Category Archives: Uncategorized

Making even more criminals

Norfolk Police want your dashcam footage. Do you feel lucky, punk?

I wrote recently about the change to the Information Commissioner’s Office (ICO) registration process, which enables domestic users of CCTV to notify the ICO of that fact, and pay the requisite fee of £35. I noted that this meant that

it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

I didn’t take issue with the correctness of the legal position, but I went on to say that

The logical conclusion…here is that anyone who takes video footage anywhere outside their home must register

I even asked the ICO, via Twitter, whether users of dashcams should also register, to which I got the reply

If using dashcam to process personal data for purposes not covered by domestic exemption then would need to comply with [the Data Protection Act 1998]

This subject was moved from the theoretical to the real today, with news that Norfolk Constabulary are encouraging drivers using dashcams to send them footage of “driving offences witnessed by members of the public”.

Following the analyses of the courts, and the ICO, as laid out here and in my previous post, such usage cannot avail itself of the exemption from notification for processing of personal data “only” for domestic purposes, so one must conclude that drivers targeted by Norfolk Constabulary should notify, and pay a £35 fee.

At this rate, the whole of the nation would eventually notify. Fortunately (or not) the General Data Protection Regulation becomes directly applicable from May next year. It will remove the requirement to give notification of processing. Those wishing, then, to avoid the opprobrium of being a common criminal have ten months to send their fee to the ICO. Others might question how likely it is that the full force of the law will discover their criminality, and prosecute, in that short time period.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, police, Uncategorized

Making criminals of us all

The Information Commissioner thinks that countless households operating CCTV systems need to register this, and pay a £35 fee for doing so. If they don’t, they might be committing a crime. The Commissioner is probably mostly correct, but it’s a bit more complex than that, for reasons I’ll explain in this post.

Back in 2014, to the surprise of no one who had thought about the issues, the Court of Justice of the European Union (CJEU) held that use of domestic CCTV to capture footage of identifiable individuals in public areas could not attract the exemption at Article 3(2) of the European data protection directive for processing of personal data

by a natural person in the course of a purely personal or household activity

Any use of CCTV, said the CJEU, for the protection of a house or its occupiers but which also captures people in a public space is thus subject to the remaining provisions of the directive:

the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision

As some commentators pointed out at the time, the effect of this ruling was potentially to place not just users of domestic CCTV systems under the ambit of data protection law, but also, say, car drivers using dashcams, cyclists using helmetcams, and many other people using image recording devices in public for anything but their own domestic purposes.

Under the directive, and the UK Data Protection Act 1998, any data controller processing personal data without an exemption (such as the one for purely personal or household activity) must register the fact with the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO). Failure to register in circumstances under which a data controller should register is a criminal offence punishable by a fine. There is a two-tier fee for making an entry in the ICO’s register, set at £35 for most data controllers, and £500 for larger ones.

For some time the ICO has advised corporate data controllers that if they use CCTV on their premises they will need to register:


But I recently noticed that the registration page itself had changed, and that there is now a separate button to register “household CCTV”


If one clicks that button one is taken to a page which informs that, indeed, a £35 fee is payable, and that the information provided will be published online 


There is a link to the ICO’s overarching privacy notice [ed. you’re going to have to tighten that up for GDPR, guys] but the only part of that notice which talks about the registration process relates only to “businesses”


Continuing the household CCTV registration process, one then gets to the main screen, which requires that the responsible person in the household identify themselves as data controller, and give either their household or email address for publication


What this all means is that it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

(In passing, there is a problem here: the pages and the process miss the point that for the registration to be required, the footage needs to be capturing images of identifiable individuals, otherwise no personal data is being processed, and data protection law is simply not engaged. What if someone has installed a “nest cam” in a nearby wooded area? Is ICO saying they are committing a criminal offence if they fail to register this? Also, what if the footage does capture identifiable individuals outside the boundaries of a household, but the footage is only taken for household, rather than crime reduction purposes? The logical conclusion of the ICO pages here is that anyone who takes video footage anywhere outside their home must register, which contradicts their guidance elsewhere.)

What I find particularly surprising about all this is that, although fundamentally it is correct as a matter of law (following the Ryneš decision by the CJEU), I have seen no publicity from the ICO about this pretty enormous policy change. Imagine how many households potentially *should* register, and how many won’t? And, therefore, how many the ICO is implying are committing a criminal offence?

And one thing that is really puzzling me is why this change, now? The CJEU ruling was thirty months ago, and in another eleven months, European data protection law will change, removing – in the UK also – the requirement to register in these circumstances. If it was so important for the ICO to effect these changes before then, why keep it quiet?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Data Protection, Directive 95/46/EC, GDPR, Information Commissioner, Uncategorized

The first time Parliament heard the term “Freedom of Information”

…if there is one matter on which I feel more strongly than another it is that in a democratic community the foundation of good government lies in freedom of information, freedom of thought, and freedom of speech: You can not have a country, which is governed by its people, wisely and well governed, unless those people are permitted access to accurate information, and are permitted the free exchange of their views and their opinions: That is essential to good government: It is quite true that if you grant that freedom there will be abuses: It is quite true that foolish people advocate foolish views: That is one of the many unfortunate corollaries

Although the past is a foreign country, some of its citizens can seem familiar: the quotation above is from Liberal politician Sir Richard Durning Holt, and was made in a parliamentary debate seven months short of a hundred years ago. It contains the first recorded parliamentary use of the term “freedom of information”. It was said as part of a debate about conscientious objectors to the “Great War” (Holt was drawing attention to what he saw as the unfair and counter-productive prosecutions of objectors). He may not have meant “freedom of information” in quite the way we mean it now, but his words resonate, and – at a time when our own Freedom of Information Act 2000 is under threat – remain, as a matter of principle, remarkably relevant.

I found the quotation using Glasgow University’s extraordinary corpus of “nearly every speech given in the British Parliament from 1803-2005”. I commend it to you, and, a century on, commend Sir Richard’s words to Jack Straw and his fellow members on the Independent Commission on Freedom of Information.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Freedom of Information, Uncategorized

A novel defence by Talk Talk?

Talk Talk, in response to the recent revelations about the compromising of the data of up to four million of its customers, says rather boldly

Has TalkTalk breached the Data Protection Act?
No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months. 

And it got me to wondering how well this rather novel approach could be extended in other legal areas.

The defendant, a Mr Talk Talk, was travelling at a speed of ninety-four miles per hour, and had consumed the equivalent of two bottles of gin. However, as the other driver involved in the collision had failed to renew his motor insurance we find that the defendant was evidently merely the victim of a crime, and my client could not, as a matter of law, have broken speeding and drink driving laws.

Furthermore, although the defendant later viciously kicked an elderly bystander in a motiveless attack, he cannot be guilty of an assault because the pensioner was recently convicted of watching television without a licence.

And finally, although my client picked up a police officer and threw him into a duck pond, the fact that the said officer once forgot to pay for a milky way in the staff canteen provides an absolute defence to the charge of obstructing a police officer in the line of duty.

Let’s see how well Talk Talk’s defence washes with the ICO.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Easy as 1-2-3…?

Has the ICO got its FOI sums wrong?

I wrote recently about a decision of the Information Tribunal where the Tribunal held that the Information Commissioner’s Office (ICO) had wrongly calculated the time for compliance with a request made under the Freedom of Information Act 2000 (FOIA) and consequently had said that the public authority in question had contravened its obligations under section 10(1) of FOIA, when in fact it had complied on time. 

One might have thought the ICO would have made sure that it didn’t make this counting mistake again, particularly in cases where an error can make the difference between requests being either compliant or not compliant with FOIA. I was rather surprised, therefore, to notice  a recently published decision notice by the ICO in which (if my calculations are correct) they have again wrongly calculated the time for compliance and consequently issued a decision against a public authority when in fact the public authority had complied with its obligations under section 10(1). As I have noted before, the 20 working day time for compliance with a FOIA request does not include bank holidays even where the bank holiday in question applies only in one part of the UK. So, for instance, a bank holiday in Scotland (say, St Andrew’s Day), but not in the rest of the UK, is still classed as a non-working day for the purposes of FOIA. In this instance one of the requests for information was made on March 16, 2014 and responded to on April 14 2014. The ICO said this meant that the public authority in question – the Student Loans Company – had taken 21 working days to respond. However this seems to overlook the fact that March 17 is a bank holiday in Northern Ireland, where it marks St Patrick’s Day. Accordingly it should not have been counted as a working day by the ICO for the purposes of FOIA. 

By my calculations the public authority responded on the 20th working day, they complied with their obligations under FOIA, and the ICO has issued a defective decision notice. I wonder if an appeal has been lodged.

There are a surprising number of bank holidays throughout the year, when one takes into account those in all parts of the UK, and it is worth bearing in mind that if one of those days falls within any of the putative 20 working days for compliance with a FOIA request then it will push the time for compliance back that one extra day. I reckon (and as nerdy as I am I’m not so nerdy as to have (yet) worked it out) that there’s probably something like a 50% chance that a FOIA request will actually contain a day that is a bank holiday, and maybe one that is not one that applies uniformly throughout the UK. All FOIA requesters, practitioners and, indeed, regulators, should bear this in mind.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

29 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Uncategorized

No Information Rights Levy for ICO – where now for funding?

The ICO’s plan for an “information rights levy” appears to have been scuppered by the government. But is retaining data protection notification fees the way to solve the funding problem?

Back in the heady days of January 2012, when a naive but optimistic European Commission proposed a General Data Protection Regulation (GDPR), to replace the existing 1995 Directive, one of the less-commented-on proposals was to remove the requirement for data controllers to notify their processing activities to the national data protection authority. However, the UK Information Commissioner’s Office (ICO) certainly noticed it, because the implications were that, at a stroke, a large amount of ICO funding would disappear. Currently, section 18(5) of the Data Protection Act 1998 (DPA), and accompanying secondary legislation, mean that data controllers (unless they have an exemption) must pay an annual fee to the ICO of either £35 or £500 (depending upon the size of the organisation). In 2012-2013 this equated to an estimated income of £17.4m, and this income effectively funds all of the ICO’s data protection regulatory actions (its FOI functions are funded by grant-in-aid from the Ministry of Justice).

Three years later, and the GDPR is still not with us. However, it will eventually be passed, and when it is, it seems certain that the requirement under European law to notify will be gone. Because of this, as the Justice Committee recognised in 2013, alternative ICO funding means need to be identified as soon as possible. The ICO’s preferred choice, and one which Christopher Graham has certainly been pushing for, was an “Information Rights Levy”, the details of which were not specified, but which it appears was proposed to be paid by data controllers and public authorities (subject to FOI) alike. In the 2013/14 ICO Annual Report Graham was bullish in calling for action:

Parliament needs to get on with the task of establishing a single, graduated information rights levy to fund the important work of the ICO as the effective upholder of our vital right to privacy and right to know

But this robust approach doesn’t seem to have worked. At a recent meeting of the ICO Management Board a much more pessimistic view emerges. In a report entitled “Registration Fee Strategy” it is said that

The ICO has previously highlighted the need for an ‘information rights fee’ or one fee, paid by organisations directly to the ICO, to fund all information rights activities. Given concerns across government that this would result in private sector cross subsidising public sector work, the ICO recognises that this is unlikely in the short term

The report goes on, therefore, to talk about proposed changes to the current fee/notification process, and about ways of identifying who needs to pay. 

But, oddly, it seems to assume that although the GDPR will remove the requirement for a data controller  to notify processing to the ICO, the UK will retain the discretion to continue with such arrangements (and to charge a fee). I’m not sure this is right. As I’ve written previously, under data protection law at least some recreational bloggers have a requirement to notify (and pay a fee), and the legal authorities are clear that the law’s ambit extends to, for instance, individuals operating domestic CCTV, if that CCTV covers public places where identifiable individuals are. Indeed, as the 2004 Lindqvist case found 

The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number…constitutes ‘the processing of personal data…[and] is not covered by any of the exceptionsin Article 3(2) of Directive 95/46 [section 36 of the DPA transposes Article 3(2) into domestic law]

It is arguable that, to varying extents, we are all data controllers now (and ones who will struggle to avail ourselves of the data protection exemption for domestic purposes). Levying a fee on all of us, in order that we can lawfully express ourselves, has the potential to be a serious infringement of our right to freedom of expression under Article 10 of the European Convention on Human Rights, and even more directly, Article 11 of the Charter of Fundamental Rights of the European Union.

The problem of how to effectively fund the ICO in a time of austerity is a challenging one, and I don’t envy those at the ICO and in government who are trying to solve it, but levying a tax on freedom of expression (which notification arguably already is, and would almost certainly be if the GDPR doesn’t actually require notification) is not the way to do so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

1 Comment

Filed under Data Protection, Directive 95/46/EC, GDPR, Information Commissioner, Uncategorized

Internal review request of case IRQ 0576154

Thanks for your reply. However, I would like to request an internal review of case IRQ0576154.

Specifically, I would like you to review the decision not to release the executive summary of your audit of Talk Talk’s compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

I can understand and accept the application, in your initial response, of s31(1)(g) of the Freedom of Information Act 2000 (FOIA) in regard to most of the held (and withheld) information you have identified, but you say the disclosing the executive summary itself would or would be likely to prejudice the relevant exercise of your functions, and that the public interest favours the maintaining of the exemption. But neither in your consideration of the application of the exemption nor in your consideration of the public interest have you taken into account the fact that the executive summaries of your audits are prepared on the presumption that they will be published. As your document “Communicating Audits” says:

The ICO will expect to publish the Executive Summary on our website and will encourage the data controller to allow us to do so

And certainly in the case of some PECR audits you do (last year you published the summaries of audits into EE and Telefonica UK).

I appreciate that the document goes on to say that a data controller (and by inference a person, for PECR purposes) can “prevent” publication, but surely allowing, or purporting to allow, a person to prevent publication (without any other reason) is an impermissible restraint on your public law discretion to disclose information.

Furthermore, I would submit that you have failed to take into account, both when considering whether the exemption was engaged and when considering the public interest, the fact that publishing (or disclosing) the executive summary allows consumers to make a more informed choice about which telecoms provider to choose to do business with. If some providers’ PECR compliance is better, or worse, than others, then consumers have an interest in knowing this.

For these reasons I hope you can reconsider your decision and disclose the executive summary at least.

Best wishes,

Jon Baines

2 Comments

Filed under Uncategorized

ICO finds Lib Dems in breach of ePrivacy law

A few months ago, when I entered my email address on the Liberal Democrats’ website to say that I agreed with the statement 

Girls should never be cut. We must end FGM

I hoped I wouldn’t subsequently receive spam emails promoting the party. However I had no way of knowing because there was no obvious statement explaining what would happen. But, furthermore, I had clearly not given specific consent to receive such emails.

Nonetheless, I did get them, and continue to do so – emails purportedly from Nick Clegg, from Paddy Ashdown and from others, promoting their party and sometimes soliciting donations.

I happen to think the compiling of a marketing database by use of serious and emotive subjects such as female genital mutilation is extraordinarily tasteless. It’s also manifestly unlawful in terms of Lib Dems’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which require specific consent to have been given before marketing emails can be sent to individuals.

On the lawfulness point I am pleased to say the Information Commissioner’s Office (ICO) agrees with me. Having considered my complaint they have said:

I have reviewed your correspondence and the organisations website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals.

Great. I’m glad they agree – casual disregard of PECR seems to be rife throughout politics. As I’ve written recently, the Labour Party, UKIP and Plaid Cymru have also spammed my dedicated email account. But I also asked the ICO to consider taking enforcement action (as is my right under regulation 32 of PECR). Disappointingly, they have declined to do so, saying:

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

It’s also disappointing that they don’t say why this is their decision. I know they cannot take enforcement action in every case reported to them, which is why I requested it in this specific case.

However, I will be interested to see whether the outcome of this case changes the Lib Dems’ approach. Maybe it will, but, as I say, they are by no means the only offenders, and enforcement action by the ICO might just have helped to address this wider problem.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

8 Comments

Filed under consent, enforcement, Information Commissioner, marketing, PECR, spam, Uncategorized

Up a gum tree

Data protection law doesn’t prevent disclosure of personal data where not doing would be likely to prejudice criminal justice purposes

Theft of a bicycle may not be the most serious crime ever. However, crime it is, and any omission by a person which is likely to prejudice the detection of that crime or the apprehension or prosecution of the thief is, in societal terms, to be deplored. This is why, when the omission in question would be a failure by a data controller to disclose personal data to the police which would be likely to assist in the detection of the crime or the apprehension or prosecution of the thief, the Data Protection Act 1998 (DPA) provides an exemption to the general presumption in the Act against disclosure, which authorises such disclosure.

