Tweets and Tw*ts, redux

NOTHING TO SEE HERE, MOVE ALONG.

UPDATE: 13 December 2012

In a tweet to me of 5 December the ICO kindly clarified that there has been no change. The reference to twitter names is now contained in this guidance.

Has there been a subtle change of policy by the ICO on the subject of FOI requests made by twitter?

Last year I blogged about a Freedom of Information Act 2000 (FOIA) request I made to the Information Commissioner’s Office (ICO) via twitter. I referred the ICO to their own guidance (hosted as part of a web page, not as a separate download), which said

The request must state the name of the applicant…A Twitter name may not be the requester’s real name, but the real name may be shown in their linked profile…The request must also state an address ‘for correspondence’. Does this include Twitter names? The length of a tweet makes it difficult for the authority to respond fully, but there are ways of dealing with this. The authority could ask the requester for an email address in order to provide a full response. Alternatively, it could publish the requested information, or a refusal notice, on its website and tweet a link to that.

The question I have given emphasis there (“Does this include Twitter names?”) did not have a specific answer in the guidance, but one inferred that the answer was “yes” from the words that followed.

This morning I made a twitter FOIA request to the Department for Education, to which they replied asking me to provide an email address or fill in an online form. I was going to refer them to the ICO’s guidance, but found that it doesn’t exist anymore. Fair enough: websites change and URLs get broken. However, unless I am mistaken, I have also found that the ICO no longer seems to imply that a twitter name is an address for correspondence for the purposes of section 8(1)(b) of FOIA. As far as my search skills can ascertain, the ICO now says

Requests can also be made via the web, or even on social networking sites such as Facebook or Twitter if your public authority uses these…[the request must] include an address for correspondence. This need not be the person’s residential or work address – it can be any address at which you can write to them, including a postal address or email address

No reference there to twitter names. More detailed guidance from the ICO says

Where a request has request in line with section 8(1) of FOIA if the requester has provided their name and a valid address. Where possible a response to the requester should be sent for example by providing a web link. If the name or address is not provided it is not a valid request, therefore if information is not being provided a reply should be sent advising the requester of this, and asking for the required information.

Again, no reference to twitter names.

Unless I have indeed missed something, these changes, with their absence of any reference to the possibility of a twitter name being “an address for correspondence”, indicate a retreat by the ICO. It could well be that they’ve had to acknowledge that twitter is perhaps not the most appropriate medium for FOIA requests. If so, it would be helpful if they could – clearly – issue revised guidance. Their announcement that requests could be made by twitter got a lot of coverage, and led to the highest court in the land accepting that it had been wrong to imply it would not consider them valid requests.

I’ve made a FOIA request to the ICO to find out whether their policy has changed. Guess which medium I used?

Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

Internal Affairs

Has an NHS Trust tried wrongly to prevent publication of information under FOI? Or are they just perhaps (naively) internally exploring the options?

Brace yourselves. Hold on to your china. I have a shocking announcement to make: NOT ALL PUBLIC AUTHORITY STAFF FULLY UNDERSTAND FOI!

In fact, some of them don’t even like it – check out some of the submissions made to the Justice Committee when it was conducting its post-legislative scrutiny of the Freedom of Information Act 2000 (FOIA).

Even worse than those who don’t understand it and say so, are those who don’t understand it but think they do. All practitioners have been faced with the person who announces loudly and wrongly which exemption should be claimed, and won’t accept they’re wrong, because “that’s what we always used to say when I worked at [former employer]”.

These observations are prompted by a twitter exchange, and subsequent Telegraph article yesterday, regarding the accidental disclosure of internal emails by NHS Newcastle-upon-Tyne, in which staff there discuss how to respond to an FOI request. The article reports how the staff considered whether they had to disclose a strategy report, and that the following comments were made

The planned preventative maintenance is all my own work for which I can express intellectual rights…

The…strategy is commercially sensitive and subject to executive approval…Can we say that our Strategy is commercially sensitive and refuse to disclose?

We could refer to [other information] which is in the public domain…It would at least make us look slightly helpful

The Trust clearly did not want this exchange disclosed, because after inadvertently doing so, they tried to use an email recall function, which, as we all know, hardly ever works. I don’t blame them – this sort of exchange hardly reflects well on the FOI knowledge, and intentions, of certain staff. If it happened in my organisation I’d toddle on down to their office with a rolled-up copy of ICO guidance and bang them on the head with it (or maybe just suggest they have some training).

However, this sort of exchange goes on daily, in hundreds of public authorities, as hard-working, possibly naive staff grapple with complex FOI requests. They’ll mull things over, discuss options, make ridiculous suggestions, until, ultimately – one hopes – an FOI officer pulls it all together and arrives at a reasoned, fair and lawful decision about disclosure.

Of course that doesn’t always happen, and not all organisations have the bulwark of an honest, good FOI officer in place, but disclosure of internal discussions about potential exemptions, before any final decision on disclosure has been arrived at, does not point towards a potential criminal offence, as some were suggesting on twitter, and it doesn’t really make for a good story.

Filed under Uncategorized

Stupid, Stupid, Stupid.

How data security is like a car park. Sort of.

Last Friday I parked in my usual car park. I entered it past the signs informing me of the terms for parking there, and the penalties for breaching them. After parking I walked past the signs reminding me in big letters “HAVE YOU PAID AND DISPLAYED?”, and went in to work.

But when I returned later that day I had a ticket on my windscreen – a penalty charge notice – imposed for failing to display a ticket. I still don’t know how I managed to do this. Every other time I have parked, and bought a ticket, and placed it in the same place on the dashboard. But something went wrong this time.

Ever one to draw a clumsy analogy for the sake of a blog post, it got me thinking about data security. We all know how to avoid enforcement action by the Information Commissioner’s Office (ICO): train your staff, have good policies and procedures, and check regularly that they’re being complied with. Then, if something goes wrong, the ICO will determine that there was nothing more you as an organisation could have done to prevent the incident, and you are not in breach of the Data Protection Act. (Of course it’s a bit more complicated than that. But not much.)

However watertight your policies are though, and however often and loudly you remind people about them, mistakes happen. As Einstein is reported to have said “Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.” All you can do is mitigate the risks, and mitigate them sufficiently to satisfy those who regulate you. Thus, the ICO will (should) not impose a Monetary Penalty Notice if you had taken all the data security precautions you reasonably could have taken but one person made a stupid mistake leading to a data breach.

And, because the car park has clear and fair terms and conditions, I won’t challenge the lawfulness of imposing a penalty charge notice just because one stupid individual failed to check that his stupid car had a stupid $%*&ing ticket on the stupid dashboard last Friday morning.

Filed under Uncategorized

A Campaign Worth Fighting For

How the Campaign for Freedom of Information was integral to the original enactment of the Freedom of Information Act, and continues to lead on the subject. Support it.

In the mid-1990s my understanding of the concept of Freedom of Information was limited to two points: first, that it was heavily pushed by an organisation called the Campaign for Freedom of Information, and its director, Maurice Frankel and late Chairman, James Cornford and second, that FOI was, surely, unarguably a Good Thing.

In the heady months after Labour’s 1997 election victory it was easy simply to assume that the manifesto commitment to introducing a Freedom of Information Bill would be honoured. While those with more than a passing interest in the subject noted over the following months, with concern, a major retreat from David Clark’s White Paper Your Right to Know, the Freedom of Information Act 2000, as passed, was still a piece of progressive legislation, very much to be welcomed.

It is interesting, then, to read, in Jack Straw’s recently published, and sometimes rather mean-spirited memoirs, potentially just how little is owed to those who are now seen as the key figures in that Labour administration, and how much is owed to the Campaign for Freedom of Information. Straw describes how the manifesto commitment resulted in a White Paper to parts of which he and Tony Blair were fundamentally opposed:

Tony himself was by now getting extremely worried about the eccentric FOI policy to which his government, in a trance, had seemingly committed itself

and how

I had half a thought that the best thing might be to bin the whole bill, or kick it into the long grass with a Royal Commission

But ranked against him were “all the enthusiasts for FOI-max, ably briefed by the indefatigable Maurice Frankel”.

(Straw effectively, by his account, found himself fighting his own bill. His victory, as he sees it, was to ensure that a power for ministers ultimately to veto disclosure was included. The unsavoury picture painted is of an over-eager administration – committed by its manifesto – unwillingly enacting a progressive law, but hamstringing it in the process. And of course, we have since had several instances where that ministerial veto has been exercised (twice by Straw himself), most recently and worryingly to prevent disclosure of lobbying correspondence by the Prince of Wales, despite an extraordinarily thorough ruling in favour of disclosure in the Upper Tribunal.)

But this blog post is not about Jack Straw, now sniping from the opposition back benches, and not about the illiberal ministerial veto. It is about what a debt we all have to the Campaign for Freedom of Information, which has continued to argue for a more robust FOI Act, while defending it against threats of diminution. Regarding the latter, it is difficult to over-emphasise the significance of a late submission by the Campaign to the Justice Committee’s post-legislative scrutiny of the Act, which demolished many of the more specious arguments made by those criticising the Act. (Let us hope that the Committee’s welcome final report is accepted by the government, and that those of us who defend the Act can breathe easily, for a time at least.)

I have no personal interest in the Campaign (although I should perhaps declare that Maurice once gifted me a very-well-used-but-broken La Pavoni espresso machine) but it needs celebrating, and cherishing, and supporting (funding will always be an issue with an organisation like this). Everyone who uses and champions FOI should recognise this.

Filed under Uncategorized

An Irresponsible Press Release?

What is the basis for the ICO saying the private sector is better at data protection than the public?

I defended the Information Commissioner’s Office (ICO) today, over a poor Register headline which suggested they were “red-faced” about imposing monetary penalty notices on NHS bodies (of course they’re not). To their great credit, the Register reworded the headline. Shortly afterwards, the ICO issued a headline of their own in a press release

Private Sector leads the way on data protection compliance but room for improvement elsewhere

Behind this headline are four reports on the ICO’s Data Protection Act 1998 (DPA) audit activities over the last two years. Each report relates to a “sector”, so we have:

Audit outcomes, central government (February 2010 – July 2012)

Audit outcomes, local authorities (February 2010 – July 2012)

Audit outcomes, NHS (February 2010 – July 2012)

Audit outcomes, private sector (February 2010 – July 2012)

Ignore for a moment the fact that the distinction between “private” and “public” sector is increasingly an artificial one – what I want to focus on is the evidential basis for the assertions made by the ICO, and why I think they are potentially damaging to the interests of data subjects. The press release goes on to say

[the reports have] highlighted the positive approaches many private sector companies are adopting to look after people’s data. However concerns remain about data protection compliance within the local government sector and the NHS…Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act…In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fare little better with two out of 11 organisations achieving the highest level of assurance.

Let’s stop for a second to consider the nature of the audits we are looking at. The ICO does not have a general power to audit data controllers without their consent, although he does have that power over central government data controllers. So how does a data controller come to consent to an ICO audit? Very commonly it’s a result of a self-reported data breach, or following an ICO investigation giving rise to DPA concerns. The three arms of the public sector represented in these reports are required or expected to comply with specific data protection guidance: for central government it is the Cabinet Office Data Handling Procedures, for Local Government the LGA/SOCITM Data Handling Guidelines (derived from the Cabinet Office procedures), and for the NHS, the very robust Information Governance Toolkit. Each of these contains explicit directions that a serious DPA breach be reported to the ICO.

There is, of course, no such guidance for the “private sector” (although the ICO encourages data controllers, whether public or private sector, to self-report breaches).

Similarly, public sector organisations are subject to public law obligations and public-law-based corporate governance procedures which create an expectation that any breaches be self-reported and an expectation that they will agree to a suggestion by the ICO of a consensual audit.

Private sector organisations, while they have corporate governance obligations, are quite different. Responsibility to shareholders or owners is not the same thing as a public obligation.

What this means is that there are huge questions about how representative the sample of audited organisations cited by the ICO is, in support of the contention that the “private sector leads the way on data protection compliance”. Additionally, the numbers used to draw this conclusion are so small that, even if the sectors were fully comparable, I doubt whether they would have statistical significance.

I’m not going to list the numerous examples of private sector poor compliance which arguably give the lie to the ICO’s contention. I’m not even going to moan much about the fact that we will see this headline unthinkingly regurgitated over the following weeks.

But what I am going to say is I think this was an irresponsible press release. It was irresponsible because I simply cannot accept the universal premise of a statement that “the private sector leads the way on data protection compliance”. And because I can imagine that, somewhere, while a public sector data protection officer is shrugging his or her shoulders and going about his or her task with an extra dose of world-weariness, somewhere else, a private sector management board is thinking that perhaps it doesn’t need to worry too much about data security, and regulation by the ICO.

UPDATE: 12.10.12

I’ve had an email from a nice spokesman from the ICO press office, who wanted to give some further context, and clarified one point. He said

Motivation for agreeing to audit is undoubtedly a relevant context to the results we published, particularly given that, as you highlight, the ICO doesn’t have the power to compel organisations to submit to an audit. It isn’t true, though, that public sector audits are often the result of self-reported data breaches. In fact, most of our audits come from the ICO writing to organisations and asking them to volunteer, not as a direct result of a breach being reported.

Fair point, and I’m happy to clarify that most times the ICO invites organisations to volunteer for an audit not as a direct result of a breach being self-reported. Although I am pretty certain the ICO would not be sending that invite if he hadn’t determined, either as a result of a self-reported breach, or a complaint from a data subject, that there had been a breach of the DPA.

The spokesman went on to say

This is much the same as our approach to the private sector, though fewer private sector firms take up the opportunity, as we highlight in our report (perhaps due to the responsibility to shareholders versus public obligation argument you highlight in your blog).

I’m glad that there is, there, an implicit admission that audited public and private sector data controllers are not directly comparable. I rather wish the press release had said this.

But this next bit I’m not sure about

One of the purposes of this type of press release is to increase that take up and share best practice, by highlighting the availability of our audits.

Now, I’ve often, when training external (public sector) organisations, suggested to them that, if they feel relatively confident about their data protection compliance, they should consider inviting the ICO to audit them, because their auditors are fair, thorough and experienced (by the way, I advise those who are not confident about their compliance to get a consultant in first…). However, I’m not sure I could so readily recommend the ICO audit now, given what I maintain are the unfair comparisons which were drawn in this press release. Indeed, two public sector officers have now stated to me on twitter that this has actively dissuaded them from volunteering for an audit. That cannot be good.

Filed under Breach Notification, Data Protection, Information Commissioner

Private emails, FOI and Criminality

Private emails are subject to FOI searches, and it’s a crime intentionally to conceal relevant information.

So, it appears that the Department for Education (DfE) has conceded that business emails sent from private email accounts are subject to the Freedom of Information Act 2000 (FOIA), thus accepting what the right-thinking world, and, indeed, anyone with a glimmer of common sense knew all along.

Plaudits, or brickbats, according to your position on the merits of FOIA, should go to Christopher Cook of the Financial Times, who has pursued the DfE on this with the enthusiasm of a Jack Russell terrier faced with a scurrying rat. Fellow hacks at the Independent had also joined themselves to the proceedings listed (but now withdrawn) in the First-tier Tribunal (Information Rights). The DfE had had the balls to launch a challenge to a previous decision by the Information Commissioner (ICO) that the information (held in private email accounts) requested by Chris should be released. The decision notice itself was clear, and difficult to argue with, as is the advice on the subject published by the ICO around the same time. One wondered what possible grounds the DfE had on which to base a successful appeal, and the withdrawal of the appeal probably answers that point, although it appears the withdrawal was actually prompted by the imminent publication of Cabinet Office guidance.

Some are now predicting that there will be a deluge of FOI requests specifically targeted at information held in private emails, or text messages, and I think this is probably right. What is not clear is how they will be handled. The ICO’s guidance suggests that, faced with requests for information that could be held in private emails, public authorities should restrict themselves to asking the person to search their account and keeping a record to show that this was asked:

The public authority will then be able to demonstrate, if required, that appropriate searches have been made in relation to a particular request. The Commissioner may need to see this in the event of a…complaint

This suggests that, when investigating a complaint about refusal to disclose information, the ICO will restrict himself merely to satisfying himself that an authority has asked its staff to check emails. Absent any evidence that those staff have not been honest about the contents of those private emails, the ICO will take no further action. The reasons for this are, really, quite obvious: the powers open to a public authority to access private email accounts are limited. Although the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow an employer to “intercept” an employee’s private emails (if sent using the employer’s systems) to determine whether they are business-related, those powers must be exercised with due regard to the employee’s privacy rights. The interception of private emails in a private email account (sent using the employer’s systems) must be necessary and proportionate. If an employee has told his or her employer that their private emails contain no information caught by an FOI request it is doubtful, absent any evidence to the contrary, that a “trawl” of emails without the employee’s consent would be lawful (I’ve written for PDP journals on this subject – subscription needed).

On one view, then, nothing much has changed with the concession by the DfE, although no doubt many new FOI requests will be made as a result. What has changed, perhaps, is the focus on individuals’ personal responsibility under FOIA. Currently, section 77 creates an offence if a person alters, defaces, blocks, erases, destroys or conceals a record in response to an FOI request. If a trawl of emails on a public authority’s systems is required this will normally fall to IT, or similar, and employees have little say – or, if you like, given the existence of back-up systems – limited opportunity to commit a section 77 offence. Now, if the same employee is asked whether private emails contain specific information, and he or she untruthfully says “no”, criminality – the mens rea – will be relatively easy to make out.

The question is, how would we find out?

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Privacy, RIPA, Uncategorized

The Public Interest in the Hillsborough Disaster

How could the Cabinet Office have originally decided the public interest favoured non-disclosure of information held about the Hillsborough Disaster?

On 15 December 2009 Alan Johnson, the then Secretary of State for the Home Department, announced that an Independent Panel would be appointed to enable disclosure of information relating to the 1989 Hillsborough disaster, and the events which followed it. The Panel would lead to

maximum possible public disclosure of governmental and other agency documentation on the events that occurred and their aftermath

As we all know, the Panel has now published an extraordinary amount of information, with a devastating covering report. It was not the Panel’s role to apportion blame for the tragedy but the disclosure has finally led to unequivocal public and political acceptance that, in the words of the Prime Minister, and despite previous despicable insinuations or outright pronouncements to the contrary

Today’s report is black and white. The Liverpool fans “were not the cause of the disaster”.

The efforts of bereaved families and those close to them in effecting this outcome can never be overstated. But a small part was attempted to be played using the Freedom of Information Act 2000. On 23 April 2009 a BBC journalist made an FOI request to the Cabinet Office for

Copies of all briefings and other information provided to Margaret Thatcher in April 1989 relating to the Hillsborough disaster [and] Copies of minutes and any other records of meetings attended by Margaret Thatcher during April 1989 at which the Hillsborough disaster was discussed.

The request was turned down. The Cabinet Office, rather than the 20 working days permitted by law, took nine months (they’re traditionally not very good at this FOI compliance thing, you must understand) to state that the information was exempt from disclosure under sections 31(1)(a), 31(1)(b), 31(1)(g) – which deal with prejudice to law enforcement – and sections 35(1)(a), 35(1)(b) and 35(1)(d) – which deal with information relating to the formulation or development of government policy, Ministerial communications and the operation of any Ministerial private office. All of these exemptions, if engaged, required consideration whether the public interest in disclosure outweighed the public interest in maintaining the exemption. In all instances, the decision was against disclosure: the public interest did not – according to those at the Cabinet Office determining this request – favour disclosure.

On appeal the Information Commissioner disagreed. He said

the Commissioner considers it clear that the public interest in disclosure of information relating to the Hillsborough disaster – constituting improved public knowledge and understanding of the causes of and reaction to this event (and in relation to this specific information how the Government of the day reacted) – means that the balance of the public interest favours disclosure

He did not accept the Cabinet Office’s argument that the fact that the Independent Panel had now been set up was relevant to a decision as to whether the application of the exemptions was correct

[the Panel] did not exist at the time of the request, or within 20 working days following the receipt of the request by the public authority. This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant

Notwithstanding this, the BBC ultimately agreed to withdraw its request, given the imminence of the outcome of the Panel’s work. And now we know the truth.

The Prime Minister went on to say in his statement

At the time of the Taylor Report [Margaret Thatcher] was briefed by her private secretary that the defensive and – I quote – ‘close to deceitful’ behaviour of senior South Yorkshire officers was ‘depressingly familiar’. And it is clear that the then government thought it right that the Chief Constable of South Yorkshire should resign. But… governments then and since have simply not done enough to challenge publicly the unjust and untrue narrative that sought to blame the fans.

Information Commissioner decisions requiring disclosure of Cabinet minutes, and similar information, have four times been subject to a ministerial veto to maintain secrecy. Was the initial refusal of the BBC’s FOI request for this Hillsborough disaster information simply reflective of a government approach which automatically seeks to exempt any Cabinet minutes from disclosure? I rather hope so, because the alternative is that officials, and ministers, thought that the public interest did not favour disclosure of information relating to what some are calling the biggest cover-up in British history.

UPDATE

I’ve been reflecting on this. I think it’s only fair to point out that, arguably, because the Cabinet Office took so long (nine months, remember) to get round to responding to the request, by the time they did so, the Independent Panel was set up. So, by that argument, the person looking at the request never actually determined that the public interest did or did not favour disclosure, until it was clear that it was going to be published in the future. The Information Commissioner did not accept that point

This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant. This situation applies regardless of the lengthy delay

and was correct in law not to, but in fairness to the Cabinet Office officials, they might have handled the request differently (by the time they got round to it) if the Independent Panel, with its remit to disclose, had not been set up.

Filed under BBC, Cabinet Office, Freedom of Information, Information Commissioner, police, Uncategorized

Data Security and Churnalism

On the lazy reporting of a silly story about increases in data breaches

Over the past couple of days the following have all published stories on the fact that data breaches in the UK have “rocketed” or “spiked” by an “alarming” 1000% over the last five years.

Computer Business Review
Techweek Europe
The Nextweb
Public Service
Help Net Security
V3.co.uk
Computing.co.uk
SC Magazine
UKAuthority.com
The Register
Computer World UK
The BBC

These are mostly well-respected news sources, serving either the tech industries or the public sector. All of them report this story as though the news that self-reporting of serious data breaches to the Information Commissioner has increased is a bad thing. I’ve given the links to the stories not because I want to increase their clicks, but to show the remarkable similarity between them. This is not surprising, as they are all picking up on a press release by Imation (ironically, as a non-hack, I don’t have access to it) which was issued following an FOI request to the Information Commissioner. The response to the request showed that, indeed, in 2007-08 the number of breaches reported to the ICO was 79, and in 2011-12 it was 828. But does that really mean that “Data breaches in the UK have increased tenfold in the past five years”, as the BBC put it?

The answer, certainly, is “no”.

The reporting of breaches has increased by that proportion. But that is not particularly surprising. As far as I recall, the first guidance issued by the ICO on reporting serious breaches was only issued in July 2010. Before that, while there may have been an inferable assumption that serious breaches should be reported, there was not much in the way of clear direction or expectation until relatively recently. This expectation has become much more explicit since the ICO gained powers to issue civil monetary penalties for serious breaches. Now, all major data controllers know that when there is a serious breach of data security it needs to be reported to the ICO (and for telecoms providers, there is a legal requirement to do so under the Privacy and Electronic Communications (EC Directive) Regulations 2003).

But is it a bad thing that the number of reported incidents has increased? Of course not. All breaches of data security are to be regretted, and lessons learnt so that they don’t recur. But data controllers need to be encouraged to recognise breaches, and to put their hands up when they happen. The ICO even considers self-reporting to be a mitigating factor when assessing what action he should take.

I doubt that many, if any, of the people writing for the websites I link to above really think that data security breaches (rather than reports of breaches) have increased 1000% over five years. I’m sure their writers and reporters are very busy, and an eye-catching press release makes for easy copy. But these websites (with the exception of the BBC) are important and specialist sources of information. For them to resort to “churnalism” (a form of journalism in which press release…are used to create articles…without undertaking further research or checking) at the expense of common sense, especially when it might lead to greater reluctance to self-report, is greatly to be regretted.

Filed under Breach Notification, Data Protection, Information Commissioner, PECR

(Data?) Protection for Maine Coons

News that the Police Union of Senior Staff has called for controls over ownership of Maine Coon cats, following the serious concerns raised by the recent misidentification of one as the Essex Lion, raises interesting points about the extent to which cat-lovers should be required to place their pets on a central register.

So, the Essex Lion turns out in all probability to have been a Maine Coon cat. Those of us who questioned whether Essex Police were potentially over-reacting to the reports now accept that problems with perspective can confuse the best of us.

Although there is no need at all for those caught up in the scare to be embarrassed, Felix Silvester, spokesman for the Police Union of Senior Staff – an organisation representing senior police spokespersons – has announced that the Union are calling for registration of Maine Coon cats:

These animals are not like normal cats. For one thing, they are bigger. For another they are quite possibly fiercer. The fact that the Essex Lion scare went on for as long as it did is unavoidably connected to the fact that there is no register of Maine Coon cats. If there had been one I’m sure it’s the first thing Essex Police would have checked. The Police Union of Senior Staff is calling for a compulsory register of all Maine Coons.

This raises important points both for animal rights and privacy activists. Although the concept of “personal data” in the Data Protection Act does not currently extend to animals, a proposed European Commission directive may change that. The Directive 12/666/EC on Monitoring Information on Animals and Other Wildlife states that

the definition of personal data…should be extended to all domestic animals, and some ruminants

While this is wholly sensible, and something respected commentators have for some time been calling for, it must be observed that none of the protections afforded to human data subjects will extend to feline ones. Cats could find themselves subject to unlimited detention and inhumane treatment (because they are not human).

I remain deeply suspicious of Mr Silvester’s comments, and do not think that the embarrassment of an entire police force justifies such draconian measures as a compulsory register.

Filed under satire

What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to be handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework), it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper, The Register gave some examples of shoulder-surfing in addition to Bob Quick’s infamous incident:

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.

*It’s difficult to categorise them accurately. For instance, a fax is both electronic and physical, and a lost hard drive is a loss of physical data, but its seriousness is tied to the electronic contents of said drive.

Filed under Confidentiality, Data Protection, Information Commissioner, monetary penalty notice, police, Uncategorized