Tuesday, 22 July 2014

Why DRIP differs from the Dangerous Dogs Act

Given the events of last week, it hasn’t been long before various wags have been comparing the passage of the Data Retention and Investigatory Powers Act through Parliament with another example of hasty legislation, the Dangerous Dogs Act.

A few are already calling DRIP the ‘Dangerous Logs Act’ – but I think that’s wrong.

Having been (slightly) involved in the discussions that led to the drafting of the DDA, almost exactly 23 years ago, (I was the Association of British Insurers’ Legislation Manager at the time) I thought I should explain why.

The Dangerous Dogs legislation was prepared in great haste during the early part of the summer of 1991, following a spate of dog attacks on young children. The ensuing media commotion and the cry that  “something should be done” led to Parliamentary draftsmen being given almost no notice with which to create a legal instrument that would have the effect of assuring the public that sufficient was being done before Parliament rose for its summer holidays. With minimal debate, a short (10 clause) bill was rushed through both Houses of Parliament, and it received Royal Assent on 25 July 1991.

Significantly, the DDA sought to cover four types of dog, and cross breeds of these types. The were the pit bull terrier, the Japanese tosa, dogo argentina and fila Brasiliero. The problem, in classifying the prohibited animals by “type” rather than breed label caused huge problems. No-one had thought about whether, on the face of the bill, there should be a provision to set out who had sufficient expertise to assess whether an animal that was brought before them actually had the relevant offending physical characteristics. So chaos ensued as the initial attempts were made by courts to decide which animals should be put down, and which owners should be prosecuted for acting unlawfully.

The RSPCA criticised the act as like using “a sledgehammer to crack a nut,” and argued that it was wrong to criminalise individual breeds of dog: “Demonising individual breeds does not achieve anything as all breeds can attack people, just as all breeds can produce wonderful dogs.”
In hindsight, this was rushed legislation which was an overreaction to a transient public mood.

Now, lets turn to recent events.

The Data Retention and Investigatory Powers Act was prepared in less haste during the early part of 2014, following an adverse judgment in cases heard by the European Court of Justice, which declared the Data Retention Directive (2006/24/EC) invalid. This was the legislation that provided the statutory underpinning for the data retention obligations that had been imposed on European telecommunications service providers. It became necessary to ensure that the UK providers could have a degree of legal certainty as to what records should be kept and for how long, in order that they could be subsequently made available to law enforcement investigators (when it was necessary and proportionate for them to demand it).

Accordingly, Parliamentary draftsmen created a legal instrument that would have the effect of assuring providers that sufficient was being done before Parliament rose for its summer holidays. With minimal debate, a short (eventually 8 clause) bill was rushed through both Houses of Parliament, and it received Royal Assent on 17 July 2014.

Significantly, DRIP was designed as a short-term measure that would offer some immediate protection to providers, while at the same time enabling Parliament to embark on a longer-term review of the issue of how communications data is used for law enforcement purposes. The longer-term nature of the review means that the major decisions will be made by the Government that is to be formed after the next general election.

Accordingly, this controversial issue has been “parked” by politicians who currently have at least one eye on forthcoming election. Whatever proposals are to emerge from their review of the current legislation will generate a huge degree of media attention. But no political party wants to deal with potentially divisive issues (particularly when elements of the media hold entrenched positions that don’t accord with Home Office views), when their main aim is appearing united and focused on what will really inspire an electorate.

Unlike the DDA, I really don’t think that, in hindsight, commentators will view DRIP as an overreaction to a transient public mood.


Image credit:


Sunday, 13 July 2014

How should you carry out a data protection audit, or health check?

Bearing in mind the audit points that the ICO auditors tend to raise when they visit an organisation, what issues should you focus on, bearing in mind that businesses have many things to worry about, in addition to worrying about not getting on the wrong side of the regulator?

And, just as importantly, how much is the busy data protection professional prepared to pay to get a set of decent audit questions?

Well, if you are prepared to pay as little as £5.99 to learn more about my audit methodology, then read on.

I’ve just published a short guide for the busy data protection professional who needs to ensure that their organisation operates practices and procedures which meet their legal obligations. People who follow the advice in this guide will significantly improve the likelihood that, should their organisation be examined, the ICO will determine that there is a high level of assurance that effective controls are in place. 

Data protection professional, beware - this is not a book designed for people who are obsessed with complying with absolutely every aspect of data protection law. Some may think that I've set the bar far too low in terms of what needs to be done do demonstrate that organisations take data protection issues sufficiently seriously. 

Please, reader, please feel free to part with £5.99 of your own money and decide for yourself as to how robust my audit methodology is. If you have, and can also monitor, the controls that I've outlined in my guide, then as far as I’m concerned, you're well on the way to data protection nirvana.

I’m always open to suggestions proposals about publishing this methodology in an alternative format. I’m embarking on the digital format first.  Once I’ve learnt whether others are just as excited about it as I, and my clients who have submitted themselves to this audit methodology, am, then I’ll consider revising it and publishing it as a paperback, too.


Tuesday, 17 June 2014

NGOs to test the Home Office’s stance on communications data retention

Lawyers from the Open Rights Group, Liberty and Privacy International have met to discuss what sort of intervention might be appropriate, given the European Court of Justice’s views on the EU’s Data Retention Directive. What steps should be taken by the Home Office, in light of the way the UK has implemented what is now a defunct Directive?

More specifically, what alternative legislation would be deemed acceptable by Parliament if it were felt that the UK’s data retention legislation, which predates the Data Retention Directive, was currently inadequate? What communications records should now be retained, for how long, by whom, and for use in what types of investigations?

According to the ORG, there is no legal basis for continuing data retention in the UK. But, given the very muted adverse public reaction to the publication of Vodafone’s recent transparency report, outlining, where it is permitted, the volumes of law enforcement requests it receives in its various operating countries, it will be interesting to monitor how the public displays their concern at current retention and investigation standards.

I’m also wondering how, given the state’s presumed capabilities in this area, the NGO’s lawyers will manage to control the flow of sensitive communications between themselves, to prevent any unwanted snooping before they are ready to reveal their hand.

If I were advising the NGO’s legal teams, I wouldn’t bother with anything too fancy when it comes to encrypting the communications. I’m confident that the Home Office will play the game, and that it won’t authorise any attempts to access any confidential material that may be shared between these parties. After all, they’re only testing the current law. It’s not as though anyone is planning an armed uprising, or are in any way threatening the British national interest.

Can there be any better way for the Home Office illustrate its adherence to British values than to wait until these NGOs have shown their hand, rather than seeking to learn in advance what they’re up to?  


Monday, 16 June 2014

David Smith gets his MBE

Congratulations, David Smith, for your magnificent achievement in being awarded an MBE in this year's  Birthday Honours List. I'm sure its to mark a lifetime of devoted and public service, and it must be most richly deserved.

For those that don't know, David is a Board Member of Robust Details Ltd, and President of the Consortium of European Building Control. His citation commemorates his services to building control and voluntary service in Suffolk.

I wondered why the powers that be were minded to offer a gong to "that" David Smith, rather than to the Deputy Commissioner with responsibility for the data protection supervisory functions of the ICO.

Could it be the case that the Consortium of European Building Control is a more respected body than the ICO? According to its website, the CEBC focuses on the Directives and Regulations issued by the European Union concerning all topics related to buildings, building products, building standards, professions or regulations about professions. Impressive stuff. Or perhaps it is the case that his voluntary work has made a real and lasting contribution to the local community. 

The ICO’s David Smith probably hasn’t had sufficient time to devote much voluntary service to citizens in the North West, given the time he spends travelling to meetings all over the UK on domestic data protection matters, the current demands of representing the UK on the Article 29 Working Party, and the extremely demanding task of chairing the data protection and supervisory body for Europol between October 2006 and October 2009.  

Hopefully the ICO’s David Smith won’t have to wait too much longer before he gets that all important letter from one of the Committees that meet to consider suitable applicants.

After all, it’s been ages since anyone from the ICO has been given a gong – and it is only former ICO staff that ever get public honours in recognition for their services to data protection. DP practitioners have never been deemed worthy of any official recognition.


Image credit:


Thursday, 12 June 2014

The case for publishing (redacted) surveillance warrants

The Home Secretary was asked yesterday if she would consider publishing anonymised versions of the applications that are prepared for surveillance warrants, to reassure the public that appropriate checks and balances were in place.

Apparently, there was a sharp intake of breath from the intelligence experts in the audience, and Mrs May preferred to leave a question mark over that particular issue.

If I were Home Secretary, I would welcome such a suggestion, and I would actually apologise for not having implemented such an excellent suggestion sooner.

In a previous working life, I was the responsible officer for T-Mobile's law enforcement team. You would expect a company the size of T-Mobile to receive lawful interception warrants, so I don’t think I am guilty of breaching the Official Secrets Act by admitting that, yes, in the past, I have seen some.

The usual practice at T-Mobile would be for the company to receive advance notice of an application for an interception warrant and then, before the interception actually commenced, it would receive verbal confirmation that the relevant minister had signed the warrant. Shortly afterwards, the warrant would be delivered to the company.

Once the interception had ceased, the warrant would be returned to the sender.

Very occasionally, there might be a problem with the paperwork that the company received. The company would expect to receive just the interception warrant. It would not expect to receive any of the supporting documentation, such as the application form containing the extremely sensitive material that was presented to the minister to support the application for the warrant. This paperwork should have been separated from the warrant before it was sent. So should any extra paperwork arrive, it was immediately returned. If my curiosity got the better of me, I might quickly read some of it.

Of course I’ve forgotten the identities of the targets – I often ignored that part of the application form anyway, as I was really worried that it would be hard for me to make myself forget details I didn't need to know in the first place. The less I knew about a particular target, the less I needed to forget. Other members of my team needed to read that part of the document – and act on it. But not me.

What did impress me, and what has stayed in my mind, during these intervening years, is an appreciation of the care and attention to detail that the author of each lawful interception application form was required to present to the minister. The paperwork (which might relate, say, to a request to intercept a suspected drug dealer's communications) could run to over 20 pages in length, summarising the latest progress of the investigation. Substantial chunks of prose would outline the potential risks, in terms of necessity and proportionality, of intercepting people who were unconnected with the target. Other, equally substantial, chunks of prose would outline why it was unlikely that operationally vital intelligence could not be obtained by using less intrusive techniques.

I’m sure that most privacy wonks would be mightily impressed if they were ever allowed to read what I was able to read.

There is a good news story that the Home Office must not let the “intelligence experts” veto. It would be a relatively easy exercise to anonymise some of the application forms to the extent that (probably) only teh relevant drug dealer might recognise that the application related to them. Samples of suitably redacted application forms could be published by the Interception of Communications Commissioner, once he was satisfied that publication would not prejudice the course of justice.

While a few spooks might mutter how disgraceful it is to give any part of the surveillance game away, I would reply that even the spooks have an obligation to assure the public – their paymasters – that high standards of probity are always maintained. 

If the Home Secretary were bolder, perhaps she might allow Chanel 4 to commission a new TV series on surveillance. After all, if consenting parents are happy to feature on “One Born Every Minute”, leaving nothing to the imagination during the birth of their children, perhaps new stars might emerge with the transmission of a series provisionally entitled “Can You Hear Me, Mother?”  – where the cameras would follow the working lives of a team of intrepid lawful interception analysts during their shift.

I'm sure that some TV cop would be happy to present the series for an extremely modest fee.


Image credit:


Wednesday, 11 June 2014

Pointless data protection practices

The Crouch End Chapter of the Institute for Data Protection held its summer party yesterday.  Tall tales of data protection heroism were recanted, then as the alcohol continued to flow, the conversation turned into a good-natured argument about the most pointless bit of data protection practice.

Could anything beat the futility of registering all of your data protection processing purposes with the ICO, and creating lists of classes of recipients for each purposes?

After about half an hour, there was general agreement on what was the most pointless bit of data protection practice. Someone mentioned that when contracts were negotiated at their workplace, the data protection team ensured that, stuffed inside one of the schedules, were the EU model clauses that relate to data controller – controller or data controller – processor relationships.

Just in case anyone has forgotten why these clauses are considered important, they are used, in Eurospeak,  “to ensure that the contracts provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals as regards the exercise of their corresponding rights.

Yeah, right.

Let’s put it another way.

The Controller / Controller clauses were originally introduced in 2001, and were revised in 2004. The Controller / Processor clauses were originally introduced in 2002, and were revised in 2010. They involve the creation of a standard template, which then (usually) needs to be formally agreed by way of an exchange of paper documents, as lots of lawyers don’t trust the authenticity of the electronic versions.


I’m not sure who reads them before they are agreed, or who audits them to offer an assurance about compliance after they have been agreed. I’m actually not sure if there has ever been any litigation that tested or was based on any of these clauses.

