It’s hardly finished yet. But Matthew Shorter has posted a great post on the BBC Internet blog (albeit accompanied by a photograph which is less than flattering) explaining all about the new BBC Music website. The artist pages went into beta on Monday. Read Matthew’s blog post first if you’re a little confused why it’s a bit difficult to find your way around.

For a bit more of a techie look behind the scenes, you might try Tom Scott’s post. Tom’s a great member of my team, in spite of his apparent inability to do himself a favicon, and he does a good job of explaining what the team have been thinking of.

And it appears to be going down well: Techcrunch UK (another site without a favicon, I note) acknowledges that we’re releasing a ton of data from this system out into the wild.

What’s most neat isn’t the mashup with Wikipedia (been there, done that) or using the industry-standard Musicbrainz to use as the master data source (not least because it copes well with pop and classical music); but the link-up with programme data.

So, if I’m a fan of The Beatles, I now know that BBC Radio 2 is the station for me… and, indeed, the splendid Chris Evans plays the most Beatles tracks out of all the BBC national network presenters.

I also discover that national radio mostly shuns The Eels, with 6music being the only channel to really play them. This’ll be one of the reasons 6music appears as “super” in terms of compatibility with me on last.fm, I guess.

Linking together programmes and music is the first part of the plan. Further links with events (think “Glastonbury”), and topics (whether they’re people, places or concepts) are to come. And, of course, links to users (that’s you and me). Link all that data together, and you’ve a great way of exposing all the great things the BBC does. And making a ton of great data available for the rest of the web, too.

Earlier this week, I drew attention to the Driving Standards Agency’s massive data loss in May (but only just revealed), and asked people to sign a petition ensuring that people are promptly told about loss of their personal data. I also said I’d requested the Register Entry Report for the DSA.

I did this for two reasons: firstly, as a Data Controller myself, I wouldn’t mind seeing another example of a Register Entry; and secondly, because I was keen to discover what the DSA can do with my driving licence data (and whether, frankly, they’d broken the law).

So, register entry report for registration number Z7122992 appears through the post today. It’s actually the Register Entry for the Department of Transport (who run the Driving Standards Agency), which makes even more interesting reading.

First - was this data breach illegal?
By this I mean - did the Department of Transport specifically go outside the terms of data use laid down in their register entry?

Register entries are anything but clear, as I found doing the entry for Not At All Bad Ltd (which hosts this website, as well as Media UK). The Department of Transport’s entry has an entry (entry 9) for “Trading/Sharing in Personal Information”, which has a purpose description of “the sale, hire or exchange of personal information”. Transfers of this data are explicitly set as “None Outside The European Economic Area”. So, according to this register entry, they are not allowed to transfer personal information (names, addresses, phone numbers) outside of the EEA.

Let’s remind ourselves of the original story (at least, the details reported by the BBC):
Names, addresses and phone numbers - but no financial information - were among details on a computer hard drive which went missing in the US in May. It belonged to a contractor working for the Driving Standards Agency, she [Ruth Kelly] said.

So, is this a clear breach of their own requested use of data? It turns out it’s not quite that simple. “Information and Databank Administration” is section 8 of their register entry: for the purpose of “maintenance of information or databanks as a reference tool or general resource, including catalogues, lists, directories and bibliographic data”, and data subjects being, amongst others, “Customers and clients” - i.e. you and me. Data transfer for this is set as Worldwide.

I’m not a lawyer; and I don’t know which of these two sections is supposed to take precedence. Was the deliberate release of personal information outside the EEA a breach, or not? I’d welcome your views.

Second - anything else turn up in here which is a concern?

Let’s return to “Trading/Sharing in Personal Information”. The register says who can receive this information - which specifically includes “personal details, financial details, offences, criminal proceedings”. Here’s a few…

Police forces, central government, local government, employees and agents of the data controller, department of health, department for education and employment, the media…

The MEDIA?!?!!!

It seems that the Department of Transport can, if they wish, let any media organisation in the UK or the EEA know my driving licence details, including my financial information. Anyone in the media can know whether I got a speeding fine in 1997 for doing 42 in a non-built-up, badly-signed 30-zone. (I did. But I have a clean licence now.)

This is big stuff. And I wonder what the definition of “the media” is, in this context. Am *I* the media, running a blog that has more readers than many small magazines? Am I able to request this data on someone I know? The possibilities, the possibilities…

Photo: Ken Banks. Used under licence. An additional disclosure appears at the bottom of my original post on this subject.

Another month, another massive data loss - names, addresses, telephone numbers, email addresses. Except this data was lost in May, and the authorities have only now decided to, you know, tell us. Nice.

The Driving Standards Agency’s privacy statement says it’s registered under the Data Protection Act 1998 as registration number Z7122992. Amusingly, the Data Protection Act’s own website lookup is “currently unavailable as we are carrying out maintenance work to enhance its security.” I’d be interested to see whether their notification says that personal data will be transferred outside the EU; so I’ve requested the notification document. You never know - maybe the Information Commissioner might use his legal teeth. I hope so.

But, talking legal - if we were in the US, the government would be forced, by law, to inform all affected individuals immediately. In the UK, it seems that we don’t have any right to this information. Ever.

Currently there’s a petition to get a similar law in the UK. While it’s only got 389 signatures at the time of writing, I hope it gets plenty more. Please sign it now, and please pass this request on to others. We can change the law if we all work together on this.

Oooh, a little bit of politics.

Relevant disclosure: my personal website (where this blog is) is operated for me by Not At All Bad Ltd which is registered under the Data Protection Act 1998 - registration number Z1084808. The data controller is james.cridland@notatallbad.ltd.uk - that’s me. I have a full disclosure on this website.

Photo: David Bleasdale. Used under licence.