The Reading of the 30,000

There is some irony in the quite extraordinary news that the Independent Commission on Freedom of Information received 30,000 submissions in response to its public call for written evidence: one of the considerations in the call for evidence was the fact that “reading time” cannot currently be factored in as one of the tasks which determines whether a request exceeds the cost limit under section 12 of the FOI Act. 

Lord Burns has now announced that

Given the large volume of evidence that we have received, it will take time to read and consider all of the submissions

Well, yes. The Commission originally planned to report its findings “before the end of the year” (that is, the parliamentary year, which ends on 17 December). It also planned to read all the evidence which was before the Justice Committee when it conducted its post-legislative scrutiny of FOIA in 2012, and there was a fair amount of that. But let us put that to one side, and let us estimate that reading and where necessary taking a note of each of the current 30,000 submissions will take someone ten minutes (as some submissions were 400 pages long, this is perhaps a ridiculously conservative estimate). That equates to 300,000 minutes, or 5000 hours, or 208 days of one person’s time (assuming they never slept or took a break: if we imagine that they spent eight hours reading every day, it would be 625 days).

I don’t know what sort of administrative support Lord Burns and his fellow Commission members have been given, but, really, to do their job properly one would expect them to read the submissions themselves. There are five of them, so even assuming they shared the reading between them, we might expect they would between them take 125 days (without a break, and with little or no time to undertake their other jobs and responsibilities) to digest the written evidence.

Lord Burns has sensibly conceded that the Commission will not be able to report by the end of the year, and he has announced that two oral evidence sessions will take place in January next year (although who will participate has not been announced, nor whether the sessions will be broadcast, nor even whether they will take place in public).

What is clear though is that someone or ones has a heck of a job ahead of them. I doubt that the Commission, as an advisory non-departmental public body, would be amenable to judicial review, so it is probably not strictly bound by public law duties to take all relevant evidence into account when arriving at its decisions and recommendations, but, nonetheless, a failure so to do would open it up to great, and justified, criticism.

And, one final point, as Ian Clark noticed when submitting his evidence, the web form was predicated on the assumption that those making submissions would only be from an “organisation”. Surely the Commission didn’t assume that the only people with views on the matter were those who received FOI requests? Surely they didn’t forget that, ultimately, FOIA is for the public?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Freedom of Information, transparency

The first time Parliament heard the term “Freedom of Information”

…if there is one matter on which I feel more strongly than another it is that in a democratic community the foundation of good government lies in freedom of information, freedom of thought, and freedom of speech: You can not have a country, which is governed by its people, wisely and well governed, unless those people are permitted access to accurate information, and are permitted the free exchange of their views and their opinions: That is essential to good government: It is quite true that if you grant that freedom there will be abuses: It is quite true that foolish people advocate foolish views: That is one of the many unfortunate corollaries

Although the past is a foreign country, some of its citizens can seem familiar: the quotation above is from Liberal politician Sir Richard Durning Holt, and was made in a parliamentary debate seven months short of a hundred years ago. It contains the first recorded parliamentary use of the term “freedom of information”. It was said as part of a debate about conscientious objectors to the “Great War” (Holt was drawing attention to what he saw as the unfair and counter-productive prosecutions of objectors). He may not have meant “freedom of information” in quite the way we mean it now, but his words resonate, and – at a time when our own Freedom of Information Act 2000 is under threat – remain, as a matter of principle, remarkably relevant.

I found the quotation using Glasgow University’s extraordinary corpus of “nearly every speech given in the British Parliament from 1803-2005”. I commend it to you, and, a century on, commend Sir Richard’s words to Jack Straw and his fellow members on the Independent Commission on Freedom of Information.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Freedom of Information, Uncategorized

Any Safe Harbor in a storm…?

The ICO has contacted me to say that it actually selected SnapSurveys because they offered clients the option of hosting survey response on UK servers, and it has checked with SnapSurveys that this remains the case. I’ve been pointed me to which confirms this point.

So the answer to my question

Is the ICO making unlawful transfers of personal data to the US?

I’m pleased to confirm, appears to be “no”.

Earlier this week the Information Commissioner’s Office (ICO) published a blogpost by Deputy Commissioner David Smith, entitled The US Safe Harbor – breached but perhaps not destroyed!

“Don’t panic” says David to those data controllers who are currently relying on Safe Harbor as a means of ensuring that personal data transferred by them to the United States has adequate protection (in line with the requirements of Article 25 of the European Data Protection Directive, and the eighth principle of schedule one of the UK’s Data Protection Act 1998 (DPA)). He is referring, of course, to the recent decision of the Court of Justice of the European Union in Schrems. which Data controllers should, he says, “take stock” and “make their own minds up”:

businesses in the UK don’t have to rely on Commission decisions on adequacy. Although you won’t get the same degree of legal certainty, UK law allows you to rely on your own adequacy assessment. Our guidance tells you how to go about doing this.  Much depend [sic] here on the nature of the data that you are transferring and who you are transferring it to but the big question is can you reduce the risks to the personal data, or rather the individuals whose personal data it is, to a level where the data are adequately protected after transfer? The Safe Harbor can still play a role here.

Smith also refers to a recent statement by the Article 29 Working Party – the grouping of representatives of the various European data protection authorities, of which he is a member – and refers to “the substance of the statement being measured, albeit expressed strongly”. What he doesn’t say is how unequivocal it is in saying that

transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful

And this is particularly interesting because, as I discovered today, the ICO itself appears (still) to be making transfers under Safe Harbor. I reported a nuisance call using its online tool (in doing so I included some sensitive personal data about a family member) and noticed that the tool was operated by SnapSurveys. The ICO’s own website privacy notice says

We collect information volunteered by members of the public about nuisance calls and texts using an online reporting tool hosted by Snap Surveys. This company is a data processor for the ICO and only processes personal information in line with our instructions.

while SnapSurveys’ privacy policy explains that

Snap Surveys NH, Inc. complies with the U.S. – E.U. Safe Harbor framework

This does not unambiguously say that SnapSurveys are transferring the personal data of those submitting reports to the ICO to the US under Safe Harbor – it is possible that the ICO has set up some bespoke arrangement with its processor, under which they process that specific ICO data within the European Economic Area – but it strongly suggests it.

It is understandable that a certain amount of regulatory leeway and leniency be offered to data controllers who have relied on Safe Harbor until now – to that extent I agree with the light-touch approach of the ICO. But if it is really the case that peoples’ personal data are actually being transferred by the regulator to the US, three weeks after the European Commission decision of 2000 that Safe Harbor provided adequate protection was struck down, serious issues arise. I will be asking the ICO for confirmation about this, and whether, if it is indeed making these transfers, it has undertaken its own adequacy assessment.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


1 Comment

Filed under 8th principle, Data Protection, Directive 95/46/EC, Information Commissioner, safe harbor

A novel defence by Talk Talk?

Talk Talk, in response to the recent revelations about the compromising of the data of up to four million of its customers, says rather boldly

Has TalkTalk breached the Data Protection Act?
No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months. 

And it got me to wondering how well this rather novel approach could be extended in other legal areas.

The defendant, a Mr Talk Talk, was travelling at a speed of ninety-four miles per hour, and had consumed the equivalent of two bottles of gin. However, as the other driver involved in the collision had failed to renew his motor insurance we find that the defendant was evidently merely the victim of a crime, and my client could not, as a matter of law, have broken speeding and drink driving laws.

Furthermore, although the defendant later viciously kicked an elderly bystander in a motiveless attack, he cannot be guilty of an assault because the pensioner was recently convicted of watching television without a licence.

And finally, although my client picked up a police officer and threw him into a duck pond, the fact that the said officer once forgot to pay for a milky way in the staff canteen provides an absolute defence to the charge of obstructing a police officer in the line of duty.

Let’s see how well Talk Talk’s defence washes with the ICO.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, Information Commissioner, Uncategorized

Blackpool Displeasure Breach, redux

Over a year ago I blogged about a tweet by a member of the Oyston family connected with Blackpool FC:

a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn

For the reasons in that post I thought this raised interesting, and potentially concerning, data protection issues, and I mentioned that the Information Commissioner’s Office (ICO) had powers to take action. It was one of (perhaps the) most read posts (showing, weirdly, that football is possibly more of interest to most people than data protection itself) and it seemed that some people did intend complaining to the ICO. So, recently, I made an FOI request to the ICO for any information held by them concerning Blackpool FC’s data protection compliance. This was the reply

We have carried out thorough searches of the information we hold and have identified one instance where a member of the public raised concerns with the ICO in September 2014, about the alleged processing of personal data by Blackpool FC.

We concluded that there was insufficient evidence to consider the possibility of a s55 offence under the Data Protection Act 1998 (the DPA), and were unable to make an assessment as the individual had not yet raised their concerns with Blackpool FC direct.  We therefore advised the individual to contact the Club and to come back to us if they were still concerned, however we did not hear from them again.  As such, no investigation took place, nor was any assessment made of the issues raised.

This suggests the ICO appears wrongly to consider itself unable to undertake section 42 assessments under the Data Protection Act 1998 unless the data subject has complained to the data controller – a stance strongly criticised by Dr David Erdos on this blog, and one which has the potential to put the data subject further in dispute with the data controller (as I can imagine could have happened here, with a family some of whose members are ready to sue to protect their reputation). It also suggests though that maybe people weren’t quite as interested as the page views suggested. Nonetheless, I am posting this brief update, because a few people asked about it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

Complaint about Google’s Innuendo, redux

Some time ago I complained to the Information Commissioner’s Office (ICO) about the innuendo carried in the message that Google serves with search results on most personal names: “Some results may have been removed under data protection law in Europe”. I had already complained to Google UK, and wrote about it here. Google UK denied any responsibility or liability, and referred me to their enormous, distant, parents at 1600 Amphitheatre Parkway. I think they were wrong to do so, in light of the judgment of the Court of Justice of the European Union in the Google Spain case C‑131/12, but I will probably pursue that separately.

However, section 42 of the Data Protection Act 1998 (DPA) allows me to ask the ICO to assess whether a data controller has likely or not complied with its obligations under the DPA. So that’s what I did (pointing out that a search on “Jon Baines” or “Jonathan Baines” threw up the offending message).

In her response the ICO case officer did not address the jurisdiction point which Google had produced, and nor did she actually make a section 42 assessment (in fairness, I had not specifically cited section 42). What she did say was this

As you know, the Court of Justice of the European Union judgement in May 2014 established that Google was a data controller in respect of the processing of personal data to produce search results. It is not in dispute that some of the search results do relate to you. However, it is also clear that some of them will relate to other individuals with the same name. For example, the first result returned on a search on ‘Jonathan Baines’ is ‘LinkedIn’, which says in the snippet that there are 25 professionals named Jonathan Baines, who use LinkedIn.

It is not beyond the realms of possibility that one or more of the other individuals who share your name have had results about them removed. We cannot comment on this. However, we understand that this message appears in an overwhelming majority of cases when searching on any person’s name. This is likely to be regardless of whether any links have actually been removed.

True, I guess. Which is why I’ve reverted with this clarification of my complaint:

If it assists, and to extend my argument and counter your implied question “which Jon Baines are we talking about?”, if you search < “Jon Baines” Information Rights and Wrongs > (where the search term is actually what lies between the < >) you will get a series of results which undoubtedly relate to me, and from which I can be identified. Google is processing my personal data here (that is unavoidable a conclusion, given the ruling by the Court of Justice of the European Union in “Google Spain” (Case C‑131/12)). The message “Some results may have been removed under data protection law in Europe” appears as a result of the processing of my personal data, because it does not appear on every search (for instance < prime minister porcine rumours > or < “has the ICO issued the cabinet office an enforcement notice yet” >). As a product of the processing of my personal data, I argue that the message relates to me, and constitutes my personal data. As it carries an unfair innuendo (unfair because it implies I might have asked for removal of search results) I would ask that you assess whether Google have or have not likely complied with their obligation under section 4(4) to comply with the first and fourth data protection principles. (Should you doubt the innuendo point, please look at the list of results on a Twitter search for “Some results may have been removed”).

Let’s hope this allows the ICO to make the assessment, without my having to consider whether I need to litigate against one of the biggest companies in world history.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Information Commissioner

When data security = national security

One of the options open to the Information Commissioner’s Office (ICO), when considering whether to take enforcement action under the Data Protection Act 1998 (DPA) is – as an alternative to such action – to invite an offending data controller to sign an “undertaking”, which will in effect informally commit it to taking, or desisting from, specified actions. An undertaking is a relatively common event (there have been fifty over the last year) – so much so that the ICO has largely stopped publicising them (other than uploading them to its website) – very rarely is there a press release or even a tweet.

There is a separate story to be explored about both ICO’s approach to enforcement in general, and to its approach to publicity, but I thought it was worth highlighting a rather remarkable undertaking uploaded to the ICO’s site yesterday. It appears that the airline Flybe reported itself to the ICO last November, after a temporary employee managed to scan another individual’s passport, and email it to his (the employee’s) personal email account. The employee in question was in possession of an “air side pass”. Such a pass allows an individual to work unescorted in restricted areas of airports and clearly implies a level of security clearance. The ICO noted, however, that

Flybe did not provide data protection training for all staff members who process personal data. This included the temporary member of staff involved in this particular incident…

This is standard stuff for DPA enforcement: lack of training for staff handling personal data will almost always land the data controller in hot water if something goes wrong. But it’s what follows that strikes me as remarkable

the employee accessed various forms of personal data as part of the process to issue air side passes to Flybe’s permanent staff. This data included copies of passports, banking details and some information needed for criminal record background checks. The Commissioner was concerned that such access had been granted without due consideration to carrying out similar background checks to those afforded to permanent employees. Given the nature of the data to which the temporary employee had access, the Commissioner would have expected the data controller to have had some basic checking controls in place.

Surely this raises concerns beyond the data protection arena? Data protection does not exist in isolation from a broader security context. If it was really the case that basic checking controls were not in place regarding Flybe’s temporary employees and data protection, might it raise concerns about how that impacts on national security?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, national security, undertaking

Anti-EU campaign database – in contravention of data protection laws?

The site reports that an anti-EU umbrella campaign called Leave.EU (or is it has been written to by the Information Commissioner’s Office (ICO) after allegedly sending unsolicited emails to people who appear to have been “signed up” by friends or family. The campaign’s bank-roller, UKIP donor Aaron Banks, reportedly said

We have 70,000 people registered and people have been asked to supply 10 emails of friends or family to build out (sic) database

Emails sent to those signed up in this way are highly likely to have been sent in breach of the campaign’s obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and the ICO is reported to have to written to the campaign to

inform them of their obligations under the PECR and to ask them to suppress [the recipient’s] email address from their databases

But is this really the main concern here? Or, rather, should we (and the ICO) be asking what on earth is a political campaign doing building a huge database of people, and identifying them as (potential) supporters without their knowledge? Such concerns go to the very heart of modern privacy and data protection law.

Data protection law’s genesis lie, in part, in the desire, post-war, of European nations to ensure “a foundation of justice and peace in the world”, as the preamble to the European Convention on Human Rights states. The first recital to the European Community Data Protection Directive of 1995 makes clear that the importance of those fundamental rights to data protection law.

The Directive is, of course, given domestic effect by the Data Protection Act 1998 (DPA). Section 2 of the same states that information as to someone’s political beliefs is her personal data: I would submit that presence on a database purporting to show that someone supports the UK”s withdrawal from the European Union is also her personal data. Placing someone on that database, without her knowledge or ability to object, will be manifestly “unfair” when it comes to compliance with the first data protection principle. It may also be inaccurate, when it comes to compliance with the fourth principle.

I would urge the ICO to look much more closely at this – the compiling of (query inaccurate) of secret databases of people’s political opinions has very scary antecedents.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Directive 95/46/EC, Europe, human rights, Information Commissioner

ICO discloses names of Operation Motorman journalists

In August this year the Upper Tribunal dismissed an appeal by the Information Commissioner’s Office (ICO) of a prior ruling that he must disclose the names of certain journalists who appeared on a list 305 names seized by the ICO during a raid in 2003 on the home of private investigator Steve Whittamore. The raid was part of “Operation Motorman”, an investigation which forms part of the background to the various civil and criminal proceedings generated by the phone-hacking scandals, and to the establishment of the Leveson Inquiry.

The names which have been ordered to be disclosed have now been provided by the ICO to the requester, the clearly indefatigable Chris Colenso-Dunne. Chris has kindly given the list to me, and I make it available in the attachment below. One name stands out in particular: Rebekah Wade (as she then was), now Brooks, who has always denied knowledge of the phone-hacking which took place while she was editor of the now defunct News of the World (and who was, of course, acquitted in 2014 of conspiring to hack phones when editor of that paper and of making corrupt payments to public officials when editor of The Sun, as well as of all other charges).

It is important to be aware, as the Upper Tribunal said, that presence on the list means nothing more than that the journalists in question

had commissioned Mr Whittamore to obtain information… The information did not carry with it any assertion as to the actual or alleged commission of any crime by those journalists [para 38]

No doubt the list will generate further comment, though.

ICO Motorman List

[this post was edited to remove a paragraph where I’d mistakenly taken the list to mean that Wade was working for “Femail” at the time]

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Upper Tribunal

Easy as 1-2-3…?

Has the ICO got its FOI sums wrong?

I wrote recently about a decision of the Information Tribunal where the Tribunal held that the Information Commissioner’s Office (ICO) had wrongly calculated the time for compliance with a request made under the Freedom of Information Act 2000 (FOIA) and consequently had said that the public authority in question had contravened its obligations under section 10(1) of FOIA, when in fact it had complied on time. 

One might have thought the ICO would have made sure that it didn’t make this counting mistake again, particularly in cases where an error can make the difference between requests being either compliant or not compliant with FOIA. I was rather surprised, therefore, to notice  a recently published decision notice by the ICO in which (if my calculations are correct) they have again wrongly calculated the time for compliance and consequently issued a decision against a public authority when in fact the public authority had complied with its obligations under section 10(1). As I have noted before, the 20 working day time for compliance with a FOIA request does not include bank holidays even where the bank holiday in question applies only in one part of the UK. So, for instance, a bank holiday in Scotland (say, St Andrew’s Day), but not in the rest of the UK, is still classed as a non-working day for the purposes of FOIA. In this instance one of the requests for information was made on March 16, 2014 and responded to on April 14 2014. The ICO said this meant that the public authority in question – the Student Loans Company – had taken 21 working days to respond. However this seems to overlook the fact that March 17 is a bank holiday in Northern Ireland, where it marks St Patrick’s Day. Accordingly it should not have been counted as a working day by the ICO for the purposes of FOIA. 

By my calculations the public authority responded on the 20th working day, they complied with their obligations under FOIA, and the ICO has issued a defective decision notice. I wonder if an appeal has been lodged.

There are a surprising number of bank holidays throughout the year, when one takes into account those in all parts of the UK, and it is worth bearing in mind that if one of those days falls within any of the putative 20 working days for compliance with a FOIA request then it will push the time for compliance back that one extra day. I reckon (and as nerdy as I am I’m not so nerdy as to have (yet) worked it out) that there’s probably something like a 50% chance that a FOIA request will actually contain a day that is a bank holiday, and maybe one that is not one that applies uniformly throughout the UK. All FOIA requesters, practitioners and, indeed, regulators, should bear this in mind.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Freedom of Information, Information Commissioner, Information Tribunal, Uncategorized