Category Archives: police

August 25, 2012 · 11:20 am

What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework) it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper The Register gave some examples of shoulder-surfing, in addition to Bob Quick’s infamous incident

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.

 

 

 

*It’s difficult accurately to categorise them. For instance, a fax is both electronic and physical, and a lost hard-drive is loss of physical data, but seriousness is tied to the electronic contents of said drive.

Leave a comment

Filed under Confidentiality, Data Protection, Information Commissioner, monetary penalty notice, police, Uncategorized

May 6, 2012 · 9:44 am

Data Protection Obscenities

A tragic story about the suicide of a young man, and the apparent ridiculous citing of the Data Protection Act to explain why his mother was not warned.

A few years ago, Richard Thomas, the then Information Commissioner (ICO) launched a campaign to counter what were called “Data Protection Duck Outs”. It got some media attention, but I’ve always thought it suffered from sounding like the kind of phrase a “hip” teacher, or my parents, would have come up with. The ICO said

The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.

The bad-practice examples cited to illustrate the campaign were mostly light-hearted

In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.

or

In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.

Well, if the following story from thisiscornwall.co.uk is true, I have a current-day example, and I wouldn’t call it a “duck out” but an obscenity.

A man with a history of drug abuse killed himself in Camborne after being released from police custody, where he was detained under the Mental Health Act, a coroner has heard….Because of the Data Protection Act [his mother] did not know that her son had been detained and said she was powerless to help him.

The “duck out” campaign was launched because of misconceptions about the Data Protection Act 1998 (DPA). The DPA certainly has faults, but you can bet your house that when you hear someone blaming the DPA for not doing something, it is either because they have made a mistake, and are trying to cover themselves, or because they are ignorant of what the Act does and does not permit. The Cornwall story is unclear as to who allegedly cited the DPA for not informing this poor man’s mother, but, just to be clear, Schedule 3 of the Act specifically permits disclosure of sensitive personal data where

The processing is necessary…in order to protect the vital interests of the data subject or another person, in a case where…consent cannot be given by or on behalf of the data subject, or…the data controller cannot reasonably be expected to obtain the consent of the data subject.

This is before we get to considering other factors – for instance whether an appropriate adult was a requirement in this instance, and the fact that under section 56 of the Police and Criminal Evidence Act a person detained has the right to have someone informed. In which case there would have certainly have been other conditions permitting disclosure (thanks to @MentalHealthCop on twitter, for pointing this out, and for alerting me to the story in the first place).

In 2004 the Bichard Inquiry report into the Soham Murders was highly critical about the misunderstandings and misinterpretations of the DPA which led to Humberside Police deleting information about Ian Huntley, and which subsequently meant that when Cambridgeshire Police ran checks on him, when he applied for a school-caretaker position, nothing came up.

The term “duck-out” doesn’t begin to describe the enormity of the mistaken decision to delete Huntley’s data, nor, if this Cornwall story is accurate, does it begin to describe the enormity of the decision – whoever might have taken it (and the story is unclear) – not to tell Daniel Carrick’s mother her son was detained. The current ICO is very keen to clamp down on serious breaches of the DPA, but these are almost exclusively concerned with the loss of, or inadvertent disclosure of, personal data. Perhaps he should also be alive to stories like this, which suggest potential tragic misconceptions and misuse of the DPA, and which really should carry the term Data Protection Fuck-Ups.

 

1 Comment

Filed under Data Protection, Information Commissioner, police

February 17, 2012 · 4:30 pm

Police complaints, a databreach and a High Court injunction

I notice an interesting application in the High Court.

 The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant -“person(s) unknown” – who Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which they came to be in the possession of those person(s) unknown.

 The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

 Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

 The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

 One wonders if the Information Commissioner has been informed. Inadvertent disclosure of personal data of a third party, of a kind which requires a high court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

 As several local authorities know to their cost.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, police, Privacy

January 5, 2012 · 8:57 am

Shaft? You’re damn right

There was a heartening story in the Leicester Mercury a few days ago. Journalist  David MacLean praised Lynn Wyeth, Leicester City Council’s Head of Information Governance for her promotion of transparency (and her assistance in giving him “countless stories over the past two years”). The article illustrates how, when it comes to the Freedom of Information Act 2000 (FOIA), a relationship of mutual respect and openness between a public authority and the media can help both sides.

Contrast this with an item on Newbury Today’s site this morning. This is a follow-up to a recent series of FOIA requests made to police forces around the country. It appears that the Press Association asked for information relating to thefts of police property. I don’t know exactly what the request said (I don’t have a Press Association log-in, and the main release is unclear) and it has been variously reported as being specifically about thefts from police stations or simply thefts in general from the police (I rather suspect it was the latter, but if anyone can clarify this, I’d be most appreciative).

The Daily Mail highlighted that Thames Valley Police (TVP), with 90 incidents, “tops the list of crime-hit forces”. No public authority likes to be “top” of any of these type of lists, and the Newbury Today article shows TVP hitting back

…force spokesman Craig Evry…explained that the majority of the thefts took place from “trap cars” and added: “Thames Valley Police is one of several forces to use ‘trap houses’ and ‘trap vehicles.’ These are used in areas which police believe are being targeted by burglars or thieves.“When criminals break in, they could be recorded by cameras or any property taken may be remote tagged or marked with ultraviolet inks allowing police to quickly track it down. It’s a useful criminal reduction and evidence tool and criminals should realise that the home or vehicle they’re breaking into might be covered by hidden cameras. Hopefully using this technology might make them think twice about committing a crime.”

One initially wonders, why didn’t they say that in the first place? Well, they say they did:

The FoI response included the caveat: “Please note that of the above thefts recorded, all but six involved ‘trap vehicles’ deployed specifically to be targeted by offenders.”
Mr Evry said: “They simply misinterpreted the data.”

Most, if not all, FOI officers have been here. A request is received for “All the information on X”. Now, you hold this information, but, taken in isolation, it might be misinterpreted, so you add an explanation, or a disclaimer. However, for whatever reason, the disclaimer is lost in the bustle of preparing a story for print, and suddenly your nuanced explanation of the information is lost, and you are being lambasted in the press.

In fairness to the Press Association, it seems that the background details to their original story might have included TVP’s disclaimer. For instance, the Oxford Mail, writing three days before the Daily Mail, referred to it in their article. So maybe the fault is only with those media organisations who misinterpreted, or chose to misrepresent, the Press Association material. Nonetheless (and I can speak from bitter experience here) journalists may want to ask themselves whether the helpfulness of FOI officers might be inversely related to the likelihood of their getting shafted as a result of that helpfulness.

 

 

 

 

2 Comments

Filed under Freedom of Information, police

Tagged as