Tuesday, 5 May 2015

Privacy trumps the free flow of personal data

“The free flow of personal data is not a fundamental right. Privacy is a fundamental right.”

So said the ICO’s David Smith at a data protection KnowledgeNet event in London today.

It's a phrase that will be mulled over for some time. But when can data controllers assert rights that are equivalent to those of individuals? What rights do data controllers have (who, after all, also benefit from human rights legislation)? When is it that their right to exercise freedom of expression can be quashed by someone who tries to exercise a right to forget?

And how can the person who wants others to forget actually achieve that aim? What practical steps are really effective? Perhaps the courts will, in the fullness of time, clarify what obligations search engines have to identify and then remove all hyperlinks to data that is considered (by some) to be unacceptable to remain in the public domain.

These are some of the really interesting challenges that are facing those who are brave enough to stick their heads above the policy parapet and propose potential solutions.

And who is it that ought to be leading the discussions on this issue? Should privacy regulators assume that they must take the lead? Are privacy regulators sufficiently dispassionate about the issue, or are they so heavily focused on privacy that their mindset is against the competing rights that others exercise, in the name of self expression?

We’re back to that awful word “balance.” Somehow, the regulators will need to balance fundamental privacy rights with other rights, such as the right of self expression. Fortunately, help was on hand today. Anya Proops of 11 Kings Bench Walk was able to explain to the audience what data protection rights were in the ascendant, and what issues still needed to be addressed by the Courts. My, she’s good. In the fullness of time, she’s going to be on the bench, opining on whatever issues are left to address.

The second half of the event focused more narrowly on the General Data Protection Regulation, and featured Bruno Gencarelli from the European Commission and Wojciech Wiewiorowsk, the Assistant European Data Protection Supervisor.

Bruno will be leading for the Commission as the informal triologue discussions on the GDPR get underway, and it was useful to hear his defence of “the perfect, as always, proposal of the Commission”.  Quite how he and his team will find the time to discuss and find a common approach with the other stakeholders to all of the issues that need to be negotiated and agreed, to meet the Commission’s self imposed deadline of completing the task by the end of the year, is beyond me.

It emerged that the compromise ceiling for financial sanctions against Google & Facebook transgressors could be 3% or 3.5% of global turnover. But then again, I might have been dreaming those figures. Bruno did speak for quite some time.

Wojciech knows how to charm an audience. He started his presentation by emphasizing how the EDPS was not a super supervisor, but simply one privacy supervisor, among many others. Yes, the EPDS had a role to play by offering opinions on a range of proposals published by the European Commission, but he left the delegates in no doubt that it was the role of the EDPS to facilitate the work of the Article 29 Working Party (and possibly subsequently the European Data Protection Board), rather to automatically assume that it would lead it.

Wojciech also paid tribute to the incredible influence that UK courts had on the development of data protection law throughout Europe. We may think that, in other areas, the Brits are widely ignored, but certainly in terms of privacy law, the Europeans do sit up and take notice. The main reason for this is that we operate in a language that is easy to use – so reports of British cases travel further much than, say, cases decided in the Czech, Hungarian, Polish or Estonian languages.

The packed audience was left with plenty to think about. Actually, it makes a change to attend a privacy event and leave with so much to think about. Lots of breaking news – about the Bulgarians trialing an automated pre-PIA tool, and what some companies were doing to undermine data protection professionals within those organisations. But I won't be blogging on those subjects – at least, not yet.


Sunday, 26 April 2015

The awful dilemma of the GPDR and 15 June

First, I should mention that the notoriously indiscreet world of data protection has another document to drool over.

Thanks to our friends at Statewatch, we now have the first draft (of which will be many drafts) of the notorious 4 column document, from which the final GDPR is crafted.

Here, sitting alongside each other, is the original text of the Regulation, as proposed by the European Commission, and the versions that the European Parliament has and the European Council is highly likely to recommend.

The bunfight will focus on the 4th column. What text will the drafters develop that is satisfactory to all the negotiators in the room? For that is what will be slipped into the 4th column.

Eventually, when all 630 pages of the document have text in the 4th column, someone will announce “Ladies and gentlemen, we have done it”. Then, data protection professionals outside the magic circle of trusted advisors / lobbyists / privacy advocates and geeks who have already seen it will get their change to work out whether they can both understand and implement what it is that has been agreed.

The current fly in the ointment is the obtaining of the final agreement of the European Council to their draft (ie final agreement on the contents of the 3rd column). 

The pragmatic Brits have a teeny weeny problem over the 3rd column right now. Although we still have a Minister for Data Protection, and although the general election next month may herald a new Minister, replacing Simon Hughes, its going to be really hard to find anyone really important who is prepared to travel to attend a Council Of Ministers meeting to finalize the bloody thing.

Why? Because the European Council appears to be pulling out all the stops to reach final agreement on the 3rd column on 15th June. Representatives are due to be locked into a room and told that they can’t emerge until agreement has been reached. Their iPads will be confiscated, refreshments will be gradually withheld, and the translation channel featuring winning songs from the past ten years of the Eurovision Song Contest (the other channels translate the current speaker into all the tongues of the European Union for the delight of all delegates) will be disenabled.

15th June is a big day for the European Council. It has been decreed that, come what may, agreement will be reached on this day.

But, and this is a big but, the most senior British privacy Ministers have no intention of being anywhere near that meeting on 15th June. Instead, they want to be at the Royal tea party that will be held in the middle of a field in Runnymede, near Windsor. With HMQ - and our very own Information Commissioner. 


Because 15th June 2015 marks the 800th anniversary of the agreement of the Magna Carta. A huge celebration is planned. There will be speeches – and possibly even a reenactment of the great event. Our own Queen Elizabeth could play the part of King John, while our new data protection Minister would represent the rebel barons.

So, Minister, what would you prefer? Cucumber sandwiches with HMQ, or being stuck in a basement room in Brussels hammering out a document that will then be torn apart by a year worth of triologues?

I know what I would prefer.

[Most of my chums at the Crouch End Chapter of the Institute of Data Protection) expect the Council of Ministers to start an extended debate on 15th June, but to delay the final vote until our most important privacy Minister has taken their tea with HMQ at Runnymede and has then travelled (economy class) to Brussels. This ought to enable agreement to be formally reached the following day.] 




Sunday, 29 March 2015

When should employers be told about information provided in confidence to doctors?

The awful events of last week have generated a considerable amount of comment about the extent to which an employer is, to ought to be, aware of the mental health of key employees.

Does data protection legislation prevent the disclosure of critical information which, if withheld from an employer, permit the employee to carry out acts that potentially have heinous consequences?

In the UK, certainly not. Data controllers can always protect the vital interests of other people in cases where it would be unreasonable to expect the data subject to consent to the disclosure of sensitive personal data, or when the consent of a data subject has been unreasonably withheld.

The debate ought to focus less on any perceived failings of data protection legislation and more on the obligations of confidence that doctors (and others) have with those who are being counseled.

This is why I’m looking forward to contributions to this debate from members of BMA’s Medical Ethics Committee. The Committee debates ethical issues on the relationship between the medical profession, the public and the state. It also liaises with the General Medical Council on all matters of ethics affecting medical practice. Other members of the BMA's secretariat produce detailed guidance and discussion papers on a wide range of medico-ethical issues, and offers individual ethical advice to BMA members over the phone or by email.

The BMA's confidentiality and disclosure health information tool kit is a great start to those who are keen to understand the current guidelines. On the issue of disclosing medial data in the public interest, for example, it says: Health professionals should be aware that they risk criticism, and even legal liability, if they fail to take action to avoid serious harm. Advisory bodies, such as the BMA, cannot tell health professionals whether or not to disclose information in a particular case, but can provide general guidance about the categories of cases in which decisions to disclose may be justifiable (see below). Guidance should be sought from their Caldicott guardian, professional body or defence body where there is any doubt as to whether disclosure should take place in the public interest.”
I’m looking forward to more specific guidance from the BMA, in light of recent events. Many patients are unlikely to be fully forthcoming to medical professionals if they feel that the effect of their most candid confessions would be to curtail the careers they have fought so hard to forge.
Somehow, the BMA is going to have to reassure the public that the confidentiality obligations which currently exist between doctor and patent and are sufficiently strong to encourage patients to continue to open their souls to their doctors. At the same time, doctors may well need additional assurance that they will not be held legally liable when it is necessary to disclose information that really ought to be made more widely available.  



Friday, 20 March 2015

Stratospheric salaries for superstar DPOs

The noise around the GPDR is currently having one remarkable effect.

Fears about the complexity of the final version of the text, together with concerns about the impact of ridiculously high fines on businesses that transgress are rippling through the DP job market.

Today, if you know where to look (in London), you can apply for a part-time privacy officer role for an annual (pro-rated) salary of £70,000 – or if you fancy a full-time job, one organisation is currently prepared to pay up to £150,000 for the right candidate.

Lets put that in context. £150,000 is more than the Prime Minister’s salary. And, yes, more than the Information Commissioner’s salary. Even £70,000 is much, much, more than the salaries of the overwhelming majority of the staff at the ICO.

I’m really not sure if it was intended by the drafters of the upcoming GDPR that the salaries of those who were expected to implement it were likely to be so much greater than the salaries of those who were expected to regulate it.

But that is the consequence of what is happening.

And the more complicated this thing gets, and the more noise that is generated about the new “rights” that citizens are going to have with regard to their own personal data, the more the DPO salaries are likely to rise. 

Responsible controllers – and certainly those in the heavily regulated sectors – will continue to suck up the brightest talent, and will be obliged to offer salaries that, thanks to the current scarcity of experienced data protection practitioners, will compare very favourably with other trades.

Is this really what we want?

As a consultant or an employee, probably yes.

As a business owner, probably not.

As a regulator – well, at least it ensures that the ICO will continue to act as a training academy for those that want to hone their data protection skills before they transfer to the private sector. 

Experienced DPOs interested in changing jobs may want to contact me (very discretely) to learn more about the roles I’ve referred to in this blog.


Monday, 16 March 2015

IOCC frustrates the militant privacy campaigners

Bad news for the militant wing of the privacy lobby who want to believe that the Interception of Communications Commissioner is simply an establishment patsy, an apologist for anything and everything a spook or law enforcement agency wants to get away with.

Sir Anthony May’s latest annual report lays out more evidence of the independent and impartial approach that he and his inspectors take on the thorny question as to what ethical policing means in practice.

Time and time again, the report points not only to areas that require remediation, but it also highlights issues where progress has been made, thanks to recommendations made following earlier inspections.

The militants particularly won't like the next 3 paragraphs, which have been lifted from the report, but I make no apology for reproducing them here:

"My inspectors identified that communications data was frequently relied on to provide both inculpatory and exculpatory evidence. The communications data acquired revealed suspects movements and tied them to crime scenes. It often led to other key evidence being identified or retrieved. Links to previously unidentified offenders and offences were revealed. Dangerous offenders were located and offences were disrupted with the assistance of communications data. Patterns of communication provided evidence of conspiracy between suspects. The data highlighted inconsistencies in accounts given by suspects and corroborated the testimony of victims. The data determined the last known whereabouts of victims and persons they had been in contact with. Similarly, communications data assisted to eliminate key suspects or highlighted inconsistencies in accounts given by victims. [7.65]

