Category Archives: monetary penalty notice

June 18, 2013 · 12:10 pm

Cold Comfort for Cold Callers

In which I praise the ICO, and implore people to report nuisance callers.

I was in conversation with a group of friends recently, and the topic of nuisance calls came up. Each of my friends described continually receiving  unsolicited, often agressive, calls, despite the fact that they were registered with the Telephone Preference Scheme. I said they must complain to the Information Commissioner’s dedicated service because the ICO was now taking breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) seriously (actually, I didn’t say it in quite those terms, because although my friends like to deride me, I try not to give them too much ammunition). I got a lot of replies of “I might”, but also some of “it won’t do any good”. In support of the fact that it might do some good I was able point to the three recent civil Monetary Penalty Notices (MPNs) for breaches of PECR issued to Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms and DM Design Bedroom Ltd.

And today, two more MPNs have been issued, to two companies owned by “Save Britain Money Ltd” a company which, in what appear to be rather embarrassing circumstances for the BBC, is currently featuring in a fly-on-the-wall documentary series about call centres.

We need a regulator to take firm and public action for breaches of privacy laws, and it is pleasing to see the ICO doing so with nuisance callers. However, in order for practices to really change, nuisance callers need to be reported to the ICO, at every opportunity. The principle of a penalty pour encourager les autres only works if les autres are scared about what legal non-compliance can lead to.

And I note from a recent internal ICO report that, as at 10 June, both the DM Design and the McNeish MPNs were overdue for payment (Niebel has appealed his Notice). Penalties in the tens of thousands of pounds can potentially be ruinous for businesses. The ICO statutory guidance on MPNs provides that

a monetary penalty notice will not impose undue financial hardship on an otherwise responsible person

But this leaves open the possibility that an MPN might some times impose due hardship, on an otherwise irresponsible person. If future nuisance callers wilfully act irresponsibly, a financially-crippling MPN might not constitute undue hardship.

As someone who works in the public sector, and who trains other public sector partners in their obligations under the Data Protection Act 1998 (DPA), I can attest to the beneficial effect MPNs for DPA breaches (added to the willingness of the ICO to impose them) have had on data security and knowledge (it doesn’t half focus the minds of senior managers when you remind them that security vulnerabilities carry a risk of a £500,000 “fine”). Enforcement of the law does change things, and we should praise the ICO for what he is doing with nuisance callers, while continuing to report miscreants.

Now, how about some FOI enforcement…?

1 Comment

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice, PECR

Tagged as , ,

June 7, 2013 · 12:26 pm

Transparency and the ICO

It is axiomatic that, under the Freedom of Information Act 2000 (FOIA), a requester is unlikely to know precisely what the information requested consists of. This means that a requester is at a (natural and fair) disadvantage if he or she wishes to challenge a refusal. How to argue, for instance, that the public interest favours disclosure of information, if you don’t know what the information is?

A requester will often be reliant, therefore, on the Information Commissioner (ICO), as independent regulator, or the judicial system, thoroughly to interrogate a public authority’s basis for non-disclosure.

Last year I made a FOIA request to the ICO’s office itself for copies of all Undertakings (not currently on their website) agreed by the ICO and data controllers following investigation of serious breaches of the Data Protection Act 1998.

The ICO kindly disclosed to me a large number of Undertakings, but withheld three, citing the exemption at section 22 of FOIA. This section provides an exemption to the general FOIA obligation to disclose information, if the information is held, at the time of the request, with a view to its publication at some future date (whether determined or not). Furthermore it must be reasonable in all the circumstances that the information should be withheld from disclosure until that future date. Section 22 is a qualified exemption, and, therefore, subject to the application of a public interest test. I was told by the ICO that the Undertakings

were not published at the time due to a risk of prejudice, in one case to a criminal trial and in the others to commercial interests. In light of your request we have revisited these considerations and find that they are still relevant

I’m a reasonable chap, and accepted that the ICO was well-placed to determine that the public interest did not favour disclosure. However, I thought they might be able to disclose the identities of the data controllers involved. So I made a FOIA request for that information.

This was also refused. I was told that one of the data controllers was News Group Newspapers and the Undertaking was

in connection with a cyber-security attack perpetrated against NGN for which criminal proceedings are ongoing. As we have previously indicated, the Undertaking will be published once the proceedings have been concluded

This was the case relating to a criminal trial, and it has now been published.

I was told though that the names of the other two data controllers were still exempt under section 22, as, even though the ICO accepted my argument

that prejudice is “unlikely to occur simply by disclosing the identity of the data controllers”, having consulted with the organisations involved, I am satisfied that there is a possibility that the release of even the identities could potentially damage the commercial interests of the Data Controllers

Well, after I waited a while, and then made a further FOI request, the names and Undertakings have now been disclosed. And I fail to see what the fuss was about: they related to some issues with residual data on legacy systems. I also fail completely to understand how, in any conceivable way, disclosure of the names of the Councils involved could have caused prejudice to their commercial interests, and I’d invite anyone else to explain to me how it could. If I am right, the argument that it was reasonable in all the circumstances that the information should be withheld from disclosure until a later date, and, indeed, the argument that the public interest favoured maintaining the section 22 exemption falls away.

I could, of course, have appealed at the time, but the point is that I did not know what information was being suppressed, or why. I trusted the ICO to apply the law properly.

It is interesting to consider this matter of “trust” in light of an important recent Upper Tribunal (UT) case. Although that case was concerned with the use of “closed material” and “closed proceedings” in FOIA cases in the First-tier Tribunal (FTT) some points are arguably of general application to public authorities. One strikes me in particular

The other side of the coin concerning the application of the FOIA exemptions is of course that the requester may want to challenge the reasons and evidence which are advanced to establish them and thereby show that the requested information should be provided to him or her pursuant to FOIA…This competing right and interest within the FOIA scheme is founded on the right of access to information held by public authorities that is given by FOIA.  So it is one of the starting points for the need for a decision-making process to weigh competing rights and interests [emphasis added]

I would argue (knowing now what I didn’t know then) that as one of the prime reasons for DPA Undertakings is to draw attention to serious breaches of the DPA (see ICO Guidance: Communicating Enforcement Activities) withholding this information under section 22 potentially is seen to undermine the regulatory functions of the ICO. I struggle to understand how the refusal to disclose the Undertakings, let alone the mere identities of the recipients, shows proper weighing of competing rights and interests.

One a final note, the guidance above also says

We will not risk damage to the reputation of the ICO by agreeing with an organisation that we won’t publicise our action or that we will give advance warning

I’m not sure how to square that with what I was told last year that

the Undertakings were signed on the understanding that they would not be publicised in the usual manner

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

May 26, 2013 · 10:27 am

Medical records databreach – what will result?

Today’s Sunday Mirror reports that thousands of confidential medical records have apparently been stored outdoors in a car park in an industrial estate for months. The paper alleges that

DHL Healthcare, which provides services for more than 100 NHS trusts, left out documents reportedly containing patients’ names, addresses and details of their medical conditions.

The paperwork is also believed to contain security “key codes” that enable DHL ambulance drivers to open the front doors of patients’ homes so they can be taken to hospital for treatments such as dialysis and chemotherapy.

Although the article doesn’t mention it, I am sure the Information Commissioner (IC) will take a keen interest in this.

Of particular interest is the fact that this apparent breach is said to have involved an organisation, DHL Healthcare, which doesn’t provide healthcare services itself. According to its website it provides “logistics services for the healthcare industry”. I also note that it provides a records management service. It seems almost certain that it acts under contract to NHS bodies. As such, in the terminology of the Data Protection Act 1998 (DPA), it is a “data processor” and an NHS body which instructs it is a “data controller”. Under the DPA, only the latter – the controller – is responsible for complying with the Act, and only the latter is liable to attract enforcement action for serious breaches of the DPA.

The seventh DPA data protection principle places an obligation on a data controller to ensure that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

and where

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a)the processing is carried out under a contract—

(i)which is made or evidenced in writing, and

(ii)under which the data processor is to act only on instructions from the data controller, and

(b)the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

This means that where an NHS Trust contracts with – say – a records management service, it must enter into a written contract which demands that the contractor must do nothing other than what the contract says, and must have robust data security measures in place. If the contract does not say that then the NHS body is prima facie in breach of the DPA, and liable for any serious breach which might occur.

Thus, in 2012, Brighton and Sussex University Hospitals NHS Trust was “fined” (in reality, served with a s55A DPA Civil Monetary Penalty Notice) £325,000 by the IC after hard drives containing sensitive medical data ended up for sale on the internet. The IC said that the Trust

failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures.
Further, the processing was not carried out under a contract between the Trust and HIS (whether made or evidenced in writing) under which the data processor was to act only on instructions from the data controller, and which required HIS to comply with obligations equivalent to those imposed on a data controller by the Seventh Data Protection Principle

Any investigation into this latest incident will likely involve assessment of the nature of the contracts in place, and the extent to which data controllers contracting with DHL Healthcare took reasonable steps to ensure compliance by the contractor. However, it appears to be the case, under current law, that if the IC determines there was a robust contract in place, and the data controller took all reaosnable steps to ensure compliance, no enforcement action can ensue. This seems slightly strange, but the DPA (which gives effect to the European Data Protection Directive) does not allow the IC to take action against the contractor. (Of course the other party to the contract could take civil action of its own, but this would almost certainly be only for breach of contract).

The draft European Data Protection Regulation seeks to deal with this possible gap in the law. Draft Article 26 (read with Articles 24 and 30) provides that

If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers

This apparently sensible and minor amendment might, though, have major implications for contractual arrangements to process data. If a data processor becomes (jointly) liable for breaches it is likely to assess risk in a much different way when entering into a contract. “Traditional” data controllers need to be alive to the potential financial implications of this.

One final note. Under current law, a data controller is

a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed

Could it be argued that, even now, when a contractor diverges from the terms of a contract, and decides to process data in a different way, they are in fact determining the purposes in a way which could potentially make them a controller? I would be interested to know if this has ever been argued.

Leave a comment

Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, monetary penalty notice

Tagged as ,

March 19, 2013 · 8:34 am

Don’t Panic about the Royal Charter. Panic Now!

Bloggers shouldn’t panic about the proposed Royal Charter, unless they’re already panicking about the current law.

Imagine that a local citizen blogger – let’s call her Mrs B, who is a member of a local church group – decides to let others know, by way of a website, some news and information about the group. She includes information for those about to be confirmed into the church as well as extraneous, light-hearted stuff about her fellow parishioners, including the fact that one of them has a broken leg. Now imagine that a complaint by one of the fellow parishioners that this website is intrusive is upheld and Mrs B is found to have breached domestic law.

The coercive power of the state being brought against a mere blogger would be, you might imagine, unacceptable. You might imagine that any such domestic law, in a country which is a signatory to the European Convention on Human Rights, would be held to be in breach of the free-expression rights under Article 10 of the same.

This sort of outcome, you might say, would surely be unimaginable even under the proposed regulatory scheme by Royal Charter agreed in principle by the main party leaders on 18 March.

But, as anyone who knows about data protection law will tell you, exactly this happened in 2003 in Sweden, when poor Mrs Bodil Lindqvist was prosecuted and convicted under national Swedish legislation on data protection and privacy. On appeal to the European Court of Justice her actions were held to have been the “processing” of “personal data” (and, in the case of the person with the injured leg, of the higher-category “sensitive personal data”) and thus those actions engaged Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data which is given domestic effect in Sweden by the law under which she was convicted. The same Directive is, of course, given domestic effect in the UK by the Data Protection Act 1998 (DPA).

The response to the proposed Royal Charter was heated, and many people noticed that the interpretative provisions in Schedule 4 implied the regulation of web content in general (if said content was “news-related material”), thus potentially bringing the “blogosphere” and various social media activities into jurisdiction. This has caused much protest. For instance Cory Doctorow wrote

In a nutshell, then: if you press a button labelled “publish” or “submit” or “tweet” while in the UK, these rules as written will treat you as a newspaper proprietor, and make you vulnerable to an arbitration procedure where the complainer pays nothing, but you have to pay to defend yourself, and that will potentially have the power to fine you, force you to censor your posts, and force you to print “corrections” and “apologies” in a manner that the regulator will get to specify.

But the irony is, that is effectively exactly the position as it currently stands under data protection law. If you publish or submit or tweet in the UK information which relates to an identifiable individual you are “processing” “personal data”. The “data subject” can object if they feel the processing is in breach of the very broad obligations under the DPA. This right of objection is free (by means of a complaint to the Information Commissioner’s Office (ICO)). The ICO can impose a monetary penalty notice (a “fine”) up to £500,000 for serious breaches of the DPA, and can issue enforcement notices requiring certain actions (such as removal of data, corrections, apologies etc) and a breach of an enforcement notice is potentially a criminal offence.

As it is, the ICO is highly unlikely even to accept jurisdiction over a complaint like this. He will say it is covered by the exemption for processing if it is “only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. He will say this despite the fact that this position is legally and logically unsound, and was heavily criticised in the High Court, where, in response to a statement from the ICO that

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about…another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

Mr Justice Tugendhat said

 I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA…The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

The ICO will decline jurisdiction because, in reality, he does not have the resources to regulate the internet in its broadest sense, and nor does he have the inclination to do so. And I strongly suspect that this would also be the position of any regulator established under the Royal Charter.

I’m not normally one for complacency, and I actually think that the fact that the coercive power of the state potentially applies in this manner to activities such as blogging and tweeting is problematic (not wrong per se, note, but problematic). But the fact is that, firstly, the same coercive power already applies, to the extent that such activities engage, for instance, defamation law, or contempt of court, or incitement laws, and secondly – and despite the High Court criticism – no one seems to be particularly exercised by the fact that the current DPA regulator is able to ignore the activities of the blogosphere, so I doubt that the social and legal will exists to regulate these activities. I hope I’m not wrong.

3 Comments

Filed under Data Protection, human rights, Information Commissioner, monetary penalty notice, Privacy

Tagged as ,

August 25, 2012 · 11:20 am

What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework) it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper The Register gave some examples of shoulder-surfing, in addition to Bob Quick’s infamous incident

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.

 

 

 

*It’s difficult accurately to categorise them. For instance, a fax is both electronic and physical, and a lost hard-drive is loss of physical data, but seriousness is tied to the electronic contents of said drive.

Leave a comment

Filed under Confidentiality, Data Protection, Information Commissioner, monetary penalty notice, police, Uncategorized

June 1, 2012 · 11:53 am

NHS Trust Given £325k Penalty

In January this year I blogged about reports that the Information Commissioner (IC) had sent a notice of intent to serve a civil monetary penalty notice (CMP) of £375,000 on Brighton and Sussex University Hospitals NHS Trust. At the time I said

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essentail but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

Well, it has been served, today. And though the amount has been slightly reduced – £325,000 – it is still by some way the largest CMP ever imposed by the IC. However, this case may be important for other reasons.

Firstly, it related to disposal of hardware containing sensitive personal data. As the IC’s press release says

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences

The IC has been running an “unscrubbed hard drives initiative” following a reported security breach in 2009 involving the sale of un-scrubbed hard drives on the internet containing personal data, and internal meeting minutes from January indicated that this initiative was nearing completion. It would not be surprising if some formal guidance on the subject was now issued.

Secondly, and more broadly, it is interesting and worrying to note the fact that a fundamental role in this data breach was played by a contractor appointed to securely destroy the hard drives. As a data processor (rather than the data controller) this contractor was not liable under the Data Protection Act 1998 (DPA) for any serious breaches: this is why the Trust takes the hit. However, the contractor in question was the Department of Health-accredited Sussex Health Informatics Service (SHIS). SHIS appears to have sub-contracted the work to “Company A” which in turn sub-contracted to a one-person “Company B”. This individual subsequently sold 232 hard drives on the internet auction site.

The contractual, and sub-contractual confusion appears to have been key: the Trust did not even know that the individual had been appointed, and did not know that he had been attending their offices, ostensibly to remove and securely destroy the drives. Data controllers need to be acutely aware of what is happening to the personal data they control, and this obligation cannot be overlooked when they feel the data, or the hardware containing it, has become obsolete.

The fact that SHIS was so involved is particularly worrying. Health Informatics Services are expected to be in the vanguard of data security in the NHS. They say

Keeping data safe and confidential is a core duty for health service providers – and a core THIS service. Our award-winning Confidentiality and IM&T Security service helps customers to fully comply with national and local standards.

Under current law the IC’s powers to take action against a data processor are limited. That may change when the European Data Protection Regulation is ultimately enacted. One would hope, however, that SHIS, and the Department of Health, are looking very closely at their own compliance and security.

UPDATE: 15:15

The Trust has now issued a statement, which to an extent attempts to deflect responsibility on to the contractor. Duncan Selbie, the Chief Executive has said

We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay

The Information Commissioner has ignored our extensive representations.  It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process”

He goes on to say

We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal

If this transpires, it will be the second recent instance of an appeal of a CMP by an NHS body.

The Independent reports the Trust also saying

the fine would pay for the delivery of 300 babies, 50 hip operations, 30 heart bypasses and 360 chemotherapy treatments

This rather confirms what I predicted in January

the IC might be faced with headlines equating (for example) [an NHS CMP] to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances

Perhaps this strategy will be revealed during any subsequent appeal proceedings.

 

 

 

 

 

 

 

2 Comments

Filed under Data Protection, Information Commissioner, monetary penalty notice