I have just delivered a talk at today's NADPO conference and was followed by Jonathan Bamford, Head of Strategic Liaison at the ICO. A few things he said I was unaware of – so here goes.
The ICO is concerned that the CCTV/ANPR provisions in the Freedoms Bill are limited to police and local authorities, whereas CCTV and ANPR technology is widely used by others (e.g. in private car parks), and in a potentially equally invasive way. I got the impression the ICO has asked the Government to modify the Bill so that the CCTV/ANPR provisions could be extended, by order, to other bodies that employ this technology. Will this change be made? Watch this space.
The ICO’s current advice on crime mapping is being revised and will be reissued in the light of experience. The Government wants to release more and more detailed information on crime statistics as it is politically popular, so much so that the release of such detail is becoming problematic. For example, does one really need to pin-point on a map (e.g. to within 6 houses or so) those houses that have reported an incident of domestic violence? It is these issues that the ICO is raising with civil servants; reading the runes, I don’t think the Government is listening.
Statistics were presented that show that, since November 2007, there have been 1,880 data breach notifications. The breakdown shows that 553 data losses were the result of “disclosure error”, 404 related to “lost data/hardware” and 518 related to “stolen data/hardware”. These three categories together account for 1,475 of the 1,880 notifications, i.e. nearly 80% of data breaches. So if you ever wanted a pointer as to which areas to check up on first, procedures in these three areas are the ones to choose.
In relation to “consensual audit”, the provisions detailed in the statutory Code of Practice on Data Sharing will be assessed by the ICO’s audit staff (if an audit concerns disclosure of personal data). Since nearly 30% of data losses fall into the “disclosure error” category, I reckon disclosure procedure is the priority area to check.
Remember, the statutory Data Sharing Code of Practice has to be taken into account if any disclosure goes “pear shaped”; it is therefore a very important Code to consider. If you are checking in this area, also include subject access procedures and, within them, the disclosure of personal data relating to other identifiable individuals. (There are some Undertakings which treat a mistaken disclosure of third-party data when dealing with a SAR as a reportable data loss – see references.)
Although to date it is Local Authorities that have been subject to Monetary Penalties, the implication was that NHS bodies would attract some penalties soon.
In relation to some carefully crafted commentary on the use of criminal records in employment, I gained the following impressions: (a) that the Government has promised something in the Freedoms Bill to deal with the issue of an individual not gaining employment because of a caution relating to a minor offence committed decades ago (e.g. nicking some sweets twenty-five years ago); and (b) that this promise has yet to be realised.
Finally, the ICO is planning to issue a Code of Practice on “anonymisation”. This will contain detailed advice for public authorities, who will increasingly provide such anonymised data as a result of the “right to data” in the Freedoms Bill. It will also cover the situation where a recipient of anonymised data attempts to reconstruct the personal data using data from other sources. This Code will be a very interesting read, and I have already told my psychiatrist.
If anyone is interested in my NADPO presentation, I attach it here. It deals with the Accountability Principle (expected in the forthcoming reform of the Data Protection Directive), and my view that such a Principle exists already in the UK Act. In the UK context, all the Principle lacks is the unannounced data protection audit which the ICO wants. The presentation reviews the audits and undertakings from the last 6 months.
Other things were raised in the talk, but I have blogged on these before (see references).
Blogs that contain details of the changes to the Data Protection regime that the ICO wants:
My NADPO presentation re the Accountability Principle: Download BLOG_NADPO_NOV2011_ACCOUNTABILITY
Data Protection/FOI courses
We have an audit and PIA course coming up in London very soon. Places are still available.
There is a full set of data protection courses in Leeds, London and Edinburgh. Our FOI courses are in London (currently underway) and Leeds (in 2012). Details are on the Amberhawk site.