In a couple of the operations examined the inspectors concluded that there were potentially gaps in the acquisition process where the investigation teams had not identified the full range of data necessary to achieve the objective. This failure to identify relevant data may adversely impact on the ability to, for example, corroborate the account given by a witness, corroborate the testimony and / or determine the last known whereabouts of a victim or properly determine the role of a suspect in a crime or indicate their innocence. This may present the acquisition process as arbitrary and serious implications could result. This is an area in which it is important for the SPOCs to engage with the applicants to develop strategies to ensure that the appropriate data is sought to fully achieve the investigative objective. [7.66]

In the operations where large elements of the offences, if not all the offences, took place within a ‘virtual world’ e.g. some of the fraud and sexual offences, the requirement for communications data was ever more apparent. It was also apparent from these operations that as technologies have developed police forces and law enforcement agencies have increasingly looked at a wider range of technologies to investigate offences. The inspectors noted that in relation to the investigation of serious and organised criminals, the increasing tactical awareness of criminals means that a larger amount of data, on a potentially wider range of devices and individuals, has to be acquired to meet operational objectives which may have been more simply achieved in previous years. [7.67]

The report also criticizes institutions that have ignored past recommendations: 

"Last year I made the point that the numerous policy documents governing the interception of prisoners communications were fragmented, overlapping and contradictory in places and that this made it difficult for the prisons themselves to understand the requirements fully and for our inspectors to conduct the oversight. I am disappointed that there has not been any progress on these matters. I reiterate that NOMS must get to grips with these issues and put in place clear and defined policy and risk assessment documents for the interception of prisoners’ communications. Our experience shows that the prisons are trying extremely hard to comply with the various policies in this area, but they are in need of clear direction and better quality policy." [p.87]

Interestingly, while SPOCs in general are highly thought of, the report focuses its criticism on some Professional Standards departments (the teams that investigate investigators), where poor practices prevail:

"The inquiry found that an excessively high number of the applications submitted by Professional Standards departments were completed to a poor standard and did not adequately justify the necessity and proportionality justifications. In a number of applications the criminal allegation or the criminal offences suspected were not set out or there was no description as to how they were linked to, and aggravated by, the officer’s misuse of a position in public office. The applications often relied upon vague and dubious descriptions under the ‘umbrella’ of misconduct in public office and my inspectors were not satisfied that the high threshold for the offence of misconduct in public office had been met. There did not appear to be any intention for some of the matters to be subject of a prosecution within a criminal court. Turning to proportionality lengthy periods of traffic or service use data were often sought without sufficient justification and it was not clear whether other lines of inquiry had been considered and if so why they had not been pursued. For example, a number of the applications concerned investigations into officers forming inappropriate relationships with victims of crime. Whilst in some cases the circumstances may justify that it is reasonable to suspect serious inappropriate activity was taking place, for example, the formation of sexual relationships with vulnerable victims; some of the applications examined detailed fairly minor transgressions and did not identify whether serious wrongdoing was suspected, or failed to give convincing reasons to suspect that serious wrongdoing was occurring. In these applications it was also not apparent why other action, such as intervention by the officer’s supervisors or misconduct interviews were not considered, or if they had been why they were not deemed appropriate. In such cases my inspectors concern was exacerbated where there appeared to be little resolve to subsequently pursue a prosecution when evidence was acquired which supported the initial premise of the application." [7.81]

Strong stuff.

However, these criticisms should be read in their context. They should not detract from the Commissioner’s conclusion that, overall, "my office’s inquiries did not find significant institutional overuse of communications data powers by police forces and law enforcement agencies. … However, my office did find that a proportion of the applications did not adequately deal with the question of necessity or proportionality and we found some examples where the powers had been used improperly or where they had been used unnecessarily. Overall the operational reviews showed that the communications data that was acquired was necessary and proportionate to the matter under investigation." [7.94]

So, we won’t be hearing much from the militant wing of the privacy lobby about this report because, frankly, there’s not much for them to complain about.

The more independently minded privacy advocates will probably take some comfort from the report – both in learning how RIPA (and DRIPA) actually work in practice, and in realising what a world-leading supervisory system the UK actually has.