Those Were the Days!

Martin Gibson, of Buckinghamshire County Council, reflects on the challenges facing a Data Protection Officer and how relationships with the Information Commissioner’s Office have changed over the years.

Read more here

Cloud Computing and Data Protection

The issue of cloud computing has been getting huge coverage in recent years for a number of reasons – like the new cookie rules, the word ‘cloud’ offers journalists the opportunity to come up with easy punning headings about “storm clouds” or “cloudy outlook”. Moreover, with a myriad of different companies large (Apple, Microsoft, Google) and small offering a variety of cloud products to both organisation and consumers, the horizon is clouded (see what I did there?) with press releases, interviews and advertorials, all designed to persuade people to part with their data. What are the Data Protection implications?  This article focuses on the practical issues that an organisation needs to take into account when thinking about cloud computing.

Read More Here

DP & FOI. Coming to a school near you.

It may have sneaked under the radar in and around Xmas but an FOI request in Wales to schools produced some alarming stats.

There are at least 2,840 cameras in schools across Wales, one school in Cardiff has 40 cameras for around 190 pupils. Just over a third of all the schools in Wales responded to the Freedom of Information Act request asking about CCTV use on their premises. That means that two thirds don’t do CCTV or worse than that they didn‘t realise they had to reply to FOI requests.

Of the 602 that replied, 519 provided some or all of the information requested while 83 refused to answer any of the questions.

Of those surveyed, 54% admitted they had not given full information about the location of cameras and times they were filming to parents.

This is neither rocket science nor brain surgery. If you use CCTV cameras you tell people likely to be filmed that you are doing it. It’s called fair processing and is Principle 1 of the Act. The simple solution is putting up signs at every entrance to the school grounds saying that filming is taking place and why. Design them yourself if you feel like it or you can buy them cheaply from many office suppliers. What you don’t do is not tell parents & pupils that you’re filming. Failure to comply with a principle can lead to a criminal offence. Principle 1 says processing should be Fair and Lawful.

Furthermore if someone asks a question using Freedom of Information about a process (CCTV) that should be part of a fair processing notice and 83 schools refuse to answer some-one somewhere should ask to see their refusal notices (sounds like FOI request to me) as there are no real grounds for refusing as the information should already supplied to Parents & Pupils. Doesn’t the commissioner have the power to issue an enforcement notice without a complaint if he feels there is an issue that needs addressing? Is 83 schools a big issue?

See the report and the spreadsheets that support this at

But before we all harrumph at the standard of compliance with Information Law in welsh schools let’s ask our local school some simple questions.

  • Can I see your Publication Scheme?
  • Please give me a copy of your Privacy policy.
  • Do you use CCTV in the school?
  • Can I see a copy of your Notification?

You should get 4 answers by return all reassuring you that your local school knows what it’s doing. One missing or a long delay and you know something just ain’t right.

If you want to be more sneaky you can see if your local school has notified their processing to the ICO by searching the register of Data Controllers. You may be surprised. At a course in the North East a few years ago we had over 30 schools in the audience. I suggested that at coffee break we could get online and check a few schools to see if they were on the ICO’s register. We tried 6 before we found one who had done it. (An offence – Section 17 followed by Section 21).

Act Now has a briefing for schools on DP & FOI. Half a day at venues throughout the UK. We also have online courses in this area. See

RIPA it up and start again?

At a time when the phone hacking scandal has shone a spotlight on the murky world of police and tabloid surveillance, the Government, through the Protection of Freedoms Bill, is choosing a soft target in local authorities rather than focusing on the real culprits.

The Bill is currently proceeding through the Committee Stage in the House of Lords. If passed in its current form, it will require local authorities to have all their surveillance authorisations under the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a magistrate before they take effect.

Most local authorities feel that this is a disproportionate response to inaccurate media stories about their “overzealous” use of RIPA. When the the Coalition Government published the Bill in February 2011, the Home Secretary, announced:

“The first duty of the state is the protection of its citizens, but this should never be an excuse for the government to intrude into peoples’ private lives. Snooping on the contents of families’ bins and security checking school-run mums are not necessary for public safety and this Bill will bring them to an end. I am bringing common sense back to public protection and freeing people to go about their daily lives without a fear that the state is monitoring them.”

The reality is that most authorities only use their powers in a handful of cases each year and only when there is no other viable means of investigating offences and then in a reasonable and proportionate manner. The latest annual report by the Office of Surveillance Commissioners (2010/2011) states:

“Generally speaking, local authorities use RIPA/RIP(S)A powers sparingly with over 50% granting five or fewer directed surveillance authorisations during the reporting period. Some 16% granted none at all.”

By contrast, it seems that there is a much more convincing case for stronger regulation of media (especially the tabloids) and police surveillance. The setting up of the Leveson Inquiry and the inquiry by the House of Commons Select Committee on Culture, Media and Sport meant that at first the primary concern was about allegations of phone hacking by the News of the World. However it has now become clear that hacking phones was just one part of the unscrupulous journalist’s toolkit. It also included buying information from the police, blagging sensitive personal information from public and private sector organisations and the hacking politicians’ computers to gain access to their e mails.

Allegations have also surfaced that that the police have been misusing their powers under RIPA to assist the tabloids to locate the whereabouts of celebrities and other persons of interest. Working with mobile phone companies, the police have the ability to pinpoint a phone by monitoring which signal masts it is using and triangulating its location. This involves the acquisition of “traffic data” under Chapter 2 of Part 1 of RIPA and has to be properly authorised in writing by a senior police officer. The technique is known as “pinging”. It is meant to be used in the most serious cases e.g. kidnap and murder cases to locate the whereabouts of victims and suspects. It is not designed to help journalists locate a celebrity or to track a premiership footballer “playing away from home.”

From the various media reports it seems that the police have a serious case to answer about RIPA misuse. Why were powers which were enacted to assist the police to investigate serious criminal offences being abused for commercial gain? Surely, if the reports are true, there is a stronger case for judicial approval of police RIPA communications data powers than those of local authorities who occasionally use them to obtain the identity of a rogue trader or fly tipper? It may be time to amend the Bill to include the police in the requirement to seek Magistrates’ approval?

At present Part 2 of RIPA (covert surveillance) only covers public authorities. The tabloids often use questionable covert surveillance tactics which are unregulated. In November 20011 the BBC reported that The News of the World hired an ex-police officer in 2010 to carry out surveillance on two prominent lawyers, Mark Lewis and Charlotte Harris, who were representing phone hacking victims. The investigator is reported to have filmed members of Mr Lewis’s family, including his teenage daughter, on a shopping trip. These allegations were subsequently confirmed by both lawyers when giving evidence to the Leveson Inquiry.

It’s fair to say that the tabloids, by doing covert surveillance, have had more of an impact on individuals’ privacy than local authorities. Currently there is no law, which comprehensively regulates these activities. Some may lead to trespass, harassment or a breach of the Data Protection Act 1998. The government would do more to protect peoples’ civil liberties by turning its attention to media surveillance than local authority surveillance, which is already properly regulated. There is now a very strong case for bringing the media within the scope of the RIPA regime. Local authorities should be left alone, without further regulation, to continue what they have, in the majority of cases, been doing in a necessary and proportionate manner.

We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Bill. See also our RIPA Forms Guidance Document.

My Car talks to another car. Where’s the personal data?

Black CarI attended a conference in Spain at Easter 2010 – the Easter when Ash Wednesday actually meant something. A speaker stood up and described an EU project whereby cars would talk to each other in some way yet to be determined so in the event of congestion (a significant period of slow progress) or a sudden stop (interpreted as an accident) the car would contact a central control room and pass information about these situations. In extreme cases the car would dial 112 and request police or fire or ambulance to attend. At the time the hypercritical audience pooh-poohed the idea pointing out that there was no personal data involved if two cars talked to each other. But is it an intrusion into our private life?

The European Commission recently announced that it would like to see emergency transmitters in all new cars by 2015 – that’s under 3 years away. This “eCall system” is the subject of a new Recommendation from the Commission, which is non-legislative but will be followed by a legislative proposal later. Installation of the eCall system is expected to cost less than €100 per new car. It will be compulsory. The Commission has decided to take legislative action to introduce eCall because voluntary deployment has been insufficient. The Commission had previously called for eCall to be rolled out voluntarily across Europe by 2009 (that’s before planes failed to fly due to the ash cloud of a volcano who’s name is worth 675 points at scrabble) but adoption has been very slow.

Obviously it would help in road safety matters and the early arrival of emergency services also allows the crash site to be cleared more quickly thus reducing the risk of secondary accidents, decreasing congestion times and cutting fuel waste.

The eCall system is activated automatically as soon as in-vehicle sensors detect a serious crash. Once set off, the system dials the European emergency number 112, establishes a telephone link to the appropriate emergency call centre and sends details of the accident to the rescue services, including the time of incident, the accurate position of the crashed vehicle and the direction of travel (most important on motorways and in tunnels). An eCall can also be triggered manually by pushing a button in the car, for example by a witness to a serious accident.

The eCall system is estimated to cost less than €100 per new car to install. To rule out privacy concerns, the eCall system does not allow the tracking of vehicles because it ‘sleeps’ and does not send any signals until it is activated by a crash. However there are a few other issues to bear in mind. It’s a GPS system. There’s a button in every new car labelled SOS which is pre-activated so unless you ask for it to be turned off it’s already on. Some mysterious data controller (maybe a fat one) knows where every car in the EU is at any given time.

Spookily the car’s audio system is linked to the fat controller so he can speak to you with simple sound bites such as “Would you like a big mac while you’re waiting for help – there’s a truck stop 2 clicks away and we can blue tooth your order there”.

I’m pleased I drive a Mk IV Golf. It doesn’t have a cat; it’s not trackable by a fat man sitting in Brussels eating chips with mayonnaise on and it plays 8 track cassettes at maximum volume while I sit in traffic jams on the M25.

Read all about it.

BooksChristmas is coming; the geese are getting weight challenged. Nothing better than to curl up with a good book about privacy issues. Many authors have dabbled in this type of thriller.

Here’s a top ten list for the festive season. Note an e book is not the same as e government (whatever happened to that?)

1. 1984 by George Orwell. The date of the first UK DP Act and blairites will all know the first line – “It was a bright cold day in April, and the clocks were striking thirteen”. If you haven’t read it yet then shame on you. If you haven’t now is the season to be jolly.

2. Digital Fortress is a techno-thriller novel written by Dan Brown in 1998.The book explores the theme of government surveillance of electronically stored information on the private lives of citizens, and the possible civil liberties and ethical implications using such technology. Bit of a potboiler but uses the date of the current UK DP Act.

3. Jeffrey Deaver hits you with a double whammy with The Blue Nowhere and The Broken Window. Both to do with cyber crime and the latter to do with data warehousing. Lots of the usual violence, sex and car chases thrown in but interesting nonetheless.

4. Two authors who combine their surnames to become Lury Gibson have published 3 books in this field – Need to Know, Dangerous Data and Blood Data all in 2002 (FOISA) and the last 2 feature a data detective called Arthur C Dogg (don’t ask me why) who seems to be able to hack into anything.

5. Not read this one but recommended is Jennifer Government, a novel written by Max Barry. Published in 2003. (Same as PECR). In it people take the surnames of the corporations they work for, and a person with two jobs hyphenates their name (e.g. Julia Nike-McDonalds). USA seems to have taken over the world and privacy is suddenly a big issue.

6. The Dying Light by Henry Porter is set in Britain in the near future, where the tentacles of the surveillance state have been extending their reach throughout society. The heroine is thrown into a dangerous attempt to uncover the rotten-ness of the government after her estranged best friend is killed. Henry has written several other books in the same genre and seems to be more bomb expert than a privacy expert. Good rollicking read as they say in the cheap sundays.

7. The Traveller by John Twelve Hawks is the story of visionaries who fight against an organisation seeking world dominance through control of information. Travellers live off the grid and avoid the glare of the techno state. Harlequins protect Travellers and it’s a jolly good read. There is a follow up but the author seems to have lost his original drive with the sequel.

All of these benefit from being good reads as well as having a privacy angle.

Movies? OK. You might struggle to find some of these.

1. Absence of Malice. Paul Newman and Sally Fields star in this film about privacy rights and the press. The film is not interested in a balanced assessment of conflicting rights; instead it accentuates the sorts of concerns that led to Louis Brandeis’s seminal article on privacy almost a century earlier.

2. The Truman Show. Can you imagine a situation in which every moment of your life from birth to the present is filmed by hidden cameras? That’s what happens to Truman Burbank, the leading character in this movie. For thirty years he has no inkling of what is going on. Then one day he begins to discover the truth. Privacy – you don’t say.

3. Twenty three. The movie’s plot is based on the true story of a group of young computer hackers from Hannover, Germany. In the late 1980s the orphaned Karl Koch invests his heritage in a flat and a home computer. At first he dials up to bulletin boards but soon he and his friend David start breaking into government and military computers. Pepe, one of Karl’s rather criminal acquaintances senses that there is money in computer cracking – he travels to Berlin and tries to contact the KGB.

4. Pirates of Silicon Valley An intriguing character study of two of the most extraordinary individuals of our modern technological era. The movie is historically inaccurate. Nevertheless, it manages to capture the essence of how much of modern computing came to be: the cluelessness of Xerox about what its own computer scientists were doing; Steve Jobs’ artistic vision at Apple; and Bill Gates’ ruthless business practices at Microsoft. And you will be fascinated by how these men got where they are today.

5. The Net. When Angela Bennett played by Sandra Bullock wakes up, she finds that all records of her life have been deleted: She was checked out of her hotel room, her car is no longer at the parking lot, and her credit cards are invalid. Now read on.

6. Enemy of the State. Will Smith played by Will Smith finds that all records of his life are on hold and his credit cards are invalid. Now read on. (Actually quite good stuff this one – if you have to watch only one movie this Xmas…)).

7. Minority Report. In the future, criminals are caught before the crimes they commit actually occur. Good ole boy Tom Cruise gets into hot water and somehow gets to the end of the movie and saves the world.

All you have to do now is convince your line manager you have 10 books and 7 movies to study to keep up to date with your job and you need time off in lieu to get on with it. No doubt colleagues will suggest others.

Cable Management from Wiki

Cable management refers to an important step during the installation of building services (i.e. electrical services) and the subsequent installation of equipment providing means to tidily secure electrical, data, and other cables.

Cables can easily become tangled, making them difficult to work with, sometimes resulting in devices accidentally becoming unplugged as one attempts to move a cable. Such cases are known as “cable spaghetti”.

No further comment is needed.

%d bloggers like this: