Monday 29 October 2012

Uruguay – initial reaction to my blog

Saturday’s blog, on soundbites from the 34th annual privacy conference in Uruguay, has already prompted one of the great data protection minds whose comments I (mis)quoted to contact me.

This is what their email said:

“Saw your blog ... My soundbite was misquoted & some of the things I said did make a difference to the way people thought about some key challenges .... But it's more than a place where we expect earth shattering insights ... It's also a place to network & have conversations we might not otherwise have ...

You're correct that it needs more insightful, analytical & critical approaches.”

So, let’s hope that the next large scale event – the IAAP conference in a couple of weeks time in Brussels – will offer delegates more opportunities for insightful, analytical and critical approaches to the great issues of the day. I have every confidence it will.

If it does not, then I suspect that those who pay to attend these events will start to wonder why so many privacy conferences are currently being staged, and whether a little consolidation might be appropriate, given the constrained resources that everyone is adjusting to.

News about forthcoming privacy events can be found here.


Sunday 28 October 2012

Memo to Helen Grant MP, our new Data Protection Minister

Dear Minister

Welcome to your new ministerial brief, which includes issues relating to data protection. The following guidelines may help you navigate your first few months in the office, as you settle in.

1. Trust your MoJ Data Protection Officials. I know that lots of civil servants get a bad press these days, but this small team is comprised of people who really are trying hard to find new ways of addressing the “consensus void” that has emerged as a result of new ideas proposed by the European Commission to update current data protection laws. For every proposal that has encountered some support, there is (basically) an equal and opposite view shared by a group of people who can get quite passionate and vocal.

2. Don’t expect to generate much press coverage. While every Minister is keen to engage journalists and be seen to be getting things done, this is one of those “worthy but dull” issues where the press only take an interest when something has gone horribly wrong. There are going to be very few incidents when you can expect any press coverage for an incident that has actually gone right.

3. Get over the fact that ever since data protection was invented, no-one has been able to come up with a simple concept of what personal data actually is. Your officials will gladly provide you with briefs that will bore you to death which explain why so many people have different understanding of what personal data is. The key point to remember is that if “it” (whatever is it) is determined to be “personal data”, the full weight of the law will apply. However, if “it” isn’t "personal data", then none of this law will apply.

4. Expect to meet lots of corporate privacy specialists who are keen to explain to their clients how to apply the current law in a range of circumstances that were never envisaged when the law was originally developed. This is not a comment on the quality of the then legislative drafting, it’s more a reflection on the speed of technological change which has and which will continue to occur. In areas of “social policy” like data protection, the speed of technology means that you can expect most of the laws to be out of date before they’ve even been implemented. This is why you need to think in terms of broad concepts, not details that, frankly, even most of these privacy specialists can’t fully appreciate the concepts of.

5. Don’t expect many of these privacy specialists to agree with each other. They tend to group themselves, though, as “pragmatists” (generally Data Protection Officers) and “anoraks” (generally legal advisors, who try as hard as they can to master all the details of their subject matter).

6. Expect to meet fewer privacy advocates – but what they lack in numbers they make up for in passion, determination, and media contacts. For these guys. Privacy (whatever that is) is a fundamental human right, and they are generally determined to ensure that individual tights trump the rights of collective organisations.

7. Try not to meet any representatives from these groups alone. Always ensure you have at least one policy specialist with you. This is not for personal protection, but because whatever you say is important (to them, anyway). The data protection community takes an unhealthily close interest in every data protection word uttered by any figure of significance. All of your utterances (public or private) will be blogged and commented on by a small band of specialists, who will analyse what was said and will compare it to every other utterance ever said by any other official (or regulator) to see if they can detect any signs of movement on anything.

8. Try to avoid using the following phrases:
a. Wow, this is boring.
b. We are committed to legislating to resolve this significant issue once and for all.
c. We are good Europeans, and will implement whatever has been agreed by the European Commission.
d. My officials will let you know precisely what this bit of the legislation means.
e. I have full confidence in ...

9. Instead, try to use the following phrases:
a. Trust me, I'm working as hard as I can on this.
b. ... to achieve a proper balance between the privacy needs of individuals, and the legitimate needs of companies who provide individuals with the services they rely on.
c. Data protection fines for charities and public authorities are a concept introduced up by the last Labour Government, so blame them if you think the outcomes have been a bit perverse.
d. I would hope that such advice could be provided by the Information Commissioner’s Office in due course.
e. Right, that’s enough. Who’s joining me in the bar downstairs for a drink?

Helen Grant MP has recently been appointed Parliamentary Under-Secretary of State, Minister for Victims and the Courts. Her responsibilities, in addition to data protection, are:
• Victims and criminal injuries compensation
• Courts, tribunals and administrative justice
• Women in the justice system, including women’s prisons
• Judicial policy (including diversity)
• Civil law and justice
• International business (non-EU)
• Law reform and sponsorship of the Law Commission
• Legal services and claims management regulation
• Coroner and burial policy
• The National Archives
• Devolution
• Sponsorship of the Office of the Public Guardian, Office of Court Funds, Office of the Official Solicitor and Public Trustee, and the Parole Board
• Better regulation and growth
• Sustainability
• Equalities
• Support to Maria Miller, Secretary of State for Women and Equalities.

Image credit:


Saturday 27 October 2012

Soundbites from the 34th Annual Privacy Conference in Uraguay

Your very own Dataprotector was not able to attend this year’s annual privacy conference. My travel budget does not (yet) stretch to a few days in Uruguay. I’d happily pop over to Ulster, but Uruguay really is just a step too far.

Anyway, the conference focused on the theme Privacy and Technology in Balance”. And what was said that was absolutely revolutionary and that had never been said before? Well, from what I can gather, here are just some of the most important soundbites to emerge from that event from a random selection of a few of the greatest data protection minds in the business. These quotes focus on insights that have never been offered before:

Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority: “Blah blah blah blah blah bhal blah – blah blah blah blah.”

Eduardo Ustaran, Partner at Field Fisher Waterhouse: “Blah blah blah blah blah bhal blah – blah blah blah blah.”

Florence Raynal, Head of International and European Services at the CNIL: “Blah blah blah blah blah blah bhal – blah blah blah blah.”

Pat Walshe, Director of Privacy at the GSMA: “Blah blah blah blah blah blah bhal – blah blah blah blah.”

Gus Hosein, Executive Director at Privacy International: “Blah blah blah blah blah blah bhal – blah blah blah blah.”

UK Information Commissioner's Office: “Blah blah blah blah blah blah bhal – blah blah blah blah.”

Bruno Gencarelli, Head of International Relation at the European Commission: “Blah blah blah blah blah blah bhal – blah blah blah blah.”

José Luis Rodríguez Álvarez, Director of the Spanish Data Protection Authority: “Blah blah blah blah blah blah bhal – blah blah blah blah.”

Peter Schaar, Federal Data Protection Authority of Germany: “Blah blah blah blah blah blah bhal – blah blah blah blah.”

Peter Hustinx, European Data Protection Supervisor: (Concerning the draft EU Regulation) “Blah blah blah blah blah blah bhal – blah blah blah blah.”

If you were there and think that, actually, I’ve missed one of the earth-shattering announcements, please do get in touch.

(On the other hand, this article could just be me letting off steam at not being able to enjoy a few days in the company of these great minds in Uruguay, chewing the fat and mulling over the great data protection issues of the day. Had I have been able to attend the event last week, I do appreciate that some of the quotes I’ve used might have been slightly different.)

Image credit:


Wednesday 24 October 2012

Even more undressing data protection – a legal brief

If you thought my last article on undressing data protection had touched a raw nerve, you would be proud at the reaction from my friends in the legal community.

You will recall that my last blog featured the views of someone who had agreed with my view that employers have, basically, lost the plot if they think that the provision of data protection advice is a task that can only be undertaken by a qualified lawyer.

I’m so grateful to the lawyers who offered an alternative view.

This email was typical:

I think we need to move to a world where we recognise that privacy ought not to rest in the domain of any one profession. Compliance folk have their role, as do IT/IS personnel, HR, product design and, yes, even lawyers. The truth is that, even though it's such a seemingly simple concept - don't do stuff with people's information that they don't like - privacy has many different facets. Lawyers are most certainly NOT the best people to tell product engineers how to design a cool new product. But, equally, product engineers are not the best people to talk to liabilities and legal compliance. Nor are HR people the best people to advise on implementing information security for a new HR system. We're part of an interconnected privacy ecosystem and all need to work together.

Believe it or not, even though I'm a lawyer I don't "lick my lips" at the thought of increasingly burdensome data protection regulation. Lawyers are an important and necessary part of the solution, but we're not the whole solution and nor is any other profession. As for your respondent's comment that most lawyers are unable "to write in plain English and to make decisions", what can I say? They're using the wrong firm - feel free to send them over to me :-)

So, the offer’s there. If readers want to be put in touch with a lawyer who knows his place, please feel free to get in touch with me, and I’ll arrange the necessary introductions.

Image credit:
Spencer Tunik,Netherlands 8 (Dream Amsterdam Foundation) 2007


Monday 22 October 2012

Data Protector wins the Nobel Peace Prize

I understand that we in the European Union have all won this year’s Nobel Peace Prize. As there are rather a lot of us, we’re not all going to fit into Oslo’s City Hall for the award ceremony. I expect most of us won’t even get an invite to any of the parties in Norway, either. Never mind.

But, in the (unlikely) event that I am selected to travel to Oslo to receive the prize on behalf of all European citizens, this is an early draft of my acceptance speech:

Mr Chairman of the Norwegian Nobel Committee, Members of the Committee, Your Majesties the King and Queen of Norway, Members of the Norwegian Government, Storting representatives and friends assembled in this audience.

As a member of the European Union, I wish to thank the Committee for their recent decision to award the 2012 Nobel Peace Prize to me and to my fellow citizens. I humbly accept the compliment on behalf of all Europeans. I will use the publicity and any financial share of the prize to continue to do what I do best – which is to make the case for even high data protection standards to protect our citizens and our economies from the abyss.

I gather that the award also celebrates six decades of advancing peace in Europe – that’s not bad, either. We have to be fortunate that most of the wars we Europeans have recently waged have been in places you wouldn’t really want to call Europe. Like the Falkland Islands, Bosnia, Serbia, Iraq, Afghanistan, or in cyberspace.

But enough of that. Let’s all look on the bright side of life.

We’ve got a shiny bright European Commission, stuffed with lots of clever people who will happily administer our affairs until the cows come home.

And we’ve got a wonderful opportunity to tweak our data protection laws, to make it even harder for non EU data controllers to mess around with the precious digital trails we are all creating.

Let’s continue to celebrate freedom, Facebook, Twitter and Tor.

And wo betide any internet trolls who want to rain on our parade. We have ways and means, you see, of knowing who they are and where they come from. We’re not likely to be able to prevent the data protection taleban from visiting them in the middle of the night to chop off a couple of the fingers they so rudely waved in our direction when we told them how to behave.

That’s how you advance digital democracies in Europe.

A good dose of fear as to the consequences of your actions always concentrates a few minds and encourages compliance.

So, let’s all recommit ourselves to getting tough with those who don’t see much point in maintaining tough data protection standards.

Comments and suggestions for textual improvements should be sent to me at the usual address.


Image credit:
The lucky Europeans eventually selected to receive the prize on behalf of the rest of us will make their acceptance speeches from this podium in Oslo’s City Hall.

Saturday 20 October 2012

Article 29 WP to tweet its latest opinion on the draft Regulation?

If I were an oik employed by Article 29 Working Party, I might be thinking how I can get more people to read the great stuff that the Working Party churns out. Hardly anyone reads formal opinions these days – we’re all too busy tweeting. So, if I were charged with reviewing all 45 pages of its latest opinion and ordered to translate it from eurobabble into twiterature, this is what a (very) rough draft might look like:

We’ve had yet another meeting to see what we can do to flog a bit of life into this dead horse of a legislative proposal. No one’s that keen on the current law, and we’re all pretty divided on the new proposal, too.

We quite like the concept of a level European playing field. But, half of us think the proposed standards are too high, while the other half are never in a million years going to reduce their current standards – even if a new law tells them to.

Some of us feel quite sorry that small companies are caught up in all the new red tape that’s being proposed – but that’s their own fault for wanting to play around with personal information. Perhaps next time they’ll leave more of this stuff to the big boys.

We’re still not happy with the definition of personal data. There are rumours of at least one American academic who actually understands the proposed definition. So we’ll try to propose some changes to make it less clear.

We’re even less happy about the position on consent. These muppets had better get used to the concept of explicit consent wherever possible. We’ll need to fudge the legitimacy other types of consent, just like we’ve done with the new(ish) cookie law. But not everyone’s going to be clever enough to understand what they are expected to be consenting about. So, we might need to see what we can do on the “legitimate interests” front – until enough innocent (or media savvy) victims complain, that is.

But we’re most unhappy about this ridiculous proposal for the Commission to take on so many new powers to create new laws and data protection standards whenever it wants. They’re an unelected bunch of overlords who aren’t close enough to the plebs. It’s our right to set new data protection standards, as we’re much closer to those who should be ruled. So, if there are any new powers going begging, then we want them.

We’ll offer the Commission a deal – they can have just a couple of new law making powers, if they promise to make some of the important bits of the draft Regulation a bit clearer, and if they also promise to bequeath the majority of the reserved law making powers to us. Take it or leave it. If they’re not happy with the deal, we’ll start a new campaign against the Commission.

They had better make their mind up quick – as if they don’t, we’ll attend every privacy conference we can find over the next year and get all the delegates to wear a badge which express just how we feel.

We’ve even agreed on a campaign logo:
“You’re doin’ our head in, Viviane Reding”

This is a very early draft translation of Opinion 199. The original versions were adopted by the Working Party on 5 October. To be honest, you might be better served by reading the original text yourself, as I did had to leave out quite a few things when squeezing 45 pages into just 450 words. And, as you well know, when you translate stuff from eurobabble into twiterature, the subtlety of some of the meanings are sometimes lost.


Thursday 18 October 2012

Hooray – more data protection compliance diagrams

Those of us in the know appreciate that it is one thing to do it, and another thing to produce a diagram about doing it.

So today, I present to you, a data protection compliance diagram which has been kindly supplied by Alexander Alvaro, MEP, a Vice-President of the European Parliament. You’ve probably heard of him. He’s quite influential in German data protection circles.

Anyway, his latest wheeze, in his own words, is as follows: “I have developed the concept of “Lifecycle Data Protection Management (Lifecycle DPM)”, based on a simple stick and carrot principle: Invest from the outset in a sustainable data management framework, follow it up with a comprehensive compliance mechanism and you will be rewarded with an effective implementation and enforcement architecture.”

For those of us that like carrots and sticks, all we need (if we are allowed) is to use Google's mighty search machine to locate a document that goes under the snappy title of “Lifecycle data protection management – a contribution on how to adjust European data protection to the needs of the 21st Century.”

Are you still with me?

If you are, I’ll just make the point that his paper also suggests that data controllers present a privacy policy to customers in a common format – as it is apparently the case that some consumers choose on-line services on, among other things, the privacy policies that the various competing data controllers have.

You could have knocked me down with a feather when I read that bit. I must be missing out on something. My on-line choices are focussed on availability, price and delivery dates. I honestly can’t remember if anyone’s privacy policy has ever influenced my choice of whatever it was I was planning to buy. Then again, I have been in this game for a long time. Perhaps younger generations do read the stuff I so despair of.

Anyway, for those that are really keen to be on the ball, here is a set of the latest privacy icons that responsible data controllers could use when tempting potential customers with their irresistible wares.

The snag is, what happens when you are honest about your intentions, or capabilities, with regard to each of these icons? For a number of the (extremely honest and reputable) companies I have had the pleasure of getting to know, I really doubt if their privacy policies would have achieved more than 1 tick (or perhaps 2 ticks) in the relevant icon boxes. So, if every data controller (for perfectly legitimate reasons) is always going to feel forced to provide their potential customers with a sea of red crosses when they use these icons, I can’t really see the concept taking off too readily.

What do you mean a sea of red crosses?

Well, What happens when data collected and processed for a controller’s legitimate business needs just might need to be acquired by a law enforcement agency for law enforcement purposes? Or when personal data in paper files can’t be encrypted?

How many ticks does that leave you with, then?

Anyway, let’s look on the bright side. It is a nice try – and it makes a great slide for a data protection PowerPoint presentation.



Monday 15 October 2012

My everso cunning “privacy by design” plan

“Ladies and Gentleman, I have done it.”

With similar words, EU Commissioner Viviane Reding unveiled her proposals for a comprehensive reform of Europe’s data protection at a press conference in Brussels, back in January. My announcement, made at noon today at the Clock Tower in Crouch End, heralded a totally brilliant idea that might be just as important as anything she could be saying this year.

My revolutionary concept offers those who are concerned about such stuff a total guarantee of privacy. It protects people’s digital assets, has been designed to be absolutely fool proof, and has been tested by teams of privacy auditors, all of whom have arrived at the same conclusion.

I do have one warning about its use, though. Because it works so brilliantly well, there are powerful side effects that users have to be prepared to deal with. These side effects aren’t harmful (or immediately life-threatening), but over time the risks to the user’s health and happiness may deteriorate to such an extent that their quality of life may be adversely affected. If this is the case, it is my recommendation that users withdraw from the plan.

What is this brilliant idea? And why hasn’t anyone thought of it before?

Well, plenty of people have probably thought of it before, but I expect that it’s been dismissed out of hand. Like the time when the dragons in the BBC TV series “Dragons Den” dismissed as ridiculous the concept of selling wine in plastic glasses, rather than in bottles, so they could be readily consumed at picnics and other outdoor parties. It’s the dragons that are looking a bit ridiculous today, not the very successful entrepreneur whose pitch was so readily trashed.

Anyway, pack to the plot.

My cunning plan enables everyone to safeguard their digital assets. No more nasty behavioural advertising, or pointless cookie policies to click through. In fact, nothing more to click through at all. No clicks.

It’s an off switch.

Yes, after years of research, my team of crack researchers have realised that they only way to safeguard ones privacy in a digital age is to leave it. Do not live your life on-line. Return to the good old analogue days, where you mowed the lawn, washed the car, and popped down to the pub, rather than spend hours searching for satisfaction on an electronic screen.

Let’s be honest with each other. The thought that people can both live in a digital age and expect their privacy to be fully respected is, well really, pretty improbable.

Almost as improbable as the thought that the European Commission might propose a Regulation on the issue, and believe that everyone would respect it.

Image credit:


Friday 12 October 2012

A very close call with the NCO

I had a very close brush with the NCO a few days ago. You see, I was carrying some documents home in my case. Yes, they were sensitive papers. Nothing to do with sensitive personal data, it was all about another project I’m currently working on.

Anyway, en route home, I popped into a tie shop, bought a couple, had them bagged up, and took them with me.

There was an “incident” on the train between Moorgate and where I usually get off. Some old gent got on the train, with his pipe still lit, but concealed in his hand. The fellow passengers couldn’t see the smoke, but we all began to smell it.

And you could smell the fear spreading in the carriage too. As soon as we could, each passenger (other than the old gent with the pipe) found an excuse to leave the carriage – and it was only after I saw the train pulling away from my station that I realised that my newly bought ties were taking a trip of their own up to Stevenage. I hadn’t been thinking properly. My concentration had lapsed.

Thank goodness I didn’t have to report the loss of the ties to the Neckwear Commissioner’s Office. I would have been stuffed. After all, I had given myself no training about how to carry ties home safely, and certainly had never written a policy document on the dangers of carrying such objects.

Then I thought to myself, wow – there aren’t many people I know who have received training in carrying paper files, either. It’s a bit like lunch – you instinctively know what to do around noon, you don’t need a policy document to tell you how to able over to the canteen, to eat nicely and to keep your mouth closed while chewing.

Perhaps I should carry out a survey – how many data controllers really, honestly, have developed training packages on the safe transportation of manual records? Not that many, I presume. But, given a recent ICO fine of £70,000 to a social care charity for mishandling papers relating to the care of four young children, I expect a lot more people to take a renewed interest in trying to document the very basic tenants of data protection around their organisation.

Who needs to worry about the DPA dangers of cloud computing, etc, when there exists the ever present danger of leaving sensitive documents outside someone’s front door?

If I were to have a wish that could come true, I would wish that next year could be called the year of data protection basics. Let’s all try to get the basics right, before turning our minds to any of this new fangled stuff. Like cookie compliance. Or getting a project off the ground to begin to assess the costs of the ever changing proposals in the General Data Protection Regulation thingey.

Come to think of it, it must be about time we heard some more from our chums in Wilmslow, reporting on the current state of cookie compliance. “We use cookies – get over it” seems to be the most common way of complying, these days. Or am I getting too cynical? Perhaps there are some webmasters around, waiting to unleash even more wonderful cookie explanations, with brilliantly inventive ways of enabling people to object to cookies and still receive oodles of stuff for free.

When I see any, I’ll let you know.


Image credit:


Wednesday 10 October 2012

Spam texters: almost time to face the music?

It’s not going to be long before that curtain of privacy is lifted and we all learn of the identity of the two illegal marketers who have been notified that the Information Commissioner’s Office intends to fine them well over £250,000 for distributing millions of spam texts.

At the beginning of the month, the ICO wrote to both individuals, and they have 28 days to respond and prove that they were complying with the law, otherwise final penalty notices will be issued.

I’m getting quite excited as I want to know who these plebs are.

I wonder if they are associated with the outfit that sent me a spam text last Friday (sender 07787 687813) saying: “URGENT you are owed £3350 for the PPI you took out, time is running out to claim, please visit ti claim, thank you. To opt out reply STOP.”

Or, perhaps they are associated with the outfit that sent me a spam text last Sunday (sender 07824 647090) saying: “Records passed to us show you’re entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan. Reply INFO or stop.”

Or, perhaps they are the associated with the outfit that sent me a spam text earlier today (sender 07733 883889) saying “We are trying to contact you about your refund. £2304.76 is paid on average for mis-sold PPi. For a claim pack to be sent out reply PPi or reply STOP to opt out.”

That was a bit cheeky, I thought to myself. No sooner do our chums in Wilmslow announce significant action against illegal marketers, than more dubious text campaigns commence.

Perhaps it’s someone’s last desperate dash for dosh before they are closed down for good.

Or, perhaps not.

Time will tell.


Image credit


Tuesday 9 October 2012

(Not) another message from the Commission?

If I were an oik working in the offices of DG Justice at the European Commission’s offices in Brussels, constantly on the lookout for inspirational things that Commissioner Reding might want to say to members of the Article 29 Working Party, this is the sort of draft I might be working on at the moment:

Right, listen in:

You need to know that I’m not very happy. I keep looking for media stories of horrific tales of data protection disasters all over Europe, and there just aren’t very many of them. This is absolutely not good enough. How am I supposed to ram through a fundamental restructure of European data protection legislation if you lot can’t keep up by supplying the stories as to why these reforms are necessary?

Top marks are currently being awarded to the Brits where, thanks to the cuts in public expenditure, hospital units are being closed down, and people are forgetting to chuck away the old hospital records when they wheel the patients away from the old wards. Enterprising journalists pop in a few weeks later, and bingo! This gives the ICO the brilliant opportunity to issues press releases and consider fining them, etc, which puts further pressures on public finances, and probably results in even more hospital units being closed.

So, if the Brits can do it, then why can’t the rest of you?

I want action and I want it fast. I want to see you all issuing press releases and taking whatever regulatory action local rules allow. I want everyone to feel the pain that the great unwashed must evidently be suffering as their fundamental human rights get trashed in this awful way.

I’m fulfilling my side of the bargain. I’m trying to keep the new data protection rules as complicated as I can, so you can justify the call for additional resources for your own teams to work out what effect the new rules are actually going to have, and how you can best apply these new rules in your own countries. I’m spearheading a data protection job creation scheme to reduce levels of unemployment in Europe. But for that to work I need masses of grateful voters. National Governments have plenty of other priorities to fund. Like healthcare, education, housing and the economy.

The data controllers are already squealing about the costs of implementation of the current proposals, so it’s time for Europe to experience a counter protest from voters.


There must be more stories out there – I want photos and I want victims and I want publicity and I want them soon.

The IAPP Brussels conference is coming up next month – and I don’t want anyone querying our cunning plans at that event. You’ve all got to head off allegations that we’re over extending ourselves, by finding more reasons for us to be right.

You have been warned.

I don’t want people spreading awful rumours to the effect that the only real problem European data protection has is that there are a bunch of clueless plebs trying to regulate it.

That is vile and wicked and plain wrong.

We’ve all got lots of bright ideas and we’re all going to work together to implement as many of them as is humanly possible.

So, in the meantime, I want at least one really bad news story to be printed in at least one of your national newspapers in each country each month – otherwise you will be hearing from me.



PS. After re-reading this draft motivational speech, I do appreciate that a few lines may well need to be tweaked before anyone in DG Justice would consider offering it to Commissioner Reding. But I’ll leave it to others to remove the less acceptable bits. She is, after all, a marvellous lady with a great sense of humour.


Saturday 6 October 2012

More on undressing data protection

My last article on undressing data protection has evidently touched a raw nerve. A number of people have been kind enough to write to agree with my view that employers have, basically, lost the plot if they think that the provision of data protection advice is a task that can only be undertaken by a qualified lawyer.

This email was typical:

I read your latest blogpost with interest as I have regularly raged against this idea that you have to be a lawyer to do data protection. You didn't quite get into this in the blogpost though so I don't know whether you agree, but what we need is more job ads looking for those with not just practical experience, but the ability to interpret law and apply it in practice, to see all sides of an issue, to come to conclusions based on evidence, to write in plain English and to make decisions - the latter two are beyond most lawyers I know.

I have also noticed that of late all the jobs want legal qualifications and it does worry me. There are those who are clearly up the job but need to start somewhere, so always needing prior experience doesn't help them either. I am thinking particularly of those at the ICO who often leave to go into their first in-house role. Why don't companies see the value in someone who can think and lead strategically, as well as knowing the law?”

If there are any lawyers around, who wish to offer alternative views, then I’ll gratefully acknowledge them. But my post bag is currently exclusively on one side of the argument.

Perhaps we should develop a campaign to remind those bods in HR departments about the skills that a data protection officer really needs to have. A broad mind, an intuitive feeling for what’s fair and transparent, an ability to offer a view, to be capable of expressing it in terms that normal people understand, and a determination to invite people to be personally accountable for their actions should they take a decision to hold a different view. A polite manner with a willingness to understand and appreciate the views of others, before making their decision. And a sense of humour.

What should we call this campaign?

"Data protectors against the legal machine?"

"Common sense not legalese?"

"Rage against the law?"

Image credit: This image, by the artist Spencer Tunic, was created in Peel Park in Salford in 2010. Spencer has not commissioned to create any images of the ICO’s staff, whose office is just up the road in Wilmslow – yet.


Thursday 4 October 2012

Undressing data protection

I foresee a problem in the not too distant future. I see teams of lawyers and consultants salivating over everso more complicated data protection laws. I see these people licking their lips with anticipation at the fee income that will be earned. And I see worried data controllers wondering what the world is coming to. I see ever more strident articles announcing the latest set of data protection fines for the latest data protection blunders, and I see more and more people worried at the apparent failures of current data protection regulation.

I see a privacy mob baying for more press coverage at what they perceive to be privacy breaches. The worried few will want so hard to become the worried many. But I really wonder how many of these few there actually are.

I regularly review the lists of data protection job vacancies, many of which refer to a requirement for candidates with legal qualifications. Far fewer job vacancies refer to the desirability that candidates should have practical experience of actually working with the data protection regulators, and developing solutions that make common sense, rather than simply met legal theory.

Is this a problem?

I think it is certainly turning into a problem.

Basically, a demand is being created for a type professional that currently does not exist in sufficient numbers. But nor do there appear to be any plans to increase the pool of potential candidates. Professional experience takes time to acquire. It’s much easier to obtain a professional legal “qualification”.

What will we be left with?

Perhaps, with a tiny cohort of highly paid data protection professionals. Hooray, if you are fortunate to be among that cohort, and you are lucky enough to find an employer who can afford your services.

But what about the other organisations that need professional assistance?

Especially, presumably the public sector, where salary caps are likely to act as a significant impediment to the career progression of anyone who has much knowledge of data protection. To whom will public officials turn for advice?

Is it right that we should expect to live in such a complicated world? Or would it be better if we all strived for a simpler set of data protection rules? And then we probably wouldn’t need to pay data protection professionals so much for the advice they struggle to provide.

Just think for a minute.

How many people would, really, notice the difference?

Image credit:


Wednesday 3 October 2012

Tracking people who chew

Dear Brian

Many thanks for your email inviting me to comment on the data protection aspects of the proposal that your company hide a tracking device inside several sticks of chewing gum, so you can reward some purchasers with a starring your very own TV add and a £10,000 prize. I’m not sure what advice Nestle received when they thought of trying the same trick with people who bought Kitkats, but here are a few of my thoughts, anyway.

To comply with the fair obtaining principle, please use a huge notice to warn people that they may be tracked down if they purchase and open this stick of gum. Lots of people get really excited when they are told that they live in a surveillance society, so you’ve got to deal with their fears as directly as you can. Tell them that the whole purpose of the exercise is to give them £10,000 (and you lots of publicity), and that it’s not to track them down simply because they might have done something wrong.

Next, make sure when that you stage the “gotcha” stunt, you keep the media away from any embarrassing location – such as an STD clinic or a needle exchange. Some people get awfully sniffy about being caught in the wrong place.

If the person you actually locate is a minor, though, be really careful. It might not be lawful to give them the money, as they might not have given sufficiently valid consent to be tracked in the first place. Think about giving the prize to their parents (who may also be quite pleased that they finally know where their kids get to in the evenings, anyway). Or, to a lawyer of the children’s choice, so they can defend a counter claim from the parents for their share of the cash.

Be very careful at staging the “gotcha” stunt anywhere near where the target lives. British judges are pretty cool these days with the prospect of homeowners using whatever force they can muster to fight off robbers. So make sure those boom microphones look nothing like rifles. If they do, the on-site medic’s likely to be pretty busy. I wouldn’t like it if my front door was smashed in by a team of what I took to be professional thugs. Or by people dressed in boiler suits with your corporate logo tastefully sewn into the breast pocket. I might think it was an ICO dawn raid – again.

And whatever you do, keep the GPS-enabled packets of gum well away from the Germans. Actually, you need to abort the exercise if the target makes it past the German border. Their regulators can get really upset with location services. It doesn’t seem to matter that much whether German customers want location services – if German regulators don’t think they’re acceptable, and especially they the users haven’t read and signed long enough consent forms, then it’s all over. So, make sure the label contains a prominent “Not to be bought by Germans” notice. That will cause a bit of fuss – but think of the attendant publicity! You’re not acting in a racist manner, but simply to protect their best interests.

Finally, when you’ve completed the stunt, please turn the tracking devices off. There’s nothing more embarrassing than collecting huge amounts of information for no purpose whatsoever. This additional information will never be useful “just in case”. Just move on to the next project.

PS. Please also include a prominent notice on the packet warning customers of the dangers of swallowing GPS tracking devices. They contain metals which, if injected in significant volumes, cause the Health & Safety teams get quite excited.


Image credit:


Monday 1 October 2012

ICO staff to become TV megastars?

I’ve had this great idea about how our chums at the ICO could prepare a brilliantly fresh way of putting their message across that data protection standards really do need to be improved.

It’s clear that media interest in reporting the press releases that announce yet more fines against data controllers that can’t afford to comply with the current set of rules is waning.

So, deep in the bowels of my think tank, a focus group has given my idea the green light. Next, I need to attract the help of some media-thingy interns that have been let go from the BBC when it had to make budget cuts following the hugely expensive move from London to Manchester. Why? Because my cunning plan involves the ICO creating its own in-house TV production company to develop and distribute a new TV series.

Provisionally called “The Only Way is Wilmslow”, it will feature a team of Wilmslow’s finest, going about their daily work, armed with head cams to capture all those special moments.

Like the time someone put rabbit food rather than coffee grounds in the coffee machine on the second floor, and it actually tasted better.

Or the time when the inspectors visited the data protection desk grunt at some borough council in the midlands, and the door handle came off in their hands when they left. Some security measure that was.

I think this is a really promising idea.

The public need to know what good standards look like, and why so many shoddy practices are permitted to continue. If it’s all about the protection of personal data, then we ought to personalise it a bit more.

We could see worried local authority Chief Executives, surrounded by budget projections predicting imminent doom and gloom, discussing the finer points of where to site the Council’s only remaining fax machine. We could see the effects of co-locating the child support teams with the grants, repairs and insulation teams. And what happens when a part time administrator covers for both.

And we could have a You Tube spin off, featuring 30 second snippets of the greatest-ever out takes. Like the time when a senior investigator was sick after having coughed down a curry too quickly. At their desk. Or, when an angry pensioner superglued their hands to the front door of the office, in protest that the ICO wouldn’t fine a data controller that had been behaving badly and hadn’t fully replied to a Subject Access Request within the statutory period.

Of course, these events won’t have happened yet – the producers need to wait until the cameras start to roll before the more outrageous behaviour starts.

The focus group also considered whether the filming should take place just a few days before transmission, or whether it should be a “fly on the wall” model that follows particular issues from start to finish. I prefer the “few days before transmission” technique. I mean, can you imagine how long we would have to wait if the producers were, say, to do a programme based on the discussions about the proposed General Data Protection Regulation? Think of the continuity problems. Not only do fashions (and haircuts) change as the years go by, but so do so some of the ICO’s colourful characters.

The next step, I suppose, will be for my media-thingy interns to get the concept signed off with Andrew Rennison, the newly appointed Surveillance Camera Commissioner. If Andrew feels a bit unhappy that TV producers hadn’t thought of approaching him for a series first, he could always be offered a spin off in the event that “TOWIW” is a roaring success. Anyway, as he was only appointed on 14 September, hardly anyone knows him. Lots of people have heard of the Information Commissioner and his team.

Suggestions on who should be approached the perform the song for the opening credit, originally released by Otis Clay in 1980 but re-released eight years later by Yazz and the Plastic Population, should be forwarded to me at the usual address.

... My money is on Gareth Malone and the ICO Choir.

Image Credit: