Tuesday 18 August 2015

In praise of David Smith

As Deputy Commissioner David Smith completes his last lap of the data protection conference circuit, various speakers are extending their hastily-prepared remarks to include a short homily on his contribution to data protection over the decades. Yes, he really has been at the ICO for decades.

It's a convention that public servants are never presented with anything other than small tokens of appreciation from grateful hosts. It’s the ICO’s practice for gifts to be declared in a central register and, to the extent that is practical, for them to be used as prizes at the ICO’s annual Xmas raffle.

At its summer party last night, the Crouch End Chapter of the Institute of Data Protection decided not to present David with a physical token of their appreciation of his work. Instead, a toast was proposed by the Chairwoman of the Dagenham Data Practitioners, who had been invited to the party along with all the other members of the DDP.

To round off the evening, we sang an ode in David’s honour. The words are reproduced below, in case the ICO Chorus fancy sending David off in song, too.

Eternal David, strong to save,
We thank you for advice you gave,
You bidd'st the mighty Google deep
Its own appointed limits keep;
Oh, hear us when we cry to Thee,
For those in peril because of me

O Dave! Whose voice we always heard
And hushed our raging at Thy word,
Your temper never would explode,
Just point us to a data Code;
Oh, hear us when we cry to Thee,
For those in peril because of me

Most gentle Smithie! Who didst brood
Upon the chaos dark and rude,
And bid its angry tumult cease,
And give, for wild confusion, peace;
Oh, hear us when we cry to Thee,
For those in peril because of me

And now you’re off! It is the end
Of kind words from a distant friend;
We hope and pray the next one in
Will forbear us should we start to sin,
Support us when we cry oh ****
Our data’s gone, we’re out of luck


Monday 17 August 2015

The (discreet) search for the new Information Commissioner

The (discreet) search to appoint a successor to David Smith, soon-to-retire Deputy Information Commissioner and Director of Data Protection, is over.

Shortly, the successful candidate will be unveiled. Don't worry, it’s not me. And a (discreet) search will commence to find a suitable replacement for Chris Graham, the soon-to-be outgoing Commissioner.

How secret should this process be, and when is it appropriate to extend the selection process?

Given the transparency and manner in which people can participate in elections for leaders of political parties, perhaps the time is ripe for a larger group of people to be involved in selecting public officials who will be involved in determining information rights enforcement strategies.

After all, in the UK, we generally police by consent. So, given the resource challenges that the ICO faces, surely it is right that a significant body of people help determine the identity of the “independent” person who subsequently determines the enforcement priorities that his officials will adopt.

Otherwise, what checks are available? Can we always trust the “backroom bods?”

When even a person as eminent as the Chairman of the House of Lords Privileges and Conduct Committee can be alleged to have behaved as badly as he has, why should it be assumed that the current appointment system is perfectly fit for purpose?

But, more to the point, why should Data Protection Officers, who actually play a very significant role in ensuring that organisations comply with their data protection obligations, be disenfranchised from a compliance process they play such an integral part in?

If I had my way, the DPOs of all registered data controllers would be able to register their interest in participating in the selection process by paying a £3 fee to the ICO – just as the Labour Party currently allows interested individuals to participate in elections for party leader.

Hopefully, it won’t be too long before it is more generally realised that the Office of the Information Commissioner is, in many respects, a political office. In determining precisely how laws will be enforced, the Commissioner currently exercises his own judgment (supported, presumably, by the ICO Board and his Executive Committee). But he plays a political role – and this is a role for which he’s pretty unaccountable to the data controllers he’s regulating.

Future Commissioners will get one term to rule. And as they won’t need to concern themselves with the need to remain on good terms with those who would (previously) have extended their initial appointment, there is a risk that they will adopt enforcement strategies that will really rub people up the wrong way.

Accordingly, to give the incoming Commissioner a greater sense of legitimacy, the selection process really needs to be made more transparent.

The days are numbered where a meek group of regulated organisations will simply accept the whim of whomever will be selected to step into a senior office.

So an election – or even hustings from a selection of the more promising applicants – would do nicely, thank you.


Image credit:
Today’s image is that of the ballot machine used in Florida during the 2000 Presidential election – many votes were disputed because incompletely punched holes resulted in “hanging chads.”


Wednesday 12 August 2015

Do privacy laws prevent police forces from naming suspects?

I was asked this question at 6.15 am today. And, if I knew the answer, was I available for a BBC radio interview immediately after the 7.00 am news?

No and Yes were my answers – so I subsequently had a chat with BBC Radio’s Adrian Goldberg.

The question arose because the Birmingham Mail had asked West Midlands Police to disclose the names and images of ten suspects it had been hunting for at least a decade for crimes including rape and murder.

