A little bit about me...
I am a London-based lawyer specialising in privacy, data protection and data security law. My practice includes litigation and court-room advocacy. My client base includes major government departments, FTSE 100 companies and multi-nationals. I regularly undertake media work and am often quoted in the press. For example, I was the legal expert on the Channel 4 Dispatches documentary 'The Data Theft Scandal', which exposed security failings in the Indian call centre industry.
Posted on January 25, 2012 by Stewart
Have you ever had the misfortune to be involved in the immediate aftermath of a serious security breach? If you haven’t, let me tell you something for free: even with the best contingency plans and support from the best experts, it can be a brutal environment of chaos and stress, which can test the patience of a saint. You are focusing on understanding the angles, containment, recovery and mitigation, and if you get lucky you may come out of the first day with your sanity intact.
Against this backdrop of prior experience, I want to reflect on the new EU Data Protection Regulation proposal that serious personal data breaches must be reported to national data regulators within 24 hours of discovery. I kid you not. You read this right.
I’m at a loss as to what is going on within the EU’s thinking. Why is this stringent timetable being proposed? Seriously, what will be the benefit to data protection and privacy of this requirement? What will the regulator actually be able to add, other than providing some hyperlinks to website regulatory policies? Or does someone know something that I don’t, perhaps that regulators are experts on security breach handling? If you look at the ICO guidance on security breaches, you’ll see that it is fine as far as it goes, but it doesn’t add anything to that which a Chief Security Officer, or an expert security consultant, or an IT Co, or a GovCERT already knows. And there’s no criticism here, because ICO isn’t meant to be expert in these things and doesn’t pretend to be.
This new requirement adds an unnecessary compliance obligation that will be an unnecessary diversion and distraction from the key objectives of incident response. Why not continue with the requirement for telcos and ISPs, which is still not even 12 months old, namely that serious data breaches shall be notified to the regulators without “undue delay”? Surely, it would be better to see how that regime beds in before we start tinkering around with things in this way? And doesn’t the shift undermine all the assertions of confidence that the EU published in 2009, when they were saying that the without undue delay approach was the right thing to do?
I reflect also on the fact that in the summer last year the EU published a call for comments from telcos and ISPs on how to handle breach disclosure. The fruits of that work haven’t been published yet, which renders the new position thoroughly immature.
Hopefully, this proposal will be canned once the implications sink in.
Posted on January 25, 2012 by Stewart
After prolonged teasers and tasters the European Commission has finally published its proposal for a Data Protection Regulation, which will replace the 1995 Data Protection Directive.
The first thing that you notice is the density of the document, which is four times as fat as the current Directive. It occurs to me that if this is intended to simplify data protection compliance then it’s a funny way to go about this. Ah well …
The principal case for a Regulation is that it will help to reduce the differences in national legislations. That’s a fair ambition, but I recall that they said that about the original Directive. So let’s examine this a bit further. Will the Regulation achieve this objective?
Well, the fact that the Regulation will remove the need for national legislations means that we will be faced with just one legal framework, which is good. The new “Data Protection Board”, which will replace the Article 29 Working Party, should also help with consistency of regulatory approaches – because that is the Board’s role – so we have more reason to feel positive.
Yet, there is an Emperor’s New Clothes sense to the Regulation, because despite the innovations just identified we are still left with the fact that, operationally speaking, the national regulators have day-to-day freedoms to deal with problems in their countries the way that they want to. This means that the scope for national divergences has not been fully eradicated by the new approach. And this leaves us with considerable uncertainty. Add to this the fact that national courts and tribunals also retain their own discretions, and the scope for continuing divergences seems massive.
Of course, only time will tell, but my guess is that despite the legal and political tinkering we will still have different rules in different countries, or, at least, different practices on the ground.
Posted on January 11, 2012 by Stewart
The most interesting piece of data protection news today is the story that the Information Commissioner has informed Brighton and Sussex NHS Hospitals that he is planning to fine them £375k. We don’t know from the news reports whether this is one data controller or two, or, if two, whether they are to be fined £375k each, or if this is the total amount of two separate fines, but if we are talking about one single fine of £375k, then this really is big news.
So far the highest single fine has been £120k (or £200k, if you treat the Crossley case as such), so in that sense this is big news. But what interests me the most – and why I actually consider this to be big news – is the fact that ICO is getting perilously close to the £500k cap, which cannot be exceeded.
And so this raises the question: has ICO got its fining scale right? If we are to take £500k as being reserved for the extreme end of seriousness (which, surely, must be right) then does the insecure decommissioning of NHS computers get close to that level? Or can we imagine a security breach situation that would make such insecure decommissioning pale into insignificance in a relative sense? If we can, then these events get pushed down the scale of seriousness and the quantum, £375k, becomes difficult to justify.
You can argue the point both ways; after all, patient data is sensitive and it’s easy to see real distress being caused, perhaps even real “damage” (in the sense of pecuniary loss, including personal injury). So in the eyes of some, the insecure decommissioning of hospital computers might be the worst thing that can be imagined. And I know I wouldn’t be happy if my health records were affected. Yet these points on their own do not justify the quantum. Instead, you need the additional justifications of punishment, deterrent effect etc.
And all of this takes you to the key point of this blog, which is simply this – what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?
We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven its decisions so far.