Category Archives: Data Protection

Investigatory powers bill and libraries

This blog post was contributed by Ian Clark from the Informed team and Lauren Smith, a Research Associate at the University of Strathclyde.

The news that libraries may be forced to hand over personal data to the security services raises serious ethical questions regarding the confidentiality of what people choose to read. A fundamental ethical principle of the library and information profession is the freedom of individuals to access information and read whatever they choose in confidence. The Chartered Institute of Library and Information Professionals (CILIP) is very clear on the obligations to library users. Its ethical principles state the need to demonstrate:

Commitment to the defence, and the advancement, of access to information, ideas and works of the imagination.

Such a principle is undermined if the government is known to be able to access data on the “information, ideas and works of the imagination” that individuals access. The chilling effect of such a move would inhibit individuals from accessing whatever they want without fear of reprisals from the state.

Furthermore, CILIP has also endorsed the Council of Europe’s “Public access to and freedom of expression in networked information: Guidelines for a European cultural policy”. These guidelines are very clear that what users choose to access should be treated as confidential and that the privacy of users should be paramount:

1.2 It is the responsibility of individuals using Public Access Points to decide for themselves what they should, or should not, access.

1.3 Those providing Public Access Points should respect the privacy of users and treat knowledge of what they have accessed or wish to access as confidential.

The proposals laid out by Theresa May seriously threaten these basic ethical principles. If the state is able to access data on what individuals have been reading in public libraries, their freedom to read and access what they choose is seriously compromised.

Ironically, these proposals come at a time when libraries and librarians in other parts of the world are emphasising the importance of ensuring that individuals can access what they wish in confidence. In December last year, librarians were in uproar when Haruki Murakami’s borrowing record was published in a Japanese newspaper. In response, the Japan Librarian Association re-affirmed that:

“Disclosing the records of what books were read by a user, without the individual’s consent, violates the person’s privacy.”

In the face of similarly intrusive legislation (the PATRIOT Act) in the United States, some libraries have begun purging records of inter-library loan requests to protect users’ privacy. As yet we have not seen comparable moves by the profession in the UK, but the increasingly aggressive rhetoric from the government regarding what and how individuals seek out information is clearly in conflict with the values we espouse as a profession.

Libraries should not distinguish between books and web activity. What individuals read and access online should be as private and as confidential as their book borrowing habits. Although we do not have the constitutional protections to intellectual liberty that American library users are afforded under the First Amendment, both professional organisations (such as CILIP) and political bodies (Council of Europe) are very clear that what a user accesses in a library should remain confidential. The proposals put forward by Theresa May threaten these basic principles of intellectual freedom and liberty and will put intolerable pressure on public libraries. Our government’s desire to undermine these principles is not only dangerous, but will also seriously undermine the bond of trust between public libraries and their users.

Will TalkTalk be held to account for cyber-attack?

It’s good to Talk, but it would be even better if you could do so and know your personal data is secure. (Image c/o on Flickr.)

The following article was contributed by Tim Turner, trainer & consultant on Data Protection, FOI, PECR and information rights.

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

Donald Rumsfeld’s comment on the fact that sometimes we don’t know what we don’t know is notorious for its lack of clarity, but it is a very helpful summary of most massive data protection or security incidents. Take the recent TalkTalk debacle, in which the telco’s website was hacked, and a quantity of personal data was accessed and presumably stolen. We don’t actually know much more than that: we don’t know how the hack happened, we don’t know for certain who committed the act, we don’t know how much data has been stolen and most importantly, we definitely don’t know whether any laws have been breached.

There is a lot to keep an eye on. TalkTalk’s hastily assembled FAQ was emphatic that the Data Protection Act has not been breached by this incident, and the company has generally been at pains to hashtag every tweet with #cyberattack, painting itself as the victim. Meanwhile, the headlong rush of the company’s Chief Executive, Dido Harding, into every available TV studio has impressed some with her frank admission that TalkTalk could have done more to protect customer data, but has thrown the ‘no breach’ claim into doubt.

Data Protection law is built on eight principles, and the seventh principle requires that organisations put in place “appropriate” levels of technical and organisational security. The fact that whoever hacked the TalkTalk website has committed a crime in doing so does not absolve TalkTalk of responsibility. The 7th principle explicitly requires measures to prevent unauthorised and unlawful processing of personal data, so anyone whose website might be the gateway to personal data has to have proactive protections to repel a hacker. Several companies have already fallen foul of the 7th principle and received substantial monetary penalties after falling victim to hackers, including Sony Playstation Online, the British Pregnancy Advisory Service and the travel company Think W3. In each case, a criminally-motivated hacker was assisted by inadequate security and lack of testing.

All sorts of considerations can increase the burden of security. If an organisation is large and high-profile, if it holds a large amount of personal data, or if a hack might expose sensitive data that could lead to harm, the measures must be progressively more robust. All three of these factors apply to TalkTalk. Harding has claimed that TalkTalk’s security was “head and shoulders” above that of its competitors, and if that can be proved, TalkTalk are off the hook. But with a Chief Executive who has already admitted that their security might have been found wanting, and the arrest of a 15-year-old boy in connection with the hack (putting paid to some of the more lurid theories about some kind of Russian / ISIS / Cyber-Jihadi / SPECTRE agent being the perpetrator), presumably we know for certain that the Information Commissioner will act swiftly and decisively to enforce the law?

Well, not quite. Data Protection does not allow for summary justice. The Information Commissioner needs to prove at least on the balance of probabilities that there were appropriate measures to prevent hacking that TalkTalk should have had in place but didn’t. TalkTalk will have to be able to make their case, and the ICO will have to listen. The DP framework allows for the possibility that TalkTalk can be hacked and yet no breach has occurred – the breach is not the incident, but the absence of measures to prevent it.

The omens are nevertheless not auspicious. As well as Harding’s unwise comments, TalkTalk’s track record is troubling. In 2008, the company received an enforcement notice from the ICO, requiring it to stop such basic errors as customers being able to see each other’s records online. Much more recently, TalkTalk’s security was audited by the ICO, and in a break with normal practice, TalkTalk refused consent for the executive summary to be published (despite other organisations allowing quite negative summaries to go online).

The most important thing that we do know is that the TalkTalk hack does not just put the company in the frame. The Information Commissioner is better at enforcing on security matters than on nearly any other aspect of Data Protection, but their appetite for taking on large organisations is inconsistent: there may be £250,000 penalties for Sony, but until recently, only unenforceable undertakings on a largely unrepentant Google. Many activists can recall big Data Protection scandals like press misuse of private data (which the ICO discovered but did not tackle) or secret trials of the Phorm internet tracking software (which some suspect went unpunished because the trials were carried out by BT). If the ICO fails to act, it will need an extremely persuasive justification to calm the outrage that will likely follow, and we simply don’t know if such an explanation exists, whatever the law says.

Do you Care for your Data? What care.data means for NHS patients in England

The new care.data database has prompted much debate about its impact on healthcare and patients.
(Image c/o Jamie on Flickr.)

The following post was written by Informed team member, Elly O’Brien.

NHS England’s new database, care.data, will be populated with data collected by the Health and Social Care Information Centre (HSCIC) from different care providers such as General Practitioners (GPs). The HSCIC already collects Hospital Episode Statistics, which detail admissions, outpatient appointments and accident and emergency department attendances. The concept behind care.data is to create a single database with information spanning primary care (e.g. GP surgeries) and secondary care (e.g. hospital admissions), so that this “big data” can be used to help understand and treat diseases, inform how local services are organised, identify people at risk of conditions and improve the “pathway” of treatment a patient follows.

We are frequently told that we are living in an age of “information overload”, where we are bombarded with information. This can lead to an “information paradox”: there are so many sources of information that knowledge becomes hard to find, and the superfluity of information can make it harder to reach a decision. Care.data is a perfect example of this in action, having created a flurry of media coverage and commentary from all sides.

The aim of this blog post is not to add to this excess of information or to try to sway anyone’s opinion, but to signpost sources of information from various organisations and viewpoints.

The HSCIC has background information on care.data, and NHS England has a range of information specifically for health professionals. NHS Choices has information tailored for patients, including an electronic copy of the leaflet that has been distributed to all households in England and a video.

So what are some of the issues that have been raised about care.data?

Anonymisation

NHS England has stated that the records will have identifiable information removed, but the HSCIC has conceded that there is a small risk that records could be identifiable, because records will be pseudonymised rather than anonymised.
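The distinction between pseudonymised and anonymised records is easy to state and easy to misread, so the following added example (not part of the original post, and not a description of the HSCIC’s actual scheme) works it through on a constructed dataset. It assumes a keyed HMAC-SHA256 token as the pseudonym, a reference year of 2014 for age banding, and made-up placeholder NHS numbers and postcodes. The point it shows is the one the post makes: pseudonymised records from two sources can still be joined on the token, and whoever holds the key can map tokens back to people, so the data remains personal data; anonymised records drop the identifier and generalise the remaining fields, at the cost of linkage, and even then a group of size one is still a single person.

```python
"""Pseudonymised vs anonymised patient records (added illustration).

The records below are constructed; NHS numbers and postcodes are placeholders.
"""
import hmac
import hashlib
from collections import Counter

# Constructed extracts from two sources: a GP surgery and a hospital.
GP_RECORDS = [
    {"nhs_number": "0000000001", "dob": "1961-04-02", "postcode": "EX1 2AB", "diagnosis": "type 2 diabetes"},
    {"nhs_number": "0000000002", "dob": "1988-11-15", "postcode": "EX1 2AC", "diagnosis": "asthma"},
    {"nhs_number": "0000000003", "dob": "1975-06-30", "postcode": "G12 8QQ", "diagnosis": "hypertension"},
]
HOSPITAL_RECORDS = [
    {"nhs_number": "0000000001", "dob": "1961-04-02", "postcode": "EX1 2AB", "admission": "cardiology"},
    {"nhs_number": "0000000003", "dob": "1975-06-30", "postcode": "G12 8QQ", "admission": "renal"},
]


def _token(identifier: str, key: bytes) -> str:
    # Keyed token: the same person gets the same token in every source.
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed token; keep everything else.

    Linkage between sources is preserved, which is the purpose of pseudonymisation
    and also the reason the result is still personal data.
    """
    out = []
    for r in records:
        pseudo = {k: v for k, v in r.items() if k != "nhs_number"}
        pseudo["pseudonym"] = _token(r["nhs_number"], key)
        out.append(pseudo)
    return out


def age_band(dob: str, year: int = 2014) -> str:
    """Ten-year age band from a date of birth (assumed reference year 2014)."""
    age = year - int(dob[:4])
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def anonymise(records, year: int = 2014):
    """Drop the identifier and generalise the quasi-identifiers.

    Full date of birth becomes an age band and the postcode is cut to its
    outward code, so there is nothing left to join on.
    """
    return [
        {
            **{k: v for k, v in r.items() if k not in ("nhs_number", "dob", "postcode")},
            "age_band": age_band(r["dob"], year),
            "postcode_area": r["postcode"].split()[0],
        }
        for r in records
    ]


def link_on_pseudonym(a, b):
    """Join two pseudonymised extracts on the shared token."""
    by_token = {r["pseudonym"]: r for r in b}
    return [{**r, **by_token[r["pseudonym"]]} for r in a if r["pseudonym"] in by_token]


def reidentify(pseudo_records, candidate_ids, key: bytes):
    """What the key holder can do: rebuild the token -> identifier table.

    This is the residual risk the post refers to; a released key or a retained
    lookup table turns every pseudonymised record back into an identified one.
    """
    table = {_token(i, key): i for i in candidate_ids}
    return [{**r, "nhs_number": table.get(r["pseudonym"])} for r in pseudo_records]


def smallest_group(anon_records) -> int:
    """Size of the smallest (age_band, postcode_area) group in an anonymised set.

    A group of one is a single identifiable person, so a release would normally
    require further generalisation or suppression before this reaches 1.
    """
    counts = Counter((r["age_band"], r["postcode_area"]) for r in anon_records)
    return min(counts.values())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real key would be held by the data controller
    gp, hosp = pseudonymise(GP_RECORDS, key), pseudonymise(HOSPITAL_RECORDS, key)
    print("linked records:", len(link_on_pseudonym(gp, hosp)))
    print("re-identified:", [r["nhs_number"] for r in reidentify(gp, [r["nhs_number"] for r in GP_RECORDS], key)])
    print("smallest anonymised group:", smallest_group(anonymise(GP_RECORDS)))
```

Run as-is it links the two GP patients who also appear in the hospital extract, recovers all three NHS numbers with the key, and reports that the generalised dataset still contains groups of one, which is why "pseudonymised" and "anonymised" are not interchangeable in a data protection argument.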

How the data will be used

The data will be used within the NHS nationally to inform research and improve practice, as well as by the NHS locally to understand local needs and to commission services accordingly. It will also be made available (for a fee) to insurance firms and private organisations such as pharmaceutical companies. Some people are fundamentally opposed to this, but NHS England has sought to reassure patients that the data will not affect insurance premiums or be used for marketing purposes. NHS England has in place information governance measures designed to ensure that it complies with relevant legislation on how care.data will be shared, stored and used. The same laws will apply to any non-NHS organisations using care.data; however, some critics are concerned that any misuse of data would only become apparent after the fact, and that the law in itself is not necessarily a deterrent.

Having to opt-out

The new database is based on an opt-out system, and patients who do not want their data included in the database are instructed in the leaflet being posted out to contact their GP. This has been criticised on principle by some, because people may not opt out (perhaps due to laziness or lack of awareness) but in doing so are not necessarily positively consenting. Others have criticised the fact that an opt-out form has not been provided, although some GP surgeries have created opt-out forms for patients on their websites (such as this Durham-based practice). To opt out you simply need to contact your GP surgery (not your actual GP); you can phone them or write to them (medConfidential has an opt-out form you can print out and send to your GP surgery).

The decision is yours to make, but a little reading can ensure that it is an informed, empowered decision rather than an unwitting opt-in.