Local Government to be subject to wide data matching powers.

In August 2010, the Audit Commission was targeted for abolition. At that time, I asked “who would get the Commission’s data matching powers?”. Two years later we have part of the answer: the Secretary of State (SoS) responsible for Local Government.

In a draft Audit Bill published last week, Eric Pickles (the current SoS) is suggesting he is given wide ranging data matching powers that covers all local government functions (and all public bodies that deliver local government functions – this could include some contractors but not all). These data matching powers could wildly exceed what the Audit Commission have at the moment.

Although the main purpose of data matching is limited to any type of fraud, in the proposed clause 91, there are powers to add further data matching purposes and Local Government public bodies subject to data matching arrangements. It is this open ended provision that does not place any limit on the data matching arrangements for Local Government.

My reading of the draft legislation is that the Audit Commission’s data matching powers that relate to benefit fraud committed by employees working for the NHS or Police still need to find a home. One can now presume that the Secretary of State for Health and the Home Secretary could get them and that new legislation is needed.

So if the Home Secretary drafts data matching legislation to transfer the Audit Commission’s current powers, do you think that legislation will be limited to benefit fraud and police payrolls? Very unlikely in my view so I am throwing down a marker for a possible future privacy battle over data matching and the replacement for Schedule 7 of the Serious Crime Act 2007.

The Secretary of State is going to produce a Code of Practice that governs data matching in Local Government. In other words, the data controller doing the data matching is going to identify the procedures and rules that meet the requirements of the Data Protection Act that protect individuals. The Code is not a statutory one and there is no penalty for non-compliance with the Code’s provisions.

Quite frankly, this is unacceptable. Although there is “consultation” about the content of the Code (e.g. with the Commissioner), I don’t think this works.

Firstly, the fact that one “consults” with someone does not mean that one follows the advice given. So if the Information Commissioner were to come up with a serious objection, what the Commissioner says could, in theory, be ignored.

The second objection is more fundamental. What you have in data matching is a balance. On one side there is the invasion of privacy for whatever reason (e.g. anti-benefit fraud has substantial public support), and on the other, the protection of the privacy of the individual whose personal data are matched.

I contend that a Code of Practice produced by the organisation that actually does the privacy invading cannot deliver the correct balance because instinctively, the organisation producing the Code is on the side of privacy invasion.

To achieve a sustainable balance, what should happen is that the Code of Practice has to be produced independently (e.g. by the Commissioner) and that this Code has to be a statutory one so that the Courts take it into account if there is any failure to meet the expected standards.

Let me provide an example. The notes to the draft Audit Bill, stated that “The National Fraud Initiative has been very successful, enabling participants to detect £919m in fraud, errors and overpayments since 1996”. Take a note of that number – it is about £61 million per year and not the billions often quoted by Ministers in relation to benefit fraud.

The reason for this discrepancy is that the Department of Work and Pensions assume that any detected fraud has been going on for 32 weeks, so it multiplies the weekly fraud by that number. In this way £61 million per year transmutes into £1.8 billion!

As an aside, the 27th Report of the Public Accounts Committee in 1997/98 noted that “The 32-week multiplier at the heart of the weekly benefit savings calculations may distort reported levels of fraud, detected, and it does not reflect the actual savings to the public purse achieved by fraud detection”. All I would add is that the Audit Commission figure measures actual savings.

Why am I raising this? Well suppose it costs the Mr Pickles £65 million to do all the data matching, and suppose you are a civil servant doing a cost-benefit report to justify your Department’s data matching operations.

Which headline would you choose for the report:  “Data matching saves £1.8 billion” or “Data matching looses £4 million”? I bet it is the former. And that why this Code of Practice has to be independently drafted by someone who is not the Secretary of State.

References

Who gets the Audit Commission’s privacy invasive powers? http://amberhawk.typepad.com/amberhawk/2010/08/data-protection-who-gets-the-audit-commissions-privacy-invasive-powers.html

Draft Audit Bill
http://www.communities.gov.uk/documents/localgovernment/pdf/2174738.pdf

Public accounts committee on benefit fraud: http://www.publications.parliament.uk/pa/cm199798/cmselect/cmpubacc/366xxvii/pa2705.htm

If readers are looking for detail of the types of “public bodies” that could be involved, see a House of Lords judgment http://www.publications.parliament.uk/pa/ld200607/ldjudgmt/jd070620/birm-1.htm (where a contracted out care home was not a public body).

 

Guilt by innuendo: recent press reporting of Google’s StreetView affair demonstrates need for enhanced protection for individuals

I think 99.999% of people in the UK have never met, or heard of, Mr. Stephen McCartney. Those attending data protection conferences might recall him speaking about his policy role at Information Commissioner’s Office (ICO); indeed we have asked him to speak at our Update sessions because he is articulate and thought provoking.

Yet Mr. McCartney has become a central figure in the national press and the blogosphere over a story about the ICO’s investigation into Google’s StreetView.

Mr. McCartney is not a public figure. He is not a celebrity, nor related to one, nor has he been involved in an incident which attracts the attention of the tabloids. He was not involved in investigations for the ICO. He has not broken any law, nor taken a bribe, nor involved in any malfeasance. He is for all intents and purposes, an ordinary member of the public.

So why is Mr. McCartney the centre of attention? The reason is that his new employer, Google (who are not flavour of the month and never will be one suspects) and his old employer, the Information Commissioner (who has been widely chastised for not enforcing the Data Protection Act with respect of Google StreetView) have all attracted negative press commentary for various reasons.

Both these coincidences have conspired together: journalists looking to develop an angle on the Google StreetView story have added two plus two to produce a five star fiction centred on Mr. McCartney as potential leading villain. The matter is serious as this story has appeared in the Daily Telegraph, The Guardian, The Times, the Daily Mail and the BBC web-site and from thence into the trade press and blogosphere.

Consider how the Daily Mail (see references) headlined the story. “Boss at data watchdog that 'let off' Google in much-derided probe gets a job... at Google!”. It’s and eye-catching headline:- pity about the inconvenient fact that Mr. McCartney is not a “boss” nor did he have any involvement in the “much-derided probe” into Google.

The Daily Mail line continues “In 2010, following an inquiry that lasted just three hours, the ICO cleared Google. Eighteen months later, Mr. McCartney joined Google as its privacy manager”. Does this combination of sentences from the same paragraph suggest they are connected and that possibly, Mr. McCartney has been “rewarded” for his “work” on the Google inquiry?

Even Mr. McCartney’s contacts with the ICO get the innuendo treatment. The Daily Mail states that “But his close relationship with the ICO remained and in May he even emailed his former colleagues to complain about media reporting of the (Google) case. Christopher Graham, the Information Commissioner, responded to the email with a message saying: ‘Thanks for this, Stephen”.

I suppose the Daily Mail expects that Mr. McCartney should cut himself off from his work colleagues of seven years; perhaps it thinks, also, that the Commissioner should also ignore his previous employee’s involvement at his office and end his letters with the words “Sod off Stephen”?

The Daily Mail then reports that:

“Tory MP Robert Halfon said the appointment raised questions about the watchdog’s ‘cosy relationship’ with Google. `This is a pretty shocking revelation’, he said. ‘It raises more questions about the Information Commissioner than it does Google because clearly the ICO has been asleep on their watch on this issue. Now it seems they [the ICO] have had a cosy relationship with the company they have been investigating”.

The fact that a Tory MP takes up Mr. McCartney’s new job gives the story credibility and gravitas, does it not?  It is therefore of no surprise that some of the Daily Mail’s reader comments, posted under the story, refer to corruption.

My own view with this story is that there is hard reporting of innuendo in order to substantiate that there is a public interest in Mr McCartney. Yet in reality, there is no evidence of anything except someone has changed his job after several years.

How many officials, for instance, have left a regulator after a period of years and gone to work elsewhere in an industry that is subject to regulation? Would this story have been published if, Mr. McCartney, for example, had decided to work as a privacy officer at Barclay’s Bank? I think not.

And what redress is available to Mr. McCartney. Is he expected as an ordinary member of the public to risk all his financial means in order to fund a court case to seek redress? Is there a right to reply? Given that this story remains on the Internet, is there a right to forget?

The short answer is that for all ordinary members of the public in Mr. McCartney’s position there is no effective remedy. One can try the Press Complaints Commission (PCC) but it is common ground, even at the PCC, that this regulator is not fit for purpose.

This is what the Leveson Inquiry is all about. It is not about celebrity peccadilloes; it is about when the Press gets a member of the public in its sights and invents a story which is, quite simply, wrong.

And because employers are increasingly using the Internet, and because the Internet will never forget newspaper stories that have had this degree of coverage, the innuendo of recent days could haunt Mr. McCartney’s career for decades to come.

This explains why Leveson’s conclusions will be very important.

References (Mainstream media sources of innuendo in this case)

The Daily Mail: “Boss at data watchdog that 'let off' Google in much derided probe gets a job... at Google!”: http://www.dailymail.co.uk/news/article-2170035/Boss-data-watchdog-let-Google-derided-probe-gets-job--Google.html#ixzz1zxCsK0Kc

The Guardian: “Google UK privacy manager worked for ICO during Street View probe”: MP to raise matter in parliament after it emerges Stephen McCartney was at watchdog during controversial investigation””. http://www.guardian.co.uk/technology/2012/jul/05/google-uk-privacy-manager-ico?newsfeed=true
The Telegraph: “ICO Employee poached by Google ‘never worked on Streetview’. The Information Commissioner has denied that an employee poached by Google was ever involved in its investigation into Streetview data snooping”: http://www.telegraph.co.uk/technology/google/9381493/ICO-Employee-poached-by-Google-never-worked-on-Streetview.html
The BBC: “Google hired former UK data privacy official: Google UK's privacy policy manager held a senior role at the UK's data privacy watchdog during the time of its original probe into Street View”. http://www.bbc.co.uk/news/technology-18720572

The Times: “Google privacy manager worked for ICO” http://www.thetimes.co.uk/tto/public/profile/Murad-Ahmed

 

 

 

 

“Open data” White Paper could mean open season for enforced subject access

The Government has just published its ideas for allowing general access to data (which includes the intention to allow individuals on-line access to their own personal data). In general, I support this measure but sadly, the Open Data White Paper has not even considered that it has widened the privacy problems associated with “enforced subject access” (see references).

In the White Paper, the Government states that it wants to make personal data available to the data subject by a secure portal. Indeed it intends to give NHS patients access to their own health records before the end of the Parliament (if the coalition lasts that long). This is, I suspect, the quid pro quo for the fact that the Government wants wider use of medical records for research purposes (see last week’s blog – 26th June 2012-  where I show that the Data Protection Regulation has been changed at the UK Government request to support this move).

To illustrate the problems of online access to medical records, consider the following conversation:

Interviewer:”Hello John. Thanks for coming for an interview. Before we start, you have access to your medical records online. As you know, we want to make sure that you have all the hallmarks of a co-operative employee. I wonder whether you would allow us to look at your last 5 GP visits”.

John: “Well I am not sure of this. Doesn’t it breach the Data Protection Act?”

Interviewer: “No John it doesn’t and we are surprised that a cooperative individual like you could think so. All the protection you get from the Data Protection Act is unaffected. The first thing to say is that we would have your consent to your sharing your own personal details with us. 'Share' is a nice word isn’t it; indeed we encourage all our employees to consent and share their details with us in this way on a regular basis”.

Interviewer continues: “In addition, we are not going to record anything from your files in our databases. We are just going to look at your personal data. Because this information is not copied from your files to ours, we don’t have any “data” and because of that, we don’t have any personal data. All we are doing is “looking” but not “recording”.

Interviewer continues: “In theory, because we don’t have personal data we don’t have to apply the Principles. This means we don’t have to tell you what we looking for or why, we can make use of irrelevant details in the file, and of course, if there are inaccuracies in your file, we can just accept them as being the truth. This process is very secure:- after all, we can’t lose what we don’t have. But don’t worry about all these issues. Because we rely on consent, we think we are a very ethical company”.

John: “Well that is reassuring. I will just log on to my GP by the secure portal”.

Interviewer: “Please give me time to look away – I don’t want to see your password do I! This is an example of our ethics in action”.

Interviewer (after inspecting health records):”Oh. I forgot to ask. The job you are going for involves access to financial information. Do you, by chance have access to an online banking account?”....

In summary, the White Paper has ignored the obvious problem of individuals having to consent to access by others for whatever reason. Let us hope it is fixed before that portal is ever opened.

References relevant to the blog:

Enforced Subject Access to medical data raises its ugly head in the insurance industry. http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html

Data Protection: the use of the Internet to vet employees or job applicants: http://amberhawk.typepad.com/amberhawk/2010/08/data-protection-the-use-of-the-internet-to-vet-employees-or-job-applicants.html

Facebook passwords and employment: why data protection works and Facebook’s promise to take legal action to protect privacy doesn’t: http://amberhawk.typepad.com/amberhawk/2012/03/facebook-passwords-and-employment-why-data-protection-works-and-facebooks-promise-to-take-legal-action-to-protect-privacy.html

The Commission’s Data Protection Regulation: weaknesses from the data subject perspective (includes plea about enforced subject access): http://amberhawk.typepad.com/amberhawk/2012/03/the-commissions-data-protection-regulation-weaknesses-from-the-data-subject-perspective.html

 Open Government white paper on http://data.gov.uk/sites/default/files/Open_data_White_Paper.pdf