Information & protecting the vulnerable
advertisement
11:00-12:30 Information & protecting the vulnerable Page 3 - ‘What do leaks and open government reveal about State Crimes?’ Matt Clement, University of Winchester Page 4 - ‘Child Protection MASH-up: the case of AB v Haringey, and whether seeking consent increases risk or increases trust’ Allan Norman, Celtic Knot Page 5 - ‘The End of the Volunteer Coach? Child Protection and Sports Coaching’ Merijn van Willigen, University of Winchester Trust & transparency – family courts, charities & whistle-blowing Page 6 - ‘Family court closures and cuts alongside the new online services’ Sarah Meads, University of Winchester Page 7 - ‘Exploring Construct of Public Trust in Charities: An Empirical Study Based on Scale Development’ Yongjiao Yang, University of Hull Page 8 - ‘Whistle while you work: effective data sharing and protection of the vulnerable’ Helen James, University of Winchester Misuse of information & miscarriages of justice Page 9 - ‘The Prosecutor’s Fallacy: how many innocent people have been convicted, and how can miscarriages of justice be identified after the event?’ Vincent Scheurer, Sarassin LLP Page 10 - ‘Assessing Criminal Law Response to the Misuse of Information’ Audrey Guinchard, University of Essex Page 11 - ‘Privacy by Design – a real solution or a daydream?’ Katarzyna Witkowska, University of Lodz Surveillance, encryption, State secrets & fashion! Page 12 - ‘Secrets of State and the Rights of Access in Spain after the approval of the Law on Transparency’ Pilar Cousido González, Universidad Complutense de Madrid Page 13 - ‘Binding the leviathan: encryption, surveillance and the digital state of nature’ Lawrence Serewicz Page 14 - ‘Electronic surveillance, fashion, marketing & the law’ Savithri Bartlett, University of Winchester, Matteo Montecchi, University of the Arts London, London College of Fashion and Marion Oswald, University of Winchester 1|Page 14:30 – 16:00 Anonymity, the benefits of reporting data breaches & balancing efficiency and efficacy Page 15 - 'Privacy, the impact of anonymisation & the ICO's Code' Iain Bourne, Information Commissioner’s Office Page 16 - ‘Do the Benefits of Voluntarily Reporting Serious Data Breaches to the ICO Outweigh the Risk of Monetary Penalties?: A Theoretical Analysis’ Jack Manhire, Visiting Faculty member & Executive Program Officer, Treasury Executive Institute, United States Department of the Treasury Page 17 - ‘Towards a Risk-Based Approach to Data Protection: Economic Efficiency at the Expense of Fundamental Rights Efficacy?’ Orla Lynskey, London School of Economics Alternative approaches – regulation of risk, information as property and information sharing Page 18 - ‘Contemporary evolutions of EU Personal Data protection: the risk management of nothing?’ Raphaël Gellert, Vrije Universiteit Brussel Page 19 - ‘Through a Glass Darkly: Revisiting Information as Property in Boardman v Phipps [1967]’ Louisa Dubery, University of Winchester Page 20 - ‘NEISAS – a pilot system for secure information sharing in critical infrastructures’ David Sutton, tacit.tel limited Disclosure of national statistics, forensic information & DNA – trust, control & anonymity Page 21 - ‘The push for open data: should EUL be replaced with OGL?’ Caroline Tudor, Office for National Statistics and Mark Elliot, University of Manchester Page 22 - ‘Trust and the International Exchange of Forensic Information’ Carole McCartney, Northumbria University Page 23 - ‘The governance of genetic information: a view from the trenches’ Maru Mormina, University of Winchester Data linking, statistical disclosure control, Facebook privacy policies & the right to be forgotten Page 24 - ‘Should the Law Prescribe Statistical Disclosure Control? Emmanuel Lazaridis, University College London Page 25 - ‘The people v Facebook: the transparency of privacy policies’ Estrella Gutiérrez, University Carlos III of Madrid Page 26 - ‘The right to be forgotten in the age of Big Data’ Monika Zwolinska, University of Nice Sophia Antipolis 2|Page What do leaks and open government reveal about State Crimes? The policing of whistleblowers, notably Wikileaks and Edward Snowden, has purposely promoted a message that this activity will not be tolerated and has led to the exile and imprisonment of the perpetrators. At the same time sensitive data which reveals the arguably criminal actions of states and their agencies is in the public domain to a far greater degree than in the cold war years. Well-kept secrets, known to key figures in state bureaucracies but shielded from public view, have been leaked in recent years. Scandals such as child abuse in state-run institutions, and by celebrated cultural icons, now disgraced, have been exposed. Other notorious examples of dereliction of duty by state care providers, such as at Mid- Staffs. Hospital, have been campaigned against by the friends and relations of those who died; due to the actions of a bureaucracy whose criminal neglect resulted from a failed government policy of ‘care provision’. Information can be a tool protecting the sick and vulnerable where there is a body resolved to wield it to its purpose: Without this active intervention, knowledge alone will not presage the changes required, as the state’s reaction to potential exposure of its failings is more often punitive than restorative. Matt Clement Lecturer, Criminology University of Winchester Matt.clement@winchester.ac.uk 3|Page Child Protection MASH-up: the case of AB v Haringey, and whether seeking consent increases risk or increases trust Countless Serious Case Reviews have identified poor information-sharing