Category Archives: PECR

Piles of cash for claiming against spammers? I’m not so sure

I am not a lawyer, but I’m pretty certain that most commercial litigation strategies will be along the lines of “don’t waste lots of money fighting a low-value case which sets no precedent”. And I know it is a feature of such litigation that some companies will not even bother defending such cases, calculating that doing so will cost the company much more, with no other gain.

With this in mind, one notes the recent case of Sky News producer Roddy Mansfield. His employer itself reported (in a piece with a sub-heading “John Lewis is prosecuted…”, which is manifestly not the case – this was a civil matter) that

John Lewis has been ordered to pay damages for sending “spam” emails in a privacy ruling that could open the floodgates for harassed consumers.

Roddy Mansfield, who is a producer for Sky News, brought the case under EU legislation that prohibits businesses from sending marketing emails without consent

The case appears to have been brought under regulation 30 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Those regulations, as the title suggests, give effect to the UK’s obligations under the snappily titled Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Regulation 30(1) of PECR provides that

A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage

It appears that Mr Mansfield created an account on the John Lewis website, and omitted to “untick” a box which purported to convey his consent to John Lewis sending him marketing emails. It further appears that in the County Court Mr Mansfield successfully argued that the subsequent sending of such emails was in breach of regulation 22(2), which provides in relevant part that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent…

Assuming that this accurately reflects what happened, I think Mr Mansfield was probably correct to argue that John Lewis had breached the regulations: the Information Commissioner’s Office (ICO) guidance states that

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user

For a detailed exposition of the PECR provisions in play, see Tim Turner’s excellent recent blog post on this same story.

I’ve used the word “appears” quite a bit in this post, because there are various unknowns in this story. One of the main missing pieces of information is the actual amount of damages awarded to Mr Mansfield. Unless (and it is not the case here) exemplary or aggravated damages are available, an award will only act as compensation. It has been said that

The central purpose of a civil law award of damages is to compensate the claimant for the damage, loss or injury he or she has suffered as a result of another’s acts or omissions, and to put the claimant in the same position as he or she would have been but for the injury, loss or damage, so far as this is possible

So I doubt very much whether the award to Mr Mansfield was anything other than a small sum (so the albeit tongue-in-cheek Register reference to a PILE OF CASH is very probably way off the mark). I have asked him via his Twitter account for details, but have had no reply as yet.

Perhaps the most important aspect of this story, though, is the extent to which it indicates the way the courts might interpret the relevant consent provisions of PECR. As this was a case in the County Court it sets no precedent, and, unless someone decides to pay for a transcript of the hearing we’re very unlikely to get any written judgment or law report, but the principles at stake are profound ones, concerning how electronic marketing communications can be lawfully sent, and about what “consent” means in this context.

The issue will not go away, and, although I suspect (referring back to my opening paragraph) that John Lewis chose not to appeal because the costs of doing so would have vastly outweighed the costs of settling the matter by paying the required damages, it would greatly benefit from some proper consideration by a higher court.

And another important aspect of the story is whether behaviours might change as a result. Maybe they have: I see that John Lewis, no doubt aware that others might take up the baton passed on by Mr Mansfield, have quietly amended their “create an account” page, so that the opt-in box is no longer pre-ticked.

UPDATE: 7 June

In a comment below, a pseudonymous person suggests that the damages award was indeed tiny – £10 plus £25 costs. The comment also suggests that John Lewis tried to argue that they were permitted to send the emails by virtue of the “soft opt-in” provisions of regulation 22(3) PECR, perhaps spuriously arguing that Mr Mansfield and they were in negotiations for a sale.

Analysis prompted by Morrisons “data breach”

Yesterday’s data breach involving Morrisons supermarket and its staff payroll illustrates how difficult it is properly to handle such incidents, and perhaps provides some learning points for the future. But it also raises issues about what is a “data breach”.

What do we mean by “data breach”, “personal data breach”, “data security breach” etc?

The draft European General Data Protection Regulation (GDPR), which continues to slouch its way towards implementation, says in its current form that

In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority [and]

When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay

“Without undue delay” is, by virtue of (current) recital 67, said to be “not later than 72 hours” (in the original draft it was “where feasible, within 24 hours”). However “personal data breach” is not defined – it is suggested rather that the proposed European Data Protection Board will set guidelines etc for determining what a “breach” is.

What is not clear to me is whether a “breach” is to be construed as “a breach of the data controller’s legal obligations under this Regulation”, or, more generally, “a breach of data security”. Certainly under the current domestic scheme there is, I would argue, confusion about this. A “breach of data security” is not necessarily equivalent to a breach of the Data Protection Act 1998 (DPA). To give a ludicrous example: if a gunman holds a person hostage, and demands that they unencrypt swathes of personal data from a computer system and give it to them, then it is hard to see that the data controller has breached the DPA, which requires only that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (which clearly cannot be construed as an unlimited obligation) but there has most certainly been a breach of data security.

It is unclear whether Morrisons chose to inform the Information Commissioner (ICO) about their incident, but the wording they’ve used to describe it suggests they are seeing this not as a breach of their obligations under the DPA, but as a potentially criminal act of which they were the victim: on their Facebook page they describe it as an “illegal theft of data” and that they are liaising with “the police and highest level of cyber crime authorities” (a doughnut to anyone who can explain to me what the latter is, by the way). If an offence has been committed under section 55 of the DPA (or possibly under the Computer Misuse Act 1990) there is a possible argument that the data controller is not at fault (although sometimes the two can go together – as I discuss in a recent post). Morrisons make no mention of the ICO, although I have no doubt that they (ICO) will now be aware and making enquiries. And, if Morrisons’ initial assessment was that they hadn’t breached the DPA (i.e. that they had taken the appropriate technical and organisational measures to mean they were not in breach of the seventh DPA principle), they might quite understandably argue that there was no need to inform the ICO, who, after all, regulates only compliance with the DPA and not broader issues around security breaches. There was certainly no legal obligation under current law for Morrisons to self-notify. Plenty of data controllers do, often ones in the public sector (the NHS Information Governance toolkit even automatically delivers a message to the ICO if an NHS data controller records a qualifying incident) but even the ICO’s guidance is unclear as to the circumstances which would trigger the need to self-notify. Their guidance is called “Notification of data security breaches to the ICO” but in the overview at the very start of that guidance it says

Report serious breaches of the seventh principle

Ultimately I see it boiling down to two interpretations: report a data security breach so that the ICO can assess whether it is a serious breach of the seventh principle, or, assess the data security breach yourself, and if you assess it as a serious breach of the seventh principle, report that to the ICO. This is not obligatory under the current domestic data protection law, so to an extent it is an arid discussion, but if notification does become obligatory under the GDPR it will become much more important.

There is one domestic law under which it is obligatory to report a “personal data breach”. The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the 2011 Regulations, require a provider of a public electronic communications service to notify the ICO of

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

This notably does not specify that the breach has to constitute a breach of the service provider’s DPA obligations, and one wonders if this is the sort of thing that will be specified as a breach once the GDPR is implemented.

Morrisons’ notification to data subjects

The people whose data was apparently compromised in the Morrisons “breach” were its staff – it was payroll information which was allegedly stolen and misused. It appears that Morrisons emailed those staff with internal email addresses (how many checkout staff and shelf-stackers have one of those?) and then, as any modern, forward-thinking organisation might, it posted a message on its Facebook page.

However, I really wonder about that as a strategy. The comments on that Facebook page seem to be threatening to turn the incident into a personnel and public communications disaster, with many people saying they had heard nothing until they read the message. Moreover, one wonders to what extent some staff might have been misled, or have misled themselves, into assuming that the comments they were posting were on some closed forum or network. As was suggested to me on Twitter yesterday, some of the comments look to be career-limiting ones, but by engaging on its social media platform, might Morrisons be seen to have encouraged that sort of robust response from employees?

Much of this still has to play out – notably whether there was any contravention of the DPA by Morrisons – but, in a week when their financial performance came under close scrutiny, their PR handling of this “data breach” will also be looked at very closely by other data controllers for lessons in case they are ever faced with a similar situation.

Conservative Party website – unfair processing?

The Conservative Party website is hosting a survey, but I question whether it complies with data protection and associated laws.

The first principle of the Data Protection Act 1998 (DPA) requires that any processing of personal data be fair (and lawful). If an organisation is collecting data from individuals then the person from whom it is obtained must be told the identity of the data controller, and the purpose or purposes for which the data are intended to be processed. These legal provisions (Schedule 1, DPA) are the source of the privacy notices (sometimes called “fair processing notices”) with which we are all familiar when we, for instance, make purchases, or submit forms, or, indeed, complete online surveys. As the Information Commissioner himself says, in the introduction to the ICO Privacy Notices Code of Practice

As a minimum, a privacy notice should tell people who you are, what you are going to do with their information and who it will be shared with

The Code goes on to stress that

the requirement…is strongest…where the information is sensitive

One of the things that makes personal data “sensitive” is if it consists of information as to a person’s political opinions (section 2(b), DPA) – the reasons for this barely need spelling out, but I would just note that history tells us much about the potential for abuse of information about the political affiliations or inclinations of individuals.

With all this in mind it is concerning to note that the website of the Conservative Party invites people to complete and submit an online survey, which includes, among other things, questions about the political opinions of those completing it, but whose privacy notice consists merely of

By entering your email address you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send. We will not share your details with anyone outside the Conservative Party

This is inadequate in a number of ways, but primarily because it gives no indication whatsoever of the purposes for which the (sensitive) data are to be processed. One assumes, noting the reference to receiving emails in the future, that it is for the purposes of marketing (and the ICO has made clear that political parties do engage in marketing). Failure to gather data fairly will mean that such future marketing use would also be in default breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Searching the rest of the website I do see that there is a generic privacy policy, which does refer to “online polls and surveys”, but that merely says that

in addition to your answers, we collect your Internet Protocol (IP) address…[to] help validate the results and help prevent multiple entries from individuals

It is difficult to imagine that the people responsible for this survey have had regard to the ICO’s invaluable guidance for political parties for campaigning or promotional purposes, which advises, for instance, that parties should be

transparent about your use of the individual’s information

In the field of market research there is a practice known as “sugging” which the Association for Qualitative Research describes thus

Sugging (selling under the guise of market research) …[occurs] when organisations building databases, or generating sales leads, claim to be conducting market research

One does wonder if that is what is going on here, but in the absence of an adequate privacy notice, it is not possible to tell.

UPDATE: 23.03.14

It looks like they’ve amended the survey now, with a link to a privacy policy. Whether it’s a coincidence they did so around the time The Independent ran a story on the issue is difficult to say.

Anyway, it seems the ICO is investigating, so watch this space.

Bank-bashing by the Court of Appeal

The conduct was…intimidatory and controlling…If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires

The Court of Appeal has held that the Bank of Scotland is liable for harassment in making hundreds of calls to someone who exceeded her overdraft limit.

With the Information Commissioner taking recent robust action we all know that the making of unwanted calls by commercial organisations can be a breach of The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.

However, a recent Court of Appeal judgment has held that this practice can also constitute harassment, even when the calls are made by one’s own bank, in pursuit of a debt.

In Roberts v Bank of Scotland the claimant – a valiant litigant in person – had sought and was awarded damages in the County Court in the sum of £7500, under section 3 of the Protection from Harassment Act 1997. The Bank appealed, both on liability and quantum, and I suspect they wish they hadn’t.

The claim was made after the Bank made 547 calls in little more than a year, arising from minor instances of exceeding overdraft limits. Ms Roberts did not want to speak to call centre operatives, and had apparently sought unsuccessfully to speak to her local branch manager. Many of the calls were intimidatory, albeit couched in polite language. Despite Ms Roberts repeatedly asking for them to cease, she was told the calls would continue.

The Appeal Court had no hesitation in dismissing the Bank’s appeal, and did so in extraordinarily disapproving terms.

This was, undoubtedly, a course of conduct which amounted to harassment and which the bank knew or ought to have known amounted to harassment:

…the bank’s conduct in the present case easily crosses the threshold. It was harassment which could have been prosecuted in the criminal courts. In the event, and fortunately for the bank, this matter simply comes before the civil courts as a claim for damages [¶45]… The bank must have been perfectly well aware of the phone calls which it was making [¶47]

and the Bank could not fall back on the fact that it was pursuing a debt – there were other ways to do this, given that Ms Roberts had repeatedly asked for calls to cease. Although initially “it made perfectly good sense for the bank to write to the claimant and also to telephone her” this did not mean that all future calls were legitimised

The existence of a debt…does not give the creditor the right to bombard the debtor with endless and repeated telephone calls. The debtor is fully entitled to say that he does not wish to talk to the creditor. In those circumstances, the creditor is thrown back upon his full legal remedies. That is what the courts are there to provide…the claimant made it abundantly plain that she did not wish to receive telephone calls from the bank. She was perfectly entitled to adopt this position. Once the bank had tried to telephone the claimant a few times and had received the same response on each occasion, it was obvious that telephoning the claimant would achieve nothing. Thereafter, there was no possible justification for continuing to ring the claimant up [¶32-33]

All three judges were clearly very unsympathetic to the Bank’s arguments. A selection of their asides:

If [counsel for the Bank] is right in saying that the only practicable means by which a bank can contact defaulting customers is the method adopted in this case, then banks had better build into their costings the damages which from time to time they will be called upon to pay to those customers.[¶50]

The conduct was, as the judge said, intimidatory and controlling. In short, it was, in my judgment, obviously unlawful harassment. If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires [¶62]

The bank should respect the rule of law and therefore it should, in the light of the judgments of this court, revise its systems and desist from any tortious conduct, and not simply factor into its working and operating costs the fact that from time to time the bank will have to pay damages for harassment [¶65]

That last comment, and indeed the judgment as a whole, is pretty ominous for any organisation seeking to pursue and persuade debtors by a process of repeated phone calls (for which, now read “potential harassment”) when the recipient has asked them to desist. Lord Justice Jackson suspects his comments might be greeted with “derision in the boardrooms of the banks”: I suspect they may also be greeted with consternation, and concern about the future of an element of banking practice which has effectively gone on unchecked for years. They would hardly have brought this appeal, over what is for them a minute sum of money, unless they thought the case had wider implications which threatened their business practices.

They now will need to lick their wounds, and reconsider their approach to commercial morality and legality.

Postscript:

From this post on the excellent choptheknot blog it appears that similar principles were followed in another case involving the Bank of Scotland: Johnson v Bank of Scotland plc [2013] All ER (D) 193

Substantial distress or just a nuisance?

Can a large number of nuisance calls to a large number of people, none of whom individually suffers substantial distress, still equate to cumulative substantial distress, for the purposes of the PECR (and the DPA)?

I blogged recently in praise of the enforcement action taken by the Information Commissioner’s Office (ICO) against nuisance-caller companies, and I see that a further penalty notice has been served this week, on a “marketing company”. With considerable reluctance, though, I am drawn to a view that the ICO might be taking a flawed, or at least questionable approach to the enforcement. I say “reluctance” because I think the problem of nuisance calls is one that calls out for strong enforcement powers and the will to exercise those powers (I also think it’s a problem, by the way, that the BBC should, without apparent comment, continue to broadcast a programme which provides a platform for two companies who have received penalties totalling £225,000 for engaging in the practice).

The enforcement action is taken under the ICO’s powers conferred by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The latter imported into the former the powers conferred on the ICO by the Data Protection Act 1998 (DPA) to serve, in appropriate circumstances, a civil monetary penalty notice (MPN) on a data controller where

(a) there has been a serious contravention of section 4(4) by the data controller,

(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and

(c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller—

(a) knew or ought to have known—

(i) that there was a risk that the contravention would occur, and

(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b) failed to take reasonable steps to prevent the contravention.

(emphasis added)

What all this means, effectively, is that the ICO has two powers available to serve an MPN (to a maximum of £500,000): firstly, for a qualifying breach of the DPA, secondly for a qualifying breach of the PECR. He has exercised the former several times over the last three years, but has only exercised the latter more recently (the first time was in November last year). MPNs under the DPA have been for egregious breaches (e.g. highly sensitive information faxed numerous times to the wrong recipients, loss of unencrypted memory stick with details of people linked to serious crimes). In these circumstances it has not been difficult for the ICO to be satisfied that

such a contravention would be of a kind likely to cause substantial damage or substantial distress

However, what about when hundreds of nuisance calls have been made to hundreds of individuals? It is surely in the nature of nuisance calling that it is rarely (although not never) going to cause an individual substantial distress. The ICO says, in what appears effectively to be standard wording in PECR MPNs

The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress as required by section 55 (1) (b) because of the large numbers of individuals who complained about these unsolicited calls and the nature of some of the complaints they gave rise to…Although the distress in every individual complainant’s case may not always have been substantial, the cumulative amount of distress suffered by the large numbers of individuals affected, coupled with the distress suffered by some individuals, with some receiving multiple calls, means that overall the level was substantial.

In adopting this “cumulative distress” approach the ICO refers to his own guidance about the issuing of monetary penalties issued under section 55C (1) of the DPA. This guidance (which applies to PECR as well as DPA) says

The Commissioner does…consider that if damage or distress that is less than considerable in each individual case is suffered by a large number of individuals the totality of the damage or distress can nevertheless be substantial.

As far as I am aware this approach has only been used when issuing PECR MPNs, not DPA ones. But is it the correct approach? I’m not so sure. The law requires the contravention (of the PECR or DPA) to have been of a kind likely to cause “substantial distress”, not “substantial instances of distress” and one could argue that, if the latter is what Parliament intended, Parliament would have said that (although, as is often the case, one can turn that around and say, if Parliament had not intended the ICO to cumulate instances of distress it would have restrained him from so doing). To me, though, the ICO’s approach seems wrong. But when I put the scenario to two lawyers, they agreed with the ICO, and to two lay-people, they agreed with me. I’m not sure what the lesson to be drawn there is.

I suspect this will be tested, and I note that Christopher Niebel’s appeal of his PECR MPN is listed for a five-day hearing before the First-tier Tribunal in October. And Sony’s appeal of their DPA MPN is listed for a four-day hearing before the First-tier Tribunal in November. Although the “cumulative distress” approach was not explicitly cited by the ICO in Sony’s MPN, one could argue that finding out that a data controller has lost one’s name, address, email address, date of birth and account password is unlikely to be capable of causing individual substantial distress.

I should stress that I think there should be sanctions for organisations which commit serious contraventions affecting large numbers of people, even where individual distress is not substantial. I think that nuisance caller companies are, er, a nuisance, and deserve to be targeted robustly by a regulator. And I actually hope I’m wrong on the meaning of “substantial distress”.

Postscript:

Very interestingly (well I think so) there are reports that the government is considering proposing legislative changes to alter the threshold whereby substantial damage or substantial threat must be demonstrated. Whether this is simply to bring larger numbers of nuisance-calling companies into the ICO’s sights, or whether it is to address perceived weaknesses in current legislation remains to be seen (it might be both, of course).

Postscript 2:

Recently-published minutes from the ICO’s Management Board of 22 July support my view. They say

Civil monetary penalties for offences under PECR were discussed further. There are concerns about the requirement to show substantial damage and distress when what was happening was minor inconvenience to many people; ie in receiving spam texts.

Niebel’s appeal is happening this week (Sony dropped theirs). We will know soon whether the laudable attempts by the ICO to punish nuisance calling will be defeated by what was perhaps inadequate legislative drafting.

Cold Comfort for Cold Callers

In which I praise the ICO, and implore people to report nuisance callers.

I was in conversation with a group of friends recently, and the topic of nuisance calls came up. Each of my friends described continually receiving unsolicited, often aggressive, calls, despite the fact that they were registered with the Telephone Preference Scheme. I said they must complain to the Information Commissioner’s dedicated service because the ICO was now taking breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) seriously (actually, I didn’t say it in quite those terms, because although my friends like to deride me, I try not to give them too much ammunition). I got a lot of replies of “I might”, but also some of “it won’t do any good”. In support of the fact that it might do some good I was able to point to the three recent civil Monetary Penalty Notices (MPNs) for breaches of PECR issued to Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms and DM Design Bedroom Ltd.

And today, two more MPNs have been issued, to two companies owned by “Save Britain Money Ltd” a company which, in what appear to be rather embarrassing circumstances for the BBC, is currently featuring in a fly-on-the-wall documentary series about call centres.

We need a regulator to take firm and public action for breaches of privacy laws, and it is pleasing to see the ICO doing so with nuisance callers. However, in order for practices to really change, nuisance callers need to be reported to the ICO, at every opportunity. The principle of a penalty pour encourager les autres only works if les autres are scared about what legal non-compliance can lead to.

And I note from a recent internal ICO report that, as at 10 June, both the DM Design and the McNeish MPNs were overdue for payment (Niebel has appealed his Notice). Penalties in the tens of thousands of pounds can potentially be ruinous for businesses. The ICO statutory guidance on MPNs provides that

a monetary penalty notice will not impose undue financial hardship on an otherwise responsible person

But this leaves open the possibility that an MPN might sometimes impose due hardship, on an otherwise irresponsible person. If future nuisance callers wilfully act irresponsibly, a financially-crippling MPN might not constitute undue hardship.

As someone who works in the public sector, and who trains other public sector partners in their obligations under the Data Protection Act 1998 (DPA), I can attest to the beneficial effect MPNs for DPA breaches (added to the willingness of the ICO to impose them) have had on data security and knowledge (it doesn’t half focus the minds of senior managers when you remind them that security vulnerabilities carry a risk of a £500,000 “fine”). Enforcement of the law does change things, and we should praise the ICO for what he is doing with nuisance callers, while continuing to report miscreants.

Now, how about some FOI enforcement…?


Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice, PECR

Data Security and Churnalism

On the lazy reporting of a silly story about increases in data breaches

Over the past couple of days the following have all published stories on the fact that data breaches in the UK have “rocketed” or “spiked” by an “alarming” 1000% over the last five years.

Computer Business Review
Techweek Europe
The Nextweb
Public Service
Help Net Security
V3.co.uk
Computing.co.uk
SC Magazine
UKAuthority.com
The Register
Computer World UK
The BBC

These are mostly well-respected news sources, serving either the tech industries or the public sector. All of them report this story as though the news that self-reporting to the Information Commissioner of serious data breaches has increased is a bad thing. I’ve given the links to the stories not because I want to increase their clicks, but to show the remarkable similarity between them. This is not surprising, as they are all picking up on a press release by Imation (ironically, as a non-hack, I don’t have access to it) which was issued following an FOI request to the Information Commissioner. The response to the request showed that, indeed, in 2007-08 the number of breaches reported to the ICO was 79, and in 2011-12 it was 828. But does that really mean that “Data breaches in the UK have increased tenfold in the past five years” as the BBC put it?

The answer, certainly, is “no”.

The reporting of breaches has increased by that proportion. But that is not particularly surprising. As far as I recall the first guidance issued by the ICO on reporting serious breaches was only issued in July 2010. Before that, while there may have been an inferrable assumption that serious breaches should be reported, there was not much in the way of clear direction or expectation until relatively recently. This expectation has become much more explicit since the ICO gained powers to issue civil monetary penalties for serious breaches. Now, all major data controllers know that when there is a serious breach of data security it needs to be reported to the ICO (and for telecoms providers, there is a lawful requirement to do so under the Privacy and Electronic Communications (EC Directive) Regulations 2003).

But is it a bad thing that the number of reported incidents has increased? Of course not. All breaches of data security are to be regretted, and lessons learnt to ensure they don’t recur. But data controllers need to be encouraged to recognise breaches, and put their hands up when they happen. The ICO even considers self-reporting to be a mitigating factor when assessing what action he should take.

I doubt that many, if any, of the people writing for the websites I link to above really think that data security breaches (rather than reports of breaches) have increased 1000% over five years. I’m sure their writers and reporters are very busy, and an eye-catching press release makes for easy copy. But these websites (with the exception of the BBC) are important and specialist sources of information. For them to resort to “churnalism” (a form of journalism in which press release…are used to create articles…without undertaking further research or checking) at the expense of common-sense, especially when it might lead to greater reluctance to self-report, is greatly to be regretted.


Filed under Breach Notification, Data Protection, Information Commissioner, PECR

STOP BOTHERING US!

I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of Twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a Twitter user by the name of @lewispeckover which meant that customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention

Er.

I just question how you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention?

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message, earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if I were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?


Filed under Data Protection, Information Commissioner, PECR, Privacy

Mandatory breach reporting and the public interest

In May of this year the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amended the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The regulations apply to different bodies in different circumstances (for instance those parts relating to cookies, which apply effectively to anyone using cookies on their website). However, a key amendment applies specifically to providers of a public electronic communications service (broadly, telecoms companies and internet service providers): regulation 5A(2) of the PECR now says

If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

This is the first appearance in domestic law of a mandatory requirement to inform the Information Commissioner (IC) of a data breach. “Data breach” itself is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

While a PECR data breach is not, expressly, a breach of the Data Protection Act 1998 (DPA) I cannot imagine circumstances in which a PECR breach would not also involve a breach of the provisions of the DPA (and – specifically and primarily – the seventh data protection principle). How the IC responds to notifications made to him under regulation 5A(2) will, therefore, be of interest to all data controllers.

This is because the imminent new European data protection instrument (either a new Directive or a Regulation) is likely to introduce mandatory data breach reporting into the Data Protection laws. It is not yet clear how far the requirement would extend. In an interview on 16 November with The Washington Post the EU Justice Commissioner, Viviane Reding, said

…we will now have such rules on notification for all sectors so citizens will know when their data has been breached, whether by criminal intent, accidental or other circumstances. We already have this rule for telecom companies but not for other sectors such as e-banking services, private-sector medical records and online shopping. We will extend the telecom rules to the Internet.

So will mandatory notification apply to “all sectors” or just (in addition to telcos/ISPs) “e-banking services, private-sector medical records and online shopping”? We’ll have to wait and see.

I made a Freedom of Information Act 2000 (FOIA) request to the IC asking how many mandatory notifications had been made to his office since the amended PECR came into effect, and by whom, and whether the companies involved had informed data subjects of the breach. The IC’s response is that 76 notifications have been made (they don’t say, but I presume this is to 3 November, the date of my request) and in 64 of these cases data subjects were also informed. By way of explanation for the latter figure the IC says

…it is not a requirement of the regulations for providers to tell the ICO whether or not they have notified data subjects. The service providers only have to inform subscribers where ‘the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user’. If that is the case they have to ‘without undue delay, notify that breach to the subscriber or user concerned.’

When it comes to disclosing the names of the companies involved, however, the IC is scratching his head. He has identified (at least this is how I read his response) that disclosing this information would prejudice the commercial interests of those companies, and that, therefore, section 43 of FOIA is engaged. Having decided this, however, he has to consider (under section 2(2)(b) of FOIA) whether

in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information

Section 10(3)(b) of FOIA allows authorities to extend the time for compliance with a request (from 20 working days) where they need to consider the public interest test. FOIA itself unhelpfully only says that it can be extended by “such time as is reasonable in the circumstances” but the IC himself advises that the maximum time that should be taken, in total, is 40 working days. His office has advised me that this applies with my request for names of companies, and it

…may take up to an additional 20 working days to take this decision.  We therefore aim to provide you with a response to this part of your request for information by 23 December 2011

This is, of course, completely acceptable, and I’ll update this post when I get the response, but three things occur to me.

First, if or when mandatory breach notification is extended to other organisations, they will need to be aware that people may request information about such breaches from the IC, and that there is a clear public interest in such information.

Second, if the IC is wrestling with the public interest factors this is clearly a finely-balanced point, and if he comes down against disclosure then this might be a case worth appealing.

Third, surely the IC anticipated that he would get such requests? I’m surprised he hadn’t already considered this public interest point.


Filed under Breach Notification, Data Protection, Freedom of Information, PECR, Privacy