Sunday 27 November 2011

Off for a clear(er) view in Paris

Today I will be packing my bags – tomorrow I leave for Paris. Not for good, just for the International Association of Privacy Professionals’ congress at the “Salons de la Maison des Arts et Metiers”, during which some 300 of the usual suspects will discuss the latest data protection developments. The strapline for this eagerly awaited event is “A Clear View” - and I expect that when the event was originally planned, it was hoped that Viviane Reding, one of the keynote speakers, might be unveiling all of the Commission’s proposals for a new regulatory framework.

Well, as we all know, that’s unlikely. What will be interesting to note is what new thinking emerges. Recent media reports have hinted at some of the proposed changes, but let’s see if any other ideas are floated. I suspect that much of the debating time will actually be spent commenting on the changes that have already been suggested.

Hey ho – you never know, though.

I’ll be keeping my ears to the ground to pick up the best bits of gossip as I network furiously between Monday evening and Thursday morning. Yes, I know that the “congress” part of the event will only take up Tuesday and Wednesday, but I plan to be one of the first to arrive and one of the last to leave. This means that not only should I avoid most of the chaos that will be associated with the strike by British border control officials (and a very large proportion of other British public sector workers) on Wednesday, but I ought to have more time to root out some of the real data protection issues that are or ought to be of concern to us.

If you know where to go, you may find a group of us in a corner of a Parisian cafe on the Rue Vernet, late on Wednesday evening, singing a quiet refrain to mark the passing of the current data protection directive. And if Bob Dylan were to have had a hand in writing the lyrics, they might sound something like this:

If You See Me, Say Hello

If you see me, say hello, I’ll buy you a cold beer
I checked in Monday afternoon, and you’re OK, I hear
I should tell you that I’m all right, though feeling kind of strange
As the rules which are so familiar are just about to change

We haven’t had a falling-out, like best friends often will
And to think of how I heard that day, it still brings to me a chill
As we discuss our separation, it’s piercing me through to my heart
Old ways still live deep inside of me, but from these we need to part

If you get time enough, we’ll have one last drink on me
I always have respected you, but I’m busting out and gettin' free
Oh, whatever makes you happy, I won't stand in your way
Though the bitter taste still lingers as I know you cannot stay

I see a lot of people as I make the rounds
And I say your name here and there as I go from town to town
I’ve never undermined you, I’ve quoted from you oft
Either I'm too sensitive or else I'm gettin' soft

From morning to night time, I replay the past
I know every article by heart, they all went in so fast
If you’re passin’ back this way, I'm not that hard to find
You can always look me up - I really wouldn't mind

Many thanks to Bob Dylan, whose song “If you see her, say hello” can be found on his “Blood on the Tracks” album. The discussions at the forthcoming IAPP congress should not result in any blood being spilt on Parisian carpets – but, metaphorically, you just never know what might happen.


Friday 25 November 2011

The ICO joins the blogosphere

Welcome! A new blogger has emerged to offer thoughts and insights on data protection and freedom of information issues. This is great news – especially as the new entrant is the Information Commissioner’s Office itself. Yesterday marked their first posting – with Deputy Commissioner David Smith doing the honours, writing the historic first entry.

David focussed on an issue close to my heart, the future of data protection law in Europe. And what he had to say heartened me, as it was very much along the lines that I’ve been blogging about recently, too.

On the date of the release of the Commission’s proposals for a new legal framework, David explained why it was unlikely to be published before the end of January. I suggested on 26 September that it was more likely to be published after St Valentine’s Day (even though Data Protection Day, 28 January, would have been a good date to reveal all).

On whether the Commission’s proposals would be for another Directive or a Regulation, David explained that “two instruments would fit with the UK Government’s right to opt out of new EU measures covering the former third pillar [which is the area of crime and justice], but might make it harder to achieve our objective of a single, overarching framework applying to all the processing of personal data carried out in the EU.” He didn’t address the issue I raised on 9 October which suggested that Regulations could only be laid if it were demonstrably impractical for a Directive to be agreed. Remember, Regulations have direct effect in that they do not have to be transposed into member states’ laws.

On the content of the new framework, David was very firmly of the view that it must be “clear in what it does and does not cover and is easy for businesses to understand and apply. Regulation that is hard to understand and even harder to apply will not be followed in practice and does not serve the interests of those we are trying to protect.” Great stuff. Just what I said on 21 November.

David also emphasised that individuals need to have rights that are “clear, effective and simple to use.” On the “right to be forgotten” argument he suggested that: “the position of the individual could be strengthened simply by changing the existing right to object to processing from one where the individual has to provide compelling legitimate reasons for deletion to one where it is the data controller who has to provide the compelling legitimate reasons for retention.” This seems like a useful idea, and will encourage data controllers to be clearer about why data is retained (but doesn’t address the issue I raised on 13 September about the ease with which data controllers outside Europe can archive and retain data).

David was also a keen supporter of an “accountability” principle: “The law should be less prescriptive about means but business should be able to account for how they deliver data protection in practice. Concepts like privacy impact assessments and in house data protection officers are important, but should not be mandatory in all cases. This approach should extend to international transfers of personal data so that businesses take their own decisions on “adequacy” but can be challenged if they get this wrong.” I like this principle too, and am sure I have mentioned it once or twice in the 257 posts I have published since January 2010.

On the role of Data Protection Authorities, David was keen to preserve the British model: “We need to be independent, have a clear role and be armed with effective powers but we should supervise, enforce and advise rather than give prior approval or authorisation to a data controller’s activities.”

Interestingly, David also commented that much of the Commission’s current thinking is influenced by “large multi-national, mainly US based, businesses”. There was a relatively low level of engagement from those representing European business and citizens’ interests. Perhaps this is because, given these harsh economic times, European businesses and consumer groups simply have not been able to allocate sufficient resources to enable those who would have liked to have had their say to actually engage more fully in the lobbying process. I expect this may change slightly when the first draft of the Commission’s proposals has been published. I blogged on 8 October about the likely political impact of these proposals, and am amazed that no-one has yet posted that impact assessment on the web. We data protectors are obviously better at respecting confidences than English rugby players (or English rugby administrators, or whoever else it was)!

One thought has just occurred to me – given the similarity of views between yours truly and the Commissioner’s Office, perhaps I ought to apply for the post of Information Commissioner when the present incumbent’s term expires ...

I’ll certainly watch out for future ICO blog postings. But remember folks – don’t stray too far away from my blog. You might read about most of it here, first!



The BBW data breach report – a tsunami of trivia

There’s an interesting report out from the folk at Big Brother Watch. It highlights research revealing more than 1035 data breaches across 132 local authorities, including at least 35 councils who have lost information about children and those in care. At least 244 laptops and portable computers were lost, while 98 memory sticks and more than 93 mobile devices went missing.

Only 55 breaches were reported to the Information Commissioner’s Office. And, only 9 incidents resulted in termination of employment. BBW were very concerned that “highly confidential information has been treated without the proper care and respect it deserves”.

Is this report really as shocking as it appears? Let’s unpack it a little.

First, the time frame over which the breaches occurred – the report covers breaches over a 3 year period, from July 2008 to July 2011.

Second, the breach reports include losses of encrypted as well as unencrypted information. So it’s really hard to unpack the reports to work out how many breaches related to unencrypted sensitive information – of the sort that really could cause harm or embarrassment to those whose information was compromised.

Third, and as we can expect from a report of local authority data breaches, a small proportion (less than 10%) of breaches related to information about some 3100 children, young people or students.

Fourth, the incidents included cases where council staff had lost information which had been downloaded onto personal laptops and computers. It highlights the risks involved when data is moved around by staff to enable them to work on a different machine: “Where council information has been transferred to a personal machine, there is no guarantee that personal devices contain the same security and encryption protection. Indeed, several incidents have been highlighted where malware has been discovered on machines, a risk of using personal machines where virus and anti-malware is often not at the same level as a corporate machine.”

And, of course, the report repeats the advice on the use of portable memory storage and mobile devices that all security professionals know off by heart, yet can’t quite get their businesses to fully implement: “Policies and procedures should reflect not only how information is stored, but the grounds for which it should be moved in the first place. As soon as information is held on a portable device, the risk for that information to be compromised significantly increases and so much more needs to be done to restrict the transfer of data occurring in the first place.”

So where does this leave us? Well, the report does offer some fine (or tongue in cheek) examples of the lengths to which a local authority will (apparently) go to contain a data breach. For example, in Bolton, a smartphone containing internal contact details of council employees slid off a car bonnet and fell into a shaft. The phone was assessed to be irretrievable without dismantling the car park. Instead, it was sent a remote wipe command within one hour and the owner of the car park subsequently sealed the cavity with concrete. My, they take the security of their staff seriously in Bolton!

Sometimes when paper documents were mislaid or wrongly addressed, the breach was reported to the ICO. Mostly, they were not.

And does it really matter that the ICO was not formally advised of all security breaches?

Frankly, I think it supports the case that reports of all data breaches would have served no useful purpose, as so many of them were trivial in nature or they occurred despite the usual steps being taken to safeguard against loss. For example, Bromley council reported that 2 USB sticks were stolen from a Council-run youth centre. The USB sticks were inside a security safe which was itself stolen.

Buckinghamshire council reported that a disk containing data on vulnerable children was left in the hard drive when a personal computer was taken away to be replaced – but the repairers were immediately contacted and the data was retrieved. In another breach, it reported that a social worker lost client notes in their office – but access to that site is controlled and no outsiders are permitted to visit that area.

In other cases, global emails were sent, without blind copying. Simple mistakes – we’ve all done that. Oh yes. Yes, even (unnamed) experienced and award winning data protection solicitors have done that.

Actually, what I would have loved to have read about was not the data breaches, but a frank assessment of whether anyone was actually harmed as a result of the breaches. The report’s authors did not address this point, and I think that’s a lost opportunity.

What we have is evidence of system failures, but not evidence of system failures that caused harm.

So we should be careful not to scare the readers of these reports by suggesting that, in light of these incidents, data handling standards are necessarily unacceptably low. Of course there’s always room for improvement, but until real harm can be seen to have been caused, I would expect many council officials to be wary of spending a greater proportion of their diminishing budgets on enhanced security measures.

Perhaps, of the 1035 incidents, there really were only 55 that merited the attention of the ICO. In that case, they have been saved reading through an awful lot of reports of trivial breaches.

Let’s hope that the new data protection directive also contains proposals that require data controllers to report the serious breaches to the regulator, rather than get them to wade through a tsunami of trivia.



Monday 21 November 2011

“Frictionless” – the new buzz word from Silicon Valley

At a meeting in Central London tonight, someone used a brilliant phrase she had picked up while out doing stuff in Silicon Valley, California. The conversation was about how customers viewed the products and services that were offered to them. And the key feature was, these days, the way the product or service answered the question “how frictionless was that?”

I think it’s a brilliant phrase – as the very best brands have products or services which, quite simply, just work. Think of anything we buy from Apple. Who ever pulled out the user manual before getting it to work for the first time? Their products are just so intuitive that you feel that you know how to use them as soon as you take them out of the box.

I can’t imagine me always saying the same thing about a piece of flat pack furniture from Ikea.

So, as it considers the changes it will propose, I’m determined to lobby the European Parliament to create a “frictionless” data protection directive. I mean, wouldn’t it be nice to have a piece of legislation that simply was intuitive and worked? One that met the needs of both individuals and bodies that used personal information. One that didn’t need an expensive “translation layer” in which our learned friends spent years disagreeing with each other about what the words actually meant, and therefore how they could be implemented without the European Commission feeling minded to take infraction proceedings against Member States on the grounds that they hadn’t got the domestic legislation quite right.

Perhaps we should lobby for a new, 9th Data Protection Principle – that personal data should be regulated by a set of frictionless rules, readily understood by all parties.


Sunday 20 November 2011

Whose personal data is it anyway?

The current “debate” over the “right” to be forgotten reminds me of the plot of Whose Life is it Anyway?, a television play first transmitted in 1972. The play brilliantly raised issues that were so profound that the television version was turned into an award winning stage play starring Tom Conti in the West End in 1978, transferring to Broadway the following year. The film version, starring Richard Dreyfuss, was released in 1981.

What’s it about? Basically, the central figure is a profoundly handicapped sculptor. Left a quadriplegic after a car accident, he feels utterly useless, as both an artist and a human being. He doesn't want his family's love, or his doctor's care, or his nurse's ministrations. He simply wants to die – but this is impossible, given the legal state of things in the 1970s. It’s one of the few plays/films in which a person's right to self-destruction is regarded as a happy ending. Actually, it’s not as depressing as it sounds, and contains some wonderfully funny lines.

It’s reminded me (as if I ever needed reminding) that Human Rights Act legislation ended up conferring rights on bodies that aren’t even human. In a data protection context, data controllers have rights, too, and these need to be balanced against the rights of individuals.

How can these individuals assert, say, their rights to have their data deleted, when it is held by data controllers over which they have no control? How long will the European Commission try to assert that individuals within the European Union should actually have the power, say to force the Internet Archive, which is not based in the European Union (nor does it have any equipment or offices within the European Union), to delete “their” personal data on demand?

I gather tempers got quite heated during a recent meeting of Data Protection Commissioners as they discussed such things. What may be nice to have in theory can be impossible in practice.

So my advice to those who wish to continue this argument is to agree that, rather than exchanging views in ever more strident tones, they order a copy of the Whose Life is it Anyway? DVD and appreciate that the problem wasn’t totally resolved when it was debated 40 years ago. The protagonists should not get too hot under the collar when it dawns on them that they can’t totally resolve it now – but they will have a really enjoyable 118 minutes.


Saturday 19 November 2011

What sort of Directive will emerge from this fundamental divergence of views?

The more I think about these things, the more I thank my lucky stars that I’m not going to be accountable for proposing a new Data Protection Directive. The closer we get to European Data Protection Day (28 January 2012) the happier I am that my DNA won’t be too closely associated with (perhaps) the first publicly available draft of the new proposals.

The battle lines have already been drawn up and if you know where to look, you can read about the tectonic policy plates grinding along the usual fault lines. The principal fault line seems to be the extent to which common rules will be imposed on data controllers and on citizens across the entire Community, and the extent to which Member States will be able to implement the main rules in ways that sympathetically address local cultural traditions.

I’ve recently been reading the comments made by prominent ladies on the different sides trotting out their positions – and I am really not sure which side will eventually win.

On the “One law to rule them all” side, we have people who share the views expressed by Commissioner Viviane Reding. She was recently interviewed by the Washington Post, and made it pretty clear that her preference is for a highly harmonised set of binding regulatory rules for all data controllers. In her words:

"Today in Europe, if you are an American company, you have to abide by 27 different interpretations of the EU law data protection. This makes no sense for a business and is absolutely cumbersome. Our reforms are aimed at getting rid of this fragmentation and providing consistency and coherence for the whole of the continent. That means providing services to 500 million people, which presents a fantastic business opportunity for companies.

Q: What do you think of self-regulation? Is it a good idea?

A: Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place. Otherwise self-regulation means that everyone does whatever he or she has in mind. Just look at the instability that self-regulation in the financial markets brought us. The financial markets, through personal greed and irresponsibility, failed to effectively regulate themselves. This is why I do encourage codes of conduct for businesses in Europe provided that they are fully in line with our European data protection law.

Q: Explain your philosophy behind individual privacy.

A: It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union.

We do have a set of rules today that is not always being applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules.

For example, with Google’s StreetView last year, seven countries took seven different decisions on how to deal with a case of e-mails being collected and stored without people knowing it. Divergent interpretations of the same rules in the same situation is not good -- neither for citizens nor for companies.

Q: Is there a divergence between the U.S. and Europe in terms of the approach to data privacy?

A: It is clear that we have different approaches between the two sides of the Atlantic. The American people and their representatives understand that the question of data protection is not a theoretical one. These are not questions by idealists but bipartisan issues that are directly linked to the way we see the individual, the citizen, in our society. But I also want to say that we are heartened to see proposals such as the one by Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) for new online privacy rules."

And, on the other side, we have people who share the views expressed by commentators such as Janet Daley. Writing in the Daily Telegraph recently she made her distaste of detailed centralist European regulation very clear. As far as she is concerned:

"What you hear in the grandiose speeches of European leaders and the bumptious pronouncements of EU officials is precisely this: we have an ideal system which can guarantee infinite security and wellbeing, provided that everyone behaves in ways that are consistent with the rules of life as we describe them.

The great irony of the [economic] mess we are now in is that this concept of a totally rational, perfect society which must be imposed on actual people, each with his own distinct experience and perception of life, was the same delusion that wreaked havoc in Europe for generations. From one Terror to another, Robespierre to Stalin, the enforced experiments ran their course. And virtually every one required the “temporary” expunging of democracy.

... However repugnant the present generation of capitalists may be, and however much personal disrepute they may incur, it is not capitalism that is about to destroy the prosperity of the populations of modern Europe. It is the folly of enforced uniformity – yet another dream of enlightened perfection – that will accomplish that."

It’s an argument that will run for a long time. And the deeper I think about these issues, the more sympathy I feel with the need to respect local cultural traditions, rather than have rules imposed that will generally be ignored locally precisely because they conflict with local cultural traditions. If I were ever to work for a multinational, or global, data controller, I might be more sympathetic to the practical problems they deal with as they offer services across continents. But, currently, I don’t, so I’ll focus on developing an approach that respects local, or national, needs, rather than a more centralist approach.

Should I change my employer in the New Year, I may revisit this view. But, right now, this is what I think.



Friday 18 November 2011

ICO to change its name

I am not making this up. The hunt is on to dream up a new name for the Information Commissioner’s Office in Wilmslow.

What? Does that mean we could see the Office of the Information Commissioner (aka “the OIC”), or perhaps the Information Rights Commissioner?

No way. Actually, what is on the cards is a new name for Wycliffe House, the office building that houses the Information Commissioner’s staff in Water Lane in Wilmslow.

The ICO’s staff have been invited to submit ideas for a new name for the building. I haven’t, but that won’t stop me thinking up something appropriate. And even if you haven’t been specifically asked, please consider this as an extended invitation to join in the fun.

Let’s set some ground rules here:

1) No profanities in any of the working languages of the European Community.
2) Try and get the name to reflect the work that goes on there.
3) Include an homage to previous leaders. A quick hint – the former leaders were Eric Howe, Elizabeth France, Richard Thomas, while the current incumbent is Christopher Graham.

Surely, there must be better ideas than these:

Using the first letter of the surnames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and adding I for Information and R for Rights you get Fright, so perhaps Fright House?

Or, using the first two letters of the forenames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and D for Data, P for Protection and A for Act you get Charred Pile, and Harped Relic. No, I don't like those very much.

Or, using the first two letters of the forenames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and I for Information C for Commissioner and O for Office you get Heroic Relic. No, that's not right, either.

Or, using the first two letters of the forenames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and U for Upholding, D for Data, and P for Protection you get Crier Upheld and Epic Hurdler. Still not very impressive.

And finally for today, using the first letter of the surnames of Eric Howe, Elizabeth France, Richard Thomas and Christopher Graham, and adding U for upholding, I for Information and R for Rights you get Frig Hut. Come on readers, you ought to be able to do better than this!

Fellow entrants are welcome to use a clever website to help them create their own anagrams once they’ve decided what letters to use – take a look and try out the wonderful I would get your entries over to your usual contact at the ICO sharpish, if I were you.

(See Item 7.1 of the minutes of the ICO’s Executive Team Meeting, held on 3 October 2011) (Frig is not a rude word, actually it’s of Germanic origin, meaning peaceful ruler or peacekeeper – which is what the ICO tries to do, an awful lot of the time).


Thursday 17 November 2011

Cloud Computing: reviewing the risks

I’ve just attended an excellent private discussion forum on cloud computing and consumerisation. Attendees considered the benefits, as well as the possible pitfalls, of this emerging technology, as it might be used by public authorities, private companies, and individual consumers. No, I won’t be reporting in detail on what was discussed under the Chatham House rules. All I’ll say is that the event was held by the Information Assurance Advisory Council and that it took place at the offices of the British Computer Society in Covent Garden. Now then, those who read this blog and who know about the IAAC will be able to appreciate who might have attended.

What I will say, however, is that some of the discussions might have been oddly familiar to those who can access the minutes of the meetings of the Royal Society in the Victorian era. During the early part of that era, Michael Faraday read before the Royal Society a series of 30 papers about his experimental researches in electricity. Gradually, private companies created their own Directors of Electricity, as each company generated its own power. It was only at the very end of the Victorian era that the concept of a high voltage integrated electrical power distribution system was created in the UK, and private companies made their Directors of Electricity redundant as they joined what was to become the National Grid.

It occurred to me on the tube home that many of the issues that needed to be considered as companies were faced with the choice of continuing with their own power generation capabilities, or moving towards a shared power service, are oddly familiar to those of us who are thinking deeply about the cloud computing conundrum. What is also oddly familiar is the venue for some of the dinners held by the IAAC – after all, Simpson’s in the Strand rose to prominence in the mid Victorian era, too, and would have been frequented by members of the great and the good and by those who were sufficiently interested in modern matters (such as members of the Royal Society).

One key message emerging from today’s meeting that I am free to share is the need for people to be aware of what the cloud computing risks and rewards actually are. Easy to say, actually very hard in practice to deliver. After all, we all think we know what we are talking about, but is our knowledge level really that deep?

To demonstrate (just to you) how flaky your own knowledge might be, I’ve come across this really handy on-line test which asks a series of questions about what is legal, and what is not legal, when you use Twitter, Facebook, upload material, blog, get involved in on-line discussions or sell anything on the internet. You may think you know the law – but is that really the case?

Feel free to take this on-line test, at hosted by Nominet (so it is a credible website), and marvel at your own results. It will only take a few minutes to complete, and no-one else ought to be able to know how knowledgeable you really are.

And it makes you wonder that if normal people are as ignorant about the basic elements of the current law as those of us who take this straightforward test, then what hope is there of getting them to appreciate the possible consequences of allowing their own material to be stored or processed in a cloud environment?


Tuesday 15 November 2011

So, even Cabinet Office Ministers have to comply with Cabinet Office rules, these days

Ouch. But we ought to commend Oliver Letwin, the Minister of State for Policy at the Cabinet Office, for agreeing so quickly to accept the regulatory action that the ICO has considered appropriate after the media reported on his somewhat strange data handling practices last month.

What did he do? Well, last month he was photographed by a newspaper tossing more than 100 documents into bins during morning walks around St James’ Park, close to Parliament. Letwin admitted throwing the papers away but denied that any were sensitive.

"None of them of course were classified and none of them were papers that originated from government," he told the BBC.

"I was walking around dictating responses and simply wanted to make sure the pieces of paper were not weighing me down."

The documents were dated between July 27, 2010 and September 30, 2011 and contained correspondence with parliament's Intelligence and Security Committee, the body which oversees Britain's spy agencies, the newspaper report said.

Others included references to the European Commission, Ministry of Defence, Home Office, Treasury and London's Metropolitan Police, it said.

Letwin had ripped some of the documents in half and handed others directly to a rubbish collector, the paper said. Some had details of people living in his parliamentary district of West Dorset. The material supplied to the ICO by a Daily Mirror journalist revealed that the letters and emails contained the names, addresses and contact details of approximately 20 individuals. One email also included a limited amount of information relating to an individual’s recent hospital treatment.

So, in disposing of his constituents’ correspondence in such a manner, he breached the Data Protection Act.

His penalty? To sign an undertaking that he shall:

(1) only dispose of documents containing personal data in a secure manner, such as shredding, pulping or incineration;

(2) take note of, and comply with, the latest standards of data handling issued by the Cabinet Office for use in central government departments; and

(3) implement such other security measures as he deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

I did chuckle when I read undertaking 2 – after all, as a Cabinet Office Minister, it is rubbing it in a bit to get him to undertake that he will comply with the standards that are issued by his own Office, and thus presumably under his own signature!

His penalty, obviously, is also to endure no end of public ridicule, while many of us think “there but for the grace of God, go I.”

But brilliant timing by the ICO – especially after my last blog post, which remarked on the length of time it took the folks in Wilmslow to publicise a series of recent breaches. This time, the ICO’s enforcement team worked at the speed of greased lightning to publicise the penalty within one month of the offence actually coming to light! Mightily impressive. Well done.

I wonder which politician will be next in the firing line. Despite the cuts to the ICO’s budget, it seems that the Commissioner will still find time to address the failings of public figures.



Sunday 13 November 2011

Breach notification: What have we done to deserve this?

Each time I open the data protection press I read about yet another data breach. In fact there seem to be so many right now that it’s hard to care too greatly about many of them. Should we worry about the sad incident involving Rochdale Metropolitan Borough Council, whose employee, last May, lost an unencrypted memory stick containing the details of over 18,000 residents? The data included, in some cases, residents’ names and addresses, along with details of payments to and by the council. But the device did not include any bank account details. Six months later, the ICO issued a press release about the affair.

Or should we worry about Newcastle Youth Offending Team, which managed to have an unencrypted laptop containing personal data relating to 100 young people stolen from a contractor’s home in the Northumbria area last January? Ten months later, the ICO issued a press release about the affair.

Or perhaps we should worry about University Hospitals Coventry & Warwickshire NHS Trust, which lost records relating to the treatment of 18 patients in February and then some more patients last May. And the ICO’s press release was issued at the end of October.

Should we worry about the breaches themselves or the time it has taken the Information Commissioner's Office to publicise the breaches? Or indeed should we worry that the vast majority of the stuff we read about relates to the public sector, rather than the private sector?

I have to say that there may be a bit of special pleading here, as of course Communication Service Providers have been required to report breaches to the ICO for several months now, so perhaps it won’t be too long before their transgressions are more generally known, too.

Should I worry myself? Well, given the fact that the breaches which the communication service providers have to report include those where no-one has been harmed, where the loss has related to encrypted information, where the breach of even a single record is sufficient to warrant a notification, and the breach can involve the accidental alteration of information, as well as the loss of information, I would expect the Commissioner’s staff to have a healthy stream of notifications through which to wade. And these notifications have to be made “without undue delay”. We are talking of weeks here, not months. So, on current form, the initial wave of ICO Press Releases could be getting drafted sometime soon. With luck, they might simply say that the Service Providers are meeting the obligations that have been imposed on them by SI 2011 No 1208. With more luck, they might say that a number of the incidents that have been notified to them were probably not intended to have been notified to them by those who drafted the initial legislation, so it hopes to hold a workshop in the new year to consider, in the light of the experience of actually operating the current mandatory personal data breach notification scheme, what it actually means and what purposes are being served.

After all, if there is confusion now about what is required and who is expected to do what and when, how will the ICO manage when the mandatory breach notification process is extended to cover, say, all 300,000 UK data controllers?

What has the delay, though, between the breach notification and the decision by the ICO to publicise the breach achieved? Presumably it’s given the offending party an opportunity to get its house in order, to understand the cause of the breach and an opportunity to raise a project to address the cause of the breach. So hopefully that type of breach won’t happen again. At least to that data controller, anyway.

But can this actually be the case? Many of the incidents I see arise not as a result of technical failures (although of course systems will always encounter the odd weakness every now and again) but because individuals have not exercised the personal behaviours that you might wish of them.

So the incident involving Rochdale Metropolitan Borough was obviously avoidable, as it involved the loss of an unencrypted memory stick. Likewise, the incident involving Newcastle Youth Offending Team, and the unencrypted laptop. But are we really going to be able to avoid incidents involving the inappropriate disposal of paper records (even if they relate to confidential medical information)? Such matters won’t be resolved by new IT security policies, or central controls. No, they relate to human behaviours – like which bin to dispose of confidential waste in - and we’re all human, after all.

And if the medical profession can’t quite master the disposal of paper copies of confidential personal files, then I dread to think what will happen when the rest of us are invited to realise just what employees of other data controllers have been up to!



Wednesday 2 November 2011

Cloud computing – do the data protection jurisdiction problems really matter?

Dr Julia Hornle and Kuan Hon are not very confident that all the legal problems surrounding cloud computing will be resolved in the foreseeable future. They were speaking last night at the Institute of Advanced Legal Studies at the University of London. They ought to know – as they are both academics at the Centre for Commercial Law Studies at Queen Mary, University of London, and have helped write a series of papers on the underlying issues. Whether enough people in the European Commission have the time and energy to adequately address the main legal issues is far from clear.

Their presentation was focused on the problems that are familiar to anyone who invents and tries to apply a new concept (in this case, cloud computing), to laws where those drafting the relevant laws had no idea that it would ever be expected to cover such matters. So what we are left with are teams of awfully clever lawyers explaining why, in certain circumstances, current laws don’t quite work (or don’t work at all). Does this really matter? Not if you’re an anarchist. But it would be helpful if decent folk might agree on a few basic ground rules, so that no-one gets hurt.

What are we talking about? In a nutshell, it’s mostly to do with what rules should apply when the different building blocks of scalable IT resources are provided from inside and outside the EEA to people inside and outside the EEA. I hope I’m not boring you yet.

If you really want to get bored, you can immerse yourself in the details of the issue, which means that you have to get familiar with the concepts of who holds the user’s data and where. To add to the complexity, you can throw in issues of multiple providers; data being replicated and deleted in different centres; data being sharded, chunked or fragmented; the multiple locations in which data is held constantly changing; and our old favourites, encryption issues and the use of, or dependence on, shared resources.

Still with it?

Julia and Kuan pointed to examples where EC data protection laws applied to different providers differently in different jurisdictions, as Member States occasionally interpreted the terms “establishment”, “context”, “use of equipment” and “transit” in different ways, depending on whether they wanted to attract cloud providers (which is what the French appear to want to do) or deter cloud providers (which is what at least one German Land appears to want to do).

I won’t get any more technical – I promise.

But is there a relatively sensible way to unravel the complexity or fill in the gaps in the legislative drafting?

Julia and Kuan think there is, and suggested that some of the Article 29 Working Party’s ideas might work. These ideas follow the principles that the Commission has developed when regulating consumer contracts (i.e. when a consumer buys a product or service in one Member State for consumption in another Member State) or, say, in trademark infringement actions.

On the other hand, more and more commentators think that it’s not the location of the data which is the key issue. After all, even if it’s all agreed in a contract with a cloud provider, how many people in their right minds are really ever going to read that contract, or know whether any of the parties are always adhering to that contract? There is more to life than contracts.

No, the real answer probably lies in encryption. What really matters is who can access the data in an intelligible form. If the encryption were strong enough, the data could be safe anywhere. What we really need to concentrate on is understanding whether the cloud provider can get at the data, and who can force the cloud provider to get at the data.
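The point above, that what matters is who can read the data in an intelligible form rather than where the bytes happen to sit, as an added Go example that is not part of the original post and not code from the speakers or their papers. It models the provider's view of storage as opaque blobs keyed by object name and compares two deployments of the same record: the controller encrypting with AES-256-GCM under a key it keeps itself, versus provider-managed keys, where anyone who can compel the provider reads the data too. The Party, WhoCanRead and Demo names, the hypothetical object names and the sample patient record are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// random returns n cryptographically random bytes.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-GCM for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts as nonce || ciphertext || tag, binding the object name in
// as associated data so a blob cannot be quietly swapped under another name.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; a wrong key, wrong name or tampered blob fails.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Party is a would-be reader; Key is nil when it holds only the stored bytes.
type Party struct {
	Name string
	Key  []byte
}

// WhoCanRead lists the parties that recover the plaintext stored under name
// from the provider's store of opaque blobs.
func WhoCanRead(store map[string][]byte, name string, parties []Party) []string {
	var readers []string
	for _, p := range parties {
		if p.Key == nil {
			continue // only ciphertext in hand, nothing to try
		}
		if _, err := Open(p.Key, store[name], []byte(name)); err == nil {
			readers = append(readers, p.Name)
		}
	}
	return readers
}

// Demo stores one constructed record under two deployment models (hypothetical
// object names) and reports who can read it in each.
func Demo() (controllerHeld, providerHeld []string) {
	record := []byte("patient 0042: discharged 2011-05-03") // constructed sample
	store := map[string][]byte{}
	// Model A: the controller encrypts before upload and keeps the key; the
	// provider, and anyone who compels the provider, holds only ciphertext.
	ctrlKey := random(32)
	blob, err := Seal(ctrlKey, record, []byte("a/record"))
	if err != nil {
		panic(err)
	}
	store["a/record"] = blob
	controllerHeld = WhoCanRead(store, "a/record", []Party{
		{Name: "controller", Key: ctrlKey},
		{Name: "provider"},
		{Name: "authority-via-provider"},
	})
	// Model B: provider-managed keys; the provider decrypts on request, so
	// whoever can compel the provider reads the data as well.
	provKey := random(32)
	if blob, err = Seal(provKey, record, []byte("b/record")); err != nil {
		panic(err)
	}
	store["b/record"] = blob
	providerHeld = WhoCanRead(store, "b/record", []Party{
		{Name: "controller-via-provider", Key: provKey},
		{Name: "provider", Key: provKey},
		{Name: "authority-via-provider", Key: provKey},
	})
	return controllerHeld, providerHeld
}
```

Calling Demo() returns ["controller"] for the first model and all three parties for the second: the ciphertext is identical in both cases and could sit in any data centre, and the only thing that changed the answer to "who can get at the data" is where the key lives. The associated-data binding is the small extra that a practitioner would want: a blob moved or renamed by the provider fails to open, which turns silent substitution into a visible error.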

So, the lawyers will continue to comment on the limitations and adequacy of the current legal regimes for so long as clients have money to offer them.

And EEA Member States will continue to embark on their shrill campaign against (basically) American cloud providers, whose Patriot Act obligations occasionally cause people to wince. Does the location of the data really matter anymore? Not really. Let’s encourage the European Commission to focus on issues of security accountability and transparency instead.

Finally, Julia and Kuan urged the European lawmakers to adopt an awfully European negotiating line in this “phony war” against non-EEA-based cloud providers. The Commission should take a broader view, and cave in quietly, while protesting loudly, about these really tricky location/transborder data flow issues.