ICO SIGNS UNDERTAKING WITH GOOGLE AND DEFENDS ITS STANCE

November 22nd, 2010 by Robin Hopkins

I reported in a recent post that the Information Commissioner had instructed Google to sign an undertaking aimed at any repeat of the breaches of the Data Protection Act 1998 committed during Google’s information-gathering for its Street View feature. That undetaking has now been signed, and a copy can be viewed here. It requires Google engineers to maintain a “privacy design document” for each new Google project prior to launch. It provides for further training and data protection awareness for Google engineers and other employees. The undertaking also assures the deletion of all personal data which had been gathered unlawfully, and provides for the Commissioner to audit Google’s revamped data protection procedures nine months from now. Interestingly, the undertaking applies to Google’s global activities and not just its UK ones.

The ICO has come under fire for being soft on Google. The Commissioner, Christopher Graham, has defended his stance, including in an interview with the Daily Telegraph which can be found here. In that interview, the Commissioner remarks that “a lot of people out there want somebody – probably not me – to be the privacy tsar. But that’s not what the Information Commissioner is”. Recent indications suggest, however, that the ICO could potentially take on a “privacy tsar” role – see the recommendations from its recent surveillance report, summarised here.

Tags: , ,
Posted in INFORMATION LAW | Comments Off

ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION

November 15th, 2010 by Robin Hopkins

The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

 “… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing: 

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.

Tags: , , , , , , , , ,
Posted in INFORMATION LAW | Comments Off

GOOGLE ESCAPES FINE OVER STREET VIEW CARS, BUT MUST SIGN UNDERTAKING

November 3rd, 2010 by Robin Hopkins

Google used cars equipped with cameras to gather material for its much-publicised Street View feature. The material was not confined to photographs, but also included data by which wi-fi hotspots could be located. Earlier in 2010, the ICO investigated this ‘payload data’. It concluded that the information it had inspected was not personal data, in that it could not be linked to identifiable individuals. The ICO stated, however, that it would continue to work with its international counterparts, such as the Canadian authorities, in investigating Google. This co-operation has now shown the payload data to include URLs, passwords and email details.

 

The ICO today announced that:

 

“The Commissioner has concluded that there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their wi-fi mapping exercise in the UK. He has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken. The Commissioner has rejected calls for a monetary penalty to be imposed but is well placed to take further regulatory action if the undertaking is not fully complied with”.

 

This follows the ICO’s press release on Monday, in which it commented that:

 

“It is also important to note that none of the regulators currently investigating Google Street View have taken direct enforcement action at this stage, with the US investigation led by the US Federal Trade Commission for example ruling out direct action, although mirroring our own concern that this data was allowed to be collected by an organisation who showed such disregard for international data protection legislation. This week the Metropolitan Police have also closed their case believing it would not be appropriate to pursue a criminal case against Google under the Regulation of Investigatory Powers Act (RIPA). Whilst we continue to work with our other international counterparts on this issue we will not be panicked into a knee jerk response to an alarmist agenda.”

 

The latter press release also explained the ICO is “keen to discuss with MPs and Ministers how we can further defend privacy on the internet as technologies and applications develop”. In this regard, the Guardian reports today that culture minister Ed Vaizey is proposing a new internet code of conduct and a mediation mechanism to resolve complaints by individuals against data controllers. He is reportedly meeting with the ICO today to discuss these matters. Watch this space.

 

Tags: , ,
Posted in INFORMATION LAW | Comments Off

ICO BEGINS TARGETED MONITORING OF TARDY AUTHORITIES

October 1st, 2010 by Robin Hopkins

The Information Commissioner’s Enforcement Team has begun cracking down on public authorities that habitually fail to respond to requests for information within the statutory limits. This morning, it began publishing a list – to be updated quarterly – of authorities whose timeliness will now be subject to specific monitoring by the ICO.

 

 Those on the list have either (i) been the subject of six or more complaints of delay in the last six months, (ii) exceeded the time limit by a significant margin on at least one occasion, or (iii) appear to respond in time to fewer than 85% of requests.

  

There are 33 authorities on the first monitoring list.

 

For the ICO’s statement, click here. For the debut monitoring list, click here.

Tags:
Posted in INFORMATION LAW | Comments Off

LABOUR PARTY IN THE DOG-HOUSE OVER AUTOMATED CALLS

February 11th, 2010 by Anya Proops

The Commissioner has this week issued an enforcement notice to the Labour Party in response to its act of making unsolicited automated marketing calls without consent to almost half a million people. The calls were made in June 2009 and were designed to encourage people to vote in the European elections. The ICO held that, notwithstanding their inherently political nature, the actions taken by the Labour Party amounted to unlawful ‘direct marketing’ for the purposes of the Privacy and Electronic Communications Regulations 2003. The enforcement notice requires the Labour Party to desist from making further automated calls without the recipients’ consent. Breach of the notice will amount to a criminal offence and could lead to prosecution. This is not the first time that a political party has received an enforcement notice in response to making automated calls. Similar notices have previously been served on the Conservatives, the Scottish National Party and the Liberal Democrats. See further the Commissioner’s press release on this issue.

Tags: , ,
Posted in Uncategorized | Comments Off

Demystifying Data Protection

November 27th, 2009 by Timothy Pitt-Payne QC

The Information Commissioner’s Office has just launched a Guide to Data Protection, available on the ICO website.  At the heart of the guidance is a detailed commentary on each of the Data Protection Principles, and on the conditions for processing set out in Schedule 2 and 3 of the Act.

The Data Protection Act 1998 is, notoriously, not user-friendly.  One of the problems is that so much of its central content is tucked away in the Schedules: for instance, you have to get as far as Schedule 7, paragraph 10 before you find out that there is an exemption to the right of subject access where information is protected by legal professional privilege.   So assistance in navigating the legislation is very welcome.

On a first glance, the ICO Guide looks as if it will be of real help – clearly written, comprehensive, but not unduly lengthy.  It will also be useful to those wanting to know how the ICO itself might interpret and enforce the Act.

Tags: ,
Posted in Uncategorized | Comments Off

Banned Aid

November 21st, 2009 by Timothy Pitt-Payne QC

In March this year the Information Commissioner took enforcement action against the Consulting Association, which had been operating a secret blacklist of employees in the construction industry, including details of trade union activity. We posted about this story here, earlier this year.

Today, the Guardian has extensive coverage of what has happened since.

The Department for Business, Enterprise and Regulatory Reform has now consulted on draft regulations under section 3 of the Employment Relations Act 1999. The consultation ended on 18th August 2009. The proposed regulations are intended to outlaw the compilation, dissemination and use of blacklists of trade unionists. They would make it unlawful to refuse employment, or to dismiss employees or subject them to a detriment, for reasons related to a prohibited blacklist. Individuals who suffer loss through blacklisting would be able to bring claims either in the Employment Tribunal or in the civil courts, depending on the nature of their complaint.

The trade union UCATT commissioned a report from the Institute of Employment Rights about the proposed regulations. The report, by Professor Keith Ewing, was published on 15th September 2009: it is entitled “Ruined Lives”, and deals specifically with blacklisting in the construction industry. It includes sample material from Consulting Association files.  The report gives a fascinating history of the practice of blacklisting, going back to the late 19th century. It suggests a number of changes to the draft Regulations, including: that keeping or using a blacklist, or supplying information to it, should be a criminal offence; and that there should be a right to compensation for the fact of being included on a blacklist, even if the inclusion does not lead to any loss.

A further point to note about the draft Regulations is that they deal specifically with the blacklisting of trade unionists (as does section 3 of the 1999 Act). So they would not assist individuals who had been blacklisted for other reasons; e.g. because of their political beliefs and affiliations, or because they have a history of raising concerns about health and safety issues.

A number of individuals have brought employment tribunal claims arising out of alleged blacklisting. The claims have been consolidated and there will be a case management discussion in Manchester ET on 24th November 2009. This blog gives further information.

Meanwhile the Information Commissioner’s Office (ICO) has taken control of the Consulting Association database. Individuals who think that they may have been blacklisted can contact the ICO; for more information, see this page of the ICO’s website.

Tags: , , ,
Posted in Uncategorized | Comments Off

Civil penalty notices: consultation

November 12th, 2009 by Ben Hooper

When the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if – in essence – the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.

 

The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be compared with the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and – for example – a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up only paying a maximum of £400,000.

 

One final point. The penalties are to be paid into the consolidated fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.

 

Tags: ,
Posted in Uncategorized | Comments Off

WHEN WILL THEY EVER LEARN?

November 10th, 2009 by Timothy Pitt-Payne QC

We call them “data protection duck outs”.  The New Zealanders call them “BOTPAs” (standing for “Because of the Privacy Act”).  Organisations do something silly, and then blame it on data protection legislation.

There’s a nice recent example. A parcel was addressed to a 9 day old baby.  Initially the Royal Mail wouldn’t deliver it to her grandfather, apparently because the Data Protection Act required the baby to sign for it personally.  Not surprisingly, the ICO has confirmed that the Act does not require anything of the kind.

Tags: , ,
Posted in Uncategorized | Comments Off

Paying for the ICO

October 2nd, 2009 by Timothy Pitt-Payne QC

Organisations that process personal data must notify the Information Commissioner’s Office, and pay an annual fee. Up to now the fee has been £35, for all data controllers. With effect from 1st October 2009, some large data controllers will instead pay a fee of £500.

The changes are made by the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009 No 1677). These divide data controllers into two groups: tier 1 organisations, which pay £35, and tier 2 organisations, which pay £500. All data controllers not in tier 2 are in tier 1.

A data controller will be in tier 2 if it satisfies the following three conditions: (i) it is not a charity or a small occupational pension scheme; (ii) it has been in existence for more than a month; and (iii) it has a turnover of £25.9 million or more for the data controller’s financial year and 250 or more members of staff, or it is a public authority with 250 or more members of staff. There are detailed provisions as to how turnover and staff numbers should be calculated for these purposes.

An explanatory memorandum issued by the Ministry of Justice gives the policy background to the change. Essentially it argues that large organisations cost more for the ICO to regulate, and so should pay a higher fee. The memorandum suggests that about 4% of data controllers will pay the higher fee, and that the extra annual income to the ICO will be about £4.7 million.

 A more interesting question perhaps – and one that the new Regulations do not affect at all – is who is obliged to notify the Information Commissioner. Anyone who uses a computer to process personal data is a data controller and obliged to notify, unless they are subject to an exemption. Under section 36 of the Data Protection Act 1998, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the duty to notify (and indeed from most of the rest of the Act as well). This is sometimes referred to as the “domestic use”, or “Christmas card list” exemption: if you keep your family’s Christmas card list on a computer, you do not have to notify the ICO that you are processing personal data, and you can spend the £35 on something else instead.

But what if you put personal data on to the internet? The Lindqvist case in the European Court of Justice suggests that the domestic exemption would not apply here, because information posted on the internet is available to all the world. Since Lindqvist was decided, there has been an explosion of blogging, and social networking, all internet-based. How much of this activity would come within the domestic use exemption remains unclear.

 

 

Tags: , , ,
Posted in Uncategorized | Comments Off

« Older Entries
Newer Entries »