Author Archives: Jon Baines

Potential big DPA fine for NHS Trust

The Argus, a Brighton newspaper, is reporting that Brighton and Sussex University Hospitals NHS Trust has been served with a “notice of intent to fine” by the Information Commissioner (IC), for a breach of the Data Protection Act 1998 (DPA). The sum proposed is £375,000.

Assuming the story is true, the notice of intent to fine would be, strictly, a notice of intent, under s55B of the DPA, to impose a Monetary Penalty Notice (MPN). MPNs were introduced into the DPA by the provisions of Criminal Justice Act 2003. They provide a means whereby the IC can impose financial sanctions on Data Controllers for serious contraventions of the data protection principles. The maximum amount for an MPN is £500,000, and the sums levied are not retained by the IC, but go to the consolidated fund.

The paper says

The incident relates to the theft of 232 drives out of 1,000 being decommissioned.

The Sussex Health Informatics Service was responsible for the disposal of the drives on the trust’s behalf and had appointed an individual to carry out the job.

In December 2010 it emerged four hard drives had been bought by a data recovery organisation on eBay.

The buyer contacted the trust and the drives were collected with the information destroyed.

An investigation revealed that 232 hard drives in total had been stolen and sold on.

The trust worked with the ICO, NHS Counter Fraud and Sussex Police and all the drives have been recovered.

The trust says there was a very low risk of any of the data being passed into the public domain.

Several points arise from this.

At a proposed £375,000 this MPN, if imposed, would be by far the highest so far served on a data controller. The previous highest – £130,000 – was imposed in December last year on Powys County Council.

The fact that news of the proposed MPN has come out before it has been actually served (that is, at the “notice of intent” stage) is perhaps connected with the fact that the Argus reports that “The trust says it will be contesting the fine”. By s55B(5) of the DPA a data controller in receipt of an MPN may appeal to the Information Tribunal against both the issue of the MPN, and the amount. If the Trust are contesting the fine now, they may ultimately decide to appeal to the Tribunal. This would be interesting: most of the guidance on sanctions for serious contraventions of the DPA comes from the IC himself, and from previous MPNs and undertakings. Many data controllers would find it helpful also to have some judicial analysis to draw on in these circumstances.

Until now, nearly all MPNs have been imposed on local authorities. I’ve previously questioned why this was, and posited that it would be a high risk move for the IC to serve an MPN on the NHS:

one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option: a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor, or to provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.


Filed under Breach Notification, Data Protection, Information Commissioner

Shaft? You’re damn right

There was a heartening story in the Leicester Mercury a few days ago. Journalist David MacLean praised Lynn Wyeth, Leicester City Council’s Head of Information Governance, for her promotion of transparency (and her assistance in giving him “countless stories over the past two years”). The article illustrates how, when it comes to the Freedom of Information Act 2000 (FOIA), a relationship of mutual respect and openness between a public authority and the media can help both sides.

Contrast this with an item on Newbury Today’s site this morning. This is a follow-up to a recent series of FOIA requests made to police forces around the country. It appears that the Press Association asked for information relating to thefts of police property. I don’t know exactly what the request said (I don’t have a Press Association log-in, and the main release is unclear) and it has been variously reported as being specifically about thefts from police stations or simply thefts in general from the police (I rather suspect it was the latter, but if anyone can clarify this, I’d be most appreciative).

The Daily Mail highlighted that Thames Valley Police (TVP), with 90 incidents, “tops the list of crime-hit forces”. No public authority likes to be “top” of any of these types of list, and the Newbury Today article shows TVP hitting back:

…force spokesman Craig Evry…explained that the majority of the thefts took place from “trap cars” and added: “Thames Valley Police is one of several forces to use ‘trap houses’ and ‘trap vehicles.’ These are used in areas which police believe are being targeted by burglars or thieves.

“When criminals break in, they could be recorded by cameras or any property taken may be remote tagged or marked with ultraviolet inks allowing police to quickly track it down. It’s a useful criminal reduction and evidence tool and criminals should realise that the home or vehicle they’re breaking into might be covered by hidden cameras. Hopefully using this technology might make them think twice about committing a crime.”

One initially wonders, why didn’t they say that in the first place? Well, they say they did:

The FoI response included the caveat: “Please note that of the above thefts recorded, all but six involved ‘trap vehicles’ deployed specifically to be targeted by offenders.”
Mr Evry said: “They simply misinterpreted the data.”

Most, if not all, FOI officers have been here. A request is received for “All the information on X”. Now, you hold this information, but, taken in isolation, it might be misinterpreted, so you add an explanation, or a disclaimer. However, for whatever reason, the disclaimer is lost in the bustle of preparing a story for print, and suddenly your nuanced explanation of the information is lost, and you are being lambasted in the press.

In fairness to the Press Association, it seems that the background details to their original story might have included TVP’s disclaimer. For instance, the Oxford Mail, writing three days before the Daily Mail, referred to it in their article. So maybe the fault is only with those media organisations who misinterpreted, or chose to misrepresent, the Press Association material. Nonetheless (and I can speak from bitter experience here) journalists may want to ask themselves whether the helpfulness of FOI officers might be inversely related to the likelihood of their getting shafted as a result of that helpfulness.


Filed under Freedom of Information, police

Can the ICO Regulate the Internet?

It is…beyond doubt that the DPA was not designed to deal with the way in which the internet now works

says Tugendhat J in a crucial recently-published judgment (The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB)), in which he lays into the Information Commissioner (IC), albeit in a polite, judgely manner.

The case concerned applications for injunctive relief against Kordowski, the publisher of the “Solicitors from Hell” website. The claims were in defamation, under the Protection from Harassment Act 1997, and under the Data Protection Act 1998 (DPA). Unsurprisingly, given the focus of the blog, it is the last I focus on, although one must be aware it was only one of the causes of action discussed.

It transpires that the Chief Executive of the Law Society, on behalf of many solicitors who felt aggrieved by the contents of the website in question (which invited people to “rate” and comment on solicitors, with predictably defamatory results) had complained to the IC that the site was in breach of the provisions of the Data Protection Act 1998 (DPA). On 6 January this year the IC replied, in a three-page letter, apparently saying that the exemption at section 36 of the DPA effectively meant he lacked jurisdiction to determine whether there had been a breach:

The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this.

Fellow blogger Tim Turner has already recently criticised the IC’s invoking of s36 to avoid regulating the internet/blogosphere. He will be pleased to see Tugendhat J agreeing with him, in pretty stern and unequivocal language, that using that DPA “domestic purposes exemption” to avoid regulating websites and blogs is not an option open, in general terms, to the IC.

The IC had said in his letter

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

The slapdown from Tugendhat J is

I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA. See also Douglas v Hello! Ltd [2003] EWHC 786 (Ch) [2003] 3 All ER 996 paras 230-239 and Clift v Slough Borough Council [2009] EWHC 1550 (QB) [2009] 4 All ER 756. The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

This, of course, places the IC in a very difficult situation (actually, according to him, an “impossible” one). In fairness to him, and in fairness to the judge, it is pointed out that the IC was not in attendance nor represented in the proceedings, and it might be that he has a killer riposte up his sleeve. If not, he has a problem. Until now he has only had the criticism of mere people like Tim, or me, to lead him to question his approach to s36 and the internet. (Yes, yes, there was also the European Court of Justice, but the Lindqvist judgment was a very long time ago – effectively in pre-history – and therefore easy to sidestep.) Now, given that a superior court of record has overruled him, and held that there were multiple breaches of the DPA in this case and that the IC was wrong in his application of the s36 domestic purposes exemption, he may find that his already over-stretched resources will have to cover complaints from people who feel that their rights under the DPA have been both engaged, and breached, by other individuals on the Internet. To pick a theoretical example: a complaint from someone who objects to the uploading of a private photo of them to Facebook without their consent.

It also places bloggers, and social media users in general, in a potentially risky position. Tugendhat J distinguishes such internet publication from journalism (as does Hugh Tomlinson QC – who, uncoincidentally, I suspect, acted for the claimants in this case – in two important recent posts on the Inforrm blog). If we non-journalists are potentially subject to the DPA but lack the protection it offers to journalists, we could all find ourselves at risk not just of regulatory action from the IC, but those private actions which can also be brought under the Act.

One would hope that the new draft EC data protection regulation would grapple with “the practical difficulties raised by cases such as the present” but on first viewing I’m not sure it does. Whether the door would be open to the UK legislature to address the problem is a matter for conjecture. In the interim, however, with the publication of this judgment, the IC has some close reading to do.


Filed under Data Protection, Information Commissioner, Privacy

Mandatory breach reporting and the public interest

In May of this year the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amended the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The regulations apply to different bodies in different circumstances (for instance those parts relating to cookies, which apply effectively to anyone using cookies on their website). However, a key amendment applies specifically to providers of a public electronic communications service (broadly, telecoms companies and internet service providers): regulation 5A(2) of the PECR now says

If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

This is the first appearance in domestic law of a mandatory requirement to inform the Information Commissioner (IC) of a data breach. “Data breach” itself is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

While a PECR data breach is not, expressly, a breach of the Data Protection Act 1998 (DPA) I cannot imagine circumstances in which a PECR breach would not also involve a breach of the provisions of the DPA (and – specifically and primarily – the seventh data protection principle). How the IC responds to notifications made to him under regulation 5A(2) will, therefore, be of interest to all data controllers.

This is because the imminent new European data protection instrument (either a new Directive or a Regulation) is likely to introduce mandatory data breach reporting into the data protection laws. It is not yet clear how far the requirement would extend. In an interview on 16 November with The Washington Post the EU Justice Commissioner, Viviane Reding, said

…we will now have such rules on notification for all sectors so citizens will know when their data has been breached, whether by criminal intent, accidental or other circumstances. We already have this rule for telecom companies but not for other sectors such as e-banking services, private-sector medical records and online shopping. We will extend the telecom rules to the Internet.

So will mandatory notification apply to “all sectors” or just (in addition to telcos/ISPs) “e-banking services, private-sector medical records and online shopping”? We’ll have to wait and see.

I made a Freedom of Information Act 2000 (FOIA) request to the IC asking how many mandatory notifications had been made to his office since the amended PECR came into effect, by whom, and whether the companies involved had informed data subjects of the breach. The IC’s response is that 76 notifications have been made (they don’t say, but I presume this is to 3 November, the date of my request) and in 64 of these cases data subjects were also informed. By way of explanation for the latter figure the IC says

…it is not a requirement of the regulations for providers to tell the ICO whether or not they have notified data subjects. The service providers only have to inform subscribers where ‘the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user’. If that is the case they have to ‘without undue delay, notify that breach to the subscriber or user concerned.’

When it comes to disclosing the names of the companies involved, however, the IC is scratching his head. He has identified (at least this is how I read his response) that disclosing this information would prejudice the commercial interests of those companies, and that, therefore, section 43 of FOIA is engaged. Having decided this, however, he has to consider (under section 2(2)(b) of FOIA) whether

in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information

Section 10(3)(b) of FOIA allows authorities to extend the time for compliance with a request (from 20 working days) where they need to consider the public interest test. FOIA itself unhelpfully only says that it can be extended by “such time as is reasonable in the circumstances”, but the IC himself advises that the maximum time that should be taken, in total, is 40 working days. His office has advised me that this applies to my request for names of companies, and it

…may take up to an additional 20 working days to take this decision. We therefore aim to provide you with a response to this part of your request for information by 23 December 2011

This is, of course, completely acceptable, and I’ll update this post when I get the response, but three things occur to me.

First, if or when mandatory breach notification is extended to other organisations, they will need to be aware that people may request information about such breaches from the IC, and that there is a clear public interest in such information.

Second, if the IC is wrestling with the public interest factors this is clearly a finely-balanced point, and if he comes down against disclosure then this might be a case worth appealing.

Third, surely the IC anticipated that he would get such requests? I’m surprised he hadn’t already considered this public interest point.


Filed under Breach Notification, Data Protection, Freedom of Information, PECR, Privacy

Tweets and Tw*ts

A few days ago I tweeted @ICONews, the twitter account of the Information Commissioner (IC)

@ICONews any chance you can disclose (waive privilege?) legal advice/analysis of Letwin case? Important re: manual data/Cat E data #DPA

The context of this was that there had been some discussions in data protection circles, following the revelations about Oliver Letwin and his dumping of correspondence in the bins of St James’s Park, about whether in strict terms there would have been a breach of the Data Protection Act 1998 (DPA) (on this see similar questions raised by Stewart Room about Vince Cable’s recent incident).

The undertaking signed by Letwin didn’t make clear exactly how the IC had arrived at a decision that there had been a breach of the DPA, and I was keen to know more. So was fellow tweeter @tim2040 who asked me

@bainesy1969 Are you going to #FOI them or am I? Or did your tweet to them count?

When I sent my first tweet I hadn’t thought of it as a request made under the Freedom of Information Act 2000 (FOIA). However, knowing that a public authority must treat a request for information as such even if the requester does not “mention the Freedom of Information Act…although it may help to do so”, I realised that I had rather inadvertently made a formal request which the IC’s office had to respond to, in accordance with Part 1 of FOIA. I also know that it’s easy sometimes for a public authority to miss that a valid FOIA request has been made. So, in a spirit of helpfulness, I clarified:

@ICONews Just to confirm, this earlier tweet to you was request for information #FOI http://t.co/gUeqdwGg

I’ve now received a reply from @ICONews, which says

@bainesy1969 In line with our guidance please could you provide a postal or email address for further correspondence.

Now, I really don’t want to come across as a twit (what else did you think the asterisked word was in this post title?) but I know what their guidance says (it’s my job to know it):

The request must state the name of the applicant…A Twitter name may not be the requester’s real name, but the real name may be shown in their linked profile

as mine is

The request must also state an address ‘for correspondence’. Does this include Twitter names? The length of a tweet makes it difficult for the authority to respond fully, but there are ways of dealing with this. The authority could ask the requester for an email address in order to provide a full response. Alternatively, it could publish the requested information, or a refusal notice, on its website and tweet a link to that.

So I’ve gone back to them saying

@ICONews My name’s in my profile. In line with yr guidance cd you not publish info or refusal notice on yr site and tweet link to it?

A bit twattish twittish, I accept, and I’ll be extending an olive branch to the IC’s office by contacting them privately to give them my email address. However, it does raise interesting questions about the extent to which one has to put a request for information in “formal” terms for it to be recognised. I don’t know if the IC’s office would have recognised my original tweet as a request for information – maybe they would. But, as I say, I wasn’t thinking of FOIA when I made it – I was rather hoping that someone at the office would see it and think “Hey – it would be a good idea for us to publish a note explaining how we arrived at our findings in the Letwin case”.

I know of an incident where the press office at a Council received an enquiry from a local journalist. He and the press office were well-acquainted and on generally good terms. He asked for information about a council employee and an alleged criminal offence, and he was given an “unable to comment” response. He queried this and was told (correctly) that it was for data protection reasons. He, knowing something of the regulatory process, then complained to the IC. The problem was that the press office had followed their normal press enquiry procedures and consequently had not issued a formal refusal notice under section 17 of FOIA. The IC, if he had been asked to issue a decision notice, could not have avoided a determination that there had been a breach of FOIA. However, I would suggest neither the local media nor the Council’s press office could effectively function if every enquiry by a time-pressed local hack was dealt with as a formal FOIA request (with a 20 working day deadline).

I’m not sure there is an easy answer to this, and perhaps there will always be a grey area separating “general correspondence” from “FOI request”. However, public authorities who have a twitter account must be aware of the possibility (probability?) that they will receive requests for information, and that sometimes these won’t be clearly labelled as FOI requests. I would hope that, in the event that these end up as complaints to his office, the IC would show some understanding of the difficulties of applying the formal mechanisms of FOIA to circumstances which might warrant a less formal approach (as in fact he did in the press office case in the preceding paragraph).


Filed under Data Protection, Freedom of Information

Biting the Hand that Feeds – a Risky Business?

Bloggers in the field of UK Information Rights can sometimes be critical of the Information Commissioner’s Office (ICO) (we can?). But that’s really because we love the IC and his people. Or, at least, we strongly support the existence of the office, and the principal functions it carries out. There may be disagreements on the decisions and actions taken, but many frustrations are caused by the restrictions on his powers, or as a result of the limited funding he gets.

I noticed earlier this week that Francis Maude, Minister for the Cabinet Office, had told parliament that his Department’s shocking record on compliance with Freedom of Information Act 2000 (FOIA) timescales (in the last quarter only 48% of responses met the 20-working-day deadline) was in part a result of the fact that

The Cabinet Office deals with FoI requests in relation to cabinet papers under the last government which takes some time to be dealt with because we need to consult with ministers in the last government.

As I suggested on twitter, it would be nice if we all could blame our predecessors for our heavy workload (I for one still can’t forgive Rupert Baxter for handing over that tricky planning file to me in 2002) but this really is not good enough as an excuse.

In the same period in which the Cabinet Office achieved 48% compliance, the Ministry of Justice (MoJ) achieved a still very poor 75% (by contrast the Department of Health achieved 99%, the Department for Culture, Media and Sport 96% and the Department for Work and Pensions 93% – all these figures are from the MoJ’s own quarterly stats). The MoJ is the sole provider, by means of grant in aid, of funding for the IC’s Freedom of Information work (the IC also receives approximately £15 million from the notification fee that data controllers pay to operate under the Data Protection Act 1998 (DPA), but this is ring-fenced for DPA work). This FOI grant amounted last year to approximately £5.5 million. However, that grant is at risk of reduction, and the IC is concerned about that. His risk register has recently been disclosed and this shows as a “red risk” a “gap between FOI resources and incoming casework affects FOI and DP casework…”, and it is clear that this risk potentially leads on to others, such as the “ICO reputation suffers because some of the risks facing the ICO materialise…”. None of this is real news, of course. Christopher Graham himself told the Home Affairs Select Committee

Like all public authorities, we are having to take our slice of the cuts. We are responding to that constructively, trying to achieve better for less. But the fact is that if we are asked to do more and more under the transparency and accountability agenda, we will need the resources to do it.

Now consider this: the IC is under a statutory duty to operate so as to ensure the observance by public authorities of their requirements under FOIA. One means by which he does this is to monitor authorities which repeatedly or seriously fail to respond to freedom of information requests within the appropriate timescales. This monitoring can be a precursor to further action, and the Cabinet Office was subject to such further action when it signed an undertaking with the IC in June this year to improve its performance.

The IC says that he is likely to monitor authorities if, among other criteria, “(for those authorities which publish data on timeliness) it appears that less than 85% of requests are receiving a response within the appropriate timescales”. Well, as we have seen, it certainly appears, from the published data, that less than 85% of requests to the MoJ are receiving a response within the appropriate timescales. Interestingly, in the previous quarter the figure was 83%, the quarter before that 87% and the quarter before that 88%. A downward trend like that is arguably further evidence of a need for monitoring, and it would be interesting to know if the IC takes this into account, or whether, perhaps, he takes an annual average from those quarterly stats.

So a simple question arises: when the next group of authorities whose compliance is being monitored is announced, will it include the MoJ? Will the IC risk biting the hand that feeds him?


Filed under Freedom of Information

MPs, Data Protection and Criminal Offences

In 2000 the then Minister for London, Keith Hill MP, was prosecuted under the Data Protection Act 1984. He was fined £200 with £500 costs for an offence which the Daily Mail (so it must be true) says was “non-notification”. (I’ve tried hard to find more about Hill’s conviction – but even a contemporaneous Evening Standard story does not mention specific offences: if anyone knows or recalls more I’ll happily amend this post. For the time being, I’m proceeding on the assumption that the Mail is correct.)

Under the successor act, our current Data Protection Act 1998 (DPA), similar obligations and a similar offence exist. Section 17 states in broad terms that a data controller (a person who solely or jointly “determines the purposes for which and the manner in which any personal data are, or are to be, processed”) must not process personal data unless “an entry in respect of the data controller is included in the register maintained by the [Information] Commissioner” (IC). Accordingly (under section 18) a data controller must make a notification to the IC stating (again in broad terms) what data it is processing and for what purposes, and must pay a fee of either £35 or £500 (depending on the size of the organisation which is the controller). Section 19 describes the register itself and also provides that registration lasts for twelve months, after which a renewed notification must be made, with payment of a further fee.

Section 21 creates an offence the elements of which will be made out if a data controller processes personal data without an entry being made in the register. Thus, if a data controller processes personal data and has not notified the IC either initially or at the point of renewal, that controller will be likely to have committed a criminal offence (there is a defence if the controller can show that he exercised all due diligence to comply with the duty).

In 2008 the Mail reported that eleven government ministers were “flounting” (whatever that might mean – one presumes the sub meant “flouting”) the DPA by not having notified, or renewed notification of, their processing to the IC. The Deputy IC said at the time

It’s a statutory requirement and no one should get away with it. We will write to those people you have identified and remind them very clearly of their obligation under the law to notify. If they haven’t notified us within a reasonable period, or given us a good enough reason why they do not need to, we will consider prosecution, punishable in court by a fine of up to £5,000.

Well, it’s still a statutory requirement, still a criminal offence not to comply with that requirement and the sentence is still a maximum fine of £5000.

Bear this in mind when you learn that, currently (as at 24 October), 46 MPs have either failed to notify or failed to renew their notification. The worst example is one MP who has not renewed his notification since 1 July 2010. This is despite the fact that the IC has a policy of gently reminding such controllers that their processing may be criminally unlawful. I say “despite”, but perhaps I should say “because”. The IC’s policy appears to be to remind controllers three times:

…our non notification process is to write to them asking for their comments and advise them to consider their need to notify. If the entity registers or provides a suitable explanation…that is usually the end of the matter and no further action is taken. If no response (or an inadequate response) is forthcoming then we write again explaining the requirement to notify and advising that failure to respond may result in the matter being passed to our legal team for consideration of prosecution. If there is still no response then the file is passed over for the legal team to consider the evidence and if they think there is sufficient evidence they will write advising that if no registration is received within 14 days or representations made as to why a prosecution should not be carried out then a summons will be issued. If registration is then forthcoming then that is the end of the matter and no further action is taken. Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.

No one realistically expects any prosecutor always to take a zero-tolerance approach, but notification is the very first step a data controller should take before processing personal data. Any processing which takes place without notification is, in strict but very clear terms, unlawful. The first thing I advise people who have a gripe about a data protection matter is to check whether the controller has made a notification. If it hasn’t you’ve won your fight with the first punch. And if nothing else, failure to notify is a strong indication that the data controller might not have the greatest respect for the personal data it is processing, and might also indicate other areas of non-compliance.

The IC is in a tricky statutory position. He is both the enforcer and, by virtue of section 51, the educator under the DPA. He can prosecute offences, but he must also promote the following of good practice by data controllers. However, he has other options open to him which are stronger than a gentle reminder but which fall short of prosecution. He can, of course, issue a caution under criminal law, but he can also issue an enforcement notice under section 40, which is a formal notice requiring the controller to take the action specified in the notice in order to bring about compliance with the Act. Another measure he can propose is to undertake a consensual audit of the controller’s processing (and, if he had his way, he would be able to require compulsory audits for all controllers). It would be interesting to know if he has used any of these options when data controllers have shown little regard for the need to notify.

All this is me leading up to making the point that a failure by a significant number of MPs to comply with a statutory requirement under the DPA is not a minor issue. Mr Walsh, for the IC, says:

In general terms, we have found that Data Controllers usually do renew their notification as a result of our reminders. This appears to be reflected in the relatively high proportion of MPs who are notified.

I would argue the opposite: 46 out of 650 means that 7% of the members of the parliament which passed the DPA appear to treat it in such a cavalier manner that they don’t consider it necessary to ensure that their registration is up to date, despite the fact that failure to do this can amount to a criminal offence. And the regulator responsible for ensuring compliance with the DPA and enforcing its provisions seems quite happy to allow this to continue.

p.s. I must give credit to John Cross, who blogs at confirmordeny.org.uk for getting this information disclosed by the IC.

Filed under Data Protection

(Non-) Invasion of the Body-scanners

The writer and broadcaster Victoria Coren wrote in The Observer yesterday that commuters at Bath railway station had recently been “instructed to walk through a 7ft body scanner”:

Since when did we surprise the public with electronic body searches, randomly as they go about their daily lives, without any reason to suspect them of anything? Have search warrants also been abandoned while I wasn’t looking? May the police now turn up on a whim and rootle around in our drawers?

These are serious and current concerns. The use of Advanced Imaging Technology (or AIT) at airports is not without controversy. The rolling-out of this technology to other areas, for instance railway stations, would be a major development, and it would raise great concern if it were done without publicity or consultation, and without clear reasons for its use. However, the American blogger and privacy activist who goes by the twitter handle of @PogoWasRight has spotted this press release on Avon and Somerset Constabulary’s website, which suggests that what Coren experienced was in fact a metal detector designed primarily to pick up people carrying hidden knives:

The police operation will see people arriving by train being screened by an airport-style metal detector to see if they are carrying knives or other weapons.

These are commonly known as “knife-arches” and are essentially the same metal detector arches we are accustomed to passing through at airports. They are a considerably less intrusive technology than AIT, although their use is not in itself without controversy:

Many police forces now set up “knife arches” as part of their drive against knife crime. They have no legal power to compel an individual to walk through them, yet the Met has indicated that refusal to walk through an arch when asked to do so by an officer “may” be grounds for a search. In other words, the police have no explicit power to compel an individual to walk through an arch – if parliament had wished to grant that power, it probably would have – but creative interpretation of the law has given it to them all the same.

Unless any further information is received, it seems safe to assume that what Coren saw at Bath was a knife-arch, about which Liberty’s James Welch has written some helpful advice.

EDIT: this Daily Mail article confirms the point (via Aaron K. Martin, @WC2A_2AE on twitter).

Filed under Privacy

Hiding Information and section 77 FOIA

My twitter timeline was alive this morning with discussion of news that the Information Commissioner (“IC”) is to investigate the Education Secretary Michael Gove and his close advisers at the Department for Education in connection with allegations that they have deliberately been using private email accounts to conduct government business:

E-mail traffic, seen by the FT, shows the education secretary and his advisers have conducted government business using private e-mail addresses. Civil servants were then unable to find these e-mails when asked to retrieve them under the Freedom of Information Act (FOIA).

(It should be stressed that the Department concerned appears to deny that there was any impropriety, and says that private email was being used to conduct party political rather than government business.)

The article concludes by referring to section 77 of FOIA:

Section 77 of the act states that officials must not conceal or destroy information to prevent its disclosure. Breaches of the law carry a fine of up to £5,000.

This perhaps misses a key point. Section 77 states:

Where…a request for information has been made to a public authority, and… the applicant would have been entitled…to communication of any information…any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.

This is carefully worded and means, I would submit, that an offence can only be committed if the attempt to conceal occurs in response to a request having been received. If, however, it is merely standard practice to conceal, no offence would be committed. FOIA is predicated largely on what happens, or must happen, if a request for information is made. It is not, primarily, a records management act.

However section 46 of FOIA does require the Lord Chancellor to issue a code of practice for management of records. Section 9 of that Code deals with the need to keep records in systems that enable records to be stored and retrieved as necessary, and section 10 with the need to know what records are held and where they are.

Under section 47 of FOIA the IC must promote the following of good practice by public authorities and perform his functions so as to promote the observance by authorities of the section 46 Code, as well as the requirements of the Act in general. And under section 48 he may issue a “practice recommendation” if it appears to him that the authority has not conformed with the section 46 Code. In investigating compliance with the Code he has the power (section 51) to issue an “information notice” requiring the authority to furnish him with the information. Failure to comply with an information notice can, ultimately, constitute contempt of court.

None of this is to downplay the potential seriousness of an allegation of a “pre-emptive” attempt to conceal information. Nor is it to suggest that such conduct might not constitute a breach of other kinds of code. However, I would suggest that the biggest weapon at the IC’s disposal is one of publicity, something that Christopher Graham, the current IC, with his journalistic background, is quite good at creating.

[EDITED TO ADD] FoIMan’s and Tim Turner’s takes on this are worth a read. Additionally, I note that the indefatigable Campaign for Freedom of Information took the opportunity to maintain the push for greater sanctions under section 77.

Filed under Freedom of Information

DNA = data not available?

On 26 July 2011 The Telegraph reported that “Innocent people’s DNA profiles won’t be deleted after all, minister admits”. It said that:

“police will retain DNA profiles in anonymised form, leaving open the possibility of connecting them up with people’s names, ministers have admitted”.

In S and Marper v United Kingdom [2008] ECHR 1581 the European Court of Human Rights held that indefinite retention by the police of fingerprints and DNA samples of two people who had been arrested but not convicted of criminal offences was a breach of their rights under Article 8 of the European Convention on Human Rights (overturning a decision upheld at each instance in the English courts).

The Protection of Freedoms Bill proposes, accordingly, to amend the Police and Criminal Evidence Act 1984 (“PACE”) so that – broadly – a lawfully taken DNA sample (and fingerprints) must be destroyed after three (or in some cases five) years if the suspect has not been convicted of an offence to which the sample relates (Genewatch have a helpful detailed explanation of the proposals).

The Telegraph article said that Home Office minister James Brokenshire “had won agreement from the [Information Commissioner’s Office] that the DNA profiles could be retained by forensic science laboratories”. The Information Commissioner’s Office (ICO) has now, following an FOI request for correspondence between the ICO and the Home Office about this matter, effectively said, to quote Ben Goldacre, “I think you’ll find it’s a little bit more complicated than that”.

The complicating factor is that a DNA profile is different to a DNA sample, which in turn is different to the raw data derived from the sample. Christopher Graham, the Commissioner, in his evidence to the Public Bill Committee on the Protection of Freedoms Bill said:

“Clause 13 [of the Bill] refers to the destruction of DNA profiles and that no copy must be retained by the police except in a form which does not include information which identifies the person to whom the DNA profile relates. It is assumed that this is aimed at addressing issues relating to the raw data, the electro-phoretogram, from which the DNA profile is created”.

Some existing DNA profiling systems process DNA samples in batches of up to 82 (or possibly 96 – I’m unclear which is the correct figure). In these processes it is not possible to isolate and destroy the raw data relating to a single sample without also destroying the data for the whole batch (which, of course, might contain raw data relating to samples of now-convicted persons, which need to be retained).

Graham went on to say:

“This provision [Clause 13 of the Bill] should be expressed in a way so it cannot be used to perpetuate such batch processing practices in any new systems used to generate DNA profiles and to require deletion of all the DNA profile information as the norm”.

One hopes this proposal is accepted. Even if it is, however, there will still remain a considerable number of batches of raw data derived from the samples of innocent people, which it will not be possible to destroy. The question then arises as to what measures can be, and are being, taken to ensure that this remaining raw data cannot be linked to identifiable individuals. In response to my enquiries the IC’s office has said:

“the Commissioner has stipulated that forensic science providers remove all the names and identifications from their systems to prevent them being able to link an individual with the ‘raw data’.”

But what confidence can we have that this will be sufficient? The IC’s office continues:

“The Commissioner is satisfied that the deletion of the associated records will remove the link between the identity of the individual and the ‘raw data’ which will be retained in the batch. This will effectively put the retained ‘raw data’ beyond practical use as it should be no longer possible to re-link the individual to the ‘raw data’ retained”.

There remains a lingering concern, however:

“given that the ‘raw data’ is used to create a DNA profile, and a DNA profile is unique to an individual, we are relying on the assurances we have been given and cannot say categorically that there is no possibility of the retained ‘raw data’ ever being linked to an individual.”

These assurances have to be balanced against the contents of a letter from James Brokenshire MP (the Home Office minister quoted in the original Telegraph article) to the joint chairs of the Protection of Freedoms Bill Committee. I’m not sure if this letter has been published yet, but it was disclosed in response to my request. Brokenshire says:

“Members of the Committee will be aware that most existing DNA records…will include the original barcode, which is used by the police and the FSS [Forensic Science Service] to track the sample and resulting profile through the system. It is therefore theoretically possible that a laboratory could identify an individual’s profile from the barcode, but only in conjunction with the force which took the original sample, by giving details of the barcode to the force and asking for the individual’s name”

This doesn’t strike me as a purely theoretical risk, and one might bear in mind that the FSS’s raison d’être is to work with the police to detect crime by piecing together and analysing evidence.

Brokenshire explains, however:

“Such conduct [i.e. trying to re-identify someone in these circumstances from residual DNA evidence], in clear breach of the requirements set out in the [Protection of Freedoms] Bill, would be likely to constitute offences of misconduct in public office and under the Data Protection Act. In addition, new section 63S of PACE (as inserted by clause 16 of the Bill) specifically excludes the use of such material in evidence or as any part of a criminal investigation.”

Given that both misconduct in public office and offences under the Data Protection Act 1998 can be countered in effect by defences of acting in the public interest, it seems to me that clause 16 might be the best assurance we have against any attempts to use any residual information from innocent people’s DNA samples.

Filed under Privacy