Category Archives: parliament

MPs have rights too

The Guardian reports on MPs’ concerns that IPSA’s proactive commitment to transparency is putting them at risk. Could those MPs use the Data Protection Act to stop IPSA publishing?

Anyone who has worked in the fields of Freedom of Information (FOI) and transparency will have come across colleagues or third parties who fear that one will simply disclose information, including personal information, into the public domain, without any thought. The reality is very different: FOI and transparency  professionals need to be expert not only in FOI law, but also other laws, such as breach of confidence, and, especially, the law of data protection: the FOI Act’s most cited exemption is at section 40(2), which provides an absolute exemption to disclosure where to do so would contravene someone’s rights under the Data Protection Act 1998 (DPA).

With this in mind, and at least on the face of things, I have some sympathies with MPs concerned at proactive disclosure of details of mileage claims by IPSA (the Independent Parliamentary Standards Authority). (Although the law requires candidates for parliamentary seats to declare their home address, as UKIP’s Paul Nuttall has recently been reminded, candidates can ask that the addresses not be made public.) The Guardian reports that the SNP’s Angus Robertson has ordered colleagues to stop submitting claims, because

data now required to make a claim for mileage, including the locations of journeys travelled to and from on a daily basis, was now being publicised [by IPSA]

Robertson says

Ipsa have been aware for some time that they are inadvertently confirming the home locations of parliamentarians, which runs contrary to basic security advice

Although IPSA appear to dispute that what is being published could locate specific properties, it is important to note that the expenses information being published is the personal data of the MPs involved. Therefore, any processing of it by IPSA must be in accordance with their obligations under the Data Protection Act 1998 (DPA). The first data protection principle (in Schedule One of the DPA) requires that processing must be fair and lawful: if Robertson and others are right that there is a risk of disclosure of their home addresses (maybe by combining the IPSA data with other publicly available data), there is a strong argument that the processing is not fair.

So what can MPs do? Well, in addition to refusing to submit claims (which is rather cutting off one’s nose to spite one’s face), the DPA offers a possible option. Section 10 allows a data subject to serve a notice in writing requiring a data controller to cease a specified act of processing, on the grounds that the processing is causing unwarranted substantial distress. Upon receipt of such a notice the data controller has twenty one days to respond, either by ceasing the processing, or stating why it considers the notice unjustified. At that point the data subject can ask a court to rule on whether the notice was justified, and order such steps as are appropriate.

Were an MP or MPs to serve such a notice, it might be difficult for IPSA to dispute the potential for substantial distress to be caused – if MPs reasonably fear that disclosure of their home addresses could occur (and it seems to me to be quite possible that they could – a location frequently travelled from at the start of a day, and to at the end of the day is quite likely to be a place of residence) then, given the horrendous murder of Jo Cox last year, and general ongoing security threats, I don’t think it would be surprising for such distress to be caused. And if the distress caused is real and substantial, could IPSA say it was warranted? I very much doubt it – the publication of this information is not necessary for the performance of IPSA’s core functions.

IPSA say that they have “consulted police” and feel that there is not a risk, although the Guardian suggests that both the Met and “senior security sources” have expressed concerns.

MPs’ expenses of course play an important part in the history of FOI in the UK, and some of the abuses of the system which were revealed when the requested information was leaked to the Telegraph were egregious (although it’s always worth remembering that were it not for the leak, a lot of the more gory details would probably not have emerged). But threats to MPs are real and serious, and one wonders why IPSA, even if it thinks the risk of identification of home addresses is low or even non-existent would not want to review the practice. A section 10 notice would, though, force the issue.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Freedom of Information, parliament

Do bloggers need to register with the ICO?

A strict reading of data protection law suggests many (if not all) bloggers should register with the ICO, even though the latter disagrees. And, I argue, the proposal for an Information Rights Levy runs the risk of being notification under a different name

Part III of the Data Protection Act 1998 (DPA) gives domestic effect to Article 18 of the European Data Protection Directive (the Directive). It describes the requirement that data controllers notify the fact that they are processing personal data, and the details of that processing, to the Information Commissioner’s Office (ICO). It is, on one view, a rather quaint throwback to the days when processing of personal data was seen as an activity undertaken by computer bureaux (a term found in the predecessor Data Protection Act 1984). However, it is law which is very much in force, and processing personal data without a valid notification, in circumstances where the data controller had an obligation to notify, is a criminal offence (section 21(1) DPA). Moreover, it is an offence which is regularly prosecuted by the ICO (eleven such prosecutions so far this year).

These days, it is remarkably easy to find oneself in the position of being a data controller (“a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”). There are, according to the ICO, more than 370,000 data controllers registered. Certainly, if you are a commercial enterprise which in any way electronically handles personal data of customers or clients it is almost inevitable that you will be a data controller with an obligation to register. The exemptions to registering are laid out in regulations, and are quite restrictive – they are in the main, the following (wording taken from the ICO Notification Handbook)

Data controllers who only process personal information for: staff administration (including payroll); advertising, marketing and public relations (in connection with their own business activity); and accounts and records.
Some not-for-profit organisations.
Maintenance of a public register.
Processing personal information for judicial functions.
Processing personal information without an automated system such
as a computer.
But there is one other, key exemption. This is not within the notification regulations, but at section 36 of the DPA itself, and it exempts personal data from the whole of the Act if it is
processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)
Thus, if you, for instance, keep a record of your children’s medical histories on your home computer, you are not caught by any of the DPA (and not required to notify with the ICO).Where this becomes interesting (it does become interesting, honestly) is when the very expansive interpretation the ICO gives to this “domestic purposes exemption” is considered in view of the extent to which people’s domestic affairs – including recreational purposes – now take place in a more public sphere, whereby large amounts of information are happily published by individuals on social media. As I have written elsewhere, the Court of Justice of the European Union (CJEU) held in 2003, in the Lindqvist case, that the publishing of information on the internet could not be covered by the relevant domestic purposes exemption in the Directive. The ICO and the UK has, ever since, been in conflict with this CJEU authority, a point illustrated by the trenchant criticism delivered in the High Court in the judgment by Tugendhat J in The Law Society v Kordowski.

But I think there is a even more stark illustration of the implications of an expansive interpretation of the section 36 exemption, and I provide it. On this blog I habitually name and discuss identifiable individuals – this is processing of personal data, and I determine the purposes for which, and the manner in which, this personal data is processed. Accordingly, I become a data controller, according to the definitions at section 1(1) of the DPA. So, do I need to notify my processing with the ICO? The answer, according to the ICO, is “no”. They tell me

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets
But I don’t understand this. I cannot see any exemption which applies to my processing – unless it is section 36. But in what way can I seriously claim that I am processing personal data only for my domestic (including recreational) purposes. Yes, blogging about information rights is partly a recreation to me (some might say that makes me odd) but I cannot pretend that I have no professional aims and purposes in doing so. Accordingly, the processing cannot only be for domestic purposes.I have asked the ICO to confirm what, in their view, exempts me from notification. I hope they can point me to something I have overlooked, because, firstly, anything that avoids my having to pay an annual notification fee of £35 would be welcome, and secondly, I find it rather uncomfortable to be on the receiving end of my own personal analysis that I’m potentially committing a criminal offence, even if the lead prosecutor assures me I’m not.

The point about the notification fee leads to me on to a further issue. As I say above, notification is in some ways rather quaint – it harks back to days when processing of personal data was a specific, discrete activity, and looks odd in a world where, with modern technology, millions of activities every day meet the definition of “processing personal data”. No doubt for these reasons, the concept of notification with a data protection authority is missing from the draft General Data Protection Regulation (GDPR) currently slouching its way through the European legislative process. However, a proposal by the ICO suggests that, at least in the domestic sphere, notification (in another guise), might remain under new law.The ICO, faced with the fact that its main funding stream (the annual notification fees from those 370,000-plus data controllers) would disappear if the GDPR is passed in its proposed form, is lobbying for an “information rights levy”. Christopher Graham said earlier this year

I would have thought  an information rights levy, paid for by public authorities and data controllers [is needed]. We would be fully accountable to Parliament for our spending.

and the fact that this proposal made its way into the ICO’s Annual Report  with Graham saying that Parliament needs to “get on with the task” of establishing the levy, suggests that it might well be something the Ministry of Justice agrees with. As the MoJ would be first in line to have make up the funding shortfall if a levy wasn’t introduced, it is not difficult to imagine it becoming a reality.

On one view, a levy makes perfect sense – a “tax” on those who process personal data. But looked at another way, it will potentially become another outmoded means of defining what a data controller is. One cannot imagine that, for instance, bloggers and other social media users will be expected to pay it, so it is likely that, in effect, those data controllers whom the ICO currently expects to notify will be those who are required to pay the levy. One imagines, also, that pour encorager les autres, it might be made a criminal offence not to pay the levy in circumstances where a data controller should pay it but fails to do so. In reality, will it just be a mirror-image of the current notification regime?

And will I still be analysing my own blogging as being processing that belongs to that regime, but with the ICO, for pragmatic, if not legally sound, reasons, deciding the opposite?

1 Comment

Filed under Data Protection, Directive 95/46/EC, Europe, GDPR, parliament

Implications of the Home Office data breach

What sanctions might result from the recent Home Office data breach, and how does it relate to the transparency agenda?

News emerged yesterday, through the rather unusual route of a statement to Parliament by Mark Harper, Minister for Immigration, that a spreadsheet containing the personal information of almost 1600 people had been inadvertently published by the Home Office on a government website. The minister’s statement says

between 15 and 28 October 2013 some personal data was available on the Home Office website as part of a spreadsheet alongside the regular data set in error. This was identified by Home Office officials on 28 October 2013 and the personal information was  removed immediately. The personal data related to the names of 1,598 main applicants in the family returns process, their date of birth and limited details about their immigration case type and status

On these conceded facts this would appear to be a clear breach of the Data Protection Act 1998 (DPA), and, specifically, the principles of Schedule 1 to the Act which require that processing be fair and lawful, and that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. But what are the implications of this?

