Will TalkTalk be held to account for cyber-attack?

It’s good to Talk, but it would be even better if you could do so and know your personal data is secure. (Image c/o on Flickr.)

The following article was contributed by Tim Turner, trainer & consultant on Data Protection, FOI, PECR and information rights.

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

Donald Rumsfeld’s comment on the fact that sometimes we don’t know what we don’t know is notorious for its lack of clarity, but it is a very helpful summary of most massive data protection or security incidents. Take the recent TalkTalk debacle, in which the telco’s website was hacked, and a quantity of personal data was accessed and presumably stolen. We don’t actually know much more than that: we don’t know how the hack happened, we don’t know for certain who committed the act, we don’t know how much data has been stolen and most importantly, we definitely don’t know whether any laws have been breached.

There is a lot to keep an eye on. TalkTalk’s hastily assembled FAQs were emphatic that the Data Protection Act has not been breached by this incident, and the company has generally been at pains to hashtag every tweet with #cyberattack, painting itself as the victim. Meanwhile the company’s Chief Executive Dido Harding’s headlong rush into every available TV studio has impressed some with her frank admission that TalkTalk could have done more to protect customer data, but has thrown the ‘no breach’ claim into doubt.

Data Protection law is built on eight principles, and the seventh principle requires that organisations put in place “appropriate” levels of technical and organisational security. The fact that whoever hacked the TalkTalk website has committed a crime in doing so does not absolve TalkTalk of responsibility. The 7th principle explicitly requires measures to prevent unauthorised and unlawful processing of personal data, so anyone whose website might be the gateway to personal data has to have proactive protections to repel a hacker. Several companies have already fallen foul of the 7th principle and received substantial monetary penalties after falling victim to hackers, including Sony Playstation Online, the British Pregnancy Advisory Service and the travel company Think W3. In each case, a criminally-motivated hacker was assisted by inadequate security and lack of testing.

All sorts of considerations can increase the burden of security. If an organisation is large and high-profile, if it holds a large amount of personal data, or if a hack might expose sensitive data that could lead to harm, the measures must be progressively more robust. All three of these factors apply to TalkTalk. Harding has claimed that TalkTalk’s security was “head and shoulders” above that of its competitors, and if that can be proved, TalkTalk are off the hook. But with a Chief Executive who has already admitted that their security might have been found wanting, and the arrest of a 15-year-old boy in connection with the hack (putting paid to some of the more lurid theories about some kind of Russian / ISIS / Cyber-Jihadi / SPECTRE agent being the perpetrator), presumably we know for certain that the Information Commissioner will act swiftly and decisively to enforce the law?

Well, not quite. Data Protection does not allow for summary justice. The Information Commissioner needs to prove at least on the balance of probabilities that there were appropriate measures to prevent hacking that TalkTalk should have had in place but didn’t. TalkTalk will have to be able to make their case, and the ICO will have to listen. The DP framework allows for the possibility that TalkTalk can be hacked and yet no breach has occurred – the breach is not the incident, but the absence of measures to prevent it.

The omens are nevertheless not auspicious. As well as Harding’s unwise comments, TalkTalk’s track record is troubling. In 2008, the company received an enforcement notice from the ICO, requiring it to stop such basic errors as customers being able to see each other’s records online. Much more recently, TalkTalk’s security was audited by the ICO, and in a break with normal practice, TalkTalk refused consent for the executive summary to be published (despite other organisations allowing quite negative summaries to go online).

The most important thing that we do know is that the TalkTalk hack does not just put the company in the frame. The Information Commissioner is better at enforcing on security matters than on nearly any other aspect of Data Protection, but its appetite for taking on large organisations is inconsistent: there may be £250,000 penalties for Sony, but until recently, only unenforceable undertakings on a largely unrepentant Google. Many activists can recall big Data Protection scandals like press misuse of private data (which the ICO discovered but did not tackle) or secret trials of the Phorm internet tracking software (which some suspect went unpunished because the trials were carried out by BT). If the ICO fails to act, it will need an extremely persuasive justification to calm the outrage that will likely follow, and we simply don’t know if such an explanation exists, whatever the law says.

How should we tackle “extreme” comments posted online?

The European Court of Human Rights, Strasbourg (image c/o James Russell on Flickr).

A recent ruling by the European Court of Human Rights (ECHR) could have ramifications for all of those with websites enabling comments to be posted by readers. The Court ruled that an Estonian news site (Delfi) may be held responsible for anonymous comments that are allegedly defamatory. A representative of digital rights organisation Access argued that the judgement has:

“…dramatically shifted the internet away from the free expression and privacy protections that created the internet as we know it.”

A post by the Media Legal Defence Initiative listed the main reasons why the court came to this decision, which included:

  1. the “extreme” nature of the comments which the court considered to amount to hate speech
  2. the fact that they were published on a professionally-run and commercial news website
  3. the insufficient measures taken by Delfi to weed out the comments in question and the low likelihood of a prosecution of the users who posted the comments.

The full judgement can be read here.

Who is responsible for comments posted online?

The timing of this is particularly relevant for me following the coverage of a tragic local incident. Following an attempted suicide by a local woman that led to the death of a man attempting to rescue her, a local news website reported the incident in relative detail, including statements from witnesses (although withholding, at the time, the names of the individuals involved). Sadly this led to a number of insensitive and inappropriate comments being posted about the woman who tried to take her own life. Upon approaching the publishers to request the closing of comments for such a story, I was told that I should report individual inappropriate comments rather than expect them to remove the comments thread altogether.

These two stories raise a number of interesting issues. Who is ultimately liable for content that is published online? Is it the responsibility of the host website to deal with “extreme comments”? Is it the responsibility of the individual who posts the comments? Should there even be any restrictions on what people post online? Should we just accept that everyone has a right to free expression online and that hurtful comments are just manifestations of free expression?

What is your view?

If you’ve got a perspective on the judgement by the ECHR, who should ultimately be responsible for comments posted online or whether any limits in this area are an unreasonable limitation of free expression and would like to write about the issues for Informed, we’d like to hear from you. Articles should be 800-1000 words (although this is flexible) and our normal moderation process applies. If you are interested in writing for Informed, please contact us via submissions[at]theinformed.org.uk.

If you require any support, The Samaritans are available 24hrs a day, 365 days a week to provide support.

Ian Clark
The Informed Team

Do you Care for your Data? What care.data means for NHS patients in England

The new care.data database has prompted much debate about its impact on healthcare and patients.
(Image c/o Jamie on Flickr.)

The following post was written by Informed team member, Elly O’Brien.

NHS England’s new database, Care.data, will be populated with data collected by the Health and Social Care Information Centre (HSCIC) from different care providers such as General Practitioners (GPs). The HSCIC already collects Hospital Episode Statistics, which details admissions, outpatient appointments and accident and emergency department attendances. The concept behind care.data is to create a single database with information spanning primary care (e.g. GP surgeries) and secondary care (e.g. hospital admissions), to enable this “big data” to be used to help understand and treat diseases, inform how local services are organised, identify people at risk of conditions and improve the “pathway” of treatment a patient follows.

We are frequently told that we are living in an age of “information overload”, where we are bombarded with information which can lead to an “information paradox” in which there are so many sources of information, that knowledge becomes hard to find and this superfluity of information can make it harder to reach a decision. Care.data is a perfect example of this in action, having created a flurry of media coverage and commentary from all sides.

The aim of this blog post is not to add to this excess of information or to try to sway anyone’s opinion, but to signpost sources of information from various organisations and viewpoints.

The HSCIC has background information on care.data, and NHS England has a range of information specifically for health professionals. NHS Choices has information tailored for patients, including an electronic copy of the leaflet that has been distributed to all households in England and a video.

So what are some of the issues that have been raised about care.data?

Anonymisation

NHS England has stated that the records will have identifiable information removed, but the HSCIC has conceded that there is a small risk that records would be potentially identifiable, as records will be pseudonymised rather than anonymised.

How the data will be used

The data will be used within the NHS nationally to inform research and improve practice, as well as by the NHS locally to understand local needs and to commission services accordingly. It will also be made available (for a fee) to insurance firms and private organisations such as pharmaceutical companies. Some people are fundamentally opposed to this, but NHS England has sought to reassure patients that the data will not affect insurance premiums or be used for marketing purposes. NHS England has in place information governance measures designed to ensure that it complies with relevant legislation with regard to how care.data will be shared, stored and used. The same laws will apply to any non-NHS organisations using care.data; however, some critics are concerned that any misuse of data would only be apparent after the fact and that the law in itself is not necessarily a deterrent.

Having to opt-out

The new database is based on an opt-out system, and patients who do not want their data included in the database are instructed in the leaflet being posted out to contact their GP. This has been criticised on principle by some, because people may not opt out (perhaps due to laziness or lack of awareness) but in not doing so are not necessarily positively consenting. Others have criticised the fact that an opt-out form has not been provided, although some GP surgeries have created opt-out forms for patients on their websites (such as this Durham-based practice). To opt out you simply need to contact your GP surgery (not your actual GP); you can phone them or write to them (medConfidential has an opt-out form you can print out and send to your GP surgery).

The decision is yours to make, but a little reading can ensure that it is an informed, empowered decision rather than an unwitting opt-in.