Category Archives: Data Protection

What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to be handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework) it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper The Register gave some examples of shoulder-surfing, in addition to Bob Quick’s infamous incident:

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.

*It’s difficult accurately to categorise them. For instance, a fax is both electronic and physical, and a lost hard-drive is loss of physical data, but seriousness is tied to the electronic contents of said drive.

Filed under Confidentiality, Data Protection, Information Commissioner, monetary penalty notice, police, Uncategorized

NHS Trust Given £325k Penalty

In January this year I blogged about reports that the Information Commissioner (IC) had sent a notice of intent to serve a civil monetary penalty notice (CMP) of £375,000 on Brighton and Sussex University Hospitals NHS Trust. At the time I said

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

Well, it has been served, today. And though the amount has been slightly reduced – £325,000 – it is still by some way the largest CMP ever imposed by the IC. However, this case may be important for other reasons.

Firstly, it related to disposal of hardware containing sensitive personal data. As the IC’s press release says

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences

The IC has been running an “unscrubbed hard drives initiative” following a reported security breach in 2009 involving the sale of un-scrubbed hard drives on the internet containing personal data, and internal meeting minutes from January indicated that this initiative was nearing completion. It would not be surprising if some formal guidance on the subject was now issued.

Secondly, and more broadly, it is interesting and worrying to note the fact that a fundamental role in this data breach was played by a contractor appointed to securely destroy the hard drives. As a data processor (rather than the data controller) this contractor was not liable under the Data Protection Act 1998 (DPA) for any serious breaches: this is why the Trust takes the hit. However, the contractor in question was the Department of Health-accredited Sussex Health Informatics Service (SHIS). SHIS appears to have sub-contracted the work to “Company A” which in turn sub-contracted to a one-person “Company B”. This individual subsequently sold 232 hard drives on the internet auction site.

The contractual and sub-contractual confusion appears to have been key: the Trust did not even know that the individual had been appointed, and did not know that he had been attending their offices, ostensibly to remove and securely destroy the drives. Data controllers need to be acutely aware of what is happening to the personal data they control, and this obligation cannot be overlooked when they feel the data, or the hardware containing it, has become obsolete.
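As an added illustration of the checks a data controller in the Trust’s position could run for itself (example code written for this page, not anything the Trust, SHIS or the ICO published), the following Python script does two things: it reconciles a register of drives released for disposal against the serial numbers on the contractor’s destruction certificates, so that a drive nobody can account for is flagged before an auction site does it for you; and it spot-checks a drive image for residual data before the drive leaves the building. The register, certificates, serial numbers, certificate references and drive images are all constructed for the example. The sampling check is deliberately a spot check: a failing drive is certainly not wiped, while a passing drive has only been shown to be clean where it was sampled.

```python
from __future__ import annotations

from dataclasses import dataclass

# Spot-check parameters: WINDOWS windows of SAMPLE_SIZE bytes spread across the image.
SAMPLE_SIZE = 4096
WINDOWS = 8


@dataclass(frozen=True)
class Drive:
    serial: str
    asset_tag: str


def sample_offsets(size: int, windows: int = WINDOWS, window: int = SAMPLE_SIZE) -> list[int]:
    """Evenly spaced window offsets from the start of the image to its end."""
    if size <= window:
        return [0]
    step = (size - window) // (windows - 1)
    return [i * step for i in range(windows)]


def residual_windows(image: bytes, pattern: bytes = b"\x00") -> list[int]:
    """Offsets of sampled windows that are NOT filled with the wipe pattern.

    An empty list means every window we looked at was clean. This is a spot
    check: a drive that fails is certainly not wiped; one that passes has only
    been shown to be wiped where we looked, so it complements rather than
    replaces the contractor's own verification.
    """
    dirty = []
    for off in sample_offsets(len(image)):
        window = image[off:off + SAMPLE_SIZE]
        if window != pattern * len(window):
            dirty.append(off)
    return dirty


def looks_wiped(image: bytes, pattern: bytes = b"\x00") -> bool:
    return not residual_windows(image, pattern)


def reconcile(register: list[Drive], certificates: dict[str, str]) -> dict[str, list[str]]:
    """Compare the drives we released for disposal with the serials the
    contractor certifies as destroyed.

    'unaccounted': released by us, no certificate -- chase these.
    'unexpected':  certified, but never in our register -- the contractor is
                   either mis-recording serials or handling drives that are
                   not ours; either way the certificates cannot be trusted
                   until this is explained.
    """
    released = {d.serial for d in register}
    certified = set(certificates)
    return {
        "unaccounted": sorted(released - certified),
        "unexpected": sorted(certified - released),
    }


# ---- constructed sample data (not real assets, serials or certificates) ----

REGISTER = [
    Drive("WD-WCC4E0001", "HDD-0001"),
    Drive("WD-WCC4E0002", "HDD-0002"),
    Drive("ST-Z1D00003", "HDD-0003"),
]
CERTIFICATES = {                # serial -> contractor's certificate reference
    "WD-WCC4E0001": "CERT-117",
    "ST-Z1D00003": "CERT-118",
    "ST-Z1D00099": "CERT-119",  # never in our register
}

WIPED_IMAGE = b"\x00" * (64 * 1024)          # a 64 KiB stand-in for a zeroed device
_dirty = bytearray(WIPED_IMAGE)
_dirty[3:11] = b"NTFS    "                      # filesystem signature survived the "wipe"
_dirty[44_000:44_020] = b"PATIENT RECORD ward4"  # and a fragment of a document
DIRTY_IMAGE = bytes(_dirty)


def audit() -> dict:
    """Run both checks over the constructed data and return the findings."""
    return {
        "reconciliation": reconcile(REGISTER, CERTIFICATES),
        "wiped_ok": looks_wiped(WIPED_IMAGE),
        "dirty_windows": residual_windows(DIRTY_IMAGE),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed data the reconciliation reports one drive released but never certified and one certificate for a drive that was never ours, and the dirty image fails at two of the eight sampled windows. Against a real device the image would be read from the block device rather than held in memory, and the same reconciliation would be run on receipt of each batch of certificates, not once at the end of the contract.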

The fact that SHIS was so involved is particularly worrying. Health Informatics Services are expected to be in the vanguard of data security in the NHS. They say

Keeping data safe and confidential is a core duty for health service providers – and a core THIS service. Our award-winning Confidentiality and IM&T Security service helps customers to fully comply with national and local standards.

Under current law the IC’s powers to take action against a data processor are limited. That may change when the European Data Protection Regulation is ultimately enacted. One would hope, however, that SHIS, and the Department of Health, are looking very closely at their own compliance and security.

UPDATE: 15:15

The Trust has now issued a statement, which to an extent attempts to deflect responsibility on to the contractor. Duncan Selbie, the Chief Executive has said

We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay

The Information Commissioner has ignored our extensive representations.  It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process”

He goes on to say

We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal

If this transpires, it will be the second recent instance of an appeal of a CMP by an NHS body.

The Independent reports the Trust also saying

the fine would pay for the delivery of 300 babies, 50 hip operations, 30 heart bypasses and 360 chemotherapy treatments

This rather confirms what I predicted in January

the IC might be faced with headlines equating (for example) [an NHS CMP] to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances

Perhaps this strategy will be revealed during any subsequent appeal proceedings.

Filed under Data Protection, Information Commissioner, monetary penalty notice

Equifax in breach of DPA and common law duties

(20.02.2013 – NB – this judgment was subsequently overturned in the Court of Appeal – please see my blog post here)

An interesting case has been heard in the High Court, before His Honour Judge Anthony Thornton QC, in which the claimant succeeded in showing breach of the Data Protection Act 1998 (DPA), as well as common law breach of a duty of care, on the part of the Credit Reference Agency Equifax. He also succeeded in showing this caused damage, because he was unable to access personal and company banking services.

Mr Smeaton, the claimant, had, for complex and unusual reasons, been subject to a bankruptcy order which was made on 1 March 2001, but almost immediately stayed, on 10 March 2001, and rescinded on 22 May 2002.

Despite this, the records kept by Equifax relating to Mr Smeaton wrongly showed that between 12 March 2001 and 17 July 2006 he was subject to the bankruptcy order. In June and August 2006 Mr Smeaton had, on his own behalf and on behalf of his company, Ability Records Ltd, made applications to Nat West Bank for account and overdraft facilities. These applications were refused by Nat West, having consulted Mr Smeaton’s credit file held by Equifax.

The judge held that Equifax had never reviewed its procedures for recording and reviewing the accuracy of bankruptcy information: it relied entirely on information provided by consumers (or placed in the London Gazette by consumers) before reviewing or amending entries (and Mr Smeaton was heavily dyslexic and not aware of the existence of Equifax and other credit reference agencies, nor their procedures). Although Equifax had argued that it was “wholly impracticable to undertake the checks that would be necessary if it was to itself ascertain when a bankruptcy order was discharged or otherwise brought to an end or stayed”, it had failed to distinguish between the (very large) number of bankruptcies that were eventually discharged, and (the relatively tiny number of) those which were subject to annulment, rescission or stay:

Equifax should have considered whether it was possible to find a quick, reliable and cheap way of being informed of annulment, rescission and stay orders which did not rely exclusively on consumers drawing such orders to its attention

Equifax (as data controller) were in breach of the fourth data protection principle in part 1 of Schedule 1 of the DPA, which states that

Personal data shall be accurate and, where necessary, kept up to date

Although there is a proviso (at part II of Schedule 1) which says that a contravention of the fourth principle will not take place if the data controller has taken reasonable steps to ensure the accuracy of the data, Equifax’s failure to have considered a way of being informed of annulment, rescission or stay meant that they could not rely on this.

The judge held also that because of the liability imposed on Equifax by the DPA, it also assumed a duty to act with reasonable skill and care at common law, and it had acted in breach of that duty.

Finally, the judge held that it was

inescapable that the [bank] applications were refused on the sole ground of Mr Smeaton’s bankruptcy entry on his credit file

and that therefore his failure to obtain funding was

as a direct result of Equifax’s breach of the data protection principles and, in particular, as a direct result of its retaining on Mr Smeaton’s credit file details of his undischarged bankruptcy order between 12 March 2001 and 17 July 2006

Mr Smeaton claims that the result of this was that

His life descended into a tragic mixture of homelessness, living in a car on the streets, mental breakdown, impecuniosity and a consequent inability to progress his business affairs as a direct result of the enormous shock on discovering that he had had an adverse credit record for the last five years and that the bank on which he had pinned so much hope in providing Ability with the necessary step up to obtain the SFLGS, itself an essential feature of its business plan, prevented him from taking anything other than relatively modest steps to further that plan for many months

However, the trial on causation and damages will be heard separately at a later date. This is a claim based on section 13 of the DPA, which provides that

An individual who suffers damage [and distress if it arises from that damage] by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage

It is worth noting that since 2008 an electronic version of the Individual Insolvency Register has been provided to Equifax under a subscription arrangement between them and the Insolvency Service. As the judge said

Due to advances in the electronic processing of credit data and to legislative changes in the insolvency legislation concerning personal bankruptcies, it is very unlikely that the highly unusual facts of this case will ever re-occur in the future

However, it is not particularly common for a section 13 claim under DPA to succeed, especially given the difficulty of proving damage (see Johnson v Medical Defence Union [2007] EWCA Civ 262 for an example of the difficulty in making a successful claim) so this is a case data protection practitioners should continue to keep an eye on.

Filed under Data Protection

Will NHS appeal ICO fine? Let’s hope so.

The Information Commissioner (ICO) today announced that it had imposed a monetary penalty notice (MPN), under section 55A of the Data Protection Act 1998 (DPA), against Central London Community Healthcare NHS Trust. The penalty was in the sum of £90,000, and was imposed after

patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions

All very interesting, particularly because this was only the second MPN imposed on an NHS body, after one last month against the Aneurin Bevan Health Board.

What was even more interesting, however, was to read on the publicservice.co.uk website that CLCH Trust are saying they will appeal the MPN. This would be the first such appeal, and would be very important in terms of getting some judicial opinion on the law and the ICO’s application of it.

Section 55A of the DPA gives the ICO the power to impose an MPN, while section 55B provides that a person on whom the notice is served may appeal to the First Tier Tribunal (Information Rights) against both the issue of the notice and the amount.

Regulations and an Order (the snappily-titled The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and The Data Protection (Monetary Penalties) Order 2010) make further provision for both the imposing of and appeal against an MPN. Additionally, under section 55C the ICO must issue guidance on “the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and how he will determine the amount of the penalty”.

On appeal the Tribunal can consider both whether the MPN was in accordance with the law and whether, to the extent that it involved an exercise of discretion by the ICO, he ought to have exercised that discretion differently. The statutory section 55C guidance, and whether the ICO has adhered to it, will clearly be important, but so will, I would suggest, any evidence as to consistency of approach. An appellant would do well to submit evidence of examples where similar or worse apparent breaches of the Act have not resulted in an MPN. As Stewart Room wrote some months ago

what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?

We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven its decisions so far.

Perhaps we have indeed now arrived at that point.

EDIT, 7 August 2012:

The Trust are indeed appealing the MPN, and the Information Tribunal has listed it for a three-day-hearing in December. This will be a major case.

Filed under Breach Notification, Data Protection, Information Commissioner

MPs and Data Protection offences, part two.

In which I follow up a previous post, ask the ICO what action he is taking and consider the implications for ICO funding under proposed amendment of data protection laws

In a previous post I pointed out that 22 MPs who had been identified in October 2011 as not having registered with the Information Commissioner (ICO) were still showing as not being registered. As I said, failure to register in circumstances where there should be a registration constitutes a criminal offence under section 21 of the Data Protection Act 1998. The blog post got some interest, so I thought I should follow it up with this request to the ICO under the Freedom of Information Act 2000. The request can be seen on the excellent whatdotheyknow.com but I thought it would be useful to post a copy here:

Dear Information Commissioner’s Office

In October last year you disclosed to another requester a list of
46 MPs who had not renewed their section 18 DPA registration with
your office. You explained some of the procedure for enforcing the
statutory requirement to register, and explained that

“Prosecution is usually the last resort when all else fails and we
do give ample opportunity for the data controller to register. The
legal team are not currently considering any MPs for prosecution.”

It appears, from a check of your register that, currently, 22 of
those same MPs have still not registered, more than seven months
later. These are

Z1243695
NIGEL EVANS MP
Z1434043
GAVIN BARWELL
Z1939110
EDWARD LEIGH MP
Z9286519
KHALID MAHMOOD MP
Z1993957
JAMES CLAPPISON MP
Z1102604
ANGUS ROBERTSON MP
Z9256111
JIM SHANNON
Z927838X
DAVID SIMPSON
Z1577500
DAVID BURROWES
Z1538835
PAT DOHERTY MP MLA
Z2134863
MARGARET CURRAN
Z2241138
RACHEL REEVES MP
Z2241519
NIGEL ADAMS
Z2247846
STUART ANDREW
Z9938280
SHAILESH VARA MP
Z2342005
TRISTRAM HUNT
Z1893869
PAUL BERESFORD
Z1903198
CHRISTOPHER CHOPE MP
Z2378834
JESSICA LEE
Z8752516
ERIC JOYCE MP
Z2343491
ZAC GOLDSMITH MP
Z1728512
ADAM HOLLOWAY

I note that in several instances these MPs appear not to have
renewed their notification for over a year.

Please inform me, under the Freedom of Information Act 2000

1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you
normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed
their notification? (as more than seven months have elapsed I
presume there will be some additional notifications which have
lapsed).

I acknowledge that the online register does not guarantee to be
up-to-date.

As my previous post said, enforcement of this provision of the DPA does not appear to have stopped: I have seen no announcement to suggest this, and it would be odd, to say the least, if the ICO decided to turn a blind eye to one of the clear offences in the DPA. What would make it particularly odd is the fact that registration represents a huge revenue stream for the ICO, and the more data controllers who register, the greater the income. A fee is levied against a data controller when they register, which amounts to either £35 or £500, depending on the size of the organisation. The last set of accounts show that the income to the ICO from this stream was just short of £15 million.

Clearly it is in the ICO’s interest to enforce this requirement. A failure to enforce, or a perceived failure to enforce could lead to data controllers deciding it’s worth taking a risk by not registering, to save an annual £35 or £500 (they know they would get at least two reminders as it is).

Finally, I note that under amendments to the statutory scheme which will follow the enactment of a new European data protection Regulation, this requirement to register will probably be removed. I presume someone has thought about the effect this will have on the funding of the ICO? £15 million is a hell of a lot to lose, and the office is underfunded as it is.

Filed under Data Protection, Information Commissioner

Godwin’s Law and Data Protection (or, Let’s Be Careful Out There)

A data protection officer I know has been having a bit of a hard time lately from his managers for questioning their relentless push to encourage greater sharing of information between their public sector organisation and other public sector bodies. My friend has been accused of not being a “can-do” person. In defence of his managers, they are being pushed themselves: despite the Conservative party’s pre-election pledge to “scale back the database state” and the Lib Dems’ commitments not to harvest unnecessary information about people’s private lives, data-sharing is being vigorously promoted.

Sometimes it’s important to share data. I blogged only yesterday about a situation where (if it’s true) a failure to share data possibly had tragic consequences. Similarly I remember once, when I worked in a mental health clinic, how two police officers came in and asked if we knew the whereabouts of one of our regular patients: I had been warned that some police officers would try to trick us into revealing information about our patients, but I knew that this patient was highly vulnerable and unstable and the officers apparently had good reason to know the information. I exercised a discretion that I still wonder about today to disclose that personal data. It was a judgement call, and sometimes you get them wrong – I hope I didn’t then.

However, it is surely not controversial to say that there are risks in excessive data-sharing. Paul Bernal has blogged today, prompted by the worrying success of the neo-Nazi Golden Dawn movement in last week’s Greek elections, about the importance of recognising what are the current, and historical, implications of surveillance of citizens by the state. “Surveillance” can take many forms – sometimes it’s video recording of people, or retention of their DNA. Sometimes it’s not even the state doing it, but citizens themselves: I recently wrote a rather crude post (which I need to re-visit) questioning whether it was a good idea to have hyper-local media collating and publishing information about people appearing in magistrates’ courts.

Sometimes, as well, it can take the form of creeping databases.  Thus, hypothetically, the state is able to collate the following: person W, who is Jewish, knows person X, who is a trade unionist, who has been known to associate with person Y, who is disabled and has twice been accused of crime Z. The state thinks this is useful data. It might be, but equally it might be excessive, or unnecessarily gathered, or retained too long.

In a modern, liberal, state, none of the identifying features in my hypothetical example should really raise an eyebrow. In a non-liberal state, however, similar information that has possibly been innocently, or naively, collated, can be misused in horrendous ways: so, in 1940s Holland, municipal registers were used by the Nazis to identify and persecute Jews, trade union membership lists used to persecute organised labour and public health and crime records used to persecute the disabled and criminals.

Maybe I’ve godwinned myself and my own blog, but one cannot avoid the fact that modern digital communication and storage are tremendously powerful – unimaginably so compared to even ten years ago, let alone 70 years. Data-sharing can have enormous and beneficial implications, but we need to exercise caution. We mustn’t amass personal data just because we can. We mustn’t use that data for purposes which were not envisaged when we gathered it. And we mustn’t retain that data just because we can’t be bothered to think what to do with it after its usefulness has passed.

As it happens, all the foregoing principles are actually enshrined in the statutory Principles in the Data Protection Act 1998. That Act gave domestic effect to an EC Directive, which in part had its genesis in the European Convention on Human Rights. That Convention – in turn – had its genesis in the lessons learned after a fascist party gained support in Europe, and then ultimately took power in a fractured and devastated country.

Filed under Data Protection, Privacy

Data Protection Obscenities

A tragic story about the suicide of a young man, and the apparently ridiculous citing of the Data Protection Act to explain why his mother was not warned.

A few years ago, Richard Thomas, the then Information Commissioner (ICO) launched a campaign to counter what were called “Data Protection Duck Outs”. It got some media attention, but I’ve always thought it suffered from sounding like the kind of phrase a “hip” teacher, or my parents, would have come up with. The ICO said

The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.

The bad-practice examples cited to illustrate the campaign were mostly light-hearted

In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.

or

In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.

Well, if the following story from thisiscornwall.co.uk is true, I have a current-day example, and I wouldn’t call it a “duck out” but an obscenity.

A man with a history of drug abuse killed himself in Camborne after being released from police custody, where he was detained under the Mental Health Act, a coroner has heard….Because of the Data Protection Act [his mother] did not know that her son had been detained and said she was powerless to help him.

The “duck out” campaign was launched because of misconceptions about the Data Protection Act 1998 (DPA). The DPA certainly has faults, but you can bet your house that when you hear someone blaming the DPA for not doing something, it is either because they have made a mistake, and are trying to cover themselves, or because they are ignorant of what the Act does and does not permit. The Cornwall story is unclear as to who allegedly cited the DPA for not informing this poor man’s mother, but, just to be clear, Schedule 3 of the Act specifically permits disclosure of sensitive personal data where

The processing is necessary…in order to protect the vital interests of the data subject or another person, in a case where…consent cannot be given by or on behalf of the data subject, or…the data controller cannot reasonably be expected to obtain the consent of the data subject.

This is before we get to considering other factors – for instance whether an appropriate adult was a requirement in this instance, and the fact that under section 56 of the Police and Criminal Evidence Act a person detained has the right to have someone informed. In which case there would certainly have been other conditions permitting disclosure (thanks to @MentalHealthCop on twitter, for pointing this out, and for alerting me to the story in the first place).

In 2004 the Bichard Inquiry report into the Soham Murders was highly critical about the misunderstandings and misinterpretations of the DPA which led to Humberside Police deleting information about Ian Huntley, and which subsequently meant that when Cambridgeshire Police ran checks on him, when he applied for a school-caretaker position, nothing came up.

The term “duck-out” doesn’t begin to describe the enormity of the mistaken decision to delete Huntley’s data, nor, if this Cornwall story is accurate, does it begin to describe the enormity of the decision – whoever might have taken it (and the story is unclear) – not to tell Daniel Carrick’s mother her son was detained. The current ICO is very keen to clamp down on serious breaches of the DPA, but these are almost exclusively concerned with the loss of, or inadvertent disclosure of, personal data. Perhaps he should also be alive to stories like this, which suggest potential tragic misconceptions and misuse of the DPA, and which really should carry the term Data Protection Fuck-Ups.

Filed under Data Protection, Information Commissioner, police

Politicians break the law – where is the ICO?

Following up a post from last year, it appears that some MPs continue to flout their legal obligations under the Data Protection Act, potentially committing a criminal offence, and that the ICO doesn’t seem to be taking action. I’m happy to be told otherwise

Back in November last year I blogged on the fact that 46 MPs had apparently failed to comply with their statutory obligation to notify the Information Commissioner of their status as data controllers processing personal data. In general terms section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the Information Commissioner (ICO). Although there are rumours that the obligation to register will be removed when the DPA is ultimately amended or repealed, following the enactment of the European Data Protection Regulation (currently in draft), all the relevant provisions are very much still in force.

At the time the ICO said

…our non notification process is to write to them asking for their comments and advise them to consider their need to notify. If the entity registers or provides a suitable explanation…that is usually the end of the matter and no further action is taken. If no response (or an inadequate response) is forthcoming then we write again explaining the requirement to notify and advising that failure to respond may result in the matter being passed to our legal team for consideration of prosecution. If there is still no response then the file is passed over for the legal team to consider the evidence and if they think there is sufficient evidence they will write advising that if no registration is received within 14 days or representations made as to why a prosecution should not be carried out then a summons will be issued. If registration is then forthcoming then that is the end of the matter and no further action is taken. Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.

Well, I’ve just checked that list of 46 MPs who had not renewed their registration as at October last year, and, according to the register (which I stress is, as the ICO says, not necessarily absolutely up-to-date), 22 of them still haven’t (bear in mind as well that there may well be others whose registration has lapsed in the interim). Most of those 22 are those whose registration has lapsed for longest. The worst apparent example is one MP who has not renewed his registration since July 2010! That is potentially almost two years of illegal processing of personal data.

It is not as though the ICO never exercises his prosecution powers for non-registration. He certainly does – and has a “non-notification team” to deal with this sort of thing (although the last prosecution I can find was in March last year).

My checking was prompted by an exchange on Twitter with Alistair Sloan, who made enquiries of the ICO about registrations by Members of the Scottish Parliament, and by the Respect Party. Alistair was told

Our Non-Notification Team, part of our Enforcement Department, have confirmed that the ICO has not contacted any members of the Scottish Parliament since 5th May 2011 in connection with Notification under the Data Protection Act 1998 (the DPA). Whilst this Team did work on a project which involved contacting MSPs to remind them of the notification requirements under Part III of the DPA, this project took place some time before the date you have specified of 5 May 2011.

and

Having conducted thorough searches of our notification records we have been unable to find any register entry, either current or one which has lapsed, in the name of the Respect Party. Therefore, it appears that the Respect Party has not notified under the DPA at any time since its formation in November 2004.

but

all of the issues you have raised in respect of the notification status of the data controllers… above have been brought to the attention of our Non-Notification Team within our Enforcement Department. They will therefore consider what further action is appropriate in the circumstances

One assumes that the “further action” will be reminders. If the Respect Party now registers, I think it’s highly unlikely the ICO will take retrospective action for the seven-and-a-half years when it failed to do so. As it is, reminders appear to have failed to move 22 MPs to comply with their legal obligations, and no apparent action is being taken against them (I would love the ICO to correct me on this). One can’t avoid asking what sort of enforcement, what sort of deterrent is this?

Filed under Data Protection, Information Commissioner

A Marathon Task for the ICO

Will the London Marathon data breach trigger the ICO’s powers to issue a monetary penalty notice? If so, the ICO is in a tricky position if he is seen to be effectively “fining” such a high-profile charity, and delivering that money to central government coffers.

Reports emerged on 23 April that the personal data of runners in this year’s London Marathon had inadvertently been disclosed on the organiser’s website. It appears that names, home addresses and email addresses were exposed. The BBC says

The details were accessible all day to anybody logging on to the site…Marathon organisers apologised and said the mistake had been rectified

A data controller must observe its various obligations under the Data Protection Act 1998 (DPA). London Marathon Ltd appears to be the data controller in this instance, and it donates any surplus income to The London Marathon Charitable Trust. Last year the charity received £4.6m from the company. Some of the income came from the entrance fees of the runners themselves.

The seventh principle of the DPA says

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A breach of that principle may attract the attention of the regulator of the DPA – the Information Commissioner (ICO). The ICO has various options open to him in the event that he finds that a serious contravention has taken place. In some instances he will require a data controller to sign an undertaking to improve its practices, but since 2010 he has had the power, under section 55A of the DPA, to issue a monetary penalty notice (MPN) of up to a maximum of £500,000. To date he has issued fourteen, largely to local authorities, and the largest penalty has been £140,000.

The ICO has issued guidance [PDF] on the issuing of MPNs, which expands on the statutory factors which would trigger exercise of the power:

there has been a serious contravention… of a kind likely to cause substantial damage or substantial distress…[and] the data controller…knew or ought to have known… that there was a risk that the contravention would occur, and

…that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but…failed to take reasonable steps to prevent the contravention

The BBC reports that the ICO has said

This is something the Information Commissioner will need to look into to see how it has come about.

It’s the reasons these things come about that determine the course of the investigation.

Every case is different and we will certainly be making enquiries.

If the ICO does issue an MPN the money paid goes into the Consolidated Fund – the government’s own bank account. It is one thing to fine a local authority, and, as I have argued before, politically sensitive to fine, say, an NHS body, but it would be an enormously brave act for the ICO to fine an organisation for disclosing the personal data of thousands of the very people whose amazing efforts have contributed to the funds which would have to be depleted to pay the fine. Even more so when one sees the huge contributions being made to the charity supported by one runner who tragically died in this year’s race.

Filed under Data Protection, Information Commissioner

Police complaints, a data breach and a High Court injunction

I notice an interesting application in the High Court.

The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant, “person(s) unknown”, whom Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which that information came to be in the possession of those person(s) unknown.

The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and, for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

One wonders whether the Information Commissioner has been informed. Inadvertent disclosure of a third party’s personal data, of a kind which requires a High Court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

As several local authorities know to their cost.

Filed under Breach Notification, Data Protection, Information Commissioner, police, Privacy