July 11, 2008 | Glyn Wintle

Data Sharing Review

The Data Sharing Review, commissioned by the Prime Minister last October to look at the use and sharing of personal information in the public and private sectors, published its final report today. The report argues that data sharing is shrouded in confusion and spotlights deficiencies in the organisational culture of those who collect, manage and share personal information. Its authors call for personal data to be handled, like any valuable asset, with respect.

We attended workshops with the reports authors and drafted a submission emphasising the risks rather than the benefits associate with data sharing. In the conclusion to our submission, we said, "If customers were to participate fully in the design and decision-making of the public services intended to benefit them it seems to us very unlikely they would come up with the centralised databases and data sharing approach of Transformational Government."

The report is 80 pages long (ignoring the annexes, all 112 pages of them) so if you don't have time to read it all, here are some points of interest.

The report neglects to make specific recommendations on any of the current or future large government databases. This is deeply regrettable as a missed opportunity to encourage respect for personal data and greater trust in the public and private bodies who store our data. Even if all the recommendations are followed, the impact of this report will be minor: a toothless regulator will gain some powers, medical research will become easier, and sale of the edited electoral register will be prohibited.

Based on the evidence we have collected and analysed, we believe change is necessary to transform the culture that influences how personal information is viewed and handled; to clarify and simplify the legal framework governing data sharing; to enhance the effectiveness of the regulatory body that polices data sharing; to assist important work in the field of research and statistical analysis; and to help safeguard and protect personal information held in publicly available sources.

Data Sharing Review Report Page 7

No recommendations about any of the massive government databases

During the course of our review, many people made comment about specific Government initiatives involving the wider use of personal information, including proposals for a national identity card and the related national identity register, and about ContactPoint. Our task however was not to look at specific projects but to review the general principles governing the use and sharing of personal information. For this reason, we make no recommendations about individual data-sharing schemes.

Data Sharing Review Report Page 14

That the review ignores projects like the National Identity Register, ContactPoint, NHS Spine, which are planned to collate personal data on the entire population and represent a major concerns for many of those who responded to the consultation, is shameful. Our response to the Data Sharing Review noted that: "Large databases which need to grant access to many hundreds of users will inevitably fail along one of three axes - scale, functionality or security."

Enhancing the effectiveness of the the regulator

A strong regulator is also needed to facilitate these cultural improvements. It is essential that the regulator has sufficiently robust powers and sanctions available to it; and that it is resourced adequately. We welcome recent changes in the law to provide the Information Commissioner with a power to impose financial penalties for wilful and reckless breach of the data protection principles and call on the Government to implement these changes quickly. We also believe that stronger inspection and audit powers are required and that new funding arrangements to enable effective enforcement are long overdue. We also recommend an important change in the nature of the office of the Information Commissioner in order to improve the provision of guidance and the regulatory oversight of the handling and sharing of personal information. We recommend that a Commission with a supporting executive team replace the single Information Commissioner.

Data Sharing Review Report Page 3

The Information Commissioner's Office (ICO) is widely seen as "a toothless tiger", because it lacks resources and enforcement powers, amongst other reasons. The Data Protection Act should include stronger penalties and sanctions, and the ICO should be given increased powers and resources to more effectively carry out his duties.

Recommendation 9: The regulations under section 55A of the Data Protection Act setting out the maximum level of penalties should mirror the existing sanctions available to the Financial Services Authority, setting high, but proportionate, maxima related to turnover.

Data Sharing Review Report

One reason why the Data Protection Act is not taken seriously in businesses, at Board level, is its lack of sanctions. Section 55A of the Data Protection Act provides a new fine for data controllers who recklessly or repeatedly allow significant data breaches. This new power was created during the course of the review and this recommendation hopes to increase the maximum fine.

To date prosecutions brought under the any part of section 55 have generally resulted in low penalties. Between November 2002 and January 2006, only two out of 22 cases ended with fines above £5,000. Other investigations led to frustrating outcomes, despite the harm caused to individuals and public confidence more generally. Since 2006 there have been two further successful prosecutions and a further individual cautioned, resulting in fines ranging between £3,300 and £4,200. This is pocket change to many businesses and does not present a significant deterrent, so we welcome the recommendation to increase maximum fines.

Recommendation 10: We also call on the Government to bring these provisions fully into force within six months of Royal Assent of the Criminal Justice & Immigration Act, that is, by 8 November 2008.

Data Sharing Review Report

This is a welcome call on Government to hurry up. We also cover this in more detail later under the heading Time table please.

Recommendation 12: We recommend that the Information Commissioner should have a statutory power to gain entry to relevant premises to carry out an inspection, with a corresponding duty on the organisation to co-operate and supply any necessary information. Where entry or co-operation is refused, the Commissioner should be required to seek a court order.

Data Sharing Review Report

There is wide support for the Information Commissioner to be given powers to carry out audits and inspections unannounced. The simple threat of a court order should be enough in most cases to allow voluntary access. That an individual or organisation has the right to review via court of law provides an important safeguard against bureaucratic abuse. The wording of law will require carefully review, but the concept is good.

Recommendation 13: We therefore recommend that changes are made to the notification fee through the introduction of a multi-tiered system to ensure that the regulator receives a significantly higher level of funding to carry out his statutory data-protection duties.

Data Sharing Review Report

The ICO lack the resources to promote, let alone enforce, proper information management practices. Greater funding may to make the ICO slightly more effective. The review seeks to secure increased funding by levying a higher annual charge on the small percentage of organisations that hold data on millions of people. The figure for most data controllers will remain at £35.00 per year. In reality this will at most double their budget, and so business's will still know the odds of being caught are extremely low.

Recommendation 8(a): Where there is a genuine case for removing or modifying an existing legal barrier to data sharing, a new statutory fast-track procedure should be created. Primary legislation should provide the Secretary of State, in precisely defined circumstances, with a power by Order, subject to the affirmative resolution procedure in both Houses, to remove or modify any legal barrier to data sharing by:

  • repealing or amending other primary legislation;
  • changing any other rule of law (for example, the application of the common law of confidentiality to defined circumstances); or
  • creating a new power to share information where that power is currently absent.

Recommendation 8(b): Before the Secretary of State lays any draft Order before each House of Parliament, it should be necessary to obtain an opinion from the Information Commissioner as to the compatibility of the proposed sharing arrangement with data protection requirements.

Data Sharing Review Report

This is a bad recommendation. It weakens safety checks and removes powers from parliament, in exchange for giving the Information Commissioner the power to state an opinion. This opinion in practice can be ignored if the minister wants to.

Developing a culture of respect for personnel data

Recommendations 1 to 5 are rather woolly and will have little concrete effect. They recommend training for staff handling personnel data, knowing what personnel data you hold, what you do with it and what the controls are, etc. Recommendation 5 is the closest to a nod in the right direction, but even here its worth pointing out that most organisations do not need to authenticate you, many interactions can be done anonymously.

Research and statistical analysis

Recommendations 15, 16 and 17 cover research and statistical analyses of personal data, for example, wherever possible, such data should be anonymised. The review team evidently received complaints from researchers because the report tries to make life easier for medical researchers. We note that legal barriers to information sharing are generally in place for good reasons, for example preventing incidents like HMRC losing vast amount of data. The second data protection principle states "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes." Data Protection Act 1998

Enquiry into online aggregation of personal information

Recommendation 18: We recommend that the government should commission a specific enquiry into online services that aggregate personal information, considering their scope, their implications and their regulation.

Data Sharing Review Report

This is an enquiry that ORG will keep an eye on. It mentions social networking sites but we cannot comment further without more detail.

Time table please

We strongly commend these recommendations to the Government and we look forward to a timely response. In particular we would like the Government, as part of its response, to set out a clear timetable for implementation and to report on progress in eighteen months time.

Data Sharing Review Report Page 10

P.S. It would be nice if the Government, as part of its response to this review, established a clear timetable for implementation so we do not end up one year from now asking "where are our reforms?"

[Read more] (1 comments)

July 07, 2008 | Becky Hogge

Growing the ORG community - and having fun doing it

Update: We've had quite literally tens of new supporters sign up to support ORG in the last week or so. Please keep telling your mates about Open Rights and why our issues deserve their support. Here's a recording from Open Tech, where Becky and Danny launched the ORG-GRO campaign.

Or if you want to download the MP3 ORG-GRO.mp3

ORG needs your help. Over the next five months, we want to do something really ambitious.

Not explain to MPs and record companies why DRM was a dead-end technology (done that). Not marshall a team of election observers to uncover e-voting bungling that could have swayed an election, and put electronic voting on the back-burner for years (tick). Not singlehandedly beat back the music industry's lobbying for copyright term extension in the UK (yawn, done it). Not even make sure Britain was safe for knitted Dr Who monsters everywhere (well, you get the idea).

No, what we want to do is *everything else* on our ever-growing list of digital rights fights. And to do that we need you. And your money.

And the money of all of your friends.

By December of this year, we intend to double the amount of financial support we receive directly from individuals who are concerned about the erosion of civil liberties in the digital age.

Why? Because we want ORG sustainable with money from individuals' donations. After all, we're here to protect individual rights for all tech users. And we think the best way to do that is through the direct advice and support of smart, well-informed individuals.

That's why, in 2005, ORG started with nothing more than 1,000 people pledging to give £5/month to fund a UK digital rights organisation.

Today, we receive the equivalent of roughly 750 of those fivers from ORG supporters (that's accounting for the fact that some folk give more than £5, while some chose to pay at our concessionary rate of £2.50/month). By 1 December 2008, we want that figure to be 1,500. But we won't be able to do that unless everybody gets involved and makes this happen. Here's how:

If you already support the Open Rights Group:

  • Get as many of your friends to join as you can. If every ORG supporter recruited just one of their friends, we'd reach our target. We're not beneath bribery, here: if you recruit three friends or more, we'll send you a glamorous ORG T-Shirt.
  • Double your support for ORG. If none of your friends care about digital rights, make an investment in their future now and they'll be sure to thank you later. If you double (or more!) your support to ORG, let us know and we’ll send you a special gift.
  • Do all of the above and do more. Get creative. Run a mini-ORG fundraising campaign on your blog. Approach strangers on the street. Knock on your neighbour's door. Sign up on behalf of your pets. If you've got an idea of how to enlist more people to the ORG community – go for it. If you need our help, get in touch.

If you're not already supporting the Open Rights Group

  • Start. Now. Then do all of the things we've just listed above.

1,500 regular supporters are enough to make ORG sustainable into the foreseeable future. We're not being greedy – we'll make every penny we receive from the Open Rights Group community count. To see what we'll spend your money on, click here.

This year and last we've received grants from organisations like JRRT Ltd and the Open Society Institute – for which we're very grateful. But ORG's heart lies with the views of its independent membership, and being funded direct by our community means we can represent your concerns 100%.

Over the coming months, we'll be announcing more initiatives and happenings that we think will help us reach that magic number.

And if we make it to 1,500 by December 2008, we'll throw a big party for everyone who helped us get there (note to self: do not spend all of new income on this party).

Databases that log where you go, what you buy and who you talk to and pass it on to state snoopers. Electronic elections that rob you of your right to vote. Constricted copyright laws that mean you can't even post your holiday snaps online. Every day, your digital rights are under threat. Supporting the Open Rights Group won't make it all go away, it won't mean we stop asking you to do stuff. It won't help you become even smarter and glamorous than you are now[1]. But joining the ORG community will ensure that in the corridors of Westminster, the warrens of Brussels, in the national and international media, and for years into the future that you know so well, and even now are helping to craft, your voice gets heard.

[1] Because that would be impossible.

[Read more] (12 comments)

Write to your MEP: say no to "3 strikes" through the backdoor

Could Europe be drafting a new law to disconnect suspected filesharers from the internet? MEPs have already signalled their condemnation of this approach. But last-minute amendments to telecommunications legislation could bring the so-called "3 strikes" approach in by the backdoor. If you want your MEP to stick to their guns on 3 strikes, write to them today to voice your concerns.

Back in February, we reported that the UK Government was considering a law to ban illicit filesharers from the 'net. A promised consultation on proposed legislation is yet to materialise (although we're still hoping it will appear before the Summer recess). Meanwhile, pressure on ISPs and rightsholders to come to a voluntary arrangement has had some effect, with both Virgin and BT recently starting to "educate" those customers they believe are infringing copyright in their use of p2p networks.

As we pointed out at the time, neither the voluntary nor the statutory approach will put a penny in artists' pockets unless accompanied by viable legal alternatives that deliver consumers what they want. A recent survey commissioned by British Music Rights [pdf] indicates that 80% of those currently downloading music would pay for so-called "legal p2p" - properly licensed and competitive filesharing alternatives. Rumours that industry is close to developing such an offer are yet to be confirmed. But without it, any enforcement move is likely only to drive illicit filesharing further underground.

Over in France, President Nicolas Sarkozy (who also took over the European presidency yesterday) has put his weight behind legislation proposed by the Olivennes report. The bill, which has been delayed until the Autumn, will mandate termination of internet connections. It goes without saying that it is the subject of much controversy across the Channel.

La Quadrature du Net - a French pressure group - have been actively campaigning on the issue. They're also tracking the progress of the Telecoms Package, a review of European telecoms law currently in the European Parliament. Ordinarily this bill would deal with network infrastructure, universal service and other purely telecoms matters.

But as La Quadrature du Net announced yesterday:

"One week before a key vote in the reform of European law on electronic communications ("Telecom Package"), La Quadrature du Net (Squaring the Net) denounces a series of amendments aimed at closing the open architecture of the Internet for more control and surveillance of users..

…this set of amendments creates the unprecedented mechanism known as graduated response in European law; judicial authority and law courts are vacated in favour of private actors and "technical measures" of surveillance and filtering. According to rules set forth by administrative authorities and rights holders, intermediaries will be forced to cooperate in monitoring and filtering their subscribers, or they will be exposed to administrative sanctions"

If you want to voice your concerns about 3 strikes legislation brought in through the backdoor in Brussels, you have until 7 July, the date of the vote in IMCO and ITRE committees, to contact your MEP and inform them that the "Telecoms Package" amendments could bring in disproportionate and ineffective law.

You can find details of your MEPs here. Suggestions for topics to raise in your letters are here and analysis and commented amendments with other resources about the Telecoms Package are also available.

[Read more] (75 comments)

July 02, 2008 | Becky Hogge

ORG verdict on London Elections: "Insufficient evidence" to declare confidence in results

ORG's report into e-counting of votes cast in the London Elections is out today. The report, which is the result of a huge team effort, finds that:

"there is insufficient evidence available to allow independent observers to state reliably whether the results declared in the May 2008 elections for the Mayor of London and the London Assembly are an accurate representation of voters’ intentions."

Votes for London Mayor and the 25 member London Assembly were counted electronically, and overall the election was well-managed by the independent body set up to run elections in London, London Elects.

However, transparency around the recording of valid votes was a major issue, leading many of our team of 27 official observers to conclude that they were unable to observe votes being counted. And while hundreds of screens set up by vote scanners showed almost meaningless data to observers, London Elects admit that the system was likely to be recording blank ballots as valid votes.

The report also details how London Elects are unable to publish an audit, commissioned from KPMG, of some of the software used to count the London vote, because of disputes over commercial confidentiality. The situation highlights the problems that arise when the very public function of running elections is mixed with issues of commercial confidentiality and proprietary software. In the context of a public election, it is unacceptable that these issues should preclude the publication of the KPMG audit.

London Elects will pay Indra – the company who supplied both Bedford and Breckland during last year's chaotic trials of e-counting technology in local elections – upwards of £4.5 million for delivering the London e-count. Today's report recommends a full cost benefit analysis of any future e-count, set against a properly costed manual count.

This cost-benefit analysis should include our report's five recommendations for improved transparency around the recording of valid votes in e-counting systems. The problems around transparency observed by the ORG team can be solved, but it is important to ask: at what cost? There comes a time when electoral administrators need to ask themselves whether electronic counting really delivers value for money to our democracy.

Huge thanks go out to all the observers who put in hard work and long hours to make this report possible. We are still in the shadows of the chaotic May 2007 e-count in Scotland, and the electoral timetable is likely to preclude the deployment of computers in elections for the next two years. However, in that time these deterrents may have faded and legislators may feel eager to experiment with e-counting again. This report should be top of their reading list.




[Read more] (13 comments)

June 30, 2008 | Michael Holloway

Supporter update - June 2008

The June 2008 supporter update is now available for your enjoyment. Read on...

[Read more]

June 25, 2008 | Glyn Wintle

HMRC "Datagate" verdict: further data loss "a distinct possibility"

Kieran Poynter has published his review of information security at HM Revenue and Customs. Yes, after a seven month wait, it's the official explanation of how it was possible for a junior official to lose discs containing records for 25 million individuals and 7.25 million families in the post. ORG is very pleased to see the review making sensible recommendations that should be followed not only by HMRC but by all government institutions. Information security should be seen as a priority. This report is clear in stating that in HMRC it was not.

The fact that information has value may be blindingly obvious to most of those who read our blog, but it is not so obvious to officials working in government. Poynter recommends that HMRC should hold the minimum amount of data required to perform its functions - a recommendation echoed by the Home Affairs Select Committee in their recent report A Surveillance Society?. Unfortunately, unless this Government can get over its addiction to large, centralised databases, data minimisation will be a distant dream.

The report also recommends that the transfers of digital data involving physical media should be phased out completely and computers (and in the short term, any removable media) should be encrypted. From the report it is clear that HMRC employees were unsure about who owned and was responsible for data. Insufficient security education and awareness is highlighted as an unsurprising explanation for the poor information security. And because HMRC did not understand how data moved through the organisation it was hard to effectively identify and manage its information security risks. Or, put a different way, if you do not know what you have got, where it is and who is doing what with it, it is impossible to guarantee that someone is not doing something they shouldn't be.

The data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office ("NAO"). The loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC.

The two major institutional deficiencies from which many of the more detailed issues flow were:

  • Information security simply wasn't a management priority as it should have been, and
  • HMRC had an organisational design which was unnecessarily complex and crucially, did not clearly focus on management accountability

So now to an important question: will it happen again?

HMRC has significantly reduced the risk of further data loss since the incident. However, when there are so many islands of information and so many data transfers going on, and while simple guidance is not available to staff, further data loss nonetheless remains a distinct possibility and more needs to be done. Investment will be required to continue the reduction of risk to an acceptably low level, although the review process is identifying data transfer practices which can simply be stopped at no significant cost.

Not the most reassuring answer. The good news is that a low level employee has not had all the blame placed on his head. The culture inside HMRC of getting things done quickly and cheaply at the expense of information security is singled out throughout the report.

... the more junior staff involved in the incident clearly voiced their concerns about handing over the data to the NAO, but were overruled by their immediate superiors - at least in part to save the cost of producing a bespoke set of data.

The HMRC Discgate affair has not solved Government's bad habit of losing valuable and sensitive data about individuals. A rolling log of data losses can be found on our UK Privacy Debacles page.

Richard Thomas, Information Commissioner, said:

I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred.

The reports that have been published today show deplorable failures at both HMRC and MOD. Whilst these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases. It is deeply worrying that many other incidents have been reported, some involving even more sensitive data. It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations. No chief executive can now say that data protection doesn’t matter.

It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them. To comply with the terms of the Enforcement Notices we will require HMRC and the MOD to use their best endeavours to implement all the recommendations outlined in the reports. We will also be monitoring the situation closely. We will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve Data Protection compliance. Failure to comply with an Enforcement Notice is a criminal offence. ‘I welcome the seriousness of the requirements and guidance for central government in the Cabinet Secretary’s Data Handling Report; this material should help chief executives across the whole of the public, private and third sectors achieve better compliance with the Data Protection Act and keep people’s personal details more secure.

A separate report by the Independent Police Complaints Commission said that "investigation found no visible management of data security at any level".

[Read more] (5 comments)

June 23, 2008 | Michael Holloway

Open Tech 2008 preview

Open Tech 2008 is an informal, low cost one-day conference on technology, society and low-carbon living, featuring Open Source ways of working and technologies that anyone can have a go at.

We don't usually flag events on this blog, instead we use Upcoming to publish events. Open Tech is exceptional because Open Rights Group was conceived at this conference in 2005. Our sessions at Open Tech 2008 will review the giant steps we've made and look forward to even greater things.

The programme is a three-streamed feast of 60 talks from the likes of mySociety, No2ID, OpenStreetMap, the Power of Information task force, ourselves and many others. Our sessions kick-start the day, beginning at 10.30am, when we'll share the stage with No2ID to present our current programme of works. The second slot at 11.30am will features Danny O'Brien telling the story of ORG and asking for your suggestions to help chart our future course. Recordings will be made available.

Open Tech logo

Besides these seminars, we're rounding up a posse of staff, directors, advisors and volunteers for a few drinks after the formal sessions close at 7.15pm. We're inviting everyone who cares about their digital rights to help us celebrate ORG and spot future issues. Here's all the details you need to be a part of Open Tech 2008:

When: Saturday 5 July 2008, 10.30am-7.15pm. Registration now open (Doors open at 10am, bar closes at 11pm) Where: ULU, Malet street, London WC1E 7HY (Zone 1, CC zone). Link to map. Cost: £5 on the door. The organisers expect to sell all tickets so pre-registry is strongly advised.

[Read more]

Term Extension "will damage Commission's reputation", top legal advisers tell Barroso

Today, the leading European centres for intellectual property research have released a joint letter to EU Commission President José Manuel Barroso, enclosing an impact assessment detailing the far-reaching and negative effects of the proposal to extend the term of copyright in sound recordings. With the confusion and disillusionment of Ireland's rejection of the Lisbon Treaty still ringing in the Commission's ears, the letter states:

"This Copyright Extension Directive, proposed by Commissioner McCreevy, is likely to damage seriously the reputation of the Commission. It is a spectacular kowtow to one single special interest group: the multinational recording industry (Universal, Sony/BMG, Warner and EMI) hiding behind the rhetoric of "aging performing artists".

"The Commission is required to conduct an impact study for each directive it proposes. We, the leading European centres for intellectual property policy research, have collectively reviewed the empirical evidence. Our findings are unanimous. The proposed Copyright Extension Directive will damage European creative endeavour and innovation beyond repair."

Read the letter and impact assessment in full. Further details are available from the Centre for Intellectual Property and Management.

[Read more] (5 comments)

: Electronic Voting - Response to Scottish Government's consultation on Electoral Reform-->
  • June 28: ORG Edinburgh: Social with Chief Operating Officer Martha Dark
  • ORG Aberdeen: Cryptonoise May 2018
  • ORG Glasgow: A discussion of the General Data Protection Regulation (GDPR)
  • ORG Aberdeen: March Cryptonoise event