Author Archives: Jon Baines

June 19, 2013 · 7:22 pm

CQC allegations and data protection

Data Protection laws have been said to be behind the decision not to name CQC officials alleged to have covered-up a damning internal report. Oh really? Well, yes, perhaps, I argue.

News bulletins today lead with the story that the Care Quality Commission apparently engaged in a cover-up of an internal review report critical of its oversight of University Hospitals Morecambe Bay in 2010, an NHS Trust now subject to investigations over the deaths of at least eight mothers and babies. The allegations of a cover-up were made by a whistleblower interviewed as part of an investigation by Grant Thornton, who were commissioned by CQC to look into its own activites. Potentially particularly damning are remarks at the time attributed to a senior manager at CQC regarding the alleged suppression on the original internal review report

Are you kidding me? This can never be in a public domain, nor subject to FOI

The Grant Thornton report, as published, has redacted the name of this senior manager and a colleague. And the Data Protection Act 1998 (DPA) is pleaded in defence of the redaction. As the Telegraph reports

The names of two individuals who ordered the destruction of evidence of the Care Quality Commission’s failure to investigate the University Hospitals of Morecambe Bay NHS Trust have been redacted from an official report…David Prior, the new chairman of the CQC, said that the names had been redacted because of “data protection concerns” and because the watchdog fears being sued…”to publish it with the names would breach the Data Protection Act.We would have been open to being sued on that basis”

As a number of people have pointed out, this is certainly questionable. Ben Bradshaw MP is reported by the Guardian as saying in Parliament that

the [Data Protection Act] allows exceptions in cases where protecting the public is an issue

and, in a thundering editorial, Health Policy Insight say the decision

is, quite simply, bullshit…Nor is it just a minor pellet of bullshit. This is epic, hog-whimpering and noxious bullshit…The Data Protection Act affords specific exemption at Section 55 2(d) “to a person who shows … that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”…Moreover, the Information Commissioner’s Office, which enforces the Data Protection Act, is explicit in its advice on Principles One and Two (those dealing with an individual personal data) that fairness is crucial: “it depends on whether it would be fair to do so … personal data must not be processed for any purpose that is incompatible with the original purpose or purposes”

While I admire the level of polemic, HPI are rather mistaken in their analysis of the DPA. And I submit that it was not necessarily wrong for David Prior to be advised that disclosure of the name of the person might breach the DPA. I would stress that I am not suggesting that those responsible for failures at CQC should not be accountable for those failure, nor, if it is true that the original internal review report was suppressed, that those who did so should not also be accountable. What I do suggest is that, on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage. I say this despite the parliamentary statement by the Secretary of State for Health, to the effect that he had not wanted the redactions, and that

There should be no anonymity, no hiding place, no opportunity to get off scot free for anyone at all who was responsible for this

(On this, we should perhaps remember the unlawful decision by Mr Bollocks [ed: Balls] peremptorily to require the dismissal of Sharon Shoesmith. Politicians are first and foremost politicians. They are not generally there to be lawyers or employers.)

The name of the person involved is clearly going to constitute “personal data” according the definition in section 1(1) of the DPA. And, for these purposes, the “data controller” (with whom lies the decision as to whether to disclose or redact, and to whom liability for a breach of DPA attracts) is CQC itself. HPI cite section 55(2)(d) of the DPA, which broadly provides that the offence of unlawfully obtaining personal data does not apply if it has been done in the public interest. This provision deals with a criminal offence of inter alia disclosing personal data without the consent of the data controller. This clearly does not apply here.

HPI are correct, however, in pointing to the first principle (as listed in Schedule One) of the DPA, and its reference to fairness (although they are talking nonsense when they refer to the first two principles being those “dealing with an individual personal data” [sic] – the whole of the DPA applies to an individual’s personal data). The first principle provides that the processing (and disclosure of a name will be “processing” under the DPA) of personal data must be fair and lawful.

When deciding whether names of public officials should be disclosed (albeit in response to a Freedom of Information request) the Information Commissioner (ICO) says

[the public authority] must decide whether disclosure would breach Principle 1 of the Data Protection Act (the DPA), ie whether it would be fair and lawful to disclose the information.

Whether the disclosure is fair will depend on a number of factors including:

the consequences of disclosure;

the reasonable expectations of the employees; and

the balance between any legitimate public interest in disclosure and the rights and freedoms of the employees concerned…

These are the factors CQC would need to take into account, and one can see that a balancing exercise would ensue. The consequences of disclosure – of what appear merely to be allegations – for the person or persons involved could be grave, and be an important factor in identifying what his or her rights and freedoms are. On the other side, there would be appear to be a clear public interest in disclosure, notwithstanding that, I repeat, these are mere allegations, on the basis that someone taking such a significant decision as to try (allegedy) to suppress publication of the adverse report should be accountable (as should the CQC as their employer) for such actions. The issue as to reasonable expectations is more difficult however. If the person or persons has been told in explicit terms that their name will not be disclosed, they may have very strong expectations that this will not happen. As to whether those expectations are reasonable, one would need to know the terms upon which any undertaking might have been given. Employment rights might well be engaged

Also to be considered is that the naming of the person or persons in circumstances in which it might subsequently transpire that the allegations were not true could give rise to a successful claim in defamation. Indeed, as Robin Hopkins has observed, DPA is increasingly used as a primary claim in actions involving defamatory publications.

I repeat, none of this is to defend the actions of CQC, nor, if the allegations are shown to be true, to defend the actions of anyone who suppressed the report. It is simply to say that the claim that the DPA might be engaged at this point, and potentially breached if disclosure of names happened. Disclosure, in a clearly fair and lawful way, might follow in due course.

I note that the Deputy Information Commissioner is reported tonight as saying

The Data Protection Act does not specifically prevent people being named publicly, but instead talks about using information fairly and considering what expectations of confidentiality people may have had when providing their personal information.

It is important the Data Protection Act is not used as a barrier to keep information out of the public domain where there is an overriding public interest in disclosure.

David Smith is a clever and astute man. He did not say the names should be revealed. That is revealing.

UPDATE 20.06.2013

My attention has been drawn to last night’s episode of BBC’s Newsnight on which David Smith’s boss, Information Commissioner Christopher Graham. As the BBC itself reports, he said

“This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear.

“You have to process data fairly, you have to take into account people’s expectation of confidentiality.”

He said that was “obviously” the case with patient data in particular.

But when it came to officials, “there you have to apply a public interest test”, he added.

He said he was “not convinced” the CQC had been correctly advised.

He ended his short interview by saying “I think [the CQC] are going to have to look at this again”.

Fair enough. He’s right and I’m wrong then? Well, no – he still didn’t by any means say that disclosure now had to happen (and, in his role, he would have been be very ill-advised to have done so).

And, prompted by further coverage, and a comment below by Dr Chris Pounder, who probably knows more about Data Protection than the entire staff at the ICO (and that’s not intended as an insult to the latter), I now feel that two other factors might be at play. First, if the allegations quoted in the Grant Thornton report amount to allegations of possible criminal offences (e.g. misconduct in a public office) then there is an arguable need to avoid prejudice to any police investigation. Second, if the person or persons referred to in the report have already taken steps to challenge its veracity – either as a whole, or in respect of specific comments attributed to the whistleblower – then it would be prudent of CQC not to disclose until that challenge (whether it be made informally, or as part of or precursor to legal proceedings) has played out.

That said, when the combined forces of the government and the Information Commissioner are leaning on the CQC at least to review the decision not to disclose names, it would be a bold move to continue to resist. They will though, no doubt, be advised that there remain potential legal risks in doing so, unless they are completely satisfied about the veracity of allegations in the report.

UPDATE 2, 20.06.2013

The CQC has now published the names previously redacted. The letter to the Secretary of State makes clear that

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

None of this changes my view that there was a clearly arguable legal basis for redaction. Data Protection is wrongly blamed for a lot of things but it was engaged in this instance.

This outcome also raises the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA. Am I wrong to hope that happens?

14 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Tagged as ,

June 18, 2013 · 12:10 pm

Cold Comfort for Cold Callers

In which I praise the ICO, and implore people to report nuisance callers.

I was in conversation with a group of friends recently, and the topic of nuisance calls came up. Each of my friends described continually receiving  unsolicited, often agressive, calls, despite the fact that they were registered with the Telephone Preference Scheme. I said they must complain to the Information Commissioner’s dedicated service because the ICO was now taking breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) seriously (actually, I didn’t say it in quite those terms, because although my friends like to deride me, I try not to give them too much ammunition). I got a lot of replies of “I might”, but also some of “it won’t do any good”. In support of the fact that it might do some good I was able point to the three recent civil Monetary Penalty Notices (MPNs) for breaches of PECR issued to Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms and DM Design Bedroom Ltd.

And today, two more MPNs have been issued, to two companies owned by “Save Britain Money Ltd” a company which, in what appear to be rather embarrassing circumstances for the BBC, is currently featuring in a fly-on-the-wall documentary series about call centres.

We need a regulator to take firm and public action for breaches of privacy laws, and it is pleasing to see the ICO doing so with nuisance callers. However, in order for practices to really change, nuisance callers need to be reported to the ICO, at every opportunity. The principle of a penalty pour encourager les autres only works if les autres are scared about what legal non-compliance can lead to.

And I note from a recent internal ICO report that, as at 10 June, both the DM Design and the McNeish MPNs were overdue for payment (Niebel has appealed his Notice). Penalties in the tens of thousands of pounds can potentially be ruinous for businesses. The ICO statutory guidance on MPNs provides that

a monetary penalty notice will not impose undue financial hardship on an otherwise responsible person

But this leaves open the possibility that an MPN might some times impose due hardship, on an otherwise irresponsible person. If future nuisance callers wilfully act irresponsibly, a financially-crippling MPN might not constitute undue hardship.

As someone who works in the public sector, and who trains other public sector partners in their obligations under the Data Protection Act 1998 (DPA), I can attest to the beneficial effect MPNs for DPA breaches (added to the willingness of the ICO to impose them) have had on data security and knowledge (it doesn’t half focus the minds of senior managers when you remind them that security vulnerabilities carry a risk of a £500,000 “fine”). Enforcement of the law does change things, and we should praise the ICO for what he is doing with nuisance callers, while continuing to report miscreants.

Now, how about some FOI enforcement…?

1 Comment

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice, PECR

Tagged as , ,

June 15, 2013 · 9:30 am

Information Rights and Wrongs Alternative Honours List

Martin Hoskins muses today on why – apart from those who’ve worked for the Information Commissioner’s Office – no data protection professionals have ever received royal honours. I can certainly think of a few information rights people whose selflessness and length of practice deserve recognition – Dr Chris Pounder, for instance, whose career in data protection spans five decades, or Maurice Frankel, without whom we might not even have an FOI Act. But, given that there’s little chance of this happening, I am today announcing an alternative

Information Rights and Wrongs Birthday Honours List

First up…

For services to the DfE, the Financial Times’ Chris Cook. Without Chris’s sterling efforts we would have little understanding of the devotion to the cause of ministers and SpAds at the Department for Education. Chris revealed that, such was this devotion, they spend much of their time and resources using their own home email accounts to do government work.

For services to public authorities in general, Alan M Dransfield, whose FOI campaigns mean there is now much greater clarity about how and when to treat FOI requests as vexatious.

For apparent defiance of in the face of the law, Jim Shannon MP, who – as well as holding the title of least sexy MP – does not appear to have been registered with the Information Commissioner for at least three years, despite the fact that processing personal data without a registration is a criminal offence (unless there is an exemption).

For donations to the legal profession Brighton and Sussex University Hospital Trust, who paid lawyers £178,000 in fees seeking to challenge an Information Commissioner monetary penalty, before withdrawing their appeal before it went to a hearing.

But there is one candidate which stands out above all others. A group honour, because no single individual could have (not) achieved all that they have (not) achieved. They are the inspiration behind a great new website, and they are the winner of the highest accolade, the Information Rights and Wrongs Arcana Imperii honour…

my_medal(1)

For sheer jaw-dropping contempt of the law, the Cabinet Office, who have decided to dispense with the need to observe the FOI Act. They are an inspiration for all of us and for as long as no effective enforcement is taken to ensure compliance, they will continue to be the shining beacon for all public authorities.

5 Comments

Filed under Uncategorized

June 13, 2013 · 2:04 pm

Savile and Dishonourable Information

The Cabinet Office is required by the Information Commissioner to disclose internal correspondence about the conferring of honours on Jimmy Savile. Despite there being strong public interest arguments in favour of non-disclosure, they are outweighed by those in favour of disclosure.

There is an odd phenomenon, when considering the application of qualified exemptions under the Freedom of Information Act 2000 (FOIA),  that I like to think of as “the escalation of public interest factors”: if something is of great sensitivity, the corresponding public interest in disclosure is also great, with the result that the public interest in maintaining the exemption increases. This, is, of course, strictly, nonsense, but it is a phenomenon that public authorities can sometimes find themselves experiencing.

I note the phenomenon in the Cabinet Office’s handling of a recent request for disclosure of information relating to the conferring of honours on the benighted, and sadly still beknighted, Jimmy Savile. The requester sought

any correspondence [that] exists between either civil servants or ministers discussing the award either of an OBE in 1971 or a knighthood in 1996 [the knighthood was actually awarded in 1990] to Mr Savile, prior to either award being made

The information was, said the Cabinet Office, exempt from disclosure under sections 37(1)(b) (the conferring by the Crown of any honour or dignity) and 36 (effective conduct of public affairs. They

…acknowledged that this was an exceptional case in light of the information that had come to light in 2012 concerning Jimmy Savile [but] precisely because this was an exceptional case…the public interest favoured maintaining the exemption

The Information Commissioner’s Office, in a well-argued (n.b. I don’t always criticise the ICO) decision notice, has rejected the Cabinet Office’s arguments. The relevant exemptions are engaged, says the ICO, and there is public interest in maintaining them. So, in relation to section 37, the ICO

accepts that disclosure of the information would, to some degree, undermine the confidentiality of the honours system. The Commissioner accepts that this presents some risk of creating a chilling effect for contributions to future discussions in relation to honours nominees

however

disclosure would enable the public to be better informed about the matters taken into account at times when the award of honours to Jimmy Savile was under consideration. In the Commissioner’s opinion disclosure of the withheld information that is the focus of this request would go a significant way to serving the public interest, the nature of which is unique to this particular case

The ICO

wishes to emphasise that in reaching this decision he does not dispute the argument that disclosure would to some degree undermine the confidentiality of the honours system, simply that the public interest arguments in favour of disclosure attract more weight

Similar factors obtain in relation to section 36. So, while ongoing inquiries into the scandal mean that officials involved need a safe space to discuss relevant issues

the Commissioner does not accept that the safe space…will be significantly encroached by disclosure of this particular information…This is because the information focuses on one, relatively narrow, issue, namely Jimmy Savile’s receipt of two honours. In contrast the terms of reference for the investigations are wide ranging and cover matters of a wholly different nature

and while

the Commissioner accepts that it can be argued that the effective conduct of public affairs could be materially affected if disclosure of information under FOIA undermined the confidentiality of the honours system…the significant weight that the Commissioner considers should be attributed to the public interest arguments in favour of disclosure [mean that] the Commissioner has concluded that the public interest…favours disclosing the withheld information

Finally, although the ICO agreed that names of junior officials involved in the discussion regarding the conferring of honours were exempt under the Data Protection Act 1998 provisions of FOIA, the same did not apply to more senior officials and others. Even though

the individuals would have had a reasonable – and indeed weighty – expectation that such information would not be made public…the Commissioner believes that the legitimate public interest is only met, or, perhaps more accurately, best met, by revealing not only the comments of the individuals but also revealing who made them so that the recorded deliberations about the awarding of the honours can be fully and accurately understood

When finely balanced decisions on matters of public interest result in a recommendation for public disclosure it is common for an appeal to the First-tier Tribunal to follow. The Cabinet Office will have to consider now whether it wants to be seen to be trying to suppress information about the conferring on a serial sexual offender of an honour which the Prime Minister himself has questioned.

2 Comments

Filed under Cabinet Office, Freedom of Information, Information Commissioner

Tagged as ,

June 12, 2013 · 4:25 pm

Schools and Children’s Privacy

Parents, when confronted with the familiar complaint by a child that a parental decision “isn’t fair”, are entitled to say “I don’t care – what I say goes”.

Schools*, and their teachers, although acting in loco parentis, cannot necessarily do the same. Particularly in their role as public authorities they have obligations to act fairly and lawfully at common law, and under various statutes – not least the Human Rights Act 1998 (HRA). Article 8 of the European Convention on Human Rights, incorporated into domestic law by the HRA, famously provides everyone a qualified right

to respect for his private and family life, his home and his correspondence

Parents do not have to respect this in their dealings with their children: the latter cannot enforce the Article 8 right against a parent who demands access to their private correspondence, or who sends them to their bedroom for a spurious reason, or who uploads personal information to a dodgy cloud storage provider. Schools do have to respect the right – in loco parentis only goes so far.

I make this observation in light of research published by SafeGov.org and Ponemon Institute into the views of school staff on the use of cloud services in the education sector and the potential risks to student privacy. Among generally encouraging results (rejection of data-mining, seeing threats to student privacy as the top risk of cloud) was something less happy

Some schools admit to a conflict of interest regarding student privacy…47% say they might be tempted to trade student privacy for lower costs

If I were a child, or a parent, I would be tempted, in turn, to say “my (or my child’s) privacy is not yours to trade”. Rather, it is the school’s duty to protect that privacy, to the extent required by the law. Levels of privacy protection should not be related to cost (or only to the limited extent permitted by the second part of Article 8). Relatedly, the seventh principle of Schedule One of the Data Protection Act 1998 (DPA) requires a school, as data controller, to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

I would query whether a decision to adopt a software provider at lower cost, at the expense of student privacy, would be compliant with a school’s obligations under the DPA, or the HRA.

*I am talking about non-independent state schools

Leave a comment

Filed under Data Protection, human rights, Privacy, Uncategorized

Tagged as

June 7, 2013 · 12:26 pm

Transparency and the ICO

It is axiomatic that, under the Freedom of Information Act 2000 (FOIA), a requester is unlikely to know precisely what the information requested consists of. This means that a requester is at a (natural and fair) disadvantage if he or she wishes to challenge a refusal. How to argue, for instance, that the public interest favours disclosure of information, if you don’t know what the information is?

A requester will often be reliant, therefore, on the Information Commissioner (ICO), as independent regulator, or the judicial system, thoroughly to interrogate a public authority’s basis for non-disclosure.

Last year I made a FOIA request to the ICO’s office itself for copies of all Undertakings (not currently on their website) agreed by the ICO and data controllers following investigation of serious breaches of the Data Protection Act 1998.

The ICO kindly disclosed to me a large number of Undertakings, but withheld three, citing the exemption at section 22 of FOIA. This section provides an exemption to the general FOIA obligation to disclose information, if the information is held, at the time of the request, with a view to its publication at some future date (whether determined or not). Furthermore it must be reasonable in all the circumstances that the information should be withheld from disclosure until that future date. Section 22 is a qualified exemption, and, therefore, subject to the application of a public interest test. I was told by the ICO that the Undertakings

were not published at the time due to a risk of prejudice, in one case to a criminal trial and in the others to commercial interests. In light of your request we have revisited these considerations and find that they are still relevant

I’m a reasonable chap, and accepted that the ICO was well-placed to determine that the public interest did not favour disclosure. However, I thought they might be able to disclose the identities of the data controllers involved. So I made a FOIA request for that information.

This was also refused. I was told that one of the data controllers was News Group Newspapers and the Undertaking was

in connection with a cyber-security attack perpetrated against NGN for which criminal proceedings are ongoing. As we have previously indicated, the Undertaking will be published once the proceedings have been concluded

This was the case relating to a criminal trial, and it has now been published.

I was told though that the names of the other two data controllers were still exempt under section 22, as, even though the ICO accepted my argument

that prejudice is “unlikely to occur simply by disclosing the identity of the data controllers”, having consulted with the organisations involved, I am satisfied that there is a possibility that the release of even the identities could potentially damage the commercial interests of the Data Controllers

Well, after I waited a while, and then made a further FOI request, the names and Undertakings have now been disclosed. And I fail to see what the fuss was about: they related to some issues with residual data on legacy systems. I also fail completely to understand how, in any conceivable way, disclosure of the names of the Councils involved could have caused prejudice to their commercial interests, and I’d invite anyone else to explain to me how it could. If I am right, the argument that it was reasonable in all the circumstances that the information should be withheld from disclosure until a later date, and, indeed, the argument that the public interest favoured maintaining the section 22 exemption falls away.

I could, of course, have appealed at the time, but the point is that I did not know what information was being suppressed, or why. I trusted the ICO to apply the law properly.

It is interesting to consider this matter of “trust” in light of an important recent Upper Tribunal (UT) case. Although that case was concerned with the use of “closed material” and “closed proceedings” in FOIA cases in the First-tier Tribunal (FTT) some points are arguably of general application to public authorities. One strikes me in particular

The other side of the coin concerning the application of the FOIA exemptions is of course that the requester may want to challenge the reasons and evidence which are advanced to establish them and thereby show that the requested information should be provided to him or her pursuant to FOIA…This competing right and interest within the FOIA scheme is founded on the right of access to information held by public authorities that is given by FOIA.  So it is one of the starting points for the need for a decision-making process to weigh competing rights and interests [emphasis added]

I would argue (knowing now what I didn’t know then) that as one of the prime reasons for DPA Undertakings is to draw attention to serious breaches of the DPA (see ICO Guidance: Communicating Enforcement Activities) withholding this information under section 22 potentially is seen to undermine the regulatory functions of the ICO. I struggle to understand how the refusal to disclose the Undertakings, let alone the mere identities of the recipients, shows proper weighing of competing rights and interests.

One a final note, the guidance above also says

We will not risk damage to the reputation of the ICO by agreeing with an organisation that we won’t publicise our action or that we will give advance warning

I’m not sure how to square that with what I was told last year that

the Undertakings were signed on the understanding that they would not be publicised in the usual manner

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

May 28, 2013 · 6:58 pm

Pondlife: privacy obligations and privacy rights

Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.

In 2010 the law firm ACS:Law was victim of a concerted campaign to disrupt its activities through denial of service attacks (DDOS) and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDOS attacks a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.

As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that

Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.

The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).

The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details

This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that

A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right group

Twitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites
I confess I wasn’t aware of the 2010 hack. One wonders if the IC investigated this at the time. Nonetheless, any further hacks which reveal personal data of members and donors raise potential issues of liability for the EDL under the DPA, for the same reason that ACS:Law attracted enforcement action.
 
I found it notable at the time of the ACS:Law case that there was a lack of action or censure for the many people who happily publicised and distributed the file in question, thus exacerbating the already serious breach. It seemed to me, and still does, that those who originally downloaded the file and made it freely available, and those who continued to publicise it and make it available, were arguably guilty of an offence under section 55 of DPA, which provides that disclosing personal data knowingly or recklessly, without the consent of the data controller can be an offence.
 
The chances of an offence being committed are even more pronounced when concerted efforts are made to hack into a website. The offence under s55 DPA remains (through lack of a ministerial Order implementing the custodial provisions) only punishable by a maximum £5000 fine. However, other potential offences are enaged, including those under the Computer Misuse Act 1990, which are punishable by a maximum of five years’ imprisonment.
 
Anonymous have their reasons for the campaign, and they are perhaps difficult to argue against. But concerted efforts to gather and disclose private information raise worrying issues, which should not be avoided simply because of who the intended victims are.
 
None of this is to be seen as defending, or sympathising with, the views of the EDL, who are scum. But even scum have rights. Furthermore, it might be worth bearing in mind that when a list of apparent members of the BNP was leaked in 2009 – an incident which led to the prosecution of an individual under the DPA (at the sentencing of whom the judge said that he was obliged to impose a “fine…so low as to be ridiculous”) – there were strong indications that a number of people were wrongly named as members. Lists can be dangerous things, and I can think of few things more unpleasant than being wrongly associated with groups like this.

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, human rights, Information Commissioner, Privacy

Tagged as ,

May 26, 2013 · 10:27 am

Medical records databreach – what will result?

Today’s Sunday Mirror reports that thousands of confidential medical records have apparently been stored outdoors in a car park in an industrial estate for months. The paper alleges that

DHL Healthcare, which provides services for more than 100 NHS trusts, left out documents reportedly containing patients’ names, addresses and details of their medical conditions.

The paperwork is also believed to contain security “key codes” that enable DHL ambulance drivers to open the front doors of patients’ homes so they can be taken to hospital for treatments such as dialysis and chemotherapy.

Although the article doesn’t mention it, I am sure the Information Commissioner (IC) will take a keen interest in this.

Of particular interest is the fact that this apparent breach is said to have involved an organisation, DHL Healthcare, which doesn’t provide healthcare services itself. According to its website it provides “logistics services for the healthcare industry”. I also note that it provides a records management service. It seems almost certain that it acts under contract to NHS bodies. As such, in the terminology of the Data Protection Act 1998 (DPA), it is a “data processor” and an NHS body which instructs it is a “data controller”. Under the DPA, only the latter – the controller – is responsible for complying with the Act, and only the latter is liable to attract enforcement action for serious breaches of the DPA.

The seventh DPA data protection principle places an obligation on a data controller to ensure that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

and where

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a)the processing is carried out under a contract—

(i)which is made or evidenced in writing, and

(ii)under which the data processor is to act only on instructions from the data controller, and

(b)the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

This means that where an NHS Trust contracts with – say – a records management service, it must enter into a written contract which demands that the contractor must do nothing other than what the contract says, and must have robust data security measures in place. If the contract does not say that then the NHS body is prima facie in breach of the DPA, and liable for any serious breach which might occur.

Thus, in 2012, Brighton and Sussex University Hospitals NHS Trust was “fined” (in reality, served with a s55A DPA Civil Monetary Penalty Notice) £325,000 by the IC after hard drives containing sensitive medical data ended up for sale on the internet. The IC said that the Trust

failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures.
Further, the processing was not carried out under a contract between the Trust and HIS (whether made or evidenced in writing) under which the data processor was to act only on instructions from the data controller, and which required HIS to comply with obligations equivalent to those imposed on a data controller by the Seventh Data Protection Principle

Any investigation into this latest incident will likely involve assessment of the nature of the contracts in place, and the extent to which data controllers contracting with DHL Healthcare took reasonable steps to ensure compliance by the contractor. However, it appears to be the case, under current law, that if the IC determines there was a robust contract in place, and the data controller took all reaosnable steps to ensure compliance, no enforcement action can ensue. This seems slightly strange, but the DPA (which gives effect to the European Data Protection Directive) does not allow the IC to take action against the contractor. (Of course the other party to the contract could take civil action of its own, but this would almost certainly be only for breach of contract).

The draft European Data Protection Regulation seeks to deal with this possible gap in the law. Draft Article 26 (read with Articles 24 and 30) provides that

If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers

This apparently sensible and minor amendment might, though, have major implications for contractual arrangements to process data. If a data processor becomes (jointly) liable for breaches it is likely to assess risk in a much different way when entering into a contract. “Traditional” data controllers need to be alive to the potential financial implications of this.

One final note. Under current law, a data controller is

a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed

Could it be argued that, even now, when a contractor diverges from the terms of a contract, and decides to process data in a different way, they are in fact determining the purposes in a way which could potentially make them a controller? I would be interested to know if this has ever been argued.

Leave a comment

Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, monetary penalty notice

Tagged as ,

May 20, 2013 · 12:23 pm

There’s nothing like consistency…

Two contradictory decisions from the ICO as to whether disclosure of the names of councillors in the Local Government Pension Scheme is lawful might leave FOI officers – and requesters – scratching their heads

Remember those “Spot the Difference” competitions?

In 2010 the Information Commissioner’s Office (ICO) issued a Decision Notice concerning a request made to Buckinghamshire County Council under the Freedom of Information Act 2000 (FOIA). The request was for the names of councillors who had chosen to join the Local Government Pension Scheme (LGPS). The ICO agreed with BCC that

the withheld information is personal data relating to these councillors

But disagreed that section 40(2) and (3) of FOIA exempted the information from disclosure, rejecting an argument that the councillors would not have had a reasonable expectation of disclosure of the information:

the Commissioner has not found any evidence to support a view that disclosing the requested information would be likely to cause unnecessary or unjustified damage or distress to the individuals concerned

and

The Commissioner is satisfied the requested information relates primarily to the councillors’ public lives and does not intrude significantly on their private and family lives.

Consequently BCC was

to provide the complainant with the list of names of the ten councillors who were members of the LGPS

Compare and contrast with a Decision Notice issued recently relating to a FOIA request to Central Bedfordshire Council (CBC). The request was for names of councillors who had chosen to join the Local Government Pension Scheme (LGPS). The ICO agreed that

information regarding the details of an individual’s pension is personal data

And agreed with CBC that section 40(2) and (3) of FOIA exempted the information from disclosure, saying

individuals will have a reasonable expectation that information about their pension, and their decision whether or not to take one, will not be routinely disclosed

and that the councillors’

expectations of privacy with regard to their pensions are still objectively reasonable as it relates far more to their private lives than their professional lives

Consequently CBC was correct

to rely on section 40(2) to withhold…the requested information

A few questions arise: are BCC councillors entitled to bring a complaint against their council for unfair processing? if so, would BCC have a defence that they complied with a legal notice from the statutory regulator? Is local government “lagging behind best practice in other parts of the public sector” (para 20 of FS50233989) or not? Which Decision Notice should other councils follow when they get similar requests? And, finally, did the ICO even look at the earlier decision when it issued the second?

 

DISCLAIMER: I have a professional connection to one of the public authorities involved.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner

May 17, 2013 · 2:58 pm

Damages under s13 Data Protection Act – an Opportunity Lost?

A concession of an issue by the defendant in Halliday v Creation Consumer Finance means the law is still unclear as to whether nominal damages trigger compensation for distress arising from a contravention of the Data Protection Act

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered.

This point was addressed in Johnson v The Medical Defence Union Ltd (2) [2006] EWHC 321 and  on appeal (Johnson v Medical Defence Union [2007] EWCA Civ 262), with Buxton LJ in the latter saying

section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered

In the case at first instance  the judge had found against Mr Johnson in his claim that a failure to renew his membership was caused by unfair processing of his personal data. However, if the first head of claim had succeeded, pecuniary damages in the sum of £10.50, to cover the cost of a breakfast (don’t ask) would have been owed, and

the price of that breakfast [would have represented] his gateway to a right to recover compensation for distress under section 13(2)(a)

This point, already largely hypothetical, fell away on appeal, because the Court held 

The Judge was not entitled to find that this, the only item of pecuniary damage that survived, was attributable to damage for which the MDU was responsible

The judgment in a recent case, Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 had been anticipated as possibly clarifying whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect. The case concerned errors by the defendant regarding disputed payments, which affected the claimant’s credit record. As Robin Hopkins said in a recent post on the Panopticon blog, after reports of the ex tempore judgment surfaced,

In Halliday…nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

Now that the full judgment has been made available, it can be seen that Mr Halliday did indeed succeed in using the nominal £1 damages as a gateway to £750 compensation for distress, but only because the defendant conceded the point:

this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998

So it appears we must continue to wait for fuller consideration of the meaning of the word “damage” in both the Directive and section 13 DPA.

UPDATE: Robin Hopkins has blogged on this case at the Panopticon blog. As he says – and as I may have omitted – “the judgment is not without its notable points”.

5 Comments

Filed under damages, Data Protection