Section 29 of the DPA is often misunderstood. It is quite common, particularly in certain sectors (social services, housing etc.) for data controllers to be contacted by the police, or other bodies with powers to investigate crime, asking for disclosure of information about people whose personal data the data controller holds. Data protection officers will often talk of a “section 29 request”, but this is really just shorthand for saying “the police etc. have requested disclosure of personal data from this data controller and the section of the DPA which is engaged and under whose provisions we would be authorised to disclose would be section 29”.

With this in mind it is surprising to read in The Daily Record that police are unable to trace a person who had the gall to post an advert on the classified ad site Gumtree purporting to offer for sale a bike stolen from outside a gym in Edinburgh. According to the article police have told the owner of the bike, who spotted the advert, that

…officers could not act because of data protection laws…Due to data protection laws, a warrant must be applied for before police can access personal information held by the site.

The reference to a warrant, however, is surely excessive. The article also refers to the police “waiting to hear back” from Gumtree. Section 29(3) of the DPA allows Gumtree to disclose the details of the person who placed the advert, by exempting them from the general obligation to comply with the first five data protection principles and sections 10 and 14(1) to (3) (collectively referred to as the non-disclosure principles). Failure to exercise this power by a data controller, or a delay in doing so, in circumstances where such a failure would be likely to prejudice the police’s duties is detrimental to the public interest. One hopes that, if the article is correct, Gumtree will now act in that public interest and disclose the details without delay.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, data sharing, police, Uncategorized

Sensitive personal data exposed in Open Datasets

Since August last year I’ve been inviting the ICO to consider the issue of deliberate wholesale exposure of sensitive personal data in local authority open data. It’s still online.

UPDATE: 16.02.15 Well, I was wrong. The ICO says this is not personal data:

The data sets in question are clearly personal data in the hands of the [redacted] because it will retain the full original dataset containing the identifying details of individuals. However, the question is whether the information is still personal data post-publication. In our view it is not.

Although the data relates to particular living individuals, it does not in itself identify any of them and so in of themselves the data sets do not contain personal data.

The issue then is whether it is likely that a third party will come into the possession of other information that will allow an individual to be identified. To do so, such a person would already need prior knowledge of any given individual in order to identify them. However, we believe the publication of the information to have a low risk of individuals being re-identified because only someone with considerable prior knowledge would be able to perform this task.

We note that you have not identified anybody and the [redacted] has stated that it is unaware of any cases of re-identification as a result of publication.

I honestly struggle to fathom this. I accept the ICO’s further point that

the Information Commissioner only has to give his view about the likelihood that there has been a breach [of the DPA]. This view is made on the balance of probabilities and the Commissioner is under no obligation to prove this beyond doubt

but their assessment doesn’t seem to tally with my understanding of the techniques described in the ICO’s own Anonymisation Code. I’m no expert on that subject, but I wouldn’t dream of publishing the datasets in question, in the form they have been published. If anyone has any observations I’d be really interested to hear them.

And I’m still not linking to the datasets – I think they can identify individuals, and their sensitive personal data.

END UPDATE.

Imagine, if you will, a public authority which decides to publish as Open Data a spreadsheet of 6000 individual records of adults receiving social services support. Each row tells us an individual service user’s client group (e.g. “dementia” or “learning disability”), age range (18-64, 65-84, 84 and over), the council ward they live in, the service they’re receiving (e.g. “day care” or “direct payment” or “home care”), their gender and their ethnicity. If, by burrowing into that data, one could identify information that reveals that one, and only one, Bangladeshi man in the Blankety ward aged 18-64 with a learning disability is in receipt of direct payments, most data protection professionals (and many other people besides) would recognise that this is an identifiable individual, if not to you or me, then almost certainly to some of his neighbours or family or acquaintances.

Similarly, imagine the same public authority decides to publish as Open Data a spreadsheet of nearly 7000 individual records of council housing tenants who have received Notices of Seeking Possession or Notices to Quit. Each row tells us the date individual tenant was served the notice, the council ward, the duration of the tenancy, whether it was joint or sole, the age of the tenant(s) in years, their gender, their ethnicity (if recorded), their disability status (if recorded), their vulnerability status (if recorded). If, by burrowing into that data, one could identify that reveals that one, and only one, 40-year-old Asian Indian male sole tenant with a tenancy 2.94 years old, was served a Notice of Seeking of Possession in June 2006, most data protection professionals (and many other people besides) would recognise that this is an identifiable individual, if not to you or me, then almost certainly to some of his neighbours or family or acquaintances.

If these individuals are identifiable (and, trust me, these are only two examples from hundreds, in many, many spreadsheets), then this is their sensitive personal data which is being processed by the public authority in question (which I am not identifying, for obvious reasons). For the processing to be fair and lawful it needs a legal basis, by the meeting of at least one of the conditions in Schedule Two and one in Schedule Three of the Data Protection Act 1998 (DPA).

And try as I might, I cannot find one which legitimises this processing, not even in the 2000 Order which significantly added to the Schedule 3 conditions. And this was why, when the datasets in question were drawn to my attention, I flagged my concerns up with the public authority

Hi – I notice you’ve uploaded huge amounts of data…some of it at a very high level of granularity – ie with multiple and specific identifiers. According to the definitions in recital 26 and Article 2 of Directive 95/46/EC, s1(1) of the Data Protection Act 1998, and the Information Commissioner’s Office guidance (eg “Determining What is Personal Data” and the Code of Practice on Anonymisation) this is very likely to be personal data and in many cases sensitive personal data. I’m curious to know why you are publishing such datasets in such form, and what the legal basis is to do so

Not receiving any reply, I then contacted the Information Commissioner’s Office, saying

It seems to me that they are processing (including disclosing) large amounts of sensitive personal dataI’m happy to elaborate to ICO if you want, but presume I wouldn’t need to explain exactly why I am concerned.

However, when I received the ICO case worker’s reply, I was rather dumbfounded

You have raised concerns that [redacted] is disclosing large amounts of sensitive personal data on…its website. For information to be personal data it has to relate to a living individual and allow that individual to be identified from the information. I have looked over some of the information…and it appears to be sharing generic data and figures. I could not see any information that identifies any individuals. In order to consider your concerns further it would be extremely helpful if you could provide some examples of where the sensitive personal data can be found and possibly provide a couple of screenshots.

Nonetheless, I replied, giving the two examples above, and the case worker further replied

I have now looked at the examples you have provided and agree that there is the potential for individuals to be identified from the information that [they are] publishing. We will now write to [them] about this matter to obtain some further information about its information rights practices. As this matter does not concern your personal data and relates to third party information we do not intend to write to you again about this matter

I thought the last sentence was a bit odd (nothing prevented them from keeping me informed) but took reassurance that the data would be removed or appropriately anonymised.

But nothing seemed to happen. So I chased the ICO at the end of November. No response. And now I’ve been forced to raise it with the ICO as a complaint:

I understand that you said you would not contact me again about this, but I note that the sensitive personal data is still online. I advise several public sector clients about the online publishing of datasets, with reference to the law and ICO guidance, and the lack of action on this…leaves me quite bemused – do I now advise clients that they are free to publish datasets with such specific and so many identifiers that individuals can be identified? If so, what legal basis do I point to to legitimise the processing?

Public authorities are increasingly being encouraged, as part of the transparency agenda, to make their data publicly available, and to make it available in reusable format, so that it can be subjected to analysis and further use. The ICO has produced generally helpful guidance on successful anonymisation which enables datasets to be removed of personal data. If public authorities fail to follow this guidance, and instead disclose sensitive personal data within those reusable datasets they are potentially exposing individuals to considerable and various risks of harm. Moreover, much of the data in question is gathered pursuant to the public authority’s statutory duties – in other words, data subjects have no ability to opt out, or refuse to give consent to the processing.

One has to ask what this does for the confidence of data subjects in Open Data and the transparency agenda.

I asked the ICO’s always very helpful press office if they wanted to comment, and an ICO spokesperson said: “This is an open case, and we continue to work with the council to explain our concerns about the amount of information being published.” Which raises interesting questions – if they have concerns (and I think I have amply explained here why those concerns are justified) why not take enforcement action to get the data taken down?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Uncategorized