Sunday 29 March 2015

When should employers be told about information provided in confidence to doctors?

The awful events of last week have generated a considerable amount of comment about the extent to which an employer is, or ought to be, aware of the mental health of key employees.

Does data protection legislation prevent the disclosure of critical information which, if withheld from an employer, would permit the employee to carry out acts that potentially have heinous consequences?

In the UK, certainly not. Data controllers can always protect the vital interests of other people in cases where it would be unreasonable to expect the data subject to consent to the disclosure of sensitive personal data, or when the consent of a data subject has been unreasonably withheld.

The debate ought to focus less on any perceived failings of data protection legislation and more on the obligations of confidence that doctors (and others) have with those who are being counseled.

This is why I’m looking forward to contributions to this debate from members of the BMA’s Medical Ethics Committee. The Committee debates ethical issues on the relationship between the medical profession, the public and the state. It also liaises with the General Medical Council on all matters of ethics affecting medical practice. Other members of the BMA's secretariat produce detailed guidance and discussion papers on a wide range of medico-ethical issues, and offer individual ethical advice to BMA members over the phone or by email.

The BMA's confidentiality and disclosure of health information tool kit is a great start for those who are keen to understand the current guidelines. On the issue of disclosing medical data in the public interest, for example, it says: “Health professionals should be aware that they risk criticism, and even legal liability, if they fail to take action to avoid serious harm. Advisory bodies, such as the BMA, cannot tell health professionals whether or not to disclose information in a particular case, but can provide general guidance about the categories of cases in which decisions to disclose may be justifiable (see below). Guidance should be sought from their Caldicott guardian, professional body or defence body where there is any doubt as to whether disclosure should take place in the public interest.”
I’m looking forward to more specific guidance from the BMA, in light of recent events. Many patients are unlikely to be fully forthcoming to medical professionals if they feel that the effect of their most candid confessions would be to curtail the careers they have fought so hard to forge.
Somehow, the BMA is going to have to reassure the public that the confidentiality obligations which currently exist between doctor and patient are sufficiently strong to encourage patients to continue to open their souls to their doctors. At the same time, doctors may well need additional assurance that they will not be held legally liable when it is necessary to disclose information that really ought to be made more widely available.



Friday 20 March 2015

Stratospheric salaries for superstar DPOs

The noise around the GDPR is currently having one remarkable effect.

Fears about the complexity of the final version of the text, together with concerns about the impact of ridiculously high fines on businesses that transgress, are rippling through the DP job market.

Today, if you know where to look (in London), you can apply for a part-time privacy officer role for an annual (pro-rated) salary of £70,000 – or if you fancy a full-time job, one organisation is currently prepared to pay up to £150,000 for the right candidate.

Let’s put that in context. £150,000 is more than the Prime Minister’s salary. And, yes, more than the Information Commissioner’s salary. Even £70,000 is much, much more than the salaries of the overwhelming majority of the staff at the ICO.

I’m really not sure if it was intended by the drafters of the upcoming GDPR that the salaries of those who were expected to implement it were likely to be so much greater than the salaries of those who were expected to regulate it.

But that is the consequence of what is happening.

And the more complicated this thing gets, and the more noise that is generated about the new “rights” that citizens are going to have with regard to their own personal data, the more the DPO salaries are likely to rise.

Responsible controllers – and certainly those in the heavily regulated sectors – will continue to suck up the brightest talent, and will be obliged to offer salaries that, thanks to the current scarcity of experienced data protection practitioners, will compare very favourably with other trades.

Is this really what we want?

As a consultant or an employee, probably yes.

As a business owner, probably not.

As a regulator – well, at least it ensures that the ICO will continue to act as a training academy for those that want to hone their data protection skills before they transfer to the private sector.

Experienced DPOs interested in changing jobs may want to contact me (very discreetly) to learn more about the roles I’ve referred to in this blog.


Monday 16 March 2015

IOCC frustrates the militant privacy campaigners

Bad news for the militant wing of the privacy lobby who want to believe that the Interception of Communications Commissioner is simply an establishment patsy, an apologist for anything and everything a spook or law enforcement agency wants to get away with.

Sir Anthony May’s latest annual report lays out more evidence of the independent and impartial approach that he and his inspectors take on the thorny question as to what ethical policing means in practice.

Time and time again, the report points not only to areas that require remediation, but it also highlights issues where progress has been made, thanks to recommendations made following earlier inspections.

The militants particularly won't like the next 3 paragraphs, which have been lifted from the report, but I make no apology for reproducing them here:

"My inspectors identified that communications data was frequently relied on to provide both inculpatory and exculpatory evidence. The communications data acquired revealed suspects’ movements and tied them to crime scenes. It often led to other key evidence being identified or retrieved. Links to previously unidentified offenders and offences were revealed. Dangerous offenders were located and offences were disrupted with the assistance of communications data. Patterns of communication provided evidence of conspiracy between suspects. The data highlighted inconsistencies in accounts given by suspects and corroborated the testimony of victims. The data determined the last known whereabouts of victims and persons they had been in contact with. Similarly, communications data assisted to eliminate key suspects or highlighted inconsistencies in accounts given by victims. [7.65]

In a couple of the operations examined the inspectors concluded that there were potentially gaps in the acquisition process where the investigation teams had not identified the full range of data necessary to achieve the objective. This failure to identify relevant data may adversely impact on the ability to, for example, corroborate the account given by a witness, corroborate the testimony and / or determine the last known whereabouts of a victim or properly determine the role of a suspect in a crime or indicate their innocence. This may present the acquisition process as arbitrary and serious implications could result. This is an area in which it is important for the SPOCs to engage with the applicants to develop strategies to ensure that the appropriate data is sought to fully achieve the investigative objective. [7.66]

In the operations where large elements of the offences, if not all the offences, took place within a ‘virtual world’ e.g. some of the fraud and sexual offences, the requirement for communications data was ever more apparent. It was also apparent from these operations that as technologies have developed police forces and law enforcement agencies have increasingly looked at a wider range of technologies to investigate offences. The inspectors noted that in relation to the investigation of serious and organised criminals, the increasing tactical awareness of criminals means that a larger amount of data, on a potentially wider range of devices and individuals, has to be acquired to meet operational objectives which may have been more simply achieved in previous years. [7.67]"

The report also criticizes institutions that have ignored past recommendations: 

"Last year I made the point that the numerous policy documents governing the interception of prisoners’ communications were fragmented, overlapping and contradictory in places and that this made it difficult for the prisons themselves to understand the requirements fully and for our inspectors to conduct the oversight. I am disappointed that there has not been any progress on these matters. I reiterate that NOMS must get to grips with these issues and put in place clear and defined policy and risk assessment documents for the interception of prisoners’ communications. Our experience shows that the prisons are trying extremely hard to comply with the various policies in this area, but they are in need of clear direction and better quality policy." [p.87]

Interestingly, while SPOCs in general are highly thought of, the report focuses its criticism on some Professional Standards departments (the teams that investigate investigators), where poor practices prevail:

"The inquiry found that an excessively high number of the applications submitted by Professional Standards departments were completed to a poor standard and did not adequately justify the necessity and proportionality justifications. In a number of applications the criminal allegation or the criminal offences suspected were not set out or there was no description as to how they were linked to, and aggravated by, the officer’s misuse of a position in public office. The applications often relied upon vague and dubious descriptions under the ‘umbrella’ of misconduct in public office and my inspectors were not satisfied that the high threshold for the offence of misconduct in public office had been met. There did not appear to be any intention for some of the matters to be subject of a prosecution within a criminal court. Turning to proportionality, lengthy periods of traffic or service use data were often sought without sufficient justification and it was not clear whether other lines of inquiry had been considered and if so why they had not been pursued. For example, a number of the applications concerned investigations into officers forming inappropriate relationships with victims of crime. Whilst in some cases the circumstances may justify that it is reasonable to suspect serious inappropriate activity was taking place, for example, the formation of sexual relationships with vulnerable victims; some of the applications examined detailed fairly minor transgressions and did not identify whether serious wrongdoing was suspected, or failed to give convincing reasons to suspect that serious wrongdoing was occurring. In these applications it was also not apparent why other action, such as intervention by the officer’s supervisors or misconduct interviews were not considered, or if they had been why they were not deemed appropriate.
In such cases my inspectors’ concern was exacerbated where there appeared to be little resolve to subsequently pursue a prosecution when evidence was acquired which supported the initial premise of the application." [7.81]

Strong stuff.

However, these criticisms should be read in their context. They should not detract from the Commissioner’s conclusion that, overall, "my office’s inquiries did not find significant institutional overuse of communications data powers by police forces and law enforcement agencies. … However, my office did find that a proportion of the applications did not adequately deal with the question of necessity or proportionality and we found some examples where the powers had been used improperly or where they had been used unnecessarily. Overall the operational reviews showed that the communications data that was acquired was necessary and proportionate to the matter under investigation." [7.94]

So, we won’t be hearing much from the militant wing of the privacy lobby about this report because, frankly, there’s not much for them to complain about.

The more independently minded privacy advocates will probably take some comfort from the report – both in learning how RIPA (and DRIPA) actually work in practice, and in realising what a world-leading supervisory system the UK actually has.



Thursday 12 March 2015

Ethical policing on the internet

The law enforcement community’s response to the question of how the internet should be policed continues to raise a number of significant questions. And it’s leaving some representatives from academia and civil society in a bit of a bind.

Paul Bernal’s recent blog on a meeting organised by the Association of Chief Police Officers on this issue touched on some of these questions. The feedback he’s received is quite revealing.

One respondent was unhappy that various stakeholders had agreed to meet ACPO in the first place. They commented that “real debate between those who disagree on the deepest philosophical and ‘legal’ in the broadest sense matters, is hardly likely to take place at an event organised by (and ultimately for) law enforcement/the state.”

I don’t agree.

It’s important for all responsible stakeholders to feel that their voices can be heard in a debate where everyone accepts that what is required is policing by consent. At issue is what everyone (or almost everyone) is capable of consenting to.

With new legislation focusing on how communications data should be retained and used for law enforcement purposes on the horizon, it’s essential that the Home Office and other interested parties consult as widely as is practicable in order that, when the proposals are presented to Parliament, politicians won’t need to criticize the measures on the grounds that insufficient consultation has taken place.

The dilemma for the representatives from academia and civil society is that, by becoming more aware of the practical problems facing the law enforcement community, they may feel encouraged to support pragmatic proposals that many people would shy away from. So do they risk being ostracized by their more radically-minded colleagues, whose views on issues related to communications data retention are not formed from any significant experience of the distress felt by victims of serious crime, and who care less about the techniques used to deliver justice to serious criminals?

Academics and civil society campaigners that want to be reminded of the perils of being associated with a “bad” initiative only need think back to the manner in which Simon Davies from Privacy International was pilloried by some of his contemporaries when his independent research found that, actually, the Phorm initiative wasn’t quite as awful as its critics had wanted it to be.

It’s hard to remain dispassionate and neutral about such issues, and there will always be accusations that various academics have been captured by the law enforcement community if they indicate that they support proposals that benefit the law enforcement community. After all, who wants to make crime fighting easier …

Responsible academics ought to remain engaged with the policymaking process, and express their views from within the tent. It would never be appropriate (nor has it yet happened, to my knowledge) for an academic to take comfort in grandstanding from a distance, or causing so much fuss at meetings that when they threaten to eject themselves from the meeting, their offer is gratefully accepted.