Data Sharing – Page 2 – Your Front Page For Information Governance News

The Facebook Data Breach Fine Explained

On 24^thOctober the Information Commissioner imposed a fine (monetary penalty) of £500,000 on Facebook Ireland and Facebook Inc (which is based in California, USA) for breaches of the Data Protection Act 1998. In doing so the Commissioner levied the maximum fine that she could under the now repealed DPA 1998. Her verdict was that the fine was ‘appropriate’ given the circumstances of the case. For anyone following the so-called Facebook data scandal the fine might seem small beer for an organisation that is estimated to be worth over 5 billion US Dollars. Without doubt, had the same facts played out after 25^thMay 2018 then the fine would arguably have been much higher, reflecting the gravity and seriousness of the breach and the number of people affected.

The Facts

In summary, the Facebook (FB) companies permitted Dr Aleksandr Kogan to operate a third-party application (“App”) that he had created, known as “thisisyourdigitallife” on the FB platform. The FB companies allowed him and his company (Global Science Research (GSR) to operate the app in conjunction with FB from November 2013 to May 2015. The app was designed to and was able to obtain a significant amount of personal information from any FB user who used the app, including:

Their public FB profile, date of birth and current city
Photographs they were tagged in
Pages they liked
Posts on their time lime and their news feed posts
Friends list
Facebook messages (there was evidence to suggest the app also accessed the content of the messages)

The app was also designed to and was able to obtain extensive personal data from the FB friends of the App’s users and anyone who had messaged the App user. Neither the FB friends or people who had sent messages were informed that the APP was able to access their data, and nor did they give their consent.

The APP was able to use the information that it collected about users, their friends and people who had messaged them, in order to generate personality profiles. The information and also the data derived from the information was shared by Dr Kogan and his company with three other companies, including SCL Elections Ltd (which controls the now infamous Cambridge Analytica).

In May 2014 Dr Kogan sought permission to migrate the App to a new version of the FB platform. This new version reduced the ability of apps to access information about the FB friends of users. FB refused permission straight away. However, Dr Kogan and GSR continued to have access to, and therefore retained, the detailed information about users and the friends of its users that it had previously collected via their App. FB did nothing to make Dr Kogan or his company delete the information. The App remained in operation until May 2015.

Breach of the DPA

The Commissioner’s findings about the breach make sorry reading for FB and FB users. Not only did the FB companies breach the Data Protection Act, they also failed to comply or ensure compliance with their own FB Platform Policy, and were not aware of this fact until exposed by the Guardian newspaper in December 2015.

The FB companies had breached s 4 (4) DPA 1998 by failing to comply with the 1^stand 7^thdata protection principles. They had:

Unfairly processed personal data in breach of 1^stdata protection principle (DPP1). FB unfairly processed personal data of the App users, their friends and those who exchanged messages with users of the APP. FB failed to provide adequate information to FB users that their data could be collected by virtue of the fact that their friends used the App or that they exchanged messages with APP users. FB tried, unsucesfully and unfairly, to deflect responsibility onto the FB users who could have set their privacy settings to prevent their data from being collected. The Commissioner rightly rejected this. The responsibility was on Facebooks to inform users about the App and what information it would collect and why. FB users should have been given the opportunity to withhold or give their consent. If any consent was purportedly given by users of the APP or their friends, it was invalid because it was not freely given , specific or informed. Conseqauntly, consent did not provide a lawful basis for processing
Failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, in breach of the 7^thdata protection principle (DPP7). The processing by Dr Kogan and GSR was unauthorised (it was inconsistent with basis on which FB allowed Dr Kogan to obtain access of personal data for which they were the data controller; it breached the Platform Policy and the Undertaking. The processing by DR Kogan and his company was also unlawful, because it was unfair processing. The FB companies failed to take steps (or adequate steps) to guard against and unlawful processing. (See below). The Commissioner considered that the FB companies knew or ought to have known that there was a serious risk of contravention of the data protection principle sand they failed to take reasonable steps to prevent such a contravention.

Breach of FB Platform Policy

Although the FB companies operated a FB Platform Policy in relation to Apps, they failed to ensure that the App operated in compliance with the policy, and this constituted their breach of the 7^thdata protection principle. For example, they didn’t check Dr Kogan’s terms and conditions of use of the APP to see whether they were consistent with their policy (or presumably whether they were lawful). In fact they failed to implement a system to carry out such a review. It was also found that the use of the App breached the policy in a number of respects, specifically:

Personal data obtained about friends of users should only have been used to improve the experience of App users. Instead Dr Kogan and GSR was able to use it for their own purposes.
Personal data collected by the APP should not be sold or third parties. Dr Kogan and GSR had transferred the data to three companies.
The App required permission from users to obtain personal data that the App did not need in breach of the policy.

The FB companies also failed to check that Dr Kogan was complying with an undertaking he had given in May 2014 that he was only using the data for research, and not commercial, purposes. However perhaps one of the worst indictments is that FB only became aware that the App was breaching its own policy when the Guardian newspaper broke the story on December 11 2015. It was only at this point, when the story went viral, that FB terminate the App’s access right to the Facebook Login. And the rest, as they say, is history.

Joint Data Controllers

The Commissioner decided that Facebook Ireland and Facebook Inc were, at all material times joint data controllers and therefore jointly and severally liable. They were joint data controllers of the personal data of data subjects who are resident outside Canada and the USA and whose personal data is processed by or in relation to the operation of the Facebook platform. This was on the basis that the two companies made decisions about how to operate the platform in respect of the personal data of FB users.

The Commissioner also concluded that they processed personal data in the context of a UK establishment, namely FB UK (based in London) in respect of any individuals who used the FB site from the UK during the relevant period. This finding was necessary in order to bring the processing within scope of the DPA and for the Commissioner to exercise jurisdiction of the two Facebook companies.

The Use of Data Analytics for Political Purposes

The Commissioner considered that some of the data that was shared by Dr Kogan and his company, with the three companies is likely to have been used in connection with, or for the purposes of, political campaigning. FB denied this as far as UK residents were concerned and the Commissioner was unable, on the basis of information before her, whether FN was correct. However, she nevertheless concluded that the personal data of UK users who were UK residents was put at serious risk of being shared and used in connection with political campaigning. In short Dr Kogan and/or his company were in apposition where they were at liberty to decide how to use the personal data of UK residents, or who to share it with.

As readers will know, this aspect of the story continues to attract much media attention about the possible impact of the data sharing scandal on the US Presidential elections and the Brexit referendum. The Commissioner’s conclusions are quite guarded, given the lack of evidence or information available to her.

Susan Wolf will be delivering these upcoming workshops and the forthcoming FOI: Contracts and Commercial Confidentiality workshop which is taking place on the 10th December in London.

Our 2019 calendar is now live. We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

Need to prepare for a DPO/DP Lead role? Train with Act Now on our hugely popular GDPR Practitioner Certificate.

Google v Lloyd- Representative action for damages fails under the DPA 1998

As more individuals become aware of the way in which organisations such as Facebook, and Google have used their personal data unlawfully, then the prospect of litigation, and class actions, seems increasingly likely. However, the recent case of Lloyd v Google [2018] EWHC 2599 (QB) demonstrates that it doesn’t necessarily follow that a clear breach of data protection legislation will result in a successful claim for damages. The case shows that even if claimants can prove that there has been a breach of data protection legislation (now the GDPR and DPA 2018) they need to identify what harm the breach has caused and how the damage has been caused by the breach. This will inevitably be a fact specific exerciser.

The background-the Safari Workaround and DoubleClick Ad Cookie

The case concerned the use, by Google, of a cookie known as the “DoubleClick Ad cookie” between 2011 -2012. Google allegedly used the cookie to secretly track the internet activity of iPhone users in the US and the UK. Ordinarily the Safari browser (developed by Apple) had a default setting that blocked the use of third-party cookies, such as the DoubleClick Ad cookie. However, Google was able to exploit certain exceptions to this default blockage and implement the so called “Safari Workaround” which enabled Google to set the cookie on an iPhone, when the user used the Safari browser. This gave Google access to a huge amount of browser generated personal information, including the address or URL of the website which the browser is displaying to the user. It was claimed that this information enabled Google to obtain or deduce other sensitive information about individuals, such as their interests and habits, race ethnicity, class, political or religious view, health, age, sexuality and financial position. Google was also alleged to have aggregated this information to create lists of different types of people, such as “football lovers’, and offered these lists to subscribing advertisers.

Regulatory action was against Google in the USA with Google agreeing to pay US$25.5 million civil penalty to settle charges brought by the US Federal Trade Commission, and a further US$17 million to settle state consumer-based actions. No such regulatory action as taken by the Information Commissioner even though the breach clearly affected UK iPhone users.

The representative claim

The action against google was brought by Mr Lloyd who was the only named claimant. However, he brought this action as a representative of a much larger class of people. This is a novel type of litigation that allows a representative to sue in a representative capacity on behalf of a class of people who have “the same interest” in the claim. It was not entirely clear how big the class was, but estimates ranged between 5.4-4.4 million people. Google not surprising was keen that permission was denied, bearing in mind it estimated its potential liability (if the case was successful) of between £1-3 billion.

Mr Lloyd argued that he and each member of the group/class he represented had a right to be compensated “for the infringement of their data protection rights”. Specifically, it was alleged that Google had carried out the secret tracking and collation of personal data without the data subject’s consent or knowledge; that this was a breach of Google’s duty under s 4(4) of the DPA 1998 and that the data subjects were entitled to compensation under s 13 DPA 1998.

In other words, the fact of the contravention gave them a right to be compensated. Neither Mr Lloyd or any member of the group alleged or gave evidence about any financial loss, distress or anxiety. There were no individual allegations of harm. In fact, Mr Lloyd asserted that the claim was generic and claimed an equal, standard “tariff” award for each member of the class (the claim was for £750 per person). This turned out to be fatal to the claim.

Litigation against a US based company

Any litigant, or group of litigants, considering an action against Apple or Google or any other such company that is based outside the UK first need the permission of the High Court in order to serve a claim against a defendant outside of the jurisdiction of the domestic courts. Before the court will grant permission, the claimant must prove three things. First that the case falls within one of the listed “jurisdictional gateways”; second, that the case has a reasonable prospect of success and finally that England is the appropriate place to deal with the case. The High Court had no difficulty deciding that England would be the natural jurisdiction for the case since the claimants were all in the UK and the alleged damage had been incurred in the UK. However, the High Court Judge found that Mr Lloyd’s case failed on the remaining two issues and denied permission for the case to proceed.

The Court identified that the relevant gateway in this case was that the claimant had to prove they had a good arguable claim in tort and the damage was sustained in England & Wales. The Judge was clear that a claim for damages under the DPA 1998 is a claim in tort. He was also satisfied that each member of the class was (for at least some of the relevant period) within the jurisdiction when they connected to the internet using the Safari browser.

However, the real and substantial issue in this case was whether the Safari Workaround had caused “damage” within the meaning of the DPA 1998. The Court engaged in a lengthy analysis of the case law on DPA damages and concluded that the claimants had not sustained damages in this case. On this basis the court decided that Mr Lloyd did not have a good arguable case or a reasonable prospect of success.

Damages under the DPA 1998

Section 13 of the DPA 1998 provided that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the DPA 1998 is entitled to compensation from the data controller for that damage.

The High Court decided that giving the words their natural meaning, this statutory right to compensation arises where

(a) there has been a breach of the DPA; and

(b) as a result, the claimant suffers damage.

These are two separate events connected by a causal link. In short, the breach must cause the damage. Based on this logic, it necessarily follows that some breaches will not give rise to damages. The High Court judge suggested some examples where a data controller processes personal data in breach of the DPA, but where the breach may not warrant an award of compensation, such as:

recording inaccurate data, but not using or disclosing it
Holding, but not disclosing, using or consulting personal data that are irrelevant
Holding data for too long
Failing, without consequences, to take adequate security measures.

Of course, this is not to say that these types of breaches could never give rise to a successful claim for damages, as much will depend on the context and facts of the case. However, the Court did suggest that data subjects had alternative remedies such as rectification, erasure and objection.

One of the key arguments presented by Lloyd was that the claimants had incurred damage because they lost control of their data. According to the Court, there will be circumstances where the loss of control may have significantly harmful consequences, such as in Vidal Hall. (Google in v Vidal-Hall and others & The Information Commissioner [2015] EWCA Civ 311) The focus in that case was on the significant distress caused to the claimants by the delivery to their screens of unwanted advertising material. However, decision was very fact specific; it seemed that the type of information that had secretly been tracked and used to send targeting advertising was of a particularly private and sensitive nature, such that it would have caused harm to the claimants had any one else seen their computer screens.

The High Court in Lloyd v Google also accepted that delivery of unwanted commercial advertising can be upsetting in other ways, for example where repeated or bulk unwanted communications:

Is so distressing it constitutes harassment even if the content is inherently innocuous
Infringes a person’s right to respect for their autonomy
Represents a material interference with their freedom of choice over how they lead their life.

However, on the facts of the case the Court concluded that the claimants had not provided any particulars of any damage suffered. Rather the claimants seemed to be relying on the fact that the claimants were entitled to be compensated because of the breach alone. The judge rejected this as a possibility.

A Court cannot award compensation just because the data protection rules have been breached. The Court also rejected the idea that the claimants should be compensated in order to “censure” the defendant’s behaviour. The Court also rejected any argument that damages under the DPA should be awarded in order on a sort of “restitutionary” basis, that is ‘calculated by reference to the market value of the data which has been refused’.

Representative action cases- what lessons can be learnt?

This was a novel litigation, it involved one named claimant bringing an action on behalf of a large group. The cation faced difficulties right from the start, not least in trying to identify the group. The Judge identified three real difficulties with this type of action:

The representative (Lloyd) and the members of the class do not all have the “same interest” which is an essential requirement for any representative action. Some people may have suffered no damage and others different types of damage. Consequently, they did not all have the same interest in the action.
Even if it was possible to define the class of people represented, it would be practically impossible to identify all members of the class.
The court would not exercise its discretion to allow this case to go forward, particularly given the costs of the litigation, the fact that the damages payable to each individual (were the case to succeed) would be modest, and that none of the class had shown any interest in, appeared to care about in the claim.

Anyone contemplating pursuing this type of claim in future would be well advised to carefully consider and take on board the judge’s criticisms and seek to address them before pursing an action.

Susan Wolf will be delivering the forthcoming GDPR workshop in Birmingham on the 19th November. Book your place now!

The Subject Access Right Under GDPR

When the General Data Protection Regulation (GDPR) comes into force on 25^th May 2018, it will introduce a number of new obligations on Data Controllers which will require them, amongst other things, to review their approach to personal data breaches, privacy notices and overall GDPR compliance responsibility. Some new Data Subject rights, including the right to erasure and the right to data portability, will also be introduced.

So there is a lot to learn and do within a short space of time. However the good news is, whilst GDPR will replace the UK’s Data Protection Act 1998 (DPA), it still includes familiar concepts such the right of the Data Subject to request a copy of his/her data, known as a Subject Access Request (SAR) in DPA parlance.

In brief, Article 15 of GDPR gives an individual the right to obtain:

confirmation that their data is being processed;
access to their personal data; and
other supplementary information

The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.

Fees

Under the DPA, Data Controllers can charge £10 for a SAR (£50 for a health record). GDPR allows most requests to be made free of charge. This is a significant change and will hit the budgets of those who receive voluminous or complex requests e.g. local authority social services departments. However, a “reasonable fee” can be charged for further copies of the same information and when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee must be based on the administrative cost of providing the information.

Time Limit

The DPA allows Data Controllers 40 calendar days to respond to a SAR. Under GDPR the requested information must be provided without delay and at the latest within one month of receipt. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request and explain why the extension is necessary.

All refusals must be in writing setting out the reasons and the right of the Data Subject to complain to the ICO and to seek a judicial remedy.

Format of Responses

Where the Data Subject makes a SAR by electronic means, and unless otherwise requested by the Data Subject, the information should be provided in a commonly used electronic format. Before providing the information, the Data Controller must verify the identity of the person making the request using “reasonable means”.

The GDPR (Recital 63) introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information This will not be appropriate for all organisations, but there are some sectors where this may work well e.g. local authorities may look to providing secure online access to social work records.

Article 15 makes it clear that the right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others. Therefore, as is the case under section 7(4) of the DPA, careful thought will need to be given to whether third party personal data needs to be redacted before disclosing information.

Exemptions

Data Protection Officers will be familiar with the exemptions in the DPA, set out in Part 4 and Schedule 7, some of which allow a Data Controller to refuse a SAR. There is currently no such list in the GDPR. However Article 23 allows national governments to introduce exemptions to various provisions in GDPR, including SARs, by way of national legislation based on a list set out in that article. This contains the same categories as in the DPA e.g. national security, crime prevention, regulatory functions etc. My guess is that the UK Government will enact the same exemptions as currently exist in the DPA.

Recital 63 states the purpose of the SAR is to make Data Subjects aware of and allow them to verify the lawfulness of the processing of their personal data. This seems to suggest that requests for other purposes e.g. to assist in litigation may be rejected. Compare this to the recent case of Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 in which the Court of Appeal said that there was nothing in the EU Data Protection Directive (which the DPA implements into UK law) which “limits the purpose for which a data subject may request his data, or provides data controllers with the option of not providing data based solely on the requestor’s purpose.” (More on this case here.)

The GDPR does not introduce an exemption for requests that relate to large amounts of data, but a Data Controller may be able to consider whether the request is manifestly unfounded or excessive. Recital 63 also permits asking the individual to specify the information the request relates to.

Subject Access and Data Portability

How different is the Subject Access Right to the Right to Data Portability set out in Article 20? The latter also allows for Data Subjects to receive their personal data in a structured, commonly used and machine-readable format. In addition it allows them to request it to be transmitted to another Data Controller.

Unlike the subject access right, the Data Portability right does not apply to all personal data held by the Data Controller concerning the Data Subject. Firstly it has to be automated data. Paper files are not included. Secondly the personal data has to be knowingly and actively provided by the Data Subject. By contrast personal data that are derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw smart metering data or a website search history, are excluded from the scope of the right to Data Portability, since they are not provided by the Data Subject, but created by the Data Controller. Thirdly the personal data has to be processed by the Data Controller with the Data Subject’s consent or pursuant to a contract with him/her.

In contrast, the subject access right applies to all personal data about a Data Subject processed by the Data Controller, regardless of the format it is held in, the justification for processing or its origin.

It is important to note that both rights do not require Data Controllers to keep personal data for longer than specified in their retention schedules or privacy polices. Nor is there a requirement to start storing data just to comply with a request if received.

To discuss this and other GDPR issues, come and say hello to us on stand 15 at the ICO Conference on Monday 6^th March in Manchester.

Make 2017 the year you achieve a GDPR qualification? See our full day workshops and new GDPR Practitioner Certificate.

