Friday 25 May 2012

Cookies: The ICO’s "Man in Black" lays it on the line

Many thousands of people will be flocking to the movies this weekend to see the new Men in Black 3, starring the amazing Will Smith and Tommy Lee Jones. A slightly smaller number will be roaming over to the Information Commissioner's website to see its latest video - starring its own man in black - the incomparable Dave Evans from the ICO's Business & Industry Team. Dave’s video only lasts 11 minutes 45 seconds. Not the 1 hour 46 minutes of the MIB3 version. And, Dave’s video has fewer jokes. And, no aliens. But, it’s still one of those “must watch” events for data protection folk – as he sets out the tone of the ICO’s cookie compliance enforcement programme.

What enforcement action will be taken by the ICO? Who is first in the firing line? How large will the fines be? These are the sorts of things that you’ll learn if your cursor ends up at

A very clever move by the ICO – as this sets a bit of a marker down to those other EC Member States that haven’t yet got around to doing much – or anything – about this cookie compliance stuff. Presumably the Article 29 Working Party will be far too polite as to criticise the ICO’s approach, and it means that other regulators who feel an urge to act tougher than our chums in Wilmslow may be persuaded to think again. After all, if regulators are to be encouraged to speak with a single regulatory voice, then the ICO’s approach ought to be commended to every EC Member State. It will be a pretty awful state of affairs if some other regulator slags the ICO off for being first to implement but not as purist as they would like to be when it comes to enforcing this part of a European Directive.

Oh well, at least I have something to congratulate the ICO for this week. I had announced that I would be donating £100 to the Help for Heroes charity if the ICO staff were to upload a video to YouTube featuring various members of the ICO’s team singing the Cookie Warp, but that money seems destined to remain in my pocket. See my blog posting of 9 March for further details. Never mind, Dave’s starring role in this ICO production brought a wry smile to my face. He was speaking a lot of common sense. But that’s not necessarily what the more strident members of the Data Protection Taliban expect of a regulator. Watch out for him – he’s either going far, or he’s a marked man!

Image Credit:
Scraped from the ICO’s website. Watch out for Dave being interviewed on telly soon – he’s a natural communicator.


Saturday 19 May 2012

When will the ICO fine itself following a data breach?

In this regulatory bear market, we’ve been marvelling at the increasing use of civil monetary penalties by the Information Commissioner's Office to take action against organisations whose data handling systems are sufficiently shoddy to cause harm or distress to people.

Taking the ICO’s powers to extremes, I wonder when we’ll be reading an ICO News Release like this:


The Information Commissioner’s Office has issued itself a penalty of £20,000 for losing paper records containing personal information, including the names, job titles, beverage preferences, tastes and dietary habits of the ICO’s Executive Team.

The loss occurred when an administrator took some paper records to Wilmslow’s Sainsbury’s to buy the Executive Team sandwiches and snacks for a working lunch. The administrator’s car was burgled while they had popped to the Wilmslow public library to return some DVDs, and a bag, containing the records and an encrypted data stick, was stolen. This meant that the Executive team had to eat what they were given, rather than what they had asked for.

The ICO’s investigation found that it had failed to take appropriate organisational measures against the accidental loss of personal data held on paper records. Although the ICO had an information security policy and some guidance for staff on handling important papers, the measures failed to explain how the information should be kept secure when being transported in a private vehicle.

Today’s penalty comes after the ICO had required many public authorities to sign undertakings following earlier incidents, during which personal data, both in an encrypted and an unencrypted form, had been stolen from an employee’s home and/or vehicle. While many authorities later introduced a paper handling policy following the undertaking, this policy was not in place at the time of the ICO’s loss, nor had all staff been fully trained on the policy.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for distress in this case is obvious. No-one wanted the Commissioner to eat egg and cress sandwiches, when his favorite cheese and ham bap could have been provided. It is therefore extremely disappointing, and embarrassing, that I had not put in place sufficient measures in time to avoid this mishap.

While I am pleased that I have now taken action to keep the personal data we use secure, it is vitally important that all organisations have the correct guidance in place to keep paper records taken outside of the office safe. This includes storing papers containing personal information separately from data sticks.

The effect of the penalty is that we will no longer be able to subsidise our annual ICO Data Protection Officer’s conference for everyone, so from now on all delegates from the private sector will be required to pay a £100 attendance fee.

We are aware that if an ICO administrator loses any more personal information, the effect is likely to be a much larger fine, which will probably mean that we would be required to charge everyone to attend our annual ICO Data Protection Officer’s conference. Given pressures on the public purse, we do appreciate, and greatly regret, that this will probably prevent public sector DPOs from ever being allowed to attend this event again.

But, if we are big enough to hand out the fines, then we ought to be big enough to accept a fine when we get things wrong, too.”

Actually, I’m not making all of this up. Section 107 of the Protection of Freedoms Act 2012 does give the ICO the right to charge delegates to attend ICO training events or conferences. They've got to recover their costs somehow, you know. And I’ve already seen one ICO consultation exercise commence on the extent to which private sector companies ought to pay to attend the ICO’s Data Protection Officer’s Conference. For my part, I’m very happy to pay a fee that represents the costs of staging the event. In my opinion, they represent brilliant value for money, and they give us all an opportunity to catch up with old friends. And have a laugh, or two.

Finally, for the anoraks among us, Section 105 of the Protection of Freedoms Act 2012 also changes the period for which the Information Commissioner is appointed. In future, rather than a (renewable) term of 5 years, the Commissioner will be appointed for a single period of 7 years.


Thursday 17 May 2012

A DPA debacle facing SMEs?

I’ve been spending the past few months thinking about, and then setting up, a small business. Wow, it’s exhausting. So much to think about – and it’s so hard to know just where to turn to get reliable advice. Like everyone else embarking on a new enterprise, I’ve been progressing slowly, learning from my mistakes (and hoping they were rectified before anyone important spotted them).

Interestingly, of the many people to whom I have turned for assistance, not one person has mentioned data protection. I know of no-one running a small business that has the slightest clue about the stuff I’ve spent almost a quarter of a century living and breathing. Apart from the merry band of data protection consultants, that is. No-one has mentioned to me, as they explained how they went about creating their company, selecting a logo, building a website, engaging a book keeper (or accountant), working out whether to register for VAT, or what standard contracts to use, anything about any data protection issues that needed to be addressed.

I found that quite remarkable, especially given the recent media coverage of organisations with poor data protection standards.

I think I know why. In my view, it’s down to two main reasons.

First, it’s because data protection is an arcane and inaccessible subject that is so hard for a business owner to focus on, given the pressing need to understand other, much more important, aspects of setting up a business, and it’s actually quite hard to find independent professionals who can be trusted to offer pragmatic, no-nonsense advice. I’m not attacking the data protection professionals who offer great advice to sophisticated, established, businesses. What I’m pointing out is a dearth of advisors who are known for providing practical advice to start-ups and the smaller enterprises. Yet, these small enterprises, especially if their business activity involves the internet, are capable of generating large amounts of personal information which, if handled incorrectly, could cause very considerable embarrassment if the information were to be inappropriately disclosed to third parties.

Second, it’s because data protection is regulated by a small body of dedicated professionals who would find it impossible to cope if they were approached for help by all of the small businesses that really need advice. When you compare the size of the ICO’s budget with that of, say the (failed) Financial Services Authority, you really wonder what bunch of politicians were naive enough to impose huge obligations on an organisation like the ICO that was then vested with so few resources. Or perhaps the politicians were trying to imply – “here’s a set of ideas for businesses that want to follow good data handling practices, but we don’t really care if businesses ignore them.”

The European Commission can propose what it wants, as that Regulation continues its European Parliamentary scrutiny. The reality, currently, is that whatever will be passed will most likely be ignored by a huge majority of small businesses who simply don’t have the will to understand what they will need to do to comply. These businesses will be assuming that the regulators will be so under resourced that the likelihood of an SME being held accountable for an unfortunate incident will be much less than the likelihood of their star employee winning the X Factor.

So, what’s the answer?

In part, I think it’s about making it easier for SMEs to get decent, pragmatic advice, at an early stage in their development. If they’re a small business, say, developing web apps, working in the Silicon Roundabout area of London, it ought to be possible to find a data protection consultant working nearby for a coffee and a (free) chat. I have a cunning plan to help fill what appears to be a gap in the market. All will be revealed on 1 June.

In part, I also think it’s about making it easier for SMEs to appreciate the consequences of getting it wrong. But this is not an area that I’m currently interested in playing, as I’m not a regulator.

Now, I’m off to the bank to complete the process to open a corporate bank account. Later today, I’ll be off to Shoreditch to work out just how much stubble I would need to grow if I wanted to blend in with the surrounding community.

Image credit:
To be revealed on 1 June!


Saturday 12 May 2012

Data protection at the Olympic opening ceremony

I dreamt of a disaster, last night.

In my dream, discussions with Danny Boyle, the chief organiser, deteriorated to such an extent that I formally withdrew from the Olympic Games Opening Show Committee. I had been contracted to help create one of the segments that illustrated something that the Brits do brilliantly, so that we could show ourselves off to a global audience in the best possible light, before that special torch enters the Olympic Stadium in East London on 27 July.

My idea, which had originally been accepted, was that we should show off something that we Brits do brilliantly badly pragmatically – ie data protection. Danny Boyle was keen to fill the arena with people being monitored on CCTV, with large teams of officials in X-ray specs rushing over to groups of, say, spectators, to give them a thorough search before grudgingly allowing them on their way. But everyone else pointed out that this would be happening both inside and outside the Olympic Stadium anyway, so why not show something slightly different to the world?

My idea was that we should create a short musical to commemorate the goings on in Wilmslow these past few years. After all, if a TV soap opera like Coronation Street can have a musical made out of it that fills arenas, then why not Wilmslow’s greatest asset? To some (all right, not many), the reputation of the ICO towers over that of the celebrities that have recently been spotted in Wilmslow’s Sainsbury’s – such as Liam Gallagher, Patsy Kensit and Cristiano Ronaldo. Admittedly, celebrity spotting in Sainsbury’s is a lot rarer now that Waitrose has opened a store in the town.

Anyway, with more than a nod to the brilliant composer and lyricist Irving Berlin, who was born exactly 124 years ago yesterday, here are the lyrics I submitted – and which, to my great disappointment, have been rejected:

It started with a wow
When they appointed Eric Howe
The next advance
Came with the arrival of Liz France

A touch of class
Accompanied Richard Thomas
Right now, overseeing the mayhem
Is Christopher Graham

Doing one of the hardest jobs in town

There's no business like DPO business
Like no business I know
Everything about it is revealing
Everything that IP traffic will allow
Everyone can hear that awful squealing
When a breach has occurred somehow

There's no people like DPO people
They smile when they are low
Even with a project that you know will fold
Your colleagues will leave you out in the cold
It was never really meant for a family household
Let's go on with the show

Search for a butcher, a baker, a grocer, a clerk
They’re secretly unhappy because
A butcher, a baker, a grocer and a clerk
Must pay for their ads, but get no applause
They'd gladly bid their current practices goodbye
For anything more legal and why, oh why?

There's no business like DPO business
Like no business I know
You get fair notice before the processing has started
That the server farm is based in Oregon
Your partner’s facebook page shows they and you have parted
You're broken-hearted, but you go on

There's no people like DPO people
They smile when they are low
Yesterday they told you you would not go far
You put that in your blog, now here you are
This morning on your office chair
They've hung a star
Let's go, on with the show

All hail, hail the DPO!



Friday 11 May 2012

Cookies: Last minute guidance from the great man himself

Not long to go now as nerves are stretched to virtually breaking point. Just two more weeks. Will the regulators take action, or won’t they? The tension will climax immediately after the world has learnt the identity of the winner of the Eurovision Song Contest. Then, attention will focus on the great cookie compliance saga. Yes, it will have been a year (in the UK) that data controllers will have been given an opportunity to pay attention to rules that were supposed to take effect last May.

We Brits, being the great euro compliers that we are, naturally feel ready to occupy the moral high ground. It’s not that often that we can gently mock other EC Member States (I’ll try hard not to mention Germany) for not even bothering to get the basic legislation passed to implement the relevant part of the relevant Directive into German law.

Germany does have a good reason for their state of unpreparedness, after all. Just like Flash Gordon, they’ve been doing their very best to save the world (well, the Euro) from collapse this past year. And I’m really grateful to them for concentrating on the big picture. Like propping up entire economies and democracies. They’ve put the whole cookie debacle well down their list of priorities.

Anyway, I’m about to hit the conference trail, offering audiences my take on what they need to do to comply (when they feel that they can get round to complying, that is). I’m hearing a range of views on this matter, and am aware of the huge resources that are currently being devoted within some companies who are trying not to bankrupt themselves in the process of giving users what they think they probably want. Which is not necessarily what the rules appear to require that users actually want.

Today, I’ve turned to Bob Marley for inspiration, and trust that his estate won’t be too unhappy at the way I have messed around with his legendary lyrics.

So, enjoy working through your own cookie compliance programme – and enjoy the weekend, too.


here's a little song about cookies I’ve wrote,
you might want to sing it note for note,
don't worry, be happy

when you get rules like this that are so hard to apply
and web users don’t bother reading explanations you supply
don't worry, be happy

ain’t got no idea about what to do,
your IT department’s based in Timbuktu,
don't worry, be happy

the Commissioner say your website is late,
he may have to litigate,
don’t worry (small laugh) be happy,

look at me I’m happy,
don't worry, be happy

I give you my IP number,
and I get back ads to learn me how to rumba,
it makes me happy

don't worry, be happy

can’t get no help, compliance is futile
If I see the Commissioner coming then I’ll have to run a mile
but don't worry, be happy

might need to rethink this strategy if anyone see the big man frown,
‘cos that could bring everybody down,
so don't worry, be happy

don't worry, be happy now...

so, here’s this little song about cookies I wrote
I hope you learned it good note for note
like good web masters

don't worry be happy

listen to what I say
in your internet life you must expect some trouble
but if you worry you will only make it double
don't worry be happy
be happy now

don't worry, don't worry, don't do it,
be happy, I’ll put a smile on your face,
we’ll all ignore internet rules that are a disgrace

don't worry about the guidance in this verse
soon we’ll all be facing stuff that’s much more worse
don't worry, be happy,
I'm not worried


Wednesday 9 May 2012

Whither the Data Protection Officer?

If you put your ear really close to the ground, you can detect a growing sense of unease with the proposal in that Regulation to require enterprises over a certain size to appoint Data Protection Officers. The unease is growing at such a pace that soon, I predict, more people will be openly questioning the Commission’s proposal, as we know it and apparently love it.

Today’s Queen’s Speech during the State Opening of Parliament, for example, mentioned proposals that the British Government has to reduce more of the red tape that surrounds businesses. And all over Europe, people are wondering whether the German model, which sets out strong requirements for Data Protection Officers if firms employ more than 10 staff, really is appropriate in this day and age.

As is so eloquently expressed in that popular quote: "You can put lipstick on a pig, but it’s still a pig."

Let me explain.

The argument runs that what is really required is that enterprises take data protection really seriously. In other words, it should be a duty of someone at the highest level of the enterprise to manage. Board members should be regularly held accountable for the data protection practices used in the organisation.

The argument also runs that some Boards evade their proper data protection responsibilities, by delegating the data protection stuff to a junior employee who is hardly ever in contact with people at Board level, or even to people who report to people at Board level. So these DPOs are, in effect, used as firewalls, enabling the enterprise to carry on regardless, while some poor inoffensive fall guy carries the can each time something goes wrong.

Accordingly, while enterprises ought not be prevented from appointing DPOs, if that’s what they want and it’s possible to find someone who has done more than read the odd ICO press release, the appointment of a DPO should not in any way reduce the level of accountability that the enterprise’s Board has to ensure that proper data protection practices prevail.

I predict that there will be moves from some of the more enlightened Member States to allow data controllers the option of appointing DPOs, but not to require them to make such appointments. I, for one, think that’s an extremely astute idea. It ought to cement the accountability principle at the highest level, and make enterprises fully accountable for their actions and also responsible for the way they decide to assess how they are accountable.

This option also has the flexibility of allowing the Board more discretion when assigning the data protection compliance responsibility to someone. It means that, rather than being a mere technocratic functionary, they are more likely to be a very senior person within the organisation. When we look at the American model, the US laws don’t require the appointment of a DPO, but very senior Chief Privacy Officers are all over the place. Compare that with the UK – how many DPOs are that senior in British companies? Even in Germany, the legal requirement to appoint a DPO has, in practice, resulted in individuals with very different levels of experience or seniority being appointed to carry out the role. Yes, some are senior. But, equally, others are not.

So, battle lines are forming. Both sides share the same objective – that of delivering high standards of data protection. But, the argument runs, how should these standards be delivered? By employing someone who is seen as the Regulators’ nark, as their role is extremely specific, and enshrined in law? Or, would it be preferable to enable Boards to decide for themselves how to comply, perhaps by employing the services of “a guide on the side?” This option appeals to my more pragmatic nature.

Let’s see how this argument unfolds. We data protection professionals may well have a variety of options available as we consider how to develop what is fast turning into a career (but not necessarily a job) for life.


Tuesday 8 May 2012

The news from Berlin

This week's premier data protection conference has just been held in Berlin. An impressive event, attracting the cream of European data protection society. A useful opportunity to catch up with old friends and to spread the latest gossip. We data protection folk can be quite indiscreet, when we want to be.

Let’s start with the round up from the European Commission. Vice President Viviane Reding couldn't attend, but she kindly sent us a video message. Perhaps she was tired of meeting the many familiar faces that were there. Lots of familiar and welcome stuff. Modern rules for a modern age that are easy to understand and easy to apply. The new rules are, evidently, to allow local rules, in particular areas, as well as the mythical one rule to rule them all. It's going to save us all billions of Euros and it's going to cut red tape. Yes it will. Honest!

The message was repeated by the author of that Regulation, Thomas Zerdick. But he also admitted that he did not expect to see data controllers enjoy a reduction in their legal fees as, in his words, “the concepts are not simple." You can say that again. However, he also stressed that "we will cut red tape for businesses".

European Data Protection Supervisor Peter Hustinx was up next, emphasising the need for more effective and consistent data protection - on the ground. We must keep an eye on the big picture to understand if the protection is working. Not on the details. And only intervene when it is necessary, and do this effectively. Be selective to be effective. Not micro management.

If you closed your eyes, for a moment it could have been Richard Thomas who was speaking. And then Peter explained that data controllers have to take reasonable efforts to haul back data once it has been unleashed on the Internet. To my mind, this is an awful lot harder than it sounds. But then again, everyone knows this.

In a more outspoken section of his speech, Peter noted (without mentioning names) that some regulators are courageous and strong, but in other countries they are weak and virtually invisible. He wants a single answer to create regulatory consistency.

Information Commissioner Christopher Graham then announced that the ICO had done its sums and had worked out that his office might realistically require additional budget resources of an additional £27 million (an increase in resources of some 180%) if it were to expect to carry out all of the tasks that are currently specified in that Regulation. And, as this is not going to happen, the Regulation has to be less interventionist. The answer is staring us in the face. Data controllers should be held to account in ways determined by the data controller, not simply by ticking lots of items on lists prescribed by the Commission.

More worryingly, Christopher Graham pointed out that all of this stuff needed paying for by someone. And who? Presumably by data controllers who wanted special services. Like Binding Corporate Rules. Or, perhaps, by conference organisers who wanted regulators to speak at such glamorous events.

Unfortunately, the point about the very prescriptive nature of that Regulation was not really echoed by Axel Voss, one of the 7 key European Parliamentarians who will play a critical role in scrutinising the proposal. But then again, of these 7 parliamentarians, 5 are Germans, while a 6th (a Greek MEP) also speaks fluent German. So I would not be surprised to learn of pretty intensive efforts to ensure that the European solution retained a good dose of German characteristics. Although keen to distance himself from the "German Data Protection Taliban", Axel seemed to be in favour of the concept of reducing the text to concentrate on principles, while simultaneously aligning everything with sanctions and controls. I have no idea how you can reconcile both concepts at the same time.

More was said, in private, about the real timetable that is being set for the Regulation. And it would be really rude of me to be too indiscreet in this blog. All I'll say is that I'm not holding my breath. I've still got plenty of time to make my points.

As always, the real value of events such as these came during the refreshment breaks, when quiet chats cemented valuable friendships that had been sparked in the conference hall. So, roll on the next big data protection event.

Which, for me, takes place first thing tomorrow morning, in Central London.

There really is no rest for the wicked.

Travel credit:
All credit to the BAA crew at Heathrow's Terminal 5. The flight touched down at 9pm and within 35 minutes I was on the tube, heading home. I did get to do a TV vox pop today on airport delays - but this was for German TV, at Berlin’s Tegel Airport. Over there, the airport authorities have just been told that they are not allowed to close the place down as scheduled, because Berlin's new International Airport now won't actually be ready on time. Apparently, the new airport authorities haven't done enough to get the right type of safety certificates. If German athletes are as fast as these German safety workers, then they aren't likely to be returning home with many Olympic medals later this summer!

Image credit:
While German regulators may be less than enthusiastic about Google's street view service, German artists evidently have no issues commemorating Berlin's cartography.


Saturday 5 May 2012

Berlin calling

An email arrived recently. Did I want to attend a data protection conference in Berlin on Monday, which is a May Day bank holiday in the UK? And did I want to help out by running a workshop on Tuesday to explore whether it would be practical for common personal data breach reporting rules to be drawn up? Common rules in that they were rules that were commonly understood, accepted and actually added value to people’s lives. Not common rules in that they were universally ignored because they were too complicated, burdensome and actually added nothing to people’s lives.

Yes, I thought to myself. I’m up for a bit of that.

Consequently, I am attending the 2nd European Data Protection Day conference. Yes, I know that Data Protection Day is really celebrated on 28th January. But, we data protection folk evidently can never have enough of a good thing.

So, I’m all packed and I’m literally dreading the UK Border Control queues when I return to Heathrow's Terminal 5 on Tuesday evening. I’ve a fun packed day next Wednesday, you see, and I really want to be fresh for those meetings, not exhausted because I’ve been up all night queuing with what may well have become several thousand of my closest friends.

Will I learn anything new next week? I do hope so. And, if I do, naturally I’ll be blogging about it, so you can keep up to speed with the latest gossip too. Given the impressive cast list, I expect a few indiscretions to emerge as the evening proceedings unravel.

What I really want to hear is something different from the usual speakers. These include Florence Raynal, CNIL, France; Christopher Graham, Information Commissioner, United Kingdom; Peter Hustinx, European Data Protection Supervisor, Belgium; Prof Dr Juan Antonio Travieso, Professor of International Law at Universidad de Buenos Aires, Argentina, and National Director for Personal Data Protection, Argentina; Axel Voss, European Parliament, France; Dr Wojciech Wiewiórowski, Inspector General for Personal Data, Poland; Thomas Zerdick, European Commission, Belgium. And of course, Lord Richard Allen of Facebook fame and Peter Fleischer from Google.

What I would really love is for the speakers to tear up any pre-prepared speeches and start a fresh exchange of views. I don’t want to hear what I’ve heard a good many times before. Perhaps I get out and about a bit too much, these days. What I really want to know is just how the thinking has moved on from the initial reactions to the Commission’s proposals. Everyone has had a good time to make their initial comments. And the political sands are shifting, too. Member States are continuing to hold their usual cycle of domestic elections, and increasing numbers of politicians, everywhere, are questioning the future of independent EC nation states within a governance structure that tries to create an overarching European super state. Increasing numbers of politicians seem to think that local democracy is actually quite a good idea. Subsidiarity and all that stuff. But that’s not necessarily the message that the European Commission officials like to hear. It doesn't chime in with the concept of one Regulation to rule them all.

