Zero Gravity

In March, I received an unsolicited email from a company called Gravicus. It was scaremongering nonsense, touting their data management software via the threat of director liability for data breaches. So far, so what: I get a lot of spammy junk from GDPR people to my 2040 Training email address, but this was to a personal Gmail address that I don’t give out all that often. The email claimed that it had been sent to me because I was “registered on Leadiro”, who I have never heard of. Under PECR, email sent to an address for which I am an individual subscriber can only be sent with consent (or soft opt-in), and given that I had heard of neither Gravicus or Leadiro before the email arrived, they had neither.

I contacted Gravicus to make a subject access request on 20th March, asking how they had obtained my data, what Leadiro had told them and for any other personal data about me that they held. Separately, I contacted Leadiro and asked them why they were selling my data. Leadiro got back to me, and confirmed that they had not supplied my data to Gravicus.

Having had no reply from Gravicus beyond an automated acknowledgement, I emailed them again on April 2nd, asking for confirmation that my request was being dealt with, and also passing on what Leadiro said. A week went by with no acknowledgement, so I wrote to the company’s registered office address and business address, chasing them up.

Gravicus finally reacted on 16th April via a letter from their lawyers, Keystone Law. Keystone admitted on behalf of their clients that the Leadiro story was false, and that my data had been harvested from the “business oriented and professional website” LinkedIn. I apparently connected “voluntarily” with a named Gravicus consultant, who then exported her connections to obtain contact details of “relevant professionals in the sector”. Nearly a month into my request, Gravicus wanted a copy of my passport and utility bill, certified by a lawyer, accountant or similar professional, as well as the £10 fee. I paid the £10 and sent an uncertified copy of my passport. The lawyers still demanded the utility bill as proof of my address, despite the fact that Gravicus’ own version of events shows that they would have nothing to compare it to – they have only ever dealt with me via email or Twitter. In any case, Keystone had already named the individual who harvested my address, so if it was wrong to reply to my subject access request without proof of address, why was it right to give me the name of the consultant? I threatened to complain to the Information Commissioner, and they backed down. I have no doubt that Gravicus took this approach to obstruct my request, which when they had already breached PECR and Data Protection isn’t the best way to resolve a problem.

It is a breach of LinkedIn’s terms and conditions to

  • “Disclose information that you do not have the consent to disclose”
  • “Copy, use, disclose or distribute any information obtained from the Services, whether directly or through third parties (such as search engines), without the consent of LinkedIn”
  • “Use, disclose or distribute any data obtained in violation of this policy”

Harvesting and using email addresses from LinkedIn in breach of their terms and conditions, without transparency and a legal basis is a clear breach of Data Protection. Gravicus did not have my consent, and by misrepresenting the source of my data in the email that they sent me, they blew any chance of relying on legitimate interests. Their use of my data was unlawful. Gravicus’ lawyers claimed that the confusion over where my data came from was understandable because Leadiro was one source that they were using. But that isn’t true. The CEO of Leadiro told me explicitly: “Gravicus are not a Leadiro customer, and have never been a Leadiro customer“. Added to that, sending a marketing email to an individual subscriber without consent is a breach of PECR, and Gravicus knew I was an individual subscriber because their records had my address marked as ‘Personal’.

Despite the fact that Gravicus’ original spam email touted data breaches as being the personal responsibility of directors, one of the shabbiest things about their response is the way they sought to throw their consultant under the bus. They named her straight away, and claimed that the company didn’t know that she was harvesting emails from LinkedIn, even though their lawyers continually stressed that I had voluntarily made my email available to her. In other words, you asked for it, but we didn’t know it was happening. I don’t believe this, but it doesn’t matter whose idea it was. The directors are responsible for what their company does, not some consultant who blocks people on Twitter when they ask awkward questions. Instead of dealing with me like a human being, Gravicus lawyered up and tried to obstruct my subject access request with bogus demands for unnecessary personal data, itself an additional breach of DP law.

This might seem like a lot of fuss for a spam email. But look at what Gravicus is selling as a data processor. Their product works like this: “Tell Osprey your data sources, provide your access credentials and it will connect automatically to analyse your data“. As a data processor, they will have access to a huge amount of sensitive and possibly special categories personal data held by their clients. The GDPR states that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject“.

Gravicus harvested my data unlawfully, they gave me false information about where personal data has been obtained from, they demanded excessive personal data when dealing with my subject access request, and they sent me unlawful unsolicited emails in breach of PECR. They claim that they’ve stopped gathering data in this way, but it never should have happened in the first place, and suggests that the directors don’t know what’s going on in their company. In any case, when caught out, they hide behind their lawyers and consultants instead of dealing direct. Any organisation thinking of using them as a data processor should think long and hard about whether Gravicus can offer the kind of guarantees that GDPR requires.

2040 vision

The turn of the year is always an opportunity to make resolutions in your personal or professional life, but it’s hardly a revelation to observe that such aspirations often evaporate. The easy option presents itself, and the temptation to take it is difficult to resist. For many years, I have claimed to be a “freelancer” but in fact, although I’ve been doing my own thing since 2008, quite a lot of my work has come from Act Now Training. Every year, I tell myself that this is the year that I will cut the apron strings completely and strike out on my own, and every year, I don’t quite get there. I’ve done some fascinating work for a variety of people, but I haven’t found enough of it myself.

2018 was already shaping up to be an interesting year, given that the much-hyped General Data Protection Regulation will finally be enforceable, and we will find out whether the apocalyptic predictions of The Certified will come to pass (SPOILER: they won’t). Reader, that isn’t interesting enough for me. Much as I am grateful to Act Now for offering me my first training course in 2005, and for all the opportunities they’ve given me since, all good things must come to an end. I had to turn down all sorts of opportunities in 2017 because of all the courses I was running, and there are a number of things I’ve always wanted to do, but simply didn’t have the time. So from March 1st, if you want to be trained by me, or use my services, it’s 2040 Training or bust.

A couple of announcements in this context:

PUBLIC COURSES!

I am running some public courses with a practical, procedure based approach in London and Manchester. The first is a ‘GDPR SOS‘ course for those bodies large and small who either haven’t prepared for GDPR’s live incarnation, or don’t know whether they have got what they might need in place. It’s commonplace in the Data Protection world to sneer at those who haven’t thrown themselves into a compliance frenzy, but rather than brag about putting up my daily rate (which some LinkedIn GDPR bods have said they would do in 2018), I thought I would put on a no-nonsense, plain English guide for those who want to get up to speed. The first courses run at the end of March, and you can find out more about them here: http://2040training.co.uk/gdprcourses/

Following on from the SOS course, I hope to be running a detailed practical course on the GDPR rights in April and May, taking into account guidance from the ICO, the Article 29 Working Party, the DP Bill / Act, and of course, the many cases and examples that we’ve already got from 20 years of Data Protection. There will also be a course on PECR and Direct Marketing.

These courses will not be ‘Article or Section X says Y’ but will be based on real-life cases and scenarios. Both, and a range of other options, are of course available in house, and everything else that I can do for you is listed on my website, a link for which is above.

MORE GUIDES!

I wrote two free guides in 2017, one on fundraising and Data Protection, the other on choosing a DPO as a service. The feedback on both has generally been very positive, apart from the DPO as a service people who didn’t like reading that experience  is an essential part of being someone’s expert. It is. Live with it.

First, I am updating the fundraising guide to make it solely about GDPR and the DP Bill to the extent that this is possible. I want to complete this soon, so if any fundraisers have any specific questions about GDPR that you’d like to see answered, especially if you read the original and know the kind of questions I featured next time around, let me know but quickly!

Send any questions, as soon as you can, to: fundraising@2040training.co.uk

Second, I will be writing a guide for GDPR and Councillors – a simple guide to Data Protection as it relates to the role of a local elected politician. It’s not going to cover what councils do, but the way in which a councillor operates their office, deals with constituents and how they store data. Once again, any questions or concerns about this area from Councillors and those who work for or with them would be very welcome. I hope to get this finished by the end of February, so any questions or comments that you can send before then would be more than welcome.

Send any questions (preferably before 20th Feb) to: councillors@2040training.co.uk

Both the updated Fundraising guide and the Councillor guide will be free and available to download from my website.

After these two are done, I will be working on a number of other guides including the use of violence warning markers under GDPR, and no matter how unpopular this will make me, a free guide for individuals who want to use their Data Protection rights. If you have thoughts or comments about this, please let me know.

EMPLOY ME!

Seriously, I’m available. More here: www.2040training.co.uk.

The Naked Truth

The story of Damian Green’s porn-clogged computer has several facets, with a surprising number of them related to data protection. Whether it was a breach for former Deputy Commissioner Bob Quick to reveal that there was porn on the computer is hard to say for certain – I think Quick has a journalistic defence in revealing hypocrisy given that the Government is current waging a moralistic war on adult websites, but you are welcome to disagree. The fact that Quick has form for revealing information that he shouldn’t have only adds spice to the mix.

The question of why Green’s other accuser Neil Lewis still has his police notebooks raises more serious questions. Did he keep them without authorisation from the Met? If he did, this could be a criminal offence under Data Protection’s Section 55 for which Lewis would be liable. Did the Met Police fail to recover them properly? This would be a serious breach of the seventh data protection principle, for which the Met should expect to answer. In any case, I have to agree with those who say that public servants should respect confidences even after they leave the service. Sensitive material should never be retained by former officers of any organisation. I know my reaction to the story is clouded by the entertaining spectacle of seeing a politician caught with his pants down, or at least, unzipped. The question of how the story came to light needs to be interrogated.

Green’s use of the Shaggy Defence to claim that he knows nothing about the porn begs more questions. If he didn’t download it, this means that someone else did (none of the Tories defending him seem to claim that it doesn’t exist). Part of Green’s outrage when his office was raided in 2008 was the threat to the sanctity of Parliamentary Privilege and the confidentiality due to his constituents. In the light of this, Green needs to explain how it was possible for someone else to download porn onto his computer. The best case scenario for him is that this was the result of malware, rather than someone else being able to log into his computer without his knowledge. Of course, malware infecting an MP’s computer is a story in itself. Regardless of whether this story should be in the public domain, we can’t be expected to ignore it now. As someone who processes highly sensitive data about his constituents (as well as possibly other sensitive information), at some point Green has to explain who had access to his computer and what they were doing downloading porn. Or he has to admit that it was him.

I don’t know what, if anything, Green is guilty of, but his fellow Tory Nadine Dorries’ spectacular contribution on Saturday doesn’t allow for any ambiguity. The MP for Mid Bedfordshire has a habit of deleting tweets when she (or someone else running her account) realises how stupid they make her look, so I have screengrabbed this one and I reproduce it in full here:

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

UPDATE: There’s more:

All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?

ANOTHER UPDATE: Robert Syms MP is at it as well

As a constituency MP, Dorries will be handling sensitive correspondence on a wide variety of matters, and she has publicly confirmed that access to information is open to a wide variety of people, including interns on exchange programmes. To this, there is no defence. The seventh data protection principle states that a data controller must have in place appropriate technical and organisational security measures to prevent “unauthorised or unlawful processing of personal data, and against accidental loss of or destruction of or damage to personal data“. This means a mix of technical measures like passwords and encryption and organisational measures like ensuring that passwords are not shared or written down. Dorries has confirmed she has authorised password sharing in her office – which is bad enough in itself because it means passwords are spoken aloud or written down, greatly increasing the chance of the password being known to someone nefarious. But worse than that, she says specifically that a wide group of people share her login. There is no way of knowing who has accessed what, because even if the intern has done it, it looks like Nadine was the person responsible.

The only way that Dorries has not admitted a clear breach of Data Protection’s security principle is if she (or whoever wrote the tweet) is lying in order to defend Green,  which is quite the stupidest thing I can imagine.

There are several possible breaches here – Quick’s original revelations about Green, Lewis’ retention of his notebooks / the Met’s failure to recover them when he left, Green’s insecure computer equipment and Dorries’ admission of her completely lax security. While Quick and Green’s problems are somewhat murky, Lewis / Met Police and Dorries present much more straightforward issues for the Information Commissioner. Both should be investigated as a matter of urgency.

Given Dorries’ casual admission of the insecure way in which her office operates, a much wider investigation might be required. Elizabeth Denham has put huge resources into investigating the possibility of political use of analytics and big data in an unlawful way, even though it’s hard to imagine anything coming of it. On the other hand, here we have a sitting MP openly admitting that constituents’ data is unsafe – how many more of Dorries’ colleagues operate in a similarly unlawful fashion? I cannot complain to the ICO about these matters, as I am not affected by them. However, the issues are serious, and Wilmslow should step in immediately. A bland press release reminding MPs to process data safely is not good enough; the ICO needs to demonstrate that Data Protection law applies to MPs just as it does to the rest of us.

Just say no

On Friday December 16th 2016, I had a routine eye test. The optician noticed swelling on the optic discs at the back of my eye, and I was dispatched to the Manchester Eye Hospital to attend their Emergency Eye Clinic. This is basically A&E for eyes, a mix of swollen eyelids, sudden blindness and people who should have just gone to an optician. I arrived at 2.45pm, and fairly quickly, I was put in the ‘people who need to be seen’ pile. However, this meant waiting for the next available doctor, and like any A&E, the wait was long.

At 5.30, having waited in a dull holding area (with the files of other patients unattended and clearly visible), I was seen by a doctor. At this point, I was bored and worried, desperate to go home but desperate to find out what was going on in my head. Swollen discs can mean all sorts of things, you see, but one of the things Google told me that they can mean is Brain Tumour.

The doctor was terrible. He examined my eyes, pulled faces, and asked lots of questions about the medical history of my family without explaining the significance of any of them. In the middle of that barrage of questions was this one: ‘Any history of tumours in your family?’. Of course, having sat there for nearly three hours with only Google Searches That Spell Imminent Death for company, this question fired out of nowhere was just perfect. After the obligatory disappearance act to consult with a more senior doctor, I was told that they wanted to scan my brain in case “God Forbid” there was a tumour in there.

I was shunted back into another holding area, then at around 7pm a very sympathetic nurse inserted a cannula into my arm so that they could put a dye into my bloodstream when scanning me (a process that never actually happened) and explained ‘We’d like to do a CT scan’. She told me where to go, and because I was evidently in a bad place mentally, made clear that if I wanted to go for a walk before the scan, that would be fine. At length (and after it became clear that the people doing the CT scan weren’t actually expecting me), I had the scan. Several hours later, they decided I had high blood pressure and I went home at 10.45pm.

Looking at the whole thing as a Data Protection professional rather than a patient, the thing that leapt out at me at the time were the boxes of paper records left unattended. During the day, the holding area I was sitting in is very busy, with at least one member of staff behind the desk able to prevent access. When I was there on the Friday evening, there were long stretches when I could have got behind the desk and read the files, and nobody would have known. It’s an open question as to whether a patient left alone with unattended medical records is a ‘personal data breach’ that would have to be reported to the Information Commissioner.

In retrospect, there is a more interesting question. Carrying out a CT scan is processing personal data – it involves the creation of a scan of the patient’s brain which is plainly sensitive personal data (under GDPR, special categories data). So, what condition did Manchester Eye Hospital have for processing my personal data, and did they provide me with adequate fair processing?

Here’s the thing: they didn’t have my consent and I suspect they think they did. They probably didn’t have Data Protection Act consent, but they definitely didn’t have GDPR standard consent. I’m sure many readers will disagree. Surely my lying down to have the scan is a “clear affirmative action”, signifying my agreement to the processing?

Well, it’s not that simple. First, there is the lack of fair and transparent processing. I was told why they wanted to do the scan, but I wasn’t told who would get access to it (which in today’s NHS could be Google), how long it would be kept for, what legal basis they were relying on and so on. Even if the DPA doesn’t demand this now, it’s hard to argue that the processing would be fair unless I was told these things. Moreover, without any fair processing, any consent I gave would not be informed and specific.

The second problem is that my consent was not freely given. I was tired after hours of sitting around, I had been given limited information by a doctor with poor communication skills and frankly I was scared that I had a brain tumour. I hadn’t eaten and or drunk very much, and my phone was dead so I couldn’t discuss it with anyone else. I do not believe I had the capacity to freely give my consent to have my brain scanned. At no point did anyone say ‘Do you consent to having your brain scanned?’, it was couched in passive language: we would like to do this, and if I didn’t object, my consent was assumed.

Then there is the power imbalance – people like to talk about ‘Our NHS’ as if we all collectively own it, but that’s bullshit. Surrounded – outnumbered – by doctors and nurses who want to do something, it’s hard to say no. Indeed, I am aware of cases where a person who refuses to do what the doctors want have been sectioned. Admittedly, as a white, middle-aged, middle-class man, I’m probably less likely to be subjected to this, but who knows. What would they have done if I had said no?

In this context, recital 43 of the GDPR is worth reading:

consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation

I think the power imbalance between the assembled medical staff and me made it impossible for me to say ‘no’, especially when considering the specifics of the situation. I had gone from a routine eye appointment to a request for a brain scan to find out if I had a brain tumour. My ability to make decisions was fried. A few months later, I got up at 7am on a Sunday to drive to Trafford Hospital where some improbably chirpy technicians did an MRI on my head. That interaction was certainly closer to consent than the CT scan, but strictly speaking, nobody asked my consent. It was a lot better, but by no means the only way in which the NHS processes data.

Since my diagnosis of high blood pressure, I have spent an afternoon in a specialist diagnostic ward in one hospital, had the above MRI in another, had separate MRIs and ultrasound scans on my kidneys, a shedload of blood tests and monthly appointments at my GP. My GP aside (who is excellent at explaining everything), the standard of fair processing in all my interactions with the NHS since last December has been lamentable. I don’t know who gets access to my data, I don’t know what for, and nobody has told me how to find out. There may be a privacy notice somewhere on a website but I don’t know where it is and nobody told me how to find it.

I respect and trust my GP. Every nurse I have met, even those briefly sticking a needle in my arm, has been exemplary. The team at the ARMU at Wythenshawe Hospital are superb, both at medicine and communication (in fact, every experience I have had there has been good). But for all the fact that I can be a troll sometimes, I have never caused as much hostility and frustration as when I give my honest opinion about my experiences in the NHS. People are angry with me if I speak my mind. Criticising the NHS is modern-day blasphemy. I’m only writing this blog now because it looks like my eyes are getting better and I probably haven’t got a brain tumour (although the fact that the hospital lost the brain MRI for several months because of the virus infection in May dents my confidence in this). I worry about pointing out the Eye Hospital’s failings because I do have to go back there. Do I want to be treated by people who know that I have criticised them online? This is the power imbalance in a nutshell.

So what’s my point?

The GDPR is built on an improved model of Data Protection – organisations should be transparent, and wherever possible, subjects should be empowered. One of the most important elements in this relationship is the proper treatment of consent. Ironically, given the number of ill-informed articles claiming that GDPR requires consent for data processing, a significant effect of GDPR should be to reduce reliance of consent. Organisations, especially those like the NHS who purport to rely on it, should be much more honest with people. Sometimes you don’t have a choice at all and a thing is going to happen whether you like it or not (HELLO, ROYAL FREE HOSPITAL). Sometimes, there isn’t a real choice – ask me whether I want you to find out whether I have a brain tumour, and honestly, the answer’s no. Rationally, the answer’s probably, ‘OK then’, but it’s not much of a choice and in my case, the question wasn’t even posed.

The NHS is going to breach the GDPR as much in spirit as in practice if it continues in its dubious mantras of implied consent and ‘no decision about me without me’. The fact that a person doesn’t have to be physically forced into the scanner does not mean that they have consented, especially if they haven’t been told clearly and directly how that data will be used. In many situations throughout the NHS, medical professionals think they have consent, tell each other they have consent and they don’t. There are other options in the GDPR, of course, including a rock-solid legal condition for special categories data for the purposes of medical treatment and diagnosis. But many people in the NHS still think consent is their byword and it really isn’t.

For one thing, secondary uses for analysis and research either have to stop, or a much more open and transparent process has to be developed to contact people directly, either to be transparent or, if that’s the basis that being relied on, to seek consent. For all my many scans and blood tests since last December, I have to assume that none of them will ever be used for any purpose other than the direct diagnosis and treatment of my condition because I have never been given a hint that anything else will happen. But is that true?

For another, if the NHS is going to get to grips with GDPR philosophically, it has to be much more honest about the flawed nature of the consent it thinks it’s getting. For years, NHS staff have told me on training courses that a patient rolling up their sleeve is evidence of ‘implied consent’ to take blood (and by further implication, process the data that flows from the test). In fact, what they have at best is inferred consent; and with the power imbalance, possibly not even that.

We know for certain that the Information Commissioner will not tackle this issue because they are terrified of challenging such fundamental issues. Elizabeth Denham’s trumpeting of a slapped-wrist undertaking for the Royal Free Hospital’s misuse of 1.6 million people’s personal data was, at least for me, the final nail in the coffin of her credibility. As a friend of mine said, the chief role of each new Commissioner is make the last one seem better. I am not predicting fines or enforcement of any kind; it won’t happen. But the best thing about the GDPR is its recognition that we are human beings who deserve respect and autonomy. My experience of the NHS in Manchester is far from achieving that.

Actually Asked Questions II

Last year, I wrote a blog asking for questions from fundraising and charity professionals about Data Protection for a guide that I was writing. Despite something of a lull between asking and delivering the guide, those ‘Actually Asked Questions’ were one of the things I thought worked best. It was great to include real questions from real, lovely people.

I am doing it again. This time, the guide I am writing is shorter and more focussed than the charity one, although it is not for charities, but for any data controller. The subject is choosing a company to provide your Data Protection Officer (AKA DPO as a Service). Most organisations that need a DPO will recruit a staff member, and to be honest, that’s what I consider to be the wisest choice. Nevertheless, the GDPR plainly allows data controllers to hire DPOs under contract, and many so-called GDPR experts and companies are offering themselves as DPOs on Demand. I am writing a short practical guide, containing questions and tips for anyone who is thinking of hiring a company to provide DPO as a Service. What should you look for? What should you avoid? How do you spot the cowboys? What questions should you ask?

FULL DISCLOSURE: I am not going to be a DPO for hire, either by myself or via any organisation. I have turned down several organisations already (two in particular who know they are and that I adore). This is not a way to get you to hire me, although an organisation did have me on the interview panel for their DP officer role recently, and I WOULD SNATCH YOUR HAND OFF TO DO THAT AGAIN.

What I would like to know is this: are there any questions you have about DPOs as a service, or hiring a DPO generally? If possible, I will extend the text to be a general guide to getting a DPO internal or external, but at the moment, I have more material on the external side than the internal side.

Send me a question, send me an issue you’d like to see someone talk about, send me anything you’d like a smart-arse to think about when writing a guide like this. You will not be mentioned in the guide unless you want to be, and the guide will be free to anyone who wants it.

SEND ME YOUR QUESTIONS HERE: tim@2040training.co.uk

DEADLINE: September 30th 2017

If you approve of this endeavour and would like to promote it, please do.