Up a gum tree

Data protection law doesn’t prevent disclosure of personal data where not doing so would be likely to prejudice criminal justice purposes

Theft of a bicycle may not be the most serious crime ever. However, crime it is, and any omission by a person which is likely to prejudice the detection of that crime or the apprehension or prosecution of the thief is, in societal terms, to be deplored. This is why, when the omission in question would be a failure by a data controller to disclose personal data to the police which would be likely to assist in the detection of the crime or the apprehension or prosecution of the thief, the Data Protection Act 1998 (DPA) provides an exemption to the general presumption in the Act against disclosure, which authorises such disclosure.

Section 29 of the DPA is often misunderstood. It is quite common, particularly in certain sectors (social services, housing etc.) for data controllers to be contacted by the police, or other bodies with powers to investigate crime, asking for disclosure of information about people whose personal data the data controller holds. Data protection officers will often talk of a “section 29 request”, but this is really just shorthand for saying “the police etc. have requested disclosure of personal data from this data controller and the section of the DPA which is engaged and under whose provisions we would be authorised to disclose would be section 29”.

With this in mind it is surprising to read in The Daily Record that police are unable to trace a person who had the gall to post an advert on the classified ad site Gumtree purporting to offer for sale a bike stolen from outside a gym in Edinburgh. According to the article police have told the owner of the bike, who spotted the advert, that

…officers could not act because of data protection laws…Due to data protection laws, a warrant must be applied for before police can access personal information held by the site.

The reference to a warrant, however, is surely excessive. The article also refers to the police “waiting to hear back” from Gumtree. Section 29(3) of the DPA allows Gumtree to disclose the details of the person who placed the advert, by exempting them from the general obligation to comply with the first five data protection principles and sections 10 and 14(1) to (3) (collectively referred to as the non-disclosure principles). Failure to exercise this power by a data controller, or a delay in doing so, in circumstances where such a failure would be likely to prejudice the police’s duties is detrimental to the public interest. One hopes that, if the article is correct, Gumtree will now act in that public interest and disclose the details without delay.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Sensitive personal data exposed in Open Datasets

Since August last year I’ve been inviting the ICO to consider the issue of deliberate wholesale exposure of sensitive personal data in local authority open data. It’s still online.

UPDATE: 16.02.15 Well, I was wrong. The ICO says this is not personal data:

The data sets in question are clearly personal data in the hands of the [redacted] because it will retain the full original dataset containing the identifying details of individuals. However, the question is whether the information is still personal data post-publication. In our view it is not.

Although the data relates to particular living individuals, it does not in itself identify any of them and so in and of themselves the data sets do not contain personal data.

The issue then is whether it is likely that a third party will come into the possession of other information that will allow an individual to be identified. To do so, such a person would already need prior knowledge of any given individual in order to identify them. However, we believe the publication of the information to have a low risk of individuals being re-identified because only someone with considerable prior knowledge would be able to perform this task.

We note that you have not identified anybody and the [redacted] has stated that it is unaware of any cases of re-identification as a result of publication.

I honestly struggle to fathom this. I accept the ICO’s further point that

the Information Commissioner only has to give his view about the likelihood that there has been a breach [of the DPA]. This view is made on the balance of probabilities and the Commissioner is under no obligation to prove this beyond doubt

but their assessment doesn’t seem to tally with my understanding of the techniques described in the ICO’s own Anonymisation Code. I’m no expert on that subject, but I wouldn’t dream of publishing the datasets in question, in the form they have been published. If anyone has any observations I’d be really interested to hear them.

And I’m still not linking to the datasets – I think they can identify individuals, and their sensitive personal data.

END UPDATE.

Imagine, if you will, a public authority which decides to publish as Open Data a spreadsheet of 6000 individual records of adults receiving social services support. Each row tells us an individual service user’s client group (e.g. “dementia” or “learning disability”), age range (18-64, 65-84, 84 and over), the council ward they live in, the service they’re receiving (e.g. “day care” or “direct payment” or “home care”), their gender and their ethnicity. If, by burrowing into that data, one could identify information that reveals that one, and only one, Bangladeshi man in the Blankety ward aged 18-64 with a learning disability is in receipt of direct payments, most data protection professionals (and many other people besides) would recognise that this is an identifiable individual, if not to you or me, then almost certainly to some of his neighbours or family or acquaintances.

Similarly, imagine the same public authority decides to publish as Open Data a spreadsheet of nearly 7000 individual records of council housing tenants who have received Notices of Seeking Possession or Notices to Quit. Each row tells us the date the individual tenant was served the notice, the council ward, the duration of the tenancy, whether it was joint or sole, the age of the tenant(s) in years, their gender, their ethnicity (if recorded), their disability status (if recorded), their vulnerability status (if recorded). If, by burrowing into that data, one could identify information that reveals that one, and only one, 40-year-old Asian Indian male sole tenant with a tenancy 2.94 years old, was served a Notice of Seeking Possession in June 2006, most data protection professionals (and many other people besides) would recognise that this is an identifiable individual, if not to you or me, then almost certainly to some of his neighbours or family or acquaintances.
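The uniqueness described in the two examples above can be tested for before a dataset is published. The following is an added example, not part of the original post or of any authority's tooling: it groups rows by the attributes an acquaintance could already know and flags groups that are too small (k-anonymity) or in which everyone shares the same sensitive value. The column names, the ward "Otherton", the thresholds and every sample row are constructed for illustration, modelled on the first spreadsheet described.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real data), shaped like the social care
# spreadsheet described in the post.
SAMPLE_CSV = """\
client_group,age_range,ward,service,gender,ethnicity
learning disability,18-64,Blankety,direct payment,M,Bangladeshi
dementia,65-84,Blankety,home care,F,White British
dementia,65-84,Blankety,day care,F,White British
physical disability,65-84,Blankety,home care,F,White British
dementia,84 and over,Otherton,home care,F,White British
dementia,84 and over,Otherton,home care,F,White British
dementia,84 and over,Otherton,day care,F,White British
learning disability,18-64,Otherton,day care,M,White British
mental health,18-64,Otherton,direct payment,M,White British
physical disability,18-64,Otherton,home care,M,White British
"""

# Assumption: these are the attributes a neighbour, relative or acquaintance
# could already know about a person (the quasi-identifiers).
QUASI_IDENTIFIERS = ["age_range", "ward", "gender", "ethnicity"]
# Assumption: this is the attribute whose disclosure causes the harm.
SENSITIVE = "client_group"


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by_quasi_ids(rows, quasi_ids, sensitive):
    """Map each quasi-identifier combination to its sensitive values."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[c] for c in quasi_ids)].append(row[sensitive])
    return classes


def k_anonymity(rows, quasi_ids, sensitive):
    """Size of the smallest group; 1 means someone is singled out."""
    classes = group_by_quasi_ids(rows, quasi_ids, sensitive)
    return min((len(v) for v in classes.values()), default=0)


def assess(rows, quasi_ids, sensitive, k=3, l=2):
    """Return (combination, group size, distinct sensitive values, reason)
    for every group that fails the k or l threshold."""
    findings = []
    for combo, values in group_by_quasi_ids(rows, quasi_ids, sensitive).items():
        size, distinct = len(values), len(set(values))
        if size < k:
            # Too few people share this combination: re-identifiable.
            findings.append((combo, size, distinct, "below_k"))
        elif distinct < l:
            # Group is large enough, but membership alone reveals the value.
            findings.append((combo, size, distinct, "homogeneous"))
    return findings


def suppress(rows, quasi_ids, sensitive, k=3, l=2):
    """Drop every row belonging to a flagged group (cell suppression)."""
    flagged = {f[0] for f in assess(rows, quasi_ids, sensitive, k, l)}
    return [r for r in rows if tuple(r[c] for c in quasi_ids) not in flagged]


if __name__ == "__main__":
    data = load_rows(SAMPLE_CSV)
    print("k =", k_anonymity(data, QUASI_IDENTIFIERS, SENSITIVE))
    for combo, size, distinct, reason in assess(data, QUASI_IDENTIFIERS, SENSITIVE):
        print(reason, size, distinct, combo)
    kept = suppress(data, QUASI_IDENTIFIERS, SENSITIVE)
    print(len(kept), "of", len(data), "rows remain after suppression")
```

The second flagged group shows that a combination shared by several people is still a disclosure when every one of them has the same client group.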

If these individuals are identifiable (and, trust me, these are only two examples from hundreds, in many, many spreadsheets), then this is their sensitive personal data which is being processed by the public authority in question (which I am not identifying, for obvious reasons). For the processing to be fair and lawful it needs a legal basis, by the meeting of at least one of the conditions in Schedule Two and one in Schedule Three of the Data Protection Act 1998 (DPA).

And try as I might, I cannot find one which legitimises this processing, not even in the 2000 Order which significantly added to the Schedule 3 conditions. And this was why, when the datasets in question were drawn to my attention, I flagged my concerns up with the public authority

Hi – I notice you’ve uploaded huge amounts of data…some of it at a very high level of granularity – ie with multiple and specific identifiers. According to the definitions in recital 26 and Article 2 of Directive 95/46/EC, s1(1) of the Data Protection Act 1998, and the Information Commissioner’s Office guidance (eg “Determining What is Personal Data” and the Code of Practice on Anonymisation) this is very likely to be personal data and in many cases sensitive personal data. I’m curious to know why you are publishing such datasets in such form, and what the legal basis is to do so

Not receiving any reply, I then contacted the Information Commissioner’s Office, saying

It seems to me that they are processing (including disclosing) large amounts of sensitive personal data. I’m happy to elaborate to ICO if you want, but presume I wouldn’t need to explain exactly why I am concerned.

However, when I received the ICO case worker’s reply, I was rather dumbfounded

You have raised concerns that [redacted] is disclosing large amounts of sensitive personal data on…its website. For information to be personal data it has to relate to a living individual and allow that individual to be identified from the information. I have looked over some of the information…and it appears to be sharing generic data and figures. I could not see any information that identifies any individuals. In order to consider your concerns further it would be extremely helpful if you could provide some examples of where the sensitive personal data can be found and possibly provide a couple of screenshots.

Nonetheless, I replied, giving the two examples above, and the case worker further replied

I have now looked at the examples you have provided and agree that there is the potential for individuals to be identified from the information that [they are] publishing. We will now write to [them] about this matter to obtain some further information about its information rights practices. As this matter does not concern your personal data and relates to third party information we do not intend to write to you again about this matter

I thought the last sentence was a bit odd (nothing prevented them from keeping me informed) but took reassurance that the data would be removed or appropriately anonymised.

But nothing seemed to happen. So I chased the ICO at the end of November. No response. And now I’ve been forced to raise it with the ICO as a complaint:

I understand that you said you would not contact me again about this, but I note that the sensitive personal data is still online. I advise several public sector clients about the online publishing of datasets, with reference to the law and ICO guidance, and the lack of action on this…leaves me quite bemused – do I now advise clients that they are free to publish datasets with such specific and so many identifiers that individuals can be identified? If so, what legal basis do I point to to legitimise the processing?

Public authorities are increasingly being encouraged, as part of the transparency agenda, to make their data publicly available, and to make it available in reusable format, so that it can be subjected to analysis and further use. The ICO has produced generally helpful guidance on successful anonymisation, which enables personal data to be removed from datasets. If public authorities fail to follow this guidance, and instead disclose sensitive personal data within those reusable datasets, they are potentially exposing individuals to considerable and various risks of harm. Moreover, much of the data in question is gathered pursuant to the public authority’s statutory duties – in other words, data subjects have no ability to opt out, or refuse to give consent to the processing.

One has to ask what this does for the confidence of data subjects in Open Data and the transparency agenda.

I asked the ICO’s always very helpful press office if they wanted to comment, and an ICO spokesperson said: “This is an open case, and we continue to work with the council to explain our concerns about the amount of information being published.” Which raises interesting questions – if they have concerns (and I think I have amply explained here why those concerns are justified) why not take enforcement action to get the data taken down?

The days of wine and disclosures

I like FOI. I like wine. Here’s an FOI disclosure about wine.

In the early days of the Freedom of Information Act 2000 (FOI) there were frequent attempts to get the government to disclose detailed information about its wine cellar (see for instance this seemingly interminable request). Eventually, the Information Commissioner got fed up with the lack of FOI hospitality from the Foreign and Commonwealth Office (FCO), who seem to be responsible for this sort of thing, and started issuing decision notices requiring disclosure.

I’m pleased to see that disclosure is now, if not a matter of routine, not resisted by FCO (except for some intriguing little redactions – one wonders if they hide things like “this is the Minister for X’s favourite”). So, we now know that the government has reserves of, for instance, 139 bottles of Latour 1961, with a market value of £321,000. This is the highest value wine, but we (sorry, they) also hold 110 bottles of Chateau Margaux 1983 (market value £15k – not the best vintage, after all). And their Pétrus is only the 1978, but even so, the estimated market value of £250 seems very low.

It’s a shame the dataset isn’t in reusable format, but, we’re all in it together, so I’d invite others to search out some other interesting cellar items. Those Krug ’82 magnums look a steal at £125 a pop…

We’re looking into it

The news is awash with reports that the UK Information Commissioner’s Office (ICO) is “opening an investigation” into Facebook’s rather creepy research experiment, in conjunction with US universities, in which it apparently altered the users’ news feeds to elicit either positive or negative emotional responses. Thus, the BBC says “Facebook faces UK probe over emotion study”, SC Magazine says “ICO probes Facebook data privacy” and the Financial Times says “UK data regulator probes Facebook over psychological experiment”.

As well as prompting one to question some journalists’ obsession with probes, this also leads one to look at the basis for these stories. It appears to lie in a quote from an ICO spokesman, given I think originally to the online IT news outlet The Register

The Register asked the office of the UK’s Information Commissioner if it planned to probe Facebook following widespread criticism of its motives.

“We’re aware of this issue, and will be speaking to Facebook, as well as liaising with the Irish data protection authority, to learn more about the circumstances,” a spokesman told us.

So, the ICO is aware of the issue and will be speaking to Facebook and to the Irish Data Protection Commissioner’s office. This doesn’t quite match up to the rather hyperbolic news headlines. And there’s a good reason for this – the ICO is highly unlikely to have any power to investigate, let alone take action. Facebook, along with many other tech/social media companies, has its non-US headquarters in Ireland. This is partly for taxation reasons and partly because of access to high-skilled, relatively low cost labour. However, some companies – Facebook is one, LinkedIn another – have another reason, evidenced by the legal agreements that users enter into: because the agreement is with “Facebook Ireland”, then Ireland is deemed to be the relevant jurisdiction for data protection purposes. And, fairly or not, the Irish data protection regime is generally perceived to be relatively “friendly” towards business.
 
These jurisdictional issues are by no means clear cut – in 2013 a German data protection authority tried to exercise powers to stop Facebook imposing a “real name only” policy.
 
Furthermore, as the Court of Justice of the European Union recognised in the recent Google Spain case, the issue of territorial responsibilities and jurisdiction can be highly complex. The Court held there that, as Google had
 
[set] up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State
 
it was processing personal data in that Member State (Spain). Facebook does have a large UK corporate office with some responsibility for sales. It is just possible that this could give the ICO, as domestic data protection authority, some power to investigate. And if or when the draft European General Data Protection Regulation gets passed, fundamental shifts could take place, extending even, under Article 3(2), to bringing data controllers outside the EU within jurisdiction, where they are offering goods or services to (or monitoring) data subjects in the EU.
 
But the question here is really whether the ICO will assert any purported power to investigate, when the Irish DPC is much more clearly placed to do so (albeit with terribly limited resources). I think it’s highly unlikely, despite all the media reports. In fact, if the ICO does investigate, and it leads to any sort of enforcement action, I will eat my hat*.
 
*I reserve the right to specify what sort of hat

Data Protection for Baddies

Should Chris Packham’s admirable attempts to expose the cruelties of hunting in Malta be restrained by data protection law? And who is protected by the data protection exemption for journalism?

I tend sometimes to lack conviction, but one thing I am pretty clear about is that I am not on the side of people who indiscriminately shoot millions of birds, and whose spokesman tries to attack someone by mocking their well-documented mental health problems. So, when I hear that the FKNF, the Maltese “Federation for Hunting and Conservation”, has

presented a judicial protest against the [Maltese] Commissioner of Police and the Commissioner for Data Protection, for allegedly not intervening in “contemplated” or possible breaches of privacy rules

with the claim being that they have failed to take action to prevent

BBC Springwatch presenter Chris Packham [from] violating hunters’ privacy by “planning to enter hunters’ private property” and by posting his video documentary on YouTube, which would involve filming them without their consent

my first thought is that this is an outrageous attempt to manipulate European privacy and data protection laws to try to prevent legitimate scrutiny of activities which sections of society find offensive and unacceptable. It’s my first thought, and my lasting one, but it does throw some interesting light on how such laws can potentially be used to advance or support causes which might not be morally or ethically attractive. (Thus it was that, in 2009, a former BNP member was prosecuted under section 55 of the UK Data Protection Act 1998 (DPA 1998) for publishing a list of party members on the internet. Those members, however reprehensible their views or actions, had had their sensitive personal data unlawfully processed, and attracted the protection of the DPA (although the derisory £200 fine the offender received barely served as a deterrent)).

I do not profess to being an expert in Maltese Data Protection law, but, as a member state of the European Union, Malta was obliged to implement Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data (which it did in its Data Protection Act of 2001). The Directive is the bedrock of all European data protection law, generally containing minimum standards which member states must implement in domestic law, but often allowing them to legislate beyond those minimum standards.

It may well be that the activities of Chris Packham et al do engage Maltese data protection law. In fact, if, for instance, film footage or other information which identifies individuals is recorded and broadcast in other countries in the European Union, it would be likely to constitute an act of “processing” under Article 2(b) of the Directive which would engage data protection law in whichever member state it was processed.

Data protection law at European level has a scope whose potential breadth has been described as “breath-taking”. “Personal data” is “any information relating to an identified or identifiable natural person” (that is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”), and “processing” encompasses “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

However, the broad scope does not necessarily mean broad prohibitions on activities involving processing. Personal data must be processed “fairly and lawfully”, and can (broadly) be processed without the data subject’s consent in circumstances where there is a legal obligation to do so, or where it is necessary in the public interest, or necessary where the legitimate interests of the person processing it, or of a third party, outweigh the interests for fundamental rights and freedoms of the data subject. These legitimising conditions are implemented into the Maltese Data Protection Act 2001 (at section 9), so it can be seen that the FKNF’s claim that Packham requires the hunters’ consent to film might not have legs.

Moreover, Article 9 of the Directive, transposed in part at section 6 of the 2001 Maltese Act, provides for an exemption to most of the general data protection obligations where the processing is for journalistic purposes, which would almost certainly be engaged for Packham’s activities. Whether, however, any other Maltese laws might apply is, I’m afraid, well outside my area of knowledge.

But what about activists who might not normally operate under the banner of “journalism”? What if Packham were, rather than a BBC journalist/presenter, “only” a naturalist? Would he be able to claim the journalistic data protection exemption?

Some of these sorts of issues are currently edging towards trial in litigation brought in the UK, under the DPA 1998, by a mining corporation (or, in its own words, a “diversified natural resources business”), BSG Resources, against Global Witness, an NGO one of whose stated goals is to “expose the corrupt exploitation of natural resources and international trade systems”. BSGR’s claims are several, but are all made under the DPA 1998, and derive from the fact they have sought to make subject access requests to Global Witness to know what personal data of the BSGR claimants is being processed, for what purposes and to whom it is being or may be disclosed. Notably, BSGR have chosen to upload their grounds of claim for all to see. For more background on this see the ever-excellent Panopticon blog, and this article in The Economist.

This strikes me as a potentially hugely significant case, firstly because it illustrates how data protection is increasingly being used to litigate matters more traditionally seen as being in the area of defamation law, or the tort of misuse of private information, but secondly because it goes to the heart of questions about what journalism is, who journalists are and what legal protection (and obligations) those who don’t fit the traditional model/definition of journalism have or can claim.

I plan to blog in more detail on this case in due course, but for the time being I want to make an observation. Those who know me will not have too much trouble guessing on whose side my sympathies would tend to fall in the BSGR/Global Witness litigation, but I am not so sure how I would feel about extending journalism privileges to, say, an extremist group who were researching the activities of their opponents with a view to publishing those opponents’ (sensitive) personal data on the internet. If society wishes to extend the scope of protection traditionally afforded to journalists to political activists, or citizen bloggers, or tweeters, it needs to be very careful that it understands the implications of doing so. Freedom of expression and privacy rights coexist in a complex relationship, which ideally should be an evenly balanced one. Restricting the scope of data protection law, by extending the scope of the exemption for journalistic activities, could upset that balance.

The FOI ministerial veto – why not?

The Court of Appeal has ordered disclosure of private correspondence between Prince Charles and the government. The judgment is potentially a triumph for transparency, but I have my doubts whether it reflects Parliament’s intentions when passing the FOI Act. And there will be a further appeal…

In September 2012 the Administrative Appeals Chamber of the Upper Tribunal (UT) handed down a judgment which struck me then, as it does now, as a remarkable work of research and scholarship. It was ruling on requests by the Guardian journalist Rob Evans – made as far back as April 2005 – under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR) for disclosure of information in private letters sent by the Prince of Wales to government ministers on matters of official policy. The UT’s judgment ran to 65 pages with three annexes, went into detailed analysis of constitutional conventions regarding the heir to the throne, and its decision was that the correspondence should be disclosed (overturning the prior decisions of the Information Commissioner (IC)). Subsequently, the Attorney General issued a certificate under section 53 FOIA – a “ministerial veto” – whose effect was to disapply the UT’s decision. The Attorney General’s certificate, in rather wider-spaced text, ran to ten pages.

Section 53 requires only that the accountable person (a minister)

gives the [Information] Commissioner a certificate signed by him stating that he has on reasonable grounds formed the opinion [that there had not been a failure to comply with the FOIA]

It is, as I’ve argued before, a bludgeon of an executive weapon, but it is, as are all acts of public authorities, potentially amenable to judicial review. So it was that, despite any statutory right of appeal, the Guardian made such an application. However, in July 2013, the High Court effectively decided that, although the ministerial power to override a superior court of record (let alone the statutory decision-maker, in the form of the IC) appeared to be a “constitutional aberration”, the proposition that “the accountable person is not entitled simply to prefer his own view to that of the tribunal” must be rejected. As Davis LJ said (para 111)

why not? It is inherent in the whole operation of s.53 that the accountable person will have formed his own opinion which departs from the previous decision (be it of Information Commissioner, tribunal or court) and may certify without recourse to an appeal. As it seems to me, therefore, disagreement with the prior decision (be it of Information Commissioner, tribunal or court) is precisely what s.53 contemplates, without any explicit or implicit requirement for the existence of fresh evidence or of irrationality etc. in the original decision which the certificate is designed to override

However, Davis LJ refused to accept that the wording of section 53 (“…stating that he has on reasonable grounds formed the opinion…”) permitted of an interpretation that:

the accountable person can, as it were, self-certify as to the availability of reasonable grounds

rather,

In my view, the language chosen clearly is sufficient to connote that an objective test is to be applied

But how to conduct that objective test? For Davis LJ, it must be that the reasonable grounds are “cogent”:

if an accountable person is to interfere, by way of exercise of the power of executive override, with the decision of an independent judicial body then that accountable person must be prepared and able to justify doing so. I am reluctant to talk in terms of burden of proof. But in terms of burden of argument the burden is in practice on the accountable person to show that the grounds for certifying are reasonable

Lord Dyson in the Court of Appeal has taken issue with this, saying (para 38) that

I do not consider that it is reasonable for an accountable person to issue a section 53(2) certificate merely because he disagrees with the decision of the tribunal. Something more is required […]

Examples of “something more” are given as

a material change of circumstances since the tribunal decision or that the decision of the tribunal was demonstrably flawed in fact or in law

Accordingly, as the Attorney General failed to give this “something more” but “simply disagreed with the evaluation made by the UT”, he failed to give reasons amounting to “reasonable grounds”. Thus (putting to one side a crucial other ground on which the appeal succeeded, relating to the EIR and European law, which I will deal with in a later blog post) the certificate had to be quashed.

As Dr Mark Elliott argues, Lord Dyson here “adopted a significantly more exacting conception of reasonableness” than had the High Court, and I would commend Dr Elliott’s piece to you as an expert analysis I am not competent to give.

However – and it pains me to say it, because I really don’t like section 53 – wasn’t it precisely Parliament’s intention that the accountable person did “merely” have to state that he had formed – on reasonable grounds – a different opinion to the preceding tribunal? If he cannot arrive at a different opinion, in the absence of “something else”, isn’t section 53 fundamentally weakened, even sidestepped? Indeed, Lord Dyson in my view arrives at this point, when he says

On the approach of the Divisional Court to section 53(2), the accountable person can override the decision of an independent and impartial tribunal which (i) is reasonable, (ii) is the product of a detailed examination (fairly conducted) of the issues after an adversarial hearing at which all parties have been represented and (iii) is not challenged on appeal. All that is required is that the accountable person gives sensible and rational reasons for disagreeing with the tribunal’s conclusion. If section 53(2) has that effect, it is a remarkable provision not only because of its constitutional significance (the point emphasised by the Divisional Court), but also because it seriously undermines the efficacy of the rights of appeal accorded by sections 57 and 58 of the FOIA

to which I am tempted to respond, adopting Davis LJ’s rhetorical device, “why not?” – that seems to have been what Parliament intended.

No doubt we shall see this explored more – the Attorney General is reported to have sought, and been given, leave to appeal to the Supreme Court.

The Windmills of Mr Cameron

The Prime Minister revealed recently that, when it comes to justifying the introduction of disproportionately intrusive surveillance legislation, he draws comfort from fictional depictions of crime detection:

In the most serious crimes [such as] child abduction communications data… is absolutely vital. I love watching, as I probably should stop telling people, crime dramas on the television. There’s hardly a crime drama where a crime is solved without using the data of a mobile communications device

Although this revelation has drawn some criticism, I think such criticism is unfair. Mr Cameron’s policy approach has a precedent. Hansard shows that, more than forty years ago, his predecessor adopted similarly populist bullshit robust research. Harold Wilson, in a debate on proposed changes to laws regarding investigation of serious crimes

is recorded as saying

The Prime Minister: In the most serious crimes a spectral assistant is absolutely vital. I love watching, as I probably should stop telling people, crime dramas on the television. There’s hardly a crime drama where a crime is solved without a private detective consulting his dead partner who has returned as a ghost whom no one else but he can see. If we don’t modernise the law to permit this sort of practice we will never know how many dead people could still have fulfilled their calling to support their surviving crime-busting partners while wearing dandyish white suits

So, Loz Kaye, Paul Bernal, OnlyOneIssue et al…enough with your cynicism. Get out your history books and recognise that there’s a venerable tradition of people with too much time and money on their hands imagining that fiction is reality.

Filed under satire, surveillance, Uncategorized

Staffs Police to drop controversial naming “drink drivers” twitter campaign

ICO confirms hashtag campaign prior to conviction was unlikely to be compliant with the Data Protection Act. Other forces to be advised via ACPO of issues raised by the case

Over the Christmas period Staffordshire Police ran a social media campaign, in which drivers arrested and charged with drink-driving offences were named on twitter with the “hashtag” #drinkdriversnamedontwitter. It seemed to me, and others, that this practice arguably suggested guilt prior to any trial or conviction. As I said at the time

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver

and I asked the Information Commissioner’s Office (ICO)

whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully

The ICO have now issued a statement. Their spokesman says

The ICO spoke to Staffordshire Police following its #DrinkDriversNamedOnTwitter campaign. Our concern was that naming people who have only been charged alongside the label ‘drink driver’ strongly implies a presumption of guilt for the offence, which we felt wouldn’t fit with the Data Protection Act’s fair and lawful processing principle.

We have received reassurances from Staffordshire Police that the hashtag will no longer be used in this way, and are happy with the procedures they have in place. As a result, we will be taking no further action. We’ve also spoken with ACPO about making other police forces aware of the issues raised by this case.

I think this is a very satisfactory result. The ICO have, as I said previously, shown that they are increasingly willing to investigate contraventions of the DPA not limited to security breaches. No one would defend drink driving (and it was not the naming itself that was objectionable, but the tweeting of the names in conjunction with the hashtag) but the police should not be free to indicate or imply guilt prior to conviction – that is quite simply contrary to the rule of law.

What I still think is disappointing though, is that after an initial prompt response from the Attorney General’s twitter account (which missed my point), there has been no word from them as to whether the practice was potentially prejudicial to any forthcoming trial. Maybe they’d like to rethink this, in light of the statement from the ICO?

Filed under Data Protection, human rights, Information Commissioner, police, Uncategorized

A Wrong Petition?

Who exactly is a newspaper targeting with its petition, and is it gathering personal data fairly?

The Northumberland Gazette, in a no doubt well-intentioned campaign, is urging its readers to petition the Information Commissioner (IC)

to do more to stop robocalls

“Robocalls” being

unwanted, automated, recorded calls, which are a blight in [sic] people’s lives

There are a couple of problems with this. Firstly, as Tim Turner pointed out, the IC cannot increase his own powers: that is a matter for Parliament, and, indeed, he would, er, be exceeding his powers if the IC increased his own powers. Christopher Graham (or, rather, the role he fills) is a creature of statute, not a superhero. Moreover, the IC has himself been lobbying for Parliament to increase his powers to deal adequately with contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003. If the newspaper wants the IC to have greater powers it should certainly assist the IC in seeking them, but I think it should do so with better information, and by encouraging people to lobby their MP, rather than by submitting their details into a google doc.

In my experience people often end up on spammers’, and “robocallers'”, lists, because they submit their personal details to meaningless and unclear websites. Privacy notices, where given, are a pain to read, but if done properly, they should tell you who is collecting the data, and for what purposes, and what your rights are.

In fact, failure to provide such information when gathering personal data is likely to constitute a contravention of the first data protection principle in the Data Protection Act 1998 (DPA). It’s notable, and ironic, that the Northumberland Gazette seems to provide no privacy notice whatsoever in connection with its petition. One hopes that those submitting a form don’t end up on more spammers’ lists, and find themselves complaining to the IC about an apparent breach by the newspaper of their rights under the first DPA principle.

Filed under Uncategorized

The Kids all have Rights

Chapter 2 of Part 1 of The Protection of Freedoms Act 2012 was commenced on 1 September this year, to little publicity. It contains quite radical provisions regarding use of children’s biometric information.

(…One for the no doubt thousands of younger readers of this blog…)

Hey kids – want to annoy your teachers and your parents while at the same time asserting your rights to autonomous decisions about your privacy? Then put down your tamagotchis, or whatever it is you play with these days, and have a look at Chapter 2 of Part 1 of The Protection of Freedoms Act 2012 (POFA). Bear in mind (as I know you will, as you guzzle your ginger beer) that, by virtue of The Protection of Freedoms Act 2012 (Commencement No. 9) Order 2013, sections 26, 27 and 28 of POFA are now in effect.

And note that, if your school processes your biometric information (for instance, if you have to provide your fingerprints in order to register, or to access libraries (to read the latest Enid Blyton, no doubt) or get school meals) then (after September 1 this year) the school has to have informed your parents that it is going to do this (or continue to do this). If your parents object, then the school has to stop (and almost certainly give you an alternative way of registering/accessing the library/getting school meals etc). The school

must ensure that a child’s biometric information is not processed unless—

(a) at least one parent of the child consents to the information being processed, and

(b) no parent of the child has withdrawn his or her consent, or otherwise objected, to the information being processed….

The relevant authority must ensure that reasonable alternative means are available by which the child may do, or be subject to, anything which the child would have been able to do, or be subject to, had the child’s biometric information been processed.

But also note (here’s the totally rad bit) that, even if your parents are OK with it, you have the right to object, and if you do, that trumps what your parents, and your school, think. Cool eh?

if, at any time, the child—

(a) refuses to participate in, or continue to participate in, anything that involves the processing of the child’s biometric information, or

(b) otherwise objects to the processing of that information,

the relevant authority must ensure that the information is not processed, irrespective of any consent given by a parent of the child

Now, kids, you will have your own views, and some of you may approve of administrative systems which rely on the gathering, use and retention of personal information. You may think that the potential time- and costs-saving benefits are the most important factors at play. But some of you might well object, on perfectly reasonable grounds. You might be worried about what might happen if, for instance, this information fell into the wrong hands, or was simply kept too long, and was misused to your detriment. You might even object in principle to this sort of private information being used in this sort of way, when there are less intrusive methods available.

And you might want to consider that, if sufficient of your classmates object, under what is an admirable and rather radical statutory scheme which gives priority to the wishes of children, then the whole purpose of having this sort of system (convenience and cost benefits for the school) might fall away.

Filed under Uncategorized