Author Archives: Jon Baines

March 27, 2015 · 3:02 pm

Vidal-Hall v Google, and the rise of data protection ambulance-chasing

Everyone knows the concept of ambulance chasers – personal injury lawyers who seek out victims of accidents or negligence to help/persuade the latter to make compensation claims. With today’s judgment in the Court of Appeal in the case of Vidal-Hall & Ors v Google [2015] EWCA Civ 311 one wonders if we will start to see data protection ambulance chasers, arriving at the scene of serious “data breaches” with their business cards.

This is because the Court has made a definitive ruling on the issue, discussed several times previously on this blog, of whether compensation can be claimed under the Data Protection Act 1998 (DPA) in circumstances where a data subject has suffered distress but no tangible, pecuniary damage. Section 13 of the DPA provides that

(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)the individual also suffers damage by reason of the contravention

This differs from the wording of the European Data Protection Directive 95/46/ec, which, at Article 23(1) says

Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered

It can be seen that, in the domestic statutory scheme “distress” is distinct from “damage”, but in the Directive, there is just a single category of “damage”. The position until relatively recently, following Johnson v Medical Defence Union [2007] EWCA Civ 262, had been that it meant pecuniary damage, and this in turn meant, as Buxton LJ said in that case, that “section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered”. So, absent pecuniary damage, no compensation for distress was available (except in certain specific circumstances involving processing of personal data for journalistic, literary or artistic purposes). But, this, said Lord Dyson and Lady Justice Sharp, in a joint judgment, was wrong, and, in any case, they were not bound by Johnson because the relevant remarks in that case were in fact obiter.  In fact, they said, section 13(2) DPA was incompatible with Article 23 of the Directive:

What is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA

As Christopher Knight says, in a characteristically fine and exuberant piece on the Panopticon blog, “And thus, section 13(2) was no more”.

And this means a few things. It certainly means that it will be much easier for an aggrieved data subject to bring a claim for compensation against a data controller which has contravened its obligations under the DPA in circumstances where there is little, or no, tangible or pecuniary damage, but only distress. It also means that we may well start to see the rise of data protection ambulance chasers – the DPA may not give rise to massive settlements, but it is a relatively easy claim to make – a contravention is often effectively a matter of fact, or is found to be such by the Information Commissioner, or is conceded/admitted by the data controller – and there is the prospect of group litigation (in 2013 Islington Council settled claims brought jointly by fourteen claimants following disclosure of their personal data to unauthorised third parties – the settlement totalled £43,000).

I mentioned in that last paragraph that data controller sometimes concede or admit to contraventions of their obligations under the DPA. Indeed, they are expected to by the Information Commissioner, and the draft European General Data Protection Regulation proposes to make it mandatory to do so, and to inform data subjects. And this is where I wonder if we might see another effect of the Vidal-Hall case – if data controller know that by owning up to contraventions they may be exposing themselves to multiple legal claims for distress compensation, they (or their shareholders, or insurers) may start to question why they should do this. Breach notification may be seen as even more of a risky exercise than it is now.

There are other interesting aspects to the Vidal-Hall case – misuse of private information is, indeed, a tort, allowing service of the claims against Google outside jurisdiction, and there are profound issues regarding the definition of personal data which are undecided and, if they go to trial, will be extremely important – but the disapplying of section 13(2) DPA looks likely to have profound effects for data controllers, for data subjects, for lawyers and for the landscape of data protection litigation in this country.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

17 Comments

Filed under Breach Notification, damages, Data Protection, Directive 95/46/EC, GDPR, Information Commissioner

Tagged as , ,

March 25, 2015 · 12:08 pm

A data protection justice gap?

On the 4th March the Supreme Court handed down judgment in the conjoined cases of Catt and T v Commissioner of Police of the Metropolis ([2015] UKSC 9). Almost unanimously (there was one dissenting opinion in Catt) the appeals by the Met were allowed. In brief, the judgments held that the retention of historical criminal conviction data was proportionate. But what I thought was particularly interesting was the suggestion (at paragraph 45) by Lord Sumption (described to me recently as “by far the cleverest man in England”) that T‘s claim at least had been unnecessary:

[this] was a straightforward dispute about retention which could have been more appropriately resolved by applying to the Information Commissioner. As it is, the parties have gone through three levels of judicial decision, at a cost out of all proportion to the questions at stake

and as this blog post suggests, there was certainly a hint that costs might flow in future towards those who choose to litigate rather than apply to the Information Commissioner’s Office (ICO).

But I think there’s a potential justice gap here. Last year the ICO consulted on changing how it handled concerns from data subjects about handling of their personal data. During the consultation period Dr David Erdos wrote a guest post for this blog, arguing that

The ICO’s suggested approach is hugely problematic from a rule of law point of view. Section 42 of the Data Protection Act [DPA] is crystal clear that “any person who is, or believes himself to be, directly affect by any processing of personal data” may make a request for assessment to the ICO “as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions” of the Act. On receiving such a request the Commissioner “shall make an assessment” (s. 42 (1)) (emphasis added). This duty is an absolute one

but the ICO’s response to the consultation suggested that

We are…planning to make much greater use of the discretion afforded to us under section 42 of the legislation…so long as a data controller has provided an individual with a clear explanation of their processing of personal information, they are unlikely to need to describe their actions again to us if the matter in question does not appear to us to represent a serious issue or we don’t believe there is an opportunity for the data controller to improve their information rights practice

which is problematic, as section 42 confers a discretion on the ICO only as to the manner in which an assessment shall be made. Section 42(3) describes some matters to which he may have regard in determining the manner, and these include (so are not exhaustive) “the extent to which the request appears to him to raise a matter of substance”. I don’t think “a matter of substance” gets close to being the same as “a serious issue”: a matter can surely be non-serious yet still of substance. So if the discretion afforded to the ICO under section 42 as to the manner of the assessment includes a discretion to rely solely on prior correspondence between the data controller and the data subject, this is not specified in (and can only be inferred from) section 42.

Moreover, and interestingly, Article 28(4) of the European Data Protection Directive, which is transposed in section 42 DPA, confers no such discretion as to the manner of assessment, and this may well have been one of the reasons the European Commission began protracted infraction proceedings against the UK (see Chris Pounder blog posts passim).

Nonetheless, the outcome of the ICO consultation was indeed a new procedure for dealing with data subjects’ concerns. Their website now says

Should I raise my concern with the ICO?

If the organisation has been unable, or unwilling, to resolve your information rights concern, you can raise the matter with us.  We will use the information you have provided, including the organisation’s response to your concerns, to decide if your concern provides an opportunity to improve information rights practice.

If we think it does provide that opportunity, we will take appropriate action

“Improving information rights practice” refers to the ICO’s general duties under section 51 DPA, but what is notable by its absence there, though, is any statement that the ICO’s general duty, under section 42, to make an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the DPA.

Lord Sumption in Catt (at 34) also said that “Mr Catt could have complained about the retention of his personal data to the Information Commissioner”. This is true, but would the ICO have actually done anything? Would it have represented a “serious issue”? Possibly not  – Lord Sumption describes the background to Mrs T’s complaints as a “minor incident” and the retention of her data as a “straightforward dispute”. But if there are hints from the highest court of the land that bringing judicial review proceedings on data protection matters might results in adverse costs, because a complaint to the ICO is available, and if the ICO, however, shows reluctance to consider complaints and concerns from aggrieved data subjects, is there an issue with access to data protection justice? Is there a privacy justice gap?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Data Protection, Directive 95/46/EC, Information Commissioner

Tagged as , , ,

March 5, 2015 · 2:09 pm

Parties, party leaders and data protection registration

UPDATE 24.03.15 The ICO has confirmed to me that none of George Galloway, the Respect Party and Nigel Farage has an entry on the statutory register of data controllers (section 19 of the Data Protection 1998 refers). Might they, therefore, be committing a criminal offence? Natalie Bennett, not being an elected representative, does not necessarily need to register. END UPDATE

George Galloway, the Respect Party, Nigel Farage and Natalie Bennett all appear not to have an entry in the ICO’s online register of data controllers. Failure to have an entry in the actual register constitutes a criminal offence if no exemption can be claimed.

I’ve written before on the subject of politicians and notification under the Data Protection Act 1998 (DPA). To recap:

Section 17 of the DPA states in broad terms that a data controller (a person who solely or jointly “determines the purposes for which and the manner in which any personal data are, or are to be, processed”) must not process personal data unless “an entry in respect of the data controller is included in the register maintained by the [Information] Commissioner” (IC) or unless a relevant exemption to registration applies. Accordingly (under section 18) a relevant data controller must make a notification to the IC stating (again in broad terms) what data it is processing and for what purposes, and must pay a fee of either £35 or £500 (depending on the size of the organisation which is the controller). Section 19 describes the register itself and also provides that registration lasts for twelve months, after which a renewed notification must be made, with payment of a further fee.

Section 21 creates an offence the elements of which will be made out if a data controller who cannot claim an exemption processes personal data without an entry being made in the register. Thus, if a data controller processes personal data and has not notified the IC either initially or at the point of renewal, that controller will be likely to have committed a criminal offence (there is a defence if the controller can show that he exercised all due diligence to comply with the duty).

Political parties, and members of parliaments process personal data (for instance of their constituents) in the role of data controller, and cannot avail themselves of an exemption. Thus, they have an obligation to register, and thus it is, for example, that the Prime Minister has this entry in the register

Untitled

and so it is that Stuart Agnew, UKIP Member of the European Parliament, has this entry

Untitled2

and so it is that the Liberal Democrats have this entry

Untitled2

(all the entries have more information in them than those screenshots show).

But, as I have written before, not all politicians appear to comply with these legal obligations under the DPA. And this morning I noticed lawyer Adam Rose tweeting about the fact that neither George Galloway MP, nor his Respect Party appeared to have an entry on the IC register. This certainly seems to be the case, and I took the opportunity to ask Mr Galloway whether it was correct (no response as yet). It is also worth noting that back in 2012 the IC stated that

it appears that the Respect Party has not notified under the DPA at any time since its formation in November 2004….[this has] been brought to the attention of our Non-Notification Team within our Enforcement Department. They will therefore consider what further action is appropriate in the circumstances

It must be born in mind, however, that non-appearance on the online searchable register is not proof of non-appearance on the actual register. The IC says

It is updated daily. However, due to peaks of work it may be some time before new notifications, renewals and amendments appear in the public register. Please note data controllers are deemed notified from the date we receive a valid form and fee. Therefore the fact that an entry does not appear on the public register does not mean that the data controller is committing a criminal offence

Nonetheless, the online register is there for a purpose – it enables data subjects to get reassurance that those who process their personal data do so lawfully. Non-appearance on the online register is at least cause for concern and the need for clarification from the IC and/or the data controller.

And it is not just Mr Galloway and the Respect Party who don’t appear on the online register. I checked for registrations for some of the other main party leaders: David Cameron, Ed(ward) Miliband and Nick Clegg all have registrations, as do Nicola Sturgeon and Peter Robinson, but Nigel Farage, Leader of UKIP and Natalie Bennett, Leader of the Green Party appear not to.

At all times, but especially in the run up to the general election, voters and constituents have a right to have their personal information handled lawfully, and a right to reassurances from politicians that they will do so. For this reason, it would be good to have clarification from Mr Galloway, the Respect Party, Mr Farage and Ms Bennett, as to why they have no entry showing in the IC’s online register. And if they do not have an entry in the register itself, it would be good to have clarification from the IC as to what action might be taken.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, Information Commissioner

Tagged as , ,

March 4, 2015 · 4:26 pm

A cookie for your health problems

Imagine this. You enter a shop (let’s call it Shop A) to browse, and you look at an item of interest (let’s call it Item Q). While you do so, an unbeknown to you, a shop assistant places a sticker on your back, revealing that you looked at this item, and when and where. You leave and a few days later enter another shop, where a shop assistant says “I understand a few days ago you were interested in Item Q, here are some similar items you might be interested in”.

You might initially think “how helpful”, but afterwards you might start to wonder how the second shop knew about your interest, and to think that it’s a bit off that they seemed to have been able to track your movements and interests.

But try this as well. You go to your doctor, because you’re concerned about a medical condition – let’s say you fear you may have a sexually transmitted disease. As you leave the doctor secretly puts a sticker on your back saying when and where you visited and what you were concerned about. You later visit a pharmacy to buy your lunch. While you queue to pay an assistant approaches you and says openly “I understand you’ve been making enquiries recently about STDs – here are some ointments we sell”.

The perceptive reader may by now have realised I am clunkily trying to illustrate by analogy how cookies, and particularly tracking cookies work. We have all come to curse the cookie warning banners we encounter on web sites based in Europe, but the law mandating them (or at least mandating the gaining of some sort of consent to receive cookies) was introduced for a reason. As the Article 29 Working Party of European Data Protection Authorities noted in 2011

Many public surveys showed, and continue to show, that the average internet user is not aware that his/her behaviour is being tracked with the help of cookies or other unique identifiers, by whom or for what purpose. This lack of awareness contrasts sharply with the increasing dependence of many European citizens on access to internet for ordinary everyday activities

The amendments to the 2002 EC Directive, implemented in domestic law by amendment regulations to the The Privacy and Electronic Communications (EC Directive) Regulations 2003 aimed to ensure that there was “an adequate level of privacy protection and security of personal data transmitted or processed in connection with the use of electronic communications networks” (recital 63). And Article 5 of the Directive specified that

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC [the 1995 Data Protection Directive], inter alia, about the purposes of the processing

Of course, the requirement that users of electronic communications networks should give consent to the storing of or gaining access to information stored in their terminal equipment (i.e. that they should consent to the serving of cookies) has not been an easy one to implement, and even the Information Commissioner’s Office’s in 2013 rowed back on attempts to gather explicit consent, claiming that there was now no need because people were more aware of the existence of cookies. But I made what to me was an interesting observation recently when I was asked to advise on a cookie notice for a private company: it appeared to me, as I compared competitors’ sites, that those which had a prominent cookie banner warning actually looked more professional than those that didn’t. So despite my client’s wariness about having a banner, it seemed to me that, ironically, it would actually be of some professional benefit.

I digress.

Just what cookies are and can achieve is brought sharply home in a piece on the Fast Company website, drawing on the findings of a doctoral research student at the University of Pennsylvania. The paper, and the article, describe the use of web analytics, often in the form of information gathered from tracking cookies, for marketing in the health arena in the US. Tim Libert, the paper’s author discovered that

over 90% of the 80,000 health-related pages he looked at on the Internet exposed user information to third parties. These pages included health information from commercial, nonprofit, educational, and government websites…Although personal data is anonymized from these visits, they still lead to targeted advertisements showing up on user’s computers for health issues, as well as giving advertisers leads (which can be deciphered without too much trouble) that a user has certain health issues and what issues those are

The US lacks, of course, federal laws like PECR and the DPA which seek – if imperfectly – to regulate the use of tracking and other cookies. But given that enforcement of the cookie provisions of PECR is largely non-existent, are there similar risks to the privacy of web users’ health information in the UK?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, cookies, Data Protection, PECR

Tagged as , ,

March 3, 2015 · 3:10 pm

ACPO: contractor’s error, or data controller’s liability?

I blogged a week or so ago about the worrying fact that the Association of Chief Police Officers (ACPO) were encouraging people to send sensitive personal data over an unsecure HTTP connection.

 a tweet…by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection. This is such a basic data security measure that it’s difficult to understand how it has happened…

Well now, thanks to Dan Raywood of ITSecurity Guru, we have a bit more information about how it did happen. Dan had to chase ACPO several times for a comment, and eventually, after he had run the story, they came back to him with the following comment:

The ACPO Criminal Records Office (ACRO) became aware of the situation concerning the provision of personal data over a HTTP rather than a encrypted HTTPS connection on Tuesday February 24. This was caused by a contractual oversight. The Information Commissioner was immediately advised. The secure HTTPS connection was restored on February 25. We apologise for this matter.

It’s good to know that they acted relatively quickly to secure the connection, although one is rather led to wonder whether or when – had not Paul Moore raised the alert – ACPO would have otherwise noticed the problem.

But there is potentially a lot of significance in the words “caused by a contractual oversight”. If ACPO are saying that a contractor is responsible for the website, and that it was the contractor’s error which caused the situation, they should also consider the seventh data protection principle in the Data Protection Act 1998 (DPA), which requires a data controller (which ACPO is, in this instance) to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

but also

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a)choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b)take reasonable steps to ensure compliance with those measures

What this means is that a failure to choose a data processor with appropriate security guarantees, and a failure to make sure the processor complies with those guarantees, can mean that the data controller itself is liable for those failings. If the failings are of a kind likely to cause substantial damage or substantial distress, then there is potential liability to a monetary penalty notice, to a maximum of £500,000, from the Information Commissioner’s Office (ICO).

In truth, the ICO is unlikely to serve a monetary penalty notice solely because of the likelihood of substantial damage or substantial distress – it is much easier to take enforcement action when actual damage or distress has occurred. Nonetheless, one imagines the ICO will be asking searching questions about compliance with the contract provisions of the seventh principle.

Thanks to IT Security Guru for permission to use the ACPO quote. Their story can be seen here.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, Data Protection, data security, Information Commissioner, police

Tagged as , ,

March 3, 2015 · 12:44 pm

Attend ICO DP conference, get unsolicited marketing from a hotel…

I greatly enjoyed yesterday’s (2 March 2015) Data Protection Practitioner Conference run by the Information Commissioner’s Office. I was representing NADPO on our stand, and the amount of interest was both gratifying and illustrative of the importance of having a truly representative body for professionals working in the field of information rights. NADPO were at pains – in running our prize draw (winners picked at random on stage by Information Commissioner Christopher Graham) – to make sure we let participants know what would or would not happen with their details. Feedback from delegates about this was also positive, and I’m pleased at least one privacy professional picked up on it.  Therefore the irony of the following events is not lost on me.

I’d stayed overnight on Sunday, in a Macdonald hotel I booked through the agency Expedia. Naturally, I’m not one to encourage the sending to me of direct electronic marketing, and as the unsolicited sending of such marketing is contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 I didn’t expect to receive any, either from the agent or the hotel. Yet yesterday I did receive some, from the hotel group. So I’ve sent them this complaint:

I booked the hotel through your agent, Expedia.co.uk. As a professional working in the field of privacy and data protection I always make sure I opt out of any electronic marketing. Hence, when making my booking, I checked the Expedia box which said

“Check the box if you do not want to receive emails from Expedia with travel deals, special offers, and other information”.

However, I also consulted their privacy policy, which says:

“Expedia.co.uk may share your information with [suppliers] such as hotel, airline, car rental, and activity providers, who fulfill your travel reservations. Throughout Expedia.co.uk, all services provided by a third-party supplier are described as such. We encourage you to review the privacy policies of any third-party travel supplier whose products you purchase through Expedia.co.uk. Please note that these suppliers also may contact you as necessary to obtain additional information about you, facilitate your travel reservation, or respond to a review you may submit.”

I then consulted Macdonald Hotels’ privacy policy, but this seems to relate only to your website, and is silent on the use of clients’ data passed on by an agent.

Accordingly, I cannot be said to have consented to the sending by you to me of electronic marketing. Yet yesterday at 13.07 I received an email saying “Thank you for registering with Macdonald Hotels and Resorts…As a member of our mailing list you will shortly start to receive [further unsolicited electronic marketing].”

Ironically enough, I was in Manchester to attend the annual Data Protection Practitioners’ Conference run by the Information Commissioner’s Office (ICO). As you will be aware, the ICO regulates compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Before I raise a complaint with the ICO I would appreciate a) your removing me from any marketing database b) not receiving any further unsolicited marketing, and c) receiving your comments regarding your apparent breach of your legal obligations.

Each instance of unsolicited marketing is at best one of life’s minor irritants, but I have concerns that, because of this, some companies treat compliance with legal obligations as, at best, a game in which they try to trick customers into agreeing to receiving marketing, and at worst, as unnecessary. It may be that I received this particular unsolicited marketing from Macdonald Hotels by mistake (although that in itself might raise data protection concerns about the handling of and accuracy of customer data) but it happens too often. The media have rightly picked up on the forthcoming changes to PECR which will make it easier for the ICO to take enforcement actions regarding serious contraventions, but, sadly, I don’t see the lower level, less serious contraventions, decreasing.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

Tagged as , , ,

February 23, 2015 · 7:25 am

ACPO encourage the sending of identity documents over insecure connection

ACPO – the Association of Chief Police Officers – are inviting people to send online data protection subject access request including copies of proof of identity, such as passports or bank statements over an insecure http connection. This is almost certainly in breach of ACPOs obligations under the Data Protection Act.

One of the most important rights under data protection law is that of “subject access”. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it. It was, for instance, through exercise of this subject access right that six journalists recently discovered that they were on the National Domestic Extremism and Disorder Intelligence database. The DPA recognises the importance of this right by enshrining it in its Schedule One Principles – the sixth principle obliges data controllers to process personal data in accordance with data subjects’ rights under the Act.

The following principle – the seventh – is the one which deals with data security, and it requires data controllers to have appropriate measures in place to safeguard against loss of personal data. The Information Commissioner’s Office (ICO) explains why this is important:

Information security breaches may cause real harm and distress to the individuals they affect – lives may even be put at risk. Examples of the harm caused by the loss or abuse of personal data (sometimes linked to identity fraud) include
– fake credit card transactions;
– witnesses at risk of physical harm or intimidation;
– offenders at risk from vigilantes;
– exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence…

But a tweet yesterday (22.02.15) by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection.

image1

This is such a basic data security measure that it’s difficult to understand how it has happened – and to confirm their identity people are being encouraged to send highly confidential documents, such as passports, over an unsecure connection. The ICO points out that

Failure to provide the first assurance (encryption) means that any sensitive information transmitted will be viewable via any computer system on the route between the two systems

At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping. The ICO was copied in to subsequent tweets, and it will be interesting to see what action they take.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, data security, Information Commissioner, police

Tagged as , , ,

February 13, 2015 · 3:41 pm

Praise where it’s due, but the senior people aren’t listening

A few months ago I had to attend a clinic at a large hospital (nothing embarrassing, nothing serious, but I’m not going to disclose my sensitive personal data). Said hospital is, as are so many these days, crumbling under a lack of resources. In the past I’ve been to other clinics at the same hospital and been concerned to note that they are often run from areas that are little better than corridors, with no real physical data security measures in place – files left out on tables, computer screens open to view by bystanders etc.

However, on this occasion as I approached the healthcare assistant – let’s call her “Anne” – who appeared to be running the clinic (sure enough effectively in a corridor), I notice she kept the clinic list carefully shielded from my eyes, and when I gave my name she retrieved my file from a row of all the others hidden under a long strip of blue hospital paper (you know, the stuff on big rolls like kitchen towels).

I said how impressed I was at her simple but effective attempt to protect patient confidentiality under difficult circumstances, and said I was chairman of NADPO so knew a bit whereof I spoke. A little bit later Anne called me from my seat and I thought it was to take me to my appointment. However, she took me to her manager, and they explained that Anne had previously been criticised by one of the clinic consultants, who felt the blue paper was inconveniencing him, and who would at times remove it and throw it away.

So, I thought I’d write a letter – to the Chief Executive of the NHS Trust, copied to its Medical Records Manager, and Anne herself – praising her actions.

I completely forgot about it but yesterday out of nowhere received a card. It was from Anne saying that she’d received my copy letter, although she hadn’t heard from anyone else (not the Chief Executive nor the Medical Records Manager). She said that the letter was the nicest thing that had happened to her at work in 16 years.

I think this illustrates several things: 1) the NHS, and the public sector in general, are overstretched and confidentiality is potentially compromised as a result, 2) even in times of austerity low-cost information security measures can be effectively implemented, 3) sometimes people lower down are frustrated by, or even undermined by, those above them, 4) compliments are enormously valuable, and too rarely offered.

But there’s one final point. Anne had said in her card to me “I hope [the Chief Executive] wrote and thanked you”. Well no, she didn’t. And nor did the Medical Records Manager nor anyone else in the Hospital Trust. Only Anne had the courtesy to do so, and she was not the one who the message needed to get through to. I’d like to name (and slightly shame) the Trust, but I’d then identify “Anne”, and I don’t want to do that.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Confidentiality, Data Protection, NHS

Tagged as ,

February 11, 2015 · 4:03 pm

What’s happening with changes to anti-spam laws?

In October last year the Department for Culture Media and Sport (DCMS) announced a consultation to lower, or even remove, the threshold for the serving financial penalties on those who unlawfully send electronic direct marketing. I wrote at the time that

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge

The Information Commissioner’s Office (ICO) and DCMS both seemed at the time to be keen to effect the necessary legislative changes to amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) so that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, either a serious contravention alone of PECR, or a serious contravention likely to cause annoyance, inconvenience or anxiety, could give rise to a monetary penalty without the need to show – as now – likely substantial damage or substantial distress.

However, today, the Information Commissioner himself, Christopher Graham, gave vent to frustrations about delay in bringing about these changes:

Time and time again the Government talks about changing the law and clamping down on this problem, but so far it’s just that – talk. Today they are holding yet another roundtable to discuss the issue, and we seem to be going round in circles. The Government need to lay the order, change the law and bring in a reform that would make a real difference

So what has happened? Have representatives of direct marketing companies lobbied against the proposals? It would be interesting to know who was at today’s “roundtable” and what was said. But there was certainly an interesting tweet from journalist Roddy Mansfield. One hopes a report will emerge, and some record of the meeting.

One wonders why – if they are – marketing industry bodies might object to the proposed changes. The financial penalty provisions would only come into play if marketers failed to comply with the law. Spammers would get punished – the responsible companies would not.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Information Commissioner, marketing, monetary penalty notice, PECR, spam texts

Tagged as , , , ,

February 10, 2015 · 5:15 pm

A bad day in court

If the Information Commissioner (IC) reasonably requires any information for the purpose of determining whether a data controller has complied or is complying with the data protection principles, section 43 of the Data Protection Act 1998 (DPA) empowers him to serve a notice on the data controller requiring it to furnish him with specified information relating to compliance with the principles. In short, he may serve an “information notice” on the data controller which requires the latter to assist him by providing relevant information. A data controller has a right of appeal, to the First-tier Tribunal (Information Rights) (FTT), under section 48 DPA.

These provisions have recently come into play in an appeal by Medway Council of an IC Information Notice. That it did not go well for the former is probably rather understating it.

It appears that, back in 2012, Medway had a couple of incidents in which sensitive personal data, in the form of special educational needs documents, was sent in error to the wrong addresses. Medway clearly identified these as serious incidents, and reported themselves to the IC’s Office. By way of part-explanation for one of incidents (in which information was sent to an old address of one of the intended recipients), they pointed to “a flaw in the computer software used”.  Because of this explanation (which was “maintained in detail both in writing and orally”) the ICO formed a preliminary view that there had been a serious contravention of the seventh data protection principle (which is, let us remind ourselves “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”). Moreover, the ICO served a Notice of Intent to serve a Monetary Penalty Notice (MPN). Upon receipt of this, it appears that Medway changed their explanation and said that the incident in question was a result of human error and that there was “no evidence of a ‘system glitch’”. It appears, however, that the ICO was concerned about discrepancies, and insufficient explanation of the change of position, and served a section 43 information notice requiring Medway to “provide a full explanation of how the security breach on 10 December 2012 occurred”. This was the notice appealed to the FTT.

However, during the FTT proceedings a third explanation for the incidents emerged, which seemed to combine elements of human error and system glitches. This was, observed the FTT, most unsatisfactory, saying, at paragraphs 28 and 29:

not only is this a third explanation of the breach but it is inconsistent with the other 2 explanations and is internally incoherent… The Tribunal is satisfied that there is still no reliable, clear or sufficiently detailed explanation of the incident to enable the Commissioner to be satisfied of:

a) what went wrong and why,
b) whether there was any prior knowledge of the potential for this problem,
c) what if any procedures were in place to avoid this type of problem at the relevant date,
d) why the Commissioner and the Tribunal have been provided with so many inaccurate and inconsistent accounts.

But even more ominously (paragraph 30)

The evidence provided to the Commissioner and the Tribunal has been inconsistent and unreliable and the Tribunal agrees with the Commissioner that it is reasonable that he should utilize a mechanism that enables him to call the Council to account if they recklessly [make] a statement which is false in a material respect  in light of the various contradictory and conflicting assertions made by the Council thus far

The words in italics are from section 47(2)(b) DPA, and relate to the potential criminal offence of recklessly making a material false statement in purported compliance with an information notice.

Finally, Medway’s conduct of the appeal itself came in for criticism: inappropriate, inconsistent and insufficient redactions were made in some materials submitted, and some evidence was sent in with no explanation of source, date or significance.

It is rare that information notices are required – most data controllers will comply willingly with an ICO investigation. It is even more rare that one is appealed, and maybe Medway’s recent experience shows why it’s not necessarily a good idea to do so. Medway may rather regret their public-spirited willingness to own up to the ICO in the first place.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, information notice, Information Tribunal, monetary penalty notice

Tagged as , ,