If I were a betting data protector, I would suggest that the Euro has a greater chance of remaining in existence by the end of 2013 than many of the key changes proposed in that Regulation.

But let’s see.

So, if you see me prowling around the conference floor or reception rooms, please pop over and say hello. I’ve been developing some cunning data protection plans of my own, recently, and am getting ready to share them with just about anyone who will listen.



Thursday 3 May 2012

The folly of fining public authorities for data breaches

I just don’t get it. Is it just me? Or are others concerned at the implications, in these straitened financial times, of instructing public authorities to use less of their budgets for public services because they have been responsible for a data breach?

Perhaps the Information Commissioner should have his powers tweaked a bit – so rather than being able to issue Civil Monetary Penalty Notices against public authorities, he should be able to issue a Financial Reallocation Notice, which could force the authority to spend part of their budget on, say, DPA training and awareness schemes, rather than just returning money to the Treasury. It might have a much more powerful effect.

If this seems a stupid idea, then perhaps a group of committed Data Protection Officers might like to join me in running the London Marathon next year, to raise funds for those authorities whose funds were stripped by the ICO. Or we could, say, push a hospital bed around the course, to highlight the fact that a patient was denied use of the bed because a Health Authority had sloppy data handling practices.

Hey, warming to this idea, perhaps we could encourage the Chief Executive of the relevant Health Authority either to join the marathon runners, or to allow themselves to be wheeled around the course in the very hospital bed that had been denied to patients!

If we got the media interested, we could even relocate the charity run from London to Wilmslow. Teams of brightly dressed athletes could start at the Wilmslow flyover, and follow a course to the football players’ homes in Alderley Edge, back past a few run-down schools and a (recently closed) emergency services unit of a local hospital, then finishing in the Commissioner’s car park. And, it being Wilmslow, I expect that minor TV celebrities would be falling over themselves trying to get in on the act too.

Let’s be frank. The novelty factor of fining public authorities is surely wearing off – and it’s really hard to find any evidence which demonstrates a renewed determination on the part of public officials to improve data handling standards just because some of their service users will now have to suffer just that little bit more, since less money will be spent on them.

Does anyone else have any cunning plans that might deliver behavioural change to public authorities faster than a Civil Monetary Penalty? If so I would be delighted to know.




Tuesday 1 May 2012

Another SPAM sting

My latest SPAM message has just arrived. It’s from +44 7544 3043, and reads “We have been trying to contact you regarding your accident, we now know how much you are owed. Visit to confirm a time for us to call you.”

Hmmm, how gullible am I? Should I respond to this text? Or should I wait until I’m advised that these cowboys actually “have” the money that is due to me and that all I now need to do is send them my banking details so that they can deposit it in my account?

The trouble is, I’m torn between wanting these cowboys caught, and money being spent on other public services, too. And I know that the public purse is not big enough to meet all of my needs, or the needs of everyone in this country. There aren’t enough enforcers to go around.

In usual times, I would use this blog as an opportunity to get on my soapbox to cry for more resources for investigators. But, these are not usual times. Next week I’ll be travelling back through London Heathrow after a working trip to Berlin. The flight arrives around 8pm and I really want to have cleared the UK Border Control desks in Terminal 5 by 11.30pm. Why? Because I want to take the underground home, and I don’t fancy having to pay a huge taxi bill – which is what will happen if the queues really are as awful as some have claimed.

Spookily enough, I was chatting about the Border Control delays with some American chums who had popped over to London for the International Association of Privacy Professionals conference last week. Their queues exceeded 90 minutes, apparently. I was only joking when I explained that I was happy for the delays to be so long, as it was a covert way of helping tire some of the visiting athletes out before they compete in the summer Olympics, which will be taking place over in East London. I want our country to give our athletes as much help as it can, and in as many ways as it can.

But that was before I realised how those same delays would affect me, too.

So, today’s special pleading is for emergency additional resources for those who staff the Border Control desks at Heathrow.

After next week, it’s possible that my normal pleading will have resumed, and that I’ll be caring more about the plight of data protection victims, rather than weary travellers.