I had a look at the UCL' website which was recently updated to include a search facility for ICO Decision notices. The website had also translated two articles about Germany's freedom of information laws. Worth visiting!
Monday, January 30, 2006
Wednesday, January 25, 2006
Search engines
There has been some concern over the last few day about search engines (in particular, the news concerning Google and whether it will hand over the search engine results to the DOJ) and privacy in general. It was not really surprising (certainly for privacy scholars, data protection experts etc) that google search results could be of use to official authorities (particularly as it contains personal information of individuals albeit indirectly).
However, what would be more of interest is the consequences of such use, particularly in the context of online profiling - users' habits, what they read, do etc. being collected.
From a data protection perspective, the Directive on Privacy and Electronic Communications 2002/58/EC have been very clear about the collection of personal information online (see Art. 5 on confidentiality of communications and Art. 6 on traffic data).
The Data Protection Directive (particularly Art. 8 on sensitive data) is also relevant. Art. 8(1) expressly prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life. There are then a list of exemptions provided under Art. 8(2). The point is that search engine results can and may show that personal information relate to the specific categories (political, philosopical beliefs etc.) Unless the exemptions apply, search engines would find itself at fault with the Data Protection Directive.
I have included a list for those who want follow up on online profiling:
CDT
FTC: Report into Online profiling
EPIC: Online profiling (pdf)
However, what would be more of interest is the consequences of such use, particularly in the context of online profiling - users' habits, what they read, do etc. being collected.
From a data protection perspective, the Directive on Privacy and Electronic Communications 2002/58/EC have been very clear about the collection of personal information online (see Art. 5 on confidentiality of communications and Art. 6 on traffic data).
The Data Protection Directive (particularly Art. 8 on sensitive data) is also relevant. Art. 8(1) expressly prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life. There are then a list of exemptions provided under Art. 8(2). The point is that search engine results can and may show that personal information relate to the specific categories (political, philosopical beliefs etc.) Unless the exemptions apply, search engines would find itself at fault with the Data Protection Directive.
I have included a list for those who want follow up on online profiling:
CDT
FTC: Report into Online profiling
EPIC: Online profiling (pdf)
Monday, January 23, 2006
Outsourcing
I was reading through the latest article on outsourcing about concerns that some of the key services by the UK government, Department of Work and Pensions may be transferred abroad. What is unclear is where there are transferring these services and whether the UK government have really considered the implications of the Data Protection Act 1998 (see also the eight data protection principle). Security aside, perhaps the question that arises, is how "adequate" are the laws abroad to protect the personal information of individuals?
I recall one instance in which an investigative reporter was able to obtain personal details belonging to UK bank customers from a call centre in Delhi. Although, this matter has been investigated by the Information Commissioner (see another article) with the conclusion that the security procedures of call centres in India were robust, it raises serious issues about the extent of offshoring activities - I raise these questions because India does not currently have data protection laws, but have been planning to do so (how long, one awaits to see).
For more information on data protection however, see the UK Information Commissioner website.
Friday, January 20, 2006
Online Brokers
Well, what can I say? There have been some press releases circulating about the practice of online brokers, who manage to obtain the personal information and cell phone records of users. These are then sold onto anybody who requests this (see also
this press release).
The US Federal Communications Commission is currently investigating this practice. Perhaps, what is surprising to me (if it is correct) is the lack of powers on the part of the Privacy Commissioner in Canada to investigate this. The main reason is that the current Canadian legislation PIPEDA does not intend to apply outside of Canada. While it is acknowledged that there may be potential enforcement problems, it raises serious issues about the current PIPEDA.
As for the European side, Art. 5 of the Directive on Privacy and Electronic Communications 2002/58/EC provides for the confidentiality of communications and with the exceptions from the processing of such data, the consent of the user is required (see Art. 5(1)).
For anyone interested in examining the subject of online brokers, see the Canadian Internet Policy and Public Interest Clinic as a starting point. They are due to issue a report in the Spring on the Canadian data-brokerage industry.
this press release).
The US Federal Communications Commission is currently investigating this practice. Perhaps, what is surprising to me (if it is correct) is the lack of powers on the part of the Privacy Commissioner in Canada to investigate this. The main reason is that the current Canadian legislation PIPEDA does not intend to apply outside of Canada. While it is acknowledged that there may be potential enforcement problems, it raises serious issues about the current PIPEDA.
As for the European side, Art. 5 of the Directive on Privacy and Electronic Communications 2002/58/EC provides for the confidentiality of communications and with the exceptions from the processing of such data, the consent of the user is required (see Art. 5(1)).
For anyone interested in examining the subject of online brokers, see the Canadian Internet Policy and Public Interest Clinic as a starting point. They are due to issue a report in the Spring on the Canadian data-brokerage industry.
Wednesday, January 18, 2006
ID cards debate
As some of you may be aware, the UK government has been pushing through ID cards Bill this week, which was recently blocked by the House of Lords. The main concern has been the cost, which keeps fluctuating every time I read a press release.
However, leaving aside the costs, the biometric passports is currently being rolled out this year with the possibility of fingerprints from 2008 (date not yet decided). Why waste the money on ID Cards that duplicates what the passport does, lacks robustness (or potential if we look at the LSE report), flawed (in terms of the cost) and is far too complex? I have my reservations (of course, data protection issues comes into this), but for more information, see the following websites:
Monday, January 16, 2006
Online mapping - privacy concerns
I came across a recent posting in Boston.com about mapping services introduced by companies such as Microsoft and Google, which raised potential privacy concerns.
The images are so detailed you can tell whether a neighbor's hedge was recently trimmed or whether the car parked in front of a local eatery might belong to a friend....The companies' newly evolving search and mapping services make it easier than ever to scout out everything from vacation destinations to a new hairdresser.Never before have searchable databases of detailed pictures covering wide swaths of urban areas been readily available.
Well, should we sound alarmed or not? Before I consider the Data Protection Directive (DPD), I should say that I have no objection with a general map showing roads, motorways etc. My main concern is the level of detail contained in a map, which will inevitably raise privacy concerns under the Data Protection Directive. More specifically, Art. 2(a) of the DPD:
(a) 'personal data' shall mean any information relating to an identified
or identifiable natural person ('data subject'); an identifiable person
is one who can be identified, directly or indirectly, in particular by reference
to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity.
This is where we get to the crux of the issue. Can a home be related to an identifiable person? This is not an easy question, but it really comes down to whether the home in question relates to an identified or identifiable individual. Leaving aside the exemptions, it is arguable that if someone can identify the home as belonging to X, then it is personal data.
Probably, a pertinent example I could think of is the recent ruling by the Press Complaints Commission (PCC) which upheld the complaint by JK Rowling when a national newspaper had published a picture of the author's London home together with the name of the road on which it was located. According to the PCC, this was "sufficient information to identify the exact location of the property".
The Commission recognises that high profile individuals may be exposed to security problems if their precise addresses are published. Indeed, the newspaper itself noted that the complainant had ‘gained her fair share of stalkers and obsessive fans’. The Commission was satisfied that the photograph and its caption contained sufficient information to identify the exact location of the property. It did not consider that the newspaper had demonstrated that the information was in the public domain to such an extent as to justify publishing it in this way. There was therefore a breach of Clause 3 on this point.
Well, one awaits to see what legal developments arise on this issues!
Friday, January 13, 2006
Another case of privacy invasion
I came across this recent press release about Apple's popular iTunes software. It was disconcerting to find that the software could send information about computer users' playlists back to Apple.
The new music software includes a 'MiniStore' window, which provides recommended links to Apple's music download service when a listener actively clicks on a song in their personal playlist, including songs that haven't been purchased from the iTunes store.
To provide those recommendations, the software sends information about the selected song, such as artist, title and genre, back to Apple. But the software also transmits a string of data that is linked to a computer user's unique iTunes account ID, computer experts have found.
Because iTunes users typically sign up for the music store with an email address and a credit card number, the account ID number could in theory be linked to that information, as well as a user's purchase history, said Apple expert Kirk McElhearn, who has published several books on Macintosh computers.
If one looks at the data protection principles under the Data Protection Directive (Art. 6), this provides that:
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
What is unclear is why users were not informed about the fact that information about their playlist could be sent back to Apple. Irrespective of whether consent has been given, it certainly appears that information collected about its users and redirected to the company goes against some of the data protection principles.
Furthermore, the Directive on Privacy and Electronic Communications 2002/58/EC provides that such use should only be allowed for legitimate purposes with the knowledge of the user concerned. Art. 5(3) states that:
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.Recital 24 of the same Directive provides that:
Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.
I do not want to dwell on this too much, but for those interested in this area, see Spyware watch and Wikipedia's definition of spyware.
The UK Information Commissioner has also issued some guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003 that implements the Directive on Privacy and Electronic Communications 2002/58/EC.
The UK Information Commissioner has also issued some guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003 that implements the Directive on Privacy and Electronic Communications 2002/58/EC.
Wednesday, January 11, 2006
Journals worth reading!
The DCA has recently launched its journal entitled Information Rights Journal (pdf). A quick glance of the journal will show recent developments of data protection and decisions of the UK Information Commissioner to Freedom of Information Requests. As stated on the DCA website, the purpose of the journal is to:
Provide information rights practitioners with a round up of the latest developments in the information rights field. The journal will provide information on a wide range of issues across information rights as a whole, uniting freedom of information, data protection and the environmental information regulations. It will provide reports of emerging case law from decisions of the information commissioner and tribunal, and will serve as a useful reference tool for practitioners in central government and beyond.Another journal I would recommend reading is opengovjournal.org. I have still yet to go through the articles, but quick skim read of the contents shows interesting perspectives to the UK Freedom of Information Act including:
- First pulse check on UK FOI community indicates good health by Sarah Holsen.
- The role of the information tribunal under the UK Freedom of Information Act 2000 by Timothy Pitt-Payne.
- The UK’s openness watchdog lacks teeth and transparency by Heather Brooke.
Monday, January 09, 2006
Another Cause for Concern
I was reading through a press release that slightly alarmed me after it emerged that credit card details of hundreds of guests at an exclusive hotel were found dumped in a skip.
The Information Commissioner's Office (ICO) said the hotel may also have breached the Data Protection Act by wrongly disposing of the cards, understood to include those completed by a number of MPs.
I agree that there was certainly a procedural lapse to ensure the security/confidentiality of customer's personal details. I cannot overemphasise the need to comply with the Data Protection Act 1998. In particular, the seventh data protection principle states that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
To see further guidelines, see the Information Commissioner's website.
Thursday, January 05, 2006
One year on: the Freedom of Information Act
There was an article recently on the Freedom of Information Act (FOIA). It provides as follows:
One awaits to see what proposals arise to amend the FOIA. However, one main concern is the continued backlog of complaints arising from the FOIA and are dealt with by the Information Commissioner. In a special report on the FOIA, it found that 'the commissioner has so far received more than 2,200 complaints, mainly about Whitehall and local councils. Of these, he has yet to deliver a verdict on 1,300 of them. His staff are only now starting to consider complaints which were submitted to his office in May.' How can these problems be remedied? More staffing? Staffing is only one part of the solution. According to the same report, what is being is considered is as follows:
Writing in the Guardian on the first anniversary of the Freedom of Information Act, Lord Falconer, the constitutional affairs secretary, signals his intention to end what ministers regard as abuses of a system that is generally working well.
His move will anger the tabloid press and cause concern among freedom of information campaigners suspicious that wider restrictions will be imposed under the cover of protecting individuals. Lord Falconer writes: "Freedom of information is about giving power to the people, not about declaring open season for the wilder fevers of journalistic wish lists".
One awaits to see what proposals arise to amend the FOIA. However, one main concern is the continued backlog of complaints arising from the FOIA and are dealt with by the Information Commissioner. In a special report on the FOIA, it found that 'the commissioner has so far received more than 2,200 complaints, mainly about Whitehall and local councils. Of these, he has yet to deliver a verdict on 1,300 of them. His staff are only now starting to consider complaints which were submitted to his office in May.' How can these problems be remedied? More staffing? Staffing is only one part of the solution. According to the same report, what is being is considered is as follows:
The government is now reviewing at least two aspects of the act. The first is the issue of fees that can be charged by government bodies to members of the public when they make requests to recover the costs of, for example, finding and photocopying documents. So far, the public has been charged very little. However charging would almost certainly reduce the number of requests made.Secondly, Charles Falconer, the constitutional affairs secretary responsible for the act, is looking to clamp down on what he believes are "wilder" and irresponsible requests, particularly from the tabloid press. He cited as examples requests for the number of windows at the department for education and skills, and the amount of money that departments spend on toilet paper.
Although there are concerns about potential misuse arising from the FOIA, it is questionable whether the proposed changes has the counter-effect of defeating the very purpose of the FOIA - transparency, accountability etc. We await (with bated breath). For more information about the FOIA, see the DCA website.
Wednesday, January 04, 2006
Radio Interview about DNA
I was listening to the Today programme and came across this interesting discussion (realplayer) on DNA and privacy between Lord Mackenzie and Simon Davies from Privacy International. The introduction to the interview was about the following:The number of crimes solved by DNA has quadrupled in five years. But what if there are mistakes?
What was interesting was the discussion about potential mistakes that could be made from contaminated DNA? It was defended on the grounds that such opposition (not the actual words used) could apply to fingerprints. What needed to be tightened were the procedural aspects when collecting the DNA of individuals.
Another area of discussion was the use of DNA collected. One example given by Davies was the reluctance by many police officers to volunteer their own DNA in a National DNA database on the grounds that this would be used for other purposes such as paternity testing.
Looking at this subject from a data protection perspective, it is disconcerting to find potential misuses arising from the collection of DNA ie. collected and used for purposes other than that which was originally intended. The Data Protection Principles (under Art. 6 of the Data Protection Directive 95/46/EC) states that:
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further
processed in a way incompatible with those purposes. Further processing of
data for historical, statistical or scientific purposes shall not be considered as incompatible
provided that Member States provide appropriate safeguards;
The data protection principles can be found in Schedule 1 of the UK Data Protection Act 1998. Although, we cannot ignore the potential benefits that have arisen through the use of DNA testing, we must also guard against the potential misuse from the DNA collected. The UK Data Protection Act 1998 and the Data Protection Directive 95/46/EC goes some way to address this, but more awareness (in my view) of this legislation in the context of genetic information is required.(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
For more information about genetic information, see the Human Genetics Commission website and a report (pdf) published back in 2000 on the public attitudes to the use of genetic information.
Subscribe to:
Posts (Atom)
Posts
