Thursday, August 28, 2008

Where has the time gone?

A frequent query that I get is where has the time gone? Often difficult to prioritise, but have just been going through this book Shopping for time: how to do it all and not be overwhelmed by Mahaney, Whitacre, and Bradshaw. This is quite useful, and will need to start cutting down on a few activities and learning to say "no" to things. In the meantime, I enjoyed listening to this lecture on "Time Management" by Professor Randy Pausch:

Wednesday, August 27, 2008

Privacy by Design Principle

More research reading: Just been reading this latest (courtesy of H&W) on "privacy by design" principle:

On April 28, 2008, the European Data Protection Supervisor Peter Hustinx released a policy paper entitled “The EDPS and EU Research and Technological Development”, according to which privacy and data protection requirements should be introduced as soon as possible in the life cycle of new technological developments. Hustinx stated that the principle of “privacy by design” should represent an inherent part of the European Commission’s 7th Framework Program. The EDPS plans to assist the Commission in the evaluation of data protection issues of project proposals, promote the education of managers and designers, contribute to research advisory boards, and advise companies in order to ensure that privacy and data protection issues are included at an early stage in technology research and development projects.

More details can be found here (pdf). On this note, not to forget, the EU PRIME Project on identity management systems, which is worth reading. More at a later stage.

See also:

Tuesday, August 26, 2008

Privacy Audits

OPINION: With the recent incident surrounding the loss of data on a USB memory stick, one of the discussions that have been absent from the debate is privacy audits of government departments. What do I mean by privacy audits? This is often referred to as "Privacy Impact Assessments" :

"PIAs are a process of ensuring that privacy concerns are identified at the early stage of an initiative so that these can be addressed and safeguards built in rather than bolted on as an expensive afterthought. We have called for the use of these in the past with major public policy developments like ID cards and reinforced the need for these impact assessments in evidence to parliamentary enquiries and in our other publications such as the Information Sharing Framework Code of Practice.

PIAs go wider than simply a data protection compliance check and are aimed at looking at all aspects affecting privacy. The approach we are recommending involves a number of elements including an initial screening process and, depending upon the results, two possible levels of assessment (small scale and full scale) together with a data protection law checklist. The important thing about PIAs is the process of undertaking the assessment where the organisation considers the impact on privacy and whether there are more privacy friendly alternatives. Although a report is produced at the end and is usually published this is will not be subject to an approval process by the ICO."

Other than the handbook, some of the basic procedures still need to be addressed:

1) WHO are your data protection officers? HOW regular is the training about data protection laws?

2) What are the security procedures? Do we understand the data protection principles laid down under the Data Protection Act 1998? In particular, the 7th Data Protection principle that provides that
"appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

3) What are the complaints procedures? How many data subject access requests do we have? Do we keep a regular record? Is personal information accessible on the internet?

Privacy compliance check is available here, but certainly more needs to be done not simply at an organisational level, but also a recognition that privacy (storage of personal information) should be kept securely.

Saturday, August 23, 2008

Ixquick Search Engine

Ixquick search engine was awarded the first European privacy seal on July 14th:

Ixquick is a meta-search engine ( which
forwards search requests of its users to several search engines, gathers and
combines their results and presents the results to the requesting users. Privacy
is ensured by using several data-minimization techniques: personal data like IP addresses are deleted within 48 hours, after which they are no longer needed to
prevent possible abuse of the servers. The remaining (non-personal) data are
deleted within 14 days. Ixquick serves as a proxy, i.e. IP addresses of users
are not disclosed to other search engines.
This is quite a good search engine and shows all the relevant searches. Not sure why other search engines including Google have not cottoned on to this. Might as well start using this from now on!

Friday, August 22, 2008

More data loss!

More sensitive data loss (this time, on a unencrypted memory stick!) - Beeb has reported:

"Details of 84,000 prisoners in England and Wales were lost by private firm PA Consulting. The Home Office said a full investigation was being conducted.

The information commissioner's office described it as "deeply worrying".

PA Consulting has searched its premises and looked at CCTV recordings in an attempt to recover the missing memory stick - a commonly used portable storage device for computer files. It is not clear how it came to be lost."

Probably worth reading Ubisurv's comments on this.

Stricter privacy laws - Germany

This is the latest press release (courtesy of DataGuidance News) regarding recent developments about privacy laws in Germany:

Minister of Justice calls for stricter privacy laws after data trade scandal

The German Minister of Justice, Birgitte Zypries, has called for stricter privacy laws following the recent data trade scandal, which unveiled that German citizens’ personal data are easy to find for sale on the internet.

The Ministry of Justice, who has responsibility in Germany for most consumer issues, proposed that companies should only be able to transfer consumer’s data to other companies with the prior consent of the data subjects involved. “At the moment, it is legal for companies to transfer certainkinds of data, such as names, age and addresses of customers, to other companies for marketing analysis purposes”, a Ministry of Justice spokesperson said to DataGuidance on 20 August 2008. “This provision does not apply to bank account information, and customers have the possibility to opt-out from their data being shared at any time”.

The Ministry of Justice also suggested that controllers should have an obligation to notify a data breach to the subjects involved and that companies should be forced to return any profits made with the illegal collection and processing of data.

The Ministry of Justice spokesperson clarified that Mrs Zypries made the recommendations “as a politician and as a member of the Social Democratic Party, and not in her formal position as the Minister of Justice”.

“Having responsibility for consumers’ rights, the Minister of Justice felt that German consumers expected her to express an opinion on the data trade scandal”, the spokesman explained to DataGuidance. “It is then up to the Ministry of Interior to take the recommendations on board and take any steps necessary to amend the law”.

In August 2008, an employee of a call centre engaged in fraudulent activities delivered a disc containing the names, contact information and bank account details of 17,000 German citizens to the Schleswig-Holstein consumer agency. The call centre would have used the information on the disc to contact the subjects involved and ask them to confirm their banking details in order to withdraw money from their accounts.

After the incident, the Federation of German Consumer Organisations (VZBV) appointed a journalist to conduct an undercover research on the trade of personal data. “We instructed a journalist to find out how easy it would be to buy German citizens’ personal data on the internet”, a VZBV spokesperson explained to DataGuidance on 20 August 2008. “Within hours, our investigator was offered a database containing the personal data of 6 million people and the bank details of 4 million people for EU 850”.

VZBV are still investigating the sources of the illegally sold data. “We have no confirmation yet as to who made the data available for sale on the internet”, said the VZBZ spokesperson, “however we are aware of the involvement of lottery companies that unlawfully collect personal data”.

Dr. Jochen Lehmann, Partner at German law firm Görg, said: ”While data protection has only been the subject of discussions among experts in Germany, it is now all over the headlines. This suggests that the debate over the unlawful collection and use of data will not simply fade away this time, and the involvement of the Minister of Justice is certainly a strong sign. Should the Minister’s recommendations be put into practice even partially, the data protection landscape in Germany will be considerably affected.”

Thursday, August 21, 2008

Amendments to the Data Protection Act 1998

The Criminal Justice and Immigration Act 2008 received the Royal Assent on 8th May 2008, which amends the UK Data Protection Act 1998 and gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act 1998. The main provisions to consider is s 77 Criminal Justice and Immigration Act 2008. The other main change is s 78 on new defences for the purposes of journalism and other special purpose when processing personal data. Explanatory note provides that:

"Section 78 inserts a new defence into section 55 of the Data Protection Act 1998. The defence applies when a person acts for journalistic, literary or artistic purposes with a view to the publication of journalistic, literary or artistic material and in the reasonable belief that their actions were justified as being in the public interest." (notwithstanding Pepper v Hart, will need to read through Hansard to look into the background of this as to why this amendment is necessary)

See also:

Thursday, August 07, 2008

Monday, August 04, 2008

CoE DP Treaty

Privacy, Laws and Business reports the following:

"The Council of Europe Convention on Data Protection, for the first time since it was opened for signature in 1981, is inviting non-European countries with data protection laws to sign and ratify it. The Convention’s Consultative Committee recommended “that non-member states, with data protection legislation in accordance with Convention 108, should be allowed to accede to the Convention”, and it “invited the Committee of Ministers to take note of this recommendation and to consider any subsequent accession request accordingly”. The Committee of Ministers, on 2 July 2008, “agreed to examine any accession request in the light of this recommendation” and “instructed the Secretariat to disseminate information about the Convention”.


Google Maps and privacy

According to Out-Law News:

"Google's Street View service has received the blessing of UK privacy watchdog the Information Commissioner, who has said that the safeguards Google has put in place for people's privacy are 'adequate'.

The Street View service works by taking photographs of a city's streets and publishing them together so that they form a kind of photo-map of a city. It has raised privacy concerns because people are identifiable in the photos.

Google, though, has always said that it will change the service according to the privacy laws of the countries in which it operates. Cameras gathering data for the service have been spotted for the first time on UK streets in recent weeks.

We are satisfied that Google is putting in place adequate safeguards to avoid any risk to the privacy or safety of individuals, including the blurring ofvehicle registration marks and the faces of anyone included in Streetview images," said a statement from the Information Commissioner's Office (ICO)."

The Data Protection Act 1998 clearly gives rights to individuals (as data subjects) to request for information held about them and Google would be no exception. The Art 29 Working Party's opinion goes into greater detail over the broad notion of personal data, which one will not elaborate.