Monday, 29 June 2015

Top tips for preparing PIAs

I’ve recently had one of my PIAs placed on the public record in Ireland, so I’m free to speak more generally about it. The assessment was on a programme the Irish Government hopes to implement – shortly, all postal addresses in Ireland are to be given a unique postcode.  This gave me the opportunity to assess how the programme addressed the particular challenges of Irish data protection legislation.

In a nutshell, I recommended that the Irish law be changed to reflect the obligations that would be imposed on organisations that processed Eircodes. This recommendation was accepted, and legislation is currently making its way through the Irish Parliament. It has completed its stages in the lower chamber and is now before the upper chamber.

As the Minister reported to Parliament:

“The final significant element of the project is the enactment of this legislation. It will ensure members of the public can have absolute confidence in regard to data protection. The primary purpose of this legislation is to enshrine the highest levels of data protection within the postcode system. It also provides the clearest possible reassurance that all personal data will remain secure. My Department has consistently taken a strong line on data protection in the design, implementation and operation of the project. The contract we have with Capita reflects this approach. As Minister, I have decided that this approach must be confirmed in primary legislation to ensure the greatest level of protection for citizens. My Department has had ongoing engagement with the Data Protection Commissioner.

My Department has also completed and published a comprehensive privacy impact assessment even though it is not a statutory requirement. The purpose of the privacy impact assessment is to ensure any potential privacy impact on individuals as a result of the introduction of Eircode postcodes is recognised and addressed. The assessment has concluded that the introduction of Eircode postcodes is unlikely to have any significant adverse effect on the right to privacy. All the recommendations contained in the assessment have been incorporated into this Bill. The Bill represents a sensible and pragmatic approach to data protection as it relates to postcodes. It sets out the high level principles underpinning a protective framework and strikes a balance between ensuring the commercial viability of postcodes while at the same time underpinning data protection.”

As the (36 page) executive summary of the PIA is now available, I thought it might be useful to share some thoughts with fellow practitioners who are charged with the requirement to write PIAs.

1.     Who is your audience?
a.     If the data controller is a public authority, the language used in the report should not be too technical, as Freedom of Information provisions mean that it may be made available to members of the public, and they would expect to understand it.
       i.     Consider incorporating in the report an annex that explains the project in non-technical language.
       ii.    Consider incorporating in the report an annex that defines technical terms and acronyms in plain language.
       iii.   Be careful when listing, in an annex, the names and job titles of individuals who were consulted as the assessment was being written: these individuals have privacy rights too, and the more junior employees may not expect to be publicly identified with the project.
       iv.    Take care to ensure that the potential privacy risks are described in ways that make it difficult for other parties to quote extracts from the PIA out of context.
b.     If the data controller is not subject to Freedom of Information provisions, the language used should still be sufficiently clear that senior managers can understand the process that was followed to reach the conclusions and recommendations in the assessment. The author can be more frank in their assessment of the project if it is clear that the document is for internal purposes only.

2.     Who should be consulted?
a.     If the data controller is a public authority, and it is citizens rather than employees who will be affected by the project under assessment, there is a greater need to ensure that the concerns of citizens are properly taken into account. This is not only so that the project meets the legal conditions set out in the data protection legislation, but also so that, from a more general fundamental rights perspective, the project is likely to be socially acceptable in that it meets the legitimate expectations of the community.
b.     If the data controller is not a public authority, there is less of an obligation to consult customers or potential customers.

3.     What role should project managers play in carrying out effective assessments?
The role of project managers is to provide factual information to the assessor. It should not be assumed that these managers have a significant amount of privacy experience. Accordingly, the task of analysing the facts from the perspective of compliance with privacy obligations and data protection legislation should be left to suitably qualified and experienced privacy professionals.

4.     How frequently should the PIA be revised?
a.     PIAs can be viewed as snapshots taken at a particular stage of the project. If the assessment is carried out at an early stage in the project, it is possible that quite a wide range of issues which need to be addressed will be highlighted. As the project matures, many of these issues ought to be resolved, so a PIA review mid-way through the project is useful to ensure not only that existing risks have been addressed, but also that no new issues have emerged. If new issues do emerge, these should be captured in subsequent versions of the assessment.

5.     What summaries of the PIA should be prepared?
The Article 29 Working Party has recommended that Privacy Impact Assessments should include a section to demonstrate more generally compliance with the privacy targets. Since the privacy targets are mandatory and not negotiable, assessments should describe how each target is being implemented, or explain why it has not been implemented.

Accordingly, it is useful to consider incorporating a one- or two-page table summarising, for each privacy target, how it has been implemented or why it has not.



Tuesday, 5 May 2015

Privacy trumps the free flow of personal data

“The free flow of personal data is not a fundamental right. Privacy is a fundamental right.”

So said the ICO’s David Smith at a data protection KnowledgeNet event in London today.

It's a phrase that will be mulled over for some time. But when can data controllers assert rights that are equivalent to those of individuals? What rights do data controllers have (who, after all, also benefit from human rights legislation)? When is it that their right to exercise freedom of expression can be quashed by someone who tries to exercise a right to forget?

And how can the person who wants others to forget actually achieve that aim? What practical steps are really effective? Perhaps the courts will, in the fullness of time, clarify what obligations search engines have to identify and then remove all hyperlinks to data that is considered (by some) to be unacceptable to remain in the public domain.

These are some of the really interesting challenges that are facing those who are brave enough to stick their heads above the policy parapet and propose potential solutions.

And who is it that ought to be leading the discussions on this issue? Should privacy regulators assume that they must take the lead? Are privacy regulators sufficiently dispassionate about the issue, or are they so heavily focused on privacy that their mindset is against the competing rights that others exercise, in the name of self expression?

We’re back to that awful word “balance.” Somehow, the regulators will need to balance fundamental privacy rights with other rights, such as the right of self expression. Fortunately, help was on hand today. Anya Proops of 11 Kings Bench Walk was able to explain to the audience what data protection rights were in the ascendant, and what issues still needed to be addressed by the Courts. My, she’s good. In the fullness of time, she’s going to be on the bench, opining on whatever issues are left to address.

The second half of the event focused more narrowly on the General Data Protection Regulation, and featured Bruno Gencarelli from the European Commission and Wojciech Wiewiórowski, the Assistant European Data Protection Supervisor.

Bruno will be leading for the Commission as the informal trilogue discussions on the GDPR get underway, and it was useful to hear his defence of “the perfect, as always, proposal of the Commission”. Quite how he and his team will find the time to discuss, and find a common approach with the other stakeholders on, all of the issues that need to be negotiated and agreed, in order to meet the Commission’s self-imposed deadline of completing the task by the end of the year, is beyond me.

It emerged that the compromise ceiling for financial sanctions against Google & Facebook transgressors could be 3% or 3.5% of global turnover. But then again, I might have been dreaming those figures. Bruno did speak for quite some time.

Wojciech knows how to charm an audience. He started his presentation by emphasising that the EDPS was not a super supervisor, but simply one privacy supervisor among many others. Yes, the EDPS had a role to play by offering opinions on a range of proposals published by the European Commission, but he left the delegates in no doubt that it was the role of the EDPS to facilitate the work of the Article 29 Working Party (and possibly, subsequently, the European Data Protection Board), rather than to automatically assume that it would lead it.

Wojciech also paid tribute to the incredible influence that UK courts have had on the development of data protection law throughout Europe. We may think that, in other areas, the Brits are widely ignored, but certainly in terms of privacy law, the Europeans do sit up and take notice. The main reason for this is that we operate in a language that is easy to use, so reports of British cases travel much further than, say, cases decided in the Czech, Hungarian, Polish or Estonian languages.

The packed audience was left with plenty to think about. Actually, it makes a change to attend a privacy event and leave with so much to think about. Lots of breaking news – about the Bulgarians trialing an automated pre-PIA tool, and what some companies were doing to undermine data protection professionals within those organisations. But I won't be blogging on those subjects – at least, not yet.


Sunday, 26 April 2015

The awful dilemma of the GDPR and 15 June

First, I should mention that the notoriously indiscreet world of data protection has another document to drool over.

Thanks to our friends at Statewatch, we now have the first draft (the first of what will be many drafts) of the notorious 4-column document, from which the final GDPR is crafted.

Here, sitting alongside each other, are the original text of the Regulation, as proposed by the European Commission, the version that the European Parliament has recommended, and the version that the European Council is highly likely to recommend.

The bunfight will focus on the 4th column. What text will the drafters develop that is satisfactory to all the negotiators in the room? For that is what will be slipped into the 4th column.

Eventually, when all 630 pages of the document have text in the 4th column, someone will announce “Ladies and gentlemen, we have done it”. Then, data protection professionals outside the magic circle of trusted advisors, lobbyists, privacy advocates and geeks who have already seen it will get their chance to work out whether they can both understand and implement what it is that has been agreed.

The current fly in the ointment is the obtaining of the final agreement of the European Council to their draft (ie final agreement on the contents of the 3rd column). 

The pragmatic Brits have a teeny weeny problem over the 3rd column right now. Although we still have a Minister for Data Protection, and although the general election next month may herald a new Minister, replacing Simon Hughes, it’s going to be really hard to find anyone really important who is prepared to travel to attend a Council of Ministers meeting to finalise the bloody thing.

Why? Because the European Council appears to be pulling out all the stops to reach final agreement on the 3rd column on 15th June. Representatives are due to be locked into a room and told that they can’t emerge until agreement has been reached. Their iPads will be confiscated, refreshments will be gradually withheld, and the translation channel featuring winning songs from the past ten years of the Eurovision Song Contest (the other channels translate the current speaker into all the tongues of the European Union for the delight of all delegates) will be disabled.

15th June is a big day for the European Council. It has been decreed that, come what may, agreement will be reached on this day.

But, and this is a big but, the most senior British privacy Ministers have no intention of being anywhere near that meeting on 15th June. Instead, they want to be at the Royal tea party that will be held in the middle of a field in Runnymede, near Windsor. With HMQ - and our very own Information Commissioner. 


Because 15th June 2015 marks the 800th anniversary of the agreement of the Magna Carta. A huge celebration is planned. There will be speeches – and possibly even a reenactment of the great event. Our own Queen Elizabeth could play the part of King John, while our new data protection Minister would represent the rebel barons.

So, Minister, what would you prefer? Cucumber sandwiches with HMQ, or being stuck in a basement room in Brussels hammering out a document that will then be torn apart by a year’s worth of trilogues?

I know what I would prefer.

[Most of my chums at the Crouch End Chapter of the Institute of Data Protection expect the Council of Ministers to start an extended debate on 15th June, but to delay the final vote until our most important privacy Minister has taken their tea with HMQ at Runnymede and has then travelled (economy class) to Brussels. This ought to enable agreement to be formally reached the following day.]



Sunday, 29 March 2015

When should employers be told about information provided in confidence to doctors?

The awful events of last week have generated a considerable amount of comment about the extent to which an employer is, or ought to be, aware of the mental health of key employees.

Does data protection legislation prevent the disclosure of critical information which, if withheld from an employer, would permit the employee to carry out acts that potentially have heinous consequences?

In the UK, certainly not. Data controllers can always protect the vital interests of other people in cases where it would be unreasonable to expect the data subject to consent to the disclosure of sensitive personal data, or when the consent of a data subject has been unreasonably withheld.

The debate ought to focus less on any perceived failings of data protection legislation and more on the obligations of confidence that doctors (and others) have to those who are being counselled.

This is why I’m looking forward to contributions to this debate from members of the BMA’s Medical Ethics Committee. The Committee debates ethical issues on the relationship between the medical profession, the public and the state. It also liaises with the General Medical Council on all matters of ethics affecting medical practice. Other members of the BMA’s secretariat produce detailed guidance and discussion papers on a wide range of medico-ethical issues, and offer individual ethical advice to BMA members over the phone or by email.

The BMA’s confidentiality and disclosure of health information toolkit is a great start for those who are keen to understand the current guidelines. On the issue of disclosing medical data in the public interest, for example, it says: “Health professionals should be aware that they risk criticism, and even legal liability, if they fail to take action to avoid serious harm. Advisory bodies, such as the BMA, cannot tell health professionals whether or not to disclose information in a particular case, but can provide general guidance about the categories of cases in which decisions to disclose may be justifiable (see below). Guidance should be sought from their Caldicott guardian, professional body or defence body where there is any doubt as to whether disclosure should take place in the public interest.”

I’m looking forward to more specific guidance from the BMA, in light of recent events. Many patients are unlikely to be fully forthcoming to medical professionals if they feel that the effect of their most candid confessions would be to curtail the careers they have fought so hard to forge.

Somehow, the BMA is going to have to reassure the public that the confidentiality obligations which currently exist between doctor and patient are sufficiently strong to encourage patients to continue to open their souls to their doctors. At the same time, doctors may well need additional assurance that they will not be held legally liable when it is necessary to disclose information that really ought to be made more widely available.



Friday, 20 March 2015

Stratospheric salaries for superstar DPOs

The noise around the GDPR is currently having one remarkable effect.

Fears about the complexity of the final version of the text, together with concerns about the impact of ridiculously high fines on businesses that transgress are rippling through the DP job market.

Today, if you know where to look (in London), you can apply for a part-time privacy officer role for an annual (pro-rated) salary of £70,000 – or if you fancy a full-time job, one organisation is currently prepared to pay up to £150,000 for the right candidate.

Let’s put that in context. £150,000 is more than the Prime Minister’s salary. And, yes, more than the Information Commissioner’s salary. Even £70,000 is much, much more than the salaries of the overwhelming majority of the staff at the ICO.

I’m really not sure if it was intended by the drafters of the upcoming GDPR that the salaries of those who were expected to implement it were likely to be so much greater than the salaries of those who were expected to regulate it.

But that is the consequence of what is happening.

And the more complicated this thing gets, and the more noise that is generated about the new “rights” that citizens are going to have with regard to their own personal data, the more the DPO salaries are likely to rise. 

Responsible controllers – and certainly those in the heavily regulated sectors – will continue to suck up the brightest talent, and will be obliged to offer salaries that, thanks to the current scarcity of experienced data protection practitioners, will compare very favourably with other trades.

Is this really what we want?

As a consultant or an employee, probably yes.

As a business owner, probably not.

As a regulator – well, at least it ensures that the ICO will continue to act as a training academy for those that want to hone their data protection skills before they transfer to the private sector. 

Experienced DPOs interested in changing jobs may want to contact me (very discreetly) to learn more about the roles I’ve referred to in this blog.