Today the UK Information Commissioner's Office (ICO) announced the publication of its report on the business case for investing in proactive privacy protection, which it is launching at the Data Protection Officer Conference in Manchester.

The aim of the research and report defined in the tendering brief was to create a soundly argued business case for expending money on privacy friendly systems and business processes. John Leach of John Leach Information Security Ltd and myself working for Watson Hall Ltd submitted a proposal to undertake the project for the ICO. We were awarded the contract in August 2009.

We began the project by producing a public discussion document and initiated conversations with a number of experts. Our research was complemented by interviews with a cross-section of data processors and discussions held with an expert panel. We were particularly concerned about producing a report that would be relevant across all UK business sectors and size of organisation. Our draft report was reviewed by a small number of senior business leaders, and modified based on their experience and knowledge of justifying investments and practical experiences of implementing privacy protection measures.

The result? Well I'd like your opinions after reading the report. The Privacy Dividend is comprised of two volumes:

• Volume 1 - The Business Case (20 pages)
• Volume 2 - Supporting Materials (71 pages)

I hope you find "The Privacy Dividend" a useful resource. Additional updates and references are included on the Business Case for Investing in Proactive Privacy Protection project microsite.

Last month I described the ability to track users sessions with browser data. A recent posting on IT Law in Ireland highlighted a series of blog posts elsewhere that give further insight into what is possible.

Well, I just got round to reading them properly. The posts on Freedom to Tinker by David Robinson and Harlan Yu are:

• Identifying John Doe: It might be easier than you think
• What Third Parties Know About John Doe
• The Traceability of an Anonymous Online Comment

The conclusion? It is possible to trace and identify individuals easier than you may think. We are dropping evidence like dead skin cells as we traverse the internet. Fact or fiction? Well the US Defense Advanced Research Projects Agency (DARPA) are taking it seriously with a recent call for research into cyber genetics, cyber anthropology and cyber physiology in its Cyber Genome Program. DARPA hopes to develop advanced methods to fingerprint or identify the origins of a cyber attacks by examining digital artifacts, and presumably other criminal activities utilising computer technology.

Getting a bit more down to earth, web site owners need to consider what information is being gathered and why, ensure this is legal, check that consent is implied or has been explicitly given for the purposes and what monitoring and analysis is performed on the data. It could be easy for system developers to carried away with tracking and tagging. Contracts with third parties should state clearly what the expectations are about the security and privacy of information, to protect web site users (employees, customers, clients, citizens) and the business.

The Ponemon Institute has realeased its latest survey of UK data losses.

The findings of the 2009 Annual Study: Cost of a UK Data Breach indicate that personal data losses ("breaches") are still increasing in cost (per record). The report discusses the growth of data breaches due to malicious attacks and botnets, how prevalent these are compared with other losses and the relative costs. The report also presents comparitive data for losses involving third parties, and for organisations who have experienced their first data loss.

Although we hear a lot about lost or stolen devices (laptops, USB sticks, mobile phones, etc) and malicious/criminal attacks, the most common primary cause for the losses was negligence.

The recent news that the German government is considering buying stolen personal data of its citizens who it suspects of tax evasion is worrying. This sort of activity may fuel personal data theft by leavers and disgruntled employees.

The report is available in PDF format.

I have updated the chart detailing the most important guidance, standards, legislation and organisations that can affect web development security and privacy in the UK.

The Principal Influences on UK Web Applications is published on my company's web site and details the changes made since the previous version in August. The information is laid out as a mind map diagram, and as a text tree.

Not all the items are relevant to every web site—some aspects are sector specific—but much of the guidance from organisations, in guidelines and in standards can be of use beyond their intended audiences.

But this chart isn't just about web site security and privacy. The chart can also be useful for organisations implementing an information security management system (ISMS) that need to keep up-to-date with compliance requirements, and those with a need for knowledge on wider information assurance (IA) aspects. There's quite a lot of overlap.

This week the Ministry of Justice published the summary of responses to their consultation on revised fines for serious breaches of the Data Protection Act.

In Civil Monetary Penalties: Setting the Maximum Penalty proposals were made for a maximum £500,000 fine following granting of powers to impose civil monetary penalties being added to the Data Protection Act (DPA) 1998 (Sections 55A to 55E) by the Information Commissioner's Office (ICO) through section 144 of the Criminal Justice and Immigration Act 2008.

The 52 submissions described in the summary of responses showed broad agreement for fines up up to £500,000 for data controllers who seriously contravene data protection principles. The ICO issued a press release Data Breaches to Incur Up To £500,000 Penalty on the same day with details of how they will consider:

• the circumstances including the seriousness of the data breach
• the likelihood of substantial damage and distress to individuals
• whether the breach was deliberate or negligent
• what reasonable steps the organisation has taken to prevent breaches.

The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament.

The statutory guidance is worth reading since it outlines things such as "reasonable steps the Commissioner expects the data controller to take" that include (in a non-exhaustive list that includes mention of risk assessment, governance, audit, policies, procedures and practices):

So, the standards are being raised.

Subject to Parliamentary approval, the civil monetary penalties are expected to come into force later this year on 6 April:

• Draft Order "The Data Protection (Monetary Penalties) Order 2010"
• Statutory Instrument 2010/31, The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

P.S. If you are interested in privacy matters, The EU's Article 29 Working Party and Working Party on Police and Justice have jointly published a paper on The Future of Privacy (WP 168) and there is an excellent summary and overview on the Tech and Law blog. The conclusion: a new comprehensive legal framework for data protection is needed in the EU.

It's that time again when organisations want your opinion on how well they've been performed in the previous year. I'm often quite happy to provide feedback, but sometimes prefer this to be anonymous.

Many of these surveys use third party services to display the form and collect the data, but very few have privacy notices or details you would expect/require on a corporate web site (e.g. the company registration number and registered address). But I can't remember one of these where the option for complete anonymity is provided. The links often include a code in the address URL (an argument name with a value) which I suspect identifies the recipient.

I copied the link and removed the value from the argument and was presented with a horrible error message which gives clues as to what the site is doing. Perhaps a database query that can't find NULL as an identifier?

Then I tried it with the argument completely removed.

So very sloppily put together. At least hide this script error message. Better still, inform me why this code is necessary and give options for anonymity. After all, some feedback is better than none.

If you're going to use third party services, ask them what security verification has been undertaken and to what standard. They should be able to provide details of a recent independent audit if they don't allow their customers to verify security themselves.

Following on from Tuesday's topic of terms and conditions for interactive advertising, the US Network Advertising Initiative (NAI) has just released their 2009 compliance report.

The NAI is an association of 35 US advertising networks, data exchanges, and marketing analytics services providers including Advertising.com, Google and Yahoo.

The NAI Compliance Report 2009 discusses compliance by its members with its self-regulatory code of conduct governing the collection, use, and disclosure of data for online advertising services by its member companies (the NAI Code). The NAI Code has its own definition of personally identifiable information (PII) and sensitive information and its own protection principles. The NAI found its members to be broadly in compliance with the code, apart from ten members that did not disclose specific retention periods for data collected.

Whatever your views of behavioural advertising, industry initiatives like this to improve, and report on, standards are a welcome contribution. No doubt the code will evolve over time, but it is a good starting point. The code perhaps lacks requirements for measuring the accuracy of data or requiring ways for consumers to correct information about themselves, and it would be useful to know what checks are being undertaken as part of the audit. For example "Reasonable security is determined in light of several factors including, but not limited to, the sensitivity of the data, the nature of a company's business operations, the types of risks a company faces, and the reasonable protections available to a company" could be interpreted in a number of ways and some guidance on what is "reasonable" both from the organisation and individual's points of view would be welcome.

P.S. Happy new year.

The Interactive Advertising Bureau (IAB) and Association of American Advertising Agencies (4A's) have published a draft revised Standard Terms and Conditions for Interactive Advertising. Whilst this is principally aimed at the USA market, due to the international nature of the Internet, I thought it worth a mention here.

Use of the template (full title "Standard Terms and Conditions for Interactive Advertising for Media Buys One Year or Less") is voluntary and open to negotiation between media companies and advertisers. However it does discuss data usage and privacy. This is important if you have advertising on your own web site and need to write a privacy notice. Without knowing the agreement between the advertiser and media company, how can you inform your web site users what will happen to their personal information? Although this is only an example template, it probably contains most of the likely issues you will come across in other ones. The definitions of "user volunteered data", "performance data", "site data" and "use of collected data" probably need careful reading and advice from a lawyer! The education version provides some further explanation of terminology and the changes since the previous version.

The template also describes the "special situation of User-Generated Content (UGC) pages" on advert placement and positioning—there could be an interesting discussion if the actual content was neither that intended by the site owner, nor that added by the user, but instead was the result of some malicious injection.

There doesn't seem to be any reference to malware on the site or malware delivered by the advert.

Of course, including third party content is a risk that should be considered in itself.

On Wednesday I attended the Information Commissioner's Office (ICO) Personal Information Online Conference 2009 at which the ICO launched their consultation on the new Personal Information Online Code of Practice.

Manchester and Salford gave us a beautiful sunny day for the event which briefed delegates on the ICO's approach to data protection and an outline of the collaborative process used to develop the draft code of practice. Iain Bourne, Head of Data Protection projects, noted that fewer than hoped public sector organisations had been involved to date, and they would like more feedback from this sector in particular during the consultation phase that ends on 5 March 2009.

My first impressions are this will be a useful document for organisations without staff dedicated to data protection or compliance, especially once the examples and SME checklist are added. The structure and content are still a little raw, but probably about right for the start of a 12-week consultation process. Areas where I am already considering providing feedback are:

• local storage of personal information (not just cookies)
• verification of protection
• suppliers, sub-contractors and staff
• monitoring and anomaly detection
• transmission of personal information
• inclusion of third party content in web sites
• using cookies to enforce an opt out
• additional reference materials.

The full text and consultation document is available as a PDF.

Feedback on the Personal Information Online Code of Practice can be provided using the ICO's consultation portal with further background available in the related press release.

If you are considering undertaking customer monitoring, offering personalisation, providing targetted recommendations or even just appointing an advertiser that uses online behavioural advertising, reading guidance from the Internet Advertising Bureau (IAB) is a good starting point.

The IAB have developed a consumer-orientated website Your Online Choices, a guide to online behavioural advertising and online privacy.

However, more useful reading matter is the IAB's Good Practice Principles for Online Behavioural Advertising. The principles are self-regulatory and prospectively binding on each member in respect of their UK operations. Also remember the principles I discussed last month in User Analytics and Tracking. Whether your company, or advert network, is a signatory or not, it makes sense to understand the issues and apply them in your own online provisions. Consider what data are really necessary and ensure compliance with all internal and external mandates, including legislation.