Friday 28 June 2013

Parliamentarians ponder PRISM

It was standing room only in Parliament’s Committee Room 11 yesterday afternoon. People had packed the place to learn more about PRISM and what ought to happen next. Most of these people were Open Rights Group members, though. I saw two MPs and a couple of Parliamentary researchers, together with some well respected journalists who were also covering the event.

What did we learn?

First, that Parliamentarians knew nothing about PRISM (and the Tempora project) other than what they had read in the papers. Second, that they felt they were unlikely to learn anything of significance from the Foreign Office or from ministers. This sort of operational stuff is not for them. Such matters are usually considered by the Intelligence and Security Committee, whose members are appointed by the Prime Minister, and which reports directly to the Prime Minister.

It is the sort of stuff, however, that the independent privacy researcher Caspar Bowden knows a lot about, and he gave the audience a short lecture on what it is, why cloud computing providers ought to be concerned, and why businesses might increasingly look away from the UK and to other countries, particularly Germany, as a safe harbour for their commercial data assets in future. How do you fight cybercrime and protect privacy in the cloud? Ask Caspar, who will point you in the direction of a number of reports he has helped compile.

As David Davis MP started to speak, it became pretty clear to me that, despite his well known views on the issue, no-one from the Home Office has given him a private briefing about the cunning plans that are being hatched behind the scenes to improve the current scrutiny procedures. Quite why no-one from the Home Office has managed to correct his misconceptions about the current scrutiny procedures is a mystery. I can only conclude that there is a deliberate campaign to keep him in the dark.

Anyway, David warmed up by criticising the current RIPA safeguards, exclaiming that it’s been apparent that there are pretty poor protective measures in place. He commented that “the man at the desk next door” will readily approve applications for communications data, while a judicial figure would more closely scrutinise each request. He ended with a flourish: “Parliament ought to rip up RIPA and start again.”

If anyone from the Home Office had managed to brief him in the past six months or so, he would have realised that what is being proposed in the revised (and so far unpublished) version of the Communications Data Bill is, effectively, a complete re-write of the relevant parts of RIPA. There are plans for a radical ramp up of the regulation of the law enforcement authorities that seek communications data. I won’t say any more, otherwise I’ll feel a need to take refuge in a country that welcomes people like Edward Snowden and Julian Assange.

I can end on an upbeat note. I left Parliament yesterday with a couple of bottles of House of Commons triple distilled Speaker Bercow’s vodka. Produced in the heart of Cheshire, and bottled by G & J Greenall, it’s a smooth spirit with no heavy oil aftertaste. Marvellous! It's just the stuff that Parliament should be selling. Order some from your local MP today.

Thursday 27 June 2013

ICO enforcements – gone but not forgotten

I’ve found a great website that lists the data breaches that have been removed from the ICO’s enforcement pages.

I am greatly indebted to a chum who read yesterday’s blog and kindly gave me the address of Breach Watch, a website operated by John Elliott.

Breach Watch lists all formal action in response to data breaches taken by the Information Commissioner’s Office and the Financial Services Authority (recently split into the Financial Conduct Authority and the Prudential Regulation Authority).

Currently, visitors can browse over 260 reports of regulatory action. Updates are usually posted on a weekly basis.

So, if you need to review any FSA enforcement action from 2007 to 2012, or any ICO Undertakings, Enforcement Notices or Monetary Penalty Notices since 2007, you now know where to look.

As John explains, it’s a great site for people who want to learn from others’ misfortune, understand what the regulators are concerned about and get a better understanding of what constitutes appropriate technical and organisational measures. It’s also a great resource for trainers who need examples of real cases to spice up training sessions and internal reports.

And John also makes the following points:

"Over 40% of the undertakings and monetary penalties listed here were the result of the loss or theft of unencrypted data, typically on a memory stick or unencrypted laptop.

Over 50% were the result of insufficient training or education of staff, typically relating to insecure use of personal data, such as transferring it to an unencrypted storage device - notice the strong theme about unencrypted, portable data. Many of these principles also relate to the security of the physical documents.

A major point to appreciate is that in the majority of cases the insufficiently secure data was simply lost as a result of human error - it was the failure to prepare for such an event, rather than the loss of the item itself, that was the issue and the cause of the regulatory action.

In the case of theft it is extremely rare that the data was stolen for its own value, but rather was stolen alongside something else, such as a laptop or a bag containing physical records. Encryption of data in advance is important to prevent access to this data and minimise the danger posed by such unfortunate events.

Ensuring that staff are sufficiently trained in key data protection principles and that encryption policies are actually followed would protect against the primary danger of accidental loss, the most common cause of a breach threat."

This is seriously good stuff, and I commend this website to all responsible data protection folk.


Wednesday 26 June 2013

Should there be a “right to forget” about old ICO enforcement actions?

How should a data controller respond to the question “Has the organisation ever been subject to action by the Information Commissioner regarding complaints and or enforcement notices?”

Should a “Rehabilitation of ICO Offenders Act” be created, to set the expectations of people who ask such questions? After all, if an ex-offender can’t be questioned about their criminal convictions after a certain period, perhaps similar standards ought to apply to those who have fallen foul of the folk in Wilmslow.

A quick glance at the ICO enforcement site provides some clues to the answer. If you want to learn who’s been told to stand on the ICO’s naughty step, then this is a good place to start. The good news is that it lists no details of ICO prosecutions before June 2011, Enforcement Notices before December 2011, or Undertakings before May 2011. But it does list all Decision Notices since February 2005, all Monetary Penalty Notices (ie those awarded since it was given powers in February 2011) and all PECR breaches (ie those awarded since it was given powers in July 2011).

However, even though the old prosecutions, Enforcement Notices and Undertakings no longer appear on the ICO’s Enforcement Pages, details can still be found if you’ve a rough idea of what you’re looking for. Thanks to the mighty internet search engines (and the sterling efforts of a number of journalists and  firms of solicitors), details and occasionally comments about old enforcement actions can readily be found all over cyberspace.

Should a responsible data controller take the ICO’s lead, and assume that it is obliged to reveal details of enforcement actions while they are still available on the ICO enforcement site, but that once they have been removed it can forget about having been on the ICO’s naughty step?

Some would suggest that it’s unfair to expect an ex-offender to be required to reveal information that the Regulator has decided is no longer worthy of mention on the Regulator’s own website.

I’ve had a look at the ICO’s own policy on “Communicating Enforcement Activities” to see if that provided any useful guidance. A policy document was published in January 2010 and contained a commitment that the policy would be reviewed in 2011. However, it’s not clear if the review took place – and if it did, whether anything changed.

On the assumption that it has not changed, then (a slightly condensed version of) the ICO’s policy for communicating enforcement and regulatory activities is as follows:

“The default assumption is that we are likely to publicise enforcement and regulatory activities:

  • If it’s already a news story. We would probably also publicise the fact we’re investigating in these circumstances.
  • Where there’s an opportunity for education/prevention.
  • If it’s new, extreme, a first etc (standard news criteria).
  • If it meets a communications, corporate or information rights objective.
  • If it would help an investigation to publicise it.
  • If there are aggregate stories showing trends etc.
  • Where publicity is likely to deter others.
  • Where publicity would be in the public interest.

We are not likely to publicise enforcement and regulatory activities:

  • When releasing information could prejudice a trial.
  • When an investigation is underway (and it could be hindered by publicity, or the investigation may come to nothing).
  • When we have several similar cases and time or news constraints mean we have to choose.
  • If it is too dull or technical to make the news.
  • Where we would breach S59 of the Data Protection Act.

Preliminary notices
  • More suited to aggregate story, unless there is an overriding public interest to publicise it, all parties agree, if it was already in public domain, or if there is a regulatory need.

  • We will publicise undertakings depending on news value and/or if there is a need to address public concerns.
  • Where they relate to section 55 and are given by individuals in lieu of possible prosecution they will normally be put on our website in an anonymised form.
  • Undertakings will normally be kept on our website for two years.

  • We may inform journalists in advance.
  • We will adhere to contemporaneous reporting rules.
  • We may issue a news release.
  • In some cases we’ll provide the case summary to a journalist.
  • We will report on prosecutions in our Annual Report to Parliament. This also goes on our website and will normally be kept on our website for three to four years.

  • We may publicise cautions depending on news value.
  • More suited to aggregate story.

Enforcement Notices
  • We will publicise these depending on news value.
  • Enforcement notices will be put on our website and reviewed after two years.

Injunction application
  • More suited to an aggregate story.

Application for Enforcement order
  • We may publicise these depending on news value.

  • If publicity is desired, we will work with the relevant authority on communicating international inspections.

Information Notice
  • We are likely to publicise if it’s in the public domain.
  • We may publicise if it helps the investigation.
  • We are likely to publicise if there’s an expectation of an update or we need to show we have taken action.

Search warrant
  • We will publicise these in aggregate (eg in the annual report).
  • We may publicise if it helps the investigation.
  • We are likely to publicise if it’s in the public domain.
  • We are likely to publicise if there’s an expectation of an update or we need to show we have taken action.

  • We will not normally publicise the notice of intent to serve a monetary penalty. This is more suited to aggregate story, unless there is an overriding public interest to publicise it, all parties agree, if it was already in public domain, or if there is a regulatory need.
  • We will publicise the serving of a monetary penalty.”

Given that the internet hardly ever forgets, I think it’s safe to assume that once a data controller finds itself on the ICO’s naughty step, people aren’t going to forget about it for a very long time. So it might as well come clean about all of its past misdeeds, just in case someone carries out an internet search and unearths material that leads them to suspect that there has been a cover-up.

There certainly ought to be a right to forgive. I’m just not sure how we can actually enforce a right to forget.


Tuesday 25 June 2013

European citizens can’t agree on how much privacy matters

An interesting new survey from our chums at Big Brother Watch shows just how differently European citizens feel about their online privacy, even though the privacy laws around Europe are broadly the same.

Of course the laws are not identical. But they’re not hugely different. Most of the differences are administrative in nature and are of limited interest to anyone other than the data protection anoraks.

But what is surprising is how much people’s attitudes to privacy vary – and I’ve been wondering whether identical European privacy laws (which is what those promoting a Regulation want) would alter attitudes to privacy to the extent that citizens thought more along the same lines.

And I really doubt it.

The chart I’ve shown today comes from a survey recently carried out for Big Brother Watch by that reputable research organisation, ComRes. People were asked: “How concerned, if at all, are you about your privacy online?”

Evidently, Spanish people are most concerned about their privacy online, while Germans are the least concerned. The chart indicates whether respondents have no opinion (grey); are not at all concerned (dark green); not very concerned (light green); fairly concerned (pink); or very concerned (red).

But does this chart actually tell us much? I’d be happy to bet that it would look pretty similar if the question had been changed to: “How concerned, if at all, are you about your national economy?”

Are we to take it, from these statistics, that a generation of Spanish and French regulators have done an awful job of upholding decent privacy standards in their respective countries, and that only concerted action from the Commission can save Europe from a privacy catastrophe? I think not.

Instead, what I think the survey shows us is that there are different cultural attitudes towards privacy, despite the work that regulators have done to encourage and cajole data controllers to improve their data handling standards. The current rules have, after all, been in place for a mighty long time.

So, in my humble opinion, people have views on privacy that derive more heavily from national cultures than from national laws.

And if, as is my view, a European Regulation is unlikely to result in a narrowing of European attitudes towards privacy, then not a lot will be lost if there is no Regulation.



Monday 24 June 2013

Searching for the (next) Surveillance Camera Commissioner

Last week I mentioned that I had a cunning plan to increase the prominence of the recently appointed Surveillance Camera Commissioner. I wondered what I could do to ensure that the data protection community gets to know him a little better.

I reported that I would start by inviting him to a forthcoming meeting of the Data Protection Forum and the National Association of Data Protection Officers, to give him a public platform where the most pressing issues on his agenda can be explored by professionals who are keen to understand just what it is that concerns him.

Well, I’ve had a very nice reply from Andrew Rennison, discussing his availability for the next few dates that DPF/NADPO members have set for their meetings.

He also advised me that his term of office as Surveillance Camera Commissioner will end next February, by which time he will have completed two terms as the Forensic Science Regulator, and both posts have to be re-advertised.

Well, it would be a shame for him to leave the surveillance post so soon after being appointed to it. Perhaps he will re-apply.

Does anyone else plan to apply for the post?

If anyone does, and, if appointed, would like to introduce themselves to the data protection community at a joint DPF/NADPO meeting next March, then please get in touch.

Thursday 20 June 2013

Another really busy day on the privacy front

Earlier today, I joined the throng of data protectors clamouring for a good seat in Westminster’s Central Hall, where a healthy smattering of the usual suspects had assembled for the launch of the ICO’s latest annual report.

For some of us, it was to be the second time we had heard Christopher Graham today. The first time was before breakfast, live on Radio 4’s “Today” programme, where he was asked to comment on whether ‘data protection’ prevented the Care Quality Commission from naming senior managers apparently involved in a decision to destroy a CQC report criticising its inspections of University Hospitals of Morecambe Bay NHS Foundation Trust, where a number of mothers and babies died. No it doesn’t, in case you didn’t already know. And last night, just before bedtime, Jeremy Paxman had been praising his wise pronouncements on the same issue on BBC2’s “Newsnight” programme.

Now, he was with us in person, complete with a whizzy Prezi presentation that really puts my trusted PowerPoint slides in their place. No lights, smoke, mirrors or a platform. Just an hour of explanations about how his office enforces, educates, empowers, enables, encourages, and is both effective and efficient. Yes, this was an “E-Annual report”. Parliament got the only printed copy. The rest of us will henceforth rely on the electronic version (or a pdf document which is available from the ICO’s website).

What did we hear that was new?

“We are not an arm of Government” quoth the Commissioner.

“But you are an arm of the state” mumbled a member of the awkward squad, seated nearby.

“Local government is making a pig's ear of data protection at the moment” quoth the Commissioner. (Presumably he was referring to the amount of enforcement action that had been taken against wayward local authorities, but no-one asked him just what he meant.)

“2013 will be the year that organisations realise the commercial imperative of handling customer data properly” quoth the Commissioner. Well, let’s hope so.

Private discussions among many guests before and after the main event focused on the prospects of a Regulation being agreed by the European Parliament and the Council of Ministers by this time next year. According to my (occasionally reliable) source, it seems that a deal is being hatched that might just about get agreed by our political masters. But, if the European Commission really is determined to get a Regulation next year, then it is likely that the only Regulation that could be agreed would be a simple instrument that introduces a European Data Protection Board, to better co-ordinate the work currently carried out by the Article 29 Working Party. Everything else (which means all the contentious stuff) will need to be put off for another time.

So, if European Commissioner Reding wants to stand on some podium next year, as she did last January when launching the document containing that bunch of words cobbled together to form the text of the draft Regulation, to proclaim once again “Ladies and Gentlemen, we have done it,” then the only thing that might have got done is the thing that many of us didn’t express much of an opinion on, anyway.

Over lunch, another commentator mused on the way the data protection community was poised to shoot itself in the foot. Here, they sadly explained, was a great example of a wide range of people who essentially want to do good, but who are incapable of agreeing on what “good” actually means.

As far as I’m concerned, the near hysterical atmosphere in which “negotiations” are currently being carried out, with some stakeholders playing to the gallery rather than intent on reaching a deal, really makes me wonder how differently a new round of discussions will need to be managed if there is to be any chance of success next time.

Perhaps new faces are required at the negotiating tables.

Perhaps, too, I had better start crafting a lament about the demise of an unloved, fussy colleague.

I’ll call him Reg.