Category Archives: police

July 7, 2014 · 1:23 pm

Police building register of domestic CCTV for crime investigation purposes?

This is a flyer apparently being distributed by Thames Valley Police (TVP).

flyer

It invites householders who have private CCTV systems to register with TVP, who want to use those systems “in order to assist us in future investigations”.

Surveillance camera footage can undoubtedly be of great use in the investigation and prosecution of crime. But there is a potential problem for householders who decided to register with TVP, and I’d be interested to know if the latter have taken this into account.

The problem is this: CCTV cameras involve the processing of data, and where they capture images of identifiable individuals, it is personal data that they are processing. Purely domestic processing of personal data is exempt from all of the obligations under the Data Protection Act 1998, but when the processing is no longer purely for domestic purposes, then legal obligations potentially attach themselves to those doing the processing. The Information Commissioner’s Office (ICO) CCTV Code of Practice (both the current 2008 version and an updated version currently in draft) explains

The use of cameras for limited household purposes is exempt from the DPA. This applies where an individual uses CCTV to protect their home from burglary, even if the camera overlooks the street or other areas near their home

But the corollary of this is that if its use is not purely for the “household purposes” of protecting one’s home from bulgary, then the exemption no longer applies. If householders are determining that the purpose for which they will process personal data is to assist TVP in criminal investigations, then they are data controllers.

This can’t simply be TVP wanting a register of CCTV-operating households to assist them if a crime happens on those specific premises, because that would be pointless: in those circumstances the householder would draw the footage to the police’s attention. No, this must be that TVP want to be able to access footage of relevant incidents outwith the individual household. 

I’ve asked TVP if they have any policy statement or guidelines on this initiative, and will update as and when they reply.

1 Comment

Filed under Data Protection, police, Privacy, surveillance, surveillance commissioner

Tagged as , ,

June 30, 2014 · 4:02 pm

What’s so foolish about FOI?

The television presenter Phillip Schofield took to Twitter recently to draw attention to a Freedom of Information (FOI) request to Avon and Somerset Police. He did so because the request had asked about the cost to the force of Mr Schofield’s attendance at an open day.

Message to Tom Hodder .. No Fee!! My bro works for the police, it was a family day out!

I’ve no problem with his drawing attention to it, nor with his naming the person, but I thought it was rather unpleasant that he chose to use the hashtags #WastingPoliceTime #Fool. As Mr Schofield, and the response on WhatDoTheyKnow.com, say, the cost was nil, but I don’t suppose Mr Hodder was to know that: Mr Schofield was described on his own employer’s site as having been invited to attend, and he promotes himself as someone for hire for “personal appearances”. I didn’t know Mr Schofield’s brother works for the police, and I suspect Mr Hodder didn’t either.

Wasting Police Time is a term used to describe a criminal offence. What Mr Hodder was doing was exercising his statutory right to ask a public authority for information (in this instance about the expenditure of public funds), and I see nothing wrong in what he asked (nor, indeed, in the response by the police. I am sure Mr Schofield wasn’t seriously suggesting the commission of a criminal offence, but his use of the term, and the epithet “fool” seem mean-spirited. And, of course, as he might have expected, many of his fans jumped to his defence and to verbally attack Mr Hodder.

All this seems rather ironic when one considers Mr Schofield’s involvement in 2012 in another “transparency” story. This was when he confronted the prime minister with a list of alleged child sex abusers which he had found online, but which he failed to shield from the studio cameras – a stunt which Jonathan Dimbleby described as “cretinous”. This led to his employer having to pay the late Lord McAlpine (whose name was on the list) £125,000 to settle a defamation claim. Even the apology which followed the incident had a mean-spirited air about it, when Mr Schofield appeared to blame the cameraman.

Mr Schofield has one of the largest followings on Twitter (2.99 million, at the time of writing). People with that sort of following carry some responsibility, and if they criticise named individuals they should do so fairly. I think it would be in order if he apologised to Mr Hodder.

