Tuesday, December 18, 2007

Petition on Data Security Breaches

Came across this petition:

"We the undersigned petition the Prime Minister to require all organisations notify customers immediately of any personal data security breaches."

"The UK Government waited more than 10 days before telling Parliament and the Public it has accidentally lost sensitive personal details of 25 million individuals.

Under current US laws, the Government would have had to notify immediately.

The petition calls on the Prime Minister to place a legal duty on public and private sector organisations, so that affected customers are informed immediately if the security of their personal data has been compromised.

Individuals have a right to know straight away when this has occurred to protect against identity theft.

Mandatory notification would make organisations more careful and more accountable for the use of personal information."


Monday, December 17, 2007

Data Security Lapse

According to the latest press releases, it appears that 3 million L-driver details for the driving theory test have gone missing:
"The details of three million candidates for the driving theory test have gone missing, Ruth Kelly has told MPs.

Names, addresses and phone numbers - but not financial data - were among details on a computer hard drive which went missing in the US in May.

It belonged to a contractor working for the Driving Standards Agency, the transport secretary told MPs.

It is the latest in a series of data losses since discs with 25m people's details on were lost by HM Revenue.

Ms Kelly said the details of learner drivers had been formatted specifically for the contractor, Pearson Driving Assessments Ltd, and was not readily accessible or usable by third parties.

Risks 'not substantial'

She said the details were not sent in the post - but the hard drive had not been found where it had been expected to be, in the "security facility" in Iowa.

She said the Information Commissioner had judged the risks presented by the loss were not "substantial" as the details did not include bank account details, National Insurance numbers, driving licence numbers or dates of birth.

But she apologised for any "uncertainty or concern" caused to anyone whose details might have been included - who took a driving theory test between September 2004 and April 2007...

However her Tory shadow Theresa Villiers said the government was failing in its duty to obey its own laws on data security and said it was further evidence of a "systemic failure" by the government in handling people's private data."

Source: BBC, "Millions of L-Driver Details Lost"

The scale of the data lost is unfathomable. Again, the Data Protection Act 1998 is clear, under the 7th data protection principle, that:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This is further elaborated under Part 2 of Sch. 1 of the Data Protection Act 1998:

9 Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Rights of those affected - The Data Protection Act 1998 (DPA) clearly provides rights to data subjects affected by breaches of the Act:

s 10 of the DPA 1998 Right to prevent processing likely to cause damage or distress AND

s 13 of the DPA 1998 Compensation for failure to comply with certain requirements

For more information on this, visit the UK ICO's website. More powers for the ICO, including a new criminal offence for knowingly or recklessly flouting data protection principles, have been called for, so one waits to see whether the Data Protection Act 1998 will be strengthened!

Thursday, December 13, 2007

Data Protection Developments Updates

Some latest developments on data protection:

  • The ICO called for a review of the data protection laws including a need for a data security breach notification, criminal sanctions and audit power. The transcript (uncorrected at present) is available here.
  • According to the latest press release, the ICO is currently investigating Facebook, following a complaint that one user could not delete his account. "Facebook does allow people to 'deactivate' their accounts. This means that most of their information becomes invisible to other viewers, but it remains on Facebook's servers - indefinitely." The data protection principles under the UK Data Protection Act 1998 are fairly clear that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes" (5th data protection principle). It seems slightly odd that an FB user who wishes to remove their profile from FB could not have their personal data deleted. One waits to see what developments arise on this front. See also an interesting article on the social implications arising from the use of FB here.
  • Adequate level of data protection in Jersey and the Faroe Islands: "The Working Party adopted two Opinions, on the adequate level of data protection in both Jersey and the Faroe Islands, which will enable the Commission to take further steps towards a Commission decision on adequacy. In the past the Commission has adopted adequacy decisions on such countries as Switzerland and Argentina after receiving the advice of the Art. 29 Working Party. The Commission decision makes the transfer of personal data to such countries much easier than to third countries in relation to which such a decision has not been adopted." (Art. 29 Working Party Press Release, October 2007).
Update: Headed by Richard Thomas and Dr Mark Walport, there is a consultation on the use and sharing of personal information in the public and private sectors as part of their independent Data Sharing Review. The closing date is 15 February 2008. Further details of the consultation can be found here.

Monday, December 10, 2007

Highlights of the LSPI Conference 2007

Having been absent for a week in Beijing to attend the LSPI Conference, there was the opportunity to visit the various "touristy" places including the Forbidden City and the Summer Palace.

As for the conference, this was held at the Communications University, Beijing. The theme centred on "Cyberlaw, Security and Privacy". There were some very interesting papers given including (not exhaustive):

The European proposal concerning the structure of the Internet has offered a more international and rounded approach to the debate surrounding Internet Governance. Encouraging the formation of ‘alliances’ by a certain number of governments, who wish to proceed to specific policy decisions, ‘enhanced cooperation’ is viewed as the viable solution that would potentially remove the control of the Internet outside the United States Government. However, can ‘enhanced cooperation’ meet the democratic mandate of how the Internet should be governed?

With its future still undetermined, even within the confines of the European Union, ‘enhanced cooperation’ could work as the catalyst for either the unification or the segregation of the medium. The current structure of the Internet does not encourage the creation of a ‘Constitution’, due to its domination by a specific segment of governments and private entities. Due to this state of affairs, the setting of basic principles and policies with the active participation of all interested parties – Governments, the Private Sector, Civil Society and the International Corporation for Assigned Names and Numbers (ICANN) – is vital. Otherwise, if not used appropriately, ‘enhanced cooperation’ can “support” coalitions of specific groups, leaving outside actors, whose role is significant.

This proposal’s starting point is the notion that, before we proceed in any governance of the Internet, first we need to identify the principles that we need to secure and, based on that premise, shape the boundaries and effects of the European proposal. Otherwise ‘enhanced cooperation’ or any other proposal for that matter will have a detrimental effect and might even cause more problems than solutions.

"The Global Positioning System (GPS) has slowly permeated into the civilian community and has become an essential accessory for the modern individual. Various commercial applications heavily rely on GPS technology. GPS has also started receiving attention in court cases, where it has been admissible as evidence leading to convictions or proving innocence. However, GPS is a radio-navigation system and is prone to vulnerabilities that may be introduced intentionally or unintentionally. The legal literature has not debated the possibility of human alteration of GPS data in judicial reasoning which raises the prospect of forged GPS data being presented to courts by individuals who have the motive and the technical knowledge to do so. By exposing the weaknesses present, this paper aims to draw the attention of the legal fraternity to these issues which may put the legal system in a dilemma as over-reliance on GPS technology may produce disastrous results, especially when innocence or guilt largely depends on GPS evidence."

"The EU has developed a comprehensive framework for Information Society law that spans various areas ranging from a liberal regulation of e-commerce to a stringent legislation in the area of copyrights in the Information Society. This article discusses the evolution of the EU approach to the regulation of e-commerce in the Single Market and demonstrates the most important aspects of the current regulations relevant to this area."

In Internet governance transparency issues merit more extensive consideration: The Internet offers valuable opportunities for transparent communication and for the achievement of open access to discussion topics, thereby enhancing communication and dialogue between the governance-related institutions and the interested parties concerned. Transparency could also promote the mobilisation of new actors and the participation of the civil society; such development would increase the level of democratic legitimization through active involvement. ICANN has recognized the need to improve the transparency framework with its structures; the ongoing attempts should be strengthened by scholar research supporting the effort of the ICANN bodies in the present consultation phase. Since a transparent methodology for rule-making processes based on revisable procedures reduces mistrust, transparency should become a persistent objective of governance mechanisms.

The dichotomy between personal privacy and free access to information, which has come increasingly to the fore with the advance of information technology, justifies a reconsideration of these traditional values and interests. In this article, it is contended that privacy, as a constitutional right, is subject to changing norms as a result of the advent of the information society. In today’s information society, citizens weigh the importance of protecting privacy against the advantages of free access to information. The criterion they use is a rational one: an evaluation of which option provides the individual with the most benefit. The protection of privacy is no longer an unconditional good. For state organisations to champion privacy at any cost is, therefore, out of step with this development. A new balance has to be established between the citizen’s right to privacy and their right to know, taking into account this shift in values. In order to prevent on the one hand overzealous protection and, on the other, the abuse of information, it is necessary to set up the monitoring function in a new way.

Although one's paper concentrated on the subject of network neutrality, a topic which has received less attention in the UK and Europe, the feedback was very useful.

I hope to follow up on the feedback received from the two panel discussions convened on social networking (with diverse opinions/perspectives given). Again, the feedback has been extremely useful - my thanks to the delegates for making this topic a lively discussion even if some of us did not manage to agree! - a topic which has been covered to a greater extent! For those interested in the privacy implications and social networking, see the Clip below as an example:

Sunday, December 09, 2007

Lecture online

Further to my previous post on Sir Alec Jeffreys' lecture on Genetic fingerprinting and beyond, this is now available online.

"DNA fingerprinting, accidentally invented in 1984, has revolutionised many areas of Biology, most notably in forensic and legal medicine. This lecture will describe how DNA typing can be used to solve casework and will review the latest developments, including the creation of major national DNA databases that are already proving extraordinarily effective in the fight against crime."