Protecting privacy in the aftermath of the Facebook-Cambridge Analytica scandal

By Steven McGinty

On 4 June, Information Commissioner Elizabeth Denham told MEPs that she was ‘deeply concerned’ about the misuse of social media users’ data.

She was speaking at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) inquiry into the use of 87 million Facebook profiles by Cambridge Analytica and its consequences for data protection and the wider democratic process. The whole affair has shone a light on how Facebook collected, shared, and used data to target people with political and commercial advertising. And, in a warning to social media giants, she announced:

“Online platforms can no longer say that they are merely a platform for content; they must take responsibility for the provenance of the information that is provided to users.”

Although this is tough talk from the UK’s guardian of information rights – and many others, including politicians, have used similar language – the initial response from the Information Commissioner was hardly swift.

The Information Commissioner’s Office (ICO) struggled at the first hurdle, failing to secure a search warrant for Cambridge Analytica’s premises. Four days after Elizabeth Denham announced her intention to raid the premises, she was eventually granted a warrant following a five-hour hearing at the Royal Courts of Justice. This delay – and concerns over the resources available to the ICO – led commentators to question whether the regulator has sufficient powers to tackle tech giants such as Facebook.

Unsurprisingly, it was not long before the Information Commissioner went into “intense discussion” with the government to increase the powers at her disposal. At a conference in London, she explained:

“Of course, we need to respect the rights of companies, but we also need streamlined warrant processes with a lower threshold than we currently have in the law.”

Conservative MP Damian Collins, Chair of the Digital, Culture, Media and Sport select committee, expressed similar sentiments, calling via Twitter for new enforcement powers to be included in the Data Protection Bill.

Eventually, after a year of debate, the Data Protection Act 2018 was passed on 23 May. On the ICO blog, Elizabeth Denham welcomed the new law, highlighting that:

“The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”

By introducing this Act, the UK Government is attempting to address a number of issues. However, the Information Commissioner will be particularly pleased that she’s received greater enforcement powers, including the creation of two new criminal offences: the ‘alteration etc of personal data to prevent disclosure’ and the ‘re-identification of de-identified personal data’.

GDPR

On 25 May, the long-awaited General Data Protection Regulation (GDPR) came into force. The Data Protection Act incorporates many of the provisions of GDPR, such as the ability to levy heavy fines on organisations (up to €20,000,000 or 4% of global turnover). The Act also derogates from EU law in areas such as national security and the processing of immigration-related data. The ICO recommends that GDPR and the Data Protection Act 2018 are read side by side.

However, not everyone is happy with GDPR and the new Data Protection Act. Tomaso Falchetta, head of advocacy and policy at Privacy International, has highlighted that although they welcome the additional powers given to the Information Commissioner, there are concerns over the:

“wide exemptions that undermine the rights of individuals, particularly with a wide exemption for immigration purposes and on the ever-vague and all-encompassing national security grounds”.

In addition, Dominic Hallas, executive director of The Coalition for a Digital Economy (Coadec), has warned that we must avoid a hasty regulatory response to the Facebook-Cambridge Analytica scandal. He argues that although it’s tempting to hold social media companies liable for the content of users, there are risks in taking this action:

“Pushing legal responsibility onto firms might look politically appealing, but the law will apply across the board. Facebook and other tech giants have the resources to accept the financial risks of outsized liability – startups don’t. The end result would entrench the positions of those same companies that politicians are aiming for and instead crush competitors with fewer resources.”

Final thoughts

The Facebook-Cambridge Analytica scandal has brought privacy to the forefront of the public’s attention. And although the social media platform has experienced a minor decline in user engagement and the withdrawal of high profile individuals (such as inventor Elon Musk), its global presence and the convenience it offers to users suggest it’s going to be around for some time to come.

Therefore, the ICO and other regulators must work with politicians, tech companies, and citizens to have an honest debate on the limits of privacy in a world of social media. The GDPR and the Data Protection Act provide a good start in laying down the ground rules. However, in the ever-changing world of technology, it will be important that this discussion continues to find solutions to future challenges. Only then will we avoid walking into another global privacy scandal.


The Knowledge Exchange provides information services to local authorities, public agencies, research consultancies and commercial organisations across the UK.

If more than one in three homeowners are interested in downsizing, why aren’t they making the move?

 

According to Savills estate agents, about 90,000 people over the age of 65 in the UK downsize to smaller homes each year. On the face of it, that’s a substantial number, but it still leaves more than three million houses under-occupied.

With an ageing population and a serious housing shortage, government at local and national levels is looking for ways to encourage older people to downsize their accommodation so that more family-sized housing is made available.

Benefits of downsizing

Everyone needs good housing, but as people grow older their homes become especially important as places where they can feel safe, independent and comfortable. Downsizing from larger properties can offer significant benefits to older people:

  • Smaller homes can be easier to heat and have lower utility bills.
  • People downsizing to sheltered housing can retain their independence, while having access to support when it’s needed.
  • Smaller homes are easier to manage and cheaper to maintain.
  • People moving into specialised retirement accommodation can experience improvements in their health and wellbeing.

Enabling people to remain in their own homes may also alleviate the pressures on the country’s social care system – pressures that are likely to intensify as the population age rises.

Downsizing barriers

While there are attractions to downsizing, important factors are putting off large numbers of people from moving to a smaller home. Some may feel too confined in a smaller space, experience problems storing their possessions, or miss having a large garden. Others may feel that they’ve taken a long time to climb the property ladder, and want to enjoy the home they have spent a lifetime working to achieve.

But for those who do want to move, downsizing can be expensive. It may release equity, but some households find that the costs of moving – notably stamp duty – may cancel out the financial benefits. And although lower maintenance costs can be a major reason for downsizing, older people moving into apartments may find that costs for maintenance and factoring are higher than in a standard family home.

Downsizing: the real story

A 2016 report by the International Longevity Centre (ILC) explored the experiences and expectations of people downsizing from under-occupied housing later in life. The report found that one in three homeowners over 55 are considering or expect to consider downsizing. However, while demand for downsizing is substantial, the reality is a different story:

“In many ways, the older generation is stuck in its current housing, which has resulted in the UK having one of the lowest moving rates amongst its older population compared to other developed countries.”

The study echoed the findings from a 2014 Age UK report which showed that the scarcity of suitable and affordable retirement housing was a barrier to downsizing:

“At the moment, retirement housing makes up just 5-6% of all older people’s housing. Research indicates that many more older people might consider downsizing if alternatives were available, although not just retirement housing schemes.”

The Age UK report noted that, based on demographic trends, specialist retirement housing would need to increase by between 35 and 75% just to keep pace with demand. The report also pointed to poor access standards and cramped accommodation in some sheltered housing schemes as downsizing deterrents.

Alternative approaches

The Scottish Government’s strategy for housing for older people, published in 2011, supports downsizing, and highlights Highland Council’s scheme as an example of good practice. In association with local housing associations, the council has provided financial and practical incentives to support older people wishing to move because their homes are too large for their needs.

Another approach, popular in Scandinavia and the Netherlands, is co-housing, which offers older residents a balance between independence and community life. Co-housing schemes are run totally by the residents, offering support when needed to those who live there, while respecting their dignity and independence.

In the Netherlands, there are now more than 200 co-housing communities. Successive governments there have supported co-housing because it has had such positive impacts on demand for health and social care services.

In April, the UK’s first co-housing project for older women opened in Barnet, north London. One of the scheme’s proponents, Maria Brenton, believes that it will be a model for similar projects:

“One of our purposes is to promote the idea of senior co-housing. Now we have shown the way, we are a living, breathing example, it will encourage people enormously.”

Final thoughts

As the ILC report notes, the policy debate on housing in the UK has focused almost completely on first-time buyers. However, with more than three million homeowners aged 55 or over open to the idea of downsizing, the impact of freeing up large numbers of family homes could be significant. Before that happens, the under-supply of affordable homes meeting the particular needs of older residents needs to be addressed:

“Fundamentally, the notion of downsizing in later life should be about choice rather than obligation. It therefore becomes clear that if we were to develop the right policy environment, we can enhance the choices available to people in later life, encouraging downsizing and creating a more dynamic housing market.”




General Data Protection Regulation (GDPR): what the public sector needs to consider


By Steven McGinty

In March, the Information Commissioner’s Office (ICO) published the results of a survey into local government information governance as part of their preparations for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

Although the ICO notes that many local authorities have good data protection policies, there are still councils where work needs to be done. The survey findings include:

  • A third of councils do not undertake Privacy Impact Assessments (PIAs)
  • 26% of councils do not have a data protection officer
  • 50% do not require data protection training before accessing systems

Under the new GDPR, the above findings could constitute a breach, and result in the ICO taking action against the offending council. Recently, the ICO fined Norfolk County Council £60,000 (under the Data Protection Act) for failing to dispose of social work case files appropriately.

What impact will Brexit have on the GDPR?

The UK Government has finally triggered Article 50 of the Lisbon Treaty, starting the process for leaving the European Union (EU). However, this does not mean that the UK will escape the European Commission’s GDPR. Digital minister Matt Hancock has confirmed that it is in the UK’s best interests to ensure the ‘uninterrupted and unhindered flow of data’, stating that the GDPR would be fully implemented into UK law, even after we leave the EU.

Is the public sector exempt from the GDPR?

There have been reports that some public sector bodies believe that they are exempt from the GDPR. This assumption is based on the regulation’s special conditions and derogations, which allow member states to restrict the GDPR’s scope to safeguard the public interest (some countries, such as Denmark, already have exemptions for public sector bodies). Additionally, fining a public sector body has also been viewed as making little sense – taking from one public sector budget and placing it in another.

However, both of these assumptions are flawed. As the GDPR has been designed to enhance the rights of EU citizens, it would be against the spirit of the regulation to introduce blanket exemptions for the public sector. And it is certainly not unheard of for regulators to fine public bodies, such as the recent Norfolk County Council case, or the Hampshire County Council case in August 2016, where the council was fined £100,000 by the ICO for leaving social care case files in a disused building.

How does the GDPR differ from the Data Protection Act?

The GDPR has been described ‘as the most important change in data privacy regulation in 20 years’, providing greater rights to citizens and harmonising data privacy laws across Europe. However, to achieve this, new requirements have been placed on organisations. These include:

  • Personal data – Article 4(1) of the GDPR includes a broader definition of ‘personal data’ than previous legislation. It states that any information relating to an individual which can be directly or indirectly used to identify them is personal data. Specifically, it refers to ‘online identifiers’, which suggests that IP addresses and cookies may be considered personal data if they can be easily linked back to the person.
  • Privacy by design – The concept of ‘privacy by design’ is not new, but Article 23 of the GDPR makes this a legal requirement. In essence, it means that public sector bodies will have to consider data protection at the initial design stage of product development. This could involve adopting technical measures such as pseudonymisation – the technique of processing personal data in such a way that it can no longer identify a particular person.
  • Data Protection Impact Assessments (DPIAs) – As the ICO’s research highlights, a third of councils do not undertake any form of privacy impact assessment. From May 2018, public sector organisations will have to carry out DPIAs for certain activities, such as introducing new technologies, and when processing presents a high risk to the rights and freedoms of individuals. In the latter case, organisations will need to consult the ICO to confirm they comply with the GDPR.
  • Appointment of a Data Protection Officer (DPO) – Article 35 of the GDPR states that public bodies must have a designated Data Protection Officer. This can be an existing employee, as long as there is no conflict of interest, or a single DPO can represent a group of public sector bodies. As the ICO research suggests (26% of councils do not have a DPO), this is one of the main areas where councils need to improve.
  • Data portability – Public sector organisations must ensure that personal data is stored in a ‘structured, commonly used and machine readable form’, so that individuals can transfer data easily to other organisations. For instance, suitable formats would include CSV files.
  • Strengthening subject access rights – Individuals can now request access to their data at no cost, and requests must be responded to within 30 days (this is a change from the Data Protection Act, which requires a £10 fee and allows 40 days to respond). For complex cases, this can be extended by two months. However, individuals must be notified within one month and be provided with an explanation. These requests could prove time consuming and costly for public sector bodies and, as such, support the case for introducing digital services that allow individuals access to their data.
  • Right to be forgotten – The right to erasure (its official name) allows individuals to ask an organisation to delete all the information held on them – although this would not apply if there was a valid reason to hold that data. This principle was established in the high profile case involving technology giant Google.
  • Failing to comply and breaching the GDPR – When there is a breach, public sector bodies will have an obligation to inform their national regulator (the ICO in England) “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” These requirements could present challenges for public sector bodies, who are often engaged in providing vital public services with limited resources. However, policies will have to be introduced to ensure breaches can be reported promptly, particularly as the new penalties for data breaches are significant, with public sector bodies liable for fines of up to €10,000,000. In addition, individuals also have the right of redress and may seek compensation if they feel their rights have been breached.

What should public sector bodies be focusing on?

Although May 2018 may seem a long time away, the ICO research suggests some local councils (and the wider public sector) need to make several changes to ensure compliance with the GDPR.

Most importantly, organisations need to start reviewing the new regulation and considering how it applies to them. Evidence of a clear strategy – including the appointment of a Data Protection Officer, the use of privacy impact assessments, and staff training – will go a long way towards demonstrating an organisation’s intent to comply with the GDPR.



How can the government unlock the potential of big data?

By Steven McGinty

Last May, the Open Rights Group announced that they were in discussions with the UK Government over their proposals to remove the barriers to data sharing and link up government databases. This would mean that thousands of government databases, containing information such as criminal records and even energy use, could be accessed by local councils, schools, the civil service and the police. It’s hoped that the sharing of data will allow the government to capitalise on big data techniques and provide better and more tailored public services.

However, several issues have been identified that may make widespread government data sharing challenging. These include:

  • a lack of prioritisation by local council and government leaders;
  • concerns over protecting the privacy of citizens;
  • a mistrust of government data handling;
  • the use of different systems and different standards by government bodies.

The Information Commissioner’s Office (ICO) reports that from April 2013 to March 2014 there were just over 1500 breaches of the Data Protection Act. Local authorities accounted for 234 of these breaches, coming second only to health organisations, who committed 551 breaches. In the last quarter of the year, the most common offences were disclosing personal information in error (175 incidents) and lost or stolen paperwork (74 incidents).

The ICO has also handed out several high profile fines to organisations in the public sector. For example, North East Lincolnshire Council was fined £80,000 for losing an unencrypted USB stick which held the personal and sensitive data of children. Similarly, Aberdeen City Council was fined £100,000 after a member of its staff accidentally uploaded documents onto the internet, including personal information about social care cases.

The Improvement and Development Agency (I&DeA) released a report in 2010 on the role of data sharing in tackling worklessness. The report findings, still relevant today, highlighted the importance of developing data sharing systems that:

  • build in the need for data sharing into the design;
  • adopt clear and consistent definitions;
  • respect the privacy of individuals;
  • ensure data integrity.

Further, the report explained how anonymised personal data can be used to share data legally. For example, anonymised data (data which has had its identifiable information removed) has been used increasingly to provide local analysis across a number of areas, including health, crime and employment. Some examples include Eastleigh Ambition, which uses data to target and support vulnerable families, and Newham Council, which uses a range of data, including Disability Living Allowance information, to improve its understanding of changing populations and needs.

Working in partnership and using technological innovations has also provided solutions for data sharing issues. For instance, the Tyne and Wear City Strategy Partnership was established to purchase a shared customer tracking system to facilitate data sharing. The system has been rolled out in a variety of ways across the North East of England, with partners helping to make the system more user friendly. The system has been designed to ensure that consent is built in whenever data is shared. Users also have different levels of access depending on their organisation and on what they ‘need to know’, to ensure compliance with the Data Protection Act.

Although there have been some high profile cases of government data mishandling, it’s clear that data sharing will continue to increase, particularly as all levels of government look for more targeted services. Government and society will have to come to an agreement on how this should be done.


 
