Saturday 30 June 2012

Trust me – I’m a data protector

The bash at the Brewery in the Barbican on Thursday evening went well. So well that I can hardly remember the detailed points that each panelist made to the audience. And no, my lack of memory was not due to the evening ending in a sea of alcohol. It was entirely due to my getting home late, immediately falling asleep and then setting out really early the following morning to attend yet another discussion meeting.

Fortunately, I won’t need to rely just on my memory about what I said on Thursday. Journalists, as well as lawyers, were present, So, I’ll be able to read all about it in The Lawyer magazine in a few weeks time. I’ll post a link to the article when it gets published.

Yesterday’s discussion, on building trust and reputation, touched on a few of the old issues we’ve all grown to love. Can data controllers be trusted to act with honour, or are too many of them a bunch of irresponsible cowboys who need to be whipped into shape by an ultra tough regulator? The discussion moved on to how well intentioned- individuals within an enterprise were able to influence the general behaviour of the firm. What is the tone from the top? To what extent are our “dear leaders” sticking their necks above the parapet to show their own determination and commitment to adhering to ethical business practices?

Given the top stories in the national media, which were focussing on corporate misbehaviour in areas other than data protection, it was probably the wrong time to hold such a discussion, but we continued regardless.

In the end, we agreed, it was about role models. How many great examples of great corporate behaviour exist? And how often is the public’s attention diverted to the “wrong uns”, rather than our shining stars?

Perhaps, within the data protection world, it would be helpful to create our own lists of shining stars and cowboys. (I wonder how many names might find their way onto both lists?) Perhaps, if the new accountability principle is fully embraced, our profession will create its own Data Protection Hall of Fame.


Let’s start with smaller steps. How about a Data Protection Webpage of Fame – a sort of “Who’s Who” in the international data protection community. Or a "Those we have loved" page on LinkedIn.

Or are there too many practitioners who would rather exercise a right to be forgotten, rather than a right to be respected?

Image credit:


Thursday 28 June 2012

Cookies: I’m a hit with the audience at Olympia

A packed audience liked the data protection jokes I cracked at yesterday’s “MarketingWeek Live” event. The venue was the Grand Hall at Olympia – a great big barn of a place that is used for trade fairs, dog shows and the occasional concert.

My theme was compliance with the new cookie rules: “the cookie conundrum” – as I bill the talk. And, judging from the people who queued to have a quiet word with me after my slot, it went down quite well. I had to tailor the language I could have used to explain some of the more technical aspects of this stuff, and, as there were lots of ladies present, I also cut out all the rude words that the Monty Python team used when giving their version of the tale of King Otto (and the cookies). But at least everyone still laughed in all the right places.

I’m not booked to speak anywhere on that subject for a few more months, so I’ll lay that one to rest for a bit. But, if anyone fancies a private performance, please let me know.

Now I’m preparing for tonight’s show – at The Brewery in the City of London, which will be reviewed in a future edition of "The Lawyer" magazine. I’ll be sharing a platform with, among others, the ICO’s Dave Evans. Spookily, Dave helped write most of the great advice that the ICO has published on cookie compliance. But we’ll both be giving cookies a night off. Instead, we’ll aim to have the audience of some 70 senior lawyers rolling in the aisles as we address other issues that are so close to our professional hearts. Tonight’s session, believe it or not, is focused almost entirely on the data protection aspects of transborder data flows.

How on earth can a panel of four seasoned professionals string out a 90 minute session on that subject? And how can so many eminent lawyers in private practice and corporate general counsels feel so compelled to sit through it?

Well, it is being held in an old brewery, you know.

And if I can remember what went on, I’ll report back later.


Wednesday 27 June 2012

Comms Data Bill: Battle lines drawn at the Frontline club

Last night, the think tank Demos and the Frontline Club, the London hub for a diverse group of people united by their passion for the best quality journalism, held a session on cyber snooping and the Communications Data Bill. Originally advertised to take place amidst the grand surroundings of the Royal Institution in Mayfair, at the last minute the venue was switched to the debating room at the Frontline Club –which is situated in a part of Paddington that is evidently not going to witness the Olympic flame being paraded past its front door.

The BBC’s Rory Cellan-Jones chaired the session and introduced the speakers, who were Professor Anthony Glees from the University of Buckingham, Isabella Sankey from Liberty, Jamie Bartlett from Demos, and the Rt Hon David Davis MP.

Anthony Glees introduced himself to the audience as: “the skunk at this picnic,” and pointed out that the debate isn't about the interception of communications as we already have legislation in place for that. Nor is it liberty and freedom. It's really about trustfulness. The real problem is a lack of public trust in the security and intelligence community, despite the fact that in the UK we have good and ethical spooks and policemen who practice their tradecraft in an ethical manner. But, Parliament’s Intelligence and Security Committee has simply not done a good enough job to spread the news about just how good these guys are.

In his view, we don’t live in a surveillance state because we simply don’t have enough spooks to justify such a claim. Certainly when compared to the surveillance states of old.

He was optimistic that the Bill would go through.

Jamie Bartlett spoke next, announcing that he was mildly in favour of the Bill. But, the real issue, in his mind, was how the state regulated the investigation of people’s Twitter postings and Facebook accounts, as this “semi public” information probably harvested information that was even more intrusive than much of the communications data that the service providers were expected to retain. We need laws to regulate this stuff, as without a law there always be the potential for real abuses of power to occur.

Jamie sensed that the politicians often didn’t fully appreciate the service requirements of the security establishment, and that it was often too easy to criticise them and the legislation they worked under. There will be technical problems on how the data will be obtained. But, the spooks can't explain what counter measures will be deployed, nor what safeguards will be designed to prevent abuse.

Jamie’s bright idea was that the spooks should be regulated not only by teams of politicians, but also by security cleared members of the public, who can represent independent voices. After all, if the public were entitled to sit on juries, why should they also not be entitled to have a say in how this type of behaviour should be regulated.

Isabella Sankey was up next, announcing that Liberty’s view of the Bill was that it is “rotten to the core.” She made one interesting technical point - what's unclear is whether the technology requires an interception of the content of various communications in order to get the traffic data, which is the only stuff they should really be accessing.

Isabella admitted that it's really hard to measure whether any damage has been done to an individual as a result of the current (and projected) regulatory environment, but even so, Liberty had been inundated with letters from members of the public and its membership has soared as a result of the public debate over the issue. So, even they have seen something good come out of the proposals!

Finally, David Davies spoke. He had considerable political and practical experience of the security agenda, having once served as: “the minister for weapons of mass destruction.” He was really concerned at what can happen when the agencies have relatively unfettered access to giant databases. In his view, the agencies broadly do a good job and they have a problem with this in that they don't have the kit to properly sift through the material that is already available to them. He was worried about the implications of false positive results. He was also worried that the Government was overseeing the creation of a honeypot that would be of interest to practically every divorce lawyer in the country.

David was also concerned at the potential costs of the initiative, and the potential for a breach of security by miscreants hacking into these giant and sensitive on-line databases, which, after all, are opposed in Germany, the Czech Republic and Romania. So, he expects the Bill to get squashed in Parliament. What he might accept was a “fully up fronted warranted Bill” - whatever that is. In his view, the more power you give the agencies, the tougher the oversight needs to be.

His last remark was also pretty telling – “A lot of those who are against the bill are the experts in this business.” And he expected these experts to have their say, later. Personally, I’m not sure just how accurate that assertion is. But we’ll all find out in due course.

The 90 minute debate was streamed live on the web and is currently available on the Frontline Club’s upstream channel at

Tuesday 26 June 2012

Who really falls for internet scams like these?

There obviously has to be one born every minute, but I really do wonder just how many people are foolish enough to be taken in by emails such as this one, which has recently landed in my spam box. My old English teacher would be turning in her grave, if she were to realise how people write these days. Mrs Bramble really was a stickler for punctuation and the correct use of capital letters:


Hello My Dearest,

I know how surprise this email might appear to you but i want you to consider it as a request for an assistance from a dying woman. My Name is Mrs. Elizabeth Wilson. from Israel but now undergoing medical treatment in Abidjan the capital city of Ivory Coast.

I am married to late Mr Benson Wilson, who worked with Israeli Embassy in Ivory Coast for Eleven years before he died in the year 2008, after a brief illness that lasted for only Ten days.

We were married for Eighteen years without any child. After the death of my husband i vowed to use our wealth for the down trodden and the less privileged in our society.

Recently, My Doctor told me that I may not last for the next seven months due to cancer problem, though what disturbs me most is my stroke and deaf problem.

Haven known my condition i decided to Serve God with our wealth. When my late husband was alive we kept the sum of ($7.6 Million U.S. Dollars) Seven million six hundred thousand united states dollars Having known my condition I decided to Give out this fund to a church or an individual or better still a God fearing person who will utilise this fund the way I am going to instruct here in.

I want an individual that will use this fund to provide succour to the poor and indigent persons, orphanages, widows around him or her and Schools etc. As soon as I receive your response I shall give you the contact of the Bank where the said fund is deposited I will also issue you the documents that will prove you the present beneficiary of this fund.

Any delay in your reply will give me room in searching for an individual or this same purpose, always be prayerful all through your life.

Please assure me that you will act accordingly as I Stated herein. Hope to receive your reply soon.please reply me through this email

Thanks and Remain Blessed.
Mrs.Elizabeth Wilson.

Image credit:


Monday 25 June 2012

Accounting for good data protection

With apologies for the awful pun, today’s blog celebrates our chums in the accounting profession, who have recently launched a report on building trust in the digital age. The report was published in November 2011, but the formal launch occurred on 19 June 2012. Sometimes, accountants take their time.

The broad thrust of the report, on rethinking privacy, property and security, is pretty clear: “Today’s good practices are not enough.” What is required is “an accepted framework of social expectations and laws.” And, because digital technology is disrupting and challenging, we “need to encourage widespread engagement, understanding and debate of the issues to build a social and legal framework which is broadly accepted and can underpin individual business actions.”

Top tip – if you don’t fancy paying £45 for your own ICAEW (Institute of Chartered Accountants of England and Wales) bound copy, you can download it for free from here.

By the time you’ve read this 98 page report, you will, according to the blurb, have benefited by:

• Helping management make better decisions about digital information and improve the business performance in relation to information risks; and
• Informing the widespread public debate about digital information and thereby support the development of a variety of regulatory, industry and social solutions.

OK, I think I get it. But, everyone cries, how are we going to do it? Or, as I reported about the question my nephew asked me last week, what does good data protection look like?

Well, I’ve recently given my own reply three times so far. Once to my family and the other times, to audiences of different types of professionals. Each audience laughed in different places as I made my pitch. Do professional stand-up comics get such a varied reaction to their material, too? I really ought to follow someone around the comedy circuit for a while, just to find out.

Anyway, the good news is that everyone told me that they liked what I had to say. I’m delivering it once more, next week, to yet another audience of another type of professional, and then I’ll stop taking and I'll be blogging about it.

Apparently, as some professional comics keep telling me, there’s only so long you can trot out the same old stuff on the comedy circuit before you have to refresh your material.

Obviously, they’ve never heard of Ken Dodd.



Sunday 24 June 2012

Let’s focus on a little less spam, please

Two texts were sent to my mobile last week, within hours of each other. The first, from 07923 098061 said: "Due to new legislation, those struggling with debt can now apply to have it written off. For more information text the word ‘INFO’ or to opt out text stop."

Then, as if by magic, another cowboy, this time using 07926 047555, spookily sent me exactly the same message.

Could these cowboys be related, perhaps?

It’s surely more than a bit naughty to send messages like this to vulnerable people. Would an ethical debt-defying service provider stoop as low as this to scoop up the details of people in financial difficulties, so that they could (probably) make some money out of them too? But there must be enough folk around who are tempted to respond, and who subsequently get sucked into these information flows, otherwise there would be no financial incentive for the original sender of the message to make the investment that is required to send the messages.

For the record, I’m sure I have not consented to these messages. But that’s not really the point.

The point, I think, is that our regulators have got a huge task on their hands trying to decide how to allocate their investigative resources to enforce all of the data protection rules.

I appreciate that, recently, the political focus has been on the implementation of the cookie rules. Which is obviously why we have seen so many websites start to become more transparent about the way cookies are used on their websites. Quite whether this has changed users’ behaviours is another story. Perhaps, in a few years’ time, some research will be published on the extent to which users have changed their cookie preferences following the initiative to deliver greater transparency. My guess, for what it’s worth, is that there will be little change in the overall pattern of preferences that are currently set, and that users will continue to pay as much attention to their right to set cookie preferences as they do to all the other sections of the privacy policies, and rest of the regulatory blurb that various industries are required to publish.

My plea to our enforcement chums in Wilmslow today is quite simple. Let’s not forget we do need to go after the cowboys behind this type of spam, even though their brands won’t have the same high profile as those that are trying to me more transparent about their cookies. It’s these guys that are probably capable of causing far more harm to individuals than those who are setting inappropriate cookies on people’s electronic devices.

And my plea to our chums who are overly concerned about non compliance with the cookie requirements is to loosen up a bit, and remember that the ICO also calibrates its enforcement strategy on the likely harm that is being caused, or is capable of being caused, to victims, rather than just technical breaches of any of the rules that data controllers are required to follow.


Saturday 23 June 2012

Best data protection quote of the week

There can only be one winner for my latest “best data protection quote of the week competition”.

It is awarded to Phil Jones, who is currently a special advisor in Promontory’s global privacy and data protection practice in London. Almost everyone who is anyone in British data protection will have benefited from Phil’s advice – for it is he who spent 20 years at the Information Commissioner’s Office, playing a key role in the authoritative practical implementation of British data protection law.

What he has to say matters. It mattered then and it still matters. So it’s especially important to listen when he speaks about the draft Regulation.

Phil was a panelist this week at a conference organised by PDP, held at the impressive offices of SNR Denton in Central London. He referred to accountability as a excellent data protection principle, but stressed that the European Commission, by proposing that all data controllers adopt overly bureaucratic structure to demonstrate just how accountable they were, were weakening the very principle the Commission was trying to promote.

The levels of detailed prescription in the draft Regulation, together with the reserved powers for the Commission to impose more detailed requirements on data controllers, comprised: “an awful attempt to impose harmony through prescription. It undermines and makes it very difficult to sell the reason for doing it.”

I absolutely agree.

I can understand the desire for policymakers to make policy. But they have to have more than half an eye on the practicalities of implementing the policy. In the regulatory culture I have been brought up in, new data protection policy is not something you can wave a magic stick act and assume that everyone will follow whatever whim passes through Parliament (or the Regulator’s offices). Politicians – and regulators - need to think how they can woo their audience of data controllers, not tie them up with obscure rules and red tape, especially if they intend to develop long lasting relationships with them, based on mutual respect and trust.

I fully understand that the regulatory culture may be different elsewhere within Europe. And that in some countries, people prefer to be told precisely what to do. But that doesn’t work in ‘Blighty. If British citizens react so vigorously against the concept of ID cards, I really don’t think that British enterprises will take that readily to an over complex system of requirements, controls and audit tools.

Let’s refocus the debate back to transparency – and to fairness. And let’s continue to ensure that whatever data controllers do, they would always feel comfortable explaining it to the mighty Jeremy Paxman on BBC’s Newsnight programme, if they were ever required to do so.

Image credit:


Thursday 21 June 2012

ISEB Accreditation: The result

Well, I may not have had a letter recently from the Royal Household announcing that Her Majesty was minded to award me an honour in her recent Birthday Honours List, but in data protection terms I’ve received the next best thing.

I’m now certified. I’m not insane, but I evidently do possess a sufficiently wide body of data protection knowledge to convince the British Computer Society that I do know what I am talking about.

Sincere thanks go to my tutors, Chris Pounder and Sue Cullen of Amberhawk Training. Their mastery of the subject gave me the confidence I needed to put myself forward for an exam that I was seriously concerned I might fail. Their patience and good humour gave me all the help I needed to enter the exam room fully prepared.

For those that are thinking of taking the ISEB plunge, I can only offer encouragement. It is not an easy exam - but it shouldn’t be easy. It’s about showing examiners that you are capable of exercising discretion in a variety of circumstances. Which is what we should all be doing in our day jobs.

And remember – with the increasingly optimistic employment prospects for data protection professionals, our HR chums love to see a candidate with a relevant set of qualifications on their CV. So go for it – I believe the investment really will pay dividends!

Monday 18 June 2012

Is this another scam for the regulators to get their teeth into?

I was chatting today to someone on my mobile phone and I noticed that an unsuccessful attempt had been made to contact me while I had been on the line.

So, I dialled the calling party (0203 476 2608) and this recorded message was played back to me:

"Hello, please hold for an important message. If you’ve been involved in a road traffic accident in the last 3 years, please press 1.

To have your number removed and not be called again, please press 2."

So, I pressed 2 and heard the message:

"Thank you."

And that was it. I don’t know who these people were, what business they had with me, or how they felt that I had given them permission to call me, presumably using an automated dialer.

That’s more than a tiny bit naughty – but fortunately the enforcement team from the Information Commissioner's Office has powers to go after these guys and give them a good regulatory going over. And impose enormous fines if they’ve been causing misery to lots of people. I wasn’t made miserable by the encounter – mildly inconvenienced at most, I suppose. And the inconvenience soon turned into a sense of relief when it dawned on me that I had some new material for my blog!

It’s always possible that others who were contacted were inconvenienced - and that they were having their hopes improperly raised by someone who might have been harvesting details of people who could subsequently be "sold on" by means of introduction fees to someone else.

Anyway, I hope that these guys get what they deserve.

Whoever they are and whatever they were after.

Image credit:

Chris Ison/PA On 5 November 2011, a large number of cars and articulated lorries were involved in the devastating crash near Taunton in Somerset, described by emergency workers as “the worst road traffic collision anyone can remember.”

Another great way to use Google’s Street View service

I’ve found another great use for Google’s Street View service. Whenever I get emails advising me that I’ve been carefully selected to assist someone who is trying to launder some money, I can look up the address that’s been supplied and work out how genuine this particular offer appears to be.

For example, a few days ago the following email hit my inbox:

Dear Sir/Madam,

My Name are: James Francis from Florida USA I was the personal account officer of late Libyan Leader Omar Muammar al Gaddafi for 25year, before his dead last year 2011 he ask me to transfer a very huge amount of money about $20m (Twenty Million US Dollars) to a Commercial Bank in Malaysia (Chase Bank) for a twenty five story’s building he wanted to buy in SARAWAK MALAYSIA without a beneficiary name because of the nature of his country, Since after his death no one has come for the claim of the money due to the fact that there was no beneficiary to the fund.

Now the Bank (Chase Bank) is asking me to present the beneficiary of the money that they need to transfer the money back to the owner since the account is dormant for a long time now. After going through your profile and that of your company I believe you are the right person for this job since your company’s business correlates with a kind of business I would like to invest my own share of the money when is finally transferred.

But right now my healthy condition and security in my country I can’t transfer this fund to my personal account rather I want you to assist me to receive this fund"
If you would assist me with this I will compensate you with 30% of the total sum and at the same time invest my own money in your company’s business. More details will be sending to you when I receive your interest response.

You are free to call me for more information.

Thanks & Best Regard
James Francis,
5050 South Florida Ave, Suite 200-B
Lakeland, FL, 33813
H/P: +1-732-659-5513

Does this proposal sound convincing to you?

And are you any more convinced when the Google Street View image (pictured) suggests that, at least at the time the image was taken, James Francis lives in an empty shopping mall?

I wasn’t that convinced, either.

Who else has had any similar emails from less-than convincing addresses recently?


Saturday 16 June 2012

My initial view of the draft Communications Data Bill

In my experience, some of the most pressing political issues of the day aren’t debated rationally. The big decisions are often taken on a tide of emotion, rather than a dispassionate analysis of the supporting arguments advanced by the proponents and detractors. Why? Because they are taken by people in the public eye who are mindful of the political consequences of the decisions they are required to take. And when an election is around the corner, politicians are generally not that keen on promoting causes that will result in their own political demise.

I think we can apply this analysis to the current debate around communications data. How can the State save lives, prevent crime and maintain public order, while at the same time not snoop on the private lives of innocent people? The big beasts will be rolled out from each side, while the politicians will review the Government’s proposals with one eye on their own electoral futures. It’s not an edifying thought.

I can appreciate both sides of the argument – and I can see holes in the cases that each side are advancing, too. And I want to hear the counter arguments for these holes before I really make my mind up.

I can absolutely appreciate the genuine desire of the law enforcement community to fight crime, using all legal powers at its disposal. But I do not understand, then, why is appears to be the case that law enforcement officials in other EC Member States appear not to rely so much on communications data. If we are to believe a recent press article, the Czech police manage quite well despite the severe constraints on the types of communications data they are allowed to use.

It was reported that, in March 2011, the Czech constitutional court decided that operators did not need to store traffic and location data about customers' electronic communications, leaving the police to rely on data kept for other purposes, such as billing. Yet, amazingly, according to information requested by privacy protection watchdog Luridicum Remedium from the Special Tasks Department of the Czech police, the Czech Republic detected an increase in the crime detection rate from 37.55 percent to 38.54 percent, despite a 10-fold drop in the number of requests for information.

I can also appreciate the genuine sense of outrage, felt by many opponents of the Government’s proposals, that the huge increase in the types of internet records that are to be required to be retained represent an illegitimate and disproportionate grab by the State for the soul of every British citizen.

But if these opponents, or their families, had been closer to recent terrorist outrages, or had been personally affected by awful crimes that might have been able to have been prevented, I wonder how greatly their outrage would be muted.

I expect a considerable debate to occur about the purposes for which communications data can be obtained by an investigator. After all, there are a range of “good reasons” why an investigator might need it which are not at all connected to criminal behaviour. For example, a vulnerable person may have gone missing, and their next-of-kin will want them located. Or someone may die in the street (of natural causes) and there are no forms of identification on the body - but there is a mobile phone. So how else will a policeman contact their family? Or, a public authority may want to track someone who owes them money, and all they have to go on is a mobile phone number.

Whatever the purposes are set out on the face of the legislation, we can expect the list to be reviewed in due course. And possibly extended – by Statutory Instruments that won’t attract anything like the sort of publicity (or public scrutiny) than this Bill will get. It’s happened before. And hardly anyone complained (or probably noticed). Get over it.

Public confidence over the Bill may be affected by a quirk of data protection law, which means that individuals whose personal data have been disclosed to public officials exercising statutory powers to obtain it have no right to be told that their information has been so disclosed. (In technical terms, there is an exemption to the Subject Access Right for such disclosures.) So, if you don't know what or whether any information about you has been disclosed, how will you satisfy yourself that no improper disclosures have occurred?

