Year: 2015

The New EU Data Protection Regulation: Key Points

canstockphotoeditedThe future of Data Protection throughout the EU has now been decided. The text of the new EU Data Protection Regulation has been finalised. This will be formally adopted by the European Parliament and Council at the beginning of 2016. It will come into force two years thereafter.

Most of the big talking points over the last few years have been survived in one form or another but with some surprises. In this blog post I’ll give you and overview of some of these, then over the next few months we’ll start looking at individual areas in subsequent posts and see what this means for us here in the UK.

Scope:

The Regulation does indeed apply to any entity offering goods or services (regardless of payment being taken) and entity monitoring the behaviours of citizens residing within the EU. There is still the requirement to establish a representative within the EU but it means that entities are now directly responsible for compliance with this regulation (and not just their EU based entity) if they are processing in any way EU citizen personal data.

Definitions:

Pseudonymisation, Profiling, Genetic Data, Biometric Data are all specifically defined in the regulation and very much as you would expect. There is however a new definition for health data that now outlines not only that health data is anything relating to the mental or physical health of a person but also any information that can reveal information about their health status. This means that it is very clear that, for example, if a list of email addresses on a mailing list for people who receive HIV treatment is disclosed that is a definite and clear disclosure of health data and not just personal data.

Principles:

There are now six Data Protection principles which broadly cover the same themes as previously. Personal data must be:

1. Processed fairly, lawfully and in a transparent manner. Now as previously discussed this transparent manner now requires controllers to provide more information to the data subject at point of collection but also when any changes to that processing occurs as well. For example, if the information is used for a purpose other than that for which it was originally collected (which doesn’t go against other rules of the regulation of course)?

2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose. Which some exceptions for further processing for archiving, public interest or research purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes. This now brings in the talked about “data minimisation” principle which we have already seen, but not quite as explicit as this new regulation lays out.

4. Accurate & kept up to date. No real changes here, this remains the same.

5. Kept in a form that permits identification no longer than is necessary. Again with exceptions for archiving and research purposes.

6. Processed in a way that ensure appropriate security of the personal data. So no major change here except an explicit reference to “integrity and confidentiality” of the personal data.

Consent:

Where consent is required in order to legitimise the processing (which is limited under the regulation) then the controller must be able to demonstrate clearly that he has clear & unambiguous consent for each purpose that consent is required.

The regulation now also states that for “Information Services” if information is to be processed on a child of under 16 years of age then consent must be obtained from the parent. The regulation does however allow member state laws to lower this threshold where appropriate but not below the age of 13 years.

Special Categories of Personal Data:

So the “Sensitive Personal Data” as known under the Data Protection Act as a term has now gone and instead been replaced with the term that a few EU countries use which is “special categories”. These are broadly similar to the current list however the definition is now any data “revealing” racial or ethnic origin, political opinions, religions or philosophical beliefs, trade-union membership, genetic or biometric data (processed for the purpose of identifying someone), data concerning health or sex life and sexual orientation.

Data Subjects Rights:

The list of rights that a Data Subject can exercise has been widened (sort of). There are some new things in here but most of this is a reshuffling of existing rights. It’s also worth noting that controller must also provide clear, transparent and electronic methods of the data subject exercising said rights. The list now includes;

Access,

Rectification,

Erasure,

Restriction of processing,

Data Portability

Right to object (to marketing, profiling, research)

Right to object to automated individual decision marking (including profiling).

Right to lodge a complaint with a supervisory authority

Data Protection by design & Data Protection Impact Assessments:

Data Controllers are expected to include data protection controls at the design stage and can certify that they have such controls via approved certification schemes.

Where a new technology etc is looking to collect personal data that poses potentially high risks to personal data the controller shall, prior to the processing, carry out a Data Protection Impact Assessment. Supervisory Authorities can then also produce lists as to what sort of processing would warrant such an assessment and what ones would not. These assessments, where appropriate, may also need the input from Data Subjects and indeed the supervisory authority.

Notification:

While notification to a regulator has gone Article 28 now requires controllers to keep a similar record of all purposes, joint controllers, data categories, recipients (can be categories), transfers to third countries, time limits for erasure and a general description of the technical & organisational measures in place protecting this data.

Breaches:

That highly discussed breach notification point has finally come down to 72 hours. So the regulation now outlines that controllers have 72 hours from being made aware of the breach to notify the supervisory authority. You can however notify later providing you have a “reasoned justification”.

And now the really juicy stuff. Fine amounts. As predicted these are “staggered” so that not all breaches will result in 20 million Euros.

For breaches / non-compliance of the following you can receive a fine of up to 2% of global annual turnover (for undertakings) or 10 million euros. The regulation doesn’t outline automatic fines for single breaches but instead allows supervisory authorities (through their cooperation mechanism) to agree a framework for ‘qualification’ for fine amounts based on the extent of the non-compliance.

  • Consent for children’s data (article 8)
  • Processing not requiring identification (article 10)
  • Data Protection by Design (article 23)
  • Joint Controllers (article 24)
  • Representatives of the controller within the EU (article 25)
  • Processors (article 26)
  • Processing under the authority of the controller and processor (article 27)
  • Records of processing activities (article 28)
  • Co-operation with the supervisory authority (article 29)
  • Security of processing (article 30)
  • Notification of the breach (article 31)
  • Communication to data subject of the breach (article 32)
  • Data Protection Impact Assessment (article 33)
  • Prior consultation (article 34)
  • Designation of the Data Protection Officer (article 35)
  • Position of the Data Protection Officer (article 36)
  • Tasks of the Data Protection Officer (article 37)
  • Certification (article 39)

For breaches of the following you can receive a fine of up to 4% of global annual turnover for undertakings or 20 million euros.

  • Principles of Data Protection (article 5)
  • Lawfulness of processing (article 6)
  • Conditions for Consent (article 7)
  • Processing special categories of personal data (article 9)
  • Rights of the Data Subject (articles 12-20)
  • Transfer of personal data to third countries (article 40-44)
  • Powers of the Supervisory Authority (article 53)

Data Protection Officer:

Good news DPOs we have a future! Our future isn’t as “all powerful” as the first text but it does pretty much cement the Data Protection Officer as a key role within a public body and medium to large private enterprises. Key points are;

  • Controllers can have 1 appointed to multiple entities taking into account their structure and size.
  • Officer shall have expert knowledge in Data Protection law & practices.
  • Can be a staff member or contractor.
  • Their contact details must be published to data subjects and the supervisory authority.
  • Should be involved in all matters affecting personal data.
  • Shall be protected from being dismissed / coerced while performing their duties under the regulation.
  • DPOs are to inform staff of the controller of their responsibilities under the regulation & monitor the controller’s compliance with its responsibilities.

International Data Transfers:

So, no major changes here but some key emphasis that is worthy of being aware of. The Commission retains the right to decide on the “adequacy” of third countries and will continue to publish and control the safe list. Standard Model Contract Clauses are also a viable method for transfer and now Binding Corporate Rules are explicitly outlined as a method of transfer too.

Supervisory Authority:

The bulk of the wording here is nothing new. They need to be independent, monitor compliance, and be proactive in producing guidance and standards etc. but there are some subtle changes. The authority has the powers to;

  • Order the controller, processor or representatives of either to provide information in relation to its objective.
  • Carry out investigations in the form of audits.
  • Review certifications
  • Notify of infringements
  • Obtain from the controller / processor access to any personal data in relation to its objective
  • Obtain access to premises including access to equipment (in line with local law)
  • Issue warnings, reprimands, orders to comply, order controller to inform a subject of a breach, impose a ban on processing, order a rectification, issue a fine and order a suspension of international data flows

That’s it for this post but there is a lot more content in the DP regulation and I should imagine a few more discussions and blogs to come looking at specific areas and what this means for the future. As always it will be a practical discussion on what this means in real terms.

All that’s left is to wish you a peaceful and restful festive period and I very much look forward to discussions and working with you as we go into 2016 and ever closer to the regulation being here!

Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.

We don’t hold your data! (well… not for long anyway).

temp pic

 

 

 

 

 

 

 

 

Dear Sir or Madam:

I recently received a mailing from you.

I’d like you to send me a copy of the personal data you hold on me.

I am particularly interested in where you obtained my name and address from.

The numbers on your mailing are

8666U501J01101

XA4416175

I’d like you to explain what these mean.

Regards etc

Dear Mr xxxx

Thank you for your email. Firstly, we can confirm that we do not have any of your personal data on our records of any kind.

The recent Christmas appeal which you received, was sent out as part of our Christmas campaign. During this campaign, we purchased some contact details from a third party supplier for temporary use – these details are not stored on our database and are no longer in our possession.

In this instance, your details were selected for The Christmas Appeal – which also includes a Christmas appeal reminder which you are likely to receive in the next 2-3 weeks, and, unfortunately, as the mailings are selected far in advance, it is not currently possible to prevent this mailing from being sent. Please accept our sincere apologies for any inconvenience this may cause you. However, we confirm that we do not hold any of your data on our database.

The DM code you have listed below indicates that your details were temporarily given to us for a one-off use.

The XA code you supplied is your reference number is not stored on our own system in any way.

What a great reply! We don’t have any data on you; we did have a while ago to send you an unsolicited letter but it was only held temporarily and besides we bought it from someone else. We’ve checked the reference numbers you gave us even though we don’t have them on our systems.

 And we won’t be processing your data while we hang onto it for 2 to 3 weeks so we can send you a reminder about the unsolicited begging letter we just sent.

Am I the only person who finds this unacceptable? Or is this the norm for the charity sector?  Just for clarity the ICO says

“Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data”

So that’s 3 processing operations at least – obtaining, mailing and holding. Maybe even destruction if in fact they do delete it. (Next Xmas will tell me this). The ICO doesn’t give an exemption for ‘temporarily” processing it.

When Christmas (the season of good cheer and peace to all data subjects) arrives, is it part of the festive spirit (or even lawful?!) to buy a wodge of names and addresses that you have no relationship with and then mail them two (count them) begging letters; and when someone makes a subject access request say, “We do not hold any data on you – we did last week but it’s disappeared. We might hold it again in a week or two but only for a short time and then it will disappear again.”

This organisation is a good organisation. I support their aims and like listening to their brass bands outside supermarkets in the run up to Christmas, but I find their marketing activities dubious. It may just affect my giving to them this year.

The Investigatory Powers Bill: Implications for Local Authorities

 

canstockphoto17336195

 

 

 

 

 

 

 

 

 

 

The government’s controversial Draft Investigatory Powers Bill was published in early November. Amongst other things, the Bill:

  • Requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and some public bodies.
  • Makes explicit in law for the first time the Security Services’ powers for the bulk collection of large volumes of personal communications data.
  • Makes explicit in law for the first time the powers of the Security Services and police to hack into and bug computers and phones. It also places new legal obligation on companies to assist in these operations to bypass encryption.
  • Requires internet and phone companies to maintain “permanent capabilities” to intercept and collect the personal data passing over their networks. They will also be under a wider power to assist the security services and the police in the interests of national security.

Much has been written about the civil liberties implications of the new Bill, dubbed “the Snoopers’ Charter.” It has been criticised by the United Nations, the Opposition and civil liberties groups.

A Committee has been formed to consider the key issues raised by the Bill, including whether the powers sought are necessary, whether they are legal and whether they are workable and clearly defined. The Committee is now inviting written evidence to be received by 21st  December 2015 (call for evidence).

Some of the questions the Committee are inviting evidence on include:

  • To what extent is it necessary for the security and intelligence services and law enforcement to have access to investigatory powers such as those contained in the draft Bill?
  • Are there sufficient operational justifications for undertaking targeted and bulk interception, and are the proposed authorisation processes for such interception activities appropriate and workable?
  • Should the security and intelligence services have access to powers that allow them to undertake targeted and bulk equipment interference? Should law enforcement also have access to such powers?

The Committee is due to report back by February 2016.

What will the effect be of the Investigatory Powers Bill on local authorities? Is it true that councils will be given powers to view citizens’ internet history (according to the Telegraph)? The answer is no.

Sam Lincoln has written an in-depth analysis of the bill, detailing and dissecting its various points. Please take a look here.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection. Our 2016 RIPA workshops will include an update on the Bill.

SMILE! You’re on our Mailing List!

world map

Charity envelope time again.  And yet again another organisation I had no relationship with at all. This time it was a big one with offices in…are you ready…

UK, USA, India, China, Philippines, Latin America, Mexico, Brazil, Africa, Indonesia, Vietnam, Middle East & North Africa and Bangladesh.

Surprisingly in all these locations they couldn’t find a data protection expert to run his eye over their Privacy Policy. This is puzzling as you can find good information about their accounts and activities quite easily on the web. (£7m donations in 2014 and over 125,000 children helped all over the world). They look like they’re doing a good job except for the unsolicited mailing that dropped through my door today.

They sent 2 full colour glossy A4 double sided leaflets. 10 sticky gift tags to attach to Xmas presents, an A5 double sided full colour leaflet, an eight page A6 booklet about their work, a donation form to return and an envelope. If they’d not spent their money on these pieces of coloured paper, 2 of which were customised to say my name and address they might have had more in the kitty to help the children they featured in their leaflets. Nowhere on any of these pieces of paper is there a mention of the Data Protection Act. Nor is there a phone number so I could tell them quickly I didn’t want their unsolicited mailing. Presumably their marketing expert advised them not to offer this simple mechanism of objecting as it might result in people using it. So I found their website and had a look.

After a while I found their Privacy Policy. It was extensive and told me a lot about the cookies it used. No mention of the Data Protection Act again. Some of the interesting sections were

  1. Your acceptance of this policyBy using our site, you consent to the collection and use of information by XXXXXXX  in accordance with our Privacy Policy.  If you do not agree to this Policy, please do not use our site. In order to fully understand your rights we encourage you to read this Privacy Policy.

(Mmm a good one to start with. You have to use the site to find the policy before you can read it, but by using the site you have already agreed with their policy even though you haven’t read it, which they want you to do).

  1. Changes to this privacy policyXXXXXXXX  reserves the right at any time and without notice to change this Privacy Policy simply by posting such changes on our site. Any such change will be effective immediately upon posting.  Your subsequent use of this website after we have made changes to this policy (including the submission of information on our donation form) will be deemed to signify your acceptance of any variations that we make.

(So when they change something and before you find out about the changes by reading their policy you have already agreed to the changes you haven’t yet read about).

3. Sharing your information with third parties

From time to time, XXXXXX allows other worthy organisations to send communications to our donors via direct mail.  We carefully screen these organisations to ensure their services may be of interest to our supporters. If you do not wish to hear from these organisations, please let us know by contacting us. 

(Wow what a good one. Firstly that great phrase “from time to time” I thought this had died out but here it is again and what it really means is whenever we feel like it…”. The following few words shows the staggering arrogance of the organisation. We ALLOW other worthy organisations to send communications to OUR donors. Despite the fact that there is a law that prohibits this they ALLOW it and the donors aren’t any free thinking individuals  – they belong to the organisation and the organisation can do with their personal data what they want. Did the Slavery Abolition Act of 1833 have a clause in it exempting charities. Er… no  And there’s more – what is a worthy organisation? One that helps children? One that  only uses recycled paper? One that pays their directors in bit coins? We have no idea what this cute little phrase means. It implies that Data Controllers don’t have to bother with Principle 2 if you’re passing data to ‘worthy’ organisations. 

It gets worse. The last element is giving you the right to write to them and object to receiving communications from what they think are worthy organisations that have been through a screening process although you don’t know much about their screening methods if they do in fact exist, and ended up on a list of organisations they sell your data to but which they may not keep).

It seems they are relying on the mythical but desirable exemption in the Act that says Charities are completely exempt from the DPA and also it seems exempt from writing simple Privacy Policies in Plain English.

Read more about how EU Data Protection Regulation will change the DP landscape. Attend our full day workshop.

 

‘The Great CPS Data-breach!’

canstockphoto6448307

 

 

 

 

 

 

 

 

 

 

 

 

No, this isn’t a new multi-million pound blockbuster, but instead a £200,000 error the Crown Prosecution Service probably wishes it had never made.

On the 4th November 2015 the Information Commissioners Office (ICO) issued a £200,000 monetary penalty notice under the Data Protection Act 1998 on the Crown Prosecution Service (CPS) for the lack of effective security and controls around DVD videos of police interviews after they were stolen (while being stored on laptops) from a 3rd party private film studio.

Imagine the scene, it’s the year 2002 and new technologies are coming in, for the recording & editing of films.  So you, as a modern and practical Crown Prosecution Service, look for a company that can offer these things quicker, better and cheaper than you can do in-house. So you commission an informal 6 month trial with a guy with a studio based in Manchester. After 6 months he seems to do a good job, he’s no George Lucas but you’ll roll with him beyond the 6 months.

Now as these things do, your ‘video editing man’ changes offices to a new location that, by all accounts, is a little bit lacking in basic things (like security and working CCTV). But no matter, we can’t judge those on where they operate and the service isn’t affected – if anything it’s a nice new shiny studio.

However, on a day in September 2014 (the 11th to be precise) a burglar just happens to wonder past and manages to get into the studio, steals 3 laptops that are currently being worked on by your video editor and runs off with them. The police catch up with ‘him’ 8 days later and as luck would have it, they also recover the laptops. But that’s OK, as it’s only 43 data subjects, you got the laptops back and there is a password on each of the laptops right?

Well unfortunately no, that isn’t OK. And the Information Commissioner agrees. In the ICO’s decision notice he outlines that various things were not in place here that really should have been given the level of sensitivity of the data concerned. Below are extracts from the 5 main areas the ICO cites as the mean breaches of the DPA.

  1. Unencrypted DVDs containing the videos were delivered to X using a national courier firm. The sole proprietor used public transport to take the DVDs to X premises if a case was urgent.
  1. The CPS was not aware of any security risks posed by editing videos of police interviews at X premises either in 2002 or 2006.
  1. The CPS had no guarantee that the sole proprietor would store the unencrypted DVDs in a lockable cabinet and return or securely destroy the DVDs at the end of the case.
  1. The CPS failed to monitor the sole proprietor in relation to any security measures taken by him.
  1. The CPS did not have a DPA compliant contract with the sole proprietor in relation to the processing.

All the usual culprits are there;

  • Lack of encryption,
  • Lack of secure transfer of data,
  • Lack of 3rd party auditing and,
  • Lack of 3rd party contract.

But above all what this notice outlines is a fundamental lack of understanding or awareness of what data is being processed here. The DVDs contained information relating to the witness and victims of crimes of a sexual or violent nature. It is reported that at least 1 of the files concerned that was stolen related to a high profile individual. And that’s just on these DVDs. What about all the other DVDs that have entered that studio since 2002?

While there is no evidence in the ICOs decision notice that other losses have occurred, the circumstances around this theft have been in place since 2002. It could be lucky that only one theft has occurred, but then again how we do know that this is indeed the only theft?

I know when these notices come out those of us that have been fighting the good data protection fight for some time will pick apart the incident and indeed say, “If you’d only have done this…” but the points we raise are all valid. This is very much a case of where everything is wrong. Not one aspect of this situation works in the CPS’ favour. Well apart from the fact the laptops were eventually recovered. But as the ICO points out, there is no proof that the DVDs were not accessed as only a password existed on them. So technically that doesn’t really help you either.

To help avoid the loss of any personal data there are a couple of best practice steps that organisations can take.

  1. Write a standard DPA clause or contract for use by and any all 3rd party suppliers and get it inserted in all contracts but current and future. If the current ones already have one then fine, make sure it’s at the same level or better than your template and go from there.
  1. If its sensitive personal data and it’s leaving your premises as a basic rule always ensure it is encrypted to a decent standard at all times. There is rarely an acceptable situation where the sending of sensitive personal data on a DVD out of the business that doesn’t have a decent level of encryption on it. If such a scenario does come up, then guard & monitor it and manage & document the risk.
  1. If you’ve got a 3rd party going anywhere near your sensitive personal data then watch and monitor them closely. They are as much a threat to your information as internal staff, and you wouldn’t (hopefully) leave your internal staff to handle sensitive personal data in any way they see fit so why would you for a 3rd party?

Having worked in the Social Care & legal industries I know how easy it is to become desensitised to the data that you hold and process daily. But always remember and be aware of the sensitivity of the data in your hands. That’s very easier said than done but that principle, once engrained in your thinking, then means you’ll stop and think before commissioning something or sending something that you really shouldn’t have.

Now I’m going to do some jiggery-pokery here, and bear with me on this as it’s not going to be exact but let’s see if we can work out what a fine would be under the new Data Protection Regulation. Now I accept that this is not an exact science as the text is still draft and the exact mechanism for fines is not agreed yet but let’s just imagine.

So, under the current framework the ICO can fine up to £500,000 for such a breach but instead valued the breach at the £200,000 level based on the severity, compensating controls, political nonsense etc. That works out as two fifths or 40% of the full amount he can fine.

Under the GDPR council text, because of the level of failing here in various areas, I believe that this breach would meet the definitions outlined in Article 79a (3a-h). Sections 1 & 2 of Article 79a do outline breaches but article 1 outlines relatively small offences and article 2 only covers some of the breaches outlined here. The limit of such a fine under that section is 1 million Euros or 2% of global annual turnover for the previous year (if an undertaking). If we assume the limit would be 1 million Euros (give the public sector nature of the controller) then let’s apply the same % as the ICO applied here.

40% of 1 million is 400,000 euros. In today’s currency (as of 13th November and according to google) that equates to a fine of £283,556.79 under the GDPR. Not much of an increase when you think about it.

However, if this fine was for an “undertaking” (currently not defined in the GDPR but the link contains the UK definition) the fine value could increase substantially. If we were to take the CPS public finances as an example their turnover for 2014 was £581.9 million pounds. 2% of that is £11,638,000. If we then take 20% of the 11.6 million we end up at a fine of £2,327,600 under the GDPR.

Now the above is not an exact science, as I’ve stated, as the mechanisms for determining fine amount are still to be agreed but those mechanisms will need to be as proportional as possible. By just using the current model (which the ICO seems to defend) the same incident could mean the difference between a fine of just under £300k for a public sector body (not an undertaking) or a fine of £2.3 million for a private sector undertaking.

Seems a little disproportionate does it not?

 

Scott Sammons an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.

Sainsbury’s and Data Protection – They have your number (and it’s not on your nectar card).

Sains

It shocked me on Sunday morning (a few months ago) when driving into our local Sainsbury’s car park. Through bleary eyes I suddenly saw my registration number flash up on a display in front of me. It also said my 2 hours of free parking would end in precisely 1 hour and 59 minutes. After parking and doing a bit of investigating I found that they’d fitted cameras at the only entrance (which was also the exit) so they could snap you on the way in and on the way out and thereby obtain evidence (or not) of your length of stay. This isn’t new. Many car parks have been doing this for years but it does raise a few issues.

Filming and collecting personal data is OK as long as a Schedule 2 condition of the Data Protection Act is fulfilled. (I suppose going off on one for a moment that filming at a hospital car park might require a Schedule 3 condition but that’s an argument for another day). The simplest one is Schedule 2 condition is consent as the other 5 require a necessary element. Do Sainsbury’s have your consent? Did you know that filming was going to happen before you attempted to enter their car park or did it only register when your number plate was staring back at you. If you were filmed before you knew you’d been filmed the consent is out of the window.

Once inside the car park you could see signs that told you more about the filming. Looks good to start with but the small print really is small and is also 8 feet up in the air (that old joke again!). I couldn’t actually read the small print. Basic fact remains that the Fair Processing Notice whatever the quality of it was only available after the processing took place.

So far we’ve missed out on an obvious Schedule 2 condition and missed the fair processing element of Principle One. What else could go wrong? If the sensible Sainsbury’s shoppers don’t overstay their welcome they won’t be troubled by a bit of DPA non-compliance. But if they do go over their limit will Sainsbury’s do nothing or will they take the registration number they acquired unlawfully and unfairly and further process it by finding out more personal data about the driver and sending him/her a penalty notice?

It may be that they’ve explained all this very well somewhere but as an everyday shopper in a rush I didn’t see it. It may also be that holding the information about a car than its owner and its address is proportionate if by so doing they allow you to stay a couple of minutes extra checking out the different brands of Prosecco but it could also be argued that it is not. A recent court judgment about parking is interesting:

https://www.supremecourt.uk/cases/docs/uksc-2013-0280-judgment.pdf

It seems to come down in favour of disproportionate penalties for parking and while it may be appealed the current climate is not very temperate.

The fact remains that Sainsbury’s have obtained your car’s number plate without giving you fair warning and are holding it and probably further processing it.

The old joke? What lies on its back 8 feet up in the air.

Answer: A dead spider!

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Freedom of Information: The Future

canstockphoto3157426

Is the future bright for Freedom of Information?

In July the Commission on Freedom of Information was established by the Cabinet Office (which now has responsibility for FOI). Its terms of reference are:

“[To] review the Freedom of Information Act 2000 (‘the Act’) to consider whether there is an appropriate public interest balance between transparency, accountability and the need for sensitive information to have robust protection, and whether the operation of the Act adequately recognises the need for a ‘safe space’ for policy development and implementation and frank advice. The Commission may also consider the balance between the need to maintain public access to information, and the burden of the Act on public authorities, and whether change is needed to moderate that while maintaining public access to information.”

The Commission will be chaired by Lord Burns, and will comprise the Rt Hon Jack Straw, Lord Howard of Lympne, Lord Carlile of Berriew and Dame Patricia Hodgson. The motivation/credentials of the panel members have been questioned by some who argue that they are establishment figures who are not interested in openness or transparency. Jack Straw, in particular, has previously called for FOI to be rewritten. The Commission’s, recently published, consultation paper does suggest that it is considering sweeping restrictions to the legislation. The questions seem to be based around the misconceptions that FOI is harming the decision making process and costing public authorities too much. (See Ben Worthy’s analysis in his excellent blog post.)The Commission will publish its findings by the end of November but here are my predictions.

Strengthening the ministerial veto under section 53 is a “dead cert” (in betting parlance). In March the Guardian’s successful challenge to the application of the veto to the disclosure of Prince Charles’ letters to government departments, was confirmed by the Supreme Court. Hours before publication of the letters, Downing Street said David Cameron would to try to build up a cross-party consensus with the aim of guaranteeing that ministers will be able to veto the publication of documents under FOI requests in exceptional circumstances.

It is also very likely that the FOI Fees Regulations will be amended to make it easier to refuse requests for information on costs grounds. In July 2012, the Justice Select Committee published its Report into Post-Legislative Scrutiny of the Freedom of Information Act 2000. The Committee concluded that FOI was working well. It had “contributed to a culture of greater openness across public authorities, particularly at central Government level” and “is a significant enhancement to our democracy… [It] gives the public, the media and other parties a right to access information about the way public institutions… are governed.”

The Committee recommended that consideration be given to reducing the amount of time an authority needs to take in searching for and compiling information:

“We would suggest something in the region of two hours, taking the limit to 16 hours rather than 18, but anticipate the Government would want to carry out further work on how this would affect the number of requests rejected.”

The Government, in its official response, said that it doubts that much will be achieved through the reduction of the costs limit. Though it was in favour of allowing additional factors to be taken into account in deciding whether the 18/24 hour cost limit has been reached:

“The Government does not share the assessment of the Committee that it is unfeasible to develop an objective and fair methodology for calculating the cost limit which includes further time spent dealing with information in response to a request. As such, the Government is minded to explore options for providing that time taken to consider and redact information can be included in reaching the cost limit.”

So whilst the Committee rejected the suggestion that reading, consideration and redaction time should also be taken into account when deciding whether the 18/24 hour limit has been reached, it could be that the Fees Regulations are amended to allow this.

At present the costs of different FOI requests can be aggregated only where the requests relate to the same or similar information and have been received within a 60 consecutive working day period. The Government may change this to make it even easier to aggregate costs. At paragraph 19 of its response, it stated:

“We will also look at addressing where one person or group of people’s use of FOIA to make unrelated requests to the same public authority is so frequent that it becomes inappropriately or disproportionately burdensome.”

According to the Telegraph an up front fee of up to £20 could be proposed for making an FOI request. This could lead to a large drop in requests as happened when Ireland introduced a €15 charge (which was eventually dropped).

Other matters on the table for discussion in the consultation paper include making it more difficult to obtain public authorities’ internal discussions (or excluding some from access altogether) and changing the way FOI is enforced. The case for strengthening the Act does not seem to be on the Commission’s agenda. The Campaign for Freedom of Information is coordinating the fight against possible restrictions to FOI. Over 140 media bodies, campaign groups and others have written to the Prime Minister.

In a separate move, the consultation paper and the impact assessment on tribunal fees were recently published on the Ministry of Justice website. The deadline for responses ended on 15th September. In future it could cost £100 to appeal, against an Information Commissioner Decision Notice, to the First Tier Tribunal (Information Rights) or the Upper Tribunal (if the case is transferred), and £500 for an oral hearing.

Tribunal fees will have a big impact on the number of challenges to public authority decisions. Overworked FOI Officers may initially see cause for celebration. However, if fewer appeals are heard the quality of FOI case-law on important matters of interpretation will suffer. Consequently application of the FOI exemptions, as well as other provisions, will become more difficult.

Interesting times for FOI Officers (and trainers!).

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops  which are delivered in online sessions and at his public courses.

“What’s that Skip? Someone’s got your Metadata? Crikey!” – Subject Access and Metadata in Australia

canstockphoto13858300

While strolling through the web one day,

Outside the very merry month of May,

Oh, look what I should find,

The web is wonderful and kind,

By giving me a case on metadata.

In recognition of National Poetry day last week, that was my shockingly brilliant (!!) effort at a short rhyme in aid of this blog post. I know, stick to the day job right? (And yes, I know that we are in October and not May).

As the rhyme suggests however, I was indeed browsing the web and I did indeed come across an interesting legal case looking at rights of access and metadata in telecoms/internet providers in Australia. Something of particular relevance at the moment in the light of the Australian Government announcing its new Data Retention Law.

In the news article and legal case an Australian citizen, Mr Grubb, exercised his rights under the Australian Privacy Act 1988 to ask for all information Telstra (a phone company) held about him. His request specifically asked for the meta-data associated against him:

“…I’d like to request all of the metadata information Telstra has stored about my mobile phone service (XXX XXX XXX).

The metadata would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called and so on. I assume estimated longitude and latitude positions would be stored too. This is the type of data I would like to receive.”

Although Telstra provided some data to Grubb, it refused to hand over internet protocol address information, edited versions of incoming call records and website URL information stating that retrieving the information would take disproportionate effort and therefore was unreasonable.

An appeal, dated May 2015, was brought to the Office of the Australian Information Commissioner who found in favour of Data Subject in parts and the Data Controller in parts. But in very interesting parts.

The Commissioner supported Telstra in its exemption of some pieces of information to do with telephone numbers of 3rd parties, particularly where those numbers had registered with a Telephone Preference type service in Australia. Telstra argued that it had no effective method of determining those numbers and removing them from the list therefore the entire list of inbound numbers to the Data Subject’s telephone line would be exempt.

The Commissioner did however reject a number of claims made by Telstra about the difficulty in retrieving and linking data to a person’s identity. Telstra relied in part on this submission to argue that certain types of Grubb’s data was not “personal information” because it could not be linked to the Data Subject’s identity. However, the Commissioner in his decision drew attention to Telstra’s provision of data to law enforcement agencies to show that it has (and has used in the past) the ability to process and connect different types of metadata to individuals.

It’s also interesting that since the case was initiated Telstra’s approach to customer access to metadata has shifted significantly. Telstra customers will now be able to access the same metadata about them (save for shared information) that Telstra would provide to law enforcement agencies, on request without a warrant.

Now while Australia is a very long way away from Europe this case does pose some interesting questions. I ran a search online for cases where metadata was refused under a Subject Access Request (SAR) but could not find any in the public domain. As we all know there are a growing number of laws appearing that require telecoms companies to capture and store such metadata for government access but to date I’ve not seen a similar legal challenge whereby the data has been refused in a SAR.

For those that don’t have much experience with metadata the Oxford English dictionary defines metadata as “a set of data that describes and gives information about other data”. In this context, telecommunications data, is data that is associated with an account and its usage (e.g. masts used, websites visited, numbers called) which on their own do not automatically equate to personal data,  but do so when associated with one number form the metadata of that persons account. Therefore it is personal data as it can identify them and/or be associated with them.

The current subject access request code of practice from the UK Information Commissioner’s Office doesn’t specifically talk about metadata being or not being personal data or in scope for a SAR. Based on the principles of the Data Protection Act 1998 (DPA) and the fact that such metadata can and is requested by law enforcement agencies and is used to identify you; I would argue that this is Personal Data, as defined by the Act, and should be provided to a requestor under subject access.

How does this sit under the current proposed EU Data Protection Regulation text(s)? Well, you won’t find the term “metadata” in the Regulation text anywhere so there won’t be a crystal clear stance on it. Instead we will need to look at the definition of Personal Data as proposed.

In the European Council’s text Chapter 1, Article 4 (1) it defines Personal Data as;

 “any information relating to an identified or identifiable natural personal (“data subject an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person).”

So while the new proposed definition doesn’t specifically call out metadata it does seem to imply that it would be. For example, your mobile number and all data that can identify your location (phone mast data for example) would be considered Personal Data under that definition; which isn’t that far removed from DPA definition of Personal Data.

On that note, following a brief search online I have not been able to find any cases on SAR and telecoms in the public domain. I can find plenty of commentaries and a remotely similar financial services case. I would therefore be interested to see if anyone knows of one currently ongoing or that has been tested in the courts / tribunal so far to date?

Currently the UK Government is looking to revive the so-called “snooper’s charter” under the Draft Communications Data Bill. Therefore if government agencies are to spy / monitor / keep / ignore my personal data then I think that we should, at any point, see what that personal data is. I bet mine is really rather dull…but it’s my dull data dammit.

Scott Sammons an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.

Surveillance under RIPA: neither a strict legal framework nor rigorously overseen – Sam Lincoln

Interesting post from Sam Lincoln, an ex OSC Chief Inspector. Sam is the author of our RIPA E Learning course: http://www.actnow.org.uk/content/185