Friday 31 August 2012

Another nail in the Digital Economy Act’s coffin?

Crouch End is a wonderful place to live. It’s full of coffee bars where you can overhear media and entertainment industry types having a not-so-quiet moan. Some of these luvvies are actually pretty loud. Yesterday, I overheard a couple of record industry execs having a bit of a moan.

I didn’t have to try that hard to listen to them - we were sharing a table in one of Crouch End’s nicer (and more crowded) establishments, yet they made no attempt to use veiled speech, or talk about stuff that might not be of interest to anyone in their immediate vicinity.

These execs started their chat by reminiscing about the old days, when they and all their friends used to swap songs they had recorded on cassette tapes. Yes, they really were that old. Did that stop them from buying new music? No – it simply opened their ears to different types of music which they would, subsequently, consume legitimately.

And what were their thoughts on the bits of the Digital Economy Act that would, as they put it, require internet providers to pass on customer information to the copyright holders, in order that warning letters could be sent to people whom, in normal circumstances, the holders were trying to develop warm, cuddly, relationships with?

This is a family website, so it’s not appropriate to faithfully record their comments – nor to comment on just how many asterisks would be required to mask (most of) the rude bits.

Let’s just put it this way. They don’t feel it will work, nor do they think that it deserves to work. Young (and not so young) people will continue to consume their digital entertainment in whatever way they like. Especially if they can get it for free, given the current economic climate. Digitally (and economically) speaking, these people are pretty switched on, you know. They know that the very best way to consume music these days is through You Tube, rather than iTunes or CDs. Which is free. They know that artists really make the big money by tours and merchandising these days, not directly by their music.

If you want more evidence of this, pop down to Canary Wharf and prepare to be amazed at the prices that are being charged for signed posters of Ronnie Wood’s latest artworks. He’s doing all right, that guy. Should the Rolling Stones ever fold, he’s got another very lucrative career to fall back on.

Still, what do these record execs know about the politics of copyright (or internet) regulation? They’re not in the “regulatory affairs” departments of the record industry companies, so they don’t need to toe the corporate line. These guys can call the issues as they see them. And what they see, they don’t have much confidence that regulation will put right.

But it made me think.

Can we really change social (and internet) behaviours simply by passing laws? Especially when the resources may not exist to enforce the laws? And when the citizens whose behaviours Parliament has decided to change don’t share that same vision?

I don’t think so, either.

When it comes to the internet, we probably need to change social expectations and behaviours first, and then get the law to catch up – rather than expect to get faster results by changing the law and hope that people’s behaviour on the internet will, naturally, alter.

Image credit:


Wednesday 29 August 2012

A new way to present privacy policies

It’s taken me almost a year to do something I used to do all year.

Yes, I’ve finally finished a modern novel.

And no, it’s not 50 shades of anything. It’s a modern novel with a data protection theme – which was highly recommended by some chums I ran into at the IAPP congress when it was held in London, late last year.

The title – “Super sad true love story”. The author - Gary Shteyngart. I’m not going to give away the ending – other than to reflect on the plot, which is to ask whether, in an information rich world, it is possible to survive an economic collapse. An information superhighway will not necessarily lead to liberty for all.

Enough said about the book. It must have taken the author a long time to write it, and I don’t want to affect its commercial impact.

But it did bring home a point that I’m becoming firmly aware of.

And that is about how I consume literature, or knowledge, these days.

Perhaps I read too much for professional purposes – but at the end of the day I really can’t face sitting down to read another, physical, book. I’ll go to a theatre at the drop of a hat to experience live entertainment, or to a concert or the cinema, and I love reading short, punchy, material when it’s presented to me on-line, but I find it so hard to sit down and pick up an actual book. What gets most thumbed in my household is my Penguin rhyming dictionary, not some piece of modern literature. Books are getting too long, there aren’t enough pictures, and when I put it down, I like the device to remember where I left off.

So if I can’t be bothered to read long texts anymore, why should real people feel bothered to read the privacy policies that are so carefully crafted on-line? Surely, if you’ve enough time to read a real novel (or even something ghosted for Katy Price), you’ve got time to look at the fascinating stuff that lurks just beyond the “privacy policy” tab.

Oh no?

How might we be able to bring this stuff to public attention, then?

The answer came to me as I was flicking through the You Tube web site to catch a few more truly horrific, car-crash TV style, examples of auditions by X Factor contestants. Why can’t major corporations commission short, punchy videos featuring well known personalities to explain the privacy policies to their users?

I’m sure some of the corporations would jump at the idea. I can already imagine Sir Richard Branson dressing up as an airline pilot, train driver, ISP engineer or holiday rep to front his airline, rail, ISP and holiday ventures.

Data controllers wanting to remain respectable could hire Stephen Fry. The Queen could do it for the Royal Mail.Or Rolf Harris for the RSPCA. Date controllers at the dodgier end of the spectrum, equally, could book Del Boy and Rodney to tell it straight.

Who says that privacy policies have to be boring?

(Or even, actually, written down?)

Special prizes will be awarded to contestants who send me ideas as to the most appropriate personality for presenting a particular data controller’s privacy policy.

Image credit:

It took almost a year, but I’ve finally read it from cover to cover.


Monday 27 August 2012

Even “Spike” can’t control his online privacy. Tough.

So, that’s it then. While we await for Lord Leveson to report on the relationship between the media and the police, the elephant in the room has reminded us all that we really need to redefine the term “privacy” if individuals are to every have any meaningful control over their own on-line privacy.

The Human Rights Act, as currently drafted, has probably had it. No-one really knows how draw a firm line between the right to self expression and the right to privacy in respect of one’s family life, home and correspondence. And, worse, the controls which do exist don’t appear to be very effective

It has been reported that poor “Spike Wells” has recently had to delete his Facebook account because of media speculation that he wasn’t actually born with that name. Apparently, he’s an army officer – and the army really don’t like it when their officers behave in a way that tarnishes the reputation of other servicemen. When I attended the Royal Military Academy at Sandhurst, the message was pretty clear. When you become an army officer, and are presented with your Commission, signed by The Queen, you are required to adopt behavioural traits that others might not necessarily wish to follow, but they would certainly respect.

