Category Archives: Breach Notification

If not that, then this?

Does the dropping of criminal charges against police officers under data protection and computer misuse legislation open the door to investigation of their employer’s civil liabilities?

The BBC reports that criminal charges have been dropped against three Nottinghamshire police officers. The charges appear to have been originally brought under the Data Protection Act 1998 (DPA) and Computer Misuse Act 1990 (CMA), and, according to the Police Federation it seems they were dropped because

prosecutors had found issues with training and advice on data protection for officers

Under section 55 of the DPA it is an offence to knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data. But the elements of the offence are not made out if the person doing this acted, for instance, in the reasonable belief that he or she had a lawful right to obtain or disclose the data, or if the obtaining was necessary for the purpose of preventing or detecting crime. Similarly, the offence of unauthorised access to computer material under section 1 of the CMA is only committed if the person knows that the access is unauthorised. If inadequate training and advice on access to data is given to employees of a data controller, then it will be difficult – as this story seems to reveal – to bring prosecutions. Effectively, the mens rea element of the offence is lacking.

However, perceptive readers of this blog might have noticed something: if incidents of inappropriate access to personal data have occurred, as appears to have been the case here, and the individuals accessing the data have been inadequately trained, does that not raise issues about the employer’s (the data controller’s) compliance with the seventh data protection principle in Schedule One of the DPA? This provides that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data

The Information Commissioner’s Office (ICO) has repeatedly stressed that appropriate staff training is essential for compliance with the seventh principle. The ICO has the power, under section 55A of the DPA, to serve a civil monetary penalty notice on a data controller which has seriously contravened the DPA, where the contravention is of a kind likely to cause substantial damage or substantial distress. One wonders whether the ICO will now look into Nottinghamshire Police’s compliance with the Act, in view of the fact that incidents serious enough to bring now-dropped criminal charge took place, and the fact that they appear to have taken place against a background of inadequate staff training.


Filed under Breach Notification, Data Protection, Information Commissioner, monetary penalty notice, police, Privacy

A million data breaches?

Is it realistic for the ICO to expect all SMEs to encrypt hardware? And if those SMEs don’t, is it realistic to expect the ICO to enforce against what must be mass non-compliance?

Accurate figures for annual thefts and losses of laptops in the UK are not easy to come by – perhaps the most commonly-cited figure is the estimated 1 million from Sony’s Vaio Business Report 2013. On any analysis, though, it’s a relatively common occurrence.

A large proportion of these will be laptops containing personal data of people other than the owner of the device. And in many cases the device, or part of it, will be used for business purposes, often by small and medium-sized enterprises (SMEs). Personal data processed solely for domestic purposes is outwith the obligations of the Data Protection Act 1998 (DPA), but any personal data processed for business purposes is caught by the Act, and the person or business processing that data is likely to be a data controller.

As data controller, they will have an obligation inter alia to take “Appropriate technical and organisational measures …against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (Principle 7 of Schedule One, DPA). A serious contravention of this obligation, of a sort likely to cause serious damage or serious distress, can lead to the Information Commissioner’s Office (ICO) serving the data controller with a Monetary Penalty Notice (MPN), under section 55A, to a maximum of £500,000.

And so it was this week that the ICO served Jala Transport Ltd, an oddly-named loans company, with an MPN of £5000 after

a hard drive containing financial details relating to all of the sole proprietor’s approximately 250 customers…[was stolen] from the business owner’s car while it was stationary at a set of traffic lights in London

The hard drive was in a case, with documents and some cash, and has still not been recovered.

Despite one’s possible distaste for the nature of the business involved (it may be difficult to muster much sympathy for a loans company), this case raises some interesting points, specifically for small-to-medium enterprises (SMEs) but also in general.

The MPN itself reveals that the business did not have a backup of the hard drive. This is a ridiculous oversight, when secure storage is simple, and cheap. But

it was taken home at the end of each working day for business continuity purposes and to reduce the risk of damage or theft

However, by not

closing the car window and placing the briefcase in the boot of his car or out of sight

this unsuccessful but probably well-meaning attempt at data security -and a business continuity plan – became an aggravating factor.

However, what really did for the proprietor was, “crucially”, that although the laptop was password-protected, it was not encrypted, and this led the ICO to repeat previous warnings about the need for encryption in these circumstances

We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected…if the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act

Several questions are raised by this case, and this approach by the ICO. Firstly, encryption, for individual devices, is not necessarily straight-forward, and carries its own risks. This is not to say that attempts should not be made at either full disk encryption or file/folder encryption, but not all SMEs necessarily have the time or expertise to explore this effectively. Secondly, one notes that one of the reasons the MPN was imposed was because the ICO felt that the serious contravention of the DPA was of a sort likely to lead to serious damage in the form of identity theft. It was a very similar argument that the Information Tribunal recently refused to accept as being a likely consequence of another serious contravention, when it upheld Scottish Borders Council’s recent MPN appeal. £5000 is not a huge amount, and the time and expense of pursuing an appeal might be too much, but it will be interesting to see if one is lodged.

Finally – following on from the point that encryption of single standalone devices isn’t necessarily straightforward – one has to wonder how many of those estimated one million lost and stolen laptops were encrypted, and, of those that weren’t, how many contained personal data which required the relevant data controller to observe the security obligations of the DPA. Jala Transport appears to have taken the admirable, but perhaps ill-conceived, decision to report the theft to the ICO itself (and may now be regretting that decision).

If all the data controllers of those thousands and thousands of laptops lost or stolen annually reported the loss to the ICO, how many would have to own up to lack of encryption, and be liable to a similar or possibly larger MPN? And could the ICO possibly cope with the workload?

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice, Uncategorized

Must Try Harder

So, I managed to get a piece run on the Guardian Public Leaders network on the continuing incidents of or risks of exposure of sensitive personal data in pivot tables. I tried to argue that those in the know probably know about these risks, and that those not in the know don’t. I suggested the Information Commissioner’s Office (ICO) and the government could do more to alert the latter.

Although I got nice and positive feedback from friends/colleagues/fellow professionals, there appears to have been very little interest. Clearly it’s not a subject that interests lay people (or rather, it’s probably a subject which actually repels lay people). But that was rather my point: as long as the relevant regulators and policy-makers don’t take sufficient steps to issue warnings and guidance these and similar breaches of data security will continue to happen.

What I’m slightly surprised at is the lack of any response from the ICO. I noticed that Tim Turner asked the ICO twitter account if they had a response to the piece, but, unless it was off-line, he appeared to get no response. And I asked their press office, again, with no reply (maybe the press office was the wrong place to ask?).

In the article I also called on government departments to do more. That’ll be my next move. The problem of inadvertent internet disclosure of sensitive data, normally through ignorance of technology, continues, and it goes broader than pivot tables. As public authorities, in particular, are being required to open up more and more data to promote transparency and economic growth, this is going to become more and more serious. We can’t pretend the gulf between those ambitions and the technological knowledge of some of those doing the “opening up” is a minor problem. Authorities need guidance, and, where appropriate, warnings, and these need to be targetted at the right people within organisations. The ICO and government cannot always rely on, say, data protection officers to do this.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, transparency

Pivot tables and databreaches

About a year ago I first became aware of reports of disturbing inadvertent disclosures of personal data (often highly sensitive) by public authorities who had intended only to disclose anonymous and/or aggregate data. These incidents were occurring both in the context of disclosures under the Freedom of Information Act 2000 (FOIA) and in the context of proactive disclosure of datasets. Mostly they were when what had been disclosed was not just raw data, but the spreadsheet in which the data was presented. Spreadsheet software is often very powerful, and not all users necessarily understand its capabilities (I don’t think I do). By use of pivot tables data can be sorted, summarised etc, but also, from the uninitiated or unwary, hidden. If the person who created or maintained a spreadsheet containing a pivot table is not involved in the act of publicly disclosing it it is possible that an apparently innocuous disclosure will contain hidden personal data.

Clearly such errors are likely to constitute breaches – sometimes very serious breaches – of the Data Protection Act 1998 (DPA) Those of us who were aware of a number of these inadvertent breaches were also aware that, if public authorities were not alerted to the risk a) the practice would continue and b) potentially large numbers of “disclosive” datasets would remain out in the open (in disclosure logs, on WhatDoTheyKnow, in open data sets etc). But we were also aware that, if the situation was not managed well and quietly, with authorities given the opportunity to correct/withdraw errors, inquisitive or even malicious sorts might go trawling open datasets for disclosures which could potentially be very damaging and distressing to data subjects.

It was with some relief, therefore that, following an earlier announcement by WhatDoTheyKnow, the Information Commissioner’s Office (ICO) finally gave a warning, and good guidance, on 28 June (although this relief was tempered by finding out, via Tim Turner, that the ICO had known about, and apparently done nothing about, the problem for three years). At the same time the ICO announced that it was “actively considering a number of enforcement cases on this issue”.

It appears that, according to an announcement on its own website, that Islington Council is the first recipient of this enforcement. The Council says it has

accepted a £70,000 fine from the Information Commissioner’s Office (ICO) after a mistake led to personal data being released

after it

responded to a Freedom of Information (FOI) request asking for information including the ethnicity and gender of people the council had rehoused. The response, in the form of Excel spreadsheet tables, included personal information concealed behind the summary tables

Fair play to Islington for acknowledging this and agreeing immediately to pay the monetary penalty notice. And if some of the other reported breaches I heard about were as bad as they sounded £70,000 will be at the lower end of the scale.

(thanks to @owenboswarva on twitter for flagging this up)


The ICO has now posted details of the MPN, and this clarifies that the disclosure was made on WhatDoTheyKnow and was only identifed when one of their site administrators noticed it.

Leave a comment

Filed under Breach Notification, Data Protection, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Transparency and the ICO

It is axiomatic that, under the Freedom of Information Act 2000 (FOIA), a requester is unlikely to know precisely what the information requested consists of. This means that a requester is at a (natural and fair) disadvantage if he or she wishes to challenge a refusal. How to argue, for instance, that the public interest favours disclosure of information, if you don’t know what the information is?

A requester will often be reliant, therefore, on the Information Commissioner (ICO), as independent regulator, or the judicial system, thoroughly to interrogate a public authority’s basis for non-disclosure.

Last year I made a FOIA request to the ICO’s office itself for copies of all Undertakings (not currently on their website) agreed by the ICO and data controllers following investigation of serious breaches of the Data Protection Act 1998.

The ICO kindly disclosed to me a large number of Undertakings, but withheld three, citing the exemption at section 22 of FOIA. This section provides an exemption to the general FOIA obligation to disclose information, if the information is held, at the time of the request, with a view to its publication at some future date (whether determined or not). Furthermore it must be reasonable in all the circumstances that the information should be withheld from disclosure until that future date. Section 22 is a qualified exemption, and, therefore, subject to the application of a public interest test. I was told by the ICO that the Undertakings

were not published at the time due to a risk of prejudice, in one case to a criminal trial and in the others to commercial interests. In light of your request we have revisited these considerations and find that they are still relevant

I’m a reasonable chap, and accepted that the ICO was well-placed to determine that the public interest did not favour disclosure. However, I thought they might be able to disclose the identities of the data controllers involved. So I made a FOIA request for that information.

This was also refused. I was told that one of the data controllers was News Group Newspapers and the Undertaking was

in connection with a cyber-security attack perpetrated against NGN for which criminal proceedings are ongoing. As we have previously indicated, the Undertaking will be published once the proceedings have been concluded

This was the case relating to a criminal trial, and it has now been published.

I was told though that the names of the other two data controllers were still exempt under section 22, as, even though the ICO accepted my argument

that prejudice is “unlikely to occur simply by disclosing the identity of the data controllers”, having consulted with the organisations involved, I am satisfied that there is a possibility that the release of even the identities could potentially damage the commercial interests of the Data Controllers

Well, after I waited a while, and then made a further FOI request, the names and Undertakings have now been disclosed. And I fail to see what the fuss was about: they related to some issues with residual data on legacy systems. I also fail completely to understand how, in any conceivable way, disclosure of the names of the Councils involved could have caused prejudice to their commercial interests, and I’d invite anyone else to explain to me how it could. If I am right, the argument that it was reasonable in all the circumstances that the information should be withheld from disclosure until a later date, and, indeed, the argument that the public interest favoured maintaining the section 22 exemption falls away.

I could, of course, have appealed at the time, but the point is that I did not know what information was being suppressed, or why. I trusted the ICO to apply the law properly.

It is interesting to consider this matter of “trust” in light of an important recent Upper Tribunal (UT) case. Although that case was concerned with the use of “closed material” and “closed proceedings” in FOIA cases in the First-tier Tribunal (FTT) some points are arguably of general application to public authorities. One strikes me in particular

The other side of the coin concerning the application of the FOIA exemptions is of course that the requester may want to challenge the reasons and evidence which are advanced to establish them and thereby show that the requested information should be provided to him or her pursuant to FOIA…This competing right and interest within the FOIA scheme is founded on the right of access to information held by public authorities that is given by FOIA.  So it is one of the starting points for the need for a decision-making process to weigh competing rights and interests [emphasis added]

I would argue (knowing now what I didn’t know then) that as one of the prime reasons for DPA Undertakings is to draw attention to serious breaches of the DPA (see ICO Guidance: Communicating Enforcement Activities) withholding this information under section 22 potentially is seen to undermine the regulatory functions of the ICO. I struggle to understand how the refusal to disclose the Undertakings, let alone the mere identities of the recipients, shows proper weighing of competing rights and interests.

One a final note, the guidance above also says

We will not risk damage to the reputation of the ICO by agreeing with an organisation that we won’t publicise our action or that we will give advance warning

I’m not sure how to square that with what I was told last year that

the Undertakings were signed on the understanding that they would not be publicised in the usual manner


Filed under Breach Notification, Confidentiality, Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Pondlife: privacy obligations and privacy rights

Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.

In 2010 the law firm ACS:Law was victim of a concerted campaign to disrupt its activities through denial of service attacks (DDOS) and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDOS attacks a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.

As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that

Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.

The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).

The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details

This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that

A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right group

Twitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites
I confess I wasn’t aware of the 2010 hack. One wonders if the IC investigated this at the time. Nonetheless, any further hacks which reveal personal data of members and donors raise potential issues of liability for the EDL under the DPA, for the same reason that ACS:Law attracted enforcement action.
I found it notable at the time of the ACS:Law case that there was a lack of action or censure for the many people who happily publicised and distributed the file in question, thus exacerbating the already serious breach. It seemed to me, and still does, that those who originally downloaded the file and made it freely available, and those who continued to publicise it and make it available, were arguably guilty of an offence under section 55 of DPA, which provides that disclosing personal data knowingly or recklessly, without the consent of the data controller can be an offence.
The chances of an offence being committed are even more pronounced when concerted efforts are made to hack into a website. The offence under s55 DPA remains (through lack of a ministerial Order implementing the custodial provisions) only punishable by a maximum £5000 fine. However, other potential offences are enaged, including those under the Computer Misuse Act 1990, which are punishable by a maximum of five years’ imprisonment.
Anonymous have their reasons for the campaign, and they are perhaps difficult to argue against. But concerted efforts to gather and disclose private information raise worrying issues, which should not be avoided simply because of who the intended victims are.
None of this is to be seen as defending, or sympathising with, the views of the EDL, who are scum. But even scum have rights. Furthermore, it might be worth bearing in mind that when a list of apparent members of the BNP was leaked in 2009 – an incident which led to the prosecution of an individual under the DPA (at the sentencing of whom the judge said that he was obliged to impose a “fine…so low as to be ridiculous”) – there were strong indications that a number of people were wrongly named as members. Lists can be dangerous things, and I can think of few things more unpleasant than being wrongly associated with groups like this.


Filed under Breach Notification, Confidentiality, Data Protection, human rights, Information Commissioner, Privacy

Medical records databreach – what will result?

Today’s Sunday Mirror reports that thousands of confidential medical records have apparently been stored outdoors in a car park in an industrial estate for months. The paper alleges that

DHL Healthcare, which provides services for more than 100 NHS trusts, left out documents reportedly containing patients’ names, addresses and details of their medical conditions.

The paperwork is also believed to contain security “key codes” that enable DHL ambulance drivers to open the front doors of patients’ homes so they can be taken to hospital for treatments such as dialysis and chemotherapy.

Although the article doesn’t mention it, I am sure the Information Commissioner (IC) will take a keen interest in this.

Of particular interest is the fact that this apparent breach is said to have involved an organisation, DHL Healthcare, which doesn’t provide healthcare services itself. According to its website it provides “logistics services for the healthcare industry”. I also note that it provides a records management service. It seems almost certain that it acts under contract to NHS bodies. As such, in the terminology of the Data Protection Act 1998 (DPA), it is a “data processor” and an NHS body which instructs it is a “data controller”. Under the DPA, only the latter – the controller – is responsible for complying with the Act, and only the latter is liable to attract enforcement action for serious breaches of the DPA.

The seventh DPA data protection principle places an obligation on a data controller to ensure that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

and where

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a)the processing is carried out under a contract—

(i)which is made or evidenced in writing, and

(ii)under which the data processor is to act only on instructions from the data controller, and

(b)the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

This means that where an NHS Trust contracts with – say – a records management service, it must enter into a written contract which demands that the contractor must do nothing other than what the contract says, and must have robust data security measures in place. If the contract does not say that then the NHS body is prima facie in breach of the DPA, and liable for any serious breach which might occur.

Thus, in 2012, Brighton and Sussex University Hospitals NHS Trust was “fined” (in reality, served with a s55A DPA Civil Monetary Penalty Notice) £325,000 by the IC after hard drives containing sensitive medical data ended up for sale on the internet. The IC said that the Trust

failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures.
Further, the processing was not carried out under a contract between the Trust and HIS (whether made or evidenced in writing) under which the data processor was to act only on instructions from the data controller, and which required HIS to comply with obligations equivalent to those imposed on a data controller by the Seventh Data Protection Principle

Any investigation into this latest incident will likely involve assessment of the nature of the contracts in place, and the extent to which data controllers contracting with DHL Healthcare took reasonable steps to ensure compliance by the contractor. However, it appears to be the case, under current law, that if the IC determines there was a robust contract in place, and the data controller took all reaosnable steps to ensure compliance, no enforcement action can ensue. This seems slightly strange, but the DPA (which gives effect to the European Data Protection Directive) does not allow the IC to take action against the contractor. (Of course the other party to the contract could take civil action of its own, but this would almost certainly be only for breach of contract).

The draft European Data Protection Regulation seeks to deal with this possible gap in the law. Draft Article 26 (read with Articles 24 and 30) provides that

If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers

This apparently sensible and minor amendment might, though, have major implications for contractual arrangements to process data. If a data processor becomes (jointly) liable for breaches it is likely to assess risk in a much different way when entering into a contract. “Traditional” data controllers need to be alive to the potential financial implications of this.

One final note. Under current law, a data controller is

a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed

Could it be argued that, even now, when a contractor diverges from the terms of a contract, and decides to process data in a different way, they are in fact determining the purposes in a way which could potentially make them a controller? I would be interested to know if this has ever been argued.

Leave a comment

Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, monetary penalty notice

Courts, Contempt and Data Protection

Can it be possible for HM Courts and Tribunals Service – who have responsibility for publishing court lists – to publish those same lists in an unlawful way?

Richard Taylor, a blogger and mySociety volunteer uploaded an intriguing blog post recently. Entitled Cambridge Magistrates Court Lists Obtained via Freedom of Information Request it described Richard’s request to HM Courts and Tribunals Service (HMCTS) for

 …the information which would be expected to appear on the full copy of the court list in relation to appearances, hearings, trials etc. currently scheduled to be held in Cambridge Magistrate’s Court [five specified days]

HMCTS, commendably, in Richard’s words (amazingly, in mine), responded to him within six days. The disclosure was, by any standards, extraordinary. Richard had made the request using the portal. This service means that any disclosure made by a public authority is by default uploaded to the internet for anyone to see. What was uploaded by HMCTS included

 …the identity of victims of crimes people were being charged with, including a girl under 14 who was named in relation to an indecent assault charge

As Richard points out, the anonymity of victims of alleged sexual offences is protected by law. Section 1 of the Sexual Offences (Amendment) Act 1992 (SO(A)A) provides that

neither the name nor address, and no still or moving picture, of [a victim of an alleged sexual offence] shall during that person’s lifetime…be published in England and Wales in a written publication available to the public

These necessary derogations from the principles of open justice cannot extend to complete anonymity. For obvious reasons, the name of a victim of an alleged sexual offence will need to be before a court in the event of a trial. So, the meaning of a “written publication available to the public” does not include (per s6 SO(A)A)).

an indictment or other document prepared for use in particular legal proceedings

It appears that the lists disclosed to Richard would fall into this category. However disclosure of such a document under FOIA, which is taken to be disclosure to the world at large (and, in the case of effectively is) would extend its “use” so far beyond those particular legal proceedings that it would undermine the whole intention of section of SO(A)A. It seems that HMCTS recognised this, because they subsequently contacted Richard and confirmed that the information was disclosed in error.

We believe the majority of the information in the Court Lists is exempt from disclosure under Section 32 (Court Records) and Section 40 (Personal Information) of the Freedom of Information Act. We also believe provision and publication of sensitive personal data may also breach The Data Protection Act.

Well, I hate to be a tell-tale, but this seems to be a tacit admission that the disclosure to Richard was an extremely serious breach of the Data Protection Act 1998 (DPA). It was also potentially in breach of SO(A)A and potentially an act of contempt under the Magistrates’ Courts Act 1980 (MCA), section 8(4) of which permits publication only of certain information relating to commital proceedings, before a trial, and the names of alleged victims certainly does not fall under that sub-section. But can a court (or at least, a court service) be in contempt of itself by digitally disclosing (publishing) to the world information which it is required otherwise to disclose publicly?

While distinction should be drawn between a “full” list, such as was inadvertently disclosed to Richard, and “noticeboard” lists, habitually stuck up outside the court room, the points raised by this incident exemplify some crucial considerations for the development of the justice system in a digital era. It seems clear that, even if a court were permitted to  this or similar information, the re-publication by others would infringe one or all of the SO(A)A, DPA and MCA. What this means for the advancement of open justice, the protection of privacy rights and indeed the rehabilitation of offenders is something I hope to try to grapple with in a future post (or posts).


Filed under Breach Notification, court lists, Data Protection, Open Justice, Rehabilitation of offenders

An Irresponsible Press Release?

What is the basis for the ICO saying the private sector is better at data protection than the public?

I defended the Information Commissioner’s Office (ICO) today, over a poor Register headline which suggested they were “red-faced” about imposing monetary penalty notices on NHS bodies (of course they’re not). To their great credit, the Register reworded the headline. Shortly afterwards, the ICO issued a headline of their own in a press release

Private Sector leads the way on data protection compliance but room for improvement elsewhere

Behind this headline are four reports on the ICO’s Data Protection Act 1998 (DPA) audit activities over the last two years. Each report relates to a “sector”, so we have:

Audit outcomes, central government (February 2010 – July 2012)

Audit outcomes, local authorities (February 2010 – July 2012)

Audit outcomes, NHS (February 2010 – July 2012)

Audit outcomes, private sector (February 2010 – July 2012)

Ignore for a moment the fact that the distinction between “private” and “public” sector is increasingly an artificial one – what I want to focus on is the evidential basis for the assertions made by the ICO, and why I think they are potentially damaging to the interests of data subjects. The press release goes on to say

[the reports have] highlighted the positive approaches many private sector companies are adopting to look after people’s data. However concerns remain about data protection compliance within the local government sector and the NHS…Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act…In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fair little better with two out of 11 organisations achieving the highest level of assurance.

Let’s stop for a second to consider the nature of the audits we are looking at. The ICO does not have a general power to audit data controllers without their consent, although he does have that power over central government data controllers. So how does a data controller come to consent to an ICO audit? Very commonly it’s a result of a self-reported data breach, or following an ICO investigation giving rise to DPA concerns. The three arms of the public sector represented in these reports are required or expected to comply with specific data protection guidance: for central government it is the Cabinet Office Data Handling Procedures, for Local Government the LGA/SOCITM Data Handling Guidelines (derived from the Cabinet Office procedures), and for the NHS, the very robust Information Governance Toolkit. Each of these contains explicit directions that a serious DPA breach be reported to the ICO.

There is, of course, no such guidance for the “private sector” (although the ICO encourages data controllers, whether public or private sector, to self-report breaches).

Similarly, public sector organisations are subject to public law obligations and public-law-based corporate governance procedures which create an expectation that any breaches be self-reported and an expectation that they will agree to a suggestion by the ICO of a consensual audit.

Private sector organisations, while they have corporate governance obligations, are quite different. Responsibility to shareholders or owners is not the same thing as a public obligation.

What this means is that there are huge questions about how representative is the sample of audited organisations cited by the ICO in support of the contention that the “private sector leads the way on data protection compliance”. Additionally, the numbers used to draw this conclusion are so small that, even if the sectors were fully comparable, I doubt whether they would have statistical significance.

I’m not going to list the numerous examples of private sector poor compliance which arguably give lie to the ICO’s contention. I’m not even going to moan much about the fact that we will see this headline unthinkingly regurgitated over the following weeks.

But what I am going to say is I think this was an irresponsible press release. It was irresponsible because I simply cannot accept the universal premise of a statement that “the private sector leads the way on data protection compliance”. And because I can imagine that, somewhere, while a public sector data protection officer is shrugging his or her shoulders and going about his or her task with an extra dose of world-weariness, somewhere else, a private sector management board is thinking that perhaps it doesn’t need to worry too much about data security, and regulation by the ICO.

UDPATE: 12.10.12

I’ve had an email from a nice spokesman from the ICO press office, who wanted to give some further context, and clarified one point. He said

Motivation for agreeing to audit is undoubtedly a relevant context to the results we published, particularly given that, as you highlight, the ICO doesn’t have the power to compel organisations to submit to an audit. It isn’t true, though, that public sector audits are often the result of self-reported data breaches. In fact, most of our audits come from the ICO writing to organisations and asking them to volunteer, not as a direct result of a breach being reported.

Fair point, and I’m happy to clarify that most times the ICO invites organisations to volunteer for an audit not as a direct result of a breach being self-reported. Although I am pretty certain the ICO would not be sending that invite if he hadn’t determined, either as a result of a self-reported breach, or a complaint from a data subject, that there had been a breach of the DPA.

The spokesman went on to say

This is much the same as our approach to the private sector, though fewer private sector firms take up the opportunity, as we highlight in our report (perhaps due to the responsibility to shareholders versus public obligation argument you highlight in your blog).

I’m glad that there is, there, an implicit admission that audited public and private sector data controllers are not directly comparable. I rather wish the press release had said this.

But this next bit I’m not sure about

One of the purposes of this type of press release is to increase that take up and share best practice, by highlighting the availability of our audits.

Now, I’ve often, when training external (public sector) organisations, suggested to them that, if they feel relatively confident about their data protection compliance, they should consider inviting the ICO to audit them, because their auditors are fair, thorough and experienced (by the way, I advise those who are not confident about their compliance to get a consultant in first…). However, I’m not sure I could so readily recommend the ICO audit now, given what I maintain are the unfair comparisons which were drawn in this press release. Indeed, two public sector officers have now stated to me on twitter that this has actively dissuaded them from volunteering for an audit. That cannot be good.


Filed under Breach Notification, Data Protection, Information Commissioner

Data Security and Churnalism

On the lazy reporting of a silly story about increases in data breaches

Over the past couple of days the following have all published stories on the fact that data breaches in the UK have “rocketed” or “spiked” by an “alarming” 1000% over the last five years.

Computer Business Review
Techweek Europe
The Nextweb
Public Service
Help Net Security
SC Magazine
The Register
Computer World UK

These are mostly well-respected news sources, serving either the tech industries or the public sector. All of them report this story as though the news that self-reporting to the Information Commissioner of serious data breaches is a bad thing. I’ve given the links to the stories not because I want to increase their clicks, but to show the remarkable similarity between them. This is not surprising, as they are all picking up on a press release by Imation (ironically, as a non-hack, I don’t have access to it) which was issued following an FOI request to the Information Commissioner. The response to the request showed that, indeed, in 2007-08 the number of breaches reported to the ICO was 79, and in 2011-12 it was 828. But does that really mean that “Data breaches in the UK have increased tenfold in the past five years” as the BBC put it?

The answer, certainly, is “no”.

The reporting of breaches has increased by that proportion. But that is not particularly surprising. As far as I recall the first guidance issued by the ICO on reporting serious breaches was only issued in July 2010.  Before that while there may have been an inferrable assumption that serious breaches should be reported, there was not much in the way of clear direction or expectation until relatively recently. This expectation has become much more explicit since the ICO gained powers to issue civil monetary penalties for serious breaches. Now, all major data controllers know that when there is a serious breach of data security it needs to be reported to the ICO (and for telecoms providers, there is a lawful requirement to do so under the Privacy and Electronic Communications (EC Directive) Regulations 2003).

But is it a bad thing that numbers of reported incidents has increased? Of course not. All breaches of data security are to be regretted, and lessons learnt to avoid they don’t recur. But data controllers need to be encouraged to recognise breaches, and put their hands up when they happen. The ICO even considers self-reporting to be a mitigating factor when assessing what action he should take.

I doubt that many, if any of the people writing for the websites I link to above really think that data security breaches (rather than reports of breaches) have increased 1000% over five years. I’m sure their writers and reporters are very busy, and an eye-catching press release makes for easy copy. But these websites (with the execption of the BBC) are important and specialist sources of information. For them to resort to “churnalism” (a form of journalism in which press release…are used to create articles…without undertaking further research or checking) at the expense of common-sense, especially when it might lead to greater reluctance to self-report, is greatly to be regretted.









1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner, PECR