back to article UK Data Protection Bill lands: Oh dear, security researchers – where's your exemption?

The UK’s Data Protection bill has landed with a hefty thud, offering up 200-plus pages of legislation for the geeks and wonks to sink their teeth into. The bill, launched into the House of Lords yesterday and published in full today (PDF), aims to overhaul the UK’s data protection laws and update them for the digital age. …

  1. Anonymous Coward
    Anonymous Coward

    [an offense of] altering personal data in a way to prevent it being disclosed.

    Err, what's wrong with altering p-data (e.g. with encryption) to prevent it being disclosed? Presumably this makes sense in some context, can anyone enlighten me?

    Edit: Hmm, is it about (e.g.) tampering with access logs to prevent disclosure of disclosures?

    1. Cynical Observer

      Re: [an offense of] altering personal data in a way to prevent it being disclosed.

      In the context of a request to know what data an organisation holds on someone.

      Altering the data to misrepresent the data/ mislead the person requesting would appear to be an offence.

      Caveat: IANAL

    2. Neil Brown

      Re: [an offense of] altering personal data in a way to prevent it being disclosed.

      Basically, if someone has made a subject access request, you can't decide to just delete the lot or amend the records.

    3. Doctor Syntax Silver badge

      Re: [an offense of] altering personal data in a way to prevent it being disclosed.

      "Hmm, is it about (e.g.) tampering with access logs to prevent disclosure of disclosures?"

      I think that's it. Of course if you don't keep logs....

      1. DaLo

        Re: [an offense of] altering personal data in a way to prevent it being disclosed.

        "I think that's it"

        Nope. It is section 163

        "It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive."

        i.e if you get a valid data subject access request you must not change or withhold any of that data before giving it to the data subject.

        1. John Smith 19 Gold badge
          Gimp

          "valid data..request..not change or withhold any of that data before giving it to.. data subject."

          I guarantee that clause will have the usual data fetishist Police, National Security and anyone-else-we-damm-well-please exemption clause

          1. veti Silver badge

            Re: "valid data..request..not change or withhold any of that data before giving it to.. data sub"

            Doesn't need exemptions, because the wording is "with intent to". You can delete whatever you like, as long as you can come up with some other explanation for doing it.

            And as ane fule kno, proving intent is pretty much impossible.

  2. Anonymous Coward
    Anonymous Coward

    GDPR is not compatible with high chancellor rees-mogg. It won't be passed into their law.

    1. Doctor Syntax Silver badge

      "GDPR is not compatible with high chancellor rees-mogg. It won't be passed into their law."

      I wouldn't worry about that. Once reality starts to bite and people discover what they actually voted for Rees-Mogg will either turn out to have been an enthusiastic Remainer or be a forgotten man.

    2. phuzz Silver badge
      Holmes

      The only question with Rees-Mogg is that, as he's clearly from the eighteenth century, are we dealing with time travel or a haunted portrait in his loft?

    3. Wensleydale Cheese

      Winston Smith is alive, well, and working on Rees-Mogg's Wiki entry

      "GDPR is not compatible with high chancellor rees-mogg. "

      Someone's very busy editing the Wiki entry for Jacob Rees-Mogg

      Here he's "A member of an established Somerset family of coal mine owners", in later versions that's disappeared.

  3. Nick Ryan Silver badge

    Splendid, if you read this implementation that it's littered with clauses stating that the "Secretary of State may..." i.e., it's within their whim to change the bloody thing without laws being passed or adequate discussions being had. Has anybody read the appropriate other EU implementations and do they have the same "power-crazy individual may make sweeping changes" type clauses in them?

    1. Anonymous Coward
      Anonymous Coward

      You mean like the Great Repeal Bill / Great Continuity Bill / Withdrawal from the EU Bill (delete as appropriate), which gives ministers the rights to change laws as they see fit without Parliamentary overview?

      1. MrXavia

        So, dictatorship by the back door... wonderful

        1. John Smith 19 Gold badge
          Big Brother

          " So, dictatorship by the back door... wonderful"

          Or perhaps they should just retitle it "The Act of Enablement"

          The classic question is how much of this garbage is TBD using the "Statutory Instrument."

          As favored by the Dark Lord Mandelscum.

    2. Adam 52 Silver badge

      Sure that can be the case, this government is all about taking back control and democratic accountability isn't it? They'd never do something like that.

      Or possibly they're a bunch of untrustworthy lying con (would)men.

  4. Phil Endecott

    > “Terms used in Chapter 2 and in the GDPR have the same

    > meaning in Chapter 2 as they have in the GDPR” - are fairly

    > Kafka-esque.

    Huh? That's not Kafka-esque, that's just English. What's the confusion?

    1. Doctor Syntax Silver badge

      "That's not Kafka-esque, that's just English."

      Yup. It's an assurance that the terms don't mean one thing in one place and something else in the other. Just the opposite of Kafkaesque.

    2. Anonymous Coward
      Anonymous Coward

      "When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean—neither more nor less."

      But if the use in one context implies one thing and its use in another context implies another thing then that's a fact. Can you make a word have the same meaning in different contexts just by saying it has?

      1. Tom 38

        Can you make a word have the same meaning in different contexts just by saying it has

        Sure. Remember, this is English, where we can make the word spelt "Happisburgh" be pronounced "Hayesburra".

        1. Alister

          Damn you sir, what do you mean by that?

          Lt-Col Cholmondely-Featherstonehaugh (ret'd)

          1. Sir Runcible Spoon

            Why not just import the fucking descriptions of the terms from the GDPR as well?

            (I bet I'm missing something ;) )

        2. not.known@this.address

          @Tom 38, you could also point out the fun the left-pondians have with "Wooster Sheer Sauce" - the norm seems to be something akin to "War Sez Ter Shire". Just because it is spelled "Worcestershire" is no excuse.

          Similar for "Edin Burg" etc...

    3. Anonymous Coward
      Anonymous Coward

      Would it not be the same to have shortened it to "Terms used in Chapter 2 and in the GDPR have the same meaning"?

      Otherwise the insertion of both makes it easier to read, i.e.

      “Terms used in both Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR” or many number of ways of making it more accessible.

      1. katrinab Silver badge

        Would it not be the same to have shortened it to "Terms used in Chapter 2 and in the GDPR have the same meaning"?

        Because the meaning in the GDPR is applied to Chapter 2, but the reverse doesn't happen.

      2. This post has been deleted by its author

  5. Zippy's Sausage Factory

    in practical terms, the [defences set out in the legislation] should prevent anyone being unfairly prosecuted for public interest security research

    Should, yes, but will it? Somehow, given the Home Office's record on the subject, I very much doubt it.

    1. Adam 52 Silver badge

      What makes you think that? The list of people who can have a public interest defense is:

      "the administration of justice,

      (b) the exercise of a function of either House of Parliament,

      (c) the exercise of a function conferred on a person by an enactment, or

      (d) the exercise of a function of the Crown, a Minister of the Crown or a government department."

      1. veti Silver badge

        Ye gods, that's awful.

        Any law that gives enumerated exemptions to specific people, however defined, is unjust. (Because "justice" means you treat all people the same, regardless of who they are - what matters is what they do.)

        For the same reason, an "exemption for security researchers" would be a bad idea. What's needed is a clearly defined rule describing exactly what you're allowed to do with the information once you've obtained it - which should be exactly the same, regardless of whether you're employed by GCHQ or Bob's Discount Computer Repairs.

  6. Christoph

    so they will have "to take care to ensure what they do is 'justified in the public interest'."

    After the Clive Ponting case it was decided that the public interest is defined as the interest of the current gang of crooks in power, not of the general public.

    1. Anonymous Coward
      Anonymous Coward

      Not entirely, it is up to the CPS to decide whether a prosecution is in the public interest.

      1. Anonymous Coward
        Anonymous Coward

        it is up to the CPS to decide whether a prosecution is in the public interest.

        Ah, yes. The Clown Prosecution Service. The people who let Dodgy Lord Janner off the hook, amongst many other "mysterious" decisions.

  7. DaLo

    It also seems that Direct Marketing and Data Sharing have no clarity. The Bill states that the ICO must come up with a code of practice for each at some point and then have it approved by parliament, but failure to follow those guidelines does not make the company liable to prosecution.

    Almost sounds like - "we're running out of time for this complex part where everyone is lobbying us and threatening to withhold their party contributions, we'll just pass the buck and deal with it later".

  8. PVecchi

    Logging the lot

    Chapter 60 says:

    A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—

    (a) collection;

    (b) alteration;

    (c) consultation;

    (d) disclosure (including transfers);

    (e) combination;

    (f) erasure;

    etc....

    IANAL but as there is no definition of what an APS is and the retention period so I may be led to think that we'll have to log also access to each email or contact page in a CRM as they all contain PII.

    If that's the case then many applications in use aren't compliant and those that are will generate so many logs that would make it impractical for many SMEs to comply.

    I've checked the Explanatory notes and it doesn't define the logging requirements any better.

    Any additional PoV?

    1. nsld

      Re: Logging the lot

      An APS is pretty much any data storage system in use as the whole point of them is to automate manual tasks (think emailing a receipt at the end of a transaction for example)

      You will have to log every interaction with the data to meet this as its currently written which will mean you will end up with more data in logs than in the actual database. GDPR focuses on consent changes and adequate tracking of how consent is obtained and removed so it makes sense to log those.

      One way of increasing server sales and boosting the economy it seems!

      1. PVecchi

        Re: Logging the lot

        If it was for boosting the economy it may be, kind of, OK but as that's not in the original GDPR it smells fishy.

        Some say... that the usual lobbyists promoted a feature that may be available on their Cloud platform very soon... naturally at a premium.

        I wouldn't be surprised.

    2. Neil Brown

      Logging applies only to law enforcement agencies

      Clause 60 sits within Part 3, and Part 3 applies only to "processing by a competent authority", defined as "a person specified in Schedule 7, and any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes, but excluding intelligence agencies".

      At the moment, Schedule 7 contains pretty much what one would expect to be treated as law enforcement agencies.

      For now, at least, "normal" data controllers can appear to be able to sleep a little easier...

  9. Snowy Silver badge
    Facepalm

    Ripe it up and start again!

    [quote]The document runs to 218 pages, with 194 clauses, 18 schedules and 112 pages of explanatory notes, and - as has been pointed out by many observers, parts of the text - like this eye-crossing sentence: “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR” - are fairly Kafka-esque.[/quote]

    If a 116 page document needs 112 page to explain it, it is not fit for purpose and needs to be binned and started again from scratch!

    We need laws to be clear and easy to understand not so complicated. The more complex it become the more clauses it needs to fill in the holes those complexities makes!

    Also if this is replacing GDPR it should state those terms and not quote a something it is replacing. What happens when Euro rewords GDPR, is the old or the new version?

    1. Doctor Syntax Silver badge

      Re: Ripe it up and start again!

      "We need laws to be clear and easy to understand not so complicated."

      Laws have something in common with programs. They are lists of things to do. And, therefore, they have to be able to deal with all those tricky corner cases. Remember all those problems with programs where nobody bothered to check whether a parameter passed to a function was within specification? Not checking made for clear, easy to understand, compact and unreliable code. Checking made for longer, somewhat harder to read and more reliable code.

      Your clear and easy to understand laws trying to regulate unclear, hard to understand life are liable to fail to fit. Here's one instance for you to consider. It was real and goes right back to the DPA Mark 1 and to my days as a forensic scientist and setting up a casework system for my lab. As such I might receive an exhibit labelled "Clothes of John Smith". That's a label someone else wrote and so would be the accompanying documentation. I, personally, have no idea whether they are indeed the clothes of John Smith, nor who John Smith is. Someone may have given a false name of John Smith. I don't even know if they came from a single person. The defence might subsequently dispute some or all of what I've been told. Should I count the label and accompanying documentation as PII? What does the law say about it? What would you do if you were in that position?

  10. Red Bren
    Big Brother

    "...aims to overhaul the UK’s data protection laws and update them for the digital age."

    Erm, the 1998 Data Protection Act was written for the digital age. Perhaps you mean the social media age where nothing is private anymore?

  11. This post has been deleted by its author

  12. Adam 52 Silver badge

    Exemptions

    As I read it, the following are exempt:

    1. Anyone in government, or government related activity (like policing)

    2. Anyone in banking

    3. Credit reference agencies

    4. Employers checking on their employees

    5. Phone hacking journalists

    6. Google health data researchers

    7. Sporting bodies

    Is there anyone left who isn't covered by an exemption, apart from a few small businesses trying to scrape by?

  13. Boris the Cockroach Silver badge
    Big Brother

    So

    the guy informing Iceland (in another el-reg story today) that their web security sucks would be committing a crime by finding out Iceland's web security sucks

    And then another crime by going public with the information 12 months after telling Iceland their web security sucks.

    Is this what is ment by "Security through obscurity"?

  14. John Smith 19 Gold badge
    Unhappy

    But if you think that's bad, consider it from the other EU members perspecitve.

    Because if they can't figure out wheather their data is protected in the UK they have a simple option.

    Don't deal with the UK.

    Delusional morons Brexiteers will sniff "Good riddance," but I think people might be surprised how many businesses depend on a data flow from Europe to carry out their business. Either they move to an actual EU country, or they lose that business.

    1. nsld

      Re: But if you think that's bad, consider it from the other EU members perspecitve.

      They already are moving the data. General consensus is stick the data in the EU27 and let the ICO worry about the problem rather than the other way round.

      Anyone relying on an adequacy approach for UK law to allow them to process EU data subjects data is taking a significant risk.

      1. John Smith 19 Gold badge
        Unhappy

        "They already are moving the data."

        That was sort of my point.

        Of course only time will tell if this is a minor readjustment by the very most twitchy companies or if it's a general data exodus from the UK to the rest of the EU, and of course wheather the jobs to process, store and protect it go with them.

        But either way UK IT staff will be finding out real soon.

        Have you noticed how often these questions come down to "That's a tricky legal area?"

        Better hope David Davis and his Brexit negotiating team are playing their "A" game.

    2. Anonymous Coward
      Anonymous Coward

      Re: But if you think that's bad, consider it from the other EU members perspecitve.

      The problem with "Don't deal with the UK" is that it may break some of their (EU company/division/governmental body) processes. That's also the problem with the USA being sometimes inside a boundary, sometimes out, depending on the current legality or not depending on the phase of the Moon in the EU (ECJ). Increasingly anything transnational is a nightmare and only seems set to get worse.

      Anarchy is sounding better and better.

  15. Saul Dobney

    Is consent needed to hold records regarding consent?

    If a system asks for consent, and consent is not given, a) should the system store personal details to be able to demonstrate that consent was not given (and so show compliance) and b) in order to ensure the system doesn't repeat the consent screen on subsequent visits?

    Or are we at the stage of the cookie-warning, where everyone will get asked the consent questions every single visit (eg for session management, IP security checks), unless they have opted in?

    1. Adam 52 Silver badge

      Re: Is consent needed to hold records regarding consent?

      Covered under the necessity justification.

  16. EnviableOne

    Is it just me...

    Or should the offense be not Annonimising the data properly

    not de-annonimising it after said offence?

  17. John Smith 19 Gold badge
    Unhappy

    As for those companies needing to process data from the rest of the EU I'm sure

    most of them will stay in the UK and continue to support their loyal work force.

    Except for the (no doubt) small minority of more "ethically challenged" businesses, who will resort to less gentlemanly tactics.

    Such as setting up a parallel company in some part of the EU that's not planning to leave it and is more business and living expense friendly, switching over all the data feeds on Friday night and putting the UK operation into liquidation so the staff (try to) come in Monday morning and find no company and no redundancy.

    Although I'm sure that will only be a very small minority of those affected, and run by scoundrels.

  18. Anonymous Coward
    Anonymous Coward

    "...will keep the lawyers in business for the foreseeable."

    And there it is.

    :(

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon