UK Data Protection Bill lands: Oh dear, security researchers – where's your exemption?

The UK’s Data Protection bill has landed with a hefty thud, offering up 200-plus pages of legislation for the geeks and wonks to sink their teeth into. The bill, launched into the House of Lords yesterday and published in full today (PDF), aims to overhaul the UK’s data protection laws and update them for the digital age. …

Anonymous Coward

[an offense of] altering personal data in a way to prevent it being disclosed.

Err, what's wrong with altering p-data (e.g. with encryption) to prevent it being disclosed? Presumably this makes sense in some context, can anyone enlighten me?

Edit: Hmm, is it about (e.g.) tampering with access logs to prevent disclosure of disclosures?

5
0
Silver badge

Re: [an offense of] altering personal data in a way to prevent it being disclosed.

In the context of a request to know what data an organisation holds on someone.

Altering the data to misrepresent the data / mislead the person requesting would appear to be an offence.

Caveat: IANAL

5
0

Re: [an offense of] altering personal data in a way to prevent it being disclosed.

Basically, if someone has made a subject access request, you can't decide to just delete the lot or amend the records.

5
0
Silver badge

Re: [an offense of] altering personal data in a way to prevent it being disclosed.

"Hmm, is it about (e.g.) tampering with access logs to prevent disclosure of disclosures?"

I think that's it. Of course if you don't keep logs....

0
1
Silver badge

Re: [an offense of] altering personal data in a way to prevent it being disclosed.

"I think that's it"

Nope. It is section 163

"It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive."

i.e. if you get a valid data subject access request you must not change or withhold any of that data before giving it to the data subject.

4
0
Gold badge
Gimp

"valid data..request..not change or withhold any of that data before giving it to.. data subject."

I guarantee that clause will have the usual data fetishist Police, National Security and anyone-else-we-damn-well-please exemption clause.

6
0
Silver badge

Re: "valid data..request..not change or withhold any of that data before giving it to.. data sub"

Doesn't need exemptions, because the wording is "with intent to". You can delete whatever you like, as long as you can come up with some other explanation for doing it.

And as ane fule kno, proving intent is pretty much impossible.

4
0
Anonymous Coward

GDPR is not compatible with high chancellor rees-mogg. It won't be passed into their law.

4
2
Silver badge

"GDPR is not compatible with high chancellor rees-mogg. It won't be passed into their law."

I wouldn't worry about that. Once reality starts to bite and people discover what they actually voted for Rees-Mogg will either turn out to have been an enthusiastic Remainer or be a forgotten man.

8
0
Silver badge
Holmes

The only question with Rees-Mogg is that, as he's clearly from the eighteenth century, are we dealing with time travel or a haunted portrait in his loft?

2
0
Silver badge

Winston Smith is alive, well, and working on Rees-Mogg's Wiki entry

"GDPR is not compatible with high chancellor rees-mogg. "

Someone's very busy editing the Wiki entry for Jacob Rees-Mogg

Here he's "A member of an established Somerset family of coal mine owners", in later versions that's disappeared.

0
0
Silver badge

Splendid. If you read this implementation you'll find that it's littered with clauses stating that the "Secretary of State may..." i.e., it's within their whim to change the bloody thing without laws being passed or adequate discussions being had. Has anybody read the appropriate other EU implementations and do they have the same "power-crazy individual may make sweeping changes" type clauses in them?

19
0
Anonymous Coward

You mean like the Great Repeal Bill / Great Continuity Bill / Withdrawal from the EU Bill (delete as appropriate), which gives ministers the rights to change laws as they see fit without Parliamentary overview?

18
1

So, dictatorship by the back door... wonderful

12
0
Gold badge
Big Brother

" So, dictatorship by the back door... wonderful"

Or perhaps they should just retitle it "The Act of Enablement"

The classic question is how much of this garbage is TBD using the "Statutory Instrument."

As favored by the Dark Lord Mandelscum.

7
0
Silver badge

Sure that can be the case, this government is all about taking back control and democratic accountability isn't it? They'd never do something like that.

Or possibly they're a bunch of untrustworthy lying con (would)men.

6
0

> “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR” - are fairly Kafka-esque.

Huh? That's not Kafka-esque, that's just English. What's the confusion?

8
0
Silver badge

"That's not Kafka-esque, that's just English."

Yup. It's an assurance that the terms don't mean one thing in one place and something else in the other. Just the opposite of Kafkaesque.

8
0
Anonymous Coward

"When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean—neither more nor less."

But if the use in one context implies one thing and its use in another context implies another thing then that's a fact. Can you make a word have the same meaning in different contexts just by saying it has?

2
0
Silver badge

Can you make a word have the same meaning in different contexts just by saying it has

Sure. Remember, this is English, where we can make the word spelt "Happisburgh" be pronounced "Hayesburra".

6
0
Anonymous Coward

Would it not be the same to have shortened it to "Terms used in Chapter 2 and in the GDPR have the same meaning"?

Otherwise the insertion of both makes it easier to read, i.e.

“Terms used in both Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR” or any number of ways of making it more accessible.

2
0
Silver badge

Damn you sir, what do you mean by that?

Lt-Col Cholmondely-Featherstonehaugh (ret'd)

3
0
Silver badge

Why not just import the fucking descriptions of the terms from the GDPR as well?

(I bet I'm missing something ;) )

4
0
Bronze badge

Would it not be the same to have shortened it to "Terms used in Chapter 2 and in the GDPR have the same meaning"?

Because the meaning in the GDPR is applied to Chapter 2, but the reverse doesn't happen.

5
0


@Tom 38, you could also point out the fun the left-pondians have with "Wooster Sheer Sauce" - the norm seems to be something akin to "War Sez Ter Shire". Just because it is spelled "Worcestershire" is no excuse.

Similar for "Edin Burg" etc...

0
0
Silver badge

in practical terms, the [defences set out in the legislation] should prevent anyone being unfairly prosecuted for public interest security research

Should, yes, but will it? Somehow, given the Home Office's record on the subject, I very much doubt it.

5
0
Silver badge

What makes you think that? The list of people who can have a public interest defense is:

"the administration of justice,

(b) the exercise of a function of either House of Parliament,

(c) the exercise of a function conferred on a person by an enactment, or

(d) the exercise of a function of the Crown, a Minister of the Crown or a government department."

1
0
Silver badge

Ye gods, that's awful.

Any law that gives enumerated exemptions to specific people, however defined, is unjust. (Because "justice" means you treat all people the same, regardless of who they are - what matters is what they do.)

For the same reason, an "exemption for security researchers" would be a bad idea. What's needed is a clearly defined rule describing exactly what you're allowed to do with the information once you've obtained it - which should be exactly the same, regardless of whether you're employed by GCHQ or Bob's Discount Computer Repairs.

5
1
Silver badge

so they will have "to take care to ensure what they do is 'justified in the public interest'."

After the Clive Ponting case it was decided that the public interest is defined as the interest of the current gang of crooks in power, not of the general public.

8
0
Anonymous Coward

Not entirely, it is up to the CPS to decide whether a prosecution is in the public interest.

1
0
Silver badge

it is up to the CPS to decide whether a prosecution is in the public interest.

Ah, yes. The Clown Prosecution Service. The people who let Dodgy Lord Janner off the hook, amongst many other "mysterious" decisions.

0
0
Silver badge

It also seems that Direct Marketing and Data Sharing have no clarity. The Bill states that the ICO must come up with a code of practice for each at some point and then have it approved by parliament, but failure to follow those guidelines does not make the company liable to prosecution.

Almost sounds like - "we're running out of time for this complex part where everyone is lobbying us and threatening to withhold their party contributions, we'll just pass the buck and deal with it later".

2
0

Logging the lot

Chapter 60 says:

A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—

(a) collection;

(b) alteration;

(c) consultation;

(d) disclosure (including transfers);

(e) combination;

(f) erasure;

etc....

IANAL, but as there is no definition of what an APS is, nor of the retention period, I may be led to think that we'll also have to log access to each email or contact page in a CRM, as they all contain PII.

If that's the case then many applications in use aren't compliant, and those that are will generate so many logs that it would be impractical for many SMEs to comply.

I've checked the Explanatory notes and they don't define the logging requirements any better.

Any additional PoV?

3
0

Re: Logging the lot

An APS is pretty much any data storage system in use as the whole point of them is to automate manual tasks (think emailing a receipt at the end of a transaction for example)

You will have to log every interaction with the data to meet this as it's currently written, which will mean you will end up with more data in logs than in the actual database. GDPR focuses on consent changes and adequate tracking of how consent is obtained and removed, so it makes sense to log those.

One way of increasing server sales and boosting the economy it seems!

2
0

Re: Logging the lot

If it was for boosting the economy it may be, kind of, OK but as that's not in the original GDPR it smells fishy.

Some say... that the usual lobbyists promoted a feature that may be available on their Cloud platform very soon... naturally at a premium.

I wouldn't be surprised.

3
0

Logging applies only to law enforcement agencies

Clause 60 sits within Part 3, and Part 3 applies only to "processing by a competent authority", defined as "a person specified in Schedule 7, and any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes, but excluding intelligence agencies".

At the moment, Schedule 7 contains pretty much what one would expect to be treated as law enforcement agencies.

For now, at least, "normal" data controllers appear to be able to sleep a little easier...

0
0
Facepalm

Rip it up and start again!

> The document runs to 218 pages, with 194 clauses, 18 schedules and 112 pages of explanatory notes, and - as has been pointed out by many observers, parts of the text - like this eye-crossing sentence: “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR” - are fairly Kafka-esque.

If a 116 page document needs 112 pages to explain it, it is not fit for purpose and needs to be binned and started again from scratch!

We need laws to be clear and easy to understand, not so complicated. The more complex it becomes, the more clauses it needs to fill in the holes those complexities make!

Also, if this is replacing GDPR it should state those terms and not quote something it is replacing. What happens when Euro rewords GDPR, is it the old or the new version?

7
0
Silver badge

Re: Rip it up and start again!

"We need laws to be clear and easy to understand not so complicated."

Laws have something in common with programs. They are lists of things to do. And, therefore, they have to be able to deal with all those tricky corner cases. Remember all those problems with programs where nobody bothered to check whether a parameter passed to a function was within specification? Not checking made for clear, easy to understand, compact and unreliable code. Checking made for longer, somewhat harder to read and more reliable code.

Your clear and easy to understand laws trying to regulate unclear, hard to understand life are liable to fail to fit. Here's one instance for you to consider. It was real and goes right back to the DPA Mark 1 and to my days as a forensic scientist and setting up a casework system for my lab. As such I might receive an exhibit labelled "Clothes of John Smith". That's a label someone else wrote and so would be the accompanying documentation. I, personally, have no idea whether they are indeed the clothes of John Smith, nor who John Smith is. Someone may have given a false name of John Smith. I don't even know if they came from a single person. The defence might subsequently dispute some or all of what I've been told. Should I count the label and accompanying documentation as PII? What does the law say about it? What would you do if you were in that position?

3
0
Silver badge
Big Brother

"...aims to overhaul the UK’s data protection laws and update them for the digital age."

Erm, the 1998 Data Protection Act was written for the digital age. Perhaps you mean the social media age where nothing is private anymore?

11
0


Silver badge

Exemptions

As I read it, the following are exempt:

1. Anyone in government, or government related activity (like policing)

2. Anyone in banking

3. Credit reference agencies

4. Employers checking on their employees

5. Phone hacking journalists

6. Google health data researchers

7. Sporting bodies

Is there anyone left who isn't covered by an exemption, apart from a few small businesses trying to scrape by?

5
0
Silver badge
Big Brother

So

the guy informing Iceland (in another el-reg story today) that their web security sucks would be committing a crime by finding out Iceland's web security sucks

And then another crime by going public with the information 12 months after telling Iceland their web security sucks.

Is this what is meant by "Security through obscurity"?

6
0
Gold badge
Unhappy

But if you think that's bad, consider it from the other EU members' perspective.

Because if they can't figure out whether their data is protected in the UK they have a simple option.

Don't deal with the UK.

Delusional moron Brexiteers will sniff "Good riddance," but I think people might be surprised how many businesses depend on a data flow from Europe to carry out their business. Either they move to an actual EU country, or they lose that business.

11
2

Re: But if you think that's bad, consider it from the other EU members' perspective.

They already are moving the data. General consensus is stick the data in the EU27 and let the ICO worry about the problem rather than the other way round.

Anyone relying on an adequacy approach for UK law to allow them to process EU data subjects' data is taking a significant risk.

3
1
Silver badge

Re: But if you think that's bad, consider it from the other EU members' perspective.

The problem with "Don't deal with the UK" is that it may break some of their (EU company/division/governmental body) processes. That's also the problem with the USA being sometimes inside a boundary, sometimes out, depending on the current legality or not depending on the phase of the Moon in the EU (ECJ). Increasingly anything transnational is a nightmare and only seems set to get worse.

Anarchy is sounding better and better.

1
0
Gold badge
Unhappy

"They already are moving the data."

That was sort of my point.

Of course only time will tell if this is a minor readjustment by the very most twitchy companies or if it's a general data exodus from the UK to the rest of the EU, and of course whether the jobs to process, store and protect it go with them.

But either way UK IT staff will be finding out real soon.

Have you noticed how often these questions come down to "That's a tricky legal area?"

Better hope David Davis and his Brexit negotiating team are playing their "A" game.

1
0

Is consent needed to hold records regarding consent?

If a system asks for consent, and consent is not given, a) should the system store personal details to be able to demonstrate that consent was not given (and so show compliance) and b) in order to ensure the system doesn't repeat the consent screen on subsequent visits?

Or are we at the stage of the cookie-warning, where everyone will get asked the consent questions every single visit (eg for session management, IP security checks), unless they have opted in?

1
0
Silver badge

Re: Is consent needed to hold records regarding consent?

Covered under the necessity justification.

1
0
Bronze badge

Is it just me...

Or should the offense be not anonymising the data properly,

not de-anonymising it after said offence?

1
0


Biting the hand that feeds IT © 1998–2017