Archive for January, 2011

A Cautionary Tale For Scottish Data Controllers

The Scottish Court Service (“SCS”) has been rebuked by the UK Information Commissioner’s Office (“ICO”) following a breach of the UK Data Protection Act.

The way in which the ICO learned of the breach is quite interesting, and is a cautionary tale for any organisation which controls data.

Last September Scottish tabloid The Daily Record published details of the discovery of court appeal files at a recycling area close to a special school in Clarkston, Glasgow. The files included details of a rape victim, and details of boys aged between 7 and 12 at the centre of abuse allegations.

The newspaper report came to the attention of the ICO, and a subsequent investigation by the ICO found that the papers had been “lost” (or, perhaps more accurately, “left for recycling at a public recycling area”?) by the editor of a series of law reports, and that the SCS, as data controller, had failed to meet its duties under the Data Protection Act to check how this individual intended to keep the shared information secure.

The SCS has signed a formal undertaking obliging it to ensure that personal data is processed in accordance with the Seventh Data Protection Principle (relating to the security of the processing as a whole and the measures taken by the data controller to provide security), and in particular to ensure that:

1. all staff are aware of SCS’s policy for the storage, use and disclosure or sharing of personal data (and are appropriately trained how to follow that policy);

2. adequate checks are carried out on contractors’ staff, and all parties to data-sharing will enter into a Memorandum of Understanding with SCS; and

3. compliance with SCS’s policy on data protection and with any such Memorandum of Understanding is appropriately and regularly monitored.

These strike me as sensible procedures which any organisation that controls data would be wise to follow.

ACS Law – No More Threatening Letters?

The BBC have reported on the recent court case in relation to ACS Law.

ACS Law was notorious for sending out letters that say “pay us £500 or we will take you to Court for infringing copyright by illegal downloading”. These letters were sent en masse and fairly indiscriminately.

The facts and case are all well summarised in the BBC report.

Here is my take:-

1. I always thought (and advised) the letters were a “shakedown”. That is, ACS had no intention of taking anyone to Court (because that would not have been economic). Rather they hoped to scare people (including innocent people) into paying (much more economic). So I was slightly surprised that any of these cases ended up in a Court. Perhaps the strategy was to get a few “wins” to increase the fear factor.

2. It’s hard to have too much sympathy for Mr Crossley – but he does seem to have suffered quite a lot of abuse by the self-appointed guardians of the Internet, and I never did care too much for any self-appointed police force that operates without any rules (“Who watches the watchmen?”).

3. Don’t get too excited about the “withdrawal of ACS Law” from this area. There already appears to be a successor lined up called  GCB Ltd (and it “smells” like it is run by the same people).

4. My initial take is you still shouldn’t pay up if you get one of these letters. Just file the letter, but don’t reply.  If you subsequently get served with official looking Court papers then consult a lawyer.  Even then, given how IP addressing works I think ACS/ will find it hard to make the relevant charges stick.

5. Judge Birss couldn’t be the fresh faced (but worryingly smart) barrister I instructed on a software copyright infringement case in the mid 90s, could it? Crikey it is! Does this mean I am old?

Oh, and happy new year.

Innocent until proven guilty – tell it to the insurance company

Possibly not the most festive post but I was struck by a recent report in the press (Herald, 15 December) that the police in Strathclyde had opened up a new war on organised crime by passing on information to insurers on “gangsters” in order to make it more difficult for them to get life insurance which would pay out to their families in the event that they are killed.

Whilst it is difficult not to empathise with the general sentiment that honest law abiding punters are picking up the tab for these sorts of claim because “gangsters” won’t ‘fess up their occupation (presumably) when they take out the insurance, leaving insurers taking on a risk which they have not priced, the arrangements that have been put in place (if the report was correct) do raise a number of important issues (and concerns).

Firstly, the police have apparently agreed information sharing protocols with a number of insurers but are declining to say which ones.  The reports suggest that part of the reason for that is the fear of reprisal but it’s not really clear who would be at risk since (again, presumably) if a “gangster” knows that the police share information with insurance company X then he (or she) would probably avoid that insurance company when thinking about his (or her) life cover.

Secondly, and in my mind as importantly, some of the information is such that it needs to remain confidential and can’t be disclosed to the individual concerned.  As the senior officer quoted in the article put it, “Some of the information we give – because of the how, the where and from whom we got it – can’t be used in court. But that does not mean we should sit on the information and not share it with other legitimate bodies.”  Again, difficult not to empathise at one level but suppose the information concerned was just plain wrong.  Maybe the information relates to one individual who is, indeed, a “gangster” but because he has a common name, it is wrongly tagged to another individual.  Or perhaps, the information is just wrong – full stop – and an individual is tagged as a “gangster” and he actually isn’t.  Presumably, you have your insurance application declined and can’t work out why because the information on which the decision was based is never disclosed to you.

Don’t get me wrong. This blogger is all for doing whatever can be done to make life as difficult as possible for the criminal fraternity but am I the only one to have concerns about information about individuals being shared on a covert basis without that individual (a) even knowing it is happening, and (b) getting the chance to challenge the accuracy of the information? I know that many people will take the view (my mum amongst them!) that the ends justify the means and that gangsters don’t deserve any protection but there needs to be some transparency around data sharing because without it, how do we hold accountable those who are holding the data and sharing it around? Gangsters today, who knows who tomorrow.

A final thought and it might just be my ignorance of all things “gangster” related but if someone is murdered in gangland violence would that not be the time for the insurance company to look at the claim and take a decision as to whether the original application made full disclosure of all relevant circumstances?  Just a thought.
