Category Archives: Information Commissioner

February 17, 2012 · 4:30 pm

Police complaints, a databreach and a High Court injunction

I notice an interesting application in the High Court.

 The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant -“person(s) unknown” – who Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which they came to be in the possession of those person(s) unknown.

 The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

 Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

 The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

 One wonders if the Information Commissioner has been informed. Inadvertent disclosure of personal data of a third party, of a kind which requires a high court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

 As several local authorities know to their cost.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, police, Privacy

February 12, 2012 · 4:32 pm

In Praise of the ICO (or how to avoid a £500k fine)

In the UK if you process personal data, you must comply in relevant part with your obligations under the Data Protection Act 1998 (DPA). This applies whether you are one of the world’s largest companies, or a sole-practitioner law firm, whether you’re a self-employed barrister, or the Lord Chief Justice of Northern Ireland. All of those hyperlinks go to examples of enforcement action taken by the Information Commissioner (IC) and are part of a regime which currently enables the IC, as statutory regulator, to impose, in appropriate cases, a civil monetary penalty notice of up to £500,000 for a serious contravention of the DPA. And when the draft European Commission Data Protection Regulation is ultimately passed, a similar contravention could risk a penalty of €1,000,000 or 2% of turnover for very large organisations. It is in any data controller’s interest to take all offers of advice and support to avoid the risk of sanctions under the DPA.

However much the IC and his office are criticised for failure to act, or failure to target the right data controllers, there are some things for which he and his office deserve praise. By section 51(1) of the DPA he must “promote the following of good practice by data controllers” and, by section 51(7) he

may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment

This is a power to conduct consensual audits. (There is also a power under s41A to conduct audits without consent, on central government bodies, and the IC would like that power extended, but I digress). In my view, if you are an organisation processing large amounts of and/or sensitive data, you would be mad not to consider this (with a couple of reservations I will address below).

Any in-depth audit of a statutory part of an organisation’s business will not normally come cheap (ask one of the “Big Four” accountancy firms how much their services cost, and then realise why they are called the Big Four). The IC could, with the Secretary of State’s agreement, charge for this service but (probably with a mind to his section 51(1) duty) he doesn’t.

So, you can ask for a in-depth audit of your compliance with the DPA. You can learn what the IC feels is best practice, get advice on improving poor practice and build positive relationships between your organisation and the IC’s office, and, in the event of a future major data breach,  it might well act as mitigation, because it would show at least that you are aware of your obligations and prepared to engage positively with the IC’s office. And all of this for free.

If you are a smaller organisation there is more informal approach by way of an Advisory Visit, again offered for free by the IC. Advisory visits involve a one-day visit and result in a short report.

The reservations I refer to earlier apply only really if your compliance is poor, and this is obvious to you. The IC, as a general approach, publishes summaries of his audits. What you really don’t want is for the IC to make a finding of “limited assurance” or “very limited assurance”. Additionally, although the IC will not publish any summary without your agreement, he will publish a note stating that an audit took place. Speculation being what it is, the fact that an organisation has not agreed to publication might not be viewed positively. So, if you suspect that your compliance is poor, my advice would be to get one of the specialist data protection advisory companies to audit you to. And appoint a good data protection officer (or pay more attention (and money) to him or her).

2 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Tagged as ,

February 10, 2012 · 2:30 pm

Transparent as mud

Our Prime Minister is committed to transparency in government. In June 2010 he set up a Public Sector Transparency Board containing some of the great and good in the field of open data and transparency: you’d struggle to pick better people than Tom Steinberg, Nigel Shadbolt, Rufus Pollock and Tim Berners-Lee (I’m not hyperlinking him – if you don’t know who he is then find out who invented hyperlinks). The Board is chaired by Francis Maude, Minister for the Cabinet Office, who has written – at the same time as he was lambasting Tony Blair’s dispiriting comments on freedom of information –  that

If I ever sit down to write my own memoirs, freeing up government information will not number amongst my regrets. In fact, I very much hope that it will be one of my very proudest achievements.

Mr Cameron seems to feel the same way:

In the years to come, people will look back at the days when government kept all its data – your data – in vaults and think how strange it was that the taxpayers – the people who actually own all this – were locked out.

Now, it so happens that there has been, in recent months, much debate about whether – or rather, to what extent – private emails written by those connected with the Department for Education are “caught” by the Freedom of Information Act 2000 (FOIA).  (Read the BBC’s Martin Rosenbaum and the Financial Times’ Chris Cook on this, I insist). The Information Commissioner has been very clear that his view is that information concerning official business held in private email accounts is subject to FOIA (he’s right, by the way) but Michael Gove, Secretary of State for Education, told the House of Commons Education Select Committee that

The advice that we had received from the Cabinet Office was that anything that was held on private email accounts was not subject to Freedom of Information requests.

So, when, Lisa Nandy, MP for Wigan, tabled a question in parliament on 6 February asking if the Cabinet Office would publish

guidance on private emails and the Freedom of Information Act referred to in the Education Select Committee evidence session of 31 January 2012 as having been issued to the Department for Education.

It was, let’s say, not very encouraging for those of us who support the “transparency agenda” (as it seems it must be called) that she received the following response

Information relating to internal discussion and advice is not normally disclosed

Yep. That’s right – internal information about how a goverment department handles requests under FOIA, is not to be disclosed.

It might be thought odd, or interesting, or both, that the minister who replied to Ms Nandy was Francis Maude, MP. I’ll leave you to write your own jokes.

1 Comment

Filed under Freedom of Information, Information Commissioner, transparency

Tagged as , ,

January 25, 2012 · 8:12 pm

STOP BOTHERING US!

I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover which meant that customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention

Er.

I just question how can you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention?

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message, earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?

2 Comments

Filed under Data Protection, Information Commissioner, PECR, Privacy

Tagged as , ,

January 10, 2012 · 7:11 pm

Potential big DPA fine for NHS Trust

The Argus, a Brighton newspaper, is reporting that Brighton and Sussex University Hospitals NHS Trust has been served with a “notice of intent to fine” by the Information Commissioner (IC), for a breach of the Data Protection Act 1998 (DPA). The sum proposed is £375,000.

Assuming the story is true, the notice of intent to fine would be, strictly, a notice of intent, under s55B of the DPA, to impose a Monetary Penalty Notice (MPN). MPNs were introduced into the DPA by the provisions of Criminal Justice Act 2003. They provide a means whereby the IC can impose financial sanctions on Data Controllers for serious contraventions of the data protection principles. The maximum amount for an MPN is £500,000, and the sums levied are not retained by the IC, but go to the consolidated fund.

The paper says

The incident relates to the theft of 232 drives out of 1,000 being decommissioned.

The Sussex Health Informatics Service was responsible for the disposal of the drives on the trust’s behalf and had appointed an individual to carry out the job.

In December 2010 it emerged four hard drives had been bought by a data recovery organisation on eBay.

The buyer contacted the trust and the drives were collected with the information destroyed.

An investigation revealed that 232 hard drives in total had been stolen and sold on.

The trust worked with the ICO, NHS Counter Fraud and Sussex Police and all the drives have been recovered.

The trust says there was a very low risk of any of the data being passed into the public domain.

Several points arise from this.

At a proposed £375,000 this MPN, if imposed, would be by far the highest so far served on a data controller. The previous highest – £130,000 – was imposed in December last year on Powys County Council.

The fact that news of the proposed MPN has come out before it has been actually served (that is, at the “notice of intent” stage) is perhaps connected with the fact that the Argus reports that “The trust says it will be contesting the fine”. By s55B(5) of the DPA a data controller in receipt of an MPN may appeal to the Information Tribunal against both the issue of the MPN, and the amount. If the Trust are contesting the fine now, they may ultimately decide to appeal to the Tribunal. This would be interesting: most of the guidance on sanctions for serious contraventions of the DPA comes from the IC himself, and from previous MPNs and undertakings. Many data controllers would find it helpful also to have some judicial analysis to draw on in these circumstances.

Until now, nearly all MPNs have been imposed on local authorities. I’ve previously questioned why this was, and posited that it would be a high risk move for the IC to serve an MPN on the NHS:

one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option: a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essentail but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner

Tagged as , ,

December 8, 2011 · 1:58 pm

Can the ICO Regulate the Internet?

It is…beyond doubt that the DPA was not designed to deal with the way in which the internet now works

says Tugendhat J in a crucial recently-published judgment (The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB)), in which he lays into the Information Commissioner (IC), albeit in a polite, judgely manner.

The case concerned applications for injunctive relief against Kordowski, the publisher of the “Solicitors from Hell” website. The claims were in defamation, under the Protection of Harassment Act 1997, and the Data Protection Act 1998 (DPA). Unsurprisingly, given the focus of the blog, it is the last I focus on, although one must be aware it was only one of the causes of action discussed.

It transpires that the Chief Executive of the Law Society, on behalf of many solicitors who felt aggrieved by the contents of the website in question (which invited people to “rate” and comment on solicitors, with predictably defamatory results) had complained to the IC that the site was in breach of the provisions of the Data Protection Act 1998 (DPA). On 6 January this year the IC replied, in a three-page letter, apparently saying that the exemption at section 36 of the DPA effectively meant he lacked jurisdiction to determine whether there had been a breach:

 The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this.

Fellow blogger Tim Turner has already recently criticised the IC’s invoking of s36 to avoid regulating the internet/blogosphere. He will be pleased to see Tugendhat J agreeing with him, in pretty stern and unequivocal language, that using that DPA “domestic purposes exemption” to avoid regulating websites and blogs is not an option open, in general terms, to the IC.

The IC had said in his letter

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

The slapdown from Tugendhat J is

 I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA. See also Douglas v Hello! Ltd [2003] EWHC 786 (Ch) [2003] 3 All ER 996 paras 230-239 and Clift v Slough Borough Council [2009] EWHC 1550 (QB) [2009] 4 All ER 756. The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

This, of course, places the IC in a very difficult situation (actually, according to him, an “impossible” one). In fairness to him, and in fairness to the judge, it is pointed out that IC was not in attendance nor represented in the proceedings, and it might be that he has a killer riposte up his sleeve. If not, he has a problem. Until now he has only had the criticism of mere people like Tim, or me, to lead him to question his approach to s36 and the internet.(Yes, yes, there was also the European Court of Justice, but the Lindqvist judgment was a very long time ago – effectively in pre-history – and therefore easy to sidestep). Now, given that a superior court of record has overruled him, and held that there were multiple breaches of the DPA in this case and that the IC was wrong in his application of the s36 domestic purposes exemption, he may find that his already over-stretched resources will have to cover complaints from people who feel that their rights under DPA have been both engaged, and breached, by other individuals on the Internet. Picking a theoretical example – a complaint from someone who objects to the uploading of a private photo of them to Facebook without their consent.

It also places bloggers, and social media users in general, in a potentially risky position. Tugendhat J distinguishes such internet publication from journalism (as does Hugh Tomlinson QC – who, uncoincidentally, I suspect, acted for the claimants in this case – in two important recent posts on the Inforrm blog). If we non-journalists are potentially subject to the DPA but lack the protection it offers to journalists, we could all find ourselves at risk not just of regulatory action from the IC, but those private actions which can also be brought under the Act.

One would hope that the new draft EC data protection regulation would grapple with “the practical difficulties raised by cases such as the present” but on first viewing I’m not sure it does. Whether the door would be open to the UK legislature to address the problem is a matter for conjecture. In the interim, however, with the publication of this judgment, the IC has some close reading to do.

2 Comments

Filed under Data Protection, Information Commissioner, Privacy