Permission Impossible? Consent and the new EU Data Protection Regulation

By Scott Sammons

I recently took part in an ‘Information Awareness’ week for a local council. This was an event for council staff involving various training sessions revolving around a certain theme. Last year the sessions were on the theme of game shows and this year the theme was films.

I was lucky enough to draw the session title ‘Per-mission Impossible’ which would be looking at the subject of consent and permissions in their various forms. I make a point of not naming organisations I work with but credit for the title of this blog must go to them.

We had some really interesting discussions around what people believe are the current pitfalls and benefits with consent and what people think of the new world of consent as proposed by the European Union (EU) in their Data Protection Regulation.

We started with the current world and looked at the guidance from the Information Commissioner’s Office (ICO). Their Guide to Data Protection states;

“Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as: …any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

This is primarily aimed at Data Controllers who are looking to use consent as a justification for the processing of personal data especially, and more explicitly, where that data is sensitive in nature.

Bearing this in mind there is then a conversation to be had around what that actually means in the real world. You know, that world where you have a Data Subject on the phone or sat in front of you more interested in resolving their query or issue than understanding what is happening with their personal data. Personally I’ve always seen the matter of consents and permissions as a customer service issue. Yes, there are things that we must do as part of compliance and demonstrate as part of our compliance. However the method and delivery should very much be aligned with the customer service standards and processes of the organisation. As the phrase goes “tax doesn’t have to be taxing.” Well “permissions don’t have to be a mission”. (I know, it was the best I could come up with on short notice!).

If you treat the gaining and subsequent management of permissions as a “compliance task” then that mind-set will be to always see it as a nightmare and a hurdle to overcome. However if you approach it as you would any other aspect of customer service and apply good customer service principles, you will get much closer to a compliant permissions model. It also puts you in something of a good position for the future.

Another aspect of the discussion around permissions and consent management involves the question of how to effectively manage a consent or permission regardless of the channel in which it is being obtained.

Regardless of the channel in which you communicate with the Data Subject, the only effective method for tracking consents/permissions is an electronic database that either forms part of or interacts with your main customer database. But with that comes a series of concerns around ensuring that this system is kept relevant and up to date. For example, in a large organisation where a customer speaks to some random part of the organisation and expresses a preference how do you ensure that the preference is captured and updated accordingly throughout the organisation?

These are important discussions to be had now because, as I run through below, the requirement to effectively and clearly demonstrate that you are doing the above becomes more important when the proposed EU Data Protection Regulation comes into force.

Permissions of the Future: All roads lead to explicit…?

So in my last blog post I gave an update on the General Data Protection Regulation and said that I’d start to focus on individual parts. Well this is the first one (and apologies that it’s taken me a while).

In the Commission’s proposal for a new General Data Protection Regulation, it proposed that whenever a business relies on consent as a valid ground for processing personal data, that consent should be ‘explicitly’ given. This changes the current position where consent only needs to be ‘explicit’ where a business wants to rely on it as a basis for processing sensitive personal data. Put simply, for processing for marketing purposes for example (which is almost always on the basis of consent) everyone will be required to “opt in” rather than opt out under the current regime (for phone and post at least). [References: European Commission Regulation Text CH I ART 4: General Provisions – definitions (8), CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (1-4)]

When the draft text made it through the European Parliament, the Parliament gave its backing to the new definition of ‘consent’ suggested by the Commission. It too believed that consent needs to be “freely given specific, informed and explicit” and provided “either by a statement or by a clear affirmative action”. And, in contrast to today’s requirements, the burden of demonstrating that the legal standard of ‘consent’ has been achieved would lie with organisations. [References: European Parliament Regulation Text CH I ART 4: General Provisions – definitions (8), CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (2)]

In contrast, the Council said there was broad support for rules which would require organisations seeking to rely on consent to process personal data to ensure that the consent is “unambiguous”. This seems to back the broad legal standard for consent that exists under current EU data protection laws and not a radical change to explicit consent regardless of context. [References: European Council Regulation Text Comparison (so far) CH I ART 4: General Provisions – definitions, CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (1)]

This post does not explore the requirements around children’s data. However the principle of “informed and explicit” consent is replicated there. This will be the subject of a different post so watch this space.

Which of these texts is likely to survive, I hear you ask? Well like most things in the world of politics that is unclear. However, if you look at it from a numbers point of view then 2 of the 3 approving bodies favour explicit consent and a requirement to demonstrate when and where that consent was collected. If I was a betting man I’d say that some shift towards explicit consent is going to happen, but how far is anybody’s guess.

More importantly organisations should be looking at how they currently manage and capture consents. If this is something that they don’t do (for whatever reason) then it’s time to start looking at how this can be factored into processes and staff trained so it gets woven into customer service standards.

Scott Sammons an Information Risk and Security Officer in the medico-legal sector and blogs under the name @privacyminion. He is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Want to know more about the EU Data Protection Regulation? Attend our full day workshop: http://www.actnow.org.uk/courses/1540

Facebook, Social Networks and the Need for RIPA Authorisations

By Ibrahim Hasan

Increasingly local authorities are turning to the online world, especially social media, when conducting investigations. There is some confusion as to whether the viewing of suspects’ Facebook accounts and other social networks requires an authorisation under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). In his latest annual report the Chief Surveillance Commissioner states (paragraph 5.42):

“Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

Careful analysis of the legislation suggests that whilst such activity may be surveillance, within the meaning of RIPA (see S.48(2)), not all of it will require a RIPA authorisation. Of course RIPA geeks will know that RIPA is permissive legislation anyway and so the failure to obtain authorisation does not render surveillance automatically unlawful (see Section 80).

There are two types of surveillance, which may be involved when examining a suspect’s Facebook or other social network pages; namely Directed Surveillance and the deployment of a Covert Human Intelligence Source (CHIS). Section 26 of the Act states that surveillance has to be covert for it to be directed:

“surveillance is covert if, and only if, it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place” (my emphasis)

If an investigator decides to browse a suspect’s public blog, website or “open” Facebook page (i.e. where access is not restricted to “friends”, subscribers or followers) how can that be said to be covert? It does not matter how often the site is accessed as long as the investigator is not taking steps to hide his/her activity from the suspect. The fact that the suspect is not told does about the “surveillance” does not make it covert. Note the words in the definition of covert; “unaware that it is or may be taking place.” If a suspect chooses to publish information online they can expect the whole world to read it including law enforcement and council investigators. If he/she wants or expects privacy it is open to them to use the available privacy settings on their blog or social network.

The Commissioner stated in last year’s annual report:

“5.31 In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.” (my emphasis)

I agree with the last part of this statement. The gathering and use of online personal information by public authorities will still engage Human Rights particularly the right to privacy under Article 8 of the European Convention on Human Rights. To ensure such rights are respected the Data Protection Act 1998 must be complied with. A case in point is the monitoring last year of Sara Ryan’s blog by Southern Health NHS Trust. Our data protection expert Tim Turner wrote recently about the data protection implications of this kind of monitoring.

Where online surveillance involves employees then the Information Commissioner’s Office’s (ICO) Employment Practices Code (part 3) will apply. This requires an impact assessment to be done before the surveillance is undertaken to consider, amongst other things, necessity, proportionality and collateral intrusion. Whilst the code is not law, it will be taken into account by the ICO and the courts when deciding whether the DPA has been complied with. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

Facebook Friends – A Friend Indeed

Of course the situation will be different if an investigator needs to become a “friend’ of a person on Facebook in order to communicate with them and get access to their profile and activity pages. For example, local authority trading standards officers often use fake profiles when investigating the sale of counterfeit goods on social networks. In order to see what is on sale they have to have permission from the suspect. This, in my view, does engage RIPA as it involves the deployment of a CHIS defined in section 26(8):

“For the purposes of this Part a person is a covert human intelligence source if—

(a) he establishes or maintains a personal or other relationship with a person for the covert purpose of facilitating the doing of anything falling within paragraph (b) or (c);

(b) he covertly uses such a relationship to obtain information or to provide access to any information to another person; or

(c) he covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship”  (my emphasis)

Here we have a situation where a relationship (albeit not personal) is formed using a fake online profile to covertly obtain information for a covert purpose. In the case of a local authority, this CHIS will not only have to be internally authorised but also, since 1^st November 2012, approved by a Magistrate.

This is a complex area and staff who do not work with RIPA on a daily basis can be forgiven for failing to see the RIPA implications of their investigations. From the Chief Surveillance Commissioner’s comments (below) in his annual report, it seems advisable for all public authorities to have in place a corporate policy and training programme on the use of social media in investigations:

“5.44 Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities. It can also be delivered in house.

In conclusion, my view is that RIPA does not apply to the mere viewing of “open” websites and social network profiles. However in all cases the privacy implications have to be considered carefully and compliance with the Data Protection Act is essential.

Ibrahim will be looking at this issue in depth in our forthcoming webinars.

Looking to update/refresh your colleagues’ RIPA Knowledge. Try our RIPA E Learning Course. Module 1 is free.

We also have a full program of RIPA Courses and our RIPA Policy and Procedures Toolkit contains standard policies as well as forms (with detailed notes to assist completion).

New RIPA E-Learning Course

Regular refresher training for those conducting covert surveillance under Part 2 of the Regulation of Investigatory Powers Act (RIPA) is a common recommendation by the Office of Surveillance Commissioners (OSC) following inspections. Up to now, public authorities have had a choice of sending their staff on external courses or engaging our RIPA experts to deliver customised in house training at their premises. Both these options have cost implications. Some authorities can only afford to train a handful of staff thereby running the risk of non compliance by others who may not know what RIPA is and when it is engaged.

Enter the new Act Now RIPA E Learning Course. From the comfort of their own desk public authority staff can now receive relevant and up to date training on covert surveillance regulated by Part 2 of RIPA (Directed Surveillance, CHIS and Intrusive Surveillance) including the authorisation process. From as little as £49 plus vat, five interactive modules can be accessed which have a stimulating and creative approach that engages and challenges the learner. Real-life scenarios, knowledge checks, case studies and examples are included to add relevance and increase comprehension and retention. A short final course assessment leads to a certificate.

This course is not just for new staff or those with little knowledge of RIPA. It will also help experience staff to refresh and update their knowledge as it takes into account the latest RIPA codes and new authorisation procedures. Those who are really confident can do the final course assessment first, to test and identify any gaps in their knowledge. These can then be filled by doing each module. The unscored quizzes and interactions within each module and the final scored assessment are designed to challenge even RIPA geeks!

Sam Lincoln, a former OSC chief inspector, has designed the course assisted by Ibrahim Hasan. Sam says:

“I was delighted to be commissioned by Ibrahim and his team at Act Now to produce this eLearning course. When I was Chief Inspector at the OSC I was aware that many local authorities, constrained by budget reductions, were attempting to provide their own training in-house. Despite valiant efforts the result was often regurgitation of the codes of practice and ‘death by PowerPoint’ lectures. I wanted to produce something that was more interesting and included interaction, feedback and assessment.”

Upon reviewing the course our RIPA expert and trainer, Steve Morris, said:

“I have had an opportunity to review the finished product and have to say it is a great mix of knowledge, animation and assessment, using many different learning delivery methods to keep the learner engaged. Sam provides clear well-paced narration and his choice of words make the modules easy to follow and understand. I would say the modules are ideal for anyone involved with the management and application of RIPA, whatever their position.”

The Act Now RIPA E Learning Course is suitable for staff in all public authorities but particularly those in local authorities working in trading standards, environmental health, planning, licensing and enforcement.

Want to know more? Watch module 1 for FREE and join our live demonstration webinar.