Does this mean that much will happen as the usual suspects continue to review the proposals to revise the current Data Protection Directive? Increasingly, I’m turning to the view what whatever emerges from Europe probably won’t have much of an impact on the way we all lead our lives, anyway. Those that wish to comply with whatever legal requirements are passed probably will. And those that don’t understand the requirements (possibly because they are too complicated), and those that see view the requirements as an irrelevance and can’t be bothered to comply (possibly because they interfere with a more pressing business need) probably won’t.

And the regulators? Well, given the huge pressure on the public finances all over Europe, I can’t see that they will actually be granted the resources that really will be sufficient to enable them to properly carry out their statutory functions. But they'll continue to exist so that they can be blamed if anything really awful goes wrong.

So who will really control those who occasionally "misbehave"?

I suspect that what will happen is, first, that people will be given the benefit of the doubt. They are nice people, really. Then, occasionally, something awful will go wrong. Facts (and images) will emerge about individuals and events which put them in a different light from the perception that people may previously have had about that individual or event. Journalists will continue to expose material that entertains, informs and outrages the public. And this continued exposure may well help prevent some of the more unruly bunch from acting so outrageously anyway. Neither money, privilege nor even a threat of violence will prevent the oxygen of publicity that Facebook, twitter or the press can generate when data finds its way into the internet. Think of the Arab Spring. It’s how citizens have changed whole systems of government.

Eventually, the more enlightened individuals will realise that it was largely their own fault that their reputations have been affected by the digital information which had been created about them. So often, they created this information themselves. And, in time, they will learn lessons from this - either by trying to remove the more embarrassing parts of their digital lives from the internet, or by ensuring that such behaviours occur in an analogue world, rather than a digital world.

Camera phones will be left in coat pockets.

And the unenlightened souls will continue to behave in a way that occasionally entertains or shocks the public, as some of their exploits become known to a much wider group of people than they ever originally anticipated.

Dai Davies, a former head of royal protection for Scotland Yard, has recently been reported as saying: “From a security point of view I would never recommend anyone high-profile to have a Facebook account because, depending what you have on it, it is indicative sometimes of where you are going, what you are doing, and more importantly, who your friends are.”

I would go one step further than that, and remind people of the dangers of storing their most private digital information in the cloud, or in any electronic environment that they can’t themselves control. You are only going to get true peace of mind when you can physically lay your own hands on those digital assets. And no amount of European data protection regulation is likely to convince me that others really can be trusted to look after my most highly cherished assets.



Saturday 25 August 2012

The unintended consequences of passing vague privacy laws

The comedians at the Edinburgh Fringe Festival don’t make many jokes about data protection. The best one I've heard over the last few days was: “Four data protection officers go into a pub. Eventually, one of them laughed.”

And yet here I was, attending a parallel event called the Turing Festival, sitting through a session on security and freedom. Surely, I thought, if anyone was going to raise a smile about surveillance and the sort of stuff we care about, then one of these speakers might.

And, actually, they did. But they were referring to a Government initiative that I’m taking a Trappist vow of silence on, so that material will be embargoed for a couple of months.

The surveillance session itself took place in a great location – it was in a lecture theatre in a building which was also used as the Edinburgh Fringe performers’ central base – so the morning coffee break involved meeting (and queuing behind) what can only be described as “comic royalty”. Sue – yes, she of Mel and ... – smiled at me and even said a few words. Then, I removed my bag from the spare seat, received another smile, and she ambled away, with said chair, back to join her friends.

Now, what did I learn today data protection-wise that I’m comfortable about talking about? Perhaps the most important thing was about precision and privacy law. And why many lawyers prefer statutes where the drafting is precise, like computer code, so that everyone knows just what it is that needs to be enforced, and what the output will be in specified cases.

But, and it is a big but, the problem with precision and issues as broad as privacy and technology is that the technology always evolves much faster than the law. So the law often struggles (and frequently fails) to keep up. And what we are left with is living in a world where new concepts constantly have to be tested against legal rules that were probably never designed to cover that eventuality in the first place.

Does this mean that privacy laws that are less specific should be feared? Should we welcome laws that are deliberately designed to be flexible? Or should they be resisted, not because of their sinister intent, but because of the unintended consequences that could result when they are applied to circumstances that those drafting (or reviewing) it never seriously intended?

I’ve usually advocated an approach that allows stakeholders to exercise a healthy dose of pragmatism, as I’ve previously taken the view that people go to work with best intentions, and apply an approach that is designed to benefit the community as a whole, rather than just enrich them personally. But what if I’m wrong? What if there really are lots of people in authority who are just out for themselves? People who adopt sneaky, unethical business practices that cause real harm to their fellow citizens? How should I recalibrate my view on the extent to which such people ought to be able to adopt a pragmatic approach to respecting fundamental values?

I’ve got a lot of thinking to do on the return train to London.

Image credit:

Today’s image is of a notice board in the performer’s central base at the Edinburgh Fringe. It’s littered with post cards from creatives requiring assistance, or just passing on general advice:

“Don’t forget to be awesome” said one.

“Breaketh leggeth [William Shapespeare]”quoth another.

“Our first show had an audience of 12 – awesome” said a third – under which someone had written: “Wow, you got an audience! We’re still working on it”. Under which, in much smaller print, someone else had scrawled: “And so are we.”

The best advice, probably, was the most direct: “Don’t forget to flush.” Or, as another wag put it, “Flush once for moaning Myrtle.”

And finally - sad but true:
According to The Stage, this year saw a record 536 different comedy shows eligible for the three Edinburgh Comedy Awards. That’s more comedy shows than the number of Data Protection Officers who attended the ICO’s Data Protection Officer’s event in Manchester on 6 March.


