Fines for non-registration with the police? Reforms permit enhanced secondary use of electoral rolls.

Should you be fined if you failed to register with the local police, the national security agencies, any Government Department or a Credit Reference Agency? Should the national security agencies, for instance, be entitled to create a population register, the core of which could be similar to that of associated with the ill-fated ID Card (much beloved by the previous Government)?

Surprised by these questions? Both these outcomes are possible, courtesy of the Electoral Registration and Administration Bill just published following last week’s Queen’s Speech.

This Bill allows for individual electoral registration; this means that each elector must apply individually to be registered to vote. To ensure that all voters are registered, the Bill permits extensive data matching powers to verify applications, to check existing entries in electoral registers against other sources of data, and to hunt for individuals who do not currently appear on the electoral roll.

Also like registration for an ID Card, there will be a civil penalty for those who fail to make an application when required to do so by an Electoral Registration Officer (“ERO”). This continues the compulsion under the current law which makes it an offence if an individual fails to provide information to an ERO when asked.

The details provided on such registers are usually the voter’s name, address, nationality and age; however the associated Privacy Impact Assessment adds that the register will need to have access to Nationality (plus immigration status where appropriate), NINO and previous and/or alternative address. All these details formed core elements of the ID Card’s database (the National Identity Register or NIR).

Each full register is updated every month and published once a year. Like the ill-fated NIR, the full register can be used for several purposes: there is the obvious electoral purpose, a prevention and detection of crime purpose, a safeguarding national security purpose and a purpose related to checking the identities of individuals who have applied for financial services.

Each full register can also be sold to any government department for its purpose, it can be used for vetting job applicants and employees if this is required by law, and by credit reference agencies. The selling price for a full register is about £15 per 1,000 names so a 100,000 constituency will cost about £1,500 (for details see references). The Bill does not propose a central database of voters, but clearly this has not stopped the collection of a comprehensive set of electoral rolls (e.g. by the credit reference industry).

Despite an obligation to inform the ERO (and thence several state institutions) of your name, address and age (when asked), the Explanatory Notes accompanying the Bill plays down concerns over Article 8 and the obligation to respect private and family life. The Notes explain:

“The operation of the provisions in the Bill involves the processing of individuals’ personal information and therefore arguably engages Article 8 ECHR” (my emphasis on arguably).  The Notes then add “The question of compatibility with Article 8 will, therefore, depend to an extent on the way in which the new system is implemented”. (As we shall see, the implementation is by wide ranging, unfettered, exercise of power by the Secretary of State).

The claim that Article 8 is not engaged arises because:

a. it is necessary for EROs to ensure that only those individuals who are entitled to be registered to vote are included on the register and to reduce voter fraud;

b. all secondary uses (e.g. prevention of crime) are exclusions in Article 8(2) of the Human Rights Act; and

c. a challenge to the current scheme for the disclosure and use of the electoral register was found to be a “very modest” interference with the right to vote (and if challenged, is likely to fall within the margin of appreciation associated with Article 8; see R (Robertson) v Secretary of State [2003] EWHC 1760 (Admin)).

Now I turn to the powers of the Secretary of State in the Bill (and can you remember that what the ERO puts on an electoral register potentially goes to everybody allowed a copy of the full register e.g. police, credit reference agencies etc). The powers can be used to permit any ERO:

(a) to verify information relating to a person who is registered or who is named in an application for registration, or alteration of, an entry in a register (note that such verification includes checking with other sources of information held by other persons);

(b) to ascertain the names and addresses of people who are not registered but who are entitled to be registered (note that this is a “hunt the errant voter” provision possibly by data matching from such sources identified above), or

(c) to identify those people who are registered but who are not entitled to be registered (perhaps doing checks with the immigration service – who knows!).

The Secretary of State’s powers may also authorise “comparisons” (i.e. more data matching) with other information and allow the “conferring of other functions on a person” (this should make the processing undertaken by the other person, legitimate in terms of Schedule 2 of the DPA) and authorise the Secretary of State to make grants to a person on whom functions are conferred (this means the tax payer pays for the pleasure).

The idea behind the above is, for example, to set up a system whereby information provided with applications for registration and information held by specified public authorities are passed to say another person for comparison, with the results passed back to EROs for registration. The Audit Commission (or its replacement when abolished) springs to mind with its considerable data matching experience countering Local Government benefit fraud.

The powers can also minimise the impact or protection afforded by the Data Protection Principles; they can:

a. authorise “a person to disclose or otherwise process information only in accordance with an agreement” (i.e. this makes the data sharing lawful,  provides a Schedule 2 ground but the processing may have to be in accordance with a data sharing protocol);

b. authorise or require “a person to disclose or otherwise process information only in accordance with requirements imposed by the Secretary of State” (i.e. allows the Secretary of State to mandate such disclosures in the absence of an agreement; any disclosure becomes lawful in terms of the First, Second and Seventh Principles);

c. require “the retention or disposal, or otherwise regulating the processing, of information disclosed” (i.e. this can legitimise retention criteria that are more extensive that the minimum retention criteria that would be established by Fifth Data Protection Principle).

Now take a big breath as we are not finished discussing powers. Are you ready? There is also a power so that “Provision made under this paragraph (e.g. to require disclosure or data sharing) has effect despite any statutory or other restriction on the disclosure of information”! No comment except to say “overkill to the power of a million”.

The only safeguard re exercise of these powers is that the “Secretary of State must consult any relevant person” (e.g.  the Electoral Commission, the Information Commissioner). Note that what this really means that the Secretary of State is free to ignore what either Commissioner says; the obligation only is to “consult”.

The degree of compulsion that will be placed on voters to register under the new arrangements is yet an unknown quantity; however, the current position was set out in an answer to a PQ six months ago. Mr Clegg, Deputy PM, wrote that:

“It is currently not compulsory to be registered to vote and this will not change under the Government’s individual electoral registration (IER) proposals. It is an offence at present for anyone not to provide information when required to do so by an electoral registration officer (ERO), for example, in response to the household canvass form. The Government propose to retain this offence under the new system, however, it is not proposed to create a new offence for an individual failing to respond to an invitation to register. We believe that the act of registering is one of personal responsibility, and as such there should be no compulsion for an individual to make an application to register to vote”. (Hansard, 17 Oct 2011 : Column 714W).

To be fair to EROs, they have not pursued many prosecutions and I have only seen the odd one or two over the last decade. However, the fining regime that involves civil penalties could be completely different as there appears to be a shift in enforcement power: fining policy is in the hands of the Secretary of State and not in the hands of an ERO (as in the case or prosecution). All the Bill vaguely says is that “The procedure for imposing a civil penalty on a person is to be set out in regulations”; it outlines an appeals process but does not define the amount of the penalty.

If these civil penalty regulations are used to implement an combative approach to enforce voter registration, then you almost turn the clock back to the ID Card situation where failure to register on the NIR attracted a penalty, and entitlement for services depended on the existence of an entry in the NIR. Under an aggressive penalty regime, for instance, those in receipt of a benefit or driving licence or paying tax could be “reminded” by the relevant government department that they are not on the local electoral register, and be told that the local ERO “has been informed”. I think you can follow the rest of the logic by yourself!

The Government intend that the number of such organisations that can have copies of the individual voter registers are not really part of the discussion; this is because the wide powers of the Secretary of State, found in Schedule 2 (para 10B) of Representation of the People Act 1983, are being enhanced and strengthened (and not questioned! - even by the published PIA).

Under the 1983 Act provisions, the Secretary of State can continue to authorise or require an ERO “to supply to such persons as may be prescribed copies of the full register and other documents, or prescribed parts of them, whether free of charge or on payment of a prescribed fee”; the Secretary of State can also continue to define the secondary purposes for which the information contained in the registers may be used.

In other words, the Secretary of State has complete control over use, content and disclosure from all electoral registers and the Secretary of State has untrammelled powers to deliver any outcome the Government wants. All these powers exercised by Statutory Instruments which usually get little or no scrutiny; this is very redolent of New Labour’s surveillance state legislation.

The real issue is of course, is whether Electoral Rolls should be used for these wider purposes; and of course there are arguments either way on this score. In my view, the primary purpose of the Electoral Roll is to encourage voters to engage with the democratic process; having an infrastructure of wide ranging data sharing powers so that recalcitrant voters can be issued civil penalties will discourage such political engagement. Far better, I suggest, is to make the institution of Parliament more in tune or responsive with the needs of the voters; what we have with majority Governments is a Parliament that usually offers a degree of scrutiny at the level of a rubber stamp.

Such penalties do make more sense if the objective is to populate the databases of the police, credit reference agencies, other Government Departments and the national security agencies etc etc; this is especially the case when the improved accuracy of individual voter registers become available.  So, in summary, I can see in about five years time (when this Bill is settled in), there will be increased pressure for even further wider use of electoral rolls by different bodies.

Those of you with memories of the National Identity Register will remember that the NIR was to be used for a Population Register, accessible to all public authorities. Remember that NIR was supported by wide ranging disclosure powers for the Secretary of State, a strict eligibility criteria of registration, and strident civil penalties for refusenicks.

Now consider the new system of voter registration and that pinnacle of inductive reasoning: “if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck”.

And now you know where I am coming from!

References

Explanatory Notes on the Electoral Registration and Administration Bill: from http://www.publications.parliament.uk/pa/bills/cbill/2012-2013/0006/en/13006en.htm

The Electoral Registration and Administration Bill itself: http://services.parliament.uk/bills/2012-13/electoralregistrationandadministration.html

Privacy Impact Assessment (which amazingly does not consider any of the legislative issues raised here) https://update.cabinetoffice.gov.uk/sites/default/files/resources/Privacy-Impact-Assessment-090512.pdf.

Download background details of the supply and sale of the Electoral Roll (Parliamentary Paper):Download Electoral roll document_for blog May2012

 

Desire for a FOI charging regime equates to reduced accountability of public bodies

I have to confess that I am just a normal type of guy who reads Hansard and watches the BBC’s Parliamentary Channel. The last (wet) bank-holiday weekend, for instance, there was a riveting repeat of Jack Straw’s evidence to the Justice Committee on the operation of the Freedom of Information (FOI) Act.

As Home Secretary, Jack Straw was responsible for piloting the Data Protection and Freedom of Information Bills through Parliament; he knows where the legislative skeletons can be found. And at the time of his stewardship of the FOI Bill in Parliament, he knew that Tony Blair had decided that FOI was his worst idea ever. He confirmed that but for the Ministerial veto, the Government would have dropped the FOI Bill.

So I think his take on the current review of FOI is important. I also think Straw’s position is close to what I think the Government would like to propose.

As an aside, remember that the Data Protection and FOI Acts started off as Home Office Bills (prop J. Straw); that is why these Acts have significant exemptions in areas that cover Home Office functions such as law enforcement, policing, immigration and national security. Jack Straw protected his fiefdom very well.

Anyway back Jack Straw’s evidence to the Justice Committee; it amounted to four propositions:

•    charge the applicant about £10-£15 for each FOI access request;
•    make the FOIA exemptions in Section 35 (formulation of Ministerial policy etc) and Section 36 (prejudice to the effective conduct of public affairs) in so far as they apply to Ministerial decisions an absolute, class exemption (i.e. no public interest test);
•    reword the “formulation or development of government policy” part of the Section 35 exemption so that it applies indefinitely, and
•    keep the Ministerial veto as a safeguard to be used sparingly in other cases.

The argument over FOI as debated at the moment has two strands:

•    One strand goes something like this: “FOI requests costs us £184 each so it is only proper the applicant pays a modest amount, especially in these days when money is tight”.
•    The second strand is that Ministers (unlike NHS boards, police boards and Mayors in large conurbations) are in a special place because when they determine policy, they should be able to keep key information secret for at least 20 years (the minimum time when documents become public records).

As can be seen the second argument is far more difficult to make; that is why there is a fuss over the latest veto re the NHS Risk Assessment. Hence, the focus of debate is more on the first strand.

Backing the cost arguments is a report is a Mori study which has provided some cost estimates (which are not representative, if you read the report carefully). For example, Mori reports that:

“Statistics produced by the Ministry of Justice over the period 1 October 2010 – 30 September 2011 indicate that Departments of State and other monitored bodies covered by these statistics received a total of 45,958 FOI requests. In order to produce an estimate of the total annual cost in staff time of processing and responding to central government requests, it is possible to multiply £184 (the average cost of the 225 FOI requests submitted to central government) by the total number of requests received. This gives an estimated staff cost of £8,456,272 per year”.

Before you say that £8.5 million could allow us to build a new school or a hundredth of a new fighter aircraft, just ask what this money is doing?

I would argue that for £8.5 million, we get 46,000 FOI requestors using their own resources to make a Government accountable for its spending of £722 billions (the annual figure for expenditure on Central Government Departments). In other words, a relative spend of a small amount on FOI (0.01% of Government expenditure on Central Government) has the potential to hold Government accountable across the whole extent of its policy range (subject to an exemption, of course).

Similarly, for the Universities. For instance, JISC, the UK's body on information and digital technology in higher education, tracked 36 requests in seven institutions and found that the average cost, including staff time, of answering an FoI request was £121. Extrapolating this research to all FOI costs for the University sector, the cost of FOI can be estimated to be between £2.3 and £9.2 million (or around 16,000 – 40,000 requests across the University sector – if that £121 number is accurate).

But again ask: “What do you get for that money?”. In the UK, there are about 120,000 students paying about £7,000-£9,000 each per year under the new student loan system – that is about £1 billion; the public money spent on Universities by the Treasury is  around £9billion. So it follows that members of the public are contributing £10 billion to University sector; so spending something like £5 million on general public accountability to 25,000 requestors via FOI. This represents about 0.05% of spending in the University sector; pretty good value I would argue.

Of course these numbers (i.e. the 0.01% and 0.05%) I have quoted above are only an approximate guide, but they should be of the correct order of magnitude. They confirm that FOI expenditure is small beer indeed compared with what every taxpayer gains in accountability.

Of course, also, it’s a pain for a University to provide details of why it is doing animal research that has been banned in Germany or why a Minister does not want to publish a health risk assessment (suspected to confirm that the new Health Reforms could destabilise the NHS; yesterday’s veto does not help allay those fears, I should add).

However this is what accountability is all about; it is very uncomfortable at times for those being held to account. So when Ministers use private emails to conduct a public policy debate (to avoid FOI), they really don't like it when an independent regulator says that these emails are still subject to FOI requests.

Once upon a time, making public bodies accountable was central to Government policy. Remember in June 2011, Communities and Local Government Secretary Eric Pickles, stated that he wanted “a new wave of local scrutiny by citizen journalists, microbloggers and armchair auditors” as their role was needed in  “in eliminating waste and inefficiency to deliver value for money to the taxpayer and help protect services”. Isn’t this is what the product of an FOI does in many instances – raise issues of concern?

The Secretary of State even cited cases uncovered by local armchair auditors; for instance in Barnet where “serious deficiencies in procurement arrangements saw the council spend over £1m of taxpayers' money to hire a private security firm with no tendering exercise, contract or proper invoicing. It was and activist bloggers” or in Islington where “many invoices had been paid more than once”.

I would argue that an adjunct of the Pickles’ policy of encouraging “armchair auditors” is to empower them to make follow-up FOI requests, free of charge, about public contracts. If the Government introduces charges for FOIA requests, the Mr Pickles “armchair auditor” idea is finished. Which armchair auditor is going to shell out £10-£15 to follow an accounting trail?

In other words, I think the issue about FOI is simple: if you don’t want public accountability, implement a FOI charging regime. Tony Blair understood that charging undermines FOI – and his memoirs eloquently explained the motive. It appears that this Government is following in Blair’s wake for the same reasons one should add.

Honestly, the final equation is very simple: FOI charging = unaccountability (especially for Central Government).

References

Jack Straw’s evidence session (uncorrected): http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/uc1849-v/uc184901.htm

Local Government FOI costs: http://www.lgcplus.com/briefings/corporate-core/legal/cost-of-foi-requests-rises-to-34m/5019109.article

Higher education FOI costs: http://www.timeshighereducation.co.uk/story.asp?storyCode=419674&sectioncode=26

Mori cost evidence: Download Blog May 2011 investigative-study-informing-foia

Is the Surveillance State being resurrected? Assessing whether privacy is protected when surveillance policy is developed

April is becoming a month of resurrections. The last blog referred to the Members of an Information Rights Tribunal resurrecting the corpse of Durant which then bit them; they were thus turned into zombies and issued a Decision that I will politely call “provocative and novel”.

Last month Theresa May resurrected the data retention ambitions of GCHQ so that all contact details, dates and times of all electronic communications between all individuals in the UK are retained for a year or so and captured in real-time (the electronic communication can be in any format - email, social network, VOIP).

Now Francis Maude appears to have resurrected the data sharing ambitions of the previous Government, quoting Thomas Walport as justification. In a speech on 6th February, he said that he had established a Taskforce that “is committed to removing barriers to sharing information and it is prepared to recommend changes to legislation where there are unnecessary legal barriers”.

Somewhere down the line, Mr Maud appears to have formed a different view of Thomas Walport which concluded on page 2 (of a 200 page report) that:

“There can be no formulaic answer as to whether or not it is appropriate to share personal information. The legal context for the sharing of personal information is encompassed by the common law, the European Union Data Protection Directive, the Data Protection Act and the Human Rights Act. We have found that in the vast majority of cases, the law itself does not provide a barrier to the sharing of personal data” (my emphasis).

So I have decided that it is time to do some resurrecting of my own.

Four years ago, I became fed up of New Labour Ministers saying stuff like: “Don’t panic! Privacy is safeguarded in the ID Card system, Childrens' database etc etc as the Data Protection Act applies”.

I decided to set out formally why reliance on the current framework of data protection or human rights legislation, or on the current regulatory regime would not and could not protect privacy. This is still the case if the Government’s current plans go-ahead.

I developed a set of Principles that were to be used to assess whether individual privacy is comprehensively considered/protected whenever surveillance policy is developed by Government. These Principles can be applied to surveillance in the UK to identify the structural improvements that could create an effective balance between the citizen and the state.

These Principles have little to do with a Privacy Impact Assessment (PIA) which is focused on ensuring compliance with the existing framework of law. What I was showing was that a PIA  is irrelevant as it looks at HOW to make sure that surveillance is complaint with the existing law; PIA does not really consider WHETHER  some surveillance activity should be made lawful in the first place. The difference is that a PIA largely applies "post-legislation"; my Principles are definitely "pre-legislation". They are a guide to the process of scrutiny.

For completeness these Principles are:

Principle 1: THE JUSTIFICATION PRINCIPLE: Information relating to any legislation or policy that involves surveillance (or extension to an existing surveillance policy) is provided so an assessment can be made to ensure that the surveillance can be justified in terms of pressing social needs and measurable outcomes; this information is provided prior to the approval of legislation or policy.

Principle 2: THE APPROVAL PRINCIPLE: Any surveillance is limited to lawful purposes defined in legislation where such legislation has been thoroughly scrutinised by a fully informed Parliament and, where appropriate, informed public debate has taken place.

Principle 3: THE SEPARATION PRINCIPLE:  Procedures which authorise or legitimise a surveillance activity are separate from procedures related to the actual surveillance itself; the more invasive the surveillance, the wider the degree of separation.

Principle 4: THE ADHERENCE PRINCIPLE:  Procedures which authorise a surveillance activity are professionally managed and audited; staff involved in a surveillance activity are fully trained to follow relevant procedures and that such training is assessed if appropriate; any malfeasance in relation to a surveillance activity can be identified and individuals concerned suitably punished.

Principle 5: THE REPORTING PRINCIPLE: A Regulator shall determine what records, including statistical records, are retained and maintained concerning a surveillance activity, in order to ensure transparency and accountability to the Regulator, to the public and to Parliament.

Principle 6: THE INDEPENDENT SUPERVISION PRINCIPLE: The system of supervision for a surveillance activity is independent of Government, well financed, and has effective powers of investigation and can delve into operational matters.

Principle 7: THE PRIVACY PRINCIPLE: Individuals should be granted a right to privacy of personal data, via data protection legislation, which can be enforced by a Data Protection Commissioner, and should possess a much simpler right to object to the processing of personal data in appropriate circumstances.

Principle 8: THE COMPENSATION PRINCIPLE: An individual should obtain compensation if a surveillance activity has caused damage, distress or detriment that proves to be unjustified.

Principle 9: THE UNACCEPTABILITY PRINCIPLE :If the  other Principles cannot be complied with in relation to a surveillance activity then within a reasonable time:

(a) the activity ceases; or
(b) alternative steps are taken to bring the activity into conformity with the other Principles; or
(c) Parliament or a Parliamentary Committee approves the non-compliance with the relevant Principle.

So, if for example, the Government wants to propose legislation so that personal data between Department X and Department Y are shared (or to capture more communications data),  you can use these Principles to assess whether the policy  or legislation and the degree of interference with privacy:

• is justified in terms of pressing social need;
• is properly scrutinised by Parliament;
• is subject to a rigorous approval process and separation of powers;
• is supported by rigorous procedures that can be independently audited by an independent regulator who can investigate fully and require certain records to be kept and require changes of procedure or even halt the processing;
• is protected by Article 8 of the Human Rights Act;
• is subject to compensation when things go wrong, and
• is subject to the above rules at all times.

In other words, these Principles provide a means of exploring possible deficiencies in information law governance when Parliament's is scrutinising the executive's proposals. They will allow you to make your own conclusion as to where the Government are leaving privacy loopholes and whether promises made by Ministers are worth the paper they are written on. They also identify where policy and legislation needs to be strengthened.

Health warning: if you apply them to some of the stuff the European Commission has agreed (e.g. USA-EU PNR)  you get a migraine.

References

Download my analysis of why data protection cannot protect privacy when Government legislate and more details of the Principles specified above. Download Assess surveillance principles

Thomas Walport can be obtained here: Download Thomas Walport DataSharingReview2008

Francis Maude Speech promising more data sharing on http://www.cabinetoffice.gov.uk/news/francis-maude-speech-tackling-financial-loss-government-fraud-error-debt.

Durant strikes again! The names of those investigating complaints are not personal data

The Information Tribunal has just adjudged that the names of three junior members of staff who had a part in an applicant’s complaint to the Financial Services Authority (FSA) can be disclosed as part of a Freedom of Information (FOI) request. The Information Rights Tribunal, following Durant, concluded that the names of these staff were not personal data.

As every data protection aficionado knows, mentioning Durant is rather like swearing in public, as its application can result in bizarre conclusions; this Tribunal determination, I think, is one of these. So this blog explains where I think the Tribunal went wrong and suggests what should happen with such FOI requests.

The Tribunal Decision

The appeal concerned a request made by an applicant to the FSA for a copy of information it held about his complaint. Paragraph 21 of the Information Commissioner’s Decision Notice confirms that the requested information included the names of “the staff in question (who) worked on the complainant’s complaint” (see references).

In its decision (see references) the Information Rights Tribunal said that these employee names were not personal data because the name did not "affect the individuals' privacy, whether in their personal or family life, business or professional capacity". This overturned the ICO’s Decision Notice which concluded that the FSA was right to withhold these details because:

“21 The Commissioner notes that while the staff in question worked on the complainant’s complaint, they did not correspond with him about it. He also notes that the public authority has confirmed that they were not in public facing roles and that these individuals were of a grade below that of manager. It is the Commissioner’s view that these members of staff would have had no expectation that their names would be released into the public domain.

22. The Commissioner is also satisfied that disclosure of their names would not add anything further to the way in which the complainant’s complaint had been dealt with. Therefore any legitimate interest in the disclosure of the names of these individuals is outweighed by the prejudice disclosure would cause to the rights and freedoms of the individuals concerned”.

By contrast, the Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".

Slavishly following Durant, the Tribunal concluded that "In our view the Disputed Information (these are the names of employees) is not biographical in any significant sense" and that in this case "The information does not go beyond the recording of the data subjects' involvement in a matter that has no personal connotations. It simply concerns a transaction or matter in which the individuals in question were involved".

The Tribunal was careful to say that this would not always be the case. For instance, "there are a number of organisations, the nature of whose activities are such that information that a particular individual was employed by them, might well amount to personal data" and that disclosing the name of an individual who was employed by an organisation licensed to conduct experiments on animals "may disclose something about his likely opinion on the often contentious subject of animal rights, and could lead to harassment by so-called animal rights activists".

In such cases, the Tribunal said this information would be personal data that were exempt under FOI as the requested details were "biographical" and did indeed impact on an individual's privacy.

Where the Tribunal went wrong

We can now see what has happened? The Tribunal has asked:

a. Is the requested information “data”? Answer “yes”
b. Does it relate to a living individual? Answer “yes”
c. Does it relate to a living individual in a biographically significant way? Answer “No”
d. Is there a context that makes it biographically significant? Answer “No – we can’t see one” (despite the fact that “the staff in question worked on the complainant’s complaint”!)

The problem is at questions (c) and (d) – so the question has to be asked “How does a public authority know what is biographically significant for a data subject and what is not”?

For the Tribunal, consideration of the “two notions” put forward by Auld LJ. in Durant is suffice (e.g. “biographical significance” and “continuum”). In other words, it is the public authority who determines these matters in every instance. However, I think this is a too simplistic approach to the three possible scenarios concerning “biographical significance”.

These scenarios are:

• The public authority knows for certain the personal details are biographically significant;
• The public authority knows for certain the personal details are not biographically significant; or 
• The public authority does not know whether the details are biographically significant or not.

I think we can agree that the essential problem is with the last issue (i.e. the public authority does not know).

This issue of “not knowing” was actually resolved in the Durant judgement. In section 7(4) of the Data Protection Act, the data controller is faced with the dilemma of whether it is reasonable in all the circumstances to release (or not to release) the identity of other individuals identified in personal data that have been requested by a data subject.

In paragraph 61 of Durant, Auld LJ. states that where the data controller cannot resolve this dilemma, “The data controller ....  should also be entitled to ask what, if any, legitimate interest the data subject has in disclosure of the identity of another individual named in or identifiable from personal data to which he is otherwise entitled...”.  In other words, if in doubt, ask the requestor why he wants the name. This was not suggested by the Tribunal.

This “ask the requestor” idea is reinforced by interpreting the balance of interest tests in Schedule 2, paragraph 6 of the DPA which is used to justify release of personal data by FOI requests. This sets out the balance of interest as follows:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”. (my emphasis)

So how does one know what weight to place on the “legitimate interests of the data subject” when you don’t know? Use a crystal ball? Employ Tarot Cards? Throw dice?

If you just ask “Who is in the best position to know what weight to place on the data subject’s legitimate interests?”, then I think the answer is obvious. So my conclusion: ask the requestor for why he wants the personal data and then, if needed, ask the data subject for a view? There is nothing in the FOI Act that I can see that stops this kind of approach.

Of course, the public authority after consideration of the data subject’s legitimate interests can still decide to release the personal data. In addition, there might be standard conditions when there is no need to ask the data subject for his view (these have been established by cases before the Tribunal such as those dealing with expenses of senior managers).

I should add that the Scottish Information Commissioner already asks this question of the FOISA applicant when he can’t fathom "the legitimate interests of the Third Party to whom personal data are disclosed" (see above). I raise this just to show that asking the requestor is not an alien FOI concept just made up by me for this blog (see references below).

Reverting to Durant, it is interesting to note that Mr Durant did not get the details of the individual handling his complaint at the FSA because, according to the judgment Auld LJ says “.....the name of an FSA employee which, in itself, can have been of little or no legitimate value to Mr. Durant and who had understandably withheld his or her consent because Mr. Durant had abused him or her over the telephone” (para 67 of Durant).

Note that it is this "little or no legitimate value" sentiment finds expression in the Commissioner’s Decision Notice, where he says “...The Commissioner is also satisfied that disclosure of their names would not add anything further to the way in which the complainant’s complaint had been dealt with. Therefore any legitimate interest in the disclosure of the names of these individuals is outweighed by the prejudice disclosure would cause to the rights and freedoms of the individuals concerned” (para 22 of the Decision).

So that is why I think that when a public authority receives a request on the lines outlined above and has difficulty in deciding what to do, it is perfectly proper for it to ask modest questions of the requestor AND/OR the data subject about his or her legitimate interest so that the correct balance can be struck. Indeed, I am brave enough to say that when a public authority does not know where the balance of interests lies, this is the only way for that authority to determine the correct balance of interests.

This is where the Tribunal went wrong. It has decided that the public autrhority in all instances should have a punt at arriving at the correct balance whereas it should have promoted the obvious mechanism which actually arrives at the correct balance.

Note that there is a sting in the tail for the FOI requestor who misleads the public authority as to his legitimate interest; such a requestor could be committing an offence under Section 55 of the Act if the public authority were to disclose personal data on the wrong basis.

This assures the public authority that the FOI requestor is unlikely to tell porkies.

References

Download the ICO’s Decision Notice: Download Fs_50312938_durant_names not personal data

Download the Tribunal Notice in this case:Download Fs_50312938_APPEAL_names not personal data

“Some FOI requests for personal data are not purpose blind” (this includes the SIC Decision Notice referred to above): http://amberhawk.typepad.com/amberhawk/2010/07/some-foi-requests-for-personal-data-are-not-purpose-blind.html

I have been taken to the Promised Land and seen our data protection future

I have just attended an interesting (and partly depressing) data protection event which considered the implementation of the Data Protection Regulation. The European Commission’s spokesperson (Paul Nemitz) signalled an inflexible approach towards the implementation of the Data Protection Regulation; he stated that he would consider amendments that make the Regulation work better but not those amendments that were based on alternative (and better) ideas.

At the meeting Mr Nemitz pointedly said that in Germany there is a high level of data subject trust and a thriving German economy; high standards of data protection  and economic success go hand in hand. He said that the Commission had the balance of interests “more or less correct”, and changes to the text most needed would be those that tinker at the edges.

This means that the list of “no real change” areas for the Commission that appear to be non-negotiable are as follows:

• routine transfers of personal data outside the EEA by larger data controllers have to be approved by a data protection authority or Commission in some way or another;

• adherence to breach notification arrangements that do not consider the harm to data subjects. My fellow blogger Martin Hoskins – who deals with breach notifications as part of his day job - estimates that the ICO will have to employ 150 staff to deal with this element of the Regulation alone (see references)!

• a data protection authority that has no flexibility and little freedom of decision making and are almost reduced to automatons;

• a concentration of power in the hands of the Commission. All data protection power is in the hands of the Commission, there is little role for national parliaments.

I really don’t like the fact that we are expected to trust the Commission with these unfettered powers. This is a Commission that has a track record of ignoring the European Data Protection Supervisor, Working Party 29 Agreements and making political agreements such as the EU-USA PNR deal which have undermined data protection standards (see references). It even has powers to modify the Regulation that will apply to its own processing.

At the end of the presentation, a colleague who is on the candidates’ list of a major political party, reached across and asked “whether I agreed that Mr Nemitz was recruiting for UKIP?”. And that about sums it up.

Working Party view

The Data Protection Working Party has just published their view of the Regulation and has supported some of my concerns. For instance the Working Party says:

Data loss: “The Working Party nevertheless has doubts as to whether the way in which the notification duty is set up will lead to satisfactory results. Notably the scope of the duty to notify to the supervisory authority should be more focused and restricted. The situation that supervisory authorities are distracted by and overburdened with the processing of notifications of minor data breaches which are unlikely to adversely affect the rights of data subjects should be avoided”.

Lack of flexibility in the Regulatory structure: “DPAs  (data protection authorities) should be enabled to be selective in order to be effective; they should be able to define their own priorities and to start actions, such as investigations, on their own initiative, notwithstanding the obligations regarding cooperation, mutual assistance and consistency according to Chapter VII.

DPAs should be able to allocate resources according to the strategic character and the complexity of issues at stake, for example by taking into account the actual or potential detriment to data protection, the number of persons concerned and the technology used. Allowing DPAs to set their own priorities also helps to deal with financial and budgetary constraints.

In relation to Commission’s powers: “with regard to both proposed instruments, the Working Party notes with concern the extent to which the Commission is empowered to adopt delegated and implementing acts. While recognising the need to ensure that certain issues can be dealt with at a more detailed level at a later stage, the Working Party considers this is not the case, for example, for rules regarding data breach notifications”.

ICO is out on a limb re data transfers outside EEA

However, with respect to data transfers outside the EEA, even the Working Party want the data protection authority to sign them off in some way or another. Because of this, it is important to understand the difference between most DPAs and our ICO.

• The UK Act takes the view that all data controllers are responsible for all their own personal data and if they transfer personal data then they are accountable for that transfer.  The ICO takes the view that this is the best solution – ensure that the data controller remains accountable for transfers is maintained in the Regulation.

• Most European regulators have provisions that require transfers that have to be authorised by some way or another; the Regulation states that such authorisation has to be via standardised contracts authorised by the regulator or by binding corporate rules. If these regulators followed the ICO’s approach they will reduce what they do already; something that does not go down well.

• The European Data Protection Supervision is in the middle. For instance, he has stated in a speech that in the context of the Cloud, that “the mechanisms envisaged (in the Regulation) have proven to be, in many cases, burdensome or ineffective or have lacked of the necessary flexibility”; he expects Binding Corporate Rules to provide a solution (see references).

My own view is that the ICO’s position is correct. Under the Regulation, if a data controller gets this wrong, a hefty fine is on the cards. Because of this, I think that most data controllers will not take unnecessary risks and will seek real assurances (e.g. from Cloud service providers).

The alternative view is to say that most data controllers will not be in a position to argue with say Google or Microsoft re Cloud Services; hence there is a need to set out legal requirements to protect data subjects in advance of any problem.

The down side of this latter approach occurs when things go wrong. So suppose that these legal requirements are accepted and then the Cloud services go “pear shaped”. What you will find is that there is little redress for data subjects as the data controller has had adopted contract terms imposed on him. All such Controllers says is “sorry. I was following what was approved by the Regulator” or more or less “I was following orders”.

My own view: data subjects need the redress when things go wrong and the Commission’s approach thus removes the protection afforded to data subjects. Although the current UK position looks weaker, the approach adopted supported by large fines to buttress the test of adequacy will offer better protection for data subjects when they need it most (i.e. when things go wrong).

Concluding comment

As we had the German economic model thrust upon us, I will summarise the meeting in data protection terms by making an analogy to with the economy of the German Democratic Republic.

Pretend the Commission have manufactured a motor car; the seats are very comfortable, the windscreen wipers work, the door handles are the best stainless steel and the headlights are first rate. But sadly the rest of the car is based on the GDR’s Trabant design.

What the Commission want to do is make the other parts of their Trabant car work efficiently and effectively; it is not interested as to whether or not their chosen vehicle is any good.

References

Down load a copy of Working Party view of the Regulation/Directive here Download Wp view of regulation and directive_en

Martin Hoskyns blog (29th March 2012) re data breach reporting http://dataprotector.blogspot.co.uk/

Speech of the EDPS re Clud Computing: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2012/12-03-21_Cloud_computing_EN.pdf

“Analysis of proposed EU-USA PNR Directive exposes absent or minimal data protection and privacy safeguards”: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html

Just one example of the way the Commission ignores the EDPS: “Should the European Data Protection Supervisor resign?” http://amberhawk.typepad.com/amberhawk/2010/04/should-the-european-data-protection-supervisor-resign.html

 

Facebook passwords and employment: why data protection works and Facebook’s promise to take legal action to protect privacy doesn’t

The Huffington Post has recently published a story that begins thus:  “When Justin Bassett interviewed for a new job, he expected the usual questions about experience and references. So he was astonished when the interviewer asked for something else: his Facebook username and password”.

So what would you do in such circumstances? And what would the data protection implications be if this happened in the UK?  The conclusions I have reached is that the UK Data Protection Act would apply (even if an employer took a fleeting glance at a Facebook page), and that Facebook’s public comments promising legal action to protect privacy are window dressing.

Why does the Data Protection Act apply?

Suppose an employer at a job interview asks you to “consent” to provide your Facebook password and suppose further, the employer just loads one of your pages and says “No job for you”.

The data protection questions that need to be asked are (a) “has the employer processed personal data as a data controller?”; (b) “is consent valid?” and (c) “are there other data protection issues?”. I think the answer to (a) is “yes; (b) is that the employer’s consent procedure is very likely to be valid in the UK; and (c) there are potential breaches of the Data Protection Principles, at least relating to fairness and relevance.

So to the first question: why does the Act apply? Obviously, if the employer cuts and pastes anything from the Facebook pages onto a data file then obviously the Act applies as there are recorded personal data under the control of an employer as data controller.

But what if the data were not recorded by the employer? This is an important question because under the old Data Protection Act 1984, personal data needed to be permanently recorded. This meant that personal information held temporarily in electronic memory were not personal data and not caught by that Act.

So, suppose the employer just looked at a screen of personal information and that information had only a transient existence when it was displayed on the screen? Does this information still fall within one of the specified categories of “data”? Does the “data” still constitute the “personal data”? And are these personal data “processed”?

My answer is “yes” to all three. The information displayed on the screen is “data” by virtue of the definition of limb(a) of “data” which only requires that information “is being processed by means of equipment operating automatically in response to instructions given for that purpose”. Clearly the information is personal data as it identifies and relates to a prospective employee. The only remaining issue is whether the information is “processed” and there again, the definition of “processing” includes “obtaining”.

So the definitions do not include a requirement that personal data have to be “recorded in a form that can be processed” (as in the 1984 Act).  This means that the employer in the UK would be processing personal data and the Act would be engaged, even if the employer restricted himself to a fleeting glance of a single Facebook page on a VDU screen.

Has the data subject consented to the processing?

I think the answer under the current DPA is “yes” – and it is important to explain why.

Our hypothetical UK employer is using what I call “Home Office consent” (or “Hobson’s choice consent”, if one is talking to Home Office officials). This form of consent is often used in the UK – it describes circumstances when the consent is freely given and fully informed, but the choices on offer are not really a choice.

For instance, most readers will have consented to their personal details being used by any host of people to trace their debts via a credit reference agency; you have to consent to this or you don’t get a loan or mortgage.

When you go through airport security, you may be given the following consent choice: “go through the scanner or do not fly”. The New Labour ID Card system was also keen on this form on consent: “consent to showing us your ID card, or choose not to get the service”. Enforced Subject Access also depends on this: “consent to use your access rights to your personal data held by the police or forget about a job”. (Note: I use the term “Home Office consent” because the issues mentioned in this paragraph are to some significant degree, unaddressed policy matters that are the responsibility of the Home Office in the UK)
.
The changes proposed in the Regulation infer that “Home Office consent” constitutes a valid “data subject consent” with respect to the definition in Directive 95/46/EC. For instance, the Regulation states in Article 7 that “Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller” (and obviously there is such an imbalance if the choice is “give consent or give up hope of a job”).

So why does this support the notion of “Home Office consent” is valid? Well, the Regulation would not propose the inclusion of a concept of “imbalance” if the meaning of “data subject consent” as found in the Directive excluded “Home Office consent”.

Other data protection principles?

Although the data controller can argue he has “data subject consent” has to consider at least two Data Protection Principles (even in the ‘fleeting glance’ scenario). These Principles are:

(a) the Third Data Protection Principle in that the data controller has to demonstrate that the personal data are relevant to the purpose (e.g. employment purpose).

(b) the First Data Protection Principle in that the data controller has to be fair. I think in this context, fairness requires telling the data subject what personal data have been used to making the employment decision and an explanation why the personal data are relevant to that decision.

Breach of these Principles would also, I assume, be likely to trigger other breaches of employment law.

Facebook’s response to the use of Facebook for employment purposes

In response to this problem in the USA, Facebook’s Chief Privacy Officer (CPO) has stated on the company’s web-site that “In recent months, we’ve seen a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information” and adds that “If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends. We have worked really hard at Facebook to give you the tools to control who sees your information”.

The CPO continues “Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges” adding that “While we will continue to do our part, it is important that everyone on Facebook understands they have a right to keep their password to themselves, and we will do our best to protect that right” (my emphasis).

Why these statements on privacy are window dressing

So is the threat of initiating legal action to protect privacy valid? Well, I think the threat is much diminished by Facebook’s own Privacy Policy. This states that “When you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture)”.

The policy also states that “As a general rule, you should assume that if you do not see a sharing icon, the information will be publicly available”. Additionally, “when others share information about you, they can also choose to make it public” or “when you write on a Page's wall or comment on a news article that uses our comments plugin; this is because some types of posts are always public posts”. The Privacy Policy then states that “your name, profile picture, Facebook profile, User ID, etc has to be public so it can show up when someone does a search on Facebook or on a public search engine” (my emphasis).

Facebook has therefore stated that the fact you have a Facebook account (and therefore control Facebook pages) is public knowledge, available to all prospective employers, and this fact is out of your control. Of course you could deactivate a profile, but this deactivation does not guarantee to deactivate those details that have already been published (thus inferring the existence of a Facebook account that has been deactivated, an act that could easily reinforce the suspicions of any employer who asks for Facebook passwords).

In other words, Facebook makes a lot of information public and its business model makes it easy for users to make information public. And if information is in the public domain, it can’t have any claim that it is “private”. Hence, I don’t think there can be successful legal action in the USA to protect privacy with respect to this kind of public information.

But what about non-public information? Research has shown that the average Facebook user has 245 friends. So I think that most Facebook posts to large networks of “friends” are, in fact, publishing events in themselves. One cannot tell 200 individuals, many of whom are acquaintances rather that real friends, and expect to make a subsequent successful claim that these personal details distributed to 200 people (who could publish these details) are confidential or private.

So, I would argue that an employer would also have the defence that most personal information that is password controlled is effectively published. By asking for a Facebook password, all the employer is doing is accessing the public information in the full knowledge of the Facebook user.

In other words, I suspect the same “it’s in the public domain” defence as above could well apply, except in those rare circumstances when a circle of “Facebook friends” is very few in number.

That is why Facebook’s promise of supporting legal action to protect privacy is not credible. It’s a promise that has been defeated by Facebook’s own desire to make the maximum amount of information public, so it can be subsequently exploited by advertisers.

In summary, Facebook has been hoisted by its own petard – the use of Facebook by employers exposes the fact that users think their information is “private” when in fact it isn’t.

Privacy versus data protection; there are important differences

Finally, the above shows the fundamental difference in approach between the USA’s view of “privacy” and Europe’s view of “data protection”.  The USA Privacy Officers will state, quite correctly, that anything in the public domain cannot be private. Hence there cannot be any “privacy protection” so the information can be used for anything. But, as we have seen, a data protection analysis asks additionally whether the use of public domain information is fair and relevant; the fact that such personal data may be in the public domain is largely irrelevant.

So whenever you talk to American Privacy Officers do not use the term “privacy legislation” as a shorthand to explain the workings of Europe’s data protection legislation. This is a mistake; there are far too many differences between the two concepts.

References

Huffington post story: http://www.huffingtonpost.com/2012/03/20/facebook-passwords-job-seekers_n_1366577.html?1332247088&ref=business

Protecting Your Passwords and Your Privacy, statement from its Chief Privacy Officer, Policy  https://www.facebook.com/notes/facebook-and-privacy/protecting-your-passwords-and-your-privacy/326598317390057

 

 

The Commission’s Data Protection Regulation: weaknesses from the data subject perspective

Next week, the ICO is holding a meeting to discuss, in detail, the Regulation as published by the European Commission. So, I have decided to publish our comments on the Regulation (see references) and use this blog to provide a summary of the key points.

The comments I make focus on how the Regulation can be improved from the data subject perspective. This is because the initial “Call for Evidence” by the MoJ was more like a “Call for Ammunition”, where the only respondents were supposed to be data controllers. In such circumstances, I think data controllers can look after themselves; it is the data subjects who need a hand.

The comments that I think could interest blog readers relate to the following topics:

• The wider definition of “personal data” should not cause problems for data controllers
• The Regulation excludes confidential personal data already subject to the DPA
• There is need for a prohibition on enforced subject access
• Switch from the right to be forgotten to the right to object to the processing
• The centralization of power by the Commission is unbalanced and unacceptable

The wider definition of “personal data” should not cause problems for data controllers.

The fact that identifying details held by another person is not an alien concept for data controllers in the UK, as it already exists in section 8(7) of the current DP Act in the context of subject access. (It occurs when there is a subject access request made by the data subject and the issue is whether the data controller can release personal data that identifies another individual).

In this case section 8(7) states that if the “other individual” can be identified by the data subject from the personal data that are released or from the personal data plus “any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request”, then the data controller might redact any information that could identify the other individual.

So I conclude therefore, that such a change to the definition of personal data as proposed by the Regulation is unlikely to hold many difficulties for data controllers as they do it already, albeit in a more limited context. If there were practical problems or difficulties concerning the identification being held by another person, these would have been aired in the context of subject access.

I am sure that many data controllers will oppose the change in the scope of the data protection regime because it would mean more compliance work; by contrast, data subjects are likely to be in favour this change because it means more protection.

As there is no evidence of difficulty with the inclusion of identification by another person, this in turn means there is only one question for Government to resolve: “which side it is on?”.

The Regulation excludes confidential personal data already subject to the DPA

The Regulation applies to personal data held in a structured “filing system” (Article 4(4)) and the rights of access (Article 15) are to personal data (e.g. in a structured filing system). Recital 13 of the Regulation confirms that manual personal data that are not in a structured file are not subject to the Regulation.

An Accessible Record under the DPA contains personal data that does not need to possess any structure (section 1, definition of “data”). Thus Accessible Records could well be excluded from the Regulation if they are not held in a structured filing system. This exclusion could be from all Principles and all rights whereas currently such personal data is subject to all principles and all rights in the Act.

Similarly “Unstructured personal data”, as used in section 9A of the DPA (introduced as a result of FOIA) is subject to the right of access and correction. By implication the Regulation is stating that “Unstructured personal data” can’t be personal data (not in a structured filing system) so it follows that there is no right of access nor correction. The concept of “Unstructured personal data” does not exist in the Regulation.

The Regulation should be changed to maintain the protection of those personal data that are already subject to the UK’s data protection regime.

There is need for a prohibition on enforced subject access

There needs to be a provision that stops enforced subject access in the Regulation. Such provision exists in the Data Protection Act 1998 but has not been commenced; employers, in the UK for instance, can thus gain access to criminal records for employment purposes without the need to bother with the rules or Code of Practice promulgated by the Criminal Records Bureau.

The technique is being used by Legal and General (and possibly others in insurance industry in relation to health). This undermines the Access to Health Records Act. As the right of access to personal data is to be free under the Regulation, then other data controllers could be tempted to misuse a right targeted at protecting the individual.

The UK experience shows that the right can be perverted to protect a data controller’s interest.

Switch from the right to be forgotten to the right to object to the processing

My general view is that the many aspects of the “right to be forgotten” in Article 17 is best dealt with by “right to object” in Article 19, possibly by an amendment linked to Article 82 if the context is employment.

The switch to the “right to object” has the same effect as the “right to be forgotten” but it avoids any “attack on freedom of expression” criticism, and is more effective as it targets the use of personal data by a data controller within the EU (and not the hosting of the personal data anywhere in the world). This effectiveness is especially important in the context of employment.

For instance, suppose an embarrassing fact about a data subject is posted on a USA web-site, but is used in the UK by an organisation (which by definition has to be by a data controller) to make an employment decision. If the controller is situated in the UK, then even the current Data Protection Act would apply – let alone the Regulation.

Such a data controller under the existing UK Act has to apply three Data Protection Principles (1st, 3rd and 4th). He has to demonstrate that the personal data are relevant to the purpose (e.g. employment purpose), that they are accurate and up to date (e.g. the personal data relate to the actual individual under examination and not someone who happens to have the same name) and ensure that the data subject knows of their use for a specific purpose. The data subject also has the right of access to personal data used to make that decision. The same will go for the Regulation.

Instead of the “right to be forgotten”, I would extend the existing “right to object” to the processing (as is proposed in Article 19 of the Regulation) to apply the “right to object” to those circumstances where the processing is “necessary for an employment contract with the data subject” or with “a view to entering into an employment contract with the data subject” (e.g. an employment contract with a prospective employee). That is why I suggested this change might better stand as a part of Article 82.

In this way, data controllers can argue that they should be able to scour the internet for background details about an individual but that data subject will be able to argue the exact opposite. This provides a structure where the facts of each case can be independently examined to identify whether the data controller’s or the data subject’s position should prevail. Following such examinations, advice on best practice will emerge.

The centralization of power by the Commission is unbalanced and unacceptable

There are about 50 places where you have a provision like this: “The Commission shall be empowered to adopt delegated acts in accordance with Article yy for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data .breach is likely to adversely affect the personal data referred to in paragraph zz”.

Essentially this type of provision makes the Commission the ultimate arbiter of the data protection rules as these powers can overturn the actions of any supervisory authority.

My suggestion is that the untrammeled powers the Commission seeks should be modified so that the Board of Data Protection Regulators could be involved. I suggest:

the Board could exercise the powers the Commission identify in the Regulation. The Commission could raise an issue with the Board who then determines a suggested data protection solution. The Commission can then be given the power to overrule the Board in cases where this is deemed necessary – this would require the Board to “try again”. In this way, the Commission still possesses all the trump cards (as in the Regulation

an alternative is to leave the Commission’s powers where they are, but state that the exercise of the power is subject to Board approval on data protection grounds. This again provides a check on the misuse of Commission’s powers but gives the Board an ultimate veto.

There have been several circumstances when the European Commission has determined that there is an adequate level of data protection, when most data protection authorities have formed the opposite view. The PNR agreement with the USA is a good example of this divergence of view, and any reading of the output from the European Data Protection Supervisor will provide a host of other examples.

Put simply, the European Commission appears to have a track record of putting political considerations above those of data protection; there is a significant risk that this approach will continue. Secondly, the issue is quite serious in the context of the Commission as the Regulation will eventually apply to the Commission itself. This means the Commission is to be given powers to modify how the Regulation would apply to its own processing of personal data.

In my view, both these prospects are equally unacceptable.

References:

If interested in our submission, you can download it here. I go into some other definitional commentary and make comments on notification not mentioned above: Download Amberhawk_ MoJ Call for Evidence March 2012

Blogs that give background to our submission are:

“The Regulation: what are the big changes to the Data Protection Act regime?” (http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html)

“EU Data Protection Regulation breaks explicit link with “privacy” and Human Rights” (http://amberhawk.typepad.com/amberhawk/2012/02/eu-data-protection-regulation-breaks-explicit-link-with-privacy-and-human-rights.html)

Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws: http://amberhawk.typepad.com/amberhawk/2012/01/judgement-reinforces-the-link-between-lawful-processing-the-first-data-protection-principle-and-human-rightsother-law.html

“Enforced Subject Access to medical data raises its ugly head in the insurance industry” on http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html)

“Data Protection: forget about a “right to forget”; http://amberhawk.typepad.com/amberhawk/2011/03/data-protection-forget-about-a-right-to-forget.html

MoJ asks for arguments to oppose the European Commission’s Data Protection Regulation; http://amberhawk.typepad.com/amberhawk/2012/02/moj-ask-for-arguments-to-oppose-the-european-commissions-data-protection-regulation.html

Analysis of proposed PNR Directive exposes absent or minimal data protection and privacy safeguards: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html

Note: Our Update session on March 26th   (London, £195+VAT, next week; has a half-day devoted to the Regulation from the data controller perspective. Places still available - details on the Amberhawk web-site (top right button).

EU’s Data Protection Regulation: divisions exposed as Member States show disharmony.



DAPIX is the Working Party on Information Exchange and Data Protection where delegations of civil servants from Member States discuss the European Commission’s Data Protection Regulation. The minutes of the meeting held on 23-24 February shows that there are deep divisions as to the content of the Regulation; in fact, the minutes record that only “a few delegations supported the Commission in its choice of a Regulation”.

I can also reveal the Commission’s “hoped-for” timescale for the discussions about the Regulation to reach a conclusion. The Commission is aiming to have agreement between Member States on the content of the Regulation by June 2014 (before the Elections to the European Parliament). If one assumes a two-year lead in, then the new Regulation should be in force by June 2016. That is why readers should keep a watching brief on the content of the Regulation, but there is no immediate need to implement any measure to meet its content.

At the meeting, the Commission said that there was a “quadrant of objectives underlying the Commission's proposals”. These were:

stimulating growth by building confidence as the result of using uniform data protection rules applicable throughout the European Union;

the protection of fundamental rights;

the adoption of legal instruments that are flexible enough to adapt to future technological developments; and

legal certainty (Note: I think the last one is moderately amusing given the 120 page length of the Regulation as published!).

The minutes record that there was “a real need for reform of the EU data protection regime” but divergence on what was really needed. For instance:

“Some delegations felt that the Commission should have been more radical in its proposal for overhauling the data protection regime and dared to abandon some of the existing main rules and concepts on data protection”.

“Many delegations had serious concerns that this newly proposed data protection regime, rather than simplifying the data protection rules as it intended, would result in an increased administrative burden on both the private and public sectors”.

“A number of delegations thought that the proposed Regulation did not distinguish sufficiently between the position of, and rules applicable to individuals, small and medium-sized enterprises (SMEs), large international enterprises and the public sector”.

“As regards the private sector, several delegations argued that the number of employees a company employed should not be the decisive criterion for differentiating as to the applicability of a number of data protection rules, but that this should instead hinge on the data protection risk inherent in specific types of data processing operations”.

“Some delegations strongly advocated a more risk-based approach for the future EU data protection regime”.

The minutes record that “A significant number of delegations stated they would have preferred a Directive” and that “a few delegations that a Regulation was too prescriptive”. One delegation “thought that a Regulation might be appropriate for the private sector, but not for the public sector”. By contrast, “another delegation thought it would have been preferable to have brought the judicial and police sector under the scope of the Regulation”.

Many delegations “criticised the many instances in which the proposal delegated powers to the Commission to flesh out the rules of the General Data Protection Regulation through delegated acts” and that the Commission “was undermining one of the main aims of the proposed Regulation, namely, to simplify data protection rules”. The prospect that “delegated acts could eventually lead to an (implicit) modification of national procedural legislation was considered unacceptable by one delegation” (I wonder whether this is the UK?).

Finally the minutes noted that:

“Whilst welcoming the concepts of privacy by design and the attention to privacy-enhancing technologies, some delegations queried whether the proposed Data Protection Regulation was sufficiently technology-neutral”.

“Some delegations expressed concerns as to the technical feasibility of concepts such as the right to be forgotten and the right to data portability”.

“A few delegations considered the rules on the data protection officers (DPOs) to be too prescriptive. It was also stressed that the DPOs could find themselves with conflicting roles if they were meant to perform controlling tasks whilst maintaining an independent stance”.

“The increased role of the data protection authorities (DPAs) in the draft regulation was welcomed, however the increased tasks of the DPAs would inevitably have to be matched by a substantial increase of their staff and budget, which was not easy at a time of economic crisis and austerity of public budgets”.

“Several delegations said the sanctions provided by the draft regulation were too heavy, especially for SMEs”.

Get the drift of these discussions yet? Do you get the impression that the minutes show that Member States are as harmonious as a busyness of ferrets in a sack?

Well if this level of “agreement” continues, then the Regulation will not see the light of day in its current form. There is likely to be a number of compromises with the text, many on the lines of “if you support our view about consent we will support your line on data protection officers”.  Underpinning any lack of agreement will be Article 16 of the Consolidated Version of the Treaty on European Union; this states that "a blocking minority must include at least four Council members, failing which the qualified majority shall be deemed attained".

I suspect “blocking” will be the name of the tactical game played by all Member States when they discuss the content Regulation. In other words, be prepared for agreements about the text of the Regulation, not to be made for the best of data protection reasons, but on grounds reached as result of horse-trading in smoke-filled rooms somewhere in the bars of Brussels.

Also, if you can get odds on the Regulation not being implemented by 2018, please let me know!

References

Download the EU minutes on the proposed Regulation (there are comments on the Directive as well) here ... Download Minutes for blog_March2012

“The Regulation: what are the big changes to the Data Protection Act regime?” (http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html)

“EU Data Protection Regulation breaks explicit link with “privacy” and Human Rights” (http://amberhawk.typepad.com/amberhawk/2012/02/eu-data-protection-regulation-breaks-explicit-link-with-privacy-and-human-rights.html)

Note: Our Update session on March 26th   (London, £195+VAT; follow link on the left panel  "(Update/Events)" for has a half-day devoted to the Regulation

Google’s Privacy Policy: incoherent and does not meet the standards of the USA’s own Safe Harbor Principles

Google’s new combined Privacy Policy (March 2012) has been widely criticised by privacy professionals and Data Protection Authorities (in particular the CNIL – the French Data Protection Authority). However the reasons for this criticism have been made in general terms; the analysis I have published (see references) provides a detailed explanation.

The analysis shows that Google’s Privacy Policy is incoherent because it uses overlapping terms. This makes the Policy difficult to follow or to understand what type of information the Policy is claiming to protect. It cannot be fair to users if they cannot easily understand what the Policy means for them. The Policy is also unfair in conventional terms as it does not, in many instances, fully describe the purposes of the processing. I identify these areas in the analysis.

Secondly, my analysis also supports the claim of the CNIL that the Privacy Policy is in breach of the Data Protection Directive. However, I also show that the Policy is in breach of the USA’s Safe Harbor Principles. As the Privacy Policy states that “Google complies with the US-EU Safe Harbour Framework”,  I show that this claim cannot be substantiated if Google’s new Privacy Policy is implemented.

Why contradictory and confusing?

The Privacy Policy uses a wide range of similar terms in different circumstances which I think are contradictory. For example, it uses the following terms: “information”, “personal information”, “personal data”, “data”, “non-personally identifiable information", “personally identifiable information”, “sensitive personal information", and "other information that identifies you". Are these terms talking about the same thing?  Put simply, the reader doesn’t know for certain.

So when one part of the Policy offers protection for “personal information”, another offers protection for “personal data”, another for “personally identifiable information” and yet another for "other information that identifies you" is the Policy referring to the same type of information or not? Answers on a post-card to Google.

This is not the only problem as sometimes the Policy uses a qualifier (e.g. “log information” or “location information”). "Log information" by the way are the "details of how you used our service, such as your search queries" whilst "location information" which is "information about your actual location". (My emphasis on you and your).

Can we have a quick quiz? Can you tell me whether “information” about your use or your location is “non-personally identifiable information” or “personal information”? My own view is that, because the Policy uses the word “information” to describe logs and locations, that Google thinks it to be the former, but I suspect you think it could well be the latter.

Confused? You can now safely join the ranks of those who do not know what Google’s Privacy Policy means in practice.

Why in breach of the Directive and Safe Harbor?

The CNIL has claimed that, at first reading, Google’s Privacy Policy is in breach of the Directive, a claim so far not accepted by Google. As the Directive is the legislation mentioned expressly in the Safe Harbor Framework, I have checked whether Google’s Privacy Policy is consistent with the terms of that Framework.

There are demonstrable areas where Google’s Privacy Policy is inconsistent with the Safe Harbor Principles (see Appendix 1); it follows that it is inconsistent with the Directive. These areas include the following:

1. Safe Harbor requires acceptance of the EU Directive definition of “personal data” – Google’s Privacy Policy uses a definition which is close to that used by the old UK’s Data Protection Act 1984 (and ignores the Directive definition of personal data completely).

2. Safe Harbor requires acceptance of the EU Directive definition of sensitive personal data – Google’s Privacy Policy does not include all items of sensitive personal data identified in the Directive.

3. Safe Harbor requires acceptance of the right of access to personal data – Google’s Privacy Policy includes some administrative exemptions from the right of access to personal data that are not authorised by Safe Harbor.

4. The confusion in the Privacy Policy does not meet the Safe Harbor requirement for clarity; there are several places where the purposes of the processing are not fully described by the Policy.

5. Google’s co-operation with data protection authorities specified in the Privacy Policy relates only to the transfer of personal data; Safe Harbor requires co-operation across the whole Framework.

Concluding comment

Everybody uses Google because its services are free and very useful. However, because they are “free”, it does not mean that Google can take the privacy of its users for granted in order to maximise profit. The Privacy Policy, I am afraid to say, is incoherent, unclear, and likely lead to breaches of data protection legislation. In my view, the Policy needs a major overhaul.

Secondly, I don’t think Google (and other USA corporations, I have to say) have quite “got it” in the context of the messages coming out of the Leveson Inquiry. Google has not understood that a large multinational communications company, headed by the Murdochs, is in trouble not because it invaded the privacy of celebrities, but because it invaded the privacy of ordinary individuals. Google’s meat and drink is the processing of personal data and data relating to millions of ordinary citizens.

The Murdochs thought they were so large and powerful  that they were invincible; so does Google. The Murdochs thought they were above the law; so does Google. By ignoring basic data protection laws and rules in the way described in its Policy, even those agreements established in the USA, Google is taking some unnecessary risks.

References

Follow the link to down load the analysis in Word (which includes Google’s Policy, the related FAQs and the Safe Harbor Framework) Download Google_privacy_docs .

 

Internal investigation into a Monetary Penalty Notice has to be released under FOIA

Public authorities should be prepared that, if they are subject to enforcement action by the Information Commissioner  (e.g. Monetary Penalty Notice, Undertaking, Audit, Enforcement Notice etc), that internal reports into why the action was taken might become the target for FOI requests. This is the outcome of a recent Decision Notice involving the London Borough of Ealing. Implicitly, the ICO is signalling that he thinks such reports and investigations should be published where practicable.

In February 2011, Ealing Council reported a theft of two laptops containing the details of around 1,700 individuals were stolen from an employee’s home (including sensitive personal data). Almost 1,000 of the individuals were clients of Ealing Council and both laptops were password protected but unencrypted – despite this being of Council policy. The ICO served Ealing Council with a Monetary Penalty Notice of £80,000.

On 30 May 2011, the Council received a FOI request for “….a copy of the report into the loss of the unencrypted laptop which resulted in an £80,000 fine from the ICO”  The Council directed the applicant to the Monetary Penalty Notice published on the ICO’s website.

The requestor wrote back explaining that it was the Council’s own internal report into the matter that was being sought. The Council refused to provide the requested information stating that the information was being withheld under the ‘prejudice to effective conduct of public affairs’ exemption (namely section 36(2)(b) of the FOIA) and that the public interest was in favour of non-disclosure. This position was upheld on internal review.

The ICO decided that the Council had correctly applied the ‘prejudice to effective conduct of public affairs’ exemption but that it wrongly concluded that the public interest in maintaining the exemption outweighed the public interest in disclosure.  The two main reasons for this decision were as follows:

• disclosure “would also contribute to public understanding of the issues documented in the publically-available Monetary Penalty Notice”.

• “disclosure would demonstrate to the public that the council has taken robust steps to address the security implications of the incident and that measures have been put in place to ensure that there is not a recurrence. This would improve public confidence in the workings of the council”.

Now I am suggesting to you that these two arguments employed by the ICO could apply to almost any enforcement action by his office. So if your employer is a public authority and subject to enforcement action under the Data Protection Act, then expect FOI requests which will probably lead to the publication of your internal investigations into the problem.

Download the Decision Notice here: Download Fs_50399720_EALINGBLOG