The International Association of Privacy Professionals (IAPP) encourages its members to organise a 'Privacy After Hours' social networking event. This year's London get-together will be held on Thursday 25 June around the noted US academic, Professor Daniel J. Solove. Enthusiasts will be congregating at The Bunghole, 57 High Holborn, from 5:00 to 6:30pm. It's a great opportunity to have an informal meeting with him and network with other Privacy Law practitioners. If you'd like any further information, the person to contact is Tara Taubman.

Please remember to bring proof of identity :-;
Here are some more data protection questions that have been referred to the Court of Justice of the European Communities for a preliminary ruling, which Datonomy hasn't previously brought to the attention of its readers: Case C-93/09, Hartmut Eifert v Land Hessen, Bundesanstalt für Landwirtschaft und Ernährung, a reference from the Verwaltungsgericht Wiesbaden (Germany). The questions referred are as follows:
"1. Are point 8b of Article 42(1) and Article 44a of Council Regulation 1290/2005 on the financing of the common agricultural policy, inserted by Council Regulation 1437/2007 amending Regulation 1290/2005 on the financing of the common agricultural policy, invalid?
2. Is Commission Regulation 259/2008 laying down detailed rules for the application of Council Regulation 1290/2005 as regards the publication of information on the beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural …
You are reading a personal data guardianship code on a Sunday afternoon, on the sofa. You are also listening to Bob Dylan’s Modern Times. The code describes itself as a Highway Code for good data protection practice, and you are struck by this analogy. But gradually your eyelids begin to droop, in the way they do when reading data protection guidance. You fall asleep, and dream a dream.

Suddenly you find yourself on Highway 61. There are giant articulated lorries full of everyone’s personal data being driven at crushing speed down all the available lanes. You are in your Micro, in the recovery lane. Your wife has just lost it with the children. It feels like you have taken the wrong turn, but there is no way back.

Then as another datatruck sways alongside and the turbulence pushes …
As reported on Datonomy this morning, the ICO has now issued the final version of its Code of Practice on Privacy Notices following its public consultation earlier in the year (first reported on Datonomy by Elle). The purpose of the Code is stated to be "to see an end to the confusing privacy notices that are written to protect organisations rather than to inform the public", and to "end the reputation of privacy notices being impenetrable". Businesses are encouraged to use the Code to produce new privacy notices or amend existing ones (or, alternatively, to use as a checklist to reflect happily on a job well done).

Overall, it is a sensible and useful document, which makes helpful suggestions rather than being too prescriptive. What is interesting is how the final Code differs from the draft version published as part of the public consultation. Although most of …
The publication today of the ICO's privacy notices code of practice coincided with a furore this week over the announcement of the launch of the UK's first directory of mobile telephone numbers. Although the press coverage about Connectivity's service leaves unsaid important points about the business of providing directory services (which Datonomy will be airing over the coming week), it underlines an important point about the business of consent and privacy policies. The same point is made (in slightly different ways) by both the survey accompanying the ICO's consultation on the code (reproduced here, with permission of the ICO) and the recent RAND report, and the point is one that the intended readers of such policies have long known: almost nobody reads 'em.

Privacy policies now seem to be read mainly by the professionally interested, and there appears to be a steady drift away from …
A different kind of personal guardian

Last week saw the launch of the Personal Data Guardianship Code (Code) from the British Computer Society (BCS) and the Information Security Awareness Forum (ISAF). According to its introduction, the Code "is intended to help organisations and the people in them who handle personal data understand their individual responsibilities". The aim is to create a guide to best practice in this area - a "Highway Code" for the use of personal data.

The Code identifies what it calls the "data life span", which sets out the three-stage handling life span that personal data goes through. Firstly, there is "input", which includes collection, verification and cleansing of the data. The second stage is "use", which involves the primary use and the maintenance, updates, back-up and sharing of the data. Finally, there …
The original Trigger

Data breach notification is a wider topic than just focusing on the benefits or drawbacks of introducing laws to regulate it. There are other obstacles to overcome when considering how to approach legislation. In particular there is the issue of what level the "trigger point" for a data breach notification should be set at, and how to define it.

If the trigger point is too low, then there is a risk of authorities and customers alike being overwhelmed by notifications including those for trivial matters and breaches which will have little or no impact at all on the security of their identity or lives. People may simply end up ignoring them and not take precautions when necessary (something similar happened in Japan). This is also a risk with the current EU proposals …