Friday 24 August 2012

Security and Freedom @ the Turing Festival

I travelled to Edinburgh yesterday to enjoy a couple of days of laughs and bonhomie. Yes, you’ve guessed it. I’m attending a session at the Turing conference on security and freedom. Boy, will that be a bundle of joy.

Co-incidentally, the Edinburgh Festival is in full swing too, which is also a bit of a mixed blessing. I sat behind a well-known comic on the train to Edinburgh, and was subjected to a torrent of new material he was trying out on his fellow travellers, all of whom were screaming with laughter at each punch line. I didn’t think the gags were that funny, actually.

Anyway, after dinner, I popped over to one of the festival venues so see a show. Bad mistake. The headliner introduced, for one night only, a special guest to share the spotlight with him. Yes, you’ve guessed it. It was the comic I had the pleasure of hearing rehearse for 4 ½ hours earlier.


Wednesday 22 August 2012

Midata: here we go again

Have you heard the one about a Government Department actually being interested in giving the public greater access to customer data?

The BBC today carried a great story about a proposal to the Midata project, which is a proposal to require utilities, web firms and shops to provide "machine-readable" records of transactions.

Consumer Minister Norman Lamb was quoted as remarking: "It's clear to me that giving consumers the right to access their own transaction data promises huge opportunities for both consumers themselves and UK businesses."

You may have heard of this idea before, as it was originally launched last November. At that time, Information Commissioner Christopher Graham said: “Midata presents an innovative and empowering opportunity for consumers. It goes without saying that privacy and data security principles must continue to be upheld and I’m pleased that consumer data security has been a key strand from the outset. I look forward to continuing to work with the government and businesses to ensure the scheme complies with the Data Protection Act."

Evidently, not that much progress has been made, so another effort has been made to engage the public’s attention to a new consultation exercise, which was actually announced (and virtually totally ignored) on 27 July. You may not remember much about what you did at work on 27 July – other than it was the day of the opening ceremony of the London Olympics. What chump would have launched a consultation process on a serious proposal on that day?

Everyone has until 10 September to respond to the proposals which might become compulsory. So I hope you’re not planning on taking too much time off during the upcoming Paralympics, which end the previous day.

If ever there were a prize for the “consultation exercise that most people were likely to ignore”, this is a contender.

To my mind, the project is similar to making a Subject Access Request on steroids. We all know what access is provided when an individual makes a Subject Access Request. The significant difference with the current law appears to be a requirement on the data controller to provide information in a certain technical format, so that people who will be selling machine-readable technologies will be able to create software to process these reports and the people buying these machine-readable technologies will be able do something meaningful with them.

How much will it cost data controllers to turn their records into the new electronic format (whatever it is going to be)? Not sure.

Does this matter? Well, given the stink that data controllers have made about the European Commission’s compliance cost assessment of the draft Data Protection Regulation, it certainly does.

How much force will be required to get all the large supermarkets to be more open about the purchases made by their customers, so that those customers can compare the prices with competitors and get cheaper deals? And how many small businesses might this put out of business, if a vicious price war were to take place? And who would stick up for these small suppliers? Will that include the Consumer Affairs Minister? Again, I'm not sure.

But, in the end, let’s concentrate on what matters. Consumer rights and promises about how much better life might be if everything was machine readable. And let’s not worry too much about the awful consequences of what happens when large datasets are accidentally made available to third parties. It’s a good news story, focusing on a customer-friendly initiative. Surely, that’s enough?

Incidentally, I wonder how many public authorities will be joining the Midata project? Given the regulatory action that is increasingly taken against them in respect of their data breaches, which will be the first to stick their head above the parapet and give the ICO yet another reason to fine them when something foreseeable goes badly wrong?



Tuesday 21 August 2012

Accessing exam marks and comments

It was good to see the ICO offer such timely advice last week to the students who were about to receive their A level results.

As David Smith, Deputy Commissioner and Director of Data Protection, said: “Results day can be an exciting time for many students; however it can also be a time of great stress for those who don’t get the marks they require. That is why we are reminding students that they have a right under the Data Protection Act to see information held about how their marks were arrived at, before deciding whether to re-sit an exam or pursue a particular subject at college or university.”

My A level results day was tinged with both huge excitement and stress. I was excited, my parents were stressed.


Because Elvis Presley had died that day. And my overriding memory was that my parents were so stressed about Elvis’s fate that they forgot to think of mine!

Perhaps, to be fair to my parents, that’s a false memory. But it is what I remember.

My nephew has just had his A level results – and he has done really well – so he’ll soon be heading to London to become an undergraduate. And, I’m happy to report, his family’s celebrations were of the “excitement” kind rather than “stress”.

What would bring a huge smile to my face is to see a similar press release next time the ISEB data protection exam results are published – just to remind the data protection professionals of their subject access rights, too. After all, some of those failing could be doing so with pretty awful marks, so they probably need just as much practical advice as the current crop of school leavers.


Image credit:


Monday 20 August 2012

Setting goals, or bumming around?

I like this image. It represents a winner who has achieved his goals. But take a close look at the expression on the winner’s face. It doesn’t look that celebratory to me. In the winner’s words, during an interview the day after his incredible achievement, he spoke about the predicament he was in. Yes, he was on the top of the world. But so many talented youngsters were sprinting hard on his heels. After winning a third gold medal in the London Olympic games, the mighty Usain Bolt pointed out that he now needed to reassess his athletic career: "I've done what I wanted to do. My coach and I will discuss what we need to. But right now I have no goals, I'm just like a bum."

I wonder how many data protection officers face a similar predicament. Not the predicament that global megastardom is guaranteed after having reached the pinnacle of an exceptional career, but the predicament that its actually quite hard to motivate yourself every day, especially when the regulatory future is pretty uncertain. And, when you’ve just returned to work after enjoying a relaxing summer holiday.

So what ought data protection officers do, as this mega juggernaught of a European Data Protection Regulation slowly makes its way through the intestines of a number of European institutions, attended by teams of policy officials from each of the Member States, each stakeholder trying to fashion this monster more in their own image than that of anyone else.

Do we believe the recent claim that under the Cypriot Presidency, the EU is moving into fifth gear, rather than first gear, as it works on the proposals, or is that just another sound bite from a Commission official?

It’s not easy for data protection officers at the moment. Until everyone has a better understanding of the likely outcome, it’s really hard to plan to turn a corporate data protection policy around so that it faces the same direction of the new European policy, or at least, so that, in a few years time, their trajectories will cross.

Given the virtual policy vacuum that this has created, how do data protection officers get their daily inspiration to ensure that their companies, in data protection terms, perform even better each day? What juice exists to power the consciences of this band of few, this special group of souls, these hearty heroes, to get to work and deal with the “same old, same old”. What stops us from turning into the type of bum that even Usain Bolt fears?

Perhaps Sir Paul McCartney had it right, as he sang that wonderful refrain from the end of the Beatles album, Abbey Road, at the end of the opening ceremony of the London Olympics. Only he was talking about love.

As for me, I’m talking about inspiration, motivation, drive, willpower, determination, stamina, desire, endurance, motivation, passion and good old-fashioned niceness. It comes down to knowing what it is that you really want to achieve, with ought necessarily waiting for the regulatory juggernaught to overtake you. It’s about adopting the right attitude to work:

And in the end, the pride you take
Is equal to the pride you make

Or, as Sergeant Stan Jablonski used to say at the beginning of every episode of the 1980’s American television cop show Hill Street Blues:

“Let’s do it to them before they do it to us.”



Friday 17 August 2012

Cookie enforcement: An opportunity for an unjust swipe at the ICO?

If you point your browser to pcpro today you won’t get much of a surprise. You’ll see a recent article by Nicole Kobie reporting that later this month, a team at the Information Commissioner’s Office will start to analyse the on-line submissions that have been sent to them setting out concerns about the way some 320 websites are following the new cookie rules.

This news has polarised those who have posted their own comments on the article.

Most commentators appear shocked that the ICO has not acted sooner (but they have not commented on where the enforcement resources would have come from, and what the ICO should not have done in order that cookie analysis could start earlier). Only a few commentators have pointed out the gap between expectation and funding, or have pointed out that there is a huge difference between a, independent regulator established to oversee compliance with the law (which is what the ICO is) and a privacy watchdog /activist with the aim of enforcing individuals rights above the rights of other stakeholders (which the ICO is not).

So many people have such high expectations of the ICO. But the ICO’s budget is not limitless. Given current funding levels, it simply can’t react to every issue that emerges. And when it does decide to investigate an issue, it can take some time. After all, how many months has the investigation into SPAM texts been going on – you know, the ones which tell you that you are probably eligible for compensation following a recent accident or a Payment Protection insurance miss-selling on your credit card or loan? And how many more months will go by before we stop getting these texts?

Full marks, though, to the ICO for what appears to have been some nifty footwork. So many organisations are obsessed with hitting targets and performance indicators these days. So what has happened to the 320 cookie reports that have been made to the ICO? Have each of these been treated as an individual complaint, meaning that they each need to be resolved within a fixed period, otherwise someone at the ICO gets a kicking?


According to Nicole Kobie: The ICO added that sites reported via the online tool may not necessarily be investigated, saying they "are not being taking forward as individual complaints", adding that "the purpose of this feedback form is to help us to monitor organisations’ adherence to the rule relating to cookies, and identify sectors where further advice or enforcement activity may be required".

So that’s all right then. They are not individual complaints. If you want to submit a complaint to the ICO about cookies, rather than just register a concern, you shouldn’t expect to do so using this form. And, in fairness to the ICO, when you complete the online submission form, you are given no expectation that they will be treated as an individual complaint, either. Here’s the relevant text on the splash page:

Please use this form to report your concerns about specific cookies or similar technologies being used by websites. We will use the information you provide to:

• Monitor organisations’ adherence to the rule relating to cookies, including the provision of appropriate information about cookies to users;
• Identify sectors where ICO contact or enforcement activity may be required; and
• Identify areas where further ICO guidance may be required.
We will not collect your contact details as our intention is to analyse and use the information collated to inform our broader (audit, policy and enforcement) activities. We will update our website with details of any action we are taking.
• Once you click ‘submit’ at the end of the form, the information you have provided will be forwarded to us.
• We will not respond to you individually as a result of the information you provide on the form.
• To ensure we have enough information about a website’s use of cookies, you will need to answer all of the questions in full. Please do not leave part way through answering these questions.

This raises the very interesting question of the ICO’s future complaints enforcement strategy.

May it be tempted to extend the range of issues on which individuals can be invited to register concerns, rather than complaints? And might this move make it easier for the ICO to report ever better stats on resolving complaints quickly (as, presumably, there could be fewer of them)? After all, you can give yourself an awful lot of flexibility over what action to take when you just invite expressions of concern.

Let’s see what happens.

UPDATE: 21 August:

The following link reports that the ICO has disputed the report published by pcpro. The ICO has said that it has reviewed the 331 responses collected from its online cookie concern reporting tool, and its next step is to write to all of the websites highlighted.

It said: “It should be noted that a significant number of the responses do not provide any intelligence that can be analysed, while a proportion also highlight websites that rely on implied consent, which is in line with the EU law.

“A progress update, including a list of all the websites contacted, will be published on our website in November, six months after the cookie concern reporting tool was established.”

If you want to register a cookie concern, rather than make a cookie complaint, use


Wednesday 15 August 2012

Data Protection as an Olympic (and Paralympic) sport

During a recent barbeque, conversation turned to how the Olympic (and Paralympic) Games were likely to be organised in Rio in 2016. Everyone was really hopeful that the Brazilians might pull off a few stunning coups. Will their President open the games after jumping from a helicopter? Will their beach volleyball tournament really live up to expectations? Will the Organising Committees rest a few tired sports, in order that time and space can be given to promoting some new ones?

And if a tired sport is to be replaced, then I have a cunning plan.

This could be the opportunity for data protectors to become true Olympians.

After all, who really needs to see another steeplechase event? All that running around in circles for what seems to be an eternity, jumping over the same horrible hurdle every lap, landing in some gungy mess, carrying on regardless, and then realising that hardly anyone’s that interested in what you are doing.

Yes, I am talking about steeplechasing. Not data protecting – honest!

So how might it work?


Elite data protectors would work in singly, and in teams of 4, and the competition would be held in the main stadium. The task would be simple – to learn as many fabulous facts about the spectators sitting in particular blocks of seats in the stadium in, say, ten minutes. The blocks would be selected and allocated to the competitors randomly, just as the competition commenced.

Data protectors would be required to work from a pen in the middle of the athletics field. They would be provided with an Olympic / Paralympic laptop, ensuring that all competitors used the same digital configuration, and that everyone had the same data upload and download speeds. No other electronic toys would be permitted, and any spectators discovered to be secretly helping the data protectors would be expelled.

Some points would also be awarded for technical merit. If, say, someone found a really cool way to take a digital image of the people they were profiling, and overlay the information in the public domain that was available about them through their Twitter, Facebook, Gmail and Spotify accounts, as well as any of the more unusual social networking sites currently around, then all well and good. Bonus points could be awarded if these people’s digital archives were (somehow lawfully) accessed, and really fabulous facts were to emerge.

Teams would be assessed by international judges, perhaps those with recent experience of working for Google, Facebook, Mossad, the American, Brazilian, Russian and Chinese security services, and MI6. The more deeply hidden the facts, the more points would be earned.

In the event of a tie, the two leading teams of data protectors would hold a Data Off, which would comprise a search of the backgrounds of the judges, rather than members of the audience. That would really separate the true “protectors” from the rest.

What do you think?

I like it, too. So any thoughts for the music tracks, to entertain the audience while their souls are being searched for the world to see? I quite like a mash up involving themes from:

The Sweeney
The Bill
The Killing
Inspector Morse
The Levison Inquiry

And, of course, Prime Suspect

If anyone knows how to influence the Brazilian Olympic & Paralympic Organising Committee (or, failing that, if anyone knows how to get London Olympics supremo Seb Coe to read this), please let me know!

Image Credit:


Monday 13 August 2012

Privacy: How to inspire a generation?

I’ve really enjoying being among the crowds who have been attending so many happy and glorious Olympic events in London over the past few weeks. And I’ve enjoyed watching athletes you’ve never heard of excel at lots of sports you barely knew existed, as well of course as the sports we all know and love.

I’ve also enjoyed witnessing the emergence of true sporting heroes. People whose exploits are going to be talked about for a long, long time to come.

Event director Danny Boyle certainly hit the mood spot on when he ensured that, during the opening ceremony, the music switched to David Bowie’s epic anthem Heroes as soon as Sir Chris Hoy led the British team into the arena.


But, turning to more prosaic matters, where are the data protection heroes of this world? Who can we rely on to inspire the current – and next - generation of data protection officers? Or individuals, who are concerned that their fundamental rights have been abused? Who does the media turn to each time there is another data protection incident? Is the big man in Wilmslow the only one with a voice in this country?

It frequently seems so.

If you search the media for data protection stories, what comes through is an unrelenting narrative of failure. The reports focus on things have gone wrong, and people are demanding explanations. So people are put up to apologise for their actions. You’ve really got to search quite hard for the good news stories.
But how often do things actually go right? And why is it that the good news stories, say those relating to initiatives by the industry to improve standards, get so little publicity? How can we turn (but not spin) media attention around, so that people’s good deeds are given their rightful attention?

I’ve got so bound up in the Olympic spirit that I want to focus more public attention on the good things in data protection life, as we do have a lot to be proud of.

So I’m developing a cunning plan as to how this could be achieved.

Watch out for an announcement about a possible data protection awards ceremony in the not too distant future.

And how should you limber up for the great occasion?

By polishing a few privacy policies, and by making sure that those cookie explanations hit the spot.

And by showing to the rest of us that, in ‘Blighty, there are data protectors who are bold enough to stand ahead of the crowd, who care about fairness and transparency, and who prefer a simple approach to life. Protectors who look on the bright side of life, even.

Data Protectors who develop an approach that embraces the attention span of characters like Homer Simpson, as well as those as clever as Albert Einstein.
If you’ve got a great idea for an award category, or a nomination for an unsung hero, then feel free to get in touch.

Image credit:
The podiums for the London Olympic games were designed by a team of students from the Royal College of Art.

Friday 10 August 2012

Leaving the Article 29 Working Party

It’s summertime. The weather is glorious and the Brits are performing so magnificently at the Olympic Games, which are being held in London.

If ever there were a time for everyone to learn all the words to Rule Britannia, now is it.

Anyway, in my relaxed mood, it’s time to think the (virtually) unthinkable. I’ve been wondering what sort of memorandum might be written by Christopher Graham, our own Information Commissioner, to his colleagues on the Article 29 Working Party, advising them of the consequences of the European Commission getting the politics of European integration horribly wrong and forcing the British Government to decide that it’s in the best interests of Britain for it to go its own way. Yes, and to tear up the “social contract” bits of the European treaties that have been signed. Including the data protection bits.

I wonder if such a memorandum might read like this:

Hi Guys.

I’m afraid it’s not good news. Just like the owl and the pussycat, we’re all at sea. As Edward Lear might have said:

We’ve been negotiating away for a year and a day
In a land where the Commission’s influence steadily grows.
While in a wood a Nationalist stood
With a ring at the end of his nose,
His nose, his nose,
With a ring at the end of his nose.

"Dear regulators, are you willing to sell for one shilling
Your national interests?" Said one plonker, "I will."
So they took him away to get married next day
To a turkey who lives on the hill.

You’ve dined on slogans, soundbites and quotes
Snorted Euro power through rolled up Euro notes;
Hand in hand you’ve created a new vision in sand.
You’ve advanced by the light of the moon,
The moon,
But, for the Brits, you’ve gone too far, too soon.

What does this all mean?

Well, I’m afraid the Euro project is over for us Brits. We’ve been painted into a corner. Yes, we absolutely understand that a consequence of further financial European integration is that everyone in the Euro Zone will get to love each other even more and to follow the exact same rules. But, we Brits aren’t in the Euro zone, and the social rules that you Euro Zoners want to bind yourself together with are occasionally so alien to our British way of life that it would be political suicide for any British politician to say anything nice about them right now.

So, I’m told that we’ll be pulling out. Otherwise the British people will vote for Prime Minister representing the nationalist UKIP party, as the electorate won’t stomach anything else.

Yes, it’s been an absolute pleasure attending all these Article 29 Working Party meetings, and trying to forge common visions of data protection issues. It’s been almost as good as watching the 100 yard dash for people with no sense of direction at the London Olympics. However, there’s only so much fun a regulator can have. Consequently, I’ll be retreating to Wilmslow for a bit, while my political masters work out what data protection landscape awaits a country for whom pragmatism, simplicity, transparency and fairness is more important than impossibly complicated Euro rules that hardly anyone can understand.

Before I go, let’s all have just one last chorus of one of my favourite anthems:

If you see me, say hello, I’ll buy you a cold beer
I’m checking out Monday afternoon, and you’re OK, I hear
I should tell you that I’m all right, though feeling kind of strange
As the rules which have been so familiar are just about to change

We haven’t had a falling-out, like regulators often will
And to think of how I heard that day, it still brings to me a chill
As we complete our separation, it’s piercing me through to my heart
Old ways still live deep inside of me, now from these we need to part

If you get time enough, we’ll have one last drink on me
I’ve always almost respected you, now I’m busting out and gettin' free
Oh, whatever makes you happy, I won't stand in your way
Though that rigid taste still lingers as I know I cannot stay

I see many, many people as I make my rounds
And I’ve said lots of nice things about you, as I’ve gone from town to town
I’ve tried not to undermine you, I’ve quoted from you oft
Either I'm too sensitive or else I'm gettin' soft

When I return to Wilmslow , I will replay the past
I know every article of the Data Directive by heart, they all went in so fast
If you’re passin’ back this way, I'm not that hard to find
You can always look me up - I really wouldn't mind

Best Regards,


Seriously, I will be doing some hard thinking over the late summer and early autumn on the (frankly, extremely remote) likelihood that the British Government decides that, on balance, it would be more appropriate for 'Blighty to develop its own data protection rules, rather than implement whatever might emerge from the current European proposals. After all, the argument will run, if the Americans can get away with it and do their own thing, like the Canadians, and the BRIC countries, then why can’t the Brits?

Let’s be honest, I can’t think why new British rules might harm British citizens, either. Especially if I have a hand in drafting some of them!

Apologies to Edward Lear, who would be turning in his grave if ever he were to have realised what I have done to his poem about the "Owl and the Pussycat."
Also, many thanks to the inspiration of Bob Dylan, whose song “If you see her, say hello” can be found on his “Blood on the Tracks” album. I published an earlier version of this anthem on 26 November 2011.

Image credit:


Thursday 9 August 2012

An elevator pitch for data protectors

My business mentor tells me that it’s really important to have a good elevator pitch.

What’s one of those?

Well, it’s a very short presentation which tells people who you are, where you come from, what you do, what sorts of clients you am looking for, and how you can help them.

It’s not really a sales pitch, it’s more of a way of introducing yourself at a networking event. You don’t meet many people who know they have an immediate compliance need. But people do want to know who to turn to when the need arises. Especially people running small and medium sized enterprises, for whom data protection exists as a really obscure concept - one which, they think, if they keep their head down, will never attract any interest from our chums in Wilmslow.

So, my elevator pitch explains how I might be able to help once someone has realised that they actually do need to have a confidential chat with a friendly face.

Here it is.

Let me know what you think. After all, I don’t want to waste anyone’s time telling people stuff they don’t need to know.

Hello everyone.

I’m Martin Hoskins from Privacy Consulting, based in Central London.

If you are concerned about the way your customer records are held, I can help. If you are concerned about the way your staff records are kept, I can help. And, when there’s a complaint that those records have been misused, I can help.

As we live our lives ever more on-line, we are increasingly affected by issues of privacy and trust. But what rights do people have when they share some of their personal information? What are your legal duties when you handle personal information? How can you legitimately exploit it for your own business purposes? And what could the consequences be if things go wrong?

No-one wants to have their passwords compromised, or for the wrong information to be made available to the wrong people. But it happens.

Privacy mishaps are making headlines worldwide. More and more people are being told that they’ve lost control over some of their personal information.

Data security and privacy issues have now moved from the backroom to the boardroom. Regulatory action is becoming more common. So, if you need to know what acceptable standards of data protection look like, then I can help.

Finally, should things go awfully wrong, and you get referred to the Information Commissioner’s Office, then I can help some more.

You can find me at and

Image credit:


Wednesday 8 August 2012

Nothing to confess

According to a recent media report, Oracle and Google have been ordered to reveal the names of reporters, bloggers and other commentators they have paid. The demand, made by a US judge, follows an intellectual property battle the firms fought in court.

Well, you’re not going to find my name on any of those lists. I comment on current events as I see fit, rather than from the perspective of a paid commentator.

Yes, I have in the past enjoyed some of Google’s famous hospitality when visiting their London offices while working for a previous employer. All that free food. But no cash has ever exchanged hands. Nor have any of Google’s services ever been slipped in my direction.

Is this because I’m a “holier than thou” kind of data protector, or simply because I’ve never been asked?

Yes, you are right. I’ve never been asked!



Tuesday 7 August 2012

A healthcare nightmare

There’s a really nice picture on the front page of the website of the Torbay & South Devon Healthcare NHS Trust today. It features a group of people most generously donating £1,018.57 to the Make a Wish Foundation to improve the lives of local sick people. I know the area. It’s quite close to where I was born. And charities like this need all the support they can get.

How ironic it is that, yesterday, an ICO press release announced that the Trust will face a Civil Monetary Penalty of £175,000 (reduced to £140,000 if it pays before 31 August) because sensitive personal details of 1,373 staff was inadvertently published on their website.

As the ICO explains, the information was published in April 2011, but the mistake was only spotted when it was reported by a member of the public 19 weeks later. The data covered the equality and diversity responses of the staff and included individuals’ names, dates of birth and National Insurance numbers, along with sensitive information about the person’s religion and sexuality.

The Monetary Penalty Notice acknowledges that during the 19 weeks, the Trust’s website received 21,000 visits, and the web page containing the sensitive information received approximately 300 visits. While it was not possible to establish how often the actual spreadsheet was accessed by the public, some 32 of the visits were from unidentified IP addresses.

So, in this case we have a situation where something has evidently gone wrong, but it took 19 weeks before anyone in authority realised. All affected staff received an apology and compensation was evidently offered. No member of staff has apparently complained. The Trust voluntarily disclosed the incident, a full investigation took place and remedial action was taken, and the Trust was fully co-operative with the Commissioner’s Office.

And still, the Trust gets a fine of this size. I just don’t understand how the ICO can argue that the incident was “of a kind likely to cause substantial damage or substantial distress” - which is the statutory test which must be applied - when, evidently, no victim did complain. And these victims have had some 10 months to complain since the incident was reported. Give me evidence-based regulation any time.

But, every cloud has a silver lining.

Hopefully, it will inspire people in similar situations to pick up the phone and call me to explain that they’re in a bit of a mess and they want some help improving their data protection standards before they dare phone the Information Commissioner’s Office. Bad news like this is always good for business.

Also, it will act as an additional incentive to those plucky charity workers in the Torbay and South Devon area to inspire Devonians to dig even deeper in their pockets to replenish the funds that, if spent on healthcare, would certainly have gone some way to improve the lives of local sick people.

Sources: (And no, the website doesn’t mention the ICO’s Civil Monetary Penalty - yet)


Monday 6 August 2012

“Exit that draft Regulation, pursued by an ungovernable crowd”

I must thank our chums at Statewatch for keeping me up all night – they’ve kindly published on the internet a leaked copy of the initial responses of Member States to first 10 Articles of the proposed new Data Protection Regulation.

The document is 170 pages long, so make sure you're not going to be disturbed for a long, long time.

It makes really interesting reading, and it makes you wonder how on earth all Member States are going to be able to accommodate each other’s positions. If I were a betting data protector, I would assume that the only way that this current proposal is going to see the light of day is if the German Government makes it a condition of any future financial assistance from the Federal Republic in respect of a Euro bailout that the recipient Member State immediately appoints a German Data Protection Troika to oversee that Member State’s data protection laws.

And remember, even the Germans (on page 24) are insisting that "Member States must be able to retain their national rules – in particular where they provide a higher level of data protection than that provided in the legislative act – or to enact new ones."

In German eyes, it seems that reform can only be achieved by an upward revision of current data protection standards to the highest that are currently available. Then, we may get somewhere.

But, I mean, how do you reconcile a range of views like this? Talk about a shotgun wedding. I’ve seen less savage exchanges of views at Glaswegian wedding receptions.

So where is the way forward?

In no particular order, I guess we’ll see next proposals floated that support

• a Directive, rather than a Regulation;
• less formal co-ordination from the Commission;
• more (but still relatively informal) co-ordination from a College of Information Commissioners;
• the introduction of an accountability principle, but
• with lots of flexibility as to how controllers will be required to demonstrate their accountability;
• stronger penalties against those who transgress
• and different regulators exercising their disciplinary muscles in different ways
• failed attempts to control non EU based data controllers (blah, blah blah);
• another attempt at the central co-ordination of European data protection policy in, say, 5 years time, when our national leaders have worked out whether the future political path of Europe is leading to the central control of everything, or the re-emergence of nation states.

We, in Blighty, should all rejoice that we will be able to rely on our chums at the Ministry of Justice to carry out the heavy negotiating. Now, we’ll just have to wait and see what emerges from the background deals that will inevitably be offered as someone – presumably the Irish diplomats – assesses the chances of agreement during the Irish Presidency of the Commission in the first half of next year. After all, no Presidency ever wants to feel that theirs was a wasted opportunity to make a mark on the international scene.

But, really, just what does Euro-data protection actually look like?

After reading this report, frankly, I’m none the wiser.


The document comments on the first 10 Articles. The draft Regulation contains 91 Articles, so we can look forward to a few more documents this size being uploaded onto the internet in the fullness of time.


Sunday 5 August 2012

Data Protection Crime (and Punishment)

When you’re a Data Protection Officer, writing a business case for something or other, it’s always useful to have the odd fact up your sleeve to help emphasise the need (and urgency) for action.

For some time, many of us have been using the ICO’s “£500,000 fine” line, assuming that the possibility of a civil monetary penalty as enormous as this would inspire the business to start to invest in data protection at a level that really was commensurate with the risk that was being run.

Of course, it’s worked – to a limited extent. And, with each new Civil Monetary Penalty, some businesses get even more concerned that their dodgy practices might come to light.

The trouble is, of course, that fines are only money. And, in the public sector, removing money from public authorities it simply means less public funding for essential services.

If I had my way, I would have the Chief Executive Officer of the relevant authority washing cars in the Commissioner’s car park for a day, to atone for his sins. Or I would have the ICO having the power to aware an order requiring the authority to invest £x in enhanced data protection safeguards, rather than having that £x returned to the Exchequer.

Perhaps there’s another line that Data Protection Officers can use, which might be even more effective in delivering higher standards.

How about jobs!

A little while ago, our chums at BigBrotherWatch did some work to learn how many policemen were misbehaving, data protection wise. Police authorities were asked to provide a clear, itemised list of the offences committed by the individual in question i.e. "Abusing privileged access to the Police National Computer" or "Passing information to an unauthorised third party”.

The research revealed that, between May 2008 and May 2011:
• 243 police officers and staff received criminal convictions for breaching the Data Protection Act;
• 98 police officers and staff had their employment terminated for breaching the DPA;
• 904 police officers and staff were subject to internal disciplinary procedures for breaching the DPA.

These are quite impressive figures – not only have the police authorities actually collected this information, but they indicate a level of internal HR activity which shows that the police do recognise that such behaviour really is unacceptable.

Such levels of internal HR activity possibly explain why the ICO has not found it appropriate to take court action against individuals in many cases. The last 3 ICO annual reports contain relatively few examples of action being taken against offenders.

The 2011/12 annual report contained one report of a prosecution action at Reading Magistrates Court against an employee of Slough Borough Council Benefits Office in March 2012 and two company directors. The employee had obtained and sold personal data to associates who were directors of a letting company, which was used by that company to chase up their tenants’ outstanding debts. Both company directors were each fined a total of £260 for two offences under the Data Protection Act. The Slough Borough Council employee was fined £690 for three offences under the Act.

The 2010/11 annual report noted that the ICO took prosecution action in five DPA cases, two of these relating to offences for unlawfully obtaining personal data. Both defendants in these cases pleaded guilty in the Crown Court. Due to the unlawful sale of data taking place over the course of a year and the amount of money involved, confiscation proceedings under the Proceeds of Crime Act 2002 were started and £78,000 was recovered.

The other three cases, involving two estate agents and one private investigator, were prosecuted in the Magistrates Court for failing to notify the Commissioner that they were processing data electronically. All three defendants had failed to respond to correspondence from the office reminding them of their requirement to notify.

The 2009/10 annual report noted that seven bodies (a mix of individuals and organisations) were prosecuted for failing to notify as data controllers with the ICO. Two were prosecuted in the Crown Court and one received a fine of £5,000. In another, a director was also convicted in his individual capacity and received a separate penalty to that of the organisation. Two other organisations were prosecuted for failing to respond to enforcement notices. One was an individual who was prosecuted for not notifying and was dealt with in the Crown Court. The other individual received fines totalling £5,200.

The ICO also investigated suspicions that a covert blacklist was operating in the construction industry. The custodian of the list was the Consulting Organisation. Ian Kerr (on behalf of the CA) was sentenced to a £5,000 fine and ordered to pay £1,187.20 in costs.

OK. What about recent Computer Misuse Act offences? Is a pattern emerging here? Can we use these prosecutions to support the need for greater data protection standards?

Well, these figures are not easy to decipher. Between 2006 and 2010, there were some 100 prosecutions involving the Computer Misuse Act, but the number of prosecutions may well have declined over recent years. As John Leydon of The Register explained: “It would be rash to read too much into the figures, especially since the stats only cover prosecutions where computer hacking offences were the principal offence under consideration by the courts. So if a suspect was convicted of banking fraud or phishing as well as computer misuse, and received a harsher sentence for the fraud, then the computer hacking prosecution would go unrecorded. In addition, the figures supplied provide no breakdown on the number of UK computer hacking prosecutions that actually resulted in a conviction.”

So what does this tell us?

Not much, admittedly.

It tells me, at least, that there are some people who are getting prosecuted for data protection offences. But there aren’t many of them. Whether the whispered additional powers (yes, criminal sanctions for more types of offences) that are to be added to the Data Protection Act will have much effect, only time will tell. After all, who knows when this will happen. And even when it does, who knows what appetite the authorities will have to actually use them. With ever fewer resources being made available to the Crown Prosecution Service, I expect that they will be hard pressed to continue to make full use of the existing powers they have, let alone have the resources to apply new sanctions to new categories of miscreants.


Image credit:


Friday 3 August 2012

A plea for simple data protection rules

The first day back from my summer holiday was celebrated by having lunch with a prominent data protection academic / practitioner in the City of London.

The conversation touched on the different perspectives that practitioners and academics had to data protection. From my perspective, practitioners were those who tried to adopt relatively simple rules, so that compliance teams could more easily understand what was required. This involved having to make complex judgments about what language to use to ensure that normal people could understand what was meant by the difficult language that data protection law was so frequently cloaked in.

Some members of the academic community appear to focus on more on the balancing exercise that is necessary to ensure that the fundamental rights of individuals are fully observed, and that data controllers respect these fundamental rights as completely as possible. So, they can be less tolerant of the use of accessible language. For them, precision is king. And if that meant that the language has to contain a certain degree of complexity, then so be it.

I’m in the simple camp, myself. I reminded myself of this as I tried to refresh my memory by re-reading chunks of “that” Regulation, to get myself up to speed to develop some possible amendments to the current text. It’s amazing how quickly you can forget what some of the obscure drafting actually means, when you take a short break.

The realist, rather than the optimist, in me accepts that what the European Parliament will probably pass is a text that only the finest minds in the data protection community will actually understand. The largest and the most complex data controllers will inevitably have the resources to implement it, but I do worry how the vast majority of Europe’s data controllers (let alone Europe’s citizens) will react.

What can we do? Can we force European Parliamentarians to take a data protection test before they vote on the text, so we European citizens can be reasonably sure that they know what it is that they are actually doing? Probably not. They’re all busy people and it’s not possible to expect them to fully understand the implications of every legal instrument they are expected to vote on.

What we can do, hopefully, is expect that our chums in Wilmslow might prepare some Plain English versions of the new rules. They do have a great track record here. After all, remember the recent fears that the cookie rules as prescribed by the ePrivacy Directive were gobbledygook?

Well, take a look at the ICO’s blog, posted on 25 May, with its guidance which clarifies the following points around implied consent:

• Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
• If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
• You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
• In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Brilliant. Normal people (and SMEs) can understand that sort of language.

What a pity there isn’t a Plain Language Directorate within the European Commission, which might ensure that all proposals can generally be understood by those to whom they are intended to apply.


Image credit: