OSC RIPA (Surveillance) Procedures and Guidance: A view from its former editor

For the first time, the Office of Surveillance Commissioners (OSC) has made its Procedures and Guidance (P&G) public (in electronic format).

The guidance is essential reading for public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The guidance also covers Part III of RIPA and RIP(S)A, and Part III of the Police Act 1997. It does not provide guidance on interception or on the obtaining of communications data requiring a RIPA/RIP(S)A warrant.

Why should you care?

For reasons which Steve Morris explains in his blog on the latest OSC report, you’re going to face some form of inspection whether or not you have or intend to conduct covert surveillance; so at least understand how that inspection will be approached.

Also, as the Chief Surveillance Commissioner emphasises, every public authority should have in place policies, procedures and training programmes to ensure that relevant legislation is complied with when a situation arises. The OSC P&G will help you understand when relevant situations arise and how they should be approached.

Failure to recognise when the protection of RIPA/RIP(S)A may be sought, or not knowing how to respond in a manner compliant with the legislation – in other words, claiming ignorance – is no longer an option!

Why does the document exist?

When I first joined the OSC there was a best practice document which I believe had been shared with law enforcement agencies. This, combined with inspection reports, did not appear to meet with unanimous approval.

The Police Service attempted to introduce its own ‘Key Principles’ document which was sufficiently inadequate to attract the comment that “this is why the police should not be left to interpret legislation!”

However, I hope that I am not criticised for saying that the Surveillance Commissioners were not entirely comfortable publishing generic principles; they were more accustomed to making judgments on the facts of specific cases.

It is no coincidence that the following disclaimer, changed little since the first edition, is given prominence: 

“The opinions expressed within the Interpretation Guidance section of this publication are those of the Surveillance Commissioners. The OSC is not a judicial authority. This Guidance simply indicates the way in which the Commissioners would be minded to construe particular statutory provisions. There is no statutory requirement to publish them but they are a response to frequent requests for guidance from public authorities or are matters raised or identified during the inspection process. In the absence of case law, they are the most reliable indicator of likely judicial interpretation. They are the basis upon which inspections will be conducted and performance assessed by the Office of Surveillance Commissioners. Applicants and Authorising Officers should take note of the interpretations when constructing and considering applications and authorisations for the use of covert powers.”

These are the Surveillance Commissioners’ views. It’s rare that a collective interpretation of law is construed by seven ex-Appeal Court judges and three ex-Circuit judges. During my time, issues were examined and discussed at length during meetings with Commissioners and inspectors. You can imagine that, as Editor, I have happy memories of ‘wordsmithing’ each entry to accommodate the wishes of eminent lawyers!

In effect it is the OSC’s ‘party line’ but the disclaimer should be read in conjunction with paragraph 12. It would be wrong to imply that every member of the OSC agrees with every word in the document, so it is necessary to remember that it is guidance which may easily be altered by facts specific to each case. This is why you’ll find phraseology such as “is capable of being construed as [a type of] surveillance” rather than the definitive “is [a type of] surveillance”. Each Surveillance Commissioner is able to exercise his own judgment when approving authorisations.

RIPA and RIP(S)A are permissive and discretionary powers; the onus is on an authorising officer to decide whether or not to grant an authorisation for covert conduct. Assistant Surveillance Commissioners and inspectors cannot dictate. The aim of the document is to provide a level of consistency in approach from the OSC.

Finally, it is not the task of the OSC to make law; its task is to interpret the law as it is written, not as the Commissioners or others may prefer it. So don’t accuse the OSC of promoting covert conduct which you don’t agree with!

Why was publication resisted?

Partly because of conflict with the Police Service in relation to the ‘Key Principles’ document, and in response to concerns that operational techniques would be exposed, it was decided that the P&G should not be made available to the public. My repeated requests to identify any operational technique in the document that hadn’t already been disclosed by enthusiastic senior investigating officers resulted in no applications. But it was decided that we relied on practitioner transparency which required trust that we would not inhibit legitimate techniques.

When serving in the OSC and today, I am sometimes disappointed with the understanding of some trainers and the quality of their training. Too often legislation, codes of practice and the P&G are regurgitated or misused for commercial gain without improving knowledge or practitioner performance. Sometimes challenging the P&G was used as enticement to attendance or purchase; we were concerned that alternative opinions undermined confidence in the OSC.

I can avow the time and effort that goes into the formulation of this guidance; there is good reason why phrases are used. To protect copyright, to avoid misinterpretation and to prevent others gaining financially from the immense effort of the OSC were, I confess, causes of reticence to provide the document to the public.

In hindsight I believe my advice to the Chief Surveillance Commissioner to prevent public disclosure was misguided. Copies leaked to trainers and OSC silence allowed the media and campaigners to inadequately interpret legislation and its use.

Discussions relating to the Investigatory Powers Bill indicate that the need for regulators to transparently demonstrate how they hold public authorities to account has been recognised. Making the P&G public is a positive step but I am surprised that it is free! It’s a publication worthy of a charge.

Comparison

For the remainder of this post I compare the July 2016 version with its predecessor of December 2014. There are many notes useful to practitioners. If you have not read it at least once, you should. Numbers in square brackets are the relevant note numbers.

Part 1 – Procedures

Part 1 Section 1 provides detail of how to contact the OSC and matters relating to inspection process and reporting. Part 1 Section 2 provides detail in relation to Commissioner approvals, which apply mainly to law enforcement agencies.

[7-8] Disclosure of inspection reports. This is not new but worth reiterating. There is no requirement – as stated in the Codes of Practice – to notify the OSC of an intention to publicly disclose an inspection report, nor does the OSC promote or discourage the practice. The decision whether or not to publish rests entirely with the chief officer of the public authority inspected.

Part 2 – Guidance

[75] “I am satisfied” and “I believe”. Again, not new but important. Too often authorising officers provide insufficient rationale to support their judgment, relying instead on the details provided by the applicant. This guidance cautions against lax authorisations. The heading points to an unexplained difference between RIPA and RIP(S)A, which use different wording for the authorising officer’s test. This is likely to be complicated further if the terms of the draft IP Bill are enacted: that Bill currently requires a designated officer to “consider”. I may write another article on the significance of these differences.

[87] Duration of authorisations and renewals. Clarification has been added to ensure that the date/time calculations of electronic systems do not have the effect of “losing a day” of authorised conduct. This amendment probably reflects the tendency of law enforcement agencies to use electronic systems to create and process applications and authorisations. Date stamps and automatically generated data which cannot be altered provide a useful audit trail, but there have evidently been instances where automatically generated dates were not accurate. The amendment indicates how an OSC inspector will regard such an inaccuracy; it is also a hint that authorising officers should check that the dates on their authorisations are correct.
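The duration arithmetic behind that note is easy to get wrong in software, so here is a worked example. It is my own added illustration, not code from the P&G, the OSC or any case-management product. It assumes the durations in section 43(3) of RIPA as I read them: 72 hours beginning with the time an urgent oral authorisation takes effect, twelve months beginning with the day a CHIS authorisation takes effect, and three months beginning with the day in any other case. Because a period “beginning with the day” counts the day of grant as day one, the last authorised moment is the end of the day before the corresponding date; where the later month has no corresponding date the code clamps to that month’s last day, which is my assumption and not something the P&G states. The function names, the `Kind` enumeration and the sample grant dates are all constructed for the example. `naive_expiry` reproduces the kind of calculation that loses a day: it finds the right final day but records the expiry at the start of it.

```python
import calendar
from datetime import date, datetime, time, timedelta
from enum import Enum


class Kind(Enum):
    """Authorisation types with different statutory durations (hypothetical names)."""
    DIRECTED = "directed surveillance (written)"
    CHIS = "CHIS (written)"
    URGENT = "urgent oral authorisation"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic.  When the target month is shorter the
    result is clamped to its last day (assumption: 30 Nov + 3 months is the
    last day of February)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def _final_day(granted: datetime, months: int) -> date:
    # "N months beginning with the day on which the grant takes effect":
    # the grant day is day one, so the period ends the day before the
    # corresponding date N months later.
    return add_months(granted.date(), months) - timedelta(days=1)


def expiry(granted: datetime, kind: Kind) -> datetime:
    """Last moment at which conduct is authorised (my reading of s.43(3))."""
    if kind is Kind.URGENT:
        # 72 hours beginning with the *time* of grant: a plain offset.
        return granted + timedelta(hours=72)
    months = 12 if kind is Kind.CHIS else 3
    return datetime.combine(_final_day(granted, months), time(23, 59, 59))


def naive_expiry(granted: datetime, kind: Kind) -> datetime:
    """The bug note [87] warns about: the final day is computed correctly
    but stored as a date without a time, which a system treats as midnight
    at the *start* of that day, so the whole last day of conduct is lost."""
    if kind is Kind.URGENT:
        return granted + timedelta(hours=72)
    months = 12 if kind is Kind.CHIS else 3
    return datetime.combine(_final_day(granted, months), time.min)


def is_authorised(at: datetime, granted: datetime, kind: Kind) -> bool:
    """True if conduct at `at` falls inside the authorised period."""
    return granted <= at <= expiry(granted, kind)


def audit_recorded_expiry(granted: datetime, recorded: datetime, kind: Kind) -> str:
    """Compare the expiry recorded on an authorisation with the statutory
    one and report which way it is out.  A short record loses authorised
    conduct; a long record invites unauthorised conduct."""
    expected = expiry(granted, kind)
    if recorded == expected:
        return "ok"
    if recorded < expected:
        return f"short by {expected - recorded}: authorised conduct lost"
    return (f"long by {recorded - expected}: conduct after "
            f"{expected:%d %b %Y %H:%M} would be unauthorised")


if __name__ == "__main__":
    # Constructed sample: a written directed surveillance authorisation
    # granted at 10:00 on 1 January 2016.
    granted = datetime(2016, 1, 1, 10, 0)
    print("statutory expiry :", expiry(granted, Kind.DIRECTED))
    print("naive expiry     :", naive_expiry(granted, Kind.DIRECTED))
    print("audit of naive   :", audit_recorded_expiry(granted, naive_expiry(granted, Kind.DIRECTED), Kind.DIRECTED))
```

Running the script for the sample grant shows the statutory expiry at 23:59:59 on 31 March 2016 and the naive record at 00:00 on the same day, so the audit reports the record as short by almost a day. The same audit function can be run over every live authorisation in a register to catch records that are out in either direction.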

[93-98] Persons, groups, associates and vehicles. These notes provide guidance to assist public authorities in amending authorisations when details are not known at the outset. The final sentence of Note [96] is amended:

Deleted: “The AO should set parameters to limit surveillance and use review to avoid “mission creep”.”

Inserted: “The AO should guide the operational commanders by setting contextual parameters for the use of the “link” approach.” (i.e. where a possible link between individuals and the common criminal purpose under investigation has previously been identified.)

There is a new note [97].

“The Authorising Officer should be updated when it is planned to deploy equipment or surveillance against a freshly identified subject before such deployment is made, to enable him to consider whether this is within the terms of his original authorisation, necessary, proportionate and that any collateral intrusion (or interference) has been taken into account; alternatively, where operational demands make it impracticable for the Authorising Officer to be updated immediately, as soon as reasonably practicable thereafter. This is to ensure that the decision to deploy further devices or surveillance remains with the Authorising Officer and is not delegated to, or assumed by, another, such as the operational commander. Such reviews should be pertinent and can be done outwith the usual formal monthly written review process, provided that the details of the Authorising Officer’s decisions are recorded contemporaneously and formally updated at the next due review. Where the terms of an authorisation do not extend to interference to other subjects (criminal associates) or their property then a fresh authorisation, using the urgency provisions if necessary, will need to be sought.” (My emphasis)

[222-229] Authorisation of undercover officers (UCOs). Note [226] is amended to enable additional UCOs to be authorised by way of review but indicates that every UCO must be authorised for the correct duration. This reflects the reality that it is frequently necessary to introduce additional UCOs to an investigation (for example to support a legend). Often the identity of additional UCOs will not be known at the outset. Rather than insist on the added bureaucracy of a new authorisation, the Commissioners have indicated that amendment by review (providing the terms of the original authorisation allow it) will not be criticised.

[289] Covert Surveillance of Social Network Sites (SNS). I advise that all members of local authorities read paragraph 289 in its entirety, as it is the conduct most likely to introduce RIPA/RIP(S)A compliance issues. It remains my view that too few public authorities recognise (either deliberately or in ignorance) that the ‘less intrusive’ means said to have produced fewer authorisations may in fact be the result of not authorising internet investigations at all, on the belief that ‘open source’ or publicly available material removes the need for RIPA/RIP(S)A consideration. This note provides the OSC’s guidance. Sub-note [289.3] is amended to read as follows (the amended wording appears in bold in the original post):

“It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.”

See also Ibrahim Hasan’s blog post on RIPA and social networks.


Conclusion

I hope that this background is useful. I hope that my reticence to persuade the former Chief Surveillance Commissioner to make the P&G available to the public is proven to be misguided. Publishing the document is a very positive move in my opinion and is a useful indicator that the Commissioners have come to terms with the need to be public-facing. I applaud the decision.

Disclaimer: Sam Lincoln is a former Chief Surveillance Inspector with the OSC. In that capacity he introduced the OSC Procedures and Guidance and edited it from 2006 to 2013. The opinions expressed in this post are his alone; he does not represent the OSC and OSC endorsement is neither sought nor implied.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection.


Like our image? It is available as an A3 poster for the office. We have a small range of them for only £5 for three! Take a look at the link below.

http://www.actnow.org.uk/posters


Data Protection Reform after Brexit. Does GDPR still matter?

According to the new Prime Minister “Brexit means Brexit.” But what does Brexit mean for UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The short answer is keep calm and carry on.

GDPR received formal adoption by the European Parliament in April 2016 and was published on 4th May in the Official Journal. This means that it will be directly applicable throughout EU member states (without the need for implementing legislation) from 25th May 2018. Following the referendum result, you might be forgiven for thinking that you can shred your copy of the Regulation or indeed cancel your place on our very popular GDPR workshop.

The UK may have voted to leave the EU but formal divorce proceedings cannot begin until it notifies the EU of its intention to invoke Article 50 of the Lisbon Treaty. This gives negotiators two years from the date of notification to conclude new arrangements. The newly appointed Secretary of State for Exiting the European Union, David Davis, has said Article 50 should be “triggered before or by the beginning of next year.” Therefore the UK could leave the EU by December 2018 at the earliest. Consequently there would be at least six months where UK Data Controllers would have to abide by all the provisions of GDPR. In reality exiting the EU could take much longer than two years and so we could be stuck with GDPR for much longer.

In the unlikely event that Brexit negotiations are concluded before May 2018, the DPA is still living on borrowed time. Immediately after the Brexit vote the Information Commissioner’s Office (ICO), released a statement saying:

“If the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’—in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

In a speech on 4th July 2016 the then Minister for Data Protection, Baroness Neville-Rolfe, touched on the future of data protection: (HT Panopticon Blog)

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward….”

The law firm, Bird and Bird, have set out the options available to the UK in terms of exiting the EU and its implications for data protection. Each of these options makes it likely that either the GDPR or a very close cousin will be required in the UK after Brexit takes effect.

Regardless of what data protection path the UK chooses, UK companies with European customers and operations have to continue with preparations. This is because GDPR will apply to any entity offering goods or services (whether or not payment is required) to individuals in the EU, and to any entity monitoring the behaviour of individuals in the EU. Companies will be directly responsible for GDPR compliance wherever they are based (not just through their EU offices) as long as they are processing the personal data of individuals in the EU.

Recently on the ICO’s Blog,  the message was reiterated that GDPR is still relevant and preparation must continue:

“We’ve been working hard on producing a set of guidance on GDPR, with an overview of the law being the first substantive part of that. We still think it will be useful to publish this overview. This is because once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example breach notification and data portability. Therefore, we thought it would still be useful to familiarise information rights professionals with the GDPR’s main principles and concepts.”

Data Controllers have two years to prepare for the biggest change to the EU data protection regime in 20 years. Many provisions, such as breach notification and the new DP Principles, will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, whichever is higher, a “wait and see” approach would be very risky.

How Act Now can help

The next two years need to be spent wisely. Training and awareness (see our poster) at all levels needs to start now. We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our Data Protection Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring to such positions.

And if you like our image, it, and some others, are available as A3 posters for the office for only £5 for three! Take a look at the link below.

http://www.actnow.org.uk/posters


OSC Annual Report On Surveillance (RIPA) Published

Steve Morris

On the 7th July 2016 the Office of Surveillance Commissioners (OSC) published the 2015-2016 Annual Report.

The report covers the period from 1st April 2015 to 31st March 2016 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)).

We have reviewed the report and below are summaries of comments and sections of particular relevance to public authorities other than law enforcement. (The section numbers from the report are quoted below so that reference to the complete text can be made.)

Reduced use by public authorities Section 2.3.

  • There is a substantially reduced number of authorisations by public authorities, most notably local district and borough councils, who do not deploy their statutory powers, or do so very rarely indeed, and do not intend or expect to do so in future.

However, while they remain vested with these powers, the appropriate structures and training must continue to be in place so that if they come to be exercised, the exercise will be lawful.

This reduction could be related to the substantial budgetary cuts faced by councils and the requirement for Magistrates’ Approval (and other reforms), which took effect on 1st November 2012.

Changed arrangements for inspection of local authorities Section 2.10.

  • The OSC is to introduce a new system of inspection for some local authorities where the statutory powers have not been used at all, or have been used very rarely, in the three years since the previous inspection. The process will start on paper, with a request for information. An Inspector or Assistant Surveillance Commissioner will visit the authority if there has been any significant increase in the use of the statutory powers, if the responses to the OSC paper give grounds for concern, or if the authority itself requests a personal visit by an Inspector. There will be no automatic visit.

Irregularities Section 4.18.

  • The total number of reports of irregularities (100) continues to represent a tiny proportion of the total number of authorisations granted during the course of a year. The overwhelming majority are the result of human error.

Section 4.19.

  • Irregularities caused by human error reinforce the need for those with responsibilities for ensuring compliance with the statutory provisions to receive regular, updated training, together with the need for continuing robust oversight by senior officers and managers of the processes. In the case of enforcement agencies, including the police, both these requirements are understood. In relation to some of the public authorities which, facing strains on their financial resources, either have ceased or virtually ceased to use the statutory powers, and do not envisage using them in the future, training arrangements can sometimes assume a lowly priority. The view of the OSC is that every single authority vested with the relevant statutory powers should have in place structures and training arrangements which will ensure that the exercise of any such powers, even if arising unexpectedly, will be lawful.

Use of covert powers by public authorities other than law enforcement agencies Section 5.10.

  • From the OSC point of view the principle is clear. The fact that a local authority has elected not to exercise the relevant statutory powers does not remove it from the inspection process. While it retains these powers, which may be exercised at any time, appropriate structures and officials with the requisite training are required.

The “virtual world” Section 2.8.

  • There is a shift towards criminal activity in, or by the use of, the “virtual world”. This increases the demands on those responsible for covert surveillance. They need an understanding of the technological advances and myriad types of communication and storage devices which are constantly being updated. They also need assistance about how the statutory powers available to them can or should be applied.

Social Networks and the “virtual world” Section 5.17.

  • Patterns of criminal planning are changing to embrace technological advances. Criminals and terrorists are less likely to meet in public, in parked up cars, with police officers using binoculars and longsighted cameras to follow their movements. Social media and private electronic communications provide greater anonymity for the criminals, and enable their activities to proceed on a global scale. This issue was addressed by my predecessor in his last two reports, and the Surveillance Commissioners have issued guidance on the need for appropriate authorisations to cover these developments.

Extract from OSC Procedures & Guidance document

Covert surveillance of Social Networking Sites (SNS)

288. The fact that digital investigation is routine or easy to conduct does not reduce the need for authorisation. Care must be taken to understand how the SNS being used works. Authorising Officers must not be tempted to assume that one service provider is the same as another or that the services provided by a single provider are the same.

288.1 Whilst it is the responsibility of an individual to set privacy settings to protect unsolicited access to private information, and even though data may be deemed published and no longer under the control of the author, it is unwise to regard it as ‘open source’, or publicly available; the author has a reasonable expectation of privacy if access controls are applied. In some cases data may be deemed private communication still in transmission (instant messages for example). Where privacy settings are available but not applied the data may be considered open source and an authorisation is not usually required. Repeat viewing of ‘open source’ sites may constitute directed surveillance on a case by case basis and this should be borne in mind.

288.2 Providing there is no warrant authorising interception in accordance with section 48(4) of the 2000 Act, if it is necessary and proportionate for a public authority to breach covertly access controls, the minimum requirement is an authorisation for directed surveillance. An authorisation for the use and conduct of a CHIS is necessary if a relationship is established or maintained by a member of a public authority or by a person acting on its behalf (i.e. the activity is more than mere reading of the site’s content).

288.3 It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.

288.4 A member of a public authority should not adopt the identity of a person known, or likely to be known, to the subject of interest or users of the site without authorisation, and without the consent of the person whose identity is used, and without considering the protection of that person. The consent must be explicit (i.e. the person from whom consent is sought must agree (preferably in writing) what is and is not to be done).

Section 5.18.

  • Inspectors and the Assistant Surveillance Commissioners pay particular attention to the way this developing method of criminal activity is kept under covert surveillance. The topic forms the basis for numerous requests for guidance. Perhaps the most significant feature is that investigating authorities cannot proceed on the basis that because social networking developed after much of the legislation came into force it is immunised from compliance with it. Requirements for appropriate authorisation may arise from the work done by those whose roles do not traditionally fall within RIPA or RIP(S)A. The necessary training and information must be addressed by the Senior Responsible Officer in each authority.

See our blog post on RIPA and social networks.

Common inspection findings Section 5.23.

  • The following are some of the more common areas of criticism revealed in the inspection reports. They must be seen in context. In relation to law enforcement agencies, the standard of applications to, and decisions of, Authorising Officers for directed surveillance, property interference and intrusive surveillance are generally sound. Much of this is due to increased focus on the statutory requirements, clear internal leadership and investment in training.
  • The greatest complexity arises in the context of CHIS… In the context of social media in particular, it is sometimes difficult to recognise when a CHIS relationship has been established.

See our blog post on common inspection findings.

Section 5.24.

  • Some intelligence cases are too brief, others too long; most are of appropriate length; similarly with reviews, when a pertinent summary of what has happened since the latest update is required with, so far as possible, a simple explanation why the covert activity remains necessary and proportionate;
  • Occasional formulaic considerations given to the potential for collateral intrusion; for the OSC it remains a crucial feature that any authorisation for covert surveillance should be confined to those against whom there are grounds for suspicion, not their families or friends;
  • Authorisations for surveillance tactics and equipment use which, when reviews and cancellations are examined, appear to have been too widely drawn at the outset;
  • The conduct parameters for a CHIS are sometimes unclear and occasionally in such cases, the full extent of risks to the CHIS are insufficiently addressed, or, where the records are required by statute, left incomplete;
  • At cancellation, occasionally more detail is required from the Authorising Officer about the activity conducted, the value of the surveillance, the resulting product, and its management, and whether there has been any tangible or beneficial outcome, together with greater attention to any collateral intrusion;
  • In relation to public authorities the need for training for those vested with surveillance responsibilities is sometimes overlooked, particularly when budgets have been seriously depleted; in the case of adjacent local authorities training costs could perhaps be shared.

This is a summary of the detailed annual report – clearly the OSC places a high value on training (mentioned 19 times!), and indicates difficulties that arise as a result of not providing the training for all personnel involved or likely to be involved in authorised activity.

One emerging trend not addressed in the report is the rise in covert surveillance undertaken without the protection of RIPA (commonly known as ‘non RIPA surveillance’). This arises when a local authority deems it necessary and proportionate to conduct covert surveillance to prevent or detect crime which does not meet the six-month imprisonment threshold, or when a public authority deems it necessary and proportionate to conduct covert surveillance as part of its legitimate pursuit of responsibilities in relation to public safety, public health, regulation and enforcement, relying on compliance with Article 8 of the Human Rights Convention alone. See our blog post here for more on this issue.

Act Now’s programme of RIPA Courses addresses all of the issues raised in the report, and those associated with non RIPA surveillance, research and the gathering of intelligence as well as evidence from social media. If your training budget is an issue, our online RIPA training is worth trying out. Module 1 is free.

The OSC Procedures & Guidance document (July 2016) has now been reissued and is, for the first time, available to download from the OSC website.

Act Now also has a RIPA policy and procedures manual which is very useful for those revising their RIPA documents. It contains useful guidance for staff on when RIPA applies and how to complete the authorisation forms.

Raise awareness of RIPA in your organisation with our RIPA poster.

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations.


Who’s afraid of the big bad cloud?


By Frank Rankin

For when you first begin to undertake it, all that you find is a darkness, a sort of cloud of unknowing; you cannot tell what it is…

The Cloude of Unknowynge, Anonymous, 14th Century

When it comes to IT, “Cloud” is still a scary word for many organisations. The language doesn’t help – “Cloud” suggests an arrangement that is (literally) nebulous rather than the mature industry expected to be worth almost 200 billion dollars per year by the end of the decade[i]. The apprehension is largely expressed in terms of concerns around the robustness of security (let’s call those Principle 7 concerns) and the suspicion that cloud providers will store data willy-nilly on servers in far-off, non-European lands (we’ll call those Principle 8 concerns). But often these concerns are raised without any real attempt to explore what the risks actually are, or to look at the solutions and controls offered by cloud providers and others.

To be clear of our terms, let’s borrow from the US government definition: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [ii]

In other words, computing capacity is purchased as a commodity with the supplier, in contrast to an organisation purchasing and managing its own servers or software. And that means a transfer of controls.

Models of cloud computing range from Software as a Service (SaaS) such as Office 365 and Google Docs, through Platform as a Service (PaaS) to Infrastructure as a Service (IaaS) where the purchaser buys virtualized capacity and runs its own software.

Depending on the flavour of Cloud service being used, the scale of that transfer of controls varies as the diagram below illustrates.

[Diagram: transfer of controls by cloud service model, from Cloud Security and Privacy by Mather and Kumaraswamy]

And it is that transfer that is a source of nervousness for organisations. But it needn’t be. The cloud providers have invested heavily in information security and see good security as a market differentiator. Vendors such as Microsoft and Amazon Web Services advertise their certification to ISO27001:2013 and other national and international standards, and provide (within reason) detailed descriptions of their security arrangements. It is up to us, as purchasers of cloud services, to make our own risk assessment with regard to our information assets, and to assess the adequacy of the cloud vendors’ offerings against it.

While using cloud does involve the transfer of controls, we should be honest enough to recognise whether this is likely to offer an improvement in the efficacy of those controls. To take one example, your own IT colleagues may be good and conscientious at applying software patches and updates, but it is unlikely that they can respond as timeously and consistently as the big cloud providers.

In making our assessments, we can be guided by resources such as the UK Government Cloud Security Principles against which suppliers listed on the G-Cloud are expected to self-assess.

Where the purchaser sees a need for further security controls in addition to the out-of-the-box cloud offerings, there is an extensive eco-system of third party vendors who specialise in add-on solutions for security, records management and other governance challenges around the cloud.

As long as the transfer of control is done transparently, and an organisation has clearly mapped out the locus for each required security control (on premise, core cloud offering or third-party solution) then you should be in a good position to assure yourself of the ongoing robustness of your information security on the cloud.

So much for Principle 7 of the Data Protection Act 1998.

The data protection concerns relate to the globalised nature of cloud provision. Perhaps in the early stages, the big cloud players in the USA didn’t always “get” European privacy concerns.

But the cloud providers have matured in their understanding of these issues.  That is why, for example, Microsoft offer European customers guarantees that their Office 365 or Azure solutions will be hosted within Europe (Dublin and Amsterdam at the moment with a U.K. data centre due to open shortly.) The larger vendors, such as Amazon, are happy to provide European customers with data processing agreements which incorporate the Model Clauses, and in some cases have received Article 29 Working Party approval of their contractual terms.

Think of the relationship between cloud customer and vendor as just like any of your existing relationships between data controller and data processor – only on a larger scope and scale.

And the shift in the EU General Data Protection Regulation (GDPR), under which data processors will be liable for processing actions they take which go against or beyond the instructions of the data controller, should only increase the level of assurance for European cloud purchasers. (I am not going into Brexit here, but our GDPR expert has explained here that the GDPR is still relevant post-Brexit. More on the security requirements of the GDPR here.)

A risk-based approach to assess the offerings of a cloud vendor should give assurance that the requirements of Principle 8 of the Data Protection Act 1998 are met.

Act Now is not in the business of promoting cloud providers – they do a good enough job of that themselves. But concerns around data protection and information security need not be a barrier to adopting cloud-based technology. Colleagues or stakeholders who argue that these issues are show-stoppers may have an incomplete understanding of the current state of play, or may have another agenda in mind.

So, in considering transferring information assets to the cloud, information governance practitioners should:

  • Carry out an information risk assessment, including a realistic understanding of threats, and identify the risks that arise from keeping the data on your own premises as well as those of moving it.
  • Make sure that information governance and security issues are “front-loaded” and made central to the procurement process: many of the key controls and protections for the organisation have to be written into the terms of the contract.
  • Understand the geographical location of the provider’s data centres and, where relevant, include contractual terms stating where your data must be held.
  • Survey the available third-party security and governance add-on tools for cloud, but be wary of the vendors’ claims and measure the value of their offerings against a realistic understanding of your specific risks.

Ultimately, whether to move to the cloud or not will be a decision for the wider business, but privacy and information security professionals can help to make that decision an informed one.

Frank Rankin is an information security, FOI and records management expert. Amongst other courses he is currently delivering our Practitioner Certificate in Freedom of Information (Scotland).


[i] http://www.bloomberg.com/news/articles/2014-04-24/cloud-spending-by-companies-outpaces-predictions-forrester-says

[ii] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Posted in Cloud, Data Protection, Security

Full Metal Jacket…

For many after the historic events in the UK, it may indeed feel necessary to don a metaphorical “full metal jacket” to survive what is an ongoing onslaught of the political landscape. Uncertainty grows and the decision to “Brexit” continues to have ramifications far beyond those that were considered by many, it seems.


Given these uncharted waters, we must look to our principles to steady ourselves. This is never more true than in the security community. Cyber threats continue to escalate, and the capacity for intelligent, end-to-end risk analysis has never been more relevant. The economic climate may be unstable, but the economics of crime remain certain. So it behoves all professionals with responsibilities for both information and technology to arm themselves with a greater understanding of what is required to actually embed secure thinking across their organisations.

That being said, less of the cyber and more of the information view is required. This is not easy, given the legacy, at so many levels, that many are working with. Cyber is the domain in which the greatest threats to our corporate information are being realised. However, risks are coming from all domains – people, process, technology, physical – and now we can add politicians to this list! Professionals know this. Without full knowledge of your information assets – without knowing what is important to your organisation and what could happen if that information fell into the wrong hands – you are running with a level of blindness that in itself creates risk and ensures that your reporting is not truthful. But – and it’s a big BUT – “Security” is everyone’s responsibility, and everyone needs a LOT more understanding!

There is a US cyber security strategy, an EU one, country-specific ones… So what? It’s not stopping the rot. Corporate businesses are still supporting bad design practices as a result of not allowing the time required to design both safely and securely. Everyone is outsourced to a point of stretch that is unsustainable. In spite of Brexit, we remain full steam ahead on the preparations for the General Data Protection Regulation (GDPR), and with these comes a requirement to adopt a “full disclosure” approach to incidents and breaches.

We will also be preparing for adoption of the Network and Information Security (NIS) Directive. It operates much more at a government level, but it includes a requirement to establish “security and notification requirements for operators of essential services, as well as digital service providers”, together with an explanation of who is covered by “essential services”.

Nonetheless, as per the “path to GDPR” picture, what is really required is good project management. In order to achieve the desired outcomes, which will include behaviour change (to deliver “privacy by design”), a lot of information and a lot of understanding are required across the whole organisation. Security is everyone’s responsibility – and everyone needs a LOT more understanding! Procurement need to understand the implications of the deals being undertaken; so do Legal – and Legal need to stop looking to the Security community to educate them on matters of information-based legislation. Shame on them! Keep up with the law yourselves!

HR need to be much more engaged in helping to discipline badly behaving employees, and in supporting the treatment of good security behaviour as an active element of annual appraisal processes.

IT need to be factoring safety and security into all change management and future development – not coming to Security right at the end. None of this is rocket science; it’s not new news. Security is a collective effort. And, much like all the rhetoric these past few months, stop believing the hype! The Security industry itself needs to look deep into its soul and reflect on the ethics of selling pipe dreams of layer upon layer of defence over the top of known insecure systems.

There are at least 85 different security tools from 45 different vendors. In an increasingly “internet of things” environment, this approach is going to crumble and will embarrass us all. It’s a fallacy to think that we can cure cancer by putting a plaster on it – likewise, the continued application of technology to a technology problem cannot be seen to make sense in the abstract!

In conclusion: ensure you know your information asset landscape; ensure you know the impact of the realisation of any threats to those information assets; and stop focussing on just all things “cyber”.

Act Now’s Information Risk & Security course runs in London and Manchester in October. See http://www.actnow.org.uk/courses/2015

About the Author

Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member has more than 17 years’ direct information security, assurance and governance experience. Andrea’s most recent role as Chief Information Security Officer for HP Enterprise Security was one of worldwide influence addressing Security Policy and Risk Governance seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services.

Posted in Data Protection, GDPR, Information Security

DP and #GDPR after #Brexit


For the last six months, Data Protection experts, novices and agnostics have talked of little else but the General Data Protection Regulation, the new version of Data Protection law that will hold sway consistently across the 28 members of the European Union from the 25th May 2018.

Well, about that. 28 now becomes 27, as the United Kingdom has decided, by a slim margin, to vote itself out of the European Union and sail off into the Atlantic. So what does this mean for the GDPR? Do we wave goodbye to the mandatory Data Protection Officer, the Right to Be Forgotten and the joys of impact assessments?

The short answer is no. The Information Commissioner has already announced that the only way forward for the UK’s creaking Data Protection legislation and its relationship with Europe is UK legislation as close to the GDPR as we can get. Every serious commentator in the Data Protection world (and all the others) is saying the same thing. The consensus is impressive but unsurprising – the redoubtable Max Schrems has proved how much creative mischief can be wrought if a country does not have a sound data protection relationship with the EU. Some of the comments coming out of the EU today make it clear how difficult it will be to achieve that relationship, so the one thing we cannot be certain of is when things will become certain.

Sooner or later, the GDPR or a close relation of it will replace the DPA in the UK. However, it is impossible to say when. Every business that offers services to EU citizens will be caught in limbo from the moment the Regulation goes live in the EU, struggling to balance the DPA in the UK and the GDPR abroad, or just succumbing to the GDPR on the basis that operating the higher GDPR standards will not cause them problems here.

In the meantime, what should organisations do? Our advice – keep your eyes peeled for the timetable for GDPR’s inception here, but look to your DP compliance now.

Consent

Whether you’re UK based or operating across the EU, the version of consent popular in the UK (implied, opt-out, buried in terms and conditions) isn’t consent. The ICO has taken enforcement action under both the DPA and the Privacy Regulations to this effect. Look everywhere that you rely on consent – you need freely given, specific and informed consent.

Fair processing

Linked to this is the issue of privacy policies and fair processing. It’s clear that the ICO does not think that long, legalistic fair processing notices are acceptable, so concentrate on communicating clearly with your customers, clients and service users.

Impact assessments

The difference between the ICO’s code on Privacy Impact Assessments and the Regulation’s requirements on impact assessments is very thin. Although the Regulation’s bold demands for Data Protection by Design (bold, but not especially well explained) will only bite when we implement it, the ICO has been advocating proactive impact assessments in advance of new projects for a long time. We strongly advise you to look at the ICO code now – it’s current good practice (and sometimes the ICO will enforce if you don’t). Moreover, it’s a dry run for the impact assessments and design principles that the GDPR will ultimately require.

Data Processors

Find every contractor and agent that your organisation does business with. Make sure there is a binding legal agreement between you and them. Like the other steps we are mentioning here, this is self-preservation for the present as much as for the future. If cloud computing is “your data on someone else’s computer”, then processors are “your data in the hands of someone who isn’t covered by the Data Protection Act”. Find them. Get contracts in place. Make sure they’re being followed.

Deletion

The GDPR Right to Be Forgotten is a different beast to anything that the European courts have created under the current regime, and it is underpinned by a need to delete data from systems that process personal data. It’s well worth looking at how you might delete data and finding out where deletion or overwriting of data is difficult. When the GDPR lands, deletion will be a massive headache, but if you can’t delete now, you can’t comply with the existing Data Protection principle on retention.

Security

Every organisation needs a viable, appropriate, effective and validated security framework. Data Protection compliance under the DPA and the GDPR isn’t about incidents; it’s about effective and verified methods to prevent them, whether technical or organisational. Security isn’t everything that Data Protection is about, but there is no question that the highest penalties will still apply to poor security frameworks. The extra detail in the GDPR about security – especially what good security requires – is essential guidance and well worth implementing.

BUT WHAT ABOUT….

Act Now is not predicting when the GDPR will come to the UK. Anyone who confidently predicts when it will arrive is fooling you, or themselves. The GDPR also contains a mandatory Data Protection Officer, mandatory breach notification and a whole lot else besides. It might be that the UK Government acts quickly to bring in legislation to introduce the whole package. However, while we might be confident that the GDPR is on its way, we’re not certain about when. Our advice is to work on the foundations now, and get ready to put the new GDPR structures on top when the timetable is a little clearer.

And that’s definitely not now!

Act Now continues to receive bookings for its GDPR workshops for which new dates and venues have been added. Our Data Protection Practitioner Certificate is ideal for those who want a formal qualification in this area. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

Posted in Data Protection, EU DP Regulation, GDPR, Personal Data

Nationwide breaches of DPA


To leave or to remain. What a difficult question and the citizens of the UK are wrestling daily with this issue under an intense barrage of claim and counter claim.

But sneaking under the radar are hundreds of breaches of Data Protection law, some involving thousands or millions of data subjects. Not noticed them? If you work for a large organisation like BT or JCB, your boss will have communicated to you that you should vote the way he thinks. He’s not the only one. Large companies are using the email addresses they hold for payroll purposes to communicate a political message to their staff. Principle 1 says

“Personal data shall be processed fairly and lawfully (and according to a condition from Schedule 2 and/or 3)”

They could look for a justification in Schedule 2, but they’d be better looking in Schedule 3, as political data is sensitive. So consent turns into the slightly more difficult informed consent; but which employee ever consents to his data being used to tell him which way to vote, and which employer ever thought he’d need to help his employees with voting? Old faithful Schedule 2 (6) allows

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

Which data subject would accept that political lobbying is warranted with his payroll data, and who would ever say that voting recommendations were a legitimate interest of your boss? So all the schedules are out of the window, and they can’t do it lawfully and/or fairly. Principle 1 breached.

Principle 2 says

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

Specified means stated in the fair processing notice and in the notification sent to the Commissioner. So if an organisation hasn’t told its employees that it will use their personal data to push a political end, it can’t do it. Principle 2 breached.

It may be that these companies are stretching the definition of personnel & payroll to include ‘what might happen to your pay if we left the EU’ but it’s quite a long stretch. It may end up with someone in authority making a judgement one day. But time is short and it’s unlikely anyone will be interested after the polling stations close.

And these employers’ attempts to influence people’s opinions or beliefs fall within the ICO definition of direct marketing.

[Image: ICO definition of direct marketing]

Quite a few of these fit neatly with the leave/remain issue. If employers are doing it by electronic means, then PECR applies. You could argue that a corporate email address isn’t personal data, but there are plenty who will argue that it is. (But PECR’s only concerned with subscribers, isn’t it?)

Further afield European businessmen are trying to help us make up our mind as well.

An email sent to a few million people recently (all the people who’ve ever flown with Ryanair) was brazenly labelled Brexit Special. Even with a public service announcement thrown in, it clearly used email addresses collected for the administration of air travel to influence voting intentions.

[Image: the Ryanair “Brexit Special” email]

So there’s a possibility that millions of data subjects are having their rights infringed, and breaches of the DPA are legion. Captains of industry could argue that it’s their personal view to leave/remain, not that of the corporate body that holds the payroll data, but that just opens up another can of worms, doesn’t it? We may get as far as a criminal offence of procuring or unauthorised obtaining if the boss uses the company data for a personal purpose.

At least it’s only a few breaches of the Data Protection Act. It could be worse – they could be lying to us.

It’ll all be forgotten on Friday morning. (Until the next referendum)

Act Now can help you prepare for the Regulation. Our one-day GDPR workshops are ideal for those wanting to get a head start in their preparations.

Posted in Data Protection, EU DP Regulation