as a contributory factor in child tragedies. These findings have provided a basis for successive governments to promote “improved” information-sharing. In many areas of the country, ‘Multi-Agency Safeguarding Hubs’ or MASHs have been developed. They are not the result of a specific statutory initiative, but are consistent with the direction of information-sharing policy. Within MASHs, information is routinely shared without the knowledge or consent of the information subjects. Meanwhile, the underlying data protection law and human rights law is unchanged. In 2011, two parents contacted by social workers immediately challenged such sharing without knowledge or consent of anonymous concerns. I brought their legal challenge which led to the ruling in AB & Anor, R (on the application of) v The London Borough of Haringey [2013] EWHC 416 (Admin) (13 March 2013). The court declared the information-sharing breached data protection laws, and awarded Human Rights Act damages, the first known example of such an award. The judgment has had wide ramifications, including as a direct result that the London Safeguarding Children Board has rewritten its MASH guidance, and OFSTED its guidance on compliant information-sharing. This paper not only explores and questions the legal and policy framework underpinning the MASH initiative, but does so by asking bigger questions about trust. Underpinning MASH information-sharing policies are a lack of trust: parents cannot be trusted not to inflict harm on their children if we seek to work with them consensually. This in turn fosters a lack of trust in parents: how can I trust social workers who have already gone behind my back? I will argue that an alternative model of consensual information sharing carries risks, but will reap rewards by fostering trust which improves the relationship between citizen and state; it also conforms better to information-sharing and human rights law. Allan Norman Registered social worker and solicitor Celtic Knot, The Warehouse, 54-57 Allison Street, Birmingham, B5 5TH allan@celticknot.org.uk 4|Page The End of the Volunteer Coach? Child Protection and Sports Coaching The permeation of aspects of law into what had previously been purely social relations has been highlighted for some considerable time. This ongoing process of ‘juridification’ of social spheres such as family life, the environment and intimacy – to name but a few - seems in fact to be an irreversible social trend, and one that needs to be taken seriously also when regarding the development of a variety of sports practices. Over time, a number of child sex abuse cases involving sports coaches have highlighted the realities of risk involved in an area where adults had historically assumed in loco parentis roles without being exposed to the checks and scrutiny that other professions had been. The presentation will identify the changes that have occurred in sports coaching as a consequence of a growing concern with the risks involved in allowing adults access to young athletes. It will question whether the legalization of this sports field has effectively meant the end of a culture of volunteerism, and what the future holds for an area of sport that has historically relied on amateur involvement but is now forced to professionalise its practices. Merijn van Willigen Department of Sports Studies University of Winchester Meryn.willigen@winchester.ac.uk 5|Page Family law query, go online! Family court closures and cuts alongside the new online services Family law practitioners face interesting times as the Government seeks to minimise the role of lawyers and instead focus on information being made available online. This, it seems, is the new “access to justice”. Since 1st April 2013 legal aid has been removed for private family cases in all but a small majority of cases. The number of litigants in person chartering their way through the family courts is increasing. Yet at the same time the opening times for family courts counters are being reduced, from 10am-4pm, commonly to 10am-12noon and family courts are under threats of being closed. In tandem with the legal aid cull the Government has introduced the new web app, “Sorting out Separation”. This is intended to be a “one stop shop” of information for separating families. There is further Government provision available for out of court support, including a national “virtual” internet-based mediation service hosted by Relate. The role of information being provided through lawyers is markedly absent from Government provision. The Child Maintenance Options website is set to continue, being provided by G4S in a contract worth £18m over five years. This focuses on information available by telephone, online chat, and social media. This paper will look at the changes in the way the Government seems to be steering the provision of family law information and what this may mean for family law practitioners and separating families. Sarah Meads Solicitor, Lecturer University of Winchester 6|Page Exploring Construct of Public Trust in Charities: An Empirical Study Based on Scale Development This study seeks to examine the construct of public trust in charities based on a large scale survey in the UK. It fills the gaps of existing empirical study on measuring public trust in charities which regard trust as a one-dimensional concept without looking into what ‘trust’ truly means. A conceptual model of public trust in charities is proposed combining previous studies on trust and the characteristics of charity. In this model, public trust in charities is viewed as a multidimensional concept, which is defined as the