Thursday 13 March 2014

Messages from Manchester

Those with a keen pair of ears at last week’s Data Practitioner Conference in Manchester (3 March) would have detected a subtle shift of emphasis in the ICO's enforcement policy. It was a shame that traffic - or business commitments - had prevented some 50 or so delegates from taking their allotted seats in the main conference hall. Yes, they had also prevented some 50 or so others from the opportunity of attending. But, the ICO knows who the miscreants are, and I'm assured that their names will prominently feature on the mailshots that the ICO's audit team will be sending to prospects who may benefit from an ICO advisory visit.

Even a cursory glance at the delegates indicated that ICO data protection practitioner conferences have been radically transformed since Christopher Graham held his first event at the Lowry Hotel in December 2009. And who remembers attending Richard Thomas's conference on Privacy by Design at the same venue the previous year?

Gone (mostly) is the cohort of what the mighty Eduardo Ustaran has politely termed: "an elite of nerdy specialists". In their wake, a new class of compliance professional has emerged. A class of professional who appears less interested in discussing philosophical issues around various theories of privacy.

Perhaps we now have a more submissive class of privacy professional, a class more willing to be told what good practice is, rather than a class seeking to become intimately involved in designing these practices. Perhaps this is also due to hugely increased burdens of work within the office environment, which prevents so many data protection officers from physically having sufficient time to become more engaged in strategic policy work.

The main message of the day was that responsible organisations should focus on the needs of the customer, and on achieving good privacy outcomes, rather than focusing on compliance with the strict letter of the law. Good practice mattered more than strict compliance with legal requirements. This was not a day for the legal purists.

The second message of the day was that the ICO was not afraid of taking on the public sector, and that accountability for information governance failures would be placed firmly at the door of the political leadership at local government level, rather than at the level of the engine room. If statutory responsibilities were being ignored, resulting in potential harm to individuals, then it should be the officials who took the political decisions to refuse to allocate sufficient resources that should be held accountable.

This message placated a few public servants, but then late in the afternoon David Smith reaffirmed his view that, in light of the personal data breaches that had been reported to the ICO, data handling standards in the public sector were not equivalent to the standards that generally prevailed in the private sector.

That certainly gave many of the delegates something to think about as they returned to their homes.



Saturday 1 March 2014

Tweaking surveillance laws won’t necessarily lead to many changes


I’ve just declined an invite to attend a keynote speech on surveillance that Yvette Cooper, the Shadow Home Secretary, will be delivering on Monday in Central London. Instead I’ll be with some 700 chums at the Information Commissioner’s Data Protection Practitioner Conference in Manchester.

Evidently, Yvette Cooper’s speech will outline the challenges of navigating a new digital world and the implications for security and privacy.  She will be discussing the role of the police and security and intelligence agencies, as well as the safeguards needed to protect our privacy and liberty.

In the light of recent revelations about the way GCHQ has been collecting images taken from Yahoo! webcam conversations, including very considerable volumes of sexually explicit images of the users, I do hope that Yvette gives some thought as to how such activities should be regulated in future.

I also hope that Yvette makes the point that law reform may not be a necessary or sufficient means of more appropriately regulating such activities. Whatever the law is (or is to become), it will in any event be deliberately drafted in a flexible manner, to cater for future contingencies.  

It is not the law that is necessarily the “problem”.

The “problem” lies in the oversight.

Even though what GCHQ may have been doing was “lawful”, the really critical point is that the activity was (or would have been) known to the appropriate oversight bodies, and such techniques would have been carefully discussed and formally approved.

Let me go one step further.

I find it incredibly hard to contemplate sensitive and intrusive techniques, such as the Optic Nerve technique, being considered and approved just at an operational level. They would also have been carefully considered and approved at a very senior political level.  

The “problem” lies in the political oversight.

So, we should not blame RIPA or other surveillance laws - or just the spooks - for developing sensitive and intrusive techniques. We should place the accountability (if there is to be any accountability) firmly at the doors of those who took the political decision to authorise the deployment of the techniques. Parliament would not have known. But a small group of very senior politicians would. In a decade’s experience of working under both Labour and Coalition Governments, I never saw a difference of view between senior Labour or Coalition ministers when political approval for any intrusive sensitive techniques that I might ever have been made aware of was sought.

This is why I’m looking forward to hearing comments from former Home and Foreign Secretaries such as Margaret Beckett, David Blunkett, Charles Clarke, Alan Johnson, David Miliband, John Reid, Jacqui Smith, & Jack Straw about what changes to Britain’s surveillance laws are appropriate. Oh, and also from the current incumbents, Theresa May and William Hague.

Now, what might actually happen if surveillance laws were to be changed?

Probably, not a lot.

And this is because the really sensitive decisions will still be made by senior Ministers, on the basis of evidence that is presented to them which is sufficiently persuasive of the need to approve whatever is being asked of them.

To think that we Brits might face a less intensive level of surveillance simply because the surveillance laws had been changed is an interesting concept, but perhaps a misguided one.

Given the operational control they have over what does go on, until a small group of senior Ministers change their behaviours (and their attitudes) towards surveillance, no amount of tweaking with the surveillance laws is likely to result in significant change.