Author Archives: Jon Baines

May 7, 2012 · 6:53 pm

Godwin’s Law and Data Protection (or, Let’s Be Careful Out There)

A data protection officer I know has been having a bit of a hard time lately from his managers for questioning their relentless push to encourage greater sharing of information between their public sector organisation and other public sector bodies. My friend has been accused of not being a “can-do” person. In defence of his managers, they are being pushed themselves: despite the Conservative party’s pre-election pledge to “scale back the database state” and the Lib Dems’ commitments not to harvest unneccesary information about people’s private lives, data-sharing is being vigorously promoted.

Sometimes it’s important to share data. I blogged only yesterday about a situation where (if it’s true) a failure to share data possibly had tragic consequences. Similarly I remember once, when I worked in a mental health clinic, how two police officers came in and asked if we knew the whereabouts of one of our regular patients: I had been warned that some police officers would try to trick us into revealing information about our patients, but I knew that this patient was highly vulnerable and unstable and the officers apparently had good reason to know the information. I exercised a discretion that I still wonder about today to disclose that personal data. It was a judgement call, and sometimes you get them wrong –  I hope I didn’t then.

However, it is surely not uncontroversial to say that there are risks in excessive data-sharing. Paul Bernal has blogged today, prompted by the worrying success of the neo-Nazi Golden Dawn movement in last week’s Greek elections, about the importance of recognising what are the current, and historical, implications of surveillance of citizens by the state. “Surveillance” can take many forms – sometimes it’s video recording of people, or retention of their DNA. Sometimes it’s not even the state doing it, but citizens themselves: I recently wrote a rather crude post (which I need to re-visit) questioning whether it was a good idea to have hyper-local media collating and publishing information about people appearing in magistrates’ courts.

Sometimes, as well, it can take the form of creeping databases.  Thus, hypothetically, the state is able to collate the following: person W, who is Jewish, knows person X, who is a trade unionist, who has been known to associate with person Y, who is disabled and has twice been accused of crime Z. The state thinks this is useful data. It might be, but equally it might be excessive, or unnecessarily gathered, or retained too long.

In a modern, liberal, state, none of the identifiying features in my hypothetical example should really raise an eyebrow. In a non-liberal state, however, similar information that has possibly been innocently, or naively, collated, can be misused in horrendous ways: so, in 1940s Holland, municipal registers were used by the Nazis to identify and persecute Jews, trade union membership lists used to persecute organised labour and public health and crime records used to persecute the disabled and criminals.

Maybe I’ve godwinned myself and my own blog, but one cannot avoid the fact that modern digital communication and storage are tremendously powerful – unimaginably so compared to even ten years ago, let alone 70 years. Data-sharing can have enormous and beneficial implications, but we need to exercise caution. We mustn’t amass personal data just because we can. We mustn’t use that data for purposes which were not envisaged when we gathered it. And we mustn’t retain that data just because we can’t be bothered to think what to do with it after its usefulness has passed.

As it happens, all the foregoing  principles are actually enshrined in the statutory Principles in the Data Protection Act 1998. That Act gave domestic effect to an EC Directive, which in part had its genesis in the European Convention on Human Rights. That Convention – in turn – had its genesis in the lessons learned after a fascist party gained support in Europe, and then ultimately took power in a fractured and devastated country.

 

2 Comments

Filed under Data Protection, Privacy

May 6, 2012 · 9:44 am

Data Protection Obscenities

A tragic story about the suicide of a young man, and the apparent ridiculous citing of the Data Protection Act to explain why his mother was not warned.

A few years ago, Richard Thomas, the then Information Commissioner (ICO) launched a campaign to counter what were called “Data Protection Duck Outs”. It got some media attention, but I’ve always thought it suffered from sounding like the kind of phrase a “hip” teacher, or my parents, would have come up with. The ICO said

The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.

The bad-practice examples cited to illustrate the campaign were mostly light-hearted

In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.

or

In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.

Well, if the following story from thisiscornwall.co.uk is true, I have a current-day example, and I wouldn’t call it a “duck out” but an obscenity.

A man with a history of drug abuse killed himself in Camborne after being released from police custody, where he was detained under the Mental Health Act, a coroner has heard….Because of the Data Protection Act [his mother] did not know that her son had been detained and said she was powerless to help him.

The “duck out” campaign was launched because of misconceptions about the Data Protection Act 1998 (DPA). The DPA certainly has faults, but you can bet your house that when you hear someone blaming the DPA for not doing something, it is either because they have made a mistake, and are trying to cover themselves, or because they are ignorant of what the Act does and does not permit. The Cornwall story is unclear as to who allegedly cited the DPA for not informing this poor man’s mother, but, just to be clear, Schedule 3 of the Act specifically permits disclosure of sensitive personal data where

The processing is necessary…in order to protect the vital interests of the data subject or another person, in a case where…consent cannot be given by or on behalf of the data subject, or…the data controller cannot reasonably be expected to obtain the consent of the data subject.

This is before we get to considering other factors – for instance whether an appropriate adult was a requirement in this instance, and the fact that under section 56 of the Police and Criminal Evidence Act a person detained has the right to have someone informed. In which case there would have certainly have been other conditions permitting disclosure (thanks to @MentalHealthCop on twitter, for pointing this out, and for alerting me to the story in the first place).

In 2004 the Bichard Inquiry report into the Soham Murders was highly critical about the misunderstandings and misinterpretations of the DPA which led to Humberside Police deleting information about Ian Huntley, and which subsequently meant that when Cambridgeshire Police ran checks on him, when he applied for a school-caretaker position, nothing came up.

The term “duck-out” doesn’t begin to describe the enormity of the mistaken decision to delete Huntley’s data, nor, if this Cornwall story is accurate, does it begin to describe the enormity of the decision – whoever might have taken it (and the story is unclear) – not to tell Daniel Carrick’s mother her son was detained. The current ICO is very keen to clamp down on serious breaches of the DPA, but these are almost exclusively concerned with the loss of, or inadvertent disclosure of, personal data. Perhaps he should also be alive to stories like this, which suggest potential tragic misconceptions and misuse of the DPA, and which really should carry the term Data Protection Fuck-Ups.

 

1 Comment

Filed under Data Protection, Information Commissioner, police

May 4, 2012 · 12:17 pm

Politicians break the law – where is the ICO?

Following up a post from last year, it appears that some MPs continue to flout their legal obligations under the Data Protection Act, potentially committing a criminal offence, and that the ICO doesn’t seem to be taking action. I’m happy to be told otherwise

 Back in November last year I blogged on the fact that 46 MPs had apparently failed to comply with their statutory obligation to notify the Information Commissioner of their status as a processor of personal data. In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the Information Commissioner (ICO). Although there are rumours that the obligation to register will be removed when the DPA is ultimately amended or repealed, following the enactment of the European Data Protection Regulation (currently in draft), all the relevant provisions are very much still in force.

At the time the ICO said

 …our non notification process is to write to them asking for their comments and advise them to consider their need to notify. If the entity registers or provides a suitable explanation…that is usually the end of the matter and no further action is taken. If no response (or an inadequate response) is forthcoming then we write again explaining the requirement to notify and advising that failure to respond may result in the matter being passed to our legal team for consideration of prosecution. If there is still no response then the file is passed over for the legal team to consider the evidence and if they think there is sufficient evidence they will write advising that if no registration is received within 14 days or representations made as to why a prosecution should not be carried out then a summons will be issued.  If registration is then forthcoming then that is the end of the matter and no further action is taken. Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.

Well, I’ve just checked that list of 46 MPs who had not renewed their registration as at October last year, and, according to the register (which I stress is, as the ICO says, not necessarily absolutely up-to-date), 22 of them still haven’t (bear in mind as well that there may well others whose registration has lapsed in the interim). Most of those 22 are those whose registration has lapsed for longest. The worst apparent example is one MP who has not renewed his registration since July 2010! That is potentially almost two years of illegal processing of personal data.

 It is not as though the ICO never exercises his prosecution powers for non-registration. He certainly does – and has a “non-notification team” to deal with this sort of thing (although the last prosecution I can find was in March last year).

 My checking was prompted by an exchange on twitter with Alistair Sloan, who made enquiries of the ICO about registrations by Members of the Scottish Parliament, and by the Respect Party. Alistair was told

 Our Non-Notification Team, part of our Enforcement Department, have confirmed that the ICO has not contacted any members of the Scottish Parliament since 5th May 2011 in connection with Notification under the Data Protection Act 1998 (the DPA). Whilst this Team did work on a project which involved contacting MSP’s to remind them of the notification requirements under Part III of the DPA, this project took place some time before the date you have specified of 5 May 2011.

 and

 Having conducted thorough searches of our notification records we have been unable to find any register entry, either current or one which has lapsed, in the name of the Respect Party. Therefore, it appears that the Respect Party has not notified under the DPA at any time since its formation in November 2004.

 but

all of the issues you have raised in respect of the notification status of the data controllers… above have been brought to the attention of our Non-Notification Team within our Enforcement Department. They will therefore consider what further action is appropriate in the circumstances

 One assumes that the “further action” will be reminders. If the Respect Party now registers, I think it’s highly unlikely the ICO will take retrospective action for the seven-and-a-half years when it failed to do so. As it is, reminders appear to have failed to move 22 MPs to comply with their legal obligations, and no apparent action is being taken against them (I would love the ICO to correct me on this). One can’t avoid asking what sort of enforcement, what sort of deterrent is this?

4 Comments

Filed under Data Protection, Information Commissioner

April 24, 2012 · 9:23 am

A Marathon Task for the ICO

Will the London Marathon databreach trigger the ICO’s powers to issue a monetary penalty notice? If so, the ICO is in a tricky position, if he is seen to be effectively “fining” such a high-profile charity, and delivering that money to central government coffers.

 Reports emerged on 23 April that the personal data of runners in this year’s London Marathon had inadvertently been disclosed on the organiser’s website. It appears that names, home addresses and email addresses were exposed. The BBC says

The details were accessible all day to anybody logging on to the site…Marathon organisers apologised and said the mistake had been rectified

A data controller must observe its various obligations under the Data Protection Act 1998 (DPA). London Marathon Ltd appears to be the data controller in this instance, and it donates any surplus income to The London Marathon Charitable Trust. Last year the charity received £4.6m from the company. Some of the income came from the entrance fees of the runners themselves.

The seventh principle of the DPA says

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A breach of that principle may attract the attention of the regulator of the DPA – the Information Commissioner (ICO). The ICO has various options open to him in the event that he finds that a serious contravention has taken place. In some instances he will require a data controller to sign an undertaking to improve its practices, but since 2010 he has had the power, under section 55A of the DPA to issue a monetary penalty notice (MPN), to a maximum of £500,000. To date he has issued fourteen, largely to local authorities, and the maximum penalty has been £140,000.

The ICO has issued guidance [PDF] on the issuing of MPNs, which expands on the statutory factors which would trigger exercise of the power:

there has been a serious contravention… of a kind likely to cause substantial damage or substantial distress…[and] the data controller…knew or ought to have known… that there was a risk that the contravention would occur, and

…that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but…failed to take reasonable steps to prevent the contravention

The BBC reports that the ICO has said

This is something the Information Commissioner will need to look in to to see how it has come about.

It’s the reasons these things come about that determine the course of the investigation.

Every case is different and we will certainly be making enquiries.

If the ICO does issue a MPN the money paid goes into the consolidated fund – the government’s own bank account. It is one thing to fine a local authority, and, as I have argued before, politically sensitive to fine, say, an NHS body, but it would be a enormously brave act for the ICO to fine an organisation for disclosing the personal data of thousands of the very people whose amazing efforts have contributed to the funds which would have to be depleted to pay the fine. Even more so when one sees the huge contributions being made to the charity supported by one runner who tragically died in this year’s race.

2 Comments

Filed under Data Protection, Information Commissioner

April 12, 2012 · 5:18 pm

When ARE emails subject to FOIA?

Information held in private email accounts can be subject to the Freedom of Information Act 2000. Conversely, information held in the email accounts of the public authority can, in some circumstances, not be subject to FOIA. A recent decision by the Information Commissioner (ICO) confirms this.

There has been much recent discussion and argument about the extent to which information contained in “private” email accounts (such as “gmail”, “hotmail” etc) can be said to be “held on behalf of” a public authority under FOIA. The ICO issued guidance in December 2011 that says in unequivocal terms

 FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority.

No one sensible who knows anything about FOIA is likely to disagree with this.

In a Decision Notice against the Department for Education (DfE), issued after this guidance was published, the ICO applied these principles to a request for information made by the Financial Times’ Christopher Cook. Cook, in an interesting twist, already had leaked “private” emails in his possession, and was seeking information corroborating certain details about them. He showed one of these emails to the ICO, whose subsequent Decision Notice said

 The Commissioner has reviewed this email and found that whilst it was sent from a private email account it was held on behalf of the DfE for the purposes of the Act. By failing to disclose details of the email the DfE breached section 1 of the Act

(It is understood that the DfE is going to appeal this Decision Notice to the Information Tribunal.)

What has been overlooked, to a certain extent, in all this is the corollary of the proposition that “FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority” which is, that FOIA does not apply to private information held in public authority email accounts, when it is not held on behalf of that authority.

Thus, for example, an email from a employee, or an elected member, of a public authority asking her partner to feed the cat this evening, is highly unlikely to be considered to be information “held” by the public authority for the purposes of FOIA. This is because section 3(2)(a) of FOIA says

information is held by a public authority if…it is held by the authority, otherwise than on behalf of another person

Private information might physically be stored on the email servers of the public authority, but for the purposes of FOIA it is being “held on behalf of” the employee (for our purposes here we don’t need to consider whether the terms of employment actually allow the employee to use the employer’s systems to engage in private correspondence).

In a Decision Notice published on 27 March the ICO has affirmed this position. A complainant had sought copies of emails received or sent by a councillor at Camden Council, on his “camden.gov.uk” address. The complainant argued

…that use of a camden.gov.uk email address for correspondence explicitly renders any correspondence on that email account part of the business of the council

The ICO rejected this submission:

 the Commissioner observes that none of these emails are about council business but instead relate either to correspondence between the councillor and constituents in his role as a ward councillor, or to personal matters of the councillor, or business which is external to his council activities… Because this information is not council business, it cannot be argued to be held by the councillor on behalf of the council. It may instead be considered to be held by the council, on behalf of the councillor as an individual, solely by virtue of being hosted on the council’s email systems.

Those previously concerned about the implications of the ICO’s guidance on private emails might take some reassurance from this statement about the limits of FOIA. However, there may also be a lesson for public authorities themselves: it is not safe always to assume that an email sent from or received by an employee’s work email account is subject to FOIA.

8 Comments

Filed under Freedom of Information, Information Commissioner, Uncategorized

March 16, 2012 · 5:29 pm

Open Justice Charter versus Privacy Rights

 The Guardian has published an article suggesting court lists should be freely available as part of a drive towards open data. William Perrin, in his own words a local active citizen, proposes (“with the government’s drive to transparency and open data “) a charter for transparency in the courts under which

people should be able to find out easily, on the internet:
what cases are expected to come up in a court from the time that they are scheduled
name, address and specific charges in all cases available from the time the case is scheduled (see footnote)
the full names, including first names, of judges, prosecution and defence lawyers, witnesses, and other professionals who speak during proceedings (e.g. magistrates’ clerks giving legal advice) from when they are known
judgements handed down from the end of the working day on which the case is concluded

Footnote

In criminal cases, the following basic information should be readily available
The full spelling of a defendant’s name
Their date of birth and full home address, including door number and postcode
The charges against them (including an opportunity to read them)
Written copies of any reporting restrictions applicable in the case

Perrin appreciates some of the risks

All the above is subject to contempt of court and protection of vulnerable defendants and witnesses

but

The longstanding openness of courts must not be compromised by data protection. In particular, well meaning but misplaced concerns about the data protection act and copyright must not stop the recording and transmission of information presented in open court.

(In passing, I struggle to understand his contrasting of “codified” data protection and copyright and “uncodified” open justice. If by “codified” he is referring to written laws and procedures then I would refer him to, in particular,  rule 39.2(1) of the Civil Procedure Rules, which provides that “The general rule is that a hearing is to be in public”. This is reinforced by our Convention rights, given full domestic effect in the Human Rights Act 1998. Article 6 says

In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgement shall be pronounced publicly by the press… (emphasis added))

Justice certainly should be, as a general principle, open. It is an ancient concept – it goes to the heart of the judicial system.  Lord Halsbury famously said, in 1913

Publicity is the very sole of justice…and the surest of all guards against improbity (Scott v Scott 1913 AC 417)

and Lord Diplock, in 1979

The application of this principle of open justice has two aspects: as respects proceedings in the court itself it requires that they should be held in open court to which the press and public are admitted and that, in criminal cases at any rate, all evidence communicated to the court is communicated publicly. As respects the publication to a wider public of fair and accurate reports of proceedings that have taken place in court the principle requires that nothing should be done to discourage this (Attorney-General  v Leveller Magazine Ltd. and Others [1979] A.C. 440)

At the recent Justice Wide Open event at CityUniversity, I saw Perrin speak eloquently about his experiences of trying to engage as a member of public in his local courts. He and other speakers gave dispiriting accounts of misinformed court staff and the paucity of reporters covering court news.  Addressing these shortfalls is a worthy aim, and I would not want to be seen as in any way criticising someone for doing that. Perrin, however, appears to see data protection (and perhaps to a lesser extent, the law of copyright) as contributing to an erosion of open justice.

The DPA has its origins – in part – in concerns about the potential for harm caused by electronic processing of personal information. As far back as 1972 the Younger Committee on Privacy had recognised public concerns about the accumulation by the state of electronic databanks. Electronic processing power has increased immeasurably since then, and it is in the light of that increase that we must consider proposals to open up the personal data of those appearing in court.

The DPA gives effect to theUK’s obligation under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In very broad terms it requires that those who “process” “personal data” in the role of “data controller” do so in compliance with the Act and specifically with eight data protection principles (at Schedule 1). Failure to do so can in some circumstances constitute a criminal offence. The DPA is enforced primarily by the Information Commissioner (IC) who has various powers, including one to impose monetary penalties (to a maximum of £500,000 for serious breaches of the Act).

Personal data are

data which relate to a living individual who can be identified from that data

so, clearly, someone’s name, address and criminal charge would be personal data

“Processing” is defined as

obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data

Publishing court listings on the internet would be classed as “carrying out an operation on the data”. Under Perrin’s proposals it would appear to be, at least in the first instance, the courts themselves which would be disclosing. The courts would certainly be classed as data controllers (the “person who…determines the purposes for which and the manner in which any personal data are…processed”). They would, therefore, have to process the personal data in accordance with the Act.

Just because personal data are or might be considered to be in the public domain, this does not necessarily authorise further processing. In R (on the application of Robertson) v City Of Wakefield Metropolitan Council [2001] EWHC Admin 915 the High Court held that the sale of the electoral register to commercial concerns was in breach of section 11 of the DPA (which gives data subjects the right to object to direct marketing based on their personal data) and of their Article 8 rights. Kay J rejected a submission that because an individual could not object to public right of inspection of the electoral register, there was not an actionable breach of these Article 8 rights arising from the sale of the same (and he could have equally rejected a similar submission on DPA grounds). The collection and publishing of personal data in the form of an electoral register available for physical public inspection was prescribed in law, and was a legitimate form of processing; its sale to commercial interests was not.

For similar reasons the Information Commissioner advises planning authorities that, although they may have a statutory duty to maintain, and make available for physical public inspection, a register of planning applications including objections

Extreme care should be taken to avoid any unnecessary disclosure of telephone numbers, email addresses and signatures. The need for the local authority to hold such information is obviously of benefit to all parties. However, there is no requirement to make it publicly available on the Internet… The recommendation…is that the applicant’s telephone number, email address and signature should not be visible via a website or other online system.

The DPA says that information about criminal offences will almost certainly be “sensitive personal data”, which includes

Personal data consisting of information as to… the commission or alleged commission by [the data subject] of any offence, or…any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Such data must be processed fairly and lawfully, but also at least one condition in Schedule 3 must be met. In simple terms, Schedule 3 will, broadly, for the current purposes, only permit processing of sensitive personal data if the data subject has explicitly consented to it,  if it is required by law or if it is necessary for the purposes of legal proceedings or the administration of justice.

Even the posting outside the court room of lists is processing of sensitive personal data, and, although there is some inconsistency (I have heard, for instance, that some courts tweet the names of defendants) the general approach is that these lists are not published widely by the court service. (To the limited extent that they are published I would suggest that the processing would be justified by an argument that it is necessary for the purposes of legal proceedings or the administration of justice.)

The problem with publishing, on the internet, the sort of information Perrin’s charter proposes, is that the internet has few limits, whether special, technological or temporal.

Anyone, in any country, could harvest the data published. They could amass huge data banks not just of criminals, but those who have merely been charged with an offence, as well as witnesses. If that information is then tied to their address (and date of birth) hugely sensitive databases could be created, about which there might be little knowledge, and over which there might be little control. In 2009 the Information Commissioner prosecuted a man called Ian Kerr for running a secret blacklist of containing information about construction workers’ personal relationships, trade union activity and employment history. Kerr created the blacklist on behalf of an organisation called The Consulting Association. The Commissioner only had jurisdiction because this processing of personal data took place in theUK. A blacklist amassed from court data, and hosted outside the EU, could be hugely damaging to the employment prospects of countless people, whether they be convicted, charged and not convicted, or even merely witnesses.

Moreover, this information could be kept indefinitely. Rehabilitation of offenders, and the laws that underpin the rehabilitation could be greatly compromised if this sort of court data is openly available for anyone to retain and archive. In S and Marper v United Kingdom 30562/04 [2008] ECHR 1581 the European Court of Human Rights held that the indefinite retention of DNA samples of people who had been arrested or charged, but not convicted of an offence, was a violation of Article 8 of the Convention, and observed that

The protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the Convention. The domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with the guarantees of this Article

Marper was concerned with the indefinite retention of sensitive information under a state measure authorising its retention. Perrin’s charter is silent on how long the information it describes should be retained, or remain published, and it would be interesting to see how it would fit into the proposed new European data protection framework [pdf] which proposes a “right to be forgotten” (a right which in fact arguably already exists under principle 3 and 5 of the DPA), but even if the state or an emanation of the state deleted the data at a later date, it is difficult to see how any restrictions could be imposed on the information which would prevent its retention (even if such retention was unlawful) by private individuals, or organisations, or even other emanations of the state.

The permanence of internet-published information, and the ease with which it can be harvested and disseminated, could also greatly increase the risk of witness (and judge, and lawyer, and court official) intimidation or retribution, and most strategies for prevention [pdf] of this understandably focus on restricting the amount of information.

And, ultimately, mistakes and crimes often occur with the electronic processing of personal data. Given the huge financial pressures the court system is currently experiencing, it is very difficult to imagine that there could never be a data breach, and if one occurred it would potentially involve the personal data of vulnerable victims of crime, as well as witness, and those accused.

For these reasons, and absent any major change in the UK data protection statutory scheme (which in turn would suggest there would have had to have been a major change in the European framework) I have doubts that Perrin’s charter, as currently presented, could operate without the people acting under it being at risk of breach of the DPA, and potentially in violation of Article 8.

Those who work in the field of data protection are often accused of putting barriers in the way of progress, and of effective working. I don’t accept this: I’m an advocate of good data protection, but I’m also an advocate of freedom of information, transparency and open justice. It seems clear that the court system could be better at promoting open justice without disproportionately infringing private rights. However, I don’t think that Perrin’s charter is the way forward, because I do not feel it goes anywhere near far enough in adequately protecting the personal information of those who would be publicised under it.

Addendum 9 May 2012

Since writing this blog post my attention has been drawn to the Magistrates Court Act 1980 (thanks @Greg_Callus on twitter). Section 8 deals with restrictions on reporting of commital proceedings, and, by way of s8(4) permits publication of

(a)the identity of the court and the names of the examining justices;

(b)the names, addresses and occupations of the parties and witnesses and the ages of the accused and witnesses;

(c)the offence or offences, or a summary of them, with which the accused is or are charged;

(d)the names of the legal representatives engaged in the proceedings;

(e)any decision of the court to commit the accused or any of the accused for trial, and any decision of the court on the disposal of the case of any accused not committed;

(f)where the court commits the accused or any of the accused for trial, the charge or charges, or a summary of them, on which he is committed and the court to which he is committed;

(g)where the committal proceedings are adjourned, the date and place to which they are adjourned;

(h)any arrangements as to bail on committal or adjournment;

(i)whether a right to representation funded by the Legal Services Commission as part of the Criminal Defence Service was granted to the accused or any of the accused.

These provisions of the MCA appear to have been drafted in order to prevent the risk of prejudice to forthcoming trials, rather than with a view to protecting any privacy rights of accused. Nonetheless, they clearly, in general terms, permit publication of the sort of information proposed by Will Perrin’s Open Justice Charter. Whether the ICO would consider that they were sufficient to mean that a Schedule 3 DPA condition were met is another matter. The Data Protection (Processing of Sensitive Personal Data) Order 2000 does provide a Schedule 3 condition if the disclosure “is in the substantial public interest…[and]…is in connection with…the commission by any person of any unlawful act (whether alleged or established)…[and]…is for the special purpose [of journalism]”. However, can a blog, even one as clearly public-focussed as Perrin’s, be classed as “journalism”?

The MCA was enacted long before the internet as we know it was even conceived (it was amended in 1990 to encompass television broadcasts) and the DPA was enacted in the modern internet’s infancy. “Journalism” has no fixed definition, probably for very pragmatic reasons, but modern technology means that many people, such as bloggers, social commentators, twitter users, etc, are engaging, to a greater or lesser extent, in activities which might broadly be defined as journalism.

This leads on to wonder, in an age when “we are all journalists”, might we all benefit from the common law and statutory protections afforded to journalism? And, if so, in what way could journalism benefit from being a special category under laws such as the DPA?

5 Comments

Filed under Uncategorized

February 17, 2012 · 4:30 pm

Police complaints, a databreach and a High Court injunction

I notice an interesting application in the High Court.

 The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant -“person(s) unknown” – who Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which they came to be in the possession of those person(s) unknown.

 The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

 Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

 The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

 One wonders if the Information Commissioner has been informed. Inadvertent disclosure of personal data of a third party, of a kind which requires a high court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

 As several local authorities know to their cost.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, police, Privacy

February 12, 2012 · 4:32 pm

In Praise of the ICO (or how to avoid a £500k fine)

In the UK if you process personal data, you must comply in relevant part with your obligations under the Data Protection Act 1998 (DPA). This applies whether you are one of the world’s largest companies, or a sole-practitioner law firm, whether you’re a self-employed barrister, or the Lord Chief Justice of Northern Ireland. All of those hyperlinks go to examples of enforcement action taken by the Information Commissioner (IC) and are part of a regime which currently enables the IC, as statutory regulator, to impose, in appropriate cases, a civil monetary penalty notice of up to £500,000 for a serious contravention of the DPA. And when the draft European Commission Data Protection Regulation is ultimately passed, a similar contravention could risk a penalty of €1,000,000 or 2% of turnover for very large organisations. It is in any data controller’s interest to take all offers of advice and support to avoid the risk of sanctions under the DPA.

However much the IC and his office are criticised for failure to act, or failure to target the right data controllers, there are some things for which he and his office deserve praise. By section 51(1) of the DPA he must “promote the following of good practice by data controllers” and, by section 51(7) he

may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment

This is a power to conduct consensual audits. (There is also a power under s41A to conduct audits without consent, on central government bodies, and the IC would like that power extended, but I digress). In my view, if you are an organisation processing large amounts of and/or sensitive data, you would be mad not to consider this (with a couple of reservations I will address below).

Any in-depth audit of a statutory part of an organisation’s business will not normally come cheap (ask one of the “Big Four” accountancy firms how much their services cost, and then realise why they are called the Big Four). The IC could, with the Secretary of State’s agreement, charge for this service but (probably with a mind to his section 51(1) duty) he doesn’t.

So, you can ask for a in-depth audit of your compliance with the DPA. You can learn what the IC feels is best practice, get advice on improving poor practice and build positive relationships between your organisation and the IC’s office, and, in the event of a future major data breach,  it might well act as mitigation, because it would show at least that you are aware of your obligations and prepared to engage positively with the IC’s office. And all of this for free.

If you are a smaller organisation there is more informal approach by way of an Advisory Visit, again offered for free by the IC. Advisory visits involve a one-day visit and result in a short report.

The reservations I refer to earlier apply only really if your compliance is poor, and this is obvious to you. The IC, as a general approach, publishes summaries of his audits. What you really don’t want is for the IC to make a finding of “limited assurance” or “very limited assurance”. Additionally, although the IC will not publish any summary without your agreement, he will publish a note stating that an audit took place. Speculation being what it is, the fact that an organisation has not agreed to publication might not be viewed positively. So, if you suspect that your compliance is poor, my advice would be to get one of the specialist data protection advisory companies to audit you to. And appoint a good data protection officer (or pay more attention (and money) to him or her).

2 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Tagged as ,

February 10, 2012 · 2:30 pm

Transparent as mud

Our Prime Minister is committed to transparency in government. In June 2010 he set up a Public Sector Transparency Board containing some of the great and good in the field of open data and transparency: you’d struggle to pick better people than Tom Steinberg, Nigel Shadbolt, Rufus Pollock and Tim Berners-Lee (I’m not hyperlinking him – if you don’t know who he is then find out who invented hyperlinks). The Board is chaired by Francis Maude, Minister for the Cabinet Office, who has written – at the same time as he was lambasting Tony Blair’s dispiriting comments on freedom of information –  that

If I ever sit down to write my own memoirs, freeing up government information will not number amongst my regrets. In fact, I very much hope that it will be one of my very proudest achievements.

Mr Cameron seems to feel the same way:

In the years to come, people will look back at the days when government kept all its data – your data – in vaults and think how strange it was that the taxpayers – the people who actually own all this – were locked out.

Now, it so happens that there has been, in recent months, much debate about whether – or rather, to what extent – private emails written by those connected with the Department for Education are “caught” by the Freedom of Information Act 2000 (FOIA).  (Read the BBC’s Martin Rosenbaum and the Financial Times’ Chris Cook on this, I insist). The Information Commissioner has been very clear that his view is that information concerning official business held in private email accounts is subject to FOIA (he’s right, by the way) but Michael Gove, Secretary of State for Education, told the House of Commons Education Select Committee that

The advice that we had received from the Cabinet Office was that anything that was held on private email accounts was not subject to Freedom of Information requests.

So, when, Lisa Nandy, MP for Wigan, tabled a question in parliament on 6 February asking if the Cabinet Office would publish

guidance on private emails and the Freedom of Information Act referred to in the Education Select Committee evidence session of 31 January 2012 as having been issued to the Department for Education.

It was, let’s say, not very encouraging for those of us who support the “transparency agenda” (as it seems it must be called) that she received the following response

Information relating to internal discussion and advice is not normally disclosed

Yep. That’s right – internal information about how a goverment department handles requests under FOIA, is not to be disclosed.

It might be thought odd, or interesting, or both, that the minister who replied to Ms Nandy was Francis Maude, MP. I’ll leave you to write your own jokes.

1 Comment

Filed under Freedom of Information, Information Commissioner, transparency

Tagged as , ,

January 25, 2012 · 8:12 pm

STOP BOTHERING US!

I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover which meant that customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention

Er.

I just question how can you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention?

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message, earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?

2 Comments

Filed under Data Protection, Information Commissioner, PECR, Privacy

Tagged as , ,