It would be deeply ironic if citizens only realised that something inappropriate had occurred when a police force contacted them to apologise for the fact that, due to a data breach, the police had managed to lose the personal information the citizen didn't know had been disclosed to the police in the first place.

In the end, I expect the issue is going to turn on the extent to which British citizens will trust those who will be accountable for ensuring that the new system, however it is designed, is not abused. And this could be a hard sell. To a large extent, public confidence could be affected by other (unrelated) charges of official misbehaviour. Or public confidence could be affected by an apparent unwillingness by the relevant overseers to make themselves known, accessible, and appreciated, by the British public.

I also expect that the issue is going to turn on the extent to which (a very much smaller number of) British citizens will trust those who are designing and operating the magic internet filters that will evidently make sense of all these encrypted internet communication records. These are the records which have not previously been kept by traditional internet and mobile providers, but which apparently will furnish investigators with precisely the right answer to their queries, using just the right amount of internet data, and guaranteeing that absolutely everything not required will be securely destroyed.

I don’t know who these designers are, and I don’t know how (or if) these magic filters actually work. Hopefully, unlike the magic equipment used by Penn & Teller, Derren Browne, and Paul Daniels, technical experts that British citizens trust will be invited to give them a thorough investigation, rather than a cursory glance, and confirm that they only do what they are supposed to do. Perhaps British citizens would feel better if these magic filters were also certified by national luminaries such as J K Rowling, Stephen Fry, and Cheryl from Bucks Fizz.

Finally, we should not forget the elephant in the room. We are talking, after all, about technology. And when it works, I expect that every Government (of every persuasion) will take every step to ensure that these technologies are embedded in the communications infrastructure of every State.

But, at least we Brits will be able to feel secure in the knowledge that, in our magnificent country, our public servants and our national Governments will take a greater pride in observing principles of decency and fundamental human rights than will be the case in many places elsewhere.



Friday 15 June 2012

One view of the draft Comunications Data Bill

The Open Rights Group has just released a short video about the Government's draft Communications Data Bill.

What do you think?

Brilliant choice of music - it so reminded me of a haunting, American TV serial drama, Twin Peaks.

For the record, I have not yet formed my own view on the Government's proposals - as I have not yet finished reading them.


Thursday 14 June 2012

The dangers of applying SOCMINT too literally

Have I died and gone to Heaven? I felt like asking myself that question today, after reading the Google Alerts that had just been sent to me.

For those not in the know, Google Alerts is a great way of being sent information about specific things. So, a few months ago, I arranged for Google Alerts to alert me each time “Martin Hoskins” was mentioned on the internet. This was not (really) for vanity purposes, but to find out just what would happen. After all, I knew what this Martin Hoskins had been up to, but I didn’t necessarily know what other Martin Hoskins had been doing.

Is this important? Well, for those trawling the internet for various purposes, yes it can be. It’s always nice to know that you are collecting information about the right Martin Hoskins. If you want to dress up the exercise and cloak it with a fancy title, you would probably come up with SOCMINT – the gathering of Social Media Intelligence about someone. The think tank Demos have recently published a paper about it.

So, have I just learnt about Martin Hoskins, then?

First, courtesy of the Telegraph Online, that he had commented yesterday on the Information Commissioner’s Office’s proposals to reopen the Google Street View investigation. Yes, I remembered this – the quote appeared in the on-line version of the publication within hours of my speaking to their (excellent) journalist.

Second, courtesy of the Mail Online, that: “An article on 14 February 2012 incorrectly stated that Martin Hoskins had frozen to death on an overnight fishing trip in sub-zero temperatures. In fact, he died of natural causes. We apologise for this mistaken report and for the consequent distress caused to Mr Hoskins's family.” No, I wasn’t aware of this one. I didn’t know that Martin Hoskins, nor do I think I am related to any of his family.

But, it got me wondering how effective the internet trawls are for snippets of information about anyone in particular. Just how confident are we that the gossip that is being scraped about us really does relate to the correct person? A thought for those corporate HR teams who like to use the internet to scrutinise the moral characteristics of potential employees.

The moral of this tale is pretty obvious – we need to carefully manage our on-line reputations, by making sure that the searcher gets to see what we would like to have said about ourselves. Are we all doing enough for charity? Or for sick animals? Or are we attending enough parties with the Lord Lieutenant of the County?

And if we weren’t before, we might start posting this sort of stuff on our Facebook accounts, pretty soon.


Image credit:


Wednesday 13 June 2012

The strange case of all these preserved text messages

I don’t know about you, but I’m a bit confused. You see, I’m following the proceedings of the Leveson Inquiry, and am constantly amazed at the amount of evidence that gets unearthed whenever someone wants to ask a significant question.

Take, for example, the current line of questioning about the links that exist between members of the media and the political classes. I’m enthralled at the torrent of detail that gushes out each day about precisely who sent what text message to whom – but I don’t really understand how someone has been able to preserve (and subsequently provide) the content of the text messages we are hearing so much about.

I’m absolutely certain that the requesting parties wouldn’t have been able to use RIPA powers to demand that the content of these messages be handed over by the mobile phone companies, as they don’t keep them. All they are required to know is when a message was sent, not what was in the message.

So, who is storing this stuff?

Do our politicians have special phones, with huge memories, that retain them? Or are they forwarded to some central political database, to ensure that regulatory authorities can access them when investigating political misbehaviour? Does everyone who uses this special database make sure that all their friends don’t sent them incriminating messages, which would prove incredibly embarrassing should they be required to be produced to people like Lord Leveson?

I really would like to know.

