Category Archives: transparency

Political attitudes to ePrivacy – this goes deep

With the rushing through of privacy-intrusive legislation under highly questionable procedures, it almost seems wrong to bang on about political parties and their approach to ePrivacy and marketing, but a) much better people have written on the #DRIP bill, and b) I think the two issues are not entirely unrelated.

Last week I was taking issue with Labour’s social media campaign which invited people to submit their email address to get a number relating to when they were born under the NHS.

Today, prompted by a twitter exchange with the excellent Lib Dem councillor James Baker, in which I observed that politicians and political parties seem to be exploiting people’s interest in discrete policy issues to harvest emails, I looked at the Liberal Democrats’ home page. It really couldn’t have illustrated my point any better. People are invited to “agree” that they’re against female genital mutilation, by submitting their email address.

libdem

There’s no information whatsoever about what will happen to your email address once you submit it. So, just as Labour were, but even more clearly here, the Lib Dems are in breach of the The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998. James says he’ll contact HQ to make them aware. But how on earth are they not already aware? The specific laws have been in place for eleven years, but the principles are much older – be fair and transparent with people’s private information. And it is not fair (in fact it’s pretty damn reprehensible) to use such a bleakly emotive subject as FGM to harvest emails (which is unavoidably the conclusion I arrive at when wondering what the purpose of the page is).

So, in the space of a few months I’ve written about the Conservatives, Labour and the Lib Dems breaching eprivacy laws. If they’re unconcerned about or – to be overly charitable – ignorant of these laws, then is it any wonder that they railroad each other into passing “emergency” laws (which are anything but) with huge implications for our privacy?

UPDATE: 13.07.14

Alistair Sloan draws attention to the Scottish National Party’s website, which is similarly harvesting emails with no adequate notification of the purposes of future use. The practice is rife, and, as Tim Turner says in the comments below, the Information Commissioner’s Office needs to take action.

snp

7 Comments

Filed under consent, Data Protection, PECR, Privacy, transparency

The slings and arrows of FOI

“…investigation by and even adverse comment from the Ombudsman is one of the slings and arrows of local government misfortune with which broad shouldered officials have to cope…” (Feld v London Borough of Barnet [2004] EWCA Civ 1307)

Ombudsmen loom over the actions of many public authorities. Particularly, the NHS and local authorities are subject to the scrutiny of respectively, the Parliamentary and Health Service Ombudsman (PHSO), and the Local Government Ombudsman (LGO). The Ombudsmen themselves must have broad shoulders, subject as they are to the oversight of both parliament, and, because they are public authorities subject to the Freedom of Information Act 2000 (FOIA), the Information Commissioner’s Office (ICO).

The PHSO was recently asked, under FOIA, for the email address and telephone number of the Ombudsman herself, Dame Julie Mellor. The request was refused, on the basis of the exemption at section 40(2) of FOIA – namely that the requested information was Dame Julie’s personal data, and disclosure would breach the first data protection principle in the Data Protection Act 1998. This refusal has now been upheld by the ICO, in a decision notice which explains that

the data requested relates to a living individual who may be identified from that data and that [therefore] it constitutes personal data

That much is uncontroversial: a person’s email address and telephone number will generally be held to be their personal data, even in a professional context, providing that they can be identified from that data. However, the ICO goes on to say

the Commissioner considers that the Ombudsman would have a reasonable expectation that her email address and direct telephone number would not be placed into the public domain by disclosure under the FOIA…

…The Commissioner is aware that the requested email address and telephone number are personal to the Ombudsman but are professional contact details. He considers that their disclosure is unlikely to cause the Ombudsman distress on a personal level. However the Commissioner is satisfied that disclosure would disrupt the running of the organisation and it is apparent that the consequences would have a negative impact upon the PHSO

This seems to conflate two quite separate issues – personal privacy, and organisational impact. As far as I can understand it the argument is that, because this is personal data, and because disclosure would disrupt the running of the organisation, disclosure would not be “fair”, in line with the requirements of the first data protection principle. But, as the ICO’s own guidance on disclosure of personal data under FOIA explains (paragraph 44), the consequences to be taken into account are those to the data subject, not to their organisation, or a third party.

If disclosure of information would disrupt the running of a public authority, there are other, more appropriate FOIA exemptions which might apply. Specifically, section 36(2)(c), for situations where disclosure would prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs.

