  • 08Mar

    I couldn’t believe my eyes when I saw this on the Beeb website today – on the home page in the feature story banner across the top, no less (see link below).

    Apparently UK businesses need to wake up and sort themselves out by May – it’s another law change that we’re about to flout to the collective detriment.

    The real stories are far more interesting.  I’ll start with the trite angle.  Someone’s been caught napping, but it’s not businesses: it’s our Government.  I may be mistaken but I don’t think it has tabled any legislation to implement this EU-sourced law, which was passed in November 2009, and covers lots of issues besides cookies.  (This may well be the real reason behind the regulator’s press release today.   What do you reckon?)

    The important news angle is that many UK organisations probably don’t comply with the current data protection law on cookies and customer profiling, let alone the changes.   This is about existing law, and it affects a wide range of organisations, not just businesses: public bodies, charities, not-for-profit and voluntary organisations as well as for-profit ones.  Think CRM, customer profiling, stakeholder and donor management … these are the activities that the law change affects, and they’re a focal point for many organisations who are feeling the pinch.

    Another important point is a corrective.  The BBC says that the changes mean you have to get explicit consent before using cookies.  The EU law just says “consent, having been provided with clear and comprehensive information”, and to me that means that implied consent is enough.  EU law, like UK law, only means explicit consent when it says “explicit consent”.

    Come on BBC, can’t you find some new angle for reporting consumer law changes instead of wheeling out a load of negative assumptions about UK business?  Can’t you run some positive case studies from organisations that already have simple, cost effective ways of coping, instead of making us all feel guilty about overlooking over-complicated laws?

    Whatever, this new law definitely won’t affect all websites or all organisations.  Privacy campaigners rightly focused on cookies in the early years of the internet, and triggered a move away from cookies.  As a result modern ‘brochureware’ or informational websites often manage to provide a great user experience without resorting to cookies.

    Cookies come in two flavours, session cookies and persistent cookies.  A session cookie carries no expiry date: the browser holds it only for the duration of the visit and discards it when the browser is closed, so it is typically used to keep a visitor’s pages together as one visit.  A persistent cookie carries an expiry date (or maximum age) and stays on the visitor’s machine until then, which is what lets a site recognise the visitor when they come back.  Session cookies get tarred with the same brush, but the legislation isn’t really aimed at them.

    The law really affects charities and their donor networks; online retailers; professional businesses and consultancies that thrive on CRM; new media businesses for whom advertising is a major source of revenue; marketing and PR agencies; mailing list suppliers; the networks of advertisers, technology and suppliers who generate sales leads.  It also affects organisations who have highly sophisticated CRM or lead generation systems which are derived from ecommerce/ social web/ web 2.0, or are strongly sales orientated.  Put it this way, you’re likely to need to think about cookie/ similar compliance if you’re doing the following or similar:

    • your website presents adverts to visitors, selected by relevance to the customer’s interests
    • your website carries adverts from third parties
    • you use customer profiling
    • your website uses techniques for achieving/ maximising sales or leads
    • you are an online retailer (ecommerce, e-contracting, e-retail)
    • you generate revenue from selling customer details to third parties
    • you use unsolicited email or phone calls and you use data from your website
    • your website gives you statistics about individual users.

    In other words, it will affect you if you really want to collect lots of information about your visitors, and you really want to leverage the information to make a sale or generate revenue from advertising or data sale.  If you use anything like Phorm, the new law will apply to you too.  (Phorm assigns you a number, not a name, and builds a profile about ‘you’ from a wide range of participating websites to make lead generation and sales more effective.  Perfectly lawful … if you do it properly.)

    There are already five headline ways to break the law with cookies: don’t tell people that you’re using cookies, don’t tell people what you’re using cookies for, don’t give people an opportunity to opt out, give the cookie data to other organisations without permission, and evade or ignore opt outs.  Whatever the law gets around to saying, none of this is good for your business – it tarnishes relationships with customers, tarnishes reputation, and can lead to complaints and waste of management time.

    We’ll have to wait and see what the UK Parliament does to implement the changes ready for 25 May.  ICO’s press release refers to solutions that would have a very low impact on UK organisations, such as a legal presumption that users who use a browser with adjustable privacy settings are deemed to consent if cookies settings are switched on.  Which leaves us pretty much where we are.

    Adopting a risk-based approach, how hard you have to try with getting consent under the current law depends in the real world on what you’re doing with the information.  If you’re just using session cookies, arguably you just mention that in the website privacy statement and make not much more of it.  If you’re doing any of the things in the bullet point list above you need to go through a process of getting consent before you do so.  There are lots of ways to do this.  A classic one is that you only apply cookies to registered users, you tell them explicitly about your use of cookies during the sign-up process, and you give them a chance to opt out.  It’s good practice to include a link to information about how to manage browser privacy settings.  You might also give users the facility to switch off cookies via their registered user account settings going forwards; if you do, an opt-out has to take effect on the visitor’s machine as well as in your records, which means expiring the cookie you have already set rather than merely ceasing to read it.
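    The registration-based approach above, and the session/persistent distinction from earlier in the post, as an added example written for this page; it is not code from the original post or from any system the author describes.  A cookie is persistent only if the server gives it an Expires or Max-Age attribute, and the persistent profiling cookie is sent only to registered users whose recorded choice is an opt-in.  The cookie names `sid` and `profile`, the user store and the identifiers are assumptions made for the illustration; it uses only the Python standard library.

```python
# Added example for this page, not the original post's or any client's code.
# It illustrates (1) what makes a cookie "session" or "persistent" and
# (2) gating a persistent profiling cookie on a registered user's recorded
# opt-in, with opt-out clearing the cookie already on the visitor's machine.
# Cookie names, the user store and the identifiers below are assumptions.
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"       # assumed name: ties one visit together, no expiry
PROFILE_COOKIE = "profile"   # assumed name: survives between visits, used for profiling
PROFILE_LIFETIME = 365 * 24 * 3600   # one year, in seconds

# Constructed user store: each registered account records the choice the
# user made about cookies at sign-up, or changed later in account settings.
USERS = {
    "alice": {"cookies_opt_in": True},
    "bob": {"cookies_opt_in": False},
}


def classify_set_cookie(header_value):
    """Classify one Set-Cookie header value.

    "persistent": carries Expires or a positive Max-Age, so it stays on the
                  visitor's machine after the browser is closed;
    "expired":    Max-Age <= 0, i.e. an instruction to remove the cookie;
    "session":    neither attribute, so the browser drops it when the
                  browsing session ends.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    for morsel in jar.values():
        max_age = morsel["max-age"]
        if max_age != "" and int(max_age) <= 0:
            return "expired"
        if morsel["expires"] or max_age:
            return "persistent"
    return "session"


def response_cookies(username, session_id, profile_id):
    """Return the Set-Cookie header values for one response to `username`.

    The session cookie is always set.  The persistent profiling cookie is
    set only if the registered user has opted in, so a user who never
    consented is never profiled across visits.
    """
    headers = []
    sid = SimpleCookie()
    sid[SESSION_COOKIE] = session_id
    sid[SESSION_COOKIE]["path"] = "/"
    sid[SESSION_COOKIE]["secure"] = True      # only sent over HTTPS
    sid[SESSION_COOKIE]["httponly"] = True    # not readable by page scripts
    headers.append(sid[SESSION_COOKIE].OutputString())

    user = USERS.get(username)
    if user is not None and user["cookies_opt_in"]:
        prof = SimpleCookie()
        prof[PROFILE_COOKIE] = profile_id
        prof[PROFILE_COOKIE]["path"] = "/"
        prof[PROFILE_COOKIE]["secure"] = True
        prof[PROFILE_COOKIE]["max-age"] = PROFILE_LIFETIME
        headers.append(prof[PROFILE_COOKIE].OutputString())
    return headers


def change_cookie_choice(username, opt_in):
    """Record a choice made in account settings and return any Set-Cookie
    headers the response must carry.

    Opting out is not honoured merely by no longer reading the cookie: the
    copy already on the visitor's machine has to be removed, which is done
    by re-sending it with Max-Age=0.
    """
    USERS[username]["cookies_opt_in"] = opt_in
    if opt_in:
        return []
    gone = SimpleCookie()
    gone[PROFILE_COOKIE] = ""
    gone[PROFILE_COOKIE]["path"] = "/"
    gone[PROFILE_COOKIE]["max-age"] = 0
    return [gone[PROFILE_COOKIE].OutputString()]


if __name__ == "__main__":
    for name in ("alice", "bob"):
        for header in response_cookies(name, "s3ss10n", "p-0001"):
            print(f"{name:5} {classify_set_cookie(header):10} Set-Cookie: {header}")
    for header in change_cookie_choice("alice", False):
        print(f"alice opts out -> Set-Cookie: {header}")
```

    Running it prints the headers for an opted-in and an opted-out user, then the header that clears the profiling cookie when a user opts out in account settings.  The point of the last function is the one the bullet list above calls “evade or ignore opt outs”: a site that records the opt-out but leaves the cookie in place has not actually stopped, and the Max-Age=0 header is what removes it from the visitor’s browser.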

    Any organisation that does lots of CRM, donor/ stakeholder management, lead generation or sales should be looking pretty hard at data protection compliance across the board at the moment if it hasn’t done so within the last 18 months.  Lots of my clients are doing a policy review or full compliance refresh.  For many it’s a routine review.  Even for those who don’t have a routine, let’s face it data protection compliance isn’t something you want or really need to be staring hard at every week, or even every month.  There should be no embarrassment about being in the position of playing catch up, and shame on the BBC for pretending that there is.

    Come on folks, let’s just get on with it!  By the way, there are lots of other changes that the new laws will bring in, which are nicely hinted at by Hawktalk, an excellent technical blog on privacy (see the link below).

    Links
    BBC article: http://www.bbc.co.uk/news/technology-12668552

    Information Commissioner’s announcement: http://www.ico.gov.uk/news/press_releases.aspx (8 March)

    Hawktalk: http://amberhawk.typepad.com/amberhawk/2010/05/eu-directive-can-require-consent-for-behavioural-advertising.html


  • 31Jan

    Spend a few minutes on the web ‘shopping’ for sites that are accessible.   Which ones do you really rate as meeting every accessibility need?

    I guess it’s only fair to look at big, high profile organisations that have a diverse user base – broadcasters, big retailers, public authorities.  Comments please: who are your top performers?  I don’t want a naughty list but if you spot some trends I’d be interested: “Not many retail websites do …”, “The public sector is great at …”.  My comment about websites for mid-sized organisations would be: “Patchy – not all websites address accessibility, and those that do often don’t offer a complete set of facilities”. 

    Like many technology lawyers I’ve been offering ‘accessibility/ data protection/ consumer compliance audit’ services for years, so I’ve kept a lazy eye on accessibility features.  I think we’ve seen steady, quite slow growth in accessibility features on websites over the years.  I’d say it’s to do with the rise in businesses trying to learn about their customers and meet their needs, and not really prompted by the steadily increasing demands of the law over the same period.

    Accessibility support is quite an easy thing for website buyers to specify, and offers massive added value that appeals to perhaps 20% of the buying public who rely on accessibility features.  For anyone who’s spending money on the corporate website in 2011, it’s a simple but effective thing to put on the shopping list, a solid buy with a good business case at this time of slow recovery for many economic sectors.

    Getting hot on accessibility is also a pretty easy way for website developers/ providers to differentiate themselves from the competition and/or command a premium.  It could be a good return against the price of developing standard features that will appeal to many business customers across all sectors.   Sometimes legal compliance is just frustrating, whereas this one offers benefits for developer/ provider, corporate customer, staff and the public alike.  I’ve come across providers who are rolling out well thought-through features in their products this year. 

    Killer apps for accessibility?  Yes, I think there’s plenty of scope for getting creative and taking it outside the ‘we must so we will’ category of website functions.   I’m not aware of anything out there at the moment – let me know if you are.   Maybe 2011 could be the year for accessibility.

    I’m booked variously to speak and advise on accessibility this year so please get in touch if you’re looking for input/ support too – if we can get similar work whilst we’re on the boil it’ll help reduce our prices for everyone.  Meantime, have a look at the links.

    Pesky People blog: http://www.peskypeople.co.uk/

    WAI-ARIA web standard: http://www.w3.org/WAI/intro/aria.php


  • 26Jan
    Jane Plant, one of my colleagues who is an expert in data protection in the social housing sector, is presenting at this event which is convened by Housing Quality Network.
      
    The event will take a broad look at personal data management.  Our contribution will follow suit whilst drawing particularly on customer profiling case study scenarios.
     
  • 17Aug

    While I was on holiday in July the Government started a review of how UK and EC data protection law is going. It wants case studies that illustrate how we are all finding the law – good things and bad – to inform its negotiations on the new EC Directive.  At the same time the Government is assessing the impact of the Data Protection Act 1998.

    What are your experiences? What works and makes things better for business and consumers? What’s rubbish? If we get a good raft of comments on this page, I’ll batch them up and submit them. The doors close on this stage of the review on 6 October.

    Here are a few initial thoughts from me:

    • The £10 fee for making disclosures to the data subject is disproportionately low in most cases.  It costs more than £10 in real terms to drop a letter or phone call back to the requester asking them if they will consider narrowing down their request. 
    • The burden of regulation should apply directly to data processors.  It’s not appropriate for data controllers to carry the can for a processor’s breach, or for that risk to be a topic of negotiation in the contract.
    • Data sharing between organisations is essential across all sectors, often driven by outsourcing or partnerings.  It gets complicated, and in this context the legal concepts of “data controller” and “data processor” are blunt and inadequate.  We need some extra concepts to deal with the subtleties.
    • What about sensitive personal data?  Is it right to give special status to certain categories of personal information?  Should special status be available to any information if the risks require?  Shouldn’t payment card details be included in the list?
    • Does management of consents and permissions from customers give you a headache?  Would it be helpful if the law clarified what constitutes “consent”, especially where you lawfully hold personal data but need to cost-effectively change how you use it as your organisation develops?  Would it work if the law was relaxed for organisations who give their customers and contacts transparent information and control over their permissions, eg via a website?
    • Do the opportunities for processing personal data without consent need to be wider?
    • Do you think the law is realistic, or too high level?  Would you like more regulation so you have less discretion but more clarity about how to deal with compliance?  Or less regulation and more effective guidance from the regulator?
    • If your organisation is international, how do you find it dealing with several different regulators and different laws, even within the EU?
    • Is compulsory notification to the regulator really necessary?

    The new directive will be with us for many years – the current one will have done over 15 years service by next year.  The changes are expected to include a move towards an “accountability” model, where rules are replaced by a more flexible, outcome-focused approach to regulation, and the regulator is re-cast as the overseer and auditor of a largely self-regulating system.  What do you think?  Old wine in new skins, or a worthwhile change?  What are the essential benefits?  What do we need to avoid?

    Link: http://www.justice.gov.uk/call-for-evidence-060710.htm


  • 06May

    David Hall is presenting a BS 10012:2009 case study at the BSI’s Data Protection Conference and Workshop, held on 24-25 June 2010 (image courtesy of BSI)

    Another quick plug.  I am presenting a case study about implementation of BS 10012:2009 at the BSI’s conference on data protection in June.  For further information click the link to the PDF, below.  My guests can receive a 25% discount on the booking fee – contact me for details.

    PDF brochure: Data protection conference brochure

    Event info and booking: http://shop.bsigroup.com/en/Navigate-by/Conferences/Conferences/Now-Booking2/Data-Protection/Data-Protection-conference/


  • 28Apr

    If you’ve been reading Computing recently you’ll be aware that there is lots of interest in open standards in the public sector.  I like to see sharing and efficiency so this caught my eye.  This immediately came to mind when I was recently prompted to do some thinking about the Government’s Total Place and Frontline First initiatives.  These are all about efficiency and joint working across central and local Government.

    Naturally there’s more to redesigning the Government machine than agreeing a pile of open data standards.  Before you can even contemplate routine sharing of data between different organisations, whatever their sector, you have to navigate information laws.  There are some significant issues, to which the Government is alive.

    What struck me is that the issues are mainly about mindset.  There is a tendency for organisations (not just in the public sector) either to totally overlook information law issues in certain contexts, or to adopt an overly rigid and cautious approach, sometimes in contexts where it really doesn’t matter.  Data protection ends up being a barrier to efficient sharing, or a major risk area due to non-compliance.  Major opportunities to farm intellectual property and confidential information to generate income are overlooked, whilst blood, sweat and tears are expended on gain share or risk reward deals with ICT providers which never generate income at all.  The success of Frontline First and Total Place depends on re-setting the balance in these areas.

    Doing this well requires support from the top, and in large or complex organisations it requires well co-ordinated effort.  But it is achievable, and significant improvements in compliance can be achieved relatively quickly and easily.  It requires good quality training and careful review of internal policies and procedures.  There is a significant challenge for professional advisers who are perhaps often guilty of focusing on one project at a time instead of maintaining a ‘whole organisation’ approach to advising their clients on data protection.  If our client has committed to a balanced approach to information management, we absolutely must support that through our advice and methodologies.

    I think the starting point for Government organisations has to be training and policy review on these issues.  It’s only when your internal systems are geared to “getting to yes” in relation to information sharing that the Total Place initiative has much hope of success.  Start with the tweak in attitudes, however, and the stage is set for some very effective information sharing and partnerings. 

    Links

    http://www.hm-treasury.gov.uk/psr_total_place.htm

    http://www.computing.co.uk/computing/analysis/2252846/open-initiative-gathers-4890350


  • 03Feb

    I’m fresh back from the Housing Quality Network’s conference on customer profiling which was held in Manchester today.  Fresh is the word – it was perishing cold all day in Manchester, and snow was falling heavily when I left.

    There’s a single thought at the top of my mind.  The Tenant Services Authority is pushing social landlords to use customer profiling to help adapt their services to customers’ wants and needs.  The regulator is refreshingly averse to tick-box compliance, which offers landlords a real opportunity to demonstrate passion, creativity and sector leadership.  But landlords could be forgiven for thinking they’re being asked to walk to the first floor before the stairs have been built.

    There’s lots to be gained here – desirable outcomes for landlords and the regulator.  There’s also a real risk of the wheel being reinvented several hundred times over.  Online and supermarket retailers have been developing know how on customer profiling for years now.  The worst case outcome would be for the social housing sector to ignore that and build new know how by trial and error.  A better route is to buy/acquire the retailers’ expertise and graft it over.  But it’s surely preferable to buy it once and share it within the sector, or at least within districts.

    The same goes for data protection law, which is what I have to contribute on this topic.

    Here we go again, then.  The benefits of co-sourcing ICT (for example), and whinging about how few organisations see the light on this, are two of my pet themes.  I’m not the first to apply it to customer profiling in the social housing sector.  I heard it first today from Donna Hall, Chorley Borough Council’s Chief Executive, who chaired the conference.  Needless to say, I think she’s spot on.

    The TSA is running pilots and by the sound of it will publish some guidance saying what worked and what didn’t in the pilots.  I look forward to seeing that, and hopefully some of the pilots have drawn on retail sector experience so that it feeds through to other landlords that way.

    Whilst we’re waiting for the guidance or regulatory comment on the pilots, or if the pilot outcomes aren’t very helpful, the smart landlords will pool resources to develop and share best practice.


  • 20Jan

    David Hall is speaking about data protection at “The Knowledge”, a conference about customer profiling, on 26 January and 3 February 2010

    A quick plug.  I’m doing a session at this event on Tuesday 26 January (London) and Wednesday 3 February 2010 (Manchester).  The conference is about using customer profiling to understand customers’ wants and needs better.  The Tenant Services Authority is pushing for landlords to do profiling, and the TSA will be presenting at the conference.  Social landlords, it would be great to see you there.  If you can’t make it, feel free to contact me to get the guts of what I’m saying at the event.

    Event flier: http://www.hqnetwork.org.uk/scripts/get_events?file=2087

    Bookings for London: http://www.hqnetwork.org.uk/booking_form.php?selected_id=647

    Bookings for Manchester: http://www.hqnetwork.org.uk/booking_form.php?selected_id=648


  • 14Jan

    Okay, let’s be polemical.

    Data protection in the UK is benign. For the average organisation that gets routine compliance wrong but doesn’t mean to, you don’t get into trouble as such.  You get told how to comply, and as long as you do as you’re told there’s no talk of criminal offences. You could almost make it your compliance strategy to wait for customers to complain then let the regulator tell you what to do.  Customers have the right to compensation in some cases, but it’s small stuff and rarely goes to court. You can get named and shamed on the regulator’s website, but so what? It’s a rare case that causes major reputational damage and makes the national news headlines, and you can ride out stories in local news and sector/ trade publications.

    The thing is, you pretty much can run your compliance strategy like that, and I think many organisations do.  I don’t imagine that it’s driven by cynicism.  It’s just what it ends up looking like if you don’t put enough resources into data protection compliance.  And with plenty of other calls on your cash and time, why would you?

    I think there’s quite a good business case for good data protection compliance, although I’ll write about that another time.  What interests me today is why DP compliance gets neglected.

    My guess is, not many people know how to do compliance simply and cost-effectively, without making a business out of it.  The law and regulators’ guidance are pretty complicated.  They offer high level principles and really specific guidance and case studies, and not much in between.  You could be forgiven for not even bothering to make a start, let alone boil it all down into a simple, effective system.  I like the BSI’s new standard on data protection but I think it’s complicated and can’t yet be certified.  Ditto the information governance standards.  So far as I can tell the regulator hasn’t issued similar standards guidance, which I find a bit surprising.  Which leaves us all … not doing too well at DP compliance.

    What’s prompted me to think about this is news this week about new powers for the regulator.  (See the “News” links, below.)  I need to spend time getting to grips with guidance on the new powers, and I’ll be watching the first few decisions carefully, but it looks like time is nearly up for relaxed or cynical approaches to compliance.  These features caught my eye:

    • You get penalised if the outcome of a breach is serious, or likely to be, and the breach and outcome were foreseeable but not managed as such.  That puts virtually any business in the frame, and pushes organisations to put effort into DP risk assessment.
    • Penalties will be used to neutralise commercial benefit.  There’s a commercial benefit to slack compliance.  Are we looking at that kind of compliance saving being charged in the end, by the regulator?

    I’m surprised to see the regulator’s practice notes are treated as a benchmark in the guidance.  I find that difficult, because the recommendations do not cover all sectors or DP issues, and they’re not always easy to apply in practice.  Humph.   If you can build a business case for it, the on-the-shelf solution is British Standards compliance (which gets several endorsements in the guidance).

    So we all need simple, quick, cost-effective ways of achieving compliance without a huge increase in the legal or consultancy bill, or the payroll of your compliance department.  If you think you’ve succeeded in setting up a great personal information management system, leave a comment, let me know.  I reckon I’ve got good solutions and I’d be happy to share ideas.

    News: http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf

    BSI survey: http://www.bsigroup.com/About-BSI/News-Room/BSI-News-Content/Disciplines/Information-Management/BS-10012-publication/

    BSI standards: http://shop.bsigroup.com/en/Browse-by-Subject/Data-Protection–Freedom-of-Information/?t=r

