Friday, 19 September 2014

BCS holds first public exam for its new Foundation Certificate

There were huge queues snaking around Covent Garden this morning. Television crews were also covering the great event. People had evidently been queuing for days to be one of the first to have what will become a very treasured possession.

I, on the other hand, wasn’t queuing for a new iPhone.

I was in a shorter queue, just a hundred yards away. I was waiting patiently to sit the very first public exam for the British Computer Society’s new Foundation Certificate in Data Protection at the BCS’s offices in Covent Garden.

To be fair, it wasn’t really a queue. After all, there was no-one in front of me, and there was no-one behind me, actually. I was the first (and quite possibly the only) candidate for this first public exam session.

How was it for me?

Well, I sat the 40-question multiple choice paper, laughed at some of the questions, and found it quite hard to understand just what the examiners were trying to get at with one or two of the questions. It was all over in less than an hour.

And my impression?

I think it’s a really good introduction to the (occasionally mysterious) world of data protection. Most data protection officers will find it a useful grounding – and a recognised qualification like this ought to place many people in good stead. It provides candidates with the basic framework around which the really complicated bits of data protection hang.

Candidates don’t need to have a brain the size of the planet to pass this exam. And, rather than just testing the law, it also tests a candidate’s knowledge of what is best practice, as advocated by the ICO.

Candidates also don’t need to undertake a formal training session before sitting the exam. It would certainly help if they were to attend one of the accredited training courses, though (that is, once the trainers have got their formal training accreditation from the BCS to deliver an appropriate training course).

Candidates also don’t need deep pockets to keep the qualification. The BCS does not require certificate holders to subscribe to or to continue to subscribe to the BCS in order to keep it. That may be of considerable interest to employers.

I’m so keen on the concept that I’ve a good mind to apply to the BCS myself to become an accredited trainer. I’ve got my exam notes. I’ve prepared coursework that ought to entertain and educate students for the time that the BCS considers necessary to study for the qualification (which is just 16 hours). I’ve even sat the exam. What more could a group of motivated students want?

Those who pass this exam may feel that they’ve had enough data protection training for a while, and not feel a need to step up to the next level, which is the qualification more fondly known as the ISEB Certificate in Data Protection. The ISEB has a reputation as the hardest data protection exam around.

Do make sure you’ve got ISEB’s little brother under your belt. That really will stand you in good stead during the initial phases of your data protection career. When you've more experience of the data protection world, then feel free to take the "full fat" ISEB data protection exam.

Now that the BCS has launched this Foundation Certificate, candidates face a choice between the BCS’s certification scheme and that operated by the International Association of Privacy Professionals.

As I have not taken any of the IAPP’s exams, I’m not qualified to express a preference between them. 

I’m just pleased that the CIPP/E exam potentially faces some stiff competition from the BCS.


Friday, 1 August 2014

How effective are Civil Monetary Penalties?

The ICO has recently, and without much publicity, published on its website a report it had commissioned on the effect of Civil Monetary Penalties. The ICO uses CMPs as both a sanction and a deterrent against a data controller or person who deliberately or negligently disregards the law. The overarching aim, according to the ICO, is to promote compliance and improve public confidence.

Given that this (19 page) report supports CMPs, I’m surprised that it has not attracted more attention. Perhaps, if it were accompanied by an ICO press release, the privacy panopticon more fondly known as the IAPP daily digest might have drawn more attention to it. But no.

The document was formally published the week after many of the UK’s data protection finest had gathered in Central London to mark the launch of the ICO’s Annual Report for 2013-14. But I don't think that anyone at the event mentioned its forthcoming release.

The document contains the output from a team of independent researchers who had interviewed representatives from 14 organisations who had received a CMP. The researchers had also canvassed the views (by means of an online survey) of 85 organisations that had not received a CMP. It’s not clear whether any of the researchers who were involved in this exercise had received any formal data protection training. It might have added to the credibility of the report if the text had contained a section describing what data protection experience and qualifications the researchers actually had.

In the absence of this, we are left to ponder the impact of a report that summarises the views of a small number of respondents.

The key findings included the following:

  • Organisations that had been issued with a CMP subsequently took their data protection obligations more seriously, as a result of greater senior management buy-in.
  • This greater focus on compliance extended to peer organisations, especially those who appreciated that they shared a range of the shortcomings that had attracted the ire of the ICO’s enforcement team.
  • There remains a lack of understanding of just what poor practices trigger the CMP threshold, particularly around the meaning of the terms “serious” and “substantial damage and distress”.
  • Some respondents felt there was a lack of transparency about how CMPs were calculated. This could be linked to some organisations expressing discontent about the clarity of the Notice of Intent.

What we don’t know (because the report did not set out to inquire) is how these findings compare with the views (and subsequent behaviours) of data controllers who were subject to other ICO enforcement tools.

Have organisations that have received Enforcement Notices, or who have made Voluntary Undertakings, also taken their data protection obligations more seriously, as a result of greater senior management buy-in? And has this greater focus on compliance extended to peer organisations, especially those who appreciated that they shared a range of the shortcomings that had attracted the ire of the ICO’s enforcement team?

Once we understand the answers to those questions, we might be in a better position to appreciate the relative value of CMPs as an appropriate enforcement tool.

In these circumstances, I think the ICO is to be congratulated for not drawing too much attention to the report.


I am grateful to Janine Regan of Speechleys for drawing this report to my attention.


Thursday, 31 July 2014

Another hero leaves the stage

Well well well.

John Bowman, winner of the Data Protection Hero of the Year award for 2013, has moved on.

Lauded for his outstanding service to the country as the Ministry of Justice’s lead negotiator, overseeing the negotiations on the European Commission’s data protection proposals, John has left the MoJ and the Civil Service. His departure will leave a huge gap which, at this delicate stage in the DAPIX data protection discussions, will be extraordinarily difficult to fill.

John was appointed Head of EU and International Data Protection Policy at the MoJ in November 2011. He had completed a review of Claims Management Regulation, and previously led the MoJ’s engagement with Muslim communities on raising awareness of domestic and matrimonial law. He also headed the UK delegation to the 2011 Special Commission on the practical application of the Hague Conventions on international child abduction. So he has a huge range of experience that I’m sure most organisations would do anything to take advantage of.

All eyes will be focused on his LinkedIn account for the official announcement of his next role.

I’m sure I join many UK data protection professionals in wishing John the very best for the future.



Wednesday, 30 July 2014

The UK’s influence at the European Commission: “A lost cause”

Last Monday, some prominent European data protection commentators, each with links deep within European Commission institutions, predicted that we would see fewer EU officials travelling to the UK to discuss and negotiate EU positions in future.


Because, increasingly, the UK is judged as “a lost cause”.

Monday’s workshop on the Data Retention and Investigatory Powers Act, held at the Free Word Centre in Central London, with proceedings conducted (mostly) under Chatham House rules, was attended by a fair smattering of the UK’s data protection finest academics, practitioners and campaigners, together with some of the greatest of the good of the land.

While the focus of the meeting was on what ought to happen next in light of the speedy passage of DRIP through Parliament, and what preparations needed to be made to facilitate a more fundamental review of the Regulation of Investigatory Powers Act, 2000, a number of key observations were made which illustrate just how significantly the tectonic plates which frame the relationship between the UK and the European Union are shifting.

From a data protection perspective, this shift has some key implications.

Most importantly, the debate within the UK as to whether the new legal instrument setting out new data protection rules should be cast as a Regulation or a Directive becomes less significant.


Because by the time the deadline arrives for the new legal instrument to be implemented by EU Member States, the UK needs to plan for the possibility that it won’t be an EU Member State any more. In light of the “in-out EU referendum”, whenever that is held, some very smart minds now need to plan for the contingency that the UK will have cast itself away from the EU, and will therefore expect to be treated as a non-EU country with “adequate” data protection safeguards. Just like Andorra, Argentina, Guernsey, the Faroe Islands, the Isle of Man, Israel, Jersey and Uruguay – to mention but a few.

In this scenario, the UK’s revisions to the current 1988 Data Protection Act need not be as radical and as dogmatic as the changes that might be imposed on the data controllers situated elsewhere in the EU. The UK could even keep its DPA registration fee – which might well come as a relief to the MoJ bods currently struggling with the task of inventing a scheme similar to (but not called the same as) the current ICO funding process. This will allow data controllers, rather than public funds, to continue to meet the lion’s share of the ICO’s budget.

In this scenario, the UK won’t need to adopt all of the provisions in a Regulation to be accepted as having “adequate” data protection arrangements. Remember, after all, what the Article 29 Working Party had to say about the Faroe Islands back in 2007:

“While Faeroese law may not meet every requirement imposed upon the Member States by the Data Protection Directive, the Working Party is aware that adequacy does not mean complete equivalence with the level of protection set by the Directive. Thus, on the basis of the above mentioned findings, and the additional information given by the Faroe Islands, the Working Party concludes that the Faroe Islands ensure an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”

Another really significant insight from the workshop came from someone who suggested that a huge amount of the blame for the UK needing to pass its emergency DRIP legislation actually lay at the door of the Irish Government.


Because had the Irish Government not so spectacularly delayed the proceedings (it really need not have taken some 7 years for the relevant cases to be heard by the European Court of Justice), the legal arguments would have been assessed by judges in a “pre-Snowden” climate, where public “interest” (and press “outrage”) at the alleged activities of various national security agencies would have registered at a much lower level.

The Irish Government originally opposed the data retention proposals as it wanted communications data to be retained for 3 years, rather than the maximum of 2 years that was eventually agreed. So, it is ironic that much of the credit for striking down the Data Retention Directive has been taken by an Irish digital rights organisation.

The topic of drafting fresh EU-wide communications data retention legislation for law enforcement purposes seems currently far too toxic for the policymakers of EU Member States and for EU officials to want to visit again.

Before they do, they will need to possess more credible sets of cojones.
