Thursday 29 November 2012

Leveson Inquiry: data protection soundbites

Still no jokes today.

There’s lots for us to take out of the 2,000 report, so here are my suggestions as to the more significant comments about the ICO and the press. I make no apologies for reproducing this stuff – it needs our very careful consideration – because I don’t agree with it all.

My first impression is that had Lord Leveson managed to transport himself back in time by a decade, and had “smelt” both the environment within the ICO and the public expectations of the ICO at that time, I feel that some of his comments about the ICO might not have been made:

As an independent statutory regulator, the ICO has a prerogative to set its own priorities within the overall scheme of the powers and duties entrusted to it by Parliament. For the behaviour of the press to have no part in those priorities is not, on the face of it however, easy to understand. The ICO was created to have custody of the issue of the law and practice of information privacy as articulated in the data protection regime. This Inquiry was established to address arguably the greatest crisis in public confidence in information privacy since the creation of the data protection regime. A great deal of the evidence received by the Inquiry about press misconduct related to personal information privacy (including inaccuracy). The persistence of the ICO, even in the face of the commissioning of the Inquiry and the evidence received by it, in seeking to recuse itself from any proactive engagement in addressing the crisis in public confidence was troubling. Even allowing for the inevitably particular perspective that the Inquiry has, I do not find it easy to accept the proposition that the lack of priority which the ICO accorded to the press issue is obviously reconcilable with its overall public responsibilities.

The additional procedural thicket which the DPA erects in the way of anyone attempting to find out whether the press is complying with the law, that is to say whether their activities are genuinely covered by exemptions and if not whether they are complying with what is legally required of them, is for practical purposes near-insuperable. The press, so this analysis goes, is effectively beyond the reach of law enforcement. In that regard, the legal regime can be and is disregarded for any practical purposes. Whether what the press are doing with people’s information is or is not specifically exempted from the regime hardly matters in practice since the question is effectively prevented from arising.

More specifically, in relation to the ‘special enforcement regime’ provided in the 1998 Act in relation to the press, there are good grounds to conclude that it has had an unintended and damaging effect on the ability of the ICO to perform its functions. Exceptionally complex and largely unworkable in practice, it appears to have had a chilling effect on reasonable law enforcement and, equally, to have a high risk of impacting unfairly on individuals. In my judgment ... its removal would promote the overall public interest and a balanced improvement in the culture, practices and ethics of the press in its approach to personal information.

I accept that the current state of the legal framework in relation to the ICO’s civil law enforcement powers goes some way to explain the indications of reluctance by the ICO to take an active, or any significant, interest in the formal exercise of their regulatory functions in relation to the press. I do not, however, accept that as a complete explanation. In reality, there is a lack of evidence that the ICO has, over the years:(a) regarded the symptoms of deficiencies in the culture, practices and ethics of the press in relation to personal information as a serious operational priority;(b) shown a will to test in practice the powers and procedures conferred by law specifically for the purposes of ensuring compliance with the legal obligations of the regime by the press – however attenuated those obligations and however difficult those procedures; or(c) drawn attention politically to any perceived shortcomings in the legal framework in this respect. This raises questions about a possibly deeper reluctance to accept an active role in relation to the press. Neither do I accept that other operational priorities must be accepted without more as an explanation for ICO inactivity in an area which the very existence of this Inquiry demonstrates to be a matter of acute public concern.

A final issue to be considered within the framework of formal criminal law enforcement is the matter of sentencing. When dealing with the criminal law generally,I recommend that the Sentencing Council of England and Wales be asked to prepare guidelines in relation to information privacy and misuse offences (including computer misuse): for the sake of completeness, it is sufficient simply to repeat the recommendation and refer to the reasons for it.

The evidence before the Inquiry suggested that the constitution of the ICO as a corporation sole may, in at least some of these dimensions, have risked its ability to discharge effectively its functions in relation to the press. Unresolved questions must remain, for example, as to whether:(a) the informal approach adopted by the ICO to its regulatory functions (partly a matter, perhaps, of presiding over a regime struggling for a profile, also possibly a matter of personal leadership style) has contributed to a reluctance to bring issues to a head through the use of regulatory powers, and has allowed inaction to be an unremarked default within its own structure;(b) the tendencies of Information Commissioners to see themselves as having a major, even dominant, outward-facing role with a political or campaigning dimension has been at the expense of their ability to provide clear, engaged, understood and accountable leadership in the decisions made within their office, to the detriment of the quality of those decisions, and has posed some risk to the regulatory reputation of the ICO, including in relation to its quasi-judicial functions; and(c) its current constitution leaves the ICO with insufficient strength to match major business sectors with power and influence, such as the press.

The only questions I want to ask today are:

What regime does the Government honestly think it’s going to get if it allocates such a small amount of resource to a regulating such an important activity?

How much better resourced has been the Financial Services Authority?

And just how much more effective a regulator has that body turned out to be?

In the words of our Prime Minister: “Get Real.”



Leveson Inquiry: ICO to be reconstituted and to get a much bigger stick

No jokes today. There were grim faces at the Ministry of Justice first thing this morning, and then over in the Queen Elizabeth II Conference Centre when Lord Justice Leveson finally unveiled his report.

At 2000 pages, it’s so long that many of the detailed criticisms, however justly (or unjustly) made, will be read by just a handful of people.

But I want to focus on his recommendations on the the Data Protection Act and the Information Commissioner's Office. Here are the recommendations I think we really need to focus on:

• The procedural provisions of the Data Protection Act 1998 with special application to journalism in:(a) section 32(4) and (5)(b) sections 44 to 46 inclusive should be repealed.

• In conjunction with the repeal of those procedural provisions, consideration should be given to the desirability of including in the Data Protection Act 1998 a provision to the effect that, in considering the exercise of any powers in relation to the media or other publishers, the Information Commissioner’s Office should have special regard to the obligation in law to balance the public interest in freedom of expression alongside the public interest in upholding the data protection regime.

• Specific provision should be made to the effect that, in considering the exercise of any of its powers in relation to the media or other publishers, the Information Commissioner’s Office must have regard to the application to a data controller of any relevant system of regulation or standards enforcement which is contained in or recognised by statute.

• The necessary steps should be taken to bring into force the amendments made to section 55 of the Data Protection Act 1998 by section 77 of the Criminal Justice and Immigration Act 2008 (increase of sentence maxima) to the extent of the maximum specified period; and by section 78 of the 2008 Act (enhanced defence for public interest journalism). [ie the implementation of custodial penalties]

• The prosecution powers of the Information Commissioner should be extended to include any offence which also constitutes a breach of the data protection principles.

• A new duty should be introduced (whether formal or informal) for the Information Commissioner’s Office to consult with the Crown Prosecution Service in relation to the exercise of its powers to undertake criminal proceedings.

• The opportunity should be taken to consider amending the Data Protection Act 1998 formally to reconstitute the Information Commissioner’s Office as an Information Commission, led by a Board of Commissioners with suitable expertise drawn from the worlds of regulation, public administration, law and business, and active consideration should be given in that context to the desirability of including on the Board a Commissioner from the media sector.

Source: 1112)


Saturday 24 November 2012

Judging people through the prism of the internet

I’m careful not to be too judgmental on people I’ve never met. Reputation is a precious commodity, hard won and so easily lost, thanks to the way information can spread so quickly on the internet. I can think of a number of people whose reputations have been transformed recently, and have noticed how the internet has, for some of them, greatly enhanced their reputation, while in the case of others, reputations have been trashed.

Occasionally, these trashings have been for good reasons. But at other times, the gossip that was spread, or tweeted, was ill judged and plain wrong.

The point of this introduction is to explain how my impression of someone changed very quickly, and very radically, when I met him for the first time.

I had never wanted to go out of my way to meet him. After all, his reputation, in my mind, was one of some grubby sleaze merchant , the sort of man that even Del Boy, from the BBC TV comedy series Only Fools and Horses, might steer clear from.

But when I met him, a few days ago, my image was transformed. What I saw before me was an inspirational speaker, whose warm and engaging manner made you realise what a clever entrepreneur he was, Not a gambler, but a very shrewd businessman. And a very likeable businessman, too.

He looks you in the eye when he speaks. He adopts no manner of superiority. Instead you get the benefit of his experience in the world of commerce, where he has successfully run a group of companies, and is keen to talk about his great mistakes, as well as his successes. You feel that you are in the presence of someone who treats others as fellow human beings, not simply rabble whose opinions and views can be ignored.

(For the record, signing Emile Heskey for Birmingham City Football Club ranks as one of his greatest mistakes. Apparently, Emile’s CV described Emile as a “striker”. The description would have been more accurate if it had said “Striker who doesn’t score many goals”.)

Who am I talking about?

Obviously, I’m talking about David Gold, whose commercial interests currently include Ann Summers, Gold Aviation, Knickerbox, Greenwich House Properties, York Place and West Ham United Football Club. Formerly better known for his businesses in the field of adult publishing (and the Sunday Sport), it’s fair to say that his products might well have entertained many of us over the years – although few of us would wish to publicly refer to any particular product.

From beginnings of extreme poverty, shrugging aside numerous setbacks along the way, David Gold is now one of Britain’s most successful businessmen- and I was keen to understand why.

What struck me was that this man was keen to understand the commercial landscape within which he was working, and to take measured risks. Not to act in a reckless manner, but to knowingly adopt a particular risk threshold – and not to over step that threshold.

What’s any of this got to do with data protection?

If anything, it’s got to do with a theme that I’ll be expanding on in later blogs. It’s about the importance of developing the narrative. In other words, everyone likes a compelling story, and the critical thing, these days, is to ensure that everyone’s story is as credible as it needs to be. The internet can greatly help support these stories – but it can also act with brute force when malicious (or na├»ve) actors use the web to trash someone’s reputation.

Once published, (and, thanks to the Internet Archive), this material simply won’t go away.

A right to be forgotten does not exist in this context. And it never will. Whatever the European Commission or the European Parliament has to say about it. Regulators can’t control the contents of people’s hard drives. Or the contents of clouds. Or the impressions that are formed in people’s minds.

So, I am so glad to be reminded so vividly this week that the internet is not always right. And nor are my impressions of people, either. It’s only when you get to meet them in person that you can realise just how wrong about a person you really were.

Image credit:


Thursday 22 November 2012

My edited comments on the ICO’s Anonymisation Code

Yesterday, I explained that I had been asked by a professional journal to comment on the ICO’s recently published Code of Practice on Anonymisation, and that I would report back on the extent to which my comments were finally quoted.

Well, today I can report that they’ve been published. An extremely skilled editor has carefully reduced my text by 50% and has come up with something clean, crisp and compelling. It’s certainly better than my original version – and it targets a more professional audience, too.

For those who are keen to know just what was cut, here is what happened:

"The document may be 108 pages long, but it is quite easy to read
. There’s plenty of white space and nice photos, with key points highlighted in coloured boxes. Readers with a statistical background will get more out of the Annexes than Data Protection Officers who gave up maths at school as soon as they possibly could.

It’s refreshing to learn how to anonymise data effectively, thus ensuring that it falls outside the ICO’s remit. No breach reporting requirements, here!

My only quibble is whether the document really is a Code of Practice. I’ve been brought up to believe that Codes are relatively short regulatory mechanisms that set out what it is that needs to be done. Not a lot more, not a lot less.

But this document is far more than that [a Code of Practice] – it’s quite a comprehensive (and extremely useful) briefing manual on anonymisation, setting out the regulatory landscape, and drawing attention to a range of techniques to anonymise data, with case studies illustrating how this anonymised data can subsequently be used.

A number of pages are deliberately blank, and some are coloured gold. So ask yourself whether you really need to print the entire document, before doing so."

I like it. So I do hope I get asked to comment again, in this manner. My views always seem better when given a decent pruning.



Wednesday 21 November 2012

Commenting on the ICO’s Anonymisation Code

I’ve been asked by a professional journal to comment on the ICO’s Code of Practice on Anonymisation, which has just been released. I’ll report later on the extent to which my comments were finally quoted.

The full text of my response appears below.

But I will develop just one point, which niggled me as I was reading the thing.

In his introduction, Information Commissioner Christopher Graham explained that: “This code of practice is not a security engineering manual, nor does it cover every anonymisation technique. The Anonymisation Network will provide greater access to more detailed expertise and advice. But it does contain clear, practical advice and a straightforward explanation of some very tricky legal concepts. This code of practice will be of use to freedom of information and data protection practitioners, and to all those who are contributing to the creation of one of the world’s most transparent and accountable economies.”

So, is the document a Code of Practice, a Guidance Manual, a Briefing Note or what?

Having been involved in the creation of a few Codes myself (admittedly over a decade ago), I thought I knew what a Code was. But this document performs a slightly different function. Just a quibble, nothing major.

Anyway, for what its worth, here is what went to the requesting editor:

"The document may be 108 pages long, but it is quite easy to read. There’s plenty of white space and nice photos, with key points highlighted in coloured boxes. Readers with a statistical background will get more out of the Annexes than Data Protection Officers who gave up maths at school as soon as they possibly could.

It’s refreshing to learn how to anonymise data effectively, thus ensuring that it falls outside the ICO’s remit. No breach reporting requirements, here!

My only quibble is whether the document really is a Code of Practice. I’ve been brought up to believe that Codes are relatively short regulatory mechanisms that set out what it is that needs to be done. Not a lot more, not a lot less.

But this document is far more than that – it’s quite a comprehensive (and extremely useful) briefing manual on anonymisation, setting out the regulatory landscape, and drawing attention to a range of techniques to anonymise data, with case studies illustrating how this anonymised data can subsequently be used.

A number of pages are deliberately blank, and some are coloured gold. So ask yourself whether you really need to print the entire document, before doing so."



Tuesday 20 November 2012

Cookies: Revised ICC Guidance and the Spice Girls

Just another week to go before everyone gets very excited about the revised cookie guidance, which is due to be published by the UK Chapter of the International Chamber of Commerce, at a conference in Central London on 27th November.

Tension is mounting – what will be new and transformative?

Hopes are running high that the ICC won’t have altered their advice to a significant extent. The last thing data controllers are likely to want is the insertion of the word “not” in a piece of guidance that they have been using since last April.

Have I seen the latest draft? Not really. So I am now going to speculate on what it might contain.

I’m hoping it may offer a little more guidance on suggested wordings that data controllers could use if they don’t feel inclined to create their own text. Whether the actual words will matter is another issue. I’m getting too used to seeing a cookie button and instinctively clicking on it to get to the content I was trying to access in the first place. No, I don’t read these notices. Nor do I opt out of cookies, either. I actually find them useful. They present me with adverts that are embedded in a website that I’m slightly less likely to ignore than might otherwise be the case.

Of course, I do clear up my browsing history every once in a while by popping over to The Vatican’s website and seeding an electronic trail through some of their more interesting material. I do hope that whoever is monitoring my online behaviour understands what is happening. But I doubt it.

Given the general apathy that appears to exist about accessing the information that so many data controllers have sweated buckets over trying to provide, I’m wondering what cunning wheeze will next be created to force users to be interested in this stuff.

In the UK, voters have shown a remarkable reluctance to vote for Police and Crime Commissioners, so what is it that will get them more engaged in this process? Before it’s formally called a huge failure, that is. Perhaps most people really don’t want to know, after all. What an uncomfortable truth that might me.

My proposal is that all webmasters should be required to adopt a “Spice Girls” approach to consent. This approach requires the webmaster to present a series of choices to the user before they get to access the stuff they really wanted to see.

So, in my world, the user would be presented with a notice advising, in effect, that: “We use cookies, get over it. Click here if you’re sure you want to get to the free content.”

When the user clicks to get to the content (let’s be honest, the overwhelming majority will), another message will pop up which asks, teasingly: “Are you really sure?”

And, it’s only when the user clicks the second time to indicate that they’re really sure, that they get what they were after.

[If they’re after adult-related material, perhaps third step could be added which asks: "Are you really, really sure?”]

If anyone has any evidence that the newly introduced cookie consent measures have led either to users who are better informed, or, more significantly, users who have actually changed “their” preferences after having been prompted about the choices that are available to them, please get in touch. I would be delighted to hear about it.

More information about the conference which will launch this revised ICC UK guidance is on my website.

Others who feel similarly inclined to readjust their browsing pattern every once in a while to confuse the marketing community could also pop over to

Monday 19 November 2012

(Virtual) soundbites from the IAPP Conference in Brussels

Your very own Dataprotector was not able to attend the latest IAPP privacy conference. A conflicting set of obligations, working on a report that will receive some publicity shortly, meant that it was not possible to be both in London and Brussels at the same time.

However, thanks to the magic of the internet, which has been not-so thoroughly researched, I’ve managed to glean the most important quotes of that great occasion, which I present to you now.

To preserve the modesty of those who have quite a lot to be modest about, I’ve disguised the identities of the contributors. This simply because although I was able to read their Facebook posts, I’m not sure how many others were able to read them – so in the event that they were only published to a restricted audience, I’ll try hard not to breach any confidences.

You know who you are, anyway!

By the way, if anyone who was actually there feels that I’ve missed any (or their) vital contribution, please do let me know and I’ll add it to the following list.

Presenter (and politician): “We are working very hard on the Regulation to ensure that everyone is disappointed in the end.”

Despondent (and perhaps would-be) delegate: “I am truly expecting to be disappointed. I would be disappointed if I wasn't.”

Bemused delegate:
“Wow there are a lot of lawyers here! Now, where are the practitioners?”

IAPP staffer: “How do you celebrate an amazing IAPP conference in Brussels? Liegeoise waffles in front of the Manneken Pis!”

Jealous (perhaps would-be) delegate in reply:
“Just assume that every IAPP member who follows these globetrotting "Roughing It For Privacy" travelogs of stunning photos in spectacular locations wishes they were an IAPP staffer!”

Thirsty delegate:I SAID two pints of larger and a packet of crisps, PLEASE

Exhausted delegate (arriving back in ‘Blighty after the event, and having spent quite some time recently the other side of the world doing lots of privacy stuff): “ Sooooo looking forward to getting home.”

Warning Note:
Please do not tweet or re-tweet any of these comments. The law on libelous tweeting in the UK is both interesting and potentially expensive (for the defendant) and lucrative (for the plaintiff). I am publishing my comments in good faith and have no reason to believe that they are libelous. But, just in case someone gets awfully upset (and you know how upset people can get when things are published on the internet), please don't put yourself at risk of litigation by associating yourself with the sort of stuff I publish. On the other hand, if any readers are also libel lawyers, do feel free to get in touch and we'll see whether any of the juicer stuff that I've withheld from today's blog could ever be published!

Facebook & friends


Friday 16 November 2012

Exclusive: New Data Protection Carol

Continuing yesterday's religious theme, I've been wondering whether now is the time for the ICO chorus to learn a new Christmas carol.

They always give the impression that they love to sing words of encouragement to the great unwashed, so I've come up with a fresh version of an old standard.

For those itching to get tickets for the ICO's 2012 carol service, I understand that plans are afoot to ask the vicar of the local Church of "Oh Mother Mary what have this lot managed to do now" for an evening event featuring a bit of a sing song, before everyone pops to the pub across the road to celebrate Christmas in a less traditional manner.

Feel free to join in if you know the tune.

We three oiks of Wilmslow are
Spreading the message near and far
Slowly, gently, but intently
Raising the standards bar

Firm but fair, we aim to delight
Assisting data folk get it right
Some we know are not that bright
And need help to get of their plight

Our audit team will visit if asked
It will go wherever it's tasked
All set up to reacting fast
As poor practices are unmasked


We're enforcers, we're not fools
We don't make up the rules
Wielding our compliance tools
Against health trusts and some schools


Guiding all through the legal maze
Out of the office for days and days
Often giving firm OK's
Yet never getting much praise


We will hear in a week or so
About that fine from Wilmslow
Who will win - bet if you must
On Chris Graham or the NHS Trust


Image credit:
This image, of the cross at the top of Cross Mountain in Medjugorje, Bosnia & Herzegovina, was taken by Sean MacEntee on May 31, 2011.


Thursday 15 November 2012

Exclusive: New Data Protection Hymn

In honour of the recent announcement of the appointment of Justin Welby as the next Archbishop of Canterbury, I thought I would prepare a new data protection hymn for those of us who open our eyes each day and thank the Lord for allowing us to get away with whatever it is we've done.

As you know, I’m not that good at creating anything new. Given half the chance, I tend to turn to something old and familiar and give it a bit of a tweak.

Anyway, if James Edmeston were still alive (which is highly improbably as if he were, he would be 221 years old, and actually he died back in 1847), he might be tempted to rummage through some of the nearly 2000 hymns he wrote to see if there was one that could be suitably refreshed. In 1821, at the age of 30, he wrote the hymn that I have lovingly ripped off today.

Sung to Friedrich Filitz’s original tune, I’m confident that my version would gladden the heart of any data protection congregation. Indeed, I would be honoured to conduct the choir if it were ever to be aired on the BBC TV programme Songs of Praise.

Failing that, perhaps the ICO choristers could add it to their repertoire and perform it at the ICO's annual carol service (more details of which will be revealed in tomorrow's blog).

Lead us, Heavenly Father, lead us
To a better life on line
Help us, Father, help us sinners
(Make sure my data stays mine)
Lead us, lead us, lead us, lead us
To a better life on line

Give us, Heavenly Father, give us
Tools to stop the on-line spies.
Let us surf the web in private
(Keep me from all prying eyes)
Give us, give us, give us, give us
Tools to stop the on-line spies

Grant us, Heavenly Father, grant us
Fundamental human rights
Banish all embarrassing pictures
(Of me drunk and wearing tights)
Grant us, grant us grant us, grant us
Fundamental human rights

Spare us, Heavenly Father, spare us
From yet more data regulation drafts
Can’t you see that we are beaten
(Overwhelmed by what’s been published in the past)
Spare us, spare us, spare us, spare us
From yet more data regulation drafts

Bless us, Heavenly Father, bless us
As we build our new regime
Look with favour on our lady
(Viv is Europe’s Data Queen)
Bless us, bless us, bless us, bless us
As we build our new regime

Image credit:
This image, of the cross at the top of Cross Mountain in Medjugorje, Bosnia & Herzegovina, was taken by Sean MacEntee on May 31, 2011.


Wednesday 14 November 2012

Losing it with the Regulation

We are, I fear, well past the stage where normal data protection officers can follow the current debate on the proposals for a General Data Protection Regulation. It’s easier to understand Google’s privacy policy than it is to fully comprehend just what is going on, right now. Where are the egg heads, with brains the size of planets, when you want them?

Every few days comes news that yet another interested group of well meaning stakeholders have submitted comments, or produced a report on the thing. And then you’ve got to read it. Or at least a summary of it, if you want to keep on top.

One of the more recent contributions was a report commissioned by the European Parliament’s Committee on Internal Market and Consumer Protection. Published in September (and 88 pages long), it contains a series of quite detailed technical and policy recommendations, many of which will result, if implemented, in the text being more comprehensive and even less accessible to data protection officers without professional assistance.

The key recommendations were set out in an Executive Summary, which itself is 6 pages long. The usual things were mentioned – along with a couple of quite bright ideas too. I’ll leave the link at the bottom of this blog if anyone’s sufficiently motivated to read a copy for themselves.

It was a shame, I think, that when the Committee met to consider this important issue, a number of other issues were also on the agenda – and these may have attracted more interest from the Committee members. They do work hard though – as well as reviewing this issue, agenda items that day included

• the transparency of measures regulating the prices of medicinal products for human use and their inclusion in the scope of public health insurance systems;
• harmonisation of the laws of the Member States relating to the making available on the market of pyrotechnic articles (ie regulating fireworks); and
• harmonisation of the laws of the Member States relating to making available on the market of measuring instruments (ie regulating rulers).

Compared with that lot, the item on harmonising data protection laws must have been a doddle.

Guess what?

I’ve been advised by a chum that following the public part of the recent Data Protection and Privacy Commissioners in Uruguay, a closed session was held, following which 3 declarations - on cloud computing, profiling and the future of privacy were issued. My chum has set me a task – which I now pass on to you:

In all these years of issuing declarations, I wonder if any data protection officer has ever cited them as authority to do or not do anything?

I must admit that I racked my brains and realised that I couldn’t remember having cited anything. Then again, I’m not one of the high priests of data protection. I like an easier life. But that’s just me. There must be plenty of folk who hang on their every word.

So, a special prize (an image of a data protection anorak) will be winging its way to the first of these folk who can offer me evidence that they have actually cited anything in any of the declarations that have been issued by this most important group of experienced regulators. In the event that multiple entries arrive in my in-box at the same time, the prize will be awarded to the earliest citation.

Please note that staff of said Data Protection and Privacy Commissioners are excluded from entering this competition on the basis that they, at least, ought to cite these declarations every once in a while.

Ready, get set, write.



Tuesday 13 November 2012

Fines for UK data breaches: the great appeal

A landmark case will be heard shortly in ‘Blighty. It might clarify a few misgivings about whether it is right for organisations that depend on public funds to be deprived of public funds when their funds were not spent with sufficient speed to prevent a personal data breach.

What am I talking about?

Of course, I’m referring to the Information Commissioner's ability to award civil monetary penalties to various public authorities following personal data breaches.

I don’t want to say much about the appeal – other than to confirm that it won’t be held in the Supreme Court, which is the subject of today’s image. It will, however, be held in an equally historic venue, and I suspect that Data Protection Officers – and regulators – will be discussing the ramifications of the decision (or the appeal of the decision, if it comes to that), for many months to come.

Remember remember
The third of December
An edifying spectacle – not
As the parties assemble
At least one may resemble
By the end, a bit of a clot

Roll up, roll up
For an experience quite surreal
Will the parties do a deal
Before facts that are quite unreal
(Which some might well prefer to conceal)
Are laid before judges most genteel
The Tribunal hears the great appeal

Reserve your seats now
For the fight of the night
As the tension gets tight
And the witnesses might
Talk well past sunlight
And then highlight
Whether it’s really right
To expedite
The flight
Of the cash
For service users
To feel quite bright

Its passion and speeches
On data breaches
The ICO preaches
Against data leaches

What will all this teach us?
What will we all discuss?
Whom will we all cuss?
(And aren’t we all so grateful it didn’t involve us)

Image credit:


Saturday 10 November 2012

The chant of the Sado Dataprotectionists

My last blog has generated quite a bit of interest from people who have written to me to ask if I know of a local chapter of the Sado Dataprotectionists, as that they can apply to join it.

I’ve had to reply along the lines that I’m overly familiar with the way that sect organises itself. Indeed, I expect it thrives on a reasonable element of disorganisation, in order to prevent infiltrators from disrupting their activities to a significant extent.

I also understand that the membership lists are in a pretty grotty shape, as the paranoia of a data breach involving the membership lists, which might identify (probably former) high profile individuals is considered so significant that, rather than write the names down, the lists are simply committed to the memory of the local sect secretary.

What I can advise, however, is that there is a special chant that forms an important part of the initiation ceremony. The chant has been handed down from generation to generation, and oddly manages to remain quite relevant.

For what it’s worth, and for the first time in print, I am able to present to you their chant:

Come - share in our dream
Of rules ever more extreme
Beyond whatever has been so far forseen
From those in the current European regime

Rise up and be a pest
Make your first Subject Access Request
And see if you will be blessed
With any news of interest

Protect us from the menace of data retention
We need standards that are fit for today’s generation
Not data controllers that are too awful to mention
Tie them up in red tape with a new Regulation

We will preach from the pulpits: the rules are defective
With safeguards that are not sufficiently protective
The fines for public bodies have ceased to be effective
Oiks should get beaten on the bottom with the Data Directive

Come join us – let’s change the law

I must thank Victoria Wood for her wonderful inspiration for the penultimate line of this chant.

Image credit:


Thursday 8 November 2012

Save us from the Sado Dataprotectionists?

Move over, the Data Protection Taleban. A new movement is forming to take your place on the extreme edge of the privacy spectrum.

In practical terms, they are the irreconcilable. They are the people for whom privacy is an inalienable right. They will enforce their right be let alone at all costs. They don’t need to compromise their standards. They are purists who want to live in a world that I’m not sure exists any more.

They rely on abstract rules which are so complicated that you can only begin to understand them when you read the original German texts.

This quasi religious order doesn’t appear to be large. But, when you operate on the internet, you don’t need to be large to be effective. Sometimes, you don’t even need to be a grown up to be effective. Just search the net for reports of adolescents who have caused havoc on the internet, by being cleverer than the IT security engineers who are paid oodles of money to prevent cyber attacks.

So what should the pragmatic wing of the data protection community do to combat the challenges posed by these folk?

Not that much, to be honest. I don’t see why the mainstream element in the community needs to be blown of course by feeling obliged to respond to all of the demands of the irreconcilable. And, let’s be honest, the irreconcilable corner can be a pretty safe place to be. You don’t need to make messy pragmatic balancing decisions. You don’t need to take account of competing communities. Your aim is to remain pure – and to expect people to respect you for your purity.

In data protection terms, I like my policy making a little grittier than that. I quite like appreciating that different interest groups have their own agendas, and that the role of an honest broker is to exert leadership by laying down a roadmap which contains a path to a more utilitarian future. The greatest happiness for the greatest number. It’s a bit like democracy, but with proper safeguards to prevent abuse. I won’t use the term “fundamental rights”, as that term as become devalued recently. What’s “fundamental” to some is anathema to others.

So, my rallying call today is not “save is from the Sado Dataprotectionists”. Actually it’s “bring on the Sado Dataprotectionists”. I want to encourage the common-sense section of the data protection community to challenge these people and their purist nature. It is only in confronting this philosophy that we will gain strength in applying reasoned judgements which do not align with the thoughts of that community.

To be fair, I’m sure that a good number of these Sado Dataprotectionists are mild mannered people who wouldn’t harm a fly, and have no reason to impose their convoluted privacy views on the wider community. They just want to live their own lives in a way that suits them. I can respect that view, so long as it does not frustrate the needs of the (much more) mainstream community, for whom compromise is a way of life.

Unfortunately, a much smaller section of the Sado Dataprotectionst community are not so mild mannered. These hard liners could do damage, unless they are stopped. But how can they be stopped? How can they be traced? I’m sure their electronic vapour trails are very carefully obscured, and I expect it’s hard for their inner core to be infiltrated by sleepers. They don’t attend many commercial data protection conferences, so it’s quite hard to engage with them. I have found, however, that many of them are social animals who congregate in groups, enjoy a good drink and, mostly, have the same prejudices as me.

I think we need to deal with them by attacking their philosophy head on. We should use reason, mild mannered arguments, and humour to challenge them. There’s nothing like a good joke to break down a few barriers. Some people can take data protection so seriously. I know that, for many of them, their jobs depend on it. But please – lighten up just once in a while.

Wouldn’t it be nice to read the data protection trade press (well, you know what I mean) and learn about the good news stories that must abound. All I ever seem to get to read about is conflict, confusion and things that have gone wrong.

That’s why I try in this blog to keep things on the lighter side. Those who just want the serious data protection stuff needn’t browse to this site too often. I do have a sense of humour and I’m determined to share it with anyone who fancies a smile every now and again.

I must thank Ambrose Evans-Prichard for his phrase “sado monetarists”, which inspired this blog.

Image credit:


Monday 5 November 2012

Spotlight on the Brussels iapp conference

Privacy folk who have just unpacked their bags after their long trip to Uruguay will shortly be packing them again in preparation for the next big privacy conference, which will be held next week in Brussels.

I won’t be attending as I’ve got another commitment in London, which is a shame.

I do enjoy these international events as they do give me an opportunity to reassure people that I do care about this data protection stuff, and that I don’t just blog on privacy issues for cheap laughs.

Given that this event will be organised by the International Association of Privacy Professionals, I thought I would mark the event by proposing that the opening speaker do something just a little bit special. If I had my way, I would get everyone seated, then I would lock all the exit doors, pull down a big screen and bound onto the stage to advise everyone that this year’s ice breaker would be a spot of community singing.

Just a quick chorus of something that everyone might identify with.

A typical Broadway melody.

And if Cole Porter were involved with the lyrics, they might sound something like this:

Another op'nin, another show
This time it’s Brussels, well what d’ya know
A chance for DP folk to say hello!
Another op'nin of another show.

“Global interoperability: a goal within reach”
It’s what the speakers are billed to preach
But I bet I’ll hear the usual suspects teach
Us how to deal with another data breach

Another draft Regulation that I hope will last
The earlier version left us all aghast
Increasing pain as my ulcers grow
Another op'nin of another show.

For your speech: you rehearse and rehearse
For weeks, and it couldn't get worse
Your body language is much too tight
Then climb on to the stage and it goes all right

The conference seats are way too hard
People always asking for your visiting card
It's curtain time and away we go -
Another op'nin
Just another op'nin of another show!

Anyway, I send all good wishes to the speakers and to the delegates. Have a great time. And if you learn anything new, do let me know!

Image credit:

Sunday 4 November 2012

Working in the shadows of data protection

If you have not yet seen the brilliant new James Bond film, Skyfall, I urge you to make the effort.

In one tremendous, action-packed scene, it enables the magnificent Judie Dench to offer her thoughts on what she does to keep the nation safe. What concerns her most is what’s in the shadows. Not what people you can see, and are aware of, but those hidden actors whose menace and intent has yet to be fully revealed.

For just a second, I thought I was listening to EU Commissioner Viviane Reding. I’m not suggesting for a moment that VR would be a better M than JD. For a start, she would have to disrobe herself of all that bling. But both VR and JD share a common passion, which is to root out the evils that are being hatched in the shadows of cyberspace.

JD was lucky – she could rely on James Bond to (virtually) single-handedly confront one of the greatest menaces that ever emerged from Spain to threaten global domination. I’m not referring to Cesc Fabregas, or to David Silva. Just wait and enjoy whatever happens when Javier Bardem appears on the screen. But it means that JD can rely on a cunning human agent, whose instinct to know when to fire – and when not to – is quite remarkable. I don’t think I’m giving much away by pointing out that, at the end of the film, James Bond lives to fight another day.

Who is VR’s nemesis? Rather than baddies within the EU, I think we need to cast our eye a little more to the west. Perhaps to California. The trouble is that VR can’t rely on James Bond. She prefers to rely on an EU Regulation, developed by her team of officials. So, she is left with relying on what appears to be a complicated set of mechanical rules, which can, in certain circumstances, result in a pretty perverse set of outcomes. And I don’t think I could be accused of giving anything away if I were to predict that the next draft of this proposal will undoubtedly look very different to the current version. At the end of the process, this draft Regulation will turn into quite another beast, and will almost certainly return to amaze us all in quite a different form.

Now, if I were given a choice of seeing another 007 movie, or a movie featuring the mighty draft General Data Protection Regulation, I know in which direction I would be heading. I like the British sense of humour and the witty comments (no evidence of which appears in today’s blog). I like the casual way that both James Bond and JD deliver their often self-depreciating lines. You don’t get that when you listen to VR and you read the draft Regulation. Those grandiose sound bites and overlong texts are designed for a larger stage. I like my action a little bit grittier.

Don’t get me wrong. I also want to root out the evils that are being hatched in the shadows of cyberspace. But, in terms of effectiveness, I feel the assets that JD had available to her in Skyfall last night are vastly superior to anything that might ever be made available to VR.

Image Credit:


Thursday 1 November 2012

Rumours of a new timetable for “that” Regulation

First the good news: the House of Commons Justice Committee has just published its opinion on the European Union Data Protection framework proposals.

And what does it say?

“As currently drafted, the Regulation does give data subjects essential rights that must not be compromised during negotiations, and it has the potential to make data protection compliance easier for businesses, especially small businesses, which trade across the European Union. However, we do not believe that in its present form it will produce a proportionate, practicable, affordable or effective system of data protection in the EU.”

Also: "We regard as authoritative the UK Information Commissioner's assertion that the system set out in this draft Regulation "cannot work" and is "a regime which no-one will pay for", and we believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive, particularly in the processes and procedures it specifies." (paragraph 43)

No surprises there. When you take a closer look at the opinion (which many of us will), there are a few comments that are going to be challenging to data controllers, if they are to be implemented in their current form. Like the proposal to abolish the £10 Subject Access Fee (paragraph 77). I’ll leave it to you to find some of the others.

Now, the not so good news, depending on where you stand on the matter. It was not mentioned in the Committee's opinion, but it concerns the timing of the new initiative.

Yes, we all know how determined everyone is to move mountains to ensure that something is implemented in 2014. Of course this is what Commission officials are saying, and of course this is what Irish officials are saying, and it is the Irish that will be in the negotiation driving seat during the first half of 2013.

Well, I’m closing my book on taking bets that this initiative will be implemented in 2014. I just can’t take anyone else’s money and look them directly in the eye. I just think that too many heads need to be banged together in too short a time frame for 2014 to remain a realistic target.

The most perceptive players appear engaged in a different game. And when you assess their intentions, it’s likely that 2016 is a more realistic target than 2014.

I expect there to be howls of anguish that anyone would be so bold (or stupid) as to predict that the new initiative won’t see the light of day until 2016, as this really isn’t what anyone is supposed to be saying right now. But, let’s see if I am wrong – and how wrong I am.