Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

Act Now Book Draw – Week 7

The winner of last week’s Act Now Book Draw was Sue Gilbert from Coventry City Council.

Next week’s book is E-Privacy and Online Data Protection (Second Edition) by Susan Singleton.

The next draw will take place on Wednesday 11th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

Breaking (In) News from Sky


Is the Sky about to fall in on Rupert Murdoch? Yet again another of his news outlets is accused of breaking the law in the pursuit of a good story. Where will it end? Yesterday Sky News admitted in a statement that it had hacked emails belonging to members of the public on two separate occasions.

One incident involved targeting the accounts of a suspected paedophile and his wife. The other one involved the “dead canoeist” John Darwin. His wife Anne collected more than £500,000 in life insurance payouts while he hid in their marital home.  The pair were found guilty of the deception in 2008. In the run-up to the trial former Sky News managing editor Simon Cole agreed North of England correspondent Gerard Tubb could hack into Darwins’ Yahoo! email account. The full story can be read on the Guardian website.

The interesting aspect, from a legal perspective, is the legal repercussions for Sky News. It has stated:

 “We stand by these actions as editorially justified and in the public interest.”

Note that it says editorially justified, not legally.  As will be explained below, the offences involved do not contain a public interest defence.

Accessing a person’s computer (directly or remotely) without their consent to read their emails is a criminal offence under the Computer Misuse Act 1990 which is punishable with a fine or a term of imprisonment of up to 12 months. Section 1 (1) of the Act contains the elements of the offence:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured ;

(b) the access he intends to secure or to enable to be secured is unauthorised;

and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

There is no public interest defence in the Computer Misuse Act. However section 11 states that no proceedings can be brought for a section 1 offence more than three years after the commission of the offence. Darwin’s emails were accessed in 2008 and therefore a prosecution under S.1 is not possible.

Sky may also have committed a criminal offence under Section 1 of the Regulation of Investigatory Powers Act 2000(RIPA).  Here there is not time limit for a prosecution. The Guardian reports:

“The broadcaster also published a voicemail message on its website, dated 19 May 2007, in which Anne Darwin is clearly heard leaving a message for her husband. The voicemail, part of an interactive graphic, ends with her saying “I’ll try and catch you tomorrow. Love you,” which the broadcaster said showed “she was doing as much of the running as he was”.”

Section 1 makes it a criminal offence to intercept a communication in the course of transmission.  The listening to stored voicemails as well as accessing stored e mails all potentially fall into this category. The maximum penalty for such an offence is two years imprisonment. Again there is no public interest defence.

Once again this case bring into focus the highly dubious tactics of the media when trying to obtain information “in the public interest”. The setting up of the Leveson Inquiry and the inquiry by the House of Commons Select Committee on Culture, Media and Sport meant that at first the primary concern was about allegations of phone hacking by the News of the World.  However it has now become clear that hacking phones was just one part of the unscrupulous journalist’s toolkit. It also included buying information from the police, blagging sensitive personal information from public and private sector organisations and the hacking politicians’ computers to gain access to  their e mails.

There is now a very strong case for tougher regulation of the media especially when it comes to covert surveillance activities. My view is that, amongst other things, they should be subject to more of the RIPA regime as at present they only have to comply with certain aspects (Part 1 Chapter 1 – Interception of Communications). (see my earlier blog post earlier Blog post  for more).

This is a difficult time for the Murdochs and  Sky News. The broadcaster’s parent company, BSkyB, is subject to a “fit and proper” investigation being conducted by the communications regulator, Ofcom, in the wake of the News of the World phone-hacking scandal. Cleveland police say that enquiries are ongoing into how the emails were obtained.

No doubt there is much more to come. As Kay Burley would say, “Stay with us…”

We have a serious of courses on RIPA and Surveillance which also over the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.

Bigger Brother

The Coalition Agreement states that the government “will end the storage of internet and e mail records without good reason.”  This commitment is now in tatters as the Government wants the power to be able to monitor the calls, emails, texts and website visits of everyone in the UK.

The new law, which may be announced in the forthcoming Queen’s Speech in May, will require Internet firms to give intelligence agency, GCHQ, access to communications on demand, in real time. However it will not allow GCHQ to access the content of emails, calls or messages without a warrant. Civil liberties groups including Big Brother Watch have condemned this move as an unacceptable invasion of privacy.

At present Internet service providers are obliged to keep details of users’ web access, email and internet phone calls for 12 months, under the EU Data Retention Directive 2009. While they keep a limited amount of other data already on their own subscribers for billing and other commercial purposes, the new law will require them to store a much bigger volume of third party data such as that from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.

This is not the first time this idea has been floated. In October 2010, the Government announced its intention to introduce the Interception Modernisation Programme, at a cost of  £2billion. This latest announcement seems to be the same project but renamed “the Communications Capabilities Development Programme (CCDP)”. Details of the scheme will be published within weeks and will build on Labour’s abandoned proposal  (which was heavily criticised by the Coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use, initially in a central database.

The Law

Access to Communications Data in the UK is already governed by Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21-25). This sets out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. The legislation restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to fill (signed by a senior officer) out and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

Real Time

It is unclear as to how the new proposals will be different from the current system. There is talk of the security services being able to access data in real time. The current system normally gives access to historic data. It does allow real time access to certain organisations (including the police and security services) but only in an emergency to save life or limb or in exceptionally urgent operations. The authorisation forms still have to be completed and signed and served later on though. Maybe they are suggesting that the security services get carte blanche direct access into communications service providers’ systems. This would be unprecedented and certainly “Orwellian” to say the least. The potential for abuse would be massive.

Updating the Law

The Home Office Minister says they are updating the law “in terms of social media and new devices” – it is widely expected to include things like Facebook and phone calls via web-based systems such as Skype. If this means the agencies knowing when an individual visits these sites this is already allowed under the current regime known as traffic data (web browsing information). If the new system goes further and allows agencies to look at actual webpages visited  within a domain (e.g Facebook) and calls made (e.g from Skype) this would be a big extension of existing powers and much more intrusive. It gives the possibility of building up a picture of someone’s lifestyle, their movements, contacts, interests etc.; potentially  vast a amount of information which, if it gets into the wrong hands, can be quite damaging to individuals.

Safeguards

At present the checks and balances are very weak (self authorisation followed by a notice to the CSP). The proposals, which talk of access in “real time” and “on demand”, require much stronger checks and balances.

If it is really necessary for GCHQ to have access to such a vast amount of information, it should be subject to judicial approval. This could be a similar system to the one which councils will be subject to as a result of the changes to the RIPA regime to be made by Protection of Freedoms Bill. In the future any local authority request for communications data (however minor) will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the Bill.) After all, the powers that the police and intelligence agencies have under RIPA to undertake surveillance and acquire communications data are much wider than those of local authorities.

There are also legitimate concerns about what would happen if the information held and accessed on individuals by GCHQ gets into the wrong hands. Can we really trust the law enforcement agencies not to mishandle such data? Only recently allegations have surfaced that that the police have been misusing their powers under RIPA to assist the tabloids to locate the whereabouts of celebrities and other persons of interest.

The Government needs to think carefully about its plans. If these new proposals are enacted there is a massive potential for misuse. It will provide a rich seem of information which may be bought by journalists from unscrupulous police and intelligence officers. This could lead to further erosion of trust in the police and Government. Of course “the Devil is in the detail” and we wait to see how the Government will address these concerns.

We have a series of courses on RIPA and Surveillance which also over the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.

Open Wide


Popped into the dentist for a filling today. The old one fell out with a chewy caramel bar. On arrival I was given a form to fill in with my personal details and medical history. 
 
“Just an update dear” simpered the receptionist.
 
I read it as I was waiting. Name, OK, address OK, phone, mobile, email. Hmmmm. Occupation? At that moment the dentist called me in so I started quizzing him on the form. It wasn’t easy when he started prodding around in my mouth but afterwards I asked a few obvious questions. 
 
Why do you need my occupation to treat me? 
 
“We don’t actually. Err It’s not my form it’s supplied by a 3rd party. 
 
Sound like a data processor wagging the data controller to me…
 
Why do you need to know the amount of units of alcohol I consume each week?
 
“Alcohol is a major factor in oral cancer”
 
OK I’ll give you that one.
 
Do you share my data with my doctor or the local hospital?
 
“No we don’t. I suspect they don’t talk to each other. ha ha. Why are you asking all these questions?’
 
My job involves working with Data Protection.
 
“Oh it’s OK we have a Data Protection Certificate downstairs in reception. We won’t pass your data to anyone. Ha ha. It’s all just paperwork that we have to fill in”.
 
Not particularly reassuring. No DP statement on the questionnaire. No understanding of Notification or Certification (whatever that is). No idea about the data controller/data processor situation. Some Principle 3 considerations. Who trains dentists? What time do chinese people go to the dentist?
 
We know that one. 2-30.

We have a hole in our programme when it comes to training dentists. However, our basic DP course may be of use.

Act Now Book Draw Week 6

The winner of this week’s Act Now Book Draw was Peter Dinsdale from Newcastle University.

Next week’s bookGringras: The Laws of the Internet (3rd Edition) is Gringras: The Laws of the Internet (3rd Edition) by Elle Todd.

The next draw will take place on Wednesday 4th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

FOI Can Make You Money

Ibrahim Hasan has done a guest blog post for the Save FOI Blog. He says…

“Many public authorities have expressed concerns about the Freedom of Information Act 2000 (FOI) being “abused” by the private sector. They have cited examples of information requests where they are effectively asked to do unpaid research or to supply facts, figures and statistics, which are then repackaged and sold on for profit with little return for the authorities. Many have taken the opportunity to present evidence to the Justice Select Committee  about the cost of dealing with FOI requests. Although some of the figures cited are somewhat dubious, there seems to be groundswell of opinion that the price of openness and transparency is too high. But how many of the same public authorities have considered the forthcoming changes to the FOI regime which may well assist in defraying some of the costs?

The Protection of Freedoms Bill will provide an opportunity for public authorities to raise much-needed revenue from the licensing of some information released pursuant to FOI requests.

READ MORE: http://savefoi2012.wordpress.com/

Freedom of Information Workshops from Act Now Training Ltd
Venues: London, Manchester, Cardiff, Birmingham
Click here for more details

Act Now Book Draw Week 5

The winner of this week’s Act Now Book Draw was

Gill Fildes from Swansea Metropolitan University.

Next week’s book is Surveillance and Intelligence Law Handbook by Dr Victoria Williams, a barrister at 2 Gray’s Inn Chambers. Full annotated text of RIPA 2000 with case law, codes, rules & regulations.

The next draw will take place on Wednesday 28th March at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

Covert Surveillance and RIPA Update – 1st May 2012, Manchester

The latest changes to Part 2 of the Regulation of Investigatory Powers Act 2000

Click here for more details

FPN & CCTV

Not sure why but when a normally rational DP officer is asked to produce a Fair Processing Notice for a CCTV camera they seem to lose track of reality and forget the basics. Name of Data Controller; purpose of processing, contact details.

Here’s a simple example.

Forgot almost everything and also made the mistake of telling people that they were using hidden cameras. Hidden engages RIPA. Easy mistake to make.

Another fine example of this on the right is a well known police force.

Clearly they thought about what to put on their sign but managed to get it spectacularly wrong.

And while the Act Now staff are abroad they also keep their eyes open for interesting signs. Souriez means Smile. We’ve seen versions of this in the UK.

And a colleague sent the following to me knowing I had a library of CCTV signs collected on my travels.

 

 

 

 

How we laughed… But then we realised… what do our CCTV signs look like? Is anyone snapping ours and showing them off as not actually very good…   Send us your signs.

CCTV and the Law Workshop – Watching You Watching Them More details – http://www.actnow.org.uk/courses/714

Act Now Book Draw Week 4

Information Rights in PracticeThe winner of this week’s Act Now Book Draw was

Donald Maclean from Perth College.

Next week’s book is Information rights in practice by Alan Stead.

The next draw will take place on Wednesday 21st March at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

R.I.P. Tiddles – A Cat’s Tale

Maybe it was when he realised he couldn’t access his medical data (through his human owner); maybe it was the lack of a satisfactory diagnosis; maybe it was feline immunodeficiency virus that caused the lesions on all limbs and the infection in his nose and ears but Tiddles disappeared Tuesday morning at 8 am after a full pouch of Felix salmon in jelly. His owners spent 88 hours ch chewing at the front door but it looked like he’d run away to die (research on google revealed that this was a likely outcome). Friday evening and he turned up out of the blue looking very weak and bedraggled. Following day he was taken to the second opinion who made an appointment for an emergency FIV and leukaemia test at a local animal hospital. Despite a negative test the vet decided that the best advice was to put him out of his misery. He’d lost 35% of his body weight; had difficulty walking, slept 23 hours a day and was wasting away. He was 5 years old. At 1400 on Saturday 10th March Tiddles moved outside the scope of the Data Protection Act although he never had any Principle 6 rights as he failed most of the Durant tests. This post not tagged DP or privacy or SAR or anything. Just a shaggy cat story.

%d bloggers like this: