- No to central communications database
- ICO strengthens its audit function
- EU opinion: UK privacy law inadequate
- New research suggests harm-based approach for data protection
- ICO takes enforcement action against the British Council for serious data breach
1. No to central communications database
The government has decided not to go ahead with the planned central communications database, and has instead launched a consultation on the collection and use of ‘Communications Data’. The Home Secretary, Jacqui Smith, writes in the consultation document: “I also know that the balance between privacy and security is a delicate one, which is why this consultation explicitly rules out the option of setting up a single store of information for use in relation to communications data.”
The communications service providers currently retain communications data for their own business purposes. The Data Retention Regulations 2009, which oblige Internet service providers and telephone companies to retain traffic and location data for 12 months, entered into force on 6 April. While the content of emails will not be monitored, the regulations allow the monitoring of log-in times, the duration of communications, and the IP addresses of the sender and receiver of a communication. The government now wants to extend this ability to data relating to communications services provided from overseas. As more and more service providers will be based abroad and use another company’s physical network, they may not be obliged to retain the data under the EU Data Retention Directive, and definitely not under the Regulation of Investigatory Powers Act (RIPA). Data retained by the communications service providers would continue to be accessible on a case-by-case basis to public authorities, subject to the existing safeguards under RIPA.
The consultation, ‘Protecting the Public in a Changing Communications Environment’, was published on 27 April and is available at http://www.homeoffice.gov.uk/documents/cons-2009-communications-data?view=Binary. Responses are due by 20 July to firstname.lastname@example.org.
2. ICO strengthens its audit function
The ICO is getting ready to take on its new audit powers. According to its Business Plan 2009/10, it plans to conclude 12 compliance audits during the year. These will include spot check audits on Government departments. The ICO is also planning to use external consultants to assist in its audit function.
There is a hint of increased resources ahead for the ICO’s audit function in its Corporate Plan 2009/12, published this week at the ICO’s conference in London on 13th May. The ICO is currently negotiating with the Ministry of Justice over the additional powers and penalties needed to implement its new audit role. The document states that the ICO will implement “an updated and strengthened Data Protection Regulatory Strategy…using additional staff and appointed experts to carry out audits and other inspections; and imposing the new sanctions in the most serious cases.”
Not yet clear is:
- How many audit staff will the ICO deploy? Until recently there have been very few ICO auditors (see http://www.privacylaws.com/Documents/Other/Terra_Incognita_workbook6_bil.pdf).
- How many of them will be direct employees?
- How many of them will be “appointed experts”? This term has not been used before by the ICO in the audit context, so it may imply the use of external auditors to help the ICO cope with its new powers to conduct spot checks in the public sector.
- How would external auditors be accredited?
- Who would pay for an audit to be conducted?
Such a panel of approved external auditors would need to be greatly expanded if the ICO fulfils its wish to have the power to conduct spot checks in the private sector without the consent of the audited organisations.
3. EU opinion: UK privacy law inadequate
The EU started infringement procedures against the UK in April over its implementation of the e-Privacy Directive. The Commission says that UK law is incapable of dealing with the confidentiality of communications. The problem presented itself, in particular, in connection with the complaints about the Phorm interception and profiling technology. The European Commission has made enquiries about Phorm since July 2008, but has not received a satisfactory response from the UK Government.
"We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications. I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications. This should allow the UK to respond more vigorously to new challenges to e-Privacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure UK consumers about their privacy and data protection while surfing the internet," stated Viviane Reding, EU Commissioner for Information Society and Media.
The UK has two months (from 14 April) in which to defend itself against these claims. Otherwise it faces being taken to the European Court of Justice.
Read more about behavioural online advertising, Phorm and the infringement case in the May issue of PL&B UK.
4. New research suggests harm-based approach for data protection
A study evaluating the strengths and weaknesses of the EU Data Protection Directive suggests that a harm-based approach would work better than the current bureaucratic regime. However, the authors from RAND Europe do not propose to abandon the Directive, saying that much could be achieved with better implementation of the current rules. The study recommends a range of self-regulatory tools and better accountability, for example through breach notification and data protection balance sheets identifying organisations’ data losses and data breaches.
Read more about this topic in the May issue of PL&B UK.
5. ICO takes enforcement action against the British Council for serious data breach
The British Council has been found in breach of the Data Protection Act after the loss of an unencrypted computer disc. The details lost include sensitive personal information relating to the trade union membership of over 2,000 members of staff. The British Council reported the data breach to the ICO as soon as it was aware it had taken place.
The British Council signed, on 17 April, a formal Undertaking in which it promises to take reasonable measures to keep personal information secure in future. For example, the British Council agrees to encrypt immediately all portable and mobile devices which are used to store and transmit personal information.
Copyright Privacy Laws & Business 2009