But even then I struggle to see how disclosure of such innocuous information would really cause sufficient prejudice to warrant keeping this information secret – shouldn’t the Ombudsman be able to implement systems to deal with a possible increase in emails and calls if the email address and phone number were made public? Isn’t this sort of potential irritation one of the slings and arrows of administrative misfortune with which broad shouldered officials have to cope?

(As a footnote to this piece, neither the section 40(2), nor the section 36(2)(c) are going to carry much weight when the information is readily available online already. I will not link to it, because I’m a cautious soul, but Dame Julie’s email address, at least, has been published on the internet as part of a document created by her, and hosted by a reputable academic institution.)

 

 

 

17 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, ombudsman, transparency

Implications of the Home Office data breach

What sanctions might result from the recent Home Office data breach, and how does it relate to the transparency agenda?

News emerged yesterday, through the rather unusual route of a statement to Parliament by Mark Harper, Minister for Immigration, that a spreadsheet containing the personal information of almost 1600 people had been inadvertently published by the Home Office on a government website. The minister’s statement says

between 15 and 28 October 2013 some personal data was available on the Home Office website as part of a spreadsheet alongside the regular data set in error. This was identified by Home Office officials on 28 October 2013 and the personal information was  removed immediately. The personal data related to the names of 1,598 main applicants in the family returns process, their date of birth and limited details about their immigration case type and status

On these conceded facts this would appear to be a clear breach of the Data Protection Act 1998 (DPA), and, specifically, the principles of Schedule 1 to the Act which require that processing be fair and lawful, and that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. But what are the implications of this?

By virtue of section 4(4) of the DPA a data controller – in this instance the Home Office – must comply with those principles. A serious contravention of them, of a kind which is likely to cause substantial damage or substantial distress, can (by section 55A) invoke the powers of the Information Commissioner’s Office (IC) to serve a monetary penalty notice, to a maximum of £500,000. Whether the IC would exercise his discretion to do so would depend on various factors. Firstly, he would need to satisfy himself whether the personal data involved was “sensitive”. Sensitive personal data is afforded greater protection by the DPA, and breaches involving it are accordingly more serious. We are told that the information involved here consisted of people’s names, dates of birth, and their immigration status. Information about a person’s racial or ethnic origin is sensitive personal data – could one derive or infer that from the mistakenly disclosed information? This will be an important question to answer. But, additionally and more simply, it seems that these were “illegal immigrants” – the data was related to immigration family returns, and this would certainly seem to imply either the commission or alleged commission of an offence by those whose data was exposed, and this would also move the data into the category of “sensitive”.

Whether the apparent contravention was likely to cause substantial damage or substantial distress is less clear. The minister points out that there appear to have been fewer than thirty page views, but that we don’t know whether any of those people accessed or downloaded the data. But this perhaps overlooks the part of the statutory scheme which talks about whether the contravention was “of a kind likely” to cause the damage or distress. If for instance, this incident, which we are told is being investigated by the IC, is a symptom of inappropriate or insufficient data security measures, then that factor, rather than this discrete incident, could potentially give rise to sanctions. Also relevant might be what efforts the Home Office has taken to ensure that cached versions of the data have been removed from the internet – it is remarkably easy for information quickly to be captured and mirrored elsewhere, by automated web services.

The IC’s powers are not limited, however, to issuing monetary penalties. He can also issue enforcement notices requiring data controllers to take specified actions, and a breach of an enforcement notice can be a criminal offence. Less seriously, he can simply make a determination as to whether there is likely to have been a breach of the DPA. And he can take informal action, requiring a responsible person at the ministry to sign an undertaking to improve compliance.

The transparency agenda

What I also find noteworthy is that the minister prefaces his statement with remarks about the government’s commitment

to openness and transparency to enable the public to hold the government and other public bodies to account. This government has made more data available than ever before…

These are laudable aims and actions, but, I have written before that the transparency agenda carries with it risks that, in the rush to publish more and more data, there will be privacy and data protection breaches. And if the government and the IC, as regulator, do not do more to alert people to these risks they must be aware that they risk being seen as complicit in such breaches. As I said in my piece for The Guardian

The IC must work with the government to offer advice direct to chief executives and those responsible for risk…So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.

1 Comment

Filed under Data Protection, enforcement, Home Office, Information Commissioner, monetary penalty notice, parliament, transparency

Reducing regulation…by clogging up the courts

The only thing that made me stop laughing about the Cabinet Office’s arguments in a doomed Tribunal appeal was thinking about the cost to the public purse.

Soon after it was formed the coalition government made an admirable commitment to cut government red tape, by reducing the amount of domestic regulation

Through eliminating the avoidable burdens of regulation and bureaucracy, the Government aims to promote growth, innovation and social action

A Cabinet sub-committee – the Reducing Regulation Committee (RRC) – was set up, to “take strategic oversight of the delivery of the Government’s regulatory framework”.

Around the same time the government was also trumpeting its transparency agenda, with the Prime Minister saying, in an Observer article in September 2010

For too long those in power made decisions behind closed doors, released information behind a veil of jargon and denied people the power to hold them to account. This coalition is driving a wrecking ball through that culture – and it’s called transparency

One might not have supposed, therefore, that it would have been necessary in August 2012 for a request under the Freedom of Information Act 2000 (FOIA) to be made, for (merely) the number of times the RRC had met. Surely this is the sort of information which should be made public as a matter of course? But it was necessary. Moreover, this particular door stayed shut, despite the gentle tapping of transparency’s wrecking ball, when the Cabinet Office refused the request, citing the FOIA exemption which applies to information held by a government department which relates to a) the formulation or development of government policy, or (b) Ministerial communications (section 35(1)(a) and (b)).

The Cabinet Office continued to argue that this exemption was engaged, and that the public interest favoured non-disclosure, when the requester complained to the Information Commissioner’s Office (ICO). And when the ICO held that, yes, the exemption was engaged, but, no, the public interest favoured disclosure , the Cabinet Office appealed the decision.

The First-tier Tribunal (Information Rights) (FTT) has now handed down its judgment, and it makes amusing if dispiriting reading. Wholly unsurprisingly, the ICO’s decision is upheld, and it seems that the Cabinet Office’s argument boils down to two main points: “if we tell you how often the RRC has met then it might mislead you into missing all the great work being done elsewhere, and as a result that great work elsewhere might be adversely affected” (my apologies to the Cabinet Office if this misrepresents their position, but I’ve really tried my best).

The FTT had very little time for these arguments. The only thing vaguely in the Cabinet Office’s favour was that, as a lot of information about “reducing regulation” processes was already publicly available, the public interest in disclosure was small. But, rather devastatingly, the FTT says

the public interest in maintaining the exemption is so weak that it does not equal, let alone outweigh, the, admittedly light, public interest in disclosure (para 27) [emphasis added]

It is worth reading the judgment (which I won’t dissect in detail), as an example of a particularly weak argument against FOIA disclosure, but I would add three closing observations from which you might deduce my level of approval of the Cabinet Office’s conduct:

1. this was a request simply and merely for the number of times a government committee has met (how “transparent” is a refusal to disclose that?)
2. taking a case to FTT is not without significant costs implications (bear in mind this was an oral hearing, with a witness, and with counsel instructed on both sides)
3. the whole litigation in any case carries a huge hint as to the nature/substance of the information held (if the RRC had met often, would the Cabinet Office really want to withhold that fact?)

Leave a comment

Filed under Cabinet Office, Freedom of Information, Information Commissioner, Information Tribunal, transparency

Let’s Blame Data Protection – the Gove files

Thanks to Tim Turner, for letting me blog about the FOI request he made which gives rise to this piece

On the 12th September the Education Secretary, Michael Gove, in an op-ed piece in the Telegraph, sub-headed “No longer will the quality, policies and location of care homes be kept a secret” said

A year ago, when the first shocking cases of sexual exploitation in Rochdale were prosecuted, we set up expert groups to help us understand what we might do better…Was cost a factor? Did we need to spend more? There was a lack of clarity about costs. And – most worrying of all – there was a lack of the most basic information about where these homes existed, who was responsible for them, and how good they were….To my astonishment, when I tried to find out more, I was met with a wall of silence

And he was in doubt about where the blame lay (no guesses…)

The only responsible body with the information we needed was Ofsted, which registers children’s homes – yet Ofsted was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police. Local authorities could only access information via a complex and time-consuming application process – and some simply did not bother…[so] we changed the absurd rules that prevented information being shared

This seemed a bit odd. Why on earth would “data protection” rules prevent disclosure of location, ownership and standards of children’s homes? I could understand that there were potentially child protection concerns in the too-broad-sharing of information about locations (and I don’t find that “bewildering”) but data protection rules, as laid out in the Data Protection Act 1998 (DPA), only apply to information relating to identifiable individuals. This seemd odd, and Tim Turner took it upon himself to delve deeper. He made a freedom of information request to the Department for Education, asking

1) Which ‘absurd’ rules was Mr. Gove referring to in the first
statement?

2) What changes were made that Mr. Gove referred to in the second
statement?

3) Mr Gove referred to ‘Data Protection’ rules. As part of the
process that he is describing, has any problem been identified with
the Data Protection Act?

Fair play to the DfE – they responded within the statutory timescales, explaining

Regulation 7(5) of the Care Standards Act 2000 (Registration) (England) Regulations 2010 …prohibited Ofsted from disclosing parts of its register of children’s homes to any body other than to a local authority where a home is located. Whatever the original intention behind this limitation, it represented a barrier preventing Ofsted from providing information about homes’ locations to local police forces, which have explicit responsibilities for safeguarding all children in their area…we introduced an amendment to Regulation 7 with effect from April 2013

But their response also revealed what had been very obvious all along: this had nothing to do with data protection rules:

the reference to “data protection” rules in Mr Gove’s article involved the Regulations discussed above, made under section 36 of the Care Standards Act 2000. His comments were not intended as a reference to the Data Protection Act 1998

This is disingenuous: “data protection” has a very clear and statutory context, and to extend it to more broadly mean “information sharing” is misleading and pointless. One could perhaps understand it if Gove had said this in an oral interview, but his piece will have been checked carefully before publication, and personally I am in no doubt that blaming data protection has a political dimension. The government is determined, for some right reasons, and some wrong ones, to make the sharing of public sector data more easy, and data protection does, sometimes – and rightly – present an obstacle to this, when the data in question is personal data and the sharing is potentially unfair or unlawful. Anything which associates “data protection” with a risk to child safety, serves to represent it as bureaucratic and dangerous, and serves the government agenda.

And the rather delicious irony of all this – as pointed out on twitter by Rich Greenhill – is that the “absurd rules” (the Care Standards Act 2000 (Registration) (England) Regulations 2010) criticised by Gove were made on 24 August 2010. And the Secretary of State who made these absurd rules was, of course, the Right Honourable Michael Gove MP.

How absurd.

Leave a comment

Filed under Data Protection, data sharing, Freedom of Information, Let's Blame Data Protection, transparency

It’s our Right to Know, Mr ICO

On 29 August the Information Commisioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I though I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrats, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the high Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of indavertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has indavertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of indavertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such indavertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes

1 Comment

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency

Must Try Harder

So, I managed to get a piece run on the Guardian Public Leaders network on the continuing incidents of or risks of exposure of sensitive personal data in pivot tables. I tried to argue that those in the know probably know about these risks, and that those not in the know don’t. I suggested the Information Commissioner’s Office (ICO) and the government could do more to alert the latter.

Although I got nice and positive feedback from friends/colleagues/fellow professionals, there appears to have been very little interest. Clearly it’s not a subject that interests lay people (or rather, it’s probably a subject which actually repels lay people). But that was rather my point: as long as the relevant regulators and policy-makers don’t take sufficient steps to issue warnings and guidance these and similar breaches of data security will continue to happen.

What I’m slightly surprised at is the lack of any response from the ICO. I noticed that Tim Turner asked the ICO twitter account if they had a response to the piece, but, unless it was off-line, he appeared to get no response. And I asked their press office, again, with no reply (maybe the press office was the wrong place to ask?).

In the article I also called on government departments to do more. That’ll be my next move. The problem of inadvertent internet disclosure of sensitive data, normally through ignorance of technology, continues, and it goes broader than pivot tables. As public authorities, in particular, are being required to open up more and more data to promote transparency and economic growth, this is going to become more and more serious. We can’t pretend the gulf between those ambitions and the technological knowledge of some of those doing the “opening up” is a minor problem. Authorities need guidance, and, where appropriate, warnings, and these need to be targetted at the right people within organisations. The ICO and government cannot always rely on, say, data protection officers to do this.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, transparency

Contributing to society?

Why are proponents of care:data resorting to rudeness about those who are not as convinced as they are?

When I attended the launch of MedConfidential in April of this year I was largely ignorant of the proposals to amass patient data by the Health and Social Care Information Centre (HSCIC) under the banner of care:data. I was concerned by what I heard, and I remain so: details were unclear and in many cases remain so, regarding what data will be gathered, and how, and for what purposes, and what arrangements will be to allow third party access to it, and whether or to what extent it will be anonymised, and whether patients’ consent will be sought, or assumed, or ignored.

What I did see, and was greatly impressed by, was a large group of people, from various backgrounds and roles, coming together, mostly on a purely voluntary basis (for instance, I took a day’s leave to attend), to discuss the implications of this.

The centralising and use of patient confidential data raises questions of profound importance, which don’t have easy answers: such as to what extent should people waive an expectation of privacy in order – for instance – to further medical research? These are issues which led two of my favourite bloggers to come to (digital) blows recently.

Yet earlier today I read an otherwise sensible piece on the subject (I am not saying I agree with it) by the high-profile columnist Polly Toynbee, which talked about her receiving letters from people who ask her to

investigate the dark forces planting cameras and microphones in their walls: they think I’m part of the conspiracy when I suggest this is a usually curable delusion, and their doctor is probably not part of the plot

I fail to see the relevance of this reference to people with a diagnosis of apparent paranoid schizophrenia, unless it is to draw an analogy by insinuation with

those not clinically ill [among whom] there is a growing trend to fear Big Brother and the state

This is nasty stuff, and leads one to wonder why she feels the need to resort to such a rhetorical device.

Someone who liked Toynbee’s post was Tim Kelsey, NHS National Director for Patients and Information, and former government “czar” for Transparency and Open Data. He described it as “seminal” on twitter. I’m sure Tim finds the constant questioning of the care:data plans irritating: his tweets are often replied to by people who are not as convinced as he is that it is unequivocally a Good Thing. An example of this irritation was his response to an observation by Calderdale councillor James Baker. James tweeted, in response to Tim’s “seminal” tweet

I don’t think using people’s data for research purposes without informed consent is ‘good for science’

This is unexceptional, and a fair comment. Tim’s reply* was certainly not

you can object and your data will not be extracted and you can make no contribution to society

I think that to suggest that someone who might object (in the context of a worrying lack of, er, transparency, about the details of care:data) to the extraction of their highly sensitive medical data is making “no contribution to society” is extraordinarily unfair, and, as James pointed out in reply

It’s an offensive thing to say to an elected representative who contributes a lot to society…It’s also using trying to use guilt and shame to persuade someone to partake in medical research. Unethical

I couldn’t agree more.

UPDATE:

*It appears the tweet has now been deleted. Tim did reply to James saying

offence not intended – I meant contribution to health improvement thru sharing non PID

but there’s been no explanation or apology for that original tweet

20130823-174459.jpg

3 Comments

Filed under Data Protection, NHS, Privacy, transparency

Pivot tables and databreaches

About a year ago I first became aware of reports of disturbing inadvertent disclosures of personal data (often highly sensitive) by public authorities who had intended only to disclose anonymous and/or aggregate data. These incidents were occurring both in the context of disclosures under the Freedom of Information Act 2000 (FOIA) and in the context of proactive disclosure of datasets. Mostly they were when what had been disclosed was not just raw data, but the spreadsheet in which the data was presented. Spreadsheet software is often very powerful, and not all users necessarily understand its capabilities (I don’t think I do). By use of pivot tables data can be sorted, summarised etc, but also, from the uninitiated or unwary, hidden. If the person who created or maintained a spreadsheet containing a pivot table is not involved in the act of publicly disclosing it it is possible that an apparently innocuous disclosure will contain hidden personal data.

Clearly such errors are likely to constitute breaches – sometimes very serious breaches – of the Data Protection Act 1998 (DPA) Those of us who were aware of a number of these inadvertent breaches were also aware that, if public authorities were not alerted to the risk a) the practice would continue and b) potentially large numbers of “disclosive” datasets would remain out in the open (in disclosure logs, on WhatDoTheyKnow, in open data sets etc). But we were also aware that, if the situation was not managed well and quietly, with authorities given the opportunity to correct/withdraw errors, inquisitive or even malicious sorts might go trawling open datasets for disclosures which could potentially be very damaging and distressing to data subjects.

It was with some relief, therefore that, following an earlier announcement by WhatDoTheyKnow, the Information Commissioner’s Office (ICO) finally gave a warning, and good guidance, on 28 June (although this relief was tempered by finding out, via Tim Turner, that the ICO had known about, and apparently done nothing about, the problem for three years). At the same time the ICO announced that it was “actively considering a number of enforcement cases on this issue”.

It appears that, according to an announcement on its own website, that Islington Council is the first recipient of this enforcement. The Council says it has

accepted a £70,000 fine from the Information Commissioner’s Office (ICO) after a mistake led to personal data being released

after it

responded to a Freedom of Information (FOI) request asking for information including the ethnicity and gender of people the council had rehoused. The response, in the form of Excel spreadsheet tables, included personal information concealed behind the summary tables

Fair play to Islington for acknowledging this and agreeing immediately to pay the monetary penalty notice. And if some of the other reported breaches I heard about were as bad as they sounded £70,000 will be at the lower end of the scale.

(thanks to @owenboswarva on twitter for flagging this up)

UPDATE:

The ICO has now posted details of the MPN, and this clarifies that the disclosure was made on WhatDoTheyKnow and was only identifed when one of their site administrators noticed it.

Leave a comment

Filed under Breach Notification, Data Protection, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

The loophole to avoid enforcement?

Cabinet Office, FOI, Financial Times, Christopher Graham, blah blah blah

To recap. The Financial Times recently ran a resounding editorial on FOI, the ICO and the Cabinet Office, lauding the first, criticising the second’s lack of enforcement against the first, and lambasting the third. The Information Commissioner himself, Christopher Graham, replied in rather hurt tones, defending his office. Both Paul Gibbons (FOIMan) and Tim Turner have blogged on this. Here are my oar-sticking-in-coattail-hanging observations.

A key measure used by the Information Commissioner’s Office (ICO) to assess public authorities’ compliance with the Freedom of Information Act 2000 (FOIA) is the percentage of requests which are responded to within the statutory twenty day timescales. The guidance on this says

The ICO is may contact authorities [sic] if…(for those authorities which publish data on timeliness) – it appears that less than 85% of requests are receiving a response within the appropriate timescales.

Let’s ignore the obvious and worrying point that this is an encouragement not to publish such data. Fortunately for our purposes, government departments do commit to doing so, and quarterly reports covering the whole of central government are published. I can’t actually find them all on one page, so here are the reports for the last four quarters

April-June 2012
July-September 2012
October-December 2012
January-March 2013 

If you scroll through those datasets you’ll see that, over the last four quarters, the Cabinet Office has managed to respond to FOI requests within the statutory time limit or with a permitted extension in 92, 93, 95 and 86% of cases. Pretty good eh? This keeps them out of reach of the ICO radar. And, in fact, just prior to this, the Cabinet Office had been monitored by the ICO, and been required to sign an undertaking to improve, after appalling previous statistics had showed compliance in only 42 and 55% of cases in two quarters. After this monitoring period (the MoD were also monitored) the ICO announced

Both authorities have now improved their response times with over 85% of information requests being answered within the time limit of 20 working days and are working hard to deal with outstanding requests where responses have been unduly delayed. The ICO will continue to offer support and advice to help both Departments to ensure that outstanding requests are cleared as soon as possible.

However, what does “with a permitted extension” mean? It means, that in complex cases where a public authority needs more time to consider whether the public interest favours disclosure, it can disapply the twenty-working-day deadline and extend its time for compliance indefinitely, subject to reasonableness (although the ICO says it should be no more than an extra 20 days, he cannot enforce that). So let’s go back to those figures and see how the Cabinet Office would do if there wasn’t this potential loophole. If one simply asks “what percentage of requests were responded to within 20 working days?”, the figures are in fact 77, 77, 79 and 74%. Of course, without access to individual cases it is impossible to say whether these multiple extensions to consider public interest were made legitimately or not. However, the Cabinet Office appears to claim the extension much more than most other departments (the Foreign and Commonwealth Office has similar figures, however).

I am sure the Cabinet Office will claim that the reason it does this is because it has to deal with more complex cases. Maybe that’s the case, but it would be nice if someone could look into it. And, of course, the ICO could. The guidance on how authorities are selected for monitoring doesn’t stop at the 85%-compliance measure. It also says they may contact authorities if 

our analysis of complaints received by the ICO suggests that we have received three or more complaints citing delays within a specific authority within a six month period [or if there is] Evidence of a possible problem in the media or other external sources.

To which I say, ICO, the evidence is clear (look at Tim’s analysis, look at Paul’s, even look again at Chris Cook’s). Compliance stats are not the only measure (and even then they may hide the true picture). The triggers for enforcement are there, but is there a will?

And finally.

3 Comments

Filed under Cabinet Office, Freedom of Information, Information Commissioner, transparency