Monday, 25 October 2010

EU to criminalise data protection breaches? (based on unpublished Commission paper)

Privacy advocates may be pleased to hear that, according to a European Commission document obtained by Bloomberg's Aoife White (which I'm blogging as I've not seen it reported much elsewhere), the proposed updates to the EU Data Protection Directive, which won't be fully public till 2011, may include -

Expanded criminal penalties to enforce data protection requirements regulating how personal data is dealt with - the Bloomberg report quoted the Commission's paper as saying it's "essential to have effective provisions on remedies and sanctions” including “criminal sanctions in case of serious data protection violations".

A right to oblivion, the right to be forgotten - a right for data subjects to get their personal details deleted, and to get "lists of friends, photos or medical records removed".

Enhanced enforcement capabilities for regulators and others? - the Bloomberg article said that  "The proposals may also make it easier for data protection authorities and consumer groups to file lawsuits over privacy breaches" but unfortunately didn't expand on how the proposals intend to achieve that.

Bloomberg got Matthew Newman, a spokesman for Commissioner Reding, to confirm that they've not decided yet whether the new data protection laws should be mandatory or only guidelines -but unfortunately the article didn't spell out which aspects he was talking about. It would be odd if all the new rules were either mandatory or guidelines only, although it seems from the context that he was probably talking about criminalisation of breaches. If so, "guidelines only" still wouldn't change the current position.

The Bloomberg article said regarding the timetable that

"Changes could be made to the commission’s document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011."

Sounds like Bloomberg managed to obtain a draft or leaked draft of the Commission's internal document (draft Communication?) - Yahoo, they said, wouldn't comment on the proposals "because the EU plan hasn't yet been published".

See also: search data retention periods for Google, Microsoft and Yahoo.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Leaders with powerful faces produce top law firms. And female leaders..?

The more "powerful" a managing partner's face looks, the higher is the ranking of the law firm they manage (suggesting that those with more "powerful" faces are more effective leaders).

So it seems from a University of Toronto / Tufts University study of top 100 US law firms in 2007 according to AmLaw, where 67 people were asked to judge 73 managing partners' faces for "dominance, maturity, attractiveness, likeability and trustworthiness" (see the press release, abstract, and full article Judgments of Power From College Yearbook Photos and Later Career Success by Nicholas O. Rule and Nalini Ambady, PDF (free for limited time), to be published in Social Psychological and Personality Science Journal.)

The measure of "power" was taken from a combo of ratings for "dominance" and "facial maturity".

The measure of a law firm's success was based on three measures of firm profits as taken from AmLaw: profit margin, profitability index, and profits per equity partner (PPP). Nick Rule (one of the authors), said:

"Moreover, just to be extra rigorous, we statistically controlled for the number of lawyers working at each firm, since size can be an issue--though mostly for firm revenues."

Previous research - military, CEOs, politicians

Previous research, mentioned in the paper, has shown that -

"West Point cadets whose faces projected dominance were more likely to become generals than cadets with less dominant faces, Senate candidates whose faces were judged more competent than their opponents won three-quarters of their races, and the more powerful the faces of CEOs of Fortune 1,000 companies looked, the more profits that their companies earned."

What's new here?

So what makes this research different? (Apart from being of interest to lawyers, of course.)

First, half the photos used were from college yearbooks rather than the law firms' websites. Yet "facial power" as judged from the "old" (we're talking generally 20 year old) pictures was almost as good at predicting law firm profitability as when evaluated from more recent website pics.

Does this mean some people are just slated for power?

Well, it appears that looks do matter, but don't think yet that your fate is forever dictated by your face. It's more likely to be t'other way round - ie that your face is shaped at least in part by your own personality and life experiences.

Certainly, from my own experience (an oh so scientific approach), it does seem that people I meet who have sour faces and downturned mouths turn out to be cold, unfriendly miseries. And people with pleasant smiley faces are usually rather nice.

Other studies (mentioned in the paper) have shown that childhood personality stays pretty much the same throughout life. And - this is just me talking here, I'm sure there has been proper research on this - I suspect people tend to be quite good at judging personalities from faces, just as a survival mechanism when interacting with other people, if nothing else.

Now here's another interesting point from the study.

Unlike CEOs in most other industries (many of whom are lateral hires), managing partners of law firms have usually worked their way up within the firm - so having a powerful face should matter less than other factors like demonstrable skills, in terms of getting them selected as leader.

And yet, whether or not a more powerful face makes someone more likely to be elected as managing partner, it still seems that managing partners who do have more powerful faces are more likely to make more money for the firm who elects them.

Human warmth unrelated to profitability

The press release also said "Surprisingly, human warmth in the face—likeability and trustworthiness—was uncorrelated with law firm profits".

Some, of course, might say it's not so "surprising", especially with law firms. A likeable leader does not necessarily a profitable law firm make.

However it's perhaps a bit more worrying that "trustworthiness" isn't related to profitability in law firms.

It's true that people assessed how trustworthy the partners looked, than rather than how trustworthy they actually were, but is there a correlation between trustworthy looks and trustworthiness? My gut murmurs, possibly - shifty eyes and all that…

And what about the women?

Now what about female managing partners, you may ask? With female leaders, does having a more "powerful" face translate to a more profitable firm?

The paper didn't mention whether there were any differences there. However, Nick Rule kindly clarified to me that -

"Four of the MPs were women. Obviously, this small number prevents us from being able to do any meaningful analyses looking at differences between perceptions of the male and female MPs. However, if we remove these women from the data set the results don't change, suggesting that they were viewed consistently with the greater overall pattern."

He also pointed to a study following the work on how judgments of power from the faces of Fortune 1000 male CEOs predicted their companies' profits, mentioned above (Rule & Ambady, 2008; Psychological Science -  The Face of Success - Inferences From Chief Executive Officers’ Appearance Predict Company Profits).

Their follow-up concerned all the female CEOs in the Fortune 1,000 (Rule & Ambady, 2009; Sex Roles - She’s Got the Look: Inferences from Female Chief Executive Officers’ Faces Predict their Success). Well worth a read as it describes other research in the area too -  fascinating.

There, they found that judgments of power from the faces of female CEOs also predicted their companies' profits. Comparing the male and female data sets from the two studies they found that there were no significant differences in the way male and female CEOs were judged along any of the traits examined.

"Thus, although the findings with CEOs don't necessarily generalize to those of law firm MPs, they do seem to follow parallel lines," Nick Rule told me.

Very interesting indeed. Perhaps when deciding which job offer to go for, you should check out the photos of their managing partners or CEOs first - whether it's because you want to join a firm marked for success, or contrariwise want one with a leader ripe for displacement whose face is weaker than yours!

Now, is anyone up for doing a study on the top 100 UK law firms…?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 20 October 2010

Privacy - do companies need specific power to share / use personal data?

This blog was prompted by a comment by clerkendweller on my report of the ICO's personal data sharing code consultation, about a sentence on p. 7 of the consultation paper -

The consultation mentions that private sector organisations should be able to "identify a power which permits the organisation to [disclose or share information]". The CoP suggests this might be in a company's memorandum and articles of association. [WH's note: the consultation paper said on this, "A private sector organisation’s powers are likely to be set out in, or to derive from, its constitutional documents, such as a company’s memorandum of association, rather than statute."]

Have you come across this in an actual MAA, and if so, do you know what sort of wording directors should be looking for? Maybe a corporate information policy would be a better suggestion?

This blog is my reply, because the answer to clerkendweller's question isn't as straightforward as one might like. It's affected by political, commercial and indeed historical issues more than legal ones, probably. It also depends partly on whether you're the company itself, or a third party dealing with the company.

I'm talking only about English law and "normal" English companies; and I'll ignore the issue of company directors exceeding their authority, which is another matter (something may be within the powers of a company, but not within the powers of its directors to authorise).

I also don't discuss what rights individuals might have if a company holding their personal data discloses it to someone else without having power to do so! Which is some ways the more interesting question, but wasn't what was asked, and would take even more blogs.

The short answer

It can now be generally taken that an English company of the bog standard variety has the capacity to share data, even without express specific powers in its constitutional documents to do so (and assuming the lack of certain special circumstances which corporate lawyers ought to know to look for, eg where the company is a charity).

However, most lawyers will probably say someone dealing with the company should still scrutinise its constitutional documents, and pay lawyers for doing that of course. Full reasons below.

The company itself, to make sure its own house is in order, would probably want to check it doesn't have restrictions in its own mem / arts preventing it from sharing data (unless of course that's the intention).

The long answer

To explain the answer properly, we need to consider corporate powers generally.

First, some background. Companies aren't "natural persons", of course; they're a legal construct, owing their existence and legal status to legislation by lawmakers made from the 19th century onwards.

Companies, as artificial creatures, only have capacity to do what the law says they can do - which was, largely, what was specified in the documents constituting them, filed on registering the company or when updated and publicly available for a fee. In the UK people call those constitutional documents the memorandum and articles of association, or "mem and arts".

However, people dealing with companies have sometimes found that a company has tried to get out of the deal, saying "Oh I'm just a company, I didn't actually have the power to do this deal with you, so tough luck".

Now why should those dealing with a company take the risk of the company not having enough powers? That risk should fall on the company itself, rather than third parties suffering the consequences if the company acted outside of its powers (ultra vires).

That's what lawmakers felt, too. Which is why they tried, several times over the years, to change the law to make it crystal clear (or so they thought) that innocent third parties shouldn't be prejudiced by internal restrictions on companies' powers.

The latest attempt to sort this area out was the Companies Act 2006, whose provisions on corporate capacity came in over a year ago.

Every English company should now effectively have the capacity to do anything - unless the company's articles specifically restrict what it can do (the extraneous stuff contained in the mems of pre 1 October 2009 companies is now considered to be part of the arts).

Even if there are restrictions of that kind, section 39 of the CA 2006 says (emphasis added) -

"39  A company's capacity

(1)     The validity of an act done by a company shall not be called into question on the ground of lack of capacity by reason of anything in the company's constitution.

(2)     This section has effect subject to section 42 (companies that are charities)."

This new law, from 1 October 2009, applies to existing English companies just as much as it does to companies incorporated after that date.

So an English company's ability to do things may be considered generally unrestricted, as far as third parties dealing with the company are concerned (with some limited exceptions, eg in the case of charities, or where the person dealing with the company is actually its director or connected to its director).

But now let's consider the big deals where people feel they need to bring out the lawyers.

It's been standard practice for years, when you're going to enter into a major transaction with a company, for your lawyers to check the company's constitutional documents to make sure that the company has the power to do the deal with you.

One main area where this happens is when a company wants to borrow money. The bank's lawyers will check the company's constitution, supposedly to make sure it has the power to do everything it has to do for the deal (borrow money, give security etc). The borrower pays for all this, of course. It pays its own lawyer's fees, it pays the bank's lawyer's fees. That's just life if you're a borrower trying to get finance.

In (2010) 7 JIBFL 395 (that's the Journal of International Banking and Financial Law, 1 August 2010 - subscriber-only access) Richard Bethell-Jones wrote an article "Checking constitutional documents: business as usual or money for old rope?".

There he pointed out that all these laws really ought to make people comfortable about not having to check companies' constitutional documents and the like, except in certain limited situations.

He says in trenchant terms that all this checking and re-checking is mostly a big waste of time, resources, money and paper. In fact, he think's it's "money for old rope" -

"My view is that the other reasons given for continuing these checks are unconvincing. If they convince you, please get in touch, because I can let you have the Eiffel Tower at a very advantageous price…

…I think that if the lenders paid for these checks out of their own pockets they would quickly tell their lawyers to devise
an effective sifting system, and stop checking when it isn't needed. But they do not pay; the borrower pays. Until the
borrowers tell their lenders they are not going to pay for the lenders' lawyer to make these checks (or supply it with copies
of their constitutional documents for that purpose) when it is clearly unnecessary, this ludicrous 19th century practice will
continue. It will, indeed, be business as usual."

While his article was written in the context of bank loans, the same principle applies to other powers of companies, like the power to share data.

I'm with Richard here. You shouldn't have to put specific powers allowing data sharing into English companies' constitutional documents, nor should people dealing in good faith with English companies need to check for those specific powers, in the vast majority of cases. Lawyers should of course be aware of the few cases (eg charities) where they do need to make those checks, and do them then. But not otherwise.

People dealing in good faith with English companies should be able to trust that those companies generally have power to disclose or share information (and indeed to collect and use personal data), without having to inspect their constitutional documents.

But would most lawyers (who do get paid for checking constitutional documents) agree with that view?

By training, if not temperament, most lawyers tend to be cautious conservative types.

For a company that wants to share personal data, its lawyers may well want to put into its constitutional documents specific wording spelling out powers to share personal data etc, "just in case". (Of course, for the company they really ought to make sure any restrictions on data sharing etc in the mem / arts are got rid of, although in most cases it seems unlikely that there would be any. "No restrictions on sharing" is obviously not the same thing as having specific powers to share data, but is now equally if not more important to check that.)

Similarly, lawyers working for someone obtaining data from a company will probably want to look at the company's constitutional documents to ensure that it has powers to share data, or at least no restrictions on those powers - whether they actually need to do that to protect their client, or not.

It would take a brave law firm to go against years and years of "Check the Mem and Arts!" Especially when doing that provides a steady if not always significant source of income for lawyers.

Richard also made the point that when law firms issue legal opinions to clients, it's standard practice to check constitutional documents - and it's easier to keep doing that rather than say in the legal opinion that it really doesn't matter to the third party what the company's constitutional documents contain as long as the third party is acting in good faith (and if they're not dealing in good faith, they may be in trouble, and checking the mem and arts won't do them any good then).

Richard hoped "the legal community would wake up and smell the coffee". We shall see!

(By the way, the environmentally-conscious may also applaud Richard's having a go at the practice of making those seeking finance print out and hand over "boxes and boxes" of hard copy constitutional documents -

"at completion bearing an illegible mark made in ink to certify its authenticity. This is the digital age, for heaven's sake."

- and his view that borrowers could justifiably tell lenders to go whistle for signed hard copies (my paraphrase!), they don't need them and "it is simply impertinent of the lender to ask for them.")

Declaration of interest - I know Richard well and am a huge fan of his. For many years, working mainly for banks rather than borrowers, he was a member of the elite, invitation-only City of London Law Society's Financial Law Committee, and I've been privileged to work with him as well as some other members of the Committee. He has one of the best legal minds you'll ever find, and he's robust to boot - not in the bad sense of "Oh don't worry about trivial things like the law, just do whatever you like" (which I've encountered in more than one or two lawyers), but in the good sense of being commercially pragmatic while still looking after the client's interests. He writes in a way non-lawyers can understand, too. Which is all too rare amongst lawyers.

Note - this isn't legal advice of course, just general information. And, I emphasise again, the position may well be different for other types of entities or non-English companies.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 18 October 2010

Data protection principles - mnemonics

When studying privacy law, in order to help me remember the data protection principles under the UK Data Protection Act 1998 (implementing the EU Data Protection Directive), which regulate the processing of personal data, I came up with some mnemonics.

For computery types - this blog is sort of a tribute to the OSI layer mnemonics. Which I am hereby changing to "All People Seem To Need Data Protection"! And note that "data protection", as a term in law, isn't just about backup and redundancy.

Here are my mnemonics. There are extra notes under each principle, which with Javascript turned on in your browser you can see if you [+/-] click here to show the notes (and click here again to hide them). Without Javascript the notes will be visible all the time.

If anyone has any better suggestions for mnemonics, please let me know - some of my ideas may be better for me than other people as it's just the weird way my mind works; you don't even want to know what tricks I use to try to memorise phone numbers!

1. First principle

F is for “First”, F is for “Fair and lawful” (and don’t Forget the compulsory conditions).

Personal data shall be processed Fairly and lawfully and, in particular, shall not be processed unless -

  • at least one of the conditions in Schedule 2 [of the Data Protection Act] is met, and
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

(About: collection limitation, data quality, purpose specification; openness / transparency, notice / awareness, choice / consent)

In plain English, for processing of personal data to satisfy the first principle, at least one of a list of conditions must be met (eg getting the data subject's "consent" to the collection of their data, or - for sensitive personal data - falling within circumstances specified by government Order), and, in addition, the processing has to be generally fair and lawful too; again, it's not "fair" unless eg the data subject has been given notification about who's processing their personal data, for what purpose etc.

In other words, if none of the required conditions can be met the processing can't be "fair" and the processing can't comply with this principle, no matter how generally fair it might seem as a matter of common sense. "Fair and lawful" is necessary but not sufficient - you have to scrutinise the conditions and other requiremens too.

For "sensitive personal data" there are stricter conditions, precisely because the data is sensitive. That includes personal data about health, race, religious or political beliefs and sexual life, even trade union membership - but, interestingly, financial data is not considered "sensitive" in the EU, eg your income or assets.

2. Second principle

S is for “Second Principle”, S is for “Specified and lawful Purposes only”.

Personal data shall be obtained only for one or more Specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

(About: data minimization, data quality, purpose specification, purpose limitation or use limitation, transparency)

In other words, if an organisation says they're collecting your personal data for purpose X only, they should tell you so up front, and they really shouldn't then use it for another purpose Y.

But how anyone can catch them using it for purpose Y is a different matter, and one of the biggest problems for privacy protection today.

3. Third principle

T is for “Third”, and there ARE Three elements here: Adequate; Relevant; and not Excessive.

Personal data shall be Adequate, Relevant and not Excessive in relation to the purpose or purposes for which they are processed.

(About: data quality, data minimisation, purpose limitation / use limitation)

Similar point to the above. Most websites don't really need your date of birth or mother's maiden name just to let you in, but many make you give that info before they allow you to even register.

Strictly, they shouldn't be seeking to obtain excessive personal data like that. But if they don't get caught out, reported or fined for doing it, what's to stop them?

4. Fourth principle

F is for “FoUrth”, F is for “Fidelity - Faithfulness to the Facts” (=Accuracy); U is for “Updated where necessary”

Personal data shall be accurate and, where necessary, kept Up to date.

(About: data quality, data integrity)

Of course, normally you can't find out what personal data an organisation holds about you (in order to check its accuracy and currency) unless you first fork out a tenner or more. In contrast, making Freedom of Information requests to public bodies doesn't you cost a penny.

5. Fifth principle

For “Five” the Roman numeral is L; L is for the Length of time for which personal data may be kept.

Personal data processed for any purpose or purposes shall not be kept for Longer than is necessary for that purpose or those purposes.

(About: data quality, data retention, purpose limitation / use limitation)

Again, the tricky practical issue is how one checks this and makes sure all backups or duplicates are also deleted too.

6. Sixth principle

S is for “Sixth”, S is for “Subject rights”.

Personal data shall be processed in accordance with the rights of data Subjects under this Act.

(About: openness / transparency, individual participation / access, enforcement / redress)

An individual's rights in relation to personal data held about them aren't as good as you might think.

Frankly individual data subject rights don't amount to very much, in the UK. That's one of the reasons why the European Commission took issue with the UK over the UK's data protection laws. The Commission is also taking the UK to the European Court over the UK's inadequate internet privacy laws.

7. Seventh principle

S is for “Seventh”, S is for “Security - ATOM, U2 And D2”.

Appropriate Technical and Organisational Measures shall be taken against Unauthorised or Unlawful processing of personal data and against Accidental loss or Destruction of, or Damage to, personal data.

I admit I’m reaching here - the capitalised words above, and going through the explanations below of how to (vaguely!) connect the abbreviations to the concept, should hopefully help clarify my bash at the mnemonics, and make them stick better -

  • ATOMic stuff (for Appropriate Technical and Organisational Measures), you’ll certainly want security for that!
  • U2 (for Unauthorised or Unlawful) - that's an Irish band, well some authorities are still nervous about security in relation to things Irish aren’t they? (reminds me - I once heard a Northern Irish guy remark, only half-jokingly, about the risks of being arrested for being in possession of an Irish accent!).
  • And” is for Accidental loss.
  • D2 (for Destruction and Damage) - the connection there with security isn’t too hard. (I just couldn’t squeeze R2-D2 in there, believe me I tried.)

(About: data security, data integrity)

Yet again, a difficult issue is how to make sure those measures really have been taken. Which is where the principle of accountability, that's increasingly gaining credence, comes in.

8. Eighth principle

E is for “Eighth”, E is for EEA - that’s “EEA-only Except if ALPS” (Adequate Level of Protection for Subjects).

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an Adequate Level of Protection for the rights and freedoms of data subjects in relation to the processing of personal data.

(About: data transfer)

No, Switzerland is not part of the EEA, though it certainly boasts alps galore. Austria is in the EEA, however. As are Norway, Iceland and Liechstenstein, as well as the other usual EU suspects. (Another suggested memory trick - Norway, Iceland and Liechstenstein are NOT in the EU though they're in the EEA, so think Eurovision song contest and NIL points (I know, purists would say it's actually "nul")).

(Yes, the Eighth Principle's mnemonic is a recursive acronym, as a tribute to GNU. And there's nesting too, if you count ALPS. Am I allowed to be slightly smug about that mnemonic, or d'ya think I'm just sad?)

This is another tricky area. It's not straightforward figuring out the "location" and "transfer" of data, just for starters. I won't say more about it here.

Warning notes

For non-lawyers - this blog isn't meant to explain the data protection principles or their application, it's just to provide an aide memoire and make a few points about the principles. Whole books have been written about the principles. Just bear in mind that in legislation and cases, "normal" words can have special meanings - so you can't always read the data principles (or indeed other laws) literally, as they don't necessarily mean what you'd think. Which is partly why you need specialist lawyers and judges.

F'rinstance, even the concept of "personal data" is both wider and narrower than you might think.

And "processing" includes passively storing data as well as collecting, manipulating, deleting data, using it; even sending or giving someone else access to data is "processing" it.

See generally the ICO's data protection guide, which is excellent. (The Information Commissioner is the UK's main data protection / privacy regulator.) There are good glossaries at the European Data Protection Supervisor's website and the ICO website.

For everyone - the data protection principles are good stuff and don't need changing at their core, as was recently pointed out in the ICO's response to the UK Ministry of Justice's consultation seeking views on data protection laws. Many best practices are implicit in the principles (eg using PETs).

But just having laws or regulations in place doesn't mean people will automatically respect or obey them.

If you can't monitor or police properly the extent to which organisations are failing to follow the principles, or you can't punish breaches adequately to provide a meaningful deterrent against infringements, then many will continue to ignore laws and regulations.

When proposals for a modernised EU Data Protection Directive come out in 2011 hopefully they'll include provisions that will help improve matters on this front.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Sunday, 17 October 2010

ComputerWeekly IT blogs award - individual female nomination

Whether it's for my writings on privacy and technology or on technology and law more generally, some unknown person has very kindly nominated Tech and Law for ComputerWeekly's IT Blog Awards 2010: Individual IT Professional Female.

Thank you very much, whoever you are. It's quite unexpected, especially as this blog's only been going for not much more than a year, but it's a real honour and delight given that ComputerWeekly is a top magazine for IT professionals in the UK.

If any of you would like to vote for Tech and Law as and when the voting opens, I wouldn't be at all upset either! :-D

Thank you all again.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 13 October 2010

Sharing of personal data - UK consultation

Privacy obviously may be affected when organisations give your personal data to others. UK privacy regulator the Information Commissioner last week issued a consultation paper on a data sharing code of practice, which -

"sets out a model of good practice for public, private and third sector organisations, and covers routine data sharing as well as one-off instances where a decision is made to release data to a third party…

The code covers a number of areas including:
what factors an organisation must take into account when coming to a decision about whether to share personal data;
the point at which individuals should be told about their data being shared;
• the security and staff training measures that must be put in place;
• the rights of the individual to access their personal data; and
• when it’s not acceptable to share personal data."

The press release mentions some scenarios where data sharing might occur eg -

"a school passing information about a child to a social services department, a group of insurance companies pooling data about people making claims, GPs sending a patient’s record to a hospital, or a retailer passing customer details to a debt collection company."

The consultation paper includes case studies, suggested contents for a data sharing protocol and template forms.

Note that, as the consultation paper itself points out, "The ICO cannot take enforcement action over a failure to adopt good practice or to act on the recommendations set out in this code unless this in itself constitutes a breach of the DPA." [UK Data Protection Act 1998]

The consultation ends on 5 Jan 2011. Anyone interested can download the consultation questions and respond by email to or by letter to: Policy Delivery, ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. See further the ICO consultations page on publication of responses etc.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Digital Economy Act - draft costs sharing order

The UK Department for Business Innovation & Skills (BIS) have published the draft text of The Online Infringement of Copyright (Initial Obligations) (Sharing of Costs) Order 2011.

That's a "Draft order which specifies provisions that must be included in the initial obligations code about payment by copyright owners and internet service providers of contributions towards costs incurred under the copyright infringement provisions in the Communications Act 2003, inserted by the Digital Economy Act 2010."

According to the BIS What's New page the draft Order was published on Monday, 11 October 2010. But the date in the title (2011) gives a hint as to when they expect to issue the order officially. (Small conflict in the titles between reg 1 and the title itself.)

I've not looked at it properly yet - though I did do a quick rough blackline showing changes from the March 2010 draft Online Infringement of Copyright (Initial Obligations) (Sharing of Costs) Order.

But it no doubt reflects the government's September 2010 response (Online Infringement Of Copyright (Initial Obligations) Cost Sharing - HM Government Response) following their March 2010 consultation on their proposals with draft statutory instrument.

A big issue being, who pays how much for making ISPs act as copyright owners' police officers and "enforcers" against music or movie etc file sharers.

As many will know, ISPs will have to fork out for 25% of the costs, which probably means they'll pass that on to their customers, that's us mere internet users, thus possibly reducing the numbers of people in the UK who will be able to afford internet access. Which, given that a lot of people now believe that internet access should be a fundamental human right, is an issue.

There's also who bears ISPs' upfront capital expenses of investing in systems to enable them to do all this… (see the Society for Computer and Law's response - and full PDF response).

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 7 October 2010

How privacy laws should be updated - UK regulator's views

UK data protection regulator the Information Commissioner recently issued a detailed paper responding to the Ministry of Justice's call for evidence on how well current UK data protection laws are working.

I'd spotted and blogged the ICO's webpage summarising their views on the key data protection law issues a month ago, and wondered then why the response was so short.

Clearly that webpage was just a very brief advance summary. The full response entitled "The Information Commissioner’s response to the Ministry of Justice’s call for evidence on the current data protection legislative framework" was released yesterday, 6 October 2010, and contains views not just on the UK Data Protection Act but also the underlying EU Data Protection Directive more generally.

From the ICO's press release of the same date -

"The ICO supports the [MoJ's] review and believes that there needs to be a common sense and modern day approach to data protection.

The ICO has pointed out that although the current data protection principles are sound, the law needs to provide more clarity for individuals and for businesses. In particular the privacy watchdog wants more clarity on the scope of the law including what constitutes personal data.

The law must be clearer on when consent is required to use personal information and adopt a more pragmatic approach to the regulation of international data flows. The allocation of responsibilities amongst those handling personal data also needs to reflect the changing nature of modern day business relationships.

The ICO believes there needs to be better coordination between freedom of information law and an appreciation that individual’s rights need to be updated to bring them in line with the capabilities of modern technology."

David Smith, Deputy Commissioner and Director of Data Protection at the ICO, welcomed the MoJ’s call for evidence and said -

"We need to ensure that people have real protection for their personal information, not just protection on paper and that we are not distracted by arguments over interpretations of the Data Protection Act.”

I've not read the full response in detail yet but it appears to be sensible, realistic and pragmatic (which is typical of the ICO).

It advocates a simpler, clearer approach with flexible, contextual, nuanced assessment of the risks to privacy involved in the circumstances - rather than the current "all or nothing" binary approach (either it's personal data or it's not; either it's sensitive personal data, or it's not; either a specific strict exemption or condition applies, or it doesn't) which has made privacy protection dependent on bureaucracy and fine legalistic distinctions that even lawyers specialising in the area have trouble making out or understanding - notably, what is or isn't "personal data", and when data can be anonymised enough to cease to be "personal data".

And, although it wasn't in their summary, the ICO have in their full response mentioned "privacy by design" -

"The principle of privacy by design is implicit in the existing data protection principles - for example, the requirement that personal data shall not be excessive. However, an explicit privacy by design requirement would give a clear message to those designing, procuring and operating information systems that the processing of personal data must be done in the most privacy friendly way practicable."

I would add, or rather reiterate - now if only the government would give the ICO proper monitoring and enforcement powers, and the funding, resources and training to exercise them too. (At least the ICO are planning to fine two organisations for data protection failures, soon.)

Recall that the EU are taking the UK to the EU Court of Justice for failing to implement even the existing EU data protection and electronic privacy laws properly. Hopefully that will spur the government to take action soon following the MoJ review.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.