New Data Sharing Powers in the Digital Economy Bill

Much has been written about the complexities of the current legal regime relating to public sector data sharing. Over the years this blog has covered many stops and starts by the government when attempting to make the law clearer.

The Digital Economy Bill is currently making its way through Parliament. It contains provisions, which will give public authorities (including councils) more power to share personal data with each other as well as in some cases the private sector.

The Bill has been a long time coming and is an attempt by the Government to restore some confidence in data sharing after the Care.Data fiasco. It follows a consultation which ended in April with the publication of the responses.

The Bill will give public authorities a legal power to share personal data for four purposes:

To support the well being of individuals and households. The specific objectives for which information can be disclosed under this power will be set out in Regulations (which can be added to from time to time). The objectives in draft regulations so far include identifying and supporting troubled families, identifying vulnerable people who may need help re tuning their televisions after changes to broadcasting bands and providing direct discounts on energy bills for people living in fuel poverty.
For the purpose of debt collection and fraud prevention. Public authorities will be able to set up regular data sharing arrangements for public sector debt collection and fraud prevention but only after such arrangements have been through a business case and government approval process.
Enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died).
Giving the Office for National Statistics access to detailed administrative government data to improve their statistics.

The new measures are supported by statutory Codes of Practice (currently in draft) which provide detail on auditing and enforcement processes and the limitations on how data may be used, as well as best practice in handling data received or used under the provisions relating to public service delivery, civil registration, debt, fraud, sharing for research purposes and statistics. Security and transparency are key themes in all the codes. Adherence to the 7^th Data Protection Principle (under Data Protection Act 1998 (DPA)) and the ICO’s Privacy Notices Code (recently revised) will be essential.

A new criminal offence for unlawful disclosure of personal data is introduced by the Bill. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. The prison element will be welcomed by the ICO which has for a while been calling for tougher sentences for people convicted of stealing personal data under the DPA.

The Information Commissioner was consulted over the codes so (hopefully!) there should be no conflict with the ICO Data Sharing Code. The Bill is not without its critics (including Big Brother Watch) , many of whom argue that it is too vague and does not properly safeguard individuals’ privacy.

It is also an oversight on the part of the drafters that it does not mention the new General Data Protection Regulation (GDPR) which will come into force on 25^th May 2018. This is much more prescriptive in terms of Data Controllers’ obligations especially on transparency and privacy notices.

These and other Information Sharing developments will be examined in our data protection workshops and forthcoming webinar.

Illustration provided by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

The revised ICO Privacy Notices Code and GDPR

Earlier this month the Information Commissioner’s Office (ICO) published its revised Privacy Notices Code of Practice.

Under the Data Protection Act 1998 (DPA), a Data Controller should issue a privacy notice to Data Subjects whenever personal data is gathered from them. This should be done at the point of collection or as soon as reasonably practicable after that. The notice should (at the very least) include:

The identity of the Data Controller
The purpose, or purposes, for which the information will be processed
Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1^st DP Principle).

The ICO says that organisations need to do more to explain to service users what they are doing with personal personal data and why. The code includes examples of compliant notices as well as suggested formats for online notices, in apps and even a sample video privacy notice.

As we know the General Data Protection Regulation (GDPR) will be in force in May 2018 (and still relevant despite the Brexit vote). The GDPR specifies further detail to be included in privacy notices. It also requires notices to be issued even where personal data is received from a third party. The code briefly explains these new requirements including a useful table. The ICO says that by following the good practice recommendations in the code, organisations will be well placed to comply with the GDPR regime. Read Scott’s blog post on the new requirements here.

This code has been issued under section 51 of the DPA. The basic legal requirement is to comply with the DPA itself. Organisations may use alternative methods to meet the DPA’s requirements, but if they do nothing then they risk breaking the law. When considering whether or not the DPA has been breached the Information Commissioner can have due regard to the code.

The code includes a helpful checklist, covering key points and tips on how to write a notice.

Privacy Notices need to be regularly reviewed and updated to reflect any changes. The ICO is considering other practical ways of supporting organisations in achieving greater transparency such as the feasibility of a privacy notice generator!

Want to know more about privacy notices under GDPR? Attend our full day GDPR workshop.

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

New Data Sharing Consultation

In February the Government launched a consultation on introducing laws to allow more citizens’ data to be used for ancillary purposes by the public sector. It says:

“Proportionate, secure and well-governed information sharing between public authorities can improve the lives of citizens. It can also support decisions on the economy which allow businesses to flourish, and improve the efficiency and effectiveness of the public sector. The government aims to do more to unlock the power of data.

The consultation runs till 22^nd April 2016. It looks at enabling information sharing between public authorities to improve the lives of citizens and support decisions on the economy and society.”

