Domain: informationcommissioner.gov.uk
Stories and comments across the archive that link to informationcommissioner.gov.uk.
Comments · 29
-
Re:UK/EU - Data Protection Act
> I CAN force Microsoft to reveal all information they hold about me
Here's a link to Microsoft UK's data protection registration information, for the curious:
http://www.esd.informationcommissioner.gov.uk/esd/DoSearch.asp?reg=3273345
However, if you paid your £10 and asked, the answer would probably be "nothing". The definition of "personal data" in the Data Protection Act (which you can read online at http://www.opsi.gov.uk/ACTS/acts1998/80029--a.htm - do have a look, it's not too hard to decipher; all EU states have essentially equivalent legislation) is
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
I think they would claim that they cannot identify you from the information that they record. Any thoughts? -
Not a Fishing Exercise
5,000 seems a lot of people, but the police must have definite evidence to suspect them.
"Exemption 29 under the Data Protection Act can be applied if the police need some information for the prevention and detection of crime or for the apprehension or prosecution of offenders. This exemption cannot be used by the police as a 'fishing exercise'. This means that they can't ask for all your records in the hope of catching offenders but has to be quite specific and a need for this information." - Information Commissioner -
Re:BA could be liable for damages...
Not really, the circumstances in which you can claim are pretty limited (media summary);
The right to compensation
An individual can claim compensation from a data controller for damage and distress caused by any breach of the act. Compensation for distress alone can only be claimed in limited circumstances.
You, of course, must be able to demonstrate and document the damage and distress too.
-
Well..
The quickest start would be to go to the information commissioner's website (http://www.esd.informationcommissioner.gov.uk/) and see if your employer is registered to process employee data. Chances are they might be. If they're not, then you've got them. Failing that, they should (though it is not a legal requirement) comply with the codes of practice (http://tinyurl.com/dlwqr [www.ico.gov.uk]). The first paragraph of which points out that guidance on targeted surveillance of employees is 'forthcoming', so you might have to wait a bit if that's what you're worried about. If you're really impatient, you could report them to the Information Commissioner anyway. This is quite simple, and, providing you can prove (a) it is their intention to use captured images illicitly (b) pictures of you in an office constitute significant personal information and (c) that the cameras aren't being used for monitoring the 'security of the premises' or for 'public and employee safety', it would seem you've got a cast-iron case.
-
Hence the Data Protection Act.
I don't know how it works in the US, but Google's UK operation has to stay within the confines set out by the Data Protection Act.
You can actually do a quick search of UK companies and find out what information they're collecting as a result of the act. Yup, even Google.
Data Controller Search from the UK's Information Commissioner's Office. Compare Google to Microsoft - and note that Microsoft sells personal information to third parties. Google, on the other hand, does not. -
Data Protection Act
Microsoft's suggestions sound quite a lot like what we've already got in the UK thanks to the Data Protection Act.
-
Re:Looks like...
There's more information about the Data Protection Act from the Information Commissioner's Office website. Generally speaking, a sensible bit of legislation, one which the USA should look into implementing. Basically, it protects citizens' privacy. There are all sorts of loopholes and things (hey, it's the law), but the general idea is a good one.
-
Re:Nothing but good stuff with Knoppix
This is probably not legal in your country.
I know of court rulings in Denmark that have stated that it is not legal to send personal data to the US to avoid the restrictions of the local personal data protection law. The UK laws on personal data protection are almost the same as in Denmark.
If I was you and wanted to pursue this, I would - after having tried to settle this amicably with Napster.co.uk - complain to the UK Information Commissioner.
-
Re:*cough*
This is probably not legal in your country.
I know of court rulings in Denmark that have stated that it is not legal to send personal data to the US to avoid the restrictions of the local personal data protection law. The UK laws on personal data protection are almost the same as in Denmark.
If I was you and wanted to pursue this, I would - after having tried to settle this amicably with Napster.co.uk - complain to the UK Information Commissioner.
-
Re:International laws?
This is probably not legal in your country.
I know of court rulings in Denmark that have stated that it is not legal to send personal data to the US to avoid the restrictions of the local personal data protection law. The UK laws on personal data protection are almost the same as in Denmark.
If I was you and wanted to pursue this, I would - after having tried to settle this amicably with Napster.co.uk - complain to the UK Information Commissioner.
If readers in other European countries have similar problems, please check the list of national data protection offices.
-
UK-based sites that use PIE must announce this
It seems that UK-based Websites that use Flash to track visitors must clearly display a reference to this use. This is because UK legislation is not specific to cookies.
Information Commissioner's Office
Information Commissioner
"Cookies or similar devices shall not be used unless the subscriber or user of the relevant terminal equipment a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and b) is given the opportunity to refuse the storage of, or access to, that information."
privacy and electronic communications (ec directive) reg. 2003
"...a visitor must be informed wherever a cookie or other tracking system enables the collection of personal data. This might be done via an on-line notification that appears before data collection begins, or via the website's privacy statement. However, if a notification provided via an on-line privacy statement is to be relied upon it is important that at least some reference to the use of tracking technology is clearly displayed to all site visitors."
FAQ
The marketers have responded with PIE. Persistent Identification Element (PIE) is a technology that uses Macromedia's Flash MX to track you even without using cookies.
slashdot
"[Macromedia] Local Shared Objects have the same functionality as cookies" Slashdot
"The list of Visited Websites displays the following information for each website: The name of the website..."
Privacy Settings
(IANAL) -
LexisNexis UK
Not exactly sure what they do, but they have a UK division http://www.lexisnexis.co.uk/
A search on the DPA register seems to show them up, so you can write to them and get a copy of any personal data they have on you (if that's what they do?). Do they share this data with other countries?
Data classes are:
-Personal Details
-Family, Lifestyle and Social Circumstances
-Goods or Services Provided
Hmm.. -
DPA
Amazon UK's data protection register entry, looks like it just expired too.
Amazon
-
Re:British Court system is FAST!
Nearly every domestic burglar I've come across is a prime example of genuine (and usually drug enhanced) stupidity.
A basic CCTV system in commercial premises that just sits there, isn't used to spy on people, and is only looked at in response to an incident, is not covered by the UK Data Protection Act. So this set-up is exempt from the requirements.
-
Re:British Court system is FAST!
I suspect that the victim did not have his cameras registered and signposted according to the data protection act and the rules for applying it. Now, it was the guy's private residence so there is a question if the rules apply, but IANAL so I would rather not get there.
According to the Information Commissioner's Office, "Individuals who are processing personal data for personal, family or household affairs are exempt from notification and most of the other provisions of the Data Protection Act 1998." I would take that to mean that having a webcam set up in your own home is not covered by the DPA, just like keeping a personal address list isn't. (Like you, IANAL, but statements like that seem pretty clear to me.) -
Re:How did they get the safeway info??
In the UK, we have something called the 'Data Protection Act', and part of this means that you have the right to obtain the personal information that a company holds on you (although a fee may be asked for, to cover administration costs).
I believe that there are some restrictions on what you're able to access, though I'm not entirely sure on what these are. There's a lot more to the act though, and anybody interested can look here
-
Something America WONT bring to the UK
Thankfully the UK's "Data Protection Act" will prevent this coming here
:-)
info on data protection act: http://www.informationcommissioner.gov.uk/ -
Wrong about the UK
Anyone storing data about you must conform to the Data Protection Act, where it explicitly states "it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area". Your data IS protected because you are a UK citizen. The Data Protection Registrar takes any breaches very seriously and can be contacted via their web site.
Phillip. -
Re:Eh?
"British Gas was cited as the Most Invasive Company, after it declared that U.K. privacy rules prevented it from helping an elderly couple who were found dead of hypothermia in their home last winter, weeks after their gas service was cut off due to nonpayment of a 140-pound ($255) bill." How is this invasive? It sounds like the exact opposite. I'll admit it's a bit obsessive, but behavior like this is exactly what privacy is all about.
As I understand it the reason they got the award was not for killing those old people, or invading privacy as such, but rather because in an attempt to shift blame they tried to say that the Data Protection Act meant they could not inform Social Services that they had cut off the gas in the depths of winter. This was a bullshit excuse as the Information Commissioner pointed out, and was one of several cases (see the Soham murders) where various incompetents found it convenient to blame their stupidity on the Act.
In my opinion the DPA is one of the best pieces of legislation to have been created in the UK in the past 20 years. Unfortunately the current UK government, together with the EU Commission and us.gov is working to essentially destroy the act by having the USA declared a "Safe Harbour" for data transfers - ridiculous as there are almost no personal data protections in the USA at all (especially for non-US citizens).
-
Re:Outmanned, Outgunned
As for the site, it says nothing about the Reg 22 in question
Here's the Information Commissioner's Guidance on Regulation 22 (you have to scroll down to p.24 of the pdf). What, you expected something accessible from that bunch of clowns? Think again... -
FPS is the wrong people.
but rather smugly told me that they are in England so they do not have to obey the US unsolicited fax laws. She wouldn't provide me with any other company information, and then stopped answering calls from my number after repeated hang-ups. The FCC says that it is a civil matter, and to go through the courts. The Fax Preference Service in the UK says they cannot help people outside the UK.
First, a bit about UK law, which they do have to comply with if they are doing this from the UK. If you contact them directly and ask to be removed from their list, then they are committing an offense if they call you again.
The FPS is a UK-wide do not call list maintained by the Direct Marketers Association. All marketers are supposed to treat it the same as having called them directly to be removed from the list, but the only penalty for not following this seems to be a slap on the wrist and maybe getting booted out of the DMA. The DMA is not interested in enforcing the law, particularly against non-members.
Ultimately, enforcement is up to Ofcom and the Information Commissioner. If you do make a complaint, be sure to include the response you got from FPS, I'm sure they'd be interested to see how self-policing by the DMA really works.
-
Re:France & Britain
Yep - we've got the Information Commissioner (it used to be called the Data Protection Registrar, but since RIPA allowed anyone from the Security Services to the dog pound supervisor at your local council to ride roughshod over the Data Protection Act, perhaps the change in title is a rare glimpse of honesty from the Bliar junta).
OK - so maybe dog pound supervisor is perhaps hyperbole, but the list of people able to access your information does extend as far as, for example, any local authority, any health service trust, even the Royal Pharmaceutical Society.
So yes, we have a law, and even an authority set up to protect citizens from the misuse of data, but at the same time we have RIPA, which drives a coach and horses through any privacy we may have felt entitled to under the Data Protection Act.
Be assured, under RIPA the Home Secretary can add whoever he wishes to the list of people authorised to access information about citizens, and if the current atmosphere is anything to go by, business will be allowed to check the database for any of their employees.
-
Re:Get a clue
I would like to point out Europe: there are privacy laws that basically say the following:
... ... ...what you left out was the clause 'except by the state'
Come to the UK and look at David Blunkett's ideas - somehow I don't think he's cottoned on that the World described in '1984' was a bad thing. Only this week he proposed mining private and corporate databases of personal information so that he can build his ID card database. Breaks every part of the Data Protection Act (1998) - illegal? In his case - no.
Does any other country have a government position as creepy sounding as 'The Information Commissioner'? In case you're wondering, they're the unelected member of the government machine that determines if you should be allowed to see any piece of information that might upset the government.
Of course there are a few things NOT covered by the UK's FoI Act... deep breath now... ready? Pay attention there might be questions at the end.
Information accessible to applicant by other means, information intended for future publication, information supplied by, or relating to, bodies dealing with security matters, national security, defence, international relations, relations within the United Kingdom, the economy, investigations and proceedings conducted by public authorities, law enforcement, court records etc., audit functions, Parliamentary privilege, formulation of government policy etc, prejudice to effective conduct of public affairs, communications with Her Majesty the Queen etc. and honours, health and safety, environmental information, personal information, information provided in confidence and (finally) commercial interests.
Which leaves pretty much - well nothing. Britain - a land where your secrets are safe - provided you're in government, a spy or a member of an obscure part of the German aristocracy.
Best wishes,
Mike. -
Re:UK ISP's take a different stance
Sounds like a very untrustworthy ISP.
It's a complicated issue as it involves international transfer of personal data. This document may shed a light on this issue. In effect transfer of personal data to USA is not condoned under the UK Data Protection Act 1998.
Although according to the document, the law does give powers of transfer to the ISP, this seems like a grey area unless an agreement was signed to enable the ISP to give personal information to third parties.
To quote from the document.
8.8 Legal Compulsions: It should be noted that there is no exception for legal compulsion. If a data controller in the UK is required by the law of another country to transfer personal data to that country there is no blanket exemption allowing the transfer to take place. It might of course be that the transfer is necessary for reasons of substantial public interest or is necessary in connection with legal proceedings but this will not necessarily be so. A judgement will have to be made based on the circumstances of the particular case and nature of the legal requirement.
DATA PROTECTION ACT 1998
International Transfers of Personal Data
Since it's an American law I don't think the UK ISPs can give out information without a warrant from the UK courts proper.
Why not take this up with a human rights organisation like Liberty?
-
Paperwork now available
The paperwork/procedure is available now, from this site.
It's ineffectual paperwork, naturally -- and to use it you have to be able to read documents created in a secret proprietary format (MS Word) -- but then, just look at the ineffectual law it's supporting!
Yup, looks like the politicians have dropped the ball again... -
Re:Link to the actual Law
and here's the InfoCom guidance.
-
Re:Just in denial!
But new research suggests most top UK websites are already breaking the new rules. "Companies are either not aware of the legislation, or are ignoring it," said Ian Thomas from WebAbacus.
This refers to another part of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which deals with cookies.
More in this BBC report
There is more detail in the PDF files at the Office of the Information Commissioner