Category Archives: Information Commissioner

Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) in a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, offences

Concerns over the Public Authorities (Fraud, Error and Recovery) Bill

When it comes to proposed legislation, most data protection commentary has understandably been on the Data (Use and Access) Bill, but it’s important also to note some of the provisions of the Public Authorities (Fraud, Error and Recovery) Bill, introduced in the Commons on 25 January.

The abandoned Tory Data Protection and Digital Information Bill would have conferred powers on the DWP to inspect bank accounts for evidence of fraud. To his credit, the Information Commissioner John Edwards, in evidence given on that earlier Bill, had warned about the “significant intrusion” those powers would have created, and that he had not seen evidence to assure him that they were proportionate. This may be a key reason why they didn’t reappear in the DUA Bill.

The Public Authorities (Fraud, Error and Recovery) Bill does, however, at clause 74 and schedule 3, propose that the DWP will be able to require banks to search their own data to identify whether recipients of Universal Credit, ESA and Pension Credit meet criteria for investigation for potential fraud.

But such investigative powers are only as good as the data, and the data governance, in place. And as the redoubtable John Pring of Disability News Service reports, many disabled activists are rightly concerned about the potential for damaging errors. In evidence to the Bill Committee one activist noted that “even if there was an error rate of just 0.1 per cent during this process, that would still mean thousands of people showing up as ‘false positives’, even if it just examined those on means-tested benefits”.

The Bill does not appear to confer any specific role on the Information Commissioner in this regard, although there will be an independent reviewer, and – again, creditably – the Commissioner has said that although he could not be the reviewer himself, he would expect to be involved.

It is worth also reading the concerns of the Public Law Project, contained in written evidence to the Bill committee.

Filed under accuracy, Data Protection, data sharing, Information Commissioner

The state of central government transparency

[reposted from my LinkedIn account]

This is one of the most extraordinary FOIA judgments I’ve ever seen, and it says an awful lot about the approach to transparency at the centre of the civil service.

The Cabinet Office have been trying to resist disclosure under FOIA of copies of blank ministerial declaration of interest forms, on grounds that to do so would be prejudicial to the conduct of public affairs, because among other things [checks notes] “Disclosure may lead to speculative scrutiny regarding why certain elements are included in the forms, potentially leading to amendments to the form which undermines its effectiveness”.

But there’s also an extraordinary citation of a piece of evidence given by a Cabinet Office witness – the “Director of Propriety and Ethics” – to the effect that the system for Ministers declaring interests relies heavily on the trust and candour of Ministers, and the effect of disclosure would be that they “may be reluctant to provide the same level of detail” as they do currently.

Let’s just think about that. Ministers have a constitutional and ethical duty to declare interests, but this relies on trust and candour, and disclosure of a blank declaration form might mean that those we trust to be candid in their ethical duty to declare those interests might decide to be less trustworthy and candid as a result? What a sorry state of affairs.

Fortunately, the Information Tribunal, like the Information Commissioner’s Office before, had no truck with these arguments, and refused the Cabinet Office’s appeal.

Filed under access to information, Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Clarity needed on NHS publication of reports into homicides

[reposted from my LinkedIn account]

Does the law need clarifying on the publication of reviews into homicides by those receiving mental health services from the NHS?

The Times led recently on stories that NHS England was refusing to publish the full independent report into the health care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023. NHSE apparently argued that data protection and patient confidentiality concerns prevented them publishing anything but a summary. Under pressure from victims’ families, and the media, NHSE about-turned, and the full report is reported to contain damning details of failings in Calocane’s treatment which were not in the summary version.

Now The Times reports that this is part of a pattern, since last year, of failure to publish full reviews of homicides by mental health patients, contrary to previous practice. It says that NHSE received legal advice that the practice “could breach data protection rules and the killers’ right to patient confidentiality”. The charity Hundred Families talks of cases where the names of victims are not published, or even the identity of the NHS Trust involved.

Of course, without seeing the advice, it is difficult to comment with any conviction, but I did write in recent days about how the law can justify publication where it is “necessary for a protective function” such as exposing malpractice, or failures in services. And it’s important to note that, in many cases, such reports show failings that mean that killers themselves have been let down by the adequacy of treatment: publication can surely, in some cases, cast light on this so that similar failings don’t happen in the future. In any case, guidance says that those preparing reports should do so with a view to their being published, and so confidentiality concerns should be taken into account in the drafting.

However, if NHSE remains concerned about the legality of publication, and if its legal advice continues to say that data protection and medical confidentiality law militates against disclosure, it strikes me that this might call for Parliament to legislate. I also believe that it would be welcomed if the Information Commissioner’s Office issued a statement on the legal issues arising.

Filed under access to information, Confidentiality, Data Protection, Information Commissioner, NHS

Is the legal sector really suffering a flood of data breaches?

[reposted from my LinkedIn account]

There have been various articles in the media recently, reporting a significant rise in personal data breaches reported by the legal sector to the Information Commissioner’s Office. I have some real doubts about the figures.

An example article says:

A new analysis of data from the Information Commissioner’s Office (ICO) by NetDocuments has revealed a sharp increase in data breaches across the UK legal sector. In the period between Q3 2023 and Q2 2024, the number of identified data breaches in the UK legal sector rose by 39% (2,284 cases were reported to the ICO, compared to 1,633 the previous year)

But something didn’t seem right about those numbers. The ICO say that they have received 60,607 personal data breach reports since their current reporting methods began in Q2 2019 (see their business intelligence visualised database), so it seemed remarkable to suggest that the legal sector was scoring so highly. And, indeed, when I look at the ICO BI data for self-reported personal data breaches, filtered for the legal sector, I see only 197 reported in Q3 2023, and, coincidentally, 197 in Q2 2024 (see attached visuals) – an increase from one relatively low number to another relatively low number of precisely 0%.

A serious question to those more proficient with data than I am – am I missing something?

If I’m not, I really think the ICO should issue some sort of corrective statement.

Filed under Data Protection, data security, Information Commissioner, personal data breach

Is information held by external solicitors “held” for the purposes of FOIA?

[reposted from my LinkedIn account]

Where an external solicitor’s firm holds information in relation to advice given by the solicitor on instructions by a public authority client, is the information held by the solicitor “on behalf of” the public authority, for the purposes of section 3(2)(b) of the Freedom of Information Act 2000?

While the matter is live, the answer is probably “yes”, but what if the public authority client has long since destroyed its own records, but the solicitor’s firm has retained its records for its own regulatory or risk purposes? Here, the answer is probably “no”.

And that is the situation which came before the Information Tribunal recently. The requester was seeking information from Sheffield City Council about a development scheme from 2007/2008. The Council had said that it would have destroyed its own records, and said that to determine whether the information was held would necessitate the inspection of 28 box files held by law firm Herbert Smith Freehills, who had been instructed by the Council at the relevant time. To even determine whether the information was held or not would exceed the costs limits in section 12 of FOIA. The ICO, in the decision notice being appealed, had agreed.

As I was reading the first few paragraphs of the Tribunal judgment, I said to myself “hang on – is this info being held by HSF on behalf of the Council, or is it being held for HSF’s purposes?” I was limbering up my fingers to write a post criticising everyone for not spotting this, so I was then pleased to see that the Tribunal, of its own volition, identified it as an issue and sought submissions from the ICO and the Council on it.

After some back and forth (it is not entirely clear from the judgment who said what in their submissions, and there was a side issue as to whether in fact the Environmental Information Regulations applied) the evidence was pretty clear that the Council had had no intention to retain the information, nor to entrust it to HSF. Accordingly, the information was not “held” for the purposes of FOIA.

I’m not sure I understand why the Tribunal did not substitute a different decision notice to reflect this (it simply dismissed the requester’s appeal), but ultimately nothing really turns on that.

What one can take from this is that solicitors and their clients (especially public authority clients) should, jointly and separately, make clear in agreements and policies what the status is of information retained by solicitors after an instruction has ceased, and how requests for such information should be dealt with.

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Exceptionally unlikely: ICO and judicial review

[reposted from my LinkedIn account]

Where Parliament has entrusted a specialist body with bringing prosecutions, such as the Serious Fraud Office, or the Information Commissioner’s Office (ICO), it is “only in highly exceptional circumstances” that a court will disturb a decision made by that body (see Lord Bingham in R(Corner House and others) v Director of the Serious Fraud Office [2008] UKHL 60).

Such was the situation faced by the claimant in an unsuccessful recent application for judicial review of two decisions of the ICO.

The claimant, at the time of the events in question, was a member of the Labour Party and of the Party’s “LGBT+Labour” group. She had been concerned about an apparent disclosure of the identity and trans status of 120 members of a “Trans Forum” of the group, of which she was also a member, and of what she felt was a failure by the LGBT+Labour group to inform members of the Forum of what had happened.

She reported this to the ICO as potential offences under sections 170 and 173 of the Data Protection Act 2018 (it’s not entirely clear what specific offences would have been committed), and she asked whether she was “able to discuss matters relating to potential data breaches with the individuals involved”. The ICO ultimately declined to prosecute, and also informed her that disclosing information to the individuals could in itself “potentially be a section 170 offence”.

The application for judicial review was i) in respect of the “warning” about a potential prosecution in the event she disclosed information to those data subjects, and her subsequent rejected request for a commitment that she would not be prosecuted, and ii) in respect of the decision not to prosecute LGBT+Labour.

Neither application for permission succeeded. In the first case, there was no decision capable of being challenged: it was an uncontroversial statement by the ICO about a hypothetical and fact-sensitive future situation, and in any event she was out of time in bringing the application. In the second case, there were no “highly exceptional circumstances” that would enable the court “to consider there was a realistic prospect of showing that the ICO had acted outside the wide range of its discretion when deciding not to prosecute”.

One often sees suggestions that the ICO should be JRd over its failure to take action (often in a civil context). This case illustrates the deference that the courts will give to its status and expertise both as regulator and prosecutor. Outside the most exceptional of cases, such challenges are highly unlikely to succeed.

Peto v Information Commissioner [2025] EWHC 146 (Admin)

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner, judgments, judicial review

FOIA costs decision against applicant for failing to withdraw contempt application

A freedom of information requester is facing costs in what seems to have been a bit of a shambles before the First Tier Tribunal (FTT). I think this is rather concerning, albeit slightly convoluted, and, frankly, the whole thing is not assisted by a judgment that is strewn with errors and lacks coherence. In what follows I’ve had to piece together some of the information missing, or unclear, from the judgment.

It appears that the requester (AHB) had made a Freedom of Information Act 2000 (FOIA) request to the Royal Mint on 19 June (not July, as the FTT judgment says) 2021 for information about its “Garbled Coin Policy” in relation to repatriated UK currency. On 16 July 2021 the Royal Mint replied with what appears to have been a short narrative response. AHB complained to the Information Commissioner (ICO) on 28 September 2021, and ten months later the ICO held (very peremptorily, and rather oddly, I would say) that the Royal Mint held no information in relation to the original request.

AHB then appealed to the FTT and in a judgment of 3 October 2023 (the “2023 judgment”) the FTT held that the ICO had either or both erred in law, or in the exercise of his discretion, because the Royal Mint held further information in relation to the request. It issued a judgment constituting a substitute decision notice (SDN), under which the Royal Mint was ordered to issue a fresh decision within 35 days of the date on which the SDN was promulgated. The judgment specifically says “Failure to comply with this decision may result in the Tribunal making written certification of this fact pursuant to section 61 of the Freedom of Information Act 2000 and may be dealt with as a contempt of court”. The Royal Mint had chosen not to join itself to those proceedings and neither AHB nor the ICO had applied for it to be joined.

It is not at all clear, from the judgment, what happened next, but it appears that the SDN, with its Order that the Royal Mint issue a fresh response, was not served on the Royal Mint itself (presumably this error arose from its not having been a party, although it was aware of the proceedings). Then, on 9 December 2023, having received no fresh response, and no doubt taking his cue from the SDN, AHB made an application to the FTT under section 61(4) of FOIA for the Royal Mint to be certified to the Upper Tribunal for contempt of court.

It appears that the FTT finally served the SDN on the Royal Mint on 22 December 2023 (the judgment at several points has this as the obviously impossible “22 December 2024”).

One assumes, at this point, that, although the SDN was not served on the Royal Mint until the time of 35 days from 3 October 2023 had already passed, the Order in the SDN still had effect. That being the case, it appears to have been incumbent on the Royal Mint’s lawyers to make an urgent application, for instance for compliance with the Order to be waived, for relief from sanctions and for a new date for compliance to be set. Instead, they did not take action until 3 January 2024, when they wrote to the FTT suggesting that a response would be provided within a further 35 days. However, this was just correspondence – no actual application was made.

Eventually, a response was issued by the Royal Mint in relation to the SDN, on 5 February 2024, more than two-and-a-half years after AHB made his request.

AHB’s application for a contempt certification was still live though, and here I pause to observe that, on the information available, I am not surprised he took no action to withdraw it. He had been vindicated by the FTT’s SDN of 3 October 2023, and he was unaware that the SDN had erroneously not been served on the Royal Mint (in fact, it is not at all clear at what point he did become aware of this). In any case, as no application was made by the Royal Mint for further time, the Order in the SDN must still have been in effect. In fact the judgment alludes to this when it notes that AHB was “indicating” in his contempt application that the final Royal Mint response “was provided 125 days after the Substituted Decision Notice was issued and 90 days later than directed”.

In any event, the FTT declined to certify the failure to comply on time as contempt, because:

whilst the Tribunal does consider that the Respondent could have acted more diligently on becoming aware of the Substituted Decision Notice, by applying for an extension of time and requesting permission to extend the time set out in the SDN, the Tribunal does not consider that [the Royal Mint’s lawyer] wilfully avoided complying with the order. The Tribunal accepts that he was simply not aware of the appropriate course of action to take in circumstances where a Court or Tribunal imposed a deadline that had already been missed. In any event, the approach taken is not sufficiently serious to warrant certification to the Upper Tribunal for contempt and the application is refused. [emphasis added]

I will pause here to say that it’s unusual, to say the least, for a court to accept a submission that a solicitor was not aware of what to do when in receipt of an order of a court. Most judges would be quite intolerant of such an argument.

But the story does not end there. In submissions dated 17 July 2024 the Royal Mint then “indicated an intention to pursue an application for the costs ‘of and associated with’ the [contempt] application”. Under rule 10 of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 the FTT may make an order in respect of costs but only if it considers that a party has acted unreasonably in bringing, defending or conducting the proceedings.

And, remarkably, the FTT acceded to the costs application, on the grounds that AHB did not withdraw his application for the FTT to certify the Royal Mint’s (undoubted) failure to comply with the 3 October 2023 Order, after he had finally received the fresh response of 5 February 2024. The FTT also took into account AHB’s reference to pursuing a “campaign” to encourage greater transparency.

But does this mean AHB has “acted unreasonably in…conducting the proceedings”? I’m far from convinced (in fact, I’m not convinced). The FTT says:

The Tribunal does not consider that it is reasonable (or that any other reasonable person would consider it reasonable) for an application for a party to be certified to the Upper Tribunal for contempt of court to be used as part of a campaign to encourage greater transparency…The Tribunal considers that the obligation to deal with cases fairly, justly, and proportionately in circumstances where the Applicant accepts that he was in appropriately [sic] pursuing a “campaign” for other purposes and where the chances of success in relation to the Tribunal actually certifying the contempt may be limited may justify the making of a costs order against the Applicant.

Well, if I’m to be considered a reasonable person, then I do not think it unreasonable for a person to decide not to withdraw such an application where they have waited more than two-and-a-half years for an answer from a public authority to a simple FOIA request, and where the public authority has failed to comply with an Order, because its lawyer chose not to acquaint himself with procedural rules. Unreasonableness imposes a very high threshold, and this is shown by the fact that costs awards are extraordinarily rare in FOIA cases in the FTT (from my research I have only found two, in the twenty-odd years FOIA has been in effect, and one of those was overturned on appeal). AHB may have been tenacious, perhaps overly so, and he may have ancillary reasons for (some of) his conduct, but – again – that does not connote unreasonableness.

Costs have not yet been awarded, as the FTT has adjourned for submissions on AHB’s means, and a breakdown of the Royal Mint’s costs.

I should end by saying there may be other material not in the public domain which provides a gloss on AHB’s conduct of the proceedings, but one can (and must) only go on what is in the public domain.

Filed under access to information, contempt, costs, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

I don’t think that word means what you think it means

[reposted from LinkedIn]

I think there’s a plain error of law in this Information Tribunal judgment (O’Hanlon & Anor v Information Commissioner & Anor [2024] UKFTT 1061 (GRC)).

Section 36(2)(b) of the Freedom of Information Act 2000 (FOIA) says that information is exempt if, in the reasonable opinion of a qualified person, disclosure would, or would be likely to, inhibit the free and frank provision of advice, or the free and frank exchange of views for the purposes of deliberation, or would otherwise prejudice (or would be likely to do so) the effective conduct of public affairs.

I’ve written elsewhere about the flawed concept of who a “qualified person” is, but, at least in relation to govt departments, it’s straightforward: it’s a minister (s36(5)(a)).

In June 2022, Lord True, Minister of State in the Cabinet Office, in the context of a then-live FOIA request, gave a s36 “reasonable opinion”, as a qualified person, that internal department email addresses were exempt, and – crucially – that his opinion was to apply “going forward” in relation to any similar requests. Subsequently, the Cabinet Office applied his opinion to a new request which was received after he had given it.

The ICO said this was not permitted: “the provisions of s36 only become relevant once a request for information has been made…a Qualified Person’s opinion must therefore necessarily post-date the request for the information, and must be an opinion relating to the specific request”.

Not so, said the Tribunal: s36(6)(b) allows an “authorisation” to be “general”, and, therefore “a general authorisation must include be [sic] forward looking to other requests”.

But that is not what “authorisation” means in s36: the word only occurs, prior to s36(6)(b), in s36(5), and it refers to the authorisation of persons as qualified persons to give a reasonable opinion. In other words, the qualified person gives an opinion – not an “authorisation”. The reference in s36(6)(b) to an authorisation being permitted to be “general” is followed by “or limited to specific classes of case” – i.e. a person may be authorised in general to give a reasonable opinion, or authorised (perhaps they have a specialism) only in certain cases.

It does not mean that they are “authorised” to give a prospective qualified opinion that classes of information will always be exempt (subject to a public interest test).

The Tribunal’s reading of s36(6)(b) heavily informed its judgment, and it’s certainly questionable whether, but for this error, it would have decided in favour of giving this “prospective effect” to some s36 qualified opinions.

One hopes the ICO will appeal – because there will otherwise be a risk that public authorities will start classifying, of their own accord, certain classes of information as “always exempt”.

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

ICO Annual Reports 1985 to date

I’ve had to retrieve a lot of these from the National Archives Web Archive.

The sixteenth report looks like it was co-published with the Australian Commissioner.

All reports are published under the Open Government Licence by which the licensor grants a worldwide, royalty-free, perpetual, non-exclusive licence to use the information, subject to conditions.

Filed under Data Protection, Freedom of Information, Information Commissioner