 

 

2 Comments

Filed under Freedom of Information, police, social media

Tagged as ,

June 24, 2014 · 8:59 am

Social media crimes at least 50% of front line policing? I don’t think so

UPDATE: The BBC have now amended the headline, but, as FullFact point out, there are still concerns about the accuracy of the story.

What looks like a silly and hyperbolic BBC headline about crimes on social media is getting a lot of coverage. On social media. Here I question whether it’s accurate. On social media

Trailing the always excellent Joshua Rozenberg programme Law in Action the BBC has run a story with a headline saying

Social media crimes ‘at least half’ of front-line policing

And Law in Action’s own page on the broadcast in question also says

Chief Constable Alex Marshall, head of the College of Policing…estimates that as much as half of a front-line officer’s daily workload is spent dealing with calls related to online disputes

I know the BBC has to publicise itself, and maybe the programme itself will support the assertions made, but the quotes attributed to Mr Marshall don’t do so. He says

[Reports of crime involving social media are] a real problem for people working on the front line of policing, and they deal with this every day…So in a typical day where perhaps they deal with a dozen calls, they might expect that at least half of them, whether around antisocial behaviour or abuse or threats of assault may well relate to social media, Facebook, Twitter or other forms

SO what he’s actually saying is that of the dozen or so calls that a front line officer receives a day, about half “may well” relate to social media. Now, I may be naive, but surely a front line police officer’s workload is about an awful lot more than receiving calls. Even if a call is often the precursor to further actions, Mr Marshall doesn’t suggest that the calls about social media inevitably lead to such further action. In fact, I would be amazed if they did, and, indeed, other remarks attributed to Mr Marshall and an unnamed officer suggest that many of these calls relate to obviously non-criminal matters, and the clear implication is that they will lead to no further action whatsoever.

Crimes involving or committed on social media are a serious societal and policing issue, and I am sure Law in Action itself will consider this in its usual measured and serious way, but for the BBC to suggest that the issue takes up more than half of front line policing resource seems to me to be hyperbolic and irresponsible.

Leave a comment

Filed under BBC, police, social media

June 16, 2014 · 6:47 pm

A public interest test in the Data Protection Act?

Mr Justice Cranston has suggested that there is a public interest factor when considering whether disclosure of personal data would be “fair” processing. I’m not sure that is right.

The first data protection principle (DPP1) in Schedule 1 of the Data Protection Act 1998 (DPA) says that personal data must be processed “fairly” (and lawfully). But what does “fairly” mean?

In an interesting recent case (AB v A Chief Constable [2014] EWHC 1965 (QB)) the High Court determined that, on the very specific facts, it would not be fair, in terms of DPP1, and common law legitimate expectation, for a Chief Constable to send a second, non-standard, reference to the new employer of a senior police officer who was subject to disciplinary investigation. (The judgment merits close reading – this was by no means a statement of general principle about police references). The reason it would not be fair was because the officer in question had tendered his resignation upon the sending of the initial, anodyne, reference, and the force had terminated misconduct proceedings:

He was thus in the position that for the Force to send the second reference would most likely leave him without employment and without the opportunity to refute the gross misconduct allegations. In these special circumstances it would be a breach of the Data Protection Act 1998 and undermine his legitimate expectations for the second reference to be sent [¶94]

Something in particular struck me about the judge’s analysis of DPP1, although, given the outcome, it was not determinative. He rejected a submission from the claimant officer that the duty of fairness in the DPP1 and the European Data Protection Directive was a duty to be fair primarily to the data subject. Rather, correctly identifying that the privacy rights in the Directive and the DPA are grounded in article 8 of the European Convention on Human Rights and in general principles of EU law, he held that

The rights to private and family life in Article 8 are subject to the countervailing public interests set out in Article 8(2). So it is here: assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure [¶75]

I am not sure this is right. Recital 28 of the Directive says

Whereas any processing of personal data must be lawful and fair to the individuals concerned [emphasis added]

and recital 38 suggests that whether processing is “fair” is in large part dependent on whether the data subject is made aware of the processing and the circumstances under which it takes place. These recitals give way to the descriptions in Articles 10 and 11 which both talk about “fair processing in respect of the data subject” (again, emphasis added). Similarly Part II of Schedule One to the DPA provides interpretation to DPP1, and says that in determining whether personal data are processed fairly

regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed

Admittedly this introduces “any person”, which could be someone other than the data subject, but more general considerations of public interest are absent. It is also notable that the Information Commissioner’s position in guidance seems predicated solely on the belief that it is the data subject’s interests that are engaged in an analysis of “fairness”, although the guidance does conceded that processing might cause some detriment to the individual without it being unfair, but I do not think this is the same as taking into account public interest in disclosure.

To the extent that a public interest test does manifest itself in DPP1, it is normally held to be in the conditions in Schedules 2 and 3. DPPP1 says that, in addition to the obligation to process personal data fairly and lawfully, a condition in Schedule 2 (and, for sensitive personal data, Schedule 3) must be met. Many of these conditions contain tests as to whether the processing is “necessary”, and that “necessity test” constitutes a proportionality test, as described by Latham LJ in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends

To import a public interest test into the word “fairly” in DPP1 seems to me to be a potentially radical step, especially when disclosures of personal data under the Freedom of Information Act 2000 (FOIA) are being considered. As I say – I doubt that this is correct, but I would welcome any contrary (or concurring) opinions.

(By the way, I at first thought there was a more fundamental error in the judgment: the judge found that a rule of law was engaged which ordinarily would have required the Chief Constable to send the second reference:

the public law duty of honesty and integrity would ordinarily have demanded that the Chief Constable send the Regulatory Body something more than the anodyne reference about the claimant [¶93]

If a rule of law necessitates disclosure of personal data, then the exemption at section 35 DPA removes the requirement to process that data fairly and lawfully. However, I think the answer lies in the use of the word “ordinarily”: in this instance the doctrine of legitimate expectation (which the claimant could rely upon) meant that the public law duty to send the second reference didn’t apply. So section 35 DPA wasn’t engaged.)

 

 

 

 

 

7 Comments

Filed under Confidentiality, Data Protection, human rights, police

Tagged as , ,

May 29, 2014 · 8:31 am

Data Protection rights of on-the-run prisoners

Does data protection law prevent the disclosure under the FOI Act of the identities of prisoners who have absconded?

The Mail reported recently that the Ministry of Justice (MoJ) had refused to disclose, in response to a request made under the Freedom of Information Act 2000 (FOIA), a list of prisoners who have absconded from open prisons. The MoJ are reported to have claimed that

under Freedom of Information laws, there is a blanket ban on releasing the criminals’ identities because it is their own ‘personal data’

but the Justice Secretary Chris Grayling was reported to be

furious with the decision, which was taken without his knowledge. He is now intending to over-rule his own department and publish a list of all on-the-run criminals within days

and sure enough a few days later the Mail was able to report, in its usual style, the names of the majority of the prisoners after Grayling

intervened to end the ‘nonsense’ of their names being kept secret…[and stated] that data protection laws will not be used to protect them, arguing: “They are wanted men and should be treated as such. That’s why on my watch we will not hold back their names, unless the police ask us not to for operational reasons”

Regarding the initial article, and in fairness to the MoJ, the Mail does not publish either the FOI request, nor the response itself, so it is difficult to know whether the latter was more nuanced than the article suggests (I suspect it was), but is it correct that disclosure of this information was prevented by data protection law?

More information was given in a follow-up piece on the Press Gazette website which cited a spokeswoman from the MoJ’s National Offender Management Service’s Security Group:

She said the department was “not obliged” to provide information that would contravene the Data Protection Act, adding, “for example, if disclosure is unfair”, which also meant that it did not have to consider “whether or not it would be in the public interest” to release the information

This is technically correct: FOIA provides an exemption to disclosure if the information requested constitutes personal data and disclosure would be in contravention of the Data Protection Act 1998 (DPA), there is no “public interest test” under this exemption, and whether disclosure is unfair is a key question. The reference to “fairness” relates to the first data protection principle in Schedule One to the DPA. This provides that

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a)at least one of the conditions in Schedule 2 is met, and

(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

As the Information Commissioner’s Office says (page 13 of this guidance) “fairness can be a difficult concept to define”, and assessing it in a FOIA context will involve whether the information is “sensitive personal data” (it is in this instance – section 2 of the DPA explains in terms that data about prison sentences is included in this category); what the possible consequences of disclosure are on the individual; what the individual’s reasonable expectations are; and the balance of the interests of the public against the rights of the individual (this last example shows that there is, in effect, if not in actuality, there is a kind of public interest test for the FOIA personal data exemption).

With this in mind, would it really have been “unfair” to disclose the identities of on-the-run prisoners? The consequences of disclosure might be recapture (although I concede there might also be exposure to risk of attack by members of the public), but does an absconder really have a reasonable expectation that their identity will not be disclosed? I would argue they have quite the opposite – a reasonable expectation (even if they don’t desire it) that their identity will be disclosed. And the balance of public interest against the absconders’ rights surely tips in favour of the former – society has a compelling interest in recapturing absconders.

But this doesn’t quite take us to the point of permitting disclosure of this information under FOIA. If we look back to the wording of the first data protection principle we note that a condition in both Schedule Two (and, this being sensitive personal data) Schedule Three must be met. And here we note that most of those conditions require that the processing (and FOIA disclosure would be a form of processing) must be “necessary”. The particular conditions which seem to me most to be engaged are the identically worded 5(a) in Schedule Two, and 7(1)(a) in Schedule Three:

The processing is necessary for the administration of justice

What “necessary” means, in the context of a balance between the FOIA access rights and the privacy rights of individual has been given much judicial analysis, notably in the MPs’ expenses case (Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)), where it was said that “necessary”

should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends

In this way “necessary” in the DPA, accords with the test in Article 8 of the European Convention on Human Rights, which provides that any interference with the right to respect for private and family life etc. must be

necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others [emphasis added]

Deciding whether there was a “pressing social need” to disclose, under FOIA, the absconders’ identities to the Mail was not straightforward, and no doubt the civil servants at MoJ erred on the side of caution. I can imagine them thinking that, if it was necessary in a democratic society to publish these names, they already would be published as routine, and the fact that they hadn’t meant that it would not be proportionate to disclose under FOIA (I happen to think that would be wrong, but that’s not strictly relevant). But this is an interesting case in which the subsequent intervention by the Justice Secretary created the justification which perhaps did not exist when the FOIA request was being handled: after all, if the Justice Secretary feels so strongly about publishing the names, then doing so must be necessary in the interests of public safety etc.

As it was, five of the names (out of eighteen) were not disclosed, no doubt for the police operational reasons that were alluded to by Grayling. And this, of course, points to the most likely, and the most strong, exemptions to disclosure of this sort of information – those relating to likely prejudice to law enforcement (section 31 FOIA).

 p.s. I am given to understand that the Information Commissioner’s Office may be contacting the MoJ to discuss this issue.

2 Comments

Filed under Data Protection, Freedom of Information, human rights, police

Tagged as , , ,

May 28, 2014 · 8:37 am

Letting the data protection genie out of the bottle

Ireland police tweet a picture of a distinctive car they pulled over…social media speculates as to the owner…police warn of data protection implications…

 Recital 26 to the 1995 European data protection Directive explains that

the principles of protection must apply to any information concerning an identified or identifiable person [and] to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person

The Directive was transposed into Irish domestic law by amendments to the Data Protection Act 1988 which defines personal data as

data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller

What this means is that, as the Ireland Data Protection Commissioner says

There are different ways in which an individual can be considered ‘identifiable’.  A person’s full name is an obvious likely identifier.  But a person can also be identifiable from other information, including a combination of identification elements

With that in mind it was instructive to note a brief exchange on Twitter this morning involving the An Garda Síochána official account which is set up to provide “information on traffic and major events”. The exchange began with a tweet containing a photograph of a car pulled over for having “overly tinted windows”, and this was followed by a couple of tweets from another twitter user  alluding to the identity of the driver of the car. Finally, the Garda tweeted

Please do not post name, data protection issues, we want to raise awareness, we do not want to cause embarrassment

Some of the tweets have since been deleted, but @anyabike helpfully took a screengrab, which I have edited to remove any identifying information (except the picture of the car, which is still on the Garda timeline):

image

This is interesting (well, to me at least) because the concerns from the Garda about data protection should perhaps more properly have been addressed at themselves, for tweeting the picture in the first place. I have previously written about the practice of emanations of the state using social media to “shame” people, or to pursue campaigns and the fact that this almost inevitably engages data protection and human rights laws. The fact that the Garda published a picture from which an individual could be identified (either from that data or from that data in conjunction with other information in their possession) meant that they were, by definition, processing personal data (uploading a picture to the internet is certainly “processing”). And it is at least arguable that, in doing so, they should have been alive to the possibility of third parties being able to identify the individual, which would go to the heart of whether the initial processing was “fair” (section 2(1)(a) Data Protection Act 1988). Any complaint arising out of identification would perhaps be made not only about the person naming the individual, but also, and more strongly, about the public authority who initiated the identification.

This is not a huge issue, and I’m not saying the Garda were wrong to tweet the picture, merely that it is some kind of irony that, having done so, they then seek to restrain speculation as to the identity of the car owner: on social media, once the data protection genie is out of the bottle, it can be very hard to get him back in.

1 Comment

Filed under Data Protection, human rights, police, social media

Tagged as ,

March 19, 2014 · 2:27 pm

Kent Police get £100,000 penalty for poor data security

I blogged last week about “data breaches”, and the need to define and sometimes to differentiate between a breach of the Data Protection Act 1998 (DPA) and a general data security breach. Well, I’m (not at all) pleased to say that today’s news of the latest monetary penalty notice (MPN) served by the Information Commissioner’s Office (ICO) on Kent Police doesn’t need any such nuanced analysis. Here was a data security breach which was also a manifest breach of the DPA.

A police officer, by chance, discovered in some premises video tapes clearly marked as police material. He subsequently ascertained that the owner had found them, and much more besides, in the basement of a former police station which he had purchased. It is difficut to think of more sensitive information than the kind which was involved here. In part it consisted of

documents and video/audio tapes containing confidential and highly sensitive personal data about a significant number of individuals. These included files relating to threats to kill, rape, grievous bodily harm and child abuse cases; interviews with victims, witnesses/informants and suspects

Although the force had initially

taken some steps to safeguard the information by carrying out inspections of the former police station which identified that items were still in situ

the failure to have any policies in place, or to assign responsibility to anyone, meant that this was a clear and serious contravention of the seventh data protection principle (relating to data security measures) of a kind likely to cause, at least, substantial distress. I would add, although the ICO does not, that it might well have been also a serious contravention of the fifth principle (“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”). Given this, it is somewhat surprising that this case falls (admittedly at the top end) into the lowest category of cases qualifying for an MPN (the ICO’s internal guidance says that these cases will attract an amount of £40,000 to £100,000). Bearing in mind that Brighton and Sussex University Hospitals NHS Foundation Trust got an MPN of £325,000 for failing to dispose of computer hard drives properly, this current MPN seems low.

It also, once again, draws attention to the importance of good records management within police forces. I wrote only recently, in the context of the Ellison Review of policing relating to the Stephen Lawrence inquiry, about how records management is essential for the operation of the rule of law and the current case just gives even greater strength to this.

1 Comment

Filed under Data Protection, enforcement, Information Commissioner, monetary penalty notice, police, records management

Tagged as , ,

March 13, 2014 · 5:43 pm

Data Protection – civil and criminal action in tandem

The Guardian reports that

A police force faces a fine from the information commissioner and compensation claims from thousands of motorists after an officer stole accident victims’ details from a police computer and sold them on to personal injury solicitors

The crime here was shocking: the ex-officer, with a co-conspirator, accessed accident victims’ records on police systems, and then rang them, posing as a car repairs company, urging them to claim compensation. She would then pass the information to solicitors for a referral fee. Because there is currently no custodial sentence available for offences under the Data Protection Act 1998 (DPA), and because she was a public officer, she was prosecuted for the offence of misconduct in a public office, and sentenced to three and a half years’ imprisonment (her co-conspirator received three years).

But what interests me is the Guardian’s suggestion, prompted it seems by comments made in court, that the employing police force (Thames Valley Police), as data controller, is potentially to face civil claims from aggrieved individuals and civil enforcement action from the Information Commissioner’s Office (ICO). For the force to be liable to either of these, it must be shown to have contravened its obligations under the DPA. And, contrary to what many people think, the mere fact that a data controller has lost, or had stolen, personal data, does not mean ineluctably that it has contravened the DPA.

The seventh principle of the DPA provides

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

and an allegation of a failure to do so (and hence of a contravention of the obligation, at section 4(4), to comply with the eight DPA principles) is likely to be the basis of any civil action.

Moreover, for civil enforcement, in the form of a monetary penalty notice (MPN), under section 55A, to be taken by the ICO, the contravention must be a “serious” one, “of a kind likely to cause significant damage or significant distress” and the data controller has to have known there was a risk of such a contravention happening, but to have failed to take reasonable steps to prevent it. This presents a series of boxes for the ICO to tick before enforcement action, and his experience in having an MPN recently overturned by the First-tier Tribunal (Information Rights) (FTT) will have shown how potentially onerous it is to successfully serve one. In that instance, the FTT found that, although Scottish Borders Council had committed a serious contravention of the seventh principle, in allowing its contractor to dispose of pensions records unsecurely, it was not a of a kind likely to cause significant damage or significant distress (the FTT was unimpressed by the ICO’s claim that data subjects were put at risk of identity fraud).

The test for successful civil claims for compensation (under section 13 DPA) to be brought by data subjects against a data controller is not so onerous, however. All that a claimant needs to show is that there has been “any contravention of any requirements of the Act” by a data controller which has caused the claimant to suffer damage (note that it doesn’t have to have been a “serious” contravention, and the damage doesn’t have to have been serious, but it must have been real damage, not merely the likelihood of such). If the claimant can prove she has suffered damage, she may also be able to claim for consequent distress (the law as it stands does not permit compensation for distress alone).

But, if the personal data in question has been compromised, or lost, through no attributable fault of the data controller, then no liability can attach to them. This may often be the case with a “rogue employee”, and is the reason that, often, criminal prosecution of an individual will not run parallel with civil claims or enforcement action against a data controller. I blogged on the contrary position recently, arguing that if someone was not criminally liable for data loss, then would the (civil) liability attach to the data controller? And, of course, it does not mean that the two cannot run in parallel – Tim Turner blogged last week on the civil MPN served on the British Pregnancy Advisory Service, after it was subject to a criminal act not by a rogue employee, but by a hacker. As Tim suggests, being victim of a criminal act does not give you a shield against enforcement action, when you are shown to have allowed the criminal act to happen, through contravening your obligations under the DPA.

In the case of Thames Valley Police, it may well be that there are details which were available to the court but not made public, and I do not intend to speculate on the chances of successful civil claims or enforcement action, but it will be an interesting case to watch develop.

7 Comments

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice, police

March 7, 2014 · 8:29 am

The Ellison Review and records management

Failings in records management hampered the Ellison Review. In the absence of legal enforcement mechanisms, we should recognise the important of records managers

It is a truism that good records management is essential to good information rights practice. Section 46 of the Freedom of Information Act 2000 requires the Lord Chancellor to issue a records management code of practice, and the code itself says

Freedom of information legislation is only as good as the quality of the records and other information to which it provides access. Access rights are of limited value if information cannot be found when requested or, when found, cannot be relied upon as authoritative

Similarly, records management is embedded in the principles of Schedule One to the Data Protection Act 1998, particularly those relating to adequacy, accuracy and retention of personal data.

But Mark Ellison QC’s report following The Stephen Lawrence Independent Review throws even sharper focus on how important records management can be in the service of justice, and the rule of law. Ellison’s Review was not a statutory inquiry, and thus did not have the legal powers to search records, or compel production of information (although its terms of reference did say that it should be given access to all necessary files). However, it appears to have been hampered by what looks like failings in records management. The report notes that

a number of potentially important areas of documentation…have not been provided to us. The explanation for this absence varies between:

a) a suspicion (or sometimes hard evidence) that they have been destroyed;
b) a belief that they must exist but cannot be found; or
c) that there simply is no record available and no way of knowing if one was ever made

Note that none of these explanations gives an indication that information has been deliberately withheld, so the subsequent announcement by the Home Secretary that there will now be a public inquiry (with full legal powers to gather information) into the infiltration methods of undercover police does not necessarily mean that information-gap will be filled.

The revelations of the disgraceful “spying” on the Lawrence family during the initial McPherson inquiry into Stephen’s death are, of course, the most important outcome of the Ellison Review. However, what unnerves me about the Ellison Review’s difficulties in getting information is that they starkly show that a failure to follow good records management practice potentially enables corruption and illegality to be covered-up, and that there is a lack of enforcement and regulatory mechanisms to prevent or punish this. The criminal sanctions regarding wilful destruction or withholding of information under FOIA apply only if the actions occur following the submission of a FOIA request, and, under the DPA, criminal sanctions only apply to unlawful obtaining or disclosure of personal data: destruction or hiding of information is unlikely to be a criminal act, in the absence of other factors.

I think this shows that Records Managers hold an exceptionally important role, one which is vital for organisational governance and compliance, and one which is sadly not recognised by some organisations. Records Managers should sit on information governance boards, should have a hotline to the Chief Information Officer, Head of Legal, Senior Information Risk Officer etc., and should be properly resourced and supported by those senior officers.

Stephen Lawrence would have been forty this year. The Stephen Lawrence Charitable Trust helps transform the lives of the young people it supports.

1 Comment

Filed under Data Protection, Freedom of Information, police, records management

Tagged as , ,

January 23, 2014 · 11:22 am

Staffs Police to drop controversial naming “drink drivers” twitter campaign

ICO confirms hashtag campaign prior to conviction was unlikely to be compliant with the Data Protection Act. Other forces to be advised via ACPO of issues raised by the case

Over the Christmas period Staffordshire Police ran a social media campaign, in which drivers arrested and charged with drink-driving offences were named on twitter with the “hashtag” #drinkdriversnamedontwitter. It seemed to me, and others, that this practice arguably suggested guilt prior to any trial or conviction. As I said at the time

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver

and I asked the Information Commissioner’s Office (ICO)

whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully

The ICO have now issued a statement. Their spokesman says

The ICO spoke to Staffordshire Police following its #DrinkDriversNamedOnTwitter campaign. Our concern was that naming people who have only been charged alongside the label ‘drink driver’ strongly implies a presumption of guilt for the offence, which we felt wouldn’t fit with the Data Protection Act’s fair and lawful processing principle.

We have received reassurances from Staffordshire Police that the hashtag will no longer be used in this way, and are happy with the procedures they have in place. As a result, we will be taking no further action. We’ve also spoken with ACPO about making other police forces aware of the issues raised by this case.

I think this is a very satisfactory result. The ICO have, as I said previously, shown that they are increasingly willing to investigate contraventions of the DPA not limited to security breaches. No one would defend drink driving (and it was not the naming itself that was objectionable, but the tweeting of the names in conjunction with the hashtag) but the police should not be free to indicate or imply guilt prior to conviction – that is quite simply contrary to the rule of law.

What I still think is disappointing though, is that after an initial prompt response from the Attorney General’s twitter account (which missed my point), there has been no word from them as to whether the practice was potentially prejudicial to any forthcoming trial. Maybe they’d like to rethink this, in light of the statement from the ICO?

1 Comment

Filed under Data Protection, human rights, Information Commissioner, police, Uncategorized

Tagged as , , ,