A note on Data Protection Officers

Data Protection Officers roles were revised by GDPR and the member state implementations. Here is a reminder for those that need it.

Article 37 states that a processor or controller requires a DPO if it is a public authority, if it requires regular and systematic monitoring of data subjects on a large scale or if it processes special data.

A DPO may work for multiple companies, but Article 38 requires the DPO to be adequately resourced and supported.

The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks specified in the GDPR Article 39.

Article 38 states that the DPO must be involved in all issues which relate to the protection of personal data, be properly resourced to perform their duties and to maintain their professional expertise, not receive instructions on the conduct of their duties, not be dismissed for doing their job, and report to the highest levels of management.

The tasks of the role are defined in Article 39: the job is to advise the highest levels of management on their obligations, to monitor compliance including the assignment of responsibilities, training and operations’ audits, to assist and monitor the data privacy impact assessments, and to cooperate and act as a contact point for the supervisory body, in the UK, the ICO.

I have used the EU text as the source of my summary and is reproduced overleaf/below ...

This post was originally posted at linkedin.

The 7 Principles

When evaluating Data Protection laws and enforcement appetite, one sometimes needs to refer to the 7 principles. These were agreed by the OECD in 1980 and I summarise them below.

  • Notice, Data subjects should be given notice when their data is being collected.
  • Purpose, Data should only be used for the purpose stated
  • Consent, Data should not be disclosed without the data subject’s consent
  • Security, Collected data should be kept secure from potential abuses
  • Disclosure, Data subjects should be informed as to who is collecting their data
  • Access, Data subjects should be allowed to access their data and make corrections to any inaccurate data.
  • Accountability, Data subjects should have a method available to them to hold data collectors accountable to the above principles.

Europe’s privacy laws are constructed by building legislative infrastructure based on treaties and then the creation of law. The diagram below shows the time line of European infrastructure (above the line) and law (below the line); it was made a year or so ago and thus does not show the UK’s departure from the EU, nor the assignment of “Adequacy” by the Commission.

While much focus today is on the EU’s GDPR, the principles that underpin it are more broadly accepted than that law, and in some areas the GDPR may be found wanting.

This blog post originally appeared on my LinkedIn blog. …

On Cyber-security

I posted a note on cyber security on my linkedin blog. I post some pointers on the standards and controls needed to defend against a cyberattack and implement “adequate technical and organisational” protection. It looks at, and links to, the NIST cyber-security framework and lists some of the necessary controls to implement a reasonable defence and prove “adequate technical and organisational” controls. If you do what I suggest badly, you might get away with it; if you do it well, you might stop and/or recover from attacks.  …

Software Piracy and supply

This is interesting. From the Register, an article called, “Software piracy pushes companies to be more competitive, study claims • The Register“, sub-titled, irreverently as ever, “So, do copy that floppy?”

The article is written by Wendy Bradley, assistant professor of strategy, entrepreneurship, and business economics at Southern Methodist University’s Cox School of Business, and Julian Kolev, an economist at the United States Patent and Trademark Office. The article describes their methodology and links to their paper. They define the launch of BitTorrent as a shock and examine the intellectual property development of companies vulnerable to that shock.

“When comparing the IP strategies of software firms at risk of piracy (the treatment group) against those of not-at-risk firms (the control group), we find that our treatment group significantly increases its innovative activity after the piracy shock in terms of R&D expenditures and granted copyright, trademark, and patent applications,”

Bradley & Kolev – Software Piracy and IP Management Practices: Strategic Responses to Product-Market Imitation (August 2021)

Interestingly, it seems that entertainment software companies behave differently, although the academic work done, as quoted in the article, does not suggest that piracy reduces the supply of content.

Basically the big software firms use their superior cost structures, achieved by size and source code ownership, to increase the rate of innovation to keep their customers coming to them. The entertainment companies don’t. I don’t think they look at the size and cost of investment into regulatory barriers to entry, both buying the laws they want and pursuing newly created malefactors.


Bradley, Wendy and Kolev, Julian, Software Piracy and IP Management Practices: Strategic Responses to Product-Market Imitation (August 2021). USPTO Economic Working Paper No. 2021-3, Available at SSRN: https://ssrn.com/abstract=3912074 or http://dx.doi.org/10.2139/ssrn.3912074 …

Wiping the phone at the Treasury

I wrote a piece on the Guardian story about the Treasury losing the Perm Sec’s texts and posted it on linkedin. One particularly disturbing feature of this story may be that messages from David Cameron about Greensill Capital have been lost. On the linkedin blog, I looked at the story from an IT Security and employment law point of view rather than looking at the political corruption angle. I suggest that for an organisation with a public record, FoI or compliance liability that SMS and whatsapp or any messaging product without central logging should not be used. I suggest that wiping the phone instead of a password reset especially when the device has not been lost might be a bit extreme. I hint that peer to peer messaging without a super user is also inappropriate.

I argue that this is a symptom of the growing contempt that politicians, and now it seems bureaucrats, have for their record keeping responsibilities, which are mandated by statute law. It is likely that the use of personal IT, i.e. phones and emails if not laptops/workstations, is becoming endemic, destroying and designed to destroy audit trails of behaviour. I note, and have commented elsewhere on, the failure to pass on the email & records relating to Johnson’s decisions with respect to Jennifer Arcuri’s trade missions and grants.

I note that such behaviour if undertaken by more junior staff would probably involve disciplinary action. I have dealt with cases where people have been investigated under the disciplinary policy for misuse of their personal IT in the office and also for the destruction or unauthorised amendment to business records. These have usually been considered gross misconduct cases which can lead to dismissal, but most of my members are blue collar workers.

With respect to the Treasury, I wonder if the texts have been truly lost; if they have, it’s either a policy failure, i.e. a failure of the control design, or a deliberate breach. Someone should be accountable, just as they should at the GLA. The irony here, i.e. at the Treasury, is that it looks like the person responsible for either of these failures is the same person. The Permanent Secretary is meant to be a check on the, certainly, financial probity of ministers and occupy an important role in implementing a segregation of duties and avoiding toxic combinations. These controls are designed to stop fraud and corruption. These ones seem to have failed. …

More nonsense on Bitcoin

The Indy reports on Bailey of the Bank on Bitcoin, who warns, “Cryptocurrency has ‘no intrinsic value’ and investors will ‘lose all your money’, says Bank of England chief”. I add, “Bitcoin only works because the ‘proof of work’ is so expensive and time consuming; and it’s also destructive of the environment due to its useless power consumption. (It’s also very slow, doing 700 TPS, that’s not enough for a business, let alone an economy.)” …

Vendor Management and the Labour Party

I wrote a blog on linkedin on what I call Vendor Management. This is based on my experience as an IT Security and Compliance consultant, and leans on ISO 27001. Some of the words in this article mirror what I say in the linkedin post. This article, see below/overleaf, talks about risk classification, risk control super-strategies and risk monitoring. It then looks at the Labour Party and recommends the adoption of quality brands as an employer and as an IT user. It ends by asking some basic questions about the impact of [the lack of IT Governance]. It challenges the secrecy and the commitment of the NEC to get this right and concludes with the statement that there is a common body of knowledge that allows the effective management of IT & IT risk. As Liverpool Council have discovered, this can’t be made up. …

Privacy Regulation

I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU, but note that it was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four year life is the desire and plans of the British Govt to depart from the current legal protections, which are based on the EU’s GDPR.

Issues of state surveillance, the Council of Europe’s Convention 108 and the Human Rights Act are all engaged. We’ll probably get it, but for it to be renewed we’ll have to remain aligned with the GDPR & C108. The right of EU citizens to seek judicial redress may become important, as it is a point of contention between the EU & US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for,

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

cabinetoffice.gov.uk

This has been picked up by the Open Rights Group, who are asking people to write to their MPs: we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon; across Europe pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out, our voices no longer count …

Technical debt, depreciation and risk

I wrote and posted a piece on Technical Debt on my linkedin blog. Its post comment, based on the concluding paragraph, says, “I look at ‘Technical Debt’ in the context of IT budget planning and suggest that it is not such a useful concept. Using standard risk management analysis is a more effective means of planning a maintenance budget, which should consist of funding for both error & risk remediation. Depreciation is a better financial model for the problem.”

There must be much written about the nature of depreciation, from physical wear and tear to the need and cost to replace due to increasing failure; perhaps I should look for some reading on how this applies to information systems. I question whether software is an asset in terms of accounting theory; I suppose so, because it has value in more than one accounting period, but can it be realised? I also question the value of placing a cash value on software in use: identifying its cost to acquire is potentially simple, its residual value is much harder, and synchronising this change to a single corporate depreciation rule can be difficult.

Some things I considered writing about include the number of times, while trying to clean up or rationalise corporate IT estates, I was told, “you’re not touching that!”. We used to joke that they’d lost the system which pays the board’s bonuses, but these systems were almost always obsolete and acted as a technology sink, keeping product in the portfolio that should have been abandoned. Recently I came across the phrase “fictional capital”: these systems had an unknown value, and the decision to leave them alone seemed based on a pessimistic and fictional view of their value. I sometimes suggested turning them off to see who squealed, but this advice was never accepted.

It also needs to be considered that the maintenance budget is a function of the size of the information systems portfolio and much of it is a fixed cost. If you don’t spend the money the systems stop, and these costs do not vary with output. …

On DMCA takedown of youtube-dl

The EFF thought fit to comment on an RIAA DMCA takedown, using §1201 of the DMCA, aimed at a program called youtube-dl hosted on Github; I forwarded it via Facebook with a cryptic, acronym laden comment, and not surprisingly some of my correspondents suggested I could have been more helpful and understandable. So I wrote an article on Linkedin; although much of it can be gained from the EFF article, this version includes a bit on the oppressive economics of copyright maximalism, and a comment noting that Github have reposted the repo and revised their process to ensure their policies of supporting developers are fully considered when considering takedown notices. ...