Tuesday, August 28, 2007

Latest issue of Data Protection Law and Policy

The latest Issue of Data Protection Law and Policy is available:

In the UK, there is a growing consensus that the Information Commissioner's Office (ICO) is toughening up. It all started with the rogue traders who passed themselves as official registrars and demanded a few hundred pounds a shot for registration. That did not go down well in Wilmslow, given that their modest registration fees make up the bulk of their own funding. Then, a handful of aggressive marketers clogging small businesses' fax machines got to see the darker side of a normally peaceful regulator. But it is the good old Principle 7 - or the lack of compliance with it - that has kept the enforcement arm of the UK data protection authority especially busy in recent times.

OPINION: PNR AGREEMENT: SETTING A BAD PRECEDENT The recently enacted EU-US agreement on the transfer of Passenger Name Records (PNR) data is intended to provide a legal framework facilitating the transfer of this data whilst safeguarding individual privacy. In this article, Sophie in't Veld, Member of the European Parliament (MEP) for the Dutch social-liberal party 'D66', sets out why the agreement is fundamentally flawed, sets a bad precedent for future agreements and represents a defeat in the fight against terrorism.


The Article 29 Data Protection Working Party's opinion on the concept of personal data, issued 20 June, interpreted the four 'building blocks' in the Data Protection Directive that determine what constitutes personal data.
Siobhan McManus of Bird & Bird explains the Working Party's findings, discussing the implications of its 'wide' interpretation of what constitutes personal data, in contrast to the 'narrow' UK position.

NETHERLANDS: DISMISSAL UNDER EMPLOYER TELEPHONE TAPPING A recent ruling by the Breda Subdistrict Court, which permitted the playing of a surreptitious recording of a telephone conversation between an employer and his employee in dismissal proceedings, has contradicted recent human rights case law concerning the privacy of employees in the workplace. Nicole Wolters Ruckert of the Dutch law firm, Kennedy Van der Laan examines the judgment and its implications for employee privacy.

ITALY: THE 'PEPPERMINT' CASE: PRIVACY V COPYRIGHT UPDATE An ongoing case in Italy concerning the desire of a German record company to obtain the identities of internet users from ISPS, over the alleged posting and downloading of copyright infringing music files on P2P networks, has attracted the attention of the Italian Privacy Commissioner over allegations of illicit monitoring of internet user activity. In this article, Daniela De Pasquale, a partner in La Scala & Associati in Milan, sets out current developments in this case and in this area at EU level.

IDENTITY THEFT: LIMITING CLASS ACTION LIABILITY FOR BUSINESSES As concern surrounding identity theft in the United States continues, financial organisations are threatened by lawsuits over failures to ensure sufficient levels of corporate security, particularly in the form of class-action lawsuits where customers are affected on a nationwide basis. R. Bruce Allensworth, Andrew C. Glass, Ryan M. Tosi and David D. Christensen of K&L Gates' Boston office report on a recent US district court case where they successfully represented the defendants and which may limit class action liability for organisations that electronically store consumer personal information."

Saturday, August 25, 2007

Standing the test of time!

Postman's book, which some have read, and is highly recommended, laments the shift of public discourse from typography to television. This made me think about whether the shift is changing with the widespread use of the internet through Web 2.0, blogs, podcasts and so forth:

"In this book, Neil Postman, Professor of Communication Arts and Sciences at New York University argues eloquently and convincingly that television is transforming our culture into one vast arena for show business in which all public affairs - politics, religion, news, education, journalism, commerce - have been turned into a form of entertainment. Amusing ourselves to death is an urgent plea for us to question what is happening before it is too late."

The book not only succinctly examines the communication medium (through television), but discusses the change from a typographic America (see chapter 3) to a "Now...This" mindset.

"This is Neil Postman's contention. Television, he argues, has taken the place of the printed word as the centre of our culture, and in so doing has trivialised the onnce serious and coherent discussion of all public affairs. Even our political and religious leaders today depend more on camera angles and showmanship than on reason and rhetoric. Using examples from America's past and present history, he makes a convincing, often wittily argued case that we are moving not towards Orwell's vision of the future but towards Aldous Huxley's Brave New World in which people become addicted to the technologies that take away their capacity to think: their critical faculties are destroyed and their sense of history is lost."

Although Postman has written a book on technology, I am more inclined to think that what is happening is another culture revolution (shift from television to the electronic medium) through the use of the internet (blogs, podcasts, videoblogs etc.) has taken. Would Postman have envisaged this? I don't know, but I leave you with a few thoughts from his book:

"Any yet there is reason to suppose that the situation is not hopeless. Educators are not unaware of the effects of television on their students. Stimulated by the arrival of the computer they discuss it a great deal - which is to say, they have become somewhat "media conscious". It is true enough that much of their conciousness centres on the question, How can we use television (or the computer, or word processor) to control education? They have not yet go to the question, How can we use education to control television (or the computer, or word processor)? But our reach for solutions ought to exceed our present grasp, or what's our dreaming for?...

What I suggest here as a solution is what Aldous Huxley suggested, as well. And I can do no better than he. He believed what H.G. Wells that we are in a race between education and disaster, and he wrote continuously about the necessity of our understanding the politics and epistemology of media. For the end, he was trying to tell us that what afflicted the people in Brave New World was not that they were laughing instead of thinking, but that they did not know what they were laughing about and why they had stopped thinking."

I would hope that the internet revolution (blogs, podcasts etc.) not only challenges the mindsets of teachers and students to be critically aware, but to evaluate the things that we read - the problem that I find is usually an information overload (not merely from the television medium, but also from the internet etc.) - evaluating the sources (whether television, internet, radio to name a few examples), sifting through the main points will be the key.

Friday, August 24, 2007

Google Maps and Privacy

According to the latest post from Out-Law news, google maps are changing its privacy policy on its street view. This follows concerns about photographs of streets showing people's faces, car number plates and views of their houses. However, the subject of photographs and maps is particularly relevant when considering this as "personal data" under the Data Protection Directive - as I have noted in previous blog posts, this concept can be quite broad. However, one should note that protection personal information is not absolute and a proportionate response will need to be taken. A further point to add is that Art. 9 of the Data Protection Directive 95/46/EC on artistic, literary and journalistic purposes may still apply (consider the national data protection laws of each Member State). I have written on this in my thesis (still yet to be published), but for those researching this area, the Commission's report on the transposition of the Data Protection Directive 95/46/EC is a good starting point.

Thursday, August 23, 2007

Six thinking hats!

I have been reading a book titled "Six thinking hats", written by Edward De Bono, which I would recommend. It is a technique that looks at important decisions from different perspectives.

Here is an extract:

"How to Use the Tool:

You can use the Six Thinking Hats technique in meetings or on your own. In meetings it has the benefit of blocking the confrontations that happen when people with different thinking styles discuss the same problem.Each 'Thinking Hat' is a different style of thinking. These are explained below:

White Hat:
With this thinking hat you focus on the data available. Look at the information you have, and see what you can learn from it. Look for gaps in your knowledge, and either try to fill them or take account of them.This is where you analyze past trends, and try to extrapolate from historical data.

Red Hat:'Wearing' the red hat, you look at problems using intuition, gut reaction, and emotion. Also try to think how other people will react emotionally. Try to understand the responses of people who do not fully know your reasoning.

Black Hat:Using black hat thinking, look at all the bad points of the decision. Look at it cautiously and defensively. Try to see why it might not work. This is important because it highlights the weak points in a plan. It allows you to eliminate them, alter them, or prepare contingency plans to counter them.

Black Hat thinking helps to make your plans 'tougher' and more resilient. It can also help you to spot fatal flaws and risks before you embark on a course of action. Black Hat thinking is one of the real benefits of this technique, as many successful people get so used to thinking positively that often they cannot see problems in advance. This leaves them under-prepared for difficulties.

· Yellow Hat:The yellow hat helps you to think positively. It is the optimistic viewpoint that helps you to see all the benefits of the decision and the value in it. Yellow Hat thinking helps you to keep going when everything looks gloomy and difficult.

Green Hat:The Green Hat stands for creativity. This is where you can develop creative solutions to a problem. It is a freewheeling way of thinking, in which there is little criticism of ideas. A whole range of creativity tools can help you here.

Blue Hat:The Blue Hat stands for process control. This is the hat worn by people chairing meetings. When running into difficulties because ideas are running dry, they may direct activity into Green Hat thinking. When contingency plans are needed, they will ask for Black Hat thinking, etc.

A variant of this technique is to look at problems from the point of view of different professionals (e.g. doctors, architects, sales directors, etc.) or different customers."

Useful for conferences and seminars - I wonder what hat I'll be wearing, when I am teaching my students! Next book on my list - lateral thinking!

Wednesday, August 22, 2007

YouTube, Private Exemptions and Lindqvist all in one!

Out-Law has recently posted an interesting case, which has YouTube, Private exemptions (under s 36 of the Data Protection Act 1998) and Lindqvist issues all wrapped up in one case:

"The woman at the centre of a battle with social services over the future of her unborn baby will not be able to claim an exemption from the UK's Data Protection Act, a legal expert has warned.
Vanessa Brookes of Calderdale, Halifax was recently told by a social worker that the local authority would apply for an interim court order to take her baby from her and place it with foster parents on birth. Worried about the outcome of the meeting, Brookes tape recorded it. The recording was published on video sharing website YouTube. Local authority Calderdale Council has objected to that publication and has said that it will take legal action to have it taken down because, it says, it breaches the Data Protection Act (DPA). "The Council believes that the YouTube recording breaches the Data Protection Act, since the recording was made without the knowledge or consent of our member of staff," said a statement from Calderdale Council. "We have concerns that, because the case involves court proceedings, it could prejudice child protection and safeguarding outcomes." Dr Chris Pounder, a data protection specialist at Pinsent Masons, the law firm behind OUT-LAW.COM, said that the DPA has an exemption in section 36 that applies when recordings like this are used for domestic purposes. This exemption excludes all of the data protection principles and rights, and applies, for example, when parents take their video cameras to record their children's performance in a school play. But, he said, as soon as the recording was published online it is ineligible for the 'domestic purposes' exemption because of the European Court of Justice (ECJ) ruling in a case involving Mrs Bodil Lindqvist in Sweden.
Lindqvist was a church activist who published personal details of parishioners on a website as part of a computing project. She said that publishing details should not breach the EU's Data Protection Directive, but the ECJ disagreed. The ECJ stated: "That [domestic purpose] exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people." The Lindqvist judgment means that the section 36 exemption does not apply in the YouTube posting and the personal data is fully subject to the DPA and the enforcement powers of the Information Commissioner, said Pounder. He added "The exemption is also lost, even if I put up online information about myself. However, in this case, there are very few data protection obligations as there is my consent. The problems arise when I put someone else's personal data on these web-sites in the absence of consent" he said."

I have already written an article some time back with a colleague looking at publishing personal information on websites for private purposes and social networking in the context of data protection, so this case appears to be timely. The article is due to be published in the forthcoming John Marshall Journal of Computer and Information Law, but the working paper can be found here. Again, since the Lindqvist case, it is unlikely that publication of personal information on the internet would fall within the exemptions for private purposes (though, see the different EU Member States' approach, which I describe in the article). Comments welcome!

Tuesday, August 21, 2007

A few developments

Just a few developments to note on data protection in the UK:

1) The draft Data Retention (EC Directive) Regulations 2007 will take effect on 1st October 2007. These regulations implement the Data Retentions Directive 2006/24/EC and will apply to public electronic communications providers. Data will be retained for a period of 12 months from the date of communication (Regulation 4(2)). The types of data to be retained are telephone numbers and mobile numbers (Regulation 5(1) and 5(2)). The regulations do not apply to data from internet access, e-mail and internet telephony (VoIP). The Information Commissioner will monitor the application of these regulations (Regulation 8). A comparison of the other European Member States' Laws implementing the Data Retentions Directive 2006/24/EC can be found here.

2) On 24 October 2007, the transitional exemptions under the UK Data Protection Act 1998 will end. This means that structured manual filing systems containing personal records will be covered under the Data Protection Act, but would apply to data that was held before October 1998. The Durant case will be relevant, which took the view that most manual file files are not relevant filing systems.

3) Draft Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2007 - The Government has drafted amended freedom of information (FOI) fees regulations which will allow public authorities to take into account more comprehensively the work involved in dealing with an FOI request. The consultation was completed in June, but further details can be found here.

Saturday, August 18, 2007

MInggl - Persona Centric

This is an interesting website, Minggl, which enables users who have online profiles such as Facebook and MySpace to limit access to their profiles. Here is some information on their website:

"Minggl is a "Persona Centric" toolbar and the first service to put you in charge on popular social networking sites (MySpace, Facebook, etc). "Persona Centric" means that what you see, and what you show, can vary, based on the current social site, and based on who you are and who's profile you are viewing.

Privacy control---hide whole sections of your MySpace profile

If you have BLOGs, Photos or viewpoints that you don't want to share with the whole Internet, Minggl will let you password (or attribute) protect this content (by adding Minggl notes to your profile).
  • password protect sections of your MySpace or Facebook profile---other sites coming soon
  • minors no longer need fear that the WRONG people are seeing their personal details
  • bosses and recruiters can’t see your political or religious views
  • share details of your life with people you trust..…not the whole Internet
  • display different profile views for the public, your friends, and the people you want to date"
Mingll is currently by invitation only, but already a few have started to sign up. A video tutorial can be found here. Will it solve some of the privacy concerns involving social networking? Maybe, but putting the user in control is a starting point! Worth trying this out.

Thursday, August 16, 2007

Portolano case

This is an interesting case as it concerns ISPs, filesharing and data protection. Here are the facts (from Mondaq):

"On April 2007, Peppermint Jam Records GmbH (hereinafter "Peppermint"), a German music label, sent out 3,636 notices of copyright infringements to alleged Italian file-sharers informing them that they have been found guilty of uploading copyrighted songs.

The notices, sent by an Italian Law Firm, requested the 3,636 Italian swappers to stop persisting in their infringements of copyright laws and requested them to immediately remove from their PCs all songs belonging to the Peppermint label. In particular, each user has been specifically charged of sharing only a single song.

The notices also invited users to wire transfer EUR300.00 to the Italian Law Firm’s bank account within May 14, 2007, if they wanted to avoid a criminal and/or a civil lawsuit brought against them. The amount represented a symbolic compensation for damages caused by sharing that song, including legal and investigation expenses. Attached to the notices Italian users also received a draft settlement agreement, to be signed and returned to the Italian Law Firm in case of acceptance.

As mentioned above, the notices stated that the acceptance of the draft settlement agreement as well as payment of the requested amount, would avoid users from being subject to a criminal judgement for copyright infringements. This statement, however, is not exactly true. In fact, Italian file sharers could be subject to a criminal proceeding although they have paid the above amount and signed the settlement agreement. This is because, under Italian law, the crime of copyright infringement is prosecuted ex officio....

Italian Supreme Court‘s Recent Decision on File Sharing Practices

In the Peppermint’s case, the Court did not take any positions on the legality of file sharing practices.

According to a recent Italian Suprem Court’s decision, however, the copyright infringement deriving from file sharing – if not aimed at making profit - is not punishable.

The decision of the Italian’s Supreme Court, dated January 9, 2007, no. 149, concerned a specific case happened on 1999, when two Italian students made some copyrighted materials available for download on a University bulletin board. The students, according to the Supreme Court’s view, were not punished as their behavior was not aimed at making profit, and, therefore, it was not criminally punishable but it constituted only a civil offense that could be pursued for alleged damages.

Data Protection Issues Involved in the Case

In the Peppermint’s case the Court of Rome ordered to the ISP to disclose its clients’ personal data. This has triggered many criticisms as this disclosure was deemed to be an infringement of Italian Data Protection Law.

What has been criticized, however, is not the fact that the Court ordered the ISP to provide such data, as Italian Data Protection Law expressly allows that personJustify Fullal data disclosure in a judicial proceeding. What has triggered many discussions in Italy is whether Peppermint’s and Logistep’s activities aimed at collecting information of users were carried out infringing Italian Data Protection Law.

As to Peppermint’s activities, regardless the fact that the company has its registered offices in Switzerland, Italian Data Protection law should apply according to Section 5 of the Legislative Decree no. 196 of 30 June 2003, (hereinafter "Italian Data Protection Code" or " the Code"), under which the Code applies (i), to the processing performed by any entity established in Italy, including when data are held abroad and (ii) to the processing performed by an entity located in the territory of a non EU country (such as Switzerland) where said entity makes use, in connection to the processing, of equipment situated in the Italy.

Many commentators said that, in the case at hand, the Code applies to processing carried out in Italy (a) at the time personal data were collected from users’ PCs located in Italy (although this is an arguable position) (b) when users’ personal data were transferred to the Italian Law Firm, and were processed for the purposes of sending them the notices on the basis of the data collected from the Italian ISP.

As to Logistep’s activities, some argued that Section 122 of the Code should apply, under which an electronic communication network shall not be used to gain access to information stored in the terminal equipment of a subscriber or user or to store information or monitor operations performed by any user. This is also an arguable position, however, as users’ information are normally processed by P2P platforms with such users’ consent or, in any event, upon request of such users.

Furthermore, some commentators pointed out that Section 37, letter d) of the Code should also apply, under which the data controller shall notify to the Data Protection Authority the processing of personal data concerning data processed with the help of electronic means aimed at profiling the data subject or monitoring use of electronic communications services. This is also arguable, as Logistep’s activity was only aimed at collecting the IP addresses of Italian users: a stand alone IP address is not able to identify or profile users."

Source: http://www.mondaq.com/article.asp?articleid=50310

Although the Italian Data Protection Authority is investigating whether the Data Protection Code has been breached when collecting IP addresses, there are a number of cases that are beginning to emerge that deals with filesharing, IP addresses and data protection:Finally, we should not forget the Art. 29 Working Party's recent opinion on Personal data.

Friday, August 10, 2007

HL Report into Personal Internet Security published

The House of Lords Science and Technology Committee has published its report on Personal Internet Security. Here is the abstract:

"The Internet is a powerful force for good: within 20 years it has expanded from almost nothing to a key component of critical national infrastructure and a driver of innovation and economic growth. It facilitates the spread of information, news and culture. It underpins communications and social networks across the world. A return to a world without the Internet is now hardly conceivable. But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today’s “bad guys” belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist. Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear. The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless “wild west”. It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system. We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders. The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships."

This is quite a lengthy report, but see also the recommendations (in the context of data security breaches):

"Conclusions and Recommendations

5.53. The steps currently being taken by many businesses trading over the Internet to protect their customer’s personal information are inadequate. The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. Governments and legislators are not in position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data.

5.54. We therefore recommend that the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud.

5.55. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.

5.56. We recommend that a data security breach notification law should incorporate the following key elements:

• Workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for theaccessibility of that data;
• A mandatory and uniform central reporting system;
• Clear rules on form and content of notification letters, which muststate clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it.

5.57. We further recommend that the Government examine as a matter of urgency the effectiveness of the Information Commissioner’s Office in enforcing good standards of data protection across the business community. The Commissioner is currently handicapped in his work by lack of resources; a cumbersome “two strike” enforcement process; and inadequate penalties upon conviction. The Government have expressed readiness to address the question of penalties for one type of offence; we recommend that they reconsider the tariffs for the whole of the data protection regime, while also addressing resources and enforcement procedures as well. These should include the power to conduct random audits of the security measures in place in businesses and other organisations holding personal data."


Thursday, August 09, 2007

Diminishing Privacy: Search Engines

With the number of people subscribing to social networking websites such as Facebook and Myspace, it appears that the phenomenom does not stop here. The Beeb has recently published a story indicating the growth of some personal search engines, (Wink.com, Spock.com etc) which would profile individuals and make it easily accessible to anybody:

"The niche search engines are making use of the information that is already out there about us on the web to cross reference details so they can index and build up searchable profiles. Zoominfo.com, which came online in 2001, was one of the first sites to do this. It began life as a subscription service where it gathered profile information from the web in response to requests from recruiters or salespeople, but in 2005 it added a public service, enabling free company and personal searches. Russell Glass, the firm's vice president of products and marketing, said: "Users can come in and search for a person's name, and we essentially crawl somewhere between one billion and two billion pages to gather, organise and summarise a virtual resume." It provides a detailed and rich look at who a person is from a professional perspective." The business-orientated directory contains more than 37 million personal profiles and 3.5 million companies profiles pulled from across the web. Other search engines are aiming for a different market. Some, like Wink.com, a US company that launched in 2006, are using the ever-growing swells of personal information found on social networking sites such as MySpace, Bebo and Friendster in addition to other web sources such as Wikipedia to create public profiles. Michael Tanne, founder and CEO of Wink, said: "The Wink service is where people find people.
"It's targeted at anyone who is trying to find someone else online - old friends, new friends, dates, people they heard or read about, job searches, business leads, celebs etc." Mr Tanne said users could search more than 200 million profiles but added that the company had ambitions to eventually index every person online."

This made me think about the current Data Protection Directive 95/46/EC. Surely, by aggregating personal information from various sources without obtaining individual's consent, would lend itself to a claim that it may fall foul of the Art. 11:

Article 11 Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing;

(c) any further information such as

    • the categories of data concerned,
    • the recipients or categories of recipients,
    • the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

Furthermore, Art. 14 of the Data Protection Directive 95/46/EC (and corresponding national legislation) provides the opportunity for individuals to object to the processing of their personal data.

Certainly a good starting point would be for Data Protection Authorities to start issuing guidelines on social networking and the data protection implications. The Ontario Privacy Commissioner has already issued some guidelines titled "When Privacy gets out of line" (pdf), but more still needs to be done. Furthermore, social responsibility will be the key - if individuals voluntarily put their personal information online, then they are also responsible for the information they share with other individuals. The three Ps, which the Ontario Privacy Commissioners warned students to beware of are quite memorable to remember when going on any social networking website: professors, prospective employers and predators. For such examples, see the recent example of Oxford Dons and Facebook and here.

Some interesting reading:

Tuesday, August 07, 2007

ICO consultation on CCTV Code of Practice

The ICO has issued a consultation on its new draft on CCTV Code of Practice:

"The new draft code of practice states that CCTV must not be used to record conversations between members of the public. According to the draft code this action is ‘highly intrusive and unlikely to be justified’. If a CCTV system is equipped with a sound recording facility it should always be turned off or disabled. Before deciding whether to use CCTV the ICO is encouraging businesses and organisations to carry out an impact assessment to determine whether CCTV is justified and how it will be operated. The assessment also aims to take into account the effect CCTV may have on individuals. Jonathan Bamford, Assistant Commissioner at the ICO, said: “It is clear that use of CCTV enjoys a lot of public support and can have benefits such as helping with the detection of crime. However, it can be extremely intrusive, putting law abiding people under surveillance. It is essential that the public is confident that CCTV is being used responsibly and for a proper purpose. As most uses of CCTV will be covered by the Data Protection Act this revised guidance will help CCTV operators comply with their legal obligations under the Act.”

Closing date is 31 October 2007.

Draft code is available here.

Friday, August 03, 2007

CLSR Latest articles

Some of the latest articles worth reading on CLSR, 2007, 23(4) including:

Parliamentary Committee strongly criticises EU/US Passenger Name Record Agreement
Pages 295-296
Stephen Saxby

A snapshot of legal developments and industry issues relevant to information technology, media and telecommunications law in key jurisdictions across the Asia Pacific – Co-ordinated by Lovells and contributed to by other leading law firms in the region
Pages 322-331
Gabriela Kennedy and Sarah Doyle

‘Access all areas’: Function creep guaranteed in Australia's ID Card Bill (No. 1)
Pages 332-341
Graham Greenleaf

Risk, responsibility and compliance in ‘Circles of Trust’ – Part I
Pages 342-351
Thomas Olsen and Tobias Mahler

Binding Corporate Rules: A simpler clearer vision?
Pages 352-356
Philip Rees and Dominic Hodgkinson

Charging up the batteries: Squeezing more capacity and power into the new EU Battery Directive
Pages 357-364
Sylvia Kierkegaard

OK ! So we now have a final decision, or do we? – Douglas & Ors v. Hello! Ltd & Ors [2007] UKHL 21 (2 May 2007)
Pages 378-380
Mark Crichard