In September of this year I blogged about a request I made to the Information Commissioner’s Office (ICO) for details of which website some personal data had been inadvertently uploaded to, by a council employee, which had led to a monetary penalty notice. I have now had the ICO’s response to my internal review. I do not have (and haven’t sought) permission to upload that response, but suffice to say it doesn’t uphold my complaint. For those of you still awake I append my response to it here:
I am reluctantly now applying to the Commissioner for a decision whether my request for information has been dealt with in accordance with the requirements of Part I of the Freedom of Information Act 2000 (FOIA).
I am of the view that you do have lawful authority to disclose the information, and, therefore, section 59(1) of the Data Protection Act 1998 (DPA) is not engaged (and by extension nor is the substantive exemption claimed: section 44 of FOIA). Before I give my reasons I would just like to clarify an error on my part: I erred in my request for internal review when I queried whether section 59(1)(c) DPA was met. What I meant was that I accepted that sections 59(1)(a-c) were met, but I doubted whether there was a lack of lawful authority for the ICO to disclose.
My reasons why I believe you do have lawful authority to disclose are substantially the same as I gave in the rest of my request for internal review. I will repeat them here for completeness’ sake:
Section 59(2)(e) says that disclosure is made with lawful authority if “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”. I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?
On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors EWHC 1084, “‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also, for instance, as you are aware, there have been many, many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.
On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment, by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N. Clark (Engineers) Ltd R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).
However, I make the following further observations.
You say “I consider that the public interest here has been largely, if not entirely, met by the issuing and publication of the Monetary Penalty Notice dated 27 August 2013, the publication of the ICO News release dated 30 August 2013, and other press coverage concerning this particular data breach and how it occurred. I do not consider that disclosure of the name of the website would further this to any significant extent”. However, these sources of information were noticeably lacking in detail about how exactly the rather bizarre and worrying circumstances described in the Monetary Penalty Notice (MPN) could have happened: automatic upload to cloud storage can happen, but normally this will be to private storage – automatic upload to a “public website” is rather alarming.
I note, in passing, some recent criticism of the level of detail, or lack of clarity, in MPNs made by the First-tier Tribunal (see para 17 of the Scottish Borders case, and, the Niebel case, effectively throughout).
I also note that you say “when considering the balance of the public interest in relation to section 59(2)(e) it has to be borne in mind that the threshold is very high because disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”. With respect, whether the Commissioner or a member of his staff might commit a criminal offence is not relevant to whether the public interest means disclosure is necessary. If disclosure is necessary section 59(1) does not apply, and no suggestion of a criminal offence can arise. Moreover, you say “unless there is ‘lawful authority’ to disclose the information, to do so would constitute a criminal offence” and “disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”, and “Releasing information of this nature without lawful authority would not only constitute a criminal offence…”: all of these omit the crucial mens rea aspect of that offence, which is that the disclosure would have to be made knowingly or recklessly.
You go on to say “There is a strong public interest in information being provided to the Commissioner in confidence, to enable him to carry out his statutory duty, remaining confidential and that this information will not be disclosed without lawful authority. Releasing information of this nature without lawful authority would not only constitute a criminal offence but would also undermine the regulatory function and powers of the ICO. It would damage public trust in the Commissioner’s processes and make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. This repeats the earlier assertions, or implications, that the information in question is “confidential” or has been “provided…in confidence”, which I continue to dispute for reasons previously given (and not controverted), and makes further assertions that disclosing such information now would “make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. There appears simply to be no basis for this “chilling effect” assertion (is there, for instance, evidence to back it up?).
Finally, I note that you say “we did consult with Aberdeen City Council and we do not have explicit consent for disclosure”. You do not say when this consultation took place, but it appears that Aberdeen at some point changed their mind on this, because on 15 October they disclosed the information to me under FOIA (see https://www.whatdotheyknow.com/request/ico_monetary_penalty_notice#outgoing-307019). Clearly, this means that I do not continue to seek disclosure. It also explains why I say I make this application reluctantly (I have no wish to have you, or me, expend time and resources unnecessarily). But I do wish to dispute that my request to you was handled according to the requirements in Part I of FOIA.
I am happy to provide any further information you might need.
With best wishes