Protesting at the ICO Data Protection Officers' Conference at Manchester on March 4th 2009

By RobertJ

Here's our write-up of the ICO Data Protection Officers' Conference at Manchester on March 4th, which Dephormation and I attended as delegates. Any mistakes are down to me (RobertJ).


Arrival/Leafleting/Registration

Unfortunately because of the Royal Mail taking a week to deliver a parcel my bundle of leaflets arrived at my home after I had left the south coast to drive north, so we were a bit short of leaflets.

I arrived at the Convention Centre and found Dephormation-Pete in his anti-Phorm T-shirt, handing out his leaflets to arriving delegates (including Richard Thomas!) so I helped him dispose of the remainder. People took these willingly, with the occasional friendly comment of interest, and the rueful admission that they were interested because they were BT broadband customers.

We registered, and then had our first networking opportunity over coffee - meeting the Information Commissioner himself, Mr Richard Thomas.

Pete was in good form, and launched straight into a question about the lack of enforcement action by ICO over Phorm. Mr Thomas said Phorm has to be seen in a 'global context', though declined to elaborate. I then asked Mr Thomas why ICO had not sought technical advice about what was clearly a ground-breaking new development in targeted advertising. Mr Thomas claimed not to know the details, and thought that advice had been sought. We assured him that we had it in writing from his own staff that neither Ofcom nor any other technical experts had been consulted, and that we felt that was totally unsatisfactory. At this point he politely found it necessary to move on, advising us to lobby the new commissioner.


Plenary Session 1 - Introductions and speech from Mr Richard Thomas

We then moved into the first plenary session - about 500 delegates, from all sectors, including large multinational corporates.

Neither BT nor Phorm had sent their DPOs - obviously not feeling the need to learn anything about Data Protection despite the major cockups that the two organisations have been involved in over the last three years. Covert trials, the running of BT's own Webwise site, cookie security on bt.com and the farcical use of Phorm Inc to handle customer enquiries on the BT Webwise Contact Us page to name a few. Given BT and Phorm were unable to attend, we made sure such issues weren't forgotten.

After a brief introduction, the first session was from Mr Thomas himself. He reviewed what he felt had been major progress at the ICO over the last year, and also discussed proposals in the Coroners and Justice Bill (the relevant ICO government department is Min of Justice, and the Bill is the one that is supposed to be giving them new powers). The key development for the future in the bill, is to extend audit powers to the private sector which will be great news for Ian Livingstone and Kent Ertugrul. The ICO, "if minded to pursue the matter" (we have to make sure they ARE so minded), could then actually call for an audit of their Data Protection processes. At present, the ICO can only require audits of public sector bodies, national and local government, NHS etc.

Some quotes from Mr Thomas and notes from this session:

"Data Protection at last is being taken seriously"

In a survey of people's concerns, 94% of the public felt that protecting their personal information was a concern - this was joint top of ten concerns above crime and health care. 86% have a general awareness of their subject access rights to the information being stored about them.

"Government is playing catch-up with the private sector"

He noted that the reporting of data breaches by organisations was not yet mandatory - so you can lose lots of your customers' data and you don't actually have to tell ICO.

He wants to be "tougher on those who persistently ignore the legal requirements" which theoretically would be bad news for BT and Phorm.

Changes in prospect in new legislation/powers include:

Civil penalties for deliberate recklessness or breaches with "serious consequences".

See s8 of Coroners and Justice Bill for details of new powers/proposals.

Increased notification fees for LARGER organisations (the current fee for registering is £35 across the board - my little charity or BT Global plc, same fee. The new arrangement will keep the fee the same for about 80% of organisations, but raise it for large ones. This will result in a bigger budget for ICO, increasing from £12m to £16-17m).

Coroners and Justice bill

Data Sharing Orders- (this is the data sharing powers across all the uber-databases) will require MORE scrutiny and more safeguards, and with NARROWER grounds for issuing data sharing orders.

More powers for ICO

Power to issue an "assessment notice" against any data controller (I think this is the rule extending current powers to the private sector).
He says there is a need for sanctions to be available against those who refuse (I'm not sure if the bill includes that or not).


The next session was led by Neil Paterson, DPO Tesco, and formerly of Ofcom - it seems that there is a revolving door between industry and Ofcom these days, not least for the top position, but that's another matter.

I haven't recorded much for this session - some quotes:

"Customers expect to have control" (Take note BT, and don't pretend you have already complied with that because you haven't)

He was keen to emphasise 3 key customer expectations:

  • control,
  • responsibility, and
  • benefits to the customer.

Coffee then..


Morning Workshop

Next session was a workshop - Pete and I attended this one together.

How the ICO assesses complaints - Faye Spencer

The workshops were about 100 strong.

Pete and I were in the front row. (His T-shirt works best on the front row, STOP PHORM in big block capitals across the back.)

Here we learned about the structuring of ICO Casework, the inadequate numbers of staff and resources, and the delays in handling the more difficult cases. They are ahead of their targets for simple cases, but seriously behind on the more complicated cases.

Cases are filtered on receipt by the Data Protection Case Reception Unit. Those that need detailed consideration are passed to the "Casework and Advice Division".

We learned about the "Casework Advice Division" (CAD) who fulfil the ICO legal duty to provide individuals with "assessments". CAD can call on policy and legal advice on the more difficult or sensitive or technical cases. For example "if there is a whizzy new use of technology". This advice unit is run by Phil Jones. So if you want to submit any FOI requests about the advice sought by CAD about Phorm, that's what you ask about and he's the guy to contact. You might want to ask if any complaints about Phorm have been referred to the Policy Advice Unit or the Legal Advice Unit. We raised this matter in a question at the workshop and again complained that ICO had not consulted Ofcom, or indeed any independent technical advice (despite claiming to be an "independent regulator").

The CAD have a "CAD Watch List" of the more complicated cases. It would be interesting to know if Phorm and BT were on that list (another FOI?).

As we learned about the Customer Service Team, headed by Paul Arnold, we spotted the name of Katherine Vander, Training and Quality, whose name appears on emails in dialogue between ICO and Phorm.

Further information was given on the Casework and Advice Division by Mike Hopwood. The Head of Data Protection Casework and Advice is Faye Spencer

They carry out the ICO "legal duty to provide individuals with assessments" (an ICO "opinion" not legally binding, about whether something does or doesn't comply with the DPA or PECR), they provide advice often sector specific about the application of the DPA, and they use "business intelligence to identify matters of significance and take them forward".
FOI - is Phorm/Webwise or DPI based BTA a matter of significance??

Pete made the point here that there were NO assessments published on the 2006 and 2007 trials.

Also - the ICO is not obliged to ACT on an assessment of non-compliance although they can issue an enforcement notice, and there is an appeal process via the Information Tribunal. NB - have any trial victims appealed to the Information Tribunal?

They also have a role in providing ADVICE and working with individuals, advising them of their rights, as well as working with DPOs. But it seems that at the moment, the ICO is more geared to servicing DPOs with information and advice than members of the public, and they do seem to acknowledge this.

I wonder if we should be proactively asking the ICO CAD for ADVICE in relation to:

  1. ISP customers facing DPI use by their ISP (with emphasis on the DPI side of it) as well as the other issues around the use of a potentially insecure Phorm UID which is unique to them, and constitutes PI (although Phorm dispute that)
  2. Webmasters facing interception of their private communication, copying of their data, and interception even of cookie authenticated private pages
  3. Commercial issues regarding screen-scraping concerns over catalogues and databases behind cookie authentication


An issue is defined as a "Matter of Significance" if (direct quote):

  • There is Harm or Detriment
  • Basic DPA rights are ignored; or misunderstood
  • There is a lack of clarity about the law.

Harm or detriment relates to perhaps vulnerable individuals (children and Webwise, lack of identification of end user...)

Long-term effects due to info being on a database (e.g. CRO, crime)

Public confidence in Data Protection is being damaged (certainly has happened with Phorm and BT owing to the misrepresentations and covert activity and actual untruths in public statements over trials and data handling on BT Webwise site)

"It is important to foster the element of trust" - amen to that.

Next it was lunchtime - and we descended on the excellent free buffet.


Afternoon Plenary sessions

After lunch, two further plenary sessions. Pete and I got on to the front row, so Pete's T shirt could be seen by all 500 delegates. By this time the people chairing the sessions knew who we were and were looking a tad nervous.


First afternoon session - Rt Hon Michael Wills MP, Minister of State, Ministry of Justice. Mr Wills was fresh from the Liberty Convention on Saturday, and still bore the scars!! This was the most interesting and rewarding session. Remember that MoJ are the Ministry behind ICO, and the legislation DPA and PECR, although they are NOT the people responsible for RIPA. They also feature in the mysterious April 2008 "MoJ issue" which surfaced in FOI disclosures about who spoke to whom when and about what!!

Well - Michael Wills did his stuff - initially a fair bit was in "response" to the Convention on Modern Liberty, and the accusations that we were sliding into a surveillance/police state.

I won't go into the whole speech - just give you the gist of it and some key quotes. The good stuff was at the end!! (but be patient)

He spoke a LOT (as did others) about the developments in technology.

"Technology is driving the importance of this area"

"People are worried about the scale of change" (I suspect this means the govt think they have a task therefore to reassure us, and change our perceptions rather than roll back some of the changes in legislation but that's politics for you - note that Ofcom see their role nowadays as not so much "regulating" BTA as changing our "perceptions" of it - but I digress)

"Debate is difficult to conduct on a rational level" (you see - you lot are just paranoid tinfoil hats getting worked up into a lather - no he didn't actually SAY that - but these were the scars from Saturday!!)

He took great exception to a phrase used on Saturday "Children are being groomed for life in the database state". (re the Contact Point database).

The good thing about him being upset about that is that I think he may have got a bit of a shock on Saturday about just how bothered the public are.

He then ate humble pie about the data losses that occur with such monotonous shocking regularity.

Data losses "were a profound shock to government" (good)

The "loss of the HMRC data was a profound shock" (he liked that word "profound") involving as they did 25 million records.

He emphasised the importance of understanding the technology - several colleagues had not realised that you could get 25 million records on a couple of CDs or a memory stick. Well - they do now.

He used the example of giving children access to school meals as an example of the value of sharing data across departments (from the benefits agency to education authority I imagine) and was upset that he got jeered when mentioning this at the Liberty Convention.

I think they want to talk - they realise they are losing the PR war on this sort of thing.

I think we should talk - but remind them that talking is a two way process - not just about US being reassured (their agenda) but about them changing the way THEY do things (our agenda). You have to watch government when they say they want dialogue - and make sure you get what YOU want out of it and don't just get used to make them look better.

At the end, Pete was on his feet again. STOP PHORM being exposed to all 500 people behind him.

Pete stood up to ask the Minister about Phorm and Webwise and BT; a nervous smile from Mr Wills. "Would Mr Wills care to comment on the covert sharing of the private communications data of 200,000 BT customers with a marketing company called 121Media/Phorm?"

Mr Wills suggested that the ICO were dealing with the matter. Pete challenged that assertion; the ICO staff had declined to act. The Minister looked to David Smith, who said he would discuss the matter privately.

At this point the chair intervened to try and excuse the Minister having to deal with the question, saying he shouldn't have to answer it in this particular setting, but to give Michael Wills his due (and admire his political savvy) he refused to hide behind the Chairman and addressed Pete directly and at length.

And here is what the Minister said (I was scribbling furiously, Pete was eyeballing the Minister so couldn't write):

  • "I am taking a very keen and vigilant interest in this matter"
  • "It is not going below the radar"
  • "I am happy to write to you about this"
  • "People really care about it"
  • "If further legal provision is needed to enshrine freedoms in this area, we will have no hesitation in dealing with it"

Again - make a note of those quotes. And use them.

Mr Wills was also asked by someone else why neither he nor Jack Straw had signed the Personal Information Promise. No answer!!

He promises the results of the consultation on FOI SOON.

Pete will be writing to Michael Wills. We will keep you posted.

Hopefully someone is inviting him or someone from his department to the HoL meeting - we need DBERR, Home Office and MoJ represented, in order to cover the relevant parts of the legislation completely.

I'm not sure what session this comment came from, but there was a mention somewhere in a plenary session that while all the headlines had been about public sector breaches, there was "an increasing number of breaches coming from the private sector". (And see this morning's headlines!! http://news.bbc.co.uk/1/hi/uk/7927487.stm )

Take note - the regulation of the private sector is definitely part of the development and change in emphasis at ICO and is where new powers are directed. BT/Phorm take note.


Next plenary session was the Government Chief Information Officer, John Suffolk - he's the guy who has to deal with govt's data protection policies, whip all the various public sector DPOs into line and clean up the mess left by all the various breaches.

Again he went on about the issue of technology and IT. Mentioning that Facebook has a population around about that of Japan, and is doubling every 6 months.

(See yesterday's Guardian Society pullout, People Power, discussed in my thread at

https://nodpi.org/forum/index.php/topic,938.msg9318/topicseen.html#msg9318 )

Some quotes from John Suffolk:

"Technology is where the kids expect us to be"

There are 5 Strands of Focus in government data policies:

  1. Awareness Understanding Education
  2. Developing our Information Awareness Community
  3. Applying standards and rules, (there is no such thing as "slightly" bending a rule)
  4. Monitoring compliance and learning
  5. Anticipating and adapting to the future threat

He reminded us that 65% of government IT handling is outsourced to the private sector, including income tax forms and benefits info. He gave an example of a serious breach which immediately resulted in loss of contract (a USB stick containing unencrypted data: the outsourced company had received it in encrypted form, but then decrypted it and stuck it on a memory stick).

He said to Data Protection Officers: "On your shoulders rests the reputation of your organisation".

Next bit of good news was that at the plenary session someone came and asked to photograph Pete. Sadly they weren't after his face, but the message on the T-shirt, STOP PHORM. When we inspected the guy's label, he wasn't a rep for a model agency. He turned out to be the DPO for T-Mobile. So a few more direct questions:

Are T-Mobile using Phorm or going to use Phorm or similar methods?
Clear answer: NO.
Can we quote you on that? Yes.

He then volunteered his opinion that NO mobile operators were considering using Phorm, and also indicated that the sort of advertising they were considering was not based on the content of individual communications or on individual profiling but on aggregated anonymous data only, such as "number of customers visiting a given site". Advertising would not be individually targeted in the way Phorm were doing.

We got the distinct impression from talking to this guy that phrases like "wouldn't touch it with a barge pole" weren't far below the surface. He seemed to find Phorm quite amusing - as if it was a clear example of how NOT to go about things, how to ruin your reputation, how to shoot yourself in the foot. But those are just my subjective impressions of what he might have said - if you understand. I've long felt that Phorm have simply succeeded, with all their PR and legal bluster, in making a laughing stock of themselves, along with BT, and that they have become a byword even in the ad world for folly, and how to lose the PR war, annoy friends and alienate people.

He recommended we visit the GSMA website,
http://www.gsmworld.com/
to see what they were planning, and gave Pete his business card.

Next another cup of tea and a bit more networking, especially for Pete. It was an opportunity to brief David Smith about the concerns that technologists have about Phorm, the nature of the interception, the opt out model, industrial espionage, and the 'Privacy Enhancing Technology' hoax.

Next session was final workshops.

Pete and I split up.


I went to a workshop on "Privacy Notices and Transparency" which was reviewing the ICO consultation document "Privacy notices code of practice", which is basically the (DRAFT) ICO guide to how to write and administer your privacy notice.

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_privacy_notes_cop.pdf

It's still out for consultation so you can comment on it, but the period is nearly over.

During the Q&A session at this workshop, a DPO asked about policy and disclosure relating to outsourcing to data processors, so I felt that was the right opportunity to mention the saga of BT and their outsourced BT Webwise pages. I explained that BT had specifically promised that they weren't sending PI to Phorm, and then we discovered that they had outsourced the hosting of the BT Webwise pages to Phorm, and that customer enquiries about BT Webwise were being handled by Phorm, and that customers using the pages were finding that insecure cookie handling was exposing their bt.com login cookie, their username and primary email address to Phorm, as well as all the non-essential data demanded on the Webwise contact form. I mentioned that when BT got "found out" they changed the hosting of the site and changed the outsourcing of the data processing immediately, and seemed rather embarrassed, and that I had made a complaint to ICO. There was a loud guffaw at this from at least one DPO - I think BT and Phorm seem to be held in contempt by quite a few people at that conference.

After the workshop I got my tram back to Altrincham (rush hour squash) where I had left the car, and started the journey home.


Peter went to a different workshop, "Privacy Impact Assessments (PIAs)" - remember the Phorm PIA story? This is his report on that workshop...

I sat through an interesting presentation about the motivation and purpose of Privacy Impact Assessment.

PIA needs to be undertaken at the design stage in a project. (My personal view is that it is even earlier, part of the requirements capture even before design).

ICO were keen to establish that PIA was not an administrative ball and chain, but a chance to consider, preserve and protect a valuable asset - the trust and confidence of your customers.

I questioned the failings of the BT Webwise PIA, particularly the failure to identify and consider all stakeholders (such as web site operators). I was told it was a poor example of a PIA, conducted at completely the wrong stage of system design.

The ICO were keen to emphasise that significant new powers are coming, with financial teeth. Ignoring the privacy of data subjects will risk serious financial penalties, and following best practice will help to mitigate that risk.

The good news (for people who work in IT) is that ICO are keen to support any PIA work, to firmly establish good practice.


Well - that was our day. It was well worth going, and we achieved excellent exposure, and I definitely felt that people were aware of the issue of Phorm. I would particularly highlight the opportunities we had for direct personal contact with Richard Thomas, his deputy, several other members of staff, T-Mobile's DPO, and most significantly, getting the personal public attention of Michael Wills, Minister of State in MoJ who are the department responsible for the ICO. There is significant Rephorming opportunity there. We need to make sure that people like Lord Northesk and Baroness Miller are aware of that.

This was a good day, and I hope you find this report encouraging.


Many thanks again to people who couldn't make it, yet made it possible through donations of time, money and effort. Your contribution is appreciated.