Domain: ico.gov.uk
Stories and comments across the archive that link to ico.gov.uk.
Comments · 74
-
Re:Do We Really Need Cookies?
This is a great comment. However, in theory this has already been done through the Data Protection Act.
Unfortunately companies don't appear to get prosecuted for not complying at the moment and the rule isn't particularly enforceable. Not least because this is a UK law (although it might also fall into EU law) and the majority of sites you browse aren't UK based.
I should have stated it in the submission: Cookies can't collect personal data. If you enter personal data into a website and allow them to market to you because of it, then it is your own fault if they then market to you because of it. Another site can't collect that personal data without the site you entered it into giving them permission. If they do it illegally they should be punished, but this is nothing to do with the cookie. This should be what the EU focus on creating new laws. The cookies thing won't stop it.
-
Re:Demand to see them
You can request any footage of yourself, regardless of whether it's made by a public or private company. I recall Mark Thomas did this on his TV show numerous times against various McDonalds restaurants - and was sent any due recordings.
The UK CCTV code of practice also states this, see section 9.2 (Subject access requests)
-
Re:Demand to see them
This is me modding up without any mod points.
p.s. I seem to recall yes you can request footage from CCTV cameras but I think they are supposed to blur other people's faces.
Which got me googling and turning my comment into something relevant to the OP - a decision notice [PDF] by the Information Commissioner's Office on CCTV:
in the Commissioner's view, were CCTV footage to be available to the public on-demand, this would be likely not only to undermine the intended use and purpose of the technology but also to adversely affect individuals' personal privacy.
And on a more general note of disclosure of CCTV footage:
In this case, disclosure of the requested footage (whether to the complainants or the general public) would be an unnecessary and disproportionate interference by a public authority in individuals' private lives as it cannot be justified by any of the reasons provided for in Article 8(2) ECHR and, as such, would be incompatible with that right. Further, in the Commissioner's view, were the public allowed access to CCTV footage on demand by virtue of the Act this would erode personal privacy and undermine public confidence in the acceptable and responsible use of CCTV technology and the benefits such technology brings. As a result, release of this footage to the complainants or the general public would not only be unfair, but would also be unlawful as it would amount to a breach of section 6 of the Human Rights Act 1998, which provides that it is unlawful for a public authority (in this case the PCT) to act in a way which is incompatible with a Convention right (in this case Article 8 ECHR).
The ICO have guidance to help organisations using CCTV to stay within the law.
-
Re:And when you can't get a loan?
In the UK you have the right under the Data Protection Act to require them to correct inaccurate data they hold about you. If they fail so to do then you should report them to the Data Protection Commissioner.
-
Re:If he has my sensitive data...
this former cop is not a public body, so this doesn't apply to him
From the site: The Data Protection Act requires all organisations which handle personal information to comply with a number of important principles regarding privacy and disclosure. The Act states that anyone who processes personal information must comply with eight principles. Also, if he's 'selling' or even storing this data, he's no longer a private individual. Any company or organisation is held to the DPA. It specifically says: The Act will usually apply unless you are an individual holding personal information for your own domestic use, eg an address book.
another government agency could make the request for the entire database encrypted and loaded unto a DVD (or a couple of DVDs), and that would count as just *one* request
That would be a governmental issue. If he's legally storing the data, he can legally charge up to £10 for online record access, or up to £50 for paper records.
If someone knows that a person's personal data has been breached, he's obligated under the current law to notify each potential victim of that breach
As I understand it, he's bought the data. It's not really his problem where the data has come from if he's following the DPA. You might have different rules in the US, but it might be useful to read the DPA to see how different the rules are here. Amazingly the UK is quite stringent on data, and even teaches the Data Protection Act in schools.
-
Re:If he has my sensitive data...
If you're in the UK then as long as the data isn't held securely by him then yes. The UK's data protection act requires that all information that can be used to personally identify an individual is held securely.
FYI (why is no-one linking to the DPA?) - it also says anyone who processes personal information must comply with eight principles, which make sure that personal information is fairly and lawfully processed
-
Re:If he has my sensitive data...
It is the Data Protection Act you use, not the Freedom of Information Act. FOI applies to non-personal information held by public bodies, and no fee is payable.
It IS the Data Protection Act but a fee of up to £10 can be charged per request
-
Re:Definition of "Spam?"
When I chaired a society at university I got loads of spam (my address was listed on the university's website as the contact for the society), and so did the society's email address. Most of them would be asking me to spam everyone in the society with offers for summer "charity" work and so on. I usually replied with this, which scared them off:
This is a spam.
Quoting from http://www.ico.gov.uk/what_we_cover/privacy_and_electronic_communications/the_basics.aspx
,----[ Electronic mail ]
| Electronic mail is emails, SMS (text), picture, video and answer-phone
| messages. Electronic mail marketing messages should not be sent to
| individuals without their permission unless all these following criteria
| are met:
|
| 1. The marketer has obtained your details through a sale or negotiations
| for a sale.
| 2. The messages are about similar products or services offered by the
| sender.
| 3. You were given an opportunity to refuse the marketing when your details
| were collected and, if you did not refuse, you were given a simple way to
| opt out in every future communication.
`----
You have met none of these criteria. If I receive another message from you I will report your business as sending spam.
-
Re:Not so fast! What about passports?
What information is held in the National Identity Register database that the government doesn't already have access to via bank records, tax records, drivers license and DVLA database, mobile phone subscriber and call logs, passport, etc.? If the government already has access to all of this information in its various databases, then what difference does it make if it gets centralised into a single database?
Because the Data Protection Regime the government is supposed to work under says that they shouldn't do that:
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
* Fairly and lawfully processed
* Processed for limited purposes
* Adequate, relevant and not excessive
* Accurate and up to date
* Not kept for longer than is necessary
* Processed in line with your rights
* Secure
* Not transferred to other countries without adequate protection
My emphasis - more explanation here
Also, there's no reassurance that they won't hold Sensitive Personal Information sourced from wherever they like and make it available to anyone they bloody well like.
If you want to volunteer for this, fine, go ahead. But don't make me part of it.
-
UK ICO response
I seem to recall a rather more blunt quote, but since I unfortunately cannot find it, the official ICO response to the proposals was:
20 October 2008
ICO statement on the Communications Data Bill
A spokesperson for the Information Commissioner's Office (ICO) said: "This summer the Information Commissioner called for a public debate on government proposals for the state to retain citizens' internet and phone records. The Commissioner warned that it is likely that such a scheme would be a step too far for the British way of life. Creating huge databases containing personal information is never a risk-free option as it is not possible to fully eliminate the danger that the data will fall into the wrong hands. It is therefore of paramount importance that proposals threatening such intrusion into our lives are fully debated. We welcome the fact that the government intends to fully consult the public on any scheme it brings forward. Precise details of the plans are unclear at this stage; the ICO will be studying the proposals once published and responding to the Government's consultation in due course."
Incidentally some may find the ICO's press release list (the source for the above quote) makes for some interesting reading. Surprised there is no follow-up to the debate though, I'd have thought he'd try to get his oar in again.
Just kidding. They simply didn't bother with the debate: "Civil libertarians are outraged that the change came into force without a debate in parliament, having been brought in by statutory implement". (statutory instrument info).
So, it would appear that firstly they sneaked the EU directive in by calling it "commercial" legislation rather than a policing one. This forced themselves to implement it, but allows them to blame it on the EU, even though they were the ones pushing it through there. Back home, they proposed a Bill (which would result in an Act, a "proper" law by "proper" means IMHO), started the normal proposal procedure, but then didn't like what they were hearing so chucked it through as a statutory implement instead. Nice.
Oh and by the way, since people seem to be avoiding it, the names of the directives & law are, I think:
UK SI The Data Retention (EC Directive) Regulations 2009
(Also see Regulation of Investigatory Powers Act 2000)
EU Directive is EU Directive 2006/24/EC[PDF]
(doubtless there's a raft of other legislation of varying degrees of relevance)
-
Re:Tortuous?
Yeah, not going to be too easy, but at least they're taking it seriously and offering help. According to news on the ICO's website, "From 16 March the ICO will operate a dedicated enquiry system for people who believe personal information about them may be held on the database. Members of the public are advised not to contact the ICO until 16 March."
-
Why Facebook can't afford to delete anything
One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person's sent messages box and the other in their friend's inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work.
Except that Facebook is completely unlike email, because everything is under the control of a single company, in a single application. If I share something with a friend (and by "share" that means "make a status update" or "post a new public photo", not necessarily privately a one-to-one private exchange), Facebook does not make a separate copy of that information in their database for every single person that might read it, that is under that person's exclusive control. The data and sharing terms remain under Facebook's control at all times.
So in the UK they should be terrified of the first person to issue a Data Protection Act request to stop processing personal information which, if a request were justified (e.g. "someone is stalking me, I need to be anonymous for a while"), could force Facebook to delete every piece of information linked to your account. For instance they would have to turn your name and every reference to your account into Account_Redacted1234, leaving status updates and historical information deleted or looking broken. They would probably also have to remove / blur any tagged photos to comply fully.
If there is ever a channel for this kind of information editing to start happening, Facebook could be in trouble as soon as somebody starts a "this site sucks, and I'm going to get my information deleted!" movement. As a defence they are trying to retroactively write themselves blank cheques with people's personal data in ways that seem rushed and legally questionable in some parts of the world.
-
Re:Wait, CCTV owners?
The DPA does not apply to CCTV. CCTV information is simply in a recording in chronological order - it has no filing system based on an individual.
It's not as simple as that. Whether something is personal data often depends on the context. For example, quoting the ICO web site you linked to yourself:
"Where an individual is not previously known to the operators of a sophisticated multi-camera town centre CCTV system, but the operators are able to distinguish that individual on the basis of physical characteristics, that individual is identified. Therefore, where the operators are tracking a particular individual that they have singled out in some way (perhaps using such physical characteristics) they will be processing 'personal data'."
-
Re:Wait, CCTV owners?
The DPA does not apply to CCTV. CCTV information is simply in a recording in chronological order - it has no filing system based on an individual. See http://www.ico.gov.uk/Home/what_we_cover/data_protection/guidance/technical_guidance_notes.aspx If there was some way of accessing the information by name or a number that could identify an individual then it would be covered.
-
Re:No privacy policy
I was going to download it, I was even going to pay.
However, the site requires you to enter your name, address, email address, and if I remember correctly also your phone number. Because of this, I looked for a privacy policy but couldn't find one. Therefore no sale.
Exactly my response - by the end of this Radiohead - or rather their marketing agent - will have personal data including mobile number for millions of people.. What are they going to do with it?
As for UK strong laws - true, but the Information Commissioner http://www.ico.gov.uk/ recommends that every site collecting data should have a published privacy policy. Why did Radiohead choose to ignore that?
I also found the site unreliable - I'll get a copy by 'other means'
-
Re:Trolling headline
It is still quite legal for an employer in the EU to declare that its computers, phones, etc are for business use only, and that correspondence will be monitored.
That's a very bold statement. Care to back it up with sources?
We should also note that there is a difference between monitoring and intercepting communications. In essence, the former is looking at things like where an e-mail is going from and to or the addresses of web sites visited, while the latter involves observing the content. This ruling seems to refer only to monitoring communications.
For those who are interested in the UK, the Information Commissioner's Office publish a rather detailed Employment Practices Code (caution: large PDF) that gives a lot of guidance to employers on the relevant laws and guidelines. The topic of intercepting electronic communications such as phones and e-mail is covered in a fair bit of detail.
-
Re:THE FALCONER!
>>> Just having a database of addresses without the consent of the people who own the addresses may be illegal.
Never mind maybe, it is!
I run a business (two actually) and keep client details. We're supposed to pay a fee and register with the information commissioner to do that I think. http://www.ico.gov.uk/Global/faqs/data_protection_for_organisations.aspx
That's beside all the other conditions you rightly mention. So why is this law needed? It's already an offence under existing statutes.
Oh and I agree that just prison may not be right. A shorter spell in prison (paid for using sale of their own assets [or those of parents in case of under 16s]) and an extended spell on working cleaning litter and dog crap from our countryside, painting community buildings, cleaning sewers, skilled work for charities where appropriate, etc.. Followed by a state sponsored television broadcast of an apology and explanation of the crime, punishment and why it was wrong (helps to demonstrate rehabilitation and deter others).
Claims for state support after release from prison would be limited to a living expense + a bunk bed and locker. No flats with satellite TV! Those finding work will have a small additional income tax taken to pay off any excess expenses.
-
Re:yeah, well
Bill of Rights 1698 http://en.wikipedia.org/wiki/Bill_of_Rights_1689
Data protection Act http://en.wikipedia.org/wiki/Data_Protection_Act
Subject access Request http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/subject_access_-_guide_for_data_subjects.pdf
-
Re:Funny
The only downside that I can see is you have to put up with people whinging about a `surveillance society` without defining what that is, and what's wrong with it.
"Surveillance Society" is defined in great detail in the report which led to the article which started this discussion: The Information Commissioner's "A Report on the Surveillance Society".
In this context, surveillance is not just about cameras. They are not even the most important aspect. Unfortunately they are the most visually obvious signs and so the media tend to concentrate on them rather than the underlying framework. The surveillance society is about the database state - the detailed picture of our lives that is assembled by the state, ostensibly in the name of efficiency and serving us better, but often acting in a manner that reduces personal privacy and basic freedoms.
Now the National Identity Register and National DNA Database - they scare me. I'll fight against those!
Why? Something to hide? Remind me of the downside again?
The Identity Cards Act requires each of us to notify the authorities of our whereabouts on pain of a 1000 pound fine - why should this be necessary? Why should people escaping domestic violence have to update a central database, to which many thousands of people will have access, when they are trying to hide?
The National Identity Register will record every visit to a clinic. Why should petty officials be able to find out if their neighbour has had an abortion?
A DNA database could potentially allow those with access to know whether we are at increased likelihood of suffering from particular diseases later in life, some of which we may not yet even know are genetic and from which you yourself might be at increased risk. There are no safeguards in place to prevent employers or insurance companies from discriminating against such bad risks. Once information is out in the open, there is no way to recover it.
It is extremely foolish to even consider collecting all this information into one central, vulnerable, database when there hasn't been even the slightest thought about who should have access and what rights individuals should retain over the processing of their data.
-
Re:I see considerable harm...
WGA communicates with Microsoft HQ. The information transferred may or may not be 'sensitive' but this could be considered an invasion of privacy.
Hang about - presumably this is going on all over the world, right?
How does it stand in those parts of the world with Data Protection laws?
For instance, in the UK, the Data Protection Act is supposed to ensure that data is:
* fairly and lawfully processed;
* processed for limited purposes;
* adequate, relevant and not excessive;
* accurate and up to date;
* not kept longer than necessary;
* processed in accordance with the individual's rights;
* secure;
* not transferred to countries outside the European Economic area, unless there is adequate protection.
http://www.ico.gov.uk/eventual.aspx?id=34
-
Re:Sounds like it was more a concern about protect
In the US, we'd rather give our personal information to 1000 companies individually than give it once to the government.. because we don't trust our government.
To point out the obvious, that's because your government is untrustworthy and just steals the data anyway... not that it's relevant here.
As an American, it's incredible, to me, what the UK will not allow private companies to do, but will allow the government to do.
This may be true in general, but in the context of data protection it is not. You have exactly the same rights regarding data stored by the government that you do for data stored by private corporations. If a company or the government has some data stored on me, then I have a legal right to:
- Know what data they have stored
- Supply them with updated data and require them to update their records to reflect this
- Demand to see their policies for how the data is stored and updated
- Prohibit them from using data for purposes other than those it was collected for (so if they collect my name and address for the purpose of sending me something I bought, they can't sell that information to choicepoint or other marketers)
- (and some other less interesting things)
That's what this is all about. UK companies are legally required to guarantee me that these rights will be upheld on any personal data they have about me. That means they may not give my data to foreign entities who don't guarantee these things - even if I didn't prohibit them from using my data for marketing purposes, they still can't give my data to a foreign company unless that company is legally required to let me see and update what they have.
US companies aren't required to do these things (and by and large, most of them are either very hard or impossible to do in the US), so UK companies can't give them any personal data about me. It's got nothing to do with trusting governments or companies.
National security does not excuse these requirements. 'Personal data' is a limited subset of information. I am entitled to demand that MI5 tell me what they think my current address and credit history are, and that they update these records if they are wrong. If the US cannot manage to get these very simple things right, then they may not have my data, regardless of the security implications.
The CAPPS program is a good example. You'd go to the airport, and a few people would be turned away for no apparent reason. If you are on their blacklist, getting off it again is extremely hard. This mess would be completely illegal in the UK; here they would be required to help you sort out the problem. Also, a system that makes purely automated decisions about you in this manner is explicitly illegal here (section 12 of the Data Protection Act 1998). Until the US passes laws to stop this sort of thing from happening, we are not going to trust them with our data.
(The ruling is specifically about the unelected bureaucrats on the EU council trying to waive these requirements, and the EU court overturning the council's most recent attempt, at the request of the elected parliament, on the basis that the council had no right to do that).
-
Re:You can always request copies of CCTV
As far as I know, you can only obtain CCTV camera footage under UK privacy law if you were deliberately targeted for filming. You cannot request footage from a passive camera that is filming a "general scene".
http://www.ico.gov.uk/documentUploads/CCTV_Systems_and_the_Data_Protection_Act_Good_Practice_Not%E2%80%A6.pdf