Wednesday 31 July 2013

More evidence of the death of civil monetary penalties?

An interesting enforcement notice has been slapped into the hands of the Chief Constables of the Leicestershire, Derbyshire and Nottinghamshire Police Forces. Usual reason – sloppy data protection handling standards, bordering on the farcical. Here we go again – unencrypted laptops were stolen, containing (among other things) prison records and other details relating to approximately 4,500 offenders from across the forces. 

The subsequent ICO investigation found that an East Midlands Collaboration Unit had been set up for mutual assistance purposes, although it wasn’t clear why the information on the laptops really needed to be pooled. No-one had bothered to carry out a risk assessment to assess what information needed to be pooled to ensure the Unit met its objectives, nor how such information ought to be appropriately protected.

I could go on but I won’t . And I guess that all over the country, some of the more enlightened members of the data protection community are thinking “there but for the grace of God go I”. This unit can’t have been the only one to have been set up, no doubt with the best intentions and with no desire to operate recklessly,  but now something has gone wrong, someone will get a good kicking for having allowed the reputation of the police to get another hammering.

What stands out to me is just why, in this case, the ICO decided that an enforcement notice was more appropriate than a Civil Monetary Penalty. After all, the theft of the laptops occurred in August 2010 – some 4 months after the ICO had the power to award Civil Monetary Penalties. So how can the police not be fined when Health Trusts have been fined when they lost similar amounts (and often much less) sensitive personal data? 

Is the ICO appreciating the futility of fining public sector organisations? Or is it just concerned not to damage the close working relationships that must be maintained with the police forces as it works with them and the Crown Prosecution Service to take effective action against the criminals who commit data protection (and similar) offences? Or is it for another reason?

We may get a better idea of the current attitude to fining public sector bodies when the ICO announces what action it will have taken against the Ministry of Justice following the recent admission that a network server containing 400,000 confidential court files – including the personal details of victims and witnesses, was apparently stolen by a subcontractor in January 2012 during the decommissioning of Salford Magistrate’s Court. No-one noticed the theft for several months – until the server was offered for sale on eBay. 

Will the MoJ be required to pay a Civil Monetary Penalty for this awful incident? Or will the Minister of Justice simply be served with an Enforcement Notice that requires him to ensure his Department follows the laws he is responsible for drafting more carefully? And how will this affect the quality of the working relationship between the ICO and the MoJ?

I can’t wait to find out.



Wednesday 24 July 2013

Surveillance self defence - US style

Americans who are scared – really scared – of having their on-line privacy compromised will enjoy browsing the Surveillance Self Defense website, which is a project of the US-based Electronic Frontier Foundation.

If they want to know more about risk management, protecting data stored on their computer (in terms of what the Government can do and what users can do to protect themselves), data on the wire, information stored by third parties, foreign terrorism and intelligence investigations, and defensive technologies, then this is the website to browse.

For those who can’t wait to get to the payoff, here it is:

  • If you don’t keep it, they can’t get it – so destroy unnecessary records
  • If you do keep it, protect it with file encryption and strong passwords.
  • Encrypt your internet communications to prevent wiretapping
  • Use anonymising tools like Tor when you’re online. 
  •  Always delete your providers’ copies of emails and voicemails as soon as you no longer need them.

All pretty basic stuff, really.



Tuesday 23 July 2013

The Regulation: heading for a slow death

I’m thinking of running a Regulation sweepstake – and the winner will be the first person who correctly identifies the first European Commissioner to predict in public that, because of the range of disagreements over its content, the Data Protection Regulation is not going to be agreed before the June 2014 deadline.

If just a few of the many thousands of data protection aficionados contact me with, say, a ten Euro stake, some lucky person could soon be in possession of an awful lot of money. And for what? Just for nominating the bravest of the brave – ie the person who is prepared to put their head above the parapet and be the first to confirm what is surely obvious to everyone. 

But then again, who would do that? Who would presume to step out of line and confirm that the legislative process that needs to be undertaken can’t be trimmed to suit the needs of the EuroParliamentary calendar?

That would almost be admitting defeat.

