Author Archives: Jon Baines

Why won’t you read my secret guidance?!

The Office of Surveillance Commissioners (OSC) is in charge of reviewing the exercise of powers and duties under the Regulation of Investigatory Powers Act 2000 (RIPA) and the equivalent Scottish Act. It does not regulate RIPA (that is the role of the judiciary) but conducts inspections, provides reports and issues guidance. That guidance is, effectively, secret.

I can understand why details of specific instances of lawful surveillance must not be disclosed publicly. I have never fully understood why guidance from the person appointed to review the exercise and performance of powers and duties conferred or imposed by or under RIPA should not be disclosed publicly.

The Office of Surveillance Commissioners’ remit is

keeping under review (except in relation to the interception of communications and the intelligence services) the exercise and performance of powers and duties conferred or imposed by or under Part II (covert surveillance) and Part III (encryption) of RIPA and its Scottish equivalent RIP(S)A

(interestingly that website contains a typo – this remit is contained in section 62 of RIPA, not section 63).

This is an important role (which is in addition to the OSC’s remit under the Police Act 1997 to review authorisations by law enforcement agencies “for operations involving entry on, or interference with, property or wireless telegraphy, without the consent of the owner”). RIPA is much-maligned, although, ironically enough, in key areas it merely provides a regulatory framework for intrusions into private lives which were formerly permissible at common law (i.e. the sort of surveillance RIPA regulates perhaps always used to happen, it’s just that it was not prima facie unlawful).

However, the Chief Surveillance Commissioner never seems happy with his lot. In his latest report he bewails the limits on his office’s funding

The Home Secretary is required…to provide me with the support necessary to fulfil my responsibilities. The support I receive continues to be, in some respects, inadequate. In particular, information technology for many years has failed to meet the demands of remote, secure and mobile working which is an integral part of the inspection process. Promises of improvement are not fulfilled and there appears little urgency to resolve recurring problems. Similarly, I have to rely on archaic facsimile machines which repeatedly malfunction. (¶3.13)

If true, this is pretty shoddy. I would suggest that if anyone needs to be sure about their information security it’s the Chief Surveillance Commissioner (and why is he still reliant on “facsimile machines”?).

He is also unhappy with some authorities he has inspected

My Inspectors are not lawyers and they address their reports to me. Their reports are subject to my endorsement which I will make clear in my covering letter to the chief officer of the authority inspected. It is therefore important that conversations with them during an inspection are not misquoted or shared with others without prior agreement…There have been a few occasions when correspondence from me to a single public authority has been promulgated by that authority to others as a general interpretation. Usually my guidance relates to specific facts and may not be applicable in circumstances which may appear to be, but which on analysis are not, similar. (¶3.3-3.4)

This reluctance to be open about things he and his inspectors say carries through – in spades – to the guidance he produces. In the most recent report he says

my Commissioners from time to time publish guidance in a single document for use by public authorities. I do not wish to apply a security marking to my guidance but, despite clear instructions, I am dismayed at thoughtless disclosure of a document which provides information which necessarily alludes to covert tactics. The Home Office has not yet provided me with a website capable of balancing the need for transparency to the public with controlled access to specific guidance by a limited audience.

and refers back to the previous year’s report which provided reasoning for not publishing it

my small office does not have the capacity to answer the inevitable influx of requests for clarification this would invite…law enforcement agencies in particular are concerned that tactics might unnecessarily be revealed…it is not a comprehensive document which covers every eventuality and it might be misconstrued or misused; and…it is not my remit to provide free legal advice, though I proffer guidance to public authorities which I have a responsibility to review, in order to raise standards and promote consistency (¶3.4)

although not before regretting it is not always readily available to those who need it

If I continue to find this document is not readily available to those who need it, or is not promoted by national associations, I may make it publicly available on my website

Which seems to me to be a case not of threatening to take your bat home with you, but going home and leaving your bat behind.

All this seems to reveal an attitude rather, shall we say, paternalistic and ante-Freedom of Information Act. Needless to say, someone tried, a couple of years ago, to use FOIA to get a copy (asking the OSC, which is not a public authority for the purposes of FOIA, nonetheless to use the Act’s spirit as a model for discretionary disclosure). Although the OSC refused, the requestor, on the admirable whatdotheyknow.com site*, later found that a local authority had helpfully uploaded a copy as part of a committee report. Perhaps this was one of the naughty authorities lambasted by the OSC. If so, he hasn’t done much about it, because the report is still there, happily providing guidance and – I hope – not actually causing him any trouble whatsoever.


*I’ve not linked to it, out of deference to the OSC – I can tug my forelock with the best of ’em – but a bit of googling will get you there in no time.


Filed under Freedom of Information, RIPA, surveillance, surveillance commissioner

Initial thoughts on a suspiciously missing judgment

A guest post by anonymous blogger “Juvenal”

Finding court judgments should be easy. And finding a judgment of the Supreme Court should be easier still. Could it be possible that a landmark judgment has suddenly “disappeared”? Even that it might never have been reported in the first place?

That is the shocking conclusion I have come to after reading the excellent analysis by blogger @loveandgarbage of the landmark case of Smith v DPP and Commissioner of the Metropolitan Police [2011] UKSC 666. He points out that the judgment should be at http://www.supremecourt.gov.uk/docs/uksc-2011-0666-judgment.pdf but that goes, suspiciously, to a blank page. Every effort is being made to find out what is going on.

Making an FOI request seemed to me to be the best way forward. Under FOI, unless an exemption applies, a public authority must disclose information to a requester. So, even though the Supreme Court holds an absolute exemption under section 32, I thought it was worth a try. I was shocked to be told that the information was “not held” and that I was being classed as vexatious for asking for a judgment that never even existed. Can you imagine anything more suspicious?


Filed under satire

The Bludgeoning of the Decision Notice

With the latest ministerial veto, is a quaint British tradition emerging?

So, the Attorney General has exercised his powers of veto under section 53 of the Freedom of Information Act 2000 (FOIA) for the third time this year. The only one of his predecessors to use the veto – Jack Straw – only managed to use it twice in one year, so Mr Grieve must now be considered champion at wielding this most blunt of legislative instruments.

Section 53 allows an accountable person (who can be any member of the Cabinet but who, by what appears to be a convention in the making, has always thus far been the Attorney General) to issue a certificate to the Information Commissioner (ICO) telling him, in effect, that he got it wrong when ordering disclosure of information under FOIA.

The target of this week’s veto was, for the second time, an ICO decision that Cabinet minutes from March 2003 relating to the decision to go to war in Iraq, and to the then Attorney General’s legal advice regarding the military action, should be disclosed by the Cabinet Office. This decision notice, issued only on 4 July this year, was in very similar terms to one issued by the ICO in February 2008, which was the subject of a Straw veto in February 2009, although only after the decision in favour of disclosure had been upheld by the Information Tribunal.

Much has been written about the potentially illiberal nature of the section 53 power – which seems to be a possibly unique example in statute of an executive override over the judiciary. It is ironic that some former and current government figures have argued so strongly for Cabinet minutes to be totally exempt from FOIA disclosure, when the veto can be wielded so easily and decisively (although they would no doubt counter-argue that it is only being used so often because of the lack of a class exemption applying to such information). Indeed, the Justice Committee, in its recent report as part of the post-legislative scrutiny of FOIA, said

we remind everyone involved in both using and determining that space that the Act was intended to protect high-level policy discussions…We also recognise that the realities of Government mean that the ministerial veto will have to be used from time to time to protect that space

There is no bar on someone requesting the same information again from the Cabinet Office, nor any mechanism to allow the ICO not to keep issuing decision notices in favour of disclosure. Given this (and given the words of the Justice Committee) perhaps we are seeing the beginnings of a quaint British tradition, like The Dragging of the Speaker of the Commons or The Searching of the Cellars. I shall call it The Bludgeoning of the Decision Notice.


Filed under Freedom of Information, Information Commissioner, Information Tribunal

MPs and data protection offences, part three

In previous posts I have written about the apparent failure by several MPs to register with the Information Commissioner’s Office (ICO) for data protection purposes. I have pointed out that a failure by someone to do so in circumstances where they should constitutes a criminal offence. In the last post I related that I had made a Freedom of Information Act (FOIA) request to the IC asking him what he was doing about these potential offences. I have now received the response.

In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the ICO: the power to prosecute lies primarily with the ICO itself. MPs process personal data, and the very large majority properly register this processing (which costs them £35 a year – in contrast to the £500 notification fee for larger data controllers). However, FOI requests over recent months have revealed that several MPs have not only failed to do so, but their failure has continued despite the ICO reminding them of their obligation.

On 10 May I wrote to the ICO, naming the then 22* MPs who had not registered, and asking

Please inform me…

1. What enforcement action has been taken against these MPs?

2. How many reminders each has been given (I understand you normally operate a two-reminder, then enforcement, system)

3. In addition to these 22, how many other MPs have not renewed their notification? (as more than seven months have elapsed I presume there will be some additional notifications which have lapsed)

As for the third question, I was sent a spreadsheet showing (as at 24 May) all MPs and their notification record. (Interestingly, two MPs who have been elected to the House of Commons in the last two years have no registration showing at all – Debbie Abrahams and Louise Mensch.)

As for the second question, the ICO’s reply comes with an attachment showing that – with three exceptions – the 22 MPs in question had all received two reminders (one had received only one reminder, and two – because of a technical glitch – had received none). The reply also came with some explanatory comments to the effect that

it is the responsibility of the Data Controller to assess their data processing at that point and make a determination as to whether notification is still required…We provide a reminder service to notified entities to help them maintain their notification. However, because there are legitimate reasons why many Data Controllers may not need to renew their notification once it expires, we do not actively pursue all 350,000 of our annual renewals.

These points are well-made. However, regarding the first question (what enforcement action had taken place) I was told

no enforcement action has been taken against these MP’s.

By way of explanation a distinction was drawn between the “reminder” service and the non-notification enforcement activities of the ICO, and

Our non notification activities are targeted at particularly high risk or under represented groups or sectors.

This seems to suggest that, even where non-notification – a potential criminal offence, remember – by MPs is drawn to the IC’s attention, he will not take enforcement action unless MPs form part of a group of data controllers who are being specifically targeted by the ICO.

I’m really struggling with this. I understand the extreme resource pressures the ICO has to cope with, and I even understand that taking action against MPs (perhaps as far as prosecuting them) is not a very attractive proposition for a sometimes beleaguered regulator, but the evidence points towards named MPs failing persistently to comply with a legal obligation – even when reminded by the regulator. If law makers break the law, and the enforcer turns a blind eye, why would anyone else feel the need to obey that law?

The full request can be seen at http://www.whatdotheyknow.com/request/enforcement_of_section_18_dpa/new

*One of the 22 – Shailesh Vara – appears since to have registered


Filed under Uncategorized

NHS Trust Given £325k Penalty

In January this year I blogged about reports that the Information Commissioner (IC) had sent a notice of intent to serve a civil monetary penalty notice (CMP) of £375,000 on Brighton and Sussex University Hospitals NHS Trust. At the time I said

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

Well, it has been served, today. And though the amount has been slightly reduced – £325,000 – it is still by some way the largest CMP ever imposed by the IC. However, this case may be important for other reasons.

Firstly, it related to disposal of hardware containing sensitive personal data. As the IC’s press release says

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences

The IC has been running an “unscrubbed hard drives initiative” following a reported security breach in 2009 involving the sale of un-scrubbed hard drives on the internet containing personal data, and internal meeting minutes from January indicated that this initiative was nearing completion. It would not be surprising if some formal guidance on the subject was now issued.

Secondly, and more broadly, it is interesting and worrying to note the fact that a fundamental role in this data breach was played by a contractor appointed to securely destroy the hard drives. As a data processor (rather than the data controller) this contractor was not liable under the Data Protection Act 1998 (DPA) for any serious breaches: this is why the Trust takes the hit. However, the contractor in question was the Department of Health-accredited Sussex Health Informatics Service (SHIS). SHIS appears to have sub-contracted the work to “Company A” which in turn sub-contracted to a one-person “Company B”. This individual subsequently sold 232 hard drives on the internet auction site.

The contractual and sub-contractual confusion appears to have been key: the Trust did not even know that the individual had been appointed, and did not know that he had been attending their offices, ostensibly to remove and securely destroy the drives. Data controllers need to be acutely aware of what is happening to the personal data they control, and this obligation cannot be overlooked when they feel the data, or the hardware containing it, has become obsolete.

The fact that SHIS was so involved is particularly worrying. Health Informatics Services are expected to be in the vanguard of data security in the NHS. They say

Keeping data safe and confidential is a core duty for health service providers – and a core THIS service. Our award-winning Confidentiality and IM&T Security service helps customers to fully comply with national and local standards.

Under current law the IC’s powers to take action against a data processor are limited. That may change when the European Data Protection Regulation is ultimately enacted. One would hope, however, that SHIS, and the Department of Health, are looking very closely at their own compliance and security.

UPDATE: 15:15

The Trust has now issued a statement, which to an extent attempts to deflect responsibility on to the contractor. Duncan Selbie, the Chief Executive has said

We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay

The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process”

He goes on to say

We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal

If this transpires, it will be the second recent instance of an appeal of a CMP by an NHS body.

The Independent reports the Trust also saying

the fine would pay for the delivery of 300 babies, 50 hip operations, 30 heart bypasses and 360 chemotherapy treatments

This rather confirms what I predicted in January

the IC might be faced with headlines equating (for example) [an NHS CMP] to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances

Perhaps this strategy will be revealed during any subsequent appeal proceedings.


Filed under Data Protection, Information Commissioner, monetary penalty notice

I should (not) Coco? EIRs and common law of confidence

Has the Information Tribunal once again followed too slavishly the principles of a 44-year-old expression of the doctrine of common law confidentiality?

In 2008 the then Information Tribunal held that the Home Office had not been entitled to rely on exemptions in the Freedom of Information Act 2000 (FOIA) when dealing with a request from the British Union of Anti-Vivisectionists (BUAV). Specifically, the Tribunal held that some of the information in question did not attract the protection of the common law of confidence (which, for complex reasons was invoked through the interplay of section 24 of the Animals (Scientific Procedures) Act 1986, and section 44 of FOIA, rather than section 41 FOIA, which deals in explicit terms with confidential information). The Tribunal relied heavily in its analysis of the law of confidence on the principles in the landmark case of Coco v AN Clark (Engineers) Ltd (1968) FSR 415 Ch D. On appeal to the High Court, Mr Justice Eady was critical of this reliance, pointing out that there had been significant developments in the law since Coco v Clark:

The Tribunal rather proceeded on the assumption that “the law of confidence” was to be found only in the principles explained by Sir Robert Megarry in Coco v Clark. It assumed that this authority provided an exclusive definition such that, whenever the phrase “in confidence” was to be found in a statute, the legislature must be taken to have had those principles in mind. With respect, however, this does not seem to me to be necessarily the case. Much will depend on context.

It is clear, for example, that the law of confidence is not confined to the principles governing the circumstances in which an equitable duty of confidence will arise; nor to the specialist field of commercial secrets. An obligation of confidence can arise by reason of an agreement, express or implied, and presumably also by the imposition of a statutory duty. (Secretary of State for the Home Office v BUAV & Anor [2008] EWHC 892 (QB))

It is thus important to bear in mind, for the present case, the broad principle, stated by Buxton LJ in McKennitt at [11], that “… in order to find the rules of the English law of breach of confidence we now have to look in the jurisprudence of articles 8 and 10”. The Tribunal did not address these developments at all and thus proceeded on an incomplete understanding of the present law.

(emphasis added)

It is somewhat surprising, therefore, to read the recent judgment of a differently constituted First-Tier Tribunal (Information Rights), considering the extent to which environmental information was exempt from disclosure under regulation 12(5)(e) of the Environmental Information Regulations 2004 (EIR). Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The case – Jones (on behalf of Swansea Friends of the Earth) v IC & Environment Agency – involved a request for information relating to financial guarantee arrangements put in place by a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea. It was common ground that the request was for environmental information, and that it was commercial in nature, so the main question which fell to be decided by the Tribunal was whether the information was

subject to a duty of confidence provided by law because the information was created and provided in circumstances giving rise to an obligation of confidence

At paragraph 35 of its judgment, the Tribunal says

The well-established test in Coco v Clark is that, apart from contract, for a common law breach of confidence claim to succeed, three elements must be present:

(a) the information itself must “have the necessary quality of confidence about it”;

(b) the information must have been imparted in circumstances importing an obligation of confidence; and

(c) there must be an unauthorised use of that information, to the detriment of the party communicating it.

(emphasis added)

With respect, the Tribunal here appears to have had no regard to Eady J’s dicta, and the many recent authorities he cited, in Home Office v BUAV.

Accordingly, the Tribunal went on to hold (para 36) that it

[did] not see that it can be said that the [financial guarantee arrangement] information was imparted in circumstances importing an obligation of confidence…[because] the information came into existence through a process of negotiation between the parties

The Tribunal drew support for this from the findings of a (differently-constituted) tribunal in a case concerning the analogous (but differently-worded) section 41 exemption in FOIA concerning confidential information:

We recognise that section 41 refers more explicitly to information being “obtained” by the public authority from any other person. That is not the language of regulation 12(5)(e). However, we consider that the same element is imported by the incorporation of the common law test of breach of confidence into regulation 12(5)(e) of the EIR. In short, we find that the second element of the test in Coco v Clark has not been met and the information is not subject to a duty of confidence provided by law. (para 38)

This extension of the FOIA confidentiality principles into the EIR is controversial in itself. It becomes even more so when compared with a previous Tribunal decision on regulation 12(5)(e). In South Gloucestershire CC v IC & Bovis Homes (EA/2009/32) the more restrictive language of section 41 FOIA was explicitly contrasted with that of regulation 12(5)(e). The Tribunal held there that the Council’s own information could attract the protection of the law of confidence, without the necessity of its having been provided by a third party. See this helpful article by Practical Law Company for further on this, and for reference to the rather regrettable fact that South Gloucestershire v IC & Bovis Homes was not mentioned by the Tribunal in the instant case.

The slavish adherence to the Coco v Clark principles also risks – as Eady J alluded to when citing Buxton LJ – overlooking the significance of the jurisprudence of the European Convention on Human Rights as it applies to confidential information. In Veolia ES Nottinghamshire Ltd v Nottinghamshire County Council & Ors [2010] EWCA Civ 1214 the Court of Appeal considered, in a case under the Audit Commission Act 1998 (ACA), whether commercially confidential information could constitute a “possession” protected by article 1 of the First Protocol of the Convention, and, potentially, by extension, Article 8. Lord Justice Rix said

I can see no reason, in the light of the Strasbourg jurisprudence which does exist, why valuable commercial confidential information, such as the evidence in this case demonstrates is in question here, particularly with respect to the second disputed documents, cannot fall within the concept of “possessions”

I am not entirely convinced that English common law has always regarded the preservation of confidential information as a fundamental human right, although I accept that it has been recognised and accepted by our common law. Nevertheless, in the light of at least article 1 of the first protocol, it can now be seen that it is a species of “possessions”, with which the state cannot interfere without justification

Disclosure of information under a regime such as the EIR (or FOIA) is different to the potential unfettered disclosure proposed under the ACA, and the public interest provisions might provide the “justification” for state interference discussed by Rix LJ. Nonetheless, it seems surprising to say the least that Jones v IC & Environment Agency proceeded without reference to any of the more recent authorities of confidentiality.

It is notable that Jones v IC & Environment Agency was determined on the papers, without the benefit of oral argument. It would greatly assist both public authorities, and the commercial organisations with whom they interact, if these points were fully argued, and a reasonably definitive position laid down, by an appellate court.


Filed under Confidentiality, Environmental Information Regulations, Information Tribunal

Equifax in breach of DPA and common law duties

(20.02.2013 – NB – this judgment was subsequently overturned in the Court of Appeal – please see my blog post here)

An interesting case has been heard in the High Court, before His Honour Judge Anthony Thornton QC, in which the claimant succeeded in showing breach of the Data Protection Act 1998 (DPA), as well as common law breach of a duty of care, on the part of the Credit Reference Agency Equifax. He also succeeded in showing this caused damage, because he was unable to access personal and company banking services.

Mr Smeaton, the claimant, had, for complex and unusual reasons, been subject to a bankruptcy order which was made on 1 March 2001, but almost immediately stayed, on 10 March 2001, and rescinded on 22 May 2002.

Despite this, the records kept by Equifax relating to Mr Smeaton wrongly showed that between 12 March 2001 and 17 July 2006 he was subject to the bankruptcy order. In June and August 2006 Mr Smeaton had, on his own behalf and on behalf of his company, Ability Records Ltd, made applications to Nat West Bank for account and overdraft facilities. These applications were refused by Nat West, having consulted Mr Smeaton’s credit file held by Equifax.

The judge held that Equifax had never reviewed its procedures for recording and reviewing the accuracy of bankruptcy information: it relied entirely on information provided by consumers (or placed in the London Gazette by consumers) before reviewing or amending entries (and Mr Smeaton was heavily dyslexic and not aware of the existence of Equifax and other credit reference agencies, nor their procedures). Although Equifax had argued that it was “wholly impracticable to undertake the checks that would be necessary if it was to itself ascertain when a bankruptcy order was discharged or otherwise brought to an end or stayed”, it had failed to distinguish between the (very large) number of bankruptcies that were eventually discharged, and (the relatively tiny number of) those which were subject to annulment, rescission or stay:

Equifax should have considered whether it was possible to find a quick, reliable and cheap way of being informed of annulment, rescission and stay orders which did not rely exclusively on consumers drawing such orders to its attention

Equifax (as data controller) were in breach of the fourth data protection principle in part 1 of Schedule 1 of the DPA, which states that

Personal data shall be accurate and, where necessary, kept up to date

Although there is a proviso (at part II of Schedule 1) which says that a contravention of the fourth principle will not take place if the data controller has taken reasonable steps to ensure the accuracy of the data, Equifax’s failure to have considered a way of being informed of annulment, rescission or stay meant that they could not rely on this.

The judge held also that because of the liability imposed on Equifax by the DPA, it also assumed a duty to act with reasonable skill and care at common law, and it had acted in breach of that duty.

Finally, the judge held that it was

inescapable that the [bank] applications were refused on the sole ground of Mr Smeaton’s bankruptcy entry on his credit file

and that therefore his failure to obtain funding was

as a direct result of Equifax’s breach of the data protection principles and, in particular, as a direct result of its retaining on Mr Smeaton’s credit file details of his undischarged bankruptcy order between 12 March 2001 and 17 July 2006

Mr Smeaton claims that the result of this was that

His life descended into a tragic mixture of homelessness, living in a car on the streets, mental breakdown, impecuniosity and a consequent inability to progress his business affairs as a direct result of the enormous shock on discovering that he had had an adverse credit record for the last five years and that the bank on which he had pinned so much hope in providing Ability with the necessary step up to obtain the SFLGS, itself an essential feature of its business plan, prevented him from taking anything other than relatively modest steps to further that plan for many months

However, the trial on causation and damages will be heard separately at a later date. This is a claim based on section 13 of the DPA, which provides that

An individual who suffers damage [and distress if it arises from that damage] by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage

It is worth noting that since 2008 an electronic version of the Individual Insolvency Register has been provided to Equifax under a subscription arrangement between them and the Insolvency Service. As the judge said

Due to advances in the electronic processing of credit data and to legislative changes in the insolvency legislation concerning personal bankruptcies, it is very unlikely that the highly unusual facts of this case will ever re-occur in the future

However, it is not particularly common for a section 13 claim under the DPA to succeed, especially given the difficulty of proving damage (see Johnson v Medical Defence Union [2007] EWCA Civ 262 for an example of the difficulty in making a successful claim), so this is a case data protection practitioners should continue to keep an eye on.

Filed under Data Protection

Will NHS appeal ICO fine? Let’s hope so.

The Information Commissioner (ICO) today announced that it had imposed a monetary penalty notice (MPN), under section 55A of the Data Protection Act 1998 (DPA), against Central London Community Healthcare NHS Trust. The penalty was in the sum of £90,000, and was imposed after

patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions

All very interesting, particularly because this was only the second MPN imposed on an NHS body, after one last month against the Aneurin Bevan Health Board.

What was even more interesting, however, was to read on the publicservice.co.uk website that CLCH Trust are saying they will appeal the MPN. This would be the first such appeal, and would be very important in terms of getting some judicial opinion on the law and the ICO’s application of it.

Section 55A of the DPA gives the ICO the power to impose an MPN, while section 55B provides that a person on whom the notice is served may appeal to the First Tier Tribunal (Information Rights) against both the issue of the notice and the amount.

Regulations and an Order (the snappily-titled The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and The Data Protection (Monetary Penalties) Order 2010) make further provision for both the imposing of and appeal against an MPN. Additionally, under section 55C the ICO must issue guidance on “the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and how he will determine the amount of the penalty”.

On appeal the Tribunal can consider both whether the MPN was in accordance with the law and whether, to the extent that it involved an exercise of discretion by the ICO, he ought to have exercised that discretion differently. The statutory section 55C guidance, and whether the ICO has adhered to it, will clearly be important, but so will, I would suggest, any evidence as to consistency of approach. An appellant would do well to submit evidence of examples where similar or worse apparent breaches of the Act have not resulted in an MPN. As Stewart Room wrote some months ago

what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?

We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven its decisions so far.

Perhaps we have indeed now arrived at that point.

EDIT, 7 August 2012:

The Trust are indeed appealing the MPN, and the Information Tribunal has listed it for a three-day hearing in December. This will be a major case.

Filed under Breach Notification, Data Protection, Information Commissioner

How to overlook an FOI request

Is it realistic or helpful for the law to be that any written request for information should fall under FOI?

On 23 April I noticed that an appeal to the First Tier Tribunal (Information Rights) had been made by Ryanair regarding a Freedom of Information Act 2000 (FOIA) matter, also involving the Office of Fair Trading (OFT). The Information Commissioner (ICO) Decision Notice in question has the reference number FS50391208. Knowing that Ryanair are sometimes a rather controversial outfit (although one acknowledges a lot of the controversy might actually be self-serving) I was interested to read the Decision Notice in question. The Tribunal’s website is rather basic, and the list of current appeals is uploaded only as a PDF document. This means that to read the Decision Notice in question one has to search for it elsewhere. However FS50391208 was, and is, nowhere to be found (unless my search skills have let me down).

This is a bit odd: a Decision Notice is a public document which the ICO issues when an application is made to him for a decision as to whether “a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements [of FOIA]” (section 50, FOIA). I say “public” but as far as I know the open publication of Decision Notices is at the discretion of the ICO – nonetheless, it is clearly his standard custom to do this. So, any Decision Notice, especially one appealed by a company such as Ryanair, which is not published, might attract interest (bear in mind that Ryanair will have made the request in question, and the OFT is the public authority involved). It is, of course, possible that an error has occurred: for instance, the Tribunal might have published the wrong reference number (although a search on the ICO’s site doesn’t throw up any Ryanair Decision Notices), or someone might just have omitted to upload the Notice.

Accordingly, I sent a tweet to the ICO’s twitter account

Hi @ICOnews DN FS50391208 (OFT) which Ryanair are appealing does not appear to be on your website. Can we see it pls?

I didn’t receive any reply, so, a few days later, sent another

Hi @ICOnews – I asked this q the other day https://twitter.com/bainesy1969/status/194375116493291520 Any answer pls? It wd qualify as FOI request after all 🙂

I still haven’t received a reply. Perhaps my little emoticon made the tweet not seem serious? By my calculation the ICO’s twenty working days to respond is up tomorrow, so I thought I’d blog this today, lest the lovely ICO people I met at last week’s PDP conference think I’ve just waited until the time is up before reminding them (again).

The ICO has said that FOI requests made by twitter are valid requests, and I’ve previously blogged about this. But it does make me wonder how realistic it is for a public authority (especially a large one, which, with all due respect, the ICO is not) to be expected to monitor all information channels in case a request for information is made (which doesn’t even need to mention FOI, of course). The Irish Freedom of Information Act 1997 requires requesters to state that the request is made under the Act. Although that would not really help the ICO in my example here, it would avoid the situation where an FOI request is lost among reams of correspondence on a related matter. I don’t think an amendment of FOIA to this effect has been proposed in the UK, but I’m starting to think it might be a good idea.

This isn’t the most pressing issue facing FOI, and light touch regulation should mean that no one loses too much sleep if a request is inadvertently overlooked, but it is a subject which keeps nagging at me.

I rather suspect I’ve previously advocated against requiring requesters to invoke FOI in a response, and I reserve my right to change my mind again. As Lawrence Serewicz said in his inspiring talk at that PDP Conference, he has very strong opinions, but he holds them very weakly. I like to think I’m the same.

Filed under Freedom of Information, Information Commissioner

MPs and Data Protection offences, part two.

In which I follow up a previous post, ask the ICO what action he is taking and consider the implications for ICO funding under the proposed amendment of data protection laws

In a previous post I pointed out that 22 MPs who had been identified in October 2011 as not having registered with the Information Commissioner (ICO) were still showing as not being registered. As I said, failure to register in circumstances where there should be a registration constitutes a criminal offence under section 21 of the Data Protection Act 1998. The blog post got some interest, so I thought I should follow it up with this request to the ICO under the Freedom of Information Act 2000. The request can be seen on the excellent whatdotheyknow.com but I thought it would be useful to post a copy here:

Dear Information Commissioner’s Office

In October last year you disclosed to another requester a list of 46 MPs who had not renewed their section 18 DPA registration with your office. You explained some of the procedure for enforcing the statutory requirement to register, and explained that

“Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.”

It appears, from a check of your register that, currently, 22 of those same MPs have still not registered, more than seven months later. These are

Z1243695 – NIGEL EVANS MP
Z1434043 – GAVIN BARWELL
Z1939110 – EDWARD LEIGH MP
Z9286519 – KHALID MAHMOOD MP
Z1993957 – JAMES CLAPPISON MP
Z1102604 – ANGUS ROBERTSON MP
Z9256111 – JIM SHANNON
Z927838X – DAVID SIMPSON
Z1577500 – DAVID BURROWES
Z1538835 – PAT DOHERTY MP MLA
Z2134863 – MARGARET CURRAN
Z2241138 – RACHEL REEVES MP
Z2241519 – NIGEL ADAMS
Z2247846 – STUART ANDREW
Z9938280 – SHAILESH VARA MP
Z2342005 – TRISTRAM HUNT
Z1893869 – PAUL BERESFORD
Z1903198 – CHRISTOPHER CHOPE MP
Z2378834 – JESSICA LEE
Z8752516 – ERIC JOYCE MP
Z2343491 – ZAC GOLDSMITH MP
Z1728512 – ADAM HOLLOWAY

I note that in several instances these MPs appear not to have renewed their notification for over a year.

Please inform me, under the Freedom of Information Act 2000

1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed their notification? (as more than seven months have elapsed I presume there will be some additional notifications which have lapsed).

I acknowledge that the online register does not guarantee to be up-to-date.

As my previous post said, enforcement of this provision of the DPA does not appear to have stopped: I have seen no announcement to suggest this, and it would be odd, to say the least, if the ICO decided to turn a blind eye to one of the clear offences in the DPA. What would make it particularly odd is the fact that registration represents a huge revenue stream for the ICO, and the more data controllers who register, the greater the income. A fee is levied against a data controller when they register, which amounts to either £35 or £500, depending on the size of the organisation. The last set of accounts shows that the income to the ICO from this stream was just short of £15 million.

Clearly it is in the ICO’s interest to enforce this requirement. A failure to enforce, or a perceived failure to enforce, could lead to data controllers deciding it’s worth taking a risk by not registering, to save an annual £35 or £500 (they know they would get at least two reminders as it is).

Finally, I note that under amendments to the statutory scheme which will follow the enactment of a new European data protection Regulation, this requirement to register will probably be removed. I presume someone has thought about the effect this will have on the funding of the ICO? £15 million is a hell of a lot to lose, and the office is underfunded as it is.

Filed under Data Protection, Information Commissioner