I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.
My attention was recently drawn to the existence of sensitive personal data being made available online. Google’s bots are brute things, and will effectively cache anything they can, such as data exposed by an unsecured ftp server, and that is what appears to have happened in this case. I looked at the names of the files and folders exposed, and I felt very uncomfortable. I don’t want to see this information, and the people involved certainly wouldn’t want me to. Furthermore, neither would the data controller – a voluntary service organisation. And section 55 of the Data Protection Act 1998 (DPA) creates, in terms, an offence of obtaining personal data knowingly, without the consent of the data controller. Admittedly, if one does so and it is justified as in the public interest, then the elements of the offence are not made out, but my feeling was very much that, having seen very briefly the extent of the inadvertent exposure, I should go so far, and no further.
But what to do then? The short answer, is, to alert the data controller and refer the matter to the Information Commissioner’s Office (ICO). The ICO’s duties are to regulate and enforce the DPA, and promote the following of good practice by data controllers. Although their website is predicated on the basis that a person reporting a concern will have a direct interest in the situation, it is still possible to report a third party concern. However, when I recently reported the fact that a local authority was exposing huge amounts of personal data as open data, firstly, the case officer could not understand why the data in question allowed individuals to be identified, and secondly, asked me to explain why, by providing screenshots. (I should add that I never received a reply from the local authority.) And I know of two other people who have been asked by the ICO to provide specific and detailed examples, such as screenshots, of exposed personal data. The problem with this is that it is dragging concerned third parties directly into potential illegality: taking and emailing screenshots of personal data is processing, without the consent of the data controller, and will (or should) involve encryption (although the ICO doesn’t appear to offer this to third parties) and issues about retention. I’m not suggesting that people will be prosecuted for doing a beneficial civic act, but it is far from ideal.
As always, I understand and accept that the ICO is woefully underfunded. They can only afford to pay new case officers about £4.5k above the annual minimum wage, but I do think they should have a system in place for people to report serious exposures of personal data, and for these reports to be treated and investigated with some urgency. In my recent “open data” case, I didn’t receive any acknowledgment of receipt of my concerns (other than an automated one indicating my email had been received) and the case officer, when I did get a reply, rather impatiently explained that their service standards mean “that if you have reported a concern to us you can expect to receive a response within 30 days”. But I noted that the MS Word doc. that was sent to me was called “ICO to DS raising concerns”. I presume “DS” means “data subject”, but, of course, that is not what I was in this case. A data subject raising concerns is, in the vast majority of cases, not going to be reporting the public exposure of large amounts of sensitive personal data (most often they will be complaining about a discrete incident involving their own data).
I have spoken to people who have reported what were quite clearly horrendous exposures of personal data, but by the time the ICO looked at the case the problem had either been rectified by the data controller, or, for instance, the Google cache links had expired. Of course, that is good on one view, but when it comes to the ICO’s regulatory role, it effectively means that delays in considering these reports allow evidence of serious contraventions by data controllers to be erased.
Almost a year ago I was alerted to a horrendous exposure of highly sensitive personal data (I understand that, again, an unsecured ftp server was to blame). And I remember the frustration and consternation that I and others felt at the apparent delay by Newcastle Citizen’s Advice Bureau in getting the data removed from the web. I’m rather amazed we never heard anything from the ICO about that incident – did they complete their investigation? did they take action? if not, how on earth did the CAB manage to persuade them there wasn’t a serious DPA contravention warranting enforcement action? And, as far as I know, the CAB branch never acknowledged what had happened, nor apologised for it, nor thanked those who had alerted them to the situation.
There are many expert and well-informed people who are prepared to alert data controllers and the ICO to potentially harmful exposures of personal data. Could there not be some sort of priority alert system? (If necessary, it could be through some sort of “trusted third-party” list.) If data controllers, but particularly if the ICO, are not willing to embrace the sort of public-spiritedness which identifies and alerts them to exposures of personal data, then it’s a poor lookout for data subjects.
informationrightsandwrongs 
The Commissioner needs to decide what their purpose is, and then stick to it. Their announcement of a new approach to casework in April signalled that they don’t want to be an Ombudsman – those who complain to the ICO might well not get a formal response if the ‘concern’ they raise doesn’t pique the Wilmslow’s interest. However, their refusal to comprehend that anyone else but an affected Data Subject might legitimately raise a concern fatally undermines any attempt they might be making to be a proper regulator. In the end, the ICO’s DP role might be reduced to making mediocre assessments in a small number of cases, and fining errant public sector bodies for losing stuff. In which case, why bother having an ICO at all?
I would strongly agree with the sentiment, but even being such an ‘affected data subject’ doesn’t seem to do much good when complaining.
I’ve sent in complaints before, and one of them was when I realised that my mobile phone company was sharing each HTTP request made through their network with a US company with the servers also physically located within the US (Bluecoat). This was supposedly done for the purpose of filtering.
It didn’t seem to be needed in the first place if that really was their intent, and SSL completely neutered any advantage. It might also be worth contrasting what went on with government assertions that any surveillance is acceptable if it involves communications to or from other countries, and think for a moment how that would impact on purely domestic communications if they were all being sent abroad anyway.
But I digress…
Since each URL being requested could easily contain PII it would not seem unreasonable – in my opinion at any rate – for the likes of the ICO to take an interest in this.
Their conclusion seemed to be that it was sufficient for it to be buried in the terms and conditions of the contract (and even this was vague and could have been interpreted in more than one way).
In addition the way in which the reply was phrased left me with the distinct impression that they thought the onus should be on me to prove that the behaviour of the phone company had caused me harm rather than for them to enforce the DPA as a matter of course.
Of course that sort of reaction is nothing new. Part of the reason the CPS dropped any action against BT for their secret Phorm trials was that there was ‘no criminal intent’ (a wonderful phrase that I suspect they would never allow to be applied against any single member of the general public)
Complaints from 3rd parties were previously logged separately and started with a “COM” (Compliance) prefix as opposed to the more common RFA (Request For Assessment), although I understand that has now changed. However, the website/complaint form is no doubt aimed at affected data subjects because that’s where the overwhelming majority of complaints come from.
As reflected by your own experience, that doesn’t equate to a “refusal to comprehend that anyone else but an affected Data Subject might legitimately raise concern” and therefore certainly does not “fatally undermine any attempt they might be making to be a proper regulator”.
Pingback: Helping the ICO with databreach alerts? | informationrightsandwrongs