Author Archives: Jon Baines

March 3, 2013 · 10:27 am

Human Rights and Wrongs

“The first major law to curtail the rights of Jewish German citizens was the “Law for the Restoration of the Professional Civil Service” of April 7, 1933, according to which Jewish and “politically unreliable” civil servants and employees were to be excluded from state service” (source: wikipedia)

I was talking to a friend with Jewish heritage yesterday who is researching his family history. His success at tracing his German and Polish ancestors using the superb JewishGen site was – as has happened to some many thousands of Jewish genealogists – desperately and sickeningly curtailed by the events of the 1930s and 1940s. People die, or disappear, and lineages that go back centuries are broken by something that happened within our fathers’ lifetimes.

“[in 1935 the] “Nuremberg Laws” excluded German Jews from Reich citizenship and prohibited them from marrying or having sexual relations with persons of “German or German-related blood.” Ancillary ordinances to these laws deprived them of most political rights. Jews were disenfranchised and could not hold public office” (source: wikipedia)

We speculated on how his family members in 1930s Berlin might have responded to the erosion of their rights during this period. Why didn’t they leave when they could? They were affluent and well-connected. They may even have had the opportunity to emigrate. Philip Roth’s novel The Plot Against America imagines an alternative American history under the leadership of the Fascist-sympathising Charles Lindbergh. It is chilling precisely because it shows how gradual the process of erosion might be, and how difficult it must have been for my friend’s ancestors to accept that their country, and their neighbours and friends, were capable of destroying them, and attempting to annihilate their racial and religious identity.

“Persecution of the Jews by the Nazi German occupation government, particularly in the urban areas, began immediately after the invasion. In the first year and a half, the Germans confined themselves to stripping the Jews of their valuables and property for profit, herding them into ghettoes and putting them into forced labor in war-related industries”(source: wikipedia)

We spoke of how two of his relatives appear to have died on successive days in 1939, and how this might have happened. Though this was after Kristallnacht history shows that that was but one spike in a relentless process of denial of freedom of thought, conscience, religion and expression, of inhuman and degrading treatment or punishment, of forced and compulsory labour in ghettoes, of forcing people to live in unbearably cramped and oppressive conditions, with no respect for family or privacy. Though some might have tried to resist, all rights to freedom of assembly would have gone. Others of his relatives simply disappear from the records, and we had little doubt this would have been after an arbitrary deprivation of liberty with no right to any court hearing.

“Extermination camps (or death camps) were camps built by Nazi Germany during World War II (1939–45) to systematically kill millions of people by gassing and extreme work under starvation conditions. While there were victims from many groups, Jews were the main targets” (source: wikipedia)

And my friend found a record indicating the death of one relative in 1942. The place of death was not known, but by that time the Nazi regime was pursuing a state program of genocide, of mass deprivation of life.

“The rights of every man are diminished when the rights of one man are threatened” (source: John F Kennedy)

The development of the European Convention of Human Rights, with its proclamation of the universality of the rights it described, was born out of an acknowledgment and experience that a state can change its own laws, and depart from acknowledging and protecting human rights. If governments can (and they can) derogate themselves from the obligations of their own laws, then a system of international jurisdiction over the protection of human rights was essential. David Maxwell-Fyfe, a future United Kingdom Attorney General and Home Secretary was a key figure in the drafting of the Convention.

“A country is considered the more civilised the more the wisdom and efficiency of its laws hinder a weak man from becoming too weak and a powerful one too powerful” (source: Primo Levi, If this is a Man)

This morning I read reports that the Home Secretary will announce that a majority Conservative government would withdraw from the European Convention.

1 Comment

Filed under human rights, Uncategorized

February 26, 2013 · 2:57 pm

ICO cites Upper Tribunal on “vexatiousness”

The Information Commissioner has issued his first decision notice citing the Upper Tribunal’s judgments on “vexatiousness” since the latter were handed down

On 7 February 2013 the Upper Tribunal handed down judgment in three appeals relating to requests for information which had been refused either under section 14(1) of the Freedom of Information Act 2000, or regulation 12(4)(b) of the Environmental Information Regulations 2004. These two provisions provide, respectively, that the general obligation on public authorities to disclose information on requests is disapplied if the request is “vexatious” or “manifestly unreasonable”. Until the Upper Tribunal ruled on these cases there had been no authority from a relevant appellate court, and there was considerable variation in how the Information Commissioner and the First-tier Tribunal (Information Rights) approached these cases – I recently wrote about this position of uncertainty for PDP’s FOI Journal.

Both Paul Gibbons and Robin Hopkins have written, comprehensively, about the Upper Tribunal’s decisions, and the NADPO Spring Seminar will feature James Cornwell, of 11KBW, talking about the subject, so I merely blog now to observe that the Information Commissioner (IC) has correctly also taken note of them. In upholding a decision to refuse to disclose information, in decision notice FS50459595 (regarding a request to the Chief Constable of Surrey Police) he says

In reaching a conclusion in this case the Commissioner is also assisted by the Upper Tribunal’s comments in the case of Wise v Information Commissioner: “Inherent in the policy behind section 14 (1) is the idea of proportionality. There must be an appropriate relationship between such matters as the information sought, the purpose of the request and thetime and other resources that would be needed to provide it.”

It is interesting to note the IC’s reliance on this passage. What is also interesting (and not to be criticised) given the timing, is that the IC continues to refer to his own guidance (“When can a request be considered vexatious or repeated?”) in determining these sort of cases. The Upper Tribunal, while saying that “there is much to commend in the IC’s Guidance” (¶41 of the Dransfield judgment) did go on to give strong hints that it might need revising

in accordance with the thrust of this decision, it may be that the Guidance needs to place greater weight on the importance of adopting a holistic and broad approach to the determination of whether a request is vexatious or not, emphasising the attributes of manifest unreasonableness, irresponsibility and, especially where there is a previous course of dealings, the lack of proportionality that typically characterise vexatious requests

The fact that the IC honed in on the concept of a proportionality approach in this recent decision notice suggests the revised guidance might be appearing sooner rather than later.

3 Comments

Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, vexatiousness

February 22, 2013 · 5:18 pm

Practice makes perfect

Wirral borough council is on the watch list at the moment. I would really like to send in a good practice squad to Wirral borough council, but I do not have the powers do that. I am not picking on Wirral; it is just an example that comes to mind

So said Commissioner Christopher Graham in evidence to the Justice Committee during a recent one-off session on the work of the Information Commissioner’s Office (ICO).

The rather self-contradictory observation that he was not picking on that particular public authority is not the most interesting point about his comments (although it does seem a bit hard on Wirral, when the Department for Education, the Department for Work and Pensions and the Office of the First Minister and Deputy First Minister of Northern Ireland are all also currently subject to formal monitoring for especially poor compliance with the Freedom of Information Act 2000 (FOIA)).

What does strike me, though, is his complaint that he lacks powers to “send in a good practice squad”. Although strictly true, there is an enforcement power which he does have, which equates to the power to send in a “good practice squad”, albeit with the consent of the public authority concerned. To my knowledge, however, this is a power he and his predecessor have never exercised.

Section 47(3) of FOIA says

The Commissioner may, with the consent of any public authority, assess whether that authority is following good practice

 In the ICO’s own guidance on his FOIA regulatory action policies, he says

 An assessment may be conducted with the consent of a public authority. It is designed to determine whether an authority is following good practice – and specifically, to assess its conformity to the codes of practice [made under sections 45 and 46 of FOIA]

A Standard Operating Procedure document (disclosed, ironically enough, by the ICO in response to a FOIA request) suggests that the ICO sees his policy of monitoring FOIA compliance in specific poorly-performing authorities as constituting a s47(3) assessment. However, my feeling is that this does not restrain him from extending his actions under this section to physically sending in “good practice” teams. Certainly the Scottish Information Commissioner sees his equivalent powers under section 43(3) of the Freedom of Information (Scotland) Act 2002 as a means of conducting such good practice visits, and he does approximately twelve of them a year.

I appreciate that the ICO prefers to take a more informal route towards enforcing FOIA compliance, by means, for example, of monitoring at a distance, or by issuing undertakings (“The culmination of negotiated resolution, [committing] an authority to a particular course of action in order to improve its compliance”). But there is doubt about how seriously some public authorities treat this informal approach. If he really did want to send in “good practice squads” I think he could certainly do so (and if an authority were to refuse consent, it could potentially trigger stronger powers, like practice recommendations and enforcement notices).

2 Comments

Filed under Cabinet Office, enforcement, Freedom of Information, Information Commissioner, practice assessment

February 21, 2013 · 12:59 pm

We still have judgment here

Mr Justice Tugendhat makes very interesting observations about reserved judgments and open justice,  in a judgment on whether a defendant is in breach of prior undertakings relating to tawdry publications about the parents of Madeline McCann:

The decision not to identify in a reserved judgment a fact or person that has been identified in open court is not a reporting restriction, nor any other derogation from open justice. The hearing of this committal application was in public in the usual way. The decision not to set out everything in a judgment is simply a decision as to how the judge chooses to frame the judgment (¶86)

I have previously written about discussions taking place about the privacy and data protection implications of electronic publication of lists from magistrates’ courts, and I also wrote a thesis (NEVER to see the light of day thank you very much) which attempted in part to deal with the difficulties of anonymisation in court documents. These seem to me to be very urgent, and tremendously difficult, considerations for the subject of open justice in the digital era (the title of the initiative, led by Judith Townend, to “make recommendations for the way judicial information and legal data are communicated in a digital era”).

The judgment continues with Tugendhat J observing that, in previous cases where he has referred to parties by initials in reserved judgments this has sometimes been misinterpreted as his having made an anonymity order. Not true: the proceedings themselves were in open court, but

what happens in court, if not reported at the time, may be ephemeral, and may soon be forgotten and become difficult to recover, whereas a reserved judgment may appear in law reports, or on the internet, indefinitely (¶87)

This is a crucial point. My concern has always been about the permanence of information published on the internet, and the potential for it to be used, and abused, in ways and under jurisdictions, which would make a mockery of, for instance, the Rehabilitation of Offenders Act 1974, and the Data Protection Act 1998.

I haven’t noted the judge’s comments for any particular reason, other than I think they helpfully illustrate some important points, and might provoke some discussion.

1 Comment

Filed under Confidentiality, court lists, Data Protection, Open Justice, Privacy, Rehabilitation of offenders

February 20, 2013 · 1:26 pm

Smeaton v Equifax overturned

The Court of Appeal has overturned what had seemed an important, if controversial, judgment on the legal duties owed by Credit Reference Agencies to those about whom they hold records and issue reports.

I blogged in May last year  about a high court claim for damages under section 13 of the Data Protection Act 1998 (DPA). The claimant, Mr Smeaton, successfully argued that, as a result of processing inaccurate data about his credit history, the Credit Reference Agency (CRA) Equifax was in breach of the fourth data protection principle, and that Equifax’s obligations under the DPA as a data controller meant that it owed a duty of care to Smeaton in tort. Accordingly, damages were owed (to be assessed at a later date).

The case has now been comprehensively overturned in the Court of Appeal. Primarily, the appeal succeeded because the judge’s findings on causation (i.e. had the inaccuracy in Mr Smeaton’s credit record led to the detriment pleaded?) were not sustainable. Lord Justice Tomlinson, giving the lead judgment, was highly critical of the judge’s approach

the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely (¶11)

That effectively dispensed with the claim for damages, but Equifax, clearly concerned about the implications of the original findings regarding a breach of the DPA and consequent breach of a duty of care, asked the Appeal Court to consider these points as well.

Was there a DPA breach?

Tomlinson LJ held that the procedures which obtained at the time of the alleged DPA breach, regarding the annulment (and communication thereof) of bankruptcy orders, had never been the subject of the expression of any concern by either the Information Commissioner or the Insolvency Service. In the first instance the judge had observed that inaccurate personal data could be “particularly damaging”. Tomlinson LJ did not demur, but said that

it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file (¶59)

Those arrangements are described in guidance both published by or approved by the Information Commissioner, and include the fact that, in the event of a failed credit application

[the] lender must tell a failed applicant by reference to the data of which CRA an application was declined, if it was, and the failed applicant, like any consumer, has the right to obtain a copy of his file from a CRA on payment of £2.00

and mistakes can thus be corrected.

Moreover, CRAs must, by reference to the Guide to Credit Scoring 2000, not decline a repeat application “solely on the grounds of having made a previously declined or accepted application to that credit grantor”. This, and other guidance, were inbuilt safeguards against the kind of detriment Mr Smeaton claimed to have suffered. Ultimately

Equifax did take steps to ensure that its bankruptcy data was accurate. It obtained the data from a reliable and authoritative source in the form of the [London] Gazette, it transferred the data accurately onto its data bases from that source and it amended its data immediately upon being made aware that it was inaccurate…the judge was wrong to conclude that Equifax had failed to take reasonable steps to ensure the accuracy of its data (¶81)

Was there a co-extensive duty of care in tort?

Here Tomlinson LJ considered the “traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty” and held comprehensively that there was not. He agreed with counsel for Equifax’s argument that

(1)It is doubtful whether it was reasonably foreseeable that the recording of incorrect data on Mr Smeaton’s credit reference would cause him any loss…
(2)It would also not be fair, just or reasonable to impose a duty. In particular, imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class…
(3)It would also be otiose given that the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data
(4)Parliament has also enacted detailed legislation governing the licensing and operation of CRAs and the correction of inaccurate information contained in a credit file in the CCA 1974. This provides for the possibility of criminal sanctions, but does not create any right to civil damages. In such circumstances it would not be appropriate to extend the law of negligence to cover this territory (¶75)

The third of these seems to make it clear that the courts will be reluctant to allow for a notion of an actionable duty of care on data controller to process personal data fairly and lawfully. (This is in contrast, interestingly, with the situation in Ireland, whereby a statutory provision (section 7 of the Data Protection Act 1988) states that such a duty of care is owed (at least to the extent that “the law does not so provide”)).

My post on the first instance case has been one of the most-read (it’s all relative, of course – there haven’t been that many readers) so I think it only correct to post this update following the Court of Appeal judgment.

2 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

February 7, 2013 · 9:36 am

Courts, Contempt and Data Protection

Can it be possible for HM Courts and Tribunals Service – who have responsibility for publishing court lists – to publish those same lists in an unlawful way?

Richard Taylor, a blogger and mySociety volunteer uploaded an intriguing blog post recently. Entitled Cambridge Magistrates Court Lists Obtained via Freedom of Information Request it described Richard’s request to HM Courts and Tribunals Service (HMCTS) for

 …the information which would be expected to appear on the full copy of the court list in relation to appearances, hearings, trials etc. currently scheduled to be held in Cambridge Magistrate’s Court [five specified days]

HMCTS, commendably, in Richard’s words (amazingly, in mine), responded to him within six days. The disclosure was, by any standards, extraordinary. Richard had made the request using the whatdotheyknow.com portal. This service means that any disclosure made by a public authority is by default uploaded to the internet for anyone to see. What was uploaded by HMCTS included

 …the identity of victims of crimes people were being charged with, including a girl under 14 who was named in relation to an indecent assault charge

As Richard points out, the anonymity of victims of alleged sexual offences is protected by law. Section 1 of the Sexual Offences (Amendment) Act 1992 (SO(A)A) provides that

neither the name nor address, and no still or moving picture, of [a victim of an alleged sexual offence] shall during that person’s lifetime…be published in England and Wales in a written publication available to the public

These necessary derogations from the principles of open justice cannot extend to complete anonymity. For obvious reasons, the name of a victim of an alleged sexual offence will need to be before a court in the event of a trial. So, the meaning of a “written publication available to the public” does not include (per s6 SO(A)A)).

an indictment or other document prepared for use in particular legal proceedings

It appears that the lists disclosed to Richard would fall into this category. However disclosure of such a document under FOIA, which is taken to be disclosure to the world at large (and, in the case of whatdotheyknow.com effectively is) would extend its “use” so far beyond those particular legal proceedings that it would undermine the whole intention of section of SO(A)A. It seems that HMCTS recognised this, because they subsequently contacted Richard and confirmed that the information was disclosed in error.

We believe the majority of the information in the Court Lists is exempt from disclosure under Section 32 (Court Records) and Section 40 (Personal Information) of the Freedom of Information Act. We also believe provision and publication of sensitive personal data may also breach The Data Protection Act.

Well, I hate to be a tell-tale, but this seems to be a tacit admission that the disclosure to Richard was an extremely serious breach of the Data Protection Act 1998 (DPA). It was also potentially in breach of SO(A)A and potentially an act of contempt under the Magistrates’ Courts Act 1980 (MCA), section 8(4) of which permits publication only of certain information relating to commital proceedings, before a trial, and the names of alleged victims certainly does not fall under that sub-section. But can a court (or at least, a court service) be in contempt of itself by digitally disclosing (publishing) to the world information which it is required otherwise to disclose publicly?

While distinction should be drawn between a “full” list, such as was inadvertently disclosed to Richard, and “noticeboard” lists, habitually stuck up outside the court room, the points raised by this incident exemplify some crucial considerations for the development of the justice system in a digital era. It seems clear that, even if a court were permitted to  this or similar information, the re-publication by others would infringe one or all of the SO(A)A, DPA and MCA. What this means for the advancement of open justice, the protection of privacy rights and indeed the rehabilitation of offenders is something I hope to try to grapple with in a future post (or posts).

3 Comments

Filed under Breach Notification, court lists, Data Protection, Open Justice, Rehabilitation of offenders

January 25, 2013 · 2:41 pm

Public Interest in Empty Buildings

Does the public interest favour publishing lists of vacant properties? No, says the First-tier tribunal. Yes, suggests the launch of the government website “Find Me Some Government Space”.

On 22 January the First-tier tribunal (FTT) handed down judgment in the remitted case of Voyias v IC and Camden Council. Those looking for intelligent insights into the case, and the reasons why it was originally appealed to the Upper Tribunal, and then sent back to the FTT should read the excellent series of posts on the Panopticon blog. I’m here to make a much blunter observation: at the same time a local authority is strongly resisting publishing details of vacant properties, the government appears to be actively promoting similar publication.

At issue  in the FTT was whether the Council should disclose, under the Freedom of Information Act 2000 (FOIA), addresses of vacant properties in its area. The information had been withheld on the basis of the FOIA exemption at section 31(1)(a)

disclosure…would, or would be likely to, prejudice…the prevention or detection of crime

The FTT had little difficulty (having been bound by the Upper Tribunal to consider indirect consequences of disclosure on the prevention of crime) in finding the exemption was engaged, holding that

releasing the requested information would increase squatting and that there would be an increase in the instances of various types of criminal activity directly connected to it*

When it came to the balance of public interest factors (section 31 being a qualified FOIA exemption) the only real factor pleaded in favour of disclosure was

The need to ensure that the Council takes appropriate measures to bring empty property back into use

And the FTT, at paragraph 55, afforded it “relatively small weight”.

Against disclosure were the following (not all of them accepted by the FTT, it should be said)

The inherent public interest in the prevention of all crimes…; The cost of securing properties vulnerable to squatting and repairing damage resulting from it, whether that cost falls on the private or public purse; The cost of evicting squatters; The potential detrimental impact on those directly affected by criminal damage; The impact on the community in the vicinity of a squatted property; The problems faced by Council staff having to deal with squatting and its consequences; The impact on police resources; The direct financial cost caused by property stripping.

Fine. FTT found the exemption engaged and that the public interest favoured non-disclosure of empty, unused properties. As John Murray has pointed out to me, this is somewhat surprising given that it also appears that many other local authorities have had little concern about disclosing similar information.

And one wonders why, if such prejudice would or would clearly be likely to arise, the government two days later launched  a website called Find Me Some Government Space. Launching it Chloe Smith, Minister for Political and Constitutional Reform, (what a grand title) said

…we will have a number of properties both owned and rented that we need to do more with. Not only will this website help to save government money but we will see new opportunities, jobs and growth in local economies as new life is brought into empty, unused properties. [emphasis added, naturally]

These sentiments were, oddly, not reflected by the then Housing Minister Grant Shapps, when the initial FTT ruling was made.He said it was a “bizarre decision that flies in the face of common sense” and that publishing details of empty properties “in other areas has led to the numbers of squats doubling”.

Now – and I concede they are not residential – within seconds, using “Find Me Some Government Space”, I’d found a list of 30 properties for sale within a 20km radius of Camden Council’s offices. It’s not clear if they’re currently empty and unused, but the words of the Minister imply that those are the sort of buildings which will be on “Find Me Some Government Space”. Moreover, as the government clearly thinks bringing new life into empty, unused properties is connected to the creation of jobs and economic growth, will they be encouraging councils to disclose the very type of information this Council sought so hard to avoid disclosing?

*At the time of the request, squatting in residential properties was not a criminal offence, something that has now changed with the enactment of section 144 of the Legal Aid, Sentencing and Punishment of Offenders Act.

Leave a comment

Filed under Freedom of Information, Information Tribunal

Tagged as

January 25, 2013 · 8:54 am

Sony Make Believe?

The ICO has “fined” Sony £250k for its Playstation Network breach.

My swiftly-grabbed breakfast coffee yesterday morning was interrupted by an emailed press release from the Information Commissioner’s Office (ICO) informing us that a civil Monetary Penalty Notice (MPN) in the sum of £250,000 had been served on Sony Computer Entertainment Europe Limited by the ICO. It was such an important case it was celebrated by a rare foray into video by the ICO’s David Smith. This was the outcome of investigations into a data security breach in April 2011 which had, in the ICO’s words, the effect of

compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk

An MPN is served under section 55A of the Data Protection Act 1998. One can be served where the ICO determines that there has been a serious contravention of the Act, of a kind of a kind likely to cause substantial damage or substantial distress, and the data controller knew or ought to have known that there was a risk a contravention of this type would occur, but failed to take reasonable steps to prevent it.

There is a right of appeal against both the MPN itself, and the amount, to the First-tier Tribunal (FTT). Rather to my initial surprise Sony swiftly announced they were lodging an appeal. I had noticed that there were very large parts of the ICO’s formal MPN document that were blacked out. See

cropped-untitled.jpg

and

cropped-untitled.jpg

Even figures such as the estimated worldwide number (in millions) of PS Network users were redacted. I had a suspicion that some sort of negotiation might have taken place between the ICO and Sony, whereby the former would willingly redact everything the latter asked for, if the latter accepted their punishment. The announcement that they would appeal showed how I should be wary of my suspicious nature*.

Sony say

the ICO recognises Sony was the victim of “a focused and determined criminal attack,” that “there is no evidence that encrypted payment card details were accessed,” and that “personal data is unlikely to have been used for fraudulent purposes” following the attack on the PlayStation Network.

This seems to miss the point that section 55A does not require the ICO to determine that harm has occurred, only that the contravention was likely to cause substantial damage – or distress. As the ICO points out, thousands of people had their personal details (names, address, dates of birth and account password)s were compromised. The risk of identity theft existed, and, as the ICO points out, continues to exist. However, a question does arise as to how serious the breach was.

Last week the FTT handed down judgment in an unsuccessful appeal of a previous MPN served on Central London Community Healthcare NHS Trust (for a detailed analysis of that case, see Robin Hopkins’ piece on the Panopticon blog) . As a result of this we now know a bit more both about the ICO’s procedures in serving MPNs and the FTT’s likely approach to any further appeal. We know (paragraphs 37 and 38) that the FTT will conduct in effect a de novo hearing of the facts, and permit itself, where appropriate, to substitute its own view for the ICO’s, but that it will be likely to afford a degree of deference to the ICO’s views, given his expertise in DPA matters. We know (paragraph 39) that the FTT could increase the amount of the MPN. We also know that £250,000 marks the border between what the ICO sees as a “very serious” type of breach and the “most serious” type. One suspects Sony will be asking the FTT to consider whether this breach, which potentially affected a huge number of people, but which did not involve sensitive personal data, was as serious as the ICO treated it.

Personally, I think it was – the sheer numbers, and fact that this data is still out there, perhaps being sold and traded to crooks and spammers, make it so. Although the FTT could take a different view, Sony could well be living in the land of make believe.

One final point. Some have suggested that the ICO has traditionally been unwilling to take on the large private sector organisations when it comes to data protection enforcement. The suspicion has been that he is reluctant to risk lengthy and costly challenges. With this action, the ICO gives (at least a little bit of) lie to that. It would be a real shame if a lengthy and costly challenge ensues. We don’t want the ICO to whisper “I told you so”, do we?

*Actually, my suspicious nature makes me wonder if they will ultimately pursue the appeal. Although it will cost them nothing, this isn’t about cost, but reputation, and do Sony really want to risk another day of bad headlines about their data security, in the event that they lose the appeal?

UPDATE: 12 July

The First-tier Tribunal listings show that Sony withdrew their appeal on 8 July. We don’t know the reason why, but I wonder if I was right after all?

3 Comments

Filed under Uncategorized

January 8, 2013 · 3:48 pm

When is a working day not a working day?

If you made an FOI request over the Christmas period, be aware of a strange anomaly regarding time for compliance

Everyone knows that the time for compliance by a public authority with a request made under the Freedom of Information Act 2000 (FOIA) is twenty working days. Section 10 of FOIA says

a public authority must comply with [a request for information made under] section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt

A “working day” means (by s10(6))

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom. [emphasis added]

This means that, even when a request is made in England, Wales or Northern Ireland, to a English, Welsh or Northern Irish public authority, under FOIA (which in relevant part only applies to England, Wales and Northern Ireland – Scotland has its own Freedom of Information (Scotland) Act 2002), the existence of a Scottish bank holiday during the relevant period effectively extends the time for compliance by one day.

The 2nd of January is a bank holiday in Scotland.

So, think twice before you chase a public authority this month about a request you think is one day overdue.

9 Comments

Filed under Freedom of Information, Uncategorized

Tagged as

January 4, 2013 · 4:01 pm

Opt Me Out! Please

Do some barriers to opting out of direct marketing risk a breach of the Data Protection Act?

I’m trying to open a credit card account: long interest-free periods are useful for those who are careful with their money. They’re also useful for people like me.

My application was going fine until the point at which I was asked to agree to their policy on the use of my information for marketing purposes. This says

[Generic Financial Services Company] may inform me of special offers, products and services, either by letter, telephone or e-mail. If I am a new GFSC customer and I do not wish to receive marketing material by letter, telephone or email, or any combination of these I can write to you at GFSC, Marketing opt-out, FREEPOST XXXX

Thanks GFSC, but I don’t have to send you snail mail to opt-out of marketing. Section 11 of the Data Protection Act 1998 (DPA) simply says I can serve a notice in writing requiring you to cease, or not to begin, processing my personal data for the purposes of direct marketing. “In writing” includes, by virtue of section 64 of the DPA, email.

So I agreed to the terms of their marketing statement (I didn’t have to do that by snail mail, of course – I just ticked a box) and then very cleverly emailed them serving a section 11 notice requiring them not to being marketing, and asking them to confirm receipt of the notice.

However, I’ve now received a friendly email saying

Thank you for your message. The email service you have used is not 100% secure and we’re unable to reply to you using this service.  Emails can be intercepted which is why we provide secure messaging within our Online Banking facility.  I’m unable to access your account details and provide the information you require. I want to answer your query, but in a secure environment…

I didn’t “require” any specific information (other than an acknowledgement of receipt) and I was not wishing to discuss any matters which required secure email correspondence (I had freely provided my name and address). And I don’t have account details, because they haven’t accepted me as a customer yet.

So now I’m in limbo. I agreed to receive direct marketing, by ticking an online box, but immediately served a section 11 notice which they presumably won’t pay any attention to.

However, in strict terms the fact I got a reply to my email confirms that my notice was received. It may not mean I won’t get direct marketing, but it does probably mean that any such marketing would be sent to me unlawfully, in breach of section 11 of the DPA, as well as the first, second and sixth principle in Schedule One, and (therefore) section 4(4).

Having said all this I’m not sure I should name this nation wide financial institution, because I still want the service, and my principles don’t quite extend to withdrawing my application under these circumstances. I’m left wondering what I should do?

2 Comments

Filed under Data Protection

Tagged as