Seasonal greetings from all at Amberhawk

On behalf of all at Amberhawk, can I wish all readers a relaxing break before getting back to the grind in early January.

Communications Data Bill and data retention: critical report on the cards

On Tuesday, a joint Committee of Parliament will report its views on the proposed Data Retention Bill. This is the piece of legislation which, if enacted as published, would require ISPs, Google, telecoms operators and service providers etc to keep details of our use of the Internet (e.g. who we contact, when. where from etc.) are retained for up to a year. The purpose of this retention is to allow law enforcement agencies and national security agencies to dip into this information resource, whenever it is “necessary” and “proportionate”.

This draft Bill, is in effect, an extension of the current scheme under the Regulation of Investigatory Powers Act (RIPA); this is used to authorise over half a million requests for communications data are made by these agencies per year to telecommunications companies. These requests primarily focus on our use of telephones; include your access to web-sites, contacts on Facebook, Skype  etc,  then the scope of law enforcement intrusion into everybody’s private life has the potential to escalate significantly.

Reading the runes, I reckon the Home Office is expecting that the Committee will be critical of the Government proposals. For instance, last Wednesday, the Home Secretary told the Sun Newspaper that in the context of the Communications Data Bill:

“Criminals, terrorists and paedophiles will want MPs to vote against this bill. Victims of crime, police and the public will want them to vote for it. It’s a question of whose side you’re on” adding that “Anybody who is against this bill is putting politics before people’s lives.”

You don’t deliver tosh on these lines unless you are preparing the ground to reject what the Committee will say. That is why I am inferring a critical report.

The Information Commissioner gave written evidence; it provides a classic example of how to read between the lines. For instance, the Commissioner says “My own view is that the Parliament should determine whether the proposals contained in the draft Bill are a proportionate response to the perceived problem of communications data capability”.

Would the Commissioner say this if he thought the proposals in the Bill were proportionate? Of course not!

So with that in mind, just look at the Commissioner’s comments from his written evidence.

• “If the case is made then the practical consequences of the proposals must be identified and addressed”. Do you think the Commissioner thinks these practical consequences have been identified?
• “The compensatory safeguards which are to be put in place must have a clear and specific purpose and be effective in practice”. Do you think the Commissioner thinks these safeguards are clear, specific and effective?
• “The extent of the Information Commissioner’s role needs to be clear so that both he and the public know what outcomes or assurances his oversight will bring”. So, does the Commissioner think his role is clear?
• “There should be provision for the Information Commissioner to report on his activities”. These activities only relate to data security, data integrity and data destruction; not retention, collection and use.
• “Any extension of the Information Commissioner’s functions or increase in the volume of work undertaken by his office will need to be properly resourced”. Do you think the Commissioner has sufficient resources for his “not so clear” role?
• “There should be some form of post-legislative scrutiny stipulated on the face of the legislation”. Does the Commissioner think that the legislation should have something like a “sunset clause”?

So when the Report is published expect some more “Privacy is for Peados” headlines from the tabloids and Home Office Ministers. They will want to get their retaliation in first, before the report is published.

Advert

We are running a course leading to ISEB/BCS’s Practitioner Certificate in Data Protection in London (January); Manchester (February) and Edinburgh (March).  See side panel for links to all details as well as our CISMP/FOI courses.

 

Press reporting about Kate’s blagging overlooks data protection angle

Note: this blog was published 20 hrs before the very sad news of the suicide of the nurse who was the subject of the hoax.

A quick blog about the press coverage of the prank call concerning Kate Middleton’s morning sickness. It appears that this has overlooked some interesting data protection aspects relating to criminal offences and monetary penalty notices

First is the prank an offence under Section 55 the Data Protection Act? At first sight, the answer is “yes” because the information released to the Australian radio presenters would be contained in personal data; even if Kate’s records were in paper form (i.e. Accessible Records), the information released would be from personal data and the disclosure would not have the consent of the data controller (The King Edward VII Hospital). Please note that I am assuming that the medical information disclosed by the nurse goes wider from that disclosed by the official announcements.

The only defence that is currently in place to the offence is that the obtaining of information contained in personal data is “in the public interest” – whatever that means. The normal punishment is a £5,000 fine.

As is well known, the Section 55 offence was to be made custodial (up to two years imprisonment)  in line with the Computer Misuse Act. Although the legislation making this change has been enacted, it has not been activated.

Those changes also included a defence to the Section 55 offence specific for the press. So in the context of the radio presenters, there would be no offence if the presenters acted:

(i)   for the special purposes, .
(ii)   with a view to the publication by any person of any journalistic, literary or artistic material, and .
(iii)  in the reasonable belief that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”.

Well I think most of the tabloid press, if they had “done it” would have argued that any story based on this material would be “in the public interest” on the grounds that there is mammoth interest in the Kate’s pregnancy. I also think that even in the post Leveson era that the tabloid press would still think this was the case.

So an interesting question to ask is each editor is: "suppose an editor had obtained the Kate Middleton information, would they have run the story as an exclusive?".

Note also that the protection from the section 55 offence is aimed at protecting the investigative journalist or journalism that has a public interest. So we can see now that any opposition to this offence (which is prevelant in the press) has to be explored in terms of journalism that does not meet any "public interest threshold". I wonder what kind of journalism that is?

As is well known, the press are opposed to the other data protection recommendations from Leveson.

One of them reads as follows:

“The necessary steps should be taken to bring into force the amendments made to section 55 of the Data Protection Act 1998 by section 77 of the Criminal Justice and Immigration Act 2008 (increase of sentence maxima) to the extent of the maximum specified period; and by section 78 of the 2008 Act (enhanced defence for public interest journalism”.

In July 2011, Deputy Prime Minister Nick Clegg told the BBC  for those guilty of obtaining personal information by deception - known as "blaggers" - to be jailed. By contrast, David Cameron is not convinced this is needed.

The second data protection issue is addressed to the data controller  (The King Edward VII Hospital). Are they vulnerable to enforcement or a Monetary Penalty Notice? Are staff properly trained?  Are there appropriate organisational measures to protect personal data from unauthorised disclosure?

Well obviously I can’t answer these questions, but I can provide list similar events that have resulted in enforcement (e.g. when sensitive personal data about one individual has been disclosed,  let alone broadcasted to the planet). These cases are:

• On 15 February 2012, a  monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients.
• On 14 March 2012 a monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl.
• On 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report - containing explicit details relating to a patient’s health - was sent to the wrong person.
• On 12 July 2012 a monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
• On 25 February 2011, an undertaking to comply with the seventh data protection principle has been signed by Doncaster Metropolitan Borough Council. This follows the disclosure of third party data by the council during court proceedings.
• On 20 September 2011, an undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.
• On 17 October 2011, an undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employee’s personal data in response to a Freedom of Information (Scotland) Act request.
• On 5 April 2011, an undertaking to comply with the seventh principle of the DPA has been signed by City of York Council, further to the inappropriate disclosure of an individual’s personal data, which occurred as a result of the information in question being erroneously included with documentation sent to an unrelated third party.

So in my view, is that the hospital’s review of “telephone protocols” might not be enough.

References

Clegg’s speech supporting the custodial sentences applying to journalists. http://www.bbc.co.uk/news/uk-politics-14150348

Advert

We are running a course leading to BCS’s Foundation Certificate in Information Security Management in January in London; ideal for data protection people wanting to understand best practice in information security management. See side panel for links to all details as well as our DP/FOI courses.

Leveson Principles underpinned in 133 words of legislation: no need for an extensive law

Have you followed all the hand wringing by Government about the statutory underpinning of the Leveson Principles? Have you seen the press coverage equating statutory underpinning with state control?

Evidently the Government say there are pages and pages of legislation to draft in order to underpin, in law, an independent self-regulatory body for the Press. So in the spirit of “Jamie’s 15 Minute Meals” here is a statutory underpinning of the Leveson Principles in 133 words of law.

Like Jamie’s meals, this works, tastes well and involves very light touch supervision of any independent self-regulatory body which is established by the press. There is little risk that the supervision of the independent self-regulatory body will morph into fully fledged statutory control of the press. And my changes rely on legal provisions that the Press have accepted for over a decade.

Don’t believe me? Too good to be true? Well follow the argument: all you need to do is replace Section 3 of the Data Protection Act in order to change the definition of the “Special Purposes”.

This new Section 3 reads as follows:

New Section 3 of the DPA – The Special Purposes

3(1)  A data controller processes personal data for “special purposes” if the processing occurs for:

(a) journalistic purposes where the data controller is subject to an independent self-regulatory body that operates under the Leveson Principles, or
(b) artistic purposes, or
(c) literary purposes.

3(2)  In this section “the Leveson Principles” are the set of actions, adjudications, decisions, objectives, policies, procedures or rulings which are described by Recommendations 1 to 47 of the Executive Summary of “An Inquiry into the Culture, Practices and Ethics of the Press”, HC 779, November 2012”.

3(3)  When determining the scope of any “Leveson Principle” account can be taken as to any relevant explanation, commentary, or amplification outlined in the Leveson Report (Volumes I to IV) and, for the absence of doubt, all  “Leveson Principles” are interpreted purposively.

Explanatory commentary on the impact of section 3(1)

1. These changes do not change the position with respect to artistic and literary material. They do not focus on the content of any journalistic material; only the regulatory structure in which journalism operates.
2. All the existing current freedom of expression protections for the Press in the DPA, that have satisfied the press since 1998, remain intact.
3. There is no change to the current regulatory regime if a data controller is processing personal data for journalism and is regulated by an independent self-regulatory body operating under the Leveson Principles. In these circumstances, there will be very little additional regulation by the Information Commissioner because the Special Purposes have a special enforcement mechanism which balances Article 8 (private life) and Article 10 (freedom of expression). The widely scoped exemption in Section 32 still applies to the processing and the Special Purposes defence to the S.55 offence is available. Thus, if journalism is regulated by the Leveson Principles, there is no change to the data protection regime.
4. If, however, a data controller ignores or opts-out of the independent self-regulatory body, or does not accept its procedures or findings etc, then it might not be able claim the processing is for journalistic purposes. This means the processing of personal data can be fully subject to the Act, the Commissioner’s powers, data subject rights and the exemption in Section 32 does not apply. The defence to the S.55 offence is not available.
5. In this way, paragraphs (a) and (b) underpin the Leveson Principles by statute. Any dispute as to which paragraph (a) or (b) applies can be resolved under existing powers (this is the Determination by Commissioner as to the special purposes in Section 45 of the DPA). Note that there is an already established Appeals mechanism with respect to a determination (there again, accepted by the Press since 1998) which allows the Commissioner’s determination to be challenged.
6. Lying beyond the system of Appeals to the Tribunal under the DPA are the UK Courts and ultimately the European Human Rights Court in Strasbourg. This allows issues concerning “freedom of expression” to be explored in their entirety and provides a counter-balance to the Commissioner’s misuse of powers.
7. Note that if an independent self-regulatory body is not really independent, there is no special status for the processing of personal data for journalistic purposes. This should stop the independent voluntary regulatory body returning to “the old ways of doing things” (as per the current Press Complaints Commission).
8. The use of “an independent self-regulatory body” in new Section 3(1)(a) means there can be more than one independent self-regulatory body (e.g. the Scottish Government want this).
9. The changes in new Section 3 do not implement the other more controversial data protection proposals suggested in the Leveson Report that restrict the scope of the Section 32 exemption. These proposals need a different amendment and a wholly different debate.
10. Note that all sorts of blogs etc could count as “journalism” if there is adherence to an independent Code of Practice – perhaps a separate Code of Practice for bloggers and internet could emerge. Who knows? That is for the independent self-regulatory body to work-out.
11. The Code of Practice produced by an independent self-regulatory body can be underpinned by Parliament under Regulations such as the ““Data Protection (Designated Codes of Practice) (No. 2) Order 2000” which, there again, the Press have not contested on free speech grounds since 1998. This Order underpins the current Code of Practice that applies to the Press.

The only departure from Leveson is that if there is an issue concerning an independent voluntary regulatory body, the statutory regulator who will be approached is the Information Commissioner and not OFCOM. This makes sense because, after all, any conflict will be about privacy and the processing of personal data. As this is the case, the ICO is the obvious independent regulator to choose.

I should add that I support the Leveson recommendation that the single Information Commissioner should be replaced by a collegiate Commission. I would add that such a Commission should also incorporate the other Commissioners who have a finger in the privacy supervisory pie (e.g. Surveillance Commissioner; Interception of Communications Commissioner etc).

Explanatory commentary on the impact of sections 3(2) and 3(3)

In the modest change I propose, the journalistic Special Purpose is linked to an independent self-regulatory body operating under the Leveson Principles. These Principles are defined in terms of Recommendations 1 to 47 (Pages 32-38) of the Executive Summary of “An Inquiry into the Culture, Practices and Ethics of the Press”, HC 779, November 2012”, and where necessary, amplified by Leveson’s full Report. The Leveson Principles have to be interpreted “purposively” – this means there should not be arguments about the literal meaning of words.

I think the threat that the ICO could determine that the journalistic purpose is no longer a Special Purpose, on the grounds that an independent self regulatory body has diverted from the Leveson Principles, would be sufficient encouragement for the Press to implement and maintain the standards outlined by Leveson.

Each Press “data controller” is free to take their chances if they want to ignore the independent self regulatory body it has set up.

Finally, if there emerges a legal constraint restricting the freedom of the press, this dispute can be taken all the way to Strasbourg on Article 10 grounds.

General Commentary on the implementation of the Leveson Principles

It is common ground that the “Leveson Principles” are acceptable to all political parties; the only issue is whether they should be underpinned by statute. Part of the problem re the legislative underpinning is that length of legislation that is needed. The more law there is, the more legal hooks there are for those “troublesome lawyers” or “interfering politicians” to make hay while the sun shines.

My approach avoids this prospect because there is hardly any new law. It is the Information Commissioner who makes the “Determination of Special Purpose” (under section 45 of the DPA) and undertakes subsequent enforcement action subject to an appeals process accepted and unchallenged by the Press for over a decade.  That is why I support a collegiate Commission; I think such a determination – given its importance - should not be the preserve of a single Commissioner.

It is important to stress, contrary to what the tabloid Press is often reporting, Leveson was very careful NOT to make comments on how the Press should report matters and the content of any new Press Code of Practice. He says in paragraph 60 of the Executive Summary that “It is not my role to seek to establish a new press standards code or to seek to be determinative about the way in which the independent self-regulatory body goes about its business”. Leveson expects that the new body will draw up a new Code of Practice; he states that “The Code Committee should advise the new body which itself would take ultimate responsibility for its content and promulgation”.

So in conclusion I would argue that a 2000 page report, millions of words, over a hundred witnesses, and the main conclusions of a one year public inquiry can be boiled down to 133 words of law. Done and dusted; no need for lengthy legislation at all.

I wonder whether the Guinness Book of Records has taken notice?

Relevant blogs

Leveson, Press and data protection: the Rubicon has already been crossed. http://amberhawk.typepad.com/amberhawk/2012/11/leveson-press-and-data-protection-the-rubicon-has-already-been-crossed.html

Could the Information Commissioner have stopped the use of ex-directory numbers by the press? http://amberhawk.typepad.com/amberhawk/2012/02/could-the-information-commissioner-have-stopped-the-use-of-ex-directory-numbers-by-the-press.html

Advert

We are running a course leading to BCS’s Foundation Certificate in Information Security Management in January in London; ideal for data protection people wanting to understand best practice in information security management. See side panel for links to all details as well as our DP/FOI courses.