DPO Daily

A daily nugget of UK GDPR or privacy info: cases, books, hints and tips for the busy DPO or IG pro (from Tim Turner).

About us

A daily nugget of UK #GDPR or #privacy info from Tim Turner (2040 Training) - interesting cases, challenging questions, plus practical hints and tips for the busy Data Protection Officer or IG professional.

Website: https://2040training.co.uk/dpo-daily/
Industry: Information Services
Company size: 1 employee
Headquarters: Wilmslow, Courthill House, 60 Water Lane
Type: Privately Held
Specialties: UK GDPR and Data Protection

Locations

  • Primary
    Courthill House, 60 Water Lane
    2040
    Wilmslow SK9 5AJ, GB

Updates

  • My time at the Information Commissioner’s Office was brief and undistinguished, but I learned a lot, not least a healthy scepticism for the organisation and its senior staff. There have always been a huge number of hard-working, dedicated people at the ICO. They were and are the majority. But equally, Wilmslow has never known a shortage of donkeys, although I believe the paddock is more densely stocked in London these days. Nobody is infallible. No person, organisation or group is incapable of being wrong. I’ve had variations of the same conversation dozens of times. I say something along the lines of the Commissioner or a senior ICO staffer is talking nonsense, and someone brays like a horse. Surely you’re not saying you know better than the Commissioner? Am I saying that I understand UK Data Protection better than someone who literally just arrived from New Zealand / Canada / the Advertising Standards Authority? Yes. Next question? It’s not even a bold claim. If we pick John Edwards, his long service in New Zealand doesn’t make him an expert in UK data protection, any more than my experience and knowledge would pay off if I decamped to NZ. It would take me a long while to find my feet. He's got less experience of our jurisdiction than most people reading this, and experience generally builds expertise. It would be nice to think that august panels like the European Data Protection Board never make mistakes. But such panels are comprised of people. People make mistakes. They sometimes substitute opinion and policy for logic. They say how things should be, not how they are. They react instinctively and emotionally. They get captured by groupthink. This is not to say that authority figures are always wrong or that off-beat opinions are always right. But 'X cannot be wrong' isn't a legal analysis; it's a doctrine. There are a number of qualities that a good data protection practitioner needs. They can be innate or they can be learned. One of the most important is scepticism, a willingness to ask questions and to have debates. Don’t take things at face value. Don’t follow the herd. Adopt a stance because you think it’s correct, not because it’s popular. And of course, be willing to admit when you get something wrong.

  • Today, I'm sharing a post written by Jon Baines; there are two reasons why you should read it. The first is the point he's making: including lack of availability in the definition of 'loss' when considering whether an incident is a personal data breach is the wrong approach. Even if the people doing that are the Commissioner and the European Data Protection Board (the latter being a heavy influence of me probably getting it wrong), that doesn't mean they can't be mistaken. The second is the way Jon breaks the issue down carefully and methodically. This is the way data protection questions should be considered - not with your gut, or some guidance, but by laying out the relevant factors. Of course, there may be a lot of room for judgement or policy within the factors, but the steady and precise approach is the right one. And as it happens, working out whether an incident is a PDB has less room for manoeuvre than other questions. Many adverse incidents that are evidence of GDPR breaches are not PDBs; some PDBs are not breaches of the GDPR. https://lnkd.in/enRK-Swf

    Crowdstrike and personal data breaches: loss vs unavailability (http://informationrightsandwrongs.com)

  • Are the specifics of an individual who had an accident in a Derby school playground in 2006 personal data? According to Derbyshire Live, Derby City Council has paid £10,668 in compensation to a former school pupil who sustained a serious head injury. The incident happened in 2006 but for some reason, the payout only happened in the past year. The details have been released due to an FOI request. The kid's name and school were not released, but this information was: "A pupil was in the school playground when they were pushed by another child into an exposed metal hinge on a gate support. The pupil suffered severe laceration to the forehead resulting in permanent scarring." I have no idea who this person is, and I cannot think of a way of finding out. However, if you went to school with the unfortunate pupil, you may well remember that time they got their head slashed open. If you do, you now know that they've just been given ten grand. If you don't already know about the injury, you won't be able to work it out. If you have a friend with a scarred forehead, you won't know for certain that they're the recipient. But I doubt Derby's schools were full of kids getting head trauma from hinge accidents, so I suspect it's just the one person. I thought about doing one of my little 'vote today, my answer tomorrow' posts, but I think this one is clear. By releasing the details of the accident, Derby have disclosed identifiable personal data. There is a public interest in knowing that the council paid out £10000 in compensation to a nameless pupil, but there is no legitimate interest in disclosing the details. I think the council got this wrong. https://lnkd.in/edj79f8a

    Former Derby school pupil wins £10k payout from council (derbytelegraph.co.uk)

  • This week, after the end of the period where the ICO doesn’t announce anything because of the election (rather than not announcing anything because they do so little), the Commissioner unleashed a reprimand on Hackney Council following a catastrophic cyber attack in 2020. Criticisms of the Council include the failure to apply a security patch management system to all devices and allowing a dormant account to sit connected to the network for years with the password ‘kiosk’. The case was originally considered for a penalty but because of Edwards’ unproven and weak regulatory theories, the council instead gets the ultimate sanction of bad PR. City AM claimed that they were ‘lambasted’. Gosh. Interestingly, Hackney came out swinging with a statement that the Commissioner had “misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.” However, they’re not going to waste any more resources by challenging the reprimand. This last point is interesting. There is no direct way to appeal a reprimand. I don’t think a serious regulator would make so much use of them because they’d want to offer their targets due process. But as it is, Edwards prefers theatre that can’t be tested rather than action that can be. I can see two possibilities. Either Hackney considered asking for judicial review or the statement is disingenuous. I’d love to see the ICO’s current approach scrutinised somewhere but I doubt JR is the best venue, so this is the end. As ever, there are useful things to learn from reading the reprimand; another reason why I think the Commissioner should issue fines is that more people would pay attention if they did, but in any case, the decision is there for well-intentioned people to read. I’ll be running a free webinar on it next month (it was this or the Annual Report), so you can wait for that if you prefer.

    The reprimand: https://lnkd.in/efFXGbvk
    Hackney’s response: https://lnkd.in/eHwQ8pxc
    Sign up for my webinar: https://lnkd.in/eJ3WDHBb

  • Yesterday morning, I grabbed a bag of files that had been cluttering up my house and put it in the boot of my car. I won’t be able to get to my storage unit for a few days, so I'd been moving it from one room to another. I realised that I could still get it out of the way, so into the car it went. One of the files in the bag contained all the notes and printouts I had about the defunct Data Protection and Digital Information Bill. I won't chuck them yet, I said to myself, but I have zero reason to keep them handy. The Universe heard me and as usual it said: let's mess with this clown some more. Like the killer in a slasher movie, DPDI seemingly cannot be killed, whether by machete, the premiership of Liz Truss or a catastrophic election loss. The Digital Information and Smart Data Bill therefore contains DPDI elements including digital verification and ICO reform. The former is unexceptional and I rashly predict that this government won't be as keen to influence the new Information Commission as the last one was. Feel free to remind me I said this when Peter Kyle gives himself the power to appoint the Chair of the Commission personally. But one sentence deserves highlighting. We're promised "targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies". I obviously don’t know what that means – it could be the revisions to the definition of personal data, changes to legitimate interests or tinkering around research. It sounds closer to the meddling side of DPDI than the sensible elements but this government is less likely to put adequacy at risk than the last, and that might temper any tinkering. Yesterday, I said that there would probably be an AI bill and that the word 'probably' was doing all the heavy lifting. Despite overheated claims from the usual suspects, there is no bill. The main reference could be the promise of one or a sop to whichever Labour Party tech bro who tried and failed to get a bill included: "[my government] will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models." Cool. Sounds totally real and concrete. Whatever happens there, the DISDB (dissdib?) is on the starting blocks, there's a Cyber Security and Resilience Bill as well, and assuming Chaz didn't freestyle the AI line, AI regulation may be on the cards. Change is coming. Here we go again. Again. I said yesterday that nobody is an EU AI expert. Without even draft bills to read, that goes double for UK DP reform. You all have better things to do right now, so ignore the boosters and grifters and keep on keeping on. Having said all that, we all have bills to pay so the waitlist for my Certified DISDB Programme is nevertheless open now. There are limited places on offer, so reply with 'Sucker' in the comments for more information.

  • As a lot of people join the headlong rush to become AI gurus, with LinkedIn bios rapidly altering to reflect new-found specialisms, perhaps a lesson from the Great GDPR Panic of 2017-2018 is worth learning. Back then, there was a frenzy to be perceived as an expert on the new legislation, to get the right letters after your name and then leap on the bandwagon. What followed was a bit of a mess. A lazy, bastardised version of the GDPR was promulgated: it's all about consent, subject rights are supreme and FINES! FINES! FINES! Underneath, those who already understood data protection and new entrants who were prepared to learn studied the actual text, and worked out how it fit with other relevant legislation. It became easy to spot who had done the work, and who had been on a certain four-day training course where they forgot to mention PECR. A lot of time and money was wasted on over-elaborate processes, re-consenting databases and unnecessary data disposal. A few of the cowboys are still at large but many melted away to the Next Thing. And now, the Next Thing is AI. The text of the EU AI Act is available and the enforcement timetable is advancing. Meanwhile, it's being reported that today's King's Speech will contain an AI bill for the UK. UPDATE: there is no AI bill in the King's Speech - it's hinted at for the future. Both present challenges for organisations making use of AI and opportunities for people to make cash. As someone who literally ran a course about GDPR and AI yesterday, I'm obviously in this game myself. If you see your role here as being the expert, do the work. Read the legislation. You have time. Whatever you're intending to sell, make it accurate and useful rather than quick and easy. The trick to being a specialist isn't to dumb down complex ideas and then serve slop to an infantilised audience. Truly getting to grips with your subject will be more time-consuming: the EU AI training course or consultancy that you hope to offer will take longer to develop and will be harder to conceptualise. It's easy to write and - to some extent - sell the dumbed-down version. But nearly every consultant I know who has a thriving career in data protection either already had it before 2017 or they did the work. You can cash in, or you can invest. And if you're a potential customer, look for depth and humility, not speed and flashy claims. There are probably no experts on the EU AI Act yet. It will take time for them to emerge, but someone will claim to be one today. That's the guy (and it will be a guy) you should ignore.

  • I wrote this before I saw Jon Baines's post about burning his hand and while it might now seem derivative, once a post gets written, it gets used. And apologies to the gorehounds: I didn't take any pictures. A few weeks ago, I bought a new cycle lock. It was smaller and less robust than one I already had, but it was also lighter and easier to connect. I used it for a couple of days and then on Friday, I stopped off at a shop on the way home. When I returned to my locked bike, the combination didn’t work. I tried it multiple times, but nothing clicked (literally). I did a quick web search and Reddit users said it was fairly easy to scrape out the plastic grooves that formed part of the mechanism and open it up. I tried this, but I couldn’t yank out the final bit. The lock was a plastic loop encasing a metal band, so I thought that if I could free the metal, I’d be left with plastic that I could more easily break. I managed to pull the metal strip free, but slashed my finger in the process. Blood rushed out of the cut, making any further progress on the lock impossible. I was perhaps ten minutes’ walk from home, so squeezing my fingers together tightly to stop the bleeding, I locked my bike with the other more cumbersome chain and walked off. I got back, wrapped up my finger (it wasn’t as bad as it looked) and then walked back with a pair of bolt cutters. It was only at this point that it occurred to me that I had already spent 20 minutes openly trying to annihilate a bike lock in full view of the staff and customers of a barbers, a betting shop, a Tesco local and a chippy, and now I was going to just walk up, snip it off and ride it away. As before, nobody so much as blinked when I did this. So what data protection lesson am I going to inelegantly extrude from this? I chose very unwisely here. The plastic lock was both faulty and ineffective – although I’d disassembled it a bit, bolt cutters would have made quick work of it even if it was intact. You’d need an angle grinder or a hacksaw and a lot of patience to get through the other lock. The very mild convenience of the new lock was overwhelmed by the effectiveness of the old one; what I should have done was reconciled myself to a few extra steps. Ideally, security measures are both effective and user-friendly, but if a more robust approach requires a bit more effort, that’s not an unreasonable compromise. And if you want to know a place where you can steal a bike without anyone stopping you, DM me.

  • The Information Commissioner has to produce a list of circumstances in which he thinks a data protection impact assessment must be carried out. This makes sense: it would be unjust if he decided you should have done one without telling you. But the GDPR is clearly drafted to give supervisory authorities discretion over whether to produce a list of situations where one isn’t required. Such a list would be useful for organisations trying to minimise their DP workload, but I’d always advocate strongly for the merits of doing DPIAs on a new project, even if it’s low risk. Asking how a thing might go wrong before you do it is a good discipline to have. Someone used FOI to ask the Commissioner whether they’d produced the second list (the first is on their website), and via the ICO disclosure log, we have an answer, although their guidance already reflects this. No. https://lnkd.in/eGnEmkty

    ic-317491-n3t4-response.pdf (ico.org.uk)

  • A previous version of me would have torn apart the article linked below with glee, pointing out every error. The usual suspects are present: there's a spurious claim about who has been fined by the ICO, the controller is said to be a specific person, and there's a heavy emphasis on consent. I'm going to forego the line by line demolition because most DPO Daily readers are astute enough to spot the errors and you might wish to entertain yourself by finding them all. But even though I'm not in the mood to fillet it, the author deserves to have their poor work exposed. I have no time for the people who whine about how you should contact the author on the QT instead of publicly critiquing it. If you put something out in public, whether it's an article or a book, people have a right to comment on it. When I write anything, I get out the case, the decision, the legislation or whatever it is and I check every assertion I'm going to make. On the relatively few occasions where I am too lazy to do that, if I make a mistake, I don't complain if others point it out. It's my fault for not putting in the work. Even if what you're saying is your opinion, you're still responsible for your words. A well-known consultant posted that all data protection training is impractical and everyone who works in the sector is boring. When I pointed out that this was shabby and insulting, it was the same thing: you could have messaged me. Yes, and I can also say it in public because you did. There is, of course, a question about the tone with which you criticise, but even if people like me were as polite as possible, a lot of people don't want criticism to be there at all. If you can't say something nice, don't say anything and so on. I wonder what the world would be like if they got their way. Anyway, this article is terrible and contributes to the general ignorance and confusion that makes all of our working lives harder. I think it's right to point out that it's terrible. If you're writing about DP or other legal issues, I think it's your responsibility to check everything, re-read what you've written and even ask someone else to check it before you hit send or post. Because once you do, people are entitled to say what they think about it. https://lnkd.in/eVRiBw2c

    Patient records: legal issues to avoid - Dentistry (https://dentistry.co.uk)

  • If you didn't make it yesterday, you might enjoy the free webinar I did on the ICO's decision to take no action against the instant messaging service Snapchat. The regulator's investigation was prompted by the introduction of a new AI chatbot, and it took some interesting turns. The Commissioner announced that he'd issued a preliminary enforcement notice on Snap, but action didn't follow. Watch here to find out why: https://lnkd.in/e7JCsUDk
