Why All The Fuss About The New EU Data Protection Proposals?

Having read and re-read the EU Data Protection Proposals (EUDPP), I believe they will give much-needed strength to the current Act and will also make the personal data that organisations hold more robust. There are a couple of downsides, but let us look at the whole thing and throw a new perspective on it.

Basically, the EUDPP gives the data subject more power over what their personal information is used for and by whom. It also gives them the right to have their personal information removed from a company database, with the third-party users of that data notified that it is to be removed. From a citizen’s (data subject’s) perspective this is a good control to have, as it allows them to pick and choose who they wish to process their data and prevents an unwanted barrage of marketing, sales and ‘information’ letters, texts and emails. It further prevents the secondary use of their information by other organisations the citizen knows nothing about. The citizen will also have the right to know who has been and is processing their data, and to know that they do not have to have their data further processed when they sign up for something.

Surely this is a good thing? It gives us all the right to say ‘yes, I am happy for you to process my personal information’. You then have a definitive customer rather than one who is constantly trying to get away from your unwanted contact and is unhappy with you. It also puts the onus on companies that sell names on to take responsibility for what they do. If a customer says they want no more contact and asks for their information to be erased, then the company will need to ensure it notifies the other companies it has sold the data to and made a profit from.

Current legislation makes harvesting of personal data so easy and lucrative. As long as you have a set of T&Cs and an opt-out somewhere on the form or website, then it is all OK. The ones that really get me are the companies that say ‘by placing this order you give us permission to pass your details on to other third parties we believe you may be interested in hearing from’. The chances of me being interested? Zero; I always cancel the order at that point! We are legally required to collect personal data for a specified reason, not just so we can make a small fortune by selling it on. The current harvesting methods are more akin to the Russian factory trawler system than to any good direct marketing principle. Companies are hoovering up vast amounts of information, processing it and using it for profiling, then selling this enriched data on to other companies who do more of the same, to the detriment of the citizen. This new directive will torpedo the factory trawlers, and citizens will once again have a modicum of control over their lives. At the end of the day, would you rather have 100 happy customers who keep buying from you, or 1000 unhappy ones who blog and moan about how bad your company is?

There will also be a new set of rules on what defines personal data, extending it to online identifiers (IP addresses and even pseudonyms used in social networking) and to location data, where an online placement shows exactly where you are. Some search engines have this running in the background all the time, which is why you see everything local to you advertised first. The EUDPP is looking at restricting these, and it could cut both ways: more people are now used to their location being used online, and there is greater awareness of how IP addresses are used to detect fraud and prevent spam, so I am not so sure these particular suggestions will be a good move.

Another area I do agree with is the obligation to notify any data breach to the regulatory body ‘without undue delay’ and, where feasible, within 24 hours of the breach being discovered. The number of breaches is increasing steadily, but still not all breaches are notified, usually from fear of the repercussions. At the end of the day, why should the company or individual losing the data get away with it? If it was my data I would certainly be up in arms about it and looking for something to be done, and quickly, yet more and more companies and government agencies are getting away with it.

The one area I must disagree with is the removal of the £10 fee for a Subject Access Request. The amount of time and effort taken to fulfil these is ridiculous in some cases, and the fee does not even cover the cost of the photocopying, let alone the cost of getting someone to do the work. This, and the fact that they want companies to employ a Data Protection Officer to manage their DP requirements, may make even more companies decide that enough is enough and drop off the ICO’s radar, creating a lot of hidden data that is being illegally processed. Before you do that though, remember the EUDPP is also proposing an increase in fines to up to €1m or 2% of the company’s annual worldwide turnover.

If anyone wants to discuss this then feel free, I am always open to debate.

Posted in Breaches, Data Protection, Fair Processing, ICO, Information Commissioner, Justice

Is The Information Commissioner About To Investigate His Own Office Or Is It Something Murkier?

Police, in an early morning raid on a house in Cheshire, seized a memory stick from a retired former police officer, Mr Owens, who used to work for the Information Commissioner’s Office. Whilst at the ICO he was responsible for working on Operation Motorman, an investigation into the intrusive information gathering that was being performed by the media using private investigators, and was part of the team that pounced on the private investigator Steven Whittamore back in 2003. In a statement, Cheshire Police said: “Following information received, a warrant was executed at an address in Widnes. The warrant relates to an investigation into allegations concerning breaches of the Data Protection Act 1998.”

When Mr Owens and the team investigated Mr Whittamore, they found a list of transactional services he had performed for various newspaper reporters, amounting to around 17,000 entries! Mr Owens quit his job in 2006, claiming the Information Commissioner failed to investigate these transactions, which resulted in Mr Whittamore only getting his knuckles rapped with a two-year conditional discharge. This was for a deliberate breach and flouting of the Data Protection Act 1998, in that he illegally obtained personal information and sold it on for personal gain. It also let the hundreds of reporters and newspaper editors off the hook.

Following a request from the current Information Commissioner, the police are looking to question Mr Owens with regard to possible breaches of the Act, in that he allegedly leaked information to the Independent newspaper. The memory stick the police took relates to the work Mr Owens was doing when employed by the Information Commissioner; he did, however, refuse to hand over a copy of the statement he prepared for the Leveson Inquiry. Mr Owens has allegedly described the police as being on a ‘fishing expedition’ and said there was no doubt it was the result of an ICO complaint.

Mr Owens is due to give evidence later this month to the Leveson Inquiry into the media’s use of private investigators to illegally obtain personal information. He has notified the Inquiry of the police raid, and it is understood he has already supplied Strathclyde Police with a statement and a copy of the Motorman disk to aid their investigation into the media’s illegal practices in Scotland.

So, who is investigating whom? The current Information Commissioner seems hell-bent on investigating something his predecessor did, and is using the police to do so. Is this right, or is there something more sinister happening here? Why would this suddenly come up just days before a former employee was to give evidence? Is the Commissioner’s Office trying to hide something? On speaking to someone at the ICO, it was carefully explained to me that they would not comment on the matter, and also that they would not respond to the Freedom of Information request I tried to file.

I will watch this one carefully, as I am sure something else is going to come out about it…

Posted in Uncategorized

The Legal Profession and Data Protection – Is It Ignorance Or Pure Arrogance?

Once again we hear of another legal eagle being hit by the Information Commissioner for not holding personal information securely. Yet when I contact local solicitors to try and discuss their data security, all I get is silence. Is this ignorance or arrogance? To my mind it is a bit of both. Very few solicitors have an in-house specialist who can handle their data protection compliance and, from experience, very few of them have a scooby about what it means to them, nor do they care!

The ICO has recently published another press release, relating to an advocate of all people, who did not keep her laptop secured; it was stolen, yet she waited two years to report it to the Commissioner! Why oh why oh why do we put up with this? These people are meant to know the law, yet it seems that the Data Protection Act 1998 has slipped ‘off their radar’, or else they are blissfully ignorant and really do not care about data security; the latter, I think, is more the case. See what you think after reading the press release, and feel free to respond with your thoughts.

The ICO’s press release goes like this:

A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said:

“The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

“As this incident took place before the 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

Posted in Breaches, Data Protection, Information Security, Justice, Solicitors

Is My Password A Good Password?

This is something I have been asked about many times over the years, and basically a password is as secure as you make it. We all have our own idiosyncrasies in the way we ‘design’ our passwords, myself included, but how secure do we make them?

The vast majority of people use the names of their children or pets as passwords, and dates of birth for PINs and other number-based passwords. Quite often these passwords are no longer than about 6-8 letters or numbers, but does this help?

The Telegraph has published the top 25 worst passwords (from SplashData) and these are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

It may help you, as it is easy to remember, but it also helps the attackers of this world, as it will be easy to guess your password and access your computer. If you use names and dates of birth as passwords, anyone who wanted to break into your PC would try these as a first port of call, as they are the easiest things to try. Therefore, the best thing to do is to mix up your password: use upper-case letters randomly placed throughout the word, add in some numbers and maybe even a symbol or two.

For example, let’s say I decide to use a pet’s name like Rover. This would be easy to remember and quick to type, but it is something that someone could find out about me. Therefore, what I should be looking at is making it something like rOveR-07. This introduces mixed case in the word, a symbol ‘-’ and numbers (these representing the year he arrived). This is harder to crack than the bare name, though only marginally: password-cracking tools apply exactly these kinds of case changes and appended digits and symbols to every word in their dictionary, so a recognisable word remains the weak point (note ‘passw0rd’ at number 18 in the list above). I would suggest that you all look at your passwords to see whether they are at least like this.

Some of you will remember the debacle in October 2007 when HM Revenue & Customs lost the records of 25 million child benefit recipients. This caused untold panic, as a lot of people had used their children’s names as passwords, and we were then telling them all to change their passwords quickly to prevent any possible attack on their accounts.

The vast majority of us also use Windows, which is probably one of the ‘friendliest’ operating systems around, and the browser on it offers to remember your password for any website where you have to log in. It is worth understanding how Windows stores its own logon passwords, though. The legacy LAN Manager (LM) hash, which older versions of Windows kept alongside the modern NT hash, first converts the password to upper case and then splits it into two blocks of seven characters that are hashed independently; my password rOveR-07 would be held as ROVER-0 and 7, and each half can be cracked on its own, so the one-character second half falls instantly. Having passwords remembered for you is really useful, as it means you do not have to remember them, and if you forget one the website will either reset it for you or give you a hint as to what it is.

The only problem is that there is software available that can be run on your computer and, within 30 minutes, will recover stored or weakly hashed account passwords. Therefore, the only really secure password is one that is mixed case, with symbols and numbers, and over 14 characters in length. Why? Simple: if it is over 14 characters, Windows does not create an LM hash for it at all, so that weak hash is not there to be cracked. The NT hash still is, which is why the length and randomness matter as well; on Windows Vista and later the LM hash is switched off by default anyway, but the advice stands. I would suggest that if you are storing sensitive information you use this type of password, as you can never be too safe. Facebook is reporting over 600,000 attempts per day to break into accounts, so this really brings it into perspective!
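To make the above concrete, here is an added example (not code from the original post) that checks a password the way an attacker's tooling would: it tests it against the top-25 list reproduced above, strips the common "mangling" (case changes, digits and symbols tacked on the ends, letter-for-number substitutions) to find the dictionary word underneath, estimates brute-force entropy, and shows how the legacy LM hash would split the password into two 7-character halves, or decline to store one at all past 14 characters. The 60-bit entropy threshold and the leet-substitution table are assumptions chosen for the demonstration, not figures from the post.

```python
import math
import re

# SplashData's 2011 "worst passwords" list, as reproduced in the post above.
WORST_25 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Letter-for-symbol substitutions that cracking rule sets undo by default
# (assumed table for this example).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Entropy below which we call a password weak: an assumption for this example.
MIN_BITS = 60.0


def base_word(password: str) -> str:
    """Undo the usual mangling (case changes, digits or symbols tacked on the
    ends, leet substitutions) to recover the dictionary word underneath."""
    word = password.lower()
    word = re.sub(r"^[^a-z]+", "", word)   # strip leading digits/symbols
    word = re.sub(r"[^a-z]+$", "", word)   # strip trailing digits/symbols
    return word.translate(LEET)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume for a brute-force search."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def lm_halves(password: str):
    """How the legacy LAN Manager hash treats a Windows logon password: upper-case
    it, pad to 14 bytes, and hash the two 7-byte halves independently. Returns
    None when the password is longer than 14 characters, because Windows then
    stores no LM hash at all."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def assess(password: str, known_words=()) -> dict:
    """Report why a password is weak: list membership, recognisable base word
    (including facts about the user, e.g. a pet's name), length and entropy."""
    problems = []
    if password.lower() in WORST_25:
        problems.append("in the top-25 worst list")
    base = base_word(password)
    if base and (base in WORST_25 or base in {w.lower() for w in known_words}):
        problems.append(f"based on the guessable word '{base}'")
    if len(password) < 14:
        problems.append("shorter than 14 characters")
    if entropy_bits(password) < MIN_BITS:
        problems.append("low estimated entropy")
    return {"base_word": base, "bits": entropy_bits(password),
            "lm_halves": lm_halves(password), "problems": problems}


if __name__ == "__main__":
    # Constructed sample passwords; "Rover" stands in for a fact an attacker could learn.
    for pw in ("rover", "rOveR-07", "passw0rd", "Tr0ub4dor&3x!Quiet-Lane"):
        print(pw, assess(pw, known_words=["Rover"]))
```

Running it shows rOveR-07 flagged on all three counts (it is still "rover" underneath, it is short, and at roughly 53 bits of brute-force entropy it is well inside rainbow-table range), while the 23-character passphrase passes and, being over 14 characters, would never get an LM hash.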

Some top industry tips for passwords:

- Vary different types of characters in your passwords; include numbers, letters and special characters when possible.

- Choose passwords of eight characters or more. Separate short words with spaces or underscores.

- Don’t use the same password and username combination for multiple websites. Use a password manager to keep track of your different accounts.

If you have any concerns that you or your company may not have safe passwords or just want more information, please feel free to contact KPG Professional Services on data@kpgps.co.uk or by calling 07413 943228 for help and guidance.

Posted in Blagging, Cookies, Data Protection, Fixing Facebook, Information Security, Password, Uncategorized

Is Vince Cable Really Guilty Of A DP Breach? What About The Blagger?

Interesting question, I think, as what actually happened? It appears some of his constituency staff decided to be ‘green’ and put out old paperwork for recycling. Unfortunately this included information about his constituents, who, quite rightly, are up in arms about it. But how did this all come to light?

Reading through the stories on this one, it would appear the newspapers and media became aware of the situation because a ‘concerned citizen’ opened the recycling bags, rifled through the paperwork in them and took papers out of the bags over a series of weeks!

Now let us look at who should be in court over this. Mr Cable could be prosecuted for non-notification, and an assessment would be made of the breach. If I were involved in the defence, we would be looking at damage limitation, instilling some harsh new measures to ensure this does not happen again, and throwing ourselves on the mercy of the ICO. But what I would also be pursuing is the criminal prosecution of the ‘concerned citizen’ who stole the papers from those bags.

This person is no better than a blagger, going round removing confidential information from folks’ bin bags and waste bins. I am struggling to find any excuse for their behaviour: when they found out this was happening, why did they not just speak to the constituency team and point out what was being put out in the bags? No, they were so concerned that they kept stealing papers and then, once they had enough, allegedly sold them to a newspaper for a sum of money! They are not a concerned citizen; they are a common thief and blagger, and I would like to see the Commissioner prosecuting them for this, to make a showcase of what can happen if you start dipping your fingers into other people’s waste paper.

We see plenty of other folk being prosecuted for blagging, but so far no one has mentioned this, as they are all too concerned with vilifying Mr Cable for his office doing what they thought was the correct thing. Yes, they will be sacked and yes, Mr Cable will be fined, but if the blagger gets away with it, where is the justice in this world?

I have no political affiliation to Mr Cable or the Lib Dems, but I do have an affiliation with seeing justice done fairly, so let’s start making a noise about it.

Posted in Blagging, Breaches, Data Protection, Fair Processing, Freedom of Information, Information Security, Justice

How Secure Is It When Buying Online?

Given the number of transactions per day online, this is a very good question, recently asked by one of my readers. It is also quite timely, as my debit card was cloned a couple of weeks ago from an online purchase, so let me try and help you understand how it works.

Firstly, when you are buying something online, make sure the company you are buying from is legitimate and trustworthy. Many companies now accept payment via PayPal, and this is fairly secure; however, in recent months we have seen the rise of the false payment window, where a scammer creates a false web page identical to the PayPal one and asks you for your details. This, it appears, is what happened to me.

So what can you do about it? Really it is quite simple. When you enter a payment page online, the address line will change slightly: instead of “http://” you will see “https://”, indicating that the connection to that site is encrypted. There will also be a wee padlock symbol in the address bar; clicking it shows who the certificate was issued to. The padlock only tells you that you are talking securely to the site named in the address bar, so check that the name really is the company you meant to pay and not a look-alike. If the https and padlock do not appear, it is not safe to input your details. You can also sign up for “Verified by Visa” or “MasterCard SecureCode” so that, when you go to pay, the website diverts you to enter your verification password; this adds a second check against fraudulent use of your card, and many sites now use it as part of the payment process.
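The checks above can be written down, and here is an added example (not from the original post) that applies them to a payment URL the way a careful shopper reads the address bar: it insists on https, rejects the “user@host” trick where the real host hides after an @, treats a merchant name buried inside a longer hostname as a different site (the padlock only vouches for the host that is actually in the address bar), and flags non-ASCII or punycode look-alikes. The sample URLs in the usage block are constructed for the demonstration; only the merchant domain in them is real.

```python
from urllib.parse import urlsplit


def payment_url_check(url: str, expected_domain: str):
    """Return (ok, reasons): ok is True only when the URL is https and its host
    really is expected_domain or a subdomain of it."""
    reasons = []
    parts = urlsplit(url.strip())

    # 1. The scheme: without https, card details travel in the clear.
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is '{parts.scheme or 'none'}', not https")

    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")

    # 2. user@host trick: 'https://www.paypal.com@evil.example' connects to evil.example.
    if parts.username is not None:
        reasons.append(f"URL carries 'user@' before the real host '{host}'")

    # 3. The certificate (padlock) only vouches for the host in the address bar,
    #    so that host must BE the merchant's domain, not merely contain it.
    if host != expected and not host.endswith("." + expected):
        if expected in host:
            reasons.append(f"'{expected}' appears inside '{host}', but that is a different site")
        else:
            reasons.append(f"host '{host or 'none'}' is not {expected}")

    # 4. Look-alike hostnames using non-ASCII or punycode (xn--) labels.
    if any(not label.isascii() or label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses non-ASCII or punycode labels (possible look-alike)")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    for sample in ("https://www.paypal.com/checkout",
                   "http://www.paypal.com/checkout",
                   "https://www.paypal.com.secure-checkout.example/login",
                   "https://www.paypal.com@evil.example/",
                   "https://paypa1.com/"):
        ok, why = payment_url_check(sample, "paypal.com")
        print("OK " if ok else "BAD", sample, why)
```

The subdomain test is the important one: `www.paypal.com.secure-checkout.example` ends in `.example`, so whatever certificate it presents was issued to that domain, and the padlock will happily light up for it.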

You should also check the Privacy Statement for the website you are using; this will explain how they use your data, where and how it will be stored, and how to contact them about your information.

The sort of thing to be aware of is a site where you are asked to input personal information or bank details when there is no “https://” in the address line. Anything you type there travels in the clear and can be read or altered on the way, and this was my downfall. I needed to get an update for my SatNav and used a site which did not have the https, but felt, having read the information relating to the payment, that it would be safe. Three days later, the night before I was going on holiday, my account was relieved of over £1400. The bank felt this was unusual and blocked my account until I had contacted them to clarify what had happened. They sent me an email asking me to call them; if you ever get one asking you to fill things in online, just delete it, it is a scam! Once I had called them we started to unravel the fraud, and I eventually got my account back a week later.

Posted in Data Protection, Email, Fair Processing, Information Security

Today Is International Right To Know Day

International Right to Know Day was established by access to information advocates from around the globe. It was first celebrated on 28 September 2003, and 2011 will see the 9th International Right to Know Day.

The aim of Right to Know Day is to raise awareness of every individual’s right of access to government-held information: the right to know how elected officials are exercising power and how the tax-payers’ money is being spent.

Whether or not you have tried to ask ‘that’ question of your local council or a government department, today is the day you should try. It really is easy: all you have to do is email them the question you want answered. Currently I am assembling statistics on the number of data protection breaches the police in Scotland have incurred and the actions taken. You may just want to know how much money has been spent on those ridiculous speed bumps in your road, or why there are so many mini-roundabouts and sets of traffic lights in the town and how much of your council tax has been spent on them.

Do you ever wonder what that big chimney on the edge of town is for, what causes the smoke and why it smells so bad? You have the right to ask under the Environmental Information Regulations; just ask.

All you need to do is go to the council website, find the Freedom of Information section and send in your request. They have to reply to you within 20 working days, either answering your question or telling you where you can find the answer.

So go on, give it a try, what have you got to lose?

Posted in Uncategorized