Technology lessons

Technology lessons

It seems there is insufficient evidence to prosecute Boris Johnson for misconduct in a public office; the police had been investigating him as a result of his alleged relationship with Jennifer Arcuri  in the light of decisions taken by the Mayor’s Officer to support her business. It should be noted that he did not declare his relationship as a potential conflict of interest. His day-time visits to her home, so presumably during working hours, were, it seems, for ‘technology lessons’; it reminds me of the private eye euphemism of “Ugandan discussions”. One disturbing part of the affair is that the emails seem to be unavailable., possible in contravention of the GLA’s & Mayor’s statutory record keeping rules and duties. The rest of this blog looks at alternative legal approaches to investigating if wrong doing has occurred; it highlights the role of ISO 27001 in specifying good IT Management and Security practices and that compliance/certification may be seen as part of a legal defence against liability for a security breach. Without good IT Security controls, essential audit questions cannot be answered.

In order to help consider how that might have happened, I have just written a short note on how ISO 27001 deals with deletion. It is clear that the rules and means of making data deletions need to be specified and controlled. ISO guidance on “Asset Management” specifies good practice for data management and the section on “Logging & Monitoring” details how business actions need to be, well …, logged and monitored. Without these tools, we cannot know who took any actions, and who instructed that these actions occur. I talk about the well known exception to the storage principle, that data needed for disputes or compliance must not be deleted until these needs aee no longer in place. If these tools, are not available, perhaps we should be asking, why not? Who said that these controls were too expensive? The GDPR establishes that using a certified code is an important indicator that the organisation has “adequate technical and organisational protection”.

While Johnson’s relationship with Arcuri is not what led me to look at the Bribery Act, I wrote a short note on that and discovered that a bribe is

[any] act designed to obtain or having the effect of obtaining advantage through the ‘improper performance’ of another person.

Now it’s over to the GLA’s Oversight Committee. …

Google, the GDPR and Brexit

Google, the GDPR and Brexit

Google are going to move their UK users data from Ireland to the USA. I wrote a little note on my linkedin blog. I headline it as

Google are moving UK data from Ireland to the US … what does this say about UK/EU/US dataflows and ompliance with the GDPR and the world’s data protection laws.

I also point out the need for robust legal redress to comply with the GDPR, which the UK and USA may not meet and that the UK will lose access to the US Privacy Shield arrangements. I note that the UK will lose its member state privileges and powers under the GDPR when the transition period ends and that RIPA 2016 and the immigration exception of the DPA 2018 may cause the Commission some problems with respect to “Adequacy”.

I note that model clauses and binding corporate rules will remain in place and I wonder if this is a business opportunity for a European based phone operating system author as people choose to withdraw from Android? Nokia? Canonical? …

HRMS, a distressed purchase?

I was provoked by this on Hackernoon, and wrote a little piece on HRMS systems. I have just come back from a Trade Union course on Employment Law and wonder whether the US based systems built for Silicon Valley behemoths are suitable for UK based SMEs. I reference the Gartner MQ which seems to have come on in the last two years; google it, you can get to see it from one of the companies in the top right quadrant but I like their functional breakdown.

I state that a “person” data model is key and finish with the following quote,

HR functions need to define their mission statement, somewhere between “stop the staff suing us”, and “delivering a self-actualising company”; only then can the needs of the software be defined and developed, bought or rented.

 …

Banks Eh?

Banks Eh?

Have you got outraged over FATCA yet? Over the last quarter, I have received several pieces of correspondence from different banks asking me to certify that I have no income that the US Government might be interested in. It goes to show just how poor, the Banks’ whole person/customer knowledge is. …

The customer is, and shall be king

I have posted an article on my linkedin blog, which looks at the future of banking technology particularly as it applies to their technical debt in the data centre. It argues that customer intimacy is key. I say,

So the incumbent players have to re-modernise their systems, build fit for purpose customer relationship management systems i.e. KYC and cope with the business disruption that new software driven competitors are developing, on top of which margins in retail financial services are very low.

 …

Have the US killed their cloud business?

As the proof that Governments are spying on social media users is found, we should all take measures to make it hard. I am sure that they’ll try and outlaw encryption next, but they might have a problem with that since it’ll kill e-commerce. Talking of killing e-commerce, a number of commentators, including David Kirkpatrick posting at linkedin are asking if this will cause Europeans and their Governments to withdraw from the US cloud providers.

The Swedish Government, for instance have already decided to abandon Google’s web services. …