[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Information Laundering

To: med-privacy@essential.org
Subject: Re: Information Laundering
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Date: Mon, 13 Dec 1999 09:40:20 +0000
Cc: Ross.Anderson@cl.cam.ac.uk
Delivered-To: med-privacy@venice.essential.org
In-reply-to: Your message of "Sun, 12 Dec 1999 21:19:51 EST." <3.0.3.32.19991212211321.00b56da0@mail.albany.net>

Dick Mills' comments are to the point. It has long been
recognised as a problem that UK data protection laws
only allow the authorities to regulate the conduct of
people who've bothered to register under it, and although
you can in theory you can be prosecuted for failing to
register, this doesn't happen in practice. (The criteria
for registration are impossibly broad and you'd end up
prosecuting every club secretary who kept his mailing
list on his PC, and maybe a lot of private citizens too.
Enforcement of the letter of the law could well be struck
down under our Human Rights Act.)

It has also been a problem that manual disclosure of data
originally held on computer wasn't an offence provided 
you didn't abuse authorised access to the original 
machine. So a private eye who bought your vehicle records
from a friend in the police force wasn't committing an
offence (though the policeman could in theory be
disciplined); and an insurance investigator who called
your doctor asking for medical information and pretending
to be another doctor was just `doing his job'. The same
went for false pretext enquiries by journalists (which is
why politicians were reluctant to act).

Britain's now been forced to clean up its act by an EU
directive on data protection. However, the government is
dragging its feet as long as it can on issuing the
regulations which will give force to the new law.

Another problem to watch out for is that the British
government has so far always appointed as data protection
registrars people who could be trusted not to rock the
boat. We have a complaint in since January about how some
data flows in our Department of Health are in flagrant
breach of the criminal law. The registrar's response is
to write to the department asking them to confess to the
crime, and when they ignore her letters she wrings her
hands and tells us there's nothing she can do. (She has
got just as much right to send in men with machine guns 
at 4am as any other law enforcement agency, but this
power appears never to have been used.)

When our data protection regime was set up, the then
Home Secretary (David Waddington) made it clear that the
law was only being introduced because Europe demanded it
and in consequence the regime would be the absolute
minimum that britain could get away with. List members
had better ask themselves whether the same exercise is
now being conducted by Shalala, and if so what the
practical consequences are likely to be.

Ross

References:
- Information Laundering
  - From: Dick Mills <dmills@albany.net>

Prev by Date: Information Laundering
Next by Date: NCPR on proposed rules
Prev by thread: Information Laundering
Next by thread: NCPR on proposed rules
Index(es):
- Date
- Thread