Dancing to the beat of the Google drum

With rather wearying predictability, certain parts of the media are in uproar about the removal by Google of search results linking to a positive article about a young artist. Roy Greenslade, in the Guardian, writes

The Worcester News has been the victim of one of the more bizarre examples of the European court’s so-called “right to be forgotten” ruling.

The paper was told by Google that it was removing from its search archive an article in praise of a young artist.

Yes, you read that correctly. A positive story published five years ago about Dan Roach, who was then on the verge of gaining a degree in fine art, had to be taken down.

Although no one knows who made the request to Google, it is presumed to be the artist himself, as he had previously asked the paper itself to remove the piece,  on the basis that he felt it didn’t reflect the work he is producing now. But there is a bigger story here, and in my opinion it’s one of Google selling itself as an unwilling censor, and of media uncritically buying it.

Firstly, Google had no obligation to remove the results. The judgment of the Court of Justice of the European Union (CJEU) in the Google Spain case was controversial, and problematic, but its effect was certainly not to oblige a search engine to respond to a takedown request without considering whether it has a legal obligation to do so. What it did say was that, although as a rule data subjects’ rights to removal override the interest of the general public having access to the information delivered by a search query, there may be particular reasons why the balance might go the other way.

Furthermore, even if the artist here had a legitimate complaint that the results constituted his personal data, and that the continued processing by Google was inadequate, inaccurate, excessive or continuing for longer than was necessary (none of which, I would submit, would actually be likely to apply in this case), Google could simply refuse to comply with the takedown request. At that point, the requester would be left with two options: sue, or complain to the Information Commissioner’s Office (ICO). The former option is an interesting one (and I wonder if any such small claims cases will be brought in the County Court) but I think in the majority of cases people will be likely to take the latter. However, if the ICO receives a complaint, it appears that the first thing it is likely to do is refer the person to the publisher of the information in question. In a blog post in August the Deputy Commissioner David Smith said

We’re about to update our website* with advice on when an individual should complain to us, what they need to tell us and how, in some cases, they might be better off pursuing their complaint with the original publisher and not just the search engine [emphasis added]

This is in line with their new approach to handling complaints by data subjects – which is effectively telling them to go off and resolve it with the data controller in the first place.

Even if the complaint does make its way to an ICO case officer, what that officer will be doing is assessing – pursuant to section 42 of the Data Protection Act 1998 (DPA) – “whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of [the DPA]“. What the ICO is not doing is determining an appeal. An assessment of “compliance not likely” is no more than that – it does not oblige the data controller to take action (although it may be accompanied by recommendations). An assessment of “compliance likely”, moreover, leaves an aggrieved data subject with no other option but to attempt to sue the data controller. Contrary to what Information Commissioner Christopher Graham said at the recent Rewriting History debate, there is no right of appeal to the Information Tribunal in these circumstances.

Of course the ICO could, in addition to making a “compliance not likely” assessment, serve Google with an enforcement notice under section 42 DPA requiring them to remove the results. An enforcement notice does have proper legal force, and it is a criminal offence not comply with one. But they are rare creatures. If the ICO does ever serve one on Google things will get interesting, but let’s not hold our breath.

So, simply refusing to take down the results would, certainly in the short term, cause Google no trouble, nor attract any sanction.

Secondly (sorry, that was a long “firstly”) Google appear to have notified the paper of the takedown, in the same way they notified various journalists of takedowns of their pieces back in June this year (with, again, the predictable result that the journalists were outraged, and republicised the apparently taken down information). The ICO has identified that this practice by Google may in itself constitute unfair and unlawful processing: David Smith says

We can certainly see an argument for informing publishers that a link to their content has been taken down. However, in some cases, informing the publisher has led to the complained about information being republished, while in other cases results that are taken down will link to content that is far from legitimate – for example to hate sites of various sorts. In cases like that we can see why informing the content publisher could exacerbate an already difficult situation and could in itself have a very detrimental effect on the complainant’s privacy

Google is a huge and hugely rich organisation. It appears to be trying to chip away at the CJEU judgment by making it look ridiculous. And in doing so it is cleverly using the media to help portray it as a passive actor – victim, along with the media, of censorship. As I’ve written previously, Google is anything but passive – it has algorithms which prioritise certain results above others, for commercial reasons, and it will readily remove search results upon receipt of claims that the links are to copyright material. Those elements of the media who are expressing outrage at the spurious removal of links might take a moment to reflect whether Google is really as interested in freedom of expression as they are, and, if not, why it is acting as it is.

 

 
*At the time of writing this advice does not appear to have been made available on the ICO website.

2 Comments

Filed under Data Protection, Directive 95/46/EC, enforcement, Information Commissioner, Privacy

You can’t take it with you

A paralegal has been convicted for taking client data with him when he left his role. Douglas Carswell MP denies taking Tory Party data, but what of his civil obligations with the data he has retained?

I blogged recently about the data protection implications of the news that Douglas Carswell MP was resigning his seat and seeking re-election as a UKIP MP. I mused on the fact that UKIP were reported to be “purring” over the data he was bringing with him, and I questioned whether, if this was personal data of constituents, his processing was compliant with his obligations under the Data Protection Act 1998. Paul Bernal blogged as well, and Paul was quoted in a subsequent article in The Times (which now seems to have been moved, or removed), in which Carswell defended himself against allegations of illegality

“Any data that the Conservative Party gathered while I was a member of the Conservative party is, was and must remain the property of the Conservative party.” He said that the suggestion that he had taken such information was “desperate briefing from within the Tory machine” and was extremely regrettable. The former MP did say, however, that he planned to use his own private data gathered during nine years as a Conservative MP. He insisted that he would not be sharing this with UKIP

With respect to Mr Carswell, this still doesn’t convince me that no data protection concerns exist. If by his “own private data”, he means information about constituents which is their personal data, then I would still argue that such use could potentially be in contravention of his civil obligations under the first and second principles in Schedule One to the Data Protection Act 1998. As I said previously

If constituents have given Carswell their details on the basis that it would be processed as part of his constituency work as a Conservative MP they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate

Even if he didn’t share such data with UKIP, data protection obligations would clearly be engaged.

It seems to me that his quote to The Times was perhaps to refute any possible allegations that his use of data was criminal. A recent prosecution by the Information Commissioner’s Office (ICO) illustrates how taking personal data from one job, or one role, to another, without the consent of the data controller, can be a criminal offence. The offender was a paralegal at a Yorkshire solicitor’s practice who, before he left the firm, emailed himself (presumably to a private address) information, in the form of workload lists, file notes and template documents. However, the information also contained the personal data of over 100 clients of the firm. Accordingly, he was convicted of the offence at section 55 of the DPA, of (in terms) unlawfully obtaining personal data without the consent of the data controller. The fine was, as they tend to be for section 55 offences, small – £300, plus a £30 victim surcharge and £438.63 prosecution costs – but the offender’s future job prospects in the legal sector might be adversely affected.

The ICO’s Head of Enforcement Steve Eckersley is quoted, and though he talks in terms of “employees”, his words might well be equally applicable to people leaving elected posts

Employees may think work related documents that they have produced or worked on belong to them and so they are entitled to take them when they leave. But if they include people’s details, then taking them without permission is breaking the law

Mr Carswell was wise not to retain data for which the Conservative Party was data controller. But I’m still not sure about the (non-criminal) implications of his use of data for which he is data controller.

Leave a comment

Filed under crime, Data Protection, Information Commissioner

Helping the ICO (but will ICO accept the help?)

I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.

My attention was recently drawn to the existence of sensitive personal data being made available online. Google’s bots are brute things, and will effectively cache anything they can, such as data exposed by an unsecured ftp server, and that is what appears to have happened in this case. I looked at the names of the files and folders exposed, and I felt very uncomfortable. I don’t want to see this information, and the people involved certainly wouldn’t want me to. Furthermore, neither would the data controller – a voluntary service organisation. And section 55 of the Data Protection Act 1998 (DPA) creates, in terms, an offence of obtaining personal data knowingly, without the consent of the data controller. Admittedly, if one does so and it is justified as in the public interest, then the elements of the offence are not made out, but my feeling was very much that, having seen very briefly the extent of the inadvertent exposure, I should go so far, and no further.

But what to do then? The short answer, is, to alert the data controller and refer the matter to the Information Commissioner’s Office (ICO). The ICO’s duties are to regulate and enforce the DPA, and promote the following of good practice by data controllers. Although their website is predicated on the basis that a person reporting a concern will have a direct interest in the situation, it is still possible to report a third party concern. However, when I recently reported the fact that a local authority was exposing huge amounts of personal data as open data, firstly, the case officer could not understand why the data in question allowed individuals to be identified, and secondly, asked me to explain why, by providing screenshots. (I should add that I never received a reply from the local authority.) And I know of two other people who have been asked by the ICO to provide specific and detailed examples, such as screenshots, of exposed personal data. The problem with this is that it is dragging concerned third parties directly into potential illegality: taking and emailing screenshots of personal data is processing, without the consent of the data controller, and will (or should) involve encryption (although the ICO doesn’t appear to offer this to third parties) and issues about retention. I’m not suggesting that people will be prosecuted for doing a beneficial civic act, but it is far from ideal.

As always, I understand and accept that the ICO is woefully underfunded. They can only afford to pay new case officers about £4.5k above the annual minimum wage, but I do think they should have a system in place for people to report serious exposures of personal data, and for these reports to be treated and investigated with some urgency. In my recent “open data” case, I didn’t receive any acknowledgment of receipt of my concerns (other than an automated one indicating my email had been received) and the case officer, when I did get a reply, rather impatiently explained that their service standards mean “that if you have reported a concern to us you can expect to receive a response within 30 days”. But I noted that the MS Word doc. that was sent to me was called “ICO to DS raising concerns”. I presume “DS” means “data subject”, but, of course, that is not what I was in this case. A data subject raising concerns is, in the vast majority of cases, not going to be reporting the public exposure of large amounts of sensitive personal data (most often they will be complaining about a discrete incident involving their own data).

I have spoken to people who have reported what were quite clearly horrendous exposures of personal data, but by the time the ICO looked at the case the problem had either been rectified by the data controller, or, for instance, the Google cache links had expired. Of course, that is good on one view, but when it comes to the ICO’s regulatory role, it effectively means that delays in considering these reports allow evidence of serious contraventions by data controllers to be erased.

Almost a year ago I was alerted to a horrendous exposure of highly sensitive personal data (I understand that, again, an unsecured ftp server was to blame). And I remember the frustration and consternation that I and others felt at the apparent delay by Newcastle Citizen’s Advice Bureau in getting the data removed from the web. I’m rather amazed we never heard anything from the ICO about that incident – did they complete their investigation? did they take action? if not, how on earth did the CAB manage to persuade them there wasn’t a serious DPA contravention warranting enforcement action? And, as far as I know, the CAB branch never acknowledged what had happened, nor apologised for it, nor thanked those who had alerted them to the situation.

There are many expert and well-informed people who are prepared to alert data controllers and the ICO to potentially harmful exposures of personal data. Could there not be some sort of priority alert system? (If necessary, it could be through some sort of “trusted third-party” list.) If data controllers, but particularly if the ICO, are not willing to embrace the sort of public-spiritedness which identifies and alerts them to exposures of personal data, then it’s a poor lookout for data subjects.

3 Comments

Filed under Breach Notification, Data Protection, Information Commissioner

Blackpool Displeasure Breach

I like watching football, but any real interest I had in following a club waned around the time David Hirst stopped scoring for fun for Sheffield Wednesday. I also came to be disillusioned by the advent of big money, with clubs run more and more as business concerns aimed at boosting the investments of shareholders.

So I hadn’t appreciated that convicted rapist Owen Oyston was still listed as Director of Blackpool F.C. Nor that his son Karl Oyston is Chairman. Nor that Karl’s son Sam runs the club’s hotel. It appears that at least some fans are highly critical of the Oyston dynasty, and this manifested itself in a rather puerile twitter exchange which was drawn to my attention this morning

Bw61QjoCAAEWYxL

To explain what’s going on here, a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn.

This is all very unsavoury, but it also raises concerns about the club’s handling of its fans’ personal data. The publishing of the seat number is not particularly worrying in itself: it refers to the fan’s physical place in a very public arena, and I doubt he would be bothered about it being publicised (he might even be proud, as it implies he is a dedicated fan). However, one must ask how, and why, the manager of a hotel run by the club has such ready access to customer details.

The first data protection principle of the Data Protection Act 1998 (DPA) requires that personal data be processed fairly (and lawfully) and the second principle requires that personal data “shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. If fans’ details are being accessed by the club’s hotel manager, in order to implicitly threaten them with removal of their right to attend matches, it would be difficult to see how this would be compatible with purposes for which they were obtained by the club, as data controller. I suppose it is just possible that the terms of the tickets explain that, say, abusive behaviour could lead to cancellation, but even so, it would be unlikely that this would cover what happened in the twitter exchange. One might also question whether, if someone apparently unconnected with the running of the club membership can access ticket data, the club has – in accordance with the seventh data protection principle – appropriate organisational measures in place to safeguard against unauthorised processing of personal data.

A data controller has a statutory obligation to comply with the data protection principles – a failure to do so opens it up to the possibility of civil claims being made against it, and civil enforcement action being taken by the Information Commissioner’s Office.

5 Comments

Filed under Data Protection, Information Commissioner, social media

Data protection implications of MPs crossing the floor

Douglas Carswell MP is a data controller.

It says so on the Information Commissioner’s register:

carswell

(I hope he remembers to renew the registration when it expires next week  it’s a criminal offence to process personal data as a data controller without a registration, unless you have an exemption).

But, more directly, he is a data controller because as an MP he is a person who determines the purposes for which and the manner in which the personal data of his constituents is processed.  Sensible guidance for MPs is provided by Parliament itself

A Member is the data controller for all personal data that is handled by their office and they have overall responsibility for ensuring that this is done in accordance with the DPA.

I have already written recently raising some concerns about Carswell’s alleged handling of constituents’ personal data. But this week he decided to leave the Conservative Party, resign his seat, and seek re-election as a member of the UKIP party. James Forsyth, in the Daily Mail, talks about the constituency knowledge Carswell will bring to UKIP, and reports that “one senior Ukip figure purrs: ‘The quality of Douglas’s data is amazing'”.

As a data controller an MP must process constituents’ personal data in accordance with the eight data protection principles of the Data Protection Act 1998 (DPA). Failure to do so is a contravention of the data controller’s obligation under section 4(4). Data subjects can bring legal claims for compensation for contravention of that obligation, and for serious contraventions the ICO can take enforcement action, including the serving of monetary penalty notices to a maximum of £500,000.

The second data protection principle requires that

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

A person’s political opinions are “sensitive personal data”, afforded even greater protection under the DPA. It is not difficult to understand the historical basis for this, nor, indeed, the current basis for its still being so. Data protection law is in part an expression of and development of rights which were recognised by the drafters of the Universal Declaration of Human Rights and European Convention on Human Rights. Oppression of people on the basis of their politics was and remains distressingly common.

If constituents have given Carswell their details on the basis that it would be processed as part of his constituency work as a Conservative MP they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate. As Paul Bernal tweeted

If I gave my data to help the Tories and found it was being used to help UKIP I’d be livid
Such use would also potentially be in breach of the first data protection principle, which requires that personal data be processed fairly and lawfully. It would not be fair to share data with a political party or for the purposes of furthering its aim in circumstances where the data subject was not aware of this, and might very reasonably object. And it would not be lawful if the data were, for instance, disclosed to UKIP in breach of confidence.

An interesting twitter discussion took place this morning about whether this apparent use of constituents’ data might even engage the criminal law provisions of the DPA. As well as Carswell, there may be other data controllers involved: if some of the data he was in possession of was for instance, being processed by him on behalf of, say, the Conservative Party itself, then the latter would be data controller. Section 55 of the DPA creates, in terms, an offence of unlawfully disclosing personal data without the consent of the data controller. However, as was agreed on twitter, this would be a complex knot to unpick, and it is unlikely, to say the least, that either the ICO or the CPS would want to pursue the matter.
Notwithstanding this, there are serious questions to be asked about the DPA implications of any MP crossing the floor. The use of personal data is likely to be a key battleground in the forthcoming general election, and throw even sharper focus on European data protection reform. I would argue that this is a subject which the ICO needs to get a grip on, and quickly.

 

UPDATE: Paul Bernal has written a superb piece on the broader ethical issues engaged here.

4 Comments

Filed under Confidentiality, Data Protection, human rights, Information Commissioner

Due to data protection, an apology

Earlier today I noticed a tweet from British Airways, in response a query from someone who had apparently tweeted their booking reference number. BA said

Hi…for data protection we must ask you remove the booking ref from your feed. We’ll look into this and get back to you.

I thought it was mildly amusing and irritating that “data protection” was being cited as the reason for the request to delete the tweet. “Data protection” sometimes seems like a catch-all term companies trot out when they’re asked for any sort of information which they’re reluctant to disclose. This time it seemed like BA were extending this to a paternalistic oversight of people’s twitter feeds.

In this instance, though, BA responded politely to my tweet, explaining why they discourage customers from posting booking numbers on social media, and others politely rallied to their cause.

So I’m just posting to say to BA – I’m sorry. I think you’re right to discourage the public posting of private information, and I understand why you sent that tweet. It was puerile of me to pick it up and tweet about it.

But, even though the issue is related to the processing of personal data, I do still think it was a bit silly to use “data protection” to justify your sensible suggestion to a customer to delete one of their tweets.

6 Comments

Filed under Data Protection

Some observations on the MoJ £180,000 data protection “fine”

1. It wasn’t a fine: section 55A of the Data Protection Act 1998 (DPA) gives the Information Commissioner’s Office (ICO) the power to impose a monetary penalty notice (MPN) to a maximum of £500,000 on a data controller which has made a serious contravention of its obligation to comply with the data protection principles, and the contravention was of a kind likely to cause substantial damage or substantial distress (and the data controller knew or should have known about the risk). There is often confusion over the civil and criminal sanctions in the DPA, perhaps not helped by the fact that the main criminal sanction is at section 55, and the main civil sanction at section 55A. However, although the incorrect use of the term “fine” is understandable in some circumstances, I don’t think the ICO themselves should use it.

2. The money goes straight back to the government: this is true – monetary penalties do not get paid to the ICO. Rather, they are paid into the Consolidated Fund – the government’s bank account. While this does have an element of absurdity (and similar complaints are sometimes made when the ICO serves MPNs on other public bodies, such as the NHS, or local authorities) recent research (and personal anecdotal experience) suggests that the MPNs are effective in improving data controller compliance. One wonders if alternative methods, like individual liability for data controller failings (which would require major primary legislation), would have similar effects.

3. The Ministry of Justice funds the ICO: in part, at least. The MoJ funds the ICO for its freedom of information work. Its data protection work comes from the fees data controllers pay the ICO to appear on its register. Nonetheless, penalising the MoJ could be seen as biting the hand that feeds – it is commendable that the ICO is not afraid to do so.

4. The MoJ is data controller for prisoner data within prisons: being the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed. That’s a heck of a lot of highly sensitive personal data to be responsible for. And such responsibility carries potential huge liability for errors.

5. This is not the first MPN the MoJ has received: less than 12 months ago the MoJ received an MPN of £140,000 for a remarkably similar set of events to those which prompted the latest MPN. Both MPNs involved insecure processes to safeguard prisoner databases – in the first an unencrypted database file was emailed to a member of the public, and in the second a hard disk containing a prisoner database, which should have been encrypted but wasn’t, has been lost. As MPNs are often served (as these were) for contraventions of the obligation to have appropriate organisational and technical measures in place to safeguard against loss of data, one might argue that a second such serious contravention might have warranted even more severe sanctions. The ICO even notes that the second contravention was because of a botched attempt to put right what happened in the first, and deems the second contravention “very serious” (as opposed to the first’s “serious”). I am not the only person I have spoken to who is surprised this latest MPN was not higher.

and finally

6. Data security is not just about technology: it’s also about people. In this instance the MoJ, after its first MPN (see above), sent hard drives to all relevant prisons which were capable of holding data in encrypted format.

But they forgot to tell the prison staff to switch encryption on.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

Follow

Get every new post delivered to your Inbox.

Join 156 other followers