Category Archives: Data Protection

June 21, 2013 · 7:50 am

ICO Social Media Guidance – Shirking Responsibility?

The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.

The Guidance

Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public on Social networking and online forums when does the DPA apply? The short answer, applying European law, should be “always”. But this would a) make the guidance rather short, and b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.

The guidance says

The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes

There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.

The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.

This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.

The Law

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that

This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity

and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing

of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

These provisions are given domestic effect in section 36 of the DPA, which says

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]

In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that

[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people

Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said

the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]

Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.

The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says

the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication

Try as I might I cannot square this with ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation that

There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…
One might take a moment to reflect on what is being said here. The paper’s author appears to understand the meaning of Lindqvist, regarding the lack of exemption for information posted openly on the internet, but says the ICO doesn’t (wholly) accept what is the binding decision of the ECJ.
One possible justification for the position lies in the additional wording Parliament inserted into section 36 of the DPA relating to “recreational purposes” (although, as I note above, the new guidance doesn’t put much emphasis on this). It is perhaps possible to construe – as the ICO clearly does – this to permit the section 36 exemption to extend to internet publication of personal data. Indeed, the apparently interminable infraction proceedings brought against the UK by the European Commission (tracked doggedly by Dr Chris Pounder) for numerous examples of apparent lack of proper domestic implementation of the Directive include criticism that
the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.
However, even if this addition of “recreational purposes” to the UK statutory scheme arguably extends – perhaps impermissibly – the ambit of the exemption, the ICO was told in unequivocal terms in The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB) that
The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully
In Kordowski the ICO had been asked by the Law Society to intervene to prevent the publication of defamatory and unfair postings on a website called “Solicitors from Hell”. The ICO had declined, citing – in a letter to the Law Society – the domestic purposes exemption as the reason for not investigating
I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.
Tugendhat J expressed his sympathy
with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works
but said that the ICO had an obligation to investigate a complaint “where there is no room for argument that processing is unlawful”.
The ICO (in the form of David Smith, the Deputy Commissioner responsible for data protection) has argued that the mistake the ICO made in the Kordowski matter was in holding that the site owner and administrator (Kordowski himself) was covered by the section 32 exemption. He does not appear to accept that the people submitting the “ratings” and comments about solicitors were not covered by the same
we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]
While this is an interesting argument, that the site owner, as clearly the primary data controller, holds some sort of primary liability for publication on his or her site, while those posting on it are exempt because of the domestic purposes exemptions, it is hugely problematic. This is because, firstly, it is inconsistent with the judgment in Lindqvist and, secondly, becuase it tends towards an illogical argument that an individual commenter on a site, perhaps a social media site, posting a defamatory, or even a criminal, statement, does so only for domestic purposes.
European developments
In Kordowski the judge’s sympathy rested in part on the fact that the DPA, and the ICO who must regulate it, are creatures of the 1995 Directive
In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities
In Janaury 2012 the European Commission began the lengthy process of introducing a new European data protection framework. The draft General Data Protection Regulation (GDPR) retains exemption provisions for domestic activities, and introduces new concepts: Article 2(2) states
This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]
and Recital 15 explains
This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]
This might shift the scenery set by Lindqvist to a degree, and it is possible that the ICO’s guidance, although dealing with the current DPA, was written with an eye on the European developments. Indeed, the rest of Recital 15 says
the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
However, it is to be noted that Peter Hustinx, the European Data Protection Supervisor, did not think the draft domestic purposes provisions of the GDPR were adequate
Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes ona wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall underthe exemption.
But a final development has occurred with the release on 31 May of Irish Presidency of the Council of the European Union’s Justice and Home Affairs draft compromise text which adds to Recital 15 the following words
Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
One wonders if the ICO was aware, when drafting his Social Media Guidance, of this development. However, and while it remains to be seen what the GDPR will ultimately say, much could still turn on what “undertaken within the context” means within Recital 15.
And we should not get ahead of ourselves. The ICO regulates the DPA, and as the (European) law currently stands, the act of referring to a person on the internet does not attract the domestic purpose exemption. The ICO guidance implies it might. Will this be challenged?

4 Comments

Filed under Data Protection, defamation, Europe, GDPR, Information Commissioner, social media

Tagged as ,

June 19, 2013 · 7:22 pm

CQC allegations and data protection

Data Protection laws have been said to be behind the decision not to name CQC officials alleged to have covered-up a damning internal report. Oh really? Well, yes, perhaps, I argue.

News bulletins today lead with the story that the Care Quality Commission apparently engaged in a cover-up of an internal review report critical of its oversight of University Hospitals Morecambe Bay in 2010, an NHS Trust now subject to investigations over the deaths of at least eight mothers and babies. The allegations of a cover-up were made by a whistleblower interviewed as part of an investigation by Grant Thornton, who were commissioned by CQC to look into its own activites. Potentially particularly damning are remarks at the time attributed to a senior manager at CQC regarding the alleged suppression on the original internal review report

Are you kidding me? This can never be in a public domain, nor subject to FOI

The Grant Thornton report, as published, has redacted the name of this senior manager and a colleague. And the Data Protection Act 1998 (DPA) is pleaded in defence of the redaction. As the Telegraph reports

The names of two individuals who ordered the destruction of evidence of the Care Quality Commission’s failure to investigate the University Hospitals of Morecambe Bay NHS Trust have been redacted from an official report…David Prior, the new chairman of the CQC, said that the names had been redacted because of “data protection concerns” and because the watchdog fears being sued…”to publish it with the names would breach the Data Protection Act.We would have been open to being sued on that basis”

As a number of people have pointed out, this is certainly questionable. Ben Bradshaw MP is reported by the Guardian as saying in Parliament that

the [Data Protection Act] allows exceptions in cases where protecting the public is an issue

and, in a thundering editorial, Health Policy Insight say the decision

is, quite simply, bullshit…Nor is it just a minor pellet of bullshit. This is epic, hog-whimpering and noxious bullshit…The Data Protection Act affords specific exemption at Section 55 2(d) “to a person who shows … that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”…Moreover, the Information Commissioner’s Office, which enforces the Data Protection Act, is explicit in its advice on Principles One and Two (those dealing with an individual personal data) that fairness is crucial: “it depends on whether it would be fair to do so … personal data must not be processed for any purpose that is incompatible with the original purpose or purposes”

While I admire the level of polemic, HPI are rather mistaken in their analysis of the DPA. And I submit that it was not necessarily wrong for David Prior to be advised that disclosure of the name of the person might breach the DPA. I would stress that I am not suggesting that those responsible for failures at CQC should not be accountable for those failure, nor, if it is true that the original internal review report was suppressed, that those who did so should not also be accountable. What I do suggest is that, on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage. I say this despite the parliamentary statement by the Secretary of State for Health, to the effect that he had not wanted the redactions, and that

There should be no anonymity, no hiding place, no opportunity to get off scot free for anyone at all who was responsible for this

(On this, we should perhaps remember the unlawful decision by Mr Bollocks [ed: Balls] peremptorily to require the dismissal of Sharon Shoesmith. Politicians are first and foremost politicians. They are not generally there to be lawyers or employers.)

The name of the person involved is clearly going to constitute “personal data” according the definition in section 1(1) of the DPA. And, for these purposes, the “data controller” (with whom lies the decision as to whether to disclose or redact, and to whom liability for a breach of DPA attracts) is CQC itself. HPI cite section 55(2)(d) of the DPA, which broadly provides that the offence of unlawfully obtaining personal data does not apply if it has been done in the public interest. This provision deals with a criminal offence of inter alia disclosing personal data without the consent of the data controller. This clearly does not apply here.

HPI are correct, however, in pointing to the first principle (as listed in Schedule One) of the DPA, and its reference to fairness (although they are talking nonsense when they refer to the first two principles being those “dealing with an individual personal data” [sic] – the whole of the DPA applies to an individual’s personal data). The first principle provides that the processing (and disclosure of a name will be “processing” under the DPA) of personal data must be fair and lawful.

When deciding whether names of public officials should be disclosed (albeit in response to a Freedom of Information request) the Information Commissioner (ICO) says

[the public authority] must decide whether disclosure would breach Principle 1 of the Data Protection Act (the DPA), ie whether it would be fair and lawful to disclose the information.

Whether the disclosure is fair will depend on a number of factors including:

the consequences of disclosure;

the reasonable expectations of the employees; and

the balance between any legitimate public interest in disclosure and the rights and freedoms of the employees concerned…

These are the factors CQC would need to take into account, and one can see that a balancing exercise would ensue. The consequences of disclosure – of what appear merely to be allegations – for the person or persons involved could be grave, and be an important factor in identifying what his or her rights and freedoms are. On the other side, there would be appear to be a clear public interest in disclosure, notwithstanding that, I repeat, these are mere allegations, on the basis that someone taking such a significant decision as to try (allegedy) to suppress publication of the adverse report should be accountable (as should the CQC as their employer) for such actions. The issue as to reasonable expectations is more difficult however. If the person or persons has been told in explicit terms that their name will not be disclosed, they may have very strong expectations that this will not happen. As to whether those expectations are reasonable, one would need to know the terms upon which any undertaking might have been given. Employment rights might well be engaged

Also to be considered is that the naming of the person or persons in circumstances in which it might subsequently transpire that the allegations were not true could give rise to a successful claim in defamation. Indeed, as Robin Hopkins has observed, DPA is increasingly used as a primary claim in actions involving defamatory publications.

I repeat, none of this is to defend the actions of CQC, nor, if the allegations are shown to be true, to defend the actions of anyone who suppressed the report. It is simply to say that the claim that the DPA might be engaged at this point, and potentially breached if disclosure of names happened. Disclosure, in a clearly fair and lawful way, might follow in due course.

I note that the Deputy Information Commissioner is reported tonight as saying

The Data Protection Act does not specifically prevent people being named publicly, but instead talks about using information fairly and considering what expectations of confidentiality people may have had when providing their personal information.

It is important the Data Protection Act is not used as a barrier to keep information out of the public domain where there is an overriding public interest in disclosure.

David Smith is a clever and astute man. He did not say the names should be revealed. That is revealing.

UPDATE 20.06.2013

My attention has been drawn to last night’s episode of BBC’s Newsnight on which David Smith’s boss, Information Commissioner Christopher Graham. As the BBC itself reports, he said

“This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear.

“You have to process data fairly, you have to take into account people’s expectation of confidentiality.”

He said that was “obviously” the case with patient data in particular.

But when it came to officials, “there you have to apply a public interest test”, he added.

He said he was “not convinced” the CQC had been correctly advised.

He ended his short interview by saying “I think [the CQC] are going to have to look at this again”.

Fair enough. He’s right and I’m wrong then? Well, no – he still didn’t by any means say that disclosure now had to happen (and, in his role, he would have been be very ill-advised to have done so).

And, prompted by further coverage, and a comment below by Dr Chris Pounder, who probably knows more about Data Protection than the entire staff at the ICO (and that’s not intended as an insult to the latter), I now feel that two other factors might be at play. First, if the allegations quoted in the Grant Thornton report amount to allegations of possible criminal offences (e.g. misconduct in a public office) then there is an arguable need to avoid prejudice to any police investigation. Second, if the person or persons referred to in the report have already taken steps to challenge its veracity – either as a whole, or in respect of specific comments attributed to the whistleblower – then it would be prudent of CQC not to disclose until that challenge (whether it be made informally, or as part of or precursor to legal proceedings) has played out.

That said, when the combined forces of the government and the Information Commissioner are leaning on the CQC at least to review the decision not to disclose names, it would be a bold move to continue to resist. They will though, no doubt, be advised that there remain potential legal risks in doing so, unless they are completely satisfied about the veracity of allegations in the report.

UPDATE 2, 20.06.2013

The CQC has now published the names previously redacted. The letter to the Secretary of State makes clear that

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

None of this changes my view that there was a clearly arguable legal basis for redaction. Data Protection is wrongly blamed for a lot of things but it was engaged in this instance.

This outcome also raises the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA. Am I wrong to hope that happens?

14 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Tagged as ,

June 18, 2013 · 12:10 pm

Cold Comfort for Cold Callers

In which I praise the ICO, and implore people to report nuisance callers.

I was in conversation with a group of friends recently, and the topic of nuisance calls came up. Each of my friends described continually receiving  unsolicited, often agressive, calls, despite the fact that they were registered with the Telephone Preference Scheme. I said they must complain to the Information Commissioner’s dedicated service because the ICO was now taking breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) seriously (actually, I didn’t say it in quite those terms, because although my friends like to deride me, I try not to give them too much ammunition). I got a lot of replies of “I might”, but also some of “it won’t do any good”. In support of the fact that it might do some good I was able point to the three recent civil Monetary Penalty Notices (MPNs) for breaches of PECR issued to Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms and DM Design Bedroom Ltd.

And today, two more MPNs have been issued, to two companies owned by “Save Britain Money Ltd” a company which, in what appear to be rather embarrassing circumstances for the BBC, is currently featuring in a fly-on-the-wall documentary series about call centres.

We need a regulator to take firm and public action for breaches of privacy laws, and it is pleasing to see the ICO doing so with nuisance callers. However, in order for practices to really change, nuisance callers need to be reported to the ICO, at every opportunity. The principle of a penalty pour encourager les autres only works if les autres are scared about what legal non-compliance can lead to.

And I note from a recent internal ICO report that, as at 10 June, both the DM Design and the McNeish MPNs were overdue for payment (Niebel has appealed his Notice). Penalties in the tens of thousands of pounds can potentially be ruinous for businesses. The ICO statutory guidance on MPNs provides that

a monetary penalty notice will not impose undue financial hardship on an otherwise responsible person

But this leaves open the possibility that an MPN might some times impose due hardship, on an otherwise irresponsible person. If future nuisance callers wilfully act irresponsibly, a financially-crippling MPN might not constitute undue hardship.

As someone who works in the public sector, and who trains other public sector partners in their obligations under the Data Protection Act 1998 (DPA), I can attest to the beneficial effect MPNs for DPA breaches (added to the willingness of the ICO to impose them) have had on data security and knowledge (it doesn’t half focus the minds of senior managers when you remind them that security vulnerabilities carry a risk of a £500,000 “fine”). Enforcement of the law does change things, and we should praise the ICO for what he is doing with nuisance callers, while continuing to report miscreants.

Now, how about some FOI enforcement…?

1 Comment

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice, PECR

Tagged as , ,

June 12, 2013 · 4:25 pm

Schools and Children’s Privacy

Parents, when confronted with the familiar complaint by a child that a parental decision “isn’t fair”, are entitled to say “I don’t care – what I say goes”.

Schools*, and their teachers, although acting in loco parentis, cannot necessarily do the same. Particularly in their role as public authorities they have obligations to act fairly and lawfully at common law, and under various statutes – not least the Human Rights Act 1998 (HRA). Article 8 of the European Convention on Human Rights, incorporated into domestic law by the HRA, famously provides everyone a qualified right

to respect for his private and family life, his home and his correspondence

Parents do not have to respect this in their dealings with their children: the latter cannot enforce the Article 8 right against a parent who demands access to their private correspondence, or who sends them to their bedroom for a spurious reason, or who uploads personal information to a dodgy cloud storage provider. Schools do have to respect the right – in loco parentis only goes so far.

I make this observation in light of research published by SafeGov.org and Ponemon Institute into the views of school staff on the use of cloud services in the education sector and the potential risks to student privacy. Among generally encouraging results (rejection of data-mining, seeing threats to student privacy as the top risk of cloud) was something less happy

Some schools admit to a conflict of interest regarding student privacy…47% say they might be tempted to trade student privacy for lower costs

If I were a child, or a parent, I would be tempted, in turn, to say “my (or my child’s) privacy is not yours to trade”. Rather, it is the school’s duty to protect that privacy, to the extent required by the law. Levels of privacy protection should not be related to cost (or only to the limited extent permitted by the second part of Article 8). Relatedly, the seventh principle of Schedule One of the Data Protection Act 1998 (DPA) requires a school, as data controller, to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

I would query whether a decision to adopt a software provider at lower cost, at the expense of student privacy, would be compliant with a school’s obligations under the DPA, or the HRA.

*I am talking about non-independent state schools

Leave a comment

Filed under Data Protection, human rights, Privacy, Uncategorized

Tagged as

June 7, 2013 · 12:26 pm

Transparency and the ICO

It is axiomatic that, under the Freedom of Information Act 2000 (FOIA), a requester is unlikely to know precisely what the information requested consists of. This means that a requester is at a (natural and fair) disadvantage if he or she wishes to challenge a refusal. How to argue, for instance, that the public interest favours disclosure of information, if you don’t know what the information is?

A requester will often be reliant, therefore, on the Information Commissioner (ICO), as independent regulator, or the judicial system, thoroughly to interrogate a public authority’s basis for non-disclosure.

Last year I made a FOIA request to the ICO’s office itself for copies of all Undertakings (not currently on their website) agreed by the ICO and data controllers following investigation of serious breaches of the Data Protection Act 1998.

The ICO kindly disclosed to me a large number of Undertakings, but withheld three, citing the exemption at section 22 of FOIA. This section provides an exemption to the general FOIA obligation to disclose information, if the information is held, at the time of the request, with a view to its publication at some future date (whether determined or not). Furthermore it must be reasonable in all the circumstances that the information should be withheld from disclosure until that future date. Section 22 is a qualified exemption, and, therefore, subject to the application of a public interest test. I was told by the ICO that the Undertakings

were not published at the time due to a risk of prejudice, in one case to a criminal trial and in the others to commercial interests. In light of your request we have revisited these considerations and find that they are still relevant

I’m a reasonable chap, and accepted that the ICO was well-placed to determine that the public interest did not favour disclosure. However, I thought they might be able to disclose the identities of the data controllers involved. So I made a FOIA request for that information.

This was also refused. I was told that one of the data controllers was News Group Newspapers and the Undertaking was

in connection with a cyber-security attack perpetrated against NGN for which criminal proceedings are ongoing. As we have previously indicated, the Undertaking will be published once the proceedings have been concluded

This was the case relating to a criminal trial, and it has now been published.

I was told though that the names of the other two data controllers were still exempt under section 22, as, even though the ICO accepted my argument

that prejudice is “unlikely to occur simply by disclosing the identity of the data controllers”, having consulted with the organisations involved, I am satisfied that there is a possibility that the release of even the identities could potentially damage the commercial interests of the Data Controllers

Well, after I waited a while, and then made a further FOI request, the names and Undertakings have now been disclosed. And I fail to see what the fuss was about: they related to some issues with residual data on legacy systems. I also fail completely to understand how, in any conceivable way, disclosure of the names of the Councils involved could have caused prejudice to their commercial interests, and I’d invite anyone else to explain to me how it could. If I am right, the argument that it was reasonable in all the circumstances that the information should be withheld from disclosure until a later date, and, indeed, the argument that the public interest favoured maintaining the section 22 exemption falls away.

I could, of course, have appealed at the time, but the point is that I did not know what information was being suppressed, or why. I trusted the ICO to apply the law properly.

It is interesting to consider this matter of “trust” in light of an important recent Upper Tribunal (UT) case. Although that case was concerned with the use of “closed material” and “closed proceedings” in FOIA cases in the First-tier Tribunal (FTT) some points are arguably of general application to public authorities. One strikes me in particular

The other side of the coin concerning the application of the FOIA exemptions is of course that the requester may want to challenge the reasons and evidence which are advanced to establish them and thereby show that the requested information should be provided to him or her pursuant to FOIA…This competing right and interest within the FOIA scheme is founded on the right of access to information held by public authorities that is given by FOIA.  So it is one of the starting points for the need for a decision-making process to weigh competing rights and interests [emphasis added]

I would argue (knowing now what I didn’t know then) that as one of the prime reasons for DPA Undertakings is to draw attention to serious breaches of the DPA (see ICO Guidance: Communicating Enforcement Activities) withholding this information under section 22 potentially is seen to undermine the regulatory functions of the ICO. I struggle to understand how the refusal to disclose the Undertakings, let alone the mere identities of the recipients, shows proper weighing of competing rights and interests.

One a final note, the guidance above also says

We will not risk damage to the reputation of the ICO by agreeing with an organisation that we won’t publicise our action or that we will give advance warning

I’m not sure how to square that with what I was told last year that

the Undertakings were signed on the understanding that they would not be publicised in the usual manner

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

May 28, 2013 · 6:58 pm

Pondlife: privacy obligations and privacy rights

Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.

In 2010 the law firm ACS:Law was victim of a concerted campaign to disrupt its activities through denial of service attacks (DDOS) and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDOS attacks a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.

As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that

Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.

The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).

The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details

This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that

A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right group

Twitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites
I confess I wasn’t aware of the 2010 hack. One wonders if the IC investigated this at the time. Nonetheless, any further hacks which reveal personal data of members and donors raise potential issues of liability for the EDL under the DPA, for the same reason that ACS:Law attracted enforcement action.
 
I found it notable at the time of the ACS:Law case that there was a lack of action or censure for the many people who happily publicised and distributed the file in question, thus exacerbating the already serious breach. It seemed to me, and still does, that those who originally downloaded the file and made it freely available, and those who continued to publicise it and make it available, were arguably guilty of an offence under section 55 of DPA, which provides that disclosing personal data knowingly or recklessly, without the consent of the data controller can be an offence.
 
The chances of an offence being committed are even more pronounced when concerted efforts are made to hack into a website. The offence under s55 DPA remains (through lack of a ministerial Order implementing the custodial provisions) only punishable by a maximum £5000 fine. However, other potential offences are enaged, including those under the Computer Misuse Act 1990, which are punishable by a maximum of five years’ imprisonment.
 
Anonymous have their reasons for the campaign, and they are perhaps difficult to argue against. But concerted efforts to gather and disclose private information raise worrying issues, which should not be avoided simply because of who the intended victims are.
 
None of this is to be seen as defending, or sympathising with, the views of the EDL, who are scum. But even scum have rights. Furthermore, it might be worth bearing in mind that when a list of apparent members of the BNP was leaked in 2009 – an incident which led to the prosecution of an individual under the DPA (at the sentencing of whom the judge said that he was obliged to impose a “fine…so low as to be ridiculous”) – there were strong indications that a number of people were wrongly named as members. Lists can be dangerous things, and I can think of few things more unpleasant than being wrongly associated with groups like this.

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, human rights, Information Commissioner, Privacy

Tagged as ,

May 26, 2013 · 10:27 am

Medical records databreach – what will result?

Today’s Sunday Mirror reports that thousands of confidential medical records have apparently been stored outdoors in a car park in an industrial estate for months. The paper alleges that

DHL Healthcare, which provides services for more than 100 NHS trusts, left out documents reportedly containing patients’ names, addresses and details of their medical conditions.

The paperwork is also believed to contain security “key codes” that enable DHL ambulance drivers to open the front doors of patients’ homes so they can be taken to hospital for treatments such as dialysis and chemotherapy.

Although the article doesn’t mention it, I am sure the Information Commissioner (IC) will take a keen interest in this.

Of particular interest is the fact that this apparent breach is said to have involved an organisation, DHL Healthcare, which doesn’t provide healthcare services itself. According to its website it provides “logistics services for the healthcare industry”. I also note that it provides a records management service. It seems almost certain that it acts under contract to NHS bodies. As such, in the terminology of the Data Protection Act 1998 (DPA), it is a “data processor” and an NHS body which instructs it is a “data controller”. Under the DPA, only the latter – the controller – is responsible for complying with the Act, and only the latter is liable to attract enforcement action for serious breaches of the DPA.

The seventh DPA data protection principle places an obligation on a data controller to ensure that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

and where

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a)the processing is carried out under a contract—

(i)which is made or evidenced in writing, and

(ii)under which the data processor is to act only on instructions from the data controller, and

(b)the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

This means that where an NHS Trust contracts with – say – a records management service, it must enter into a written contract which demands that the contractor must do nothing other than what the contract says, and must have robust data security measures in place. If the contract does not say that then the NHS body is prima facie in breach of the DPA, and liable for any serious breach which might occur.

Thus, in 2012, Brighton and Sussex University Hospitals NHS Trust was “fined” (in reality, served with a s55A DPA Civil Monetary Penalty Notice) £325,000 by the IC after hard drives containing sensitive medical data ended up for sale on the internet. The IC said that the Trust

failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures.
Further, the processing was not carried out under a contract between the Trust and HIS (whether made or evidenced in writing) under which the data processor was to act only on instructions from the data controller, and which required HIS to comply with obligations equivalent to those imposed on a data controller by the Seventh Data Protection Principle

Any investigation into this latest incident will likely involve assessment of the nature of the contracts in place, and the extent to which data controllers contracting with DHL Healthcare took reasonable steps to ensure compliance by the contractor. However, it appears to be the case, under current law, that if the IC determines there was a robust contract in place, and the data controller took all reaosnable steps to ensure compliance, no enforcement action can ensue. This seems slightly strange, but the DPA (which gives effect to the European Data Protection Directive) does not allow the IC to take action against the contractor. (Of course the other party to the contract could take civil action of its own, but this would almost certainly be only for breach of contract).

The draft European Data Protection Regulation seeks to deal with this possible gap in the law. Draft Article 26 (read with Articles 24 and 30) provides that

If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers

This apparently sensible and minor amendment might, though, have major implications for contractual arrangements to process data. If a data processor becomes (jointly) liable for breaches it is likely to assess risk in a much different way when entering into a contract. “Traditional” data controllers need to be alive to the potential financial implications of this.

One final note. Under current law, a data controller is

a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed

Could it be argued that, even now, when a contractor diverges from the terms of a contract, and decides to process data in a different way, they are in fact determining the purposes in a way which could potentially make them a controller? I would be interested to know if this has ever been argued.

Leave a comment

Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, monetary penalty notice

Tagged as ,

May 20, 2013 · 12:23 pm

There’s nothing like consistency…

Two contradictory decisions from the ICO as to whether disclosure of the names of councillors in the Local Government Pension Scheme is lawful might leave FOI officers – and requesters – scratching their heads

Remember those “Spot the Difference” competitions?

In 2010 the Information Commissioner’s Office (ICO) issued a Decision Notice concerning a request made to Buckinghamshire County Council under the Freedom of Information Act 2000 (FOIA). The request was for the names of councillors who had chosen to join the Local Government Pension Scheme (LGPS). The ICO agreed with BCC that

the withheld information is personal data relating to these councillors

But disagreed that section 40(2) and (3) of FOIA exempted the information from disclosure, rejecting an argument that the councillors would not have had a reasonable expectation of disclosure of the information:

the Commissioner has not found any evidence to support a view that disclosing the requested information would be likely to cause unnecessary or unjustified damage or distress to the individuals concerned

and

The Commissioner is satisfied the requested information relates primarily to the councillors’ public lives and does not intrude significantly on their private and family lives.

Consequently BCC was

to provide the complainant with the list of names of the ten councillors who were members of the LGPS

Compare and contrast with a Decision Notice issued recently relating to a FOIA request to Central Bedfordshire Council (CBC). The request was for names of councillors who had chosen to join the Local Government Pension Scheme (LGPS). The ICO agreed that

information regarding the details of an individual’s pension is personal data

And agreed with CBC that section 40(2) and (3) of FOIA exempted the information from disclosure, saying

individuals will have a reasonable expectation that information about their pension, and their decision whether or not to take one, will not be routinely disclosed

and that the councillors’

expectations of privacy with regard to their pensions are still objectively reasonable as it relates far more to their private lives than their professional lives

Consequently CBC was correct

to rely on section 40(2) to withhold…the requested information

A few questions arise: are BCC councillors entitled to bring a complaint against their council for unfair processing? if so, would BCC have a defence that they complied with a legal notice from the statutory regulator? Is local government “lagging behind best practice in other parts of the public sector” (para 20 of FS50233989) or not? Which Decision Notice should other councils follow when they get similar requests? And, finally, did the ICO even look at the earlier decision when it issued the second?

 

DISCLAIMER: I have a professional connection to one of the public authorities involved.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner

May 17, 2013 · 2:58 pm

Damages under s13 Data Protection Act – an Opportunity Lost?

A concession of an issue by the defendant in Halliday v Creation Consumer Finance means the law is still unclear as to whether nominal damages trigger compensation for distress arising from a contravention of the Data Protection Act

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered.

This point was addressed in Johnson v The Medical Defence Union Ltd (2) [2006] EWHC 321 and  on appeal (Johnson v Medical Defence Union [2007] EWCA Civ 262), with Buxton LJ in the latter saying

section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered

In the case at first instance  the judge had found against Mr Johnson in his claim that a failure to renew his membership was caused by unfair processing of his personal data. However, if the first head of claim had succeeded, pecuniary damages in the sum of £10.50, to cover the cost of a breakfast (don’t ask) would have been owed, and

the price of that breakfast [would have represented] his gateway to a right to recover compensation for distress under section 13(2)(a)

This point, already largely hypothetical, fell away on appeal, because the Court held 

The Judge was not entitled to find that this, the only item of pecuniary damage that survived, was attributable to damage for which the MDU was responsible

The judgment in a recent case, Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 had been anticipated as possibly clarifying whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect. The case concerned errors by the defendant regarding disputed payments, which affected the claimant’s credit record. As Robin Hopkins said in a recent post on the Panopticon blog, after reports of the ex tempore judgment surfaced,

In Halliday…nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

Now that the full judgment has been made available, it can be seen that Mr Halliday did indeed succeed in using the nominal £1 damages as a gateway to £750 compensation for distress, but only because the defendant conceded the point:

this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998

So it appears we must continue to wait for fuller consideration of the meaning of the word “damage” in both the Directive and section 13 DPA.

UPDATE: Robin Hopkins has blogged on this case at the Panopticon blog. As he says – and as I may have omitted – “the judgment is not without its notable points”.

5 Comments

Filed under damages, Data Protection

April 16, 2013 · 12:15 pm

Police, poems and FOI

In which I am inspired into literary expression by a rather bizarre ICO decision notice saying that a poem sent by a senior police officer on his mobile device is exempt from disclosure under the “personal data” provisions of the Freedom of Information Act

Mr Plod once sent friends a rhyme
Which was rumoured to be out of line
When a request was lodged
To see what it was
His bosses politely declined

Chris Graham agreed with the force
Saying “It’s personal data because
He’s easy to spot
From the words that we’ve got:
It’s exempt from disclosure, of course!”

A Tribunal may have to decide later
– As the statutory arbitrator –
If it’s rather perverse
To suggest that a verse
Can possibly be personal data.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner, police

Tagged as , , ,