present generation of capitalists may be, and however much personal disrepute they may incur, it is not capitalism that is about to destroy the prosperity of the populations of modern Europe. It is the folly of enforced uniformity – yet another dream of enlightened perfection – that will accomplish that."

It’s an argument that will run for a long time. And the deeper I think about these issues, the more sympathy I feel with the need to respect local cultural traditions, rather than have rules imposed that will generally be ignored locally precisely because they conflict with local cultural traditions. If I were ever to work for a multinational, or global, data controller, I might be more sympathetic to the practical problems they deal with as they offer services across continents. But, currently, I don’t, so I’ll focus on developing an approach that respects local, or national, needs, rather than a more centralist approach.

Should I change my employer in the New Year, I may revisit this view. But, right now, this is what I think.



Friday 18 November 2011

ICO to change its name

I am not making this up. The hunt is on to dream up a new name for the Information Commissioner’s Office in Wilmslow.

What? Does that mean we could see the Office of the Information Commissioner (aka “the OIC”), or perhaps the Information Rights Commissioner?

No way. Actually what is on the cards is a new name for Wycliffe House, the office building that houses the Information Commissioner’s staff in Water Lane in Wilmslow.

The ICO’s staff have been invited to submit ideas for a new name for the building. I haven’t, but that won’t stop me thinking up something appropriate. And even if you haven’t been specifically asked, please consider this as an extended invitation to join in the fun.

Let’s set some ground rules here:

1) No profanities in any of the working languages of the European Community.
2) Try and get the name to reflect the work that goes on there.
3) Include an homage to previous leaders. A quick hint – the former leaders were Eric Howe, Elizabeth France, Richard Thomas, while the current incumbent is Christopher Graham.

Surely, there must be better ideas than these:

Using the first letter of the surnames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and adding I for Information and R for Rights you get Fright, so perhaps Fright House?

Or, using the first two letters of the forenames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and D for Data, P for Protection and A for Act you get Charred Pile, and Harped Relic. No, I don't like those very much.

Or, using the first two letters of the forenames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and I for Information C for Commissioner and O for Office you get Heroic Relic. No, that's not right, either.

Or, using the first two letters of the forenames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and U for Upholding, D for Data, and P for Protection you get Crier Upheld and Epic Hurdler. Still not very impressive.

And finally for today, using the first letter of the surnames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and adding U for upholding, I for Information and R for Rights you get Frig Hut. Come on readers, you ought to be able to do better than this!

Fellow entrants are welcome to use a clever website to help them create their own anagrams once they’ve decided what letters to use – take a look and try out the wonderful I would get your entries over to your usual contact at the ICO sharpish, if I were you.

(See Item 7.1 of the minutes of the ICO’s Executive Team Meeting, held on 3 October 2011) (Frig is not a rude word, actually it’s of Germanic origin, meaning peaceful ruler or peacekeeper – which is what the ICO tries to do, an awful lot of the time).


Thursday 17 November 2011

Cloud Computing: reviewing the risks

I’ve just attended an excellent private discussion forum on cloud computing and consumerisation. Attendees considered the benefits, as well as the possible pitfalls, of this emerging technology, as it might be used by public authorities, private companies, and individual consumers. No, I won’t be reporting in detail on what was discussed under the Chatham House rules. All I’ll say is that the event was held by the Information Assurance Advisory Council and that it took place at the offices of the British Computer Society in Covent Garden. Now then, those who read this blog and who know about the IAAC will be able to appreciate who might have attended.

What I will say, however, is that some of the discussions might have been oddly familiar to those who can access the minutes of the meetings of the Royal Society in the Victorian era. During the early part of that era, Michael Faraday read before the Royal Society a series of 30 papers about his experimental researches in electricity. Gradually, private companies created their own Directors of Electricity, as each company generated its own power. It was only at the very end of the Victorian era that the concept of a high voltage integrated electrical power distribution system was created in the UK, and private companies made their Directors of Electricity redundant as they joined what was to become the National Grid.

It occurred to me on the tube home that many of the issues that needed to be considered as companies were faced with the choice of continuing with their own power generation capabilities, or moving towards a shared power service, are oddly familiar to those of us who are thinking deeply about the cloud computing conundrum. What is also oddly familiar is the venue for some of the dinners held by the IAAC – after all, Simpson’s in the Strand rose to prominence in the mid Victorian era, too, and would have been frequented by members of the great and the good and by those who were sufficiently interested in modern matters (such as members of the Royal Society).

One key message emerging from today’s meeting that I am free to share is the need for people to be aware of what the cloud computing risks and rewards actually are. Easy to say, actually very hard in practice to deliver. After all, we all think we know what we are talking about, but is our knowledge level really that deep?

To demonstrate (just to you) how flaky your own knowledge might be, I’ve come across this really handy on-line test which asks a series of questions about what is legal, and what is not legal, when you use Twitter, Facebook, upload material, blog, get involved in on-line discussions or sell anything on the internet. You may think you know the law – but is that really the case?

Feel free to take this on-line test, at hosted by Nominet (so it is a credible website), and marvel at your own results. It will only take a few minutes to complete, and no-one else ought to be able to know how knowledgeable you really are.

And it makes you wonder: if normal people are as ignorant about the basic elements of the current law as those of us who take this straightforward test, then what hope is there of getting them to appreciate the possible consequences of allowing their own material to be stored or processed in a cloud environment?


Tuesday 15 November 2011

So, even Cabinet Office Ministers have to comply with Cabinet Office rules, these days

Ouch. But we ought to commend Oliver Letwin, the Minister of State for Policy at the Cabinet Office, for agreeing so quickly to accept the regulatory action that the ICO has considered appropriate after the media reported on his somewhat strange data handling practices last month.

What did he do? Well, last month he was photographed by a newspaper tossing more than 100 documents into bins during morning walks around St James’ Park, close to Parliament. Letwin admitted throwing the papers away but denied that any were sensitive.

"None of them of course were classified and none of them were papers that originated from government," he told the BBC.

"I was walking around dictating responses and simply wanted to make sure the pieces of paper were not weighing me down."

The documents were dated between July 27, 2010 and September 30, 2011 and contained correspondence with parliament's Intelligence and Security Committee, the body which oversees Britain's spy agencies, the newspaper report said.

Others included references to the European Commission, Ministry of Defence, Home Office, Treasury and London's Metropolitan Police, it said.

Letwin had ripped some of the documents in half and handed others directly to a rubbish collector, the paper said. Some had details of people living in his parliamentary district of West Dorset. The material supplied to the ICO by a Daily Mirror journalist revealed that the letters and emails contained the names, addresses and contact details of approximately 20 individuals. One email also included a limited amount of information relating to an individual’s recent hospital treatment.

So, in disposing of his constituents’ correspondence in such a manner, he breached the Data Protection Act.

His penalty? To sign an undertaking that he shall:

(1) only dispose of documents containing personal data in a secure manner, such as shredding, pulping or incineration;

(2) take note of, and comply with, the latest standards of data handling issued by the Cabinet Office for use in central government departments; and

(3) implement such other security measures as he deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

I did chuckle when I read undertaking 2 – after all, as a Cabinet Office Minister, it is rubbing it in a bit to get him to undertake that he will comply with the standards that are issued by his own Office, and thus presumably under his own signature!

His penalty, obviously, is also to endure no end of public ridicule, while many of us think “there but for the grace of God, go I.”

But brilliant timing by the ICO – especially after my last blog, which remarked on the length of time it took the folks in Wilmslow to publicise a series of recent breaches. This time, the ICO’s enforcement team worked at the speed of greased lightning to publicise the penalty within one month of the offence actually coming to light! Mightily impressive. Well done.

I wonder which politician will be next in the firing line. Despite the cuts to the ICO’s budget, it seems that the Commissioner will still find time to address the failings of public figures.



Sunday 13 November 2011

Breach notification: What have we done to deserve this?

Each time I open the data protection press I read about yet another data breach. In fact there seem to be so many right now that it’s hard to care too greatly about many of them. Should we worry about the sad incident involving Rochdale Metropolitan Borough Council, whose employee, last May, lost an unencrypted memory stick containing the details of over 18,000 residents? The data included, in some cases, residents’ names and addresses, along with details of payments to and by the council. But the device did not include any bank account details. Six months later, the ICO issued a press release about the affair.

Or should we worry about Newcastle Youth Offending Team, which managed to have an unencrypted laptop containing personal data relating to 100 young people stolen from a contractor’s home in the Northumbria area last January? Ten months later, the ICO issued a press release about the affair.

Or perhaps we should worry about University Hospitals Coventry & Warwickshire NHS Trust, which lost records relating to the treatment of 18 patients in February and then records relating to some more patients last May. And the ICO’s press release was issued at the end of October.

Should we worry about the breaches themselves or the time it has taken the Information Commissioner's Office to publicise the breaches? Or indeed should we worry that the vast majority of the stuff we read about relates to the public sector, rather than the private sector?

I have to say that there may be a bit of special pleading here, as of course Communication Service Providers have been required to report breaches to the ICO for several months now, so perhaps it won’t be too long before their transgressions are more generally known, too.

Should I worry myself? Well, given the fact that the breaches which the communication service providers have to report include those where no-one has been harmed, where the loss has related to encrypted information, where the breach of even a single record is sufficient to warrant a notification, and the breach can involve the accidental alteration of information, as well as the loss of information, I would expect the Commissioner’s staff to have a healthy stream of notifications through which to wade. And these notifications have to be made “without undue delay”. We are talking of weeks here, not months. So, on current form, the initial wave of ICO Press Releases could be getting drafted sometime soon. With luck, they might simply say that the Service Providers are meeting the obligations that have been imposed on them by SI 2011 No 1208. With more luck, they might say that a number of the incidents that have been notified to them were probably not intended to have been notified to them by those who drafted the initial legislation, so it hopes to hold a workshop in the new year to consider, in the light of the experience of actually operating the current mandatory personal data breach notification scheme, what it actually means and what purposes are being served.

After all, if there is confusion now about what is required and who is expected to do what and when, how will the ICO manage when the mandatory breach notification process is extended to cover, say, all 300,000 UK data controllers?

What, though, has the delay between the breach notification and the ICO’s decision to publicise the breach achieved? Presumably it’s given the offending party an opportunity to get its house in order, to understand the cause of the breach and to raise a project to address that cause. So hopefully that type of breach won’t happen again. At least to that data controller, anyway.

But can this actually be the case? Many of the incidents I see arise not as a result of technical failures (although of course systems will always encounter the odd weakness every now and again) but because individuals have not exercised the personal behaviours that you might wish of them.

So the incident involving Rochdale Metropolitan Borough was obviously avoidable, as it involved the loss of an unencrypted memory stick. Likewise, the incident involving Newcastle Youth Offending Team, and the unencrypted laptop. But are we really going to be able to avoid incidents involving the inappropriate disposal of paper records (even if they relate to confidential medical information)? Such matters won’t be resolved by new IT security policies, or central controls. No, they relate to human behaviours – like which bin to dispose of confidential waste in – and we’re all human, after all.

And if the medical profession can’t quite master the disposal of paper copies of confidential personal files, then I dread to think what will happen when the rest of us are invited to realise just what employees of other data controllers have been up to!