The proposals fall into 3 categories:

Improving public services

allowing public authorities to share personal data in specific contexts to improve the welfare of a specific person (e.g. automatically providing direct discounts on energy bills of people living in fuel poverty)

enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died)

Addressing fraud and debt

helping citizens manage their debt more effectively and reduce the overdue debt that they owe to government (i.e. allowing sharing of information for public sector debt collection)
helping detect and prevent the losses government currently experiences due to fraudulent activity

Allowing use of data for research and official statistics

giving the Office for National Statistics access to detailed administrative government data to improve their statistics
using de-identified data in secure facilities to carry out research for public benefit

Cynics may say that the proposals are really about allaying public sector fears that Government initiatives such as the Troubled Families Programme, require them to share personal data which may well breach the Data Protection Act 1998 (DPA).

A new criminal offence for unlawful disclosure of personal data is proposed to be introduced. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. Certainly the prison element will be welcomed by the Information Commissioner who has recently reiterated his call for stronger sentencing powers for people convicted of stealing personal data under the DPA.

It is proposed that the new measures will be supported by a statutory Code of Practice, which will set out if, how and when data can be disclosed under each power. Primary legislation will set out the requirement to consult the Information Commissioner, and where appropriate Ministers in the Devolved Administrations and other relevant experts before issuing or revising these Codes. Compliance with these Codes would be a requirement for any public authority seeking to participate under the proposals; failure to abide by the Codes may result in a public authority being removed from the relevant schedule and losing the ability to disclose or receive data under the power.

The whole law on information sharing needs examining. To echo the words of the Government:

“We need to go further and update the legal regime to provide simple and flexible legal gateways to improve public sector access to information in key areas which impact the whole public sector in a systematic and consistent way so that citizens can have confidence that their data is being used for the right purposes and remains securely held.”

In 2014 the Law Commission reported on the outcome of a consultation on the law around sharing of personal information between public sector organisations. It set out its recommendations, which included a full law reform project to be carried out in order to create a principled and clear legal structure for data sharing, which will meet the needs of society. I have not come across the Government’s response to the recommendations. May be this latest consultation is it!

Of course any new laws will have to be consistent with the new EU General Data Protection Regulation (GDPR), expected to come into force in 2018 and, which will replace the DPA.

These and other Information Sharing developments will be examined in our forthcoming full day workshops and webinars.

Illustration provided by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

SMILE! You’re on our Mailing List!

Charity envelope time again. And yet again another organisation I had no relationship with at all. This time it was a big one with offices in…are you ready…

UK, USA, India, China, Philippines, Latin America, Mexico, Brazil, Africa, Indonesia, Vietnam, Middle East & North Africa and Bangladesh.

Surprisingly in all these locations they couldn’t find a data protection expert to run his eye over their Privacy Policy. This is puzzling as you can find good information about their accounts and activities quite easily on the web. (£7m donations in 2014 and over 125,000 children helped all over the world). They look like they’re doing a good job except for the unsolicited mailing that dropped through my door today.

They sent 2 full colour glossy A4 double sided leaflets. 10 sticky gift tags to attach to Xmas presents, an A5 double sided full colour leaflet, an eight page A6 booklet about their work, a donation form to return and an envelope. If they’d not spent their money on these pieces of coloured paper, 2 of which were customised to say my name and address they might have had more in the kitty to help the children they featured in their leaflets. Nowhere on any of these pieces of paper is there a mention of the Data Protection Act. Nor is there a phone number so I could tell them quickly I didn’t want their unsolicited mailing. Presumably their marketing expert advised them not to offer this simple mechanism of objecting as it might result in people using it. So I found their website and had a look.

After a while I found their Privacy Policy. It was extensive and told me a lot about the cookies it used. No mention of the Data Protection Act again. Some of the interesting sections were

Your acceptance of this policyBy using our site, you consent to the collection and use of information by XXXXXXX in accordance with our Privacy Policy. If you do not agree to this Policy, please do not use our site. In order to fully understand your rights we encourage you to read this Privacy Policy.

(Mmm a good one to start with. You have to use the site to find the policy before you can read it, but by using the site you have already agreed with their policy even though you haven’t read it, which they want you to do).

Changes to this privacy policyXXXXXXXX reserves the right at any time and without notice to change this Privacy Policy simply by posting such changes on our site. Any such change will be effective immediately upon posting. Your subsequent use of this website after we have made changes to this policy (including the submission of information on our donation form) will be deemed to signify your acceptance of any variations that we make.

(So when they change something and before you find out about the changes by reading their policy you have already agreed to the changes you haven’t yet read about).

3. Sharing your information with third parties

From time to time, XXXXXX allows other worthy organisations to send communications to our donors via direct mail. We carefully screen these organisations to ensure their services may be of interest to our supporters. If you do not wish to hear from these organisations, please let us know by contacting us.

