May 29, 2014 · 8:31 am

Data Protection rights of on-the-run prisoners

Does data protection law prevent the disclosure under the FOI Act of the identities of prisoners who have absconded?

The Mail reported recently that the Ministry of Justice (MoJ) had refused to disclose, in response to a request made under the Freedom of Information Act 2000 (FOIA), a list of prisoners who have absconded from open prisons. The MoJ are reported to have claimed that

under Freedom of Information laws, there is a blanket ban on releasing the criminals’ identities because it is their own ‘personal data’

but the Justice Secretary Chris Grayling was reported to be

furious with the decision, which was taken without his knowledge. He is now intending to over-rule his own department and publish a list of all on-the-run criminals within days

and sure enough a few days later the Mail was able to report, in its usual style, the names of the majority of the prisoners after Grayling

intervened to end the ‘nonsense’ of their names being kept secret…[and stated] that data protection laws will not be used to protect them, arguing: “They are wanted men and should be treated as such. That’s why on my watch we will not hold back their names, unless the police ask us not to for operational reasons”

Regarding the initial article, and in fairness to the MoJ, the Mail does not publish either the FOI request, nor the response itself, so it is difficult to know whether the latter was more nuanced than the article suggests (I suspect it was), but is it correct that disclosure of this information was prevented by data protection law?

More information was given in a follow-up piece on the Press Gazette website which cited a spokeswoman from the MoJ’s National Offender Management Service’s Security Group:

She said the department was “not obliged” to provide information that would contravene the Data Protection Act, adding, “for example, if disclosure is unfair”, which also meant that it did not have to consider “whether or not it would be in the public interest” to release the information

This is technically correct: FOIA provides an exemption to disclosure if the information requested constitutes personal data and disclosure would be in contravention of the Data Protection Act 1998 (DPA), there is no “public interest test” under this exemption, and whether disclosure is unfair is a key question. The reference to “fairness” relates to the first data protection principle in Schedule One to the DPA. This provides that

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a)at least one of the conditions in Schedule 2 is met, and

(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

As the Information Commissioner’s Office says (page 13 of this guidance) “fairness can be a difficult concept to define”, and assessing it in a FOIA context will involve whether the information is “sensitive personal data” (it is in this instance – section 2 of the DPA explains in terms that data about prison sentences is included in this category); what the possible consequences of disclosure are on the individual; what the individual’s reasonable expectations are; and the balance of the interests of the public against the rights of the individual (this last example shows that there is, in effect, if not in actuality, there is a kind of public interest test for the FOIA personal data exemption).

With this in mind, would it really have been “unfair” to disclose the identities of on-the-run prisoners? The consequences of disclosure might be recapture (although I concede there might also be exposure to risk of attack by members of the public), but does an absconder really have a reasonable expectation that their identity will not be disclosed? I would argue they have quite the opposite – a reasonable expectation (even if they don’t desire it) that their identity will be disclosed. And the balance of public interest against the absconders’ rights surely tips in favour of the former – society has a compelling interest in recapturing absconders.

But this doesn’t quite take us to the point of permitting disclosure of this information under FOIA. If we look back to the wording of the first data protection principle we note that a condition in both Schedule Two (and, this being sensitive personal data) Schedule Three must be met. And here we note that most of those conditions require that the processing (and FOIA disclosure would be a form of processing) must be “necessary”. The particular conditions which seem to me most to be engaged are the identically worded 5(a) in Schedule Two, and 7(1)(a) in Schedule Three:

The processing is necessary for the administration of justice

What “necessary” means, in the context of a balance between the FOIA access rights and the privacy rights of individual has been given much judicial analysis, notably in the MPs’ expenses case (Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)), where it was said that “necessary”

should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends

In this way “necessary” in the DPA, accords with the test in Article 8 of the European Convention on Human Rights, which provides that any interference with the right to respect for private and family life etc. must be

necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others [emphasis added]

Deciding whether there was a “pressing social need” to disclose, under FOIA, the absconders’ identities to the Mail was not straightforward, and no doubt the civil servants at MoJ erred on the side of caution. I can imagine them thinking that, if it was necessary in a democratic society to publish these names, they already would be published as routine, and the fact that they hadn’t meant that it would not be proportionate to disclose under FOIA (I happen to think that would be wrong, but that’s not strictly relevant). But this is an interesting case in which the subsequent intervention by the Justice Secretary created the justification which perhaps did not exist when the FOIA request was being handled: after all, if the Justice Secretary feels so strongly about publishing the names, then doing so must be necessary in the interests of public safety etc.

As it was, five of the names (out of eighteen) were not disclosed, no doubt for the police operational reasons that were alluded to by Grayling. And this, of course, points to the most likely, and the most strong, exemptions to disclosure of this sort of information – those relating to likely prejudice to law enforcement (section 31 FOIA).

 p.s. I am given to understand that the Information Commissioner’s Office may be contacting the MoJ to discuss this issue.

2 Comments

Filed under Data Protection, Freedom of Information, human rights, police

Tagged as , , ,

May 28, 2014 · 8:37 am

Letting the data protection genie out of the bottle

Ireland police tweet a picture of a distinctive car they pulled over…social media speculates as to the owner…police warn of data protection implications…

 Recital 26 to the 1995 European data protection Directive explains that

the principles of protection must apply to any information concerning an identified or identifiable person [and] to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person

The Directive was transposed into Irish domestic law by amendments to the Data Protection Act 1988 which defines personal data as

data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller

What this means is that, as the Ireland Data Protection Commissioner says

There are different ways in which an individual can be considered ‘identifiable’.  A person’s full name is an obvious likely identifier.  But a person can also be identifiable from other information, including a combination of identification elements

With that in mind it was instructive to note a brief exchange on Twitter this morning involving the An Garda Síochána official account which is set up to provide “information on traffic and major events”. The exchange began with a tweet containing a photograph of a car pulled over for having “overly tinted windows”, and this was followed by a couple of tweets from another twitter user  alluding to the identity of the driver of the car. Finally, the Garda tweeted

Please do not post name, data protection issues, we want to raise awareness, we do not want to cause embarrassment

Some of the tweets have since been deleted, but @anyabike helpfully took a screengrab, which I have edited to remove any identifying information (except the picture of the car, which is still on the Garda timeline):

image

This is interesting (well, to me at least) because the concerns from the Garda about data protection should perhaps more properly have been addressed at themselves, for tweeting the picture in the first place. I have previously written about the practice of emanations of the state using social media to “shame” people, or to pursue campaigns and the fact that this almost inevitably engages data protection and human rights laws. The fact that the Garda published a picture from which an individual could be identified (either from that data or from that data in conjunction with other information in their possession) meant that they were, by definition, processing personal data (uploading a picture to the internet is certainly “processing”). And it is at least arguable that, in doing so, they should have been alive to the possibility of third parties being able to identify the individual, which would go to the heart of whether the initial processing was “fair” (section 2(1)(a) Data Protection Act 1988). Any complaint arising out of identification would perhaps be made not only about the person naming the individual, but also, and more strongly, about the public authority who initiated the identification.

This is not a huge issue, and I’m not saying the Garda were wrong to tweet the picture, merely that it is some kind of irony that, having done so, they then seek to restrain speculation as to the identity of the car owner: on social media, once the data protection genie is out of the bottle, it can be very hard to get him back in.

1 Comment

Filed under Data Protection, human rights, police, social media

Tagged as ,

April 25, 2014 · 1:28 pm

The slings and arrows of FOI

“…investigation by and even adverse comment from the Ombudsman is one of the slings and arrows of local government misfortune with which broad shouldered officials have to cope…” (Feld v London Borough of Barnet [2004] EWCA Civ 1307)

Ombudsmen loom over the actions of many public authorities. Particularly, the NHS and local authorities are subject to the scrutiny of respectively, the Parliamentary and Health Service Ombudsman (PHSO), and the Local Government Ombudsman (LGO). The Ombudsmen themselves must have broad shoulders, subject as they are to the oversight of both parliament, and, because they are public authorities subject to the Freedom of Information Act 2000 (FOIA), the Information Commissioner’s Office (ICO).

The PHSO was recently asked, under FOIA, for the email address and telephone number of the Ombudsman herself, Dame Julie Mellor. The request was refused, on the basis of the exemption at section 40(2) of FOIA – namely that the requested information was Dame Julie’s personal data, and disclosure would breach the first data protection principle in the Data Protection Act 1998. This refusal has now been upheld by the ICO, in a decision notice which explains that

the data requested relates to a living individual who may be identified from that data and that [therefore] it constitutes personal data

That much is uncontroversial: a person’s email address and telephone number will generally be held to be their personal data, even in a professional context, providing that they can be identified from that data. However, the ICO goes on to say

the Commissioner considers that the Ombudsman would have a reasonable expectation that her email address and direct telephone number would not be placed into the public domain by disclosure under the FOIA…

…The Commissioner is aware that the requested email address and telephone number are personal to the Ombudsman but are professional contact details. He considers that their disclosure is unlikely to cause the Ombudsman distress on a personal level. However the Commissioner is satisfied that disclosure would disrupt the running of the organisation and it is apparent that the consequences would have a negative impact upon the PHSO

This seems to conflate two quite separate issues – personal privacy, and organisational impact. As far as I can understand it the argument is that, because this is personal data, and because disclosure would disrupt the running of the organisation, disclosure would not be “fair”, in line with the requirements of the first data protection principle. But, as the ICO’s own guidance on disclosure of personal data under FOIA explains (paragraph 44), the consequences to be taken into account are those to the data subject, not to their organisation, or a third party.

If disclosure of information would disrupt the running of a public authority, there are other, more appropriate FOIA exemptions which might apply. Specifically, section 36(2)(c), for situations where disclosure would prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs.

But even then I struggle to see how disclosure of such innocuous information would really cause sufficient prejudice to warrant keeping this information secret – shouldn’t the Ombudsman be able to implement systems to deal with a possible increase in emails and calls if the email address and phone number were made public? Isn’t this sort of potential irritation one of the slings and arrows of administrative misfortune with which broad shouldered officials have to cope?

(As a footnote to this piece, neither the section 40(2), nor the section 36(2)(c) are going to carry much weight when the information is readily available online already. I will not link to it, because I’m a cautious soul, but Dame Julie’s email address, at least, has been published on the internet as part of a document created by her, and hosted by a reputable academic institution.)

 

 

 

17 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, ombudsman, transparency

Tagged as , ,

April 25, 2014 · 6:43 am

Data Protection for Baddies

Should Chris Packham’s admirable attempts to expose the cruelties of hunting in Malta be restrained by data protection law? And who is protected by the data protection exemption for journalism?

I tend sometimes to lack conviction, but one thing I am pretty clear about is that I am not on the side of people who indiscriminately shoot millions of birds, and whose spokesman tries to attack someone by mocking their well-documented mental health problems. So, when I hear that the FNKF, the Maltese “Federation for Hunting and Conservation” has

presented a judicial protest against the [Maltese] Commissioner of Police and the Commissioner for Data Protection, for allegedly not intervening in “contemplated” or possible breaches of privacy rules

with the claim being that they have failed to take action to prevent

BBC Springwatch presenter Chris Packham [from] violating hunters’ privacy by “planning to enter hunters’ private property” and by posting his video documentary on YouTube, which would involve filming them without their consent

My first thought is that this is an outrageous attempt to manipulate European privacy and data protection laws to try to prevent legitimate scruting of activities which sections of society find offensive and unacceptable. It’s my first thought, and my lasting one, but it does throw some interesting light on how such laws can potentially be used to advance or support causes which might not be morally or ethically attractive. (Thus it was that, in 2009, a former BNP member was prosecuted under section 55 the UK Data Protection Act 1998 (DPA 1998) for publishing a list of party members on the internet. Those members, however reprehensible their views or actions, had had their sensitive personal data unlawfully processed, and attracted the protection of the DPA (although the derisory £200 fine the offender received barely served as a deterrent)).

I do not profess to being an expert in Maltese Data Protection law, but, as a member state of the European Union, Malta was obliged to implement Directive EC/95/46 on the Protection of Individuals with regard to the Processing of Personal Data (which it did in its Data Protection Act of 2001). The Directive is the bedrock of all European data protection law, generally containing minimum standards which member states must implement in domestic law, but often allowing them to legislate beyond those minimum standards.

It may well be that the activities of Chris Packham et al do engage Maltese data protection law. In fact, if, for instance, film footage or other information which identifies individuals is recorded and broadcast in other countries in the European Union, it would be likely to constitute an act of “processing” under Article 2(b) of the Directive which would engage data protection law in whichever member state it was processed.

Data protection law at European level has a scope whose potential breadth has been described as “breath-taking”. “Personal data” is “any information relating to an identified or identifiable natural person” (that is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”), and “processing” encompasses “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

However, the broad scope does not necessarily means broad prohibitions on activities involving processing. Personal data must be processed “fairly and lawfully”, and can (broadly) be processed without the data subject’s consent in circumstances where there is a legal obligation to do so, or where it is necessary in the public interest, or necessary where the legitimate interests of the person processing it, or of a third party, outweigh the interests for fundamental rights and freedoms of the data subject. These legitimising conditions are implemented into the Maltese Data Protection Act 2001 (at section 9), so it can be seen that the FKNF’s claim that Packham requires the hunters’ consent to film might not have legs.

Moreover, Article 9 of the Directive, transposed in part at section 6 of the 2001 Maltese Act, provides for an exemption to most of the general data protection obligations where the processing is for journalistic purposes, which almost certainly be engaged for Packham’s activities. Whether, however, any other Maltese laws might apply is, I’m afraid, well outside my area of knowledge.

But what about activists who might not normally operate under the banner of “journalism”? What if Packham were, rather than a BBC journalist/presenter, “only” a naturalist? Would he be able to claim the journalistic data protection exemption?

Some of these sorts of issues are currently edging towards trial in litigation brought in the UK, under the DPA 1998, by a mining corporation (or, in its own words, a “diversified natural resources business”), BSG Resources, against Global Witness, an NGO one of whose stated goals is to “expose the corrupt exploitation of natural resources and international trade systems”. BSGR’s claims are several, but are all made under the DPA 1998, and derive from the fact they have sought to make subject access requests to Global Witness to know what personal data of the BSGR claimants is being processed, for what purposes and to whom it is being or may be disclosed. Notably, BSGR have chosen to upload their grounds of claim for all to see. For more background on this see the ever-excellent Panopticon blog, and this article in The Economist.

This strikes me as a potentially hugely significant case, firstly because it illustrates how data protection is increasingly being used to litigate matters more traditionally seen as being in the area of defamation law, or the tort of misuse of private information, but secondly because it goes to the heart of questions about what journalism is, who journalists are and what legal protection (and obligations) those who don’t fit the traditional model/definition of journalism have or can claim.

I plan to blog in more detail on this case in due course, but for the time being I want to make an observation. Those who know me will not have too much trouble guessing on whose side my sympathies would tend to fall in the BSGR/Global Witness litigation, but I am not so sure how I would feel about extending journalism privileges to, say, an extremist group who were researching the activities of their opponents with a view to publishing those opponents’ (sensitive) personal data on the internet. If society wishes to extend the scope of protection traditionally afforded to journalists to political activists, or citizen bloggers, or tweeters, it needs to be very careful that it understands the implications of doing so. Freedom of expression and privacy rights coexist in a complex relationship, which ideally should be an evenly balanced one. Restricting the scope of data protection law, by extending the scope of the exemption for journalistic activities, could upset that balance.

7 Comments

Filed under Data Protection, Europe, human rights, journalism, Privacy, Uncategorized

Tagged as , , ,

April 17, 2014 · 12:29 pm

Virgin Media, and a stray email

Anyone who’s worked for a large organisation is likely to be familiar with the situation when someone mistakenly sends an email to everyone who works there. Replies – to all – start straight away: “Hi, I don’t know what this means?” “Hi, nor me” “Hi, I don’t think you meant to send this to me” “Nor me” “Hi everyone, please don’t ‘reply to all'” “Hi, you just did the same thing!!!” “Stop replying to all!” “You too!!!” “AAAAGGGHHHH!!!” etc etc, until eventually it settles down.

And then two weeks later someone comes back from leave and replies to all “Hi, I don’t know what this means”…

I imagine the frustration felt by fellow employees in those circumstances doesn’t begin to equate to that felt by some Virgin Media customers, if stories about an incident yesterday are correct. As The Register reports

The broadband biz emailed Brits using its virgin.net email service, which is provided by Google, to warn them of some forthcoming changes…But any email replies to that message were sent to everyone on the mailing list: the email address the update was sent from acted as a conduit to the full list of virgin.net customers. This not only spewed hundreds of extra missives into inboxes, it also shared the senders’ email addresses with everyone on the list

And the BBC says

Some people reported receiving hundreds of emails, including spam messages and light-hearted exchanges between other customers.

I’ve added the emphasis there, to highlight how excruciatingly annoying it must have been to be on the receiving end of hundreds of light-hearted messages like “I don’t know why you’re emailing me” “Stop replying to all!!!” “You’re doing it too LOL!!” ad nauseum.

Virgin Media have apologised, and tell customers that the issue is now resolved

A small proportion of our customers have received an email from one of our suppliers which, if they reply-all, it is sent to a wider group…We are confident that this issue has now been resolved, the problem stopped and further messages prevented.

I’ve just got a couple of observations to make. One is that “a small proportion of our customers” does not necessarily mean a small number, and while this is not quite a simple “reply to all” issue (it seems that the mailing list was wrongly configured) it clearly caused considerable disruption for those affected. And if Wikipedia is correct Virgin Media has several million customers – a “small proportion” of those could well number the 130,000-odd that some news outlets are claiming were affected. And the other observation is that as far as I can see Virgin Media don’t say whether they have informed the Information Commissioner, who will, no doubt, be wanting to ask some questions to establish whether this incident was as a result of a serious contravention of the data controller’s obligations under the Data Protection Act 1998. After all it only takes one careless individual to send a wrongly-addressed email, but it might point to information security failings if a mailing list is wrongly configured.

 

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner

Tagged as ,

March 21, 2014 · 7:32 am

Opting patients out of care.data – in breach of data protection law?

The ICO appear to think that GPs who opt patients out of care.data without informing them would be breaching the Data Protection Act.  They say it would be unfair processing

In February of this year GP Dr Gordon Gancz was threatened with termination of his contract, because he had indicated he would not allow his patients’ records to be uploaded to the national health database which as planned to be created under the care.data initiative. He was informed that if he didn’t remove information on his website, and if he went on to add “opt-out codes” to patients’ electronic records, he would be in breach of the NHS (GMS contract) Regulations 2004. Although this threatened action was later withdrawn, and care.data put on hold for six months, Dr Gancz might have been further concerned to hear that in the opinion of the Information Commissioner’s Office (ICO) he would also have been in breach of the Data Protection Act 1998 (DPA).

A few weeks ago fellow information rights blogger Tim Turner (who has given me permission to use the material) asked NHS England about the basis for Health Services Minister Dan Poulter’s statement in Parliament that

NHS England and the Health and Social Care Information Centre will work with the British Medical Association, the Royal College of General Practitioners, the Information Commissioner’s Office and with the Care Quality Commission to review and work with GP practices that have a high proportion of objections [to care.data] on a case-by-case basis

Tim wanted to know what role the ICO would play. NHS England replied saying, effectively, that they didn’t know, but they did disclose some minutes of a meeting held with the ICO in December 2013. Those minutes indicate that

The ICO had received a number of enquiries regarding bulk objections from practices. Their view was that adding objection codes would constitute processing of data in terms of the Data Protection Act.  If objection codes had been added without writing to inform their patients then the ICO’s view was that this would be unfair processing and technically a breach of the Act so action could be taken by the ICO

One must stress that this is not necessarily a complete or accurate respresentation of the ICO’s views. However, what appears to be being said here is that, if GPs took the decision to “opt out” their patients from care.data, without writing to inform them, this would be an act of “processing” according to the definition at section 1(1) of the DPA, and would not be compliant with the GPs’ obligations under the first DPA principle to process personal data fairly.

On a very strict reading of the DPA this may be technically correct – for processing of personal data to be fair data subjects must be informed of the purposes for which the data are being processed, and, strictly, adding a code which would prevent an upload (which would otherwise happen automatically) would be processing of personal data. And, of course, the “fairness” requirement is absent from the proposed care.data upload, because Parliament, in its wisdom, decided to give the NHS the legal power to override it. But “fairness” requires a broad brush, and the ICO’s interpretation here would have the distinctly odd effect of rendering unlawful a decision to maintain the status quo whereby patients’ GP data does not leave the confidential confines of their surgery. It also would have the effect of supporting NHS England’s apparent view that GPs who took such action would be liable to sanctions.

In fairness (geddit???!!) to the ICO, if a patient was opted out who wanted to be included in the care.data upload, then I agree that this would be in breach of the first principle, but it would be very easily rectified, because, as we know, it will be simple to opt-in to care.data from a previous position of “opt-out”, but the converse doesn’t apply – once your data is uploaded it is uploaded in perpetuity (see my last bullet point here).

A number of GPs (and of course, others) have expressed great concern at what care.data means for the confidential relationship between doctor and patient, which is fundamental for the delivery of health care. In light of those concerns, and in the absence of clarity about the secondary uses of patient data under care.data, would it really be “unfair” to patients if GPs didn’t allow the data to be collected? Is that (outwith DPA) fair to GPs?

Leave a comment

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, NHS

Tagged as , , ,

March 19, 2014 · 2:27 pm

Kent Police get £100,000 penalty for poor data security

I blogged last week about “data breaches”, and the need to define and sometimes to differentiate between a breach of the Data Protection Act 1998 (DPA) and a general data security breach. Well, I’m (not at all) pleased to say that today’s news of the latest monetary penalty notice (MPN) served by the Information Commissioner’s Office (ICO) on Kent Police doesn’t need any such nuanced analysis. Here was a data security breach which was also a manifest breach of the DPA.

A police officer, by chance, discovered in some premises video tapes clearly marked as police material. He subsequently ascertained that the owner had found them, and much more besides, in the basement of a former police station which he had purchased. It is difficut to think of more sensitive information than the kind which was involved here. In part it consisted of

documents and video/audio tapes containing confidential and highly sensitive personal data about a significant number of individuals. These included files relating to threats to kill, rape, grievous bodily harm and child abuse cases; interviews with victims, witnesses/informants and suspects

Although the force had initially

taken some steps to safeguard the information by carrying out inspections of the former police station which identified that items were still in situ

the failure to have any policies in place, or to assign responsibility to anyone, meant that this was a clear and serious contravention of the seventh data protection principle (relating to data security measures) of a kind likely to cause, at least, substantial distress. I would add, although the ICO does not, that it might well have been also a serious contravention of the fifth principle (“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”). Given this, it is somewhat surprising that this case falls (admittedly at the top end) into the lowest category of cases qualifying for an MPN (the ICO’s internal guidance says that these cases will attract an amount of £40,000 to £100,000). Bearing in mind that Brighton and Sussex University Hospitals NHS Foundation Trust got an MPN of £325,000 for failing to dispose of computer hard drives properly, this current MPN seems low.

It also, once again, draws attention to the importance of good records management within police forces. I wrote only recently, in the context of the Ellison Review of policing relating to the Stephen Lawrence inquiry, about how records management is essential for the operation of the rule of law and the current case just gives even greater strength to this.

1 Comment

Filed under Data Protection, enforcement, Information Commissioner, monetary penalty notice, police, records management

Tagged as , ,

March 17, 2014 · 5:10 pm

A balanced view on Optic Nerve

As I’m keen always to take a balanced view of important privacy issues, and not descend into the sort of paranoid raving which always defines, say, the state as the enemy, capable of almost anything, I sometimes think I end up being a bit naive, or at least having naive moments.

So, when outgoing Chair of Ofcom Dame Colette Bowe recently gave evidence to the House of Lords Select Committee on Communications, and said about consumers that

their smart TV may well have a camera and a microphone embedded in it there in their living room. What is that smart TV doing? Do people realise that this is a two-way street?

I thought for a moment “Oh come on, don’t be so scaremongering”. Sure, we saw the stories about Smart TVs and cookies, which is certainly an important privacy issue, but the idea that someone would use your TV to spy on you…?!

And then, of course, I quickly remembered – with a feeling of nausea – that that is exactly the sort of thing that GCHQ are alleged to have done, by jumping on the unencrypted web cam streams of Yahoo users, as part of the Optic Nerve program. And each time I remember this, it makes me want to scream “THEY WERE INDISCRIMINATELY SPYING ON PEOPLE…IN THEIR HOMES, IN THEIR BEDROOMS, FOR ****’S SAKE!”

And they were doing it just because they could. Because they’d notice a way – a vulnerability – and taken advantage of it to slurp masses of intensely private data, just in case it might prove useful in the future.

The intrusion, the prurience, the violation do indeed make me feel like raving against the state and its agents who, either through direct approval, or tacit acceptance, or negligence, allowed this to happen. Although *balance alert* GCHQ do, of course, assure us that “GCHQ insists all of its activities are necessary, proportionate, and in accordance with UK law”. So that’s OK. And yes, they really did call it “proportionate”. 

I know the web cam grabbing was by no means the only such intrusion, but for me it exemplifies the “something” which went wrong, at some point, which led to this. I don’t know what that something was, or even how to fix it, and I’ve never used a web cam, so have no direct interest, but I will closely watch the progress of Simon Davies’ request for the Attorney General to refer the matter to the police.

Leave a comment

Filed under Confidentiality, Data Protection, human rights, interception, Privacy, RIPA, surveillance

Tagged as , , ,

March 17, 2014 · 9:24 am

Your Twitter account is worth…

SWEET F.A.

Go and learn some economics. Something’s value is determined by what people are prepared to pay for it, and no one wants to buy your twitter account. Don’t be so greedy.

1 Comment

Filed under nonsense, social media

Tagged as

March 16, 2014 · 8:36 am

Sale of patient data – time for an independent review?

The Sunday Times reports that a billion patient records have been sold to a marketing consultancy. Is it time for an independent review of these highly questionable data sharing practices?

In 2012, at the behest of the then Secretary of State for Health, Andrew Lansley (driver of the Health and Social Care Act 2012), Dame Fiona Caldicott chaired a review of information governance in the NHS. Her report, which focused on the issue of sharing of information, was published in April 2013. At the time a statement in it, referring to the Information Commissioner’s Office (ICO) stood out to me, and it stands out even more now, but for different reasons. It says

The ICO told the Review Panel that no civil monetary penalties have been served for a breach of the Data Protection Act due to formal data sharing between data controllers in any organisation for any purpose

At the time, I thought “Well duh” – of course the ICO is not going to take enforcement action where there has been a formal data sharing agreement, because, clearly, the parties entering into such an agreement are going to make sure they do so lawfully, and with regard to the ICO guidance on data sharing – lawful and proportionate data sharing is, er, lawful, so the ICO wouldn’t be able to take action.

But now, with the frequent and worrying stories emerging of apparent data sharing arrangements between the NHS Information Centre (NHSIC), and its successor, the Health and Social Care Information Centre (HSCIC), I start to think the ICO’s comments are remarkable for what they might reveal about them looking in the wrong direction, when they should have been paying more attention to the lawfulness of huge scale data sharing arrangements between the NHS and private bodies. And now, The Sunday Times reports that

A BILLION NHS records containing details of patients’ hospital admissions and operations have been sold to a marketing consultancy working for some of the world’s biggest drug companies

I think it is time for a wholesale review, properly funded, by the ICO as independent regulator, of these “formal data sharing” arrangements. They appear to have a questionable legal basis, based to a large extent on questionable assumptions and assurances that pseudonymisation equates to anonymisation (which anyone who looks into will realise is nonsense).

And I think the review should also consider how and why these arrangements appear to have deliberately been taking place behind the backs of the patients whose data has been “shared”.

Leave a comment

Filed under care.data, Data Protection, data sharing, Information Commissioner, monetary penalty notice, NHS, Privacy

Tagged as , ,