Why is everyone so angry about the proposed EU Data Protection Regulations?

I have been reading about the proposed new EU Regulation on Data Protection and a lot of people seem to be highlighting a lot of what they perceive to be negatives within it, whereas I see them as being positives.

Jail terms for data misuse, absolutely!! Heavy monetary penalties against large corporations for failure to comply? Bring it on!!

There has not been much mention however, of the switch to explicit consent to process data, something that should be a common right of all individuals, rather than have these shoddy and shambolic clauses currently in place where you are not sure what you have signed up to. Couple that with the requirement to state clearly and in common language, what the data is to be used for and who it will be shared with makes processing much tighter and more controlled.

Another major area is the increased protection for children, which under these proposed Regulations, is currently planned to be someone who is under 18, and the requirement for parent/guardian sign up for under 13s.

There is also the requirement for Data Processors to be held as accountable as the Data Controllers when handling data and the requirements to have policies and processes in place that define what and how data is being used and disaster recovery plans built in. So far so good, these are all very positive steps and I welcome every single one of them.

On the downside however is the dropping of the requirement to notify, which could cause problems for the ICO revenue stream and also lead to unlicensed data misusers!!

Then there is the increased Data Access Request activity. This is the real downside of the proposed Regulation as it drops the fee (nobody will really miss that anyway) but it also reduces response time to one month rather than 40 days and the increased amount of extra information that will have to be supplied, such as length of time the data will be held, telling the applicant about their rights on erasure and correction and advising them that they have a right of complaint to the ICO. This is not so user friendly but when you look at the bigger picture, how many DSARs actually take 40 days? In my experience it is about 0.2% with the majority being completed in less than a week.

On to the right to be forgotten, this is new and allows for the individual to apply to have their data erased where it may just be stagnant or if there is no real rationale for keeping it. The data controller will need to advise all other users of those data that they will need to comply as well so there will need to be a log kept of who data are transferred to. I think this is aimed more at the Social Media sites where ‘information’ is used to profile people applying for jobs and that old photo of the lads on holiday with buckets on their heads may not be so good, therefore the applicant can ask for it to be removed as it is both excessive and probably out of date.

Just a few thoughts there to chew over, happy to discuss with anyone who wants to.


Posted in Breaches, Data Integrity, Data Protection, Data Security, EU Data Regulations, Fair Processing, Fixing Facebook, ICO, Information Commissioner, Information Security, Justice

A Couple Of Not So Healthy Uses Of Sensitive Personal Data

It transpires that a manager of a leisure centre, run by a local council, who was responsible for accepting people with health problems from their GP to enable them to have fitness sessions related to their particular condition, was being made redundant by his employer. To offset this he decided to branch out on his own and offer the same services but as a private rather than council run operation. How to get his message across was obviously a big hurdle, but one he had an ingenious idea to overcome: he emailed himself the data for over 2400 ‘clients’ including their sensitive medical details, which included obesity, diabetes, arthritis, and cardiac and mild mental health issues.

For the uninitiated this would be a brilliant way to get a leg-up into the health service world but, as we know from our Data Protection training, this is not the case. Indeed, when the Information Commissioner got wind of it he decided to prosecute the person involved and took steps to this end. He was helped by the fact that the ex-manager had set up his new business with the exact same name as the council one had been, Active options, and this proved to be his downfall as people complained to the council about the person involved contacting them and it was the council who flagged this up to the Commissioner.

He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court this week (May 22) where he was fined a total of £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. Section 55 of the Data Protection Act 1998, makes it an offence (with certain exemptions) to obtain, disclose or procure the disclosure of personal information knowingly or recklessly, without the consent of the organisation holding the information.

Christopher Graham, the Information Commissioner, said afterwards: “People have a right to privacy and the ICO works to maintain that right. Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law to benefit his new business. This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated. The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

This is the second Section 55 offence in this part of the UK this year as, in March, a former receptionist at a GP surgery in Southampton was prosecuted for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife. When she appeared at West Hampshire Magistrates, Marcia Phillips was fined £750 and ordered to pay a £15 victim surcharge and £400 prosecution costs.

Ms Phillips was found to have accessed the information on 15 separate occasions over a 16-month period while working as a receptionist at the Bath Lodge Practice. The breach became apparent after Phillips left her job and sent a text message to her ex-husband’s partner referring to highly sensitive medical information taken from her medical record.

So you see, although the data may be something you use on a daily basis it does not give you the right to use it outwith the reason it has been obtained. If you are caught you will, as these two cases prove, be prosecuted in the Criminal Court and be fined, obtain a criminal record and have your life and name tarnished.

Is it worth taking a chance? Absolutely not!!!!

And remember, Section 55 also refers to reckless loss of data so even if you make an error of judgement and give information to someone you cannot identify as having the right to that data, you could be liable under S.55 too and end up in court!!

For any help or further information respond to this post or go to http://www.kpgprofessionalservices.co.uk

Posted in Blagging, Breaches, Data Protection, Data Security, Fair Processing, ICO, Information Commissioner, Information Security, Justice

Do You Have Everything You Need To Process The Data You Hold?

This is becoming a very interesting question in the modern world of data retention and data management but too many companies are either holding insufficient data for their needs or, even worse, too much!! Either way, both are potentials for breach under The Data Protection Act 1998 (DPA) and the Information Commissioner’s Office (ICO) is starting to take notice of these types of things.

There are 8 data protection principles that organisations have to observe, but the three I want to focus on are that personal data must be:

  1. Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
  2. Accurate and where necessary kept up to date;
  3. Kept for no longer than is necessary for the purposes;

These cover the actual holding of the data and dictate what the Data Processor must do, and they are quite clear on the actions you have to take. If you are a company that is using your data for profiling/marketing purposes you really should be doing this anyway; unfortunately there are too many that don’t.

Let’s have a look at the three individually although I usually take all three as one combined ‘rule’ as they are all interlinked.

3: Personal data must be:

– Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;

This is really basic and means to you the user that you should only hold enough information about a person to enable you to safely process their data within the realms of your notification. Therefore, if you have too little data you are not realistically able to use that data for any active purpose as it is too sketchy. Also, if you have too much you are in danger of using it incorrectly and are open to at least an assessment being passed to you by the ICO. So the important thing here is make sure you only hold the data you need; if you are not using it then securely delete it, do not keep it ‘just in case’ as this is one of the measures of relevancy.

4: Personal data must be:

– Accurate and where necessary kept up to date;

Again, this is very self-evident and also good practice for any database: information you are holding and using has to be accurate, otherwise it is worthless and, in the eyes of the ICO, should never be used unless it is being updated by asking the customer to clarify and update their information. This should be a standard exercise for all data users, so make sure you check with your customers that the information being held is current; failure to do this could result in interest being shown by the ICO and a possible assessment, or worse if the result causes any damage to the customer.

5: Personal data must be:

– Kept for no longer than is necessary for the purposes;

But how long is long? This is a very crucial answer and one that requires you to have and use a Retention Schedule or Policy. These can be built by either a Practitioner like myself or by looking at the data you use, comparing it to the legal, statutory or best practice retentions and then tabulating it and ensuring everyone knows about it and what it means to them. It is often easier to get an external person to look at this as they have a different perspective on the data you hold and use and are more inclined to ask the question, “Why is this being held/used?” Create a data retention schedule/policy and circulate it to all staff to ensure they are aware that documents should not be disposed of until the agreed date.
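The tabulated schedule described above can be checked mechanically once it exists. The following is an added example, not code from the original post or from KPG Professional Services: it takes a constructed retention schedule (category to retention period in days, with placeholder periods that are not legal advice) and a handful of constructed records, and sorts them into records that are past their agreed date, records still within retention, and records whose category has no entry in the schedule at all, which is exactly the “Why is this being held?” question an outside reviewer would raise.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example schedule: category -> retention period in days, counted
# from the record's trigger date. The periods are illustrative placeholders; a
# real schedule is built from the statutory and best-practice periods that
# apply to each category of data the organisation holds.
RETENTION_SCHEDULE = {
    "customer_order": 6 * 365,
    "marketing_contact": 2 * 365,
    "recruitment_unsuccessful": 180,
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date  # when the retention clock started (order date, last contact, ...)


def review_records(records, schedule, today):
    """Classify records against the retention schedule.

    Returns a dict with three lists:
      'delete'       - record ids past the agreed retention date (securely delete)
      'keep'         - (record id, days remaining) for records still within retention
      'unclassified' - record ids whose category is not in the schedule, so nobody
                       has yet answered "why is this being held?"
    """
    result = {"delete": [], "keep": [], "unclassified": []}
    for rec in records:
        days = schedule.get(rec.category)
        if days is None:
            result["unclassified"].append(rec.record_id)
            continue
        expiry = rec.trigger_date + timedelta(days=days)
        if today >= expiry:
            result["delete"].append(rec.record_id)
        else:
            result["keep"].append((rec.record_id, (expiry - today).days))
    return result


# Constructed sample records (hypothetical ids and dates).
SAMPLE_RECORDS = [
    Record("ORD-1", "customer_order", date(2006, 3, 1)),
    Record("ORD-2", "customer_order", date(2012, 9, 15)),
    Record("MKT-1", "marketing_contact", date(2010, 1, 10)),
    Record("CV-7", "recruitment_unsuccessful", date(2012, 11, 1)),
    Record("MISC-3", "old_export", date(2009, 5, 5)),  # no schedule entry
]

if __name__ == "__main__":
    review = review_records(SAMPLE_RECORDS, RETENTION_SCHEDULE, date(2013, 6, 1))
    for bucket, items in review.items():
        print(f"{bucket}: {items}")
```

The review date is passed in rather than read from the clock so that the same run can be repeated for an audit; in practice the ‘delete’ list would feed a secure disposal process and the ‘unclassified’ list would go back to the data owner for a decision.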

If you would like to find out more about this or have a chat with me please either respond to this blog or use the contact page on my website – http://www.kpgprofessionalservices.co.uk

Posted in Breaches, Data Integrity, Data Protection, Data Security, Fair Processing, Information Commissioner, Information Security

Dame Fiona Caldicott Review: Her Further Recommendations – “unlawful personal data processing and sharing should be reported as ‘data breach’”

Dame Fiona Caldicott has recommended that all health and social care bodies should publish details of cases where they have processed or shared patients’ personal data without legal basis. This recommendation formed part of her report, commissioned by the Government, into the health and social care sectors’ practices involving information governance.

Her report further states that “The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach,” and she continued by saying, “There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations. A ‘data breach’ should be defined as any failure to meet the requirements of the Data Protection Act. This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data and inappropriate invasion of people’s privacy.”

She has identified that there is a “culture of anxiety” existing within these sectors and has found that personal information is not shared between professionals as often as it easily could be. She went on to say that “safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception”.

There should be no difference between the health and social care sectors and any other sector which captures and processes personal and sensitive personal data. They should be explaining to patients how the personal data that they are collecting and processing might be used, for example, in anonymised form for “research, audit, public health and other purposes”. They must also recognise their patients’ rights when collecting this data and explain that they are able to withhold their consent from this type of processing. In line with the rest of the data gathering industry they should also be told that they can change their decision on consent to sharing their personal data, and these sectors should be maintaining records of “any explicit decision of consent, including withdrawal of consent previously given”. Dame Fiona also said that patients should also be informed of the consequences of not providing consent.

She further clarified this by saying that, if personal data is fully anonymised the information is available to be “freely processed and publicly disclosed”; however, if the information has only been “de-identified by the use of pseudonyms or coded references” it is personal data and must be treated as such.

Dame Fiona further said that linking of de-identified personal data with other information that contains identifiers should only happen “in specialist, well-governed, independently scrutinised environments known as ‘accredited safe havens’”. The Health and Social Care Information Centre should set out, in the code for processing confidential information, what the “attributes” are for an accredited safe haven. “Data sets containing personal confidential data, or data that can potentially identify individuals (de-identified data for limited disclosure or limited access), are only disclosed for linkage in secure environments, known as ‘accredited safe havens’,” she continued. “The purposes for such linkage should be expanded to cover audit, surveillance and service improvement. Within the accredited safe haven, de-identified data for limited disclosure or access must not be linked to personal confidential data unless there is a clear legal basis to do so, and contracts must forbid this. This would re-identify the de-identified data for limited access, and be a data breach.”

Her report identifies that there needs to be national minimum standards on “data stewardship” that govern how the ‘safe havens’ operate. These standards should outline the bodies’ responsibilities for anonymising data as well as mandating the use of “privacy enhancing technologies”. They should also ensure “robust governance arrangements” are in place and that there are “clear conditions for hosting researchers and other investigators who wish to use the safe haven”. Dame Fiona also recommends that patients are given information about how their data is used and shared, and that details of who has had access to their sensitive personal information should also be made available to them “in a suitable form”.

Health Secretary Jeremy Hunt responded in a statement saying: “The Caldicott review has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments while respecting the privacy and wishes of the patient… If patients are to see the benefits of these changes we must respect the wishes of the small number of people who would prefer not to share this information. I firmly believe that technology can transform the quality of healthcare in this country, but we must always respect the fact that this is very personal information about an individual.”

Jeremy Hunt previously outlined his vision for a ‘paperless’ NHS by 2018. He said that “NHS patients should each have a digital medical record that public health providers can access “when necessary” and where individuals’ “permission” has been granted.” To my mind this produces further possibilities for breach given the NHS’ record on data loss…

Posted in Breaches, Data Integrity, Data Protection, Data Security, Fair Processing, Information Security, NHS

Does The Data Protection Act Need Beefing Up To Prevent Further Horse Play?

So, once again we hear of police officers, at all levels it would appear, using the PNC to access information on other people for their own ends and gains. This is becoming an all too common affair now and one that the Information Commissioner should really be stamping down on hard and looking for more support from Government to strengthen S.55 of the Act to introduce custodial sentences for those who flout the law!

It was interesting that several police officers were caught following the News of the World scandal and that it has come to light they were selling the information held on the PNC for their own profit to the journalists. This has gone on for years though and sadly we are seeing it on the increase as it is easier for people to fall into the trap of ‘I will not get caught’. However, this type of action is being seen as less of a sweep-it-under-the-carpet problem and more of a let’s tell the world one.

What really astonished me recently though, was the police officer who used the PNC for his own sexual gratification rather than selling on data. He was caught accessing the details of single women who had reported crimes and basically using the system as a dating service for himself, despite being married. Accessing the data is one thing but using it like this is such a betrayal of trust that I think the Act really does need beefing up and preventing this sort of tempting horse play to occur again!!

The Information Commissioner needs to look at his Act and realise that it is not much more than a paper tiger really, when it comes down to brass tacks. Yes, he has the powers to fine large companies for breaches but what about the ‘criminals’ who actually do breach like this? They are still constrained by a maximum fine of £5000 in the Sheriff/Magistrate Courts and an unlimited fine in the High/Crown Courts. But just how many people really get punished through these routes? I would reckon that there are hardly any prosecutions nowadays other than for non-compliance with the notification process, which is hardly a criminal act compared to what is going on elsewhere…

Things need to improve with The Data Protection Act, either repeal it and re-write it, as happened before or beef it up and get S.55 fully engaged and give this Act of Parliament some real powers before it is too late. I know this has gone to the parliament before and they knocked it back but why? Out of self-interest protection or something more that nobody is telling us about? What have the Parliament got to hide? Is there something lurking in those chambers that might cause an explosion that Guido Fawkes failed to ignite? So many questions that need answering and ones that I feel we should all be asking of the UK Government and local MPs else we will also find ourselves being brushed off by the Home Secretary along with the European Convention on Human Rights!!

So let us look at and lobby for greater powers under S.55, to enable custodial sentences and criminal acts to be recognised as such, rather than fine the poor unfortunates who may have not realised or forgotten to renew their notification. The true criminals are the people that illegally access the information then use it for their own means, not the Mandarins who sit so high up the food chain that beef and horse have no sway on them! If we can target them we can stop this cancer that is starting to eat into our very rights structure, before it transpires that someone has been killed through this criminal negligence.

I look forward to hearing your thoughts

Posted in Blagging, Breaches, Data Protection, Fair Processing, ICO, Information Commissioner, Information Security, Justice

Should Ticked Consent Be Valid?

How many times have you gone online to buy or book something and found that the website owner is asking your consent to send you other marketing or share your information with other third party suppliers? I would hope it is every time you go online; however, how many times have you found these boxes already ticked? More often than not, I would suggest, which means you have to ensure that you un-tick the box before proceeding to prevent the avalanche of emails from all and sundry hitting your inbox…

Given this scenario, it is interesting to hear that the European Parliament’s Civil Liberties, Justice and Home Affairs Committee is now proposing that the pre-ticking of these boxes be stopped as it does not give the individual their free and explicit right of consent. Basically under the current regime, consent boxes can be pre-ticked and the consumer then has to opt out of giving consent when, under best practice systems, everyone should only have to opt in, i.e. tick the box to say that they unequivocally agree to their data being processed in the way the website is saying it will. Thus consent is being freely given by the consumer and they understand what they are opting in to.

Now, is this fair? Looking from both sides of the fence you will get different opinions. From the consumer angle it will be a very definite ‘yes’ as it will decrease the amount of spam and junk emails they receive and also means they have greater control over what they are asking for and do not feel ‘tricked’ by what is often perceived to be sharp practice by the online marketers. From the industry you will get a resounding ‘no’ as this is their bread and butter: they sell on lists of consumers who have ‘opted-in’ to receive third party emails and e-marketing. The fact that this is done by using an enforced opt-in has nothing to do with the ethics of the situation; this is a marketing initiative that goes back many years to when we used paper forms and the wording was something like “XYZ Ltd will pass your information on to other interested companies it feels you will benefit from, if you do not want us to do this please tick here” and a tick box was added. This was not regulated at all and some companies would switch between the opt-out, as above, to an opt-in on their next mailing. This meant the consumer had to carefully read the opt-in/out statement to ensure they were ticking to receive or not receive.

This has transferred, in the current scheme of things, to the pre-ticked boxes in the online forms and, although this should be fully visible, is often buried in their terms and conditions or privacy notice, which the consumer should be reading but who actually does? So the business side of the equation believes that there is a precedent for supplying the pre-ticked boxes as this is what used to happen with the old paper opt-outs but is this right?

Basically I do not think there is any reason why the opt-out should be used in this day and age. We are all capable of understanding what we read and we should not be made to go hunting for something that is one of our basic rights, that of preventing unwanted marketing. The Information Commissioner has also said many times in the past that he believes the use of opt-outs should be stopped as it is an unfair burden on the consumer and is denying their rights. It would appear the EU is now coming to the same decision and I for one would support this all the way as I do not derive any pleasure from trying to opt out, but it is much nicer to be able to say “yes, I think I would like to receive information from you in the future”. In fact, I find myself using websites that make me opt out less and less, and this is the way forward; if we all did this how would they survive? I leave it to you to decide: should we be opting out or opting in?

I look forward to hearing your thoughts

Posted in Cookies, Data Protection, Email, Fair Processing, ICO, Information Commissioner, Information Security, Justice

Overcooking the Cookies?

Well, it looks like everyone is starting to use their cookie warning but is it going too far for the average user? There are many sites who just put the cookie notice up on the screen and ask you to confirm you are happy for them to attach a cookie to your computer and explains how to opt out from them in the future but the vast majority are starting to get a little tedious…

Many more sites are using the constant warning where every time you go to their site a cookie notice appears on a pop up, this also includes the site of the Information Commissioner’s Office, who I think should really know better!!

There are some others I have found who give you chapter and verse about the type of cookies they use, and the file name suffixes but unfortunately they do not tell you what they are used for, just that you have to accept or decline them, which to me is a waste of time unless you are extremely well versed in cookie culture and understand all the cookie types (does anyone??)

So, is this just an annoying trend that website developers are using to get people to complain about the cookie laws or is it just laziness on the part of the vast majority of sites, like the ICO? To be honest I am really not sure about it and think it does not really comply with the regulations as all it is doing is saying that at this time I am happy for my computer to hold a cookie from your website. My understanding is that we should be told that if we agree a cookie will be attached to the computer and it is for updating (or whatever) purposes. It should then show how to cancel the cookie at a later stage or, which would be a lot better, have another click through to turn off and delete cookies from that site available to the user. Why complicate the whole thing with this constant requirement to accept cookies from the sites you use all the time?

Well, it looks to me as though the cookie users have decided on a plan to make the public complain about this so as to get the cookie regulations changed into something they want to use rather than what is best for business… If we all start complaining to the ICO about them they may put it to the MoJ to relook at the legislation and come up with something more akin to what we had previously, wouldn’t they? After all, the ICO is doing exactly the same thing to hack off the users of their own website.

Folk are asking where we go from here; in my mind we need to ensure the cookie regulations are not diluted but the user’s experience is made better by changing the way they process cookie notices. Let’s make it mandatory for firms to ask only once for your opt-in to receiving cookies, with an explanation of why they are using them and for what purposes. They could even have a click through for the more technically minded who want to know what type of cookie is being planted and finally a simple click box to opt out of, and have removed, cookies from that website.

Am I being too simplistic? No, I am trying to make website owners be more compliant and make better use of their customers’ time.

I look forward to reading your comments

Posted in Cookies, Data Protection, Fair Processing, ICO, Information Commissioner, Justice, Uncategorized

Yahoo!! What A Breach That Was….

Well, it seems that a few days ago Yahoo! security was breached and the details of 450k passwords and user accounts were copied and published online by a group calling itself D33D. Yahoo! were quick to investigate this alleged breach and have assured customers that everything is now safely sorted out, but is it? ‘Computing’, the online magazine, checked some of the accounts and found they were still vulnerable and has suggested that the breach was worse than Yahoo! are making it out to be. With this being a very popular email and shopping site, Yahoo! should have had much stricter encryption policies in place to prevent this sort of thing happening.

D33D have assured users that there was no malice involved and issued the following statement: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

This breach prompted Boston-based data security expert, Marcus Carey, to state that “the key thing is from a corporate perspective: perhaps invest more in security. If Yahoo! didn’t encrypt their passwords, they were probably cutting corners on other things.”

So what does this mean for the hundreds of thousands of Yahoo! users? There will probably be a rash of strange emails floating around for a few days but their accounts will not be used by D33D for anything other than exposing the failings of Yahoo! However, if anyone else has been able to get hold of the account and password details then things may change and we will find a lot of spam coming out and suddenly email accounts becoming insecure. What can Yahoo! users do about this? Simple, change your passwords immediately to something that is secure.

I have espoused on this before but too many people have simple, basic passwords that they use because they are easy to remember and to input. If it is easy for you then it is easy for the hacker as well… People find creating a password quite a difficult task to do and fall back on their child’s or pet’s name, their date of birth or something even dafter like ‘password’ which is so common as to be unbelievable! Passwords do not have to be scientific equations but they do need to be more than a simple word to stop the easy access to your account. So if you use ‘rover’ as your password, it will be easier to hack into your account than someone who uses ‘S1mPl1cITy’. I am not saying it is totally secure but it goes a long way towards being there!

So what is a password? Passwords need to be long enough to prevent a hacker simply taking chances with random personal identities; they need to mix UPPER and lower case letters, numbers and characters and, if you have read my previous rant on passwords, should ideally be 15 characters long, as a minimum, to prevent Windows ‘remembering’ it in the operating system. Alternatively you could use a pass-phrase which could be something like ‘I_do_NoT_like_SpiDers_IN_my_hair’ which is easy to remember but really difficult for a hacker to get round.

But I digress; the management teams at Yahoo! have got to take responsibility for this breach and hold their hands up to it, not hide away behind corporate statements saying how well they have reacted to the situation (which they have not, incidentally!). This breach leaves all other generic email accounts vulnerable and I would suggest that everyone who uses a generic email supplier go away and change your password now before anything nasty happens…
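The two failings the post describes are separate: Yahoo! stored passwords without protecting them, and users chose passwords that are easy to guess. The following is an added example, not code from the original post or from Yahoo!, showing the defensive side of both. It stores passwords as salted PBKDF2-HMAC-SHA256 hashes (the iteration count and the `iterations$salt$hash` record layout are this example’s own choices) so that a copied user table does not hand out the passwords themselves, and it checks a new password against the rule in the post: at least 15 characters with a mix of character classes. Requiring three of the four classes is my reading of the post’s rule, chosen so that a pass-phrase such as ‘I_do_NoT_like_SpiDers_IN_my_hair’ (no digits) passes on length and mixed case while ‘rover’ and ‘password’ fail.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2; an assumption for this example, not a value from the
# post. It should be raised over time as hardware gets faster.
PBKDF2_ITERATIONS = 200_000
MIN_LENGTH = 15  # the post's minimum
MIN_CLASSES = 3  # of: upper, lower, digit, other (this example's interpretation)


def password_problems(password):
    """Return a list of policy failures for a candidate password (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "other": any(not c.isalnum() for c in password),
    }
    present = sum(classes.values())
    if present < MIN_CLASSES:
        missing = ", ".join(name for name, ok in classes.items() if not ok)
        problems.append(f"only {present} character classes (missing: {missing})")
    return problems


def hash_password(password, salt=None):
    """Return a storable record 'iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed lookup for everyone at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample passwords from the post plus two weak ones.
    for candidate in ["rover", "password", "S1mPl1cITy", "I_do_NoT_like_SpiDers_IN_my_hair"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'acceptable'}")

    record = hash_password("I_do_NoT_like_SpiDers_IN_my_hair")
    print("stored record:", record)  # no password text appears in the record
    print("correct password verifies:", verify_password("I_do_NoT_like_SpiDers_IN_my_hair", record))
    print("wrong password verifies:", verify_password("rover", record))
```

Had the leaked Yahoo! table held records of this shape rather than plain text, the attackers would have had to guess each password individually against a slow hash, which is exactly where the length and mixed-class rule earns its keep.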

Posted in Breaches, Data Protection, Email, Information Security, Password

Have Too Many Cookies Spoiled The Broth?

May 26th saw a year pass since the introduction of the new ‘cookie rule’ under PECR, but a few things still stand out. How many companies have taken this on board and actually done something about it? How many consumers really understand what it is all about and are happy with the consent system? Then there is the fact that Belgium, Denmark and the Netherlands are still to implement anything and are now looking at sanctions from the EC.

So how many companies have complied? It is hard to say, as there does not appear to be any controlling function that tests websites for cookie compliance. The ICO has made some investigations and it seems some companies are struggling to audit their cookies because of the sheer number of them, whilst others are still setting their plan in place. The ICO has also published guidelines on what companies should already be doing, but are they doing it? If they have not got cookie controls in place then they must have a firm plan for implementation and a short-term compliance completion date. Failure to do so could end up with formal undertakings or enforcement action being taken by the Commissioner.

The new legislation requires positive consent before a cookie is placed on a user’s PC, the one exemption being cookies that are strictly necessary for a service the user has asked for, such as a shopping basket or a login session. This has been vigorously campaigned against by many data administrators as overkill and likely to result in nobody allowing cookies. These fears seem to be unfounded, as more and more users seem to be allowing the cookie to be planted, but do they actually understand why they are allowing it, or is it just to get access to certain websites? I for one am happy with the new regime: my website does not place cookies, I am now able to manage them much more easily, and my laptop seems to be operating a lot faster for it too, but that is probably just coincidence……

The ICO guidance for companies has a few interesting stats about consumer awareness of cookies from a study of 1000 users.

  • 41% were unaware of the different types of cookie (first party, third party, Flash/Local Storage)
  • 50% were aware of first party cookies
  • 13% fully understood how cookies work
  • 37% had heard of cookies but did not know how they worked
  • 2% had not heard of cookies before the survey
  • 37% said they did not know how to manage cookies on their computer

This goes to show just how important the new regulations are as some of those stats are scary numbers and, just like with other new technology, the users have to be taught how it all works so they can decide what they want to do. In the interim it would seem that the planting of cookies will continue unabated for several years until the public get wise to what is happening.

The guidance given by the ICO is, as always, very informative but again, as always, very long-winded and in some places open to interpretation. One point made very clear concerns the first data protection principle (fair and lawful processing): all users of a website must be able to understand what is going to happen to their information, both the obvious and what is hidden in the cookie’s action. Implied consent is becoming a thing of the past as the public are being given back control of their personal information. Is that really as bad as the industry is making out? Surely if the consumer has more control then they will have more confidence in websites that are complying with the act? All that will happen is that the more unscrupulous websites will be found out and lose out, and is that such a bad thing? Do we actually want companies harvesting and selling on our personal data and likes to all and sundry? I certainly don’t want this and would suggest that this would be the same for most of the general public, of which I am also part….

Another important part of this is making sure the explanation about the cookies is in plain language and not couched in techno-babble, as I found on one site that I promptly turned off the cookie for! Which brings me on to another important area: the ability of the user to turn off cookies that they had previously turned on. This means that your cookie statement should appear on every occasion a user accesses your site, not just at random, so that they can withdraw their consent if they wish, and withdrawing it should actually remove the cookies already planted, not just hide the banner. I have seen quite a few websites where this is not happening and, if yours was one of them, you will have received an email from me explaining why I will not be using that site again. Just because it is electronically handled it does not mean the user has lost their rights of consent; rather they should be enhanced to ensure compliance. I remember back in the ‘old days’ when direct marketing companies harvested names and addresses (this is pre-email….) and there was a massive selling-on of these to anyone who wanted to pay for them. The consent tick-box soon followed and we had some regulation over how our data was used; all that has happened is that this time it is electronic. A lot of businesses went on about the cost of making this change, exactly the same arguments as 25 years ago, but it will soon pass and we will have something else to worry about…..
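What the consent rule means in practice for a site’s server is easier to see in code than in guidance. The following is an added Python example, not code from the original post, from the ICO or from any site mentioned: it gates non-essential cookies on the user’s recorded answer, leaves strictly necessary cookies alone, and expires previously planted cookies when consent is withdrawn. The cookie names, the `cookie_consent` record and the request/response shapes are all assumptions made for the illustration.

```python
"""Gating non-essential cookies on explicit consent, and honouring withdrawal.

Added example, not code from the original post or from the ICO: the cookie
names, the 'cookie_consent' record and the request/response shapes are
assumptions made for this illustration.
"""
from http.cookies import SimpleCookie

# Strictly necessary cookies (e.g. the login session) are exempt from the consent rule.
ESSENTIAL = {"session"}
# Everything else needs the user's positive consent before it is set.
NON_ESSENTIAL = {"_analytics", "ad_tracker"}
# Our own first-party record of the user's decision (assumed name).
CONSENT_COOKIE = "cookie_consent"
ONE_YEAR = 365 * 24 * 3600


def parse_cookie_header(header: str) -> dict:
    """Turn a raw 'Cookie:' request header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def consent_state(request_cookies: dict) -> str:
    """'granted', 'withdrawn' or 'unknown' (the user has never answered)."""
    value = request_cookies.get(CONSENT_COOKIE)
    if value == "yes":
        return "granted"
    if value == "no":
        return "withdrawn"
    return "unknown"


def record_choice(accept: bool) -> str:
    """Set-Cookie header that remembers the user's answer for a year."""
    return (f"{CONSENT_COOKIE}={'yes' if accept else 'no'}; Path=/; "
            f"Max-Age={ONE_YEAR}; Secure; SameSite=Lax")


def set_cookie_headers(request_cookies: dict, wanted: dict) -> list:
    """Return the Set-Cookie headers a response may send.

    Essential cookies are always set. Non-essential ones are set only while
    consent is 'granted'; in any other state they are not set, and any the
    browser still holds from an earlier visit are expired (Max-Age=0), so that
    withdrawing consent removes the cookies rather than just hiding the banner.
    """
    state = consent_state(request_cookies)
    headers = []
    for name, value in wanted.items():
        if name in ESSENTIAL:
            headers.append(f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax")
        elif state == "granted":
            headers.append(f"{name}={value}; Path=/; Secure; SameSite=Lax")
    if state != "granted":
        for name in sorted(NON_ESSENTIAL & set(request_cookies)):
            headers.append(f"{name}=; Path=/; Max-Age=0")
    return headers


def page_controls(request_cookies: dict) -> dict:
    """What the page must render on every visit, so consent can always be changed."""
    state = consent_state(request_cookies)
    return {
        "consent": state,
        "show_consent_prompt": state == "unknown",   # newcomers get the plain-language notice
        "show_withdraw_link": state == "granted",    # consenters can change their mind
        "show_reconsent_link": state == "withdrawn", # refusers can opt back in
    }


def demo() -> dict:
    """Three visits by one browser: first visit, after accepting, after withdrawing."""
    wanted = {"session": "s3cr3t", "_analytics": "ga-0001", "ad_tracker": "xyz"}
    first = set_cookie_headers(parse_cookie_header(""), wanted)
    accepted = set_cookie_headers(
        parse_cookie_header("session=s3cr3t; cookie_consent=yes"), wanted)
    withdrawn = set_cookie_headers(
        parse_cookie_header("session=s3cr3t; cookie_consent=no; _analytics=ga-0001"), wanted)
    return {"first": first, "accepted": accepted, "withdrawn": withdrawn}


if __name__ == "__main__":
    for visit, headers in demo().items():
        print(visit, headers)
```

On the first visit only the session cookie is set and the consent prompt is shown; after `record_choice(True)` has been stored the analytics and advertising cookies go out too; after the user withdraws, the response not only stops setting them but actively expires the `_analytics` cookie the browser was still carrying.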

The ICO has also published a webpage for the public explaining what cookies are and their rights. They also explain how to control cookies and where to get further information. A link to this is at the end of this text.

We are now hearing that three member states have not started compliance work or are nowhere near completing it and they now face legal sanctions. It will be interesting to see what the ECJ does in this case, as there is talk of daily ‘fines’ being issued until the legislation is enacted in these countries. Watch this space!!

ICO Guidance on the EU cookie law / e-Privacy Directive –  V3, May 2012

Cookies – Advice For Members of the Public – ICO


Posted in Cookies, Data Protection, Fair Processing, ICO, Information Commissioner, Information Security

Why All The Fuss About The New EU Data Protection Proposals?

Having read and re-read the EU Data Protection Proposals (EUDPP), I believe they will give much-needed strength to the current Act and will also make the handling of the data that is held more robust. There are a couple of downsides, but let us look at the whole thing and throw a new perspective on it.

Basically, the EUDPP is giving the data subject more power over what their personal information is used for and by whom. It is also giving them the right to have their personal information removed from a company database, with the third-party users of that data also notified that it is to be removed. From a citizen’s (data subject’s) perspective, this is a good control to have, as it allows them to pick and choose who they wish to process their data and also to prevent an unwanted barrage of marketing, sales and ‘information’ letters, texts and emails. It further prevents the secondary use of their information by other organisations the citizen knows nothing about. The citizen will also have the right to know who has been and is processing their data, and will be told when they sign up for something that they do not have to have their data further processed.

Surely this is a good thing? It gives us all the right to say ‘yes, I am happy for you to process my personal information’. You then have a definite customer rather than one who is constantly trying to get away from your unwanted contact and is unhappy with you. It also puts the onus on companies that sell names on to take responsibility for what they do. If a customer says they want no more contact and wants their information erased, then the company will need to ensure it notifies the other companies it has sold the data to (and made a profit out of).

Current legislation makes harvesting of personal data so easy and lucrative. As long as you have a set of T&Cs and an opt-out somewhere on the form/website then it is all OK. The ones that really get me are the companies that say ‘by placing this order you give us permission to pass your details on to other third parties we believe you may be interested in hearing from’. The chances of me being interested? Zero; I always cancel the order at that point!! We are legally required to collect personal data for a specified reason, not just so we can make a small fortune by selling it on. The current harvesting methods are more akin to the Russian factory trawler system than to any good direct marketing principle! Companies are hoovering up vast amounts of information that they process and use for profiling, then selling this enriched data on to other companies who do more of the same, to the detriment of the citizen. This new Regulation will torpedo the factory trawlers and the citizens will once again have a modicum of control over their lives. At the end of the day, would you rather have 100 happy customers who keep buying from you or 1000 unhappy ones who blog and moan about how bad your company is??

There will also be a new set of rules on what defines personal data, taking in online identifiers (IP addresses and even pseudonyms used in social networking) and location data, where an online placement shows exactly where you are; some search engines have this running in the background all the time, which is why you see everything local to you advertised first. The EUDPP is looking at restricting these, and it could cut both ways: more people are now used to their location being used online, and there is greater awareness of how IP addresses are used to help detect fraud and prevent SPAM, so with these suggestions I am not so sure it will be a good move.

Another area I do agree with, though, is the obligation to notify any data breach to the regulatory body without undue delay and, where feasible, within 24 hours of the breach being discovered. The number of breaches is rising fast but still not all breaches are notified. This is usually from fear of the repercussions, but at the end of the day, why should the company or individual losing the data get away with it? If it was my data I would certainly be up in arms about it and looking for something to be done, and quickly, yet more and more companies and government agencies are getting away with it.

The one area I must disagree with, though, is the removal of the £10 fee for a Subject Access Request. The amount of time and effort usually taken to fulfil these is ridiculous in some cases, and the fee does not even cover the cost of the photocopying, let alone the cost of getting someone to do the work! This, and the fact that they want companies to employ a Data Protection Officer to manage their DP requirements, may make even more companies decide that enough is enough and drop off the ICO’s radar, thus creating a lot of hidden data that is being illegally processed. Before you do that though, remember the EUDPP is also suggesting an increase in fines to €1m or 2% of the company’s annual turnover.

If anyone wants to discuss this then feel free, I am always open to debate.

Posted in Breaches, Data Protection, Fair Processing, ICO, Information Commissioner, Justice