Monday 31 December 2012

My data protection predictions for 2013

In homage to the eight Data Protection Principles, I humbly offer eight predictions for 2013. There’s good news for some, and less good news for others. Early in 2014, I hope to revisit this list to see how I’ve fared.

1. The data protection industry will continue to flourish
Data protection is increasingly considered as a profession, rather than a trade. But the race to professionalise the industry is accompanied by a desire, certainly on the part of those in the ascendant, to overcomplicate concepts that ought to be readily understood by everyone. The race to develop elaborate data protection laws will increasingly be seen as a form of data protection exclusion, or apartheid. When only the brightest of the bunch can comprehend the relevant laws, data protection salaries will soar for those working in the few sectors that really can afford to care about privacy. Eventually the bubble will be pricked by the pragmatists, who will argue that standards need to be capable of being understood and implemented by people like Homer Simpson as well as Albert Einstein, if they are to be universally applied. But that bubble won’t be pricked in 2013.

2. Minor privacy breaches will become less newsworthy
The public will tire of reading about the same old issues. Just as celebrities are recycled, and reality TV shows generate transient micro celebrities, new stories will emerge to keep data protection in the public eye. Trivial data breaches will become less toxic to brands, as there will be so many more reports of more significant incidents. Commentators will increasingly challenge the regulator to do something about them, while simultaneously calling for further cuts in public expenditure to address Britain’s economic woes.

3. The “fundamental rights” brigade will clash with the “can’t pay, won’t pay” brigade
The financial impacts of the public policy aim to improve data protection norms will result in a public fight between (1) privacy campaigners, who just want higher standards regardless of the costs; (2) data controllers, who concede that data protection standards need improving, but not at the expense of reducing the focus on other, more pressing corporate requirements; and (3) regulators, who will do whatever is necessary to keep their own agenda in the public eye. Frankly, I wouldn’t bet on the chances of the fundamentalists winning this epic battle.

4. More research will be commissioned on the point of regulating privacy
If we know anything from existing research on privacy, it’s that different sections of the community in different countries consider different aspects of their lives to be “private and personal”. They do not care so much about other aspects of their lives. This will further question the “one rule to rule them all” strategy, which is currently proposed to address EU data protection issues. There will be increasing acceptance that data protection is not a “fundamental right” but a social strategy – and one that will be hard to apply across a group of nation states whose societies and cultures are not aligned. Supporters of the subsidiarity principle will continue increasingly to challenge the European Commission about its competence to regulate privacy.

5. A fundamental review of the ICO’s Civil Monetary Penalty strategy will be announced
Everyone needs a regular review of their practices, to ensure that their strategies are working effectively. An independent analysis will be commissioned on the extent to which the ICO’s current strategy has led to behavioural change and improved data protection standards, especially among local authorities. Can it be right that so many self-reported breaches result in Civil Monetary Penalties? How does this incentivise self-incrimination? Will the ICO’s health and safety team have to issue a warning to the enforcement team that they could easily strain their back muscles by bending down to collect so much low-hanging fruit?

6. The Ministry of Justice will commission a very discreet search to identify a suitable replacement for Christopher Graham, Information Commissioner, after which a fair and open competition will be announced
Christopher Graham’s term of office expires in June 2014. The next incumbent will probably serve a fixed term of 7 years. It will be interesting to learn whether the new Commissioner is as keen on dealing with internal management issues as with policy issues. With an organisation the size of the ICO, it’s going to be pretty hard to find someone with an equal interest in both. Especially if a significant part of their time will be devoted to restructuring the ICO should Parliament decide that the organisation needs to be even more selective to be effective.

7. The ICO’s Management Board will commission a very discreet search to identify a suitable replacement for David Smith, Deputy Information Commissioner, should he decide to retire
David is an extremely experienced and respected member of the data protection community, but even he might wish to retire in the next few years. Finding a replacement will not be easy. But it is critical – for if the new Commissioner is to be seen as the management strategist, then the policy heavy lifting will need to be led by an authoritative expert who can quickly earn respect from all sides of the community. Unlike the fixed term of the Commissioner, though, this very important (and unelected) post could be held by an incumbent for the rest of their working life. Or, the next jobholder will need to be a management bruiser, capable of delivering organisational change while the Commissioner focuses on policy.

8. Someone with data protection experience will join the ICO
Why should this be such a far-fetched prediction? Surely, it’s about time that, rather than merely incubating raw data protection talent that acquires experience and a formal ISEB qualification, before leaving to work elsewhere, someone who already knew quite a bit about the subject joined the regulator.


Sunday 23 December 2012

With seasonal greetings

This is my penultimate blog for this year. The final blog, to be published on New Year’s Eve, will review the most significant developments of 2012, and offer a few predictions about the challenges ahead.

For me, my perspective on data protection has changed considerably during the past 12 months. From being a full time employee of a major company, where the considerations naturally focussed on what was marginally more beneficial for the data controller, I’ve become an independent consultant, where a more evenly balanced view of the needs of the data controller and of the individual has to be taken into account.

While full time employment certainly has its advantages, in terms of a regular income, my new role has opened doors into new worlds that I might well not have stepped through. The communications world has been very familiar territory for well over a decade, but I’ve recently been able to renew my acquaintance with the financial services world, and I’m becoming increasingly familiar with the issues that face utility companies, the health sector and the media.

Other worlds that I do hope to explore in even more detail in future include the worlds of public policy and regulation. Decisions are made by those who turn up – and I do hope to be able to turn up and influence an increasing number of these decisions in 2013. Most of the people I have met in public life share a passion to make this world a better place. They may well have very different views about what a better place looks like, but I can’t, for the most part, fault them for their sincerity and commitment to do good deeds. The disputes will continue to focus on whether their vision is credible and realistic, and on who will provide the resources that will be necessary to build their better world.

There are exciting opportunities ahead. I still wake up each day with a passion to do my best and to advocate practices that I believe to be fair and transparent. And while this passion remains, I also hope to continue to blog about things that matter to me.

So, many thanks to those who have written to me privately over the past year, commenting on this blog. I’ll continue to respect your confidences. It is, though, reassuring to know that so many of my opinions are shared with other professionals in this field.

Wishing everyone a great Xmas break.

Happy holidays.

Friday 14 December 2012

Draft Communications Data Bill: soundbites & comments

In the last of this series of blogs on the Joint Committee’s report, I thought I would report on some of the comments I’ve heard. None of them are surprising, and I’m sure that none will be ignored by Home Office officials either, who I expect are working hard to ensure that, when a redrafted Bill is presented for scrutiny, very few of the criticisms that were made about the last version could be made again.

I’m sure that everyone is keen to devise a pragmatic solution that can be accepted by one and all. 

I recently heard a very eminent politician, drawing on his many years of experience, remark: “What is in the public interest doesn’t usually represent the interests of members of the public”.

In this particular case, I very much hope that any legislation ultimately passed by Parliament will indeed represent the interests, and concerns, of all stakeholders.

"Rarely can a parliamentary report have been so thorough and so damning... For those of us who have lamented the lack of rigour in parliamentary scrutiny, the work by the Joint Committee on the Draft Communications Data Bill is a refreshing departure. It dissects each assertion put forward by Theresa May and her mandarins. It accepts that there is a case for legislation "which will provide the law enforcement agencies with some further access to communications data", but it adds: "We believe that the draft bill pays insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data." ... For the moment, parliament has done its job. Credit where it is due. It has held light to an executive power, and found it cavalier."
John Kampfner, The Guardian

"I compliment the Committee for its report ... incredibly professional."
David Davis MP, speaking at a press conference on 11 December

"Almost exactly 14 days before Christmas, the Joint Committee on the Draft Communications Data Bill has delivered an early present ... It adds up to a damning indictment of the proposals and how they were put together. The cross party Committee examined this draft Bill in extreme detail and with great care over the past six months. And they found the Bill did not bear scrutiny."
Peter Bradwell, from the Open Rights Group

"We are pleased that the Committee has echoed our concerns, particularly about the unsubstantiated costs and benefits of the Bill."

"We are really pleased that the Committee recognised the impact that the Bill could have on business."
Sarah Kelly, director of the Coalition for a Digital Economy.

