Information Commissioner – June 2009

The current Information Commissioner is Christopher Graham, who replaced the outgoing Richard Thomas

Chris Graham ICO

Christopher Graham became Information Commissioner in June 2009. The Information Commissioner is appointed by HM The Queen and has independent status, reporting directly to Parliament, with a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws. The functions of the Information Commissioner’s Office (ICO) include promoting good practice, ruling on complaints and taking regulatory action.

Christopher’s career began at the BBC as a radio and TV journalist. Most recently he has been:

  • Director General of the Advertising Standards Authority;
  • Chairman of the European Advertising Standards Alliance; and
  • Secretary of the BBC.

He was a Non-Executive Lay Representative of the Bar Standards Board and a Non-Executive Director of Electoral Reform Services Ltd. He studied History at Liverpool University and his interests include media, music, singing, history and writing.

Data Theft and the Legal System

Recently more news has come to light about data theft: More people are implicated, more data has been misused, and the fines seem to be poor. This all raises more questions than it answers.

A few days ago Mathew Single was sentenced for publishing the BNP membership details, which he took from the BNP, i.e. data theft. The ramifications of publishing the data were a series of vigilante acts against the members. Regardless of your views about the BNP, they are a legal party, membership of the BNP is legal, and they have even won an election. However, vigilante acts and data theft are not legal.

Despite this the fine for publishing the data, for breaking the law, was just £200. Even the judge complained about the level of the fine.

In addition to this, more and more details of data theft are gradually leaking out. There have been allegations of Prince William and Prince Harry’s phones being accessed. Also, the previous Head of the Professional Footballers’ Association, Gordon Taylor, had his phone hacked by the News of the World. The News of the World paid £700,000 in damages, following a court case, “but on condition that details of the case were not made public”. How can such a major media outlet go to court, lose, and still manage to keep the details of such an important case secret for so long? The key word in that sentence is probably “major”.

The ICO has recently stated that it has been let down by the press, politicians and the court system: by the failure to create strong enough laws, and by the failure of the courts to enforce effectively the laws they do have.

Recently Steve Whittamore, a former police officer turned private detective turned crook, has come back into the news. He worked for a company called JJ limited and during his time there uncovered 17,500 pieces of personal information for over 400 journalists (from a variety of papers). The data he and his colleagues obtained varied from banking and telephone information to DVLA and PNC records.

In February 2004, Steve Whittamore and three others were all convicted of the offences they were charged with and received …… a conditional discharge. A conditional discharge, for those not familiar with the legal system, means nothing.

It means they went to court, got told they were bad people who had done a very bad thing, and then walked out, without so much as a peek at a prison. To criminals a conditional discharge is about as effective as sending a sex addict to a lap dancing bar. It just encourages them.

So, the laws are all a bit rubbish, the courts are useless, and the CPS could not organise a pissup in a brewery. But who is buying all of this data (other than journalists)?

So, Who buys Stolen Data?

[The article below has been re-published from July 2008 due to the current relevance]

A lot of the market for personal data theft is in the “gray/black” market.

Some companies specialize in the selling of personal information, anything from just the name and address (phone book/electoral roll) up to bank details, phone records etc. The reported costs of this data vary from $100 to $500. These companies, who sell the data to lawyers and businesses, may not “acquire” the information themselves, but rather subcontract it out, keeping the “dirty end” of the business very much at arm’s length. This means that the person who uses the data, apparently legitimately, is removed by at least two steps from the actual “data theft”.

One such example involved Mischon de Reya, a famous UK law firm, and Carratou, an investigation agency, both of which were involved in the purchasing of stolen information.

In this case Mischon wanted to find information about Mr Hughes, the former chairman of the now collapsed Allsports. Based on this, Mischon instructed Carratou to track down Mr Hughes. Carratou then instructed Sharon and Stephen Anderson, who are independent contractors. Sharon and Stephen then sourced a variety of information about Mr Hughes, including details of 11 of his bank accounts. They charged around £150 for each piece of financial data. They gained access to this information through phone calls (impersonating Mr Hughes), false letters, etc, etc.

Once the Andersons had “stolen his identity” and got the relevant information, this information was then passed from the Andersons to Carratou, then from Carratou to Mischon, and then to Mischon’s client. The whole incident only came to light when Mr. Hughes took Carratou to court to find out how they had accessed his bank accounts.

It has since been revealed that Sharon and Stephen Anderson made around £140,000 a year doing this, which equates to nearly 4 pieces of financial information every work day. This means that they are supplying a lot of data to a lot of companies.

Articles in the Guardian, Computer Active and the ICO

Other cases of people obtaining and selling data:

Man Convicted of selling personal data

ICO Publishes list of Media Buying Data

So, who buys the stolen data?

The media (who are always reporting on the data theft), people in the investigation industry (who are there to protect the public and businesses), and business (who are the victims of hackers and data theft).

Who suffers most? The public.

Electronic Discovery: Reviewing UK data from outside the EU

If data is processed and hosted in the UK, can it be reviewed from outside of the UK? How does the ICO view this? Does the Data Protection Act allow for review of data from outside of the EU?

Review platforms, such as Attenex, Relativity, RingTail, or IConect, allow reviewers to plough through very large numbers of documents, usually via a web browser. The reviewers can be anywhere in the world, as long as they have access to the internet. E.g. a Manchester case, with the data hosted in London, can be reviewed by a law firm in Bristol. This example, of 3 UK cities, does not pose any legal problems. However, what if the review is to be conducted outside of the UK? E.g. if the data to be reviewed is from the UK, is processed and hosted in the UK, but is reviewed by a New York law firm, what does the law state about this?

The UK legislation says both a lot and very little about the subject.

The Data Protection Act has 8 core principles; it is the eighth principle which is most relevant in this case. This principle states that “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

This means that data cannot be transferred out of the EEA without the permission of the custodian/person whose data it is, a safe harbor agreement, the consent of the EU, or another acceptable EU security measure.

What does this mean for reviewers? Is the data “transferred” out of the EEA during a review? The term “transfer” is not defined in the legislation. Tools like Relativity can prevent native documents from physically leaving the platform and only allow a “review” of the text or image (TIFF/PDF); this would imply that data was not transferred from the UK to the reviewer’s country (in this example the US), as it has not left anywhere. Also, the Act does not count transit as transfer.

However, the ICO takes a different view. The ICO’s opinion of 2nd March 2008, and previously implied by the ICO, is that reviewing data from the US (or any third party country) would effectively come under the eighth principle, as it is a transfer of data within the meaning of the Act.

This, taken alone, would imply that reviewing data from a third party country outside of the EEA would be an offence, which the ICO could prosecute for. With the ICO gradually gaining more powers to protect data and privacy in the UK, and pushing for more powers, the threat of a fine to law firms and data processors has to be taken seriously.

However, the ICO has stated that this problem can be resolved by a contract with the third party reviewing the data. For example, if Company A was hosting data from Company B, and Law Firm C, based in the US, wanted to review the data, a contract between Company B and Law Firm C, guaranteeing the protection of the data and suitable IT security by Company B and Law Firm C, should resolve the problem and prevent any breach of the eighth principle.

Legal advice from an independent law firm and the ICO should be obtained in relation to transferring data outside of the UK. This article is provided for information purposes only and should not be construed as legal advice.

Law: Data Protection Act Section Exemptions

Data Protection Act, Part IV

The Data Protection Act, Part IV, provides exemptions from the Act under certain circumstances. For example, Section 28 of the DPA provides exemptions for reasons of “national security”; this means that the data is no longer guarded by the data protection principles, Parts II, III and V of the Act, or Section 55 of the Act. The exemption from Section 55 is the most interesting, as this section makes it an offence to “knowingly or recklessly” obtain or disclose data.

Data Protection Act Section 27 Preliminary

(1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2) In this Part “the subject information provisions” means—

(a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and

(b) section 7.

(3) In this Part “the non-disclosure provisions” means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4) The provisions referred to in subsection (3) are—

(a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second, third, fourth and fifth data protection principles, and

(c) sections 10 and 14(1) to (3).

(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

Data Protection Act Section 28 National security

(1) Personal data are exempt from any of the provisions of—

(a) the data protection principles,

(b) Parts II, III and V, and

(c) section 55,

if the exemption from that provision is required for the purpose of safeguarding national security.

(2) Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.

(3) A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.

(4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.

(5) If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.

(6) Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question and, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.

(7) On any appeal under subsection (6), the Tribunal may determine that the certificate does not so apply.

(8) A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(9) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (2) shall in any legal proceedings be evidence (or, in Scotland, sufficient evidence) of that certificate.

(10) The power conferred by subsection (2) on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.

(11) No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.

(12) Schedule 6 shall have effect in relation to appeals under subsection (4) or (6) and the proceedings of the Tribunal in respect of any such appeal.

Law: Data Protection Principles

Under the Data Protection Act, there are eight principles that are regarded as the “core” of the DPA; they are defined in Part 1, Schedule 1 of the Act.

These principles are enforced by the ICO.

The eight principles are listed below:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.