It’s especially important, I think, because soon the Government will be unveiling its own cunning plans to require communication and internet service providers to retain more information about how people use their services. I hope no-one gets confused, and assumes that the Government will be requiring these providers to retain the content of their communications.

So, the sooner we all understand just where the evidence about the content of these text messages is coming from, the faster we will be able to trust the Government when it assures everyone that it is not going to be requiring communication and internet service providers to keep this stuff.

Image credit:


Tuesday 12 June 2012

Cookies: Thank goodness we operate from ‘Blighty!

Not only can we Brits celebrate the Queen’s Diamond Jubilee, England’s (relative) success in the Euro 2012 Football Championships and the impending Olympics, we now have another reason to cheer.

Information Commissioner Christopher Graham was on sparking form when speaking to the assembled crowd at the Evidon Empower II summit in Central London today. In typical no-nonsense style, he set out to bust three “cookie myths” that had emerged, and left everyone impressed with his determination to apply fairness and common sense to a community that is in a pretty fragile state right now.

Christopher Graham only made one tactical mistake. Had he not have had to leave half way through the proceedings, he would almost certainly have been carried, shoulder high, around the audience to wild acclaim at the end of the event. Why? Because the audience was also treated to a view of the cookie conundrum from the perspective of German and French privacy regulators, and from a Dutch lawyer who spoke about the Dutch regulatory climate.

Believe me, ‘Blighty is the place to do data protection business in.

The German data protection regulators evidently can’t even decide if their Government has enacted a sufficiently wide cookie law – and they are so concerned about the matter that all 18 of them will hold a meeting in September (yes, in September) to consider the issue. Turning to the Netherlands, all Dutch webmasters are expected to comply (already) with a law that came into force last Tuesday, with (apparently) no period for reflection as to what it actually means. At least the Brits had a year to think about things before the ICO got tougher. And the French – well, let’s just be glad that British webmasters aren’t expected to take the steps evidently required by our chums at the CNIL.

Very tellingly, though, a CNIL official paid the ICO an extraordinary compliment, indicating that perhaps even they accept that French webmasters were likely to face significant compliance issues if they were to follow the letter of the French law: “If all of the companies in France followed even the ICO’s guidance, we would be very happy”. So, even our French chums are capable of displaying that touch of pragmatism that is so often necessary in data protection land.

Christopher Graham was on sparkling form when he put his (metaphorical) myth-busting pants on to slam allegations (1) that this cookie stuff is all the ICO’s fault, (2) that at the last minute the ICO changed its mind on the consent rules, and (3) that no-one takes any notice about cookies. All good stuff. He then dropped the bombshell that the Article 29 Working Party had, very recently, reached an agreement (yes, a unanimous agreement) as to which cookies, under certain conditions, can be placed without the requirement of informed consent. The opinion also gives guidelines for deciding whether a cookie is exempt from the principle of informed consent.

Personally, given the huge difference of views that those speaking for the French, German and Dutch regulators expressed, I’m looking forward to reading it to work out just what it is that everyone can agree on, for it does seem to be the case that there is a lot that regulators can’t quite agree on just yet. However, as I’m a “glass half full” rather than a “glass half empty” blogger, I want to celebrate the bright side of things.

Here is a link to the actual document, and the press release. Let me know what you think. It might just be one of those that really is worth reading!


Monday 11 June 2012

Looking at good data protection

One of my nephews asked me a very challenging question during a family lunch over the weekend.

“What does good data protection look like?” he asked.

“Shut up and finish your trifle” I felt like replying – but I didn’t. It’s a question that I’ve been asked on more than one occasion, recently, so I’ve been developing an answer which I hope won’t sound too rehearsed each time that deceptively hard question is raised.

I must confess that, until very recently, I was not fully aware at the extent of public knowledge about data protection issues. You see, I’ve obviously led too sheltered a life. When you surround yourself with data protection professionals, and spend lots of time answering hard questions posed by people who need reassurance on data protection matters, you tend to forget what a small world this can actually be.

I’m now spending increasing amounts of time with people whom I might previously just have criticised as “not getting it”. I now need to spend far more of my time trying to paint a picture of what it is that good data protection standards will actually achieve, so that these people can do the maths for themselves and work out whether the investment needed to reach this standard will actually pay off.

Individually, we may feel worried about losses of personal information when responding to ICO surveys’ etc, but how many people actually do anything about it? How many of us have waited for an email from our chums at LinkedIn to advise us that, very regrettably, our passwords may have been compromised due to a recent security incident, so, as a precautionary measure, we should change the password? And how many of us have actually changed these passwords, regardless of whether we received an email?

And yet we are the privacy professionals. So when enough of us can’t get sufficiently concerned about our own security to carry out basic password-changing routines, we should hardly complain when the great unwashed haven’t the faintest idea about what good data protection actually looks like.

Anyway, as my nephew finished his trifle, I explained to him what good data protection looks like. He liked it. Both the trifle and my explanation. And then he spent the rest of the afternoon making funny images and playing games on my iPad, demonstrating a far higher level of technical proficiency on the thing than I’ve ever managed.

If you want to hear my explanation about what good data protection look like, it looks as though you’ve got two choices. You can either invite me to Sunday lunch, and slip the (data protection) question into the conversation, preferably as we’re enjoying our pudding. Or, you can pop along to one of the information governance networking events sponsored by the British Standards Institute and hear me talk about this very subject. I’ll be speaking at the BSI’s offices in Milton Keynes on 14 June and in West London on 3 July.

My next challenge will be to turn this explanation into a popular ditty, that can be sung to the tune of a well loved song. But I won’t work on that project that until I’ve had some audience feedback on whether what I see as good data protection practice is considered credible in their eyes.


Image credit:


Friday 8 June 2012

How many events can a data protector reasonably attend each year?

I left the Hampstead Theatre last night on a high. It was a brilliantly exhilarating production of Chariots of Fire, which will shortly be heading its way to London’s West End for a season. That haunting tune by Vangelis is still buzzing in my head. And as the production developed, I really began to engage with the lead characters. They were sprinting in front of me, behind me, right through the audience, in wonderfully choreographed episodes that really made me feel part of, rather than just watching, an event.

Who were these characters? Basically, they were a bunch of people who enjoyed running around in circles, developing an unremitting routine that would involve exposure to the “same old, same old”, each and every day. It reminded me very much of today’s data protection practitioner, who trudges wearily (and occasionally joyfully) to event after event, hoping for inspiration or a nugget of wisdom from some practitioner in the field who has actually spotted a new angle on stuff that’s gradually developing and which may become something important at some stage.

Since the end of February, I’ve kept a list of data protection events that are of likely to be interest to British data practitioners. The upcoming ones are listed here, while an archive contains brief details of those that have already been held. Of course, I’m not counting them all – only those I become aware of. But, I have become aware of 45 events that have already happened, and my list contains details of another 33 that are on their way. Most of these events occurred in London – so I must be missing out on many of them.

Even so, that’s an awful lot of events. Basically, if you had nothing better to do, I think you could almost live off the canap├ęs and wine which are in abundance, up to three times a week. The trouble is, I don’t think that there’s really enough news out there to fill all of the presenting space that is now available. And I ought to know. I am finding it ever harder to find fresher ways of showing how much I care about data protection stuff. But, I will be speaking at a number of events over the next few weeks, so I really should not bite the hand that offers me so much public exposure. Especially since I am now be available for private consultations as well as public performances.

Unlike athletics, though, data protection isn’t a race. No one wins. Ever. It just never ends. Just when you think you’ve dealt with one event, another one crops up. Or, there’s media pressure for the regulator to open up an issue that almost everyone had thought had already been settled. And everyone is only as good as their last win (or speech). Few people care about celebrating the great work that has already been achieved, the focus always appears to be on finding new ways of addressing the fresh challenges ahead.

All hope is not yet lost. A really clever bod at the Data Protection Forum has had a brilliant idea. Perhaps, just once a year, we data protectors could relax for a few hours and celebrate some of the highlights of the last season. Something like an awards ceremony. Awards could come in the form, say, of “ICO Indulgences”, ie a “get out of regulatory hell free” token for the next awful incident that the poor Data Protection Manager experienced.

Data Protection Hero of the Year could expect to have lunch with Commissioner Viviane Reding. Data Protection Villain of the Year could expect 2 lunches with Commissioner Reding.

Let me know what you think. Tell me if you have any bright ideas for categories (or recipients) of suitable awards.

And, please, let me know if you also think that there are too many data protection events currently being organised in ‘Blighty. (Or, alternatively, if you want to book someone like me as a motivational speaker for your own event!)

Image credit:


Wednesday 6 June 2012

Wanted: a (British) patron saint for data protection

A very impressive crowd comprising the usual suspects attended the summer meeting of the Data Protection Forum today. I had the honour of chairing the proceedings, and thanks to the usual Data Protection Forum –style democracy, the Annual General Meeting went off without a hitch. Yours truly has been duly returned to Chair the Forum meetings for the next twelve months, and I am extremely lucky to be able to rely on the everso impressive Jenny Gallagher to share the Chairing duties with me.

If the cunning plans that I revealed to the membership, following some intensive brainstorming work by the other Committee Members, come to fruition, the Forum will be in a very different shape this time next year. Copies of these plans are available to anyone – well, anyone who fancies joining the Forum, anyway.

The main part of the day, though, was spent considering the data protection implications of “emerging technologies”. We data protection folk need to be as cool and as savvy as the current crop of school leavers. We need to understand what’s happenin out there, so we can advise on ways of remaining cool & wiv it.

Actually, this is hard. The pace of change is bewildering. This is both in terms of the computing technologies that are being developed, and the electronic toys that we will – and increasingly already can - buy to exploit these technologies.

Anthony Nagle from the London office of Morrison & Foerster gave delegates some extremely useful tips about the pitfalls of the way companies currently feel obliged to use social media. Olivier Proust had kindly travelled from the Brussels office of Morrison & Foerster to provide an update on the cookie issue, and how the key debates were being played out by different Member States. (Top tip – ask your friends what the Bulgarian implementing legislation provides, and then ask yourself how long it will be before the Data Protection Taliban wakes up to what they’ve done!) In my view, the international data protection community has excelled itself, and has created a monster even more complicated than transborder data flows to implement.

John Morrison, of Sapphire reminded us of the insatiable demand for employees, at all levels, to bring their own devices to work, and the security implications that follow. Finally, Gail Crawford, of Latham & Watkins, reminded us that most of this stuff was likely to end up being processed “in the cloud” , and the implications of this were still unknown. It made me think whether, given the trajectory of the pace of technological change currently taking place, we should actually first try and understand the implications of these technologies before designing laws that are supposed to regulate them. Or should we continue on our current path, which is to amend current laws before we really know how the new technologies will be capable of being applied to them?

Fear not, I suggested. We data protection folk are hardy folk, and we’ll all enjoy careers for life – and this ought to bode well for the future of institutions like the Data Protection Forum.

One issue was nagging me throughout the day. It’s been mooted that the British data protection community needs a patron, someone to whom everyone could look to for inspiration and guidance. Should we extent invitations to the established legends of the British data protection world? People like Eric Howe, the first Data Protection Registrar? Or Elizabeth France or Richard Thomas, both former Commissioners? It would not be fair to invite current ICO folk as they are currently too close to the game.

My view, for what it’s worth, is that our first patron ought to be someone like the legendary actress Thelma Barlow. Why? Because of her catch phrase as the incomparable Mavis Riley in Coronation Street. That lingering phrase, raising to a crescendo and then tailing off into ... futility ... “I don’t really know” –is one that is likely to cross our lips with increasing frequency, especially when we are asked if we know whether the European data protection regulators are likely to develop a common position on so many of the important emerging issues of the day.

The September session of the Data Protection forum, scheduled for 12 September, promises to be a cracker. Get in touch if you want some advance news on those who will be astounding the delegates with their amazing insights into the way regulators develop opinions – and then have their minds changed.

Image credit:


Monday 4 June 2012

Branching out

After over twenty years of having enjoyed the honour of being an employee for various companies, and being paid for doing the data protection work I love, I’ve branched out on my own.

The next twelve months – at least – will be a period during which I will be determined to prove to myself that I can create a bespoke consultancy practice, where likeminded people will congregate to help each other out and find solutions that fit the lives of British – and European - citizens.

I hope that I’ve picked up enough skills along the way to demonstrate to potential clients that I care about this data protection stuff. I do care about fairness and transparency, and I care about being able to deliver solutions that are ethical and far-sighted.

I’m reminded of the advice that Aaron Sorkin gave to this year’s graduates when delivering his Commencement Speech at Syracuse University. I know that there will be times when I’m going to fall down. But I’m not going to care about how many times I fall down, so long as it’s one fewer than the number of times I get back up again.

I sense I’m going to rock the boat along the way, too. Not everyone will approve of the way I work, or of the way I (occasionally) speak out about the issues that grip me each day. But, like Aaron Sorkin, I’m well aware that decisions are made by those who show up. And I intend to keep on showing up, on the conference circuit and around the Westminster village, and beyond, to gently remind the principal decision makers of the consequences of particular choices that they feel need to be taken.

I’m also determined to remain on the best of terms with everyone I’ve previously worked with. We are all people with a passion, and all we have our own opinions – and I’m far too modest to suggest that my current opinion is the only one worth listening to. In a way, that’s the challenge that I’m most looking forward to – I know my current clients extremely well, and so I know what advice best suits their particular risk appetites. And, I hope to continue to develop the great working relationship I have with them. Equally, I’m really looking forward to understanding just why it is that new clients will have slightly different desires, different challenges and different risk appetites. Critically, the customers of these new clients are likely to be the same individuals whose interests I've been protecting for the past two decades anyway, so I'm confident that I know what they need.

Starting a business for the first time, dealing with lawyers and accountants on issues about which until recently I had no understanding, is invigorating and great fun. Lots more decisions need to be taken before I can fully apply my thoughts to the creative side of data protection advice. But I’m so glad to have taken the opportunity to see what creating a business is all about. And I do hope to continue to show up, as it were, on this blog, to offer a slightly different take on data protection than one would get just by reading the professional journals.

My blog may well offer a less serious approach than other commentators adopt, but who ever said that data protectors shouldn’t be allowed have fun as they worked!

Saturday 2 June 2012

The tale of King Otto and the cookies

I’ve been preparing a presentation on cookies for a bunch of marketing professionals. I’m guessing that they will already be bored stiff of hearing about the legal minutiae, and will switch off almost as soon as I mention either of the dreaded phrases “European Commission” or “data protection”.

So, how should I craft something new that makes a few serious points, while at the same time keeping an audience like this engaged? I’ve formed a cunning plan. I’ve be wearing a pair of red specs and will use linguistic terms that these guys get. And when I’ve told them the tale of King Otto, I’ll explain the relevance it has to the development of cookie regulation over the past few years. Then, they might understand what I’m on about.

Some of the language used by those who told the original tale of King Otto is quite rude, so I’ll clean it up, but I will let them know where they can read the unexpurgated version. The original tale was narrated by John Cleese in a 1972 episode of the amazing Monty Python’s Fliegender Zirkus.

The tale is of a wise old king called Otto (pictured), who played strange songs on his Hammond Organ up in the beautiful castle where he lived with the gracious Queen Syllabub (also pictured), and their lovely daughter Mitzi Gaynor. One day, Mitzi suddenly fell in love with the most beautiful young man she had ever seen. Luckily he was a prince. So she looked him up in the Observer's Book of Princes, learned his name, and went and introduced the subject of marriage to her father.

King Otto, as was his want, before giving permission to marry, always set the same task to princes, which, if they succeed, proved them worthy of his daughter's hand. At nine o'clock the next morning, armed only with their sword, they had to go to the highest tower in the castle, and jump out of the window. Invariably, dressed in a beautiful white robe, and gripping their magic sword, they would plummet to a painful death.

One day, when Princess Mitzi was out hopefully kissing frogs, she spotted a flash of gold beneath a weeping willow tree, and there, sure enough, was a prince. His name was Walter. He was rather thin and spotty, with a long nose and bandy legs, and nasty unpolished plywood teeth, and bad breath, and a rare foot disease, 'But', thought Mitzi, 'a prince is a prince,' and she fell in love with him without another thought and rushed into his arms. And after a time, or a few times anyway, he too fell in love with her, and very soon they were on their way to ask King Otto's permission to wed.

This time, giving into pressure from Queen Syllabub, King Otto changed the task. Prince Walter was excused of jumping out of the tower, and instead the following exchange took place:

“King Otto: Uh, oh, you must, oh... go down to the town and get me twenty Rothmans.

Prince Walter: What, now?

King Otto: No, tomorrow morning!”

And what’s all this got to do with cookies?

Well, are all old enough to remember the dire warnings of an impending disaster as web masters protested that were to be required to ask internet users to “consent” to something that everyone believed would be far too hard to explain. And yet, what’s happened since the ICO’s recent compliance milestone passed? Have internet users miraculously become better educated? Or has someone changed the task?

All will be revealed should you amble along to my presentation during the Marketing Week Live exhibition at London’s Olympia later this month.