GDPR and Employee Surveillance


The regulatory framework around employee surveillance is complex and easy to fall foul of. A few years ago, West Yorkshire Fire Service faced criticism when a 999 operator, who was on sick leave, found a GPS tracker planted on her car by a private detective hired by her bosses.

At present all employers have to comply with the Data Protection Act 1998 (DPA) when conducting surveillance, as they will be gathering and using personal data about living identifiable individuals. Part 3 of the Information Commissioner’s Data Protection Employment Practices Code (Employment Code) is an important document to follow to avoid DPA breaches. It covers all types of employee surveillance from video monitoring and vehicle tracking to email and Internet monitoring.

When the General Data Protection Regulation (GDPR) comes into force (25th May 2018) it will replace the DPA. The general rules applicable to employee monitoring as espoused by the DPA and the Employment Code will remain the same. However there will be more for employers to do to demonstrate GDPR compliance.

Data Protection Impact Assessment

One of the main recommendations of the Employment Code is that employers should undertake an impact assessment before undertaking surveillance. This is best done in writing and should, amongst other things, consider whether the surveillance is necessary and proportionate to what is sought to be achieved.

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA) (also known as a Privacy Impact Assessment) as a tool which can help Data Controllers (in this case employers) identify the most effective way to comply with their GDPR obligations. A DPIA is required when the data processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Employee surveillance is likely to be high risk according to the criteria set out by the Article 29 Working Party in its recently published draft data protection impact assessment guidelines.

The GDPR sets out the minimum features which must be included in a DPIA:

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

Before doing a DPIA, the Data Protection Officer’s advice, if one has been designated, must be sought as well as the views (if appropriate) of Data Subjects or their representatives. In some cases the views of the Information Commissioner’s Office (ICO) may have to be sought as well. In all cases the Data Controller is obliged to retain a record of the DPIA.

Failure to carry out a DPIA when one is required can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Our recent blog post and forthcoming DPIA webinar will be useful for those conducting DPIAs.

Article 6 – Lawfulness

All forms of processing of personal data (including employee surveillance) have to be lawful by reference to the conditions set out in Article 6 of GDPR (equivalent to Schedule 2 of the DPA). One of these conditions is consent. Article 4(11) states:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

As discussed in our previous blog post, consent will be more difficult to achieve under GDPR. This is especially so for employers conducting employee surveillance. According to the Information Commissioner’s draft guidance on consent under GDPR:

“consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.”

Employers (and public authorities) may well need to look for another condition in Article 6 to justify the surveillance. This could include where processing is necessary:

  • for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c));
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Article 6(1)(e)); or
  • for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f)).

Legitimate interests (Article 6(1)(f)) will be a favourite condition amongst employers as usually the surveillance will be done to prevent or detect crime or to detect or stop abuse of the employers’ resources e.g. vehicles, internet and email facilities etc.

Public Authorities

Article 6 states that the legitimate interests condition shall not apply to processing carried out by public authorities in the performance of their tasks. Herein lies a potential problem for, amongst others, local authorities, government departments, and quangos.

Such organisations will have to consider the applicability of the legal obligation and public interest/official authority conditions (Article 6(1)(c) and Article 6(1)(e) respectively). We can expect lots of arguments about what surveillance is in the public interest and when official authority is involved. If the surveillance involves a public authority using covert techniques or equipment to conduct the surveillance, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies and so the latter condition is met. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (see C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H)).

More detail on the RIPA and human rights angle to employee surveillance can be found in our blog post here. More on the DPA angle here.

We also have a specific blog post on the legal implications of social media monitoring as well as a forthcoming webinar.

Transparency

All Data Controllers, including employers, have an obligation to ensure that they are transparent in terms of how they use employees’ information. Consideration will also have to be given as to what extent general information will have to be supplied to employees in respect of the employer’s surveillance activities (see our blog post on Privacy Notices).

Surveillance of employees can be a legal minefield. Our forthcoming webinar on GDPR and employee surveillance will be useful for personnel officers, lawyers, IT staff and auditors who may be conducting or advising on employee surveillance.

 

Act Now can help with your GDPR preparations. We offer a GDPR health check service and our workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast.

Ghost in the machine

By Paul Simpkins

Like any normal UK male I like to watch sport on TV. As the season all over Europe comes to a conclusion the titles and cups are being decided. Exactly the wrong time to take a holiday. Why?

Because despite Sky Go and BT allowing you to watch their products on your laptop or other device while you’re away from home, things stop working when you leave the UK. It’s nothing to do with Brexit. Your device works out that you’ve left and suddenly many services that you use frequently start to deny you access for the simple reason that you’re away from home. If you want to watch the destination of the titles and cups you have to hope that you can find a friendly bar with a TV and hope the locals aren’t supporting the team that is playing your team. You may have to consume alcohol and even sing sporting anthems badly but that’s part of the fun.

If you prefer to sit in the safety of your hotel room or rural gite or caravan there is another solution. Buy a wifi session. Your venue will probably sell you one for a few euros and you can watch in peace with a steaming cappuccino. Trouble is your device may still not allow you to connect to UK channels as it will still think you’re away from home as your IP address identifies your location.

But there’s a solution for that as well. Buy an app that masks your IP address. I’ve used this one.


And it’s worked well. For free it will tell your computer sitting in Bordeaux that it’s really in Manchester so it will be able to watch iPlayer, Sky & BT without a problem. Yabba dabba doo!

Until recently when I purchased a month’s wifi from the site where I am currently staying. The company concerned is called Ozmosis.


It’s full of lovely pictures of people enjoying themselves on holiday (the sunglasses give it away) using their wifi on holiday parks throughout Europe. 8 million users no less. So I bought a month’s wifi from them.

When it came to the Champions League semi-finals I thought I’d watch. It took a while. You have to run Cyberghost and find out that only 2000 free places exist and they count down at about ten a second until wow you’re sorted and watch the IP address emigrating from south west France to Manchester via a slow moving graphic, then eventually log on to BT Sport. Even then it often doesn’t work.

No problem. It was worth the effort. Until the following morning when you try to log on to the internet as usual. It doesn’t work. Suddenly it dawns on you via a series of messages from Ozmosis that they’ve identified a streaming service on your computer which violates their terms and conditions and they have terminated your wifi (after 6 of 31 days).

You ring the help line and you have to admit that you’ve been a naughty boy using an IP masking routine; apologise, delete it from your machine and they restore your wifi.

But then you think…

Who are they to say what I can do with their product? I buy it. It connects me to the internet. Can I watch porn channels with it? Can I hack health services all over Europe with it? If I buy product A that enables me to do many things, can the provider of product A stop me from doing B, C and D, E and F with their enabling product?

If I bought a Kindle and loaded it with racist literature could Amazon stop me reading it?

If I bought a car and was told by the salesman that I couldn’t drive to Chipping Sodbury because they didn’t like the name.

If I bought a mobile phone but was limited in the numbers I could call?

(other off the wall examples sought by the author)

So there you are. I can buy wifi and perform normal functions like check my email or look at my bank account or WhatsApp my auntie, but not watch Atletico Madrid fail to beat Real Madrid without being penalised by a faceless sysadmin near Montpellier who cuts off a service I’ve paid for because I’m doing something they don’t like. I have no other option on my campsite. Ozmosis have a monopoly.

OK, millions of people streaming a major football match might use a lot of bandwidth, but that’s what most European males on a campsite want to do. Saying in the T & C that you can’t do it makes buying the wifi worthless. Increase your capability Ozmosis or get out of the sector (but they’re making zillions of euros so they won’t do that).

I expect a torrent of abuse from normal people who live without watching big sporting events, but living in France for several weeks eating quality food and drinking cheap quality wine and beer while enjoying temperatures 10 degrees higher than the UK needs some mitigation, otherwise it would be Paradise Lost – but that’s another story.

