ACPO encourage the sending of identity documents over insecure connection

ACPO – the Association of Chief Police Officers – are inviting people to send online data protection subject access request including copies of proof of identity, such as passports or bank statements over an insecure http connection. This is almost certainly in breach of ACPOs obligations under the Data Protection Act.

One of the most important rights under data protection law is that of “subject access”. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it. It was, for instance, through exercise of this subject access right that six journalists recently discovered that they were on the National Domestic Extremism and Disorder Intelligence database. The DPA recognises the importance of this right by enshrining it in its Schedule One Principles – the sixth principle obliges data controllers to process personal data in accordance with data subjects’ rights under the Act.

The following principle – the seventh – is the one which deals with data security, and it requires data controllers to have appropriate measures in place to safeguard against loss of personal data. The Information Commissioner’s Office (ICO) explains why this is important:

Information security breaches may cause real harm and distress to the individuals they affect – lives may even be put at risk. Examples of the harm caused by the loss or abuse of personal data (sometimes linked to identity fraud) include
– fake credit card transactions;
– witnesses at risk of physical harm or intimidation;
– offenders at risk from vigilantes;
– exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence…

But a tweet yesterday (22.02.15) by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection.

image1

This is such a basic data security measure that it’s difficult to understand how it has happened – and to confirm their identity people are being encouraged to send highly confidential documents, such as passports, over an unsecure connection. The ICO points out that

Failure to provide the first assurance (encryption) means that any sensitive information transmitted will be viewable via any computer system on the route between the two systems

At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping. The ICO was copied in to subsequent tweets, and it will be interesting to see what action they take.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, data security, Information Commissioner, police

Praise where it’s due, but the senior people aren’t listening

A few months ago I had to attend a clinic at a large hospital (nothing embarrassing, nothing serious, but I’m not going to disclose my sensitive personal data). Said hospital is, as are so many these days, crumbling under a lack of resources. In the past I’ve been to other clinics at the same hospital and been concerned to note that they are often run from areas that are little better than corridors, with no real physical data security measures in place – files left out on tables, computer screens open to view by bystanders etc.

However, on this occasion as I approached the healthcare assistant – let’s call her “Anne” – who appeared to be running the clinic (sure enough effectively in a corridor), I notice she kept the clinic list carefully shielded from my eyes, and when I gave my name she retrieved my file from a row of all the others hidden under a long strip of blue hospital paper (you know, the stuff on big rolls like kitchen towels).

I said how impressed I was at her simple but effective attempt to protect patient confidentiality under difficult circumstances, and said I was chairman of NADPO so knew a bit whereof I spoke. A little bit later Anne called me from my seat and I thought it was to take me to my appointment. However, she took me to her manager, and they explained that Anne had previously been criticised by one of the clinic consultants, who felt the blue paper was inconveniencing him, and who would at times remove it and throw it away.

So, I thought I’d write a letter – to the Chief Executive of the NHS Trust, copied to its Medical Records Manager, and Anne herself – praising her actions.

I completely forgot about it but yesterday out of nowhere received a card. It was from Anne saying that she’d received my copy letter, although she hadn’t heard from anyone else (not the Chief Executive nor the Medical Records Manager). She said that the letter was the nicest thing that had happened to her at work in 16 years.

I think this illustrates several things: 1) the NHS, and the public sector in general, are overstretched and confidentiality is potentially compromised as a result, 2) even in times of austerity low-cost information security measures can be effectively implemented, 3) sometimes people lower down are frustrated by, or even undermined by, those above them, 4) compliments are enormously valuable, and too rarely offered.

But there’s one final point. Anne had said in her card to me “I hope [the Chief Executive] wrote and thanked you”. Well no, she didn’t. And nor did the Medical Records Manager nor anyone else in the Hospital Trust. Only Anne had the courtesy to do so, and she was not the one who the message needed to get through to. I’d like to name (and slightly shame) the Trust, but I’d then identify “Anne”, and I don’t want to do that.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Confidentiality, Data Protection, NHS

What’s happening with changes to anti-spam laws?

In October last year the Department for Culture Media and Sport (DCMS) announced a consultation to lower, or even remove, the threshold for the serving financial penalties on those who unlawfully send electronic direct marketing. I wrote at the time that

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge

The Information Commissioner’s Office (ICO) and DCMS both seemed at the time to be keen to effect the necessary legislative changes to amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) so that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, either a serious contravention alone of PECR, or a serious contravention likely to cause annoyance, inconvenience or anxiety, could give rise to a monetary penalty without the need to show – as now – likely substantial damage or substantial distress.

However, today, the Information Commissioner himself, Christopher Graham, gave vent to frustrations about delay in bringing about these changes:

Time and time again the Government talks about changing the law and clamping down on this problem, but so far it’s just that – talk. Today they are holding yet another roundtable to discuss the issue, and we seem to be going round in circles. The Government need to lay the order, change the law and bring in a reform that would make a real difference

So what has happened? Have representatives of direct marketing companies lobbied against the proposals? It would be interesting to know who was at today’s “roundtable” and what was said. But there was certainly an interesting tweet from journalist Roddy Mansfield. One hopes a report will emerge, and some record of the meeting.

One wonders why – if they are – marketing industry bodies might object to the proposed changes. The financial penalty provisions would only come into play if marketers failed to comply with the law. Spammers would get punished – the responsible companies would not.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Information Commissioner, marketing, monetary penalty notice, PECR, spam texts

A bad day in court

If the Information Commissioner (IC) reasonably requires any information for the purpose of determining whether a data controller has complied or is complying with the data protection principles, section 43 of the Data Protection Act 1998 (DPA) empowers him to serve a notice on the data controller requiring it to furnish him with specified information relating to compliance with the principles. In short, he may serve an “information notice” on the data controller which requires the latter to assist him by providing relevant information. A data controller has a right of appeal, to the First-tier Tribunal (Information Rights) (FTT), under section 48 DPA.

These provisions have recently come into play in an appeal by Medway Council of an IC Information Notice. That it did not go well for the former is probably rather understating it.

It appears that, back in 2012, Medway had a couple of incidents in which sensitive personal data, in the form of special educational needs documents, was sent in error to the wrong addresses. Medway clearly identified these as serious incidents, and reported themselves to the IC’s Office. By way of part-explanation for one of incidents (in which information was sent to an old address of one of the intended recipients), they pointed to “a flaw in the computer software used”.  Because of this explanation (which was “maintained in detail both in writing and orally”) the ICO formed a preliminary view that there had been a serious contravention of the seventh data protection principle (which is, let us remind ourselves “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”). Moreover, the ICO served a Notice of Intent to serve a Monetary Penalty Notice (MPN). Upon receipt of this, it appears that Medway changed their explanation and said that the incident in question was a result of human error and that there was “no evidence of a ‘system glitch’”. It appears, however, that the ICO was concerned about discrepancies, and insufficient explanation of the change of position, and served a section 43 information notice requiring Medway to “provide a full explanation of how the security breach on 10 December 2012 occurred”. This was the notice appealed to the FTT.

However, during the FTT proceedings a third explanation for the incidents emerged, which seemed to combine elements of human error and system glitches. This was, observed the FTT, most unsatisfactory, saying, at paragraphs 28 and 29:

not only is this a third explanation of the breach but it is inconsistent with the other 2 explanations and is internally incoherent… The Tribunal is satisfied that there is still no reliable, clear or sufficiently detailed explanation of the incident to enable the Commissioner to be satisfied of:

a) what went wrong and why,
b) whether there was any prior knowledge of the potential for this problem,
c) what if any procedures were in place to avoid this type of problem at the relevant date,
d) why the Commissioner and the Tribunal have been provided with so many inaccurate and inconsistent accounts.

But even more ominously (paragraph 30)

The evidence provided to the Commissioner and the Tribunal has been inconsistent and unreliable and the Tribunal agrees with the Commissioner that it is reasonable that he should utilize a mechanism that enables him to call the Council to account if they recklessly [make] a statement which is false in a material respect  in light of the various contradictory and conflicting assertions made by the Council thus far

The words in italics are from section 47(2)(b) DPA, and relate to the potential criminal offence of recklessly making a material false statement in purported compliance with an information notice.

Finally, Medway’s conduct of the appeal itself came in for criticism: inappropriate, inconsistent and insufficient redactions were made in some materials submitted, and some evidence was sent in with no explanation of source, date or significance.

It is rare that information notices are required – most data controllers will comply willingly with an ICO investigation. It is even more rare that one is appealed, and maybe Medway’s recent experience shows why it’s not necessarily a good idea to do so. Medway may rather regret their public-spirited willingness to own up to the ICO in the first place.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, information notice, Information Tribunal, monetary penalty notice

The cost of retaining old records

In 2008 the Law Society estimated that it held in storage 3.5 million files, in 180,000 boxes, at an annual cost of some £500,000 per annum. Those numbers can only have increased considerably since then. These are files gathered as a result of interventions in law firms by the Solicitors Regulation Authority (SRA) which, although an independent body, is administered and funded by the Law Society. An intervention involves the closing down of a firm, and the seizure of all money held by the firm (including clients’ money) and all documents and papers that relate to its clients, including files and accounting records. What happens to the money has been the subject of much analysis, and litigation, and the position is reasonably settled. But what happens to the files is less clear. Until 2001 the Law Society was of the opinion that it had the power to destroy obsolete files, but its confidence in that stance waned, and in The Law Society (Solicitors Regulation Authority) [2015] EWHC 166 (Ch) it sought, under paragraph 9(10) of the Solictors Act 1974 (“the Society may apply to the High Court for an order as to the disposal or destruction of any documents [or other property] in its possession by virtue of this paragraph”) an order that it could destroy

non-original documents seized from 885 firms, totalling around 1.5 million files (the equivalent of some 109,600 boxes), the destruction of which would produce an estimated annual saving of £344,000 per annum 

In making an order to that effect Iain Purvis QC, sitting as a Deputy Judge of the Chancery Division, noted that the risks in doing so were low: it was highly unlikely that any person would need the documents in question. That low risk needed to balanced against the data protection risks in retaining the documents (it was observed that permanent retention was likely in contravention of the fifth data protection principle in the Data Protection Act 1998) and the high costs of doing so. Moreover, the judge took into account that a responsible law firm would have had a document destruction policy under which the documents in question would have been unlikely to have survived. And finally, he considered whether there were any alternative measures which could be adopted, but the obvious ones – scanning the documents, or writing to the original clients – were prohibitively expensive.

What the judge declined to do was to make a formal declaration to the general effect that the SRA had the power to destroy documents (without the need for a court order). Although he accepted that such power did exist under paragraph 16 of Part II of Schedule 1 of the 1974 Act, the application he was hearing was unopposed, and so a declaration would have no obvious legal effect.

Nonetheless, the Law Society cannot be unpleased with an order which should save them almost £350,000 per annum. Document storage is not cheap, and excessive retention is both unnecessary and inherently risky in data protection terms. Most organisations don’t have the complex statutory underpinning of their functions as the Law Society does in this regard. A comprehensive and robust document retention policy can save a lot of money.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, records management

Helping the ICO with databreach alerts?

Last weekend I noticed some tweets from the ever-vigilant Dissent Doe. She said

I’ve spent 5 min on NHS’s web site and still can’t figure out how/where to report or question an IT security issue. Anyone?…It’s 2015. It really shouldn’t be so hard to find a contact email to use to notify an entity of a security breach or vulnerability…So I finally said, “screw this waste of my time,” and emailed @ICOnews to alert them and ask them to pass the notification to #NHS

Knowing that she wouldn’t tweet this without good reason I made contact, and she referred me to a list of what looked like serious data security vulnerabilities on a range of NHS websites. The list had been posted openly on the internet by a well-known hacker (for obvious reasons I won’t link to it).

In response, I contacted an NHS Information Governance professional, who quickly pointed me towards the IG Alliance. I sent emails to two people, but have not yet had a reply. I even tweeted Tim Kelsey, the NHS’s National Director for Patients and Information, but he didn’t reply. Eventually, a contact managed to contact someone else (I’m being deliberately vague) and I have some reassurance that action will now be taken.

But when I told Dissent Doe this, earlier today (06.02.15) she, although pleased at that outcome, expressed surprise that she had not heard anything from the Information Commissioner’s Office (ICO), whom she had alerted last Sunday. I told her that this had been my, and others’, experience when reporting serious concerns about data protection and data security. The ICO is tremendously over-stretched, and can’t immediately respond to all queries and concerns raised, but there is a community of knowledgeable and dedicated professionals who can help. One of the ICO’s main regulatory roles is, after all

to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers

Indeed, I’ve written on the subject before, and suggested this

I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.

I didn’t get a comment from the ICO when I wrote that previous post, but I also didn’t ask them for one. This time I will, and I’ll report back on what their response is.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner

Labour’s “HowManyOfMe” – legitimate use of the electoral register?

Is Labour’s shiny new web widget “HowManyOfMe” compliant with the party’s obligations under electoral and ePrivacy law?

Regulations 102 and 106 of the Representation of the People (England and Wales) Regulations 2001 (as amended)mean that registered political parties can apply for a copy of the full electoral register, but they can only supply, disclose or make use of the information therein for “electoral purposes”. As far as I can see “electoral purposes” is nowhere defined, and, accordingly, I suspect it permits relatively broad interpretation, but, nevertheless, it clearly limits the use to which a political party can make use of electoral registration information.

With this in mind, it is worth considering whether the apparent use of such information by the Labour Party, in a new website widget, is a use which can be described as “for electoral purposes”. The widget in question invites people to submit their name (or indeed anyone else’s), email address and postcode and it will tell you how many voters in the country have that name. Thus, I find that there are 393 voters who have the name “Christopher Graham”. The widget then encourages users to register to vote. In small print underneath it says

in case you’re interested, this tool uses an aggregate figure from the electoral register and we’ve taken steps to protect the privacy of individuals

Well, I am interested. I’m interested to know whether this use of the electoral register is purely for electoral purposes. If it is, if its purpose is to encourage people to register to vote, then why does it need an email address? The widget goes on to say

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point. You can see our privacy policy here.

But if they are using the electoral register to encourage people to give up email addresses which may then receive political marketing, surely this is stretching the use of “for electoral purposes” too far? Moreover, and despite the small print privacy notice, and the almost-hidden link to a generic privacy policy, any emails received by individuals will be likely to be sent in contravention of Labour’s obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which give effect to the UK’s obligations under Directive 2002/58/EC. This is because regulation 22 of PECR prohibits, in terms, the sending of electronic direct marketing (and promotion of a political party constitutes such marketing) without the prior consent of the recipient. Consent, the Directive tells us, must be “a freely given specific and informed indication of the user’s wishes”.  A vague description, as the widget here gives us, of what may happen if one submits an email address, and a statement about unsubscribing, do not legitimise any subsequent sending of direct marketing.

The email address I used is one I reserve for catching spammers; I’ve not received anything yet, but I expect to do so. I would be prepared to argue that any email I receive cannot be said to relate to the electoral purpose which permit use of the electoral register, and will be sent in contravention of PECR.  As I said recently, one of the key battlegrounds in the 2015 general election will be online, and unless action is taken to restrain abuse of people’s personal information, things will get nasty.

1The legislation.gov.uk doesn’t provide updated (“consolidated”) versions of secondary legislation, so there’s no point in linking to their version of the regulations.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, marketing, PECR, privacy notice

Online privacy – a general election battleground

It’s becoming increasingly clear that one of the key battlegrounds in the 2015 General Election will be online. The BBC’s Ross Hawkins reports that the Conservatives are spending large amounts each month on Facebook advertising, and Labour and UKIP, while not having the means to spend as much, are ramping up their online campaigning. But, as Hawkins says

the aim is not to persuade people to nod thoughtfully while they stare at a screen. They want consumers of their online media to make donations or, even better, to get their friends’ support or to knock on doors in marginal constituencies…[but] for all the novelties of online marketing, email remains king. Those Tory Facebook invoices show that most of the money was spent encouraging Conservative supporters to hand over their email addresses. Labour and the Conservatives send emails to supporters, and journalists, that appear to come from their front benchers, pleading for donations

I know this well, because in July last year, after growing weary of blogging about questionable compliance with ePrivacy laws by all the major parties and achieving nothing, I set a honey trap: I submitted an email address to the Conservative, Labour, LibDem, Green, UKIP, SNP and Plaid Cymru websites. In each case I was apparently agreeing with a proposition (such as the particularly egregious LibDem FGM example)  giving no consent to reuse, and in each case there was no clear privacy notice which accorded with the Information Commissioner’s Office’s Privacy Notices Code of Practice (I do not, and nor does the ICO, at least if one refers to that Code, accept that a generic website privacy policy is sufficient in case like this). Since then, the fictional, and trusting but naive, Pam Catchers (geddit??!!) has received over 60 emails, from all parties contacted. A lot of them begin, “Friend, …” and exhort Pam to perform various types of activism. Of course, as a fictional character, Pam might have trouble enforcing her rights, or complaining to the ICO, but the fact is that this sort of bad, and illegal, practice, is rife.

To be honest, I thought Pam would receive more than this number of unsolicited emails (but I’m probably more cynical than her). But the point is that each of these emails was sent in breach of the parties’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which demands that recipients of electronic direct marketing communications must have given explicit consent prior to the sending. By extension, therefore, the parties are also in breach of the Data Protection Act 1998 (DPA), which, when requiring “fair” processing of personal data, makes clear that a valid privacy notice must be given in order to achieve this.

The ICO makes clear that promotion by a political party can constitute direct marketing, and has previously taken enforcement action to try to ensure compliance. It has even produced guidance for parties about their PECR and DPA obligations. This says

In recent years we have investigated complaints about political parties and referendum campaigners using direct marketing, and on occasion we have used our enforcement powers to prevent them doing the same thing again. Failure to comply with an enforcement notice is a criminal offence.

But by “recent” I think they are referring at least six years back.

A data controller’s compliance, or lack thereof, with data protection laws in one area is likely to be indicative of its attitude to compliance elsewhere. Surely the time has come for the ICO at least to remind politicians that online privacy rights are not to be treated with contempt?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under consent, Data Protection, enforcement, Information Commissioner, marketing, PECR, privacy notice

Is an FOI request from an investigative journalist ever vexatious?

Last week, in the Court of Appeal, the indefatigable, if rather hyperbolic, Mr Dransfield was trying to convince three judges that his request, made long ago, to Devon County Council, for information on Lightning Protection System test results relating to a pedestrian bridge at Exeter Chiefs Rugby Ground, was not vexatious. If he succeeds in overturning what was a thorough, and, I think, pretty unimpeachable ruling in the Upper Tribunal, then we may, at last, have some finality on how to interpret section 14(1) of the Freedom of Information Act 2000 (FOIA):

a public authority [is not obliged] to comply with a request for information if the request is vexatious

But what is certain is that the Court of Appeal will not hand down a ruling which would allow a public authority to feel able merely to state that a request is vexatious, and do nothing more to justify reliance on it. But that is what the Metropolitan Police appear to have done in an extraordinary response to FOIA requests from the Press Gazette. The latter has been engaging in a campaign to expose what it believes to be regular use of surveillance powers to monitor or investigate actions of journalists. This is both a serious subject and a worthy campaign. Investigative journalism, by definition, is likely to involve the making of enquiries, sometimes multiple ones, sometimes speculative, “to discover the truth and to identify lapses from it”. It is inevitable that an investigative journalist will from time to time need to make use of FOIA, and the Information Commissioner’s Office (ICO) advises that

[public] authorities must take care to differentiate between broad requests which rely upon pot luck to reveal something of interest and those where the requester is following a genuine line of enquiry

The ICO doesn’t (and couldn’t) say that a FOIA request from an investigative journalist could never be classed as vexatious, but I think the cases when that would happen would be exceptional. The Upper Tribunal ruling by Wikeley J that Mr Dransfield is seeking to overturn talked of “vexatious” as connoting

a manifestly unjustified, inappropriate or improper use of a formal procedure

and

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

although it was stressed that these were neither exhaustive, nor a “formulaic checklist”.

It is difficult to imagine that the motive of the Press Gazette journalists can be anything but well-intended, and similarly difficult to claim there is no value or serious purpose to the request, or the other requests which need to be considered for context. Nor has there been, as far as I am aware, any suggestion that the requests have caused Met staff any harassment or distress. So we are (while noting and acknowledging that we are not following a checklist) only likely to be talking about “the burden on the public authority and its staff”. It is true that some requests, although well-intentioned and of serious value, and made in polite terms, have been accepted either by the ICO or the First-tier Tribunal (FTT), as being so burdensome to comply with that (even before considering whether FOIA costs limits are engaged) they merit rejection on vexatiousness grounds. In 2012 the FTT upheld an appeal from the Independent Police Complaints Commission, saying that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12 [costs limits]

and last year the FTT similarly allowed a late submission by the Department of Education that a request from the journalist Laura McInerney for information about Free School applications was vexatious because of the burden it would impose:

There is no question here of anything in the tone of the request tending towards vexatiousness; nor does anyone doubt Ms McInerney’s genuine motives…There is value in openness and transparency in respect of departmental decision making. That value would be increased by the academic scrutiny which the disclosed material would receive…In our judgment, however, these important considerations are dwarfed by the burden which implementation of the request places on DFE.

But it does not appear that the request in question from the Press Gazette was likely to go any way towards being grossly oppressive, or to being a burden which would “dwarf” the other considerations.

Moreover, and it does not appear to have been a point argued in the DfE case, there is an argument, explored through a series of cases in the Court of Justice of the European Union, and, domestically, in the Supreme Court, in Kennedy v ICO and Charity Commission, that Article 10 of the European Convention on Human Rights, providing as it does in part a right “to receive and impart information and ideas without interference by public authority” (subject to limitations that are prescribed by law, necessary and proportionate, and pursue a legitimate aim) might sometimes need to read down into FOIA, particularly where a journalist is the requester. Although the Supreme Court, by a majority, and on the facts (specifically in the context of a FOIA absolute exemption), rejected the submission in Kennedy, the argument in the abstract still has some weight – someone engaging in investigative journalism is clearly generally acting as a “social watchdog”, and the likelihood that they are making a FOIA request with bad motives, or without serious purpose, or in a way likely to harass or cause distress is correspondingly low. It seems to me that, absent the sort of “excessive burden” argument explored in the IPCC and DfE cases – and, as I say, the Met don’t seem to have advanced any such argument – to label a request from an investigative journalist as vexatious is to stand at the top of a slippery slope. One hopes that the Met review and reverse this decision.

p.s. In a world in which we are all journalists, this all has the potential to get very complicated.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Article 10, Freedom of Information, journalism, police

No data protection “fines” for audited NHS bodies

UPDATE: 03.02.15 GPOnline have commendably now amended their piece on this END UPDATE

GPOnline warns its readers today (02.02.15) that

GP practices face compulsory audits from this month by the information commissioner to check their compliance with data protection laws, and could be fined heavily if they are found to have breached rules.

While it’s good that it is on the ball regarding the legal change to the Information Commissioner’s Office (ICO) audit powers, it is, in one important sense, wrong: I can reassure GP practices that they are not risking “fines” (more correctly, monetary penalty notices, or MPNs) if breaches of the law are found during an ICO audit. In fact, the law specifically bars the ICO from serving an MPN on the basis of anything discovered in the process of an audit.

Under s41A of the Data Protection Act 1998 (DPA) the ICO can serve a data controller with a notice “for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles”. Until yesterday, this compulsory audit power was restricted to audits of government departments. However, the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014, which commenced on 1 February 2015, now enables the ICO to perform mandatory data protection audits on NHS bodies specified in the schedule to the Order.  Information Commissioner Christopher Graham has said

We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens

And I think he chose those words carefully (although he used the legally inaccurate word “fine” as well). Section 55A of the DPA gives the ICO the power to serve a monetary penalty notice, to a maximum of £500,000, if he is “satisfied” that – there has been a serious contravention of the DPA by the data controllers and it was of a kind likely to cause substantial damage or substantial distress and the data controller knew or ought to have known that this would happen. However section 55A(3A) provides that the ICO may not be so “satisfied”

by virtue of any matter which comes to the Commissioner’s attention as a result of anything done in pursuance of…an assessment notice

This policy reason behind this provision is clearly to encourage audited data controllers to be open and transparent with the ICO, and not be punished for such openness. GP practices will not receive an MPN for any contraventions of the DPA discovered during or as a result of a section 41A audit.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice, NHS