Category Archives: journalism

September 4, 2013 · 1:34 pm

Pornography and its Frustrations

For those who have never worked with “basic” versions of web-filtering software, let me describe typical frustrations.

Researching the subject of malicious communications? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.helpfullookingcommentary.com/) has been blocked as it is categorised as PROFANITY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

 Researching defamation? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.interestinganalysis.com/) has been blocked as it is categorised as GAMBLING, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Doing some local history research on Scunthorpe? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.scunthorpematters.com/) has been blocked as it is categorised as PORNOGRAPHY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Each of these failed hits will be logged by some sysadmins as “attempt to access PROFANITY/GAMBLING/PORNOGRAPHY”. 

I suggest people bear this in mind when reading the numerous delighted shocked commentators who have picked up on the Huffington Post story which says that a Freedom of Information request apparently revealed that

MPs, Lords and parliamentary staff have been trying to access porn websites potentially thousands of times, official figures reveal.

The story goes on to say that users of the parliamentary network, over a period of one year

have repeatedly attempted to access websites classed on Parliament’s network as pornographic [emphasis added]

So, they haven’t tried to access pornography; they’ve tried to access sites that web-filtering software classes as pornography. A further clue to the fact that this outrageous story of parliamentary loucheness might not be as it’s being presented is the fact that in October 2012 there were 3391 “attempts”, in the following month there were 114,844 and in the month after that there were 6918. Either November that year coincided with rampant horniness on the part of politicians and their staff, or there’s another reason for the spike.

I suspect some new definitions were added to the software, which drastically increased the “false positive” hits, and these crappy new definitions were tweaked for the following months.

In fact, as I drafted this post Sky News’ Roddy Mansfield, and the Guardian’s James Ball have pointed out on twitter that that November 2012 spike coincided with intense political and media interest in the topic of sexual offences, following as the scandal involving Jimmy Savile broke. This is very plausible, and suggests that, far from users of parliamentary systems shirking their responsibilities by browsing for smut, they were actually trying – apparently unsuccessfully, and probably with no small frustration – to find out more about a serious and current news item.

But that makes for a dull story.

UPDATE:

As several people have pointed out, if this is a case of poor filtering, it provides a nice lesson in irony for those who propose ISP filtering as some sort of solution to the alleged “corroding” influence of online pornography.

4 Comments

Filed under Freedom of Information, journalism, parliament

Tagged as

August 30, 2013 · 5:30 pm

ICO – no Code of Practice for data protection and the press

On the 12th of August the Information Commissioner’s Office (ICO) announced that, following a period of consultation, it would not – contrary to previously-stated intentions – be issuing a Code of Practice on Data Protection and the Press. The proposed Code had been in response to Lord Justice Leveson’s recommendations that the ICO produce

comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data

As the ICO’s Steve Wood says in the blogpost

Leveson did not stipulate a code but we proposed it as a possible vehicle for the guidance

Indeed they did, stating at the time that it was not

the ICO’s intention to purport to set ethical standards for journalists, or to interfere with the standards which already apply under relevant industry guidance, such as the Editors’ Code of Practice, the Ofcom Broadcasting Code, and the BBC Producers’ Guidelines. Nevertheless, the existing industry guidance does not consider the requirements of data protection law in any detail, and the ICO’s code will complement existing industry standards by providing additional coverage of this issue

However, the latest announcement – that the ICO is “looking to produce a guidance document” rather than carrying through with the issuing of a Code of Practice – is accompanied by the publishing of a summary of consultation responses to the draft Code of Practice. In fairness to the ICO, those who responded appeared not to want a Code, and, as any public authority will be aware, a consultation in name only (e.g. one with a predetermined outcome) is unlikely to be a lawful one. We are not told specifically who these responses were from, but that they were from “several media companies, individuals, regulators and representative bodies” (although there were only 16 responses overall, a figure which perhaps shames us all, or, alternatively, supports a view that not that many people were particularly aware of or bothered about the consultation). Seven responses specifically rejected the idea of a Code of Practice, with some concerns being

a code of practice implies a new set of rules or regulations;
risk of the ICO becoming a ‘mainstream de facto regulator of the press’;
risk of a proliferation of codes; and
risk of potential confusion with existing codes such as the Editors’ Code.

After pausing to note that the now-proposed ICO guidance will apparently be issued in draft (for further consultation) before the end of the year, which is a long, long way from meeting Leveson’s recommendation that any guidance be implemented within six months of his report,  it might be helpful to look at just why some respondents might have been unhappy with a Code of Practice, as opposed to “mere” guidance.

As is well-known, there is a very broad exemption, at section 32, from most of the obligations of the Data Protection Act 1998 (DPA) where:

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,
(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes [emphasis added]

This, broadly, means that, as long as personal data is processed with a view to journalistic publication (note: not that it has to be published) it is exempt from effectively all of the DPA (although not the 7th “security” principle) as long as the press body “reasonably believes” publication would be in the public interest. This has generally been taken to mean that it will be extremely difficult for a data subject to enforce her rights against, or for the ICO to regulate the activities of, the press. And, indeed, instances of successful DPA claims, or successful enforcement, against the press, are rare (privacy cases against the press, where they have included DPA claims, have tended to see the latter sidelined or dropped in favour of meatier claims in tort – see e.g. Douglas v Hello [2005] EWCA Civ 595 (where the DPA claim did succeed in the first instance, but only resulted in nominal damages) and Campbell v MGN [2002] EWCA Civ1373 (where, by contrast, the section 32 defence succeeded)). As Leveson LJ says

the effect of the development of the case law has been to push personal privacy law in media cases out of the data protection regime and into the more open seas of the Human Rights Act [page 1070 of Leveson Report]

 As everyone knows, the press kicked back strongly against parliament’s proposal of a Royal Charter for the press (that proposed Charter itself being the result of a rowing back by the political parties from Leveson’s proposal for some form of direct statutory underpinning of any regulatory scheme (“Guaranteed independence, long-term stability, and genuine benefits for the industry, cannot be realised without legislation”)). Both proposed Charters (the parliamentary-backed one and the Pressbof-backed one ) are to be considered by the Privy Council.

What has perhaps not been so widely-known, or widely-understood was that an ICO Code of Practice, if it had been designated by the Secretary of State (by means of an Order pursuant section 32(3)(b) of the DPA), would itself have constituted a form of statutory underpinning. This is because a Code designated in this way could have been taken into account by a court, or by the ICO, when determining whether personal data had been processed (for the special purposes) by the data controller in the reasonable belief that it had been in the public interest. The now-proposed “mere” guidance will not have the same status.

This might seem a minor point, and perhaps it is (bear in mind that there are already other Codes of Practice designated pursuant to section 32(3)(b), including the Press Complaints Commission Code of Practice) but, although we don’t know specifically who responded to the ICO’s consultation, it is safe to say that those who did included in their number organisations strongly opposed to (and alive to the threat of) any form of what they perceive to be statutory regulation of the press.

In this post I draw heavily on previous posts by Chris Pounder, on his Hawktalk blog, and if, as he suggested earlier this year, the then-proposed ICO Code raised the prospect of enhanced protection for ordinary data subjects, it is perhaps the case that the dropping of the proposal means no such enhanced protection.

1 Comment

Filed under Data Protection, human rights, Information Commissioner, journalism, Leveson

Tagged as , , ,

August 6, 2013 · 4:11 pm

On the tweet where you live

Do Home Office tweets of people arrested on suspicion of committing immigration offences engage data protection law?

The recent sordid campaign by the Home Office to publicise their “crackdown on illegal immigration” involved the tweeting of pictures of people apparently arrested in connection with immigration offences. I’m loath to post links because any further publicity risks undermining my point in this piece, but suffice to say that two pictures in particular were posted, one of a man being escorted (police officers at either side of him, holding his arms) from what look like retail premises, and one of a man being led by other officers into a cage in the back of a van. In both cases, the person’s face has been blurred by pixelation. There have been suggestions that the broader aspects of the campaign (disgracefully, vans have been deployed displaying advertisements saying “In the UK illegally? Go home or face arrest“) might be unlawful for breach of the Public Sector Equality Duty, and some have argued that to use the hashtag #immigrationoffenders to accompany pictures of people only suspected of crime might be to prejudge a trial, and could even constitute contempt of court. However, I would argue that the tweets also engage, and potentially breach, data protection law.

For the sake of this argument I will work on the presumption that, because the images of their faces have been obscured no third party can recognise the individuals concerned (I think this is actually probably wrong – potential identifying features, such as location and clothing are still displayed, and it is quite likely that friends, relative, colleagues could identify them). However, this does not mean that the images are outwith the Data Protection Act 1998 (DPA) and the European Data Protection Directive 95/46/EC to which it gives effect. The former defines personal data as

data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller [emphasis added]

In this instance the Home Office (or its agents) must itself know who the people in the images are (they will have had sufficient identifying information in order to effect an arrest) so, in their hands, the images constitute the personal data of the people in them. As the Information Commissioner’s Office (ICO) explains

It is important to remember that the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands…data may not be personal data in the hands of one data controller…but the same data may be personal data in the hands of another data controller…depending on the purpose of the processing and the potential impact of the processing on individuals

So the taking, retaining and publishing of images of people whose identities are obscured but who can be identified by the data controller will constitute the processing of personal data by that data controller. Consequently, the legal obligations for fair and lawful processing apply: section 4(4) of the DPA imposes a duty on a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. Lord Hoffman explained this, in the leading FOI (and DPA) case on identification 

As the definitions in section 1(1) DPA make clear, disclosure is only one of the ways in which information or data may be processed by the data controller. The duty in section 4(4) is all embracing. He must comply with the data protection principles in relation to all “personal data” with respect to which he is the data controller and to everything that falls within the scope of the word “processing”. The primary focus of the definition of that expression is on him and on everything that he does with the information. He cannot exclude personal data from the duty to comply with the data protection principles simply by editing the data so that, if the edited part were to be disclosed to a third party, the third party would not find it possible from that part alone without the assistance of other information to identify a living individual. Paragraph (b) of the definition of “personal data” prevents this. It requires account to be taken of other information which is in, or is likely to come into, the possession of the data controller. Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47

So the Home Office cannot merely edit the data (by pixelation) and thus exclude it from the duty to process it in accordance with the data protection principles: these images are personal data. Moreover, they will come under the subset known as sensitive personal data, because they consist of information as to the commission or alleged commission by the data subject of any offence (they might also fall into this subset because they show the racial or ethnic origin of the data subject, but this is less certain).

The first data protection principle requires that

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
As this is sensitive personal data, a Schedule 3 condition must be met in order for the processing to be fair and lawful. Try as I might, I cannot find one that is (I adopt the list as explicated by the ICO)

  • The individual who the sensitive personal data is about has given explicit consent to the processing.
  • The processing is necessary so that you can comply with employment law.
  • The processing is necessary to protect the vital interests of: – the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or- another person (in a case where the individual’s consent has been unreasonably withheld).
  • The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
  • The individual has deliberately made the information public.
  • The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
  • The processing is necessary for administering justice, or for exercising statutory or governmental functions.
  • The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
  • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

It will be noted that the two conditions emphasised by me in italics might be thought to apply, but one notes the word “necessary”. In no way were these tweets “necessary” for the purposes to which those conditions relate. By contrast, when authorities publish photographs of wanted criminals, the necessity test will normally be made out. It is, I suppose, just possible that the data subjects gave their explicit consent to the tweets, but that’s vanishingly unlikely. (A question does arise as to what conditions permit the processing by the police of pixelated images of potential offenders in programmes such as “Police, Camera, Action” and “Motorway Cops”: it may be that this has never been challenged, but it may also be that the data controller is in fact the film company, who might be protected by the exemption from much of the DPA if the processing of data is for journalistic purposes).

(I would observe, in passing, that many customary practices to do with publication of information about crimes or suspicion of criminal behaviour are potentially in breach of these provisions of the DPA if they are construed strictly. Although there is the journalistic exemption mentioned above, those to whom that exemption arguably does not apply (bloggers, tweeters, police, other public authorities) are at risk of breach if they, for instance, publish identifying information about people who have criminal convictions or are suspected of having committed a crime. This area of the law, and its implications for open justice, have not, I think, been fully played out yet. For discussions about it see my post and others linked here.)

If no Schedule 3 condition can be met, the processing will not be in accordance with the first data protection principle, and the data controller will be in breach of section 4(4) of the DPA. What flows? Well, probably very little – the data subjects have a right to serve a notice (under section 10 of the DPA) requiring the cessation of processing which is causing or likely to cause substantial unwarranted damage or distress. Additionally, they have a right either to bring a civil claim for damages (very difficult to show) or to complain to the ICO. However, data subjects like this are not necessarily going to want to assert their rights in a strident way. The ICO himself could intervene – he has the power to take enforcement action if he is satisfied a data controller has contravened or is contravening the data protection principles (and, much to his credit, he has recently issued notices against a Council which was requiring taxi drviers to instal CCTV/audio recording facilities in all cabs, and against a Police force which was operating a “ring of steel” ANPR network). It appears though that the Home Office twitter account has gone quiet (it hasn’t tweeted in several days). Perhaps there have been second thoughts not just about the legality, but also the morality, of the campaign. I am always the optimist.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Home Office, human rights, Information Commissioner, journalism, police

Tagged as , ,

July 20, 2013 · 8:30 am

Good Lord!

On Lord Selsdon and the subject of criminal offending under the Data Protection Act

There was much astonishment yesterday, after a peer of the realm, the 3rd Baron Selsdon, claimed in a debate about littering in the House of Lords that he sometimes gets private information about people throwing litter from cars, and later telephones them to admonish them:

I have followed them occasionally and, for a bit of fun, have taken a note of their vehicle registration numbers. Occasionally, because I have friends in the DVLA, I manage to find their telephone number and I give them a ring

Several media outlets point out that, if this were true, it could be a breach of the Data Protection Act 1998. For instance, the Independent says

If Lord Selsdon did access information from the DVLA in this way, there may have been a breach of the Data Protection Act 1998, which requires organisations such as the DVLA to keep personal information secure

This isn’t wrong, but it overlooks that not only could it be a DPA breach, it could also be a criminal offence committed by the noble Lord and his “friends in the DVLA”. I note that the Telegraph touches on this, but doesn’t clearly explain why the criminal law might be engaged (it focuses on the DPA requirement that organisations should keep data secure).

(It should be noted that I am not accusing Lord Selsdon or his friends of committing an offence – nothing has been proven and he has so far declined to comment, while the DVLA are said to be investigating. Additionally, it does occur to me that sometimes one exaggerates when one is trying to impress one’s P̶e̶e̶r̶s̶ peers – the 3rd Baron might simply have been gilding his oratory lily.)

Nonetheless, under section 55 of the DPA a criminal offence is committed if, “without the consent of the data controller” (which here is the DVLA itself, not its individual employees), a person “knowingly or recklessly…obtain[s] or disclose[s] personal data or the information contained in personal data”. An offence will not be committed if the obtaining or procuring was necessary “for the purpose of preventing or detecting crime” or if the person acted in the reasonable belief that he had the legal right to obtain or disclose the data, or that he had the consent of the data controller, or if the obtaining or disclosing were in the public interest. What “necessary”, “reasonable belief” and “public interest” mean must be considered in light of the purposes for which the obtaining or disclosing occurred. So, for instance, if a serious crime were averted by such an action the elements of the offence might not be made out, but, distasteful and irritating as some of us find it, littering is certainly not a serious crime. Equally, someone who mistakenly thinks he has the right to obtain or disclose data might avoid the offence, but someone who says that he did it “for a bit of fun” by contacting “friends” might not.

Examples of successful prosecutions for this offence are: a letting agent and one of its directors who obtained details about a tenant’s finances from a rogue council employee; a gambling industry worker who obtained and sold gamblers’ personal details; a GP’s receptionist who obtained medical data about her ex-husband’s new wife.

The offence is also very much in the headlines following Lord Justice Leveson’s inquiry into the culture, practices and ethics of the press, which recommended strengthening of prosecution and sentencing powers under the DPA. Some journalists are perhaps understandably concerned that the practice of investigative reporting could be compromised by too robust a statutory scheme which criminalises the obtaining or disclosure of information by unofficial means.

Lord Selsdon will no doubt be regretting his apparent throwaway remarks.

1 Comment

Filed under Data Protection, journalism

Tagged as

July 17, 2013 · 5:07 pm

The Fog of War (on Drugs)

A recent Freedom of Information (FOI) request to Nottinghamshire police by a local newspaper resulted in the press headline

Police winning war on production of cannabis in county

The request was apparently for “the number of cannabis farms discovered” in the county, and the number of arrests in relation to production of the drug. Over a five year period the data showed that both were down, by 19% and 25% respectively. The paper reported that

Police say the figures prove a crackdown on cannabis production is having an impact

Do the figures prove that? I don’t think so. In fact, I think you could just as reasonably extrapolate that, for instance, police are actually “losing the war on drugs” and have chosen to expend fewer resources in discovering the farms, or, that producers have got a lot better at hiding them. The figures don’t “prove” these assertions either, but each seems to me to be as valid a conclusion as the one reported.

I read the article in light of an exchange on twitter about whether public authorities, when responding to FOI requests, were entitled to include a statement to be used in the event that the requester wished to publish an article.

Provided that the response to the FOI request itself is compliant with legal requirements I see no problem with this approach, which is really only an extension of the practice of providing explanatory comment to FOI disclosures.

What I would be critical of, though, is an unquestioning approach by journalists to such accompanying statements.

Leave a comment

Filed under Freedom of Information, journalism

Tagged as ,