If anyone knows of any occasion where anyone has ever taken action to enforce compliance with any of these clauses, please let me know and I’ll ensure that their fame spreads across the globe.

It was the unanimous view of everyone still standing at the end of the summer party that the clauses were, in practice, worthless. They might well have given someone the impression that the relevant protections were in place, but these protections are virtual, rather than real.

There was a grudging acceptance, though, that the standard contractual clauses were of value in that they gave data protection teams something to do. If clauses were required, then they needed to be inserted into contracts, and formally agreed. All good work for the working man to do. Anecdotal evidence suggested that some global companies actually employed teams of people whose sole purpose was to ensure that the right words were in place for the relevant agreements between all subsidiary companies, and others. Is this a complete waste of money, or simply a cost of doing business in the EU?

Given the lack of any evidence of any effort to do anything once the contracts have actually been signed, it appears that the administrative burden of inserting the relevant clauses in the relevant contracts is simply a cost of doing business in the EU.


Thursday, 29 May 2014

2 more privacy qualifications announced

Those who want formal privacy qualifications and are bemused by the range of certificates on offer, will shortly be able to choose between two more.

The IAPP has announced a new Certified Information Privacy Technologist (CIPT) certification. The text book will be published in July, while the first accreditation exams will be held in the US in mid-September. If you are an IT professional who needs training on how to embed privacy into a company’s IT programme including establishing privacy practices around data collection and transfer, understanding consumer privacy expectations and responsibility, as well as developing privacy notifications, then this could be of interest to you.

This qualification compliments the IAAP’s other privacy certifications – the Certified Information Privacy Professional (CIPP) which focuses on addressing privacy laws and regulations, and the Certified Information Privacy Manager (CIPM) which focuses on how to operationalize privacy throughout an organisation.

The British Computer Society, on the other hand, has just announced that it will soon launch its Foundation Certificate in Data Protection – which appears to be of a standard equivalent to that of the IAAP’s CIPP qualification. If you apply for the BCS’s Foundation Certificate, you’ll sit an hour long exam, dealing with 40 multiple choice questions. No mini essays to write. Just tick 40 boxes. The pass mark is 65% (26 out of the 40 questions).

Candidates that successfully complete the BCS’s exam will then hold a recognised qualification in data protection, appreciate the way in which the Data Protection Act and the PECR (marketing) regulations work, understand individual and organisational responsibilities under the DPA, and generally be better placed to support organisations in managing and handling customer data properly.

The Foundation Course will also provide a stepping stone for those who decide at a later stage to undergo more rigorous training to obtain the BCS’s Practitioner Certificate in Data Protection. This is the famous ISEB, the gold standard of data protection qualifications. Beware – the ISEB exam does require candidates to write mini and longer essays, as well as complete a set of multiple choice questions.

So what factors might influence a candidate who was faced with a choice of the IAPP’s CIPP qualification or the BCS’s Foundation Certificate?

Cost might be a factor, as I understand that the BCS is keen to ensure that its fees are extremely competitive. The public exam fee is just £145, and accredited trainers (if you decide to seek the support of any accredited training, that is) are likely to charge reasonably low fees, too, as the BCS estimates that candidates only need undergo some 16 hours of study before sitting the exam.

But unlike the IAPP, I understand, there is no requirement to undertake continuing professional education to keep the certification up to date. In other words, Foundation Certificate holders won’t be required to spend a minimum number of hours attending data protection courses – or conferences – throughout the year, or to pay an annual association membership fee. That might well appeal to some cash-strapped employers who are interested in paying for their employee’s professional qualifications, but don’t want to tie themselves or their employees into longer term financial commitments.

As far a as the exam format is concerned, both the IAAP and the BCS will require candidates to visit an exam venue, sit in front of a computer screen, and tick various boxes. There is no need for candidates to display any of their poor handwriting, spelling or punctuation skills.

Whatever certification you go for (or whatever certification you go for first), I do wish you all the best. Let’s hope that employers will find the certificate to be of sufficient value that it suitably enhances the earning potential of certificate holders.

While I’ve referred to the BCS and the IAAP in this blog, privacy certificates are available from other providers. Google will help those who need to understand who’s selling what. I’m not aware of any independent work that has been carried out on the relative value of these certificates.

Buyer, beware!


Image credit: