  • 17Aug

    While I was on holiday in July the Government started a review of how UK and EC data protection law is going. It wants case studies that illustrate how we are all finding the law – good things and bad – to inform its negotiations on the new EC Directive.  At the same time the Government is assessing the impact of the Data Protection Act 1998.

    What are your experiences? What works and makes things better for business and consumers? What’s rubbish? If we get a good raft of comments on this page, I’ll batch them up and submit them. The doors close on this stage of the review on 6 October.

    Here are a few initial thoughts from me:

    • The £10 fee for making disclosures to the data subject is disproportionately low in most cases.  It costs more than £10 in real terms to drop a letter or phone call back to the requester asking them if they will consider narrowing down their request. 
    • The burden of regulation should apply directly to data processors.  It’s not appropriate for data controllers to carry the can for a processor’s breach, or for that risk to be a topic of negotiation in the contract.
    • Data sharing between organisations is essential across all sectors, often driven by outsourcing or partnerings.  It gets complicated, and in this context the legal concepts of “data controller” and “data processor” are blunt and inadequate.  We need some extra concepts to deal with the subtleties.
    • What about sensitive personal data?  Is it right to give special status to certain categories of personal information?  Should special status be available to any information if the risks require?  Shouldn’t payment card details be included in the list?
    • Does management of consents and permissions from customers give you a headache?  Would it be helpful if the law clarified what constitutes “consent”, especially where you lawfully hold personal data but need to cost-effectively change how you use it as your organisation develops?  Would it work if the law was relaxed for organisations who give their customers and contacts transparent information and control over their permissions, eg via a website?
    • Do the opportunities for processing personal data without consent need to be wider?
    • Do you think the law is realistic, or too high level?  Would you like more regulation so you have less discretion but more clarity about how to deal with compliance?  Or less regulation and more effective guidance from the regulator?
    • If your organisation is international, how do you find it dealing with several different regulators and different laws, even within the EU?
    • Is compulsory notification to the regulator really necessary?

    The new directive will be with us for many years – the current one will have done over 15 years service by next year.  The changes are expected to include a move towards an “accountability” model, where rules are replaced by a more flexible, outcome-focused approach to regulation, and the regulator is re-cast as the overseer and auditor of a largely self-regulating system.  What do you think?  Old wine in new skins, or a worthwhile change?  What are the essential benefits?  What do we need to avoid?

    Link: http://www.justice.gov.uk/call-for-evidence-060710.htm


  • 06May

    [Image: David Hall is presenting a BS 10012:2009 case study at the BSI's Data Protection Conference and Workshop, held on 24-25 June 2010 - image courtesy of BSI]

    Another quick plug.  I am presenting a case study about implementation of BS 10012:2009 at the BSI’s conference on data protection in June.  For further information click the link to the PDF, below.  My guests can receive a 25% discount on the booking fee – contact me for details.

    PDF brochure: Data protection conference brochure

    Event info and booking: http://shop.bsigroup.com/en/Navigate-by/Conferences/Conferences/Now-Booking2/Data-Protection/Data-Protection-conference/


  • 28Apr

    If you’ve been reading Computing recently you’ll be aware that there is lots of interest in open standards in the public sector.  I like to see sharing and efficiency so this caught my eye.  This immediately came to mind when I was recently prompted to do some thinking about the Government’s Total Place and Frontline First initiatives.  These are all about efficiency and joint working across central and local Government.

    Naturally there’s more to redesigning the Government machine than agreeing a pile of open data standards.  Before you can even contemplate routine sharing of data between different organisations, whatever their sector, you have to navigate information laws.  There are some significant issues, to which the Government is alive.

    What struck me is that the issues are mainly about mindset.  There is tendency for organisations (not just in the public sector) either to totally overlook information law issues in certain contexts, or to adopt an overly rigid and cautious approach, sometimes in contexts where it really doesn’t matter.  Data protection ends up being a barrier to efficient sharing, or a major risk area due to non-compliance.  Major opportunities to farm intellectual property and confidential information to generate income are overlooked, whilst blood, sweat and tears are expended on gain share or risk reward deals with ICT providers which never generate income at all.  The success of Frontline First and Total Place depends on re-setting the balance in these areas.

    Doing this well requires support from the top, and in large or complex organisations it requires well co-ordinated effort.  But it is achievable, and significant improvements in compliance can be achieved relatively quickly and easily.  It requires good quality training and careful review of internal policies and procedures.  There is a significant challenge for professional advisers who are perhaps often guilty of focusing on one project at a time instead of maintaining a ‘whole organisation’ approach to advising their clients on data protection.  If our client has committed to a balanced approach to information management, we absolutely must support that through our advice and methodologies.

    I think the starting point for Government organisations has to be training and policy review on these issues.  It’s only when your internal systems are geared to “getting to yes” in relation to information sharing that the Total Place initiative has much hope of success.  Start with the tweak in attitudes, however, and the stage is set for some very effective information sharing and partnerings. 

    Links

    http://www.hm-treasury.gov.uk/psr_total_place.htm

    http://www.computing.co.uk/computing/analysis/2252846/open-initiative-gathers-4890350


  • 04Feb

    Monday this week brought me an email from the marketing manager at the firm where I work, giving me a link to an illegal file sharing news item on the BBC website.  The link’s at the bottom of this post.

    I popped up to see him.  I don’t know how to play this one, I said.  Blog it, he said.  Fair enough.

    First things first.  At our firm we often call ourselves ACS.  We don’t trade as ACS:Law – that’s someone else.  No connection.

    Moving quickly on.  The BBC article raises interesting questions about how you deal with copyright piracy on the internet.  The thing is, if ACS:Law’s clients see some strategic value in sending letters to every illegal file sharer under the sun, that’s the service that they want from their lawyers.  If we were convinced of the strategic value, frankly we’d do the same.

    I’d like to see a debate and it’s a shame that the BBC article doesn’t invite comments, and that the views reported in the article are polemic. 

    I see mixed strategic value in using big mail shots in these cases.  It depends how good the evidence is against the pirates.  The BBC article quotes that point being made, but the implications aren’t explained and they’re key.  Internet piracy is increasingly conducted through social networks.  They don’t bother to set up big websites for law enforcers to shoot at.  If all you’ve got to go on to prove piracy is an IP address, a big mailshot could make the problem worse.  Copyright pirates often have some spirit and nerve.  They might be intimidated by being pursued.  But they’ll probably also wait for the threats to develop.  The implications: no evidence = empty threat = bolder pirate.

    You can however understand copyright owners’ frustration.  It’s a costly road to go down if you want enough evidence to really nail illegal file sharers.  You can easily make yourself anonymous on the web, and under current UK law it costs a small fortune through the courts to get names from the ISPs.  If you’re a copyright owner you’re pretty comfortable with the proposition that some alleged infringers will pay to make the problem go away, not because they did it.  If you’re a music copyright owner who has responded to Napster etc by offering cheap MP3 downloads as an alternative to full price CDs, you’ve got some moral high ground to stand on.  And after all, the UK TV licensing authority behaves in substantially the same way.

    In the BBC article the BPI is quoted as saying its policy is to concentrate on the big infringers.  On balance I agree that probably is the more responsible approach.  But I think what’s really needed is a change in the law so that it’s easier and cheaper to identify pirates and collect evidence to pursue them.

    BBC article: http://news.bbc.co.uk/1/hi/technology/8483482.stm


  • 03Feb

    I’m fresh back from the Housing Quality Network’s conference on customer profiling which was held in Manchester today.  Fresh is the word – it was perishing cold all day in Manchester, and snow was falling heavily when I left.

    There’s a single thought at the top of my mind.  The Tenant Services Authority is pushing social landlords to use customer profiling to help adapt their services to customers’ wants and needs.  The regulator is refreshingly averse to tick-box compliance, which offers landlords a real opportunity to demonstrate passion, creativity and sector leadership.  But landlords could be forgiven for thinking they’re being asked to walk to the first floor before the stairs have been built.

    There’s lots to be gained here – desirable outcomes for landlords and the regulator.  There’s also a real risk of the wheel being reinvented several hundred times over.  Online and supermarket retailers have been developing know how on customer profiling for years now.  The worst case outcome would be for the social housing sector to ignore that and build new know how by trial and error.  A better route is to buy/acquire the retailers’ expertise and graft it over.  But it’s surely preferable to buy it once and share it within the sector, or at least within districts.

    The same goes for data protection law, which is what I have to contribute on this topic.

    Here we go again, then.  The benefits of co-sourcing ICT (for example), and whinging about how few organisations see the light on this, are two of my pet themes.  I’m not the first to apply it to customer profiling in the social housing sector.  I heard it first today from Donna Hall, Chorley Borough Council’s Chief Executive, who chaired the conference.  Needless to say, I think she’s spot on.

    The TSA is running pilots and by the sound of it will publish some guidance saying what worked and what didn’t in the pilots.  I look forward to seeing that, and hopefully some of the pilots have drawn on retail sector experience so that it feeds through to other landlords that way.

    Whilst we’re waiting for the guidance or regulatory comment on the pilots, or if the pilot outcomes aren’t very helpful, the smart landlords will pool resources to develop and share best practice.


  • 20Jan

    [Image: David Hall is speaking about data protection at "The Knowledge", a conference about customer profiling, on 26 January and 3 February 2010]

    A quick plug.  I’m doing a session at this event on Tuesday 26 January (London) and Wednesday 3 February 2010 (Manchester).  The conference is about using customer profiling to understand customers’ wants and needs better.  The Tenant Services Authority is pushing for landlords to do profiling, and the TSA will be presenting at the conference.  Social landlords, it would be great to see you there.  If you can’t make it, feel free to contact me to get the guts of what I’m saying at the event.

    Event flier: http://www.hqnetwork.org.uk/scripts/get_events?file=2087

    Bookings for London: http://www.hqnetwork.org.uk/booking_form.php?selected_id=647

    Bookings for Manchester: http://www.hqnetwork.org.uk/booking_form.php?selected_id=648


  • 14Jan

    Okay, let’s be polemical.

    Data protection in the UK is benign. For the average organisation that gets routine compliance wrong but doesn’t mean to, you don’t get into trouble as such.  You get told how to comply, and as long as you do as you’re told there’s no talk of criminal offences. You could almost make it your compliance strategy to wait for customers to complain then let the regulator tell you what to do.  Customers have the right to compensation in some cases, but it’s small stuff and rarely goes to court. You can get named and shamed on the regulator’s website, but so what? It’s a rare case that causes major reputational damage and makes the national news headlines, and you can ride out stories in local news and sector/ trade publications.

    The thing is, you pretty much can run your compliance strategy like that, and I think many organisations do.  I don’t imagine that it’s driven by cynicism.  It’s just what it ends up looking like if you don’t put enough resources into data protection compliance.  And with plenty of other calls on your cash and time, why would you?

    I think there’s quite a good business case for good data protection compliance, although I’ll write about that another time.  What interests me today is why DP compliance gets neglected.

    My guess is, not many people know how to do compliance simply and cost-effectively, without making a business out of it.  The law and regulators’ guidance are pretty complicated.  They offer high level principles and really specific guidance and case studies, and not much in between.  You could be forgiven for not even bothering to make a start, let alone boil it all down into a simple, effective system.  I like the BSI’s new standard on data protection but I think it’s complicated and can’t yet be certified.  Ditto the information governance standards.  So far as I can tell the regulator hasn’t issued similar standards guidance, which I find a bit surprising.  Which leaves us all … not doing too well at DP compliance.

    What’s prompted me to think about this is news this week about new powers for the regulator.  (See the “News” links, below.)  I need to spend time getting to grips with guidance on the new powers, and I’ll be watching the first few decisions carefully, but it looks like time is nearly up for relaxed or cynical approaches to compliance.  These features caught my eye:

    • You get penalised if the outcome of a breach is serious, or likely to be, and the breach and outcome were foreseeable but not managed as such.  That puts virtually any business in the frame, and pushes organisations to put effort into DP risk assessment.
    • Penalties will be used to neutralise commercial benefit.  There’s a commercial benefit to slack compliance.  Are we looking at that kind of compliance saving being charged in the end, by the regulator?

    I’m surprised to see the regulator’s practice notes are treated as a benchmark in the guidance.  I find that difficult, because the recommendations do not cover all sectors or DP issues, and they’re not always easy to apply in practice.  Humph.  If you can build a business case for it, the on-the-shelf solution is British Standards compliance (which gets several endorsements in the guidance).

    So we all need simple, quick, cost-effective ways of achieving compliance without a huge increase in the legal or consultancy bill, or the payroll of your compliance department.  If you think you’ve succeeded in setting up a great personal information management system, leave a comment, let me know.  I reckon I’ve got good solutions and I’d be happy to share ideas.

    News: http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf

    BSI survey: http://www.bsigroup.com/About-BSI/News-Room/BSI-News-Content/Disciplines/Information-Management/BS-10012-publication/

    BSI standards: http://shop.bsigroup.com/en/Browse-by-Subject/Data-Protection–Freedom-of-Information/?t=r


  • 12Jan

    Technology blogs and news recently have given lots of coverage to the international Consumer Electronics Show 2010, in Las Vegas, which closed yesterday.   We’re into technology for business rather than consumer gadgets on this blog, and that’s why a new offering called LightTouch(TM) from Light Blue Optics particularly caught my eye.  Have a look at the images in this slideshow.

    There are some cracking opportunities for businesses in the sectors I work for.

    • Retail – In-store brochures for customers to search.  You could advertise related or similar items that you sell, by projecting images next to a static display.  You could tell customers whether the item is in stock or can be ordered.  You could tell customers where to get the item they want, on the shop floor.
    • Coffee shops and pubs – give customers something to do.  You could provide board games, gambling, or perhaps today’s newspapers or website access.   If you want to focus on the professional market you could offer business information and email or other simple applications.  Provide them for free to encourage visitors; or pay-per-play to generate revenue.
    • Food outlets – provide the menu.  No more tatty-looking or dirty menus.  Customers don’t have to wait to order what they want.  Waiting staff are freed up to concentrate on delivering food and service.

    So what’s my quick legal assessment of those ideas?  For the on-the-wall catalogue and on-the-table menu, the images you use will come from your photographer or the supplier; in each case you need their permission to use the image.  In the coffee shop/ pub example, you need a gambling licence for gaming, and you might need permission to use or replicate popular board games.

    This technology also gives you an opportunity to profile customers’ behaviour or get their personal details, to provide you with business planning data or possibly revenue from selling the information.  There’s a bit of data protection compliance to deal with here – nothing insurmountable, but there’s plenty of scope for red faces and public censure for those who don’t bother.  There must be loads of other business models that could use this technology.  Any ideas?

    See Light Blue Optics website: LightTouch(TM).


  • 05Jan

    Happy New Year and welcome to the first post on our blog. Ever!

    You probably don’t remember Steve Taylor’s album, I Predict 1990. I’m not sure that I should, either, and I’m not recommending it. But it came to mind as we turn another decade and I fell to thinking about what’s on the way. Here’s what’s on my radar for the year.

    • Remarkable things in IT: For (s)he who seeks, I see the price of IT plummeting, and some impressive internet-based services.  On the internet I predict more sophisticated data sharing built on XML and mash-ups.  We also hope to see smarter IT procurement, through buying groups, and re-use of existing IT, both of which we have seen used to great effect particularly in the public sector in the noughties.  2010 will show us the way forward for business IT, just as we (hopefully) emerge from recession.
    • Green goes commercial: Kyoto comes to town this year when the UK’s carbon trading system gets going.  The Carbon Reduction Commitment will apply to big electricity users.  If that’s you, you should already be taking action.  I expect the risk of penalties will drive deeper investment in carbon-reducing measures like insulation, building management systems, and new sources of heat and power.
    • Legal services on the move: Within 2 years the first wave of supermarket law and outside investment in law firms will hit.  The sharpest law firms will shift on how they deliver legal services, and pricing.  2010 should see the beginning of significant change.
    • Public sector IT gets smarter: The public sector is grabbing the concept of cloud computing with both hands and I will be keeping a close eye on it this year.  Recent announcements suggest that using IT to make data accessible to Joe Public, and to improve data sharing between organisations.

    What do you think?
