Category Archives: Data Protection

A bad day in court

If the Information Commissioner (IC) reasonably requires any information for the purpose of determining whether a data controller has complied or is complying with the data protection principles, section 43 of the Data Protection Act 1998 (DPA) empowers him to serve a notice on the data controller requiring it to furnish him with specified information relating to compliance with the principles. In short, he may serve an “information notice” on the data controller which requires the latter to assist him by providing relevant information. A data controller has a right of appeal, to the First-tier Tribunal (Information Rights) (FTT), under section 48 DPA.

These provisions have recently come into play in an appeal by Medway Council of an IC Information Notice. That it did not go well for the former is probably rather understating it.

It appears that, back in 2012, Medway had a couple of incidents in which sensitive personal data, in the form of special educational needs documents, was sent in error to the wrong addresses. Medway clearly identified these as serious incidents, and reported themselves to the IC’s Office. By way of part-explanation for one of the incidents (in which information was sent to an old address of one of the intended recipients), they pointed to “a flaw in the computer software used”. Because of this explanation (which was “maintained in detail both in writing and orally”) the ICO formed a preliminary view that there had been a serious contravention of the seventh data protection principle (which is, let us remind ourselves, “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”). Moreover, the ICO served a Notice of Intent to serve a Monetary Penalty Notice (MPN). Upon receipt of this, it appears that Medway changed their explanation and said that the incident in question was a result of human error and that there was “no evidence of a ‘system glitch’”. It appears, however, that the ICO was concerned about discrepancies, and insufficient explanation of the change of position, and served a section 43 information notice requiring Medway to “provide a full explanation of how the security breach on 10 December 2012 occurred”. This was the notice appealed to the FTT.

However, during the FTT proceedings a third explanation for the incidents emerged, which seemed to combine elements of human error and system glitches. This was, observed the FTT, most unsatisfactory, saying, at paragraphs 28 and 29:

not only is this a third explanation of the breach but it is inconsistent with the other 2 explanations and is internally incoherent… The Tribunal is satisfied that there is still no reliable, clear or sufficiently detailed explanation of the incident to enable the Commissioner to be satisfied of:

a) what went wrong and why,
b) whether there was any prior knowledge of the potential for this problem,
c) what if any procedures were in place to avoid this type of problem at the relevant date,
d) why the Commissioner and the Tribunal have been provided with so many inaccurate and inconsistent accounts.

But even more ominously (paragraph 30)

The evidence provided to the Commissioner and the Tribunal has been inconsistent and unreliable and the Tribunal agrees with the Commissioner that it is reasonable that he should utilize a mechanism that enables him to call the Council to account if they recklessly [make] a statement which is false in a material respect in light of the various contradictory and conflicting assertions made by the Council thus far

The words in italics are from section 47(2)(b) DPA, and relate to the potential criminal offence of recklessly making a material false statement in purported compliance with an information notice.

Finally, Medway’s conduct of the appeal itself came in for criticism: inappropriate, inconsistent and insufficient redactions were made in some materials submitted, and some evidence was sent in with no explanation of source, date or significance.

It is rare that information notices are required – most data controllers will comply willingly with an ICO investigation. It is even more rare that one is appealed, and maybe Medway’s recent experience shows why it’s not necessarily a good idea to do so. Medway may rather regret their public-spirited willingness to own up to the ICO in the first place.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, information notice, Information Tribunal, monetary penalty notice

The cost of retaining old records

In 2008 the Law Society estimated that it held in storage 3.5 million files, in 180,000 boxes, at a cost of some £500,000 per annum. Those numbers can only have increased considerably since then. These are files gathered as a result of interventions in law firms by the Solicitors Regulation Authority (SRA) which, although an independent body, is administered and funded by the Law Society. An intervention involves the closing down of a firm, and the seizure of all money held by the firm (including clients’ money) and all documents and papers that relate to its clients, including files and accounting records. What happens to the money has been the subject of much analysis, and litigation, and the position is reasonably settled. But what happens to the files is less clear. Until 2001 the Law Society was of the opinion that it had the power to destroy obsolete files, but its confidence in that stance waned, and in The Law Society (Solicitors Regulation Authority) [2015] EWHC 166 (Ch) it sought, under paragraph 9(10) of the Solicitors Act 1974 (“the Society may apply to the High Court for an order as to the disposal or destruction of any documents [or other property] in its possession by virtue of this paragraph”) an order that it could destroy

non-original documents seized from 885 firms, totalling around 1.5 million files (the equivalent of some 109,600 boxes), the destruction of which would produce an estimated annual saving of £344,000 per annum

In making an order to that effect Iain Purvis QC, sitting as a Deputy Judge of the Chancery Division, noted that the risks in doing so were low: it was highly unlikely that any person would need the documents in question. That low risk needed to be balanced against the data protection risks in retaining the documents (it was observed that permanent retention was likely in contravention of the fifth data protection principle in the Data Protection Act 1998) and the high costs of doing so. Moreover, the judge took into account that a responsible law firm would have had a document destruction policy under which the documents in question would have been unlikely to have survived. And finally, he considered whether there were any alternative measures which could be adopted, but the obvious ones – scanning the documents, or writing to the original clients – were prohibitively expensive.

What the judge declined to do was to make a formal declaration to the general effect that the SRA had the power to destroy documents (without the need for a court order). Although he accepted that such power did exist under paragraph 16 of Part II of Schedule 1 of the 1974 Act, the application he was hearing was unopposed, and so a declaration would have no obvious legal effect.

Nonetheless, the Law Society cannot be unpleased with an order which should save them almost £350,000 per annum. Document storage is not cheap, and excessive retention is both unnecessary and inherently risky in data protection terms. Most organisations don’t have the complex statutory underpinning of their functions as the Law Society does in this regard. A comprehensive and robust document retention policy can save a lot of money.


Filed under Data Protection, records management

Helping the ICO with databreach alerts?

Last weekend I noticed some tweets from the ever-vigilant Dissent Doe. She said

I’ve spent 5 min on NHS’s web site and still can’t figure out how/where to report or question an IT security issue. Anyone?…It’s 2015. It really shouldn’t be so hard to find a contact email to use to notify an entity of a security breach or vulnerability…So I finally said, “screw this waste of my time,” and emailed @ICOnews to alert them and ask them to pass the notification to #NHS

Knowing that she wouldn’t tweet this without good reason I made contact, and she referred me to a list of what looked like serious data security vulnerabilities on a range of NHS websites. The list had been posted openly on the internet by a well-known hacker (for obvious reasons I won’t link to it).

In response, I contacted an NHS Information Governance professional, who quickly pointed me towards the IG Alliance. I sent emails to two people, but have not yet had a reply. I even tweeted Tim Kelsey, the NHS’s National Director for Patients and Information, but he didn’t reply. Eventually, a contact managed to contact someone else (I’m being deliberately vague) and I have some reassurance that action will now be taken.

But when I told Dissent Doe this, earlier today (06.02.15) she, although pleased at that outcome, expressed surprise that she had not heard anything from the Information Commissioner’s Office (ICO), whom she had alerted last Sunday. I told her that this had been my, and others’, experience when reporting serious concerns about data protection and data security. The ICO is tremendously over-stretched, and can’t immediately respond to all queries and concerns raised, but there is a community of knowledgeable and dedicated professionals who can help. One of the ICO’s main regulatory roles is, after all

to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers

Indeed, I’ve written on the subject before, and suggested this

I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.

I didn’t get a comment from the ICO when I wrote that previous post, but I also didn’t ask them for one. This time I will, and I’ll report back on what their response is.


Filed under Breach Notification, Data Protection, Information Commissioner

Labour’s “HowManyOfMe” – legitimate use of the electoral register?

Is Labour’s shiny new web widget “HowManyOfMe” compliant with the party’s obligations under electoral and ePrivacy law?

Regulations 102 and 106 of the Representation of the People (England and Wales) Regulations 2001 (as amended)[1] mean that registered political parties can apply for a copy of the full electoral register, but they can only supply, disclose or make use of the information therein for “electoral purposes”. As far as I can see “electoral purposes” is nowhere defined, and, accordingly, I suspect it permits relatively broad interpretation, but, nevertheless, it clearly limits the use a political party can make of electoral registration information.

With this in mind, it is worth considering whether the apparent use of such information by the Labour Party, in a new website widget, is a use which can be described as “for electoral purposes”. The widget in question invites people to submit their name (or indeed anyone else’s), email address and postcode and it will tell you how many voters in the country have that name. Thus, I find that there are 393 voters who have the name “Christopher Graham”. The widget then encourages users to register to vote. In small print underneath it says

in case you’re interested, this tool uses an aggregate figure from the electoral register and we’ve taken steps to protect the privacy of individuals

Well, I am interested. I’m interested to know whether this use of the electoral register is purely for electoral purposes. If it is, if its purpose is to encourage people to register to vote, then why does it need an email address? The widget goes on to say

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point. You can see our privacy policy here.

But if they are using the electoral register to encourage people to give up email addresses which may then receive political marketing, surely this is stretching the use of “for electoral purposes” too far? Moreover, and despite the small print privacy notice, and the almost-hidden link to a generic privacy policy, any emails received by individuals will be likely to be sent in contravention of Labour’s obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which give effect to the UK’s obligations under Directive 2002/58/EC. This is because regulation 22 of PECR prohibits, in terms, the sending of electronic direct marketing (and promotion of a political party constitutes such marketing) without the prior consent of the recipient. Consent, the Directive tells us, must be “a freely given specific and informed indication of the user’s wishes”. A vague description, as the widget here gives us, of what may happen if one submits an email address, and a statement about unsubscribing, do not legitimise any subsequent sending of direct marketing.

The email address I used is one I reserve for catching spammers; I’ve not received anything yet, but I expect to do so. I would be prepared to argue that any email I receive cannot be said to relate to the electoral purposes which permit use of the electoral register, and will be sent in contravention of PECR. As I said recently, one of the key battlegrounds in the 2015 general election will be online, and unless action is taken to restrain abuse of people’s personal information, things will get nasty.

[1] legislation.gov.uk doesn’t provide updated (“consolidated”) versions of secondary legislation, so there’s no point in linking to their version of the regulations.


Filed under consent, Data Protection, marketing, PECR, privacy notice

Online privacy – a general election battleground

It’s becoming increasingly clear that one of the key battlegrounds in the 2015 General Election will be online. The BBC’s Ross Hawkins reports that the Conservatives are spending large amounts each month on Facebook advertising, and Labour and UKIP, while not having the means to spend as much, are ramping up their online campaigning. But, as Hawkins says

the aim is not to persuade people to nod thoughtfully while they stare at a screen. They want consumers of their online media to make donations or, even better, to get their friends’ support or to knock on doors in marginal constituencies…[but] for all the novelties of online marketing, email remains king. Those Tory Facebook invoices show that most of the money was spent encouraging Conservative supporters to hand over their email addresses. Labour and the Conservatives send emails to supporters, and journalists, that appear to come from their front benchers, pleading for donations

I know this well, because in July last year, after growing weary of blogging about questionable compliance with ePrivacy laws by all the major parties and achieving nothing, I set a honey trap: I submitted an email address to the Conservative, Labour, LibDem, Green, UKIP, SNP and Plaid Cymru websites. In each case I was apparently agreeing with a proposition (such as the particularly egregious LibDem FGM example), giving no consent to reuse, and in each case there was no clear privacy notice which accorded with the Information Commissioner’s Office’s Privacy Notices Code of Practice (I do not, and nor does the ICO, at least if one refers to that Code, accept that a generic website privacy policy is sufficient in cases like this). Since then, the fictional, and trusting but naive, Pam Catchers (geddit??!!) has received over 60 emails, from all parties contacted. A lot of them begin, “Friend, …” and exhort Pam to perform various types of activism. Of course, as a fictional character, Pam might have trouble enforcing her rights, or complaining to the ICO, but the fact is that this sort of bad, and illegal, practice is rife.

To be honest, I thought Pam would receive more than this number of unsolicited emails (but I’m probably more cynical than her). But the point is that each of these emails was sent in breach of the parties’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which demands that recipients of electronic direct marketing communications must have given explicit consent prior to the sending. By extension, therefore, the parties are also in breach of the Data Protection Act 1998 (DPA), which, when requiring “fair” processing of personal data, makes clear that a valid privacy notice must be given in order to achieve this.

The ICO makes clear that promotion by a political party can constitute direct marketing, and has previously taken enforcement action to try to ensure compliance. It has even produced guidance for parties about their PECR and DPA obligations. This says

In recent years we have investigated complaints about political parties and referendum campaigners using direct marketing, and on occasion we have used our enforcement powers to prevent them doing the same thing again. Failure to comply with an enforcement notice is a criminal offence.

But by “recent” I think they are referring to action taken at least six years back.

A data controller’s compliance, or lack thereof, with data protection laws in one area is likely to be indicative of its attitude to compliance elsewhere. Surely the time has come for the ICO at least to remind politicians that online privacy rights are not to be treated with contempt?


Filed under consent, Data Protection, enforcement, Information Commissioner, marketing, PECR, privacy notice

No data protection “fines” for audited NHS bodies

UPDATE: 03.02.15 GPOnline have commendably now amended their piece on this END UPDATE

GPOnline warns its readers today (02.02.15) that

GP practices face compulsory audits from this month by the information commissioner to check their compliance with data protection laws, and could be fined heavily if they are found to have breached rules.

While it’s good that it is on the ball regarding the legal change to the Information Commissioner’s Office (ICO) audit powers, it is, in one important sense, wrong: I can reassure GP practices that they are not risking “fines” (more correctly, monetary penalty notices, or MPNs) if breaches of the law are found during an ICO audit. In fact, the law specifically bars the ICO from serving an MPN on the basis of anything discovered in the process of an audit.

Under s41A of the Data Protection Act 1998 (DPA) the ICO can serve a data controller with a notice “for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles”. Until yesterday, this compulsory audit power was restricted to audits of government departments. However, the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014, which commenced on 1 February 2015, now enables the ICO to perform mandatory data protection audits on NHS bodies specified in the schedule to the Order. Information Commissioner Christopher Graham has said

We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens

And I think he chose those words carefully (although he used the legally inaccurate word “fine” as well). Section 55A of the DPA gives the ICO the power to serve a monetary penalty notice, to a maximum of £500,000, if he is “satisfied” that there has been a serious contravention of the DPA by the data controller, that it was of a kind likely to cause substantial damage or substantial distress, and that the data controller knew or ought to have known that this would happen. However section 55A(3A) provides that the ICO may not be so “satisfied”

by virtue of any matter which comes to the Commissioner’s attention as a result of anything done in pursuance of…an assessment notice

The policy reason behind this provision is clearly to encourage audited data controllers to be open and transparent with the ICO, and not to be punished for such openness. GP practices will not receive an MPN for any contraventions of the DPA discovered during or as a result of a section 41A audit.


Filed under Data Protection, Information Commissioner, monetary penalty notice, NHS

Abuse survivors’ names published on home affairs committee website

Last week, in a testy exchange with Ben Emmerson QC, the Chairman of the House of Commons’ home affairs select committee, Keith Vaz, trumpeted his committee’s commitment to transparency. The committee was taking evidence on the Independent panel inquiry into child sexual abuse and, at one point, Mr Emmerson QC, who had been heavily criticised by panel member Sharon Evans at a previous committee session, was keen to know whether a letter she had written had been, as Mr Vaz had previously indicated, published on the committee’s website. Mr Vaz replied (at 16:34:46)

Yes, yes, all letters that we receive – we don’t believe in suppressing information. This is Parliament so we put everything on the website

However, it now transpires that, when he said “everything”, this might have been taken too literally. It appears that not just correspondence might have been published, but, also, the names of four survivors of abuse. Sky News reports that

Survivors of child sex abuse have received death threats after their personal details and confidential communications with an abuse inquiry were published online.

Members of the group have written to the Home Secretary expressing “grave concern” about the publication of documents they say were leaked by a member of an abuse inquiry panel

In response, Mr Vaz, the Telegraph reports, said “The names of all these individuals were already in the public domain”.

However, just because names of victims or alleged victims of sexual offences are in the public domain does not provide a defence, for instance, to a charge under section 5 of the Sexual Offences (Amendment) Act 1992, (SO(A)A) which provides lifetime anonymity for such people, insofar as no publication may be made of their name, or address, or a still or moving picture of them.

Moreover, even if personal data is in the public domain, the provisions of the Data Protection Act 1998 (DPA) apply, and in the absence of a legal basis for publication, there will be a contravention of that Act if personal data is published unfairly. Given that complaints have been made about this publication, it certainly seems to be the case that the data subjects did not consent to such publication, and would not have had a reasonable expectation that it would happen. That would tend to suggest unfair processing.

I have written before about the dangers of inadvertently disclosing personal data in pursuance of an over-eager transparency agenda. It may be that Mr Vaz’s commitment to transparency on the part of his committee has realised these dangers.

However (and contrary to what I suggested in the first draft of this post – thanks Rich Greenhill) it appears that information published by a parliamentary committee is likely to be covered by parliamentary privilege (pages 58-59 of the Select Committee Red Book), and Greg Callus informs me that I failed to check the early-Victorian statute book – the Parliamentary Papers Act 1840 lays the basis for parliamentary privilege. This would probably provide a defence to a charge of breach of SO(A)A, but it wouldn’t necessarily completely oust the regulatory jurisdiction of the Information Commissioner, in the event that the publication was inadvertent, as opposed to deliberate, and to the extent that it evinced a lack of organisational and technical measures to safeguard against unlawful or unfair processing of personal data (in contravention of the seventh data protection principle). This is because the DPA exemption (section 35A) applying to parliamentary privilege does not cover the seventh principle. However, I’m sure this is purely an academic question.


Filed under Data Protection, sexual offences amendment act, transparency

Up a gum tree

Data protection law doesn’t prevent disclosure of personal data where not doing so would be likely to prejudice criminal justice purposes

Theft of a bicycle may not be the most serious crime ever. However, crime it is, and any omission by a person which is likely to prejudice the detection of that crime or the apprehension or prosecution of the thief is, in societal terms, to be deplored. This is why, when the omission in question would be a failure by a data controller to disclose personal data to the police which would be likely to assist in the detection of the crime or the apprehension or prosecution of the thief, the Data Protection Act 1998 (DPA) provides an exemption to the general presumption in the Act against disclosure, which authorises such disclosure.

Section 29 of the DPA is often misunderstood. It is quite common, particularly in certain sectors (social services, housing etc.) for data controllers to be contacted by the police, or other bodies with powers to investigate crime, asking for disclosure of information about people whose personal data the data controller holds. Data protection officers will often talk of a “section 29 request”, but this is really just shorthand for saying “the police etc. have requested disclosure of personal data from this data controller and the section of the DPA which is engaged and under whose provisions we would be authorised to disclose would be section 29”.

With this in mind it is surprising to read in The Daily Record that police are unable to trace a person who had the gall to post an advert on the classified ad site Gumtree purporting to offer for sale a bike stolen from outside a gym in Edinburgh. According to the article police have told the owner of the bike, who spotted the advert, that

…officers could not act because of data protection laws…Due to data protection laws, a warrant must be applied for before police can access personal information held by the site.

The reference to a warrant, however, is surely excessive. The article also refers to the police “waiting to hear back” from Gumtree. Section 29(3) of the DPA allows Gumtree to disclose the details of the person who placed the advert, by exempting them from the general obligation to comply with the first five data protection principles and sections 10 and 14(1) to (3) (collectively referred to as the non-disclosure principles). Failure to exercise this power by a data controller, or a delay in doing so, in circumstances where such a failure would be likely to prejudice the police’s duties is detrimental to the public interest. One hopes that, if the article is correct, Gumtree will now act in that public interest and disclose the details without delay.


Filed under Data Protection, data sharing, police, Uncategorized

What a difference an “s” made

Inaccuracy in personal data can be damaging. Inaccuracy in company data even more so…

By the interplay of section 4(4) and the fourth principle of Schedule One of the Data Protection Act 1998 (DPA) a data controller has an obligation to ensure that “personal data shall be accurate and, where necessary, kept up to date” (although if the data controller has taken reasonable steps to ensure the accuracy of the data the principle will not have been contravened). A failure to comply with this obligation in circumstances which lead to damage on the part of the data subject can give rise to a claim for compensation.

“Personal data”, of course, is data which relates to a living individual who can be identified from that data or from that data in conjunction with other information. But what obligation is there on a relevant organisation to process data on non-natural persons accurately? Can, for instance, a duty, breach of which may give rise to a claim in negligence, be owed to a company by Companies House which requires the latter to record data about the former accurately? This question was the key one of three preliminary issues to be determined by Mr Justice Edis in a recent case in the High Court.

The claim was brought by the person who had been Managing Director of “Taylor and Sons Limited”, a firm which, admittedly, had “suffered a setback because of the recession and the banking crisis” but traced its roots back to the late 18th Century. Nonetheless, it was in the process of taking steps to raise money, reduce costs and diversify its customer base. However, at the same time, a company called “Taylor and Son Limited” (note “Son” singular) was the subject of a winding-up order in the Chancery Division of the High Court under the provisions of the Insolvency Act 1986. The judgment describes what happened next

The Order, which did not include the company number, was received by Companies House on the 12th of February 2009, on which date a bar-code confirming receipt was affixed. On 20th of February 2009 the CHIPS system (the Companies House computer system on which the information concerning registered companies is kept) was amended by the registration of the Order, not against Taylor & Son Limited, as it should have been, but against Taylor & Sons Limited, the Company… The error in this case was, therefore, describing a company as being in liquidation when it was not.

For a short period of time, therefore, until the error was noticed by Taylor and Sons’ accountant and auditor, and amended, Companies House records were incorrect. However, and crucially, Companies House also creates and distributes what are known as “bulk products” which it sells to clients who then distribute the contents in turn to their clients. In essence these are bulletins summarising company liquidation news for those who have need to access it quickly. News of Taylor and Sons’ apparent liquidation was included in these bulk products, and, the court found, no real attempt was made to correct the false information. In short, the error was neither decisively nor widely corrected, and not quickly.

What happened next to the company was deleterious – it went into Administration on 9th April 2009:

the Company ran out of cash and the Bank would not lend it any more….its suppliers demanded to be paid up to date before supplying any further goods or services rather than allowing the usual 30 days credit which actually extends to 90 days in real life

The questions the court had to determine were: did the error by Companies House cause the failure of the company? And did Companies House owe a duty of care to the company to record data about it accurately? (The defendant conceded that, if there was such a duty, it had been breached.)

In answer to the first, the court heard detailed and compelling submissions from the claimant, and found the causation point proved:

There is no evidence of any other precipitating factor, and the suggestion made by the Defendants that actions of others or of the Company in addressing the consequences of the error were new causes which break the chain of causation between the error and the administration are without foundation.

As to whether a duty of care was owed, the judge was reluctant to hold that a statutory duty existed under the provisions of the Companies Act 1996, and, in any case, did not have to decide that point, because he held that a common law duty existed, following the three-stage test in Caparo Industries v. Dickman [1990] 2 AC 605:

the Registrar owes a duty of care when entering a winding up order on the Register to take reasonable care to ensure that the Order is not registered against the wrong company. That duty is owed to any Company which is not in liquidation but which is wrongly recorded on the Register as having been wound up by order of the court. The duty extends to taking reasonable care to enter the Order on the record of the Company named in the Order, and not any other company

So, because of the addition of an “s”, a company went under, and Companies House is facing a damages claim which the Telegraph suggests might run to £9 million.

One doubts that an inaccuracy in personal data would ever give rise to a claim that high.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under accuracy, Data Protection

The ICO and records management

“The Tribunal is in an unusual position in respect of this Appeal…”

The Freedom of Information Act 2000 (FOIA) requires a public authority, when someone makes a request for information, to say whether or not it holds it, and if it does, to disclose that information to the requester (subject to the application of any exemption). But what if it doesn’t know whether it holds it or not? What if, after it has said it can’t find the information, and after the Information Commissioner’s Office (ICO) has accepted this and issued a decision notice upholding the authority’s approach, it then discovers it held it all along? This is the situation the First-tier Tribunal (FTT) recently found itself faced with.

The facts of the case are relatively complex, but the issues turned on whether briefing notes, prepared for the Mayor of Doncaster Metropolitan Borough Council (DMBC) in the lead-up to a decision to withdraw funding for DMBC’s United Nations Day, could be found. The ICO had determined, in Decision Notice FS50503811, that:

Ultimately the Commissioner had to decide whether a set of briefing notes were held by the Council. His decision, on the balance of probabilities, is that it does not

The requester appealed to the FTT, which, after initially considering the matter on the papers, ordered an oral hearing because of some apparent inconsistencies in DMBC’s evidence (I have to be frank: what exactly these were is not really clear from the FTT’s judgment, at paragraph 27). However, prior to that oral hearing DMBC located the briefing notes in question, so:

the focus of the oral hearing was limited simply to establishing whether, at the time of the information request by the Appellant, DMBC knew that it held the information in the light of the searches that it had made in response to the Information Commissioner’s enquiries prior to his issuing the Decision Notice

In determining that it was satisfied that DMBC did not know, at the time of the request, that it held the information, the FTT was swayed by the fact that “even during the Information Commissioner’s enquiries, DMBC had maintained it had nothing to gain from ‘hiding’ the briefing notes”, but also by the fact that DMBC owned up to poor records management practice in the period leading up to the request:

In many senses it is more embarrassing for DMBC now to admit the truth that it had, historically, an unreliable and ineffective Records Management system than to continue to maintain that it could not find the requested information

It doesn’t surprise me that the FTT found as it did. What does surprise me, however, is that records management is not given a greater focus by the ICO. Although FOIA is not, primarily, a records management act, it does contain provisions relating to records management. Powers exist to help improve practice both generally (through guidance) and specifically (through the use of practice recommendations). As I’ve written before:

section 46 of FOIA [requires] the Lord Chancellor to issue a code of practice for management of records. Section 9 of that Code deals with the need to keep records in systems that enable records to be stored and retrieved as necessary, and section 10 with the need to know what records are held and where they are.

Under section 47 of FOIA the [ICO] must promote the following of good practice by public authorities and perform his functions so as to promote the observance by authorities of the section 46 Code, as well as the requirements of the Act in general. And under section 48 he may issue a “practice recommendation” if it appears to him that the authority has not conformed with the section 46 Code. In investigating compliance with the Code he has the power (section 51) to issue an “information notice” requiring the authority to furnish him with the information. Failure to comply with an information notice can, ultimately, constitute contempt of court.

I appreciate that the ICO has a lot on its hands, but good records management is so very integral not just to good FOIA compliance, but also to good compliance with the other major statute the ICO oversees – the Data Protection Act 1998. Greater focus on records management could drive better overall compliance with information rights law.



Filed under Data Protection, Freedom of Information, Information Commissioner, records management