Category Archives: Information Commissioner

It’s not fine.

About the rather odd Friday afternoon news that the ICO has served enforcement notices, not monetary penalties, on three police forces

In February 2011 the Information Commissioner (IC) served civil Monetary Penalty Notices (MPNs) under section 55A-E of the Data Protection Act 1998 (DPA) on Ealing and Hounslow Councils (£80,000 and £70,000 respectively), after two unencrypted laptops containing sensitive personal data of approximately 1700 individuals were stolen. The Councils had a joint working arrangement whereby Ealing would provide an out-of-hours service on behalf of both councils. The MPNs were fair enough – the IC and others had been saying for some time that encryption of hardware was a necessary data security measure, and even though Ealing Council had a policy on this, it issued the laptops to an employee in breach of it. Hounslow took the hit because they didn’t have a written contract in place to describe and prescribe the collaborative working arrangements it had entered into with Ealing.

One might have wondered, more than two years further on, what size of monetary penalty a data controller would receive if it had also entered into a joint working arrangement in the absence of a written contract, but had failed to carry out a risk assessment, simply relying on what turned out to have been inadequate security measures taken by one of the parties, and several unencrypted laptops containing the sensitive personal data of approximately 4500 individuals were stolen.

The answer (unless MPNs are to follow) based on the IC’s news release and blog today about three police forces, appears to be that no MPNs of any size will be served. Rather, enforcement notices have been issued, requiring the police forces to appoint Senior Risk Information Owners (you mean they haven’t got them already?), encrypt all portable devices (you mean they don’t already?), ensure appropriate security measures are taken to protect personal data (you mean they aren’t already?), and ensure officers have received training on the security requirements of the DPA (you mean…etc, etc, etc).

Don’t get me wrong, enforcement notices are an important part of the IC’s regulatory weaponry (I just wish he’d use them on FOI miscreants) but they are a step down from MPNs, and they don’t really serve as a punishment for serious contraventions of the DPA, but merely act as a warning.

Clearly, considerable discretion is conferred on the IC as to what sort of enforcement action is appropriate, but, on the facts, and on comparison with previous MPNs, it is very hard to avoid the conclusion that: the contraventions of the DPA were serious; they were likely to cause damage or distress which was significant; and the police forces knew or ought to have known that there was a risk that a contravention of this kind would occur but failed to take reasonable steps to prevent it. In those circumstances, the relevant conditions for an MPN exist, and I struggle to understand why none transpired.

I do note that the laptop thefts were in August 2010, but this was after DPA provisions conferring the power on the IC to serve MPNs were commenced. I also note that the data subjects appear to have been criminals, but information about criminality is sensitive personal data under the DPA and accorded a higher level of protection.

I’ve asked the ICO on twitter if they can tell me why MPNs were not served. I don’t really expect an answer – it’s a thorny question, and probably doesn’t qualify as an FOI request, but I am, genuinely, interested to know. If anyone has any ideas, I’d like to hear them.

Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, police

Sony and confidentiality of proceedings

Why I think Sony are wrong to claim they withdrew their databreach fine appeal because of concerns about disclosing sensitive information

So, Sony have withdrawn their appeal of the £250,000 Monetary Penalty Notice served on them by the Information Commissioner (ICO), following the 2011 hack of the PlayStation Network which exposed the details of millions of subscribers. I blogged at the time

my suspicious nature makes me wonder if they will ultimately pursue the appeal. Although it will cost them nothing, this isn’t about cost, but reputation, and do Sony really want to risk another day of bad headlines about their data security, in the event that they lose the appeal?

Whether the fear of further publicity was a factor in the withdrawal is impossible to say, but Sony’s public statements about the withdrawal hark back to another point I noted at the time. The ICO’s notice was heavily redacted, clearly to avoid disclosing commercially confidential or sensitive aspects of Sony’s network security, in line with the ICO’s commitment to do so (7.3 in his Monetary Penalty Guidance). However Sony, in withdrawing their appeal to the First-tier Tribunal, now say

After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits

This rather disingenuously overlooks the fact that the Rules which govern tribunal proceedings expressly allow for parts of the hearing to be in private (Rule 35.2 of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009). So, while they are entitled to continue to disagree with the decision on the merits (reminds me of the cricket umpire who, when confronted with a batsman saying “That wasn’t out!” replied “Oh no? Let’s see what the newspapers say in the morning”) everyone else can be satisfied that Sony were correctly served a £250,000 Monetary Penalty Notice for a serious contravention of the Data Protection Act 1998, and that they chose not to pursue their right of appeal. And they’ve missed their chance for a 20% early payment discount (although that’s hardly going to worry their financial backers).

It’s a victory for the ICO, as well: he is often criticised for failing to take on the big private sector tech and social media companies. In this case, he did, and he won.

Filed under Confidentiality, Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice

The future of the ICO’s funding and functions

In February of this year the House of Commons Justice Committee took evidence from the Information Commissioner and his two deputies, and in March published a lengthy, sympathetic and wide-ranging report on The functions, powers and resources of the Information Commissioner. The Committee has now published the government response, which was in the form of a letter from Lord McNally, Minister of State for Justice. With the greatest of respect for the Ministry of Justice, the response seems to be little more than a deft kick into touch. Here are some examples.

Funding

The report raised various concerns about future funding for the Information Commissioner’s Office (ICO). Firstly, it noted that the ICO cannot use the money it receives for FOI work in the form of grant-in-aid for Data Protection work, nor can it use the funding it receives for Data Protection work from notification fees for FOI work. The report recommended that

The Government should consider relaxing the governing rules around virement and overheads

Lord McNally’s response says

…my officials have been working with the ICO to explore the potential for greater flexibility in the way the ICO apportions shared costs between the Freedom of Information (FOI) and Data Protection (DP) funding streams, in line with the Committee’s recommendation

Which adds little, if any, new information.

The report also noted that, if the European draft General Data Protection Regulation (GDPR) is passed in its current form, the ICO’s main funding for Data Protection work – notification fees – will be removed. It recommended

The Government needs to find a way of retaining a fee-based self-financing system for the data protection work of the Information Commissioner, if necessary by negotiating an option for the UK to retain the notification fee or introduce an alternative fee. If the Government fails to achieve this, the unappealing consequence will be that funding of the ICO’s data protection work will have to come from the taxpayer.

To which Lord McNally replied

The work we intend to undertake in partnership with the ICO will include drawing upon research commissioned by the ICO into future funding options, and analysis they have done into the effectiveness of the tiered notification fee system which has been in place since 2009. I would like to reassure the Committee that the Government is committed to ensuring that the Information Commissioner is appropriately resourced.

Er, OK, but does that really say anything at all?

Independence of ICO

The Committee had linked the issue of adequacy of resources to the ICO’s relationship with the executive. If the regulator is reliant on government grant, can it really be sufficiently independent? Their recommendation was

With the potential removal of the notification fee through the EU Regulation, we reiterate our recommendation that the Information Commissioner should become directly responsible to, and funded by, Parliament

Previously, during a Westminster Hall debate in January, justice minister Helen Grant had been clear that the government did not think this was appropriate. Lord McNally though was – again – equivocal

Whilst there are currently no plans for the Information Commissioner to be a Parliamentary body or to be funded by Parliament, the work we are taking forward on the ICO’s long-term funding and operating model will consider the range of recommendations that have been made by your Committee and others, including Lord Justice Leveson in relation to the future powers, governance and accountability arrangements of the ICO. I look forward to updating the Committee in due course.

Custodial data protection offences

On the subject of whether, finally, custodial sanctions for section 55 data protection offences should be commenced (see Pounder et al, passim), the Committee was clear

We call on the Government to adopt our previous recommendation, as well as that of the Home Affairs Committee, the Joint Committee on the Draft Communications Data Bill and the Leveson Inquiry, and commence sections 77 and 78 of the Criminal Justice and Immigration Act 2008 to allow for custodial sentences for breach of section 55 of the Data Protection Act 1998.

On this at least Lord McNally had a small piece of actual news. The government is to consult on Lord Justice Leveson’s proposals on data protection arising from his inquiry into the culture, practices and ethics of the press

It is…the Government’s view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to make an Order introducing custodial sentences under section 77 CJIA (a statutory requirement), which will seek views on their impact and how they might be approached.

Compulsory data protection audits

Finally, the Committee had noted the reluctance of some public sector organisations to submit to the offer of a data protection audit by the ICO. They found it “shocking” that this should be the case (sensitive souls eh?) and recommended that the power of compulsory audit should be extended (it currently applies to government departments)

We recommend the Secretary of State bring forward an order under section 41A of the Data Protection Act to meet the recommendation of the Information Commissioner that his power to serve Assessment Notices be extended to NHS Trusts and local councils.

Lord McNally confirmed that consultation was already under way regarding the extension of this ICO audit power to compel NHS bodies to submit, but he was – you’ve guessed it – equivocal on whether local government would be similarly compelled

There are currently no plans to extend the Information Commissioner’s powers of compulsory audit to local government but the Department for Communities and Local Government are taking a partnership approach to improving local government’s compliance with data protection principles.

I can’t help seeing Lord McNally’s response as little more than a polite nod to the Justice Committee. It promises very little (other than a consultation on Leveson’s data protection proposals, which, given the continuing wrangles over the GDPR, I can’t see achieving much quickly) and delivers nothing immediate. However, the ICO tweeted this morning that it welcomed the response regarding funding and powers, so maybe the future of the independent regulator of transparency and privacy is being decided behind closed doors.

Filed under Data Protection, Europe, Freedom of Information, Information Commissioner, transparency, Uncategorized

Substantial distress or just a nuisance?

Can a large number of nuisance calls to a large number of people, none of whom individually suffers substantial distress, still equate to cumulative substantial distress, for the purposes of the PECR (and the DPA)?

I blogged recently in praise of the enforcement action taken by the Information Commissioner’s Office (ICO) against nuisance-caller companies, and I see that a further penalty notice has been served this week, on a “marketing company”. With considerable reluctance, though, I am drawn to a view that the ICO might be taking a flawed, or at least questionable approach to the enforcement. I say “reluctance” because I think the problem of nuisance calls is one that calls out for strong enforcement powers and the will to exercise those powers (I also think it’s a problem, by the way, that the BBC should, without apparent comment, continue to broadcast a programme which provides a platform for two companies who have received penalties totalling £225,000 for engaging in the practice).

The enforcement action is taken under the ICO’s powers conferred by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The latter imported into the former the powers conferred on the ICO by the Data Protection Act 1998 (DPA) to serve, in appropriate circumstances, a civil monetary penalty notice (MPN) on a data controller where

(a) there has been a serious contravention of section 4(4) by the data controller,

(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and

(c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller—

(a) knew or ought to have known —

(i) that there was a risk that the contravention would occur, and

(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b) failed to take reasonable steps to prevent the contravention.

(emphasis added)

What all this means, effectively, is that the ICO has two powers available to serve an MPN (to a maximum of £500,000): firstly, for a qualifying breach of the DPA, secondly for a qualifying breach of the PECR. He has exercised the former several times over the last three years, but has only exercised the latter more recently (the first time was in November last year). MPNs under the DPA have been for egregious breaches (e.g. highly sensitive information faxed numerous times to the wrong recipients, loss of unencrypted memory stick with details of people linked to serious crimes). In these circumstances it has not been difficult for the ICO to be satisfied that

such a contravention would be of a kind likely to cause substantial damage or substantial distress

However, what about when hundreds of nuisance calls have been made to hundreds of individuals? It is surely in the nature of nuisance calling that it is rarely (although not never) going to cause an individual substantial distress. The ICO says, in what appears effectively to be standard wording in PECR MPNs

The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress as required by section 55 (1) (b) because of the large numbers of individuals who complained about these unsolicited calls and the nature of some of the complaints they gave rise to…Although the distress in every individual complainant’s case may not always have been substantial, the cumulative amount of distress suffered by the large numbers of individuals affected, coupled with the distress suffered by some individuals, with some receiving multiple calls, means that overall the level was substantial.

In adopting this “cumulative distress” approach the ICO refers to his own guidance on the issuing of monetary penalties, issued under section 55C(1) of the DPA. This guidance (which applies to PECR as well as DPA) says

The Commissioner does…consider that if damage or distress that is less than considerable in each individual case is suffered by a large number of individuals the totality of the damage or distress can nevertheless be substantial.

As far as I am aware this approach has only been used when issuing PECR MPNs, not DPA ones. But is it the correct approach? I’m not so sure. The law requires the contravention (of the PECR or DPA) to have been of a kind likely to cause “substantial distress”, not “substantial instances of distress”, and one could argue that, if the latter is what Parliament intended, Parliament would have said so (although, as is often the case, one can turn that around and say that, if Parliament had not intended the ICO to cumulate instances of distress, it would have restrained him from so doing). To me, though, the ICO’s approach seems wrong. But when I put the scenario to two lawyers, they agreed with the ICO, and to two lay-people, they agreed with me. I’m not sure what the lesson to be drawn there is.

I suspect this will be tested, and I note that Christopher Niebel’s appeal of his PECR MPN is listed for a five-day hearing before the First-tier Tribunal in October. And Sony’s appeal of their DPA MPN is listed for a four-day hearing before the First-tier Tribunal in November. Although the “cumulative distress” approach was not explicitly cited by the ICO in Sony’s MPN, one could argue that finding out that a data controller has lost one’s name, address, email address, date of birth and account password is unlikely to be capable of causing individual substantial distress.

I should stress that I think there should be sanctions for organisations which commit serious contraventions affecting large numbers of people, even where individual distress is not substantial. I think that nuisance caller companies are, er, a nuisance, and deserve to be targeted robustly by a regulator. And I actually hope I’m wrong on the meaning of “substantial distress”.

Postscript:

Very interestingly (well I think so) there are reports that the government is considering proposing legislative changes to alter the threshold whereby substantial damage or substantial distress must be demonstrated. Whether this is simply to bring larger numbers of nuisance-calling companies into the ICO’s sights, or whether it is to address perceived weaknesses in current legislation, remains to be seen (it might be both, of course).

Postscript 2:

Recently-published minutes from the ICO’s Management Board of 22 July support my view. They say

Civil monetary penalties for offences under PECR were discussed further. There are concerns about the requirement to show substantial damage and distress when what was happening was minor inconvenience to many people; ie in receiving spam texts.

Niebel’s appeal is happening this week (Sony dropped theirs). We will know soon whether the laudable attempts by the ICO to punish nuisance calling will be defeated by what was perhaps inadequate legislative drafting.

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice, PECR, Uncategorized

Who’s to blame for the Ministerial Veto?

The people to blame for our not being able to see Prince Charles’ lobbying correspondence with the government are not the judges – it’s the people who passed the FOI Act.

So, perhaps to no one’s great surprise, the judicial review application by the Guardian’s Rob Evans of the Attorney General’s ministerial veto has failed. As three of 11KBW’s array of brilliant information law advocates were instructed in the proceedings, I am sure we will see a Panopticon blog post shortly, and I wouldn’t try to compete with what will be the usual clear and percipient legal analysis (for which, also, see this excellent post from Mark Elliott). However, I wanted to address what I see as a potential misapprehension that this was an expression by the High Court that it agreed that the Attorney General was correct to issue a certificate vetoing disclosure of correspondence between Prince Charles and government departments. While the natural outcome of the court’s judgment is that the correspondence will not be disclosed, what was actually to be decided, and ultimately was decided in the Attorney General’s favour, was whether the exercise of his powers was lawful.

Under section 53(2) of the Freedom of Information Act 2000 (FOIA) a decision notice issued by the Information Commissioner (IC) (or later remade by a tribunal) ceases to have effect if an “accountable person” (effectively, either a Cabinet Minister or the government’s senior law officer) issues a certificate stating that he has “on reasonable grounds” decided that there was in fact no prior failure by the government department in question to comply with a request for information under FOIA. It is a power of executive override of a decision made by the statutory regulator (the IC). Its place in the statutory, and constitutional, scheme is what people should be objecting to, particularly in light of what the court in this case found.

The case dates back to the earliest days of the commencement of FOIA. Evans had requested correspondence between Prince Charles and various government departments, but those departments had refused to disclose. In a detailed and complex analysis the Upper Tribunal (the case having been transferred from the First-tier Tribunal) last September decided that, although the FOIA exemption (at section 37) relating to communications with the Royal Household was engaged, the public interest fell in favour of disclosure of the information (two points of note: first, the section 37 exemption, which was at the time of the request a qualified one, subject to the application of the public interest, has since been amended to make it absolute; second, there were other exemptions engaged, but the section 37 was the focal one). 

There was potentially a further right of appeal, to the Court of Appeal and, ultimately, the Supreme Court. So why did the government not follow this route? The Campaign for Freedom of Information have issued a press release in which their Director Maurice Frankel says “Ministers should have to appeal against decisions they dislike and not be able simply to overturn them”. I agree (of course) but the reason the government departments did not appeal in this case is because any appeal would have had to have been on a point of law – the more senior courts could not have substituted different findings of fact, or decided whether an exercise of discretion should have been exercised differently. In short, I suspect the government did not appeal because they knew they would have been unsuccessful (or rather, their lawyers would presumably have advised, as lawyers do, that the chances of success were low).

Davis LJ, giving the leading judgment in the High Court, identified that

The underlying submission on behalf of the claimant is, in effect, that the accountable person is not entitled simply to prefer his own view to that of the tribunal

to which he countered

why not? It is inherent in the whole operation of s.53 that the accountable person will have formed his own opinion which departs from the previous decision (be it of Information Commissioner, tribunal or court) and may certify without recourse to an appeal. As it seems to me, therefore, disagreement with the prior decision…is precisely what s.53 contemplates, without any explicit or implicit requirement for the existence of fresh evidence or of irrationality etc. in the original decision which the certificate is designed to override. Of course the accountable person both must have and must articulate reasons for that view…[It] is for the accountable person in practice to justify the certification. But if he does so, and that justification comprises “reasonable grounds”, then the power under s.53(2) is validly exercised. Accordingly, the fact the certificate involves, in this case, in effect reasserting the arguments that had not prevailed before the Upper Tribunal does not of itself mean that it is thereby vitiated

The power to issue a certificate exists under section 53(2), even if, as Lord Judge said, such a power “appears to be a constitutional aberration”. If it exists, it can be exercised, subject to it being done so lawfully. To admit of another interpretation, says Davis LJ, would be (taken with the claimant’s other arguments) to

greatly [narrow] the ostensible ambit of s.53. As a matter of statutory interpretation I can see no justification for such a limitation, either on linguistic grounds or on purposive grounds

Parliament chose to enact s53, and any potential inherent constitutional imbalance or threat to the rule of law in its having done so is overcome by the availability of judicial review:

for the purposes of s.53 of FOIA, Parliament has provided the procedure by which this statutory provision is to be mediated. It is to be mediated, on challenge by way of judicial review, by the courts assessing whether the Secretary of State has certified “on reasonable grounds”. That involves no derogation from the fundamental principle of the rule of law: on the contrary, it is an affirmation of it.

For the same reasons, any challenge as to whether the exercise of the veto (as applied to environmental information under the Environmental Information Regulations 2004) offends the relevant sections of the originating EC Directive and the Aarhus Convention (specifically, those that deal with the need to have a “review procedure”) could also be met by reference to the availability of judicial review (although one wonders, along with the Aarhus Convention Compliance Committee, whether judicial review meets the requirement to be not “prohibitively expensive”).

And ultimately, and relatively straightforwardly, it fell to the court to

consider whether the Attorney General has shown in the present case reasonable grounds for certifying as he did…[and] the Statement of Reasons appended to the certificate, once carefully read and analysed, does indeed demonstrate such “reasonable grounds”. The views and reasons expressed as to where the balance of public interest lies are proper and rational. They make sense. In fact, I have no difficulty in holding them to be “cogent”. Indeed – especially given that the Attorney General’s reasons and conclusions are in many respects to the like effect as those previously provided by the Information Commissioner – it will be recalled that the Upper Tribunal had itself, in paragraph 4 of its decision, acknowledged that there are “cogent arguments for nondisclosure”

So, if you want to criticise the fact that the Attorney General was allowed to veto disclosure of Prince Charles’ correspondence with the government, don’t criticise the judges, don’t even criticise (too much, at least) the Attorney General himself – rather, criticise Parliament which passed the law.

UPDATE: 25 July 2013

The Guardian reports that permission has been granted to appeal to the Court of Appeal.

Filed under Environmental Information Regulations, Europe, Freedom of Information, Information Commissioner, transparency, Uncategorized

ICO Social Media Guidance – Shirking Responsibility?

The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.

The Guidance

Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public entitled “Social networking and online forums – when does the DPA apply?”. The short answer, applying European law, should be “always”. But this would (a) make the guidance rather short, and (b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.

The guidance says

The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes

There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.

The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.

This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.

The Law

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that

This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity

and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing

of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

These provisions are given domestic effect in section 36 of the DPA, which says

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]

In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that

[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people

Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said

the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]

Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.

The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says

the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication

Try as I might I cannot square this with ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation that

There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…

One might take a moment to reflect on what is being said here. The paper’s author appears to understand the meaning of Lindqvist, regarding the lack of exemption for information posted openly on the internet, but says the ICO doesn’t (wholly) accept what is the binding decision of the ECJ.

One possible justification for the position lies in the additional wording Parliament inserted into section 36 of the DPA relating to “recreational purposes” (although, as I note above, the new guidance doesn’t put much emphasis on this). It is perhaps possible to construe this – as the ICO clearly does – to permit the section 36 exemption to extend to internet publication of personal data. Indeed, the apparently interminable infraction proceedings brought against the UK by the European Commission (tracked doggedly by Dr Chris Pounder) for numerous examples of apparent lack of proper domestic implementation of the Directive include criticism that

the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.

However, even if this addition of “recreational purposes” to the UK statutory scheme arguably extends – perhaps impermissibly – the ambit of the exemption, the ICO was told in unequivocal terms in The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB) that

The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully

In Kordowski the ICO had been asked by the Law Society to intervene to prevent the publication of defamatory and unfair postings on a website called “Solicitors from Hell”. The ICO had declined, citing – in a letter to the Law Society – the domestic purposes exemption as the reason for not investigating

I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.

Tugendhat J expressed his sympathy

with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works

but said that the ICO had an obligation to investigate a complaint “where there is no room for argument that processing is unlawful”.

The ICO (in the form of David Smith, the Deputy Commissioner responsible for data protection) has argued that the mistake the ICO made in the Kordowski matter was in holding that the site owner and administrator (Kordowski himself) was covered by the section 32 exemption. He does not appear to accept that the people submitting the “ratings” and comments about solicitors were not covered by the same

we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]

While this is an interesting argument, that the site owner, as clearly the primary data controller, holds some sort of primary liability for publication on his or her site, while those posting on it are exempt because of the domestic purposes exemption, it is hugely problematic. This is because, firstly, it is inconsistent with the judgment in Lindqvist and, secondly, because it tends towards an illogical argument that an individual commenter on a site, perhaps a social media site, posting a defamatory, or even a criminal, statement, does so only for domestic purposes.
European developments

In Kordowski the judge’s sympathy rested in part on the fact that the DPA, and the ICO who must regulate it, are creatures of the 1995 Directive

In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities

In January 2012 the European Commission began the lengthy process of introducing a new European data protection framework. The draft General Data Protection Regulation (GDPR) retains exemption provisions for domestic activities, and introduces new concepts: Article 2(2) states

This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]

and Recital 15 explains

This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]

This might shift the scenery set by Lindqvist to a degree, and it is possible that the ICO’s guidance, although dealing with the current DPA, was written with an eye on the European developments. Indeed, the rest of Recital 15 says

the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.

However, it is to be noted that Peter Hustinx, the European Data Protection Supervisor, did not think the draft domestic purposes provisions of the GDPR were adequate

Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes on a wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall under the exemption.

But a final development has occurred with the release on 31 May of the Irish Presidency of the Council of the European Union’s Justice and Home Affairs draft compromise text, which adds to Recital 15 the following words

Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.

One wonders if the ICO was aware, when drafting his Social Media Guidance, of this development. However, and while it remains to be seen what the GDPR will ultimately say, much could still turn on what “undertaken within the context” means within Recital 15.

And we should not get ahead of ourselves. The ICO regulates the DPA, and as the (European) law currently stands, the act of referring to a person on the internet does not attract the domestic purpose exemption. The ICO guidance implies it might. Will this be challenged?

Filed under Data Protection, defamation, Europe, GDPR, Information Commissioner, social media

CQC allegations and data protection

Data Protection laws have been said to be behind the decision not to name CQC officials alleged to have covered-up a damning internal report. Oh really? Well, yes, perhaps, I argue.

News bulletins today lead with the story that the Care Quality Commission apparently engaged in a cover-up of an internal review report critical of its oversight of University Hospitals Morecambe Bay in 2010, an NHS Trust now subject to investigations over the deaths of at least eight mothers and babies. The allegations of a cover-up were made by a whistleblower interviewed as part of an investigation by Grant Thornton, who were commissioned by CQC to look into its own activities. Potentially particularly damning are remarks at the time attributed to a senior manager at CQC regarding the alleged suppression of the original internal review report

Are you kidding me? This can never be in a public domain, nor subject to FOI

The Grant Thornton report, as published, has redacted the name of this senior manager and a colleague. And the Data Protection Act 1998 (DPA) is pleaded in defence of the redaction. As the Telegraph reports

The names of two individuals who ordered the destruction of evidence of the Care Quality Commission’s failure to investigate the University Hospitals of Morecambe Bay NHS Trust have been redacted from an official report…David Prior, the new chairman of the CQC, said that the names had been redacted because of “data protection concerns” and because the watchdog fears being sued…”to publish it with the names would breach the Data Protection Act. We would have been open to being sued on that basis”

As a number of people have pointed out, this is certainly questionable. Ben Bradshaw MP is reported by the Guardian as saying in Parliament that

the [Data Protection Act] allows exceptions in cases where protecting the public is an issue

and, in a thundering editorial, Health Policy Insight say the decision

is, quite simply, bullshit…Nor is it just a minor pellet of bullshit. This is epic, hog-whimpering and noxious bullshit…The Data Protection Act affords specific exemption at Section 55 2(d) “to a person who shows … that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”…Moreover, the Information Commissioner’s Office, which enforces the Data Protection Act, is explicit in its advice on Principles One and Two (those dealing with an individual personal data) that fairness is crucial: “it depends on whether it would be fair to do so … personal data must not be processed for any purpose that is incompatible with the original purpose or purposes”

While I admire the level of polemic, HPI are rather mistaken in their analysis of the DPA. And I submit that it was not necessarily wrong for David Prior to be advised that disclosure of the name of the person might breach the DPA. I would stress that I am not suggesting that those responsible for failures at CQC should not be accountable for those failures, nor, if it is true that the original internal review report was suppressed, that those who did so should not also be accountable. What I do suggest is that, on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage. I say this despite the parliamentary statement by the Secretary of State for Health, to the effect that he had not wanted the redactions, and that

There should be no anonymity, no hiding place, no opportunity to get off scot free for anyone at all who was responsible for this

(On this, we should perhaps remember the unlawful decision by Mr Bollocks [ed: Balls] peremptorily to require the dismissal of Sharon Shoesmith. Politicians are first and foremost politicians. They are not generally there to be lawyers or employers.)

The name of the person involved is clearly going to constitute “personal data” according to the definition in section 1(1) of the DPA. And, for these purposes, the “data controller” (with whom lies the decision as to whether to disclose or redact, and to whom liability for a breach of the DPA attaches) is CQC itself. HPI cite section 55(2)(d) of the DPA, which broadly provides that the offence of unlawfully obtaining personal data does not apply if it has been done in the public interest. This provision deals with a criminal offence of inter alia disclosing personal data without the consent of the data controller. This clearly does not apply here.

HPI are correct, however, in pointing to the first principle (as listed in Schedule One) of the DPA, and its reference to fairness (although they are talking nonsense when they refer to the first two principles being those “dealing with an individual personal data” [sic] – the whole of the DPA applies to an individual’s personal data). The first principle provides that the processing (and disclosure of a name will be “processing” under the DPA) of personal data must be fair and lawful.

When deciding whether names of public officials should be disclosed (albeit in response to a Freedom of Information request) the Information Commissioner (ICO) says

[the public authority] must decide whether disclosure would breach Principle 1 of the Data Protection Act (the DPA), ie whether it would be fair and lawful to disclose the information.

Whether the disclosure is fair will depend on a number of factors including:

the consequences of disclosure;

the reasonable expectations of the employees; and

the balance between any legitimate public interest in disclosure and the rights and freedoms of the employees concerned…

These are the factors CQC would need to take into account, and one can see that a balancing exercise would ensue. The consequences of disclosure – of what appear merely to be allegations – for the person or persons involved could be grave, and be an important factor in identifying what his or her rights and freedoms are. On the other side, there would appear to be a clear public interest in disclosure, notwithstanding that, I repeat, these are mere allegations, on the basis that someone taking such a significant decision as to try (allegedly) to suppress publication of the adverse report should be accountable (as should the CQC as their employer) for such actions. The issue as to reasonable expectations is more difficult however. If the person or persons has been told in explicit terms that their name will not be disclosed, they may have very strong expectations that this will not happen. As to whether those expectations are reasonable, one would need to know the terms upon which any undertaking might have been given. Employment rights might well be engaged.

Also to be considered is that the naming of the person or persons in circumstances in which it might subsequently transpire that the allegations were not true could give rise to a successful claim in defamation. Indeed, as Robin Hopkins has observed, DPA is increasingly used as a primary claim in actions involving defamatory publications.

I repeat, none of this is to defend the actions of CQC, nor, if the allegations are shown to be true, to defend the actions of anyone who suppressed the report. It is simply to say that the DPA might be engaged at this point, and potentially breached if disclosure of names happened. Disclosure, in a clearly fair and lawful way, might follow in due course.

I note that the Deputy Information Commissioner is reported tonight as saying

The Data Protection Act does not specifically prevent people being named publicly, but instead talks about using information fairly and considering what expectations of confidentiality people may have had when providing their personal information.

It is important the Data Protection Act is not used as a barrier to keep information out of the public domain where there is an overriding public interest in disclosure.

David Smith is a clever and astute man. He did not say the names should be revealed. That is revealing.

UPDATE 20.06.2013

My attention has been drawn to last night’s episode of BBC’s Newsnight, on which David Smith’s boss, Information Commissioner Christopher Graham, appeared. As the BBC itself reports, he said

“This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear.

“You have to process data fairly, you have to take into account people’s expectation of confidentiality.”

He said that was “obviously” the case with patient data in particular.

But when it came to officials, “there you have to apply a public interest test”, he added.

He said he was “not convinced” the CQC had been correctly advised.

He ended his short interview by saying “I think [the CQC] are going to have to look at this again”.

Fair enough. He’s right and I’m wrong then? Well, no – he still didn’t by any means say that disclosure now had to happen (and, in his role, he would have been very ill-advised to have done so).

And, prompted by further coverage, and a comment below by Dr Chris Pounder, who probably knows more about Data Protection than the entire staff at the ICO (and that’s not intended as an insult to the latter), I now feel that two other factors might be at play. First, if the allegations quoted in the Grant Thornton report amount to allegations of possible criminal offences (e.g. misconduct in a public office) then there is an arguable need to avoid prejudice to any police investigation. Second, if the person or persons referred to in the report have already taken steps to challenge its veracity – either as a whole, or in respect of specific comments attributed to the whistleblower – then it would be prudent of CQC not to disclose until that challenge (whether it be made informally, or as part of or precursor to legal proceedings) has played out.

That said, when the combined forces of the government and the Information Commissioner are leaning on the CQC at least to review the decision not to disclose names, it would be a bold move to continue to resist. They will though, no doubt, be advised that there remain potential legal risks in doing so, unless they are completely satisfied about the veracity of allegations in the report.

UPDATE 2, 20.06.2013

The CQC has now published the names previously redacted. The letter to the Secretary of State makes clear that

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

None of this changes my view that there was a clearly arguable legal basis for redaction. Data Protection is wrongly blamed for a lot of things but it was engaged in this instance.

This outcome also raises the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA. Am I wrong to hope that happens?

Filed under Data Protection, Information Commissioner, Uncategorized

Cold Comfort for Cold Callers

In which I praise the ICO, and implore people to report nuisance callers.

I was in conversation with a group of friends recently, and the topic of nuisance calls came up. Each of my friends described continually receiving unsolicited, often aggressive, calls, despite the fact that they were registered with the Telephone Preference Scheme. I said they must complain to the Information Commissioner’s dedicated service because the ICO was now taking breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) seriously (actually, I didn’t say it in quite those terms, because although my friends like to deride me, I try not to give them too much ammunition). I got a lot of replies of “I might”, but also some of “it won’t do any good”. In support of the fact that it might do some good I was able to point to the three recent civil Monetary Penalty Notices (MPNs) for breaches of PECR issued to Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms, and DM Design Bedroom Ltd.

And today, two more MPNs have been issued, to two companies owned by “Save Britain Money Ltd” a company which, in what appear to be rather embarrassing circumstances for the BBC, is currently featuring in a fly-on-the-wall documentary series about call centres.

We need a regulator to take firm and public action for breaches of privacy laws, and it is pleasing to see the ICO doing so with nuisance callers. However, in order for practices to really change, nuisance callers need to be reported to the ICO, at every opportunity. The principle of a penalty pour encourager les autres only works if les autres are scared about what legal non-compliance can lead to.

And I note from a recent internal ICO report that, as at 10 June, both the DM Design and the McNeish MPNs were overdue for payment (Niebel has appealed his Notice). Penalties in the tens of thousands of pounds can potentially be ruinous for businesses. The ICO statutory guidance on MPNs provides that

a monetary penalty notice will not impose undue financial hardship on an otherwise responsible person

But this leaves open the possibility that an MPN might sometimes impose due hardship, on an otherwise irresponsible person. If future nuisance callers wilfully act irresponsibly, a financially-crippling MPN might not constitute undue hardship.

As someone who works in the public sector, and who trains other public sector partners in their obligations under the Data Protection Act 1998 (DPA), I can attest to the beneficial effect MPNs for DPA breaches (added to the willingness of the ICO to impose them) have had on data security and knowledge (it doesn’t half focus the minds of senior managers when you remind them that security vulnerabilities carry a risk of a £500,000 “fine”). Enforcement of the law does change things, and we should praise the ICO for what he is doing with nuisance callers, while continuing to report miscreants.

Now, how about some FOI enforcement…?

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice, PECR

Savile and Dishonourable Information

The Cabinet Office is required by the Information Commissioner to disclose internal correspondence about the conferring of honours on Jimmy Savile. Despite there being strong public interest arguments in favour of non-disclosure, they are outweighed by those in favour of disclosure.

There is an odd phenomenon, when considering the application of qualified exemptions under the Freedom of Information Act 2000 (FOIA), that I like to think of as “the escalation of public interest factors”: if something is of great sensitivity, the corresponding public interest in disclosure is also great, with the result that the public interest in maintaining the exemption increases. This is, of course, strictly nonsense, but it is a phenomenon that public authorities can sometimes find themselves experiencing.

I note the phenomenon in the Cabinet Office’s handling of a recent request for disclosure of information relating to the conferring of honours on the benighted, and sadly still beknighted, Jimmy Savile. The requester sought

any correspondence [that] exists between either civil servants or ministers discussing the award either of an OBE in 1971 or a knighthood in 1996 [the knighthood was actually awarded in 1990] to Mr Savile, prior to either award being made

The information was, said the Cabinet Office, exempt from disclosure under sections 37(1)(b) (the conferring by the Crown of any honour or dignity) and 36 (effective conduct of public affairs). They

…acknowledged that this was an exceptional case in light of the information that had come to light in 2012 concerning Jimmy Savile [but] precisely because this was an exceptional case…the public interest favoured maintaining the exemption

The Information Commissioner’s Office, in a well-argued (n.b. I don’t always criticise the ICO) decision notice, has rejected the Cabinet Office’s arguments. The relevant exemptions are engaged, says the ICO, and there is public interest in maintaining them. So, in relation to section 37, the ICO

accepts that disclosure of the information would, to some degree, undermine the confidentiality of the honours system. The Commissioner accepts that this presents some risk of creating a chilling effect for contributions to future discussions in relation to honours nominees

however

disclosure would enable the public to be better informed about the matters taken into account at times when the award of honours to Jimmy Savile was under consideration. In the Commissioner’s opinion disclosure of the withheld information that is the focus of this request would go a significant way to serving the public interest, the nature of which is unique to this particular case

The ICO

wishes to emphasise that in reaching this decision he does not dispute the argument that disclosure would to some degree undermine the confidentiality of the honours system, simply that the public interest arguments in favour of disclosure attract more weight

Similar factors obtain in relation to section 36. So, while ongoing inquiries into the scandal mean that officials involved need a safe space to discuss relevant issues

the Commissioner does not accept that the safe space…will be significantly encroached by disclosure of this particular information…This is because the information focuses on one, relatively narrow, issue, namely Jimmy Savile’s receipt of two honours. In contrast the terms of reference for the investigations are wide ranging and cover matters of a wholly different nature

and while

the Commissioner accepts that it can be argued that the effective conduct of public affairs could be materially affected if disclosure of information under FOIA undermined the confidentiality of the honours system…the significant weight that the Commissioner considers should be attributed to the public interest arguments in favour of disclosure [mean that] the Commissioner has concluded that the public interest…favours disclosing the withheld information

Finally, although the ICO agreed that names of junior officials involved in the discussion regarding the conferring of honours were exempt under the Data Protection Act 1998 provisions of FOIA, the same did not apply to more senior officials and others. Even though

the individuals would have had a reasonable – and indeed weighty – expectation that such information would not be made public…the Commissioner believes that the legitimate public interest is only met, or, perhaps more accurately, best met, by revealing not only the comments of the individuals but also revealing who made them so that the recorded deliberations about the awarding of the honours can be fully and accurately understood

When finely balanced decisions on matters of public interest result in a recommendation for public disclosure it is common for an appeal to the First-tier Tribunal to follow. The Cabinet Office will have to consider now whether it wants to be seen to be trying to suppress information about the conferring on a serial sexual offender of an honour which the Prime Minister himself has questioned.

Filed under Cabinet Office, Freedom of Information, Information Commissioner

Transparency and the ICO

It is axiomatic that, under the Freedom of Information Act 2000 (FOIA), a requester is unlikely to know precisely what the information requested consists of. This means that a requester is at a (natural and fair) disadvantage if he or she wishes to challenge a refusal. How to argue, for instance, that the public interest favours disclosure of information, if you don’t know what the information is?

A requester will often be reliant, therefore, on the Information Commissioner (ICO), as independent regulator, or the judicial system, thoroughly to interrogate a public authority’s basis for non-disclosure.

Last year I made a FOIA request to the ICO’s office itself for copies of all Undertakings (not currently on their website) agreed by the ICO and data controllers following investigation of serious breaches of the Data Protection Act 1998.

The ICO kindly disclosed to me a large number of Undertakings, but withheld three, citing the exemption at section 22 of FOIA. This section provides an exemption to the general FOIA obligation to disclose information, if the information is held, at the time of the request, with a view to its publication at some future date (whether determined or not). Furthermore it must be reasonable in all the circumstances that the information should be withheld from disclosure until that future date. Section 22 is a qualified exemption, and, therefore, subject to the application of a public interest test. I was told by the ICO that the Undertakings

were not published at the time due to a risk of prejudice, in one case to a criminal trial and in the others to commercial interests. In light of your request we have revisited these considerations and find that they are still relevant

I’m a reasonable chap, and accepted that the ICO was well-placed to determine that the public interest did not favour disclosure. However, I thought they might be able to disclose the identities of the data controllers involved. So I made a FOIA request for that information.

This was also refused. I was told that one of the data controllers was News Group Newspapers and the Undertaking was

in connection with a cyber-security attack perpetrated against NGN for which criminal proceedings are ongoing. As we have previously indicated, the Undertaking will be published once the proceedings have been concluded

This was the case relating to a criminal trial, and it has now been published.

I was told though that the names of the other two data controllers were still exempt under section 22, as, even though the ICO accepted my argument

that prejudice is “unlikely to occur simply by disclosing the identity of the data controllers”, having consulted with the organisations involved, I am satisfied that there is a possibility that the release of even the identities could potentially damage the commercial interests of the Data Controllers

Well, after I waited a while and then made a further FOI request, the names and Undertakings have now been disclosed. And I fail to see what the fuss was about: they related to some issues with residual data on legacy systems. I also fail completely to understand how, in any conceivable way, disclosure of the names of the Councils involved could have caused prejudice to their commercial interests, and I’d invite anyone else to explain to me how it could. If I am right, the argument that it was reasonable in all the circumstances that the information should be withheld from disclosure until a later date, and, indeed, the argument that the public interest favoured maintaining the section 22 exemption, both fall away.

I could, of course, have appealed at the time, but the point is that I did not know what information was being suppressed, or why. I trusted the ICO to apply the law properly.

It is interesting to consider this matter of “trust” in light of an important recent Upper Tribunal (UT) case. Although that case was concerned with the use of “closed material” and “closed proceedings” in FOIA cases in the First-tier Tribunal (FTT), some points are arguably of general application to public authorities. One strikes me in particular:

The other side of the coin concerning the application of the FOIA exemptions is of course that the requester may want to challenge the reasons and evidence which are advanced to establish them and thereby show that the requested information should be provided to him or her pursuant to FOIA…This competing right and interest within the FOIA scheme is founded on the right of access to information held by public authorities that is given by FOIA. So it is one of the starting points for the need for a decision-making process to weigh competing rights and interests [emphasis added]

I would argue (knowing now what I didn’t know then) that, as one of the prime reasons for DPA Undertakings is to draw attention to serious breaches of the DPA (see ICO Guidance: Communicating Enforcement Activities), withholding this information under section 22 could be seen to undermine the regulatory functions of the ICO. I struggle to understand how the refusal to disclose the Undertakings, let alone the mere identities of the recipients, shows proper weighing of competing rights and interests.

On a final note, the guidance above also says

We will not risk damage to the reputation of the ICO by agreeing with an organisation that we won’t publicise our action or that we will give advance warning

I’m not sure how to square that with what I was told last year that

the Undertakings were signed on the understanding that they would not be publicised in the usual manner


Filed under Breach Notification, Confidentiality, Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, transparency