That would be akin to admitting that the proposal to introduce an absurdly complicated Regulation (together with a Directive on various data protection issues affecting law enforcement) was not the brightest of bright ideas.  Or admitting that the concept of legislating without knowing the financial effects of the proposals was, perhaps, a little on the silly side. Or admitting that an emphasis on processes, rather than outcomes, to encourage innovation, was perverse.  

Still, in this glorious summer season, when politicians (and some policymakers) are taking a much deserved break, now is the time to let our money start talking. Those of us who have been on this policymaking circuit for some time know what the outcome will be. A glorious own goal. Proof that the privacy community is incapable of collectively knocking its head together and hammering out a shared understanding of what it is that matters to us all, in this data rich world.

Do we have no collective vision? 

Evidently not.  The lack of engagement between some elements of the privacy community is quite staggering -  and I blame the cultural constraints that make it impossible for these sides to embrace ideas deeply held by others.  On the policymaking side, I see so little leadership from the European Parliament. A lot of posturing, yes, but no real leadership. Who are the key players and who are the clowns? And how is it that so many clowns generate so much media coverage? Just because they are so willing to speak at conferences etc doesn’t make them any less a clown.

Perhaps, in a future (and more Eurosceptic) European Parliament, there will be a greater emphasis on ensuring that general policies can be tailored to meet the cultural needs of different communities. There may be fewer “fundamental” rights  - and privacy rights that were suitable in a pre internet age will eventually be tailored to the realities of data rich societies.

And perhaps, in future, there will be a focus on what can be achieved by a data rich society, rather than just on the constraints that policymakers wish to place around those few, those very few, players whose creations will transform our lives very much for the better.  If I were incubating a creator, I really wouldn’t encourage them to set up their operations in a regulatory environment that was as hostile as that which the European Commission is currently proposing. 

But enough of my rant. Today we ought to be thinking of what we can do that will bring us all joy, rather than what rules can be put in place to constrain us.

Greetings to the latest member of the Royal Family. I only hope that he grows up in a world where policymakers do what they can to bring people joy, rather than set petty rules to constrain people from creating stuff they might find really useful. 

Image credit:


Monday 22 July 2013

RIPA: Government “reforms” make it far less likely some criminals will be caught

I doubt that David Davies MP or many of our chums at the privacy campaigning groups will be too keen to highlight a huge problem recently spotted by Sir Paul Kennedy, the former Interception of Communications Commissioner

David Davies is well known for advocating that the procedures about who should be capable of obtaining communications data should invariably involve a judicial warrant, rather than a the signature of a senior law enforcement  official, supported by an experienced SPoC (Single Point of Contact) officer. In his (and their) view, a judge will always be better placed to offer a far better degree of impartial oversight than “the man at the desk next door.”

Accordingly, he was pleased to support a provision in the Protection of Freedoms Act 2012 which meant that since last November, Local Authorities have had to obtain judicial approval before they could acquire any communications data. 

But in his Annual Report, published last week, Sir Paul Kennedy has commented on the consequences – which is a 63% reduction in the number of applications by local authorities in the first 4 months of the legislation being enacted. In his words:“ I do not believe that local authorities have stopped requesting the data because they no longer need it, but I suspect  the reason they have stopped is due to the overly bureaucratic and costly process now in place.”

Sir Paul continued: “Local authorities have reported experiencing lengthy time delays in just obtaining an appointment with a magistrate (in the worst case 6 weeks). Other local authorities have reported that the magistrates were totally unaware of the legislation and as a result they had to provide them with advice and guidance. This is worrying, particularly considering the Home Office gave a commitment to properly train the magistrates to carry out this role. In one case that has been  reported to my office, the magistrate did not ask to see the application form which set out the  necessity and proportionality justifications, or the DPs approval. The application was approved on the basis of a verbal briefing from the applicant and DP. It is extremely concerning that the paperwork in this case was not examined to check that it had been properly authorised. 

Furthermore, in this case the local authority failed to serve the judicial application / order form on the CSP with the associated Section 22(4) Notice, but the CSP disclosed the data without question. There was no evidence that the acquisition of the data has been lawfully approved in the absence of the judicial application / order form and therefore it is worrying that the CSP disclosed the data in this case. 

