Search engines still in breach of EU data protection laws

Posted by scott on May 27th, 2010

The EU’s Article 29 Data Protection Working Party has sent public letters to the three major search engines – Google, Microsoft and Yahoo! – saying that although it welcomes their efforts to bring their data retention policies in line with the law, they are all still in breach of the EU’s data protection directive.

The Working Party tells Google that it should reduce the period after which it “anonymizes” IP addresses in its server logs to 6 months, instead of the 9 months it had agreed to reduce them to. It also states that Google’s method of anonymisation is not adequate – Google deletes the last octet of the IP addresses.

According to the Working Party, ‘such a partial deletion does not prevent identifiability of data subjects.’ In addition, it was not happy with Google’s cookie retention practices, under which Google retains cookies for a period of 18 months. ‘This would allow for the correlation of individual search queries for a considerable length of time. It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months,’ the Working Party letter states.

The Working Party is a bit gentler on Microsoft and applauded its willingness to reduce the retention period of cookies and IP addresses to 6 months, depending on the willingness of other search engines to follow suit. However, like Google, Microsoft retains cookie data for 18 months, which again still leaves room for ‘the cross-matching of search queries for a considerable length of time.’ The Working Party also questioned the effectiveness of Microsoft’s anonymisation claims.

Yahoo! had pledged to reduce its retention time to 90 days with limited exceptions for fraud, security and legal obligations, which pleased the Working Party, who welcomed the move to deleting the full IP address from the first full dataset after 90 days instead of just deleting the last octet. But again there were concerns: ‘a partial deletion of the personal data contained in search logs does not constitute true anonymisation,’ the Working Party points out. Also, as with Google and Microsoft, it says it was not provided with enough information to technically assess the quality of Yahoo!’s anonymisation policy.

Here there was a clear call to all three search engines to review their anonymisation claims and make the process verifiable, preferably by developing a credible audit process involving an external and independent auditing entity. ‘The actual techniques of anonymisation deserve an open debate, open to public scrutiny, in light of the expanding body of research on the failures of anonymisation,’ states the Working Party.
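The two concerns the Working Party raises above (last-octet deletion leaving most of the address intact, and long-lived cookies chaining a user’s queries together) can be measured on a search log before any external audit. The following is an added Python example, not code from this post or from any of the search engines; the log lines, the 30-day cookie lifetime used for comparison and the function names are constructed for the illustration.

```python
"""Measure what survives two log-anonymisation policies: last-octet deletion
(keep 24 of 32 bits) with an 18-month cookie, versus full IP deletion (keep 0
bits) with a short-lived cookie. The sample log below is constructed, not real."""
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Record:
    ts: datetime
    ip: str        # client address (original or truncated)
    cookie: str    # "" once the cookie has been dropped by retention
    query: str


def parse_log(lines):
    """Parse tab-separated 'timestamp<TAB>ip<TAB>cookie<TAB>query' lines."""
    out = []
    for line in lines:
        ts, ip, cookie, query = line.split("\t")
        out.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, cookie, query))
    return out


# Constructed sample: RFC 5737 documentation addresses, fictional cookies and queries.
SAMPLE_LOG = parse_log([
    "2010-01-03T09:12:01Z\t203.0.113.17\tc1\tflu symptoms",
    "2010-01-03T09:15:44Z\t203.0.113.17\tc1\tnhs clinic near me",
    "2010-01-04T18:02:10Z\t203.0.113.44\tc2\tcheap flights dublin",
    "2010-01-09T07:40:00Z\t198.51.100.9\tc1\tflu vaccine side effects",
    "2010-02-20T22:11:37Z\t203.0.113.17\tc1\ttest results",
])
NOW = datetime(2010, 3, 1)   # reference date for the retention check (constructed)


def truncate_ipv4(ip, keep_bits):
    """Zero the low-order bits. keep_bits=24 is the last-octet deletion the
    letters describe; keep_bits=0 is full deletion. Returns CIDR form."""
    return str(ipaddress.ip_interface(f"{ip}/{keep_bits}").network)


def anonymity_set_size(keep_bits):
    """How many original IPv4 addresses collapse onto one truncated value."""
    return 2 ** (32 - keep_bits)


def anonymise(records, keep_bits, cookie_max_days, now):
    """Apply a policy: truncate every IP, drop cookies older than cookie_max_days."""
    out = []
    for r in records:
        keep_cookie = (now - r.ts).days <= cookie_max_days
        out.append(replace(r, ip=truncate_ipv4(r.ip, keep_bits),
                           cookie=r.cookie if keep_cookie else ""))
    return out


def unique_value_fraction(originals, anonymised):
    """Fraction of anonymised IP values that map back to exactly one original
    address in this log, i.e. values that still act as a de facto identifier."""
    backmap = defaultdict(set)
    for orig, anon in zip(originals, anonymised):
        backmap[anon.ip].add(orig.ip)
    return sum(1 for s in backmap.values() if len(s) == 1) / len(backmap)


def linkable_queries(anonymised):
    """Queries that a surviving cookie still chains together, keyed by cookie."""
    chains = defaultdict(list)
    for r in anonymised:
        if r.cookie:
            chains[r.cookie].append(r.query)
    return dict(chains)


def compare_policies(records, now):
    """Summarise both policies: residual address space, unique values, cookie linkage."""
    policies = [("last_octet_18m_cookie", 24, 18 * 30), ("full_ip_30d_cookie", 0, 30)]
    results = {}
    for name, keep_bits, cookie_days in policies:
        anon = anonymise(records, keep_bits, cookie_days, now)
        results[name] = {
            "anonymity_set": anonymity_set_size(keep_bits),
            "unique_ip_values": unique_value_fraction(records, anon),
            "linked_queries": {c: len(q) for c, q in linkable_queries(anon).items()},
        }
    return results


if __name__ == "__main__":
    for policy, stats in compare_policies(SAMPLE_LOG, NOW).items():
        print(policy, stats)
```

Under last-octet deletion half of the truncated values in the sample still correspond to a single original address and the 18-month cookie links all four of one user’s queries across seven weeks; full deletion collapses every address into one value and the short cookie lifetime leaves only the most recent query linkable.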

The Working Party also recognises the transatlantic dimension of the issue and states that it has forwarded its concerns to the Federal Trade Commission (FTC), and asked the FTC to use its authority to examine the compatibility of this behaviour with section 5 of the Federal Trade Commission Act.

It’s good how long you can get away with breaking the law, isn’t it? Looking forward to the responses from Google and Co.

AG says that Data Retention Directive not ‘3rd pillar’ measure

Posted by scott on October 14th, 2008

The good people at Content and Carrier are reporting that Advocate General (AG) Bot has recommended that the European Court of Justice dismiss an appeal by Ireland for the annulment of the data retention directive (2006/24/EC). Ireland challenged the legal base of this Directive, arguing that the European Commission did not have the power to make the directive as the matter should have been adopted under the ‘third pillar’, which deals with matters concerning public security and the activities of the State in areas of criminal law. Whilst agreeing that the dividing line between the pillars “may appear artificial in some respects”, the AG concluded that the legal basis for the directive was correct, and that the obligation to retain data for investigations of serious crimes was not sufficient to remove the measure from the Community pillar, as the directive’s purpose was to harmonise the conditions under which communications providers must retain traffic and location data, not to harmonise the conditions under which the law-enforcement authorities may access, use and exchange that retained data.

Govt consult on draft regs for data retention - but communications data bill still looms

Posted by scott on August 15th, 2008

It may be only three months since the government announced in their Draft Legislation Programme plans to introduce a Communications Data bill, but you could be forgiven for thinking that common sense has raised its head and the plans for primary legislation have been dropped. Why? Well, the Home Office is now consulting on draft regulations that will replace the Data Retention (EC Directive) Regulations 2007. The new regulations will cover the retention of specific internet data that was not covered in the original regs, which only regulate the retention of data relating to fixed and mobile telephony.

The regs, once implemented, will complete the UK’s transposition of the EC Data Retention Directive into national law.

However, if you think this means that the government have abandoned plans for an all encompassing Communications Data Bill, you’d be wrong. According to the Home Office this is still very much in the works and is being finalised as we speak. In case you have forgotten the purpose of that bill:

The purpose of the Bill is to: allow communications data capabilities for the prevention and detection of crime and protection of national security to keep up with changing technology through providing for the collection and retention of such data, including data not required for the business purposes of communications service providers; and to ensure strict safeguards continue to strike the proper balance between privacy and protecting the public.

The main elements of the Bill are:

(1) Modify the procedures for acquiring communications data and allow this data to be retained;

(2) Transpose EU Directive 2006/24/EC on the retention of communications data into UK law.

The fact that the Draft Regulations achieve point 2 should cause the alarm bells to start ringing. According to the Home Office, bringing forward the regulations ahead of the proposed bill is merely to allow the government to complete the transposition of the Directive by the date specified in the Directive - 15 March 2009 - something that they might not have been able to do if they had waited for the draft bill to be finalised and pushed through parliament.

This is obviously a new approach from the government, who previously have been quite happy to ignore implementation dates on a variety of Directives. Logically it also means that the government is likely to revoke these new regulations almost as soon as they hit the statute book, so as to incorporate them into the CD bill. It will be interesting to see if the CD bill will also act as a consolidating piece of legislation, pulling into one act those aspects of the Regulation of Investigatory Powers Act (RIPA) and the Anti-Terrorism, Crime and Security Act that also cover aspects of CD law.

The text of the new regulations does little more than add in the requirement for retaining internet data, which will now join fixed and mobile call data in having to be retained for 12 months (the government can request that data be retained for up to 24 months in specific cases). As before, the regs will allow the Home Secretary to reimburse any additional expenses incurred by providers in complying with the regs, as long as such expenses have been notified to, and agreed with, the Home Secretary in advance.

The government are also keen to avoid needless duplication of data. Whilst the regs apply to all communications service providers, the government agrees that the regs and the directive should be interpreted in such a way that if more than one communications service provider holds particular communications data, then only one need retain the data for the purposes of the Directive. The government gives the example of a mobile network provider’s services being sold by another provider: that provider will not be required to retain copies of itemised bills, as the same detail will be retained within the scope of the Regulations by the mobile network provider.

Just who can have access to this data remains a key concern to many. The draft regs say:

Access to retained data

10. Access to data retained in accordance with these Regulations may be obtained only—
(a) in specific cases, and

(b) in circumstances in which disclosure of the data is permitted or required by law.

How vague is this???? One presumes that the final text will make specific reference to the Regulation of Investigatory Powers Act, and in particular the Regulation of Investigatory Powers (Communications Data) Order (as amended), which allows access for the Police, but also local councils, the Post Office and others.

Responses to the consultation are requested by 31 October 2008.

Government wants to hear from you … but only if you can do it in 100 characters or less

Posted by scott on May 20th, 2008

In a post last week I spoke about the UK government’s plans for new communications retention legislation as part of their Draft Legislative Programme. They also decided to provide us - the UK citizenry - with the opportunity to comment on the bills because the government is interested in our views. Only, it isn’t.

Apparently, the government doesn’t REALLY want to hear your comments, it wants your sound bites. This can be the only reason why you are limited as a commenter to 100 characters - even Twitter gives you 140. Just how insightful and constructive are you meant to be in 100 characters exactly? I tried to say “We should all be worried that the gov are not just issuing an amending SI’s for the DR regs 2007 and RIPA.”, only to find even that was 106 characters. So I stripped out a ‘the’ and an ‘are’ and posted away. I then got the nice message telling me “Thank you for submitting comments on this bill. Your contribution to this process is valuable”.

Valuable as long as I can phrase it in 100 characters or less. To be fair, my comment should have asked why the government were not just issuing amending legislation, but the BBC has an answer for that one - a nice big database combining all our phone and internet records - and the Information Commissioner’s office has an answer for that too.

“If the intention is to bring all mobile and internet records together under one system, this would give us serious concerns and may well be a step too far …we are not aware of any pressing need to justify the government itself holding this sort of data.” [Since when did that stop this government].

Govt outlines plans for new data retention law

Posted by scott on May 16th, 2008

The UK government has announced its new Draft Legislation Programme. The programme includes plans to bring forward a Communications Data bill. According to the government the purpose of this Bill is to allow communications data capabilities for the prevention and detection of crime and protection of national security to keep up with changing technology by providing for the collection and retention of such data - including data not required for the business purposes of communications service providers; and to ensure strict safeguards continue to strike the proper balance between privacy and protecting the public.

The main elements of the Bill are:

  • modify the procedures for acquiring communications data and allow this data to be retained
  • transpose EU Directive 2006/24/EC on the retention of communications data into UK law

The UK has already transposed part of the directive through the Data Retention (EC Directive) Regulations 2007. Those regulations introduced a retention period of 12 months for data generated by fixed and mobile telephony providers. The UK, like many other EU member states, accepted the limited opt-out offered by the directive relating to the imposition of retention rules on internet access, IP telephony and email. They have until 15 March 2009 to implement these rules.

The intention of the government to bring forward primary legislation is an interesting one. If their intention was to merely extend those aspects of retention already covered in the 2007 regulations to cover email and the internet, they need merely have introduced amending regulations. The fact that they are choosing not to, may be a sign that the government plans to push beyond what is required by the Directive. It also seems logical that in doing so, they will revoke the 2007 regulations so as to include all the relevant law regarding communications data retention in the one act.

Should be some interesting debates and discussion ahead when this one hits parliament towards the end of the year.

Brown tries to backtrack on privacy protections

Posted by scott on April 2nd, 2008

The Guardian are reporting that Gordon Brown, like most PMs these days, is more concerned with his ‘friends’ (the proprietors of the UK’s press) than with providing adequate privacy protection for UK citizens. This follows rumours that Brown wants to get clause 76 removed from the Criminal Justice and Immigration Bill.

Clause 76 currently (bill as amended in committee 13.3.08) reads:

76 Imprisonment for unlawfully obtaining etc. personal data

(1) Section 60 of the Data Protection Act 1998 (c. 29) (penalties for offences under Act) is amended as follows.

(2) In subsection (2) (offences under Act punishable by fine) for “other than section 54A” substitute “other than sections 54A and 55”.

(3) After subsection (3) insert—

“(3A) A person guilty of an offence under section 55 is liable—

(a) on summary conviction, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

(b) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

(3B) In the application of subsection (3A)(a)—

(a) in England and Wales, in relation to an offence committed before the commencement of section 282(1) of the Criminal Justice Act 2003 (increase in sentencing powers of magistrates’ court from 6 to 12 months for certain offences triable either way), and

(b) in Northern Ireland, the reference to 12 months is to be read as a reference to 6 months.”

According to the article, Peers were recently told by one minister, Lord Hunt, that Brown was concerned “to make sure that legitimate investigative journalism is not impeded”. Hunt said: “We intend to withdraw this clause … unless a satisfactory solution … can be identified by all the parties involved.”

Richard Thomas, the UK’s Information Commissioner, is - needless to say - not impressed.

‘I am pleased that government is now taking data protection, and the need to prevent security breaches, more seriously. But there have been powerful last-ditch efforts to get clause 76 removed from the Criminal Justice and Immigration Bill. There has been widespread support for the government’s decision to strengthen the law and – if data protection is to be taken seriously – it is vital that the government and other parties should stand firm against any possible amendments. I am determined to stop the pernicious illegal market in personal information which our reports exposed … If there is a change of heart on legislation aimed at deliberate security breaches, the government will find it hard to convince people that measures aimed at preventing data loss need to be taken seriously. I know there are concerns in some quarters of the media, but – with a powerful public interest defence – responsible journalists have nothing to fear.’

This really is just typical. The newspaper owners claim the clause would mean that the UK would become one of the few countries in the world where journalists and editors could be jailed for doing their job. I’m sorry, but when did illegally obtaining information become part of their jobs?

Richard Thomas gets worldwide recognition

Posted by scott on March 29th, 2008

Congratulations to Richard Thomas. The UK’s Information Commissioner (and ex CC employee) has received the International Association of Privacy Professionals’ 2008 Privacy Leadership Award for his ongoing commitment to raising the public profile of privacy and data protection issues.

According to the IAPP, the world’s largest association for the privacy profession:

“Commissioner Thomas has demonstrated an enduring commitment to strengthening privacy protections during his tenure,” said Sandra R. Hughes, Global Ethics, Compliance and Privacy Executive, The Procter and Gamble Company. “Under his leadership, the ICO has focused on raising public awareness of important privacy issues and strengthening the UK’s approach to preventing and addressing misuse of sensitive data and other harmful practices. The Commissioner has diligently worked to further the protection of citizens’ rights through public debate, education, regulatory action and enforcement.”

Hat tip :-)

ICO asks for more power to tackle data protection breaches

Posted by scott on January 26th, 2008

Following the seemingly endless recent stream of stories concerning Data Protection Act 1998 breaches by various organisations, including the UK government, the UK Information Commissioner, Richard Thomas, has published a wishlist of changes he’d like to see made to the act, to increase the ability of his office to deliver its commitment to “Strengthening public confidence in data protection by taking a practical, down-to-earth approach - making it easier for the majority of organisations who seek to handle personal information well and tougher for the minority who do not”.

The ICO comments that currently his powers are concerned with bringing an organisation’s or person’s future conduct into compliance with the act, but that there is a shortfall in the sanctions available and in the means to enforce those sanctions quickly and effectively. In particular, he highlights the issue of spam and how, under the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003, spammers know they can abuse the law, since apart from issuing an enforcement notice under the Enterprise Act the ICO’s powers are ineffective (just try and find any spammer prosecuted by the ICO). He also points to the fact that, whilst the FSA can impose large fines - as it did when it fined Nationwide £980,000 in February last year for failing to have effective systems and controls to manage its information security risks, following the theft of a laptop containing personal information and financial details from a Nationwide employee’s home in 2006 - he would not be able to impose any penalty in a similar situation where an employer failed to manage the security of its HR records, or where a hospital failed to do so with regard to its medical records.

He also states that, regardless of the outcome of the enquiry into whether HMRC acted knowingly or recklessly in allowing what the ICO regarded as an unprecedented security breach, by losing CDs containing private data on almost half the UK population, his office would have no powers to impose any penalty.

To this end, the ICO wants to introduce a new penalty for knowingly or recklessly failing to comply with the Data Protection principles - such as in the case of Carphone Warehouse and TalkTalk and their breach of 4 of the 8 principles through the use of inaccurate and incorrect personal data. Whilst conceding that the precise form of any penalty may require careful consideration, he suggests as a starting point for the new criminal offence:

1. A data controller who, knowingly or recklessly, fails to discharge the duty imposed by section 4(4) is guilty of an offence where that failure results in a substantial risk that any person will suffer damage or distress.

2. It is a defence for a data controller charged with an offence under subsection (1) to prove that he exercised all due diligence to comply with the section 4(4) duty.

[Section 4(4) of the Act provides that, subject to some exemptions, -

“… it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller” ]

The ICO believes this should be coupled with the threat of an unlimited fine.

Additionally, the ICO has requested:

1) “a power for the Information Commissioner to inspect personal data and the circumstances surrounding its processing in order to assess whether or not any processing of the data is carried out in compliance with the Act.”

The ICO comments on the examination by the EU Commission into the UK’s implementation of the Data Protection Directive, and that the Information Commissioner’s powers are one aspect that the Commission has flagged as being possibly non-compliant. This he believes coupled with new requirements placed on him by the Data Retention Directive make it imperative that he has full compulsory inspection powers.

2) “a power for the Information Commissioner to require a data controller to provide him with a report by a skilled person”

This is based on a power given to the Financial Services Authority, and is most likely to arise in cases of security breach (the FCO has recently commissioned an expert report on its recent breach of security with regard to its visa application website).

3) “enhanced enforcement powers to enable the Information Commissioner to bring seriously unlawful processing to an immediate halt, to place formal undertakings on a statutory basis and to enable the Information Commissioner to take enforcement action to prevent breaches of the Act that are likely to occur”

The ICO notes that it currently has difficulty in enforcing the act against those who choose to ignore its requirements. The ICO believes that in such cases it should have the powers to stop the alleged unlawful practices from continuing pending any prosecution or other enforcement activity.

4) “information notices that can be served on any person rather than just a data controller.”

The problems associated with acting against spammers are highlighted. The current information notice power applies only to data controllers, whereas the ICO will often need information from other people - telecoms service providers etc. - to investigate such cases.

Richard Thomas is wise to strike whilst the iron is hot on this issue, at a time when there is quite broad cross-party support within Parliament to take (or at least be seen to take) this issue seriously. The public has also become, both more aware, and more vocal, in its concern about privacy issues - which will additionally make action attractive to many politicians.

As someone who has had an interest in this issue for many years, I have long felt that the UK’s attitude to data protection has been to merely pay lip service to potential problems. Even at a business level, the only fear organisations have is some potential bad PR, and even this, until recent events, was only something that few people would be aware of. As I mentioned in my post last week on the Carphone Warehouse case - this was a case where very large fines should have been coming their way. As it is they get a slap on the wrist and just have to promise not to do it again. Is it any wonder, when this has been the attitude to enforcement of the act, that data protection compliance is often not taken as seriously as it should be by many organisations?

The Government should draw up an SI to implement these proposed changes asap (which of course they won’t do. Waste some time, eventually draw up some draft regs, issue a consultation, sit on it for a while, then take the regs to parliament, and if anything has happened by the end of 2008 we’ll be doing well).

Carphone Warehouse demonstrates fear of data protection legislation

Posted by scott on January 18th, 2008

The UK Information Commissioner’s Office (ICO) has issued enforcement notices to mobile phone retailer Carphone Warehouse and its retail telecom business Talk Talk for some quite spectacular breaches of the Data Protection Act 1998.

There are 8 data protection principles:

1. Personal data shall be processed fairly and lawfully

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Now the ICO investigation in this case found that Carphone Warehouse and TalkTalk seemed to have some difficulty with applying HALF of these principles properly when processing customer data. The ICO broke it down thus:

Subject access request - The failure to comply with subject access requests, having clearly received them as cheques were cashed and in certain instances further information was requested when it was not reasonably required.

Accuracy and Fairness - The setting up of accounts using incorrect details such as the name address and bank details, which in some instances had been obtained from old contract or purchase data, together with the refusal to amend inaccurate records without the permission of the account holder.

Security - The ability of customers to view confidential personal data of other customers when logging on to their online account and in some instances the emailing of such data to other customers.

Accuracy - The holding of inaccurate data and its disclosure to credit reference agencies or debt collection agencies and the failure to amend the data unless instructed to do so by the Commissioner.

According to the ICO “Carphone Warehouse and TalkTalk’s use of inaccurate and incorrect personal data has caused real damage and distress to customers.”

And what has happened to them? The ICO sent out an enforcement notice to them both and told them to sort things out within 35 days, and to let the ICO know what they are doing to sort things out, or face prosecution. What can the ICO do? “A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offense carries a maximum penalty of a £5,000 fine in the magistrates’ court and an unlimited fine in the Crown Court”

In reality the potential fine the companies would currently face would be quite small, whereas it should be more akin to the £980,000 the Financial Services Authority dished out to the Nationwide Building Society in February last year for failing to have effective systems and controls to manage its information security risks, following the theft of a laptop containing personal information and financial details from a Nationwide employee’s home in 2006. But, then again, I would be prosecuting on the information currently revealed and wouldn’t be giving the companies a month to come up with some undertakings to promise to do better in the future.

HMRC Cock up continues

Posted by scott on November 30th, 2007

Until now, I have steered clear of the government posting out details of half the population. But then, I had thought it was all over. But wait, it now seems that we have sent the apologies - with yet more personal information - to the places where people used to live, not their current addresses.

Still, even this wasn’t as funny as Ministry of Justice Minister Michael Wills, who has responsibility for data sharing and data protection matters, telling a joint House of Commons and House of Lords select committee on human rights that he was not informed about the data breach at Her Majesty’s Revenue & Customs (HMRC) before Alistair Darling’s public statement to the House of Commons. According to Wills this was ‘perfectly acceptable’. Well, that’s nice.

I’m sorry but we now have a situation where we have the biggest potential data protection cock up in government history, and the guy given responsibility for data protection finds out the same time as the general public. Astonishing. Wills did at least admit what the rest of the government failed to do, that the breach now raises questions about the security of the government’s National Identity Register and biometric ID cards. “We are going to obviously have to look at the national identity register in the light of all this …We are going to have to learn the lessons. Everything will have to be scrutinised and then we will assess it again.” ID Cards are not the answer people. Just say no.


Copyright © 2007 Informationoverlord. All rights reserved.