Zero rating for fairness

It’s a long time since I took a flight, but when I used to do so, I too would have the experience, when purchasing items in airport shops, of being asked to produce my boarding pass and having it scanned by the retailer. I now know that the reason for this is, contrary to my assumptions, nothing to do with security, and everything to do with the retailer’s VAT pricing structure.

I don’t particularly object to the practice itself, but what does concern me, from a privacy and data protection perspective, is the lack of information traditionally given to passengers about the reason for it, and what happens with the information gathered.

The third data protection principle, in Schedule 1 of the Data Protection Act 1998 (DPA) states, in relevant part, that personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Is the processing by retailers compliant with their obligations under this principle?

When retailers scan boarding passes they will be at least potentially collecting (“processing”) passengers’ names, flight numbers and travel destination. The last is the purpose of the exercise: if the passenger is travelling outside the European Union the purchase is zero-rated for the purposes of VAT. But is it necessary therefore to collect all the boarding pass data? Well, HMRC guidance suggests that it is:

Information from the boarding cards or travel documents presented by entitled passengers should be retained by retailers as part of their export evidence.

This suggests that, in order to satisfy any HMRC inspector that zero-rated purchases have been made legitimately, proof of the details of the purchase will need to be retained and provided. 

If that is the case then there’s a good argument that retailers could satisfy the requirements of the third DPA principle. But there is a more fundamental requirement, in the first Schedule One principle, to process personal data fairly, and fairness will not be achieved unless

in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him… [inter alia]…the purpose or purposes for which the data are intended to be processed

And there we are back to the start of this post: I didn’t know what the purpose was of scanning my boarding pass, and it’s very clear from the recent media coverage of the issue that many, probably most, passengers didn’t or don’t realise. In my view this, coupled with the retention of the data for HMRC purposes, renders the processing unfair and unlawful. Whether the relevant data controller is the retailer, who does the act, or HMRC, who appear to require it, is another question (it’s probable that they are acting as joint data controllers) but I think the Information Commissioner’s Office should take a look.

(Thanks to Rich Greenhill for pointing out the HMRC guidance).

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, Information Commissioner, privacy notice

Big Brother is misleading you

The best books… are those that tell you what you know already…

Big Brother Watch (BBW) is a campaigning organisation, a spin-off from the right-wing lobby group The Taxpayers’ Alliance, described as a “poorly disguised Conservative front”, a large part of whose funds come “from wealthy donors, many of whom are prominent supporters of the Conservative party”. To an extent, that doesn’t matter to me: BBW has done a lot to highlight privacy issues which chime with some of my own concerns – eg excessive use of CCTV, biometrics in schools – but regularly they rail against local authority “databreaches” in a way I think is both unhelpful and disingenuous.

The latest example is a report issued this week (on 11th August 2015) entitled “A Breach of Trust – how local authorities commit 4 data breaches every day”. Martin Hoskins has already done an excellent job in querying and critiquing the findings.

At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.

BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so long to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.

But plenty of media outlets have already uncritically picked the report up and run stories such as the BBC’s “Council data security ‘shockingly lax'” and the Mail’s “Councils losing personal data four times a day”. Local news media also willingly ran stories about their local councils’ data.

However, my main criticism of this BBW report is a fundamental one: their methodology was so flawed that the results are effectively worthless. Helpfully, although at the end of the report, they outline that methodology:

A Freedom of Information request was sent to all local authorities beginning on the 9th June 2014.

We asked for the number of individuals that have been convicted for breaking the Data Protection Act, the number that had had their employment terminated as the result of a DPA breach, the number that were disciplined internally, the number that resigned during proceedings and the number of instances where no action was taken.

The FOI request itself asked for

a list of the offences committed by the individual in question

The flaw is this: individuals within an organisation cannot, in general terms, “break” or “breach” the Data Protection Act 1998 (DPA). An employee is a mere agent of his or her employer, and under the DPA the legal person with the general obligations and liabilities is the “data controller”: an employee of an organisation does not have any real status under the DPA – the employer will be the “person who determines the purposes for which and the manner in which personal data are processed”, that is, the data controller. An individual employee could, in specific terms, “break” or “breach” the DPA, but only if they committed an offence under section 55, of unlawfully obtaining etc. personal data without the consent of the data controller. There is a huge amount of confusion, and sloppy thinking, when it comes to what is meant by a data protection “breach”, but the vast majority of the incidents BBW report on are simply incidents in which personal data has been compromised by the council in question as data controller. No determination of whether the DPA was actually contravened will have been made (if only because the function of determining whether the Act has been contravened is one which falls to the Information Commissioner’s Office, or the police, or the courts). And if BBW wanted a list of offences committed, that list would be tiny.

To an extent, therefore, those councils who responded with inaccurate information are to blame. FOI practitioners are taught (when they are well taught) to read a request carefully, and where there is uncertainty or ambiguity, to seek clarification from the requester. In this instance, I did in fact advise one local authority to do so. Regrettably, rather than clarifying their request, BBW chose not to respond, and the council is listed in the report as “no response received”, which is both unfair and untrue.

I am not saying that data security and data protection in councils is not an area of concern. Indeed, I am sure that in some places it is lax. But councils deal with an enormous amount of sensitive personal data, and mistakes and near misses will sometimes happen. Councils are encouraged to (and should be applauded for) keeping registers of such incidents. But they shouldn’t disclose those registers in response to ill-informed and badly worded FOI requests, because the evidence here is that they, and the facts, will be misleadingly represented in order to fit a pre-planned agenda.


Filed under Data Protection, Freedom of Information

Carphone Warehouse and the DPA risks

According to my less-than-reliable memory, I once purchased a mobile phone from Carphone Warehouse about twelve years ago. I also seem to remember buying a phone from a company with a name like mobiles.co.uk around the same time (were they even going then?). Since then, my telephone number, postal address and email address have all changed, but my main banking details have not. So when the news emerged in recent days that Carphone Warehouse and various subsidiaries and partners had been affected by a data security breach involving the data of 2.4m customers I was understandably concerned. I have asked Carphone Warehouse several times how far back they held data which has been compromised, and explained that my contact details will have changed from any they might hold, but I have just been referred to generic information on their website which says that affected customers will be sent an email or text message (which is clearly useless to me).

I think Carphone Warehouse need urgently to clarify how far back they were retaining customer data that was compromised in this incident: I will be extremely unhappy if my c.12 year old data was in fact involved, because as far as I can see there would have been no reason to retain it that long. The fifth principle in Schedule One of the Data Protection Act 1998 (DPA) states that personal data should not be kept for longer than is necessary to fulfil the original purpose for which it was gathered – I doubt that retaining for twelve-odd years would comply with Carphone Warehouse’s obligations under the DPA.

But on a more general, less personal, note, what might this incident mean in DPA terms for Carphone Warehouse and its customers? I note that the generic information referred to above states that the cause was “a sophisticated cyber-attack” and that such attacks are “part of the reality of the modern world”. This is true, but not all organisations suffer such a serious breach of their systems that more than two million people are affected. Carphone Warehouse, as a data controller with obligations under the DPA to process customer data in accordance with the Act, will have to satisfy the Information Commissioner’s Office (which is investigating) and its customers that it complied with the seventh data protection principle, and had appropriate technical and organisational measures in place to safeguard personal data. Failure to have done so would open Carphone Warehouse up to the risk of an ICO monetary penalty to a maximum of £500,000. But the reason I mentioned satisfying customers as to the appropriate measures in place is that the DPA affords individual data subjects the right to bring a compensation claim against a data controller for a contravention of the Act. Traditionally, this right only applied where the data subject had suffered quantifiable damage (in the form of monetary loss), but, since the decision of the Court of Appeal earlier this year in Google Inc v Vidal-Hall & ors. [2015] EWCA Civ 311, such claims can be made on the basis purely of the distress suffered as a result of the contravention. I’ve got to say, I’m feeling a certain level of distress just now at the thought that my data might have been compromised. If it transpires that it was, the distress will only increase.

Although such distress payments are unlikely ever to be particularly large, when one then considers the emergence of group litigation of DPA claims, the financial risk to data controllers who suffer huge breaches of customer data is palpable: purely hypothetically, if Carphone Warehouse were found to have failed to comply with their DPA obligations, and half of the customers affected brought a money claim worth £100, they would be facing an exposure of more than £100 million. One wonders if the market’s continuing current confidence in the company allows for that.

Google has been granted permission to appeal Vidal-Hall to the Supreme Court, but pending that the Court of Appeal’s judgment remains good law. And, as I have predicted previously, I think there may be a number of law firms eyeing the case, and potential clients, expectantly.


Filed under 7th principle, Data Protection, data security, Fifth principle, Information Commissioner

Non-compliant FOI compliance?

What does it mean to “comply” with an FOI request? This would appear to be a rather arid question, but when the provisions of section 14(2) of the Freedom of Information Act 2000 (FOIA) come into play, it is not perhaps as unambiguous as one might think.

Section 14(2) provides that

Where a public authority has previously complied with a request for information which was made by any person, it is not obliged to comply with a subsequent identical or substantially similar request from that person unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request [emphasis added]

I confess that, until recently, as both a practitioner and an observer, I had never given this too much thought: surely a public authority complies with a request by complying with its general obligations under FOIA? Namely, confirming whether requested information is held, and, where it is, either communicating it to the requester or providing a refusal notice, while at the same time providing appropriate advice and assistance.

However, it appears (and apologies to anyone who’s known this for ages – I didn’t) that the Information Commissioner’s Office (ICO) take a different view on section 14(2). Their approach, reflected in guidance, is that for the purposes of section 14(2) at least, a public authority has only previously complied with a request when it has either disclosed the information, or confirmed that it is not held:

A public authority may only apply Section 14(2) where it has either:
– previously provided the same requester with the information in response to an earlier FOIA request; or
– previously confirmed the information is not held in response to an earlier FOIA request from the same requester.
If neither of these conditions applies then the public authority must deal with the request in the normal manner.

So, if the authority has previously refused to disclose information, on the valid basis of the application of an exemption or exemptions, it cannot refuse to deal with a subsequent identical request, and it must (one assumes, and unless circumstances have changed) issue a fresh, identical, refusal notice.

This approach is also reflected in a recent decision notice relating to a request to the Department for Work and Pensions (DWP) for the names of charities and companies who have given placements to Mandatory Work Activity or Help to Work participants. DWP had replied to a previous almost identical request, refusing to disclose the information on the basis of the exemptions at sections 29(1)(a), 29(1)(b), 36(2)(c) and 43(2) of FOIA. This time, they refused to reply to the request citing section 14(2). Not on, said ICO:

the DWP can only rely on section 14(2) if, inter alia, it had previously complied with the same or substantially similar request by supplying the requested information to the complainant or confirming it was not held

As the previous request had resulted in the application of exemptions to refuse disclosure, section 14(2) was not engaged. This was despite the fact that – as DWP pointed out – a previous ICO decision notice had actually said that its position was that

the term ‘previously complied with a request for information’ refers to whether an authority has responded to the previous requests by either providing information or by issuing a refusal notice (emphasis added)

ICO explained this discrepancy by saying first, they were not bound by previous decisions, and second, that the earlier decision was “erroneous” and contrary to their own guidance.

I suspect the ICO are drawing a distinction between the concepts of “complying with a request” (i.e. fulfilling it) and “complying with FOIA obligations”, and I’m not completely sure I’m in disagreement with the ICO’s settled position. But I think I am, if only because, followed to its logical extension, we would be saying that a public authority has not “complied” with any request for information if it has validly applied exemptions and refused to disclose the information. This lacks logic: it will be interesting to see if DWP appeal.


Filed under Freedom of Information, Information Commissioner

FOI, data protection and rogue landlords

On 23rd July the Chartered Institute of Environmental Health (CIEH), in conjunction with the Guardian, published a database of landlords who have been convicted of offences under the Housing Act 2004. This showed, for example, that one landlord has been prosecuted seven times for issues relating to disrepair and poor state of properties rented out. It also showed apparent regional discrepancies regarding prosecutions, with some councils carrying out only one prosecution since 2006.

This public interest investigative journalism was, however, not achieved without a fight: in September last year the Information Commissioner’s Office (ICO) issued a decision notice finding that the journalist’s request for this information had been correctly refused by the Ministry of Justice on the grounds that the information was sensitive personal data and disclosure under the Freedom of Information Act 2000 (FOIA) would contravene the MoJ’s obligations under the Data Protection Act 1998 (DPA). Section 40(2) of FOIA provides that information is exempt from disclosure under FOIA if disclosure would contravene any of the data protection principles in Schedule One of the DPA (it also provides that it would be exempt if disclosure would contravene section 10 of the DPA, but this is rarely invoked). The key data protection principle is the first, which says that personal data must be processed fairly and lawfully, and in particular that the processing must meet one of the conditions in Schedule Two, and also – for sensitive personal data – one of the conditions in Schedule Three.

The ICO, in its decision notice, after correctly determining that information about identifiable individuals (as opposed to companies) within the scope of the request was sensitive personal data (because it was about offences committed by those individuals) did not accept the requester’s submission that a Schedule Three condition existed which permitted disclosure. The only ones which could potentially apply – condition 1 (explicit consent) or condition 5 (information already made public by the individual) – were not engaged.

However, the ICO did not at the time consider the secondary legislation made under condition 10: the Data Protection (Processing of Sensitive Personal Data) Order 2000 provides further bases for processing of sensitive personal data, and, as the First-tier Tribunal (Information Rights) (FTT) accepted upon appeal by the applicant, part 3 of the Schedule to that Order permits processing where the processing is “in the substantial public interest”, is in connection with “the commission by any person of any unlawful act” and is for journalistic purposes and is done with a “view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest”. In fairness to the ICO, this further condition was identified by them in their response to the appeal.

In this case, the information was clearly sought with a view to future publication in the CIEH’s magazine, “Environmental Health News”, and the requester was the digital editor of the latter. This, the FTT decided, taken with the (objective) substantial public interest in the publication of the information, was sufficient to make disclosure under FOIA fair and lawful. In a passage (paras 28-30) worth quoting in full the FTT said:

Unfit housing is a matter of major public concern and has a significant impact on the health of tenants.  The Housing Act is a key mechanism for local authorities to improve housing standards and protect the health of vulnerable tenants.  One mechanism for doing this is by means of prosecution, another is licensing schemes for landlords.  Local authorities place vulnerable families in accommodation outside their areas tenants seek accommodation, The publication of information about convictions under the Housing Act would be of considerable value to local authorities in discharge of their functions and assist prospective tenants and those assisting them in avoiding landlords with a history of breaches of the Housing Act.

The sanctions under the Housing Act are comparatively small and the  opprobrium of a conviction may well not rank with other forms of criminal misbehaviour, however the potential for harm to others from such activity is very great, the potential for financial benefit from the misbehaviour is also substantial.  Breaches of the Housing Act are economically motivated and what is proposed is a method of advancing the policy objective of the Housing Act by increasing the availability of relevant information to key actors in the rented housing market – the local authorities as regulator and purchaser and the tenants themselves.  Any impact on the data subjects will overwhelmingly be on their commercial reputations rather than more personal matters.

The Tribunal is therefore satisfied that not only is the disclosure of this information in the substantial public interest, but also any reasonably informed data controller with  knowledge of the social needs and the impact of such disclosure would so conclude.

It is relatively rare that sensitive personal data will be disclosed, or ordered to be disclosed, under FOIA, but it is well worth remembering the 2000 Order, particularly when it comes to publication or proposed publication of such data under public interest journalism.


Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Open Justice

Porsches, farts and environmental information

A quick post on what I think is a rather remarkable Information Tribunal ruling.

The First-tier Tribunal (Information Rights) (“FTT”) has recently handed down a judgment on a case relating to a request for information sent to the Driver and Vehicle Standards Agency (DVSA) about a safety evaluation of an apparent throttle malfunction in the Porsche Cayman. The request was refused by DVSA on the grounds that section 44 of the Freedom of Information Act 2000 (FOIA) provided an absolute exemption to disclosure, by way of existing restrictions on disclosure of this kind of information within the Enterprise Act 2002. Upon appeal, the Information Commissioner’s Office (ICO) upheld this refusal (pointing out that in fact the correct public authority was not the DVSA, but rather the Department of Transport, of which DVSA is an executive agency).

However, when the requester exercised his right of appeal to the FTT, he introduced an argument that in fact the proper regime under which his request should have been considered was the Environmental Information Regulations 2004 (EIR) rather than FOIA, on the grounds that his request concerned an activity that directly affected the environment, namely an activity to regulate vehicle noise emissions. The ICO resisted this, on the basis that

the disputed information concerned a safety test of a certain vehicle “which is not an activity which affects, or is likely to affect, the elements and factors described in Regulation 2(1)(a) or (b) EIR”

This in itself was an interesting argument, touching on issues regarding the Glawischnig remoteness test. This refers to the judgment of the Court of Justice of the European Union in the 2003 case C-316/01 (Eva Glawischnig and Bundesminister für soziale Sicherheit und Generationen) which, observing that Article 2(a) of Directive 90/313 (to which the EIR give UK domestic effect)

classifies information relating to the environment within the meaning of that directive in three categories: information on the state of water, air, soil, fauna, flora, land and natural sites (‘the first category’), information on activities or measures affecting or likely to affect those environmental factors (‘the second category’), and information on activities or measures designed to protect those factors (‘the third category’)

said that

Directive 90/313 is not intended…to give a general and unlimited right of access to all information held by public authorities which has a connection, however minimal, with one of the environmental factors mentioned in Article 2(a). To be covered by the right of access it establishes, such information must fall within one or more of the three categories set out in that provision. [Emphasis added]

However, the FTT in the instant case decided, contrary to the positions of all the parties, that although “the safety test in this case is not an activity, which can be said to affect the elements of the environment” (the appellant having argued essentially that “his request concerned an activity that directly affected the environment, namely an activity to regulate vehicle noise emissions”), the EIR were engaged merely because the safety test first required a car to be started, which by extension meant that the started engine would produce emissions:

in order to test the issue complained of (i.e. the vehicle throttle response under specific conditions) the vehicle must be driven, or at the very least the engine must be running.
Consequently, by conducting the safety test:
– the DVSA caused emissions by driving the vehicle (r.2(1)(b));
– at the very least those emissions affected the air (r.2(1)(a));
– they did so through a measure (a safety test) which was likely to affect the elements (air) (r.2(1)(c));

But following this argument, would the EIR not tend to give the public, pace the ruling of the CJEU in Glawischnig, “a general and unlimited right of access to all information held by public authorities which has a connection, however minimal, with [the environment]”? Information, say, held by the DVLA on the number of people who passed their driving test first time would be environmental because by running the driving test the DVLA caused emissions by requiring the tester to drive the car, at the very least those emissions affected the air and they did so through a measure (a driving test) which was likely to affect the elements (air). Or consider DEFRA conducting TB tests on cattle – in order to conduct the test the inspector must travel to a farm, and by doing so DEFRA cause emissions by causing a vehicle to be driven (or a train ride to be taken etc). At the very least those emissions affect the air, and they do so through a measure which is likely to affect the elements (air). Or this: in order to deliver mail, the Royal Mail must drive vehicles which cause emissions. At the very least those emissions affect the air, and they do so through a measure (their policy to use motor vehicles to deliver the mail) which is likely to affect the elements.

What next? Is information on the statement about the benefits of dietary fibre in the human diet environmental information, because by giving it the Department of Health caused more farts (emissions) which affect the air through a measure (the statement) which was likely to affect the (elements) air?

Maybe I’m being silly, but I don’t think I am. Rather, I think the FTT are, and I wonder if the judgment will be appealed.


Filed under Environmental Information Regulations, Freedom of Information, Information Tribunal

A life saved, by life savers

[Map image: the route my father took]

Around 10pm on the evening of Tuesday, 4th August, I received a phone call from my sister. My 81 year old father, who has dementia, had gone missing from his care home, and his absence had not been noticed for around four hours. The police were looking for him, but he had not been found in the immediate area. I jumped in the car with my wife, and we drove the eighty miles to Manton, Rutland. There then followed nearly forty-eight hours of constant driving, walking paths, telephone calls and growing despair, as we and the large police and search and rescue presence failed to find my father, or any sign of him. The only strong sightings of him had been from shortly after he must have left the care home.

But yesterday, Thursday, 6th August, around 16:45, my father was found. He had managed, apparently on that first evening, to walk 6 kilometres before either falling, or lying down, in a field of oilseed rape, due to be harvested – we were later told – the next day. There he had lain for forty-odd hours, in a spot half a mile down a steep, heavily rutted farm track so remote that – although some of us had previously searched part way down the track which led to it – it seemed barely credible he could have been there. He was badly dehydrated, and sunburnt (his disappearance coincided – thank goodness – with some mild and partially sunny weather, and the nights were not cold) but fortunately, although he seems to have fallen in the field, the crops and his clothing (again thank goodness – he had full clothing on, including a fleece and a few layers of clothing) meant he was only slightly bruised. He is now recovering in hospital. The map above shows the route he took, along a busy main road with no pavement, past an army barracks and down the fateful rutted track.

Early on Wednesday morning, I put out a frantic tweet, followed by a few others, and my first ever Facebook post, to support the social media efforts of Leicestershire Police. The response was extraordinary (I even got replies from Alison Moyet and Caroline Flack!) and I can’t thank people enough for doing this, and equally, my gratitude to those who sent me direct messages of support is unbounded. Shortly after posting these messages all my phone’s data services packed up, so any replies or updates were done by borrowing other people’s devices.

But the people who deserve the most thanks (in addition to my so supportive wife) are those who actually helped to find my father. The fantastic local police of Leicestershire and Northamptonshire, and the remarkable volunteers of the various Lowland Rescue organisations: I know there were representatives of Leicestershire, Northamptonshire, Warwickshire and Staffordshire, and if I’ve forgotten anyone, then I apologise and will happily add them [ed. a commenter below tells me there were also rescuers from Nottinghamshire, Yorkshire, Cambridgeshire and Lincolnshire!]. There was no let-up in the searches, except when deep nighttime militated against it, and the planning and coordination were tremendous. They were positive, compassionate, patient when we were impatient, and totally dedicated to finding my father. He owes his life to them, and we can’t ever thank them enough. Our family is making an appropriate donation to Lowland Rescue, and we would strongly encourage everyone to do so: what happened to us could happen to any family.

Donate to Lowland Rescue (via their site)


Filed under Personal

Dear Google…Dear ICO…

On 15 June this year I complained to Google UK. I have had no response, so I have now asked the Information Commissioner’s Office to assess the lawfulness of Google’s actions. This is my email to the ICO

Hi

I would like to complain about Google UK. On 15 June 2015 I wrote to them at their registered address in the following terms

Complaint under Data Protection Act 1998

When a search is made on Google for my name “Jonathan Baines”, and, alternatively, “Jon Baines”, a series of results are returned, but at the foot of the page a message (“the message”) is displayed:

Some results may have been removed under data protection law in Europe. Learn more

To the best of my knowledge, no results have in fact been removed.

The first principle in Schedule One of the Data Protection Act 1998 (DPA) requires a data controller to process personal data fairly and lawfully. In the circumstances I describe, “Jonathan Baines”, “Jon Baines” and the message constitute my personal data, of which you are clearly data controller.

It is unfair to suggest that some results may have been removed under data protection law. This is because the message carries an innuendo that what may have been removed was content that was embarrassing, or that I did not wish to be returned by a Google search. This is not the case. I do not consider that the hyperlink “Learn more” nullifies the innuendo: for instance, a search on Twitter for the phrase “some results may have been removed” provides multiple examples of people assuming the message carries an innuendo meaning.

Accordingly, please remove the message from any page containing the results of a search on my name Jonathan Baines, or Jon Baines, and please confirm to me that you have done so. You are welcome to email me to this effect at [redacted]

I have had no response to this letter, and furthermore I have twice contacted Google UK’s twitter account “@googleuk” to ask about a response, but have had none.

I am now asking, pursuant to my right to do so at section 42 of the Data Protection Act 1998, for you to conduct an assessment as to whether it is likely or unlikely that the processing by Google UK has been or is being carried out in compliance with the provisions of that Act.

I note that in Case C‑131/12 the Grand Chamber of the Court of Justice of the European Union held that “when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State” then “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. I also note that Google UK’s notification to your offices under section 18 of the Data Protection Act 1998 says “We process personal information to enable us to promote our goods and services”. On this basis alone I would submit that Google UK is carrying out processing as a data controller in the UK jurisdiction.

I hope I have provided sufficient information for you to begin to assess Google UK’s compliance with its obligations under the Data Protection Act 1998, but please contact me if you require any further information.

with best wishes,

Jon Baines


Filed under Data Protection, Information Commissioner

What does it take to stop Lib Dems spamming?

Lib Dems continue to breach ePrivacy law, ICO still won’t take enforcement action.

It’s not difficult: the sending of unsolicited marketing emails to me is unlawful. Regulation 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and, by extension, the first and second principles in Schedule One of the Data Protection Act 1998 (DPA) make it so. The Liberal Democrats have engaged in this unlawful practice – they know it, and the Information Commissioner’s Office (ICO) knows it, because the latter recently told the former that they have, and told me in turn

I have reviewed your correspondence and the [Lib Dem’s] website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific… As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals

But the ICO has chosen not to take enforcement action, saying to me in an email of 24th April

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

Of course I’d never suggested they take action in every case – I’d requested (as is my right under regulation 32 of PECR) that they take action in this particular case. The ICO also asked for the email addresses I’d used; I gave these over assuming it was for the purposes of pursuing an investigation but no, when I later asked the ICO they said they’d passed them to the Lib Dems in order that they could be suppressed from the Lib Dem mailing list. I could have done that if I wanted to. It wasn’t the point and I actually think the ICO were out of order (and contravening the DPA themselves) in failing to tell me that was the purpose.

But I digress. Failure to comply with PECR and the DPA is rife across the political spectrum and I think it’s strongly arguable that lack of enforcement action by the ICO facilitates this. And to illustrate this, I visited the Lib Dems’ website recently, and saw the following message

[image: the message displayed on the Lib Dems’ website]

Vacuous and vague, I suppose, but I don’t disagree, so I entered an email address registered to me (another one I reserve for situations where I fear future spamming) and clicked “I agree”. By return I got an email saying

Friend – Thank you for joining the Liberal Democrats…

Wait – hold on a cotton-picking minute – I haven’t joined the bloody Liberal Democrats – I put an email in a box! Is this how they got their recent, and rather-hard-to-explain-in-the-circumstances “surge” in membership? Am I (admittedly using a pseudonym) now registered with them as a member? If so, that raises serious concerns about DPA compliance – wrongly attributing membership of a political party to someone is processing of sensitive personal data without a legal basis.

It’s possible that I haven’t yet been registered as such, because the email went on to say

Click here to activate your account

When I saw this I actually thought the Lib Dems might have listened to the ICO – I assumed that if I didn’t (I didn’t) “click here” I would hear no more. Not entirely PECR compliant, but a step in the right direction. But no, I’ve since received an email from the lonely Alistair Carmichael asking me to support the Human Rights Act (which I do) but to support it by joining a Lib Dem campaign. This is direct marketing of a political party, I didn’t consent to it, and its sending was unlawful.

I’ll report it to the ICO, more in hope than expectation that they will do anything. But if they don’t, I think they have to accept that a continuing failure to take enforcement against casual abuse of privacy laws is going to lead to a proliferation of that abuse.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under consent, Data Protection, enforcement, Information Commissioner, marketing, PECR, spam

What a difference a day makes

Back in 2013 I blogged about a little-known (not unknown, as some commenters thought I was suggesting) oddity of the Freedom of Information Act 2000 (FOIA). This oddity is that a bank holiday falling in any part of the United Kingdom counts as a non-working-day for the purposes of FOIA. So, as January 2nd (or the nearest substitute day) is a bank holiday in Scotland, it is not a working day for the purposes of calculating the maximum timescale for compliance with a request made under FOIA, despite the fact that Scotland has its own Freedom of Information (Scotland) Act 2002.

What “bank holiday” means, according to section 10(6) of FOIA, is

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says 

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule therefore provides a number of dates which are to be considered as bank holidays.

All straightforward then? Not quite. Sections 1(2) and 1(3) of The Banking and Financial Dealings Act 1971 also provide that the Queen can effectively remove or add a bank holiday “by proclamation”. What this means has recently been considered by the First-tier Tribunal (Information Rights) (FTT), and it shows that even the Information Commissioner’s Office (ICO) can get this issue wrong sometimes. In the case, the ICO had said in its decision notice that the public authority, Monitor, had complied with its obligation to respond to a FOIA request within twenty working days, because the period involved included two bank holidays within the UK (on 14 July (Northern Ireland) and 4 August (Scotland)). However, when faced with an appeal to the FTT by the requester, the ICO faltered, and

recalculated the 20 day period and concluded that while July 14 was commemorated as the anniversary of the Battle of the Boyne for the purpose of a public holiday in Northern Ireland it was not a bank holiday and accordingly the response from Monitor had been outside the 20 day period

Not so fast, said the FTT – remember section 1(3) of the Banking and Financial Dealings Act 1971? Well, as the London Gazette records, on 14 June 2013 a proclamation was made by Her Majesty, providing that

…We consider it desirable that Monday the fourteenth day of July in the year 2014 should be a bank holiday in Northern Ireland

As the FTT said

The effect of this was to insert a bank holiday in July…accordingly [Monitor] responded within the time limit

All very arcane and abstruse, no doubt, but practitioners and requesters should note that the London Gazette records that on 18 July 2014 Her Majesty also proclaimed that 13th July 2015 would also be a bank holiday. So, for FOI requests whose normal twenty-working-day period includes the date of 13th July this year, everyone needs to bear in mind that, as hard as they may be working on that date, it is not to be counted as a FOIA working day. 
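The counting rule described above, as an added worked example (this is not the blog's own code): it computes the twentieth working day following receipt of a FOIA request, treating Saturdays, Sundays, Christmas Day, Good Friday and any bank holiday in any part of the UK as non-working days, and shows how the proclaimed 14 July 2014 Northern Ireland bank holiday moves the deadline. The request date and the holiday lists are constructed for illustration and are not the dates from the Monitor case.

```python
from datetime import date, timedelta


def easter_sunday(year: int) -> date:
    """Gregorian Easter (Meeus/Jones/Butcher algorithm); Good Friday is two days earlier."""
    a = year % 19
    b, c = divmod(year, 100)
    d, e = divmod(b, 4)
    f = (b + 8) // 25
    g = (b - f + 1) // 3
    h = (19 * a + b - d - g + 15) % 30
    i, k = divmod(c, 4)
    ell = (32 + 2 * e + 2 * i - h - k) % 7
    m = (a + 11 * h + 22 * ell) // 451
    month, day = divmod(h + ell - 7 * m + 114, 31)
    return date(year, month, day + 1)


def is_working_day(day: date, bank_holidays: set) -> bool:
    """Section 10(6) FOIA: any day other than a Saturday, a Sunday, Christmas Day,
    Good Friday, or a day that is a bank holiday in ANY part of the United Kingdom."""
    if day.weekday() >= 5 or (day.month, day.day) == (12, 25):
        return False
    if day == easter_sunday(day.year) - timedelta(days=2):
        return False
    return day not in bank_holidays


def foia_deadline(received: date, bank_holidays: set, working_days: int = 20) -> date:
    """Twentieth working day following the date of receipt (the receipt day itself
    is not counted): the last day on which a response is still in time."""
    day, counted = received, 0
    while counted < working_days:
        day += timedelta(days=1)
        if is_working_day(day, bank_holidays):
            counted += 1
    return day


def responded_in_time(received: date, responded: date, bank_holidays: set) -> bool:
    return responded <= foia_deadline(received, bank_holidays)


# Constructed data: only the bank holidays falling inside the counted window are
# listed. 4 August 2014 is the Scottish summer bank holiday; 14 July 2014 is the
# Northern Ireland bank holiday created by the proclamation of 14 June 2013.
HOLIDAYS_WITHOUT_PROCLAMATION = {date(2014, 8, 4)}
HOLIDAYS_WITH_PROCLAMATION = HOLIDAYS_WITHOUT_PROCLAMATION | {date(2014, 7, 14)}
RECEIVED = date(2014, 7, 4)  # constructed request date (a Friday), not the Monitor date

if __name__ == "__main__":
    print(foia_deadline(RECEIVED, HOLIDAYS_WITH_PROCLAMATION))  # 2014-08-05
```

With the proclaimed 14 July counted, the twentieth working day slips past the Scottish 4 August holiday to 5 August; ignoring it, the deadline is 1 August, so a 4 August response is in time under one reading and late under the other.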

But everyone should also bear in mind that, if they find this tricky, even the ICO gets confused sometimes.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under FOISA, Freedom of Information, Information Commissioner, Information Tribunal