Monday, 17 August 2015

The (discreet) search for the new Information Commissioner

The (discreet) search to appoint a successor to David Smith, soon-to-retire Deputy Information Commissioner and Director of Data Protection, is over.

Shortly, the successful candidate will be unveiled. Don't worry, it’s not me. And a (discreet) search will commence to find a suitable replacement for Chris Graham, the soon-to-be outgoing Commissioner.

How secret should this process be, and when is it appropriate to extend the selection process?

Given the transparency and manner in which people can participate in elections for leaders of political parties, perhaps the time is ripe for a larger group of people to be involved in selecting public officials who will be involved in determining information rights enforcement strategies.

After all, in the UK, we generally police by consent. So, given the resource challenges that the ICO faces, surely it is right that a significant body of people help determine the identity of the “independent” person who subsequently determines the enforcement priorities that his officials will adopt.

Otherwise, what checks are available? Can we always trust the “backroom bods?”

When even a person as eminent as the Chairman of the House of Lords Privileges and Conduct Committee can be alleged to have behaved as badly as he has, why should it be assumed that the current appointment system is perfectly fit for purpose?

But, more to the point, why should Data Protection Officers, who actually play a very significant role in ensuring that organisations comply with their data protection obligations, be disenfranchised from a compliance process in which they play such an integral part?

If I had my way, the DPOs of all registered data controllers would be able to register their interest in participating in the selection process by paying a £3 fee to the ICO – just as the Labour Party currently allows interested individuals to participate in elections for party leader.

Hopefully, it won’t be too long before it is more generally realised that the Office of the Information Commissioner is, in many respects, a political office. In determining precisely how laws will be enforced, the Commissioner currently exercises his own judgment (supported, presumably, by the ICO Board and his Executive Committee). But he plays a political role – and this is a role for which he’s pretty unaccountable to the data controllers he’s regulating.

Future Commissioners will get one term to rule. And as they won’t need to concern themselves with the need to remain on good terms with those who would (previously) have extended their initial appointment, there is a risk that they will adopt enforcement strategies that will really rub people up the wrong way.

Accordingly, to give the incoming Commissioner a greater sense of legitimacy, the selection process really needs to be made more transparent.

The days are numbered where a meek group of regulated organisations will simply accept the whim of whoever is selected to step into a senior office.

So an election – or even hustings from a selection of the more promising applicants - would do nicely, thank you.


Source:
http://www.blacklistednews.com/Britain%3A_Chairman_of_the_Lords_Privileges_and_Conduct_Committee_Filmed_Snorting_Cocaine_with_Prostitutes/45224/0/38/38/Y/M.html


Image credit:
Today’s image is that of the ballot machine used in Florida during the 2000 Presidential election – many votes were disputed because incompletely punched holes resulted in “hanging chads.”



Wednesday, 12 August 2015

Do privacy laws prevent police forces from naming suspects?

I was asked this question at 6.15 am today. And, if I knew the answer, was I available for a BBC radio interview immediately after the 7.00 am news?

No and Yes were my answers – so I subsequently had a chat with BBC Radio’s Adrian Goldberg.

The question arose because the Birmingham Mail had asked West Midlands Police to disclose the names and images of ten suspects it had been hunting for at least a decade for crimes including rape and murder.

Initially, the force had refused to name any of the suspects, pointing to the relevant exemptions in the Freedom of Information Act. The Mail reported that the force had explained that naming them would be an unfair breach of their privacy.

This decision was criticized by local MP Khalid Mahmood as being “utterly bizarre.”

But let’s get real here.

The media has no automatic right to be informed by the police of the name of a person who is under investigation or who has been charged with a criminal offence.

While not naming nine of the ten suspects, the police did provide background information on them, and they indicated that there were operational reasons for withholding their identities.

So I’m not joining the rush to condemn the police for their behaviour. There are often extremely good reasons why suspects should not be named – particularly when there is no serious public interest at stake.

The National Police Chiefs’ Council (formerly known as ACPO, the Association of Chief Police Officers) currently considers that:

  • Those who have been charged should be named.
  • For those who have been arrested, there is a presumption that they should not be named.

But that presumption can be displaced where (and only where):

  • Releasing the name promotes the prevention or detection of crime; and/or
  • There is a serious public interest in releasing the name.

Suspects should not routinely be named. And media organisations must be careful not to identify suspects at this stage, as the suspect would be able to sue the organisation for libel if the police investigation does not lead to a criminal prosecution.

Many suspects are never arrested or charged – for a variety of reasons including lack of evidence of their guilt or positive evidence of their innocence. Remember the witch-hunt against Christopher Jefferies, the retired Bristol teacher arrested on suspicion of the murder of his tenant Joanna Yeates in 2010. His life was turned upside down following the news of his arrest, even though he was later publicly exonerated. He was able to recover substantial damages from the media organisations that had unfairly named him, but no amount of money can properly account for the impact on his reputation.

As Lord Leveson recommended in his 2012 report on the culture, practices and ethics of the press:

“…Police forces must weigh very carefully the public interest considerations of taking the media on police operations against the rights of the individuals who are the subject of such an operation… I think that it should be made abundantly clear that save in exceptional and clearly identified circumstances (for example, where there may be an immediate risk to the public), the names or identifying details of those who are arrested or suspected of a crime should not be released to the press or the public.”

I won’t be encouraging vigilantes to join this particular witch-hunt.


Sources:
http://www.birminghammail.co.uk/news/midlands-news/west-midlands-police-u-turn-9835858
http://www.west-midlands.police.uk/latest-news/news.aspx?id=3406
http://www.bailii.org/ew/cases/EWHC/Admin/2011/2074.html
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/270941/0780_ii.pdf  (Volume 2, p.984, paragraph 3.3)
http://www.inbrief.co.uk/media-law/media-identification-of-suspects.htm


Tuesday, 11 August 2015

Not a lot of news from Big Brother Watch today

What are we to make of today’s Big Brother Watch report which claims that local authorities commit 4 data breaches every day?

In the words of TV magician Paul Daniels: “Not a lot.” 

At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.

BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so long to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.

Evidently, the safest place to live these days is Northern Ireland, where 21 of the 25 Northern Irish District Councils did not report a single data breach. 

The report’s recommendations, unfortunately, don’t reflect too deep an understanding of the improvements to information handling procedures that are already likely to emerge in the foreseeable future.

BBW calls for “proper punishments for the misuse of personal information,” without acknowledging that (even) magistrates’ courts are already capable of levying unlimited fines for DPA offences. Instead, BBW joins the chorus for custodial sentences, but it failed to point out whether any of the data breaches featured in the report would have been cases where a jail term, rather than a fine, would have been a more appropriate punishment.

BBW calls for anyone who knowingly commits a data protection breach to receive a criminal record. Currently, offences are classed as civil offences. BBW is concerned that this raises the potential for an individual to gain further employment that allows them to access personal information, despite the fact they have been punished for committing a data protection offence in a previous job.

Perhaps in a future report, BBW will also advocate sending miscreants to the stocks for a couple of days.

BBW calls for mandatory data protection training for members of staff with access to personal information – but it does not appear to know how many of the reported data breaches had occurred despite the DPA training that was in place.

BBW calls for the mandatory reporting of a breach if it concerns the public – but it failed to mention the breach reporting standards advocated by the GDPR.

BBW calls for standardised reporting systems and approaches to handling a data breach – but it failed to mention the work the ICO has already done in this area to encourage standardised breach reporting.

BBW also echoes the ICO’s calls for it to be able to audit local authorities.

But enough of all this negative stuff – the report does contain some examples of poor data handling practices that will be useful for DPOs to feature in future presentations. They include:

  • A CCTV operator watched part of the wedding of a member of the CCTV team.
  • An officer wrote down his contact details on what he thought was a scrap of paper but contained personal details of a complainant.
  • A care agency left 23 black sacks of paperwork behind after an office move. 100s of clients in several authorities were affected.
  • A child report was sent to the wrong recipient. The recipient used Facebook to track down the correct client and passed the report on. The client reported this.
  • An advisor recorded incorrect details for a noise complaint, which resulted in an officer visiting the person being complained about rather than the complainant.

Happy reading.

Source:
http://www.bigbrotherwatch.org.uk/wp-content/uploads/2015/08/A-Breach-of-Trust.pdf


Monday, 10 August 2015

How effective is the Telephone Preference Service?

I don't know, either.

The TPS’s website provides individuals with an easy way to register their objection to receiving unsolicited direct marketing calls, but no information on how effective it is at stamping out these practices.

There’s no information on the volume of complaints it receives, and how these are trending over time.

There’s no information on the work it does to investigate these complaints, before handing them to the Information Commissioner’s Office.

There’s no information on the disciplinary action it has taken against companies who fail to properly screen their lists.

Well, actually that's not quite right. The "make a complaint" page does explain that “we are not the body responsible for enforcement and we are unable to take enforcement action against companies complained about.”

So what does it do?

Ah, that’s easy. “Complaints handled by TPS and CTPS are included in a regular report sent to the Information Commissioner's Office (ICO) who are the body responsible for enforcement. This enables them to identify trends in complaints being made and supports their investigation when taking enforcement action deemed necessary by them.”

And that’s it.

No wonder I’m getting sick and tired of reading about the ICO fining organisations that breach the PECR regulations. They appear to be the only body that generates headlines as they try to stop nuisance calls.

It might well be the case that the TPS is just as determined to deter miscreants – but it is evidently doing so in mysterious ways.

If the TPS were a public authority, I expect that the usual suspects would have made FOI requests by now, demanding to know just what it is doing and how effective it thinks it is.

What do we learn from its website about the “TPS in the news and press releases?”

Not much, considering that there’s only one link for 2015 - and that's over 4 months old. The next link is almost a year old. The TPS really needs to curate its website more carefully if it is to avoid accusations that its press officer, and the service itself, could be more proactive.

Perhaps the TPS really is being proactive. Perhaps it shares a great deal of information with the direct marketing industry, through the Direct Marketing Association.

And if that is the case, why shouldn't it share more information with consumers, too?

So, I’m looking forward to the TPS adding a new Frequently Asked Question on its website soon: "How effective is the TPS?"


Sources:
https://complaints.tpsonline.org.uk/consumer
http://www.tpsonline.org.uk/tps/contactandpressenquiries.html



Friday, 7 August 2015

Why are so many privacy professionals driven to despair?

Don’t worry. It’s not that unusual for privacy professionals to be driven to despair by the demands of their job. It’s just a mindset that most of them go through when business “requirements” and legal “restrictions” continually clash.

As Tom Fletcher, the UK’s former Ambassador to the Lebanon, recently put it: “You think you’ve reached rock bottom – then you hear a noise from below.”

But there is hope at the end of the tunnel. That mindset can pass, to be replaced with a more productive phase of professional life.

Tom Fletcher recently blogged about the eight stages of his (professional) life. Seduction. Frustration. Exhilaration. Exhaustion. Disaffection. Infatuation. Addiction. Resignation.

He knew them all, often simultaneously.

I’ve known them, too.

The work of a privacy pro isn’t easy, when you’re dealing with clients who have little concept of current data protection requirements, let alone the added complexities that are being contemplated by those that are currently negotiating the compromise text of the General Data Protection Regulation. But why should the negotiators care about complexity? Hardly any of the people currently involved in the tripartite discussions will ever have a job that actually requires them to implement it. Many will simply move on to reaching consensus in other policy areas.

Talking about it is not the same as doing it.

So, and as apparently happens so often with Lebanese politics, the tripartite negotiators can needlessly overcomplicate issues with layers of conspiracy, creative fixes, and intrigue. They can undermine leaders working in the national interest of Member States, rather than the collective interest of the EU. And they can proclaim that there is no substitute for this unrelenting, maddening, political process.

Roll on 2016 when, in a fit of exhaustion, something will be churned out of the EU’s legislative sausage machine, and hordes of consultants can feast for years thereafter. Whatever finally emerges is unlikely to significantly enhance the privacy of the average EU citizen – but it ought to significantly enhance the bank balances of the armies of consultants who will be called upon for guidance as to which elements of the Regulation should be implemented, and how, and which bits can be safely ignored, and why.

But why do I care?

Simply because I care about the implementation costs. When most small and many medium-sized businesses can barely begin to demonstrate compliance with the current rules, my eyes roll when I think of the difficulties that they will face in coming to terms with the new rules.

Of course the larger organisations will do what it takes to remain on the right side of their regulators – assuming, that is, that the regulators have a large enough stick to require compliance. Under-resourced regulators will be left in the unenviable position of being held accountable for not enforcing the new rules. They’ll be blamed for allowing some businesses (and some public sector bodies, no doubt) to get away for years with shockingly poor data handling standards.

Perhaps my current mood will improve when all the privacy pros return from their summer holidays.

I do hope so.

Source:
http://blogs.fco.gov.uk/tomfletcher/2015/07/31/19389/

How to cope:
http://www.samaritans.org
http://www.martinhoskins.com



Monday, 3 August 2015

Surveillance after Snowden

Students of surveillance and counter terrorism have another (81 page) report to add to their summer reading list. The Henry Jackson Society has recently published "Surveillance After Snowden: Effective Espionage in an Age of Transparency."

The report, written by Robin Simcox, looks at the ways the actions of Edward Snowden have impacted the US and the UK, particularly with regards to safeguarding national security. As well as the usual sources (including me), a number of senior intelligence officers from both countries were interviewed, and the usual findings have emerged.

The main findings are that:
  • Terrorists and other criminals have benefited from Snowden’s actions. Some have altered their communication methods, while others have taken advantage of new encryption tools.
  • There is a fear that hostile states are increasingly deploying GCHQ’s or the NSA’s own cyber strategies against them.
  • Despite the Snowden allegations, US and UK intelligence agencies are legally intercepting communications in order to prevent attacks from terrorists, cyber criminals and a host of other state and non-state actors.

To my mind, the key conclusion is that, in future, intelligence agencies must aspire for translucency, not transparency. The report explains that: “States need secrets, for intelligence and military purposes, criminal investigations and a host of other reasons. Yet, they also need public consent in order to operate with credibility. This means agencies must open up further than they have in the past. Yet, it also means civil society accepting that unalloyed transparency is not a positive and that there are good reasons for state secrets.

Despite the damage that Snowden’s actions caused, the public expectation that intelligence agencies should stop terrorist attacks and serious crime remains. Yet, at the same time, there are calls for them to reform and be more transparent in order to rebuild trust. The intelligence agencies are in a particularly unenviable position: asked to be less intrusive; more transparent; and yet, just as effective.”

Quite how the new surveillance legislation, currently being developed by Home Office officials, will meet the tests of necessity, proportionality, public accountability and, most importantly, effectiveness, is an issue that can’t yet be addressed.

I gather that there are still major difficulties to be resolved between policy officials and various communication service providers about the effectiveness of some of the requirements that are being floated by the Home Office / law enforcement community. I’m looking forward with interest to a statement from the Home Secretary along the lines that “all providers have been fully engaged. They all know and are all willing to accept the technical and operational requirements that will be placed upon them.”

Following the Snowden disclosures, a significant gap has emerged between the government and some CSPs, who were outraged at the intelligence agencies’ ability to access their data.

US-based CSPs are now claiming that the UK has no jurisdiction over them and that they are bound by US law. Intelligence officials view the CSPs’ stance as being unreasonable, as other foreign companies wishing to deliver a service in the UK are obliged to comply with UK law. This was partially why the Data Retention and Investigatory Powers Act 2014 was introduced.

CSPs’ use of ubiquitous encryption has also increased exponentially since Snowden’s leaks, meaning that companies are automatically providing encryption for users, rather than the user having to encrypt the data themselves.

Robin Simcox considers that escalation is inevitable, as the NSA and GCHQ step up their efforts to break into these networks.

Politically, the Home Office’s problem is that whatever legislation is passed by the House of Commons, it also has to get through the House of Lords. And the privacy / human rights lobby is much stronger in this parliamentary chamber.

However, just as the Lords bowed to the will of the Government by reviewing the Data Retention & Investigatory Powers Bill in record time last year, perhaps the Peers will give the Government’s new surveillance legislation an easier passage than the Home Office currently fears.

So, before the new legislation commences its passage through Parliament, I’m looking forward to an indication from the communication service providers that, technically, the proposals are (likely to be) fit for purpose.

But I’m not holding my breath.


Source:
http://henryjacksonsociety.org/wp-content/uploads/2015/06/Surveillance-After-Snowden-16.6.15.pdf

