Sunday 26 June 2011

An un-British way to revise the Data Protection Directive

Saturday – I headed west, out of London, to enjoy an evening of “music for a summer evening”. Coldplay at Glastonbury? Nope, this was the Orpheus Sinfonia at Hungerford. Think of Glastonbury as it ought to be - not too many people, no muddy fields, just glorious and peaceful surroundings in which to enjoy a picnic before the concert and during the interval – and as the food was settling, to hear 60 excellent musicians play a programme featuring some of the best of Vaughan Williams and Elgar. And superstars in attendance? Well, the soloist Tamsin Waley-Cohen was playing her 1721 ex-Fanyves Stradivarius violin. And I don’t think you’ll get much change out of £7 million if you fancy buying an instrument like that.

Fantasia on Greensleeves, English Folk Songs, the Enigma Variations, Pomp & Circumstance. You can picture the sort of evening – and the emotions that were welling up in the audience.

It was all so heroically English that I began to really appreciate the problems that our chums in Brussels are going to face if they really think that they are going to be able to create a legal instrument restating the basic tenets of, and introducing some fundamental tweaks to, European Data Protection Law any time soon. We Brits can be an extremely stubborn lot. We know what we like and what and how much leeway we like to give the State over the lives of its citizens. Rules exist to be honoured (ie not always followed), and British traditions are unlikely to change quickly.

I firmly expect citizens of every other EU Member State to have equal passions about their own local cultures. And why not – they are just as proud of their heritage as we are. So, given the uneven economic circumstances currently prevailing in the EU, I doubt that many people are looking forward to the EU Data Protection change curve with much vigour. What changes could we accept, and what practices will we defend to our utmost?

As far as the "welcome" changes are concerned, I suspect that the only way the EU is going to whip up much support for any changes is to present them as designed to put right the injustices that have obviously been dealt against the European public by some of those larger non-European based organisations. Who they? Step forward the social networkers and, naturally, Google (the Eurocrats would allege). Expect some hefty rhetoric about these guys soon. What we could get to agree on is what we don’t like. And how will this be done? Possibly by portraying these guys as having taken us for granted, and they will be exposed as having used their sneaky software to spirit away our privacy in return for letting lots of EU citizens have free stuff and just have fun.

What I expect the EU will want is for the fortress walls to be built a bit higher, so that EU citizens could have a safer time – but possibly a more boring time too. Before citizens get to play with the “free stuff” there will be more pages of warnings, information and other regulatory material to “accept”. Citizens will be expected to know what it is they are consenting to. And if anything goes wrong the regulators will have stronger powers to wield against the bad guys. The regulators probably won’t get the extra resources they need to properly exercise these greater powers, but that’s another story.

If I were a eurocrat looking for change in the data protection sphere I would plump for:

1) Greater awareness of how someone’s information is shared on-line.
2) Ways of preventing too much centralisation of information, so that people could maintain as many on-line identities as they required.
3) A way to overcome mistakes – like an “IP Tippex”, so that personal reputations can be rebuilt following a faux pas.

But I’m not that confident that this is what will be achieved.

If we’re not careful we could be looking at a proposal for a revised EU Data Protection Directive which makes changes just in terms of the process which data controllers need to follow to ensure that an activity is legitimate. But surely we don’t want to focus on processes; we want to focus on outcomes. People who are quite conservative tend to love processes – and the more processes you can develop, the more you will have to rely on people who can explain these processes to them. But, unfortunately, the more you focus on the process, the more your mind drifts from concentrating on the fairness of the actual outcome.

I would prefer to think in wider terms – by suggesting that it’s just as important to develop a pragmatic and moral attitude to making sure that the ultimate goal is achieved, rather than trying to micro manage every step which must be taken in order to reach that goal. I don’t feel comfortable in cultures which announce that the steps which have been specified are the only ones which it is legitimate to take. I prefer a more flexible approach.


Thursday 23 June 2011

Should we reply “stop” when we get spam?

Two more unsolicited messages have arrived in my in box. The first, the day before yesterday, from 07591233950 says: URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim reply “Yes”.

And that was followed a few hours later by a text from 07934208158. This one says: You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP.

Someone’s fingernails need pulling out. (Not mine, though).

We all ought to know that we’re only supposed to be receiving this stuff if we’ve previously told someone that we want to have it sent to us. But is it worth responding to these texts? I’ve been chatting to some friends about this, and some of them think replying "stop" is a waste of time.

When we search the Information Commissioner’s website for advice on issues such as these, we are left a bit confused. Guidance about What can I do if I’m getting unwanted marketing texts? is as follows:

If you receive marketing by text message which you think breaches the [Privacy & Electronic Communications] Regulations you should write to or email the organisation concerned (remembering to keep a copy of all correspondence). You may also be able to try and opt out from further messages by texting ‘STOP’ to the telephone number or 5-digit short code shown in the text message. Tell the sender about the problem and allow them time to put things right.

If you are unsure who the message comes from or if the message does not come from a company you are familiar with you should not respond to the message as this may confirm your number is live.

If you continue to receive marketing by text message we may be able to help.

So, the ICO advises that you should try and object by texting STOP - unless the text comes from a company you don’t know – such as this one. But if you don’t text STOP, then how will the ICO take your complaint about being sent unsolicited texts seriously?

Recently, the Information Commissioner has been given powers to fine organisations that send such SPAM messages up to £500,000. I wonder whether he’ll be tempted to consider using his powers in this particular case.

One defence the spammers might put is that they sent the texts in good faith, and have only continued to send messages to people who have not previously objected to receiving them. After all, if the recipients didn’t reply STOP, perhaps they wanted the messages to continue. You can imagine the arguments.

Another defence the spammers might put is that they think that the Commissioner really ought to reissue his guidance on how he will impose any fines, and have this guidance approved by the Secretary of State and laid before Parliament, before he can issue fines to people like spammers. Otherwise, it wouldn’t be cricket. But should the ICO play by these rules, when taking action against those who ignore any rules? I think not. I think the Commissioner should consider a gamble – throw away the regulatory red tape and go for the spammers where it hurts – their bank balances.

Anyway, what I would like to see is lots of people replying STOP, and then complaining as hard as they can to the Commissioner when (we know that) their objections will be ignored.

My cunning plan is to get customers really upset about their inability to stop this awful behaviour – and to make their angst known, in very forceful terms, to the regulator. I disagree with the view that people should not bother sending a text to stop more texts from being sent, “because the bad guys probably won’t take any notice of you”. I think it’s more helpful if large numbers of recipients complain to the Commissioner after having continually taken some steps themselves to stop the mischief. That ought to get him to act, as he will have even more evidence of angry customers – which is what he will need if he is serious about imposing a large fine on the spammer. If the Commissioner feels that customers have not done much themselves to protect themselves, he may not feel entitled to impose a huge fine on the bad guys.

The recently deceased peace campaigner Brian Haw set up camp opposite Parliament and refused to relinquish his patch for nearly 10 years. Perhaps, when Glastonbury’s out of the way, a few of the more intrepid privacy campaigners can set up an anti-SPAM camp opposite the Commissioner's office in Wilmslow. They could demand action, and only move on when these miscreants have been properly dispensed with.

And, while the protesters are enjoying the delights of the Commissioner’s car park, they can while away the days by filling in the ICO’s on-line complaint form at .

Question 12 asks: has the receipt of these messages had any practical effect on you? (eg prevented urgent messages from being received, incurred costs etc) Please be as creative as you can. We could get the Commissioner to award prizes for the best answers. The complainants can then either email the completed form to the Commissioner at, or, as they will be there, they could pop a copy through the letter box.

And, please feel free to cross out the bit in the declaration you are asked to sign which explains that “I ... understand that you have no powers to punish an organisation for any likely breach of the regulations and that you cannot award compensation”. Tell the Commissioner to ignore that bit, and just go for it.

Remember that in most cases the ICO will destroy the documents you send them after 6 months. So if you don’t get a reply within say 4 months, send them a quick reminder. You don’t want your precious complaint to go undealt with, do you?



Cybercrime – whose fingernails should be slowly pulled out?

Returning home on the underground from a fine performance of the opera Simon Boccanegra last night, I spotted a familiar face sitting opposite me. Why, it was no other than Professor Peter Sommer, of the LSE, surely Britain’s greatest legal mind in the field of information system security, digital investigations and digital forensics. Peter is the sort of person you try to engage before he is snapped up by the other side. As his website modestly infers: His criminal instructions have included not only the obvious “hacking” and “computer fraud” cases but also terrorism, harassment, corruption, software piracy and murder. A number of these have made headlines and a few have altered the way in which these crimes were subsequently investigated and charged.

No, he had not been at the opera. But his evening engagement was probably just as sociable, no doubt dining with some other superstars of the cybercrime world. I’m not suggesting for one moment that he was mixing with a bunch of criminals. Oh no, I’m sure that he would have been networking with those whose lives are engaged principally with the academic study of, and the battle against, cybercrime.

For those who don’t know, Simon Boccanegra has a complicated plot. Full of malevolent deeds, threats to the civil society, duplicity, mistaken identity, and evil people working their devious plans, which end in disaster for the key actor. Come to think of it, this is also a pretty apt description of cybercrime today.

I suspect that whatever gathering Peter had attended, it had also attracted some of the senior investigators who would have been well aware of circumstances surrounding the recent detention of an Essex teenager, suspected of masterminding an international computer hacking ring. Apparently, this 19 year old is now hailed “mastermind of the Lulzsec hacker group”.

According to The Telegraph, he has been charged with five offences under the Criminal Law Act and Computer Misuse Act, including an attack on the website of the Serious Organised Crime Agency on Monday. He is also alleged to have attacked the website of the British Phonographic Industry, which organises the annual Brit Awards, last October and the website of the International Federation of the Phonographic Industry last November. And, when the Brits have finished with him, he is also wanted for questioning in the US over a cyber attack on the Facebook website.

Who said that British education standards were failing? If our schools can produce people with this ability at the age of 19, I wonder what other software stars are currently lurking in their bedrooms, their skills unbeknownst to their parents. When I was a kid, I could imagine myself to be Dr Who, and fight imaginary space invaders from the comfort of my bedroom. These days, young people are capable of actually engaging in a cyber war from the comfort of their bedrooms. Their individual ingenuity is pitted against the collective experience of teams of programmers many years their senior. Yet they can still win this “unequal” battle – without ever having to go out with their mates.

But whose fingernails ought to (metaphorically) be slowly pulled out as the crime is being investigated? Should they be those of the alleged hacker – or should they be those of the programmers who originally devised the flawed protective security measures? Of course the miscreants shouldn’t hack into stuff that isn’t theirs, but surely there is also a parallel obligation on the software community not to design software which contains the flaws that are evidently so easily exploited by members of the Lulzsec group and their like. If I’m paying good money for cybersecurity, then I want the people whom I bought the product from to suffer when it lets me down. Not just their company - I want individual accountability, here.

Where will it end?

In tears, for the person who proves to be the easiest target. If we’re not careful, we’ll spend too much time going after the individuals in their bedrooms, rather than using our scarce resources to create electronic defences that are robust enough to overcome unusually gifted teenagers.


Image credit: It’s the logo of the Lulzsec group


Monday 20 June 2011

Internet parental controls: Not in front of the children (or the in-laws)

This afternoon, the usual suspects packed themselves into a Parliamentary Committee room to hear some familiar figures confirm what we had already suspected about parental controls and the internet. It’s not about censorship; instead it’s about giving the people who pay for internet services the ability to decide whether (and when) particular types of services should be supplied to them - and to anyone else who might also use that internet connection.

Sponsor: The Internet Services Providers Association. Venue: Portcullis House, Westminster.

ISPA Chairman Nicholas Lansman skilfully managed to ensure that the usual points were debated in a wide-ranging discussion, characterised by an atmosphere of concern and some respect for the feelings of others.

Ed Vaizey, Minister for Culture and a load of other stuff, opened the proceedings by pointing out that the forthcoming emergence of internet-enabled TV sets meant that the time had come for genuine action on the part of service providers, to ensure that concerned parents had easily accessible tools which could be used to protect their children. MPs’ postbags were heaving with signs of concern from parents, so some form of formal regulation would be a natural consequence of the inability of service providers to devise their own solutions. He was keen to emphasise that this was not a freedom of speech issue - adults should always be able to access legal content. But adults should also be able to control the internet experience they were paying to provide to their children.

What about parents who felt unwilling to utilise these controls for the “benefit” of their children? Or parents who had learning difficulties? Would they be classified as incompetent parents? Is this just about giving parents another tool with which they could abandon parental responsibility? These queries were raised by members of the audience. Apparently, time will tell.

Claire Perry, MP for Devizes, followed Ed by paying tribute to the work that service providers had already done, but pointing out that only about half of families appeared to have implemented any of the current available controls. What was required were controls that were simpler to use, reached all of the devices in a household, and incorporated automatic updates.

Justine Roberts, founder of Mumsnet, explained that her followers believed in the right of adults to do their own thing, but didn’t feel that children should get their first sexual experience from internet porn.

This gave Dido Harding, CEO Talk Talk, the opportunity to announce that its new Homesafe service had been used by 50,000 customers in the first six weeks. Certain categories of sites could be blocked (and individual sites on those lists could be unblocked, of course), Peer to Peer protocols could be disconnected, and all browsing could be halted during the “homework hour”, if that was what the bill payer chose. Dido was keen to emphasise though that whatever service providers were able to offer, this was part of the solution – by no means the whole solution. The service was free, despite the company having spent tens of millions of pounds installing probes throughout its network to make sure it knew just where its customers’ browsers were pointing.

John Carr, Secretary of the UK Children’s Charities’ Coalition on Internet Safety welcomed the concept as a way of enabling a family to protect what it saw when watching the TV together in the living room: We don’t want Mickey Mouse and Hustler magazine a click away on the same screen, he thundered.

Mike Galvin from BT announced the work being carried out by BT, Sky, Virgin and Talk Talk (representing a very large rump of UK consumer internet bill payers) to publish a Code of Practice for parental controls within the next four months. The aim would be to improve take-up by parents, improve the consistency of advice offered by service providers, and then extend an invitation to the smaller providers to join the parental control train. The smaller providers won’t be able to exert much influence on the Code, but they ought to let their own customers take advantage of the standards that the bigger players will have developed.

Dr Clarissa Smith, from the University of Sunderland, spoilt the atmosphere somewhat by pointing out the lack of proper research in this area: We need proper studies before we start regulating the issue. We should ask what people do with sexual media. It’s too early to start taking freedoms away from young people until we understand what we’re denying them. Young people have rights to sexual education and sexual imagery.

But it didn’t take too long before Middle England had its say. Sheila Eaton, President of the National Council of Women of Great Britain, quickly put the academics back in their place. Sheila didn’t need research to tell her what she felt in her bones. And she repeated some of the other points that had been made by previous speakers, too.

Returning home, I warmed to the idea of the internet payer being able to “tune” the service they allowed others to consume. It needn't just be for parents to protect their children from accessing unlawful sites. As the configuration software offered by the service providers matured, perhaps good Christian families could ban ungodly sites on Sundays. Fundamentalist families could select the internet sites that were acceptable to their followers. And, perhaps when my own parents come to visit, I could retune my internet to block them from accidentally logging onto a euthanasia site, or any of those sites which help you write your children out of your will.

Yes, configuring the internet to allow service payers (rather than service providers) to reflect their own interests may well have its advantages.


Sunday 19 June 2011

Mulling over a close call? Sleep on it.

I’m often asked easy data protection questions, those where the answers just trip off the tongue. But what I really like are the hard questions, those where you can’t just act on instinct – but instead, like a chess player, you need to think through the consequences of each of the many possible alternatives, before announcing what the preferred option is, and why. You know that, when you provide your answer, you will be passing unwelcome news to at least one of the stakeholders. But offering data protection advice is not the same as entering a popularity contest. A professional person is used to offering advice, even when they know that it’s stuff that some of the recipients may not want to hear.

I’ve been wondering what spiritual guidance John Lennon & Paul McCartney might have sought if they had ever been required to mull over a thorny data protection issue. It probably wouldn’t have been Mother Mary that they would have turned to, as I don’t think she would have known much about data protection legislation back in 1969, when most of the album from which the song which features her name so prominently was recorded. It was a time when The Beatles were asking themselves hard questions - the band broke up less than a year later.

Perhaps if Lennon and McCartney were to write a song about the pressures faced by data protection managers when being asked hard questions, they might have written lyrics like these:

When I find myself in times of trouble
Commissioner Graham comes to me
Speaking words of wisdom, from some conference in Dundee.
And in my hour of darkness
He is standing right in front of me
Speaking words of wisdom, from a conference in Dundee.
Let it be, let it be.
Whispering words of wisdom, from that conference in Dundee.

And when the broken hearted people
Confide that they’re stuck up a gum tree,
There will be an answer, but not just yet from me.
From their data they’ve been parted but there is
Still a chance that they will see
There will be an answer, but not just yet from me
Let it be, let it be. Yeah
There will be an answer, but not just yet from me

And when my customers get rowdy,
There is still a light that shines on me,
Shine on until tomorrow, let it be.
I wake up to the sound of music
Common sense comes through to me
Speaking words of wisdom, to those who pay my fee
Let it be, let it be.
I’ll speak those words of wisdom - Hey, it’s time to hear from me.

Image source:
From the album cover of Let it Be, produced by Phil Spector and released in May 1970.


Saturday 18 June 2011

Waiting for “the man” to sort it out

We’re all waiting for the European Commission’s proposals to amend the Data Protection Directive.

I was waiting for something else earlier today – I was waiting for one of my heroes - Bob Dylan - to step onto the stage at Finsbury Park, to remind the audience that, just for 90 precious minutes, we were in the presence of a legend. He’s been singing some of his songs for so long that the tunes have been totally reinterpreted. Same lyrics, but these days they come with a completely different musical arrangement.

And, as I was waiting for the minutes to tick away before his set began, I wrote a sort of a “data protection” protest song that Bob might perform today. I guess he would want us to think, in an ironic way, that it really would not be sensible just to wait for the man to wave his magic wand, and all would be ok. After all, what if the man actually had feet of clay, rather than wings of greatness?

Perhaps Bob might rework the lyrics of one of his most famous protest songs, and give us something like this:

How many miles must those Streetview cars drive
Before they call in the man
How many packs must those antennas crack
Before they know it’s not gone to plan
How many times must these Google guys goof
Before they are forever banned
The answer, my friend, is blowing in the wind
The answer is blowing in the wind

How many years can some people resist
Before they learn how to disagree
How many years must a cookie exist
Before we know how to set them free
How many times can the man turn his head
And pretend that he just doesn't see
The answer, my friend, is blowing in the wind
The answer is blowing in the wind

How many times must the man look up
Before he can see the frost
How many apps must a person have
Before they realise the cost
How many breaches will it take till they know
That too much data has been lost
The answer, my friend, is blowing in the wind
The answer is blowing in the wind


If you want to sing along to the correct tune, point your browser to


Friday 17 June 2011

Wilmslow Bound

After posting yesterday’s compulsory breach notification ode, I wanted to draft some doggerel which celebrated the work of the Information Commissioner's Office, rather than gently criticised it.

My mind slipped back to what I know – or at least a team at Wilmslow I’ve got to know pretty well over the past few years.

Step forward the ICO’s enforcement team.

And, having spent many a happy hour in their company recently, I thought I would post a few lines which commemorate the work that Sally-anne Poole and her team do, as they rush all over the country, trying to do good before anyone else suggests otherwise.

I must thank Mr Paul Simon and Mr Art Garfunkel for giving me the basic idea, which I have lovingly ripped off, and am honoured to dedicate this ditty to Karl, Steve, Janice, Aminah - and the truly amazing Sophie.

According to Wikipedia, the original lyrics were written by Paul Simon late in 1965 as he was stranded overnight either at Farnworth railway station (in Widnes) or at Warrington Railway Station. Paul can’t remember which station it was, although for sentimental reasons I would like to think he was stranded overnight on the platform at Warrington Railway Station. Don’t ask why – it’s too personal! The song debuted on the Billboard Hot 100 Chart on February 12, 1966, peaking at #5. It remained on the charts for 12 weeks.

My version won’t be anything like as successful.

Anyway, Mr Commissioner – these guys really do deserve a bonus.

Wilmslow Bound

I'm sittin' in a railway station, got a ticket for my destination
Visiting some awful towns, just case notes and my phone at hand
And every stop is neatly planned for an investigator and a one-man band

Wilmslow bound, I wish I was Wilmslow bound
The ICO, where my thoughts escape, the ICO, getting others into shape
The ICO, where a friendly face waits silently for me

Every day's an endless dream of cigarettes and magazines
Each incident feels the same to me, the mistakes and apologies
And every press release I see reminds me that I long to be


Tonight I'll write a breach report, I'll play the game and pretend
But all my words come back to me, in shades of mediocrity
Like emptiness and harmony, I need someone to comfort me

[Chorus repeats 2x]

Silently for me

Image credit:

Homeward Bound was originally featured on Simon & Garfunkel’s 3rd album Parsley, Sage, Rosemary and Thyme, released in October 1966.


Thursday 16 June 2011

Comprehensive compulsory data breach notification? That’s not the way to do it.

I nearly choked while sipping the celebratory drinks at the end of an excellent Security Forum meeting at the offices of Field Fisher Waterhouse, sponsored by Sophos, this evening, on being told that some of the more controversial remarks I had made during my presentation had already been widely reported on the internet. Dan Worth from V3 was present, as was Warwick Ashford (Computer Weekly) and Dan Raywood (SC Magazine). They were explaining what the press write about following a data security breach or data loss. I hadn't expected Dan Worth to be so kind as to write about me. Let alone, to publish it so quickly!

I had a real problem with my presentation, as I knew that I was following James Lyne, the Director of Technology at Sophos. He’s a fantastic and motivational speaker, and had the audience in the palms of his hands as he brilliantly explained how data can go walkies.

My slot, just before lunch, was billed to be all about how the company I work for is handling the first Pan-European breach disclosure regime, and I needed my presentation to land just as well as James's. But how?

Well, I went for broke. I threw caution to the winds, and first explained how passionate my company was about reducing the incidence of data breaches, and how much I cared about our customers. I also explained that I was far more interested in making sure that our customers were aware of serious data breaches that affected them, rather than focussing on creating a process which diverted scarce resources to ensuring that even the smallest data breach, even one affecting just a single customer, was routinely reported to the Information Commissioner's Office. I don't want to get bogged down in trivia. My preferred approach, of reporting only serious breaches to the ICO, is also one that the ICO has been advocating ever since August 2007. And, from what I can tell, that’s also been the Government’s position too.

At least it was the Government's position until a few weeks ago, when it had to implement an EU directive that requires communication service providers to report all breaches to the regulator, not just the serious ones.

The ICO’s current guidance on implementing these regulations is hard to follow. While it is determined to consider imposing fixed monetary penalties on providers if they don’t meet their obligation to notify the ICO of breaches without undue delay from 26 June (just ten days to go), it’s really hard to work out whether a notification threshold still exists, or not. The ICO’s guidance on Enforcing the revised Privacy and Electronic Communications Regulations (PECR), published on 25 May, sets out the Commissioner's position: Following consultation with service providers, he will be issuing guidance on their detailed application, but the basic requirements are clear from the 2011 Regulations. They are also in line with the voluntary breach notification system currently operated by the Commissioner.

So I take it from this that the Commissioner expects service providers to adhere to the new PECR requirements, which are to notify all data breaches, while at the same time respecting the current voluntary breach notification requirements, which are basically to notify him only of data breaches involving at least 1,000 victims (or fewer than 1,000 if any sensitive information is included in the breach).

So, is there a threshold or not?

The guidance also carefully explains that: The Commissioner will ... continue to ... adopt a targeted, risk-driven and proportionate approach to the use of his powers. It also means being selective with the key driver for action being concerns about significant actual or potential detriment caused to individuals by a failure to comply with the requirements of PECR. Perhaps this means that the Commissioner will expect notification of the non-serious breaches, but will turn a blind eye to failures to notify them.

I also explained to the extremely attentive audience that I was most concerned that some people may make Freedom of Information requests of the ICO to ask about the volumes of data breaches reported by service providers – and they could use this data to write wholly misleading stories if the information from the ICO failed to break down the notifications into “trivial” and “serious” breaches. Service providers have many millions of customers, so of course there are occasions when minor mistakes are made, say when an automatic envelope stuffing machine mistakenly pops two marketing letters, addressed to different people, in the same envelope. But is that really a reportable breach? And might it not paint a wholly incorrect picture if FOI statistics revealed the numbers of breach reports made, rather than the potential harm that could have been caused to people as a result of these breaches?

Dan Worth quite brilliantly drew attention to this lunacy in one of his recent articles, reporting that Barnet NHS Trust was responsible for 187 data breaches in the past three years. And, apparently, the best performing Hospital Trusts in London were the Royal National Orthopaedic Hospital Trust, NHS Croydon and NHS Havering, all of which suffered no data breaches in the past three years. Is this really the case – or could it be more accurate to suppose that Barnet NHS Trust really has got a grip on things, and it has a proper breach notification system in force, while NHS Havering has just swept all its breaches under the carpet?

I concluded my presentation today by suggesting a pithy way that Stewart Room and his colleagues at Field Fisher Waterhouse could highlight the problems that are posed by the mandatory notification of all breaches to the ICO’s enforcement team. Many responsible data controllers have internal reporting systems in place, proper breach notification registers and policies, as well as excellent training and awareness programmes for all their staff. If the ICO wants to visit them to audit their standards, they may be very pleasantly surprised about the levels of awareness and maturity that exist in these organisations.

So, I suggested that Stewart might like to invite the ICO’s enforcement team to London in December to attend the FFW’s Data Protection Pantomime. Here, they would witness a scene - in Act 1 - where the eponymous hero (played by Stewart), delivers an Ode to the Pantomime Dame, which lays out the issue in a way that even the enforcement team can understand.

The Pantomime Dame can be played by Mick Gorrill, formerly Head of the ICO’s enforcement team, who is now an FFW Consultant.

This piece of data protection doggerel is entitled:

Roll up, Roll up
Take a butchers at my breaches, and all will be revealed

We’ve been working on our systems
Now we think we’ve got a grip
On meeting the requirements
And still running a tight ship.

It’s all legal and transparent -
You can see just what’s gone on.
It’s in this register before you
Have a look – it’s not a con.

It’s all in hand, dear enforcement team:
I would really be so bold
As to say that most of our mishaps
Fall below your reporting threshold.

Now, don’t memorise our records
Or take pictures from your phone,
Because if we catch you doing this
We’ll be sending you straight home.

Do we trust you? ... Well, of course we do ...
Not much has gone awry.
But these breach reports are serious -
And what we fear is the FOI.



Tuesday 14 June 2011

Was it easier when DPA miscreants faced the Chester Hangman?

I was spending a couple of days around the old Roman city of Chester towards the end of last week (don’t ask why) when I overheard a group of what I took to be journalists talking about fines and confiscation orders for Data Protection Act offences. Ah, I thought to myself, here’s some useful research material for my blog. But they seemed a bit confused as to what the process and the rules were, so I thought that I should do a little digging myself so that I can advise a potential DPA criminal about the downside of getting caught.

I hope the following points make sense to any would-be miscreant:

1) Don’t even think of stealing personal information and selling it to someone else.

2) If you are that stupid, keep a record of what you stole, who you sold it to, when you sold it to them, and for how much.

3) Keep all your receipts – as it saves so much time in the end. It also helps you work out how much, in financial terms, you have benefited from the criminal activity.

4) Find a way of declaring this income to the tax authorities – as it’s also going to save so much hassle in the end.

5) When you are caught, which you will be, make a full confession at the earliest opportunity. This gets you the greatest discount on your sentence. Express remorse and act ever so humble.

6) Try to get yourself legally aided, as these solicitors can eat up lots of court time – and if you change your legal representatives during the case, you can drag out the proceedings even longer.

7) Expect your case to start at a magistrate’s court, but then to be transferred to the Crown Court – as Section 55 DPA offences really are quite serious offences, these days. The prosecutor will probably be the Information Commissioner, rather than the Crown Prosecution Service. But unlike some CPS lawyers, the ICO retains a team of brilliant barristers. So, be warned. You're in for a rigorous ride.

8) See what your legal representatives can do by negotiating away at the offences you could be charged with. But steer clear of pleading “not guilty” – because then it’s going to mean a jury trial, and all hope of a reduced sentence flies out of the window. It’s a lot more time, effort and expense for everyone – and in the end we all know you’ve been a naughty boy.

9) Don’t expect to be working during the period between the commencement of court proceedings and the outcome of the case (and probably for a long time after that, too). You’ll spend the time being bored, depressed and increasingly worried about what's going to happen next. You might expect your marriage to fall apart, too.

10) Make sure your legal representatives spend as much of the legal aid budget as they can get away with, querying every last detail of the prosecution case. Remember, it’s a war of attrition and legal process, not a war of right and wrong. The longer it drags on, the more disinterested people may get. Conversely, the more they may dig their heels in.

11) Try getting the case moved around different courts at different stages of the legal process - it’s always nice to visit new towns, and most “Premier Inns” charge the same room rate, wherever you go.

12) Don’t appear too cocky, as this can really rile the prosecution team, and they might retaliate by working even harder to make sure they unearth all the available evidence. And if they’re really good, they may even unearth evidence about other misdeeds that you thought you had hidden away for good.

13) Don’t think that pleading guilty is the end of the process. It’s not. There could be another year to go before it’s all over.

14) Once you have pleaded guilty, expect a nasty surprise. You’re not going to face a custodial sentence for a Data Protection Act offence – yet – but your pockets could be about to be ripped open. The Assets Recovery Agency may come after you, to recover all the money you have benefited from (see point 3). The ICO likes this approach as they get to keep 18% of the money you hand over to the Agency. But beware, oh so very aware of the fact that if you're found guilty of a Computer Misuse Act offence, you had better take your toothbrush - you can get locked up for those.

15) Fill in lots of forms and explain, in considerable detail to the Assets Recovery Officer, just what funds you have at your disposal, and how much you are worth.

16) Don’t even think about lying to the Assets Recovery Officer. He’s got powerful friends (see point 26) and it can take a very long time to check that you’re not lying about your true wealth.

17) If you’ve actually got fewer assets than the amount you have benefited from crime, think very carefully about what to do next. Consider making an offer to the prosecution – hoping that they will accept a lower amount than the amount you have benefited from. But, remember, they’ll probably only accept an offer if they’re sure that you’ll have little more than your bus fare home once the Court has dealt with you.

18) It’s acceptable to look a bit poor and downtrodden come the final sentencing hearing, when you’re told what’s really going to happen to you. But keep plenty of eye contact with the judge and, again, act ever so humble and contrite. This is not the time for playing the big man.

19) Don’t worry about prosecution costs if you do have to make an offer to the Assets Recovery Agency which reduces you to penury. The Agency has first dibs on your money. But, if there’s no money left over, then you can’t be made to contribute towards the (probably quite considerable) costs which the ICO, as a prosecution agency, will have to meet. However, as the ICO will get 18% of the money you hand over to the Assets Recovery Agency, they probably won’t mind that much. Remember, you're not usually told to pay prosecution costs in the Crown Court, anyway. That’s more likely a matter that will only trip you up if your case remains confined to the magistrate’s court.

20) Don’t worry about any fines if you do have to make an offer which reduces you to penury. Again, once the Assets Recovery Agency has taken all your money, that’s your lot. So the court can't require you to pay any. (Especially if you have no prospect of work for the foreseeable future.)

21) Expect to go to prison if you can’t pay the money you’ve previously offered or agreed to pay the Assets Recovery Agency. You’ll probably get 6 months to pay the Agency, and if you don’t pay within the agreed time, you could face an automatic prison sentence of up to 18 months.

22) Expect to get a conditional discharge at the end of the proceedings. This means that, if you misbehave in the next few years, the court will take into account the gravity of the offence for which you are currently being sentenced – and life will get much, much tougher. But, if the papers have recently covered security breach-type stories, your Computer Misuse Act offences might well get you locked up, so that the bench can set an example to the rest of us.

23) Expect to get a reasonable amount of press coverage. The Information Commissioner’s Office likes to make examples of criminals – even if it’s just to throw some fresh meat to the “custodial sentence” brigade. The less people are fined, the greater is the clamour for custodial penalties. Or perhaps community sentences. You could end up clearing litter from the ICO’s car park for 250 hours, something like that.

24) Remember to smile each time you enter a court building – the press photographers love to get decent snaps of the criminal fraternity – and you just never know which court you’re going to be photographed in. But you are going to get photographed.

25) Try to change your name after the case has closed – as the internet has a long memory, and full details of just what you’ve been up to are going to be plastered all over it. If you do change your name, make sure you don’t publish any more self pics on Facebook – as your old and new pictures will be tagged and everyone will know what an oik you’ve really been.

26) Don’t think it’s all over yet. Remember, that man you upset at the Assets Recovery Agency? Well, he’s got some friends who work for the Inland Revenue, so you might encounter an early wake-up call from the tax inspectors some time soon. And their powers of civil recovery are far more draconian than those of the Assets Recovery Agency. They won’t just be looking for any DPA-type misdemeanours. Oh no, they’re going to go through your previous life with a very fine-tooth comb.

27) Remember point 1 - don’t even think of stealing personal information and selling it to someone else.

At least, when the Chester Hangman did his stuff, it was all over in a few minutes. These days, the authorities could have you dangling about for years.

These conjectures are entirely imaginary and bear no direct resemblance to any recent incidents which I may have encountered in my professional work. Any would-be miscreant would be well advised to seek their own advice about the consequences of their actions, and they should not rely on anything that has been posted in this article. It could be all lies and totally incorrect.


Monday 13 June 2011

MEPs and the cloud

I spent a very interesting evening at the offices of Covington & Burling last Wednesday. Dan Cooper, a data protection blogger who must be even more prolific than me, had organised a session with the European Privacy Association. Who are they? They’re the first European independent organisation dealing with personal information. They see themselves as a gateway to European privacy experts, policy-makers, and a primary place for discussion, debate and education/information. EPA is structured to facilitate effective decision making, working up positions and developing new solutions and strategies.

A couple of the key EPA players, who attended and spoke at the event, were Paulo Balboni and Pietro Paganini. Also present was EPA Chairwoman, Karin Riis Jorgensen, a former Danish MEP. With an executive Board comprised of Christopher Kuner (from Hunton & Williams), Jules Polonetsky (Co-chair and Director of the Future of Privacy Forum) and Richard Purcell (President & Executive Director of the Privacy Projects and the CEO of Corporate Privacy Group, and Microsoft’s original privacy officer), they are a force to be reasoned with. They occupy a slightly different space to that of the International Association of Privacy Professionals, and it will be interesting to see how both groups fare as they seek to extend their reach throughout Europe.

But back to the plot. The focus of the evening (before wine and cheese broke our concentration) was on cloud computing. In particular what it was, and what it was likely to become, given favourable investment conditions and a fair regulatory wind.

This is where the fun really began. We can all see the economic advantages in cloud computing, so long as the regulatory climate is proportionate and can straddle the conflicting demands of local cultures and global infrastructures.

One of the former MEPs at the session made an extremely significant intervention in a debate among some of the legal wonks about whose responsibility it was to ensure that an appropriate legal environment could exist to legitimise all this cloud computing. His message was direct and simple. It was that we should not assume that MEPs either knew about or necessarily cared about these matters. Cloud computing wasn't on the European Commission’s packed agenda for 2011, and even if it could be squeezed in, he feared being swamped in a tsunami of briefing documents that would both overwhelm his electronic in-box and totally confuse him as these abstract legal concepts were so hard to get your head around.

So, in short, if we are to expect help from the European Commission, we are likely to be towards the end of a very long queue.

Instead, what was needed, was for industry to develop its own solutions. We should not expect public servants to be capable of always serving our needs. They can be just as bewildered as the rest of us. And as for getting a workable solution from a team of people, each representing special interests that need to be bartered away in a corner of a Committee room in the Berlaymont building in Brussels, well think on. We’ve seen what’s happened to legislation on “cookies”. And we really think that we can rely on the EU to offer us a stable legal structure when their heads are thinking of clouds?

Perhaps the EPA is one of the organisations to lead on such complicated issues – and let’s hope they find simple solutions before we all wake up and smell the reality. Which will be that the technologists have beaten the lawyers to it. And so we’ll work with the technical reality well before we can be told that, actually, it’s legally legitimate.

No change from what we've all been doing for years, really.



Sunday 12 June 2011

Join the Data Protection Forum!

In an election that FIFA would have been proud to have organised, I was duly elected Chair of the Data Protection Forum last Tuesday. I was the only candidate. And there were as many retiring members from the Management Committee as there were individuals who had previously indicated a desire to be elected onto it. So I ran a very fast ballot. I shall try not to let this rush of popularity, privilege, or power, go to my head. Nor shall I wilt in my campaign to encourage other institutions to become ever more democratic, accountable and transparent.

Election pledge over.

You really ought to consider joining the Forum, if you have not already done so. And if you need bullet points to put on a PowerPoint presentation to justify the annual £150 fee to your finance team, here they are:

• Cost effective
• Good quality speakers at the quarterly events
• Brilliant networking opportunities
• Passive membership – with exception of committee members
• Wide range of interests across membership (public and private sector)
• Professional secretariat/administration

Did I make a typo when I referred to the fact that it only costs £150 a year to attend the 4 sessions that are held at an extremely comfortable conference venue in Central London (plus a free 3 course Christmas lunch with a considerable amount of wine to celebrate yet another year of data protecting)? Actually not. The membership fees just about cover the catering costs of each event, plus our small administrative overheads. So, if you want to take a look at the roster of previous speakers – point your browser in the direction of the Forum’s website, maintained by our gloriously efficient administrator, Tina. If you’re one of those who need to maintain a log of your continuing education, your £150 subscription could also earn you 18 CPD points.

I do urge you to consider membership. Even people who organise other data protection conferences attend – so the Forum must be doing something worthwhile!

The next meeting – to be held on Tuesday 6 September, should include a presentation by Christopher Graham, the Information Commissioner himself. He tries to attend – or to send a Deputy Information Commissioner, at least once a year.

And the following event – to be held on Tuesday 6 December, should include a presentation by another UK Commissioner – whose data protection-type work is constantly referred to in the media, but whom many in the data protection field have not had the pleasure of meeting. I won’t say any more about this person for the time being. But, you will be glad to say that you have actually been able to see, hear and question that person! And I know that they have not spoken at any public data protection-type conference before...



Friday 10 June 2011

Spam update (the 4th message)

A fourth text arrived today from this Spam outfit last Monday. They’ve ditched the old numbers (07591233106 & 07522075587) and are now using 07591221820. The other numbers must have been disconnected by the service provider, in an attempt to disrupt their dubious behaviour.

This one says, just like the previous one: you still have not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP.

I replied 3 minutes later by texting: STOP.

I’ve heard nothing more – yet – but I expect they’ll be back.

If it could be established that this outfit were making any money out of this scam, then wouldn’t it be nice if the Information Commissioner's enforcement team could arrange for a confiscation order to be made to strip away all their assets ...

The ICO is entitled to keep 18% of all funds obtained through confiscation orders, unlike the 0% it can keep when fines or other monetary penalties are awarded (which goes straight back to the Treasury), so watch out for more action on this front!


Saturday 4 June 2011

Communications data retention – yes but no but yes but no but ....

A couple of developments recently on the Communications data retention front – one EU institution is unhappy that the case has not yet been comprehensively made for an EU-wide retention standard, while another EU institution is planning to take legal measures against the Member States that have not yet implemented it. The 2006 Data Retention Directive requires telecoms operators to store traffic and location data of the communications of all EU citizens for possible law enforcement purposes.

It’s a familiar argument – one where individual EU Member States question the wisdom of a measure that has been passed by the mighty EU itself. Interestingly, in this case, Sweden is on the naughty step for not having implemented it, which is ironic as it was one of the four Member States (along with the UK, Ireland and France) who actually proposed the initiative back in April 2004. And, the national constitutional courts of the Czech Republic, Germany and Romania have not yet ruled that the Directive is in accordance with their respective constitutions.

So, in the Not sure corner, step forward the European Data Protection Supervisor, Peter Hustinx, who has recently drawn attention to the Commission’s evaluation report, published on 18 April. As far as he is concerned, despite the obvious attractions of the measure, in that it is a useful instrument in the fight against terrorism and serious crime, some serious privacy and fundamental rights issues have yet to be addressed.

On various occasions, Peter Hustinx has said that the availability of traffic and location data can play an important role in criminal investigations. However, he has also repeatedly expressed serious doubts about the necessity for retaining data on such a large scale in light of the rights to privacy and data protection.

After careful analysis of the evaluation report, Peter takes the view that the directive does not meet the requirements imposed by the fundamental rights to privacy and data protection, mainly for the following reasons:

• the necessity for data retention as provided in the directive has not been sufficiently demonstrated;
• data retention could have been regulated in a less privacy-intrusive way;
• the Directive leaves too much scope for member states to decide on the purposes for which the data might be used, and also for establishing who can access the data and under which conditions.

Peter says: Although the Commission has clearly put much effort into collecting information from the Member States, the quantitative and qualitative information provided by the Member States is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the Directive. Further investigation of necessity and proportionality is therefore required, and in particular the examination of alternative, less privacy-intrusive means.

So, it is not clear whether this report will have much of an impact on those who are working on various options that will amend the Directive. Although Peter has called for the Commission to seriously consider all options, including the possibility of repealing it, whether or not combined with a proposal for an alternative, more targeted EU measure, I really wonder whether many will heed his views. He has exercised his right to speak. But, of course, the European Commission is not obliged to act in accordance with his views.

And, in the Get on and implement it corner is Cecilia Malmström, European Commissioner for Home Affairs. Several weeks ago she announced that Austria, Sweden, the Czech Republic, Romania and Germany would face legal action if they did not implement the law.

Our evaluation shows the importance of stored telecommunications data for criminal justice systems and for law enforcement, she said in a statement in April. But the evaluation report also identifies serious shortcomings. We need a more proportionate, common approach across the E.U. to this issue.

So there you have it. The Directive is likely to be changed, but despite that, some Member States may well face sanctions from the European Commission for not having already implemented a not-fit-for-purpose version of it.

It’s a topsy-turvy world.


Image credit:
Many thanks to Vicky Pollard, from the hit BBC television comedy show “Little Britain” whose catchphrase is “yes but no but yes but no but ...”

Let’s not expect too much from a revised data protection directive

I’ve recently been engaged in an on-line exchange of views which started with me commenting on whether Google and Facebook should be regulated to protect our privacy, but it quickly turned into a commentary on the futility of believing that a formal Directive was all that was required to achieve change.

I started my intervention by commenting that: If we are really worried about Google or Facebook then we should just stop using them. These companies should regulate themselves, and allow the market (ie us citizens, us individuals, us consumers) to decide if we want to use them. There is no law that compels me to use them - so I should be allowed to use them at my own risk. And if I feel they can't be trusted to protect my privacy then I will just stop using them. It’s as simple as that. Will regulation work? Ask King Canute - or King Lear.

A chum of mine then wrote back: From 30 years of working in data privacy, governance, information risk management and law — with many very well educated people in some amazing client companies — it continues to be evident that people from all generations, income levels, and educational levels and abilities are generally ignorant of data protection issues and risks, and of privacy laws and what to do about them. That includes people in government and private sector organizations large and small, many of whom are responsible for access and privacy for their organizations — and despite the fact that privacy legislation has been in force in Canada for many years now. A survey done for Canada’s federal Privacy Commissioner said the same thing: "almost 3 in 5 are not aware of their rights in relation to how governments and companies collect and disclose personal information" and "only 1 in 5 express an above average amount of knowledge" of privacy and access laws.

How many parents and teachers (and legislators and bureaucrats) are capable of advising children about the privacy risks? Do they understand the issues, the technology, or the laws well enough to teach children what to do (or not do) or how to protect the privacy of their own data?

So how likely is it that children will avoid using social media? The pervasive message is that ‘everyone’ has joined Facebook and other social networking sites; and the silent message is that having a Facebook account and many ‘friends’ is validation of one’s existence.

While adults and children have the same fundamental need for acceptance, few adults I've met are capable of teaching the facts, and fewer still are courageous enough to demand that these topics be included in their children's curriculum. Meantime, children are told to “stay safe online” while school districts are adding iPads to their lists of mandatory kindergarten classroom items.

From an economic perspective it’s easy to see the imbalance between the revenue to be earned from worthwhile education about the risks and consequences, and the billions of dollars being spent – and being earned – by encouraging children and adults to sign up, log on, and join in. So the situation is being perpetuated as the next generation is being groomed (through ignorance and/or omission) to be an entire target market to be fleeced and exploited.

Looking further into the future are the additional benefits to our national economy that come from the new industry of cybercops, reputation defenders, technology vendors, legislators, bureaucrats and lawyers – all of whom are assured job security while individuals see their identities stolen, their insurance voided, and their futures and careers put at very real risk of significant harm.

This very thoughtful reply caused me to stop and think for a bit, before posting the following: I must say that I agree with many of your sentiments, but I was making a more fundamental point. It comes from my school experience - I vividly remember going to boarding school during a period of industrial action known then as the three-day week, where striking workers caused widespread power cuts, post delays (horrific for a child waiting for his daily letter from his parents!), and disruption all around. Were we turning into an ungovernable society, commentators wondered. It was certainly clear that the Government was not able to govern effectively, and eventually that Government fell.

My professional background in self, mutual, co and formal regulation tells me that calls for more laws to regulate the behaviour of internet actors are unlikely to be very effective. What I think we really need to do is work from the other direction - ie changing the expectations of individual consumers (perhaps, unfortunately, by allowing a few of them to suffer some form of mild harm so that others realise the potentially horrific results of poor data protection standards). Then the consumers themselves ought to be able to group together to demand change.

As far as the private sector is concerned, I believe that it is only really going to be customer behaviour that will influence the minds of the Board Members of the major data controllers. I don't think regulatory action is necessarily going to do the trick. The fear has to be the fear of the market - that customers are so unhappy that they move with their feet (or cursors) to other competitors.

Regulators have done little to address the war on drugs. Or the war on anti-social behaviour. Many young people find it hard to keep their jeans around their waists without exposing their underwear. Why - because they wish to behave that way.

So let’s not expect regulators to have powers that, in these financially straitened times, they will never get. Or that data controllers will naturally respect the views of regulators. Not all of them are independent from the governments of all EU Member States. And, given the global reach of the internet (evidenced only recently in the UK by the failure of English courts to prevent news about celebrities from leaking - despite injunctions in England), we should not expect that their wishes/opinions will automatically be respected by many people.

Of course regulators have a role to play, in championing the rights of the individual - but for them to be really effective there has to be a robust tide of public opinion behind them. If they are not careful, regulators will spend increasing amounts of time considering technical issues in an introverted manner that does not reach out to the individual. So they will be ignored by the data controllers of social networks and the internet search engines who are more concerned about the aspirations of their customers than they are of the regulators.

We are on the same side - honest!

And peace broke out as my chum graciously replied: I agree that we are on the same side. I do not think that regulation is the answer. How can it be when the regulators, bureaucrats, legislators and their minions are among those I've dealt with who are ignorant of data protection and privacy. Too often they make, debate, and create laws without understanding the real need (if any), the impact, and the unintended consequences. I've seen it first-hand with laws created by the Government of Canada and provincial governments. And it was spectacular to see how "consultation" is apparently disregarded, short-sighted legislation is passed, and the creator(s) are hailed and promoted as the victims (citizens) are left to keep their nose above the muddle munificently created on their behalf. Then there's the whole regulatory nightmare and unintended consequences of the negotiated-in-secret Anti Counterfeiting Trade Agreement, but that's another discussion entirely.

So, the moral of this blog posting is that we should not expect too much from formal regulation. Let’s adopt a common sense approach first of all, embracing the principles of transparency and choice – and help the individual appreciate the benefit of trading some of their privacy for a tangible reward.

Image credit:
The first English Edition (1954) of the play “Waiting for Godot”.

Friday 3 June 2011

Spam update (their 3rd message)

A third text arrived today from this Spam outfit. It must be them, but they’ve ditched the old number (07591233106) and are now using 07522075587. Presumably the earlier number had been disconnected by the service provider, in an attempt to disrupt their dubious behaviour.

This one says, just like the previous one: “our records indicate you still have not claimed compensation for your accident. You may be entitled to claim up to £3650. To find out more reply “CLAIM” Thanks.”

I’ve replied by texting “stop” and will let you know whether they send me any more communications.


Wednesday 1 June 2011

Is Ken Clarke talking sense - or a load of cobblers?

Justice Secretary Ken Clarke delivered a carefully crafted speech on the danger of making the wrong data protection rules to the British Chamber of Commerce, in Brussels, last week. Let’s hope that enough decision makers understood the points he was trying to make. British pragmatism tends not to go down awfully well in the more extreme rule-based societies. Was he talking sense? Or a load of cobblers?

As Ken tactfully remarked at the beginning of his speech: “We have had first-hand experience in the United Kingdom of how all too easy it is for a democratic Government to move into a kind of authoritarianism which stifles democracy and of course, if taken too far, provides succour to our enemies. And the new Government is certainly going to guard against this risk. But we must also guard against regulations or reactions which just invert this old order, that become obsessed with privacy or data protection without recognising the harm that also results to citizens from failure to share information, as well as careless stewardship of data. Detailed prescription will not in itself make our citizens safer, or more free, in this complex, modern world.”

He also said: “Imposing an inflexible, detailed data protection regime on the whole of the EU, regardless of the peculiarities of different cultures and legal systems, carries with it serious risks. I am optimistic that there’s a common sense solution on this. Our experience in the UK is that security, freedom and privacy are possible. We do not agree with those who say that we have to choose between being safe, being free and being private. We must protect all these basic rights.”

Strong stuff.

But I have heard this sort of stuff before, coming from the most unlikely of sources.

This weekend, for example, I sat through a performance of Die Meistersinger von Nürnberg at Glyndebourne, and as the opera unfolded over 6 ½ hours, it became very clear that this was the very same theme that the composer Richard Wagner had been developing some 143 years ago.

For those who can wait to see the show, let me explain that one of the key plot lines involves Hans Sachs, the cobbler, explaining the horribly complicated rules of a singing contest to Walther, a young knight and the love interest of Eva, the heroine. Walther needs to win one of the contests if he is to be allowed to marry Eva. Hans Sachs is also in love with Eva, but eventually explains to her that he knows she is really in love with Walther, and so does what he can to ensure that Walther will win the contest. A few sub-plots later, Walther eventually wins the singing contest, but with a song that breaks most of the traditional rules of the competition, and then refuses to join the guild of mastersingers. However, Sachs intervenes again, and explains that art, even ground-breaking, contrary art like Walther's, can only exist within a cultural tradition, which tradition the art sustains and improves. Walther is convinced, he agrees to join, and the opera ends with Eva (and everyone else on stage) showing their deep gratitude to Sachs.

As far as Richard Wagner was concerned, it’s OK to break the rules so long as your heart is in the right place and you respect the cultural traditions of the institution that created the rules in the first place.

It’s a very nationalistic opera (although you can read a lot more into it if you really want).

So, why does this remind me of Ken Clarke?

Because Ken, too, was warning against too heavy a reliance on a rule-based regime. What’s important is for your heart to be in the right place, and for you to be able to respect the different cultural (and legal) traditions of each of the peoples who comprise the Member States of the EU. Not to follow rigid rules that are soul destroying and suck the very lifeblood out of what ought to be a very pleasant experience.

He was speaking just like Hans Sachs, the cobbler.

For all of those who feel that I’m talking a load of cobblers, we’ll chat – but only after you’ve sat through this stunning 6 ½ hour production, too.


Image credit:
From this year’s production of Die Meistersinger, starring Gerald Finley as Hans Sachs and Johannes Martin Kränzle as Beckmesser.