Friday, 6 November 2015

Tuesday, 18 August 2015

In praise of David Smith

As Deputy Commissioner David Smith completes his last lap of the data protection conference circuit, various speakers are extending their hastily-prepared remarks to include a short homily on his contribution to data protection over the decades. Yes, he really has been at the ICO for decades.

It's a convention that public servants are never presented with anything other than small tokens of appreciation from grateful hosts. It’s the ICO’s practice for gifts to be declared in a central register and, to the extent that is practical, for them to be used as prizes at the ICO’s annual Xmas raffle.

At its summer party last night, the Crouch End Chapter of the Institute of Data Protection decided not to present David with a physical token of their appreciation of his work. Instead, a toast was proposed by the Chairwoman of the Dagenham Data Practitioners, who had been invited to the party along with all the other members of the DDP.

To round off the evening, we sang an ode in David’s honour. The words are reproduced below, in case the ICO Chorus fancy sending David off in song, too.

Eternal David, strong to save,
We thank you for advice you gave,
You bidd'st the mighty Google deep
Its own appointed limits keep;
Oh, hear us when we cry to Thee,
For those in peril because of me

O Dave! Whose voice we always heard
And hushed our raging at Thy word,
Your temper never would explode,
Just point us to a data Code;
Oh, hear us when we cry to Thee,
For those in peril because of me

Most gentle Smithie! Who didst brood
Upon the chaos dark and rude,
And bid its angry tumult cease,
And give, for wild confusion, peace;
Oh, hear us when we cry to Thee,
For those in peril because of me

And now you’re off! It is the end
Of kind words from a distant friend;
We hope and pray the next one in
Will forbear us should we start to sin,
Support us when we cry oh ****
Our data’s gone, we’re out of luck


Monday, 17 August 2015

The (discreet) search for the new Information Commissioner

The (discreet) search to appoint a successor to David Smith, soon-to-retire Deputy Information Commissioner and Director of Data Protection, is over.

Shortly, the successful candidate will be unveiled. Don't worry, it’s not me. And a (discreet) search will commence to find a suitable replacement for Chris Graham, soon-to-be outgoing Commissioner.

How secret should this process be, and when is it appropriate to extend the selection process?

Given the transparency and manner in which people can participate in elections for leaders of political parties, perhaps the time is ripe for a larger group of people to be involved in selecting public officials who will be involved in determining information rights enforcement strategies.

After all, in the UK, we generally police by consent. So, given the resource challenges that the ICO faces, surely it is right that a significant body of people help determine the identity of the “independent” person who subsequently determines the enforcement priorities that his officials will adopt.

Otherwise, what checks are available? Can we always trust the “backroom bods?”

When even a person as eminent as the Chairman of the House of Lords Privileges and Conduct Committee can be alleged to have behaved as badly as he has, why should it be assumed that the current appointment system is perfectly fit for purpose?

But, more to the point, why should Data Protection Officers, who actually play a very significant role in ensuring that organisations comply with their data protection obligations, be disenfranchised from a compliance process they play such an integral part in?

If I had my way, the DPOs of all registered data controllers would be able to register their interest in participating in the selection process by paying a £3 fee to the ICO – just as the Labour Party currently allows interested individuals to participate in elections for party leader.

Hopefully, it won’t be too long before it is more generally realised that the Office of the Information Commissioner is, in many respects, a political office. In determining precisely how laws will be enforced, the Commissioner currently exercises his own judgment (supported, presumably, by the ICO Board and his Executive Committee). But he plays a political role – and this is a role for which he’s pretty unaccountable to the data controllers he’s regulating.

Future Commissioners will get one term to rule. And as they won’t need to concern themselves with the need to remain on good terms with those who would (previously) have extended their initial appointment, there is a risk that they will adopt enforcement strategies that will really rub people up the wrong way.

Accordingly, to give the incoming Commissioner a greater sense of legitimacy, the selection process really needs to be made more transparent.

The days are numbered where a meek group of regulated organisations will simply accept the whim of whoever will be selected to step into a senior office.

So an election – or even hustings from a selection of the more promising applicants - would do nicely, thank you.


Image credit:
Today’s image is that of the ballot machine used in Florida during the 2000 Presidential election – many votes were disputed because incompletely punched holes resulted in “hanging chads.”


Wednesday, 12 August 2015

Do privacy laws prevent police forces from naming suspects?

I was asked this question at 6.15 am today. And, if I knew the answer, was I available for a BBC radio interview immediately after the 7.00 am news?

No and Yes were my answers – so I subsequently had a chat with BBC Radio’s Adrian Goldberg.

The question arose because the Birmingham Mail had asked West Midlands Police to disclose the names and images of ten suspects it had been hunting for at least a decade for crimes including rape and murder.

Initially, the force had refused to name any of the suspects, pointing to the relevant exemptions in the Freedom of Information Act. The Mail reported that the force had explained that naming them would be an unfair breach of their privacy.

This decision was criticized by local MP Khalid Mahmood as being “utterly bizarre.”

But let's get real here.

The media has no automatic right to be informed by the police of the name of a person who is under investigation or who has been charged with a criminal offence.

While not naming nine of the ten suspects, the police did provide background information on them, and they indicated that there were operational reasons for withholding their identities.

So I’m not joining the rush to condemn the police for their behaviour. There are often extremely good reasons why suspects should not be named – particularly when there is no serious public interest at stake.

The National Police Chiefs' Council (formerly known as ACPO, the Association of Chief Police Officers) currently considers that:

  • Those who have been charged should be named.
  • For those who have been arrested, there is a presumption that they should not be named;

But, that presumption can be displaced where (and only where): 

  • Releasing the name promotes the prevention or detection of crime; and/or
  • There is a serious public interest in releasing the name.

Suspects should not routinely be named. And media organisations must be careful not to identify suspects at this stage, as the suspects would be able to sue the organisation for libel if the police investigation does not lead to a criminal prosecution.

Many suspects are never arrested or charged – for a variety of reasons including lack of evidence of their guilt or positive evidence of their innocence. Remember the witch-hunt against Christopher Jefferies, the retired Bristol teacher arrested on suspicion of the murder of his tenant Joanna Yeates in 2010. His life was turned upside down following the news of his arrest, even though he was later publicly exonerated. He was able to recover substantial damages from the media organisations that had unfairly named him, but no amount of money can properly account for the impact on his reputation.

As Lord Leveson recommended in his 2012 report on the culture, practices and ethics of the press:

“…Police forces must weigh very carefully the public interest considerations of taking the media on police operations against the rights of the individuals who are the subject of such an operation… I think that it should be made abundantly clear that save in exceptional and clearly identified circumstances (for example, where there may be an immediate risk to the public), the names or identifying details of those who are arrested or suspected of a crime should not be released to the press or the public.”

I won’t be encouraging vigilantes to join this particular witch-hunt.

Sources:  (Volume 2, p.984, paragraph 3.3)


Tuesday, 11 August 2015

Not a lot of news from Big Brother Watch today

What are we to make of today’s Big Brother Watch report which claims that local authorities commit 4 data breaches every day?

In the words of TV magician Paul Daniels: “Not a lot.” 

At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.

BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so long to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.

Evidently, the safest place to live these days is Northern Ireland, where 21 of the 25 Northern Irish District Councils did not report a single data breach. 

The report’s recommendations, unfortunately, don’t reflect too deep an understanding of the improvements to information handling procedures that are already likely to emerge in the foreseeable future.

BBW calls for “proper punishments for the misuse of personal information,” without acknowledging that (even) magistrates' courts are already capable of levying unlimited fines for DPA offences. Instead, BBW joins the chorus for custodial sentences, but it failed to point out whether any of the data breaches featured in the report would have been cases where a jail term, rather than a fine, would have been a more appropriate punishment.

BBW calls for anyone who knowingly commits a data protection breach to receive a criminal record. Currently, offences are classed as civil offences. BBW is concerned that this raises the potential for an individual to gain further employment that allows them to access personal information, despite the fact they have been punished for committing a data protection offence in a previous job.

Perhaps in a future report, BBW will also advocate sending miscreants to the stocks for a couple of days.

BBW calls for mandatory data protection training for members of staff with access to personal information – but it does not appear to know how many of the reported data breaches had occurred despite the DPA training that was in place.

BBW calls for the mandatory reporting of a breach if it concerns the public – but it failed to mention the breach reporting standards advocated by the GDPR.

BBW calls for standardised reporting systems and approaches to handling a data breach – but it failed to mention the work the ICO has already done in this area to encourage standardised breach reporting.

BBW also echoes the ICO’s calls for it to be able to audit local authorities.

But enough of all this negative stuff – the report does contain some examples of poor data handling practices that will be useful for DPOs to feature in future presentations. They include:

  • A CCTV operator watched part of the wedding of a member of the CCTV team.
  • An officer wrote down his contact details on what he thought was a scrap of paper but contained personal details of a complainant.
  • A care agency left 23 black sacks of paperwork behind after an office move. 100s of clients in several authorities were affected.
  • A child report was sent to wrong recipient. The recipient used Facebook to track down correct client and passed report on. The client reported this.
  • An advisor recorded incorrect details for noise complaint which resulted in an officer visiting the person being complained about rather than the complainant.

Happy reading.