Author Archives: Jon Baines

Lords’ Committee on Social Media and Criminal Offences – lacking a DPA expert?

In its generally sensible report on Social Media and Criminal Offences the House of Lords’ Communications Committee dealt with the subject of “Revenge Porn” (defined as “the electronic publication or distribution of sexually explicit material (principally images) of one or both of the couple, the material having originally been provided consensually for private use”, which seems to me worryingly to miss a key factor – that the publication or distribution will be done with harmful intent). The committee considered what criminal offences might be engaged by this hateful practice, but also observed (¶41) that

a private remedy is already available to the victim. Images of people are covered by the Data Protection Act 1988 (as “personal data”), and so is information about people which is derived from images. Images of a person count as “sensitive personal data” under the Act if they relate to “sexual life”. Under the Act, a data subject may require a data controller not to process the data in a manner that is “causing or is likely to cause substantial damage or substantial distress to him or to another”.

This is all true, but the next bit is not

The Information Commissioner may award compensation to a person so affected 

The Information Commissioner (IC) has no such powers, and one wonders from where the committee got this impression (maybe they confused the IC’s enforcement powers with the powers of the Local Government Ombudsman to make recommendations, such as payment of compensation). In circumstances where someone wishes to complain about the processing of their personal data, their only direct right (regarding the IC) is to ask him (pursuant to section 42) to assess whether the data controller’s processing was likely to have complied with its obligations under the Data Protection Act 1998 (DPA). All the substantive rights given to data subjects under the DPA (such as access to data, rectification, ceasing of processing, compensation etc) are enforceable only by the data subject through the courts. Moreover, “revenge porn” cases would involve the data subject requesting the data controller (who in most cases will be the person who has uploaded the images/content in question) to desist. This could clearly be a course of action fraught with difficulties.

The Committee goes on to point to another civil remedy – “An individual may also apply to the High Court for a privacy injunction to prevent or stop the publication of material relating to a person’s sexual life” – but observes (¶44) that

We are concerned that the latter remedy is available only to those who can afford access to the High Court. It would be desirable to provide a proportionately more accessible route to judicial intervention

Whilst remedies under the DPA are available through the County Court (or Sheriff’s Court in Scotland), rather than the High Court, this still involves expenditure, especially if the case is not amenable to the small claims track, and also involves potential exposure to costs in the event that the claim is unsuccessful.

Furthermore, in the event that the IC were asked to consider a complaint about “revenge porn”, it might be borne in mind that he is reluctant to rule on matters regarding publication of private information on the internet. Section 36 of the DPA provides an exemption to the Act where the processing is only for “domestic purposes”. The Committee correctly says (¶41)

Personal data “processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)” are exempt from this provision but the European Court of Justice has determined that posting material on the internet is not part of one’s “personal, family or household affairs”

And the Committee cites in support of this the Court of Justice of the European Union’s judgment in the case of Lindqvist. But the IC has traditionally been reluctant fully to grapple with the implications of Lindqvist, and, as I have noted previously, its guidance Social networking and online forums – when does the DPA apply?, which says

the ‘domestic purposes’ exemption…will apply whenever an individual uses an online forum purely for domestic purposes

is manifestly at odds with the CJEU’s ruling.

I would greatly hope that, if asked to consider the legality of the posting of “revenge porn”, the IC would not decline jurisdiction on the basis of the section 36 exemption, but his position on section 36 is problematic when it comes to regulation and enforcement of social media.

It is rather to be regretted that the Lords’ Committee was not better informed on these particular aspects of its report.

3 Comments

Filed under Data Protection, Information Commissioner, social media

ICO penalty after one million credit card details extracted from vulnerable website

The Information Commissioner’s Office (ICO) has served a monetary penalty notice (MPN) of £150,000 on online travel company Think W3 Ltd.

MPNs (sometimes wrongly described as “fines” *cough* http://ico.org.uk/enforcement/fines) are civil penalties which can be served by the ICO where it has determined that the data controller in question has contravened the Data Protection Act 1998 and the contravention was: serious, of a kind likely to cause substantial damage or substantial distress and the data controller knew or ought to have known that there was a risk the contravention would occur but failed to take steps to prevent it. The ICO classed this contravention as very serious.

The website of Essential Travel Ltd, a subsidiary and trading brand of Think W3, was subject to a major attack under which more than 1 million credit card records were extracted. The attack was the result of an SQL injection enabled by a coding error on a login page which (for the facilitation of home-working) was publicly available over the internet. It appears that the coding error, and the lack of suitable checks since, meant the site had been vulnerable since early 2006 until December 2012 (when the attack happened).
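The notice describes the cause only as an SQL injection enabled by a coding error on a login page. As an added illustration (not code from the ICO notice, Think W3 or Essential Travel, whose actual code is not on the page), the block below shows the shape of that defect, a login query assembled by string concatenation, beside the parameterised form that removes it, with a small check a developer or auditor could run to confirm the fix holds. The table name, columns, the sample account and the probe string are all constructed for the demonstration.

```python
"""
Added example: string-built login query (the defect class described in the
ICO notice) beside its parameterised replacement, with a regression check.
All names and sample data are constructed; they are not from the notice.
"""
import hashlib
import sqlite3


def _build_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table with one account.
    # SHA-256 is a stand-in here; a real site should use a slow password
    # hash (bcrypt, scrypt, Argon2) rather than a fast digest.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Defective form: user input is spliced into the SQL text itself."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders keep input as data, never as SQL syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


def regression_check() -> dict:
    """Run both versions against valid, invalid and malformed input.

    The probe is the textbook malformed username: a quote closes the string
    literal and '--' comments out the rest of the query, so the vulnerable
    version never evaluates the password clause at all.
    """
    conn = _build_db()
    probe = "alice' --"
    return {
        "vulnerable_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_probe": login_vulnerable(conn, probe, "anything"),
        "safe_good_creds": login_safe(conn, "alice", "correct horse"),
        "safe_bad_creds": login_safe(conn, "alice", "wrong"),
        "safe_probe": login_safe(conn, probe, "anything"),
    }


if __name__ == "__main__":
    for name, outcome in regression_check().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

The point of the check is the pair `vulnerable_probe` / `safe_probe`: the same malformed username logs in against the concatenated query and is rejected by the parameterised one. A check of this kind in a test suite is what would have caught the six-year exposure the notice describes; the notice also faults the absence of suitable checks after the original error, which is the gap a recurring test closes.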

The fact that the MPN was at the lower end of the scale available is probably because of the need (laid out in guidance) for the ICO to consider the data controller’s financial ability to pay a penalty. What I find interesting here is that Think W3 Ltd was a company wholly owned by Thomas Cook Group, which acquired 100% of it in 2010 and held it until January this year. Company law normally provides that liability of a company within a group attaches to that company alone, so the assets of the Group were not available to be taken into account by the ICO, but, given that the seventh data protection principle was already being contravened, in a very serious manner, at the time of the 2010 acquisition, some questions might now be asked of those in charge at the time. And it is noteworthy that Thomas Cook appear to be prepared to pay the penalty, rather than new owners Holiday Extras.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

ICO responds to my concerns about PECR compliance

In assessing one’s own compliance with the law, or in advising a client on the law, or in pontificating on one’s blog about the law, one is well advised to refer not only to the law itself (whether in the form of legislation or precedent at common law), but also codes of practice, and guidance. When the law in question is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which are enforced and overseen by the Information Commissioner’s Office (ICO), it is natural that one would refer – in addition to PECR themselves, and the European Directive 2002/58/EC to which PECR give domestic effect – to the ICO’s own PECR guidance, and, particularly when it comes to electronic marketing, the guidance on Direct Marketing.

So, when the latter guidance says

Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…

it would be reasonable to assume that an organisation which did not do this would be, at least if not in direct breach of PECR, sailing close to the wind. The relevant regulation (22(2)) of PECR says that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

and recital 40 of the originating Directive says that electronic marketing requires that prior, explicit consent be given before electronic marketing can take place.

One could reasonably argue that, until such unsolicited electronic marketing takes place, there is no active breach of PECR, but it should surely be conceded that any practice of collecting email addresses, by – say – a political party, in circumstances where explicit consent to receiving subsequent electronic political marketing has not been given, is questionable.

I have blogged a number of times in recent weeks about such harvesting of email addresses, and it was prompted by a “widget” on the Labour Party website. I asked the ICO for a statement specifically about that “widget”, and this is what their spokesman said:

In general terms, if an organisation wishes to retain individuals’ contact details it should make them aware of this before their information is collected.  This appears to be the case in the NHS baby number service. We also advise organisations that web pages should explain how personal information will be used, and this can be via a link to the organisation’s privacy policy. We would also want to ensure that individuals can unsubscribe from emails if they receive them, as appears to be the situation here. 

We have published detailed guidance for political parties for campaigning or promotional purposes. On 1 May 2014, the Information Commissioner wrote to the main UK political parties reminding them of the need to follow data protection and electronic marketing rules. Political campaigning is an area that attracts close public scrutiny. We shall continue to encourage political parties to demonstrate best practice and be open and upfront with people when explaining how their personal details will be used

Now, this is a reasonable and accurate statement about the collection of personal data and compliance with the first Data Protection Principle in Schedule One of the Data Protection Act 1998 – tell people what you are gathering their data for, and how it will be used, and you will probably have broadly complied with the duty to process personal data “fairly”.

However, it seems to overlook – with its reference to “general terms” – the specific requirements of PECR. It seems clear to me that any subsequent email from Labour will have been sent because they have inferred, rather than having received notification of, (explicit) consent.

PECR is not my strongest area. Seriously – am I missing something?

4 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

Big Political Data

I’ve written over the past few months about questionable compliance by the Conservative, Labour, Liberal Democrat and Scottish National Parties with their obligations under the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. And, as I sat down to write this post, I thought I’d check a couple of other parties’ sites, and, sure enough, similar issues are raised by the UKIP and Plaid Cymru sites.

[Image: screenshots of the UKIP and Plaid Cymru email sign-up forms]

No one except a few enthusiasts in this area of law/compliance seems particularly concerned, and I will, no doubt, eventually get fed up with the dead horse I am flogging. However, a fascinating article in The Telegraph by James Kirkup casts a light on just why political parties might be so keen to harvest personal data, and not be transparent about their uses of it.

Kirkup points out how parties have begun an

extraordinarily extensive – and expensive – programme of opinion polls and focus groups generating huge volumes of data about voters’ views and preferences…Traditional polls and focus groups have changed little in the past two decades. They help parties discover what voters think, what they want to hear, and how best to say it to them. That is the first stage of campaigning. The second is to identify precisely which voters you need to speak to. With finite time and resources, parties cannot afford to waste effort either preaching to the converted or trying to win over diehard opponents who will never change sides. The party that finds the waverers in the middle gains a crucial advantage.

It seems clear to me that the tricks, and opacity, which are used to get people to give up their personal information, are part of this drive to amass more and more data for political purposes. It’s unethical, it’s probably unlawful, but few seem to care, and no one, including the Information Commissioner’s Office (which has, in the past taken robust action against dodgy marketing practices in party politics) has seemed prepared so far to do anything to prevent it. However, the ICO has good guidance for the parties on this, and in May this year, issued a warning to play by the marketing rules in the run-up to local and European elections. Let’s hope this warning, and the threat of enforcement action, extends to the bigger stage of the national elections next year.


2 Comments

Filed under Confidentiality, consent, Data Protection, Information Commissioner, marketing, PECR, Privacy

Naming and shaming no shows is a no-no

I know a couple who run a restaurant. And I know how the problem of no-shows can cause great economic damage to restaurants. Failing to show up, or to cancel in advance, is, moreover, incredibly rude. But the response, which I only became aware of today, of naming and shaming the no-show customers on twitter is a risky and probably unlawful one for restaurateurs to take.

In the instance I saw this morning a London restaurant had apparently searched for the twitter account of a person who they thought had failed to show, and had openly tweeted their displeasure. He, however, had email proof that he had cancelled in advance. The restaurant investigated, accepted this, and apologised (and the customer accepted, so I’m not going to name either of the parties).

However, the restaurant was processing the personal data of the customer when it took his booking, and their use of that data would be limited to what the customer was told at the time, or what he might reasonably expect. So, unless they had a very odd privacy notice, their permitted processing purposes would not have extended to the naming and shaming of him for failing to turn up. Thus, it would seem to be a breach of at least both the first and the second data protection principles. Moreover, the rather cavalier approach to customer data wouldn’t make one confident about other aspects of data protection compliance.

I really do sympathise with restaurateurs: one of the alternative approaches to no-shows and late cancellers is punitive cancellation fees, but that also has its drawbacks and detractors. However, there are not many areas of commerce where companies would be able to get away with such apparently unfair and unlawful processing of their customers’ personal data: announcing that someone has failed to attend at a certain restaurant potentially indicates quite a bit about the person’s tastes, means and location. It’s a risky thing for a restaurateur to do, especially when, as with the restaurant I saw tweeting earlier today, they haven’t registered their processing with the Information Commissioner’s Office (which, I would emphasise, is a criminal offence).


Leave a comment

Filed under Data Protection, Information Commissioner, privacy notice, social media

The days of wine and disclosures

I like FOI. I like wine. Here’s an FOI disclosure about wine.

In the early days of the Freedom of Information Act 2000 (FOI) there were frequent attempts to get the government to disclose detailed information about its wine cellar (see for instance this seemingly interminable request). Eventually, the Information Commissioner got fed up with the lack of FOI hospitality from the Foreign and Commonwealth Office (FCO), who seem to be responsible for this sort of thing, and started issuing decision notices requiring disclosure.

I’m pleased to see that disclosure is now, if not a matter of routine, not resisted by FCO (except for some intriguing little redactions – one wonders if they hide things like “this is the Minister for X’s favourite”). So, we now know that the government has reserves of, for instance, 139 bottles of Latour 1961, with a market value of £321,000. This is the highest value wine, but we (sorry, they) also hold 110 bottles of Chateau Margaux 1983 (market value £15k – not the best vintage, after all). And their Pétrus is only the 1978, but even so, the estimated market value of £250 seems very low.

It’s a shame the dataset isn’t in a reusable format, but, we’re all in it together, so I’d invite others to search out some other interesting cellar items. Those Krug ’82 magnums look a steal at £125 a pop…

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

ICO v ICO?

UPDATE: 16 July 2014 – in the comments to this piece the ICO adds some further details on the “non-trivial” incident: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

The ICO had a “non-trivial” data security incident last year. Can it “fine” itself? Will/has it?

There was an interesting teaser in the Information Commissioner’s Annual Report. As The Times reports

Christopher Graham, the Information Commissioner (ICO), revealed yesterday that his office had suffered a “non-trivial data security incident” within the last 12 months, which prompted a full internal investigation

The ICO, of course, processes personal data and in doing so assumes the role of the data controller (according to section 1(1) of the Data Protection Act 1998 (DPA)). It also assumes the obligation to comply with the data protection principles, and the liability for contravening them. In 2012 the ICO responded to a Freedom of Information Act 2000 (FOIA) request for its “data breach log” with a document that showed admirable commitment to recording even the smallest of potential data security incidents (“person taking photographs outside building”, “theft of small amount of money”). In that instance there were two incidents identified as “high risk”, but the ICO declined to provide information, and the requester, it seems, did not pursue the matter.

This time, with national media picking the story up, the matter may be pushed further. At the moment the ICO is apparently declining to offer any further comment to the media, advising The Times that

You will have to fill out a freedom of information request

which doesn’t really sit that well with their normal commitment to transparency.

But to what extent can or should the ICO investigate its own compliance with the DPA? The Act does not provide for any derogation for the ICO from its obligations, and nor does it provide for any alternative to “self regulation”. Nor, moreover, does it appear to provide for any delegation to a third party to investigate. When it deals with complaints about its own handling of FOIA requests it habitually issues decision notices about itself (sometimes even finding against itself). It does this by distinguishing between “the ICO” (the entity dealing with the request) and “the Commissioner” (the entity dealing with the complaint). I would imagine that a similar nominal separation would be used if it came to formal enforcement action being contemplated in response to a data security incident.

I emphasise the word “if” in the previous sentence, because, although The Times says

The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach

it is clear in fact that no such enforcement action resulted in this instance. This is clear because, firstly, the ICO’s own Monetary Penalty Guidance says that any monetary penalty notice (for which “fine” is a convenient, if not strictly correct, shorthand) will be published on its website. None has been published (believe me – I check these things very regularly). And secondly, and more fundamentally, the ICO’s report says that the incident in question

did not amount to a serious breach of the Data Protection Act [emphasis added]

By section 55A a monetary penalty can only be served for a serious contravention of the data controller’s obligations under the DPA. If the incident was not a serious contravention, the statutory threshold for a monetary penalty is simply not met. So, regardless of what other information about the incident might be winkled out of the ICO, we are not going to have a story of “ICO fines ICO”.

However, on a final point, I note that the ICO expects data controllers to report serious data security incidents to the ICO. So the question arises – did the ICO report this to the ICO, or did the ICO assess this as not serious enough to refer to the ICO? How did the ICO get to know? Could it have been a leak by the ICO? Or even by the ICO? These questions deserve answers*.

*no they don’t

8 Comments

Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice

Political attitudes to ePrivacy – this goes deep

With the rushing through of privacy-intrusive legislation under highly questionable procedures, it almost seems wrong to bang on about political parties and their approach to ePrivacy and marketing, but a) much better people have written on the #DRIP bill, and b) I think the two issues are not entirely unrelated.

Last week I was taking issue with Labour’s social media campaign which invited people to submit their email address to get a number relating to when they were born under the NHS.

Today, prompted by a twitter exchange with the excellent Lib Dem councillor James Baker, in which I observed that politicians and political parties seem to be exploiting people’s interest in discrete policy issues to harvest emails, I looked at the Liberal Democrats’ home page. It really couldn’t have illustrated my point any better. People are invited to “agree” that they’re against female genital mutilation, by submitting their email address.

[Image: screenshot of the Liberal Democrats’ home page FGM “agree” form]

There’s no information whatsoever about what will happen to your email address once you submit it. So, just as Labour were, but even more clearly here, the Lib Dems are in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998. James says he’ll contact HQ to make them aware. But how on earth are they not already aware? The specific laws have been in place for eleven years, but the principles are much older – be fair and transparent with people’s private information. And it is not fair (in fact it’s pretty damn reprehensible) to use such a bleakly emotive subject as FGM to harvest emails (which is unavoidably the conclusion I arrive at when wondering what the purpose of the page is).

So, in the space of a few months I’ve written about the Conservatives, Labour and the Lib Dems breaching eprivacy laws. If they’re unconcerned about or – to be overly charitable – ignorant of these laws, then is it any wonder that they railroad each other into passing “emergency” laws (which are anything but) with huge implications for our privacy?

UPDATE: 13.07.14

Alistair Sloan draws attention to the Scottish National Party’s website, which is similarly harvesting emails with no adequate notification of the purposes of future use. The practice is rife, and, as Tim Turner says in the comments below, the Information Commissioner’s Office needs to take action.

[Image: screenshot of the Scottish National Party’s email sign-up form]

7 Comments

Filed under consent, Data Protection, PECR, Privacy, transparency

Police building register of domestic CCTV for crime investigation purposes?

This is a flyer apparently being distributed by Thames Valley Police (TVP).

[Image: Thames Valley Police flyer inviting householders to register private CCTV systems]

It invites householders who have private CCTV systems to register with TVP, who want to use those systems “in order to assist us in future investigations”.

Surveillance camera footage can undoubtedly be of great use in the investigation and prosecution of crime. But there is a potential problem for householders who decided to register with TVP, and I’d be interested to know if the latter have taken this into account.

The problem is this: CCTV cameras involve the processing of data, and where they capture images of identifiable individuals, it is personal data that they are processing. Purely domestic processing of personal data is exempt from all of the obligations under the Data Protection Act 1998, but when the processing is no longer purely for domestic purposes, then legal obligations potentially attach themselves to those doing the processing. The Information Commissioner’s Office (ICO) CCTV Code of Practice (both the current 2008 version and an updated version currently in draft) explains

The use of cameras for limited household purposes is exempt from the DPA. This applies where an individual uses CCTV to protect their home from burglary, even if the camera overlooks the street or other areas near their home

But the corollary of this is that if its use is not purely for the “household purposes” of protecting one’s home from burglary, then the exemption no longer applies. If householders are determining that the purpose for which they will process personal data is to assist TVP in criminal investigations, then they are data controllers.

This can’t simply be TVP wanting a register of CCTV-operating households to assist them if a crime happens on those specific premises, because that would be pointless: in those circumstances the householder would draw the footage to the police’s attention. No, this must be that TVP want to be able to access footage of relevant incidents outwith the individual household.

I’ve asked TVP if they have any policy statement or guidelines on this initiative, and will update as and when they reply.

1 Comment

Filed under Data Protection, police, Privacy, surveillance, surveillance commissioner

Privacy issues with Labour Party website

Two days ago I wrote about a page on the Labour Party website which was getting considerable social media coverage. It encourages people to submit their date of birth to find out, approximately, of all the births under the NHS, what number they were.

I was concerned that it was grabbing email addresses without an opt-out option. Since then, I’ve been making a nuisance of myself asking, via twitter, various Labour politicians and activists for their comments. I know I’m an unimportant blogger, and it was the weekend, but only one chose to reply: councillor for Lewisham Mike Harris, who, as campaign director for DontSpyOnUs, I would expect to be concerned, and, indeed, to his credit, he said “You make a fair point, there should be the ability to opt out”. Mike suggested I email Labour’s compliance team.

In the interim I’d noticed that elsewhere on the Labour website there were other examples of emails being grabbed in circumstances where people would not be sure about the collection. For instance: this “calculator” which purports to calculate how much less people would pay under Labour for energy bills, which gives no privacy notice whatsoever. Or even this, on the home page, which similarly gives no information about what will happen with your data

[Image: screenshot of the Labour Party home page “get involved” form]

Now, some might say that, if you’re giving your details to “get involved”, then you are consenting to further contact. This is probably true, but it doesn’t mean the practice is properly compliant with data collection laws. And this is not unimportant; as well as potentially contributing to the global spam problem, poor privacy notices/lack of opt-out facilities at the point of collection of email address contribute to the unnecessary amassing of private information, and when it is done by a political party, this can even be dangerous. It should not need pointing out that, historically, and elsewhere in the world, political party lists have often been used by opposition parties and repressive governments to target and oppress activists. Indeed, the presence of one’s email on a party marketing database might well constitute sensitive personal data – as it can be construed as information on one’s political opinions (per section 2 of the Data Protection Act 1998).

So, these are not unimportant issues, and I decided to follow Mike Harris’s suggestion to email Labour’s compliance unit. However, the contact details I found on the overarching privacy policy merely gave a postal address. I did notice though that that page said

If you have any questions about our privacy policy, the information we have collected from you online, the practices of this site or your interaction with this website, please contact us by clicking here

But if I follow the “clicking here” link, it takes me to – wait for it – a contact form which gives no information whatsoever about what will happen if I submit it, other than the rather stalinesque

The Labour Party may contact you using the information you supply

And returning to the overarching privacy policy didn’t assist here – none of the categories on that page fitted the circumstances of someone contacting the party to make a general enquiry.

I see that the mainstream media have been covering the NHS birth page which originally prompted me to look at this issue. Some, like the Metro, and unsurprisingly, the Mirror, are wholly uncritical. The Independent does note that it is a clever way of harvesting emails, but fails to note the questionable legality of the practice. Given that this means that more and more email addresses will be hoovered up, without people fully understanding why, and what will happen with them, I really think that senior party figures, and the Information Commissioner, should start looking at Labour’s online privacy activities.

(By the way, if anyone thinks this is a politically-motivated post by me, I would point out that, until 2010, when I voted tactically (never again), I had only ever voted for one party in my whole life, and that wasn’t the Conservatives or the Lib Dems.)

6 Comments

Filed under Data Protection, Information Commissioner, marketing, PECR, Privacy, privacy notice, social media, tracking