New Data Sharing Powers in the Digital Economy Bill


Much has been written about the complexities of the current legal regime relating to public sector data sharing. Over the years this blog has covered many stops and starts by the government when attempting to make the law clearer.

The Digital Economy Bill is currently making its way through Parliament. It contains provisions which will give public authorities (including councils) more power to share personal data with each other and, in some cases, with the private sector.

The Bill has been a long time coming and is an attempt by the Government to restore some confidence in data sharing after the care.data fiasco. It follows a consultation which ended in April with the publication of the responses.

The Bill will give public authorities a legal power to share personal data for four purposes:

  1. To support the well-being of individuals and households. The specific objectives for which information can be disclosed under this power will be set out in Regulations (which can be added to from time to time). The objectives in the draft regulations so far include identifying and supporting troubled families, identifying vulnerable people who may need help retuning their televisions after changes to broadcasting bands, and providing direct discounts on energy bills for people living in fuel poverty.
  2. For the purpose of debt collection and fraud prevention. Public authorities will be able to set up regular data sharing arrangements for public sector debt collection and fraud prevention but only after such arrangements have been through a business case and government approval process.
  3. Enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died).
  4. Giving the Office for National Statistics access to detailed administrative government data to improve their statistics.

The new measures are supported by statutory Codes of Practice (currently in draft) which provide detail on auditing and enforcement processes and the limitations on how data may be used, as well as best practice in handling data received or used under the provisions relating to public service delivery, civil registration, debt, fraud, sharing for research purposes and statistics. Security and transparency are key themes in all the codes. Adherence to the 7th Data Protection Principle (under Data Protection Act 1998 (DPA)) and the ICO’s Privacy Notices Code (recently revised) will be essential.

A new criminal offence for unlawful disclosure of personal data is introduced by the Bill. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. The prison element will be welcomed by the ICO which has for a while been calling for tougher sentences for people convicted of stealing personal data under the DPA.

The Information Commissioner was consulted over the codes so (hopefully!) there should be no conflict with the ICO Data Sharing Code. The Bill is not without its critics (including Big Brother Watch), many of whom argue that it is too vague and does not properly safeguard individuals’ privacy.

It is also an oversight on the part of the drafters that the Bill does not mention the new General Data Protection Regulation (GDPR), which will apply from 25th May 2018. The GDPR is much more prescriptive about Data Controllers’ obligations, especially on transparency and privacy notices.

These and other Information Sharing developments will be examined in our data protection workshops and forthcoming webinar.

Illustration provided by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

DPO or not to DPO: The Data Protection Officer under GDPR


The General Data Protection Regulation (GDPR) is nearly upon us and one of the elements is the requirement for certain organisations to have a Data Protection Officer.

This throws up some interesting issues. A qualified, experienced data protection officer is a valuable commodity. They do exist but command salaries approaching £50,000 in large organisations (stop laughing at the back) and if you’re a small organisation they’re not going to work for you for peanuts. So where do you find a qualified, experienced DPO?

Secondly, will there be a requirement on you to have one? It looks like there will be three clear cases:

  1. processing is carried out by a public authority;
  2. the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities consist of processing on a large scale of special categories of data.

But to go back to the DPO: what does qualified mean? Yes, there are qualifications out there. The accepted gold standard in the UK is the BCS certificate, which has 40 hours of training plus a testing 3 hour exam. Other firms in the sector offer their own versions and most of them involve significant study (30 or 40 hours) plus an exam. Other qualifications exist, like our GDPR Practitioner Certificate and the CIPP certifications from the International Association of Privacy Professionals (some aimed at US and some at European practitioners), but the question everyone wants answering is which qualifications will satisfy the GDPR?

Do training providers have to apply for acceptance or endorsement from the EU or their national regulator? Will the content of these courses be examined or will a standard be set and the training providers tailor their material to a certain level or will it be a free for all with no standard to work to? Do you want a DPO who knows how to conduct a Privacy Impact Assessment or who knows about International Data Transfers or one with an understanding of the history of Data Protection? Or will there be a requirement to study a certain (large) number of hours to demonstrate competence? At the moment it looks like all the DPO will need is “sufficient expert knowledge” which doesn’t in itself mean a qualification.

Other skills required by a good DPO are those of diplomat, trainer, advisor, confidante, interpreter, persuader, listener, friend to requestors, and policy and procedures writer. They need the ability to talk to the top level of the organisation yet explain complex law in plain English. Not your run-of-the-mill person.

It looks like the route map envisages the DPO as an employee, but one with a different type of outlook. Privacy is becoming a big vote winner; organisations that don’t respect customers’ privacy will feel the backlash of disgruntled consumers. The role really needs someone who is part of the organisation, is present at all times and understands the data processing systems of their employer, but who is detached enough to be able to criticise their own organisation.

There is a way out for small organisations who think they need a DPO to ensure they are fully compliant with the new Regulation. Don’t give the job to an existing member of staff and expect them to learn it on the job, and don’t appoint a knowledgeable, qualified, experienced but expensive DPO: bring in an external one you can use as and when you need them.

Externals have significant benefits. They don’t work full time, so the on-costs disappear; you can bring them in as required for short-term, task-and-finish assignments; you save the costs of training and continuing education for an internal data protection officer; and your staff will react better to an external who appears to have the status of a “consultant”.

Externals also won’t have any political or organisational baggage and can act in an unbiased manner without fear for their job. An external data protection officer also has no worries about favouring certain departments or individuals in the company. Many organisations appoint their Head of Legal as their DPO which brings with it the ethical/legal/best course of action conflict. An external won’t need to bother with this.

You can concentrate on your core business and the external can take care of your data protection.

Once you have appointed an external DPO they will carry out a detailed audit of your data protection compliance. They will then identify possible data protection issues and legal risks and explain what is required to remedy them. Then you can start making the necessary changes. Your business will soon be in full compliance with current data protection laws.

But it doesn’t stop there. The external DPO will be on call and can discuss day-to-day DP issues by phone or email for a small fee. If more detailed work is required further fees and timescales can be agreed.

Working with an external data protection officer (EDPO) is based on a consulting agreement. There may be a retainer fee plus an hourly or daily rate. If your data protection needs are low you may not have to consult your EDPO too often.

Not surprisingly EDPOs are starting to appear on the web. They’re quite common in Germany and it’s likely they will become a staple in the UK. Various UK law firms advertise such a service but unsurprisingly the rates they charge are not on view. It might end up costing more than you think especially if you opt for a ’big’ name.

There’s also the scope however for sharing a DPO. This has already happened in various parts of the country as cash strapped rural councils pay for a percentage of a DPO and have them on site part of a week.

At a recent educational conference a group of 30 schools in the same region kicked around the idea of each contributing to buy a DPO for all of them, who would fulfil their information law obligations. It sounds quite a good idea until you realise there are only about 240 working days in a year, so each school would have 8 of those days to itself and the shared DPO would run up a significant petrol expenses tab. A few rural councils with a shared DPO would get a much better deal.

Sadly GDPR is not well understood and there are those who think Brexit will derail it (it will not), but a wise organisation should be thinking now about if and when it will need a DPO, what qualification they will have and how to find one.

An external who is called on infrequently might appear to be the cheapest option but might have further hidden costs, and a part share of a DPO might be a good short-term solution, but would either be as good as the expert knowledge and day-to-day hands-on work of a full-timer?

Good news for Data Protection Officers…

We are running a series of GDPR webinars and workshops and our team of experts are available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. Our GDPR Practitioner Certificate (GDPR.Cert), with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring for such positions.

Privacy Notices under #GDPR: Have you noticed my notice?

Please also read our updated blog on privacy notices here.

As you all know by now the General Data Protection Regulation (GDPR) is here and it is (as predicted) starting to get various people fired up ready for its 2018 implementation date. (Dear reader, it is still relevant despite the Brexit vote.) We’ve been exploring various aspects of the GDPR and in this particular blog I want us to look at the concept of privacy notices and what they will need to start looking like under the Regulation.

Data Protection Act 1998:

Under the current Data Protection Act 1998, and indeed the Information Commissioner’s Office Privacy Notices Code of Practice, a privacy notice should appear at any point where personal data is being collected from a Data Subject, especially if it is being collected for a new purpose. In that notice Data Controllers should (at the very least) include the following;

  • The identity of the Organisation in control of the processing;
  • The purpose, or purposes, for which the information will be processed;
  • Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st Principle).

The requirements also state that this information must be clear and in ‘plain English’ and that your purposes cannot be too vague. The vaguer the purpose, the less likely it is to support a valid consent (or indeed a valid notification if you are not relying on consent).

While privacy notices vary, most of them aren’t much longer than your average paragraph (the paragraph I’ve just written, for example) and that, providing it’s clear, concise and meets your legal grounds for processing, is generally how privacy notices work under the Data Protection Act 1998. Further information on a Controller’s processing is then often set out in Terms and Conditions, either in the contract paperwork or online.

The New World:

The GDPR builds on the current expectations around privacy notices but expands on the requirements based on the widened first principle which now specifically requires controllers to be transparent with their processing.

Article 13 Paragraph 1 (a-f) of the GDPR outlines that the following information should be provided to the data subject at the point of data collection;

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Depending on what processing is going on, Article 13 Paragraph 2 (a-f) states that controllers will also need to provide some of the following;

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Now if you are engaging in some quite complicated processing, like in the insurance industry for example, your new notices under GDPR are going to need to strike a balance between being ‘too much information’ and being far too simple and high level that they don’t actually meet your transparency requirements to demonstrate effective notice or consent.

Article 13 Paragraph 3 also states that, where a controller intends to process personal data for a purpose other than the one for which it was collected, the controller shall provide the data subject (prior to that further processing) with information on that other purpose and any other relevant information from paragraph 2.

I’ve attempted to ‘mock up’ what one of these new notices could look like. This is very much an imaginary one, but if we assume that a controller is processing Personal Data to deliver a fairly straightforward service, their notice may look something like this;

Your Personal Data:

What we need

The A Notice Ltd will be what’s known as the ‘Controller’ of the personal data you provide to us. We only collect basic personal data about you which does not include any special types of information or location based information. This does however include name, address, email etc.

Why we need it

We need to know your basic personal data in order to provide you with notice writing and analysis services in line with this overall contract. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.

What we do with it

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information is located on servers within the European Union. No third parties have access to your personal data unless the law allows them to do so.

We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework can be found on our website.

How long we keep it

We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information. More information on our retention schedule can be found online.

What we would also like to do with it

We would however like to use your name and email address to inform you of our future offers and similar products. This information is not shared with third parties and you can unsubscribe at any time via phone, email or our website. Please indicate below if this is something you would like to sign up to.

Please sign me up to receive details about future offers from A Notice Ltd.

What are your rights?

If at any point you believe the information we process on you is incorrect you can request to see this information and even have it corrected or deleted. If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).

Our Data Protection Officer is Notice McNoticeface and you can contact them at mypersonaldata@anotice.com.

This example is working on the assumption of a simple data processing arrangement. The more complex your data processing, the more complex that notice and consent capture will need to be. But it must remain comprehensible to the average consumer and cannot be a work of ‘legalese brilliance’ that makes no sense to those not trained in law.

I suspect that notices will allow ‘outlines of categories’ of types of processing and third parties however we shall see how big these categories can be. After all, the bigger the ‘bucket’ the less you are actually giving a robust ‘informed’ notice to a data subject.

In addition to all of this, Article 14 states that should you obtain Personal Data via a means not direct from the Data Subject themselves you also need to provide a notification to them (with some exceptions);

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The requirement is to provide them with very similar information that you would provide to them if you collected the data directly. How you do this will be a matter of some discussion to come but excluding the reasons outlined in Article 14 (5) (a – d), if you aren’t collecting directly you will now need to take steps to advise and ‘notify’ the Data Subject of what you are up to.

Now that is quite a long list of things to notify a data subject of, especially if you are delivering various services to the data subject (and collecting data on them) via various means. But Article 13 Paragraph 4 (and, for data not collected directly, Article 14(5)(a)) does say that all of the above shall not apply where the data subject already has the information. So, for example, if a customer is simply renewing a service and nothing about the provision of that service (the processing) has changed, then there is no obvious requirement to re-issue the original notice at the point of renewal.

We will delve into the concept of consent at another time (very soon), but the requirement to be transparent, together with the requirement to ensure you have a clear and documented consent, means that privacy notices are going to have to become more than just a long legal document, though not that far away from what we are doing today (assuming we are doing them correctly, that is).

More on privacy notices here.

Scott Sammons CIPP/E, AMIRMS is an experienced Data Protection & Information Risk practitioner and a consultant with Act Now Training.

If you need to raise awareness about GDPR, our GDPR e learning course is ideal for frontline staff. Advice and guidance on GDPR is available through our GDPR helpline.

GDPR Practitioner Certificate – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

DP and #GDPR after #Brexit


For the last six months, Data Protection experts, novices and agnostics have talked of little else but the General Data Protection Regulation, the new version of Data Protection law that will hold sway consistently across the 28 members of the European Union from the 25th May 2018.

Well, about that. 28 now becomes 27, as the United Kingdom has decided by a slim margin to vote itself out of the European Union and sail off into the Atlantic. So what does this mean for the GDPR? Do we wave goodbye to the mandatory Data Protection Officer, the Right to be Forgotten and the joys of impact assessments?

The short answer is no. The Information Commissioner has already announced that the only way forward for the UK’s creaking Data Protection legislation and its relationship with Europe is UK legislation as close to the GDPR as we can get. Every serious commentator in the Data Protection world (and all the others) is saying the same thing. The consensus is impressive but unsurprising – the redoubtable Max Schrems has proved how much creative mischief can be wrought if a country does not have a sound data protection relationship with the EU. Some of the comments coming out of the EU today make it clear how difficult it will be to achieve that relationship, so the one thing we cannot be certain of is when things will become certain.

Sooner or later, the GDPR or a close relation of it will replace the DPA in the UK. However, it is impossible to say when. Every business that offers services to EU citizens will be caught in limbo from the moment the Regulation goes live in the EU, struggling to balance the DPA in the UK and the GDPR abroad, or just succumbing to the GDPR on the basis that operating the higher GDPR standards will not cause them problems here.

In the meantime, what should organisations do? Our advice – keep your eyes peeled for the timetable for GDPR’s inception here, but look to your DP compliance now.

Consent

Whether you’re UK based or operating across the EU, the version of consent popular in the UK (implied, opt-out, buried in terms and conditions) isn’t consent. The ICO has taken enforcement action under both the DPA and the Privacy and Electronic Communications Regulations (PECR) to this effect. Look everywhere that you rely on consent – you need freely given, specific and informed consent.

Fair processing

Linked to this is the issue of privacy policies and fair processing. It’s clear that the ICO does not think that long, legalistic fair processing notices are acceptable, so concentrate on communicating clearly with your customers, clients and service users.

Impact assessments

The difference between the ICO’s code on Privacy Impact Assessments and the Regulation’s requirements on impact assessments is very thin. Although the Regulation’s bold demands for Data Protection by Design (bold but not especially well explained) will only bite when we implement it, the ICO has been advocating pro-active impact assessments in advance of new projects for a long time. We strongly advise you to look at the ICO code now – it’s current good practice (and sometimes the ICO will enforce if you don’t). Moreover, it’s a dry run for the impact assessments and design principles that the GDPR will ultimately require.

Data Processors

Find every contractor and agent that your organisation does business with. Make sure there is a binding legal agreement between you and them. Like other steps we are mentioning here, this is self-preservation for the present as much for the future. If cloud computing is “your data on someone else’s computer”, then processors are “your data in the hands of someone who isn’t covered by the Data Protection Act”. Find them. Get contracts in place. Make sure they’re being followed.

Deletion

The GDPR Right to be Forgotten is a different beast to anything that the European courts have created under the current regime, and it is underpinned by a need to delete data from systems that process personal data. It’s well worth looking at how you might delete data and finding out where deletion / overwriting of data is difficult. When the GDPR lands, deletion will be a massive headache, but if you can’t delete now, you can’t comply with the existing Data Protection principle on retention.

Security

Every organisation needs a viable, appropriate, effective and validated security framework. Data Protection compliance under the DPA and the GDPR isn’t about incidents, it’s about effective and verified methods to prevent them, whether technical or organisational. Security isn’t everything that Data Protection is about, but there is no question that the highest penalties will still apply to poor security frameworks. The extra detail in the GDPR about security – especially what good security requires – is essential guidance and well worth implementing.

BUT WHAT ABOUT….

Act Now is not predicting when the GDPR will come to the UK. Anyone who predicts confidently when it will arrive is fooling you, or themselves. The GDPR also contains a mandatory Data Protection Officer, mandatory breach notification and a whole lot else besides. It might be that the UK Government acts quickly to bring in legislation to introduce the whole package. However, while we might be confident that the GDPR is on its way, we’re not certain about when. Our advice is to work on the foundations now, and get ready to put the new GDPR structures on top when the timetable is a little clearer.

And that’s definitely not now!

Act Now continues to receive bookings for its GDPR workshops for which new dates and venues have been added. Our Data Protection Practitioner Certificate is ideal for those who want a formal qualification in this area. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

We don’t hold your data! (well… not for long anyway).


Dear Sir or Madam:

I recently received a mailing from you.

I’d like you to send me a copy of the personal data you hold on me.

I am particularly interested in where you obtained my name and address from.

The numbers on your mailing are

8666U501J01101

XA4416175

I’d like you to explain what these mean.

Regards etc

Dear Mr xxxx

Thank you for your email. Firstly, we can confirm that we do not have any of your personal data on our records of any kind.

The recent Christmas appeal which you received, was sent out as part of our Christmas campaign. During this campaign, we purchased some contact details from a third party supplier for temporary use – these details are not stored on our database and are no longer in our possession.

In this instance, your details were selected for The Christmas Appeal – which also includes a Christmas appeal reminder which you are likely to receive in the next 2-3 weeks, and, unfortunately, as the mailings are selected far in advance, it is not currently possible to prevent this mailing from being sent. Please accept our sincere apologies for any inconvenience this may cause you. However, we confirm that we do not hold any of your data on our database.

The DM code you have listed below indicates that your details were temporarily given to us for a one-off use.

The XA code you supplied is your reference number and is not stored on our own system in any way.

What a great reply! We don’t have any data on you; we did have a while ago to send you an unsolicited letter but it was only held temporarily and besides we bought it from someone else. We’ve checked the reference numbers you gave us even though we don’t have them on our systems.

And we won’t be processing your data while we hang onto it for 2 to 3 weeks so we can send you a reminder about the unsolicited begging letter we just sent.

Am I the only person who finds this unacceptable? Or is this the norm for the charity sector? Just for clarity the ICO says

“Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data”

So that’s 3 processing operations at least – obtaining, mailing and holding. Maybe even destruction if in fact they do delete it. (Next Xmas will tell me this.) The ICO doesn’t give an exemption for ‘temporarily’ processing it.

When Christmas (the season of good cheer and peace to all data subjects) arrives, is it part of the festive spirit (or even lawful?!) to buy a wodge of names and addresses that you have no relationship with and then mail them two (count them) begging letters; and when someone makes a subject access request say, “We do not hold any data on you – we did last week but it’s disappeared. We might hold it again in a week or two but only for a short time and then it will disappear again.”

This organisation is a good organisation. I support their aims and like listening to their brass bands outside supermarkets in the run up to Christmas, but I find their marketing activities dubious. It may just affect my giving to them this year.

The Investigatory Powers Bill: Implications for Local Authorities


The government’s controversial Draft Investigatory Powers Bill was published in early November. Amongst other things, the Bill:

  • Requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and some public bodies.
  • Makes explicit in law for the first time the Security Services’ powers for the bulk collection of large volumes of personal communications data.
  • Makes explicit in law for the first time the powers of the Security Services and police to hack into and bug computers and phones. It also places new legal obligations on companies to assist in these operations to bypass encryption.
  • Requires internet and phone companies to maintain “permanent capabilities” to intercept and collect the personal data passing over their networks. They will also be under a wider power to assist the security services and the police in the interests of national security.

Much has been written about the civil liberties implications of the new Bill, dubbed “the Snoopers’ Charter.” It has been criticised by the United Nations, the Opposition and civil liberties groups.

A Committee has been formed to consider the key issues raised by the Bill, including whether the powers sought are necessary, whether they are legal and whether they are workable and clearly defined. The Committee is now inviting written evidence to be received by 21st December 2015 (call for evidence).

Some of the questions the Committee are inviting evidence on include:

  • To what extent is it necessary for the security and intelligence services and law enforcement to have access to investigatory powers such as those contained in the draft Bill?
  • Are there sufficient operational justifications for undertaking targeted and bulk interception, and are the proposed authorisation processes for such interception activities appropriate and workable?
  • Should the security and intelligence services have access to powers that allow them to undertake targeted and bulk equipment interference? Should law enforcement also have access to such powers?

The Committee is due to report back by February 2016.

What will the effect be of the Investigatory Powers Bill on local authorities? Is it true that councils will be given powers to view citizens’ internet history (according to the Telegraph)? The answer is no.

Sam Lincoln has written an in-depth analysis of the bill, detailing and dissecting its various points. Please take a look here.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection. Our 2016 RIPA workshops will include an update on the Bill.

SMILE! You’re on our Mailing List!

Charity envelope time again. And yet again another organisation I had no relationship with at all. This time it was a big one with offices in…are you ready…

UK, USA, India, China, Philippines, Latin America, Mexico, Brazil, Africa, Indonesia, Vietnam, Middle East & North Africa and Bangladesh.

Surprisingly in all these locations they couldn’t find a data protection expert to run his eye over their Privacy Policy. This is puzzling as you can find good information about their accounts and activities quite easily on the web. (£7m donations in 2014 and over 125,000 children helped all over the world). They look like they’re doing a good job except for the unsolicited mailing that dropped through my door today.

They sent 2 full colour glossy A4 double sided leaflets, 10 sticky gift tags to attach to Xmas presents, an A5 double sided full colour leaflet, an eight page A6 booklet about their work, a donation form to return and an envelope. If they’d not spent their money on these pieces of coloured paper, 2 of which were customised to say my name and address, they might have had more in the kitty to help the children they featured in their leaflets. Nowhere on any of these pieces of paper is there a mention of the Data Protection Act. Nor is there a phone number so I could tell them quickly I didn’t want their unsolicited mailing. Presumably their marketing expert advised them not to offer this simple mechanism of objecting as it might result in people using it. So I found their website and had a look.

After a while I found their Privacy Policy. It was extensive and told me a lot about the cookies it used. No mention of the Data Protection Act again. Some of the interesting sections were:

1. Your acceptance of this policy

By using our site, you consent to the collection and use of information by XXXXXXX in accordance with our Privacy Policy. If you do not agree to this Policy, please do not use our site. In order to fully understand your rights we encourage you to read this Privacy Policy.

(Mmm a good one to start with. You have to use the site to find the policy before you can read it, but by using the site you have already agreed with their policy even though you haven’t read it, which they want you to do).

2. Changes to this privacy policy

XXXXXXXX reserves the right at any time and without notice to change this Privacy Policy simply by posting such changes on our site. Any such change will be effective immediately upon posting. Your subsequent use of this website after we have made changes to this policy (including the submission of information on our donation form) will be deemed to signify your acceptance of any variations that we make.

(So when they change something and before you find out about the changes by reading their policy you have already agreed to the changes you haven’t yet read about).

3. Sharing your information with third parties

From time to time, XXXXXX allows other worthy organisations to send communications to our donors via direct mail. We carefully screen these organisations to ensure their services may be of interest to our supporters. If you do not wish to hear from these organisations, please let us know by contacting us.

(Wow what a good one. Firstly that great phrase “from time to time”. I thought this had died out but here it is again, and what it really means is “whenever we feel like it…”. The following few words show the staggering arrogance of the organisation. We ALLOW other worthy organisations to send communications to OUR donors. Despite the fact that there is a law that prohibits this they ALLOW it, and the donors aren’t free thinking individuals – they belong to the organisation and the organisation can do with their personal data what they want. Did the Slavery Abolition Act of 1833 have a clause in it exempting charities? Er… no. And there’s more – what is a worthy organisation? One that helps children? One that only uses recycled paper? One that pays their directors in bitcoins? We have no idea what this cute little phrase means. It implies that Data Controllers don’t have to bother with Principle 2 if you’re passing data to ‘worthy’ organisations.

It gets worse. The last element is giving you the right to write to them and object to receiving communications from what they think are worthy organisations that have been through a screening process although you don’t know much about their screening methods if they do in fact exist, and ended up on a list of organisations they sell your data to but which they may not keep).

It seems they are relying on the mythical but desirable exemption in the Act that says Charities are completely exempt from the DPA and also it seems exempt from writing simple Privacy Policies in Plain English.

Read more about how the EU Data Protection Regulation will change the DP landscape. Attend our full day workshop.

Sainsbury’s and Data Protection – They have your number (and it’s not on your nectar card).

It shocked me on Sunday morning (a few months ago) when driving into our local Sainsbury’s car park. Through bleary eyes I suddenly saw my registration number flash up on a display in front of me. It also said my 2 hours of free parking would end in precisely 1 hour and 59 minutes. After parking and doing a bit of investigating I found that they’d fitted cameras at the only entrance (which was also the exit) so they could snap you on the way in and on the way out and thereby obtain evidence (or not) of your length of stay. This isn’t new. Many car parks have been doing this for years but it does raise a few issues.

Filming and collecting personal data is OK as long as a Schedule 2 condition of the Data Protection Act is fulfilled. (I suppose, going off on one for a moment, that filming at a hospital car park might require a Schedule 3 condition but that’s an argument for another day). The simplest Schedule 2 condition is consent, as the other 5 require a ‘necessary’ element. Do Sainsbury’s have your consent? Did you know that filming was going to happen before you attempted to enter their car park, or did it only register when your number plate was staring back at you? If you were filmed before you knew you’d been filmed the consent is out of the window.

Once inside the car park you could see signs that told you more about the filming. Looks good to start with but the small print really is small and is also 8 feet up in the air (that old joke again!). I couldn’t actually read the small print. Basic fact remains that the Fair Processing Notice whatever the quality of it was only available after the processing took place.

So far we’ve missed out on an obvious Schedule 2 condition and missed the fair processing element of Principle One. What else could go wrong? If the sensible Sainsbury’s shoppers don’t overstay their welcome they won’t be troubled by a bit of DPA non-compliance. But if they do go over their limit will Sainsbury’s do nothing or will they take the registration number they acquired unlawfully and unfairly and further process it by finding out more personal data about the driver and sending him/her a penalty notice?

It may be that they’ve explained all this very well somewhere but as an everyday shopper in a rush I didn’t see it. It may also be that holding the information about a car, then its owner and its address, is proportionate if by so doing they allow you to stay a couple of minutes extra checking out the different brands of Prosecco, but it could also be argued that it is not. A recent court judgment about parking is interesting:

https://www.supremecourt.uk/cases/docs/uksc-2013-0280-judgment.pdf

It seems to come down in favour of disproportionate penalties for parking and while it may be appealed the current climate is not very temperate.

The fact remains that Sainsbury’s have obtained your car’s number plate without giving you fair warning and are holding it and probably further processing it.

The old joke? What lies on its back 8 feet up in the air.

Answer: A dead spider!

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Jumping on the charity bashing gravy train.

Returned from holiday to a mountain of mail. Usually this is good fun but recently it’s turned into a nightmare of more and more charity mailings. First off today was British Heart Foundation. A good cause and I walk voluntarily into their charity shops regularly to find bargains and do my bit. But because of recent publicity about charity mailings I took a hard line. I rang them up and asked to be taken off their mailing list. The operator was polite and efficient. She asked for the code next to my address beginning 52A so she could add me to their suppression list but when I quoted it she said I wasn’t actually on their mailing list. Strange – I am looking at a letter addressed to me at my address asking for money from BHF.

She was quick to explain however that it was a one off mailing using data supplied by a 3rd party so they didn’t actually process my name and address. They just used it. I trotted out the well worn definition of processing that all BCS certificate holders know and she did admit that it looked as if they were processing after all. I asked who was the 3rd party and it turned out to be Senior Rail Card.

(as an aside these are managed by ATOC Ltd which manages the contract for the issue and use of the Senior Railcard on behalf of the Train Companies. Reference to a ‘Train Company’ or the ‘Train Companies’ means those Train Companies which, pursuant to a franchise agreement, operate Passenger Railway Services in Great Britain. Their website has a cookie policy but no privacy policy. Nowhere on their website do they assure you that they will only use your personal data to supply you with a senior railcard. Nowhere do they inform you that they will pass it on to anyone else.)

To be honest it wasn’t Senior Rail Card who gave my details to BHF, it was Media Lab Group; BHF told me at the same time they told me about Senior Rail Card.

Media Lab has a website where it says

“The media landscape may have changed, but the need for data hasn’t. That’s why at Medialab, we live and breathe data. It’s at the centre of everything we do. Our data-driven approach allows us to develop successful multi-channel media plans that are built on econometric analysis, innovation and a passion for our clients’ results. As a leading integrated direct response agency, we plan campaigns for the UK’s leading brands including National Trust, Post Office and Macmillan.”

Bizarrely for a data driven company they don’t have a privacy policy either. They were the company that gave my data to BHF. They got it from ATOC. I’m not sure how the transfer of data was made or whether money changed hands. We just don’t know. But I thought when I bought my senior rail card that my personal data would only be used for me to get cheap rail fares, not to donate to heart charities or end up in the hands of list brokers.

The efficient BHF operator said she couldn’t delete me from their mailing list as I wasn’t actually on it. The list really belonged to Media Lab Group. They only used it to mail me. (Did someone at the back say Data Processor agreement and breach of Principle 7?).

However she had a solution to my predicament. She would add me to their database and immediately add me to their suppression list. Brilliant.

Next Alzheimer’s. Not as we first thought the Alzheimer’s Society (See comments) but another organisation working in this sector.

They also asked for money (or any donation will do) and they did have a privacy policy and also an undertaking issued by the ICO. They also gave me my Supporter reference number, which was why they were contacting me. Because a year ago I filled in an online quiz to see if I was presenting any of the symptoms of dementia. At no time before, during or after the quiz did they give me any indication they would tap me up for money, nor was I asked if I wanted to become a supporter of theirs.

I rang them up to ask them to remove me from their mailing list but not a lot happened. When I say not a lot, there was a recorded message saying “we apologise for the delay”, then there was silence for the next 10 minutes, at which point I gave up. They could have whistled a tune or even played a song but nothing. It was as if they had forgotten to answer or they were hoping (like Doc Martin) that I had no patience.

They were right, so I used the system they provided to communicate with them. This time they supplied an SAE and a form where I could inform them of my preferences, so I did. They’d used a jocular style to contact me without my consent so I replied in the same vein.

PS

Only 20 more charity letters to deal with… How I hate coming home from holidays.