Initially, the force had refused to name any of the suspects, pointing to the relevant exemptions in the Freedom of Information Act. The Mail reported that the force had explained that naming them would be an unfair breach of their privacy.

This decision was criticised by local MP Khalid Mahmood as being “utterly bizarre.”

But let's get real, here.

The media has no automatic right to be informed by the police of the name of a person who is under investigation or who has been charged with a criminal offence.

While not naming nine of the ten suspects, the police did provide background information on them, and they indicated that there were operational reasons for withholding their identities.

So I’m not joining the rush to condemn the police for their behaviour. There are often extremely good reasons why suspects should not be named – particularly when there is no serious public interest at stake.

The National Police Chiefs’ Council (formerly known as ACPO, the Association of Chief Police Officers) currently considers that:

  • Those who have been charged should be named.
  • For those who have been arrested, there is a presumption that they should not be named;

But, that presumption can be displaced where (and only where):

  • Releasing the name promotes the prevention or detection of crime; and/or
  • There is a serious public interest in releasing the name.

Suspects should not routinely be named. And media organisations must be careful not to identify suspects at this stage, as they would be able to sue the organisation for libel if the police investigation does not lead to a criminal prosecution.

Many suspects are never arrested or charged – for a variety of reasons, including lack of evidence of their guilt or positive evidence of their innocence. Remember the witch-hunt against Christopher Jefferies, the retired Bristol teacher arrested on suspicion of the murder of his tenant Joanna Yeates in 2010. His life was turned upside down following the news of his arrest, even though he was later publicly exonerated. He was able to recover substantial damages from the media organisations that had unfairly named him, but no amount of money can properly account for the impact on his reputation.

As Lord Leveson recommended in his 2012 report on the culture, practices and ethics of the press:

“…Police forces must weigh very carefully the public interest considerations of taking the media on police operations against the rights of the individuals who are the subject of such an operation… I think that it should be made abundantly clear that save in exceptional and clearly identified circumstances (for example, where there may be an immediate risk to the public), the names or identifying details of those who are arrested or suspected of a crime should not be released to the press or the public.”

I won’t be encouraging vigilantes to join this particular witch-hunt.

Source: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/270941/0780_ii.pdf (Volume 2, p. 984, paragraph 3.3)


Tuesday 11 August 2015

Not a lot of news from Big Brother Watch today

What are we to make of today’s Big Brother Watch report which claims that local authorities commit 4 data breaches every day?

In the words of TV magician Paul Daniels: “Not a lot.” 

At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.

BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so long to publish the results, bearing in mind that FOI requests should be answered within 20 working days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information or claimed that they had experienced no data breaches between 2011 and 2014.

Evidently, the safest place to live these days is Northern Ireland, where 21 of the 25 Northern Irish District Councils did not report a single data breach. 

The report’s recommendations, unfortunately, don’t reflect too deep an understanding of the improvements to information handling procedures that are already likely to emerge in the foreseeable future.

BBW calls for “proper punishments for the misuse of personal information,” without acknowledging that (even) magistrates courts are already capable of levying unlimited fines for DPA offences. Instead, BBW joins the chorus for custodial sentences, but it failed to point out whether any of the data breaches featured in the report would have been cases where a jail term, rather than a fine, would have been a more appropriate punishment.

BBW calls for anyone who knowingly commits a data protection breach to receive a criminal record. Currently, offences are classed as civil offences. BBW is concerned that this raises the potential for an individual to gain further employment that allows them to access personal information, despite the fact that they have been punished for committing a data protection offence in a previous job.

Perhaps in a future report, BBW will also advocate sending miscreants to the stocks for a couple of days.

BBW calls for mandatory data protection training for members of staff with access to personal information – but it does not appear to know how many of the reported data breaches had occurred despite the DPA training that was in place.

BBW calls for the mandatory reporting of a breach if it concerns the public – but it failed to mention the breach reporting standards advocated by the GDPR.

BBW calls for standardised reporting systems and approaches to handling a data breach – but it failed to mention the work the ICO has already done in this area to encourage standardised breach reporting.

BBW also echoes the ICO’s calls for it to be able to audit local authorities.

But enough of all this negative stuff – the report does contain some examples of poor data handling practices that will be useful for DPOs to feature in future presentations. They include:

  • A CCTV operator watched part of the wedding of a member of the CCTV team.
  • An officer wrote down his contact details on what he thought was a scrap of paper but contained personal details of a complainant.
  • A care agency left 23 black sacks of paperwork behind after an office move. 100s of clients in several authorities were affected.
  • A child report was sent to the wrong recipient. The recipient used Facebook to track down the correct client and passed the report on. The client reported this.
  • An advisor recorded incorrect details for a noise complaint, which resulted in an officer visiting the person being complained about rather than the complainant.

Happy reading.



Monday 10 August 2015

How effective is the Telephone Preference Service?

I don't know, either.

The TPS’s website provides individuals with an easy way to register their objection to receiving unsolicited direct marketing calls, but no information on how effective it is at stamping out these practices.

There’s no information on the volume of complaints it receives, and how these are trending over time.

There’s no information on the work it does to investigate these complaints, before handing them to the Information Commissioner’s Office.

There’s no information on the disciplinary action it has taken against companies who fail to properly screen their lists.

Well, actually that's not quite right. The "make a complaint" page does explain that “we are not the body responsible for enforcement and we are unable to take enforcement action against companies complained about.”

So what does it do?

Ah, that’s easy. “Complaints handled by TPS and CTPS are included in a regular report sent to the Information Commissioner's Office (ICO) who are the body responsible for enforcement. This enables them to identify trends in complaints being made and supports their investigation when taking enforcement action deemed necessary by them.”

And that’s it.

No wonder I’m getting sick and tired of reading about the ICO fining organisations that breach the PECR regulations. They appear to be the only body that generates headlines as they try to stop nuisance calls.

It might well be the case that the TPS is just as determined to deter miscreants – but it is evidently doing so in mysterious ways.

If the TPS were a public authority, I expect that the usual suspects would have made FOI requests by now, demanding to know just what it is doing and how effective it thinks it is.

What do we learn from its website about the “TPS in the news and press releases?”

Not much, considering that there’s only one link for 2015 – and that's over 4 months old. The next link is almost a year old. The TPS really needs to curate its website more carefully if it is to avoid accusations that its press officer, and the service itself, could be more proactive.

Perhaps the TPS really is being proactive. Perhaps it shares a great deal of information with the direct marketing industry, through the Direct Marketing Association.

And if that is the case, why shouldn't it share more information with consumers, too?

So, I’m looking forward to the TPS adding a new Frequently Asked Question on its website soon: "How effective is the TPS?"



Friday 7 August 2015

Why are so many privacy professionals driven to despair?

Don’t worry. It’s not that unusual for privacy professionals to be driven to despair by the demands of their job. It’s just a mindset that most of them go through when business “requirements” and legal “restrictions” continually clash.

As Tom Fletcher, the UK’s former Ambassador to the Lebanon, recently put it: “You think you’ve reached rock bottom – then you hear a noise from below.”

But there is hope at the end of the tunnel. That mindset can pass, to be replaced with a more productive phase of professional life.

Tom Fletcher recently blogged about the eight stages of his (professional) life. Seduction. Frustration. Exhilaration. Exhaustion. Disaffection. Infatuation. Addiction. Resignation.

He knew them all, often simultaneously.

I’ve known them, too.

The work of a privacy pro isn’t easy, when you’re dealing with clients who have little concept of current data protection requirements, let alone the added complexities that are being contemplated by those that are currently negotiating the compromise text of the General Data Protection Regulation. But why should the negotiators care about complexity? Hardly any of the people currently involved in the tripartite discussions will ever have a job that actually requires them to implement it. Many will simply move on to reaching consensus in other policy areas.

Talking about it is not the same as doing it.

So, and as apparently happens so often with Lebanese politics, the tripartite negotiators can needlessly overcomplicate issues with layers of conspiracy, creative fixes, and intrigue. They can undermine leaders working in the national interest of Member States, rather than the collective interest of the EU. And they can proclaim that there is no substitute for this unrelenting, maddening, political process.

Roll on 2016 when, in a fit of exhaustion, something will be churned out of the EU’s legislative sausage machine, and hordes of consultants can feast for years thereafter. Whatever finally emerges is unlikely to significantly enhance the privacy of the average EU citizen – but it ought to significantly enhance the bank balances of the armies of consultants who will be called upon for guidance as to which elements of the Regulation should be implemented, and how, and which bits can be safely ignored, and why.

But why do I care?

Simply because I care about the implementation costs. When most small and many medium-sized businesses can barely begin to demonstrate compliance with the current rules, my eyes roll when I think of the difficulties that they will face in coming to terms with the new rules.

Of course the larger organisations will do what it takes to remain on the right side of their regulators – assuming, that is, that the regulators have a large enough stick to require compliance. Under-resourced regulators will be left in the unenviable position of being held accountable for not enforcing the new rules. They’ll be blamed for allowing some businesses (and some public sector bodies, no doubt) to get away for years with shockingly poor data handling standards.

Perhaps my current mood will improve when all the privacy pros return from their summer holidays.

I do hope so.


How to cope: