Thursday 22 August 2013

And the next person to leave the ICO is ...

The Information Commissioner's Office has just published an extremely interesting document showing that it could be having a record year. A record year in terms of staff turnover, that is.  A paper prepared for last month’s meeting of the ICO’s Management Board suggested that the current trend, based on the first quarter’s figures, was for 19% of staff to leave the organisation by the end of the current financial year. 

Given that the 2012-13 actual staff turnover was just 7.7%, should this be of much concern? 

Hopefully, the staff turnover stats for the first quarter of the current year (4.7%) were just an aberration. And there are plenty of people left – the ICO does have a staff of some 395 (or 363.6 when you count them in terms of full time equivalents). Staff levels do not appear to be reducing.

Perhaps there are good reasons for such a high turnover rate in such a fine organisation. It’s not as a result of much internal disciplinary action. The ICO has only conducted 7 discipline, dignity at work and grievance cases since April 2012. It’s obviously a nice place to work, and packed with people who are nice to each other. It’s also quite a healthy environment. Only 5.46 days a year are lost to sickness, compared with the civil service average of 8 days a year. 

Perhaps more data controllers are realising that they need people who have some hands-on experience of this data protection stuff, and because practitioners are quite thin on the ground, they want people with intimate knowledge of what it is that regulators are really concerned about, so that they can fix those areas of their businesses, first.

Perhaps the local economy is picking up, and some of “Wilmslow’s finest” are being tempted away by employers who can offer better packages than the ICO can. It can’t be pleasant commuting to such an exclusive area, past estate agents and car showrooms that advertise homes and vehicles so far beyond the price range of the average ICO employee. 

But people do still want to work at the ICO. Some 213 applicants responded to some 25 recruitment campaigns, and 55 interviews were held during the first quarter. 

Perhaps part of the answer is the changing nature of the ICO’s work. Fewer staff are required to help organisations register their details and pay their fees, and people with different skills are required in the policy, audit and enforcement teams.

So, a possible (but, presumably, unlikely) 19% staff turnover rate need not be a cause for undue concern for those of us who are interested in what emerges from the ICO. Essential posts can still be filled when the incumbent leaves. And if Parliament wishes to question the effectiveness of the organisation, it needs to ask itself whether it allocated sufficient resources to the ICO in the first place.

After all, the revamped financial regulator, the Financial Conduct Authority, has apparently increased its funding requirements by 15% to £432.1 million, following the disbanding of the Financial Services Authority earlier this year.

If it costs that much to regulate the UK’s financial services industry, is it really the case that the ICO can properly regulate all 372,369 organisations who have registered as data controllers, and also supervise the FOI landscape, on a budget of just £20 million? That’s less than one twentieth (4.6%) of the FCA’s budget.

Answers to the usual address, please.




Wednesday 21 August 2013

Wanted: A new face at the Home Office’s comms data team

If you thought the Government wasn’t interested in updating its ability to use communications data to fight terrorism and serious crime, think again. Although there’s no sign of a publication date for a revised Communications Data Bill, the Home Office is currently advertising for a senior bod to help run its Communications Capabilities Development Programme. They’re even prepared to pay the lucky person up to £117,800. So, the successful applicant had better be good.

What’s the role? 

Well, reporting to the Programme Director, someone is needed: “to provide leadership of the business change and associated training aspects of the CCD programme, working in partnership with a wide range of stakeholders including all UK Police forces and the College of Policing.”  They must have: “credibility to effectively represent the views of a complex and diverse stakeholder community and operate in an environment where there have been complex partnerships, with competing and sometimes conflicting priorities.”

The job spec comments that: “this is a challenging role given the complexity of the environment, ongoing changes in telecommunications technologies and services, and changes in policing.” I’m surprised the job spec didn’t also refer to the challenges faced by the current political environment, where politicians are keen to be seen to be supporting the law enforcement community, but not at the expense of removing any fundamental rights from citizens.  

Whoever takes on this task will have to be a master of many skills. They’ll be responsible for:

• Leading the business change and associated training aspects of the CCD programme nationally.

• The development of the business change capability within the CCD Programme and across the stakeholder community, including all UK Police forces and the College of Policing.

• Providing operational community subject matter expertise.

• Ensuring collaboration and communication across the CCD Programme themes in business change.

• Directing CCD stakeholder engagement strategies and engaging with stakeholder community strategic leads at Board level.

• Ensuring decisions are approved via the appropriate governance processes.

• At Board level, actively manage the stakeholders through transition, generating confidence and ‘buy-in’ from those involved, ensuring the capability is embedded and benefits are realised.

• Leading a diverse team of seconded police officers and civil servants deployed across the UK delivering organisational design, business change and associated sustainment on behalf of the Programme.

• Exercising strong governance and risk management, setting a clear vision and strategic direction.

• Accountable for the budget spend on all business change activities delivered through the CCD Programme.

• Ensuring Programme benefits are delivered within the stakeholder community and monitored.

Note all the references to the “stakeholder community”. But who comprises this community? Is it the law enforcement community, together with the communication and internet service providers whose communications records play such a vital role in the process? Or does it also include politicians, journalists, representatives of civil society, other opinion formers and those oiks like you and me, whose communications records also play a vital role in the process? Don’t ask me. I’m not sure. 

Feeling excited about this great opportunity?

Feel the need to lead?

If you’ve got what it takes, then you had better contact the Home Office quickly.  The closing date is 27 August (just after the forthcoming bank holiday).



Tuesday 20 August 2013

The joy of annual CCTV reviews

It’s reassuring to realise that as the UK has an awful lot of CCTV systems, we have a range of Commissioners who are tasked with regulating aspects of them.

It’s less reassuring to realise that these Commissioners have slightly different powers, and overlapping jurisdictions. If you need any enforcement done, then the ICO’s your man. If, however, you’re after a current list of approved standards which may apply to the system functionality, the installation and the operation and maintenance of a surveillance camera system, then the Surveillance Camera Commissioner will show you his list. He can also provide guidance on the bodies that are able to accredit performance against such standards. And the Chief Surveillance Commissioner is always available to advise if the CCTV systems get anywhere near the domain of covert surveillance.

Got it?

And each CCTV system is supposed to be reviewed each year.

Principle 10 of the recently published Surveillance Camera Code of Practice requires that “There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.” 

The Code goes on to explain that: "Good practice dictates that a system operator should review the continued use of a surveillance camera system on a regular basis, at least annually, to ensure it remains necessary, proportionate and effective in meeting its stated purpose for deployment." [4.10.1]

The code also explains that: "A system operator should make a summary of such a review available publicly as part of the transparency and accountability for the use and consequences of its operation." [4.10.4]

Aficionados of the odd FOI request will be delighted to think that there is yet another reason they will be able to flood public authorities with a tsunami of requests, giving public officials lots more work to do. Just how they will be able to meet their obligations, in the face of heroic budget cuts, is not a matter for discussion today.

The British Security Industry Association estimates that there are between 4 million and 5.9 million cameras in the UK today, and only 1 in 70 of them are controlled by local government.

So, will there be many annual reviews carried out on the vast majority of cameras, which are actually controlled by the private sector?

To be honest, I doubt it. Even though the ICO’s own CCTV Code also recommends annual reviews (and has done so for a very long time).

If responsible private sector data controllers did want to carry out an annual review and needed help in knowing what it was they were supposed to be reviewing, help is at hand. Not only from yours truly, but also from the ICO, who has helpfully prepared an annual check list for smaller data controllers. Thankfully, this check list isn’t one of those awfully complicated documents that take forever to complete. It’s very simple, actually.

I would offer a prize to the first reader who tells me where the check list can be found on the ICO’s website. But I can’t, as all my spare bottles of scotch  prizes have recently been offered to my chums at RBS.

If I were you, I would get reviewing. You never know when the ICO might come along to check whether anyone has done their annual CCTV homework.




Sunday 18 August 2013

A note of correction – and apologies to the Royal Bank of Scotland

I made a silly mistake when posting a blog entry recently, and accordingly offer an unreserved apology to all my chums at the Royal Bank of Scotland.

What happened?

Well, I was so taken with the story that the ICO had fined the Bank of Scotland  £75,000 for continually faxing various documents to two wrong numbers that I blogged about it. Nothing wrong with the text. But there was something wrong with the accompanying image – which was of the logo of the Royal Bank of Scotland, rather than the Bank of Scotland.  Oops. My lack of knowledge of the Scottish banking scene shines through. I ought to have known that there was a Bank of Scotland, as well as a Royal Bank of Scotland.  But if I did, in the heat of the moment in searching for an appropriate image, I forgot.  A more appropriate image (the logo of the Bank of Scotland) accompanies that blog posting, now.

My mistake came at a useful time - if any time can be considered “useful”, that is. I recently had lunch with a chum who had experienced the age-old problem of an inappropriate email having been sent to the wrong address. No harm was done, and the incident was quickly contained. The recipient destroyed their copy without forwarding it to anyone else. The sender was just glad that no incriminating photos accompanied the informal “how nice it was to meet you last night” note. My chum was extremely embarrassed about the incident – but we agreed that it did serve as a reminder about how careful we need to be when communicating anything, these days. It’s so easy to hit the “send” button without checking absolutely everything. Even now I cringe as I remember some of the typos that were not spotted and still exist in documents I’m associated with that are now in the public domain. Fortunately, most of these documents are evidently so boring that few people have noticed the typos. Or if they have, they have (mostly) been too busy to tell me.

I’m glad that, in this case, my chums at RBS got in touch to tell me about my howler, so that I could correct it. It would have been equally nice if someone at the Bank of Scotland had pointed out that I had used someone else’s logo in relation to “their” story – but never mind. We all do the best we can. We all make mistakes, too – but hopefully we can cheerfully correct those that are notified to us, and hope that no offence is taken by our lack of diligence.

One of the first times I can remember the names of institutions getting mixed up was during the wonderful “Children’s Matinee at the Coliseum” scene in the 1979 movie Life of Brian. Devotees of the film will remember the following exchange taking place:

Brian: Are you the Judean People's Front?

Reg: F*** off!

Brian: What?

Reg: Judean People's Front! We're The People's Front of Judea! Judean People's Front, God!

Rogers: Blighters...

Brian: Can I...join your group?

Reg: No, piss off!

Brian: I didn't want to sell this stuff, it's only a job! I hate the Romans as much as anybody!

All in PFJ except Brian: Ssch! Ssch! Ssch! Ssch! Ssch!

Brian: Oh.

Judith: Are you sure?

Brian: Oh, dead sure. I hate the Romans already.

Reg: Listen! If you wanted to join the PFJ, you'd have to have really hate the Romans.

Brian: I do!

Reg: Oh, yeah, how much?

Brian: A lot!

Reg: Right, you're in. Listen, the only people we hate more than the Romans, are the f****** Judean People's Front.

All in PFJ except Brian: Yeah!

Judith: Splitters!

Rogers: And the Judean Popular People's Front!

All in PFJ except Brian: Yeah! Splitters!

Loretta: And the People's Front of Judea!

All in PFJ except Brian: Yeah! Splitters!

Reg: What?

Loretta: The People's Front of Judea. Splitters!

Reg: We are the People's Front of Judea!

Loretta: Oh. I thought we were the Popular Front.

Reg: People's Front! God...

Rogers: Whatever happened to the Popular Front, Reg?

Reg: He's over there.

All in PFJ except Brian: Splitter!

The movie script for Monty Python’s Life of Brian can be found at


Friday 9 August 2013

“Wilmslow, we have a problem” (Britain's latest big data breach)

Telephone intercepts can sometimes end up in the wrong hands. And, occasionally, technical difficulties mean that only one side of the conversation is intercepted. 

What might have happened if an intercepted conversation like this had been made public by Wikileaks, or some other group that leaks official secrets to the public at large?

Hi, is that the ICO’s Breach Notification Department? It’s Maud at the Serious Fraud Office. We’ve had a bit of an incident over here, and our interim Data Protection Officer thought you might want to know. It’s all a bit hush hush – so you mustn’t tell anyone else about it.

What? Dunno how it happened. Probably some kid on work experience got carried away with the address labelling machine in the post room, and stuck the wrong address labels on some boxes.

How many boxes did you say? Dunno. Enough to hold about 32,000 pages of documents, 81 audio tapes and a load of computer files.

When did it happen, did you say? Dunno. Probably last year between May and October.  We realised that something was wrong about 3 months ago, and we think we’ve recovered about 98% of the material.   So we’re only short of about 1,600 documents, a couple of audio tapes and a handful of computer files.

What were they about, did you say? Dunno – I haven’t read any of them. They came from that team that carried out a 6 year investigation into allegations that British Aerospace had paid bribes around the world to secure lucrative arms contracts. You know, the one that ended with BAE paying out almost £300 million in penalties. Yes, that was the one.

Who were they mistakenly sent to? I can’t tell you that. That’s against data protection.  These recipients have got rights, you know.

Whattdya mean we’ve got to fill in a breach notification form and you’re going to start an investigation? We’re the ones that do the investigating around here.

Civil Monetary Penalties? Are you mad? Do you think we’re seriously gonna cough up simply because some prat stuck the wrong labels on some bloody boxes? Don’t you know how many boxes there are, lying around our post room? We deserve medals for making sure incidents like this don’t happen every week.   It’s not that serious, you know. Nowhere near as serious as most of the crimes we’re trying to investigate.

Well, if you’re going to take that attitude, then there will be a problem. All I was told to do was give you a quick call on the sly so you’ve clocked that we’ve ticked the “no publicity” box for this incident. Stuff like this is embarrassing. So keep it quiet, ok?

Whattdya mean it’s all over the papers today?


In that case, the SFO will revert to plan B. We’ve given you an oral report of the incident. So what if it's 3 months late.  If you want one in writing it’ll take us another 3 months – and by the time you guys have had satisfactory answers to every point you raise it’ll be well into autumn 2014. By that time, hopefully some other poor sod will have reported an even more newsworthy data breach, and the heat will be off us. Oh, and our interim Data Protection Officer tells me we’re fast running out of money, so there’s no hope of you slapping a huge fine on us for our sloppy data handling standards. We’ve stopped school kids from getting work experience in the post room, and that’s all that can be done right now.  They’ve been reassigned to the typing pool, instead.

Oh, and don’t go around in public mouthing off about us or telling everyone that you’re investigating us. There must be a law against that, somewhere.

Section 59 of the Data Protection Act prevents the Information Commissioner or his staff from revealing what enforcement action they intend to take, until it has been taken (unless the news is already in the public domain). So we can only dream about what may happen.


Thursday 8 August 2013

25 more data protection movers and shakers

No sooner was yesterday’s list of the top 15 data protection movers and shakers published than my inbox started to receive a host of counter suggestions. Yes, there are many more people who deserve to be recognised as having reached the pinnacle of the UK’s data protection establishment. 

Accordingly, I’ve prepared a second list of other popular nominations. The lucky nominees are, (mostly) in alphabetical order:

(1) Richard Allan, he of Facebook fame

(2) Emma Ascroft, Yahoo!’s European public policy director

(3) Heather Bignell-Blye at the Post Office

(4) Ruth Boardman of Bird & Bird

(5) Phil Booth, of the No2ID and mediconfidential campaign groups

(6) Ian Brown of the Oxford Internet Institute

(7) Hugo Brown, whose new DP employment service could keep many of us in gainful employment for years to come

(8) Virginia Chinda-Coutts of RSA

(9) Richard Cumbley of Linklaters

(10) Stephen Deadman, Vodafone’s privacy chief

(11) Dave Evans, formerly ICO cookie captain, now at Swiss Re

(12) Nick Graham, data supremo at Dentons

(13) Gus Hosein of Privacy International

(14) Julian Huppert MP, currently leading Lib Dem thinking on privacy

(15) Rosemary Jay, currently at Hunton & Williams, author of a best seller on data protection law

(16) Jim Killock, of the Open Rights Group

(17) Mita Mitra,  BT’s data protection thought leader

(18) Nicola McKilligan at Thomson Reuters

(19) Christopher Millard, Professor of Privacy and Information Law at Queen Mary College

(20) Neil Patterson of Tesco

(21) Chris Pounder of Amberhawk Training, and an occasional FOI requester. Surely the tallest data protection professional in the UK

(22) Suzanne Rodway of the Royal Bank of Scotland

(23) Richard Thomas, former Information Commissioner & the people’s choice for the next data protection peer

(24) Ian Walden, Professor of Communications at Queen Mary College

And finally, surely no list could be complete without a special mention being given to

(25) Stewart Dresner of Privacy Laws & Business, event organiser extraordinaire

Individuals wishing to have their names removed from this list are welcome to contact me, as well as those who feel they also deserve to be included - or at least be invited to the gala awards dinner.


Wednesday 7 August 2013

The UK's top 15 data protection movers and shakers

Last night’s meeting of the Crouch End Chapter of the Institute for Data Protection went on for some time. But, as members staggered out of the pub, they were clutching a document that, for once, everyone could agree on. It contained a list of the top 15 movers and shakers of the UK's data protection establishment.

These individuals will now be scrutinised by an executive committee before a shorter list is announced in the autumn. The committee will be empowered to make additional recommendations, if Google searches of the current nominees reveal too much of a chequered past. 

The ultimate mover and shaker, if a single name eventually emerges from this process, will have the honour of adding this prestigious accolade to their Linkedin profile, and the embarrassment of knowing that everyone else will be comparing their achievements to others who, in their view, have achieved more than our illustrious winner.

So, in (mostly) alphabetical order, the top 15 movers and shakers are:

(1)  Bojana Bellamy, shortly to become President of the Centre for Information Policy Leadership at Hunton & Williams, who will always grace a reputable conference platform.

(2)  Robert Bond, Speechly Bircham, for his pioneering work about how children use the internet.

(3)  John Bowman, our man from the Ministry of Justice, determined to persuade his EU chums of the importance of focussing on outcomes, rather than processes.

(4)  Hazel Grant, Bristows, whose steady hand guides government bodies, global IT service providers and national charities.

(5)  Stephen McCartney, always trying so hard to keep Google in the ICO’s good books.

(6)  Nick Pickles, Director of BigBrotherWatch, who can always be relied upon to release a pithy press statement that queries some aspect of the surveillance state.

(7)  Tim Pitt-Payne QC, frequently seen at the Information Rights Tribunal either supporting or opposing whatever the ICO has recently decided. Based at 11 Kings Bench Walk.

(8)  Anya Proops, barrister, often appearing at the Information Rights Tribunal arguing against Tim Pitt-Payne, so either opposing or supporting whatever the ICO has recently decided. Spookily, also based at 11 Kings Bench Walk.

(9)  Stewart Room, FFW, mostly in the thick of it, advising clients whose data handling standards have come to the attention of the folk in Wilmslow.

(10)  Melanie Shillito, Promontory, one of the powerhouses behind the Data Protection Forum.

(11)  Eduardo Ustaran, FFW, often quoted in IAPP publications.

(12)  Pat Walshe, GSMA privacy globetrotter, preaching good data protection standards to anyone who will listen.

(13)  Mark Watts, Bristows, aching to defend his clients against any unfair whims of the regulator.

And, of course:
(14)  Christopher Graham and (15)  David Smith, also known as the 'Ant & Dec of the ICO.' These cheeky chappies will continue to appear at conference venues near you, amusing and delighting audiences with their insights about what’s really going on in the world of data protection.

Regular readers are welcome to nominate other outstanding individuals  by writing to me at the usual address. I'll pass them to the executive committee for further scrutiny.