Tag Archives: data protection

Investigatory powers bill and libraries

This blog post was contributed by Ian Clark from the Informed team and Lauren Smith, a Research Associate at the University of Strathclyde.

The news that libraries may be forced to hand over personal data to the security services raises serious ethical questions regarding the confidentiality of what people choose to read. A fundamental ethical principle of the library and information profession is the freedom of individuals to access information and read whatever they choose in confidence. The Chartered Institute of Library and Information Professionals (CILIP) is very clear on the obligations to library users. Its ethical principles state the need to demonstrate:

Commitment to the defence, and the advancement, of access to information, ideas and works of the imagination.

Such a principle is undermined if the government is known to be able to access data on the “information, ideas and works of the imagination” that individuals access. The chilling effect of such a move would inhibit individuals from accessing whatever they want without fear of reprisals from the state.

Furthermore, CILIP has also endorsed the Council of Europe’s “Public access to and freedom of expression in networked information: Guidelines for a European cultural policy”. These guidelines are very clear that what users choose to access should be treated as confidential and that the privacy of users should be paramount:

1.2 It is the responsibility of individuals using Public Access Points to decide for themselves what they should, or should not, access.

1.3 Those providing Public Access Points should respect the privacy of users and treat knowledge of what they have accessed or wish to access as confidential.

The proposals laid out by Theresa May seriously threaten these basic ethical principles. If the state is able to access data on what individuals have been reading in public libraries their freedom to read and access what they choose is seriously compromised.

Ironically, these proposals come at a time when libraries and librarians in other parts of the world are emphasising the importance of ensuring that individuals can access what they wish in confidence. In December last year, librarians were in uproar when Haruki Murakami’s borrowing record was published in a Japanese newspaper. In response, the Japan Librarian Association re-affirmed that:

“Disclosing the records of what books were read by a user, without the individual’s consent, violates the person’s privacy.”

In the face of similarly intrusive legislation (the PATRIOT Act) in the United States, some libraries have begun purging records of inter-library loan requests to protect users’ privacy. As yet we have not seen comparable moves by the profession in the UK, but the increasingly aggressive rhetoric from the government regarding what and how individuals seek out information is clearly in conflict with the values we espouse as a profession.

Libraries should not distinguish between books and web activity. What individuals read and access online should be as private and as confidential as their book borrowing habits. Although we do not have the constitutional protections to intellectual liberty that American library users are afforded under the First Amendment, both professional organisations (such as CILIP) and political bodies (Council of Europe) are very clear that what a user accesses in a library should remain confidential. The proposals put forward by Theresa May threaten these basic principles of intellectual freedom and liberty and will put intolerable pressure on public libraries. Our government’s desire to undermine these principles is not only dangerous, but will also seriously undermine the bond of trust between public libraries and their users.

Will TalkTalk be held to account for cyber-attack?

talktalk
It’s good to Talk, but it would be even better if you could do so and know your personal data is secure. (Image c/o on Flickr.)

The following article was contributed by Tim Turner, trainer & consultant on Data Protection, FOI, PECR and information rights.

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

Donald Rumsfeld’s comment on the fact that sometimes we don’t know what we don’t know is notorious for its lack of clarity, but it is a very helpful summary of most massive data protection or security incidents. Take the recent TalkTalk debacle, in which the telco’s website was hacked, and a quantity of personal data was accessed and presumably stolen. We don’t actually know much more than that: we don’t know how the hack happened, we don’t know for certain who committed the act, we don’t know how much data has been stolen and most importantly, we definitely don’t know whether any laws have been breached.

There is a lot to keep an eye on. TalkTalk’s hastily assembled FAQs was emphatic that the Data Protection Act has not been breached by this incident, and the company has generally been at pains to hashtag every tweet with #cyberattack, painting itself as the victim. Meanwhile the company’s Chief Executive Dido Harding’s headlong rush into every available TV studio has impressed some with her frank admission that TalkTalk could have done more to protect customer data, but thrown the ‘no breach claim’ into doubt.

Data Protection law is built on eight principles, and the seventh principle requires that organisations put in place “appropriate” levels of technical and organisational security. The fact that whoever hacked the TalkTalk website has committed a crime in doing so does not absolve TalkTalk of responsibility. The 7th principle explicitly requires measures to prevent unauthorised and unlawful processing of personal data, so anyone whose website might be the gateway to personal data has to have proactive protections to repel a hacker. Several companies have already fallen foul of the 7th principle and received substantial monetary penalties after falling victim to hackers, including Sony Playstation Online, the British Pregnancy Advisory Service and the travel company Think W3. In each case, a criminally-motivated hacker was assisted by inadequate security and lack of testing.

All sorts of considerations can increase the burden of security. If an organisation is large and more high-profile, if they hold a large amount of personal data, or if a hack might expose sensitive data that might lead to harm, the measures must be progressively more robust. All three of these factors apply to TalkTalk. Harding has claimed that TalkTalk’s security was “head and shoulders” above that of its competitors, and if that can be proved, TalkTalk are off the hook. But with a Chief Executive who has already admitted that their security might have been found wanting, and the arrest of a 15 year old boy in connection with the hack (putting paid to some of the more lurid theories about some kind of Russian / ISIS / Cyber-Jihadi / SPECTRE agent being the perpetrator), presumably we know for certain that the Information Commissioner will act swiftly and decisively to enforce the law?

Well, not quite. Data Protection does not allow for summary justice. The Information Commissioner needs to prove at least on the balance of probabilities that there were appropriate measures to prevent hacking that TalkTalk should have had in place but didn’t. TalkTalk will have to be able to make their case, and the ICO will have to listen. The DP framework allows for the possibility that TalkTalk can be hacked and yet no breach has occurred – the breach is not the incident, but the absence of measures to prevent it.

The omens are nevertheless not auspicious. As well as Harding’s unwise comments, TalkTalk’s track record is troubling. In 2008, the company received an enforcement notice from the ICO, requiring them to stop such basic errors as customers being able to see each others’ records online. Much more recently, TalkTalk’s security was audited by the ICO, and in a break with the normal practice, TalkTalk refused consent for the executive summary to be published (despite other organisations allowing quite negative summaries to go online).

The most important thing that we do know is that the TalkTalk hack does not just put the company in the frame. The Information Commissioner is better at enforcing on security matters than nearly any other aspect of Data Protection but their appetite for taking on large organisations is inconsistent: there may be £250,000 penalties for Sony, but until recently, only unenforceable undertakings on a largely unrepentant Google. Many activists can recall big Data Protection scandals like press misuse of private data (which the ICO discovered but did not tackle) or secret trials of the Phorm internet tracking software (which some suspect went unpunished because the trails were carried out by BT). If the ICO fails to act, it will need an extremely persuasive justification to calm the outrage that will likely follow, and we simply don’t know if such an explanation exists, whatever the law says.

The news where you are: digital preservation and the digital dark ages

(Image c/o Pierre-Louis FERRER on Flickr.)

The following article was contributed by William Kilbride, Executive Director of the Digital Preservation Coalition

That’s all from us, now the news where you are….

This awkward cliché, repeated at the end of every BBC news report, signals a crude shift in gear. It seems that ‘The News’ has two parts: ‘the news where we are’ (London-centred politics, war, economics, English premiership football); and ‘the news where you are’  (local and parochial oddities that may entertain the yeomanry but which won’t deflect the ship of state from its mighty  progress).  Ruthlessly and deservedly lampooned during last year’s independence debate, the phrase came to mind last week as Vint Cerf shared his fears on the evanescence of digital memory and the need to take collective action to counter the pernicious and ubiquitous impact of obsolescence.  Reported by the BBC, the Independent, the Guardian and others (mostly from San Jose CA) it would seem that a digital black hole is set to initiate a digital dark age sometime soon.  There’s a choice of metaphors but none of them good.

The news where I am (The Digital Preservation Coalition) is surprisingly different from the news where they are.

First thing’s first: I don’t have a copy of Vint Cerf’s original remarks so my observations are really only about the reportage.  In fact almost anything he might choose to say would have been welcome.  It’s undoubtedly true that preserving digital content through technological change is a real and sometimes daunting challenge.  Our generation has invested as never before in digital content and it is frankly horrifying when you consider what rapid changes in technology could do to that investment.  Vint, as one of the architects of the modern world, is exceptionally well placed to help us raise the issue among the engineers and technologists that need to understand the problem.

We do desperately need to raise awareness about the challenge of digital preservation so that solutions can be found and implemented.  Politicians and decision makers are consistently under-informed or unaware of the problem.  In fact awareness raising was one of the reasons that the DPC was founded. Since 2002 DPC has been at the forefront of joint activity on the topic in the UK and Ireland, supporting specialist training, helping to develop practical solutions, promoting good practice and building relationships.  A parliamentarian recently asked me which department of government will be best supported by all this work (presumably in an attempt to decide which budget should pay for it).  I answered ‘all of them’.  I am not sure if the question or the answer was more naïve: it’s hard to imagine an area of public and private life that isn’t improved by having the right data available in the right format to the right people at the right time; or conversely frustrated by its absence.  Digital preservation is a concern for everyone.

But that’s not the same as saying that a digital black hole is imminent. It might have been in 2002 but since then there’s been rather a lot to celebrate in the collective actions of the digital preservation community globally (and especially here in the UK and Ireland) where agencies and individuals are beginning to wake up to the problem in large numbers.  These days we’re seeing real interest from across the spectrum of industry and commerce. Put simply the market is ripe for large scale solutions.  It’s easy to focus on the issue of loss, but we can also talk confidently now about the creative potential of digital content over an extended lifecycle.

In January this year the DPC welcomed its 50th organisational member: the Bank of England.  It’s a household name but nor is it particularly a memory institution with a core mission to preserve.  Other new members in the last year include HSBC, NATO and the Royal Institution of British Architects.  They all depend on data and they all need to ensure the integrity of their processes, but they are not memory institutions with a mission to preserve.  Any organisation that depends on data beyond the short life spans of current technology – we’re all data driven decision makers now – needs to put digital preservation on its agenda.

If the last decade has taught us anything, it’s that we face a social and cultural challenge as well as a technical one.  We certainly need better tools, smarter processes and enhanced capacity which is ultimately what Vince’s suggestion for Digital Vellum is about (though others dispute the detail of his proposal).  But this won’t solve the problem alone. We also need competent and responsive workforces ready to address the challenges of digital preservation.  Time and again surveys of the digital preservation community show that the skills are lacking and where they exist they are themselves subject to rapid obsolescence.  We know that digital skills are crucially short in the UK economy: at the same time as Vint was arguing for Digital Vellum the Chief Constable of Police Scotland had to apologise for having misled parliament because statistics about draconian stop-and-search powers were inadvertently deleted.  The nation’s most senior policeman could lose his job because his organisation lacked digital preservation skills.  Arguably the lack of skills is a bigger challenge than obsolescence.

Moreover a political and institutional climate responsive to the need for digital preservation would allow us to make sense of the peculiarities of copyright.  Those who argue for the right to be forgotten ingenuously assume an infrastructure where you will be remembered: a somewhat populist rush for data protection and cybersecurity is tending to stifle reasonable calls for data retention.  This is pretty raw stuff.  At the same time as the technology commentators were worrying about technical obsolescence a senior politician was caught deleting content of his own containing comments that now seem ill-judged. The machinations of those who want us to forget might well be a bigger threat to our collected memories than digital obsolescence.

DPC was founded to ensure closer and more productive collaboration by its members.  I grant you that some of this has involved the slow grind of hard problems: a standard here, a training programme there, a research project peering into the future, a policy review, a procedures manual.  All of it is worth celebrating and we’ve been doing so for years now. I have no idea why journalists haven’t noticed this: we’ve been trying to get their attention for years.

San Jose is lovely in early spring. But there’s a better story about digital preservation where we are.


Do you have something to say on a current issue facing the information world? We’re always looking for new contributions to Informed from the information professional community. If you would like to write something for the site, do drop us a line!

Do you Care for your Data? What care.data means for NHS patients in England

The new care.data database has prompted much debate about its impact on healthcare and patients.
(Image c/o Jamie on Flickr.)

The following post was written by Informed team member, Elly O’Brien.

NHS England’s new database, Care.data, will be populated with data collected by the Health and Social Care Information Centre (HSCIC) from different care providers such as General Practitioners (GPs). The HSCIC already collects Hospital Episode Statistics, which details admissions, outpatient appointments and accident and emergency department attendances. The concept behind care.data is to create a single database with information spanning primary care (e.g. GP surgeries) and secondary care (e.g. hospital admissions), to enable this “big data” to be used to help understand and treat diseases, inform how local services are organised, identify people at risk of conditions and improve the “pathway” of treatment a patient follows.

We are frequently told that we are living in an age of “information overload”, where we are bombarded with information which can lead to an “information paradox” in which there are so many sources of information, that knowledge becomes hard to find and this superfluity of information can make it harder to reach a decision. Care.data is a perfect example of this in action, having created a flurry of media coverage and commentary from all sides.

The aim of this blog post is not to add to this excess of information or to try to sway anyone’s opinion, but to signpost sources of information from various organisations and viewpoints.

The HSCIC has background information on care.data, NHS England has a range of information specifically for health professionals. NHS Choices has information tailored for patients including an electronic copy of the leaflet that has been distributed to all households in England and a video.

So what are some of the issues that have been raised about care.data?

Anonymisation

NHS England has stated that the records will have identifiable information removed but the HSCIC has conceded that there is a small risk that records would be potentially identifiable as records will be pseudonymised rather than anonymised.

How the data will be used

The data will be used within the NHS nationally to inform research and improve practice, as well as by the NHS locally to understand local needs and for the NHS to commission services accordingly. It will also be made available (for a fee) to insurance firms and private organisations such as pharmaceutical companies. Some people are fundamentally opposed to this, but NHS England has sought to reassure patients that the data will not affect insurance premiums or be used for marketing purposes. NHS England has in place information governance measures designed to ensure that it complies with relevant legislation with regards to how care.data will be shared, stored and used. The same laws will apply to any non-NHS organisations using care.data, however, some critics have are concerned that any misuse of data would only be apparent after the fact and that law in itself is not necessarily a deterrent.

Having to opt-out

The new database is based on an opt-out system and patients who do not want their data included in the database are instructed to contact their GP in the leaflet being posted out. This has been criticised on principle by some, because people may not opt-out (perhaps due to laziness or lack of awareness) but in doing so are not necessarily positively consenting. Others have criticised that an opt-out form has not been provided, although some GP surgeries have created opt-out forms for patients on their websites (such as this Durham-based practice). To opt out you simply need to contact your GP surgery (not your actual GP), you can phone them or write to them (medConfidential has an opt-out form you can print out and send to your GP surgery).

The decision is yours to make, but a little reading can ensure that it is an informed, empowered decision rather than an unwitting opt-in.