The best books… are those that tell you what you know already…
Big Brother Watch (BBW) is a campaigning organisation, a spin-off from the right-wing lobby group The Taxpayers’ Alliance, described as a “poorly disguised Conservative front”, a large part of whose funds come “from wealthy donors, many of whom are prominent supporters of the Conservative party“. To an extent, that doesn’t matter to me: BBW has done a lot to highlight privacy issues which chime with some of my own concerns – eg excessive use of CCTV, biometrics in schools – but regularly they rail against local authority “databreaches” in a way I think is both unhelpful and disingenuous.
The latest example is a report issued this week (on 11th August 2015) entitled “A Breach of Trust – how local authorities commit 4 data breaches every day”. Martin Hoskins has already done an excellent job in querying and critiquing the findings
At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.
BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.
But plenty of media outlets have already uncritically picked the report up and run stories such as the BBC’s “Council data security ‘shockingly lax'” and the Mail’s “Councils losing personal data four times a day”. Local news media also willingly ran stories about their local councils’ data.
However, my main criticism of this BBW report is a fundamental one: their methodology was so flawed that the results are effectively worthless. Helpfully, although at the end of the report, they outline that methodology:
A Freedom of Information request was sent to all local authorities beginning on the 9th June 2014.
We asked for the number of individuals that have been convicted for breaking the Data Protection Act, the number that had had their employment terminated as the result of a DPA breach, the number that were disciplined internally, the number that resigned during proceedings and the number of instances where no action was taken.
The FOI request itself asked for
a list of the offences committed by the individual in question
The flaw is this: individuals within an organisation can not, in general terms “break” or “breach” the Data Protection Act 1998 (DPA). An employee is a mere agent of his or her employer, and under the DPA the legal person with the general obligations and liabilities is the “data controller”: an employee of an organisation does not have any real status under the DPA – the employer will be the “person who determines the purposes for which and the manner in which personal data are processed”, that is, the data controller. An individual employee could, in specific terms, “break” or “breach” the DPA but only if they committed an offence under section 55, of unlawfully obtaining etc. personal data without the consent of the data controller. There is a huge amount of confusion, and sloppy thinking, when it comes to what is meant by a data protection “breach”, but the vast majority of the incidents BBW report on are simply incidents in which personal data has been compromised by the council in question as data controller. No determination of whether the DPA was actually contravened will have been made (if only because the function of determining whether the Act has been contravened is one which falls to the Information Commissioner’s Office, or the police, or the courts). And if BBW wanted a list of offences committed, that list would be tiny.
To an extent, therefore, those councils who responded with inaccurate information are to blame. FOI practitioners are taught (when they are well taught) to read a request carefully, and where there is uncertainty or ambiguity, to seek clarification from the requester. In this instance, I did in fact advise one local authority to do so. Regrettably, rather than clarifying their request, BBW chose not to respond, and the council is listed in the report as “no response received”, which is both unfair and untrue.
I am not saying that data security and data protection in councils is not an area of concern. Indeed, I am sure that in some places it is lax. But councils deal with an enormous amount of sensitive personal data, and mistakes and near misses will sometimes happen. Councils are encouraged to (and should be applauded for) keeping registers of such incidents. But they shouldn’t disclose those registers in response to ill-informed and badly worded FOI requests, because the evidence here is that they, and the facts, will be misleadingly represented in order to fit a pre-planned agenda.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.