Saturday 31 January 2015

CDs lost in the post (again)

I was interviewed last Thursday evening on Radio 5 Live.  I had been asked to comment on the news that CDs containing information from three sensitive police inquiries, two of which involved‪ highly controversial shootings in London, have gone missing after being sent through the post.

The information covers probes into the role of the police in the deaths of three men – Mark Duggan, Azelle Rodney and Robert Hamill.

Ministry of Justice officials realised the discs had gone missing three weeks ago. A member of staff has since been suspended.

Duggan was shot by police in 2011 while Rodney died in similar circumstances back in 2005. The third case related to the 1997 murder of Hamill by loyalists in Northern Ireland, which his family and campaigners claim involved police collusion.

Each case involved testimony from witnesses, including police officers, who were offered anonymity. It's unclear whether or not copies of the missing documents included the personal information of witnesses.

Preparing for the interview, the only useful background information I could find was contained in a BBC news report. Subsequently I noticed that the Ministry of Justice had released an official statement, providing a little more material – but answering none of the questions that the privacy community really wants to raise.

Were the discs encrypted? If they were, I would have expected the MoJ to have said so by now. Instead, the official statement ominously comments that: “It is essential to take the most precautionary view and to take all necessary steps to safeguard the interests of anyone whose information could be disclosed. Police and other agencies have undertaken their own risk assessment, and have identified and taken any steps necessary to ensure the protection of officers.”

From this, I am assuming that the material was not encrypted. It might have been password protected, but that’s not the same as encryption.

I also asked why it was decided to send such sensitive information by post, given that anyone with even basic security training would be well aware of at least some of the secure file transfer technologies that have been available for many years.

Just what sort of risk assessment took place before the material was sent?

And even if the discs had to be physically delivered, why were they not couriered to the recipient?

My final point was that the cost of a courier was highly unlikely to exceed £180,000, an amount that the ICO has, on two occasions in the past year, fined the Ministry of Justice and the Department of Justice in Northern Ireland for their poor data protection handling practices.

Given the huge array of security policies that Government Departments have in force that make whatever happened indefensible, I struggle to understand why, on this occasion, public officials were not given the right tools to enable them to do their job properly.

Yes, I understand that someone has been suspended over the incident. But is this person just the poor wonk that popped the discs in the post, or is it their manager, who is (quite possibly) much more accountable for the incident, because they failed to ensure that their staff had the tools that were necessary to enable them to do their job?

Lots of questions. The privacy community (and the victims of this deeply troubling incident) are looking forward, with considerable interest, (and no doubt a certain amount of trepidation) to learning the answers.



Friday 30 January 2015

Getting down to the data protection pitfalls of profiling

As forecast in my last blog, the coolest data dudes in town assembled during the evening of Data Protection Day at Live Nation’s incredible offices in Islington for a session on profiling – and the data protection pitfalls.

Is there another building in town that lets its visitors arrive in the basement meeting rooms by way of a slide, rather than the stairs? I kid you not.

Expertly chaired by Live Nation’s international data governance guru Heike Norris, she really set the room at ease with her opening remarks. You know you’re in safe hands when the host’s first words are “OK, has everyone got a drink?”

I had a good look at the audience and was impressed – perhaps only a third were the usual data protection suspects. The others were from companies that didn’t employ specialist privacy professionals – but they were there because profiling formed an extremely important part of their business models, and they were really concerned at what might happen should the regulatory regime turn against them.

It's really refreshing to report that privacy sessions are (at long last) attracting the interest of people who aren't privacy specialists.

But, to business.

The business of profiling.

And it is a very serious business.

A panel of expert speakers comprised Richard Cumberley from Linklaters, Ticketmaster’s expert in marketing and analytics Sophie Crosbie, The Royal Mail’s Stephen McCartney, and Webber Shandwick’s John Mcleod. These are serious movers and shakers.  And a lot of what they had to say met with violent nods of agreement from the audience – which included a considerable smattering of exICO folk who, having done their time in Wilmslow, had now moved south to ply their trade.

The principal points to take away from the main session, and from the private chats after the formal proceedings had ended, were that:
  • In Europe, the concept of privacy has become an absolute right – but by stealth.  This is wrong. There ought to have been a far more open public debate before it was decided that privacy should be conferred the status of a fundamental right.
  • Europe’s Governments generally believe that profiling is wrong – unless it’s Governments that are doing it. And there are increasing signs that Governments want to do even more profiling of their citizens. Not only for national security purposes, but also for a whole range of other purposes which, because they are not “commercial”, are considered “benign”.
  • With respect to current marketing practices, today’s customers demand relevance. They expect organisations to know enough about their customers to send them compelling offers. To that extent, customers know and (mostly) accept the value exchange that currently exists, when personal information is supplied in exchange for “stuff”. 
  • Most marketing companies behave responsibly and use ethical profiling techniques on the datasets that are available to them. However, a small number of companies have gone further, and in ways that customers are uncomfortable with. So there is a need (for them) to explain the information value exchange in clearer terms.
  • Customers aren’t interested in learning about the complicated business models that require so much personal data to be shared. So, if a customer is unwilling to engage sufficiently with a data controller to offer their informed consent to profiling, there will have to continue to be more circumstances where it is in the organisation’s “legitimate interests” to profile them.
  • Customers generally don’t experience privacy – until they lose it. But when customers have lost it, and object to the processing that caused the loss of their privacy, organisations generally don’t delete the information that the customer was uneasy about the organisation knowing about them in the first place. (But they will stop marketing them.)
Live Nation certainly gave everyone who attended a great memory of this year’s Data Protection Day. They’re serious about respecting the rights of their customers – and about getting profiling right. Let’s hope that no new regulatory obstacles are created that have the effect of making it even harder for them to give their customers what they really, really want.


Wednesday 28 January 2015

The 2015 Data Protection Day ditty

The ICO is always trying out new and innovative ways of celebrating Data Protection Day.

This year, the commemorations commenced with a short video from Commissioner Graham, deep in the nerve centre of the ICO’s news office, explaining that throughout the day his staff will be tweeting about many of the exciting initiatives that are underway within (and beyond) his office to improve our information rights.

I be commemorating the day by attending a meeting of top data dudes at a discussion on profiling, organised by our chums at Live Nation in Central London, about which I’ll report later.

Meanwhile, all I have to offer, prompted by the Commissioner’s appearance this morning, is the following ditty:

Chris Graham’s at the presenter’s desk of ICO news
He’s explaining (in very general terms) just how not to abuse
The trust of individuals who have so much to lose
When, from servers, thanks to breaches, their personal info spews

His mighty team of advisers offer a helping hand
Dishing out compliance advice to folk across the land
Listening to complainants and getting them to understand
That despite a heavy workload, their staffing levels won’t expand

Meanwhile, if you listen, rumours spread about a new law
That the Europeans are drafting but of which many Brits guffaw
Is it a "Di-Regulation" along the lines that they forsaw
In which some of the Articles still contain a fatal flaw?

But on this great occasion, our differences fall away
Respect the privacy loonies, let no smirk display
On our faces as we raise our glass and, as one, pray
That we’ll still be in gainful employment come next Data Protection Day


Tuesday 27 January 2015

Security: addressing the insider threat

A smattering of the usual suspects met under the auspices of the Information Assurance Advisory Council in Covent Garden today to consider the last great frontier – dealing with human aspect of information security.  Just how do companies impose workable constraints on the 'Mark 1' human being?

With great difficulty, came the considered reply.

When dealing with remote access to an organisation’s systems, the “new firewall” is identity management. The challenges of identity verification and privilege management are immense. What realistic controls can be placed on staff (and contractors) when the organisation is at the same time, trying to give the impression that it trusts them?

For the public sector, additional challenges are presented given the aggressive pace of the hugely ambitious digital agenda programme, which simply increases vulnerability every day. This is compounded by a culture of zero tolerance for mistakes by ministers and those with a public accountability role. But this leads to decisions on how to react to data breaches being made in ways that detract from possibly more important issues. The public sector is creating vulnerabilities at an exponential rate because of the way it chooses to do business.

There was not a meeting of minds on the best way of addressing the “human factor”. The security professionals stress the need for managers to ever more closely scrutinize the actions of their direct reports. Often, with scant regard for the legitimate privacy rights and aspirations of staff, who are human beings with human rights in their spare time, if not while at work.

There are some encouraging signs, though.

Government security clearances are being administered less frequently by teams of ex-policemen and former spooks, and more frequently by teams of ex-teachers and social workers. This new breed of clearance officer is likely to be more in tune with the people they will be clearing. And they will be more able to assess an applicant in terms of their ability to conform to norms of today’s generation, rather than compliance with the culture of those of previous generations.    

Technical controls are (oh so gradually) being implemented within organisations, meaning that security is being built into electronic systems, rather than being bolted on to them. Yes, there is a huge distance to travel to security nirvana, but we have to be realistic. Staff (usually) want to do their jobs efficiently, and to a high standard. They expect to be given appropriate tools to do the job, and increasingly resent having to rely on “work arounds” simply because the organisation is not capable of living up to the high standards it espouses in its security policies, etc. 

Today’s principal themes were the usual ones: of awareness, management & culture, and leadership.

But the key message was ominous: that staff expect to be loved, looked after, led and managed effectively.

Organisations that can’t manage to live up to these expectations deserve to fall victim to the insider threat. 


Monday 26 January 2015

ICO slams Victims Services Alliance - with a feather

Voluntary organisations face particular challenges in their efforts to respect data protection laws. 

Often, a dedicated core of professional staff will work with teams of volunteers, many of whom may cease volunteering after a few months, realising that it’s just not for them. Other volunteers remain with the organisation for years – and can feel a far greater sense of affinity with its aims and objectives than do some of its staff. Many volunteers process considerable amounts of sensitive personal information about clients. But, information governance controls can be extremely hard to implement at the local level.

How can the professional staff within such organisations engage with these different types of volunteers and get them to follow good data handling practices?  With some difficulty, according to a recent ICO report.

A quick glace at the ICO’s website enables the casual reader to appreciate that a report has just been published about the data handling practices of a number of charities and voluntary groups that work with either victims of crime or people that are associated with victims of crime.

Evidently, “many organisations” are meeting the difficult challenges that are faced. However, there are still a number of areas where they could be doing “more to keep people’s information secure.” These are “important areas that need addressing.”

What then follows is a list of three areas of best practice and three areas where improvements are required in a number of priority areas. The areas of best practice are described in 61 words. The areas where improvements are required are described in 100 words.

So, no real cause for concern, then.

Or is there?

Because when the committed reader reads the actual report, a slightly different story emerges.

If all were well and good, I might expect the actual report to spend about twice as long referring to the areas for improvement than it does on the areas of good practice. That’s what I’ve been led to assume, after reading the blurb.

Alas, this is not the case.

The areas of good practice can described on a single page.

But it takes 12 pages to set out the areas for improvement, which should be considered as a priority for all VSA organisations.  

The ICO is keen to spell out what is going wrong, but not in a manner that draws too much attention to the casual reader (i.e. the reader that doesn’t read the actual report).

I only hope its message – when expressed directly (and possibly privately) to the VSA organisations - is a lot clearer than the general statement on the website. The public message doesn’t draw sufficient attention to the serious issues that do need to be addressed.