"Finally a grown up debate about communications surveillance." 
Gus Hosein, director Privacy International 

"The first battle may have been won but the war is still very much to come. Any assertion from the Home Office that a small amount of tinkering and minor changes will be adequate is completely unacceptable. The Committee has exposed weak evidence, misleading statements, and fanciful figures, and the recommendations highlight the very basic errors that have been made."
Emma Carr, the

"T May must rethink Data Comms Bill. Thoughtful report finds it unworkable, uncosted and too much power to Home Sec."
Rt Hon Yvette Cooper MP, Shadow Home Secretary

"This is a very difficult issue and I welcome the Committee's thoroughness."
Rt Hon Nick Clegg MP, Deputy Prime Minister

"We recognise this is a difficult issue. We will take account of what the Committee said."
Prime Minister's spokesman.


Thursday 13 December 2012

Draft Communications Data Bill: surveillance safeguards, supervision, security & sentences

Today, I’m setting out some of the recommendations in the Joint Committee’s report that have not received any significant media attention. 

While this week’s media reports have concentrated on the Bill’s defects, it is accepted that some form of official access to some types of communications data is necessary. 

Accordingly, what measures ought to be in place to maintain an appropriate level of official accountability and public reassurance, once it has been determined what types of data investigators should be able to access?

The authorisation process

The Single Point of Contact process should be enshrined in primary legislation. A specialist centralised SPoC service should be established modelled on the National Anti-Fraud Network service which currently offers SPoC expertise to local authorities. The Home Office should consider allowing police forces to bid to run this service. This new service should be established by statute, and all local authorities and other infrequent users of communications data should be required to obtain advice from this service.

Although approval by magistrates of local authority authorisations is a very recent change in the law, we think that if our recommendations are implemented it will be unnecessary to continue with different arrangements applying only to local authorities.

The Interception of Communications Commissioner

The IoCC should carry out a full review of each of the large users of communications data every year. While sampling is acceptable as a way of dealing with large users, the requests of users making fewer than 100 applications in a year should be checked individually. The annual report of the IoCC should include more detail, including statistics, about the performance of each public authority and the criteria against which judgements are made about performance. It should analyse how many communications data requests are made for each permitted purpose. For this the IoCC will need substantial additional resources, both as to numbers and as to technical expertise. There should be full consultation with him on this. His role should be given more publicity.

The IoCC's brief should explicitly cover the need to provide advice and guidance on proportionality and necessity, and there should be rigorous testing of, and reporting on, the proportionality and necessity of requests made.

The IoCC will be key to public confidence in the Request Filter. The IoCC will need the necessary expertise properly to examine the operation of the Request Filter. He will have to report on the scale of searches via the Request Filter and rigorously test the necessity and proportionality of requests put to the Filter. All this information should be included in the public section of his annual report so that if there are any signs that the Filter is resulting in more intrusive requests Parliament can review the legislation.

The Information Commissioner

If the Government believe that additional safeguards can be provided by the Information Commissioner, they should undertake detailed discussions with him as to what such safeguards might be, how they might be undertaken, and what additional powers and resources he might need. The Bill should make clear that the Information Commissioner will need to be shown all notices issued under clause 1.

Other Surveillance Commissioners

Work should be done to rationalise the number of commissioners with responsibility for different areas of surveillance. This work should aim to simplify the situation and make it easier for the public to understand, while ensuring that all surveillance powers are subject to rigorous oversight. Consideration should be given to a new unified Surveillance Commission reporting to parliament with multi-skilled investigators and human rights and computer experts.

Security and destruction of data

We consider the Home Office's cost estimates may underestimate the cost of security and destruction of data. Since the cost of security and destruction will ultimately be borne by the taxpayer, the Home Office will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts than the companies that stand to earn money from devising secure storage solutions.

Offence of misuse of communications data by a public authority

The House of Commons Justice Committee recommended that the power under section 77 of the Criminal Justice and Immigration Act 2008 should be exercised "without further delay". Nearly a year later the Home Affairs Committee reached the same conclusion. We agree with the Information Commissioner and with both these Committees that this power to allow custodial sentences to be imposed in appropriate cases should be exercised without delay.

The Bill should provide for wilful or reckless misuse of communications data to be a specific offence punishable in appropriate cases by imprisonment.

In the final blog of this short series, I’ll be reviewing some of the immediate reaction to the report’s recommendations.