Posts by Qtoktok 20 posts • joined 24 Dec 2009
And what if one of those 50 is for social work case files? Or the entirety of a member of staff's file (including details of unfounded disciplinary actions and sickness)? Or you get someone who is making genuinely vexatious requests? And before you start with more ill-informed bleating, people really do make requests that are that stupid.
Thinking before you comment. Try it sometime.
"He was, unbeknown to even himself allergic to a rare ingredient of a drug he was given by the GP who was treated (sic) him, and he died.... shame he wasn't on the database.. huh"
Oh FFS - if this was unbeknown even to himself, how on earth would being on some leaky database have done one iota of wordly good? Perhaps they could have added a note after he died saying "the deceased turned out to be allergic to xxx"? Or do electronic patient records have some sort of time portal allowing GPs to future sniff for fatal anaphylaxis?
I call bollocks on that story.
Actually, it's frequently the case that the Data Protection Officer or similar doesn't have the authority to mandate particular security measures and even more frequently it's those in charge of the IT budget who are obstructive. "We don't have the budget" is the most common refrain, especially if it would take a ludicrously expensive change request to the outsourced service provider to get anything done.
A few years back I was working in a reasonably high profile public sector watchdog organisation with access to some extremely sensitive data. My manager and I could emphasise the need for encryption of all laptops till we were blue but were told no. It was the Head of IT who actually said "It's too expensive, too time-consuming and too irritating, so we're not going to do it". Fortunately (in a way) the HMRC data debacle happened the next week, so that position had to be reappraised.
High profile losses and fines do actually serve to force other organisations to get their houses in order and the fact that the ICO is levying fines might help - though the lack of custodial sentences means that the deterrent effect is still limited.
It's all very well to harp on about firing the DP person, but I suggest it would be more appropriate to investigate each incident first, find out who acted against policy and who failed to put decent security in place, who didn't act on proper recommendations before calling for your pound of flesh.
Oh I see, detection never includes actually find out WHO did a crime, not just WHAT they did? Wow, makes you wonder why the police waste money training their officers to become detectives when all they really need to know is what's illegal and what's not.
I hope you were being sarcastic because otherwise that's one of the most fatuous arguments I've seen in a long time.
1. It could have been done without breaching the DPA by anyone who actually understands the law in question.
2. Fines are only issued for serious breaches, generally involving the loss or deliberate theft/sale of personal data
3. There are no custodial sentences for any offences under the DPA (yet), so no-one would be going to prison. The ICO would like to see sentences introduced for offences under s55 of the DPA (unlawfully obtaining personal data) but the Government has said no. Too worried about what would happen to them, probably
It doesn't have to be a breach of privacy laws. There is scope in the law for this to be provided totally lawfully for the prevention and detection of crime without the added time and cost to the taxpayer of obtaining a court order for the release of a single image which could easily exonerate the registered keeper of the vehicle. Google undoubtedly knows this if they have an even halfway competent data protection officer. Oh, wait...
On the other hand, going to the media with the whinging? Agreed, that's an epic fail for Dibble.
A good point, though the fact that they haven't told the police they no longer hold that data suggests that they do. If the police do obtain the court order only to be told that Google have deleted the original image, then Google really should be prosecuted for wasting police time.
The ICO has ruled that Google did breach the DPA when they scarfed the data, so there is law breaking there.
The police are not bypassing the law as Google have the discretion to provide this data lawfully. However, since Google have already shown such disdain for the DPA, we shouldn't find this surprising.
However, the police have made themselves look thoroughly inept by allowing the to blow up in this fashion
No, the law is perfectly clear. It's just that the provision of data under section 29 (3) of the DPA is discretionary and Google is using its discretion to be obstructive.
Given the cuts that are being imposed on overstretched police and court services, you would rather see public time and money wasted on unnecessary court proceedings when Google could simply provide this in a wholly lawful manner ?
However, agreed, going to the media is a fail all round. Google get to look like they're not a bunch of data slurping info whores but the plucky guardians of privacy standing up to faceless bureaucracy, the driver of the "suspect" vehicle gets to cook up an alibi (if necessary), the family gets shoved into the spotlight whether they like it or not and the public gets to pay for a pointless pissing contest that could have been avoided if Google had the slightest interest in the crime being investigated appropriately.
To be contrary, I think Google is being deliberately and unnecessarily obstructive here. There is an exemption under section 29 (3) of the Data Protection Act that would allow them to share this information lawfully with the police if it is necessary for the prevention and detection of crime. The police cannot obtain this image from anywhere else, and have clearly explained the crime under investigation in this case and how this could be relevant.
It's an unnecessary delay, a waste of police time and court time and a waste of taxpayers money to require them to obtain a court order for something that they do have the discretion to do lawfully.
It's worth remembering that this could just as easily exonerate the vehicle's registered keeper as a suspect as lead to an arrest.
I agree that this smacks of Google respecting privacy only when it suits them.
You're really quite wrong on a few points here. There are more exemptions than that - correct there's one for personal data and the spooks but also quite a few others:
Information that is reasonably available - this may include a charge payable
Information intended for future publication. Information whose release would harm the economy, relations within the UK, international relations, defence, commercial interests, the development of government policy, anyone's health & safety or infringe parliamentary privilege. Also, communications with Her Maj, information on the awarding of honour, information held for the purposes of an investigation by a public authority or law enforcement, information which was provided in confidence, information covered by statutory prohibitions on disclosure, environmental information and, my personal favourite "information whose release would prejudice the effective conduct of public affairs". No scope for abuse of that last one then.
Your request can also be refused if it costs too much or is vexatious (the request, not the requester).
Plus, your request CAN be refused if you don't give your real name. There's little point in doing this if the information is going to be released but if anything is withheld and you want to appeal to the Information Rights Tribunal,as a court they can't hear the appeal without your real name.
Sorry to let facts get in the way of a good rant.
Hysterical much?
Ineffective I'll grant you, but then they are under-resourced and do pay peanuts, so it's no suprise that some of their case officers are paddling around in the shallow end of the gene pool. Add the lack of specialist skills in key areas and there are major issues.
However - pointless? Perhaps you think there should be no oversight or enforcement of FOI, DPA, EIR and PECR. Properly resourced, independent and with appropriate powers the ICO has the potential to be extremely useful, not least in combatting data slurping info-whores (you know who you are).
Lazy - what are you, some knee-jerk from the Daily Heil?
Corrupt - do you have any evidence for this, or do you just like libelling underpaid public servants for kicks?
You're pretty brave in cyberspace, flame boy.
True, but it was a bit limited. The extension of the DPA to cover data held in unstructured manual records applies only to public sector bodies, which would include the Courts as in this case.
However, thanks to a (IMHO) spectacularly ill considered judgement in the now infamous Durant case, private sector bodies can obfuscate as much as they like by holding manual records in an unstructured format.
According to the Durant judgement, files are unstructured if they aren't readily searchable.The fact that a file may relate entirely to a bank's dealings with one individual isn't enough to justify making that bank look through it for data to release.
So, if you're in the private sector and you don't want the masses to find out quite how badly you're screwing them over, just hold their personal data in unstructured files. Given that you've probably laid off all your experienced records management staff in a cost cutting exercise, that should't be too hard.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2021
