Data Protection: are the new EU data loss notification provisions worthless?

So the European Union has enacted changes to the telecommunications directive (Directive 2002/58/EC  on privacy and electronic communications) that require telecommunications companies to notify data subjects about any loss of personal data.  If you read EU spin on this step, this is a great deal for “data subjects”. However, as with most things, the devil is in the detail and I have found nothing new.

One modification provides for measures that shall “ensure that personal data can be accessed only by authorised personnel for legally authorised purposes”. Now pause for a second: this provision is really aimed at telcos when they provide external authorities with secure access to personal data so long as they are “legally authorised”. So ask yourself a question: “is it likely in these circumstances that a telco would provide insecure access?”.

Other recommendations also repeat the obvious. For example, telcos are “to protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and to ensure the implementation of a security policy with respect to the processing of personal data”. OK guys, tell me what is not already in the Seventh Data Protection Principle!

The provisions relating to security breach notification add up to less than a string of beans. For example, “in the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority”. However “notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach”. This is arises when the “technological protection measure” renders “the data unintelligible to any person who is not authorised to access it”.

There again – the above is current UK practice – if there is a personal data loss, contact the Commissioner who will issue advice as to whether to contact data subjects; encryption on laptops and memory sticks is now standard advice.

Other provisions also repeat UK practice. For example, the telco if it “has not already notified the subscriber or individual of the personal data breach” can be required by the Information Commissioner to notify the data subjects concerned (e.g. this can happen in the UK under the current enforcement regime).

Rather quirky is the requirement that any notification to the data subject shall “recommend measures to mitigate the possible adverse effects of the personal data breach”. Now tell me what data controller will send a notice to each data subject which effectively says “Hey guys, I have lost your personal data. You are now on your own”.

A provision states that the Commissioner can “adopt guidelines” or “where necessary, issue instructions” concerning the circumstances in which telcos are required to notify personal data breaches. Ok – so let’s have a look at the Commissioner’s “Guidance on data security breach management” issued in late spring of this year

In fact, the only new provision I have found is the power of the Commissioner to audit telcos to see whether “they have complied with their notification obligations”. Note that this audit is limited to the context of a data loss; it is an advance merely because the Government has repeatedly refused to provide the Commissioner with powers of audit with respect to the private sector data controllers.

Do you get the message? There is nothing new to get excited about. So if any Minister or MP trumpets these provisions as part of the forthcoming General Election campaign as a great advance in data protection in the UK, then please reach for that salt bowl. (I was going to say sick bucket but decided at the last minute that this would be inappropriate),

References: see page 74 of: http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf and my piece for out-law “Why we don't need a security breach notification law in the UK” (http://www.out-law.com/page-9128).

How “see-through” scanners are subject to data protection rules

According to press reports in Canada, controversial airport scanners that “see-through” the clothes of travellers have received the blessing of Canada's Privacy Commissioner. An assistant Federal Privacy Commissioner has told the press that Canada’s National Air Security Agency has successfully answered all questions about individual privacy.

The proposal has stirred controversy in the UK because the scanners produce a three-dimensional outline of an individual’s naked body. However, under the plans approved by Canada’s Federal Privacy Commissioner, the officer viewing the image would be in a separate room and never see the actual traveller. Only people singled out for extra screening would be scanned, and even then, there would be the option of having a physical pat-down instead.

In the UK, therefore, one can expect similar procedures. Note that the Data Protection Act is engaged because each ghostly image will be associated with other identifying information already in the possession of the data controller (e.g. the boarding card identification details of the data subject). This means the data controller has to be fair – so not only has there to be signage (which alerts each data subject to the purpose of the scan and other information to make the processing fair) but also the outcome of the processing has to be fair (in this case, by allowing travellers an alternative to the scan so that personal data are not processed). In relation to Schedule 2, the processing has to be “necessary” in terms of the legal provisions that surround airport security.

In relation to Third and Fifth Principles, if the scan of a particular individual does not show any airport security problem, one would expect that the images would be deleted expeditiously, if not immediately.  Staff would get the necessary training (Seventh Principle) so disclosures of images to staff other that the observing officer in a separate room would have to be limited to those circumstances where there was a security issue. One would expect a Privacy Impact Assessment to be undertaken by the airport in order to identify other issues prior to implementation of the scanner.

In other words, if any ghostly image of a celebrity appeared in the press, the data controller would have a lot of data protection questions to answer; evidence of malfeasance by a particular member of staff should engage the section 55 offence. If a breach were to be the result of a failure on the part of the data controller to demonstrate that the correct procedures were in place, the risk of a Monetary Penalty Notice (when they eventually arrive) would be considerable.

Check your data sharing protocols

Data sharing – simple isn’t it: “data share” rhymes with “data care” and “nightmare”.

Anyway this is an unashamed plug for a book that contains a chapter on data sharing written by yours truly. To assist the general data protection community, I have placed a checklist of what should appear in a protocol on http://www.amberhawk.com/policydoc.asp   under the heading: “Data sharing protocol checklist – 2009”. The checklist applies to public and private sectors.

The book is entitled “Data Protection for Financial Firms: A Practical Guide to Managing Privacy and Information Risk, Edited By  Tim Gough. Details are on http://riskbooks.com/Operational%20Risk/data_protection_for_financial_firms.php

Resignation issue? National Security watchdog wants more surveillance of UK population

Kim Howells MP knows all about surveillance. Back in 1984, he was one of Mrs Thatcher’s unnamed “enemy within” and played a leading role in the National Union of Miners organising the Miners’ Strike in South Wales. Now, he is trusted ex-Minister who chairs the House of Commons Intelligence and Security Committee which has limited scrutiny role over the very organisations that tapped his phone and monitored his movements those 25 years ago. A curious turn of events to say the least.

Kim Howells is in the news today calling for a phased withdrawal of troops from Afghanistan and replacing it with the enhanced surveillance of the UK population. In today’s Guardian he writes that:

“Life inside the UK would have to change. There would be more intrusive surveillance in certain communities, more police officers on the streets, more border officials at harbours and airports, more inspectors of vehicles and vessels entering the country, and a re-examination of arrangements that facilitate the "free movement" of people and products across our frontiers with the rest of the EU”.

What is missing in Mr Howells’ analysis is any recognition that if there is to more surveillance, then there also has to be more focus on what prevents the misuse of surveillance powers. In his Guardian commentary he makes no mention of the need for a privacy counter-balance, although to be fair, this could be because he is writing a newspaper column of limited word length.

However, Mr Howells neither sees the need for additional checks nor balances in his Committee’s Annual Report published last May (heavily redacted by the Government, as his Committee has to submit its manuscript for editing prior to publication). In fact, over the last year, this Parliamentary Committee did not even bother to take oral evidence from any of the Commissioners who are there to scrutinise surveillance polices. And in its 60 page Annual Report, the activities of these Commissioners are dismissed by the Committee in less than half a page. As far as I can see, under Mr Howell, the Committee's role in reassuring the public that national security policies do not stray beyond the necessary has gone AWOL.

This week we have had the dismissal of Professor Nutt whose views on the risks of horse-riding are well known. We were told by Government that if the Professor wants to campaign to re-categorise cannabis as a lesser risk, he cannot be a Government advisor on drugs policy. Similarly, if Mr Howells wants to support a policy of more surveillance by the national security agencies, he should not do this from his position as Chair of a Committee that is expressly tasked by Parliament to supervise the surveillance policies of the national security agencies.

At the end of the day, Professor Nutt had to go – so should Mr. Howells.

(Readers who are interested in the kind of protective supervision we have in the UK are directed to my blog entries on 6th October: “Can national security agencies disclose communications data or ANPR images to anybody?”;  on 8th September: “Home Secretary spends 90 minutes per day with interception warrants?”; and on 10th September: “Is there is no chance of winning a privacy complaint?”. Also the "Written Evidence: Human Rights Legislation and Government Policy towards national security - 2006" on the download section of www.amberhawk.com).
.

Can publishing personal data on the Internet be unfair?

I wonder whether a Tribunal Decision confirming the Commissioner’s views in an obscure FOI Decision Notice indicates how data protection law could impact on the wider Internet? Of course, reliance on such an extrapolation has its dangers – but, the logic the Tribunal applied to this FOI request seems to apply to posting personal details on the Internet.

The FOI case involved access to Court records after a trial. An applicant (who was a relative of an individual prosecuted for a criminal offence) made a FOI request to details of the Court’s own records about the "charges" and "verdict" in order to help that individual anonymously. Note that all the applicant requested was the details that he would have learnt in open court (if the requestor had attended the Court) or in a newspaper (if a journalist had reported the Court proceedings in the local press). The request was denied by the Courts service, a decision that was upheld by the Commissioner and Tribunal.

The Tribunal recognised that there was an anomaly in that if the applicant had attended the Court or if the Court proceedings had been published by the media he would have all the information that was subject to the FOI request. However “to reveal to the whole public whether someone was subject to a court case would be unfair” processing as the release of sensitive personal data (e.g. details of a conviction) into the public domain will only be fair in exceptional circumstances. In addition “even if there was sensitive personal data disclosed in open court at the time of prosecution/sentencing, it would not be in a defendant’s reasonable expectations that there will be a later disclosure to the general public”.

So publishing details, even those that could have been in the public domain, can be unfair.

Now consider publishing on the Internet?  Well many postings report matters involving another individual's personal life (e.g. photos of a drunk friend being sick) and these have the potential to be “Googled for ever and ever, amen”. Often, such reports are published after a fairly public event (e.g. an office party) without any reference to the individual concerned. As the domestic purpose exemption cannot be claimed (see Lindqvist), this means the obligations in the Act are engaged.

In other words, if the act of publishing personal details by FOI is unfair, it seems to me that publishing similar details by the Internet would also be unfair. It follows that posting personal data can constitute unfair processing and this prospect should be actionable wherever the European Data Protection Directive applies.

References: Information Tribunal Decision EA/2009/0037 and ICO Decision Notice FS 50165494. The position according to the Tribunal “is supported by the reasoning of the Information Tribunal’s decision of David Armstrong and the Commissioners for Her Majesty’s Revenue and Customs [EA/2008/0026] paragraph 84. The Lindqvist case is a decision of the European Court of Justice in Case C-101/01, made in 2003; see for example, “Baby battle woman can’t claim data protection exemption for YouTube video, warns expert” on http://www.out-law.com/page-8401 ).

See also; Reclaiming Privacy on the Internet; http://www.amberhawk.com/uploads/IPSTREETVIEW.pdf

Data Protection: applying the Principles to the surveillance of a demonstration

Does it breach the Data Protection Act to process personal data about all demonstrators in order to identify those demonstrators who are also “domestic extremists”?  To answer this question, it is instructive to apply the Data Protection Principles to the photographing of a demonstration by the police.

The relevant explanation of the term “domestic extremism” is found on the website of National Extremism Tactical Coordination Unit (NETCU is the Unit that is at the centre of the controversy (http://www.netcu.org.uk/de/default.jsp). Its website states that “Clearly, the majority of people involved in animal rights, environmentalism and other campaigns are peaceful protesters and are never considered extremist” and that “The term only applies to individuals or groups whose activities go outside the normal democratic process and engage in crime and disorder” – for example - “criminal acts of direct action in furtherance of a campaign”.

The web-site continues: “Domestic extremism is most commonly associated with 'single-issue' protests, such as animal rights, environmentalism, anti-globalisation or anti-GM crops. Crime and public disorder linked to extreme left or right wing political campaigns is also considered domestic extremism”.  This is because “these people and activities usually seek to prevent something from happening or to change legislation or domestic policy, but attempt to do so outside of the normal democratic process”.

So, have you got the picture? “Domestic extremists” are those people who we have all seen on TV engaging in a range of criminal damage (e.g. pulling-up GM crops or smashing shop windows) or in a range of public disorder events (e.g. throwing smoke bombs or having a punch-up). Anything more serious would probably fall within the UK’s wide definition of “terrorism” (e.g. using Molotov cocktails).

However, note NETCU’s admission that demonstrations form part of the normal democratic process and most demonstrators are not “domestic extremists” and that the “extremist” is the exception rather than the norm. Hence, it follows that in terms of the Fifth and Third Principles, that the undue retention of personal data on law abiding demonstrators is likely to be excessive. In terms of the First Principle, the mere presence at a demonstration should not be sufficient grounds to legitimise the undue retention of personal data on those who are not connected with “extremists”. Fair processing obligations (e.g. signage) similar to that which is familiar with CCTV should be employed and visible to demonstrating data subjects.

Yes, I think that under the Act, it would be deemed lawful and legitimate for NETCU to process images of all data subjects for a reasonable period of time in order to identify any “domestic extremist”, but once that reasonable time has elapsed, that legitimacy expires in the context of those who aren’t domestic extremists.

In addition, for most law abiding demonstrators, the section 29 subject access exemption will not apply to these personal data because there is no prospect of prejudice to any criminal matter. It follows that data subjects on demonstrations should be able to exercise their right of access to personal data (i.e. the police photographs). Indeed, for a mere £10, you should be able to get high quality mementos of your participation in any demo. (However, you should keep a record of where you were and at what time to help locate the personal data obtained by the police photographer or CCTV operator who took your picture). Finally, I see no reason why the right to object to the processing of personal data should also not be applied if a demonstrating data subject considers that the personal data should not have been retained.

The policing of demonstrations requires a difficult balancing act – we all know that. The Data Protection Act can help make that balance transparent and fair to both sides. So I conclude that if the NETCU have nothing to hide, it will have nothing to fear from the application of the Data Protection Principles to the policing of a demonstration.

Finally, it is possible that the Home Secretary could sign one of those all embracing National Security Certificates in order to make the data protection issues “go away”. Arguably such a Certificate could be applied to most demonstrations on the grounds that a demonstration would be ideal cover for terrorists (hence the need to photograph everyone). However, this approach would merely expose the unacceptable and unaccountable nature of these National Security Certificates.

 

Police surveillance of demonstrators misses Congestion Charge angle

This week, the Guardian has run a major exposé of police surveillance of demonstrations and of the fact that the police have amassed a photo-library of individuals, many of whom do not possess a criminal record, but who involve themselves in lawful protest.

The photo-library is used to make “spotter cards”. This spotter card is a police version of those I-Spy games I used to have as a child; spot the demonstrator (or “domestic extremist” to use the official description) and call the Metropolitan Police’s Public Order Intelligence Unit to see how many points you get.

According to the newspaper, police surveillance also uses Automated Number Plate Readers (ANPR) to track cars driven by the leading “domestic extremists” of the day. As most demonstrations occur in London, it is possible that the pivotal role played by London’s Congestion Charge Cameras has been overlooked.

In an earlier blog ( “Can national security agencies disclose communications data or ANPR images to anybody?", 06/10/2009), I explained that the exemption described by the National Security Certificate that relates to the Congestion Charge Cameras permits the disclosure of ANPR images to anybody on the planet (e.g. any national government agency including the unsavoury ones) for any purpose (e.g. for a purpose that has nothing to do with crime and national security).

As most demonstrations occur in London, the Certificate is likely to apply to cars driven by “domestic extremists” as they make their way to a demo. The breadth of this exemption would thus permit a list of “extremists” attending a particular demo to be compiled and circulated (perhaps with relevant driver information from the DVLA) to interested national governments, perhaps as some kind of good will gesture. As the ID Card Act 2006 permits wide disclosures from the National Identity Register, it is easy to see that in future, the photograph of the ID Card holders could also be attached.