I was informed by the Home Office that Her Majesty’s Court Service (HMCS), which falls under the remit of the Ministry of Justice, concluded that it would not be possible to manage the judicial process electronically. This is regrettable and has meant that the judicial part of the process has had to be dealt with manually outside of the fully electronic, auditable application system that is in place at the National Anti-Fraud Network (NAFN). This significantly increases the administrative burden. There is also the possibility of more errors occurring as the communications addresses have to be double keyed. Furthermore I have also been informed by the Home Office that HMCS did not think that it would be possible for the judicial part of the process to be managed by the NAFN  SPoCs attending their local courts in the Tameside and Brighton areas, as it would place too  much burden on those courts. As a result each application gets bounced back and forth between the applicant in the local authority, the SPoC at NAFN, the DP in the local authority and the magistrate in the local court, which increases bureaucracy and time delays. Often the applicant is not best placed to advise the magistrate on the communications data process or the conduct that will be undertaken by the SPoC to acquire the data. In other cases, local authorities have actually reported that the courts have tried to charge them directly for attending the court.The figures that have been shared with my office to date show that no requests have yet been refused by a magistrate. 

Taking into account this evidence I question how much value judicial approvals have added to the process. I have long been a proponent of the SPOC system and this ensures there is a robust safeguard in relation to the acquisition and disclosure of communications data. The Joint Committee conducting the pre-legislative scrutiny of the draft Communications Data Bill concluded that “in the case of local authorities it should be possible for magistrates to cope with the volume of work involved in approving applications for authorisation. But we believe that if our recommendations are accepted and incorporated into the Bill, they will provide a stronger authorisation test than magistrates can. Although approval by magistrates of local authority authorisations is a very recent change in the law, we think that if our recommendations are implemented it will be unnecessary to continue with different arrangements applying only to local authorities.” I concur with this sentiment and am very concerned that there is a serious danger that that the types of crime that cause real harm to the public (such as rogue traders and illegal money lenders) will not be investigated properly due to the difficulties with the judicial approval process.”

So the next time David Davies stands up in Parliament to lament the awful fate of those many victims of crime who are unlikely to receive “justice”, I do hope he admits that on this matter he might just have got it wrong, and that SPoC officers can do a better job than magistrates in ensuring investigators access the evidence they need to convict those who deserve to go down.

Section 9.4 Protection of Freedoms Act 2012 (Judicial Approvals for Local Authority Communications Data Requests)

Image credit:


Wednesday 17 July 2013

The RIPA Hokey-Cokey

“What don’t we want?” 


“What do we need?” 

“A RIPA review to fight RIPA abuse”

As the temperature soars this summer, the usual suspects are making the usual noises about the way law enforcement bodies acquire private communications data. 

On the one hand, something must be done about the current RIPA regime, as the legislation really does need updating to make it more easily cover today’s communications technologies.  Thirteen years is a very long time in terms of technological innovation, and the legislation, passed by Parliament back in 2000, was rather technology specific. 

But on the other hand, there is some disagreement over what should replace it. Parliamentarians who have had the usual briefings will be aware of a range of measures that could be introduced relatively quickly to improve the way the current process operates, without needing to concern themselves too much about re defining the range of categories of communications information that ought to fall within the remit of RIPA.
Many pressure groups are concerned that a revised RIPA will give Parliament the opportunity to extend the range to data types to cover many not currently on the radar. However, such a review might also give Parliamentarians the opportunity to narrow the range of data types that are currently available. A couple of pressure groups just appear want to kill RIPA completely, without offering suggestions as to what ought replace it.

I expect the pleas for further investigations into the rules around accessing private communications will continue, especially since Parliament’s Intelligence and Security Committee has just confirmed that it was unable to find any evidence of rule breaking when reviewing the way GCHQ acted in seeking information from the US Prism programme.

I’m sure that some will have deep suspicions of an establishment cover-up – and will disregard the view that, actually, the Brits involved in such operations do behave frightfully well.

The cynic in me suggests that “issues” like this are just what special interest groups within the privacy community need anyway – as it’s a great way to engage with supporters and fly the flag for personal freedoms, etc. Especially when the foe, aka the Home Office, does not appear to respond to the critics. Anyway, in a crisis, it’s more likely that said supporters will donate much needed campaign funds. So I expect many commentators to call this a “crisis” for some time to come.

But many campaigners do hold genuine concerns about the adequacy of the existing safeguards, and refuse to accept that a lack of disciplinary action by the Surveillance Commissioner and the Information Commissioner and the Interception of Communications Commissioner is purely due to a lack of poor behaviour by law enforcers. 

So, where ought we go from here?

Well, I doubt that a review will really change the opinion of those who have their hearts and minds set against the State needing to access private information for law enforcement purposes. Although relatively few in number, they are capable of creating a significant media splash.

Perhaps the Home Office will counter with more examples of occasions when official access to communications data was both necessary and helpful. Perhaps more opinion formers will publish articles supporting the concept of state intrusion into people’s private lives. Perhaps another wholly unwelcome terrorist spectacular (which could have been prevented had our boys in blue acted faster) will change the public debate. 

Or perhaps new voices will emerge, such as those of the current Interception of Communications Commissioner, engaging more frequently on public platforms to convince the doubters of the robustness of his oversight powers. Perhaps the public need to be assured (if they are that bothered in the first place) by the sound of new players on the scene.

I do hope some new voices will emerge.  

Just as I hope that Parliament will shortly do something rather than do nothing, to address the communications capability “gap” that was evidently so important when the Home Office laid its case for action before Parliament last year.

If there really is a significant gap, then when is it going to be filled?


Image credit:


Monday 15 July 2013

Chasing the pseudonymous data tail

Some chump has come up with a brilliant wheeze to take our minds off the fact that, even after all these years, there is no universally agreeable view on the meaning of “personal data”. When does an item of information become “personal data”, and thus subject to the full rigour of the Data Protection Act? Or the Data Protection Directive? Or, even, the proposed General Data Protection Regulation? For, if it is not “personal data”, then the Act / Directive / Regulation does not apply, and a business can treat it just as it would treat any other type of business information.

The wheeze is brilliant in its simplicity – rather than worry about the definition of “personal data”, let’s create another data category, and commence earnest discussions on what elements of data protection legislation be applied to that, instead. Where the connection with an identified (or identifiable) person is weak or slight, the rules could be relaxed.

So, the high priests of data protection have been convening to determine whether different laws ought to apply to a different type of information. To make this different type as obscure as possible, it’s been given the name “pseudonymous”. Aficionados of data protection adore this sort of stuff – they just love dealing with terms that are hard to pronounce, spell and define.

A recent meeting of said aficionados in Central London considered whether a definition of pseudonymous data should be included in the proposed Regulation. And, if so, what it should include.

It goes without saying that after earnest debate, consensus was there none. Not only is it a difficult concept to grasp, any definition really needs to be considered in the context of the entire instrument – which naturally did not currently exist, nor were betting men prepared to countenance might exist in the foreseeable future.  

I don’t think that anyone was prepared to rubbish the concept of pseudonomisation – after all, anything that makes it easier for an individual to protect their privacy should be welcomed. But do such terms really need to be mentioned in legislation? And if they are mentioned, what incentives are on offer to encourage data controllers to adopt pseudonymous techniques?

The discussion continued. But what should happen when data can be readily depesudonymised? (yawn)

And the questions kept coming. Should it be possible to deny individuals their subject access rights would continue to apply to pseudonymous data? Or apply data portability or the ‘right to be forgotten’ to pseudonymous data? (deeper yawn)

I’m sure that all this stuff needs to be debated, earnestly and with great rigour. But not on a hot sunny day.

Even our chums at the ICO have revised their views on whether to support a definition of pseudonymous data. They were keener on the concept than they are today. Given the difficulties in defining the difference between personal data and pseudonymous data, there’s not a lot of point referring to it in the proposed Regulation. Hurrah. It’s always pleasing to note when the ICO supports a risk-based approach to issues such as these.  

Image credit: