Author Archives: Jon Baines

May 16, 2013 · 7:58 am

NO THANK YOU I DON’T WANT TO REGISTER

The other day I was in town, and popped in to a shop to look at an interesting item. I was rather annoyed to be greeted by a shop assistant waving a large banner which obscured everything. He said he’d put the banner down if I handed over my contact details so he could send me marketing guff in the future. He only got out of the way when I kneed him in the Edwards.

Not strictly true of course. However – you wouldn’t run a physical shop this way, so why run web scripts that have the same effect?

bfp

I don’t want to register for your website – I just want to dip in for a quick look then leave (that still counts as a page view for you to quote to advertisers) and I’d suggest that’s pretty standard practice for the large majority of internet users.

I confidently state that no one, ever, in recorded history, has thought, when they got a pop-up inviting them to register their details, “Oo, how helpful that was. Thank you for obstructing my journey to what I really wanted”.

And I know I could probably configure a pop-up blocker to bypass them, but I don’t (often) walk around town accompanied by a bouncer. So just stop it, everyone who does this.

3 Comments

Filed under Uncategorized

April 16, 2013 · 12:15 pm

Police, poems and FOI

In which I am inspired into literary expression by a rather bizarre ICO decision notice saying that a poem sent by a senior police officer on his mobile device is exempt from disclosure under the “personal data” provisions of the Freedom of Information Act

Mr Plod once sent friends a rhyme
Which was rumoured to be out of line
When a request was lodged
To see what it was
His bosses politely declined

Chris Graham agreed with the force
Saying “It’s personal data because
He’s easy to spot
From the words that we’ve got:
It’s exempt from disclosure, of course!”

A Tribunal may have to decide later
– As the statutory arbitrator –
If it’s rather perverse
To suggest that a verse
Can possibly be personal data.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner, police

Tagged as , , ,

April 5, 2013 · 5:11 pm

A Howitzer of an FOI Exemption

A recent decision by the Information Commissioner shows that the House of Commons is able, under the FOI Act, to apply a blanket provision preventing disclosure of information of potential public interest, from which there is no appeal. If I were a cynical adviser to the House, I’d suggest using it more often.

The Freedom of Information Act 2000 (FOIA) contains a few howitzers with which a relevant public authority can obliterate an otherwise valid request for information. The most familiar of these is at section 53, whereby, in relation to a Information Commissioner (IC) decision notice served on a government department requiring them to disclose information, a Cabinet minister can issue a veto, from which there is no right of appeal.

Less well-known are the certificates which can be served under sections 23 and 24, by ministers, to be conclusive evidence that information requested was supplied by or relates to national security bodies, or is exempt from disclosure for reasons of national security. (These are appealable, either by the IC or by the applicant, under section 60 of FOIA).

Less well-known still is a section which allows the Speaker of the House of Commons (or the Clerk of the Parliaments) to issue a certificate which provides conclusive evidence that disclosure would or would be likely to cause prejudice to the effective conduct of public affairs. This is section 36(7) and, read with section 2(3)(e), it provides an absolute exemption to disclosure, which the IC is duty bound to accept. In effect, it is a means whereby the Houses of Parliament can prevent FOIA disclosure, with no right of appeal.

Thus, in a decision notice published this week about a request for information relating to the tax treatment of residential accommodation provided by the House of Commons, the IC says

Given the nature and provenance of the certificate, the Commissioner is obliged by section 36(7) FOIA to accept the certificate as “conclusive evidence” that the opinion is reasonable in both process and substance and that the alleged inhibition would be likely to occur; therefore, the Commissioner accepts that section 36(2) FOIA is engaged and that the withheld information is exempt

Any appeal of this decision would have the same outcome: if a properly-made certificate states that the exemption applies, then it does, and no regulator or court can say different. So, despite what appears to be a potentially high degree of public interest in the information requested, about, in the applicant’s words

issues of principle… the provision of residential accommodation is a substantial benefit, and its tax treatment is of legitimate interest to the public

we will not get to see it.

There could, I imagine, potentially be an application for judicial review of the decision to issue the certificate, in the same way that the ministerial veto at section 53 is potentially amenable to judicial review, but this would have to be on the classic public law grounds, and would be a very difficult challenge.

One rather wonders why this provision has not been used more often. It has been used in the past to prevent disclosure of information relating to names and salaries of MPs’ staff, and to prevent disclosure of information about the claiming of parliamentary privilege. But when requests were made for disclosure of MPs’ expenses information, the exemption claimed was the one relating to personal data. A section 36(7) certificate would, it seems to me, have rendered those requests dead in the water. Did the House of Commons miss a cynical trick?

Leave a comment

Filed under Freedom of Information, Information Commissioner, Uncategorized

Tagged as ,

April 2, 2013 · 11:33 am

A Question of Apparent Bias?

So, the Information Commissioner’s Office (ICO) has been using “ctrl+v” a bit too much. Large chunks of source material from Wikipedia and – to me more crucially – the website of the Royal Household were quoted, without attribution (and without indication that they were quotations) in a decision letter upholding the Royal Household’s refusal to disclose environmental information to tweeter @foimonkey.

Paul Gibbons – “FOIMan” – has blogged about this, and he wonders if this is evidence of a current lack of resources for the ICO. I think the ICO is under-resourced, and this is set to get worse but I’m not sure I agree with Paul that @FOIMonkey’s case illustrates this.

When Christopher Graham, the current Information Commissioner, was appointed, he inherited a damning backlog of FOI complaint cases, some going back several years. He stated openly that, to deal with this backlog, there might at times be a “silver standard” of investigation (as opposed to a gold one) from his office. True to his word, and much to his credit, the backlog has been greatly reduced, to the point where no cases were more than one year old, at the time of the publication of his last annual report.

So, I would agree with Paul, if @FOImonkey’s case was simply one of these “silver standard” ones, but that surely is not the case here. The refusal by the Royal Household to consider itself a public authority for the purposes of the Environmental Information Regulations 2004 was made over a year ago, and I understand the complaint to the ICO was made promptly after that. This means the ICO has had effectively twelve months to consider a request of considerable (if perhaps obscure) constitutional interest and significance. Even with limited resources twelve months is an awfully long time for a qualified solicitor and national Director of Freedom of Information to have to arrive at a decision.

I have a bigger concern though.

Paul is by no means uncritical of the ICO, and he notes that internal quality controls appear to be lacking, but he is perhaps not overly concerned with the act of copying itself (which could potentially be in breach of copyright):

I’m sure there are FOI out there who have copied chunks of the ICO’s decisions into their own FOI responses without citing them where it suited

However, I think the difference here is related to authority, and perception.

It is quite right for an FOI officer to quote ICO decisions in their own FOI responses (although I agree that citations should be given). Common law relies on a system of precedent and judicial authority, and, although the ICO is a regulator, and not a judicial body, the principle is similar: refer to and cite the authoritative statements of those who make decisions on the law in question.

However, the ICO is the one in a position of decision-making authority here, and to cite the website (without attribution) of one of the parties in a case he has to decide, gives rise to a perception of lack of independence, or bias. And that is an extremely important thing for a regulator to avoid doing.

As it is, most of the unattributed quotes are merely of uncontroversial statements of fact, and I am not sure they are clear evidence of any actual bias on the part of the ICO, but perception of bias is corrosive in itself. The classic test, as propounded by Lord Hope in Porter v Magill [2002] 2 AC 357, is

whether the fair-minded and informed observer, having considered the facts, would conclude that there was a real possibility that the tribunal was biased

Maybe I’m not fair-minded (although I do consider myself reasonably informed) so I would have to invite other observers to say whether they would conclude there was a real possibility of bias in this case.

UPDATE: the ICO has now tweeted saying the failure to cite sources was an error. Fair enough, but I’m not sure that changes my views here.

3 Comments

Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner, transparency

March 27, 2013 · 2:35 pm

Private NHS Providers and FOI

Monitor have recommended that FOI requirements should apply to private providers of NHS services. I’m not sure we should be too optimistic that much will ensue.

Regardless of one’s views of the Health and Social Care Act 2012* it is important that, if “any willing provider” can be commissioned to provide private health services, there should be parity of treatment. And, indeed, the need to ensure a “Fair Playing Field” was, at least ostensibly, what led the Secretary of State for Health to ask Monitor (“the sector regulator of NHS-funded health care services”) to conduct

an independent review of matters that may be affecting the ability of different providers of NHS services to participate fully in improving patient care

That review has now finished, and was laid before Parliament by the Secretary of State yesterday.

My specific interest is in the section regarding transparency. Monitor note that

Historically, public providers have faced higher levels of scrutiny than other providers, including requests for information under the Freedom of Information Act. This degree of scrutiny can improve accountability to patients and promote good practice. Freedom of Information requirements have been extended through the standard NHS contract to private and charitable providers. However, it is not clear that this is operating effectively as yet, and other aspects of transparency do not apply across all types of provider

Accordingly

The Government and commissioners should ensure that transparency, including Freedom of Information requirements, is implemented across all types of provider of NHS services on a consistent basis

This could be read as a recommendation that the Freedom of Information Act 2000 (FOIA) be extended to all (including private) providers.

However, I am not sure we should be too optimistic that the recommendation will be read in this way by the Department of Health. The Justice Committee, in its recent post-legislative scrutiny of FOIA, was unconvinced that FOIA needed to be extended to private providers of public services, feeling that the use of contractual terms to ensure transparency was sufficient:

The evidence we have received suggests that the use of contractual terms to protect the right to access information is currently working relatively well…We believe that contracts provide a more practical basis for applying FOI to outsourced services than [extending FOIA to those private providers]

and rather unsurprisingly the government, in its response to the Justice Committee, agreed

 The Government therefore does not intend, at this time, to legislate to extend FOIA obligations to contractors.

 Given this, I suspect that, rather than taking up Monitor’s recommendation and extending FOIA to private healthcare providers, the government will merely reiterate the point about the use of contractual terms to promote transparency aims.

However, even if FOIA is not to be explicitly extended to include private contractual providers, there is a potential way forward which would achieve those transparency aims in a clearer and more enforceable way. This is the proposal by the Campaign for Freedom of Information, who observed (in light of the post-legislative scrutiny reports)

We don’t believe that relying on every authority to insert an appropriate clause into every contract one at a time is likely to be effective. The FOI Act itself should state that all such contracts are deemed to include a wide disclosure requirement, automatically bringing information about the contractor’s performance and the way the contractor goes about it within the Act’s scope

This seems eminently sensible. I wish eminently sensible things would happen more often than they do.

 

*I happen to think it’s an example of an ideologically-driven privatisation of public services which we will look back on in decades to come as a drastic mistake.

3 Comments

Filed under Freedom of Information

Tagged as

March 20, 2013 · 7:38 am

ICO Bares Teeth at Nuisance Callers

I know a retired chap whose daily life is blighted by nuisance marketing phone calls. Some are from charities he donates to, and I’ve told him he’s entitled to donate and still opt out of receiving these. But others are entirely unsolicited, and despite the fact that about a year ago I got him to register with the Telephone Preference Service (TPS) the calls continue.

Now I remember when I signed up with the TPS a few years ago it was remarkably successful in stopping all nuisance calls, especially when, if one got through, I’d threaten to complain. However, my retired friend won’t complain because, he says, “it wouldn’t achieve anything”. Until recently, I’d have tended to agree with him, but it is good to see the Information Commissioner’s Office (ICO) showing that it does have teeth when it comes to enforcement of the Privacy and Electronic Communications Regulations 2003 (PECR). The ICO have today announced that a monetary penalty notice of £90,000 has been served on a Glasgow company for a breach of the PECR.

DM Design, based in Glasgow, has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service (TPS). The company consistently failed to check whether individuals had opted out of receiving marketing calls – in clear breach of the law – and responded to just a handful of the complaints received.

In one instance an employee refused to remove a complainant’s details from the company’s system and instead threatened to “continue to call at more inconvenient times like Sunday lunchtime”

And it is interesting to note that the ICO say they intend to issue similar “fines” against two other companies.

Of course, this kind of robust enforcement action can only really happen if people complain about this type of call, either to the ICO or to the TPS. I will be encouraging my retired friend to do so, in the knowledge that it might actually achieve something.

Leave a comment

Filed under Uncategorized

March 19, 2013 · 8:34 am

Don’t Panic about the Royal Charter. Panic Now!

Bloggers shouldn’t panic about the proposed Royal Charter, unless they’re already panicking about the current law.

Imagine that a local citizen blogger – let’s call her Mrs B, who is a member of a local church group – decides to let others know, by way of a website, some news and information about the group. She includes information for those about to be confirmed into the church as well as extraneous, light-hearted stuff about her fellow parishioners, including the fact that one of them has a broken leg. Now imagine that a complaint by one of the fellow parishioners that this website is intrusive is upheld and Mrs B is found to have breached domestic law.

The coercive power of the state being brought against a mere blogger would be, you might imagine, unacceptable. You might imagine that any such domestic law, in a country which is a signatory to the European Convention on Human Rights, would be held to be in breach of the free-expression rights under Article 10 of the same.

This sort of outcome, you might say, would surely be unimaginable even under the proposed regulatory scheme by Royal Charter agreed in principle by the main party leaders on 18 March.

But, as anyone who knows about data protection law will tell you, exactly this happened in 2003 in Sweden, when poor Mrs Bodil Lindqvist was prosecuted and convicted under national Swedish legislation on data protection and privacy. On appeal to the European Court of Justice her actions were held to have been the “processing” of “personal data” (and, in the case of the person with the injured leg, of the higher-category “sensitive personal data”) and thus those actions engaged Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data which is given domestic effect in Sweden by the law under which she was convicted. The same Directive is, of course, given domestic effect in the UK by the Data Protection Act 1998 (DPA).

The response to the proposed Royal Charter was heated, and many people noticed that the interpretative provisions in Schedule 4 implied the regulation of web content in general (if said content was “news-related material”), thus potentially bringing the “blogosphere” and various social media activities into jurisdiction. This has caused much protest. For instance Cory Doctorow wrote

In a nutshell, then: if you press a button labelled “publish” or “submit” or “tweet” while in the UK, these rules as written will treat you as a newspaper proprietor, and make you vulnerable to an arbitration procedure where the complainer pays nothing, but you have to pay to defend yourself, and that will potentially have the power to fine you, force you to censor your posts, and force you to print “corrections” and “apologies” in a manner that the regulator will get to specify.

But the irony is, that is effectively exactly the position as it currently stands under data protection law. If you publish or submit or tweet in the UK information which relates to an identifiable individual you are “processing” “personal data”. The “data subject” can object if they feel the processing is in breach of the very broad obligations under the DPA. This right of objection is free (by means of a complaint to the Information Commissioner’s Office (ICO)). The ICO can impose a monetary penalty notice (a “fine”) up to £500,000 for serious breaches of the DPA, and can issue enforcement notices requiring certain actions (such as removal of data, corrections, apologies etc) and a breach of an enforcement notice is potentially a criminal offence.

As it is, the ICO is highly unlikely even to accept jurisdiction over a complaint like this. He will say it is covered by the exemption for processing if it is “only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. He will say this despite the fact that this position is legally and logically unsound, and was heavily criticised in the High Court, where, in response to a statement from the ICO that

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about…another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

Mr Justice Tugendhat said

 I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA…The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

The ICO will decline jurisdiction because, in reality, he does not have the resources to regulate the internet in its broadest sense, and nor does he have the inclination to do so. And I strongly suspect that this would also be the position of any regulator established under the Royal Charter.

I’m not normally one for complacency, and I actually think that the fact that the coercive power of the state potentially applies in this manner to activities such as blogging and tweeting is problematic (not wrong per se, note, but problematic). But the fact is that, firstly, the same coercive power already applies, to the extent that such activities engage, for instance, defamation law, or contempt of court, or incitement laws, and secondly – and despite the High Court criticism – no one seems to be particularly exercised by the fact that the current DPA regulator is able to ignore the activities of the blogosphere, so I doubt that the social and legal will exists to regulate these activities. I hope I’m not wrong.

3 Comments

Filed under Data Protection, human rights, Information Commissioner, monetary penalty notice, Privacy

Tagged as ,

March 13, 2013 · 8:25 am

The Right to Unknown Information

It is important to note that there is no requirement in the FOIA that those intending to make requests for information have any prior knowledge of the information they are requesting.

These words of the Information Commissioner (IC) in, Decision Notice FS50465008, are an important statement about the role of the Freedom of Information Act 2000 (FOIA) in investigative journalism and activism. They establish that, at least in the IC’s view, FOIA requests may be made on a speculative basis, without a knowledge of the specific contents of documents.

To many users and practitioners they are probably also an obvious statement about the right to information conferred by FOIA. If someone is asking for information from a public authority, it is self-evident that, at least in the large majority of cases, they do not know what the information specifically consists of – otherwise, why request it? As the IC goes on to say

The idea of a requirement of prior knowledge that the relevant information exists is itself contrary to the very purpose of the legislation, let alone prior knowledge as to what it comprises

The request in question, made – as those who followed the “Govegateimbroglio might have guessed – by the impressively dogged journalist Christopher Cook (who has given me permission to identify him as the requester), was to the Cabinet Office for

the last email received by the [Prime Minister] personally on government business via a private non-GSI account. I also want the last government email sent by the PM via such an account

It was made in the context of suspicions that attempts might have been made to circumvent FOIA by conducting government business using private email accounts. For obvious reasons Chris was unlikely to be able to identify the specific type of information he sought, and the Cabinet Office knew this, telling the IC that

he has no idea of the nature of the information that may be contained in such emails, if indeed such emails even exist…For a request for a document to be valid, it needs to describe (if it would not otherwise be apparent) the nature of the information recorded in the document. The Cabinet Office does not accept that asking a public authority to undertake a search for emails without any subject matter, or reference to any topic or policy, sent using a particular type of account can satisfy the requirement on the application to ‘describe the information requested’

However, the IC rejected this, splendidly demolishing the Cabinet Office’s position with an argument by analogy

a request for the minutes of the last Cabinet meeting would clearly describe the information requested, even though it does not describe the content by reference to the matters discussed

I think this decision is particularly important because it accepts that, sometimes, a person contemplating requesting information from a public authority might not have a fully-formed view of what it is she wants, or expects to get. Authorities sometime baulk at requests which they see as “fishing expeditions”, but the practice of investigative journalism (in de Burgh‘s classic formulation “…to discover the truth and to identify lapses from it in whatever media may be available…”) will often involve precisely that, and the IC recognises this

Whilst public authorities might find such requests irritating, the FOIA does not legislate against so-called ‘fishing expeditions’

 The Cabinet Office must now treat Chris’s request as properly-made under FOIA. That does not mean that they will necessarily disclose emails from the PM’s private email account (in fact I’d be amazed if they did), but no one ever suggested the trade of investigative journalism was easy.

5 Comments

Filed under Cabinet Office, enforcement, Freedom of Information, Information Commissioner, transparency, Uncategorized

Tagged as , ,

March 8, 2013 · 1:10 pm

Why bother?

It is a statutory duty to comply with the 20-working-day response time to a request made under the Freedom of Information Act 2000 (FOIA). It is breach of the Code of Practice issued by the Secretary of State to fail to respond promptly to a request for internal review of a FOIA refusal (and the IC recommends 20 working days for this as well). It is a statutory duty, breach of which is potentially a criminal offence, to fail to comply with an Information Notice or a Decision Notice issued by the Information Commissioner (IC).

With all this in mind, and with acknowledgement that this is copied in total from an IC Decision Notice FS50427906, read the following comments by the IC, on how the Cabinet Office (who, er, have poor FOI history) handled a specific request, and weep.

73. At every stage during the handling of these requests and the investigation of this case, the Cabinet Office has been responsible for causing severe delays. As noted above, the complainant did not receive a substantive response to his requests until more than a year had passed following his first request, and over eight months following the second.

74. These responses were only forthcoming after the Cabinet Office was ordered to provide these in the earlier decision notice issued by the Commissioner. Even then, the Cabinet Office did not respond within the time limit specified in the notice. The internal review was also late and again was only provided following the intervention of the ICO.

75. During the Commissioner’s investigation the responses provided to his office were frequently late and incomplete. This necessitated the issuing of an information notice, which the Cabinet Office also failed to comply with within the specified time.

76. Given this background, the Commissioner trusts that the Cabinet Office will view the steps required in this notice as providing an opportunity to demonstrate to the complainant its commitment to its obligations under the FOIA and to providing a better service than the complainant has received thus far.

77. A record of the various issues that have arisen in relation to these requests and during this investigation has been made by the ICO. Issues relating to responding to requests in accordance with the FOIA and about responding promptly to correspondence in section 50 investigations have been raised with the Cabinet Office by the ICO in the past. The Commissioner is concerned that, despite this, issues of such severity have arisen in relation to the requests in this case. It is essential that the Cabinet Office ensures that there is no repetition of these issues in relation to future requests.

3 Comments

Filed under Cabinet Office, Freedom of Information, Information Commissioner, transparency

Tagged as ,

March 7, 2013 · 2:13 pm

Google Streetview and “Incidental” Processing

Someone I follow on twitter recently posted a link from Google Streetview of the interior of a pub, in which he could identify himself and a friend having a quiet pint. I must confess this addition of building interiors to the Streetview portfolio had passed me by. It appears that businesses can sign-up to have “Google Trusted Photographers and Trusted Agencies” take photographs of their premises, which are uploaded to the web and linked to Streetview locations.

When it was launched Streetview caused some concern in privacy circles, and this was prior to, and separate from, the concerns caused by the discovery that huge quantities of wifi payload data had been gathered and retained during the process of capture of streetview data. These more general concerns were partly due to the fact that, in the process of taking images of streets the Google cameras were also capturing images of individuals. Data protection law is engaged when data are being processed which relate to a living individual, who can identified from the data. To mitigate against the obvious potential privacy intrusions from Streetview, Google used blurring technology to obscure faces (and vehicle number plates). In its 2009 response to Privacy International’s complaint about the then new service the Information Commissioner’s Office said

blurring someone’s face is not guaranteed to take that image outside the definition of personal data. Even with a face completely removed, it will still be entirely likely that a person would recognise themselves or someone close to them. However, what the blurring does is greatly reduce the likelihood that lots of people would be able to identify individuals whose image has been captured. In light of this, our analysis of whether and to what extent Streetview caused data protection concerns placed a great deal of emphasis on the fact that at its core, this product is in effect a series of images of street scenes…the important data protection point is that an individual’s presence in a particular image is entirely incidental to the purpose for capturing the image as a whole. (emphasis added)

One might have problems with that approach (data protection law does not talk in terms of “incidental” processing of personal data) but as an exercise in pragmatism it makes sense. However, it seems to me that the “business interiors” function of Streetview takes things a step further. Firstly, these are not now just “images of street scenes”, and secondly, it is at least arguable that an individual’s presence in, for instance, an image of an interior of a pub, is not “entirely incidental” to the image’s purpose.

Google informs the business owner that “it would be your responsibility to notify your employees and customers that the photo shoot is taking place” but that “Google may use these images in other products and services in new ways that will make your business information more useful and accessible to users”. It seems likely to me therefore that, to the extent that personal data is being processed in the publishing of these images, Google and the business owner are potentially both data controllers (with consequent responsibilities and liabilities under European law).

It would be interesting to know if the Information Commissioner’s assessment of this processing would be different given that a factor he previously placed a “great deal of emphasis on” (the fact that Streetview was then “just images of street scenes”) no longer applies.

1 Comment

Filed under Data Protection, enforcement, Information Commissioner, Privacy

Tagged as ,