Friday, 30 January 2015

Getting down to the data protection pitfalls of profiling

As forecast in my last blog, the coolest data dudes in town assembled during the evening of Data Protection Day at Live Nation’s incredible offices in Islington for a session on profiling – and the data protection pitfalls.

Is there another building in town that lets its visitors arrive in the basement meeting rooms by way of a slide, rather than the stairs? I kid you not.

Expertly chaired by Live Nation’s international data governance guru Heike Norris, she really set the room at ease with her opening remarks. You know you’re in safe hands when the host’s first words are “OK, has everyone got a drink?”

I had a good look at the audience and was impressed – perhaps only a third were the usual data protection suspects. The others were from companies that didn’t employ specialist privacy professionals – but they were there because profiling formed an extremely important part of their business models, and they were really concerned at what might happen should the regulatory regime turn against them.

It's really refreshing to report that privacy sessions are (at long last) attracting the interest of people who aren't privacy specialists.

But, to business.

The business of profiling.

And it is a very serious business.

A panel of expert speakers comprised Richard Cumberley from Linklaters, Ticketmaster’s expert in marketing and analytics Sophie Crosbie, The Royal Mail’s Stephen McCartney, and Webber Shandwick’s John Mcleod. These are serious movers and shakers.  And a lot of what they had to say met with violent nods of agreement from the audience – which included a considerable smattering of exICO folk who, having done their time in Wilmslow, had now moved south to ply their trade.

The principal points to take away from the main session, and from the private chats after the formal proceedings had ended, were that:
  • In Europe, the concept of privacy has become an absolute right – but by stealth.  This is wrong. There ought to have been a far more open public debate before it was decided that privacy should be conferred the status of a fundamental right.
  • Europe’s Governments generally believe that profiling is wrong – unless it’s Governments that are doing it. And there are increasing signs that Governments want to do even more profiling of their citizens. Not only for national security purposes, but also for a whole range of other purposes which, because they are not “commercial”, are considered “benign”.
  • With respect to current marketing practices, today’s customers demand relevance. They expect organisations to know enough about their customers to send them compelling offers. To that extent, customers know and (mostly) accept the value exchange that currently exists, when personal information is supplied in exchange for “stuff”. 
  • Most marketing companies behave responsibly and use ethical profiling techniques on the datasets that are available to them. However, a small number of companies have gone further, and in ways that customers are uncomfortable with. So there is a need (for them) to explain the information value exchange in clearer terms.
  • Customers aren’t interested in learning about the complicated business models that require so much personal data to be shared. So, if a customer is unwilling to engage sufficiently with a data controller to offer their informed consent to profiling, there will have to continue to be more circumstances where it is in the organisation’s “legitimate interests” to profile them.
  • Customers generally don’t experience privacy – until they lose it. But when customers have lost it, and object to the processing that caused the loss of their privacy, organisations generally don’t delete the information that the customer was uneasy about the organisation knowing about them in the first place. (But they will stop marketing them.)
Live Nation certainly gave everyone who attended a great memory of this year’s Data Protection Day. They’re serious about respecting the rights of their customers – and about getting profiling right. Let’s hope that no new regulatory obstacles are created that have the effect of making it even harder for them to give their customers what they really, really want.


.

Wednesday, 28 January 2015

The 2015 Data Protection Day ditty

The ICO is always trying out new and innovative ways of celebrating Data Protection Day.

This year, the commemorations commenced with a short video from Commissioner Graham, deep in the nerve centre of the ICO’s news office, explaining that throughout the day his staff will be tweeting about many of the exciting initiatives that are underway within (and beyond) his office to improve our information rights.

I be commemorating the day by attending a meeting of top data dudes at a discussion on profiling, organised by our chums at Live Nation in Central London, about which I’ll report later.

Meanwhile, all I have to offer, prompted by the Commissioner’s appearance this morning, is the following ditty:

Chris Graham’s at the presenter’s desk of ICO news
He’s explaining (in very general terms) just how not to abuse
The trust of individuals who have so much to lose
When, from servers, thanks to breaches, their personal info spews

His mighty team of advisers offer a helping hand
Dishing out compliance advice to folk across the land
Listening to complainants and getting them to understand
That despite a heavy workload, their staffing levels won’t expand

Meanwhile, if you listen, rumours spread about a new law
That the Europeans are drafting but of which many Brits guffaw
Is it a "Di-Regulation" along the lines that they forsaw
In which some of the Articles still contain a fatal flaw?

But on this great occasion, our differences fall away
Respect the privacy loonies, let no smirk display
On our faces as we raise our glass and, as one, pray
That we’ll still be in gainful employment come next Data Protection Day

.



Tuesday, 27 January 2015

Security: addressing the insider threat

A smattering of the usual suspects met under the auspices of the Information Assurance Advisory Council in Covent Garden today to consider the last great frontier – dealing with human aspect of information security.  Just how do companies impose workable constraints on the 'Mark 1' human being?

With great difficulty, came the considered reply.

When dealing with remote access to an organisation’s systems, the “new firewall” is identity management. The challenges of identity verification and privilege management are immense. What realistic controls can be placed on staff (and contractors) when the organisation is at the same time, trying to give the impression that it trusts them?

For the public sector, additional challenges are presented given the aggressive pace of the hugely ambitious digital agenda programme, which simply increases vulnerability every day. This is compounded by a culture of zero tolerance for mistakes by ministers and those with a public accountability role. But this leads to decisions on how to react to data breaches being made in ways that detract from possibly more important issues. The public sector is creating vulnerabilities at an exponential rate because of the way it chooses to do business.

There was not a meeting of minds on the best way of addressing the “human factor”. The security professionals stress the need for managers to ever more closely scrutinize the actions of their direct reports. Often, with scant regard for the legitimate privacy rights and aspirations of staff, who are human beings with human rights in their spare time, if not while at work.

There are some encouraging signs, though.

Government security clearances are being administered less frequently by teams of ex-policemen and former spooks, and more frequently by teams of ex-teachers and social workers. This new breed of clearance officer is likely to be more in tune with the people they will be clearing. And they will be more able to assess an applicant in terms of their ability to conform to norms of today’s generation, rather than compliance with the culture of those of previous generations.    

Technical controls are (oh so gradually) being implemented within organisations, meaning that security is being built into electronic systems, rather than being bolted on to them. Yes, there is a huge distance to travel to security nirvana, but we have to be realistic. Staff (usually) want to do their jobs efficiently, and to a high standard. They expect to be given appropriate tools to do the job, and increasingly resent having to rely on “work arounds” simply because the organisation is not capable of living up to the high standards it espouses in its security policies, etc. 

Today’s principal themes were the usual ones: of awareness, management & culture, and leadership.

But the key message was ominous: that staff expect to be loved, looked after, led and managed effectively.

Organisations that can’t manage to live up to these expectations deserve to fall victim to the insider threat. 

.



Monday, 26 January 2015

ICO slams Victims Services Alliance - with a feather

Voluntary organisations face particular challenges in their efforts to respect data protection laws. 

Often, a dedicated core of professional staff will work with teams of volunteers, many of whom may cease volunteering after a few months, realising that it’s just not for them. Other volunteers remain with the organisation for years – and can feel a far greater sense of affinity with its aims and objectives than do some of its staff. Many volunteers process considerable amounts of sensitive personal information about clients. But, information governance controls can be extremely hard to implement at the local level.

How can the professional staff within such organisations engage with these different types of volunteers and get them to follow good data handling practices?  With some difficulty, according to a recent ICO report.

A quick glace at the ICO’s website enables the casual reader to appreciate that a report has just been published about the data handling practices of a number of charities and voluntary groups that work with either victims of crime or people that are associated with victims of crime.

Evidently, “many organisations” are meeting the difficult challenges that are faced. However, there are still a number of areas where they could be doing “more to keep people’s information secure.” These are “important areas that need addressing.”

What then follows is a list of three areas of best practice and three areas where improvements are required in a number of priority areas. The areas of best practice are described in 61 words. The areas where improvements are required are described in 100 words.

So, no real cause for concern, then.

Or is there?

Because when the committed reader reads the actual report, a slightly different story emerges.

If all were well and good, I might expect the actual report to spend about twice as long referring to the areas for improvement than it does on the areas of good practice. That’s what I’ve been led to assume, after reading the blurb.

Alas, this is not the case.

The areas of good practice can described on a single page.

But it takes 12 pages to set out the areas for improvement, which should be considered as a priority for all VSA organisations.  

The ICO is keen to spell out what is going wrong, but not in a manner that draws too much attention to the casual reader (i.e. the reader that doesn’t read the actual report).

I only hope its message – when expressed directly (and possibly privately) to the VSA organisations - is a lot clearer than the general statement on the website. The public message doesn’t draw sufficient attention to the serious issues that do need to be addressed.


Sources:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/01/new-report-helps-victims-services-alliance-organisations-meet-data-protection-challenge/
https://ico.org.uk/media/action-weve-taken/audits-and-advisory-visits/1043091/outcomes-report-victims-services-alliance-organisations.pdf

.



Thursday, 22 January 2015

Ebola and privacy – when is it appropriate to track individuals?

Two articles have recently crossed my desk offering very different perspectives on tracking Ebola patients.

The first, from Hogan Lovell’s Daniel J Solove, referred to recent breaches involving US hospital employees snooping on Ebola patients files. Of significance was that the names of all of the patients were available almost immediately in the media. But why was it necessary or ethical for so many in the media to identify these patients? Responsible journalism this certainly aint.

The second, from GSMA’s privacy guru Pat Walshe, referred to the incredible work that he and the GSMA have recently done in swiftly developing a set of guidelines on how mobile communications data could most appropriately be used to fight the Ebola outbreak in Africa. How do you track potential victims of the outbreak, so that they can receive appropriate treatment? The GSMA’s focus was on helping their colleagues at Flowminder ensure that mobile users privacy was respected and protected and that any associated risks were addressed.

A set of pithy, easy-to-follow GSMA guidelines have surely contributed to averting a humanitarian disaster on a far larger scale than has so far occurred. The GSMA’s and Flowminder’s research methods are on the agenda at Davos at the World Economic Forum. It’s highly likely that this technique will be used to deal with similar occasions when relevant anonymised network statistics are urgently required by health and aid agencies.

So its three cheers for Pat Walshe & the GSMA for respecting the privacy rights of individuals affected by Ebola – and two raspberries to the US media for ignoring them.


Sources:
https://www.teachprivacy.com/ebola-privacy-snooping-confidentiality-hipaa/
http://www.gsma.com/mobilefordevelopment/wp-content/uploads/2014/11/GSMA-Guidelines-on-protecting-privacy-in-the-use-of-mobile-phone-data-for-responding-to-the-Ebola-outbreak-_October-2014.pdf
http://www.millicom.com/media/millicom-news-features/blog-mobile-networks-–-using-data-to-help-aid-agency-response/

.