Sunday, 13 April 2014

DP compliance checks: what to look for

What does “good data protection” look like?

I’ve been asked that question several times over the past few weeks as I’ve carried out data protection health checks for a range of organisations.

It’s caused me to pause and reflect on what controls I’m really looking for in an organisation, and the extent to which these controls deal with real or potential threats that exist with regard to the organisation’s processing of personal data.

It’s also caused me to review a number of the audit methodologies that appear to be in use right now, and to refine my own approach, which appears to have been well received. My own approach now focuses much less on compliance with specific elements of data protection legislation, and much more on helping the client develop an oversight structure to give them the assurance they require when assessing how good they are at data protection.

It’s so nice to visit a client and barely mention the data protection principles. Instead, I’m following the ICO’s current thinking, which is to break data protection compliance down into a number of bite size chunks, and get the client to agree which “chunks” are most significant, as far as their organisation is concerned.

A close read of the audit reports currently published on the ICO’s website gives a good indication of what really really matters. So, organisations that have addressed these issues are going to be in a pretty good shape.

Write to me if you want more information about my methodology.

What has struck me, as I’ve carried out the latest series of health checks, is how insignificant the proposed (well, deceased) Data Protection Directive actually is.  I use the term “insignificant” in the sense that I really can’t see how it might realistically improve data protection standards beyond what might reasonably be expected of anyone who was taking their current obligations seriously.

Putting this thought into a different set of words, current data protection compliance levels could so easily be improved if people just managed to understand and follow the existing rules. I have no confidence that the imposition of an even more complicated set of rules would motivate significant numbers of data controllers to “up their game”, as it were. If they lack the resources to deal with the basics, then all they are likely to do is to fall even further behind, in terms of legal expectations, if the impossibly high standards commended by the European Parliament ever see the light of day.

Of course, the draft Regulation does have some uses. It gives some people the opportunity to enhance the importance of data protection (and in doing so enhance their own status), by becoming an international talking head on this stuff. It gives teams of professional advisers the opportunity to sell their services to the (relatively small band of) clients that can afford to pay for such data protection wisdom.  Proposals for legislative change also create more noise and opportunity for policymakers to earnestly consider what new rules ought to be put in place. But so many of these proposed changes simply tinker at the edges, rather than seek to fundamentally review what controls are really important for this and the next generation.

The controls that are really important are those that reward good behaviours.

We data protection folk have a lesson to learn from our financial services chums. Try as I can, I find it really hard to identify a link between, say, the volume and intensity of regulation in the financial services sector, and an increase in consumer confidence and trust in the integrity of financial services institutions. To generalise (and most unfairly, perhaps) it seems to me that certain awful standards in the financial services industry exist independent of the rules. I am appalled at the rate of return my (meager) investments are realising, but there is very little I can do about it.

The more I think about it, that Emperor of a Draft Regulation never really had any clothes. And, it had no more realistic chance of changing many data controllers’ behaviours than has the ICO chorus of winning “Britain’s Got Talent”.

So what should be done today?


For a start, organisations should look at their current controls and ask themselves if they are happy with what they see.

And, if they don’t know what they really ought to be looking out for, then all they have to do is drop me a line and ask me to outline my own approach towards pragmatic compliance with the ICO’s expectations.


Thursday, 13 March 2014

Messages from Manchester

Those with a keen pair of ears at last week’s Data Practitioner Conference in Manchester (3 March) would have detected a subtle shift of emphasis of the ICO's enforcement policy. It was a shame that traffic - or business commitments - had prevented some 50 or so delegates from taking their allotted seats in the main conference hall. Yes, they had also prevented some 50 or so others from the opportunity of attending. But, the ICO knows who the miscreants are, and I'm assured that their names will prominently feature on the mailshots that the ICO's audit team will be sending to prospects who may benefit from an ICO advisory visit.

Even a cursory glance at the delegates indicated that ICO data protection practitioner conferences have been radically transformed since Christopher Graham held his first event at the Lowry Hotel in December 2009. And who remembers attending Richard Thomas's conference on Privacy by Design at the same venue the previous year?

Gone (mostly) is the cohort of what the mighty Eduardo Ustaran has politely termed: "an elite of nerdy specialists". In their wake, a new class of compliance professional has emerged. A class of professional who appears less interested in discussing philosophical issues around various theories of privacy.

Perhaps we now have a more submissive class of privacy professional, a class more willing to be told what good practice is, rather than a class seeking to become intimately involved in designing these practices. Perhaps this is also due to hugely increased burdens of work within the office environment, which prevents so many data protection officers from physically having sufficient time to become more engaged in strategic policy work.

The main message of the day was that responsible organisations should focus on the needs of the customer, and on achieving good privacy outcomes, rather than focusing on compliance with the strict letter of the law. Good practice mattered more than strict compliance with legal requirements. This was not a day for the legal purists.

The second message of the day was that the ICO was not afraid of taking on the public sector, and that accountability for information governance failures would be placed firmly at the door of the political leadership at local government level, rather than at the level of the engine room. If statutory responsibilities were being ignored, resulting in potential harm to individuals, then it should be the officials who took the political decisions to refuse to allocate sufficient resources that should be held accountable.

This message placated a few public servants, but then late in the afternoon David Smith reaffirmed his view that, in light of the personal data breaches that had been reported to the ICO, data handling standards in the public sector were not equivalent to the standards that generally prevailed in the private sector.

That certainly gave many of the delegates something to think about as they returned to their homes.



Saturday, 1 March 2014

Tweaking surveillance laws won’t necessarily lead to many changes


I’ve just declined an invite to attend a keynote speech on surveillance that Yvette Cooper, the Shadow Home Secretary, will be delivering on Monday in Central London. Instead I’ll be with some 700 chums at the Information Commissioner’s Data Protection Practitioner Conference in Manchester.

Evidently, Yvette Cooper’s speech will outline the challenges of navigating a new digital world and the implications for security and privacy.  She will be discussing the role of the police and security and intelligence agencies, as well as the safeguards needed to protect our privacy and liberty.

In the light of recent revelations about the way GCHQ has been collecting images taken from Yahoo! webcam conversations, including very considerable volumes of sexually explicit images of the users, I do hope that Yvette gives some thought as to how such activities should be regulated in future.

I also hope that Yvette makes the point that law reform may not be a necessary or sufficient means of more appropriately regulating such activities. Whatever the law is (or is to become), it will in any event be deliberately drafted in a flexible manner, to cater for future contingencies.  

It is not the law that is necessarily the “problem”.

The “problem” lies in the oversight.

Even though what GCHQ may have been doing was “lawful”, the really critical point is that the activity was (or would have been) known to the appropriate oversight bodies, and such techniques would have been carefully discussed and formally approved.

Let me go one step further.

I find it incredibly hard to contemplate sensitive and intrusive techniques, such as the Optic Nerve technique, being considered and approved just at an operational level. They would also have been carefully considered and approved at a very senior political level.  

The “problem” lies in the political oversight.

So, we should not blame RIPA or other surveillance laws - or just the spooks - for developing sensitive and intrusive techniques. We should place the accountability (if there is to be any accountability) firmly at the doors of those who took the political decision to authorise the deployment of the techniques. Parliament would not have known. But a small group of very senior politicians would. In a decade’s experience of working under both Labour and Coalition Governments, I never saw a difference of view between senior Labour or Coalition ministers when political approval for any intrusive sensitive techniques that I might ever have been made aware of was sought.

This is why I’m looking forward to hearing comments from former Home and Foreign Secretaries such as Margaret Beckett, David Blunkett, Charles Clarke, Alan Johnson, David Miliband, John Reid, Jacqui Smith, & Jack Straw about what changes to Britain’s surveillance laws are appropriate. Oh, and also from the current incumbents, Theresa May and William Hague.

Now, what might actually happen if surveillance laws were to be changed?

Probably, not a lot.

And this is because the really sensitive decisions will still be made by senior Ministers, on the basis of evidence that is presented to them which is sufficiently persuasive of the need to approve whatever is being asked of them.

To think that we Brits might face a less intensive level of surveillance simply because the surveillance laws had been changed is an interesting concept, but perhaps a misguided one.

Given the operational control they have over what does go on, until a small group of senior Ministers change their behaviours (and their attitudes) towards surveillance, no amount of tweaking with the surveillance laws is likely to result in significant change.



Friday, 28 February 2014

Adolph Hitler: his part in’s downfall

The NHS data sharing opponents have implemented a cunning plan to disarm the supporters of the project. It’s called humour, and it comes by means of a genuinely funny video that aims to undermine those who (like me) believe that data sharing within the health sector is a good thing.

How will NHS England respond? Perhaps they’ll come up with something just as funny. I do hope so. Otherwise, I fear that the opponents will continue to win hands down on the publicity front.

NHS England wants to do a great amount of good. But, do enough people trust it? 



Monday, 24 February 2014

Online Reputation Management

How do you maintain a good on-line reputation? What can you do when others post extremely embarrassing comments (or images) about you? How can they be removed – or at least made less visible to search engines, to prevent others from stumbling across the relevant links?

I've recently been advising someone who is very concerned about what has happened to them: "For years there has been an offensive post about me on the internet. It is embarrassing and I have wished for years that it would get removed. However, the website where it was posted has closed down and I have no means of contacting them."

Despite Google's efforts to remove the offending material from its search results, the victim remains concerned that others will find it.

Not even the fabled "right to be forgotten" proposal in the Data Protection Regulation would have been of much help in this instance - as the material was originally posted by an American company that has folded - but who passed their data assets to another US company before closing down.

How can victims be reassured that embarrassing material won't be shadowing them for years to come?

Of course I appreciate the tension between freedom of expression, on the one hand, and censorship, on the other. But I also appreciate the anguish that victims feel when it appears (at least to them) that they are being unfairly hounded.

Perhaps, in time, the shadow from the embarrassing material will slip down search rankings, as more favourable information about an individual is posted.

But the internet (and particularly the Internet Archive) does not forget. Somehow we have to come to terms with this reality. Just as we need to accept that data controllers have rights, too. Particularly in terms of the information assets they have legitimately acquired.

What’s most poignant is that the person I’m advising is just 17 years old. Having had the shadow of this material around their neck for a few years already, you can imagine how they might feel if they were told that there was no hope that this material would ever be placed beyond the reach of internet users.  

If you can’t afford the services of reputation management companies like Iginyte, then who can you turn to?


Friday, 21 February 2014

Lies, damned lies, and ICO statistics

Data Breaches. Who’d report them?

Well, over the past 9 months there has been a steady increase in the number of incidents that have been reported to the ICO. Admittedly, it is still a minuscule amount. Were it not for our chums in the health, local Government and education sectors, you might be mistaken for thinking that data controllers had, mostly, blown an almighty raspberry in Wilmslow’s direction by ignoring the invitation to report data breaches. When even Britain’s mighty telecommunications companies, who are compelled to make reports, can only think of seven incidents to report in the past 9 months, you get a sense of what is actually going on.

Does it matter?

It probably only matters if people misuse the statistics that are eventually published. It would be awful, for example, if NHS opponents were to misuse the most recently published ICO statistics to infer that data protection standards in the health sector were significantly worse than in other sectors.  No. To my mind, the statistics simply indicate that NHS managers have a pretty good idea of what is going on within their own organisations, and they tend to follow the breach reporting rules more closely than other sectors.

I do hope that the ICO statistics are not going to be misused by NHS opponents to undermine public confidence in the integrity of the NHS. Especially now that a public awareness campaign is being relaunched to commend to patients the potential benefits of greater sharing of some of their medical information. Such misuse would be completely wrong. Tempting, perhaps, but completely wrong.

When do we get to a stage, though, where the reported statistics are considered so meaningless that it is not worth carrying out any trend analysis? Are we seeing most of this elephant, or are we merely viewing a pimple on the elephant’s bum?

Perhaps what is helpful is not the volume of breach reports (which contain no information about the number of potential victims affected by each incident), but that these reports can be used to take a snapshot of the types of incidents that have occurred. Was the data disclosed in error? Lost in transit? Was there a technical security failing, or an insecure disposal? Data protection professionals can then turn the reports into “war stories,” for local consumption.

Accordingly, I think the ICO is right to continue to publish these statistics, but I would welcome a more thorough “health warning” to remind the uninitiated that what they are seeing is not the whole picture.



Thursday, 20 February 2014

Hurrah! Two more years!!

Well, it’s happened. Commissioner Graham’s tenure has been extended by two years. He’ll be strapped to the helm of the ICO while it goes through what can only be described as interesting times. It will be another Government that decides who ought to replace him in the summer of 2016.

The recent, and impending, departure of other high profile data protection regulators from the European scene ought to make it harder for those who see data protection more in terms of a tick-box exercise to thrive. Christopher Graham’s continued presence on the Article 29 Working Party will make it easier for him to spread his more pragmatic vision about how good data protection standards should be implemented across Europe. Those who might have wished for him to be removed from the European scene have had their hopes dashed.

The next few years in Wilmslow (and in Brussels) are not going to be easy. And, it becomes ever harder to expect that institutions like the ICO should do “more” with “less”, but that is the current political ask.  We’ve seen the difficulties that the Environment Agency is experiencing, reconciling savage budget cuts with the need to address our changing climate. Let’s hope that the ICO won’t face a similar debacle should a new data crisis emerge for which we are all woefully unprepared.

Anyway, Commissioner Graham will be the star turn at his Data Protection Practitioner Conference in Manchester on 3 March. I predict that he’ll enter the stage to coloured lights, tumultuous applause, and as the dry ice wafts away, the ICO Chorus will chant:

Two more years, two more years
Well known in international spheres
He who will valiantly persevere
In the fight against the dodgy data racketeer

Meeting conference conventioneers
Drinking wine that rots your teeth veneers
Grazing on canapés, Belgian beer
And a rather fine asparagus spear

While in the office:

Leading teams of pragmatic pioneers
Few officials are wet behind the ears
Then all too soon into a better paid career
And all too frequently they will disappear

Data subjects – some in tears
Setting out their deepest fears
Of sneaky stuff by an internet app engineer
Clueless about any legal frontier

24 more monthly salary payments in arrears
Then salvation reappears
Awarded with a gong as a souvenir
And into another world he’ll disappear

Lighting up the true path through this regulatory mayhem
Let’s raise three cheers for Christopher Graham
