Category Archives: Information Commissioner

July 6, 2014 · 11:52 am

DVLA, disability and personal data

Is the DVLA’s online vehicle-checker risking the exposure of sensitive personal data of registered keepers of vehicles?

The concept of “personal data”, in the Data Protection Act 1998 (DPA) (and, beyond, in the European Data Protection Directive EC/95/46) can be a slippery one. In some cases, as the Court of Appeal recognised in Edem v The Information Commissioner & Anor [2014] EWCA Civ 92 where it had to untangle a mess that the First-tier tribunal had unnecessarily got itself into, it is straightforward: someone’s name is their personal data. In other cases, especially those which engage the second limb of the definition in section 1(1) of the DPA (“[can be identified] from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller” it can be profoundly complex (see the House of Lords in Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47, a judgment which, six years on, still makes data protection practitioners wake up in the night screaming).

When I first looked at the reports that the DVLA’s Vehicle Tax Check service enabled people to see whether the registered owner of a car was disabled, I thought this might fall into the complex category of data protection issues. On reflection, I think it’s relatively straightforward.

I adopt the excellent analysis by the benefitsandwork.co.uk site

A new vehicle check service on the DVLA website allows visitors to find out whether their neighbours are receiving the higher rate of the mobility component of disability living allowance (DLA) or either rate of the mobility component of personal independence payment (PIP)…The information that DVLA are making available is not about the vehicle itself. Instead they are publishing personal information about the benefits received by the individual who currently owns the car or for whom the car is solely used.

It’s difficult to argue against this, although it appears the DVLA are trying, because they responded to the initial post by saying

The Vehicle Enquiry Service does not include any personal data. It allows people to check online what information DVLA holds about a vehicle, including details of the vehicle’s tax class to make sure that local authorities and parking companies do not inadvertently issue parking penalties where parking concessions apply. There is no data breach – the information on a vehicle’s tax class that is displayed on the Vehicle Enquiry Service does not constitute personal data. It is merely a descriptive word for a tax class

but, as benefitsandwork say, that is only true insofar as the DVLA are publishing the tax band of the car, but when they are publishing that the car belongs to a tax-exempt category for reasons of the owner’s disability, they are publishing something about the registered keeper (or someone they care for, or regularly drive), and that is sensitive personal data.

What DVLA is doing is not publishing the car’s tax class – that remains the same whoever the owner is – they are publishing details of the exempt status of the individual who currently owns it. That is personal data about the individual, not data about the vehicle

As the Information Commissioner’s guidance (commended by Moses LJ in Edem) says

Is the data being processed, or could it easily be processed, to: learn; record; or decide something about an identifiable individual, or; as an incidental consequence of the processing, either: could you learn or record something about an identifiable individual; or could the processing have an impact on, or affect, an identifiable individual

Ultimately benefitsandwork’s example (where someone was identified from this information) unavoidably shows that the information can be personal data: if someone can search the registration number of a neighbour’s car, and find out that the registered keeper is exempt from paying the road fund licence for reasons of disability, that information will be the neighbour’s personal data, and it will have been disclosed to them unfairly, and in breach of the DPA (because no condition for the disclosure in Schedule 3 exists).

I hope the DVLA will rethink.

 

11 Comments

Filed under Confidentiality, Data Protection, Directive 95/46/EC, disability, Information Commissioner, Privacy

Tagged as , ,

July 5, 2014 · 9:03 am

Labour Party website – unfair processing?

Earlier this year I wrote about a questionable survey on the Conservative Party website, which failed to comply with the legal requirements regarding capture of email addresses. It is perhaps unsurprising to see something similar now being done in the name of the Labour Party.

An innocuous looking form on Labour’s donation pages lies underneath a statement that almost 44 million babies have been delivered under NHS care since 1948. The form invites people to find out what number their birth was. There are of course lots of this type of thing on the internet: “What was number one when you were born?” “Find out which Banana Split you are” etc. But this one, as well as asking for people’s date of birth, asks for their (first) name, email address and postcode. And, sure enough, underneath, in small print that I suspect they hope people won’t read, it says

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point

So, they’ll have your email address, your first name and a good idea of where you live (cue lots of “Hi Jon” emails, telling me about great initiatives in my area). All very predictable and dispiriting. And also almost certainly unlawful: regulation 22(2) of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) says that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

This Labour web page impermissibly infers consent. The European Directive  to which PECR give domestic effect makes clear in recital 40 that electronic marketing requires that prior, explicit consent  be obtained. Furthermore the Information Commissioner’s Office (ICO), issues clear guidance on PECR and marketing, and this says

Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…

The ICO’s guidance on political campaigning is (given the likelihood of abuse) disappointingly less clear, but it does say that “An organisation must have the individual’s consent to communicate with them [by email]”. I rather suspect the Labour Party would try to claim that the small print would suffice to meet this consent point, but a) it wouldn’t get them past the hurdle of giving the option to opt out at the point of collection of data, and b) in the circumstances it would crash them into the hurdle of “fairness”. The political campaigning guidance gives prominence to this concept

It is not just in an organisation’s interests to act lawfully, but it should also have respect for the privacy of the individuals it seeks to represent by treating them fairly. Treating individuals fairly includes using their information only in a way they would expect

I do not think the majority of people completing the Labour Party’s form, which on the face of it simply returns a number relating to when they were born, would expect their information to be used for future political campaigning. So it appears to be in breach of PECR, not fair, and also, of course (by reference to the first principle in Schedule One) in breach of the Data Protection Act 1998. Maybe the ICO will want to take a look.

UPDATE:

I see that this page is being pushed quite hard by the party. Iain McNicol, General Secretary, and described as “promoter” of the page has tweeted about it, as have shadow Health Secretary Andy Burnham and Ed Miliband himself. One wonders how many email addresses have been gathered in this unfair and potentially unlawful way.

 

3 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

Tagged as , , ,

July 3, 2014 · 4:23 pm

A green light for publishing FOI requesters names? I hope not

The Information Commissioner’s Office (ICO) today issued a statement about the data protection implications of public authorities publishing the names of people who have made requests under the Freedom of Information Act 2000 (FOIA). It was issued to journalist Jules Mattsson (it may have been issued to others) and I credit him for pursuing it. It arose out of concerns expressed on Twitter yesterday that a council had uploaded a disclosure log in which the names of requesters were unredacted*.

When the Justice Committee undertook its post-legislative scrutiny of FOIA in 2012 it made a recommendation (¶82) that names of requesters be published in disclosure logs

it can be argued that someone seeking to exercise freedom of information rights should be willing for the fact they have requested such information to be in the public domain; we therefore recommend that where the information released from FOI requests is published in a disclosure log, the name of the requestor should be published alongside it

But this was rejected by the government in its response to the report (¶25)

The Government does not share the view that publishing the names of requesters in disclosure logs would be beneficial in terms of burdens. Such a move would have implications for the data protection of requesters..

 Tim Turner blogged in his usual meticulous style on these data protection implications yesterday, and I am not going to rehearse the points he makes. Indeed, the ICO in its statement more or less agrees with Tim’s comments on fairness, and necessity, when it comes to the publication of requesters’ names

Individuals who make…requests must have their details handled fairly. Many people who have made a request would not expect to have their name linked to published details of the request they have made. If a public authority is considering publishing this information then they must consider why publishing the requester’s name is necessary/ While there is a need for authorities to be transparent about the [FOI] process, in most cases this would not extend to releasing people’s name simply to deter requesters

There then follow some (correct) observations that journalists and politicians might have different expectations, before the statement says

At the very least people should be told that their details will be published and given the opportunity to explain to the council why their name should not be disclosed. If having raised it with the authority a person is not happy with the way their details have been handled then we may be able to help

So what the ICO appears to be doing is agreeing that there are data protection implications, but, as long as authorities give requesters a privacy notice, announcing that they’re not going to do anything (unless people complain). It’s not often I take issue with the excellent Matt Burgess, who runs FOI Directory, but he claims that “the ICO has criticised the Council”. With respect, I don’t see any targeted criticism in the ICO’s statement, and I fear some public authorities will see it as a green light to publishing names.

As source does inform me that an ICO spokesman has said that they are going to be in touch with the council in question, to find out the full details. However, I wonder if the statement shows an approach more in line with the ICO’s new, largely reactive (as opposed to proactive), approach to data protection concerns (described on my blog by Dr David Erdos as having worrying implications for the rule of law), but I fear it risks the exposure of the personal data of large numbers of people exercising their right to information under a statutory scheme which, at heart, is meant to be applicant-blind. As the ICO implies, this could have the effect of deterring some requesters, and this would be, in the words of the always perceptive Rich Greenhill, a type of reverse chilling effect for FOIA.

 *I’m not going to link to the information: I don’t think its publication is fair. 

 

 

UPDATE: 05.07.14

The Council appears to have taken the information down, with Jules Mattsson reporting on 3 July that they are reviewing the publication of requesters’ names.

6 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner

Tagged as , ,

June 29, 2014 · 12:35 pm

I DON’T KNOW WHAT I’M DOING

As surprising as it always is to me, I’m occasionally reminded that I don’t know everything. But when I’m shown not to know how my own website works, it’s more humbling.

A commenter on one of my blog posts recently pointed out the number of tracking applications which were in operation. I had no idea. (I’ve disabled (most of) them now).

And someone has just pointed out (and some others have confirmed) that, when visiting my blog on their iphone, it asks them whether they want to tell me their current location. I have no idea why. (I’m looking into it).

These two incidents illustrate a few things to me.

Firstly, for all my pontificating about data protection, and – sometimes – information security, I’m not particularly technically literate: this is a wordpress.com blog, which is the off-the-peg version, with lots of things embedded/enabled by default. Ideally, I would run and host my own site, but I do this entirely in my own time, with no funding at all.

Secondly, and following on from the first,  I am one among billions of people who run web applications without knowing a great deal about the code that they’re based on. In a world of (possibly deliberately coded) back-door and zero day vulnerabilities this isn’t that surprising. If even experts can be duped, what hope for the rest of us?

Thirdly, and more prosaically, I had naively assumed that, in inviting people to read and interact with my blog, I was doing so in a capacity of data controller: determining the purposes for which and the manner in which their personal data was to be processed. (I had even considered notifying the processing with the Information Commissioner, although I know that they would (wrongly) consider I was exempt under section 36 of the Data Protection Act 1998)). But if I don’t even know what my site is doing, in what way can I be said to determine the data processing purposes and manner? But if I can’t, then should I stop doing it? I don’t like to be nominally responsible for activities I can’t control.

Fourthly, and finally, can anyone tell me why my out-of-control blog is asking users to give me their location, and how I can turn the damned thing off?

UPDATE: 30.06.14

The consensus from lots and lots of helpful and much-appreciated comments seems to be a) that this location thingy is embedded in the wordpress software (maybe the theme software), and b) I should migrate to self-hosting.

The latter option sounds good, but I have to remind people that I DON’T KNOW WHAT I’M DOING.

UPDATE:05.07.14

The rather excellent Rich Greenhill seems to have identified the problem (I trust his judgement, but haven’t confirmed this). He says “WordPress inserts mobile-only getCurrentPosition from aka-cdn-nsDOTadtechusDOTcom/…DAC.js via adsDOTmopubDOTcom in WP ad script”…”Basically, WordPress inserts ads; but, for mobile devices only, the imported ad code also attempts to detect geo coordinates”.

So it dooes look like I, and other wordpress.com bloggers, who can’t afford the “no ads” option, are stuck with this unless or until we can migrate away.

UPDATE: 11.07.14

We are informed that the code which asks (some) mobile users for their location when browsing this blog has now been corrected. Please let me know if it isn’t.

3 Comments

Filed under Data Protection, Information Commissioner, Personal, social media, tracking

Tagged as ,

June 25, 2014 · 6:24 pm

Wading through the rules: fairness for litigants in the Information Tribunal

Any judicial system needs to have rules to ensure effective and efficient case management: failure to do so risks delays, backlogs and, ultimately, breaches of natural justice and Article 6 Convention rights. Thus, we have the civil, the criminal, and the family procedure rules, and, within the tribunal system, the 2008 Upper Tribunal Rules, and a whole host of First-tier Tribunal Rules (the ones relating to Information Rights cases are the General Regulatory Chamber Rules 2009 (TPR)). In addition, there are Practice Notes (such as one for “Closed Material in Information Rights Cases”) and a range of forms and guidance.  There are even specific “Guidance notes for individuals representing themselves in freedom of information appeals in the general regulatory chamber of the first-tier tribunal” (which I shall call the “LiP Guidance” (with LiP meaning Litigant in Person)). (Interestingly, the only copy of this I can find online is hosted on a third party site.)

For such litigants in person, these sources of rules and guidance (and the navigating of them) are essential but complicated. A neat illustration of this point comes in a recent judgment of the Upper Tribunal on a Freedom of Information Act 2000 (FOIA) case.

In the First-tier Tribunal (FTT) a Mr Matthews had sought to appeal the Information Commissioner’s (IC) decision notice  that the Department for Business, Innovation and Skills (DBIS) didn’t hold the majority of information sought about the tendering process for the delivery of marketing workshops from Business Link West Midlands, and that what it did hold was exempt from disclosure under section 40(2) of FOIA. Mr Matthews, referring to the LiP Guidance (at paragraph 16) asked for, and expected, an oral hearing.

However, in responding to the notice of appeal, the IC applied successfully, under rule 8(2)(a) of the TPR to “strike out” one ground of appeal, and under rule 8(3)(c) to “strike out” the remainder.

Lawyers, and those who deal in this subject regularly, recognise that to “strike out” all grounds of appeal means the appeal is no more. But others might sympathise with Mr Matthews, who did not have any help on this matter from the LiP Guidance, and who, when asked by the Upper Tribunal judge, explained that what he had thought it meant was

that the way in which he had written his grounds out may be stuck through or altered, or sent back to him to change, but that the appeal itself would continue

So, we have Mr Matthews, still expecting an appeal with a hearing, but getting neither.

But was he entitled to a hearing, not of his substantive appeal, but to determine whether his appeal should be struck out? This was what was, in the main, at issue in the Upper Tribunal.

Rule 32(3) of the TPR says that the general rule that the FTT must hold a hearing before disposing of an appeal need not apply when deciding whether to strike out a party’s case. It does not preclude a hearing, though, but, rather, leaves it to the FTT’s discretion. In this instance the Upper Tribunal judge decided that the FTT erred in law in not exercising its discretion to hold a hearing and, alternatively or additionally, for failing to give any reasons for not holding a hearing.

Accordingly, the case is remitted to the FTT for it to hold an oral hearing of the strike-out application.

This might seem a very convoluted and unimportant judgment, but it shows the Upper Tribunal is alive to the difficulties faced by lay self-represented litigants in what should be more of an inquisitorial, rather than adversial, system. And it shows, as have other cases before it (see for instance Dransfield v IC & Devon Council, and IICUS v IC & BIS & Ray) that the Upper Tribunal is not unwilling to remit cases to the FTT on grounds of procedural unfairness.

3 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as

June 18, 2014 · 5:21 pm

The Partridge Review reveals apparently huge data protection breaches

Does the Partridge Review of NHS transfers of hospital episode patient data point towards one of the biggest DPA breaches ever?

In February this year Tim Kelsey, NHS England’s National Director for Patients and Information, and vocal cheerleader for the care.data initiative, assured the public, in an interview on the Radio 4 Today programme, that in the twenty five years that Hospital Episode Statistics (HES) have been shared with other organisations

the management of the hospital episode database…there has never been a single example of that data being compromised, the privacy of patients being compromised…

When pressed by medConfidential‘s Phil Booth about this, and about risks of reidentification from the datasets, Tim repeated that no patient’s privacy had been compromised.

Some of us doubted this, as news of specific incidents of data loss emerged, and even more so as further news emerged suggesting that there had been transfers (a.k.a. sale) of huge amounts of potentially identifiable patient data to, for instance, the Institute and Faculty of Actuaries. The latter news led me to ask the Information Commissioner’s Office (ICO) to assess the lawfulness of this processing, an assessment which has not been completed four months later.

However, with the publication on 17 June of Sir Nick Partridge’s Review of Data Releases by the NHS Information Centre one questions the basis for Tim’s assertions. Sir Nick commissioned PwC to analyse a total of 3059 data releases between 2005 and 2013 (when the NHS Information Centre (NHSIC) ceased to exist, and was replaced by the Health and Social Care Information Centre HSCIC). The summary report to the Review says that

It disappoints me to report that the review has discovered lapses in the strict arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly

and it reveals a series of concerning and serious failures of data governance, including

  • lack of detailed records between 1 April 2005 and 31 March 2009
  • two cases of data that was apparently released without a proper record remaining of which organisation received the data
  • [no] evidence that Northgate [the NHSIC contractor responsible for releases] got permission from the NHS IC before making releases as it was supposed to do
  • PwC could not find records to confirm full compliance in about 10% of the sample

 Sir Nick observes that

 the system did not have the checks and balances needed to ensure that the appropriate authority was always in place before data was released. In many cases the decision making process was unclear and the records of decisions are incomplete.

and crucially

It also seems clear that the responsibilities of becoming a data controller, something that happens as soon as an organisation receives data under a data sharing agreement, were not always clear to those who received data. The importance of data controllers understanding their responsibilities remains vital to the protection of people’s confidentiality

(This resonates with my concern, in my request to the ICO to assess the transfer of data from HES to the actuarial society, about what the legal basis was for the latter’s processing).

Notably, Sir Nick dispenses with the idea that data such as HES was anonymised:

The data provided to these other organisations under data sharing agreements is not anonymised. Although names and addresses are normally removed, it is possible that the identity of individuals may be deduced if the data is linked to other data

 And if it was not anonymised, then the Data Protection Act 1998 (DPA) is engaged.

All of this indicates a failure to take appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, which the perspicacious among you will identify as one of the key statutory obligations placed on data controllers by the seventh data protection principle in the DPA.

Sir Nick may say

 It is a matter of fact that no individual ever complained that their confidentiality had been breached as a result of data being shared or lost by the NHS IC

but simply because no complaint was made (at the time – complaints certainly have been made since concerns started to be raised) does not mean that the seventh principle was not contravened, in a serious way.  And a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress can potentially lead to the ICO serving a monetary penalty notice (MPN) to a maximum of £500,000 (at least for contraventions after April 2010, when the ICO’s powers commenced).

The NHSIC is no more (although as Sir Nick says, HSCIC “inherited many of the NHS IC’s staff and procedures”). But that has not stopped the ICO serving MPNs on successor organisation in circumstances where their predecessors committed the contravention.  One waits with interest to see whether the ICO will take any enforcement action, but I think it’s important that they consider doing so, because, even though Sir Nick makes nine very sensible recommendations to HSCIC, one could be forgiven – having been given clear assurances previously, by the likes of Tim Kelsey and others – for having reservations as to future governance of our confidential medical data. I would suggest it is imperative that HSCIC know that their processing of personal data is now subject to close oversight by all relevant regulatory bodies.

 

 

 

 

 

 

 

 

 

2 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, monetary penalty notice, NHS, Privacy

Tagged as , , ,

June 12, 2014 · 1:44 pm

The Ministry of Poor Record Keeping?

If the Ministry of Justice really can’t search the text of emails for information, how can it comply with the FOI Code of Practice on Records Management?

In performing his functions under the Freedom of Information Act 2000 (FOIA) the Information Commissioner (IC) must promote the observance by public authorities of codes of practice issued under section 45 and section 46 of FOIA. Section 46 provides for a code of practice to be issued by the Lord Chancellor as to desirable practice for public authorities for the keeping, management and destruction of their records. A code was duly issued by the then Lord Chancellor Lord Irvine in 2002.

So, when deciding whether, for instance, a public authority has complied with its obligations under part 1 of FOIA (i.e. has it properly responded to a request for information?) the IC should, I submit, take into account where necessary whether the authority is complying with the Records Management Code.

With this in mind, consider the Ministry of Justice’s (MoJ) reported response to an FOI request for any mentions on its systems of the Howard League for Penal Reform. As Ian Dunt reports, the MoJ said that

On this occasion, the cost of determining whether we hold the information would exceed the limit set by the Freedom of Information Act

I have seen the MoJ response in question, and I accept that it is legitimate for a public authority to refuse to disclose information if the costs of determining whether it is held exceeds the limit prescribed by regulations (although authorities have an obligation under section 16 FOIA to advise and assist applicants as to how they might reframe their request to fall within the cost limits, and the MoJ have failed to do this). However, while the response refers to a necessity to search paper records, it also says

A manual search is required as central search functions (for example, those on email systems) would not identify all correspondence  – for example, if the Howard League for Penal Reform was mentioned in the body of the text

This appears to suggest, as Ian says, that “they can only search electronically for the headline of an email, not the body of a message”

If this is true (which seems extraordinary, but one is sure it must be, because intentionally to conceal information which otherwise should be disclosed under FOIA is an offence) it would appear to be contrary to the desirable practice in the Records Management Code, which says that

Records systems should be designed to meet the authority’s operational needs and using them should be an integral part of business operations and processes. Records systems should…enable quick and easy retrieval of information. With digital systems this should include the capacity to search for information requested under [FOIA]

It would be most interesting if the Howard League were to refer this to the IC for a decision. The IC rarely these days mentions the Records Management Code, but as the Code itself says

Records and information are the lifeblood of any organisation. They are the basis on which decisions are made, services provide and policies developed and communicate

Not only does poor records management affect compliance with FOIA (and other legal obligations), but it is not conducive to the reduction of back-office costs, developing new ways of working, and driving economies of scale (all things, of course, which the current Lord Chancellor prays in aid of his potentially devastating changes to legal aid provision).

p.s. As @Unity_MoT points out on twitter, if the MoJ struggles to search its systems to respond to FOIA requests, how does it undertake searches for responding to subject access requests under section 7 of the Data Protection Act 1998? See e.g. page 17 of the IC Code of Practice on Subject Access:

Not only should your systems have the technical capability to search for the information necessary to respond to a SAR, but they should also operate by reference to effective records management policies

 

Leave a comment

Filed under Freedom of Information, Information Commissioner, records management

Tagged as ,

June 9, 2014 · 3:08 pm

ICO’s power to refuse to decide cases is rarely used

The “filter” of section 50(2)(c) of the FOI Act allows the Information Commissioner to refuse to make a decision on frivolous or vexatious applications. It is rarely used. What an exciting intro to a blog post eh?

The First-tier Tribunal (Information Rights) (FTT), recently refused an application by Leeds City Council for an award of costs against a requester whose requests had been held by the Information Commissioner (IC), and the FTT itself, as vexatious under section 14(1) of the Freedom of Information Act 2000 (FOIA). Alistair Sloan has blogged about the decision itself, and I would commend his piece to readers, but an observation by the judge led me make an FOI request of my own.

After noting that

it must be possible, depending on the circumstances, for the maker of a request regarded by everyone else as vexatious, to defend his or her position on that point without automatically being treated under the costs Rules as behaving unreasonably

the judge adverted to section 50(2)(c) of FOIA. This permits to IC to not make a decision whether a public authority has complied with its FOIA obligations if the application for the decision is itself “frivolous or vexatious”. (This must be distinguished from a decision as to whether the original FOI request to the public authority was, pursuant to section 14(1), vexatious). It gives the IC an exception to the general requirement to make a formal decision on all cases where the applicant asks for one. The judge said

it is right to remember the protections which already exist for public authorities in the context of vexatious requests or hopeless appeals. Before a right of appeal is even a gleam in the Tribunal’s eye, there must be a complaint to the Information Commissioner (ICO). If the complaint to the ICO appears to be “frivolous or vexatious,” then there is no need for him even to make any decision appealable to the Tribunal. See Section 50(2) FIA

but then went on to note that he was

not aware of any published information about the extent to which the ICO makes use of this important provision.

 Ever keen to help our judiciary, I asked the IC, via What Do They Know. With admirable promptness they disclosed to me that, in the years for which records are retained (2007 onwards), the IC has declined to serve a decision notice because he considers the application vexatious or frivolous only 18 times (which breaks down into 16 frivolous and 2 vexatious).

Clearly, the IC considers this exceptional power to be just that – one that should be used only in exceptional cases, and maybe its use in 0.3% of cases accords with that. But in my research for this piece I did dig up again the IC’s submission to the Justice Committee for the latter’s 2012 post-legislative scrutiny of FOIA, and I noticed that there was this comment

For some reason Parliament made a distinction between this provision [section 50(2)(c)] and that in section 14(1) applying to requests to public authorities.

This strikes me as odd. It is quite clear that there is an important distinction between a vexatious request to a public authority and a frivolous or vexatious application for a decision. A requester could make a request to a public authority which was not in any way vexatious, yet choose to pursue the matter by applying for a decision in a way that made that application frivolous or vexatious. And it seems to me that this was what Judge Warren in the FTT was alluding to, and why it would be highly unusual – and potentially oppressive – to award costs against someone appealing a refusal of a vexatious request. Rule 10(1)(b) of the relevant tribunal rules does allow for the award of costs for unreasonably bringing (as opposed to conducting) the proceedings, but the availability of the filter of section 50(2)(c) FOIA should mean that it would be extraordinarily unusual for such an award ever to be made.

A final observation from me. The wording of section 50(2)(c) seems to make it clear that, as the IC would make no decision in a case where the application is frivolous or vexatious, then no possible right of appeal to the FTT could exist (and, therefore, judicial review would be the only legal remedy available). This would be in contrast to cases such as Sugar and (currently at case management stage in the Upper Tribunal) Cross v IC  where what is at issue is whether a decision by the IC that an organisation is not a public authority for the purposes of FOIA constitutes an appealable “decision”.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, judiciary, vexatiousness

Tagged as ,

June 6, 2014 · 12:11 pm

Piles of cash for claiming against spammers? I’m not so sure

I am not a lawyer, but I’m pretty certain that most commercial litigation strategies will be along the lines of “don’t waste lots of money fighting a low-value case which sets no precedent”. And I know it is a feature of such litigation that some companies will not even bother defending such cases, calculating that doing so will cost the company much more, with no other gain.

With this in mind, one notes the recent case of Sky News producer Roddy Mansfield. His employer itself reported (in a piece with a sub-heading  “John Lewis is prosecuted…”, which is manifestly not the case – this was a civil matter) that

John Lewis has been ordered to pay damages for sending “spam” emails in a privacy ruling that could open the floodgates for harassed consumers.

Roddy Mansfield, who is a producer for Sky News, brought the case under EU legislation that prohibits businesses from sending marketing emails without consent

The case appears to have been brought under regulation 30 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Those regulations, as the title suggests, give effect to the UK’s obligations under the snappily titled Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Regulation 30(1) of PECR provides that

A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage

It appears that Mr Mansfield created an account on the John Lewis website, and omitted to “untick” a box which purported to convey his consent to John Lewis sending him marketing emails. It further appears that in the County Court Mr Mansfield successfully argued that the subsequent sending of such emails was in breach of regulation 22(2), which provides in relevant part that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent…

Assuming that this accurately reflects what happened, I think Mr Mansfield was probably correct to argue that John Lewis had breached the regulations: the Information Commissioner’s Office (ICO) guidance states that

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user

For a detailed exposition of the PECR provisions in play, see Tim Turner’s excellent recent blog post on this same story.

I’ve used the word “appears” quite a bit in this post, because there are various unknowns in this story. One of the main missing pieces of information is the actual amount of damages awarded to Mr Mansfield. Unless (and it is not the case here) exemplary or aggravated damages are available, an award will only act as compensation. It has been said that

The central purpose of a civil law award of damages is to compensate the claimant for the damage, loss or injury he or she has suffered as a result of another’s acts or omissions, and to put the claimant in the same position as he or she would have been but for the injury, loss or damage, so far as this is possible

So I doubt very much whether the award to Mr Mansfield was anything other than a small sum (so the albeit tongue-in-cheek Register reference to a PILE OF CASH is very probably way off the mark) . I have asked him via his twitter account for details, but have had no reply as yet.

Perhaps the most important aspect of this story, though, is the extent to which it indicates the way the courts might interpret the relevant consent provisions of PECR. As this was a case in the County Court it sets no precedent, and, unless someone decides to pay for a transcript of the hearing we’re very unlikely to get any written judgment or law report, but the principles at stake are profound ones, concerning how electronic marketing communications can be lawfully sent, and about what “consent” means in this context.

The issue will not go away, and, although I suspect (referring back to my opening paragraph) that John Lewis chose not to appeal because the costs of doing so would have vastly outweighed the costs of settling the matter by paying the required damages, it would greatly benefit from some proper consideration by a higher court.

And another important aspect of the story is whether behaviours might change as a result. Maybe they have: I see that John Lewis, no doubt aware that others might take up the baton passed on by Mr Mansfield, have quietly amended their “create an account” page, so that the opt-in box is no longer pre-ticked.

jl

UPDATE: 7 June

In a comment below a pseudonymed person suggests that the damages award was indeed tiny – £10 plus £25 costs. It also suggests that John Lewis tried to argue that they were permitted to send the emails by virtue of the “soft opt-in” provisions of regulation 22(3) PECR, perhaps spuriously arguing that Mr Mansfield and they were in negotiations for a sale.

9 Comments

Filed under damages, Data Protection, Information Commissioner, marketing, PECR

Tagged as

May 30, 2014 · 8:46 am

Data Protection in the Court System

The Lord Chief Justice’s welcome call for a modern ICT system for the courts of England and Wales does, at the same time, raise concerns about the data protection compliance of the current systems

If a representative of a public sector data controller, responsible for processing huge amounts of manual and electronic sensitive data (of all categories), were to concede that their systems for handling this data “were recognised as outdated more than 15 years ago” it would – one imagines – raise a few eyebrows in Wilmslow. Outdated systems are, by default, systems which are unlikely to indicate compliance by the relevant data controller with the seventh data protection principle:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A serious contravention of the obligation to comply with that principle can lead to monetary penalty notices to a maximum sum of £500,000, as many data controllers know to their cost.

But such a concession is just what the Lord Chief Justice of England and Wales appeared to make at the Annual Lecture of the Society of Computers and Law on 20 May in London. In his lecture he referred to

 re-entering information on different systems, using and holding paper files, diaries that are manual and unreliable telephonic and video communications

He spoke of how

Once papers are misfiled they are lost. In a number of parts of the country it is difficult to find people to do the filing at a wage which HMG is prepared to pay

and that

Save for using Outlook, judges have no electronic filing system for their administration. Outside the most senior Judiciary, very little clerical support is available for the judges

 All of this is enough to make most data security and data protection officers have sleepless (and screamful) nights.

In fairness to Lord Thomas, a) he was reflecting his own personal views, and b) his lecture, which laid out the history of how things had got to this state, was admirably aimed at seizing an opportunity to modernise. However, it did make me wonder how the judicial system appears to have largely avoided the steely enforcement glare of the Information Commissioner. I think this is probably, in part, because it is highly complicated when looked at through the lens of the Data Protection Act 1998 (DPA). The DPA distinguishes between data controllers and data processors, with former attracting all the legal obligations and liabilities under the Act. A data controller is, by section 1(1) of the DPA

a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

Applying this to the situations which obtain in the court system is not an easy task (although it isn’t uniquely difficult – the distinction between data controller and processor is a notoriously complex, and perhaps increasingly artificial, one to establish). It seems to me that, with the sorts of personal data being processed as part of a legal claim or trial before a court, there may be multiple data controllers doing different things with the same or similar data – the parties, their legal representatives, the court staff, and the judiciary are those which immediately come to mind. In such circumstances we are probably talking about data controllers in common (“where data controllers share a pool of personal data, each processing independently of the other”*).

What is certain is that the Judicial Office for England and Wales considers the judiciary to be data controllers at least for some personal data and some acts of processing which take place within the court system. In a document entitled “Judicial Responsibilities and the Data Protection Act 1998” it says that

It is now acknowledged that individual judicial office-holders are data controllers in circumstances in which they determine the purpose for which and the manner in which any personal data is processed. This is so in relation to data processed in the exercise of any judicial functions

And another document “IT and Information Security Guidance for the Judiciary” contains generally sensible advice to judiciary on ICT security, but fine words butter no parsnips, and if the reality, as suggested by the Lord Chief Justice’s lecture (and, indeed, anecdotal evidence I have seen and heard) does not match up to the intentions of that document, then it would point to potentially serious contraventions of the DPA.

In April 2013 the Information Commissioner’s Office published the summary outcome of a data protection audit it had performed – by consent – on HM Courts and Tribunals Service. The audit gave the ICO “reasonable assurance” but one notes that it focused on data protection governance, training, and subject access requests, and did not appear to encompass security. And, for the reasons discussed earlier in this post, HMCTS are only one of the data controllers in play in the court system. In the rather unlikely event that the ICO decided to seek to audit them, would judges pass so easily?

*ICO Data Protection Legal Guidance, page 16

Leave a comment

Filed under Data Protection, Information Commissioner, judiciary, monetary penalty notice

Tagged as ,