Author Archives: Jon Baines

October 3, 2013 · 12:35 pm

Unintended FOI consequences

A nice little example of how a Freedom of Information (FOI) request can sometimes bring about an unexpected change, and advance a cause which has little to do with FOI.  Although in this instance I’m undecided whether this was a good thing or not.

On 3 January this year the Information Commissioner’s Office (ICO) issued a decision notice in respect of two requests for information made to Thames Valley Police (TVP) relating to

an incident in which the complainant’s driveway was blocked by the vehicle of someone he believes was visiting TVP headquarters

The ICO was satisfied, on the correct test of the balance of probabilities that TVP did not hold this information.

Nonetheless, the requester appealed that decision to the First-tier Tribunal (Information Rights), which has just issued a decision, in the form of a Consent Order disposing of the proceedings. The Schedule to the Consent Order explains

Thames Valley Police will give full and reasonable consideration to the reinstatement of 6 monthly liaison meetings with residents living in the vicinity of TVP HQ South with the objective of avoiding any unreasonable impact of operational activities on local residents

In consequence of this (and the agreement of the ICO) the request and the appeal have been withdrawn by the requester. So, a satisfactory outcome for the parties was achieved (although one notes that if the meetings are not arranged to the satisfaction of the requester, he will submit a further FOI request about the original incident!).

Of course, it would be have been preferable if this compromise could have been agreed in February 2011, when the requests first started. And a large amount of public money has been expended on something which is only very loosely, if at all, related to the aim of FOI (as stated in the explanatory notes to the Act): to provide a right of access to recorded information held by public authorities.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Tagged as ,

September 29, 2013 · 5:56 pm

A million data breaches?

Is it realistic for the ICO to expect all SMEs to encrypt hardware? And if those SMEs don’t, is it realistic to expect the ICO to enforce against what must be mass non-compliance?

Accurate figures for annual thefts and losses of laptops in the UK are not easy to come by – perhaps the most commonly-cited figure is the estimated 1 million from Sony’s Vaio Business Report 2013. On any analysis, though, it’s a relatively common occurrence.

A large proportion of these will be laptops containing personal data of people other than the owner of the device. And in many cases the device, or part of it, will be used for business purposes, often by small and medium-sized enterprises (SMEs). Personal data processed solely for domestic purposes is outwith the obligations of the Data Protection Act 1998 (DPA), but any personal data processed for business purposes is caught by the Act, and the person or business processing that data is likely to be a data controller.

As data controller, they will have an obligation inter alia to take “Appropriate technical and organisational measures …against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (Principle 7 of Schedule One, DPA). A serious contravention of this obligation, of a sort likely to cause serious damage or serious distress, can lead to the Information Commissioner’s Office (ICO) serving the data controller with a Monetary Penalty Notice (MPN), under section 55A, to a maximum of £500,000.

And so it was this week that the ICO served Jala Transport Ltd, an oddly-named loans company, with an MPN of £5000 after

a hard drive containing financial details relating to all of the sole proprietor’s approximately 250 customers…[was stolen] from the business owner’s car while it was stationary at a set of traffic lights in London

The hard drive was in a case, with documents and some cash, and has still not been recovered.

Despite one’s possible distaste for the nature of the business involved (it may be difficult to muster much sympathy for a loans company), this case raises some interesting points, specifically for small-to-medium enterprises (SMEs) but also in general.

The MPN itself reveals that the business did not have a backup of the hard drive. This is a ridiculous oversight, when secure storage is simple, and cheap. But

it was taken home at the end of each working day for business continuity purposes and to reduce the risk of damage or theft

However, by not

closing the car window and placing the briefcase in the boot of his car or out of sight

this unsuccessful but probably well-meaning attempt at data security -and a business continuity plan – became an aggravating factor.

However, what really did for the proprietor was, “crucially”, that although the laptop was password-protected, it was not encrypted, and this led the ICO to repeat previous warnings about the need for encryption in these circumstances

We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected…if the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act

Several questions are raised by this case, and this approach by the ICO. Firstly, encryption, for individual devices, is not necessarily straight-forward, and carries its own risks. This is not to say that attempts should not be made at either full disk encryption or file/folder encryption, but not all SMEs necessarily have the time or expertise to explore this effectively. Secondly, one notes that one of the reasons the MPN was imposed was because the ICO felt that the serious contravention of the DPA was of a sort likely to lead to serious damage in the form of identity theft. It was a very similar argument that the Information Tribunal recently refused to accept as being a likely consequence of another serious contravention, when it upheld Scottish Borders Council’s recent MPN appeal. £5000 is not a huge amount, and the time and expense of pursuing an appeal might be too much, but it will be interesting to see if one is lodged.

Finally – following on from the point that encryption of single standalone devices isn’t necessarily straightforward – one has to wonder how many of those estimated one million lost and stolen laptops were encrypted, and, of those that weren’t, how many contained personal data which required the relevant data controller to observe the security obligations of the DPA. Jala Transport appears to have taken the admirable, but perhaps ill-conceived, decision to report the theft to the ICO itself (and may now be regretting that decision).

If all the data controllers of those thousands and thousands of laptops lost or stolen annually reported the loss to the ICO, how many would have to own up to lack of encryption, and be liable to a similar or possibly larger MPN? And could the ICO possibly cope with the workload?

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice, Uncategorized

September 28, 2013 · 8:44 am

It’s our Right to Know, Mr ICO

On 29 August the Information Commisioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I though I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrats, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the high Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of indavertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has indavertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of indavertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such indavertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes

1 Comment

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

September 24, 2013 · 5:22 pm

Citizens Advice Bureaucracy?

It’s always hard when those you admire let you down (Van Morrison duetting with Cliff Richard*, Godfather 3, Larkin’s letters) and I preface what follows with an assertion that I think Citizens Advice Bureaux (CABs) are a force for good, and one that takes on even more importance as the government butchers the legal aid system. However, when those you admire do let you down, it is important not to shrink from criticism.

Last week reports emerged of what appeared to be a very serious incident of inadvertent exposure of large amounts of potentially highly sensitive data of clients of Newcastle Citizens Advice Bureau. I think the Northern Echo were the first traditional news source to break the story (after @FOIMonkey had announced the unfortunate discovery on twitter). Other outlets soon picked this up, including the BBC. What had apparently happened, said the BBC, was

About 1,300 files containing names, addresses, debt history and criminal records were accidentally made available on the internet.

This is no small matter for an organisation which requires, and indeed prides itself on, total confidentiality between it and its clients.

The Chief Executive of Newcastle CAB had reassuring words:

Shona Alexander, chief executive of the branch, said:

This isolated incident at Newcastle CAB is being thoroughly investigated…I’d like to reassure people that, because we take data protection extremely seriously, they can speak to us in total confidence. All Newcastle CAB staff and volunteers are fully trained in information assurance.

(Although, as Tim Turner pointed out, this bore some resemblance to a platitudinous quote given by Greater Manchester Police when they had contravened the Data Protection Act 1998, and as @FOIMonkey suggested, “isolated incident” is an odd way to describe the apparent long-term inadvertent disclosure of 1300 files in 16gb of client data cached by Google.)

However, it was reassuring to know that this compromised data had been identified, and would be removed, with the assistance of Google. Google are, I understand, generally happy to assist with removal, although each one (and there were hundreds here) normally requires a separate request and takedown is effected normally within twenty-four hours (there is also a process whereby site owners can ask that cached copies of entire directories/sites are removed). @FOIMonkey even had the decency and public-spiritedness to get Google to take many down herself, in what was I am sure a time-consuming task of no direct benefit to her.

But this morning (24 September), when I checked twitter, I noticed that @FOIMonkey had tweeted yesterday

Concerned that 5 days after the Newcastle CAB data breach came to light, the information is still online. Please sort them out @ICOnews

She went on to show that more than 11,000 files had still not been removed, pointing out that “it could all have been removed by now”.

Now, in terms of data protection law, I think it is the case that each local CAB functions as a separate data controller, with attendant legal obligations and liabilities, but it seems clear that regional CABs operate under the umbrella of the national organisation, and it seemed to me that this was an issue of general seriousness and importance for the CAB nationally. So I took the time to search out the CAB’s senior press officers, all of whom are on twitter, and asked them for comment, but got no reply.

I then emailed their Press Office, asking for comment, but was merely referred to a statement from last week which (obviously) made no reference to this current issue about apparent failure to remove the data. I pointed this out in reply, and, when I pushed them to say whether they had any further comment, was referred back to the earlier irrelevant statement they had given me earlier.

Meanwhile, I saw that the Assistant Chief Executive of the national CAB was active on twitter, and I asked him for comment. He replied

we take client data protection extremely seriously and working hard with both ICO and Google to resolve this local issue

Which is more like a parroting of the original press release, rather than an answer to the question posed.

It may be that, behind the scenes, frantic efforts are being made and have been made since last Wednesday to remove this data. Maybe Google are being awkward for some reason. I don’t know, but if so, I struggle to understand why we can’t be told this, and why, while we are given bland and unreassuring statements, the only person who publicly seems to be making successful efforts to have the data removed is someone with no obligation to do so, and who alerted the CAB to the problem in the first place.

*Van’s not too bad actually.

3 Comments

Filed under Uncategorized

September 20, 2013 · 6:51 am

Must Try Harder

So, I managed to get a piece run on the Guardian Public Leaders network on the continuing incidents of or risks of exposure of sensitive personal data in pivot tables. I tried to argue that those in the know probably know about these risks, and that those not in the know don’t. I suggested the Information Commissioner’s Office (ICO) and the government could do more to alert the latter.

Although I got nice and positive feedback from friends/colleagues/fellow professionals, there appears to have been very little interest. Clearly it’s not a subject that interests lay people (or rather, it’s probably a subject which actually repels lay people). But that was rather my point: as long as the relevant regulators and policy-makers don’t take sufficient steps to issue warnings and guidance these and similar breaches of data security will continue to happen.

What I’m slightly surprised at is the lack of any response from the ICO. I noticed that Tim Turner asked the ICO twitter account if they had a response to the piece, but, unless it was off-line, he appeared to get no response. And I asked their press office, again, with no reply (maybe the press office was the wrong place to ask?).

In the article I also called on government departments to do more. That’ll be my next move. The problem of inadvertent internet disclosure of sensitive data, normally through ignorance of technology, continues, and it goes broader than pivot tables. As public authorities, in particular, are being required to open up more and more data to promote transparency and economic growth, this is going to become more and more serious. We can’t pretend the gulf between those ambitions and the technological knowledge of some of those doing the “opening up” is a minor problem. Authorities need guidance, and, where appropriate, warnings, and these need to be targetted at the right people within organisations. The ICO and government cannot always rely on, say, data protection officers to do this.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, transparency

September 13, 2013 · 7:14 am

Thanks for the memory walk

All human things/ Of dearest value hang on slender strings*

Ten days or so ago I asked for donations for a charity walk a friend and I were about to do. Normally, in a very English way, we don’t ask for donations for this sort of thing, but just make one ourselves and then feel guilty we haven’t raised more. This time I decided to ask, and was blown away by the response. With direct donations to the Alzheimer’s Society and cash donations we raised close to £550.

And in the beautiful grounds of Hall Barn, once home to Edmund Waller*, last Sunday, we barely exerted ourselves for five whole gentle kilometres. What was very, and rather unexpectedly hard, however, was hearing the stories of other walkers. Dementia affects so many lives in such horrible ways, and this was reflected by the fact that many people who had donated said how they had experienced it in their families.

I said I would run part of it, and I did – all of about three strides. So we didn’t get a picture, but if we had it wouldn’t have been pretty. I will post another picture, sadly from a few years ago, of someone who would have recognised and been truly grateful, as we are, for the kind, kind donations and support for such an important charity.

DSC00159

Leave a comment

Filed under Uncategorized

September 5, 2013 · 7:32 am

Let’s blame Data Protection: Part Two

“The leader of the council wishes to make the names of the debtors public, but the Data Protection Act of 1998 prohibits their publication.”

So says an article from the Blackpool Gazette, when quoting a council report (which I haven’t yet been able to find) which appears to have indicated that

The council has been forced to write off £1.68m in owed business rates going back around the last six years

The council leader is reported to have said

Several names appear more than once, owing vast sums of money to the council…Several high-profile business owners, who always seemed to have a lot to say about how the town is run, seem to have no qualms about disappearing owing us tens of thousands of pounds…We are very dogged and tenacious when it comes to pursuing debtors, and clearly need to continue to be.

but

What I do find very frustrating is that I am not able to publish the names of these people

This puzzles me: names of businesses will not, as a general rule constitute personal data under section 1(1) of the Data Protection Act 1998 (DPA). The definition of personal data

data which relate to a living individual who can be identified—
(a) from those data, or
(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

Even if individuals can be identified from disclosure of the names of defaulting businesses it is perhaps the case that the information will not considered to be personal data, especially following the precedent of the Court of Appeal in Durant where it was held that, for information to be personal data it
should have the putative data subject as its focus rather than…some transaction or event in which he may have figured or have had an interest
It is interesting to note that the Information Commissioner’s Office (ICO), in guidance which appears to have been withdrawn, said
Information about people who run businesses, and the businesses they run, will often be covered by the Act. This is because information about a person’s business, activities, possessions, and so on is generally personal information about that person
although, in a rather circular argument

Business information that does not identify individuals is not covered by the Act

What I think is being got at is that, for example, information consisting of “Richard Hannay is a fifty-year-old black man who runs Imaging Solutions Ltd, which made a £1.2m profit last year” is potentially Richard Hannay’s personal data throughout, whereas “Imaging Solutions Ltd made a £1.2m profit” is unlikely to be Hannay’s personal data when considered in isolation, even though one can easily find out that he is the sole director.
In another, more specific scenario, it might be more easily argued that the names of business are personal data. This is where someone is conducting business as a sole trader. The ICO’s ?withdrawn guidance said

Information about a sole trader’s business will be personal information about him

I’m not sure I would be so unequivocal, but as a general proposition it’s not objectionable.

However, even if business information is personal data, the DPA does not necessarily prevent disclosure of it. In fact, the DPA permits disclosure of any and all types of personal data, as long as it is in compliance with the Act. In short, if disclosure is fair and lawful and relevant provisions permit it, then it will be in compliance with the Act. And, helpfully for the council, there is a specific provision relating to personal data “processed for…the assessment or collection of any tax or duty”. This exemption permits disclosure where not disclosing would be likely to prejudice the collection of the tax in question. Additionally, the sixth condition of Schedule 2 of the DPA provides that, if it  is “necessary for the purposes of legitimate interests pursued by the data controller” personal data may be processed, provided it is not “unwarranted…by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.
This will not give carte blanche to disclosure of personal data (if personal data it is) of owners of defaulting businesses, but it is certainly arguable in this instance that disclosure would assist the collection of the tax (and, therefore, non-disclosure could prejudice it), and that the balancing exercise required by the sixth Schedule 2 condition would fall in favour of disclosure.
So, a) I doubt that the withheld information is personal data, and, even if it is b) disclosure would be in compliance with the DPA.
One thing is certain, the DPA does not prohibit publication of this information, and, to the extent that it might be engaged, I would not see it as a barrier to disclosure. It might even help the council in its aim to be “dogged and tenacious when it comes to pursuing debtors”.
But it’s so much easier to blame Data Protection.

Leave a comment

Filed under Data Protection, Let's Blame Data Protection

September 4, 2013 · 1:34 pm

Pornography and its Frustrations

For those who have never worked with “basic” versions of web-filtering software, let me describe typical frustrations.

Researching the subject of malicious communications? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.helpfullookingcommentary.com/) has been blocked as it is categorised as PROFANITY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

 Researching defamation? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.interestinganalysis.com/) has been blocked as it is categorised as GAMBLING, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Doing some local history research on Scunthorpe? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.scunthorpematters.com/) has been blocked as it is categorised as PORNOGRAPHY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Each of these failed hits will be logged by some sysadmins as “attempt to access PROFANITY/GAMBLING/PORNOGRAPHY”. 

I suggest people bear this in mind when reading the numerous delighted shocked commentators who have picked up on the Huffington Post story which says that a Freedom of Information request apparently revealed that

MPs, Lords and parliamentary staff have been trying to access porn websites potentially thousands of times, official figures reveal.

The story goes on to say that users of the parliamentary network, over a period of one year

have repeatedly attempted to access websites classed on Parliament’s network as pornographic [emphasis added]

So, they haven’t tried to access pornography; they’ve tried to access sites that web-filtering software classes as pornography. A further clue to the fact that this outrageous story of parliamentary loucheness might not be as it’s being presented is the fact that in October 2012 there were 3391 “attempts”, in the following month there were 114,844 and in the month after that there were 6918. Either November that year coincided with rampant horniness on the part of politicians and their staff, or there’s another reason for the spike.

I suspect some new definitions were added to the software, which drastically increased the “false positive” hits, and these crappy new definitions were tweaked for the following months.

In fact, as I drafted this post Sky News’ Roddy Mansfield, and the Guardian’s James Ball have pointed out on twitter that that November 2012 spike coincided with intense political and media interest in the topic of sexual offences, following as the scandal involving Jimmy Savile broke. This is very plausible, and suggests that, far from users of parliamentary systems shirking their responsibilities by browsing for smut, they were actually trying – apparently unsuccessfully, and probably with no small frustration – to find out more about a serious and current news item.

But that makes for a dull story.

UPDATE:

As several people have pointed out, if this is a case of poor filtering, it provides a nice lesson in irony for those who propose ISP filtering as some sort of solution to the alleged “corroding” influence of online pornography.

4 Comments

Filed under Freedom of Information, journalism, parliament

Tagged as

September 3, 2013 · 8:47 am

A Memory Walk

My mother wore a yellow dress;
Gentle, gently, gentleness.
Come back early or never come.1

I agonised over whether to use my blog to seek sponsors for a charity walk I’m doing, but decided in favour because a) I would hope that making clear that it’s a mere 5k does away with any suggestion I’m showing off, b) I won’t make a habit of it, and c) in itself it’s probably selfish to agonise about blogging to raise a small donation to  worthwhile cause. Forgive my self-flagellation: I do it a lot.

On Sunday 8 September my partner and I are doing the 5k Memory Walk in the lovely grounds of Hall Barn, near Beaconsfield. The Memory Walk

is a series of fundraising walking events taking place across England, Wales and Northern Ireland every September, all raising money to provide vital support to people living with dementia and help our research to find a cure for the future.

I won’t go into great detail about my and my partner’s experience of having someone you love ravaged by dementia, but many have already done so, and many will.

I would be truly appreciative though if you were able to donate using my Just Giving page.

UPDATE: 4 September

Firstly, I want to say thank you to all the wonderful people who have donated to the cause. It sounds trite, but I really am so very touched and appreciative. Even though, thanks to the evil machinations of @lexysumner it looks like I’ll have to run part of the WALK (believe me, if I ran all of it this would be the last blog you’d ever see from me).

Secondly, it has been pointed out to me that donating through Just Giving is not the only option – a couple of donations have been made directly to The Alzheimer’s Society, and doing this means that all the money goes directly to the charity (Just Giving take a 5% cut). I apologise for not realising and mentioning this before. All I would ask is that if anyone makes a donation directly they let me know, so I can let the WALK organisers know.

1 Comment

Filed under Uncategorized

August 30, 2013 · 5:30 pm

ICO – no Code of Practice for data protection and the press

On the 12th of August the Information Commissioner’s Office (ICO) announced that, following a period of consultation, it would not – contrary to previously-stated intentions – be issuing a Code of Practice on Data Protection and the Press. The proposed Code had been in response to Lord Justice Leveson’s recommendations that the ICO produce

comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data

As the ICO’s Steve Wood says in the blogpost

Leveson did not stipulate a code but we proposed it as a possible vehicle for the guidance

Indeed they did, stating at the time that it was not

the ICO’s intention to purport to set ethical standards for journalists, or to interfere with the standards which already apply under relevant industry guidance, such as the Editors’ Code of Practice, the Ofcom Broadcasting Code, and the BBC Producers’ Guidelines. Nevertheless, the existing industry guidance does not consider the requirements of data protection law in any detail, and the ICO’s code will complement existing industry standards by providing additional coverage of this issue

However, the latest announcement – that the ICO is “looking to produce a guidance document” rather than carrying through with the issuing of a Code of Practice – is accompanied by the publishing of a summary of consultation responses to the draft Code of Practice. In fairness to the ICO, those who responded appeared not to want a Code, and, as any public authority will be aware, a consultation in name only (e.g. one with a predetermined outcome) is unlikely to be a lawful one. We are not told specifically who these responses were from, but that they were from “several media companies, individuals, regulators and representative bodies” (although there were only 16 responses overall, a figure which perhaps shames us all, or, alternatively, supports a view that not that many people were particularly aware of or bothered about the consultation). Seven responses specifically rejected the idea of a Code of Practice, with some concerns being

a code of practice implies a new set of rules or regulations;
risk of the ICO becoming a ‘mainstream de facto regulator of the press’;
risk of a proliferation of codes; and
risk of potential confusion with existing codes such as the Editors’ Code.

After pausing to note that the now-proposed ICO guidance will apparently be issued in draft (for further consultation) before the end of the year, which is a long, long way from meeting Leveson’s recommendation that any guidance be implemented within six months of his report,  it might be helpful to look at just why some respondents might have been unhappy with a Code of Practice, as opposed to “mere” guidance.

As is well-known, there is a very broad exemption, at section 32, from most of the obligations of the Data Protection Act 1998 (DPA) where:

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,
(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes [emphasis added]

This, broadly, means that, as long as personal data is processed with a view to journalistic publication (note: not that it has to be published) it is exempt from effectively all of the DPA (although not the 7th “security” principle) as long as the press body “reasonably believes” publication would be in the public interest. This has generally been taken to mean that it will be extremely difficult for a data subject to enforce her rights against, or for the ICO to regulate the activities of, the press. And, indeed, instances of successful DPA claims, or successful enforcement, against the press, are rare (privacy cases against the press, where they have included DPA claims, have tended to see the latter sidelined or dropped in favour of meatier claims in tort – see e.g. Douglas v Hello [2005] EWCA Civ 595 (where the DPA claim did succeed in the first instance, but only resulted in nominal damages) and Campbell v MGN [2002] EWCA Civ1373 (where, by contrast, the section 32 defence succeeded)). As Leveson LJ says

the effect of the development of the case law has been to push personal privacy law in media cases out of the data protection regime and into the more open seas of the Human Rights Act [page 1070 of Leveson Report]

 As everyone knows, the press kicked back strongly against parliament’s proposal of a Royal Charter for the press (that proposed Charter itself being the result of a rowing back by the political parties from Leveson’s proposal for some form of direct statutory underpinning of any regulatory scheme (“Guaranteed independence, long-term stability, and genuine benefits for the industry, cannot be realised without legislation”)). Both proposed Charters (the parliamentary-backed one and the Pressbof-backed one ) are to be considered by the Privy Council.

What has perhaps not been so widely-known, or widely-understood was that an ICO Code of Practice, if it had been designated by the Secretary of State (by means of an Order pursuant section 32(3)(b) of the DPA), would itself have constituted a form of statutory underpinning. This is because a Code designated in this way could have been taken into account by a court, or by the ICO, when determining whether personal data had been processed (for the special purposes) by the data controller in the reasonable belief that it had been in the public interest. The now-proposed “mere” guidance will not have the same status.

This might seem a minor point, and perhaps it is (bear in mind that there are already other Codes of Practice designated pursuant to section 32(3)(b), including the Press Complaints Commission Code of Practice) but, although we don’t know specifically who responded to the ICO’s consultation, it is safe to say that those who did included in their number organisations strongly opposed to (and alive to the threat of) any form of what they perceive to be statutory regulation of the press.

In this post I draw heavily on previous posts by Chris Pounder, on his Hawktalk blog, and if, as he suggested earlier this year, the then-proposed ICO Code raised the prospect of enhanced protection for ordinary data subjects, it is perhaps the case that the dropping of the proposal means no such enhanced protection.

1 Comment

Filed under Data Protection, human rights, Information Commissioner, journalism, Leveson

Tagged as , , ,