March 1, 2024 · 7:02 am

John Edwards evidence to the Angiolini inquiry

On 29 February Lady Elish Angiolini published the first report from her inquiry into how off-duty Metropolitan police officer Wayne Couzens was able to abduct, rape and murder Sarah Everard.

Information Commissioner John Edwards contributed to the inquiry, and his evidence is cited at 4.320 (the paragraph is quoted below). It deals with the profoundly important (and perennially misunderstood) issue of data-sharing within and between police forces.

Although for obvious reasons the identity and content of some witness evidence to the inquiry is being kept anonymous, there should be no obvious reason that Mr Edwards’s is, and I hope that the Information Commissioner’s Office will, in addition to publishing his press statement, also publish any written evidence he submitted. It would also be good to know the details of the work Mr Edwards says his office is doing, and continuing, with the police, in this context.

In discussions with senior leaders of relevant organisations, the Inquiry was told that gaps in information-sharing between human resources, recruitment, professional
standards and vetting teams – and, indeed, between forces themselves – were a
significant barrier to capturing a clear picture of officers. The Inquiry heard from different sources, including senior leaders, that there are significant barriers to
information-sharing. Some cite data privacy and protection laws as a reason not to
share information. However, in a discussion with the Information Commissioner, John Edwards, the Inquiry was assured that data protection law recognises that there are legitimate reasons for information-sharing, particularly given the powers attributed to police officers. Indeed, Mr Edwards suggested that data protection law is widely misunderstood and misconstrued, and highlighted a failure of training in this regard.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, data sharing, Information Commissioner, police

Tagged as , , ,

March 1, 2024 · 6:48 am

How did George Galloway come to send different canvassing info to different electors?

As electors went to the polls in the Rochdale by-election on 29 February, a few posts were made on social media showing the disparity between letters sent to different electors by candidate George Galloway. An example is here

On the face of it, Galloway appears to have hoped to persuade Muslim voters to vote for him based on his views on a topic or topics he felt would appeal to them, and others to vote for him based on his views on different topics.

It should be stressed that there is nothing at all wrong that in principle.

What interests me is how Galloway identified which elector to send which letter to.

It is quite possible that a candidate might identify specific roads which were likely to contain properties with Muslim residents. And that, also would not be wrong.

But an alternative possibility is that a candidate with access to the full electoral register, might seek to identify individual electors, and infer their ethnicity and religion from their name. A candidate who did this would be processing special categories of personal data, and (to the extent any form of automated processing was involved) profiling them on that basis.

Article 9(1) of the UK GDPR introduces a general prohibition on the processing of special categories of personal data, which can only be set aside if one of the conditions in Article 9(2) is met. None of these immediately would seem available to a candidate who processes religious and/or ethnic origin data for the purposes of sending targeted electoral post. Article 9(2)(g) provides a condition for processing necessary for reasons of substantial public interest, and Schedule One to the Data Protection Act 2018 gives specific examples, but, again, none of these would seem to be available: paragraph 22 of the Schedule permits such processing by a candidate where it is of “personal data revealing political opinions”, but there is no similar condition dealing with religious or ethnic origin personal data.

If such processing took place in contravention of the prohibition in Article 9, it would be likely to be a serious infringement of a candidate’s obligations under the data protection law, potentially attracting regulatory enforcement from the Information Commissioner, and exposure to the risk of complaints or legal claims from electors.

To be clear, I am not saying that I know how Galloway came to send different letters to different electors, and I’m not accusing him of contravening data protection law. But it strikes me as an issue the Information Commissioner might want to look into.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under access to information, Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, political parties, UK GDPR

Tagged as , , ,

February 9, 2024 · 8:39 am

When is a breach of FOIA not a breach of FOIA?

I posted about this originally on LinkedIn, but I found it so nerdily interesting I wanted to preserve it better by putting it on this blog.

In 4 December 2023 the Information Commissioner’s Office (ICO) issued a decision notice under section 50 of the Freedom of Information Act 2000 (FOIA) finding that its own office did not deal with a FOIA request within the statutory time limit. Subsequently, however, as the ICO website has it, “Following a review of this case it has been noted that the Commissioner erred in citing a breach of section 17(1) of FOIA, having omitted to include the Scottish bank holiday of 7 August 2023 in his calculation of the 20 working day deadline. Therefore, the ICO did not breach section 17(1) of FOIA.”

However, merely staring on its website that “the ICO did not breach FOIA” is not sufficient. As a matter of law, the decision notice itself stands, unless it is substituted by another notice made by the Information Tribunal upon appeal. The ICO cannot withdraw/amend a decision notice, in the absence of an appeal (under the doctrine of “functus officio”, but see also IC v Bell [2014] UKUT 0106)).

So merely saying on its website “we didn’t breach the time limits” cannot cancel or overturn the decision notice.

In some analogous circumstances of “wrong” legal decisions by public authorities bound by functus officio, the authority will consent to judicial review proceedings quashing the decision. But here, the only person with any interest in quashing the decision is the ICO itself, and I don’t believe it could apply for judicial review of its own decision (although there have been cases, I believe, where local authorities have judicially reviewed decisions of their own planning committees).

What the ICO could have done though (and I give a nod to Ganesh Sittampalam here) is appeal the decision itself to the Tribunal. It would seem to be the case that the ICO, as the public authority on whom the decision notice was served, would have had a right of appeal to the Tribunal, even though it would be both the appellant and the respondent. This would, obviously, be rather an odd situation, but it’s one that the ICO already faces when it has to rule (as it did here) on its own compliance with the laws it regulates and enforces (for these purposes it effectively creates a fictional divide between “the ICO” and the “Commissioner” – see for example paragraph four in the decision notice linked above).

However, for whatever reason, the right of appeal was not exercised. But, given that that was the statutory route for challenge, why was the purported correction of the error instead subject to an internal, non-binding and unsatisfactory “review” within the ICO?

One wonders how this will be recorded within the ICO’s datasets: will the ICO accept the point that, as a matter of law, the decision is and remains that it breached the time limits? I doubt it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Tagged as ,

January 17, 2024 · 7:26 am

NADPO January webinar – a focus on the DPDI Bill

As we hurtle into an election year there may be a rush to get parliamentary bills over the line. The signs are that there is a) a momentum behind the Data Protection and Digital Information Bill*, and b) little notable opposition opposition, so I’m expecting it to pass.

Accordingly, the NADPO executive have asked two experts to speak about the Bill at our next webinar, on Tuesday 23 January: Dr Chris Pounder and Ibrahim Hasan are preeminent in the field, and will be talking, respectively, about “New Data Sharing rules under the DPDI Bill” and “Proposed changes to UK GDPR”.

As always, attendance is free for NADPO members, and Data Protection Forum members can also attend for free under our mutual agreement with the Forum. If anyone else fancies testing the NADPO waters please drop me a line at chair at nadpo dot co dot uk and I’ll see if we can accommodate you.

[*the Bill is no longer titled “No.2”, despite what I’ve seen from many experts, including *cough* myself, albeit a few months ago now]

Leave a comment

Filed under Uncategorized

January 2, 2024 · 6:20 pm

UK GDPR amended

Three years ago, at the end of the Brexit Implementation Period, I helped prepare a version of the UK GDPR for the Mishcon de Reya website. At the time, it was difficult to find a consolidated version of the instrument, and the idea was to offer a user-friendly version showing the changes made to the retained version of the GDPR, as modified by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, and the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020.

Since then, the main legislation.gov.uk has offered a version. However, with respect to that site, it’s not always the easiest to use.

The burden now, though, falls to me and Mishcon, of updating our pages as and when the UK GDPR itself gets amended. Major changes are likely to made when the Data Protection and Digital Information Bill gets enacted, but, first, we have the minor amendments (minor in number, of not in significance) effected by The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (which came into force at 23:59:59 on 31.12.23).

The changes have been made to Articles 1, 4, 9, 50, 85 and 86.

The Mishcon pages have been very well used, and we’ve had some great feedback on them. They don’t profess to be an authoritative version (and certainly should not be relied on as such) but we hope they’ll continue to be a useful resource.

Leave a comment

Filed under Data Protection, GDPR, UK GDPR

Tagged as , ,

November 17, 2023 · 6:35 am

EIR you sure you got that right?

Someone said they’d read this post if I wrote it. That’s miles more encouragement than I normally need, so here goes.

The other day, Tim Turner’s FOIDaily account pointed out how, after twenty-odd years, some public authorities still fail to identify when a request for information should be dealt with under the Environmental Information Regulations 2004 (EIR), rather than the Freedom of Information Act 2000 (FOIA). An example was given of Information Commissioner’s Office (ICO) identifying where a public authority had got this wrong.

As any fule kno, the two laws operate in parallel to create a regime for access to information held by public authorities, and it’s Regime 101 for a public authority to be able to know, and identify, when each applies. But, in short, if requested information is on, for instance, “measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect…the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape…” then the EIR, and not FOIA, apply.

I pointed out in the comments to the FOIDaily post that I’d seen a case where everyone, from the requester, to the public authority, to the ICO, to the First-tier Tribunal, had failed to deal with a case under the correct scheme.

This was it.

The case was about a request to a district council for information about whether a councillor had (in a private capacity) been required to pay any money to the council in relation to a fly-tipping incident or incidents. The request itself even referred to the Environmental Protection Act 1990, which was a very big hint that environmental information might be at issue.

What appears to have happened is that everyone jumped to the issue of whether disclosure of the requested information would contravene the councillor’s data protection rights. As most similar discussions take place in relation to the provisions of section 40 FOIA, the public authority, the ICO and the Tribunal (and presumably even the requester) all appear to have gravitated towards FOIA, without asking the correct first question: what is the applicable law? The answer to which was, clearly, EIR.

Regulation 13 of the EIR deals with personal data, and is cast in very similar terms to section 40 FOIA. It is, then, strongly arguable that, given that similarity, both the ICO and the Tribunal would have arrived at the same decision whichever regime applied. But Parliament has chosen to have two separate laws, and this is because they have a different genesis (EIR emanate from EU law which in turn emanates from international treaty obligations). Additionally, where all things are otherwise equal, the EIR contain an express presumption in favour of disclosure (something that is not the case in relation to personal data under the FOIA regime – see Lord Hope’s opinion in Common Services Agency v Scottish Information Commissioner).

As Tim implies in his post, the EIR have always been seen as somehow inferior, or subservient, to FOIA. No doubt this is because they are in the form of secondary legislation, rather than statute. This is more an accident of history, rather than of constitutional significance, and is never going to be relevant in most practice. But if the ICO and the courts continue to miss their relevance, it shouldn’t be that surprising that some public authorities will also do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as , , ,

November 16, 2023 · 5:36 pm

I was stupid

I was stupid, I was naive: I thought that recent statements from senior people at the Information Commissioner’s Office (ICO) indicated a willingness to enforce against non-compliance in the use of cookies and cookie banners.

I was wrong. My recent complaint, published as an open letter to John Edwards, the Commissioner, not only took ten weeks to be allocated to a case worker, but, now, that case worker has told me, in terms, that they’re not interested:

we do not respond to cookie complaints individually…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK.

This leaves two things hanging: 1) the site I complained about is one of the most visited in the UK; 2) the website in question arguably “raises awareness” of cookies, but only insofar as it confounds, frustrates and obstructs the user, in a manner which, in my submission, contravenes ePrivacy and Data Protection law, and 3) fails to get users’ consent (as it is defined in those laws).

MLex(£) have now written about this, and have secured a quote from the ICO, which is more than I got, really:

It is an ICO priority to influence changes to online tracking practices to create a more privacy-oriented internet. Where users want personalized adverts they should have the choice to receive them. But where websites don’t give people fair choices over how their data is used we will take action to safeguard their rights.

Try as I might, I can’t square that, and the ICO’s previous public statements about taking firm action, with an approach which fails in any real way to engage with people who take the time and effort to make complaints. But, as I say, I was stupid and naive to think it might have been different.

I’ve now complained, in turn, about the ICO’s handling of my complaint (and made an FOI request), in these terms:

1. I made a complaint under Article 77 UK GDPR. You have not investigated that at all, let alone “to the extent appropriate” as you are required to do under Article 57(1)(f). 

2. My letter was addressed to John Edwards. Has he seen it? 

3. You say, “When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation.” Which have you done here? Please disclose information either in respect of the compliance check you undertook, or of the correspondence you sent to Associated Newspapers Ltd.

4. Frankly, your response is discourteous. I went to some effort to assist the ICO in its stated intention to investigate poor compliance with PECR, but your response gives no indication that you’ve even read the substance of my complaint.

5. Your letter contains no apology or explanation for the extensive delay in handling it, which falls outside your own service standards.

In seriousness, I find this all really disheartening. The gulf between what the ICO says and what it does is sometimes huge, and not necessarily appreciated by those who don’t work in the field.

But I will get back in my stupid box.

+++

For completeness’ sake, the full response from the caseworker was:

Thank you for your correspondence in which you have complained about Associated Newspapers Ltd and its use of cookies.

Complaints regarding cookies can be submitted to us through the following link: Cookies | ICO

In this case, I have forwarded the information you have provided to the appropriate department. Although we do not respond to cookie complaints individually, we use the information you send us to help us identify, investigate and take action against organisations causing you complaint. To do this, we work alongside other organisations and website owners.

Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us,
we either conduct our own compliance check or write to the organisation. Our website provides further information about the action we’re taking on cookies.

Yours sincerely

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under adtech, consent, cookies, Information Commissioner, PECR, UK GDPR

Tagged as , , ,

October 23, 2023 · 1:15 pm

Verging on contempt

Where the Information Commissioner serves a decision notice on a public authority, under section 50(3)(b) of the Freedom of Information Act 2000 (FOIA), it is a legal notice and a failure to comply may be treated by the High Court (or in Scotland, the Court of Session) as if the authority had committed a contempt of court. It is, therefore (and to state the obvious) a serious matter not to comply. The process involves the Commissioner “certifying” to the court that there has been a failure to comply.

Yet, a recent FOIA disclosure by the Information Commissioner’s Office (ICO) reveals that it currently has two such cases where it has referred non-compliance by one particular public authority to its own solicitors to initiate (or at least consider) certification proceedings. The rather remarkable thing is that the public authority in question is the government department with overall responsibility for FOIA policy – namely, the Cabinet Office.

The disclosure reveals no more in the way of detail – we do not know what the cases relate to, or what the current progress is (other than court proceedings have not yet commenced). However, it is very rare for a case actually to proceed to certification (in fact, I can only recall one case relating to a s50(3)(b) decision notice, and that was instead certified to the High Court by the First-tier Tribunal under section 61 of FOIA (as it applied then)).

It is worth pointing out that it doesn’t necessarily follow that, if there were a finding of contempt, sanctions would be imposed. Although a committal application or fines are, in principle, available, the Court could merely make a public finding that the Cabinet Office had breached the obligation to respond to the decision notice, but impose no further punishment.

Over the years the Cabinet Office has been subject to much criticism for its approach to FOIA – some of it, quite frankly, fully justified. However, there have been encouraging signs of improvements more recently, with its response to the “Clearing House” review, and its setting up of an Information Rights User Group (of which I am a member), although the latter has not fully kicked off yet, as far as I can understand.

However, it is a terrible look for the primus inter pares of government departments, and the one which holds the brief for FOIA policy, to be faced with potential contempt proceedings for failure to do what the law, and the regulator, requires it to do. Although the original FOIA request to the ICO was not mine, I’ll be interested to see if any updates are given.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under access to information, Cabinet Office, contempt, Freedom of Information, Information Commissioner

Tagged as ,

September 28, 2023 · 7:23 am

Review of Freedom of Information: A practical guidebook, by Martin Rosenbaum

For a law that can be so integral to their trade, the actual workings of Freedom of Information Act 2000 (FOIA) get surprisingly little attention from journalists. This is not to say that it is not deployed by journalists: last year there were more than 52,000 requests made to government bodies alone. When one considers the range of public authorities subject to FOIA, or to its Scottish equivalent, or to the parallel Environmental Information Regulations 2004 – not just central government, but also local authorities, NHS Trusts, police forces, public utilities companies, and many others – one can see that, largely unheralded, the right of access to FOIA is one of the most heavily and regularly exercised of rights. And often, it will be journalists making these requests.

Yet if one lists those journalists who really specialise in the area, who really know how to use FOIA most effectively, the same handful of names tend to come up. The doyen of them all, though, is Martin Rosenbaum.

Formerly the BBC’s in-house expert in the use of FOIA (not, as he often patiently had to explain – including to me – the person responsible for the BBC’s FOIA compliance), but also a distinguished producer, Martin went freelance a couple of years ago. But while at the BBC he broke, or otherwise reported on, any number of stories which were the result of FOIA research, as his own website reveals:

The wide list of topics I investigated ranged from what Tony Blair and Bill Clinton said to each other, to revealing which models of cars had the worst MOT failure record; from the Hillsborough disaster and Margaret Thatcher, to flaws in the workings of the honours system; from the policing of anti-nuclear protests at Greenham Common, to how date of birth can affect university entrance. [hyperlinks to stories on the web page itself]

Martin has now published an essential book on the topic: Freedom of Information: A practical guidebook.

Quite simply, if you’re new to FOI you’d be silly not to read it, and even if you’re experienced in it, it will tell you things of value.

The book is structured in a straightforward way (a summary of the law, making requests, what sort of replies you might get, how to challenge replies) but has some extras which will be tremendously helpful. In particular, the template requests which are suggested will help avoid some of the biggest pitfalls requesters make (such as not being specific or clear enough, or making requests which are too broad in scope).

Although the book as a whole is excellent, if requesters only read Part B, on requests (including tactics and advice) they are still likely to make much more sensible and productive requests.

There are only a handful of useful guides (in print or online) to FOI. And really, there are not much more than a handful of experts in it. This is a useful guide by one of those experts – why would you not buy it?

[Disclaimer: I received a free review copy, and Martin and I have known each other for a number of years.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner

Tagged as ,

September 27, 2023 · 7:23 am

Soft regulation = poorer compliance?

The Information Commissioner’s Office (ICO) has published reprimands against seven separate organisations all of whom committed serious infringements of data protection law by inadvertently disclosing highly sensitive information in the context of cases involving victims of domestic abuse.

The ICO trumpets the announcement, but does not appear to consider the point that, until recently, most, if not all, of these infringements would have resulted in a hefty fine, not a regulatory soft tap on the wrist. Nor does it contemplate the argument that precisely this sort of light-touch regulation might lead to more of these sorts of incidents, if organisations believe they can act (or fail to act) with impunity.

I have written elsewhere about both the lack of any policy or procedure regarding the use of reprimands, and also about the lack of empirical evidence that a “no fines” approach works.

I think it is incumbent on the Information Commissioner, John Edwards, to answer this question: are you confident that your approach is not leading to poorer compliance?

The cases include

  • Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation. 
  • Revealing identities of women seeking information about their partners to those partners. 
  • Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother. 
  • Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners. 

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, monetary penalty notice, reprimand, UK GDPR

Tagged as , , ,