willingness to take risk based on the truster’s propensity to trust, the expectation of the charity’s trustworthiness, and perception of value similarity. In order to examine whether this conceptual model capture the true meaning and construct of public trust in charities, both qualitative and quantitative methodologies are employed. First, focus group interviews are conducted in the UK to explore the participants’ perspectives on charities and the role of public trust therein and investigate the reasons for trust and lack of trust in these organisations. It aims to search for potential items and dimensions which could present accurately of meaning and each domain of trust in charities. Based on these focus group interviews and literature review, a preliminary Likert scale containing 49 items and four dimensions is developed. Then three waves of questionnaire surveys (609 samples) are conducted for scale refinement including item analysis, exploratory factor analysis and confirmatory factor analysis. In the process of scale refinement and validation, the construct of public trust in charities is examined. The findings confirm the validity of the conceptual model proposed in this study. It also proves that the scale developed is reliable for measuring public trust in charities in the UK and predicting risk in this sector. Yongjiao Yang Department of Social Sciences, University of Hull Yongjiao.Yang@2012.hull.ac.uk 7|Page Whistle while you work: effective data sharing and protection of the vulnerable In today’s high-tech computer aged society, many of us express concerns around the electronic storage of our sensitive personal data.1 Such data includes information relating to physical and mental health. Whilst such concerns are perhaps understandable, especially in light of the many highly publicised data breaches of recent years, effective information sharing is an essential tool in affording protection to the vulnerable. Public inquiries such as those following the appalling abuses which took place at Winterbourne View Hospital and Mid- Staffordshire NHS Foundation Trust have focused on the need for good practice in data-sharing and whistle-blowing in order to eliminate further such instances. It is against this background that this paper considers mechanisms through which a culture of openness and transparency can be created, whilst maintaining public confidence in the protection of sensitive personal data. Helen James Head of Law University of Winchester Helen.james@winchester.ac.uk 1 S2 Data Protection Act 1998 8|Page The Prosecutor’s Fallacy: how many innocent people have been convicted, and how can miscarriages of justice be identified after the event? This talk is divided into four short sections: (i) an explanation of the term “Prosecutor’s Fallacy” as it is understood by the writer, with examples from actual criminal trials including R v Sally Clark and R v Barry George; (ii) a summary of the writer’s core thesis that the Prosecutor’s Fallacy is probably responsible for multiple, currently undetected miscarriages of justice in the UK; (iii) a description of the writer’s use of the Freedom of Information Act to identify the steps (if any) taken by the Ministry of Justice to remedy this issue; and (iv) the writer’s thoughts about how these miscarriages of justice might be identified and corrected in the future. Associated documentation: The Freedom of Information Request for the Ministry of Justice, and any response (if received). Vincent Scheurer Sarassin LLP 9|Page Assessing Criminal Law Response to the Misuse of Information In its 2011 report on “Personal Data: the Emergence of a New Asset Class”, the World Economic Forum highlighted the main feature of the digital economy, i.e. that “Personal data is the new oil of the Internet and the new currency of the digital world” (quoting the European Consumer Commissioner, Meglena Kuneva, March 2009). Indeed, internet companies have been very successful in building business models that exploit the digital footprint of their users. The problem is that companies have not been the only ones to harness the economic value of data. Today, it is more lucrative to hack into computers and, for example, sell the data obtained than it is to steal one’s neighbour’s TV or car and resell it. Thus, the question is whether criminal law is or not successful in recognising that data is the new object of crime and that the misuse of information today can severely damage our trust in the digital. Are the existing offences and their corresponding penalties adequate? How do these offences feature in respect to the international framework, notably the Convention on Cybercrime, the new 2013 EU cybersecurity strategy, the EU Directive on cybercrime and the draft EU Regulation on General Data Protection? Furthermore, recent events have shown that the offenders are not always those we have in mind. The News of World scandal has revealed that beyond individuals, it is the structure of a company which is orientated towards illegal access and then misuse of information for profit. The Snowden leaks exposed the collusion between the private sector and the Governments to conduct surveillance of ordinary citizens. Thus, do we need to rearticulate the criminal liability of corporations which, as the key players of the digital economy, need to earn our trust as much as Governments need to do so? Audrey Guinchard University of Essex abguin@essex.ac.uk 10 | P a g e Looking for the interdisciplinary approach: Privacy by Design – a real solution or a daydream? Data is the lifeblood of the new economy as Ann Cavoukian, Privacy Commissioner of Ontario, Canada