The Department for Business, Energy & Industrial Strategy recently published a privacy notice covering their intention to gather data related to gas and electricity consumption. Data gathered includes the meter number and postcode of the house, plus the level of consumption.
This is, by any standard, a vast data grab, covering millions of households. Although the purpose of the scheme is the Energy Price guarantee, there are huge risks here. Energy consumption can tell you an enormous amount about how a household behaves.
I made an #FOI request to DBEIS to dig into the background. In particular, I wanted to see the #DPIA that DBEIS must have carried out to get as far as publishing a privacy notice about the scheme and whether they’d discussed the project with @ICOnews.
There is no DPIA and though DBEIS claim to have discussed the project with the ICO, the fact that they have no recorded information makes me suspect that this is not true. If you’re interested in the full response, rather than pick it apart here, I’ve linked to it below.
The crucial point I wanted to make was about the role of the DPIA – the DPIA is not a late-stage process. It’s not part of the sign-off. For legal but more importantly practical reasons, it should happen as early as possible in the lifecycle of a project.
If you identify a risk / possible improvement, you want to do that before money and resources have been committed. DBEIS say: “The scope of the data required for the Energy Price Guarantee scheme and how regularly it is collected is still being defined.”
The privacy notice hedges its bets about whether names, dates of birth and email addresses will be needed. It’s definitely the wrong time to publish a privacy notice (because they don’t know exactly what they’re doing) and the right time to do a DPIA (for the same reason).
Whether or not DPIAs survive the government's DP reforms as an obligation is an open question; the merit of an enforced impact assessment has always been lost on me because if you’re only doing one because you have to, it probably won’t be very good.
But if you’re proposing to monitor every household in the country and you’re not keen to think about risks and alternatives early and often, the chances of you screwing it up just increased significantly.
Instead of a post today, I have a request for your assistance and a plug. The request for assistance is for the best, most authoritative definition of personally identifiable information (PII) - what is it, and where does it come from.
I've seen a few examples over the years but none of the ones I can currently find seem like *the* definition. Maybe there isn't one, it's just an industry term with no real basis, but I don't want to make that assertion.
Don't tell me what you think the definition is; I can do that myself. Give me a source or tell me where I might find it.
The point of me asking will become clear in an upcoming post / series of posts.
If this decision (first spotted by @DataCorrection) gets any traction, the myth will become that the First Tier Tribunal said that a dog’s name was personal data. To be fair, I don’t think they did that, but it’s their fault if people come to that conclusion.
The dog in question bit a woman on the leg when police were breaking up an illegal rave in Bristol, causing what sound like very severe injuries. The description in the original ICO decision is grisly. This post is a lot less jokey than it would have been had I not read it.
A @WhatDoTheyKnow regular made an #FOI request for the name of the dog, the name of the handler and their qualifications, plus a bewildering final demand for "Your reasons for the dog attacking". The Tribunal says the dog info is personal data.
In Manchester, we have a brown bin for bottles, cans and assorted other recyclables. They collect it every other Tuesday, and fortunately, next week is brown bin week. I say fortunately, because mine is full.
Friends, it’s brimming. The whole thing is loaded with 2L bottles of Frosty Jack cider and a variant of Strongbow that comes in purple cans. There’s a bunch of Stella cans, a brace of Carling, and tins of something called Hollandia that looks like a fake brand from a soap opera.
Anyone rooting around in my brown bin would think that I had either had a ‘things teenagers drink in the park’ themed party, or I am a raging alcoholic. But neither of these things is true.
Having seen a few posts about director liability and data protection, I thought it would be worth setting out how it works and how the ICO would prosecute a director for their company’s UK #GDPR misdeeds.
Put simply, they can’t.
Section 198 of the UK DPA says if “an offence under this Act has been committed by a body corporate” and it can be proved that it happened with the consent or connivance or because of the neglect of a director (or similar), they are liable to be prosecuted.
This section doesn’t apply to any contraventions of the UK GDPR, only to *offences* set out in the UK DPA. The offences themselves are a mixed bag, ranging from obtaining personal data without the authorisation of the controller to unauthorised reidentification.
If you’re a dinosaur like me, you’ve seen certain issues come around again and again, with different people coming at them with different perspectives. When I was a boy, the use of live data for testing systems or training was generally unacceptable.
There are ways to avoid it – you might take real data and anonymise it (a risk in itself but much better than letting staff loose with the live stuff), or you might create fake data from scratch (safer but more laborious).
Either way, the risk of making real data available to staff who didn’t need to see it or exposing it inadvertently was too great. The same went for testing things using a live system; you didn’t do it. The alternatives were being rejected because they were time consuming.
An individual used the #FOI website What Do They Know to ask @ICOnews about complaints made about the Met Police; effectively, they wanted to know how many of the complaints were upheld. The info was disclosed, but the response also contained an interesting statement. (1/7)
The ICO reply said: “Please keep in mind that there is no requirement to produce a formal decision in data protection cases such as the Decision Notices issued in FOIA ones.” whatdotheyknow.com/request/795467… (2/7)
There’s a solid argument that this is true – there isn’t a line in the Data Protection Act 2018 which is as unambiguous as S50(2) of the FOI Act (the Commissioner “shall” make a decision unless certain conditions are met). (3/7)