Tag Archive for privacy

GDPR – the phoney war is over

FOIMan launches a new resource to help practitioners and others get to grips with the General Data Protection Regulation (GDPR).

Those interested in privacy had been waiting for years for the European Union to agree its new rules on data protection. Finally, in May of this year, the General Data Protection Regulation (GDPR) became law. Cue party poppers all round.

The party was well and truly pooped though a month later. Instead of starting a long campaign to educate colleagues and businesses about their new obligations (which take effect from May 2018), practitioners have been forced to spend the summer and early Autumn speculating about what BREXIT means for GDPR. Even if they wisely chose to continue their preparations, their words fell on stony ground as those in charge looked to government for a decisive message more informative than “BREXIT means BREXIT”.

Thankfully we now have more clarity. During a committee hearing last week, the Secretary of State for Culture, Media and Sport, Karen Bradley, stated that:

“An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” (Oral evidence to the Culture, Media and Sport Select Committee, HC 764, 24 October 2016, answer to Q.72)

So whilst there’s still a possibility that the rules will change again in a few years, at least we now know that GDPR is coming to stay and will be with us for a while. Long enough for us to give it a bedroom and clear some drawer and wardrobe space. Maybe even to cut it a set of keys.

In the meantime, the hands of the clock have been moving apace. There are now just over 18 months to get your house in order, which is not long given how much you need to do to make sure that you meet GDPR’s exacting requirements.

Thankfully there are lots of places to look for help. And now I’m adding to the list. I’ve added a new section to the FOIMan site dealing specifically with data protection reform and GDPR. There are free resources to help you understand your obligations, and suggestions as to where to start your preparations. There’s also a link to the GDPR itself in case you need it. I’ll be updating this page from time to time and adding new links, resources and suggestions so keep popping back for more as your preparations continue.

Divided by a common language – personal data and openness

A few months ago I was fortunate enough to travel to New York for a few days’ holiday. Sheltered soul that I am, this was my first visit to the USA.

The whole trip was fabulous, but you’re not here to have my holiday snaps inflicted upon you. The only down point really, as many others have found in recent years, was trying to get into the country.

I’d already had to complete my ESTA (electronic entry visa), and on the plane I was given a Customs Declaration form to fill in. On arrival I stood in line for about an hour whilst we were herded through the cramped arrivals hall and towards one of the immigration officials, sat in their cubicles of bullet-proof glass. Despite the posters promising friendly and courteous staff, when the time came for me to stand in front of one of these officials, he glowered at me suspiciously (fair enough, some might say), barked instructions and interrogated me as to my intentions. I’ve never been on trial, but my first experience of the US made me feel a little like I suspect I would as a defendant in the dock.

Things improved immeasurably from that point on. But the point is that throughout the process of entering the US, I was asked for a great deal of personal information. Now, it may cause you to roll your eyes heavenwards, but I found myself entertained during my long wait in the queue by contemplating a passage of small print on the back of the Customs Declaration form. It read:

“PAPERWORK REDUCTION ACT NOTICE: The Paperwork Reduction Act says we must tell you why we are collecting this information, how we will use it, and whether you have to give it to us…The estimated average burden associated with this collection of information is 4 minutes per respondent or record keeper depending on individual circumstances. Comments concerning the accuracy of this burden estimate and suggestions for reducing this burden should be directed to US Customs and Border Protection…”

This was in exactly the position that UK or European forms would place a Data Protection notice. What I thought was interesting is this. Here in the UK (and across Europe) we are increasingly concerned with what government and other organisations do with the data that they hold about us. We reacted with horror when HMRC lost two CD-ROMs containing details of 25 million families. It seems not a month goes past without the ICO issuing press notices about the latest NHS Trust data breaches, and they can now fine organisations up to half a million pounds in the worst cases. And the metaphorical and political blood that has been spilt over proposals for ID card and NHS patient databases could fill the country’s blood banks for the next decade.

Yet in the US, the equivalent concern is for bureaucracy. All very well and good, we’d all like to see less of that (yes, even us public employees). But that’s apparently the concern that takes priority over privacy. Of course, in limiting paperwork, a side effect may well be that less personal data is collected, but this, or the protection of that data, is not the driver over there.

I was reminded of my post-plane perusals this week when I happened across a news article about a US court case reviewing an FOI appeal. In the US they don’t have an Information Commissioner, so anyone appealing against a public authority’s decision has to take the case to court.

The request was from a civil liberties group who wanted to have copies of the images taken by airport scanners. This has become quite a concern of late in the US (as here), as the latest scanners are reputed to reveal in intimate detail the contours of the human body. The judge in the court case upheld the authority’s decision not to disclose the images.

Now this in itself didn’t surprise me. I’d have assumed that if the images really do allow the sort of insight that most people only allow their intimate partner, then there’d be a reasonable argument to withhold the information on personal data or privacy grounds. But the story appeared to suggest that they’d been refused not for those reasons, but on the grounds of national security, as potential terrorists might be able to find ways to fool the scanners through analysis of the images.

This looks like another example to me of where US culture, law and politics are subtly, perhaps significantly, different to ours. They don’t have data protection laws. UK organisations are only allowed to exchange data with US businesses because of something called ‘Safe Harbor’. This means that US businesses can register with the US authorities promising to handle personal data in line with principles similar to our Data Protection Principles. But the only reason they do this is because otherwise they wouldn’t be able to do business with European bodies, public or commercial. Importantly, it’s voluntary. It’s a completely different mindset.

So why is this significant? And why am I talking about Data Protection on a blog about FOI?

Well-known freedom of information campaigner and freelance journalist Heather Brooke has a new book out called The Silent State. I’ll be up front and say that I haven’t had chance to read it yet. But by all reports it repeats something that she has said on many occasions before.

Heather is from the US and began her journalistic career there. One of her biggest complaints about public authorities in the UK is that they are secretive about the names and contact details of public employees. Apparently, in her native state the names, job titles, contact details and salaries of all public employees are published on-line. Not just senior executives. Everyone, from the street sweepers to the Chief Executive.

Her argument is that the UK’s culture of secrecy makes it inefficient and bureaucratic. That people hide their ineptitude behind the high crenellated walls of their particular public employer. And of course that things are much better in the US where they are open about who is doing what.

Conservative commentator Peter Oborne has written gushingly about Heather’s agenda. He comments that her connection of secrecy and inefficiency:

“…is a Tory insight and if David Cameron has real courage he should make Heather Brooke’s radical agenda his own.”

I don’t doubt that some public authorities are too secretive, and should be prepared to make more information available (and be less defensive when they receive FOI requests). And personally, I have no problem with my details being made available on my organisation’s website (they are). I could even accept my salary being published.

But I equally understand that some people don’t feel comfortable with that. Perhaps they resent the idea of such a degree of openness. They may see this as yet another ‘punishment’ for the ‘crime’ of taking a job in the public service. But they also may have very good, personal, reasons. Should the individual who has moved on to a new life after escaping an abusive relationship be forced to work in the private sector because they don’t want their former partner to track them down? Should anyone who fiercely defends their privacy be restricted in this way?

Most would agree that publishing details of the most senior and public facing officials is a good thing. But in reality, why would you want to know the name of the street cleaner? If you’re not happy with their work, your local council presumably provides a mechanism to report that. Is the idea that you should be able to directly confront them, vigilante style, if you find a cigarette stub on the pavement outside your house?

We have a tradition in this country of respecting individual freedoms. Our culture and our law recognise the importance of privacy and particularly of how personal data should be handled. There may well be virtue and value in publishing more details about public officials. But before we start to bash public authorities over the head with their perceived secrecy over their employees, we ought to consider what it is that we really want. Do we want our current model which balances the need for government openness with the need for individual privacy? Or do we want to make a significant shift to a US model where protecting personal data is much lower down the agenda?