Category Archives: police

Police, poems and FOI

In which I am inspired into literary expression by a rather bizarre ICO decision notice saying that a poem sent by a senior police officer on his mobile device is exempt from disclosure under the “personal data” provisions of the Freedom of Information Act

Mr Plod once sent friends a rhyme
Which was rumoured to be out of line
When a request was lodged
To see what it was
His bosses politely declined

Chris Graham agreed with the force
Saying “It’s personal data because
He’s easy to spot
From the words that we’ve got:
It’s exempt from disclosure, of course!”

A Tribunal may have to decide later
- As the statutory arbitrator -
If it’s rather perverse
To suggest that a verse
Can possibly be personal data.


The Public Interest in the Hillsborough Disaster

How could the Cabinet Office have originally decided the public interest favoured non-disclosure of information held about the Hillsborough Disaster?

On 15 December 2009 Alan Johnson, the then Secretary of State for the Home Department, announced that an Independent Panel would be appointed to enable disclosure of information relating to the 1989 Hillsborough disaster, and the events which followed it. The Panel would lead to

maximum possible public disclosure of governmental and other agency documentation on the events that occurred and their aftermath

As we all know, the Panel has now published an extraordinary amount of information, with a devastating covering report. It was not the Panel’s role to apportion blame for the tragedy but the disclosure has finally led to unequivocal public and political acceptance that, in the words of the Prime Minister, and despite previous despicable insinuations or outright pronouncements to the contrary

Today’s report is black and white. The Liverpool fans “were not the cause of the disaster”.

The efforts of bereaved families and those close to them in effecting this outcome can never be overstated. But a small part was attempted to be played using the Freedom of Information Act 2000. On 23 April 2009 a BBC journalist made an FOI request to the Cabinet Office for

Copies of all briefings and other information provided to Margaret Thatcher in April 1989 relating to the Hillsborough disaster [and] Copies of minutes and any other records of meetings attended by Margaret Thatcher during April 1989 at which the Hillsborough disaster was discussed.

The request was turned down. The Cabinet Office, rather than the 20 working days permitted by law, took nine months (they’re traditionally not very good at this FOI compliance thing, you must understand) to state that the information was exempt from disclosure under sections 31(1)(a), 31(1)(b), 31(1)(g) – which deal with prejudice to law enforcement – and sections 35(1)(a), 35(1)(b) and 35(1)(d) – which deal with information relating to the formulation or development of government policy, Ministerial communications and the operation of any Ministerial private office. All of these exemptions, if engaged, required consideration of whether the public interest in disclosure outweighed the public interest in maintaining the exemption. In all instances, the decision was against disclosure: the public interest did not – according to those at the Cabinet Office determining this request – favour disclosure.

On appeal the Information Commissioner disagreed. He said

 the Commissioner considers it clear that the public interest in disclosure of information relating to the Hillsborough disaster – constituting improved public knowledge and understanding of the causes of and reaction to this event (and in relation to this specific information how the Government of the day reacted) – means that the balance of the public interest favours disclosure

He did not accept the Cabinet Office’s argument that the fact that the Independent Panel had now been set up was relevant to a decision as to whether the application of the exemptions was correct

 [the Panel] did not exist at the time of the request, or within 20 working days following the receipt of the request by the public authority. This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant

Notwithstanding this, the BBC ultimately agreed to withdraw its request, given the imminence of the outcome of the Panel’s work. And now we know the truth.

The Prime Minister went on to say in his statement

 At the time of the Taylor Report [Margaret Thatcher] was briefed by her private secretary that the defensive and – I quote – ‘close to deceitful’ behaviour of senior South Yorkshire officers was ‘depressingly familiar’. And it is clear that the then government thought it right that the Chief Constable of South Yorkshire should resign. But… governments then and since have simply not done enough to challenge publicly the unjust and untrue narrative that sought to blame the fans.

Information Commissioner decisions requiring disclosure of Cabinet minutes, and similar information, have four times been subject to a ministerial veto to maintain secrecy. Was the initial refusal of the BBC’s FOI request for this Hillsborough disaster information simply reflective of a government approach which automatically seeks to exempt any Cabinet minutes from disclosure? I rather hope so, because the alternative is that officials, and ministers, thought that the public interest did not favour disclosure of information relating to what some are calling the biggest cover-up in British history.

UPDATE

I’ve been reflecting on this. I think it’s only fair to point out that, arguably, because the Cabinet Office took so long (nine months, remember) to get round to responding to the request, by the time they did so, the Independent Panel was set up. So, by that argument, the person looking at the request never actually determined that the public interest did or did not favour disclosure, until it was clear that it was going to be published in the future. The Information Commissioner did not accept that point

This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant. This situation applies regardless of the lengthy delay

and was correct in law not to, but in fairness to the Cabinet Office officials, they might have handled the request differently (by the time they got round to it) if the Independent Panel, with its remit to disclose, had not been set up.


What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to be handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework) it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper The Register gave some examples of shoulder-surfing, in addition to Bob Quick’s infamous incident

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.

*It’s difficult accurately to categorise them. For instance, a fax is both electronic and physical, and a lost hard-drive is loss of physical data, but seriousness is tied to the electronic contents of said drive.


Data Protection Obscenities

A tragic story about the suicide of a young man, and the apparent ridiculous citing of the Data Protection Act to explain why his mother was not warned.

A few years ago, Richard Thomas, the then Information Commissioner (ICO) launched a campaign to counter what were called “Data Protection Duck Outs”. It got some media attention, but I’ve always thought it suffered from sounding like the kind of phrase a “hip” teacher, or my parents, would have come up with. The ICO said

The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.

The bad-practice examples cited to illustrate the campaign were mostly light-hearted

In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.

or

In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.

Well, if the following story from thisiscornwall.co.uk is true, I have a current-day example, and I wouldn’t call it a “duck out” but an obscenity.

A man with a history of drug abuse killed himself in Camborne after being released from police custody, where he was detained under the Mental Health Act, a coroner has heard….Because of the Data Protection Act [his mother] did not know that her son had been detained and said she was powerless to help him.

The “duck out” campaign was launched because of misconceptions about the Data Protection Act 1998 (DPA). The DPA certainly has faults, but you can bet your house that when you hear someone blaming the DPA for not doing something, it is either because they have made a mistake, and are trying to cover themselves, or because they are ignorant of what the Act does and does not permit. The Cornwall story is unclear as to who allegedly cited the DPA for not informing this poor man’s mother, but, just to be clear, Schedule 3 of the Act specifically permits disclosure of sensitive personal data where

The processing is necessary…in order to protect the vital interests of the data subject or another person, in a case where…consent cannot be given by or on behalf of the data subject, or…the data controller cannot reasonably be expected to obtain the consent of the data subject.

This is before we get to considering other factors – for instance whether an appropriate adult was a requirement in this instance, and the fact that under section 56 of the Police and Criminal Evidence Act a person detained has the right to have someone informed. In which case there would certainly have been other conditions permitting disclosure (thanks to @MentalHealthCop on twitter, for pointing this out, and for alerting me to the story in the first place).

In 2004 the Bichard Inquiry report into the Soham Murders was highly critical about the misunderstandings and misinterpretations of the DPA which led to Humberside Police deleting information about Ian Huntley, and which subsequently meant that when Cambridgeshire Police ran checks on him, when he applied for a school-caretaker position, nothing came up.

The term “duck-out” doesn’t begin to describe the enormity of the mistaken decision to delete Huntley’s data, nor, if this Cornwall story is accurate, does it begin to describe the enormity of the decision – whoever might have taken it (and the story is unclear) – not to tell Daniel Carrick’s mother her son was detained. The current ICO is very keen to clamp down on serious breaches of the DPA, but these are almost exclusively concerned with the loss of, or inadvertent disclosure of, personal data. Perhaps he should also be alive to stories like this, which suggest potential tragic misconceptions and misuse of the DPA, and which really should carry the term Data Protection Fuck-Ups.


Police complaints, a databreach and a High Court injunction

I notice an interesting application in the High Court.

The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant – “person(s) unknown” – who Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which they came to be in the possession of those person(s) unknown.

 The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

 Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

 The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

 One wonders if the Information Commissioner has been informed. Inadvertent disclosure of personal data of a third party, of a kind which requires a high court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

 As several local authorities know to their cost.


Shaft? You’re damn right

There was a heartening story in the Leicester Mercury a few days ago. Journalist David MacLean praised Lynn Wyeth, Leicester City Council’s Head of Information Governance for her promotion of transparency (and her assistance in giving him “countless stories over the past two years”). The article illustrates how, when it comes to the Freedom of Information Act 2000 (FOIA), a relationship of mutual respect and openness between a public authority and the media can help both sides.

Contrast this with an item on Newbury Today’s site this morning. This is a follow-up to a recent series of FOIA requests made to police forces around the country. It appears that the Press Association asked for information relating to thefts of police property. I don’t know exactly what the request said (I don’t have a Press Association log-in, and the main release is unclear) and it has been variously reported as being specifically about thefts from police stations or simply thefts in general from the police (I rather suspect it was the latter, but if anyone can clarify this, I’d be most appreciative).

The Daily Mail highlighted that Thames Valley Police (TVP), with 90 incidents, “tops the list of crime-hit forces”. No public authority likes to be “top” of any of these types of lists, and the Newbury Today article shows TVP hitting back

…force spokesman Craig Evry…explained that the majority of the thefts took place from “trap cars” and added: “Thames Valley Police is one of several forces to use ‘trap houses’ and ‘trap vehicles.’ These are used in areas which police believe are being targeted by burglars or thieves. “When criminals break in, they could be recorded by cameras or any property taken may be remote tagged or marked with ultraviolet inks allowing police to quickly track it down. It’s a useful criminal reduction and evidence tool and criminals should realise that the home or vehicle they’re breaking into might be covered by hidden cameras. Hopefully using this technology might make them think twice about committing a crime.”

One initially wonders, why didn’t they say that in the first place? Well, they say they did:

The FoI response included the caveat: “Please note that of the above thefts recorded, all but six involved ‘trap vehicles’ deployed specifically to be targeted by offenders.”
Mr Evry said: “They simply misinterpreted the data.”

Most, if not all, FOI officers have been here. A request is received for “All the information on X”. Now, you hold this information, but, taken in isolation, it might be misinterpreted, so you add an explanation, or a disclaimer. However, for whatever reason, the disclaimer is lost in the bustle of preparing a story for print, and suddenly your nuanced explanation of the information is lost, and you are being lambasted in the press.

In fairness to the Press Association, it seems that the background details to their original story might have included TVP’s disclaimer. For instance, the Oxford Mail, writing three days before the Daily Mail, referred to it in their article. So maybe the fault is only with those media organisations who misinterpreted, or chose to misrepresent, the Press Association material. Nonetheless (and I can speak from bitter experience here) journalists may want to ask themselves whether the helpfulness of FOI officers might be inversely related to the likelihood of their getting shafted as a result of that helpfulness.
