Archive for the ‘Supply chain management’ Category

Information Pollution and the Internet of Things

Posted on September 8th, 2013 by

Kevin Ashton, the man credited with coining the term “The Internet of Things” once said: “The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so.

This couldn’t be more true. The range of potential applications for the Internet of Things, from consumer electronics to energy efficiency and from supply chain management to traffic safety, is breathtaking. Today, there are 6 billion or so connected devices on the planet. By 2020, some estimate that figure will be in the range of 30 to 50 billion. Applying some very basic maths, That’s between 4 and 7 internet-connected “things” per person.

All this, of course, means vast levels of automated data generation, processing and sharing. Forget Big Data: we’re talking mind-blowingly Huge Data. That presents numerous challenges to traditional notions of privacy, and issues of applicability of law, transparency, choice and security have been (and will continue to be) debated at length.

One area that deserves particular attention is how we deal with data access in an everything-connected world. There’s a general notion in privacy that individuals should have a right to access their information – indeed, this right is hard-coded into EU law. But when so much information is collected – and across so many devices – how can we provide individuals with meaningful access to information in a way that is not totally overwhelming?

Consider a world where your car, your thermostat, your DVR, your phone, your security system, your portable health device, and your fridge are all trying to communicate information to you on a 24 x 7 x 365 basis: “This road’s busy, take that one instead”, “Why not lower your temperature by two degrees”, “That program you recorded is ready to watch”, “You forgot to take your medication today” and so on.

The problem will be one of information pollution: there will be just too much information available. How do you stop individuals feeling completely overwhelmed by this? The truth is that no matter how much we, as a privacy community, try to preserve rights for individuals to access as much data as possible, most will never explore their data beyond a very cursory, superficial level. We simply don’t have the energy or time.

So how do we deal with this challenge? The answer is to abstract away from the detail of the data and make readily available to individuals only the information they want to see, when they want to see it. Very few people want a level of detail typically of interest only to IT forensics experts in complex fraud cases – like what IP addresses they used to access a service or the version number of the software on their device. They want, instead, to have access to information that holds meaning for them, presented in a real, tangible and easy to digest way. For want of a better descriptor, the information needs to be presented in a way that is “accessible”.

This means information innovation will be the next big thing: maybe we’ll see innovators create consumer-facing dashboards that collect, sift and simplify vast amounts of information across their many connected devices, perhaps using behavioural, geolocation and spatial profiling techniques to tell consumers the information that matters to them at that point in time.

And if this all sounds a little too far-fetched, then check out services like Google Now and TripIt, to name just a couple. Services are already emerging to address information pollution and we only have a mere 6 billion devices so far. Imagine what will happen with the next 30 billion or so!

ICO’s draft code on Privacy Impact Assessments

Posted on August 8th, 2013 by

This week the Information Commissioner’s Office (‘ICO’) announced a consultation on its draft Conducting Privacy Impact Assessments Code of Practice (the ‘draft code’). The draft code and the consultation document are available at  and the deadline for responding is 5 November 2013.

When it comes into force, the new code of practice will set out ICO’s expectations on the conduct of Privacy Impact Assessments (‘PIAs’) and will replace ICO’s current PIA Handbook. So why is the draft code important and how does it differ from the PIA Handbook?

  • PIAs are a valuable risk management instrument that can function as an early warning system while, at the same time, promoting better privacy and substantive accountability. Although there is at present no statutory requirement to carry out PIAs, ICO expects them.
  • For instance, in the context of carrying out audits, ICO has criticised controllers who had not rolled out a framework for carrying out PIAs. More importantly, the absence or presence of a risk assessment is a determinative factor in ICO’s decision making to take enforcement action or not. When ICO talks about the absence or presence of a risk assessment, it means the conduct of some form of PIA.
  • Impact assessments are likely to soon become a mandatory statutory requirement across the EU, as the current version of the draft EU Data Protection Regulation requires ‘Data Protection Impact Assessments’. Note, however, that the DPIAs mandated by article 33 of the Draft Regulation have a narrower scope than PIAs.  The former focus on ‘data protection risks’ as opposed to ‘privacy risks’, which is a broader concept that in addition to data protection encompasses broader notions of privacy such as privacy of personal behaviour or privacy of personal communications.
  • The fact that ICO’s guidance on PIAs will now take the form of a statutory Code of Practice (as opposed to a ‘Handbook’) means that it will have increased evidentiary significance in legal proceedings before courts and tribunals on questions relevant to the conduct of PIAs.

The PIA Handbook is generally too cumbersome and convoluted. The aim of the draft code is to simplify the current guidance and promote practical PIAs that are less time consuming and complex, and as flexible as possible in order to be adapted to an organisation’s existing project and risk management processes.  However, on an initial review of the draft code I am not convinced that it achieves the optimum results in this regard.  Consider for example the following expectations set out in the draft code which did not appear in the PIA Handbook:

  • In addition to internal stakeholders, organisations should work with partner organisations and with the public. In other words, ICO encourages controllers to test their PIA analysis with the individuals who will be affected by the project that is being assessed.
  • Conducting and publicising the PIA will help build trust with the individuals using the organisation’s services. In other words, ICO expects that PIAs will be published in certain circumstances.
  • PIAs should incorporate 7 distinct steps and the draft code provides templates for questionnaires and reports, as well as guidance on how to integrate the PIA with project and risk management processes.

Overall, although the draft code is certainly an improvement compared to the PIA Handbook, it remains cumbersome and prescriptive.  It also places a lot of emphasis on documentation, recording decisions and record keeping.  In addition, the guidance and some of the templates include privacy jargon that is unlikely to be understood by staff who are not privacy experts, such as project managers or work-stream leads who are most likely to be asked to populate the PIA documentation in practice.

Many organisations are likely to want a simpler, more streamlined and more efficient PIA process with fewer steps, simpler tools / documents and clearer guidance, and which incorporates legal requirements and ICO’s essential expectations without undully delaying the launch of new processing operations. Such orgaisations are also likely to want to make their voice heard in the context of ICO’s consultation on the draft code.

Proportionality – the key to compliant anti-bribery due diligence

Posted on July 20th, 2011 by

On 1 July, the long anticipated Bribery Act 2010 came into force.   The Act attracted significant debate during its passage into law, largely due to concerns about how the newly-created s.7 offence of “failure by a commercial organisation to prevent bribery” would apply in practice. 

At an overview level, any organisation carrying on business in the UK can potentially be liable under s.7 for a bribe paid by its “associated persons” (including employees, contractors and subsidiaries), whether or not it knew of the bribe.  There is no requirement that the bribe must take place in the UK – organisations can attract liability for bribes paid by “associated persons” in overseas jurisdictions.  Criminal penalties apply for breach, including unlimited fines and even the prospect of personal liability (including jail time) for directors.  These onerous liabilities, coupled with the wide jurisdictional reach of s.7, are enough to give any senior executive sleepless nights.

“Adequate procedures” to guard against bribery risk

Organisations charged under s.7 have a defence if they can show that they had implemented “adequate procedures” to protect against bribery risk.  With a view to clarifying the anti-bribery measures it expects organisations to adopt, the Government published guidance on implementing “adequate procedures” in March this year (available here:  This explained that implementation of “adequate procedures” by an organisation to guard against bribery risk should be informed by six principles: (i) Proportionate procedures; (ii) Top-level commitment; (iii) Risk assessment; (iv) Due diligence; (v) Communication (including training); and (vi) Monitoring and review of anti-bribery policies and procedures.  

FFW has separately published detailed overviews (including FAQs) of the Bribery Act and the Government’s “adequate procedures” guidance at

Due diligence and data protection

With the excitement surrounding s.7 and the need to mitigate bribery risk by implementing “adequate procedures”, it’s all too easy for organisations to overlook their privacy compliance responsibilities.  However, organisations that do not take proper account of the privacy consequences of implementing “adequate procedures” risk jumping out of the frying pan and into the fire – on the one hand, mitigating risk under the Bribery Act while on the other hand exposing themselves to a raft of potential liabilities under UK and European data protection legislation.

This is particularly the case with counterparty due diligence.  Undertaking appropriate due diligence will be a compliance cornerstone in guarding against risk under the Bribery Act.  Of critical importance – for both data privacy and Bribery Act purposes – is that any due diligence conducted must be proportionate to its aims. The level of due diligence appropriate in any given situation will necessarily depend on a variety of factors, including the nature of the role and the organisation concerned, the services to be provided, and any other readily identifiable business or bribery risks. 

In the course of conducting due diligence, businesses will undoubtedly handle sensitive personal data relating to prospective clients, employees and contractors – such as information relating to criminal convictions and proceedings, political affiliations (e.g. if the data subject is a ‘politically exposed person’), trade union membership or otherwise.  This raises a number of issues, not least in terms of the need to make (or update) suitable data processing registrations with the Information Commissioner’s Office in order to reflect any sensitive data processed – bearing in mind that failing to make and maintain accurate and up-to-date registrations is, itself, a criminal offence. 

In particular, sensitive data benefits from enhanced protection under data protection law, and organisations must establish a lawful basis to legitimise their sensitive data processing in the first place.  In this context, it is important to note that the Bribery Act does not create a legal obligation to conduct due diligence or to process sensitive data.  It says only that “adequate procedures”, where implemented, are a defence to liability under the Bribery Act.  For this reason, simply assuming that the Bribery Act itself legitimises due diligence processing of sensitive data is misguided.  Businesses must instead consider the sensitive data processing grounds set out in the Data Protection Act 1998 and identify those that permit the specific due diligence processing in question.  Whilst various grounds potentially exist, it is important to identify the specific grounds that will be relied on in any given case, and to ensure that the sensitive data processing keeps within the scope of those grounds.  In many cases, it may be necessary to obtain explicit, informed consent directly from the due diligence subject to enable processing of his or her sensitive data.

The jurisdictional reach of the Bribery Act also has the potential to strain data privacy compliance.  Given their potential liability for acts of bribery conducted by overseas employees, subsidiaries and contractors, a natural response for UK organisations would be to conduct due diligence on any overseas counterparty they engage, either directly or through a subsidiary.  However, overseas data protection regimes may not readily permit processing of sensitive data for due diligence activities designed to mitigate risk under UK law (Spanish and Belgian data protection regimes, for example, impose strict requirements for sensitive data processing).  As a consequence, overseas subsidiaries and contractors that want to process and share due diligence data with UK businesses for Bribery Act compliance purposes may find themselves hindered by their national data protection regimes.  Likewise, overseas organisations that carry on business in the UK may want to implement due diligence procedures to guard against Bribery Act risk, but find themselves constrained by their local data protection laws.   Organisations therefore need to consider carefully how to implement “adequate procedures” in a way that fully addresses the requirements of wider European (and other) data protection regimes where these apply.

Why this matters

Any organisation implementing “adequate procedures” to mitigate Bribery Act risk must consider carefully its responsibilities under data protection law.  Without doing this, it runs the risk of implementing procedures that, while carefully designed to protect against bribery risk, attract liabilities under data protection law.  Due diligence is just one example, but organisations also need to consider other data privacy liabilities arising when, for example, implementing ‘speak up’ or whistleblowing procedures, or when conducting internal investigations into allegations of bribery by staff.

At first glance, the Bribery Act and data protection law might appear to impose conflicting demands on organisations that are difficult to resolve.  However, proportionality is at the heart of both regimes: whatever the “adequate procedures” implemented, they must be proportionate in light of the actual risks to the organisation.   For this reason, rather than considering data protection as a barrier to Bribery Act compliance, it should be viewed as an enabler to implementing effective and proportionate Bribery Act compliance mechanisms.  By considering and identifying potential privacy risks at the outset and rolling out “adequate procedures” that take account of these risks, a happy – and compliant – compromise can be achieved.

If you would like more information, please contact Phil Lee, Senior Associate, at