(Wow what a good one. Firstly that great phrase “from time to time” I thought this had died out but here it is again and what it really means is whenever we feel like it…”. The following few words shows the staggering arrogance of the organisation. We ALLOW other worthy organisations to send communications to OUR donors. Despite the fact that there is a law that prohibits this they ALLOW it and the donors aren’t any free thinking individuals – they belong to the organisation and the organisation can do with their personal data what they want. Did the Slavery Abolition Act of 1833 have a clause in it exempting charities. Er… no And there’s more – what is a worthy organisation? One that helps children? One that only uses recycled paper? One that pays their directors in bit coins? We have no idea what this cute little phrase means. It implies that Data Controllers don’t have to bother with Principle 2 if you’re passing data to ‘worthy’ organisations.

It gets worse. The last element is giving you the right to write to them and object to receiving communications from what they think are worthy organisations that have been through a screening process although you don’t know much about their screening methods if they do in fact exist, and ended up on a list of organisations they sell your data to but which they may not keep).

It seems they are relying on the mythical but desirable exemption in the Act that says Charities are completely exempt from the DPA and also it seems exempt from writing simple Privacy Policies in Plain English.

Read more about how EU Data Protection Regulation will change the DP landscape. Attend our full day workshop.

“What’s that Skip? Someone’s got your Metadata? Crikey!” – Subject Access and Metadata in Australia

While strolling through the web one day,

Outside the very merry month of May,

Oh, look what I should find,

The web is wonderful and kind,

By giving me a case on metadata.

In recognition of National Poetry day last week, that was my shockingly brilliant (!!) effort at a short rhyme in aid of this blog post. I know, stick to the day job right? (And yes, I know that we are in October and not May).

As the rhyme suggests however, I was indeed browsing the web and I did indeed come across an interesting legal case looking at rights of access and metadata in telecoms/internet providers in Australia. Something of particular relevance at the moment in the light of the Australian Government announcing its new Data Retention Law.

In the news article and legal case an Australian citizen, Mr Grubb, exercised his rights under the Australian Privacy Act 1988 to ask for all information Telstra (a phone company) held about him. His request specifically asked for the meta-data associated against him:

“…I’d like to request all of the metadata information Telstra has stored about my mobile phone service (XXX XXX XXX).

The metadata would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called and so on. I assume estimated longitude and latitude positions would be stored too. This is the type of data I would like to receive.”

Although Telstra provided some data to Grubb, it refused to hand over internet protocol address information, edited versions of incoming call records and website URL information stating that retrieving the information would take disproportionate effort and therefore was unreasonable.

An appeal, dated May 2015, was brought to the Office of the Australian Information Commissioner who found in favour of Data Subject in parts and the Data Controller in parts. But in very interesting parts.

The Commissioner supported Telstra in its exemption of some pieces of information to do with telephone numbers of 3^rd parties, particularly where those numbers had registered with a Telephone Preference type service in Australia. Telstra argued that it had no effective method of determining those numbers and removing them from the list therefore the entire list of inbound numbers to the Data Subject’s telephone line would be exempt.

The Commissioner did however reject a number of claims made by Telstra about the difficulty in retrieving and linking data to a person’s identity. Telstra relied in part on this submission to argue that certain types of Grubb’s data was not “personal information” because it could not be linked to the Data Subject’s identity. However, the Commissioner in his decision drew attention to Telstra’s provision of data to law enforcement agencies to show that it has (and has used in the past) the ability to process and connect different types of metadata to individuals.

It’s also interesting that since the case was initiated Telstra’s approach to customer access to metadata has shifted significantly. Telstra customers will now be able to access the same metadata about them (save for shared information) that Telstra would provide to law enforcement agencies, on request without a warrant.

Now while Australia is a very long way away from Europe this case does pose some interesting questions. I ran a search online for cases where metadata was refused under a Subject Access Request (SAR) but could not find any in the public domain. As we all know there are a growing number of laws appearing that require telecoms companies to capture and store such metadata for government access but to date I’ve not seen a similar legal challenge whereby the data has been refused in a SAR.

For those that don’t have much experience with metadata the Oxford English dictionary defines metadata as “a set of data that describes and gives information about other data”. In this context, telecommunications data, is data that is associated with an account and its usage (e.g. masts used, websites visited, numbers called) which on their own do not automatically equate to personal data, but do so when associated with one number form the metadata of that persons account. Therefore it is personal data as it can identify them and/or be associated with them.

The current subject access request code of practice from the UK Information Commissioner’s Office doesn’t specifically talk about metadata being or not being personal data or in scope for a SAR. Based on the principles of the Data Protection Act 1998 (DPA) and the fact that such metadata can and is requested by law enforcement agencies and is used to identify you; I would argue that this is Personal Data, as defined by the Act, and should be provided to a requestor under subject access.

How does this sit under the current proposed EU Data Protection Regulation text(s)? Well, you won’t find the term “metadata” in the Regulation text anywhere so there won’t be a crystal clear stance on it. Instead we will need to look at the definition of Personal Data as proposed.

In the European Council’s text Chapter 1, Article 4 (1) it defines Personal Data as;

“any information relating to an identified or identifiable natural personal (“data subject an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person).”

So while the new proposed definition doesn’t specifically call out metadata it does seem to imply that it would be. For example, your mobile number and all data that can identify your location (phone mast data for example) would be considered Personal Data under that definition; which isn’t that far removed from DPA definition of Personal Data.

On that note, following a brief search online I have not been able to find any cases on SAR and telecoms in the public domain. I can find plenty of commentaries and a remotely similar financial services case. I would therefore be interested to see if anyone knows of one currently ongoing or that has been tested in the courts / tribunal so far to date?

Currently the UK Government is looking to revive the so-called “snooper’s charter” under the Draft Communications Data Bill. Therefore if government agencies are to spy / monitor / keep / ignore my personal data then I think that we should, at any point, see what that personal data is. I bet mine is really rather dull…but it’s my dull data dammit.

Scott Sammons an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.

Sell your friend’s email for £25!

It’s quite simple. You’ve just bought a product and the company who just sold it to you asks for a friend’s email so they can market to them. If they buy then you (and them) get a cheque for £25. What a great idea!

Unfortunately they seem to have chosen to breach some regulations. To market electronically by email requires prior consent or consideration of the soft opt in option as defined in Section 22 (3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

To market by email three conditions should apply.

a) You must have obtained the email address in the course of a sale or negotiations for a sale

b) You should only market similar products

c) You should offer an opt out with every message.

They clearly miss the first one as they have made no sale nor negotiated with your friend. The second one falls by the wayside for the same reason as your friend won’t have bought anything from them, so there is no “similar” test. Finally, we’ll credit them with offering an opt out (although based on their understanding of email marketing so far that’s being generous).

There is a safety valve. If your friend, after being sold down the river does not buy from the company, then their email will never be used by the company. In fact it will be destroyed securely within 30 days. And of course it will never be passed to any other organisation or sold to a list broker.

Unfortunately the company doesn’t offer any of the guarantees in the previous paragraph. They may well do so but they don’t bother with any concept of a fair processing notice. How do you feel about sending your friend’s email to this organisation? If they’re happy to pay £25 to buy an email address that makes a sale what price do they put on a prospect?

I’m not a hacker. I’ve started an online course to learn how to be one. There is no course literature or reading list. The exam which can be taken at any time has one task. “ Your grade is held in a secure area at Hacker’s University. Change it to Pass and email yourself a PDF of your certificate”.

But if I was a hacker I’m sure I could find a way to flood this business that’s trying to buy email addresses with a few long lists of emails. All those on JISCmail data protection list; All people with NHS.net; I have many lists that people have sent me by accident.

Paul Simpkins is a Director and trainer at Act Now Training Ltd.

No time to attend our PECR courses? Try our on demand PECR webinars. One hour of learning for only £39 plus vat.

Our survey said…

I bought a new car. On delivery day it was in the showroom draped in a royal blue cloth with a sign saying Reserved for Mr Onassis. The salesman before handing me the keys mumbled in an apologetic fashion “The Sales Manager likes to talk to every customer when they take delivery…”

The Sales Manager didn’t waste much time. He said that I’d shortly be receiving a call from a company who surveys new car buyers to find out what they thought of the dealership. Then he slipped in the hard sell. “They’ll ask you to mark us on a scale of 1 to 10. Only 9 and 10 are positive; anything below that is negative.”

The survey duly arrived. I declined to answer even though I was very happy with the car and the dealership.

Days later my bank called me. I was probably going to be asked to rate my bank. From a list of phrases from very displeased to very pleased I had to choose the phrase that best described my experience. “Please be sure to say you’re very pleased with our service. Anything else is considered negative”. Again I declined to do the survey even though my bank is pretty awful.

Last week a hotel that Act Now Training uses did the same thing. Please let us know what you think of our hotel. This time the hotel manager foolishly put his suggestion “Actually it’s a yes/no question; anything under 8 is negative. We need 9s and 10s” in an email. Now we have the evidence that the practice exists. Previously the conspiracy had only survived by word of mouth.

I haven’t answered yet.

What value does a survey have when the surveyees are primed to deliver the response the company wants? Is every survey result is the product of a self selecting group – the group of people who like to give high scores in surveys? Or is there another group like me who never participate in the survey who feel there’s no value in a survey where the traditional Likert scale has been morphed into a 50/50 shot? Most brits are stiff upper lip types who won’t take a survey if their views would have been critical in case someone contacted them afterwards.

Is the information age producing better information or is the value or a survey subjective, objective or merely the result of a carefully orchestrated customer manipulation.

This article already had 12,500 likes before I posted it. Find them on Ebay.

Paul Simpkins is a Director and Trainer at Act Now Training Ltd. He will be delivering the internationally recognized BCS certificate in Data Protection in June. If you are interested in this or any other Act Now training courses on Information governance, please visit our website www.actnow.org.uk

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: