Category Archives: Information Commissioner

ICO cites Upper Tribunal on “vexatiousness”

The Information Commissioner has issued his first decision notice citing the Upper Tribunal’s judgments on “vexatiousness” since the latter were handed down

On 7 February 2013 the Upper Tribunal handed down judgment in three appeals relating to requests for information which had been refused either under section 14(1) of the Freedom of Information Act 2000, or regulation 12(4)(b) of the Environmental Information Regulations 2004. These two provisions provide, respectively, that the general obligation on public authorities to disclose information on requests is disapplied if the request is “vexatious” or “manifestly unreasonable”. Until the Upper Tribunal ruled on these cases there had been no authority from a relevant appellate court, and there was considerable variation in how the Information Commissioner and the First-tier Tribunal (Information Rights) approached these cases – I recently wrote about this position of uncertainty for PDP’s FOI Journal.

Both Paul Gibbons and Robin Hopkins have written, comprehensively, about the Upper Tribunal’s decisions, and the NADPO Spring Seminar will feature James Cornwell, of 11KBW, talking about the subject, so I merely blog now to observe that the Information Commissioner (IC) has correctly also taken note of them. In upholding a decision to refuse to disclose information, in decision notice FS50459595 (regarding a request to the Chief Constable of Surrey Police) he says

In reaching a conclusion in this case the Commissioner is also assisted by the Upper Tribunal’s comments in the case of Wise v Information Commissioner: “Inherent in the policy behind section 14 (1) is the idea of proportionality. There must be an appropriate relationship between such matters as the information sought, the purpose of the request and the time and other resources that would be needed to provide it.”

It is interesting to note the IC’s reliance on this passage. What is also interesting (and not to be criticised) given the timing, is that the IC continues to refer to his own guidance (“When can a request be considered vexatious or repeated?”) in determining this sort of case. The Upper Tribunal, while saying that “there is much to commend in the IC’s Guidance” (¶41 of the Dransfield judgment) did go on to give strong hints that it might need revising

in accordance with the thrust of this decision, it may be that the Guidance needs to place greater weight on the importance of adopting a holistic and broad approach to the determination of whether a request is vexatious or not, emphasising the attributes of manifest unreasonableness, irresponsibility and, especially where there is a previous course of dealings, the lack of proportionality that typically characterise vexatious requests

The fact that the IC homed in on the concept of a proportionality approach in this recent decision notice suggests the revised guidance might be appearing sooner rather than later.


Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, vexatiousness

Practice makes perfect

Wirral borough council is on the watch list at the moment. I would really like to send in a good practice squad to Wirral borough council, but I do not have the powers to do that. I am not picking on Wirral; it is just an example that comes to mind

So said Commissioner Christopher Graham in evidence to the Justice Committee during a recent one-off session on the work of the Information Commissioner’s Office (ICO).

The rather self-contradictory observation that he was not picking on that particular public authority is not the most interesting point about his comments (although it does seem a bit hard on Wirral, when the Department for Education, the Department for Work and Pensions and the Office of the First Minister and Deputy First Minister of Northern Ireland are all also currently subject to formal monitoring for especially poor compliance with the Freedom of Information Act 2000 (FOIA)).

What does strike me, though, is his complaint that he lacks powers to “send in a good practice squad”. Although strictly true, there is an enforcement power which he does have, which equates to the power to send in a “good practice squad”, albeit with the consent of the public authority concerned. To my knowledge, however, this is a power he and his predecessor have never exercised.

Section 47(3) of FOIA says

The Commissioner may, with the consent of any public authority, assess whether that authority is following good practice

In the ICO’s own guidance on his FOIA regulatory action policies, he says

An assessment may be conducted with the consent of a public authority. It is designed to determine whether an authority is following good practice – and specifically, to assess its conformity to the codes of practice [made under sections 45 and 46 of FOIA]

A Standard Operating Procedure document (disclosed, ironically enough, by the ICO in response to a FOIA request) suggests that the ICO sees his policy of monitoring FOIA compliance in specific poorly-performing authorities as constituting a s47(3) assessment. However, my feeling is that this does not restrain him from extending his actions under this section to physically sending in “good practice” teams. Certainly the Scottish Information Commissioner sees his equivalent powers under section 43(3) of the Freedom of Information (Scotland) Act 2002 as a means of conducting such good practice visits, and he does approximately twelve of them a year.

I appreciate that the ICO prefers to take a more informal route towards enforcing FOIA compliance, by means, for example, of monitoring at a distance, or by issuing undertakings (“The culmination of negotiated resolution, [committing] an authority to a particular course of action in order to improve its compliance”). But there is doubt about how seriously some public authorities treat this informal approach. If he really did want to send in “good practice squads” I think he could certainly do so (and if an authority were to refuse consent, it could potentially trigger stronger powers, like practice recommendations and enforcement notices).


Filed under Cabinet Office, enforcement, Freedom of Information, Information Commissioner, practice assessment

Smeaton v Equifax overturned

The Court of Appeal has overturned what had seemed an important, if controversial, judgment on the legal duties owed by Credit Reference Agencies to those about whom they hold records and issue reports.

I blogged in May last year about a high court claim for damages under section 13 of the Data Protection Act 1998 (DPA). The claimant, Mr Smeaton, successfully argued that, as a result of processing inaccurate data about his credit history, the Credit Reference Agency (CRA) Equifax was in breach of the fourth data protection principle, and that Equifax’s obligations under the DPA as a data controller meant that it owed a duty of care to Smeaton in tort. Accordingly, damages were owed (to be assessed at a later date).

The case has now been comprehensively overturned in the Court of Appeal. Primarily, the appeal succeeded because the judge’s findings on causation (i.e. had the inaccuracy in Mr Smeaton’s credit record led to the detriment pleaded?) were not sustainable. Lord Justice Tomlinson, giving the lead judgment, was highly critical of the judge’s approach

the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely (¶11)

That effectively dispensed with the claim for damages, but Equifax, clearly concerned about the implications of the original findings regarding a breach of the DPA and consequent breach of a duty of care, asked the Appeal Court to consider these points as well.

Was there a DPA breach?

Tomlinson LJ held that the procedures which obtained at the time of the alleged DPA breach, regarding the annulment (and communication thereof) of bankruptcy orders, had never been the subject of the expression of any concern by either the Information Commissioner or the Insolvency Service. At first instance the judge had observed that inaccurate personal data could be “particularly damaging”. Tomlinson LJ did not demur, but said that

it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file (¶59)

Those arrangements are described in guidance both published by or approved by the Information Commissioner, and include the fact that, in the event of a failed credit application

[the] lender must tell a failed applicant by reference to the data of which CRA an application was declined, if it was, and the failed applicant, like any consumer, has the right to obtain a copy of his file from a CRA on payment of £2.00

and mistakes can thus be corrected.

Moreover, CRAs must, by reference to the Guide to Credit Scoring 2000, not decline a repeat application “solely on the grounds of having made a previously declined or accepted application to that credit grantor”. This, and other guidance, were inbuilt safeguards against the kind of detriment Mr Smeaton claimed to have suffered. Ultimately

Equifax did take steps to ensure that its bankruptcy data was accurate. It obtained the data from a reliable and authoritative source in the form of the [London] Gazette, it transferred the data accurately onto its data bases from that source and it amended its data immediately upon being made aware that it was inaccurate…the judge was wrong to conclude that Equifax had failed to take reasonable steps to ensure the accuracy of its data (¶81)

Was there a co-extensive duty of care in tort?

Here Tomlinson LJ considered the “traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty” and held comprehensively that there was not. He agreed with counsel for Equifax’s argument that

(1) It is doubtful whether it was reasonably foreseeable that the recording of incorrect data on Mr Smeaton’s credit reference would cause him any loss…
(2) It would also not be fair, just or reasonable to impose a duty. In particular, imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class…
(3) It would also be otiose given that the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data
(4) Parliament has also enacted detailed legislation governing the licensing and operation of CRAs and the correction of inaccurate information contained in a credit file in the CCA 1974. This provides for the possibility of criminal sanctions, but does not create any right to civil damages. In such circumstances it would not be appropriate to extend the law of negligence to cover this territory (¶75)

The third of these seems to make it clear that the courts will be reluctant to allow for a notion of an actionable duty of care on a data controller to process personal data fairly and lawfully. (This is in contrast, interestingly, with the situation in Ireland, where a statutory provision (section 7 of the Data Protection Act 1988) states that such a duty of care is owed (at least to the extent that “the law does not so provide”)).

My post on the first instance case has been one of the most-read (it’s all relative, of course – there haven’t been that many readers) so I think it only correct to post this update following the Court of Appeal judgment.


Filed under Data Protection, Information Commissioner, Uncategorized

A Fairy Tale of Wilmslow

A clunkingly fatuous fairy tale for Christmas

Once upon a time, in a land far away, there were villages where the villagers were told by the king to look after some valuable possessions of other people, and though they tried hard to protect these items, they had limited money with which to do so.

Most villagers did everything they could to protect these precious items, but sometimes the village elders overlooked the risks, or decided to spend some of the villages’ meagre earnings on other important things. And sometimes some of the stupid villagers took risks, or other villagers, though they were not stupid, still took stupid risks. This all meant that, just sometimes, the valuable items got lost, or given to the wrong people, or maybe even stolen.

The Sheriff of the Land was a good and strong man, and he too was worried about these precious items. He encouraged village elders to tell him when something happened to the items. When he thought the villages had really been bad, or unwise, he would fine them, and so they had even less money. And the villages would try very hard to improve, and they would listen to all the Sheriff’s edicts, and try to do what was right.

Most people in the Land, and in the villages themselves, accepted this: they knew that it was important that the sheriff showed everyone he was strong, and wouldn’t tolerate loss of or risk to the precious items.

However, in the towns, there were people who had also been asked by the king to look after others’ valuable possessions. Some of these people were very irresponsible, and they often lost the items, or had them stolen, and, what was worse, they wouldn’t confess this to the sheriff. And even though the sheriff knew about this, he mostly allowed the lawlessness to continue, because it was so rife, and because some of the townspeople were very powerful.

And so it was that the villagers found it hard to bear when the Sheriff issued public proclamations that said how badly they – even those in villages which had never done anything wrong – protected the precious items. They found it especially hard to bear because it was their own precious items which were being treated with so little care in the Outlaw Towns.

Information Commissioner Christopher Graham said yesterday:

“We are fast approaching two million pounds worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with nineteen councils failing to have the most straightforward of procedures in place

“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.

“The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.

“There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems.”


Filed under Data Protection, Information Commissioner, satire

MPs and Data Protection Offences, part etc etc

In which I bore again by banging on about the ICO’s apparent non-action against MPs who might be committing Data Protection offences

I’ve blogged on this before. To recap: MPs have the same obligations as any other data controller under section 17 of the Data Protection Act 1998 (DPA) to notify the Information Commissioner’s Office (ICO) of their processing of personal data. Most do so, some appear not to. Processing personal data without a notification or a suitable exemption constitutes a criminal offence under section 18 of the DPA.

In my previous posts I’ve questioned why the ICO appears to take a lenient approach to MPs’ legal obligations. Maybe I’ve made more of it than I should, and I’m pleased to see that the majority I named in my second post on the subject have now put things right.

However, two of the names in that previous list continue not to have an entry on the ICO register. There may be a reason for this (the list may not, for instance, have been updated) but it suggests that Jim Shannon MP has processed personal data without an appropriate registration since his last notification expired on 29 November 2010 and Pat Doherty MP has similarly processed personal data since 20 January 2011.

It’s not as though the ICO never prosecutes for this offence. He announced on twitter today that there had been a successful prosecution of two spamming scumbags owners of a marketing company for non-notification (both received £2000 fines). While reading this, I noticed that there had also been, on 28 November, a successful prosecution (she pleaded guilty) of a barrister for the same offence. For reasons of mitigating circumstances she received an absolute discharge. However, the ICO reports that

the magistrate warned that those whose profession is to prosecute people for failing to comply with the law must meet their legal obligations

If this magistrate can warn lawyers to observe their legal obligations, because they (act for those who) prosecute offences, where is the warning from the prosecutor to those who actually make the laws?


Filed under Data Protection, Information Commissioner

Tweets and Tw*ts, redux

NOTHING TO SEE HERE, MOVE ALONG.

UPDATE: 13 December 2012

In a tweet to me of 5 December the ICO kindly clarified that there has been no change. The reference to twitter names is now contained in this guidance.

Has there been a subtle change of policy by the ICO on the subject of FOI requests made by twitter?

Last year I blogged about a Freedom of Information Act 2000 (FOIA) request I made to the Information Commissioner’s Office (ICO) via twitter. I referred the ICO to their own guidance (hosted as part of a web page, not as a separate download), which said

The request must state the name of the applicant…A Twitter name may not be the requester’s real name, but the real name may be shown in their linked profile…The request must also state an address ‘for correspondence’. Does this include Twitter names? The length of a tweet makes it difficult for the authority to respond fully, but there are ways of dealing with this. The authority could ask the requester for an email address in order to provide a full response. Alternatively, it could publish the requested information, or a refusal notice, on its website and tweet a link to that.

The question I have given emphasis there did not have a specific answer in the guidance, but one inferred that the answer was “yes” from the words that followed.

This morning I made a twitter FOIA request to the Department for Education, to which they replied asking me to provide an email address or fill in an online form. I was going to refer them to the ICO’s guidance, but found that it doesn’t exist anymore. Fair enough: websites change and URLs get broken. However, unless I am mistaken, what I have also found is that the ICO no longer seems to imply that a twitter name is an address for correspondence, according to section 8(1)(b) of FOIA. As far as my search skills can ascertain, the ICO now says

Requests can also be made via the web, or even on social networking sites such as Facebook or Twitter if your public authority uses these…[the request must] include an address for correspondence. This need not be the person’s residential or work address – it can be any address at which you can write to them, including a postal address or email address

No reference there to twitter names. More detailed guidance from the ICO says

Where a request has request in line with section 8(1) of FOIA if the requester has provided their name and a valid address. Where possible a response to the requester should be sent for example by providing a web link. If the name or address is not provided it is not a valid request, therefore if information is not being provided a reply should be sent advising the requester of this, and asking for the required information.

Again, no reference to twitter names.

These changes, unless I have indeed missed something, with their absence of reference to the possibility of a twitter name being “an address for correspondence” indicate a retreat by the ICO. It could well be that they’ve had to acknowledge that twitter is perhaps not the most appropriate medium for FOIA requests. If so, it would be helpful if they could – clearly – issue revised guidance. Their announcement that requests could be made by twitter got a lot of coverage, and led to the highest court in the land accepting that it had been wrong to imply it would not consider them valid requests.

I’ve made a FOIA request to the ICO to find out whether their policy has changed. Guess which medium I used?

Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

An Irresponsible Press Release?

What is the basis for the ICO saying the private sector is better at data protection than the public?

I defended the Information Commissioner’s Office (ICO) today, over a poor Register headline which suggested they were “red-faced” about imposing monetary penalty notices on NHS bodies (of course they’re not). To their great credit, the Register reworded the headline. Shortly afterwards, the ICO issued a headline of their own in a press release

Private Sector leads the way on data protection compliance but room for improvement elsewhere

Behind this headline are four reports on the ICO’s Data Protection Act 1998 (DPA) audit activities over the last two years. Each report relates to a “sector”, so we have:

Audit outcomes, central government (February 2010 – July 2012)

Audit outcomes, local authorities (February 2010 – July 2012)

Audit outcomes, NHS (February 2010 – July 2012)

Audit outcomes, private sector (February 2010 – July 2012)

Ignore for a moment the fact that the distinction between “private” and “public” sector is increasingly an artificial one – what I want to focus on is the evidential basis for the assertions made by the ICO, and why I think they are potentially damaging to the interests of data subjects. The press release goes on to say

[the reports have] highlighted the positive approaches many private sector companies are adopting to look after people’s data. However concerns remain about data protection compliance within the local government sector and the NHS…Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act…In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fare little better with two out of 11 organisations achieving the highest level of assurance.

Let’s stop for a second to consider the nature of the audits we are looking at. The ICO does not have a general power to audit data controllers without their consent, although he does have that power over central government data controllers. So how does a data controller come to consent to an ICO audit? Very commonly it’s a result of a self-reported data breach, or following an ICO investigation giving rise to DPA concerns. The three arms of the public sector represented in these reports are required or expected to comply with specific data protection guidance: for central government it is the Cabinet Office Data Handling Procedures, for Local Government the LGA/SOCITM Data Handling Guidelines (derived from the Cabinet Office procedures), and for the NHS, the very robust Information Governance Toolkit. Each of these contains explicit directions that a serious DPA breach be reported to the ICO.

There is, of course, no such guidance for the “private sector” (although the ICO encourages data controllers, whether public or private sector, to self-report breaches).

Similarly, public sector organisations are subject to public law obligations and public-law-based corporate governance procedures which create an expectation that any breaches be self-reported and an expectation that they will agree to a suggestion by the ICO of a consensual audit.

Private sector organisations, while they have corporate governance obligations, are quite different. Responsibility to shareholders or owners is not the same thing as a public obligation.

What this means is that there are huge questions about how representative the sample of audited organisations is which the ICO cites in support of the contention that the “private sector leads the way on data protection compliance”. Additionally, the numbers used to draw this conclusion are so small that, even if the sectors were fully comparable, I doubt whether they would have statistical significance.

I’m not going to list the numerous examples of private sector poor compliance which arguably give lie to the ICO’s contention. I’m not even going to moan much about the fact that we will see this headline unthinkingly regurgitated over the following weeks.

But what I am going to say is I think this was an irresponsible press release. It was irresponsible because I simply cannot accept the universal premise of a statement that “the private sector leads the way on data protection compliance”. And because I can imagine that, somewhere, while a public sector data protection officer is shrugging his or her shoulders and going about his or her task with an extra dose of world-weariness, somewhere else, a private sector management board is thinking that perhaps it doesn’t need to worry too much about data security, and regulation by the ICO.

UPDATE: 12.10.12

I’ve had an email from a nice spokesman from the ICO press office, who wanted to give some further context, and clarified one point. He said

Motivation for agreeing to audit is undoubtedly a relevant context to the results we published, particularly given that, as you highlight, the ICO doesn’t have the power to compel organisations to submit to an audit. It isn’t true, though, that public sector audits are often the result of self-reported data breaches. In fact, most of our audits come from the ICO writing to organisations and asking them to volunteer, not as a direct result of a breach being reported.

Fair point, and I’m happy to clarify that most times the ICO invites organisations to volunteer for an audit not as a direct result of a breach being self-reported. Although I am pretty certain the ICO would not be sending that invite if he hadn’t determined, either as a result of a self-reported breach, or a complaint from a data subject, that there had been a breach of the DPA.

The spokesman went on to say

This is much the same as our approach to the private sector, though fewer private sector firms take up the opportunity, as we highlight in our report (perhaps due to the responsibility to shareholders versus public obligation argument you highlight in your blog).

I’m glad that there is, there, an implicit admission that audited public and private sector data controllers are not directly comparable. I rather wish the press release had said this.

But this next bit I’m not sure about

One of the purposes of this type of press release is to increase that take up and share best practice, by highlighting the availability of our audits.

Now, I’ve often, when training external (public sector) organisations, suggested to them that, if they feel relatively confident about their data protection compliance, they should consider inviting the ICO to audit them, because their auditors are fair, thorough and experienced (by the way, I advise those who are not confident about their compliance to get a consultant in first…). However, I’m not sure I could so readily recommend the ICO audit now, given what I maintain are the unfair comparisons which were drawn in this press release. Indeed, two public sector officers have now stated to me on twitter that this has actively dissuaded them from volunteering for an audit. That cannot be good.


Filed under Breach Notification, Data Protection, Information Commissioner

Private emails, FOI and Criminality

Private emails are subject to FOI searches, and it’s a crime intentionally to conceal relevant information.

So, it appears that the Department of Education (DfE) has conceded that business emails sent by private email accounts are subject to the Freedom of Information Act 2000 (FOIA), thus accepting what the right-thinking world, and, indeed, anyone with a glimmer of common sense knew all along.

Plaudits, or brickbats, according to your position on the merits of FOIA, should go to Christopher Cook of the Financial Times, who has pursued the Department of Education (DfE) on this with the enthusiasm of a Jack Russell terrier faced with a scurrying rat. Fellow hacks at the Independent had also joined themselves to the proceedings listed (but now withdrawn) in the First-tier Tribunal (Information Rights). The DfE had had the balls to launch a challenge to a previous decision by the Information Commissioner (ICO) that the information (held in private email accounts) requested by Chris should be released. The decision notice itself was clear, and difficult to argue with, as is the advice on the subject published by the ICO around the same time. One wondered what possible grounds the DfE had to base a successful appeal on, and the withdrawal of the appeal probably answers that point, although it appears the withdrawal was actually prompted by the imminent publication of Cabinet Office guidance.

Some are now predicting that there will be a deluge of FOI requests specifically targeted at information held in private emails, or text messages, and I think this is probably right. What is not clear is how they will be handled. The ICO’s guidance suggests that, faced with requests for information that could be held in private emails, public authorities should restrict themselves to asking the person to search their account and keeping a record to show that this was asked:

The public authority will then be able to demonstrate, if required, that appropriate searches have been made in relation to a particular request. The Commissioner may need to see this in the event of a…complaint

This suggests that, when investigating a complaint about refusal to disclose information, the ICO will restrict himself merely to satisfying himself that an authority has asked its staff to check emails. Absent any evidence that those staff have not been honest about the contents of those private emails, the ICO will take no further action. The reasons for this are, really, quite obvious: the powers open to a public authority to access private email accounts are limited. Although the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow an employer to “intercept” an employee’s private emails (if sent using the employer’s systems) to determine whether they are business-related, those powers must be exercised with due regard to the employee’s privacy rights. The interception of private emails in a private email account (sent using the employer’s systems) must be necessary and proportionate. If an employee has told his or her employer that their private emails contain no information caught by an FOI request it is doubtful, absent any evidence to the contrary, that a “trawl” of emails without the employee’s consent would be lawful (I’ve written for PDP journals on this subject – subscription needed).

On one view, then, nothing much has changed with the concession by the DfE, although no doubt many new FOI requests will be made as a result. What has changed, perhaps, is the focus on individuals’ personal responsibility under FOIA. Currently, section 77 creates an offence if a person alters, defaces, blocks, erases, destroys or conceals a record, with the intention of preventing its disclosure, in response to an FOI request. If a trawl of emails on a public authority’s systems is required, this will normally fall to IT, or similar, and employees have little say in it; given the existence of back-up systems, they also have limited opportunity to commit a section 77 offence. Now, if the same employee is asked whether private emails contain specific information, and he or she untruthfully says “no”, criminality – the mens rea – will be relatively easy to make out.

The question is, how would we find out?

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Privacy, RIPA, Uncategorized

The Public Interest in the Hillsborough Disaster

How could the Cabinet Office have originally decided the public interest favoured non-disclosure of information held about the Hillsborough Disaster?

On 15 December 2009 Alan Johnson, the then Secretary of State for the Home Department, announced that an Independent Panel would be appointed to enable disclosure of information relating to the 1989 Hillsborough disaster, and the events which followed it. The Panel would lead to

maximum possible public disclosure of governmental and other agency documentation on the events that occurred and their aftermath

As we all know, the Panel has now published an extraordinary amount of information, with a devastating covering report. It was not the Panel’s role to apportion blame for the tragedy but the disclosure has finally led to unequivocal public and political acceptance that, in the words of the Prime Minister, and despite previous despicable insinuations or outright pronouncements to the contrary

Today’s report is black and white. The Liverpool fans “were not the cause of the disaster”.

The efforts of bereaved families and those close to them in effecting this outcome can never be overstated. But an attempt to play a small part was also made using the Freedom of Information Act 2000. On 23 April 2009 a BBC journalist made an FOI request to the Cabinet Office for

Copies of all briefings and other information provided to Margaret Thatcher in April 1989 relating to the Hillsborough disaster [and] Copies of minutes and any other records of meetings attended by Margaret Thatcher during April 1989 at which the Hillsborough disaster was discussed.

The request was turned down. The Cabinet Office, rather than taking the 20 working days permitted by law, took nine months (they’re traditionally not very good at this FOI compliance thing, you must understand) to state that the information was exempt from disclosure under sections 31(1)(a), 31(1)(b) and 31(1)(g) – which deal with prejudice to law enforcement – and sections 35(1)(a), 35(1)(b) and 35(1)(d) – which deal with information relating to the formulation or development of government policy, Ministerial communications and the operation of any Ministerial private office. All of these exemptions, if engaged, required consideration of whether the public interest in disclosure outweighed the public interest in maintaining the exemption. In all instances, the decision was against disclosure: the public interest did not – according to those at the Cabinet Office determining this request – favour disclosure.

On appeal the Information Commissioner disagreed. He said

 the Commissioner considers it clear that the public interest in disclosure of information relating to the Hillsborough disaster – constituting improved public knowledge and understanding of the causes of and reaction to this event (and in relation to this specific information how the Government of the day reacted) – means that the balance of the public interest favours disclosure

He did not accept the Cabinet Office’s argument that the fact that the Independent Panel had now been set up was relevant to a decision as to whether the application of the exemptions was correct

 [the Panel] did not exist at the time of the request, or within 20 working days following the receipt of the request by the public authority. This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant

Notwithstanding this, the BBC ultimately agreed to withdraw its request, given the imminence of the outcome of the Panel’s work. And now we know the truth.

The Prime Minister went on to say in his statement

 At the time of the Taylor Report [Margaret Thatcher] was briefed by her private secretary that the defensive and – I quote – ‘close to deceitful’ behaviour of senior South Yorkshire officers was ‘depressingly familiar’. And it is clear that the then government thought it right that the Chief Constable of South Yorkshire should resign. But… governments then and since have simply not done enough to challenge publicly the unjust and untrue narrative that sought to blame the fans.

Information Commissioner decisions requiring disclosure of Cabinet minutes, and similar information, have four times been subject to a ministerial veto to maintain secrecy. Was the initial refusal of the BBC’s FOI request for this Hillsborough disaster information simply reflective of a government approach which automatically seeks to exempt any Cabinet minutes from disclosure? I rather hope so, because the alternative is that officials, and ministers, thought that the public interest did not favour disclosure of information relating to what some are calling the biggest cover-up in British history.

UPDATE

I’ve been reflecting on this. I think it’s only fair to point out that, arguably, because the Cabinet Office took so long (nine months, remember) to get round to responding to the request, by the time they did so, the Independent Panel was set up. So, by that argument, the person looking at the request never actually determined that the public interest did or did not favour disclosure, until it was clear that it was going to be published in the future. The Information Commissioner did not accept that point

This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant. This situation applies regardless of the lengthy delay

and was correct in law not to, but in fairness to the Cabinet Office officials, they might have handled the request differently (by the time they got round to it) if the Independent Panel, with its remit to disclose, had not been set up.

Filed under BBC, Cabinet Office, Freedom of Information, Information Commissioner, police, Uncategorized

Data Security and Churnalism

On the lazy reporting of a silly story about increases in data breaches

Over the past couple of days the following have all published stories on the fact that data breaches in the UK have “rocketed” or “spiked” by an “alarming” 1000% over the last five years.

Computer Business Review
Techweek Europe
The Nextweb
Public Service
Help Net Security
V3.co.uk
Computing.co.uk
SC Magazine
UKAuthority.com
The Register
Computer World UK
The BBC

These are mostly well-respected news sources, serving either the tech industries or the public sector. All of them report this story as though an increase in the self-reporting of serious data breaches to the Information Commissioner were a bad thing. I’ve given the links to the stories not because I want to increase their clicks, but to show the remarkable similarity between them. This is not surprising, as they are all picking up on a press release by Imation (ironically, as a non-hack, I don’t have access to it) which was issued following an FOI request to the Information Commissioner. The response to the request showed that, indeed, in 2007-08 the number of breaches reported to the ICO was 79, and in 2011-12 it was 828. But does that really mean that “Data breaches in the UK have increased tenfold in the past five years”, as the BBC put it?

The answer, certainly, is “no”.

The reporting of breaches has increased by that proportion. But that is not particularly surprising. As far as I recall the first guidance issued by the ICO on reporting serious breaches was only issued in July 2010. Before that, while there may have been an inferable assumption that serious breaches should be reported, there was not much in the way of clear direction or expectation until relatively recently. This expectation has become much more explicit since the ICO gained powers to issue civil monetary penalties for serious breaches. Now, all major data controllers know that when there is a serious breach of data security it needs to be reported to the ICO (and for telecoms providers, there is a legal requirement to do so under the Privacy and Electronic Communications (EC Directive) Regulations 2003).

But is it a bad thing that the number of reported incidents has increased? Of course not. All breaches of data security are to be regretted, and lessons should be learnt so that they don’t recur. But data controllers need to be encouraged to recognise breaches, and put their hands up when they happen. The ICO even considers self-reporting to be a mitigating factor when assessing what action he should take.

I doubt that many, if any, of the people writing for the websites I link to above really think that data security breaches (rather than reports of breaches) have increased 1000% over five years. I’m sure their writers and reporters are very busy, and an eye-catching press release makes for easy copy. But these websites (with the exception of the BBC) are important and specialist sources of information. For them to resort to “churnalism” (a form of journalism in which press release…are used to create articles…without undertaking further research or checking) at the expense of common sense, especially when it might lead to greater reluctance to self-report, is greatly to be regretted.

Filed under Breach Notification, Data Protection, Information Commissioner, PECR