Category Archives: Privacy

STOP BOTHERING US!

I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover. Customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the HTTP headers delivered to every website they visited. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.
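The mechanism described above is a carrier-side proxy adding a request header that the phone’s browser never set, so the site operator, not the user, is the one who can see it. The following is an added example, not code from the original post or from O2: a small Python scanner that checks every inbound header value for something shaped like a UK mobile number and canonicalises it, together with a minimal WSGI handler that logs a warning when a visitor’s request carries one. The post does not name the header O2’s proxy used, so the scanner does not rely on a header name; the header names and numbers in the constructed sample request below are made up for illustration, using the Ofcom reserved drama range 07700 900xxx.

```python
"""Scan inbound HTTP request headers for values that look like a UK mobile
number, the kind of carrier-proxy leak described in the post above.

Added example, not code from the original post.  Header names in the
constructed sample are made up; the scanner checks every header value.
"""
import re
from typing import Dict, List, Tuple

# Separators that carriers or users put inside numbers; stripped before matching.
_SEPARATORS = re.compile(r"[\s\-().]")

# UK mobile numbers: 07xxxxxxxxx, or the international form 447xxxxxxxxx with
# or without a leading '+'.  The look-arounds stop the pattern matching digits
# embedded in a longer numeric token such as a request or session id.
_UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")


def normalise(value: str) -> str:
    """Remove spaces, dashes, dots and parentheses so that "07700 900 123"
    and "07700-900123" both collapse to "07700900123"."""
    return _SEPARATORS.sub("", value)


def to_e164(number: str) -> str:
    """Canonicalise a matched UK mobile number to +447... form."""
    digits = number.lstrip("+")
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    return "+" + digits


def find_leaked_numbers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (lower-cased header name, E.164 number) pairs for every header
    value that contains something shaped like a UK mobile number."""
    hits = []
    for name, value in headers.items():
        for match in _UK_MOBILE.finditer(normalise(value)):
            hits.append((name.lower(), to_e164(match.group(0))))
    return hits


def wsgi_app(environ, start_response):
    """Minimal WSGI app: answers 200 but prints a warning for each leak, so a
    site operator can see whether visitors' carriers are injecting numbers.
    WSGI presents request headers as HTTP_* keys in the environ dict."""
    headers = {
        key[5:].replace("_", "-"): value
        for key, value in environ.items()
        if key.startswith("HTTP_")
    }
    for name, number in find_leaked_numbers(headers):
        # Log only a prefix: the log file should not become a second leak.
        print(f"WARNING: header {name} carries a mobile number {number[:6]}...")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


# Constructed sample request: an ordinary browser request plus two injected
# headers with made-up names.  The request id shows the look-around guard:
# it contains the digits 447... but inside a longer token, so it is ignored.
SAMPLE_HEADERS = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3.5) AppleWebKit/533.1",
    "X-Request-Id": "4470070090012345",
    "X-Example-Msisdn": "447700900123",            # constructed: bare international form
    "X-Example-Subscriber": "tel: 07700 900 123",  # constructed: spaced national form
}

if __name__ == "__main__":
    for name, number in find_leaked_numbers(SAMPLE_HEADERS):
        print(f"{name}: {number}")
```

Running the block prints the two injected headers, both resolved to the same +447700900123, and nothing for the request id. The scanner deliberately matches on shape rather than on a known header name, because a carrier can rename the header at any time; the cost is that a genuine long digit string in some other header could be flagged, which is why the handler logs only a prefix of what it finds.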

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention

Er.

I just question how you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention.

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if I were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?


Filed under Data Protection, Information Commissioner, PECR, Privacy

Can the ICO Regulate the Internet?

It is…beyond doubt that the DPA was not designed to deal with the way in which the internet now works

says Tugendhat J in a crucial recently-published judgment (The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB)), in which he lays into the Information Commissioner (IC), albeit in a polite, judgely manner.

The case concerned applications for injunctive relief against Kordowski, the publisher of the “Solicitors from Hell” website. The claims were in defamation, under the Protection from Harassment Act 1997, and under the Data Protection Act 1998 (DPA). Unsurprisingly, given the focus of this blog, it is the last of these I focus on, although one must be aware it was only one of the causes of action discussed.

It transpires that the Chief Executive of the Law Society, on behalf of many solicitors who felt aggrieved by the contents of the website in question (which invited people to “rate” and comment on solicitors, with predictably defamatory results) had complained to the IC that the site was in breach of the provisions of the Data Protection Act 1998 (DPA). On 6 January this year the IC replied, in a three-page letter, apparently saying that the exemption at section 36 of the DPA effectively meant he lacked jurisdiction to determine whether there had been a breach:

 The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this.

Fellow blogger Tim Turner has already recently criticised the IC’s invoking of s36 to avoid regulating the internet/blogosphere. He will be pleased to see Tugendhat J agreeing with him, in pretty stern and unequivocal language, that using that DPA “domestic purposes exemption” to avoid regulating websites and blogs is not an option open, in general terms, to the IC.

The IC had said in his letter

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

The slapdown from Tugendhat J is

 I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA. See also Douglas v Hello! Ltd [2003] EWHC 786 (Ch) [2003] 3 All ER 996 paras 230-239 and Clift v Slough Borough Council [2009] EWHC 1550 (QB) [2009] 4 All ER 756. The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

This, of course, places the IC in a very difficult situation (actually, according to him, an “impossible” one). In fairness to him, and in fairness to the judge, it is pointed out that the IC was not in attendance nor represented in the proceedings, and it might be that he has a killer riposte up his sleeve. If not, he has a problem. Until now he has only had the criticism of mere people like Tim, or me, to lead him to question his approach to s36 and the internet. (Yes, yes, there was also the European Court of Justice, but the Lindqvist judgment was a very long time ago – effectively in pre-history – and therefore easy to sidestep.) Now, given that a superior court of record has overruled him, and held that there were multiple breaches of the DPA in this case and that the IC was wrong in his application of the s36 domestic purposes exemption, he may find that his already over-stretched resources will have to cover complaints from people who feel that their rights under the DPA have been both engaged, and breached, by other individuals on the internet. Picking a theoretical example – a complaint from someone who objects to the uploading of a private photo of them to Facebook without their consent.

It also places bloggers, and social media users in general, in a potentially risky position. Tugendhat J distinguishes such internet publication from journalism (as does Hugh Tomlinson QC – who, uncoincidentally, I suspect, acted for the claimants in this case – in two important recent posts on the Inforrm blog). If we non-journalists are potentially subject to the DPA but lack the protection it offers to journalists, we could all find ourselves at risk not just of regulatory action from the IC, but those private actions which can also be brought under the Act.

One would hope that the new draft EC data protection regulation would grapple with “the practical difficulties raised by cases such as the present” but on first viewing I’m not sure it does. Whether the door would be open to the UK legislature to address the problem is a matter for conjecture. In the interim, however, with the publication of this judgment, the IC has some close reading to do.


Filed under Data Protection, Information Commissioner, Privacy

Mandatory breach reporting and the public interest

In May of this year the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amended the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The regulations apply to different bodies in different circumstances (for instance those parts relating to cookies, which apply effectively to anyone using cookies on their website). However, a key amendment applies specifically to providers of a public electronic communications service (broadly, telecoms companies and internet service providers): regulation 5A(2) of the PECR now says

If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

This is the first appearance in domestic law of a mandatory requirement to inform the Information Commissioner (IC) of a data breach. “Personal data breach” itself is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

While a PECR data breach is not, expressly, a breach of the Data Protection Act 1998 (DPA) I cannot imagine circumstances in which a PECR breach would not also involve a breach of the provisions of the DPA (and – specifically and primarily – the seventh data protection principle). How the IC responds to notifications made to him under regulation 5A(2) will, therefore, be of interest to all data controllers.

This is because the imminent new European data protection instrument (either a new Directive or a Regulation) is likely to introduce mandatory data breach reporting into the data protection laws. It is not yet clear how far the requirement would extend. In an interview on 16 November with The Washington Post the EU Justice Commissioner, Viviane Reding, said

…we will now have such rules on notification for all sectors so citizens will know when their data has been breached, whether by criminal intent, accidental or other circumstances. We already have this rule for telecom companies but not for other sectors such as e-banking services, private-sector medical records and online shopping. We will extend the telecom rules to the Internet.

So will mandatory notification apply to “all sectors” or just (in addition to telcos/ISPs) “e-banking services, private-sector medical records and online shopping”? We’ll have to wait and see.

I made a Freedom of Information Act 2000 (FOIA) request to the IC asking how many mandatory notifications had been made to his office since the amended PECR came into effect, by whom, and whether the companies involved had informed data subjects of the breach. The IC’s response is that 76 notifications have been made (they don’t say, but I presume this is up to 3 November, the date of my request) and in 64 of these cases data subjects were also informed. By way of explanation for the latter figure the IC says

…it is not a requirement of the regulations for providers to tell the ICO whether or not they have notified data subjects. The service providers only have to inform subscribers where ‘the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user’. If that is the case they have to ‘without undue delay, notify that breach to the subscriber or user concerned.’

When it comes to disclosing the names of the companies involved, however, the IC is scratching his head. He has identified (at least this is how I read his response) that disclosing this information would prejudice the commercial interests of those companies, and that, therefore, section 43 of FOIA is engaged. Having decided this, however, he has to consider (under section 2(2)(b) of FOIA) whether

in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information

Section 10(3)(b) of FOIA allows authorities to extend the time for compliance with a request (from 20 working days) where they need to consider the public interest test. FOIA itself unhelpfully only says that it can be extended by “such time as is reasonable in the circumstances”, but the IC himself advises that the maximum time that should be taken, in total, is 40 working days. His office has advised me that this applies to my request for the names of companies, and that it

…may take up to an additional 20 working days to take this decision.  We therefore aim to provide you with a response to this part of your request for information by 23 December 2011

This is, of course, completely acceptable, and I’ll update this post when I get the response, but three things occur to me.

First, if or when mandatory breach notification is extended to other organisations, they will need to be aware that people may request information about such breaches from the IC, and that there is a clear public interest in such information.

Second, if the IC is wrestling with the public interest factors this is clearly a finely-balanced point, and if he comes down against disclosure then this might be a case worth appealing.

Third, surely the IC anticipated that he would get such requests? I’m surprised he hadn’t already considered this public interest point.



Filed under Breach Notification, Data Protection, Freedom of Information, PECR, Privacy

(Non-) Invasion of the Body-scanners

The writer and broadcaster Victoria Coren wrote in The Observer yesterday that commuters at Bath railway station had recently been “instructed to walk through a 7ft body scanner”:

Since when did we surprise the public with electronic body searches, randomly as they go about their daily lives, without any reason to suspect them of anything? Have search warrants also been abandoned while I wasn’t looking? May the police now turn up on a whim and rootle around in our drawers?

These are serious and current concerns. The use of Advanced Imaging Technology (or AIT) at airports is not without controversy. However, the rolling-out of this technology to other areas, for instance railway stations, would be a major development, and it would raise great concern if it was done without publicity, consultation, and without there being clear reasons for its use. However, the American blogger and privacy activist who goes by the twitter handle of @PogoWasRight has spotted this press release on Avon and Somerset Constabulary’s website, which suggests that in fact what Coren experienced was a metal detector designed primarily to pick up people carrying hidden knives:

The police operation will see people arriving by train being screened by an airport-style metal detector to see if they are carrying knives or other weapons.

These are commonly known as “knife-arches” and are essentially the same metal detector arches we are accustomed to passing through at airports. They are a considerably less intrusive technology than AIT, although their use is not in itself without controversy.

Many police forces now set up “knife arches” as part of their drive against knife crime. They have no legal power to compel an individual to walk through them, yet the Met has indicated that refusal to walk through an arch when asked to do so by an officer “may” be grounds for a search. In other words, the police have no explicit power to compel an individual to walk through an arch – if parliament had wished to grant that power, it probably would have – but creative interpretation of the law has given it to them all the same.

Unless any further information is received, it seems safe to assume that what Coren saw at Bath was a knife-arch, about which Liberty’s James Welch has written some helpful advice.

EDIT: this Daily Mail article confirms the point (via Aaron K. Martin, @WC2A_2AE on twitter).


Filed under Privacy

DNA = data not available?

On 26 July 2011 The Telegraph reported that “Innocent people’s DNA profiles won’t be deleted after all, minister admits”. It said that

“police will retain DNA profiles in anonymised form, leaving open the possibility of connecting them up with people’s names, ministers have admitted”.

In S and Marper v United Kingdom [2008] ECHR 1581 the European Court of Human Rights held that indefinite retention by the police of fingerprints and DNA samples of two people who had been arrested but not convicted of criminal offences was a breach of their rights under Article 8 of the European Convention on Human Rights (overturning a decision upheld at each instance in the English courts).

The Protection of Freedoms Bill proposes, accordingly, to amend the Police and Criminal Evidence Act 1984 (“PACE”) so that – broadly – a lawfully taken DNA sample (and fingerprints) must be destroyed after three (or in some cases five) years if the suspect has not been convicted of an offence to which the sample relates (Genewatch have a helpful detailed explanation of the proposals).

The Telegraph article said that Home Office minister James Brokenshire “had won agreement from the [Information Commissioner’s Office] that the DNA profiles could be retained by forensic science laboratories”. The Information Commissioner’s Office (ICO) has now, following an FOI request for correspondence between his office and the Home Office about this matter, effectively said that, to quote Ben Goldacre, “I think you’ll find it’s a little bit more complicated than that”.

The complicating factor is that a DNA profile is different from a DNA sample, which in turn is different from the raw data derived from the sample. Christopher Graham, the Commissioner, in his evidence to the Public Bill Committee on the Protection of Freedoms Bill said

“Clause 13 [of the Bill] refers to the destruction of DNA profiles and that no copy must be retained by the police except in a form which does not include information which identifies the person to whom the DNA profile relates. It is assumed that this is aimed at addressing issues relating to the raw data, the electro-phoretogram, from which the DNA profile is created”.

Some existing DNA profiling systems process DNA samples in batches of up to 82 (or possibly 96 – I’m unclear which is the correct figure). In these processes it is not possible to isolate and destroy the raw data relating to a single sample without also destroying the whole batch data (which, of course, might contain raw data relating to samples of now-convicted-persons, which need to be retained).

Graham went on to say

“This provision [Clause 13 of the Bill] should be expressed in a way so it cannot be used to perpetuate such batch processing practices in any new systems used to generate DNA profiles and to require deletion of all the DNA profile information as the norm”.

One hopes this proposal is accepted. Even if it is, however, there will still remain a considerable number of batches of raw data derived from the samples of innocent people, and which it will not be possible to destroy. The question then arises as to what measures can be, and are being, taken to ensure that this remaining raw data cannot be linked to identifiable individuals. In response to my enquiries the IC’s office has said

“the Commissioner has stipulated that forensic science providers remove all the names and identifications from their systems to prevent them being able to link an individual with the ‘raw data’.”

But what confidence can we have that this will be sufficient? The IC’s office continues:

“The Commissioner is satisfied that the deletion of the associated records will remove the link between the identity of the individual and the ‘raw data’ which will be retained in the batch. This will effectively put the retained ‘raw data’ beyond practical use as it should be no longer possible to re-link the individual to the ‘raw data’ retained”.

There remains a lingering concern, however:

“given that the ‘raw data’ is used to create a DNA profile, and a DNA profile is unique to an individual, we are relying on the assurances we have been given and cannot say categorically that there is no possibility of the retained ‘raw data’ ever being linked to an individual.”

These assurances have to be balanced against the contents of a letter from James Brokenshire MP (the Home Office minister quoted in the original Telegraph article) to the joint chairs of the Protection of Freedoms Bill Committee. I’m not sure if this letter has been published yet, but it was disclosed in response to my request. Brokenshire says

“Members of the Committee will be aware that most existing DNA records…will include the original barcode, which is used by the police and the FSS [Forensic Science Service] to track the sample and resulting profile through the system. It is therefore theoretically possible that a laboratory could identify an individual’s profile from the barcode, but only in conjunction with the force which took the original sample, by giving details of the barcode to the force and asking for the individual’s name”

This doesn’t strike me as a purely theoretical risk, and one might bear in mind that the FSS’s raison d’être is to work with the police to detect crime by piecing together and analysing evidence.

Brokenshire explains, however

“Such conduct [i.e. trying to re-identify someone in these circumstances from residual DNA evidence], in clear breach of the requirements set out in the [Protection of Freedoms] Bill, would be likely to constitute offences of misconduct in public office and under the Data Protection Act. In addition, new section 63S of PACE (as inserted by clause 16 of the Bill) specifically excludes the use of such material in evidence or as any part of a criminal investigation.”

Given that both misconduct in public office and offences under the Data Protection Act 1998 can be countered in effect by defences of acting in the public interest, it seems to me that clause 16 might be the best assurance we have against any attempts to use any residual information from innocent people’s DNA samples.


Filed under Privacy

Whip your information, and beat the messenger

To supplement my random firings on twitter (@bainesy1969) and the occasional guest post on other blogs and sites, I’ve started this blog.

“Information Rights” covers a number of areas, but primarily I’m interested in the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Data Protection Act 1998.

Like a million bloggers before me, I intend to post regularly on these and related subjects. I hope that, unlike most of those million bloggers before me, I actually manage to do that.

Title of this post is Shakespeare, by the way, and nothing dodgy.


Filed under Data Protection, Freedom of Information, Privacy