By virtue of section 4(4) of the DPA a data controller – in this instance the Home Office – must comply with those principles. A serious contravention of them, of a kind which is likely to cause substantial damage or substantial distress, can (by section 55A) invoke the powers of the Information Commissioner’s Office (IC) to serve a monetary penalty notice, to a maximum of £500,000. Whether the IC would exercise his discretion to do so would depend on various factors. Firstly, he would need to satisfy himself whether the personal data involved was “sensitive”. Sensitive personal data is afforded greater protection by the DPA, and breaches involving it are accordingly more serious. We are told that the information involved here consisted of people’s names, dates of birth, and their immigration status. Information about a person’s racial or ethnic origin is sensitive personal data – could one derive or infer that from the mistakenly disclosed information? This will be an important question to answer. But, additionally and more simply, it seems that these were “illegal immigrants” – the data was related to immigration family returns, and this would certainly seem to imply either the commission or alleged commission of an offence by those whose data was exposed, and this would also move the data into the category of “sensitive”.

Whether the apparent contravention was likely to cause substantial damage or substantial distress is less clear. The minister points out that there appear to have been fewer than thirty page views, but that we don’t know whether any of those people accessed or downloaded the data. But this perhaps overlooks the part of the statutory scheme which talks about whether the contravention was “of a kind likely” to cause the damage or distress. If for instance, this incident, which we are told is being investigated by the IC, is a symptom of inappropriate or insufficient data security measures, then that factor, rather than this discrete incident, could potentially give rise to sanctions. Also relevant might be what efforts the Home Office has taken to ensure that cached versions of the data have been removed from the internet – it is remarkably easy for information quickly to be captured and mirrored elsewhere, by automated web services.

The IC’s powers are not limited, however, to issuing monetary penalties. He can also issue enforcement notices requiring data controllers to take specified actions, and a breach of an enforcement notice can be a criminal offence. Less seriously, he can simply make a determination as to whether there is likely to have been a breach of the DPA. And he can take informal action, requiring a responsible person at the ministry to sign an undertaking to improve compliance.

The transparency agenda

What I also find noteworthy is that the minister prefaces his statement with remarks about the government’s commitment

to openness and transparency to enable the public to hold the government and other public bodies to account. This government has made more data available than ever before…

These are laudable aims and actions, but, I have written before that the transparency agenda carries with it risks that, in the rush to publish more and more data, there will be privacy and data protection breaches. And if the government and the IC, as regulator, do not do more to alert people to these risks they must be aware that they risk being seen as complicit in such breaches. As I said in my piece for The Guardian

The IC must work with the government to offer advice direct to chief executives and those responsible for risk…So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.

1 Comment

Filed under Data Protection, enforcement, Home Office, Information Commissioner, monetary penalty notice, parliament, transparency

Pornography and its Frustrations

For those who have never worked with “basic” versions of web-filtering software, let me describe typical frustrations.

Researching the subject of malicious communications? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.helpfullookingcommentary.com/) has been blocked as it is categorised as PROFANITY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

 Researching defamation? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.interestinganalysis.com/) has been blocked as it is categorised as GAMBLING, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Doing some local history research on Scunthorpe? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.scunthorpematters.com/) has been blocked as it is categorised as PORNOGRAPHY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Each of these failed hits will be logged by some sysadmins as “attempt to access PROFANITY/GAMBLING/PORNOGRAPHY”. 

I suggest people bear this in mind when reading the numerous delighted shocked commentators who have picked up on the Huffington Post story which says that a Freedom of Information request apparently revealed that

MPs, Lords and parliamentary staff have been trying to access porn websites potentially thousands of times, official figures reveal.

The story goes on to say that users of the parliamentary network, over a period of one year

have repeatedly attempted to access websites classed on Parliament’s network as pornographic [emphasis added]

So, they haven’t tried to access pornography; they’ve tried to access sites that web-filtering software classes as pornography. A further clue to the fact that this outrageous story of parliamentary loucheness might not be as it’s being presented is the fact that in October 2012 there were 3391 “attempts”, in the following month there were 114,844 and in the month after that there were 6918. Either November that year coincided with rampant horniness on the part of politicians and their staff, or there’s another reason for the spike.

I suspect some new definitions were added to the software, which drastically increased the “false positive” hits, and these crappy new definitions were tweaked for the following months.

In fact, as I drafted this post Sky News’ Roddy Mansfield, and the Guardian’s James Ball have pointed out on twitter that that November 2012 spike coincided with intense political and media interest in the topic of sexual offences, following as the scandal involving Jimmy Savile broke. This is very plausible, and suggests that, far from users of parliamentary systems shirking their responsibilities by browsing for smut, they were actually trying – apparently unsuccessfully, and probably with no small frustration – to find out more about a serious and current news item.

But that makes for a dull story.

UPDATE:

As several people have pointed out, if this is a case of poor filtering, it provides a nice lesson in irony for those who propose ISP filtering as some sort of solution to the alleged “corroding” influence of online pornography.

4 Comments

Filed under Freedom of Information, journalism, parliament