Category Archives: Information Commissioner

The weakest link

I am a big fan of Bruce Hallas's The Analogies Project, and I've been promising him for a while that I will send him a proposal for a privacy analogy for possible inclusion in the Project. For the time being, and because I'm suffering from a bit of writer's block on that piece, I'll post a little – and obvious – analogy here.

The recent news that the Information Commissioner's Office (ICO) had required Great Ormond Street Hospital for Children NHS Foundation Trust ("GOSH") to sign an undertaking (to improve data protection compliance) made me think of the famous quotation by William James from The Varieties of Religious Experience

A chain is no stronger than its weakest link

The ICO noted that, at GOSH,

Although data protection training was in place, it was not required for temporary members of staff

By their nature, temporary staff are often subject to different procedures and obligations (or lack thereof) to permanent staff. It is, consequently, all too easy for data controllers to ask temporary staff to handle personal data without applying the appropriate safeguards which they would always apply where permanent staff are concerned.

Data security and data protection within an organisation can, indeed, be seen as a chain. By that I don't mean that it should tightly bind or shackle the organisation. Rather, what I mean is that – ideally – all parts should link together, and no part be isolated: thus, data, and risks, are appropriately contained. But if a weak link is in place, the potential exists for the whole chain to be broken.

This is not profound, and I strongly suspect it’s not even a new analogy, but I think it’s one worth making.

And it gives me the chance to quote William James for the second time today.


Filed under Data Protection, Information Commissioner

In which I ask the ICO for a Decision Notice

In September of this year I blogged about a request I made to the Information Commissioner’s Office (ICO) for details of which website some personal data had been inadvertently uploaded to, by a council employee, which had led to a monetary penalty notice. I have now had the ICO’s response to my internal review. I do not have (and haven’t sought) permission to upload that response, but suffice to say it doesn’t uphold my complaint. For those of you still awake I append my response to it here:

I am reluctantly now applying to the Commissioner for a decision whether my request for information has been dealt with in accordance with the requirements of Part I of the Freedom of Information Act 2000 (FOIA).
 
I am of the view that you do have lawful authority to disclose the information, and, therefore, section 59(1) of the Data Protection Act 1998 (DPA) is not engaged (and by extension nor is the substantive exemption claimed: section 44 of FOIA). Before I give my reasons I would just like to clarify an error on my part: I erred in my request for internal review when I queried whether section 59(1)(c) DPA was met. What I meant was that I accepted that sections 59(1)(a-c) were met, but I doubted whether there was a lack of lawful authority for the ICO to disclose.
 
My reasons why I believe you do have lawful authority to disclose are substantially the same as I gave in the rest of my request for internal review. I will repeat them here for completeness’ sake:
 
Section 59(2)(e) says that disclosure is made with lawful authority if “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”. I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what "necessary" means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 "'necessary'…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends". It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens' Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many, many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals' often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure "necessary".

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

However, I make the following further observations.

You say “I consider that the public interest here has been largely, if not entirely, met by the issuing and publication of the Monetary Penalty Notice dated 27 August 2013, the publication of the ICO News release dated 30 August 2013, and other press coverage concerning this particular data breach and how it occurred. I do not consider that disclosure of the name of the website would further this to any significant extent”. However, these sources of information were noticeably lacking in detail about how exactly the rather bizarre and worrying circumstances described in the Monetary Penalty Notice (MPN) could have happened: automatic upload to cloud storage can happen, but normally this will be to private storage – automatic upload to a “public website” is rather alarming.

I note, in passing, some recent criticism of the level of detail, or lack of clarity, in MPNs made by the First-tier Tribunal (see para 17 of the Scottish Borders case, and, the Niebel case, effectively throughout).

I also note that you say “when considering the balance of the public interest in relation to section 59(2)(e) it has to be borne in mind that the threshold is very high because disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”. With respect, whether the Commissioner or a member of his staff might commit a criminal offence is not relevant to whether the public interest means disclosure is necessary. If disclosure is necessary section 59(1) does not apply, and no suggestion of a criminal offence can arise. Moreover, you say “unless there is ‘lawful authority’ to disclose the information, to do so would constitute a criminal offence” and “disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”, and “Releasing information of this nature without lawful authority would not only constitute a criminal offence…”: all of these omit the crucial mens rea aspect of that offence, which is that the disclosure would have to be made knowingly or recklessly.

You go on to say “There is a strong public interest in information being provided to the Commissioner in confidence, to enable him to carry out his statutory duty, remaining confidential and that this information will not be disclosed without lawful authority. Releasing information of this nature without lawful authority would not only constitute a criminal offence but would also undermine the regulatory function and powers of the ICO. It would damage public trust in the Commissioner’s processes and make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. This repeats the earlier assertions, or implications, that the information in question is “confidential” or has been “provided…in confidence”, which I continue to dispute for reasons previously given (and not controverted), and makes further assertions that disclosing such information now would “make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. There appears simply to be no basis for this “chilling effect” assertion (is there, for instance, evidence to back it up?).

Finally, I note that you say "we did consult with Aberdeen City Council and we do not have explicit consent for disclosure". You do not say when this consultation took place, but it appears that Aberdeen at some point changed their mind on this, because on 15 October they disclosed the information to me under FOIA (see https://www.whatdotheyknow.com/request/ico_monetary_penalty_notice#outgoing-307019). Clearly, this means that I do not continue to seek disclosure. It also explains why I say I make this application reluctantly (I have no wish to have you, or me, expend time and resources unnecessarily). But I do wish to dispute that my request to you was handled according to requirements in part 1 of FOIA.

I am happy to provide any further information you might need.
With best wishes

etc


Filed under Confidentiality, Freedom of Information, Information Commissioner, monetary penalty notice

Will there be blood?

The First-tier Tribunal (Information Rights) (FTT) has overturned a decision by the Information Commissioner that the Northern Ireland Department for Health, Social Services and Public Safety (DHSSPS) should disclose advice received by the Minister of that Department from the Attorney General for Northern Ireland regarding a policy of insisting on a lifetime ban on males who have had sex with other males (“MSM”) donating blood.

On 11 October 2013 the Northern Ireland High Court handed down judgment in a judicial review application, challenging the decision of the Minister and the DHSSPS to maintain the lifetime ban. The challenge arose because, in 2011, across the rest of the UK, the blanket ban which had existed since 1985 had been lifted.

DHSSPS lost the judicial review case, and lost relatively heavily: the decision of the Minister was unlawful for reasons that i) the Secretary of State, and not the Minister, by virtue of designation under the Blood Safety and Quality Regulations 2005, was responsible for whether to maintain or not the lifetime ban, ii) similarly, as (European) Community law dictated that this was a reserved matter (an area of government policy where the UK Parliament keeps the power to legislate in Scotland, Northern Ireland and Wales), the decision was an act which was incompatible with Community law, iii) the Minister had taken a decision in breach of the Ministerial Code, by failing to refer the matter, under Section 20 of the Northern Ireland Act 1998, to the Executive Committee, and iv) although a ban in itself might have been defensible, the fact that blood was then imported from the rest of the UK (where the ban had been lifted) rendered the decision irrational.

Running almost concurrently with the judicial review proceedings was a request, made under the Freedom of Information Act 2000 (FOIA), for advice given to the Minister by the Attorney General for Northern Ireland. The FOIA exemption, at section 42, for information covered by legal professional privilege (LPP) was thus engaged. The original decision notice by the Information Commissioner had rather surprisingly found that it was advice privilege, as opposed to litigation privilege. The IC correctly observed that for litigation privilege to apply

at the time of the creation of the information, there must have been a real prospect or likelihood of litigation occurring, rather than just a fear or possibility

and, because the information was dated October 2011, and leave for judicial review had not been sought until December 2011

at the time the information was created, litigation was nothing more than a possibility

But one questions whether this can be correct, when one learns from the FTT judgment that DHSSPS had been sent a pre-action protocol letter on 27 September 2011. Again rather surprisingly, though, the FTT does not appear to have made a clear decision one way or the other which type of privilege applied, but its observation that

when the request was made judicial review proceedings…were already underway

would imply that they disagreed with the IC.

This discrepancy might lie behind the fact that the FTT afforded greater weight to the public interest in favour of maintaining the exemption. It was observed that

[the existence of the proceedings] at the time of the request seems to us to be an additional specific factor in favour of maintaining the exemption. It seems unfair that a public authority engaged in litigation should have a unilateral duty to disclose its legal advice [para 19]

Additionally, the fact that the advice was sought after the decision had been taken meant that it could give “no guide to the Minister’s motives or reasoning”.

Ultimately – and this is suggestive that the issue was finely balanced – it was the well-established inherent public interest in the maintenance of LPP which prevailed (para 21). This was a factor of “general importance” as found in a number of cases summarised by the Upper Tribunal in DCLG v The Information Commissioner and WR (2012) UKUT 103 (AAC).

Because the appeal succeeded on the grounds that the section 42 exemption applied, the FTT did not go on to consider the other exemptions pleaded by DHSSPS and the Attorney General – sections 35(1)(a) and 35(1)(c), although it was very likely that the latter at least would have also applied.

Aggregation of public interest factors

Because the other exemptions did not come into play, the FTT's observations on the IC's approach to public interest factors where more than one exemption applies are strictly obiter, but they are important nonetheless. As all good Information Rights people know, the European Court of Justice ruled in 2011 that when more than one exception applies to disclosure of information under the Environmental Information Regulations 2004 (EIR), the public authority may (not must) weigh the public interest in disclosure against the aggregated weight of the public interest arguments for maintaining all the exceptions. The IC does not accept that this aggregation approach extends to FOIA, however (see para 73 of his EIR exceptions guidance) and this was reflected in his decision notice in this matter, which considered separately the public interest balance in respect of the two exemptions he took into account. He invited the FTT to take the same approach, but, said the FTT, had the need arisen, the IC would have needed to justify how this "piecemeal approach" tallied with the requirement at section 2(2)(b) of FOIA to consider "all the circumstances of the case". Moreover, the effect of the IC's differing approaches under EIR and FOIA means that

there will be a large number of cases in which public authorities, the ICO and the Tribunal will be required to make a sometimes difficult decision about which disclosure regime applies in order to find out how to conduct the public interest balancing exercise

I am not aware of anywhere that the IC has explained his reasoning that aggregation does not apply in FOIA, and it would be helpful to know, before the matter becomes litigated (as it surely will).

And I will just end this rather long and abstruse piece with two personal observations. Firstly, donating blood is simple, painless and unarguably betters society – anyone who can, should donate. Secondly, denying gay men the ability, in this way, to contribute to this betterment of society is absurd, illogical and smacks of bigotism.


Filed under Environmental Information Regulations, Europe, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

One for the insomniacs – Upper Tribunal on EIRs and commercial confidentiality

In May 2012 I blogged about a case in the First-tier Tribunal (Information Rights) (FTT). It was an appeal by Swansea Friends of the Earth against a decision of the Information Commissioner (IC) not to require the Environment Agency to disclose information relating to financial guarantee arrangements put in place by a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea.

I was critical of the FTT’s approach to breach of confidence, as it applies to the Environmental Information Regulations 2004 (EIR). However, with the handing down of judgment by the Upper Tribunal, following an appeal by Natural Resources Wales, as successor to the Environment Agency, I see I was wrong on two points (one minor, one major), right on another, and my key point was left undecided. Exciting stuff folks – hold on to your hats!

My minor error was to repeat the FTT’s description of Megarry J’s classic tri-partite breach of confidence test in Coco v A N Clark (Engineers) Ltd [1969] RPC 44 as being a common law doctrine. As the Upper Tribunal points out

That, to be correct, is a decision about the equitable doctrine of confidential communication (not the common law) that may arise otherwise than by contract between the parties

Silly me. Silly FTT.

Natural Resources Wales argued before the Upper Tribunal that

there was a statutory obligation in place [militating against disclosure], so that the Agency did not have to rely on equitable grounds

And this goes to my major error, which was to overlook, in striving to make a point of general application about the modern development of the law of confidence, that in this specific case the IC's original Decision Notice had found that the information in question was confidential for the purposes of Regulation 12(5)(e) of the EIR firstly because the provisions of the Pollution Prevention and Control (England and Wales) Regulations 2000 (PPCR) (which were the regulations – since revoked and remade – which applied to the licence in question) effectively made it so, and only secondly because the information and the circumstances by which it came into the Environment Agency's control met the Coco v Clark tests.

Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The Upper Tribunal held that the FTT had erred in law, saying (paragraphs 51-52), as had the IC in the first instance, that relevant provisions of the PPCR meant that confidentiality was “provided by law to protect a legitimate economic interest”:

disclosure of the relevant information would adversely affect confidentiality “where such confidentiality is provided by law to protect a legitimate economic interest”… Here that must be regarded as a reference across to regulation 31 of the 2000 Regulations. Regulation 31(1)(a) makes an express reference to commercial confidentiality. The factual background to these appeals makes it plain that the figures in question here were figures produced within the 2000 Regulations framework and were subject to the necessary application and ruling to protect confidentiality of them

So it was not necessary to consider whether the information was also covered by the equitable doctrine of confidence.

The point on which I was right (in my original post) was regarding whether, or the extent to which, regulation 12(5)(e) of the EIR was directly comparable to the similar section 41 of the Freedom of Information Act 2000 (FOIA). I said

This extension of the FOIA confidentiality principles into the EIR is controversial…

and the Upper Tribunal judge says

the tests in section 41 and regulation 12 are separate and cannot be read together to include in one something in the other simply because they deal with similar issues

which is pretty unequivocal (and see also Chichester District Council v IC and Friel (GIA 1253 2011), cited as authority for the lack of analogy between the two).

Finally, another point I hadn't addressed (although Phil Bradshaw did, in the comments to my original post) concerns the failure by the FTT to distinguish the location of information in documents from the information itself. The FTT had said

the information came into existence through a process of negotiation between the parties

but this surely was not the case – rather, documents, containing information, came into existence through a process of negotiation. But it was the information itself which was caught by regulation 12(5)(e):

the focus is on this information, not on any particular document or form in which those figures are recorded or any process by which they emerged. I accordingly agree with the challengers that in so far as the First-tier Tribunal concerned itself with the specific location of those figures in specific documents produced as part of the licensing process rather than the information itself it was wrong in law

So there you have it. A rip-roaring convoluted run-through of why an obscure old blog post by me was slightly wrong and slightly right. I aim to please.


Filed under Confidentiality, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Photographing sleeping people – data protection implications

Is it ever OK to photograph strangers on a train? asks Nell Frizzell, in a balanced, and nuanced, article in the Guardian

one new public transport phenomenon has recently crashed into my consciousness. Tumblr accounts dedicated to secretly photographing, uploading and then critiquing fellow commuters, have spored like bed bugs on a bus seat.

She correctly points out that domestic law, even to the extent that it gives effect to Article 8 of the European Convention on Human Rights, does not prevent, in general terms, the act of photographing an individual without their consent.

However, the practice she describes, of uploading photographs to social media sites, does engage, and, I would argue, breach, the Data Protection Act 1998 (DPA).

An image of a person is potentially (and in these specific cases almost certainly) their personal data (particularly bearing in mind the observation by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746 that for information to be personal data it “should have the putative data subject as its focus”). The DPA contains an exemption (at section 36) from all the provisions of the DPA for processing of personal data by an individual for the purposes of that individual’s personal, family or household affairs (including recreational purposes) (the “domestic purposes exemption”). It is possible, although arguable, that the mere taking (and no more) of a photograph of someone on a train, would be caught by this exemption. However, once such a photograph is uploaded to the internet, the exemption falls away. This is because the European Court of Justice held, in a 2003 ruling that binds all inferior courts, that personal data posted on the internet could not be caught by the domestic purposes exemption (Lindqvist (Approximation of laws) [2003] EUECJ C-101/01).

That said, the Information Commissioner’s Office (ICO), which regulates the DPA in the UK, has shown reluctance to accept this authoritative statement of the law regarding the online processing of personal data. I have previously written about this, in the context of the ICO’s social media DPA guidance, which sidesteps (or, rather, ignores) the point. However, it might be more difficult for a domestic court (bound by the authority of Lindqvist) to ignore it in the same way, in the event that any case came before one for determination.

But therein lies the (lack of) rub. Uploading a photograph, without consent, of someone sleeping on a train is unfair, and therefore in breach of the first Data Protection Principle (because no Schedule 2 condition exists which permits the processing). But I struggle to imagine the chain of events which could give rise to a claim (for instance, the data subject would have to contact the photographer, or the site, to require them to cease processing on the grounds that doing so was causing, or was likely to cause, substantial damage or substantial distress, and the photographer, or site, would have to refuse).

So, ultimately, even though I’d argue that these sites, and those who upload to them, breach the DPA, the unwillingness of the ICO to exercise jurisdiction, and the unlikelihood of any legal claim emerging, mean that they can probably continue with impunity, unfairness notwithstanding.

As photographer Paul Clarke said in an excellent blogpost on the subject earlier this year

Sticking to rigid rules of law won’t help us very much. This might feel (it does to me) like gross intrusion on privacy. But being offensive is not enough to make something an offence.


Filed under Data Protection, human rights, Information Commissioner, Privacy, social media

CQC and data protection, redux

In June this year I blogged about the furore caused when the Care Quality Commission (CQC) initially refused, citing data protection law, to identify four members of staff who were alleged to have tried to cover up a critical internally-commissioned report into its oversight of the University Hospitals Morecambe Bay NHS Trust.

Even Christopher Graham, the Information Commissioner got involved, saying

This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear

and, perhaps as a result of his intervention, the day after the news broke, the CQC changed position, saying

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

I had wondered if the reason for the initial non-disclosure was because of doubt as to the veracity of the reported cover-up comments, perhaps in conjunction with a challenge by the data subjects, on the basis that publishing that they had made those comments was untrue, and potentially defamatory and, therefore, in breach of the Data Protection Act 1998 (DPA):

on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage

Yesterday, news emerged that the CQC had published a statement on its website exonerating one of the people named

  • Anna Jefferson had not used “any inappropriate phrases” as attributed to her by one witness quoted in the Grant Thornton report; and

  • Anna Jefferson had not supported any instruction to delete an internal report prepared by a colleague – Louise Dineley.

The CQC regrets any distress Anna Jefferson has suffered as a consequence of this matter

So, it looks like someone was wrongly identified as committing an act of misconduct. Ms Jefferson is said to have been “deeply upset” by the allegations, and describes it as having been a “difficult time”.

In a postscript to my original blog post I wondered idly about

the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA

It is possible that the statement on the CQC website is in fact an attempt to avoid this, or alternative, legal action. I wonder if Christopher Graham is going to revisit his comments.


Filed under Confidentiality, Data Protection, defamation, Information Commissioner

Two more years for Chris Graham?

I think one mark of a true information rights nerd is whether they read minutes of meetings at the Information Commissioner’s Office (ICO), which are published, with a generally admirable commitment to transparency, on their website.

While browsing some recent minutes (of the Management Board meeting of 22 July) I noticed something interesting, which I wasn’t aware of (and haven’t seen anyone else pick up on?). Under a heading of “Major issues affecting the ICO” is

The Ministry of Justice has confirmed the Government’s intention to recommend to HM The Queen that Christopher Graham is reappointed as Information Commissioner [IC] for a period of two years following his current tenure ending in June next year.

The IC is a Crown appointment and his or her tenure is set at five years (paragraph 2(1) of Schedule 5 of the Data Protection Act 1998) but, by virtue of paragraph 2(5), he or she may be reappointed, provided he or she is not over 65 and has not already served for fifteen years. The reappointment of Christopher Graham (born 1950) will (if it happens) take him to that retirement age of 65.

This is hardly shock news: all three of Graham’s predecessors as IC (formerly “Data Protection Registrar”) were reappointed after their initial terms of office, and he has, on most objective analyses, performed well in office: he got rid of the appalling backlog of Freedom of Information cases he inherited, and has been an effective stern-faced enforcer of data protection breaches. What he hasn’t done, yet, is see the implementation of the General Data Protection Regulation – the updating of the creaking 18-year-old current European data protection regime. But, given the apparently interminable wrangling about that instrument, one wonders whether an extra two years, starting in June 2014, will even help him achieve that.


Filed under Data Protection, Freedom of Information, Information Commissioner

Unintended FOI consequences

A nice little example of how a Freedom of Information (FOI) request can sometimes bring about an unexpected change, and advance a cause which has little to do with FOI. Although in this instance I'm undecided whether this was a good thing or not.

On 3 January this year the Information Commissioner’s Office (ICO) issued a decision notice in respect of two requests for information made to Thames Valley Police (TVP) relating to

an incident in which the complainant’s driveway was blocked by the vehicle of someone he believes was visiting TVP headquarters

The ICO was satisfied, on the correct test of the balance of probabilities, that TVP did not hold this information.

Nonetheless, the requester appealed that decision to the First-tier Tribunal (Information Rights), which has just issued a decision, in the form of a Consent Order disposing of the proceedings. The Schedule to the Consent Order explains

Thames Valley Police will give full and reasonable consideration to the reinstatement of 6 monthly liaison meetings with residents living in the vicinity of TVP HQ South with the objective of avoiding any unreasonable impact of operational activities on local residents

In consequence of this (and the agreement of the ICO) the request and the appeal have been withdrawn by the requester. So, a satisfactory outcome for the parties was achieved (although one notes that if the meetings are not arranged to the satisfaction of the requester, he will submit a further FOI request about the original incident!).

Of course, it would have been preferable if this compromise could have been agreed in February 2011, when the requests first started. And a large amount of public money has been expended on something which is only very loosely, if at all, related to the aim of FOI (as stated in the explanatory notes to the Act): to provide a right of access to recorded information held by public authorities.

Filed under Freedom of Information, Information Commissioner, Information Tribunal

A million data breaches?

Is it realistic for the ICO to expect all SMEs to encrypt hardware? And if those SMEs don’t, is it realistic to expect the ICO to enforce against what must be mass non-compliance?

Accurate figures for annual thefts and losses of laptops in the UK are not easy to come by – perhaps the most commonly-cited figure is the estimated 1 million from Sony’s Vaio Business Report 2013. On any analysis, though, it’s a relatively common occurrence.

A large proportion of these will be laptops containing personal data of people other than the owner of the device. And in many cases the device, or part of it, will be used for business purposes, often by small and medium-sized enterprises (SMEs). Personal data processed solely for domestic purposes is outwith the obligations of the Data Protection Act 1998 (DPA), but any personal data processed for business purposes is caught by the Act, and the person or business processing that data is likely to be a data controller.

As data controller, they will have an obligation inter alia to take “Appropriate technical and organisational measures …against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (Principle 7 of Schedule One, DPA). A serious contravention of this obligation, of a sort likely to cause serious damage or serious distress, can lead to the Information Commissioner’s Office (ICO) serving the data controller with a Monetary Penalty Notice (MPN), under section 55A, to a maximum of £500,000.

And so it was this week that the ICO served Jala Transport Ltd, an oddly-named loans company, with an MPN of £5000 after

a hard drive containing financial details relating to all of the sole proprietor’s approximately 250 customers…[was stolen] from the business owner’s car while it was stationary at a set of traffic lights in London

The hard drive was in a case, with documents and some cash, and has still not been recovered.

Despite one’s possible distaste for the nature of the business involved (it may be difficult to muster much sympathy for a loans company), this case raises some interesting points, specifically for small-to-medium enterprises (SMEs) but also in general.

The MPN itself reveals that the business did not have a backup of the hard drive. This is a ridiculous oversight, when secure storage is simple, and cheap. But

it was taken home at the end of each working day for business continuity purposes and to reduce the risk of damage or theft

However, by not

closing the car window and placing the briefcase in the boot of his car or out of sight

this unsuccessful but probably well-meaning attempt at data security – and a business continuity plan – became an aggravating factor.

However, what really did for the proprietor was, “crucially”, that although the laptop was password-protected, it was not encrypted, and this led the ICO to repeat previous warnings about the need for encryption in these circumstances

We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected…if the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act

Several questions are raised by this case, and by this approach by the ICO. Firstly, encryption, for individual devices, is not necessarily straightforward, and carries its own risks (not least that a lost or forgotten key makes the data unrecoverable, so a backup becomes all the more important). This is not to say that attempts should not be made at either full disk encryption or file/folder encryption, but not all SMEs necessarily have the time or expertise to explore this effectively. Secondly, one notes that one of the reasons the MPN was imposed was because the ICO felt that the serious contravention of the DPA was of a sort likely to lead to serious damage in the form of identity theft. It was a very similar argument that the Information Tribunal recently refused to accept as being a likely consequence of another serious contravention, when it upheld Scottish Borders Council’s recent MPN appeal. £5000 is not a huge amount, and the time and expense of pursuing an appeal might be too much, but it will be interesting to see if one is lodged.

Finally – following on from the point that encryption of single standalone devices isn’t necessarily straightforward – one has to wonder how many of those estimated one million lost and stolen laptops were encrypted, and, of those that weren’t, how many contained personal data which required the relevant data controller to observe the security obligations of the DPA. Jala Transport appears to have taken the admirable, but perhaps ill-conceived, decision to report the theft to the ICO itself (and may now be regretting that decision).

If all the data controllers of those thousands and thousands of laptops lost or stolen annually reported the loss to the ICO, how many would have to own up to lack of encryption, and be liable to a similar or possibly larger MPN? And could the ICO possibly cope with the workload?

Filed under Breach Notification, Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice, Uncategorized

It’s our Right to Know, Mr ICO

On 29 August the Information Commissioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding, on the part of many, about the risk of inadvertently disclosing personal data on the web. In view of this, I thought I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and the Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrast, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday, on the twentieth working day, with a link to their disclosure log.

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084, “‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many, many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment, by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N. Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes
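The “hidden cells in spreadsheets” problem mentioned in the request above is one a publishing team can actually check for before a file goes out of the door, because an .xlsx file is just a zip of XML parts and the hiding is recorded as attributes (a sheet with state="hidden" or "veryHidden", a column or row with hidden="1") while the data stays in the file. The following is an added example, not code from the ICO or from this blog: a small pre-publication checker written against the standard library only. It builds a constructed two-sheet workbook (the sheet names, column layout and cell values are invented for illustration; a real file also carries [Content_Types].xml and _rels/.rels, which the checker does not need) and then reports every hidden sheet, column and row it finds.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by workbook.xml, the worksheet parts and the rels part.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
WS_TYPE = NS_REL + "/worksheet"


def build_sample_workbook() -> bytes:
    """Constructed sample (not a real file): 'Summary' has a hidden column C and a
    hidden row 3; 'Raw data' is a hidden sheet. Only the parts the checker reads are
    written, so this is a minimal package rather than a fully valid .xlsx."""
    workbook = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>
<sheet name="Summary" sheetId="1" r:id="rId1"/>
<sheet name="Raw data" sheetId="2" state="hidden" r:id="rId2"/>
</sheets></workbook>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_PKG}">
<Relationship Id="rId1" Type="{WS_TYPE}" Target="worksheets/sheet1.xml"/>
<Relationship Id="rId2" Type="{WS_TYPE}" Target="worksheets/sheet2.xml"/>
</Relationships>"""
    sheet1 = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{NS_MAIN}">
<cols><col min="3" max="3" width="0" hidden="1"/></cols>
<sheetData>
<row r="1"><c r="A1" t="inlineStr"><is><t>Case</t></is></c><c r="B1" t="inlineStr"><is><t>Total</t></is></c><c r="C1" t="inlineStr"><is><t>Name</t></is></c></row>
<row r="2"><c r="A2"><v>1</v></c><c r="B2"><v>1200</v></c><c r="C2" t="inlineStr"><is><t>A. Person (constructed)</t></is></c></row>
<row r="3" hidden="1"><c r="A3"><v>2</v></c><c r="B3"><v>800</v></c><c r="C3" t="inlineStr"><is><t>B. Person (constructed)</t></is></c></row>
</sheetData></worksheet>"""
    sheet2 = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{NS_MAIN}"><sheetData>
<row r="1"><c r="A1" t="inlineStr"><is><t>Client</t></is></c><c r="B1" t="inlineStr"><is><t>Note</t></is></c></row>
<row r="2"><c r="A2" t="inlineStr"><is><t>C. Person (constructed)</t></is></c><c r="B2" t="inlineStr"><is><t>constructed note</t></is></c></row>
</sheetData></worksheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


def _part_path(target: str) -> str:
    # Rels targets are relative to xl/ unless written as an absolute package path.
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def find_hidden_content(xlsx_bytes: bytes) -> list:
    """Return (kind, sheet_name, detail) tuples for every hidden sheet, column and
    row. Anything listed here is still inside the file and would be published."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")
            ws = ET.fromstring(z.read(_part_path(targets[sheet.get(f"{{{NS_REL}}}id")])))
            if state != "visible":  # "hidden" or "veryHidden": data still present
                cells = sum(1 for _ in ws.iter(f"{{{NS_MAIN}}}c"))
                findings.append(("hidden_sheet", name, f"state={state}, {cells} cells"))
            for col in ws.iter(f"{{{NS_MAIN}}}col"):
                if col.get("hidden") in ("1", "true"):
                    findings.append(("hidden_column", name, f"columns {col.get('min')}-{col.get('max')}"))
            for row in ws.iter(f"{{{NS_MAIN}}}row"):
                if row.get("hidden") in ("1", "true"):
                    findings.append(("hidden_row", name, f"row {row.get('r')}"))
    return findings


if __name__ == "__main__":
    for kind, sheet, detail in find_hidden_content(build_sample_workbook()):
        print(f"{kind:14} sheet={sheet!r:12} {detail}")
```

Three findings come back for the sample: the hidden sheet “Raw data” (with a count of the cells it still holds), hidden column 3 on “Summary” and hidden row 3 on “Summary”. The point of the check is the same one the ICO blog post makes: hiding is a display setting, not a deletion, so the defensible route before publishing is to copy the visible values into a fresh file rather than trust what the screen shows. Pivot-table caches and formulas that reference another workbook are further places data can linger; the checker above does not look for those.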

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency