Tuesday, 8 February 2011

Another "first" with the ICO


I had another memorable experience with someone from the Information Commissioner’s Office today. Is this an especially memorable experience that is likely to be splashed across the centre pages of a Sunday newspaper? I think not. It was my first such experience, but it was all carried out in the best possible taste.

What am I on about?

I’m referring to the Commissioner’s latest plan to manage the volume of assessments his Office is required to deal with. Try as hard as we might, there will always be the odd occasion in which mistakes are made - and the victims of those mistakes may, also on occasion, relay their experience to the ICO. And these complainants, quite justifiably, will expect the ICO to examine the mistakes which have been made and to ensure that those responsible - and perhaps the wider data protection community - learn the relevant lessons.

In the past, it’s been the ICO’s practice to write to the data controllers, seeking written responses to points when it appeared that there may have been a breach of the Data Protection Act. Now, a new trend is emerging. As one of the leading exponents of modern technology, the ICO has taken to phoning data controllers, rather than writing to them (or perhaps as a precursor to writing to them), seeking their views and commitments on issues that are well known to one and all.

I had my first experience of such a telephone call today. And I have to report that it was a very welcome sensation. Quite a thrill, actually. It enabled me to understand the root cause of the complainant’s problem, and it gave me the opportunity to emphasise my commitment to continually reviewing and enhancing the customer service standards that my employer tries so hard to provide. And it also gave me an opportunity to explain to the ICO’s assessor just how much effort it takes to ensure that such regrettable errors are kept to the absolute minimum.

I quite enjoyed the call. It allowed me, rather than asserting my written commitment to high data protection standards, to demonstrate my passion in words. It enabled me to engage in a constructive, friendly and meaningful discussion with someone who, I hope, also formed the opinion that I truly care about trying to get things right.

And, just as importantly, it also enabled us both to deal with the assessment, and the underlying cause of the problem, then and there. In one phone call, rather than a series of letters which might have taken weeks to properly deal with.

I do hope to receive more such calls. They’re just as effective as written correspondence with the ICO. They let me show that I care, and they give me an opportunity to advise the assessor of other facts that they might also need to bear in mind when dealing with similar issues. They also give the assessor the opportunity to clear up any supplementary points that might arise during the conversation, in order that they can make a better informed decision about the action they should subsequently take.

So, given the chance, I hope you might also enjoy a one-to-one with one of the Commissioner’s complaints handling staff. We don't always have to do it in writing. Remember - it's good to talk!


Saturday, 5 February 2011

Dining with the Privacy Advisors Supper Club


Another day, another (data protection) dinner. Yesterday’s event was organised by Robert Bond for the Privacy Advisor’s Supper Club. He certainly knows how to throw a marvellous party. It was held this time at the newly opened Mint Hotel in the City of London. We congregated in the Sky Lounge on the 12th floor, which hosts the private dining areas. Stunning views of the Tower of London (just look at the image!) and of the Shard. And such wonderful company. Mr Bond, you really are spoiling us!

I like these events. It’s great to meet data protection colleagues socially, in an atmosphere where no-one is selling their services to anyone else. It’s just a bunch of like-minded individuals who enjoy each other’s company. And a group of people who can just check their data protection compasses so to speak. We leave, well fed and refreshed, feeling just that ever so little bit more confident that we are doing the right thing, and steering our organisations in the right data protection direction.

If you want to come along some time then find the group on LinkedIn. It’s not one of those “exclusive” supper clubs. No-one has to be proposed or seconded by current members before they can join. No annual fees are payable. No formalities. The only pre-requisites are a passion for data protection (ok, an interest - and a sense of humour - will do just as well) and being available that evening to join fellow colleagues for an evening of great conversation and great food. No organiser makes a profit, we just share the bill.

The first event was organised by Nicola McKilligan and was held last May at Babylon, above the Kensington Roof Gardens. Last night’s event was the second. The arrangements for the next do will soon be announced by that event’s organiser.

It is a great way to visit a restaurant that you may have heard of, but never actually had an opportunity to visit.

And, on the strength of the successes of the first two, I will certainly be trying to make myself available to attend the next one.

Hope to see you there as well. It’ll be fun.


Source:
http://www.linkedin.com/groups?mostPopular=&gid=2897227


Friday, 4 February 2011

A quest for privacy theory


Charles Darwin did it with a sketch. And Michael Birnhack did it last night with a public lecture at the Institute of Advanced Legal Studies. What did they both do? They tried to explain what they meant to an audience of people who were (with a few notable exceptions) not as bright as them.

Charles Darwin’s famous Tree of Life sketch, jotted down in 1837-8, shows his insight of how a genus of related species might originate by divergence from a starting point.

Michael Birnhack’s presentation, delivered to some 40 students, scholars and academics, was based on the premise that something is going on in the privacy realm that bothers us. Something may be going wrong – so something must be done. But what?

The emergence of recent technologies suggested that there was a greater need to forecast the implications of future technologies that will impact on privacy – both for the good and for the bad. Advances in computing suggest that the privacy focus in future may be more on reacting immediately to events that are currently happening, rather than relying on huge databases of stored information to help predict the shape of new events.

Yes, privacy is a vague, elusive and contingent concept, and it remains a fundamental human right. But just what is it that comprises this human right? Is it just privacy as control? Or is it something else?

As Michael quickly took us through the usual legal concepts of privacy, the brilliance of the earliest work shone through – the concept of the right to be let alone, developed by Warren and Brandeis over 120 years ago, still remains pretty valid. But, increasingly, in the modern world, the rights of groups of people trump the rights of individuals who want to be let alone.

So where are we now? Is it just about control?

The tectonic plates are turning against Westin’s contention (1967) that it’s about the claims of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others. Privacy is not the same as a property right. Information control, in the privacy concept, should not just be about a right for an individual to withhold information. The real challenge lies in transparency, since it’s so hard for an individual to control their personal information which is no longer held by them. The EU's proposed new concept of a right to be forgotten is about as dead as the dodo - which was the point I made in yesterday’s blog about my night with the Sex Pistols.

As Michael suggested, privacy is not only a legal right, but it’s also a social norm. Privacy is technology-dependent, and technology both affects us and also changes our perceptions. Richard Thomas famously said in 2004 that “we are sleepwalking into a surveillance society”.

"But", Michael concluded last night, “theory can wake us up”.

Source:
birnhack@post.tau.ac.il


Thursday, 3 February 2011

My night with the Sex Pistols


The European Commission’s idea of a “right to be forgotten” sounds a bit daft. Their cunning plan for a revised Directive containing this concept may sound fine in theory, but how on earth will it actually work in practice?

This thought occurred to me as I sat reading yesterday’s edition of the London Metro. John Lydon (aka Johnny Rotten of the Sex Pistols) had been interviewed by Andrew Williams. He had been asked: "What’s the worst gig you’ve ever done?"

John replied: "Brunel University with the Sex Pistols. Sid was so out of his mind it took hours to get him anywhere approaching sobriety, there were no monitors on stage so we couldn’t hear what we were doing and the PA couldn’t cope with the hall. There was a huge lack of communication between ourselves, management and the public perception of us. It resulted in us walking into a huge, big f***-up."

John may well want to forget about that night, and remove all traces from the internet.

I don’t.

Actually, I was there.

Picture it. 16th December 1977. Anticipation about the event was at fever pitch, as many local authorities had banned them from performing following the release of their album “Never Mind the Bollocks”. It was a bit rude. And the audiences were known to spit at each other, as well as at the band on the stage. To avoid Uxbridge council from also banning them, details of the gig were only released to us Brunel students the day before it actually happened. This was probably to make sure that as many students as possible attended, rather than lots of local punks. As members of the Student Union, we were well aware that something “big” was in the offing, and that some band or other was going to be playing in that barn of a sports hall. We just didn’t know who it was going to be. I remember joining the hour-long queue for gig tickets even though no-one in that queue actually knew who we were going to be seeing. All we had been told was that tickets would go on sale at 10am (that was really really early for us students) on the Thursday, and that we could buy a maximum of 4 tickets – at £1.75 each – and that the band’s name would be on the tickets. So until the ticket desk actually opened, no-one had a clue about what was really going on. I queued, bought my 4 tickets (for the grand total of £7 - which was a lot of money back then), and got extremely excited when I saw the band's name printed on those precious tickets. I phoned some friends and they joined me the following day to witness the first night of the ‘Never Mind the Bans’ tour, the band’s last ever UK tour. It also turned out to be their final London show.

In his autobiography No Irish, No Blacks, No Dogs John Lydon remembered the shambles: The PA wasn’t good enough for a small nightclub let alone an aircraft hangar with four thousand screaming people. You couldn’t hear anything except fuzzy noise. No monitors and no lights. No music playing in the hall beforehand so the audience grew very angry and impatient. Everything ran late. This was apparently the fault of the band’s manager, Malcolm McLaren, for wanting to create a sense of chaos rather than putting money into what should have been a pivotal night in the band’s career.

My memory of the show itself is still pretty clear. I also remember shivering outside in the queue as the doors opened late, and I remember my disappointment that the stage set was just a sheet, spray painted with the slogan ‘Sex Pistols Will Play’. And then they did play. What a noisy, tuneless racket. Talk about mayhem. Their set might even have been cut short. You couldn’t really tell. But I still remember it.

And as I still remember that gig, I really wonder how an EU Directive might be able to require me or anyone else to forget about that event, simply because someone else wants to forget about it.

Like someone who played a much more prominent role in the events of that night.

Even someone like Johnny Rotten.


Sources:
The image, taken that night, (copyright unknown) was found on the Sex Pistols’ website. http://www.sexpistolsofficial.com/index.php?module=photos_videos&pv_gallery=photo&gallery_list_id=17&current_page=5
http://www.metro.co.uk/music/854340-john-lydon-i-enjoyed-doing-those-butter-adverts
Images of the tickets – and of T shirts bought at the event (by a fellow gig goer) are at http://www.philjens.plus.com/pistols/pistols/brunel_t.html


Tuesday, 1 February 2011

Winning the (legislative) war of attrition


I spotted a pair of the brightest stars in the legal firmament at last night’s lecture at the Institute of Advanced Legal Studies. In terms of “A listers”, they don’t get much better than Michael Zander and Gavin Drewry. Google their names if you’ve never heard of them. I first came across Professor Michael Zander as a first year law student – his book was “the” legal text book to buy. Expensive (then) but oh so comprehensive. While Professor Gavin Drewry is one of the leading authorities on public administration, and one of our greatest experts on the workings of Parliament.

What had persuaded them to pop out for the night then? It was to hear Paul Regan, a Home Office civil servant, giving his perspective on enacting legislation. The audience – members of the public, and members of the Statute Law Society. And boy, was he qualified to give this presentation. To give you an idea of his background, he worked on Lord Justice Scott’s hugely sensitive enquiry into the sale of defence equipment to Iraq. Paul led the Home Office’s Bill team on the War Crimes Act 1991, the Terrorism Act 2006, fox hunting legislation in 2000, as well as the Extradition Act 2003 – the first major piece of legislative reform in that area since 1870. He knows more than a thing or two about how Parliament works, and he knows just what needs to be done to get legislation onto the Statute Book. And, with his work in the Office for Security and Counter Terrorism, he knows how to get stuff done discreetly. (His image does not appear to be on the internet, either).

One phrase Paul used last night (several times) sticks in my mind. He constantly referred to “winning a war of attrition” between the various players in the legislative process. You can’t take your eye off the main purpose of the bill, and it’s so important to save the important bits from being sacrificed during the horse trading that often accompanies the dying days of a Parliament, as a series of bills are savaged during the game of “Parliamentary ping pong”. It can only be hours to go before Parliament is prorogued, but both Houses of Parliament still have to agree on an identical text. Grubby politics and political expediency become the order of the day, and this is an art in which a few people – like Paul – excel.

What’s that got to do with data protection?

Well, it got me thinking about the tactics that will need to be adopted when the European Commission gets to propose its cunning plan for a revised Data Protection Directive. Will the British team have officials who excel in that art of grubby politics and political expediency? Or will a delegation from another Member State have the upper hand and force a political deal that’s more suited to their cultural needs, rather than the cultural needs of British interests?

I guess we’ll have to wait and see. Fellow students of the art of European legislation gestation appreciate how frequently what appears to be a sensible measure is shafted by a last minute amendment which introduces a set of words that skews the delicate balance between the competing interests that had previously been negotiated. And we all know how little interest politicians seem to take in legislation once it has been passed. Passing laws and implementing laws are entirely different things. Their focus will have shifted by that time, to a new and knotty problem, one which requires urgent action and ... yep, you’ve guessed it, new legislation. Politicians appear to relish in the sense of immediacy, and in the need to have something to show for the time they’ve been in office. If I had my way I would encourage our political masters to pass less legislation, and instead take more care in trying to make it actually work.


Note:
The image is of a large arms cache discovered by US Marines during a sweep through Iraq some 6 years ago. I’m not suggesting that these were the arms which were the subject of Lord Justice Scott’s enquiry, nor that Paul Regan had anything to do with them.


Monday, 31 January 2011

Dog poo and the DPA


We all know that dog fouling is an anti-social behaviour. And we all know that the powers that be take a dim view of officials using their surveillance powers under the Regulation of Investigatory Powers Act to investigate the stuff. Well, to monitor the owners of the pooches who poo, anyway.

Our local council officials have come up with a cunning plan. Will they use the mighty RIPA to investigate such offences? Oh no. To do so would obviously be disproportionate. But, they have found another piece of legislation that can be flexed to serve their needs. Instead, they will use the Data Protection Act to bring the miscreants to justice.

I saw this sign earlier today, clearly warning that CCTV may be used to gather evidence against individuals who allow their dogs to foul the land. This “fair processing notice” was fixed to a lamp post – but far too high for any small or medium sized dog to read. Anyway, hidden at the top of the lamp post, I thought I saw a tiny CCTV camera.

So, you dog walkers of Crouch End. You have been warned.

Our council officials have ways and means of tracking down the offenders.

Even when they’re not allowed to use RIPA.


Sunday, 30 January 2011

The MoJ gets our views on a new DP Directive


I celebrated Data Protection Day 2011 the same way as I did 2 years ago – by attending an event at One Great George Street. That first bash was hosted by the Information Commissioner, who used the occasion to launch the Personal Information Promise. I was so determined to ensure that my company was recorded as the first to sign the thing that I made sure that the document our Chief Executive signed was actually dated the day before the date of the formal launch!

This year’s event was hosted by our chums at the Ministry of Justice, who used the occasion to publish the response to their Call for Evidence on the current data protection legislative framework in the UK. That consultation exercise ran from July to October 2010, generating a series of workshops, 163 responses and an awful lot of paperwork. The event was also used to gather more views on the position the MoJ should take as it embarks on the latest review of the Data Protection Directive. Well done MoJ. It’s got those officials well up to speed, and they must be better briefed than any other national delegation.

What worries me slightly is what happens next. Our team may know what they want, and the priority in which they want to negotiate the points away, but who will they be negotiating with, and what demands will those other teams be bringing to the table?

I sense that there is just one other national team that’s gearing up for the review, and that’s the Germans. Why? – Because German politicians have only recently reviewed German Data Protection Law, and no doubt they will be very keen to ensure that whatever European Directive is passed will allow them to keep the very high standards that the Bundestag (German Parliament) has legislated for. These standards are not the same as British standards. Oh no. I think it’s fair to suggest, though, that many responsible German data controllers are finding it hard to adapt their business systems to meet these new standards. I sense a growing unwillingness among my German colleagues to introduce new types of information services simply because it’s so hard to work out how to make them comply with the new law. But how hard will the Germans negotiate to protect something they can’t work with already?

Why does this stuff matter? Because surely it would be in no-one’s interest (in the EU) to make compliance so burdensome that the only people to benefit were global companies based outside the EU. Thanks to cloud computing and the internet, you don’t need a physical presence in a Member State to do business there. We know what the trend is. We know what happens when internet betting companies realise it’s more tax efficient to operate from Gibraltar rather than Glasgow. They transfer their operations there. And the same could happen in a global context should the Data Protection review result in another legal instrument that wasn’t fit for its purpose.

This point was brought home to us all very clearly at the MoJ’s event on Friday. In a brilliantly astute move, both David Smith (Assistant Information Commissioner) and Baroness Sarah Ludford MEP had been invited to address the assembled gathering of about 100 of the usual data protection suspects.

David was his usual self, demonstrating his deep understanding of the fault lines in the current legislation, but taking care to point out its considerable strengths too. We often gloss over the extent to which the current Directive has helped raise standards, influenced other jurisdictions to develop similar standards, with rules that have (generally) been capable of being applied to new technologies, and how it has even encouraged EU regulators to harmonise their opinions about many issues. And David was also crystal clear in what the ICO wanted in future: greater clarity (and simplicity) in the scope of the law, a high level of protection, a better level of accountability by data controllers, with a focus on risk reduction not bureaucratic form filling, and simple but effective rights for individuals, and (finally) sensible rules on international data transfers.

The regulators have got it.

Job done? No. No way.

As Baroness Ludford spoke, I sensed a new atmosphere in the room. We were now hearing from an MEP, a person who passionately believed that the European Parliament had a voice in these things too. It is clear that we ignore these creatures at our peril. My most valuable insight into the day was the extent to which we all have to redouble our efforts to make sure that these powerful people actually know what they are talking about, and that they fully appreciate the consequences of any amendments they may propose. Sarah freely admitted that she and her fellow European Parliamentarians needed more assistance as they crafted amendments that could well make their way into the final text of European Directives. They don’t have parliamentary draftsmen available to help them get the words right. "We are amateurs and there is not good enough impact assessments of amendments put by MEP’s, only the Commission", she said.

So, the prospects of the European Parliament creating a legal instrument that is clear and simple, given the political bargaining that will inevitably go on until the very last minute, are slight. Let alone a legal instrument that will meet the needs of both people who wish to have greater control of their own personal information, and companies who also see this very same information as their own property (because they acquired it in a fair and transparent manner).

Our call to arms is simple. Support our MoJ negotiators. Because if we don’t, we could have an awful lot to lose. Our political masters may glide through the Ministry of Justice en route to another political appointment every now and again. But Belinda Crowe, the MoJ’s Information Director, and Kevin Fraser, the Head of EU/International Data Protection, are unlikely to be so lucky. They should be in their posts for the whole ride – so let’s make sure we brief them until we’re blue in the face.

And at the same time we need to brief the other national delegations about our concerns. Oh yes, and we must not forget the importance of briefing the MEPs, who think they already know a bit about data protection, too.


Source:
http://www.justice.gov.uk/consultations/call-for-evidence-060710.htm