says. Information society is currently standing on the doorstep of the datadriven future, in which information is shared and processed by all possible means. Undoubtedly, the abovementioned phenomena influences privacy in a very significant way and becomes though one of the most important challenges for privacy protection. Looking onto the global village we live in, it can easily be observed that this global village is like a mosaic, like a jigsaw puzzle made of various elements: legal, cultural, mental differences that have to be combined somehow. Not only the legal systems differ, but even privacy as a cultural value is often understood in a completely different way. It all leads to the conclusion that working on the common standard for privacy protection is extremely challenging. Regardless of the difficulties and obstacles to overcome when trying to guarantee respect for privacy in the data reality, information society requires effective solutions, especially that changing online world that affects traditional informational environment entails insufficiency of the traditional mechanisms for privacy protection. The paper aims to explore whether the interdisciplinary solutions by the example of the Privacy by Design concept can become effective remedies for privacy infringements in the profiled world and Big Data reality. It examines the idea itself, its advantages and the weak points, trying to prove that this concept should be taken into account when talking about privacy. It asks the fundamental question whether preventive attitude towards data protection should prevail and oust reactive way of thinking about privacy. It also exposes a need for the international cooperation and the international debate about changing privacy in the new technologies’ reality. Katarzyna Witkowska University of Lodz 11 | P a g e Secrets of State and the Right of Access in Spain after the approval of the Law on Transparency Thirty eight years have passed after its approval and the Spanish Constitution not only has not been fully developed but it seems to have arrive at its very end, in the middle of current circumstances of deep economic and political crisis. Constitutional institutions had had mixed fortunes and modern politico- legal trends such as transparency as principle of law had had little resonance among the Spanish political authorities. After 10 terms in office, no government has seriously considered the need to replace the Francoist Official Secrets Law (Law 9/1968 , revised by Law 48 /1978), by a law adapted to the current democratic and advanced times in the context of the technological revolution and the era of open governments. It is not easy to guess which ones might be the reasons that explain why the development of data protection, for example, is widely detailed in Spain, and, on the contrary, no political figure until almost now had sought to face the regulation of the right of access or of transparency or the replacement of legislation on State secrets. The coincidence of the three institutions in the common area of administrative policy is striking, in particular, considering the huge development of Private Law in Spain. The passing of the Act on Transparency at the Senate (November 27, 2013) leaves it only pending of its publication in the Official Gazette to be a law. Consequently, such a statute is to create a new framework where to reinterpret the existing Official Secrets Act, by definition opaque and, in this case, dictatorial, or compels to finally consider a new Official Secrets Act that fits in the geopolitical position of Spain and in its strategy on domestic policy and that could help to save the country of the crisis the current regime is undergoing. M. Pilar Cousido González Prof. Titular UCM, Visiting Prof. Winchester University 12 | P a g e Blinding the leviathan: encryption, surveillance and the digital state of nature States use surveillance to keep their citizens safe and protect the regime. The digital surveillance limits the digital autonomy that many individuals expect the state to respect. In response, they use encryption to protect their digital autonomy. As encryption allows the individual to demarcate a space that the state cannot penetrate without great effort or without clear justification, it creates a challenge to the state’s authority. In domestic politics, the state can justify its sovereignty through the rule of law, which reflects its legitimate political authority. Outside the state, the state does not have to rely upon the rule of law because it is beyond the bounded political sphere. In political terms, the digital domain presents a problem because it offers no immediate way to distinguish between friend and enemy. The difference between foreign and domestic, bound up with the idea of sovereignty, is a central tenet of the modern social contract that began with Hobbes. In particular, the Leviathan determines the exception not the individual. Encryption inverts that relationship. The paper uses Hobbes’ social contract theory in the Leviathan to analyse how encryption returns us to the digital state of nature by limiting the Leviathan’s capacity to enforce the rule of law in the digital domain. I review the writings by Scheier and other technology writers on digital encryption as a response to the surveillance state. I then draw on Carl Schmitt’s critique of liberalism regarding the exception. I argue that encryption undermines liberalism. The state cannot enforce rights and sustain equality unless it can stop those who want to live beyond the reach of the law. As the law requires surveillance and encryption hinders that surveillance, the rule of law is weakened. The leviathan is blinded. Lawrence Serewicz 13 | P a g e Electronic surveillance, fashion, marketing & the law With 2014 being dubbed the year of wearable tech and with apps such as ‘NameTag’ promising to make facial recognition and profile matching available to the masses, will everyone now be regarded as a ‘data controller’ and if so, how can the law respond to the rise of smart-phone and wearable surveillance technology? The privacy issues are all too evident but with the take-up of wearable tech by high fashion brands, will the desirability of wearable tech override privacy concerns or will consumers be put off by the intrusive factor? And what might fashion offer those consumers who feel a growing need to exert control over their loss of privacy? Might their dress of metallised fabric protect against thermal surveillance from drones, or inhibit incoming and outgoing iPhone signals or act as camouflage, both as deception and decoration, which protects from intrusion? Combining fashion marketing, dress history and legal elements, this inter-disciplinary paper will explore a possible future where the law has failed to respond swiftly and adequately to technological innovations, leaving consumers to take matters into their own hands, using fashion and dress to prevent surveillance or to indicate their lack of consent, eventually generating a new societal norm. Savithri Bartlett, University of Winchester Matteo Montecchi, University of the Arts London, London College of Fashion Marion Oswald, University of Winchester 14 | P a g e Privacy, the impact of anonymisation & the ICO's Code Iain will discuss his involvement with ICO’s work on privacy and anonymisation and the impact of the ICO’s anonymisation code on year on. Iain Bourne Group Manager (Policy Delivery Department) Information Commissioner’s Office 15 | P a g e Do the Benefits of Voluntarily Reporting Serious Data Breaches to the ICO Outweigh the Risk of Monetary Penalties?: A Theoretical Analysis The Upper Information Rights Tribunal recently held that controllers not required by law to report data breaches are still subject to monetary penalties even if they voluntarily report a breach. The ICO and some information law experts stated that this holding notwithstanding, the economic benefits of self-reporting still outweigh the risk of penalties since the ICO considers self-reporting a mitigating factor in determining the amount of any fine. This paper attempts a theoretical analysis of controllers’ risk calculi to determine if they are truly better off self-reporting breaches. Based on historic ICO data, we first examine the claim that self-reporting mitigates a penalty’s magnitude. We then investigate whether the mitigation of penalty amounts alone is sufficient to persuade controllers that they are better off self-reporting given their “chances of being fined.” Conventional models use a fixed value for this probability in analyzing economic benefit. Through the employment of the principle of perspectivity, we show that for these models to accurately reflect experience we must modify our definition of the “chances of being fined” and factor in a controller’s decision to report or not report. Modifying the traditional models accordingly, we conclude that controllers as a population are currently not better off self-reporting. We close by offering specific suggestions for the ICO to create conditions where controllers will be better off self-reporting breaches even if they are fined. J. Manhire Visiting Faculty, Treasury Executive Institute, USA 16 | P a g e Towards a Risk-Based Approach to Data Protection: Economic Efficiency at the Expense of Fundamental Rights Efficacy? The EU introduced data protection legislation on the legal basis that it was necessary for the completion of the EU’s internal market and for the free movement of personal data throughout the EU. Nevertheless, EU data protection regulation also serves the purpose of protecting the fundamental rights of individuals. This dual purpose for data protection regulation makes it difficult to categorise from a regulatory perspective as it encompasses elements of both economic and social regulation. However, recent negotiations on the EU’s draft Data Protection Regulation reveal that numerous EU Member States now favour a riskbased approach to data protection regulation. This paper sets out to examine to what extent the adoption of a risk-based approach to data protection law will strike the right balance between economic efficiency and fundamental rights efficacy. From a substantive perspective, the attraction of risk-based regulation is that it has the potential to ensure that the regulatory burden placed on those who process personal data remains proportionate to the nature and the extent of their activities. In this sense, it is economically efficient. Nevertheless, the pitfalls of adopting a risk-based approach to personal data processing are also immediately obvious. For instance, how can a data processor determine the level of risk particular processing entails for an individual? A risk-based approach to data protection therefore also has the potential to lower the current level of fundamental rights protection afforded to individuals. Moreover, from a procedural perspective, national data protection authorities, constrained by austerity measures, are prioritising their work. Some, such as the UK’s ICO, have stated they will focus their limited resources on tackling ‘systemic problems ahead of individual lapses’. Such prioritization, stemming from economic necessity, is arguably a procedural reflection of ‘risk-based regulation’ and will also be analysed in this paper. Dr Orla Lynskey Lecturer in Law London School of Economics o.lynskey@lse.ac.uk 17 | P a g e Contemporary evolutions of EU Personal Data protection: the risk management of everything? The aim of this contribution is to provide a critical analysis on the emergence of “risk discourse” and risk management techniques in EU legislation on personal data protection. It takes as a point of departure the on-going overhaul of EU personal data protection legislations, and observes that new provisions on the management of privacy and data protection risks are to be found in the European Commission’s proposal for a General Data Protection Regulation, that of the DAPIX, as well as that of the LIBE Committee of the European Parliament. It relates the emergence of these provisions notably to Michael Power’s work on “The Risk Management of Everything” and argues that they are thus yet another occurrence of the trends therein described. However it also makes the point that though these risk management provisions are new indeed, it can be demonstrated that to some extent data protection has been a risk regulation regime since its very inception. The question it then asks is the following: if data protection has always been about the regulation of risks (to citizens’ fundamental rights), then it might allow for another account to the regulation of risk than that of risk management. Could this alternative account be related to the precautionary principle? And if so, how? Raphaël Gellert Ph.D. candidate Vrije Universiteit Brussel, Law, Science, Technology, and Society (LSTS) research group raphael.gellert@vub.ac.be 18 | P a g e Through a Glass Darkly: Revisiting Information as Property in Boardman v Phipps [1967] The Court of Appeal in the recent case of Fairstar Heavy Transport NV v Adkins [2013] EWCA Civ 886 left open the question of whether, or how, proprietary constructions may contribute to protection against the risk of abuse of information. For the argument against information as property, the judge (a point seemingly affirmed in the Court of Appeal) relied on Boardman v Phipps [1967] 2 AC 46. This is despite the fact that, of the three majority opinions in Boardman, two stated that the trust information in the case was property and the third, while inconclusive, was far from dismissive on the point. Boardman is a notoriously difficult case. As typified in Fairstar, later judges have read into it or taken from it what was necessary to justify the instant decision, creating a façade of stability which may be illusory. The object of this paper is to revisit constructions of property in Boardman in the context of orthodox proprietary reasoning, and especially relative to Fairstar. The analysis focuses on the tension between the dominant textual approach, which expounds the words in a judgment, and the historical approach, which is based not merely on what is stated, but why. In particular, the paper considers if problems of language in eliciting ratio decidendi have excluded more fruitful contributions to the discourse on the protection of information. Louisa Dubery Senior Lecturer in Property Law University of Winchester 19 | P a g e NEISAS - A pilot system for secure information sharing in critical infrastructures In the various sectors of critical infrastructure (communications, emergency services, energy, financial services, food, government, health, transport, and water), the sharing of information between the public and private sector is of primary importance in helping to preserve the confidentiality, integrity and availability of information, and especially the integrity and availability of services. Between 2009 and 2011, a pilot project funded by the European Commission – the National And European information Sharing and Alert System (NEISAS) developed a means of exchanging vital information in a secure manner between private sector organisations and public sector agencies. The project addressed in particular the need to ensure that all contributors could use a common methodology centred at the time around the ISO/IEC 27010 draft standard, which NEISAS helped to develop, and which deals with the security aspects of transfer of information between organisations. Next, the project ensured that information was classified using the so--‐called ‘traffic light protocol’ which, as the name suggests, classifies information as red, amber and green according to its sensitivity and need for protection. NEISAS also addressed the need for anonymity in cases where an organisation might suffer embarrassment or reputational damage if details about impacts to its operations became public knowledge. This was addressed through the principle of using a trusted intermediary or Trust Master to anonymise the information. The next objective of the project was that of information rights management, in which the actions that recipients could take with information they receive could be tightly controlled and previously posted information could be withdrawn. Finally, as this was an EU--‐wide project, the need for sharing information across national borders was key to its success, as was the need to share information between the different critical infrastructure sectors. David Sutton tacit.tel limited 20 | P a g e The push for open data: should EUL be replaced with OGL? ONS has a publicly declared commitment to the government’s transparency agenda. As part of our output range, ONS produce over 250 End User Licence microdata files which provide users - typically researchers - access to a huge range of social survey data such as the Labour Force Survey and Living Costs and Food Survey. The files have been anonymised so that the risk of disclosure is remote, however in addition users must agree to certain conditions of access. This paper discusses issues of disclosure in considering whether the End User Licence (EUL) could potentially be replaced by an Open Government Licence (OGL). This requires careful assessment of probability of disclosure and how it might be used as evidence within the law. We provide an overview of the work Manchester University have carried out in helping the ONS to address this issue. Dr Caroline Tudor (Office for National Statistics) and Dr Mark Elliot (Manchester University) caroline.tudor@ons.gsi.gov.uk, mark.elliot@manchester.ac.uk 21 | P a g e Trust and the International Exchange of Forensic Information. While policing and judicial cooperation across international borders has been an expectation for many years, increasingly, strategies to combat terrorism, organized and serious crime, incorporate the exchange of forensic information. While informal forensic cooperation is not wholly novel, often having been undertaken on an ad hoc basis in response to a particular event, exchange capabilities and initiatives are now numerous and formal bilateral and multi-lateral agreements to exchange forensic data between countries proliferate apace. Since the Prüm Treaty of 2005, automated exchange of DNA profiles and dactyloscopic data (fingerprints) has become mandatory across the EU. Such increasing demand and capacity for the extra-territorial exchange of forensic information between law enforcement professionals and agencies, mean that there are growing numbers of criminal investigations where evidence may have been collected, examined, or interpreted across national borders. As well as presenting technological challenges, mutual assistance in evidence-gathering and utilization pose important and urgent questions. Attempts to regulate case-based forensic practice across the EU have barely commenced and time is still needed for regulation to ‘bed-down’. Yet as forensic technologies become more sophisticated, there is the threat that the technology progresses faster than the law, social and political systems can utilise, and importantly, regulate them. Those developing the technology (scientists), and those charged with utilising it (police and legal authorities), however, (understandably) focus upon technical issues, rarely interrogating the complex inter-relationship between trust, confidence, control, security, inter alia. The social and ethical challenges facing the utilisation of forensic information shall thus be the focus here, considering how the ‘integrity’ of forensic information plays an essential role in the production and maintenance of ‘trust’: a critical factor in international policing cooperation. Carole McCartney Reader in Law School of Law Northumbria University 22 | P a g e The governance of genetic information: a view from the trenches Since the sequencing of the human genome and the advent of new and increasingly accessible technologies, the “genomic revolution” poses ethical, legal and social challenges on a scale proportional to the unprecedented volume of data that has become and continues to become available through public repositories and biobanks. As geneticists plough quietly through data to infer gene function, and link it to clinical records to find association with traits and diseases, ethicists voice concerns about individual rights to privacy, confidentiality, autonomy and self-determination being undermined, but are they? Current governance models of biobanks include the anonymisation of genetic information and various forms of informed consent. These checks and balances are the “gold standards” of ethical practice but have been criticised as ineffective and bureaucratic. Why are anonymisation and consent so problematic? Can scientists not be trusted with sensitive information? What are the real threats to individual liberties if any at all? In part, the nature of DNA material is itself to blame. Genetic information is as much about the individual as it is about his or her “connected others”. Thus, models of governance based on a postenlightenment individualistic discourse will inevitably fail to offer adequate ethical protection, whilst a move towards governance modes that encapsulate the collective nature of DNA data (e.g. through group consent) provoke fears that individual choices may not be adequately represented. Moreover, the biobanks’ potentially indefinite capacity to expand and link genetic data with other types of data means that the possibility of re-identification by cross-referencing makes anonymity next to impossible, and given that future findings cannot be predicted, regulation requires not rigid governance models but adaptable and reactive mechanisms. In this talk I review current trends in biobank governance, with particular emphasis on issues of privacy (anonymisation), autonomy (consent) and trust arising from population based research in an attempt to offer an ethical perspective from the embattled scientist’s trench. Maru Mormina Senior Lecturer in Forensics University of Winchester 23 | P a g e Should the Law Prescribe Statistical Disclosure Control? The government's transparency agenda reflects a heightened awareness of the benefits that can be derived from improved access to data. However, the sharing and linking of data across governmental agencies and services, and with private entities, combined with the recent lowering of the bar to data release by way of the government's transparency agenda, increases the likelihood that the identities of persons on whom sensitive data are collected will inadvertently be disclosed. Even so, the importance of data linkage to the development of evidence-based public policy cannot be overstated. New statistical disclosure control methods are needed in this context to enable wider distribution of record-level data, methods that will ensure that the informational content of data is retained while the risk of inadvertent breaches of confidentially is quantified, reduced and managed. This paper reports on a new approach and method for statistical disclosure control that finds and targets for protection only the most sensitive data. This approach is applied to data from the Myocardial Ischaemia National Audit Project (MINAP), a national clinical audit of the management of heart attack commissioned by the Healthcare Quality Improvement Partnership (HQIP). It is shown that the insertion of small, targeted amounts of synthetic data into records for public release helps ensure that the informational content of the data as a whole remains as intact as possible while confidentiality is substantially enhanced. In light of these developments we consider whether regulation of the use of statistical disclosure control methods on record-level data may be necessary. We develop some thoughts on how disclosure control could be regulated and outline the potential benefits and drawbacks of a legal approach. Emmanuel Lazaridis Senior Information Analyst National Institute for Cardiovascular Outcomes Research Institute of Cardiovascular Science University College London 24 | P a g e The people v Facebook: the transparency of privacy policies According to Kosinski et al. (2013), digitally mediated behaviours can easily be recorded, analysed and use to accurately predict a range of highly sensitive personal attributes including personality traits, sexual orientation, ethnicity, religious and political views. One may agree with Warren and Brandeis´ statement in their classic approach on The Right to Privacy that: “There are others who, in varying degrees, have renounced the right to live their lives screened from public observation.” Thus, if we share with our friends personal photos on Facebook, it might be reasonable to wonder, as Eady J. did in Mosley case (2008), to what extent we are the authors of our “own misfortune”. Sponsored stories are one of the last concerns on privacy protection. According to his Statement of Rights and Responsibilities, Facebook users agree to the following: firstly, to “give us permission to use your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us”; secondly, Facebook states that it “will not give your content or information to advertisers without your consent.” The wording of the statement is anything but clear. Whereas paragraph (1) suggests that users have no choice to object Facebook disclosure of their content and information; paragraph (2) seems to say the opposite: that explicit consent is required for such disclosure. In the light of the principle of transparency, as set forth in the EU Proposal on General Data Protection Regulation (2102), this paper shall analyse whether privacy policies of Facebook are easily accessible and understandable or make use of a clear and plain language. A survey conducted by the authors shall reveal privacy policies are not transparent enough and to what extent users cannot make an informed decision on whether they should exchange their personal data stored on their account. PhD. Estrella Gutiérrez Information Law Lecturer at University Carlos III of Madrid and ICT Lawyer Lucía Herrero Corporate Lawyer Universidad Carlos III de Madrid 25 | P a g e The right to be forgotten in the age of Big Data The increasing ability to analyze data represents well-recognized benefits for both companies and individuals, enabling them to provide and receive more accurate information and better adapt their private and business choices. However, given the increased volume of data creation, usage and storage, as well as the growing velocity with which it is used and exchanged, direct implications may be identified for privacy rights. As more data, from more sources, assembles around a single individual, reliable protection of identity may easily be compromised. Therefore, privacy shall not anymore be viewed as a personal good and a matter of individual responsibility, but rather as a societal one, to be protected by public rules. These concerns are reflected in the debate around the recently proposed European legislation which includes a ‘right to be forgotten’ that is aimed at helping individuals better manage data protection risks online by requiring organizations to delete their data. While this right allows individual to control the public dissemination of private information, it is clear that it cannot amount to a right of the total erasure of history. Neither must it take precedence over freedom of expression or freedom of the media. Therefore, several points need yet to be clarified: what type of data are concerned, who the data controller precisely is, till what extent the purpose of data processing may evolve and be enlarged, what kind of technological measures may be implemented, how to reach data that is being shared by multiple users, how this right may be enforced in a system that is open and global by definition, is the concept of privacy by design any response to the debate, etc. As long as all these questions remain unanswered, the constant reuse of our data will represent an important threat to our privacy. Monika Zwolinska University of Nice - Sophia Antipolis 26 | P a g e