RIPA and Communications Data: IoCCo Annual Report

In October 2015 the Prime Minister appointed Sir Stanley Burnton as the new Interception of Communications Commissioner replacing Sir Anthony May. Sir Stanley’s function is to keep under review the interception of communications and the acquisition and disclosure of communications data by public authorities under the Regulation of Investigatory Powers Act 2000 (RIPA).

Local authorities, as well as other agencies, have powers under Part I Chapter 2 of RIPA to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data, e.g. the Police, the Ambulance Service and HM Revenue and Customs. Local authorities are restricted to subscriber and service use data, and then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance under Part 2, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

On 8th September 2016, Sir Stanley laid his 2015 annual report before Parliament. The report covers the period January to December 2015. Key findings around communications data powers include:

  • 761,702 items of communications data were acquired during 2015.
  • 48% of the items of communications data were traffic data, 2% service use information and 50% subscriber information.
  • 7% of the applications for communications data were made by police forces and law enforcement agencies, 5.7% by the intelligence agencies and 0.6% by local authorities and other public authorities.
  • Only 71 local authorities reported using these powers. The majority of these used them on less than 10 occasions.
  • Out of the 975 applications made by local authorities in 2015, Kent County Council made 107 of these whilst five councils made just 1 application each.

A big reason for the low use of these powers by local authorities is that, since 1st November 2012, they have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks).

Another reason may be that since December 2015, the Home Office has required councils to go through the National Anti Fraud Network (NAFN) to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC’s (Single Point of Contact) role redundant. Consequently the Commissioner no longer conducts inspections of individual local authorities, choosing to inspect NAFN instead.

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities came into force. It contains several policy changes, which will require careful consideration.

When the Investigatory Powers Bill comes into force it will change the communications data access regime. Read our blog and watch this space.

Do you make use of these powers and need refresher training? Act Now is running a live one hour webinar on this topic. We also offer a whole host of training in this area. Please visit our website to find out more!

The Investigatory Powers Bill: Implications for Local Authorities
The government’s controversial Draft Investigatory Powers Bill was published in early November. Amongst other things, the Bill:

  • Requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and some public bodies.
  • Makes explicit in law for the first time the Security Services’ powers for the bulk collection of large volumes of personal communications data.
  • Makes explicit in law for the first time the powers of the Security Services and police to hack into and bug computers and phones. It also places a new legal obligation on companies to assist in these operations to bypass encryption.
  • Requires internet and phone companies to maintain “permanent capabilities” to intercept and collect the personal data passing over their networks. They will also be under a wider power to assist the security services and the police in the interests of national security.

Much has been written about the civil liberties implications of the new Bill, dubbed “the Snoopers’ Charter.” It has been criticised by the United Nations, the Opposition and civil liberties groups.

A Committee has been formed to consider the key issues raised by the Bill, including whether the powers sought are necessary, whether they are legal and whether they are workable and clearly defined. The Committee is now inviting written evidence to be received by 21st December 2015 (call for evidence).

Some of the questions the Committee are inviting evidence on include:

  • To what extent is it necessary for the security and intelligence services and law enforcement to have access to investigatory powers such as those contained in the draft Bill?
  • Are there sufficient operational justifications for undertaking targeted and bulk interception, and are the proposed authorisation processes for such interception activities appropriate and workable?
  • Should the security and intelligence services have access to powers that allow them to undertake targeted and bulk equipment interference? Should law enforcement also have access to such powers?

The Committee is due to report back by February 2016.

What will the effect be of the Investigatory Powers Bill on local authorities? Is it true that councils will be given powers to view citizens’ internet history (according to the Telegraph)? The answer is no.

Sam Lincoln has written an in-depth analysis of the bill, detailing and dissecting its various points. Please take a look here.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection. Our 2016 RIPA workshops will include an update on the Bill.

‘The Great CPS Data-breach!’

No, this isn’t a new multi-million pound blockbuster, but instead a £200,000 error the Crown Prosecution Service probably wishes it had never made.

On the 4th November 2015 the Information Commissioner’s Office (ICO) issued a £200,000 monetary penalty notice under the Data Protection Act 1998 on the Crown Prosecution Service (CPS) for the lack of effective security and controls around DVD videos of police interviews after they were stolen (while being stored on laptops) from a 3rd party private film studio.

Imagine the scene: it’s the year 2002 and new technologies are coming in for the recording & editing of films. So you, as a modern and practical Crown Prosecution Service, look for a company that can offer these things quicker, better and cheaper than you can do in-house. So you commission an informal 6 month trial with a guy with a studio based in Manchester. After 6 months he seems to do a good job; he’s no George Lucas but you’ll roll with him beyond the 6 months.

Now as these things do, your ‘video editing man’ changes offices to a new location that, by all accounts, is a little bit lacking in basic things (like security and working CCTV). But no matter, we can’t judge those on where they operate and the service isn’t affected – if anything it’s a nice new shiny studio.

However, on a day in September 2014 (the 11th to be precise) a burglar just happens to wander past and manages to get into the studio, steals 3 laptops that are currently being worked on by your video editor and runs off with them. The police catch up with ‘him’ 8 days later and, as luck would have it, they also recover the laptops. But that’s OK, as it’s only 43 data subjects, you got the laptops back and there is a password on each of the laptops, right?

Well unfortunately no, that isn’t OK. And the Information Commissioner agrees. In the ICO’s decision notice he outlines that various things were not in place here that really should have been, given the level of sensitivity of the data concerned. Below are extracts from the 5 main areas the ICO cites as the main breaches of the DPA.

  1. Unencrypted DVDs containing the videos were delivered to X using a national courier firm. The sole proprietor used public transport to take the DVDs to X premises if a case was urgent.
  2. The CPS was not aware of any security risks posed by editing videos of police interviews at X premises either in 2002 or 2006.
  3. The CPS had no guarantee that the sole proprietor would store the unencrypted DVDs in a lockable cabinet and return or securely destroy the DVDs at the end of the case.
  4. The CPS failed to monitor the sole proprietor in relation to any security measures taken by him.
  5. The CPS did not have a DPA compliant contract with the sole proprietor in relation to the processing.

All the usual culprits are there:

  • Lack of encryption,
  • Lack of secure transfer of data,
  • Lack of 3rd party auditing and,
  • Lack of 3rd party contract.

But above all what this notice outlines is a fundamental lack of understanding or awareness of what data is being processed here. The DVDs contained information relating to the witness and victims of crimes of a sexual or violent nature. It is reported that at least 1 of the files concerned that was stolen related to a high profile individual. And that’s just on these DVDs. What about all the other DVDs that have entered that studio since 2002?

While there is no evidence in the ICO’s decision notice that other losses have occurred, the circumstances around this theft have been in place since 2002. It could be lucky that only one theft has occurred, but then again how do we know that this is indeed the only theft?

I know when these notices come out those of us that have been fighting the good data protection fight for some time will pick apart the incident and indeed say, “If you’d only have done this…” but the points we raise are all valid. This is very much a case of where everything is wrong. Not one aspect of this situation works in the CPS’ favour. Well apart from the fact the laptops were eventually recovered. But as the ICO points out, there is no proof that the DVDs were not accessed as only a password existed on them. So technically that doesn’t really help you either.

To help avoid the loss of any personal data there are a couple of best practice steps that organisations can take.

  1. Write a standard DPA clause or contract for use by any and all 3rd party suppliers and get it inserted in all contracts, both current and future. If the current ones already have one then fine, make sure it’s at the same level or better than your template and go from there.
  2. If it’s sensitive personal data and it’s leaving your premises, as a basic rule always ensure it is encrypted to a decent standard at all times. There is rarely an acceptable situation in which sensitive personal data is sent out of the business on a DVD that doesn’t have a decent level of encryption on it. If such a scenario does come up, then guard & monitor it and manage & document the risk.
  3. If you’ve got a 3rd party going anywhere near your sensitive personal data then watch and monitor them closely. They are as much a threat to your information as internal staff, and you wouldn’t (hopefully) leave your internal staff to handle sensitive personal data in any way they see fit, so why would you for a 3rd party?

Having worked in the Social Care & legal industries I know how easy it is to become desensitised to the data that you hold and process daily. But always remember and be aware of the sensitivity of the data in your hands. That’s easier said than done, but that principle, once ingrained in your thinking, means you’ll stop and think before commissioning something or sending something that you really shouldn’t have.

Now I’m going to do some jiggery-pokery here, and bear with me on this as it’s not going to be exact but let’s see if we can work out what a fine would be under the new Data Protection Regulation. Now I accept that this is not an exact science as the text is still draft and the exact mechanism for fines is not agreed yet but let’s just imagine.

So, under the current framework the ICO can fine up to £500,000 for such a breach but instead valued the breach at the £200,000 level based on the severity, compensating controls, political nonsense etc. That works out as two fifths or 40% of the full amount he can fine.

Under the GDPR council text, because of the level of failing here in various areas, I believe that this breach would meet the definitions outlined in Article 79a (3a-h). Sections 1 & 2 of Article 79a do outline breaches, but section 1 outlines relatively small offences and section 2 only covers some of the breaches outlined here. The limit of such a fine under that section is 1 million Euros or 2% of global annual turnover for the previous year (if an undertaking). If we assume the limit would be 1 million Euros (given the public sector nature of the controller) then let’s apply the same % as the ICO applied here.

40% of 1 million is 400,000 euros. In today’s currency (as of 13th November and according to google) that equates to a fine of £283,556.79 under the GDPR. Not much of an increase when you think about it.

However, if this fine was for an “undertaking” (currently not defined in the GDPR but the link contains the UK definition) the fine value could increase substantially. If we were to take the CPS public finances as an example their turnover for 2014 was £581.9 million pounds. 2% of that is £11,638,000. If we then take 20% of the 11.6 million we end up at a fine of £2,327,600 under the GDPR.

Now the above is not an exact science, as I’ve stated, as the mechanisms for determining fine amount are still to be agreed but those mechanisms will need to be as proportional as possible. By just using the current model (which the ICO seems to defend) the same incident could mean the difference between a fine of just under £300k for a public sector body (not an undertaking) or a fine of £2.3 million for a private sector undertaking.

Seems a little disproportionate does it not?

 

Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.

And so, the end is near, and now we face, the final curtain… or do we?

In case you missed it over the last week or so, it has been confirmed that the European Council have agreed a text of the Draft EU Data Protection Regulation. You would think that would be the final stage but alas no. Instead we now present this version back to the Commission & Parliament for tripartite discussion and agreement. This really is the final stage of the legal process, in which the Council, the EU Parliament and the EU Commission will now negotiate on this document to agree a final text that can become law (promise… it really is the last stage).

However, in typical governmental fashion of not being able to do anything smoothly, 2 versions were ‘released’. One is the text of the Council of Ministers’ final text agreed on June 15th: Council of Ministers text minus objections from Member States.

The other was a copy of the text of the Council of Ministers’ final text agreed on June 15th including the 649 paragraphs of ‘disagreements’ from the member states (oops): Council of Ministers text plus objections from Member States.

There is still some discussion to be had however and in the comments version the Council acknowledges this. First up, with regards to police processing of personal data the regulation now includes as a purpose for processing “safeguarding against and the prevention of threats to public security”. Which, at face value, seems rather wide and “loose” in its wording. We all know that defining a “threat to public security” can be open to various interpretations therefore this may meet with some stiff opposition.

The Council has also said that there needs to be some discussion around the “lawfulness of processing” under Article 6, recital (40) and Article 19(1). The Council is looking to approve final wording on the legitimacy of processing data that is incompatible with the original purpose for which it was collected. The current proposal looks to allow such processing but, as a condition, allows the data subject a means to legitimately object. Again, how this will work in the real world is open to interpretation, but given that this is a move away from the current Directive’s standards it will be interesting to see if the Council and Parliament accept that.

The Council also appears to be looking for further discussion on the right to compensation and liability outlined in Article 77 and recitals (112), (113a), (118), (118b). The current proposal clarifies the roles and liabilities for processing that is not compatible with the regulation. Namely it is looking to narrow the extent of liability for a processor or controller where it can be demonstrated that the controller or processor concerned is not fully liable (i.e. it can be clearly demonstrated that it wasn’t their fault). It makes sense but again, how that will go down with the Parliament and Commission will be interesting.

I’ve now had the chance to read through this updated text and in short it smells an awful lot like a beefed up Directive. A lot of the stricter wording that was in the initial draft proposed by the Commission & indeed the Parliament draft has been replaced with general expectations, the finer details of which member state law or local codes of practice are encouraged to work out. Some of the aspects of the regulation even invite member states to write complementary laws so that those sections can be properly enacted within that member state. (I’m sure that’s the purpose of a Directive you know…)

Here’s a quick summary for you:

  • Member states can create their own laws on conditions for processing certain types of data (national ID numbers for example). (Article 9 (5)). This also extends to the conditions for processing HR data which can be defined by local member state work agreements.
  • Member states can decide if fines are to be used on public sector bodies.
  • Article 79a – Fines of up to 250,000 euros or 0.5% of previous year global annual turnover for deliberate or negligent breaches & not responding to SARs.
  • Article 79a – Fines of up to 500,000 euros or 1.0% of previous year global annual turnover for any of the above or;
    • Does not provide information in a timely manner to a data subject
    • Does not provide access or rectify data belonging to the data subject
    • Does not erase personal data belonging to the data subject
    • Processing data in violation of an restrictions on processing outlined in article 17 (Notification obligation regarding rectification, erasure or restriction).
    • Does not communicate any rectification, erasure or restriction requests to 3rd parties
    • Does not provide the data subject with their personal data.
    • Processing of data of objection to processing received and no viable reason for legitimate processing.
    • Does not provide data subject with information about the right to object to processing of information for marketing purposes.  
    • Does not sufficiently determine responsibilities of joint controllers.
    • Does not maintain sufficient documentation pursuant to Articles 28 (Records of categories of personal data processing activities) & 34 (Prior consultation).
  • Article 79a – Fines of up to 1,000,000 euros or 2.0% of  previous year global annual turnover for any of the above or;
    • Processes information without a legal basis for doing so or does not obtain appropriate consent.
    • Does not comply with conditions for automated decision making & profiling.
    • Does not implement measure to demonstrate compliance with articles 22 (Obligations of the controller) and 30 (Security of processing).
    • Does not designate a representative in violation of Article 25 (Representatives of controllers not established in the Union).
    • processes or instructs the processing of personal data in violation of Articles 26 (Processor).
    • does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 (Notification of a personal data breach to the supervisory authority) and 32 (Communication of a personal data breach to the data subject).
    • does not carry out a data protection impact assessment in violation of Article 33 (Data protection impact assessment) or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2) (Prior  consultation).
    • misuses a data protection seal or mark in the meaning of Article 39 (Certification) or does not comply with the conditions and procedures laid down in Articles 38a (Monitoring of approved codes of conduct) and 39a (Certification body and procedure).
    • carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44 (Transfer of Personal Data to third countries or international organisations).
    • does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53 (1b) or does not provide access in violation of Article 53(1) (Powers).
  • Article 38 – Member states can create their own codes of practice and standards for data protection for specific sectors. This need approval by the EU Data Protection Board but can be developed per member per sector.
  • Article 54a – One stop shop concept for regulatory action and complaint handling amongst supervisory authorities remains.
  • Article 12 – Removal of charging for SARs remains.
  • Article 70 – Removal of need to register all processing of personal data remains but instead only high risk processing must be registered (at no charge) and will be published by the supervising authority.
  • Data portability now does not apply to the public sector or any processing for the enactment of a contract. (General  Text, paragraph 55)
  • Article 31 – Breach notification to a supervisory authority is now 72 hours or “without undue delay” if longer than that period.  

This Regulation is as close to a final version as we are going to get for the moment. As we’ve seen in recent weeks and months, the majority of data protection regulators and even the EU Commission are saying that elements of the Regulation should start to be implemented from this point onwards (e.g. the Netherlands is implementing a general data protection breach notification law from next year). Some are even using the principles of the Regulation in the interpretation of current law (the ‘right to be forgotten’, for example).

I intend to do a few more articles over the coming weeks to look in more detail at some of the wording and what this could mean if the Parliament and Commission accept the current draft (which is a realistic possibility).

Author:

Scott Sammons CIPP/E, AMIRMS

@privacyminion

Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

When is wifi free?


Free (/friː/) – adjective: free; without charge, free of charge, for nothing, complimentary, gratis, gratuitous, at no cost; for free, on the house.

adverb: free; without cost or payment. (Avoid freely)

Seems obvious when you ask Google for the definition. No payment of any sort means the goods or service is free. It’s an invitation to enter into a contract but nothing is to be given in exchange for the service of providing wifi. But what if you were asked for something in exchange? What if a shop said wifi is free if you give me an ice cream? Would that make the wifi no longer free? An ice cream certainly exists in a solid form (OK I’ll concede that it has a specific half life) but what if the price was a big kiss or a promise to buy something. Do they exist? Are they tangible? Do they have any value? Does it matter? What if the price was your email address? What if the price was your consent to receive marketing material?

I stayed in a hotel recently that presented me with a card on arrival with my free wifi code. Not even bothering to switch on the TV or use the bathroom (usual bored, middle aged businessman preoccupations) I fired up the laptop.

[Screenshot of the hotel wifi sign-up screen]

It’s not an easy screen to read, but the word free appears four times. All I had to do was tell them my details.

Why?

If no payment is required, no bill will be sent. I could use the code without them knowing anything about me. Starbucks manage to do this without any problems, but many purveyors of “free” items need to know your name. Worse, they need to know my email. Worse than that, they had pre-ticked the ‘yes to marketing’ box. I unticked it and tried to subscribe without agreeing to the terms and conditions, but the system prompted me to a) agree to the T&Cs and b) tick the marketing box.

I complained to reception, saying this wasn’t free. No problem, Sir. Click on the Conference button at the top of the screen, as you’re in a conference here tomorrow, aren’t you (wink, wink), and they won’t ask those questions.

I did, but just to be sure I decided to read the T&Cs. The first line said that by accepting them I would agree to receiving marketing. Trying to buy without ticking them wouldn’t work.

I told reception and she pointed out that all I had to do was use a code and a password and not give any identifiers (like the ones she had taken on the piece of paper I filled in at reception, where the code and password were stored next to my personal details).

Feel free to like this article. Just don’t send money. Or ice creams.

What’s the difference between PCC & BCC

The picture that said a thousand suppliers.

Fresh from being elected with less than 10% of the electorate in favour of him, a recently appointed Police Commissioner writes to all his suppliers and, in doing so, tells them the email addresses of all the other suppliers (and a few extra organisations, such as rape crisis centres, police officers, probation officers and some personal email addresses). Still, no harm done, eh? No law broken, no real personal data involved. No brain cells used in the distribution of this list.

Makes me feel like Phillip Schofield. (When I say this it doesn’t mean I feel like him as in desire him – more like feel I’m in a similar predicament…)

Act Now Book Draw Week 6

The winner of this week’s Act Now Book Draw was Peter Dinsdale from Newcastle University.

Next week’s book is Gringras: The Laws of the Internet (3rd Edition) by Elle Todd.

The next draw will take place on Wednesday 4th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by email, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.