Wednesday 27 February 2013

Surely this can’t be because of data protection ...

If the Daily Mail is to be believed (and I appreciate that’s a big “if”), then today I have come across another piece of evidence which indicates that European policy makers may well be incapable of agreeing on the meaning of some of the most important concepts of data protection law, like fairness and consent.

This blog is not designed to criticise the policy makers themselves – more it’s to point out that various communities within Europe have very different social and cultural expectations as to what is considered appropriate behaviour. And I’m all for local communities being able to respect their own cultural sensitivities.

The evidence is the report that policy makers in Berlin have recently decided that it is not appropriate for a German TV company to copy the format of the British TV series “One Born Every Minute”, which follows staff and patients on a busy maternity ward. Why? Well, evidently, because it was an invasion of privacy for newborn babies.

Given that, in the UK, the viewers only get to see each baby for a few seconds after their birth, it’s really hard to appreciate why their fundamental rights can take precedence over the rights of the nursing staff and the patients, who really are the focal points of the programme, and who would certainly have signed as many consent forms as any conscientious broadcaster would have created.

I do hope that this story is inaccurate. I do hope that the inference – which is that “German data protection rules ” have prevented potentially great TV programmes being made in Germany, is incorrect. 

And I am so glad that the bods at the Information Commissioner's Office are evidently happy that the British version of “One Born Every Minute” doesn’t breach any sensible UK data protection rules.

If the German viewers aren't allowed to see their own stories, hopefully they can pick up the British version, so that they can enjoy what they have been forbidden to create themselves.


Sunday 24 February 2013

Another wild claim about "that" Regulation?

The Dutch MEP Sophie In 't Veld has high hopes for the forthcoming General Data Protection Regulation (or whatever it will end up being called). 

Apparently, new rules can force companies into innovating, and could give the EU a competitive advantage. I’m not sure over whom, but I suspect that what is meant behind the claim is that those data hungry non-EU-based organisations (mentioning no names, of course) would find their services less compelling if only the EU organisations got their regulatory acts together.

Well, if that happens, then I’m all in favour of the new rules.

But is it likely to happen? 

How much additional red tape usually results in a company obtaining a competitive advantage?
Answers, please, on a postcard, to the usual address.

And make the handwriting legible this time. Too much time at the keyboard kills those essential handwriting skills. 

Wednesday 20 February 2013

Decision time at the European Parliament

Glancing at a recent news report, I see that, coincidentally, some European Parliamentary Committees are voting on a wide range of amendments to the proposed General Data Protection Regulation at almost the same time that various European regulators are threatening (again) to take action against Google for apparently behaving in an awful manner.

Presumably, these events are not linked.

Presumably, there is no attempt on the part of certain regulators to keep stories about awful overseas-based data controllers in the minds of the public (and their MEPs) at the very time that some MEPs are supposed to be wading through documents stuffed with impenetrable data protection amendments. 

If the rules were changed to allow European parliamentarians only to take part in votes on amendments and issues that they understood, I expect that the number of politicians eligible to take part in votes on the Regulation would drop quite substantially.

As it is, I’m sure that lots of amendments will be waved through by people who may not fully appreciate the financial implications of what they are doing.

But never mind.

Perhaps when the Member States have had their say on what the instrument should look like, the text will have radically changed again.



Monday 18 February 2013

ICO fires more shots at the Regulation

At 82 pages in length, some people will be grateful that the ICO has just decided to publish in full its views on the proposed General Data Protection Regulation. Many more people will hope that someone else will read it for them, and produce a note summarising the highlights.  

(Top tip – if you can’t stomach all 82 pages, there are 2 pages of similar stuff elsewhere on the ICO’s website.)

Well, this blog is not a note about any of the highlights.

But it does cast some light into the debate about two of the controversial areas – one of which I suspect that many Data Protection Officers will not have been unduly concerned about. However, the issue still deserves careful thought by Member States. It concerns the structure of the European Data Protection Board. This is evidently what enough members of the Article 29 Working Party are planning to call themselves, although I’ve recently heard that not all members of the Article 29 Working Party could agree on a new name for that august body.  

Anyway, the issue concerns the European Data Protection Supervisor, and the role that person has to play in future. As we all know, the EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection.

And, as we all know, Article 2.2(b) of the proposed Regulation provides that it does not apply to the processing of personal data by the Union institutions, bodies, offices and agencies.

So why should the proposed European Data Protection Board have to include someone who is not tasked with regulating any relevant institutions? The concept is hard for some people to accept.

But, it gets better.

Article 69 of the Regulation provides that: “The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.”

The ICO has commented: “We are not clear how this can provide for an election if one of the deputy chairpersons has to be the EDPS.”

I commend the ICO for its restraint. Others may well protest at the absurdity of a situation where a democratic election may need to be “fixed” to guarantee the election of a regulator who is responsible for institutions that are exempted from the regulation he is supposed to be supervising.

If this is European democracy in action, then I’m a banana.

In the UK, rotten boroughs in Parliamentary elections were abolished in the 19th Century. The most notorious borough was Old Sarum in Wiltshire. At one election, the electorate comprised 3 houses and just 7 voters, yet they had the responsibility of electing 2 Members of Parliament. It would be deeply ironic if the Regulation were to effectively propose their reintroduction.  

The second controversial area I want to highlight in this blog are the ICO’s very wise comments on Article 63, which provides that: “For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.”

In a masterpiece of understatement, the ICO has suggested that: “We need to think through the implications of this degree of harmonisation. It could lead to the prohibition of a processing operation which is acceptable to the citizens of the UK – or – on the other hand – to unacceptable processing being legitimised on the basis of a simple majority vote.”

Just wait until those gentle folk in UKIP get to hear about this one. Other commentators might have preferred to shout “Keep your towels off our lawns.” We Brits don’t mind harmonisation when it makes sense, but we do bristle when we are required to adopt practices that go against the grain of our culture and national identity.



Thursday 14 February 2013

Former regulators as lobbyists and consultants – a good idea or not?

I understand that the European Ombudsman has just launched a formal investigation into allegations that the European Commission is failing to clamp down on conflicts of interest amongst staff who leave the EU executive to take up jobs as lobbyists and consultants.

An original complaint was filed with the Ombudsman in October last year by NGOs Corporate Europe Observatory, Greenpeace, Lobbycontrol and Spinwatch, claiming that the Commission is unwittingly allowing private interests undue influence in public policymaking.

The Ombudsman is due to launch a formal investigation, and will seek previously undisclosed details of all cases in the last three years where Commission staff have left to take up jobs in the private sector where conflicts may occur.

I think the Ombudsman needs to tread carefully. These people can be of considerable value once they have left their previous post, as they can often offer information which, thanks to a defective communications strategy, was missed even by those who try to follow relevant developments very closely.

Let’s hope the investigation isn’t widened so that it includes former members of Data Protection Authorities too. 

I’ve frequently found their advice and instincts to be extremely astute. They certainly help a data controller understand the likely concerns that a Commissioner will have. I say that it would not necessarily help matters if attempts were made to muzzle them for a fixed period after leaving their former posts.


Monday 11 February 2013

Smart metering could be of more value to plebs than professionals

Who benefits most when utility companies replace existing gas and electric meters with what is becoming known as "smart meters"?  These new meters are the next generation of meters, which can offer a range of benefits for both the individual electricity and gas consumer and for the electricity and gas systems in general. 

For consumers, I guess the principal issue is whether their introduction will result in financial savings, by reducing consumption of gas and electricity.

The answer, at least from a pilot study carried out in Ireland in 2011, is evidently yes. On average, the saving could amount to 2.9%. Naturally, some people will save more than others. But surprisingly (to me at least), those who are likely to save the most don’t belong to social classes A and B. 

According to the report: “Participants with the highest and lowest education and social grade education are least likely to reduce usage. This may reflect motivation (among those with AB social grade) and communication (among those with lower social grades C2 and DE). While efforts were made in the communications strategy to be inclusive, the difference may reflect more fundamental barriers to engagement among those with lower levels of educational achievement.” 

Marketing professionals will be aware that social class A contains the upper middle classes (higher managerial administrative or professional people), while class B contains the middle classes (intermediate managerial, administrative or professional people). Such people only saved some €13.27 during the year-long trial. Less than anyone else. 

Their savings were trumped by those from social class C1 (the supervisory or clerical and junior managerial, administrative or professional staff), who saved €25.07. They were also trumped by those in social classes D & E (the casual or lowest grade workers, pensioners and others who depend on the welfare state for their income) who saved €18.22. And they were even trumped by the skilled manual workers (the C2 class) who saved €16.42.

So, while I’m expecting that the professional classes will create more of a fuss about ensuring the data protection aspects of any smart metering programme fully comply with any regulation that can be thrown at it, those who may ultimately stand to benefit most from the process will be the plebs, who deserve an equal opportunity to get fully engaged in the relevant data protection debates.

Smart Metering Information Paper: Gas Customer Behaviour Trial Findings Report CER11180a, published by the Commission for Energy Regulation, October 2011.


Sunday 10 February 2013

Cookies: Perhaps this is what the fuss was all about

Now the cookie rules have been in force for so long that many of us have moved on to deal with more pressing issues, I’ve been asking myself what the fuss was really all about.

There have been benefits. New careers have been forged in the compliance industry, and webmasters are (probably) more aware of what “their” websites do than before. Compliance professionals have developed a new vocabulary of terms which have been posted on the pages of websites that are accessible by those few, yes those happy few, users who click on the links to learn more about cookies.

The more frequently I click on these links, the more frequently I smile. I read down long lists of cookies, carefully explained and categorised, and I think to myself ‘surely I can’t be the only person not to understand much about this stuff.’ If ever we have found a way of not engaging with users, then surely this is it. 

But then again, I don’t remember any specific campaigns mounted by the privacy brigade demanding better transparency about cookies at the time the e-Privacy Directive introduced the new rules, nor do I recall reading any letters from customers of the companies I used to work for mentioning that they wanted to have the right to opt out of certain types of cookies. Yes, people wanted the right to object to personalised advertising, but I can’t think of a single letter from a customer that ever mentioned cookies.

Moving on to the present, however, and thanks to the way we lead our current lives, what we have is a situation where, thanks to the efforts of the privacy lobby and some of the regulators, people are much better informed about the electronic trails that they leave.

But has this changed user behaviours? Or user preferences? 

Have many people taken advantage of their ability to obliterate some of these electronic trails by objecting to certain types of cookies?

I’m really looking forward to seeing evidence that many people have.  

What I do see are renewed efforts by the regulators to encourage greater transparency – particularly in the mobile arena, where the focus is now shifting to mobile application developers. Yes, these developers need to become far more transparent about what they do with the data that is hoovered up. But, I don’t think this will necessarily damage their business models.

The point, after all, is simply to explain what is being done with the data that is being obtained. In larger organisations, yes this will be a challenge – a challenge of information accountability. Many more organisations seem to have an information security officer than they have someone accountable for the information that actually populates these databases. The challenge, therefore, is to understand just who is accountable for the information that is being processed, so that they can be accountable for the cookie explanation.

I don’t think that these explanations, once published, will necessarily cause users to object to what is being done. So I don’t think they have much to fear.

The only thing for businesses to fear is not making these explanations available in the first place.

To my mind, the greatest thing to have emerged from the great cookie saga has been to highlight the role of effective information governance in an organisation.

And it’s been highlighted, I think, by pointing out how hard it is to find it within so many organisations.


Wednesday 6 February 2013

Communications Data Retention – The ISC’s report

The Intelligence and Security Committee has published its eagerly awaited (28 page) report on how the proposals in the Government’s draft Communications Data Bill might affect the use of communications data by the intelligence and security agencies.

It complements the more wide-ranging (101 page) report that was published last year by a Joint Parliamentary Committee that I worked with.

It won’t come as a surprise to anyone to learn that the conclusions are very similar.  Both reports considered that the Bill should be much more specific about the records that providers should (generally) be required to retain. 

The ISC, naturally, is keen that people who may be of interest to the agencies are not given an opportunity to learn precisely where the gaps in capability are. If targets knew where the gaps were, they might be exploited to evade detection. Accordingly, the ISC considers that notices to particular providers, requiring them to retain particular data types, should remain secret.

That may be highly desirable as far as the agencies are concerned, but in many cases the records, if they exist, will eventually be produced as evidence in legal proceedings that relate to criminals who are of no interest to these agencies. How can a capability by a provider to retain particular records remain a secret for the agencies, but be public knowledge for other parts of the law enforcement community, the courts – and also for customers when they exercise their subject access rights under data protection legislation?

It is not at all easy, in an internet age, to tinker with the transparency agenda. Perhaps there is a trade-off between short-term dips in operational capability and greater public pressure on a provider (or providers) to start to keep records that, for commercial, technical or legal reasons, are not currently kept.

I would expect the Government to adopt an approach that allows a greater, rather than a lesser, degree of transparency. All citizens expect the State to provide a certain degree of public security, and for that the State needs the tools that are necessary to enable it to carry out this role. But citizens also want to be confident that the State is only doing what is necessary and what is proportionate.

Now that this report has been published, it shouldn’t be long before we hear about the Government’s revised plans to ensure that those who have the capability to inspect our communications remain fully accountable.

Access To Communications Data By The Intelligence And Security Agencies, Cm. 8514


Sunday 3 February 2013

ICO’s 2013 conference programme revealed

Those who applied to attend the ICO’s conference, to be held at the Manchester Central Convention Centre next month, ought to have received their official confirmations by now. If you are among the lucky ones to have been accepted, then I look forward to seeing you there. 

The agenda is packed with an impressive range of seminars to attend – as well as keynote speeches by the usual suspects, and perhaps a surprise or two. 

What will be the overarching theme of the day? What crumbs of comfort will stressed data protection officers be getting? Will it all be bad news?

Using the phrase so cleverly twisted by Graham Smith last year, when opening the event as the first of “The Smiths” to speak, it wasn’t his aim for everyone to leave thinking “Heaven knows, I’m miserable now”.

That joke isn’t funny any more. 

Stop me if you think you’ve heard this one before.  I’ve set out, in my usual way, what I think the theme of the conference will be:

The speakers are confirmed
It’s been trending on Twitter
If you’ve got your invitation
Then you must be a big hitter

From the many who applied
To the few who were chosen
From the warmth of an office
To the conference centre frozen

But we are there, we are ready
We are waiting to cause mayhem
To a storm of applause
The chairman calls Chris Graham

He tells it as it is
To an audience quite hushed
Starting with an annual round up
He does not care to be rushed

Some thoughts from the heart
Into his soul he will reach
For his true opinions
On the latest data breach

Then a few words of comfort
For those seeking information
About who is saying what
On the draft regulation

Then it comes – the big announcement
Which gets us all in a tizzy
For our special entertainment
Will be some songs by Thin Lizzy

Who cares about The Smiths
Despite their renown
As we all sing the chorus
‘The boys are back in town’

Why an Irish group that imploded
Some 21 years ago?
What’s the link to the conference?
That’s what we wanted to know

That band started in the 70s
And it surely is a fact
Their greatest hits were well before
The Data Protection Act

Perhaps the themes of the event
Are relax and don’t get stressed
If you have no bad intent
Try your hardest, do your best

Do it your way if you must
But should there be a time
When you really come a cropper
You might face a stonking fine

(Please note, I was joking when I suggested that Thin Lizzy would be performing at the event. But they are still touring, you know.)

Saturday 2 February 2013

Another fraud from abroad

One of my email accounts has just received a communication from someone with a Yahoo.Japan email address:

This is Miss. Charlote Siegloff from Trinidad &Tobago. I am writing from the hospital in Cote D'Ivoire, therefore this mail is very urgent as you can see that I am dying in the hospital. I was told by the doctor that I was poisoned and has got my liver damaged and can only live for some months.

I inherited some money ($2.5 Million) from my late father and I cannot think of anybody trying to kill me apart from my step mother in order to inherit the money, she is an Ivorien by nationality. I want you to contact my servant with this informations below:

Mr. Mathins Henry.
Address: Rue De La Princess L/G 152 Cocody
Abidjan, Cote D'Ivoire.

He will give you the documents of the money and will direct you to a well known lawyer that I have appointed to him, the lawyer will assist you to change the documents of the money to your name to enable the bank transfer the money to you. This is the favour I need when you have gotten the money :-

(1) Give 10% of the money to my servant Mathins Henry, as he has been there for me throught my illness and I have promised to support him in life. I want you to take him along with you to your country and esterblish him as your son.

(2) Give 10% of the money to Charity Organisations and Churches on my name so that my soul may rest in peace.

Note;This should be a code between you and Mathins in this transactioin "Hospital" any mail from him, the barrister he will direct you to, without this code "Hospital" is not from the barrister, Mathins, the bank or myself as I don't know what will happen to me in the next few hours.

(3) the lawyer's name is Mc Lambert Adams. And Let Mathins send you his National ID or his passport to be sure of whom you are dealing with. Mathins is so little therefore guide him. May God bless you and use you to accomplish my wish.

Pray for me always.
Thank you
Miss. Charlote Siegloff.

Surely, if anyone falls for this stuff, they have no one to blame but themselves. 

Hopefully, by now, our chums at Yahoo! will have received enough complaints to block both Charlotte’s Japanese email account and the address that people were invited to contact Mathins on.

Image credit:
The world (as it was known and ruled in 1910)


Friday 1 February 2013

Displacing dodgy data protection training

How do you know whether someone has an appropriate level of experience in data protection?
This question is becoming quite important, as a variety of organisations are currently offering various types of certification of data protection proficiency. 

But are these certificates actually worth much? What assurance do they give that the bearer of the certificate is any good at applying legal principles in a manner that is acceptable to an employer or to a regulator? Which is the best one?

Given the increased level of public interest in data protection, I expect that it won’t be too long before the spotlight falls on the training organisations that currently operate in the UK. Does each organisation really offer the trainee an adequate level of knowledge, and is the certificate that is subsequently acquired of much practical use to a British data protection officer? 
Yes, employers like people who are qualified. But qualified in what respect? If they are not careful, employers will just rely on the publicity that is churned out by the certification providers. But publicity about how good their own certification is cannot really be taken as a sufficiently objective measure. 

What qualifications really are appropriate? Those issued by the British Computer Society/ISEB? PDP? Act Now? Or the IAPP?

Here, there might be a role for National Occupational Standards. These are standards which describe what an individual needs to do, know and understand in order to carry out a particular job role or function.  As the NOS website helpfully points out, they are:
"National because they can be used in every part of the UK where the functions are carried out;

Occupational because they describe the performance required of an individual when carrying out functions in the workplace, i.e. in their occupation (as a plumber, police officer, production engineer, etc); and

Standards because they are statements of effective performance which have been agreed by a representative sample of employers and other key stakeholders and approved by the UK NOS Standards Panel.”

Trainers in the policing and law enforcement area have recently created a standard with the snappy title of “SFJ ZA11 Ensure organisational compliance with Data Protection legislation”.

Perhaps what we need is for more industries to create suitable standards, and then for an independent regulator to assert whether the certificates offered by the major training providers adequately meet these standards.

Otherwise, we might see training organisations taking advantage of the growing fears that organisations have when they realise that they need to get data protection right, by delivering inadequate training to students.

If ever there were a need for regulation to protect the public against dodgy standards, then perhaps there is a case for the data protection training market to be more formally regulated.