Category Archives: Information Commissioner

What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to be handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework), it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper The Register gave some examples of shoulder-surfing, in addition to Bob Quick’s infamous incident

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.


*It’s difficult accurately to categorise them. For instance, a fax is both electronic and physical, and a lost hard-drive is loss of physical data, but seriousness is tied to the electronic contents of said drive.


Filed under Confidentiality, Data Protection, Information Commissioner, monetary penalty notice, police, Uncategorized

The Bludgeoning of the Decision Notice

With the latest ministerial veto, is a quaint British tradition emerging?

So, the Attorney General has exercised his powers of veto under section 53 of the Freedom of Information Act 2000 (FOIA) for the third time this year. The only one of his predecessors to use the veto – Jack Straw – only managed to use it twice in one year, so Mr Grieve must now be considered champion at wielding this most blunt of legislative instruments.

Section 53 allows an accountable person (who can be any member of the Cabinet but who, by what appears to be a convention in the making, has always thus far been the Attorney General) to issue a certificate to the Information Commissioner (ICO) telling him, in effect, that he got it wrong when ordering disclosure of information under FOIA.

The target of this week’s veto was, for the second time, an ICO decision that Cabinet minutes from March 2003 relating to the decision to go to war in Iraq, and to the then Attorney General’s legal advice regarding the military action, should be disclosed by the Cabinet Office. This decision notice, issued only on 4 July this year, was in very similar terms to one issued by the ICO in February 2008, which was the subject of a Straw veto in February 2009, although only after the decision in favour of disclosure had been upheld by the Information Tribunal.

Much has been written about the potentially illiberal nature of the section 53 power – which seems to be a possibly unique example in statute of an executive override over the judiciary. It is ironic that some former and current government figures have argued so strongly for Cabinet minutes to be totally exempt from FOIA disclosure, when the veto can be wielded so easily and decisively (although they would no doubt counter-argue that it is only being used so often because of the lack of a class exemption applying to such information). Indeed, the Justice Committee, in its recent report as part of the post-legislative scrutiny of FOIA, said

we remind everyone involved in both using and determining that space that the Act was intended to protect high-level policy discussions…We also recognise that the realities of Government mean that the ministerial veto will have to be used from time to time to protect that space

There is no bar on someone requesting the same information again from the Cabinet Office, nor any mechanism to allow the ICO not to keep issuing decision notices in favour of disclosure. Given this (and given the words of the Justice Committee) perhaps we are seeing the beginnings of a quaint British tradition, like The Dragging of the Speaker of the Commons or The Searching of the Cellars. I shall call it The Bludgeoning of the Decision Notice.


Filed under Freedom of Information, Information Commissioner, Information Tribunal

NHS Trust Given £325k Penalty

In January this year I blogged about reports that the Information Commissioner (IC) had sent a notice of intent to serve a civil monetary penalty notice (CMP) of £375,000 on Brighton and Sussex University Hospitals NHS Trust. At the time I said

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

Well, it has been served, today. And though the amount has been slightly reduced – £325,000 – it is still by some way the largest CMP ever imposed by the IC. However, this case may be important for other reasons.

Firstly, it related to disposal of hardware containing sensitive personal data. As the IC’s press release says

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences

The IC has been running an “unscrubbed hard drives initiative” following a reported security breach in 2009 involving the sale of un-scrubbed hard drives on the internet containing personal data, and internal meeting minutes from January indicated that this initiative was nearing completion. It would not be surprising if some formal guidance on the subject was now issued.

Secondly, and more broadly, it is interesting and worrying to note the fact that a fundamental role in this data breach was played by a contractor appointed to securely destroy the hard drives. As a data processor (rather than the data controller) this contractor was not liable under the Data Protection Act 1998 (DPA) for any serious breaches: this is why the Trust takes the hit. However, the contractor in question was the Department of Health-accredited Sussex Health Informatics Service (SHIS). SHIS appears to have sub-contracted the work to “Company A” which in turn sub-contracted to a one-person “Company B”. This individual subsequently sold 232 hard drives on the internet auction site.

The contractual and sub-contractual confusion appears to have been key: the Trust did not even know that the individual had been appointed, and did not know that he had been attending their offices, ostensibly to remove and securely destroy the drives. Data controllers need to be acutely aware of what is happening to the personal data they control, and this obligation cannot be overlooked when they feel the data, or the hardware containing it, has become obsolete.

The fact that SHIS was so involved is particularly worrying. Health Informatics Services are expected to be in the vanguard of data security in the NHS. They say

Keeping data safe and confidential is a core duty for health service providers – and a core THIS service. Our award-winning Confidentiality and IM&T Security service helps customers to fully comply with national and local standards.

Under current law the IC’s powers to take action against a data processor are limited. That may change when the European Data Protection Regulation is ultimately enacted. One would hope, however, that SHIS, and the Department of Health, are looking very closely at their own compliance and security.

UPDATE: 15:15

The Trust has now issued a statement, which to an extent attempts to deflect responsibility on to the contractor. Duncan Selbie, the Chief Executive has said

We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay

The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process”

He goes on to say

We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal

If this transpires, it will be the second recent instance of an appeal of a CMP by an NHS body.

The Independent reports the Trust also saying

the fine would pay for the delivery of 300 babies, 50 hip operations, 30 heart bypasses and 360 chemotherapy treatments

This rather confirms what I predicted in January

the IC might be faced with headlines equating (for example) [an NHS CMP] to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances

Perhaps this strategy will be revealed during any subsequent appeal proceedings.



Filed under Data Protection, Information Commissioner, monetary penalty notice

Will NHS appeal ICO fine? Let’s hope so.

The Information Commissioner (ICO) today announced that it had imposed a monetary penalty notice (MPN), under section 55A of the Data Protection Act 1998 (DPA), against Central London Community Healthcare NHS Trust. The penalty was in the sum of £90,000, and was imposed after

patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions

All very interesting, particularly because this was only the second MPN imposed on an NHS body, after one last month against the Aneurin Bevan Health Board.

What was even more interesting, however, was to read on the publicservice.co.uk website that CLCH Trust are saying they will appeal the MPN. This would be the first such appeal, and would be very important in terms of getting some judicial opinion on the law and the ICO’s application of it.

Section 55A of the DPA gives the ICO the power to impose an MPN, while section 55B provides that a person on whom the notice is served may appeal to the First Tier Tribunal (Information Rights) against both the issue of the notice and the amount.

Regulations and an Order (the snappily-titled The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and The Data Protection (Monetary Penalties) Order 2010) make further provision for both the imposing of and appeal against an MPN. Additionally, under section 55C the ICO must issue guidance on “the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and how he will determine the amount of the penalty”.

On appeal the Tribunal can consider both whether the MPN was in accordance with the law and whether, to the extent that it involved an exercise of discretion by the ICO, he ought to have exercised that discretion differently. The statutory section 55C guidance, and whether the ICO has adhered to it, will clearly be important, but so will, I would suggest, any evidence as to consistency of approach. An appellant would do well to submit evidence of examples where similar or worse apparent breaches of the Act have not resulted in an MPN. As Stewart Room wrote some months ago

what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?

We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven its decisions so far.

Perhaps we have indeed now arrived at that point.

EDIT, 7 August 2012:

The Trust are indeed appealing the MPN, and the Information Tribunal has listed it for a three-day hearing in December. This will be a major case.


Filed under Breach Notification, Data Protection, Information Commissioner

How to overlook an FOI request

Is it realistic or helpful for the law to be that any written request for information should fall under FOI?

On 23 April I noticed that an appeal to the First Tier Tribunal (Information Rights) had been made by Ryanair regarding a Freedom of Information Act 2000 (FOIA) matter, also involving the Office of Fair Trading (OFT). The Information Commissioner (ICO) Decision Notice in question has the reference number FS50391208. Knowing that Ryanair are sometimes a rather controversial outfit (although one acknowledges a lot of the controversy might actually be self-serving) I was interested to read the Decision Notice in question. The Tribunal’s website is rather basic, and the list of current appeals is uploaded only as a PDF document. This means that to read the Decision Notice in question one has to search for it elsewhere. However FS50391208 was, and is, nowhere to be found (unless my search skills have let me down).

This is a bit odd: a Decision Notice is a public document which the ICO issues when an application is made to him for a decision as to whether “a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements [of FOIA]” (section 50, FOIA). I say “public” but as far as I know the open publication of Decision Notices is at the discretion of the ICO – nonetheless, it is clearly his standard custom to do this. So, any Decision Notice, especially one appealed by a company such as Ryanair, which is not published, might attract interest (bear in mind that Ryanair will have made the request in question, and the OFT is the public authority involved). It is, of course, possible that an error has occurred: for instance, the Tribunal might have published the wrong reference number (although a search on the ICO’s site doesn’t throw up any Ryanair Decision Notices), or someone might just have omitted to upload the Notice.

Accordingly, I sent a tweet to the ICO’s twitter account

Hi @ICOnews DN FS50391208 (OFT) which Ryanair are appealing does not appear to be on your website. Can we see it pls?

I didn’t receive any reply, so, a few days later, sent another

Hi @ICOnews – I asked this q the other day https://twitter.com/bainesy1969/status/194375116493291520 Any answer pls? It wd qualify as FOI request after all 🙂

I still haven’t received a reply. Perhaps my little emoticon made the tweet not seem serious? By my calculation the ICO’s twenty working days to respond is up tomorrow, so I thought I’d blog this today, lest the lovely ICO people I met at last week’s PDP conference think I’ve just waited until the time is up before reminding them (again).

The ICO has said that FOI requests made by twitter are valid requests, and I’ve previously blogged about this. But it does make me wonder how realistic it is for a public authority (especially a large one, which, with all due respect, the ICO is not) to be expected to monitor all information channels in case a request for information is made (which doesn’t even need to mention FOI, of course). The Irish Freedom of Information Act 1997 requires requesters to state that the request is made under the Act. Although that would not really help the ICO in my example here, it would avoid the situation where an FOI request is lost among reams of correspondence on a related matter. I don’t think an amendment of FOIA to this effect has been proposed in the UK, but I’m starting to think it might be a good idea.

This isn’t the most pressing issue facing FOI, and light touch regulation should mean that no one loses too much sleep if a request is inadvertently overlooked, but it is a subject which keeps nagging at me.

I rather suspect I’ve previously advocated against requiring requesters to invoke FOI in a response, and I reserve my right to change my mind again. As Lawrence Serewicz said in his inspiring talk at that PDP Conference, he has very strong opinions, but he holds them very weakly. I like to think I’m the same.


Filed under Freedom of Information, Information Commissioner

MPs and Data Protection offences, part two.

In which I follow up a previous post, ask the ICO what action he is taking and consider the implications for ICO funding under proposed amendment of data protection laws

In a previous post I pointed out that 22 MPs who had been identified in October 2011 as not having registered with the Information Commissioner (ICO) were still showing as not being registered. As I said, failure to register in circumstances where there should be a registration constitutes a criminal offence under section 21 of the Data Protection Act 1998. The blog post got some interest, so I thought I should follow it up with this request to the ICO under the Freedom of Information Act 2000. The request can be seen on the excellent whatdotheyknow.com but I thought it would be useful to post a copy here:

Dear Information Commissioner’s Office

In October last year you disclosed to another requester a list of 46 MPs who had not renewed their section 18 DPA registration with your office. You explained some of the procedure for enforcing the statutory requirement to register, and explained that

“Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.”

It appears, from a check of your register that, currently, 22 of those same MPs have still not registered, more than seven months later. These are

Z1243695 – NIGEL EVANS MP
Z1434043 – GAVIN BARWELL
Z1939110 – EDWARD LEIGH MP
Z9286519 – KHALID MAHMOOD MP
Z1993957 – JAMES CLAPPISON MP
Z1102604 – ANGUS ROBERTSON MP
Z9256111 – JIM SHANNON
Z927838X – DAVID SIMPSON
Z1577500 – DAVID BURROWES
Z1538835 – PAT DOHERTY MP MLA
Z2134863 – MARGARET CURRAN
Z2241138 – RACHEL REEVES MP
Z2241519 – NIGEL ADAMS
Z2247846 – STUART ANDREW
Z9938280 – SHAILESH VARA MP
Z2342005 – TRISTRAM HUNT
Z1893869 – PAUL BERESFORD
Z1903198 – CHRISTOPHER CHOPE MP
Z2378834 – JESSICA LEE
Z8752516 – ERIC JOYCE MP
Z2343491 – ZAC GOLDSMITH MP
Z1728512 – ADAM HOLLOWAY

I note that in several instances these MPs appear not to have renewed their notification for over a year.

Please inform me, under the Freedom of Information Act 2000

1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed their notification? (as more than seven months have elapsed I presume there will be some additional notifications which have lapsed).

I acknowledge that the online register does not guarantee to be up-to-date.

As my previous post said, enforcement of this provision of the DPA does not appear to have stopped: I have seen no announcement to suggest this, and it would be odd, to say the least, if the ICO decided to turn a blind eye to one of the clear offences in the DPA. What would make it particularly odd is the fact that registration represents a huge revenue stream for the ICO, and the more data controllers who register, the greater the income. A fee is levied against a data controller when they register, which amounts to either £35 or £500, depending on the size of the organisation. The last set of accounts show that the income to the ICO from this stream was just short of £15 million.

Clearly it is in the ICO’s interest to enforce this requirement. A failure to enforce, or a perceived failure to enforce, could lead to data controllers deciding it’s worth taking a risk by not registering, to save an annual £35 or £500 (they know they would get at least two reminders as it is).

Finally, I note that under amendments to the statutory scheme which will follow the enactment of a new European data protection Regulation, this requirement to register will probably be removed. I presume someone has thought about the effect this will have on the funding of the ICO? £15 million is a hell of a lot to lose, and, the office is underfunded as it is.


Filed under Data Protection, Information Commissioner

Data Protection Obscenities

A tragic story about the suicide of a young man, and the apparently ridiculous citing of the Data Protection Act to explain why his mother was not warned.

A few years ago, Richard Thomas, the then Information Commissioner (ICO) launched a campaign to counter what were called “Data Protection Duck Outs”. It got some media attention, but I’ve always thought it suffered from sounding like the kind of phrase a “hip” teacher, or my parents, would have come up with. The ICO said

The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.

The bad-practice examples cited to illustrate the campaign were mostly light-hearted

In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.

or

In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.

Well, if the following story from thisiscornwall.co.uk is true, I have a current-day example, and I wouldn’t call it a “duck out” but an obscenity.

A man with a history of drug abuse killed himself in Camborne after being released from police custody, where he was detained under the Mental Health Act, a coroner has heard….Because of the Data Protection Act [his mother] did not know that her son had been detained and said she was powerless to help him.

The “duck out” campaign was launched because of misconceptions about the Data Protection Act 1998 (DPA). The DPA certainly has faults, but you can bet your house that when you hear someone blaming the DPA for not doing something, it is either because they have made a mistake, and are trying to cover themselves, or because they are ignorant of what the Act does and does not permit. The Cornwall story is unclear as to who allegedly cited the DPA for not informing this poor man’s mother, but, just to be clear, Schedule 3 of the Act specifically permits disclosure of sensitive personal data where

The processing is necessary…in order to protect the vital interests of the data subject or another person, in a case where…consent cannot be given by or on behalf of the data subject, or…the data controller cannot reasonably be expected to obtain the consent of the data subject.

This is before we get to considering other factors – for instance whether an appropriate adult was a requirement in this instance, and the fact that under section 56 of the Police and Criminal Evidence Act a person detained has the right to have someone informed. In which case there would certainly have been other conditions permitting disclosure (thanks to @MentalHealthCop on twitter, for pointing this out, and for alerting me to the story in the first place).

In 2004 the Bichard Inquiry report into the Soham Murders was highly critical about the misunderstandings and misinterpretations of the DPA which led to Humberside Police deleting information about Ian Huntley, and which subsequently meant that when Cambridgeshire Police ran checks on him, when he applied for a school-caretaker position, nothing came up.

The term “duck-out” doesn’t begin to describe the enormity of the mistaken decision to delete Huntley’s data, nor, if this Cornwall story is accurate, does it begin to describe the enormity of the decision – whoever might have taken it (and the story is unclear) – not to tell Daniel Carrick’s mother her son was detained. The current ICO is very keen to clamp down on serious breaches of the DPA, but these are almost exclusively concerned with the loss of, or inadvertent disclosure of, personal data. Perhaps he should also be alive to stories like this, which suggest potential tragic misconceptions and misuse of the DPA, and which really should carry the term Data Protection Fuck-Ups.


Filed under Data Protection, Information Commissioner, police

Politicians break the law – where is the ICO?

Following up a post from last year, it appears that some MPs continue to flout their legal obligations under the Data Protection Act, potentially committing a criminal offence, and that the ICO doesn’t seem to be taking action. I’m happy to be told otherwise

Back in November last year I blogged on the fact that 46 MPs had apparently failed to comply with their statutory obligation to notify the Information Commissioner of their status as a processor of personal data. In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the Information Commissioner (ICO). Although there are rumours that the obligation to register will be removed when the DPA is ultimately amended or repealed, following the enactment of the European Data Protection Regulation (currently in draft), all the relevant provisions are very much still in force.

At the time the ICO said

…our non notification process is to write to them asking for their comments and advise them to consider their need to notify. If the entity registers or provides a suitable explanation…that is usually the end of the matter and no further action is taken. If no response (or an inadequate response) is forthcoming then we write again explaining the requirement to notify and advising that failure to respond may result in the matter being passed to our legal team for consideration of prosecution. If there is still no response then the file is passed over for the legal team to consider the evidence and if they think there is sufficient evidence they will write advising that if no registration is received within 14 days or representations made as to why a prosecution should not be carried out then a summons will be issued. If registration is then forthcoming then that is the end of the matter and no further action is taken. Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.

Well, I’ve just checked that list of 46 MPs who had not renewed their registration as at October last year, and, according to the register (which I stress is, as the ICO says, not necessarily absolutely up-to-date), 22 of them still haven’t (bear in mind as well that there may well be others whose registration has lapsed in the interim). Most of those 22 are those whose registration has lapsed for longest. The worst apparent example is one MP who has not renewed his registration since July 2010! That is potentially almost two years of illegal processing of personal data.

It is not as though the ICO never exercises his prosecution powers for non-registration. He certainly does – and has a “non-notification team” to deal with this sort of thing (although the last prosecution I can find was in March last year).

My checking was prompted by an exchange on twitter with Alistair Sloan, who made enquiries of the ICO about registrations by Members of the Scottish Parliament, and by the Respect Party. Alistair was told

Our Non-Notification Team, part of our Enforcement Department, have confirmed that the ICO has not contacted any members of the Scottish Parliament since 5th May 2011 in connection with Notification under the Data Protection Act 1998 (the DPA). Whilst this Team did work on a project which involved contacting MSP’s to remind them of the notification requirements under Part III of the DPA, this project took place some time before the date you have specified of 5 May 2011.

and

Having conducted thorough searches of our notification records we have been unable to find any register entry, either current or one which has lapsed, in the name of the Respect Party. Therefore, it appears that the Respect Party has not notified under the DPA at any time since its formation in November 2004.

but

all of the issues you have raised in respect of the notification status of the data controllers… above have been brought to the attention of our Non-Notification Team within our Enforcement Department. They will therefore consider what further action is appropriate in the circumstances

One assumes that the “further action” will be reminders. If the Respect Party now registers, I think it’s highly unlikely the ICO will take retrospective action for the seven-and-a-half years when it failed to do so. As it is, reminders appear to have failed to move 22 MPs to comply with their legal obligations, and no apparent action is being taken against them (I would love the ICO to correct me on this). One can’t avoid asking what sort of enforcement, what sort of deterrent is this?


Filed under Data Protection, Information Commissioner

A Marathon Task for the ICO

Will the London Marathon data breach trigger the ICO’s powers to issue a monetary penalty notice? If so, the ICO is in a tricky position: he would be seen to be effectively “fining” a high-profile charity, and delivering that money to central government coffers.

 Reports emerged on 23 April that the personal data of runners in this year’s London Marathon had inadvertently been disclosed on the organiser’s website. It appears that names, home addresses and email addresses were exposed. The BBC says

The details were accessible all day to anybody logging on to the site…Marathon organisers apologised and said the mistake had been rectified

A data controller must observe its various obligations under the Data Protection Act 1998 (DPA). London Marathon Ltd appears to be the data controller in this instance, and it donates any surplus income to The London Marathon Charitable Trust. Last year the charity received £4.6m from the company. Some of the income came from the entrance fees of the runners themselves.

The seventh principle of the DPA says

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A breach of that principle may attract the attention of the regulator of the DPA – the Information Commissioner (ICO). The ICO has various options open to him in the event that he finds that a serious contravention has taken place. In some instances he will require a data controller to sign an undertaking to improve its practices, but since 2010 he has had the power, under section 55A of the DPA, to issue a monetary penalty notice (MPN), to a maximum of £500,000. To date he has issued fourteen, largely to local authorities, and the highest penalty so far has been £140,000.

The ICO has issued guidance [PDF] on the issuing of MPNs, which expands on the statutory factors which would trigger exercise of the power:

there has been a serious contravention… of a kind likely to cause substantial damage or substantial distress…[and] the data controller…knew or ought to have known… that there was a risk that the contravention would occur, and

…that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but…failed to take reasonable steps to prevent the contravention

The BBC reports that the ICO has said

This is something the Information Commissioner will need to look in to to see how it has come about.

It’s the reasons these things come about that determine the course of the investigation.

Every case is different and we will certainly be making enquiries.

If the ICO does issue an MPN, the money paid goes into the Consolidated Fund – the government’s own bank account. It is one thing to fine a local authority, and, as I have argued before, politically sensitive to fine, say, an NHS body. It would, however, be an enormously brave act for the ICO to fine an organisation for disclosing the personal data of thousands of the very people whose efforts have contributed to the funds which would have to be depleted to pay the fine. Even more so when one sees the huge contributions being made to the charity supported by one runner who tragically died in this year’s race.


Filed under Data Protection, Information Commissioner

When ARE emails subject to FOIA?

Information held in private email accounts can be subject to the Freedom of Information Act 2000 (FOIA). Conversely, information held in a public authority’s own email accounts can, in some circumstances, fall outside FOIA. A recent decision by the Information Commissioner (ICO) confirms this.

There has been much recent discussion and argument about the extent to which information contained in “private” email accounts (such as “gmail”, “hotmail” etc) can be said to be “held on behalf of” a public authority under FOIA. The ICO issued guidance in December 2011 that says in unequivocal terms

 FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority.

No one sensible who knows anything about FOIA is likely to disagree with this.

In a Decision Notice against the Department for Education (DfE), issued after this guidance was published, the ICO applied these principles to a request for information made by the Financial Times’ Christopher Cook. Cook, in an interesting twist, already had leaked “private” emails in his possession, and was seeking information corroborating certain details about them. He showed one of these emails to the ICO, whose subsequent Decision Notice said

 The Commissioner has reviewed this email and found that whilst it was sent from a private email account it was held on behalf of the DfE for the purposes of the Act. By failing to disclose details of the email the DfE breached section 1 of the Act

(It is understood that the DfE is going to appeal this Decision Notice to the Information Tribunal.)

What has been overlooked, to a certain extent, in all this is the corollary of the proposition that “FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority”: namely, that FOIA does not apply to private information held in public authority email accounts when it is not held on behalf of that authority.

Thus, for example, an email from an employee, or an elected member, of a public authority asking her partner to feed the cat this evening is highly unlikely to be considered information “held” by the public authority for the purposes of FOIA. This is because section 3(2)(a) of FOIA says

information is held by a public authority if…it is held by the authority, otherwise than on behalf of another person

Private information might physically be stored on the email servers of the public authority, but for the purposes of FOIA it is being “held on behalf of” the employee (for our purposes here we don’t need to consider whether the terms of employment actually allow the employee to use the employer’s systems to engage in private correspondence).

In a Decision Notice published on 27 March the ICO has affirmed this position. A complainant had sought copies of emails received or sent by a councillor at Camden Council, on his “camden.gov.uk” address. The complainant argued

…that use of a camden.gov.uk email address for correspondence explicitly renders any correspondence on that email account part of the business of the council

The ICO rejected this submission:

 the Commissioner observes that none of these emails are about council business but instead relate either to correspondence between the councillor and constituents in his role as a ward councillor, or to personal matters of the councillor, or business which is external to his council activities… Because this information is not council business, it cannot be argued to be held by the councillor on behalf of the council. It may instead be considered to be held by the council, on behalf of the councillor as an individual, solely by virtue of being hosted on the council’s email systems.

Those previously concerned about the implications of the ICO’s guidance on private emails might take some reassurance from this statement about the limits of FOIA. However, there may also be a lesson for public authorities themselves: it is not always safe to assume that an email sent from or received by an employee’s work email account is subject to FOIA.


Filed under Freedom of Information, Information Commissioner, Uncategorized