The policing of demonstrations calls for checks and balances. Such balance should be achieved by detailed legislation which has an independent regulator that can act as arbiter; that is why you have a Parades Commission in Northern Ireland and that is why it is important that the Information Commissioner investigates properly. It will be an interesting test of the new Commissioner who has just gone public with his “information rights” agenda (see yesterday’s blog).

However, in the case of these National Security Certificates such as the one signed in relation to the Congestion Charge ANPR cameras, there is a constitutional problem that is beyond the Information Commissioner. The Tribunal’s decision to chuck out the Privacy International’s Appeal limits such hearings to case-by-case circumstances when an individual tries to exercise data subject rights, and fails. Yet this Certificate, in data protection terms, legitimises mass surveillance of all those who drive into London.

All mass surveillance should be subject to detailed primary legislation. Yet these National Security Certificates are not even subject to the low standard of Parliamentary scrutiny that occurs when Secondary Legislation is enacted (e.g. by Statutory Instrument). In effect, the Certificate system established under the Data Protection Act substitutes administrative fiat for legislation and public debate.

Such a prospect, in my view, is simply unacceptable – especially when one considers these Certificates in the context of the Guardian revelations.

Information Commissioner contemplates unpopularity

At yesterday’s Update session in Manchester, Stephen McCartney, Head of Data Protection Promotion, at the Commissioner’s office outlined several changes to the structure of the ICO’s office and in the ICO’s modus operandi.

First the Office of the Information Commissioner is being reorganised and the division between Data Protection and Freedom of Information is being removed. Instead, staff at the ICO will be expected to deal with both subjects. The new focus will be on “information rights” rather than DP or FOI and in this context, the name of the Tribunal will change. From mid-January, the Information Tribunal will be known by the catchy title of "First Tier Tribunal (Information Rights)” (of the General Regulatory Chamber) as it will become a part of the First Tier Tribunal established by the Tribunals, Courts and Enforcement Act 2007.

In this context, appeals from the First Tier Tribunal can be heard by an Upper Tribunal. This Upper Tribunal will take over from the courts when arguments arise from the decisions of the First Tier Tribunal (e.g. when there are judicial review considerations). In the FOI context, this is likely to mean there will be more appeals from the decision of the lower First Tier Tribunal  (the old Information Tribunal) as the costs of a further legal appeal are reduced significantly (e.g. it is likely that each side will carry its own costs).

Cases of significance (e.g. a FOI request that raises a matter of significant public interest) can be heard by the Upper Tribunal (thus avoiding the lower Tier).

The focus of the ICO’s office will be on operational aspects, using powers where this is necessary to enforce information rights laws. The ICO will make the reduction of operational backlogs (e.g. assessments, Decision Notices) a priority. Policy matters, for example, delving into the Surveillance Society will still continue where appropriate but with a lower priority.

The Commissioner is to be known as the Chief Executive of the ICO to reflect the Information Rights agenda. When asked about the overlap between data protection and other Commissioners (e.g. in the context of access to communications data), the response was that if personal data were processed, then the Commissioner would have a remit to use his powers where appropriate.

The Commissioner is pressing for his ability to audit data controllers in the public sector to be extended to the private sector.

The ICO mission is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. This statement says nothing about educating data controllers or public authorities in their obligations.

In anticipation of the power to fine (e.g. Monetary Penalty Notice) or imprison (e.g. custodial Section 55 offences) and the increasing use of signed undertakings when data protection matters go significantly awry, the ICO is expecting to become “less popular” with data controllers. As a result, I expect that more Information Notices to be served as data controllers (and public authorities) might be reluctant to confess all to a Commissioner that has significant powers and an information rights agenda to push.

In short, “no more Mr Nice Guy”. These new powers, when implemented, will result in a more normal relationship between the regulator and regulated.

Note: there are still places on our Edinburgh Update next Monday - details on www.amberhawk.com.

Data Protection: Is the 2011 census the last one of its kind?

Yesterday’s BBC news website carried a story headlined “Bedroom snooper row over census”.

“For the first time”, the report says “people will be asked to provide details of the number of bedrooms they have as well as the names, sex and birth dates of any overnight guests in their homes”. “Other new questions”, the report adds “include how well people can speak English, the date overseas nationals entered the UK, how people define their national identity and whether they are in civil partnerships”.

Nick Hurd, a Shadow Cabinet Office minister is quoted as saying “An increasingly invasive and intrusive census will erode public support ”

However, the BBC has probably missed a more controversial aspect of its story as the National Identity Register (NIR) -  the ID Card database - is intended to act as a population register so that it can deliver a rolling census in future. The current Government intends that the 2011 Census is the last one of its kind.

Back in 2004, the Office of National Statistics had promoted a separate adult population register as part of the Citizen Information Project (CIP). However by early 2005, the Government had decided that all CIP functionality (including the census and population register) would be incorporated into its plans for the wider use of the NIR. A draft Written Answer was prepared for Ministers in July 2005 so that the changes could be made public. However, political expediency meant that the actual statement was only given to Parliament after the ID Card Act 2006 had received Royal Assent.

There is a telling paragraph in the document that contained the delayed Written Statement. Civil servants advised Ministers: "Home Office believe there would be advantages in making an announcement before Parliament rises on 21st July (2005)" as "that would confirm the Government's intention to use the ID Cards register in this way while the ID Cards Bill is still being debated and so avoid subsequent criticism, say from the Information Commissioner, that the ID Cards register is subject to 'function creep' ".

Minutes released in relation to the CIP (dated 2004 and 2005) show that the NIR will be used in conjunction with the Census and could check that citizens are eligible to vote at elections. These Minutes show the Home Office:

• "should design the take-up profile of the NIR to be such that population statistics can be realised for the 2021 census".

• "has responsibility for delivering an adult population register that enables basic contact data held on NIR to be downloaded to other public sector stakeholders" (The "Treasury and Cabinet Office should ensure that NIR delivers CIP functionality as planned");

• "takes responsibility for ensuring from around 2021 basic contact data held by stakeholders can be up-loaded to the NIR";

The CIP's final report states (at page 17) that secondary legislation will allow "public services to be provided with NIR data without the need to obtain specific citizen consent".

I think this attitude towards data protection says it all – no further comment is needed.

Note: if readers are interested in knowing what else was withheld from Parliamentary scrutiny of the ID Card Act, see my Written Evidence to the Constitution Committee on the “policy download” pages of www.amberhawk.com

 

Data Protection: Enforcement action for making false Safe Harbor claims

In a way that mirrors the undertakings signed by UK data controllers, six U.S. businesses have agreed to settle Federal Trade Commission (FTC) charges that they deceived consumers by falsely claiming they were abiding by the EU/U.S. Safe Harbor framework. 

According to six separate complaints filed by the FTC, the six companies deceptively claimed they held current certifications under the Safe Harbor framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles.

The FTC complaints charge World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC with representing that they held current certifications to the Safe Harbor program, even though the companies had allowed their certifications to lapse.

Under the proposed settlement agreements, which are subject to public comment (unlike the UK type undertakings), the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. Each violation the final agreement may result in a civil penalty of $16,000 (there again unlike the UK undertakings).

The interesting point arising from the USA action is the link to unfair processing if this kind of claim were to made by a UK based data controller. So suppose a UK data controller made a claim that its USA business partners were in Safe Harbor with respect to any transfer of personal data, then this claim would open the UK data controller to a breach of the First Principle if the USA self-certification certificates had lapsed. In general, therefore, if you are making claims to reassure data subjects in fair processing notices about the processing of personal data (e.g. on your web-site), then make sure such claims are justified and up to date.

The agreements can be accessed from http://www.ftc.gov/opa/2009/10/safeharbor.shtm and will be finalised after a period of public consultation. If you want to make a comment, be my guest; just download http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf. Details of Safe Harbor on http://export.gov/safeharbor).