July 5, 2014 · 9:03 am

Labour Party website – unfair processing?

Earlier this year I wrote about a questionable survey on the Conservative Party website, which failed to comply with the legal requirements regarding capture of email addresses. It is perhaps unsurprising to see something similar now being done in the name of the Labour Party.

An innocuous looking form on Labour’s donation pages lies underneath a statement that almost 44 million babies have been delivered under NHS care since 1948. The form invites people to find out what number their birth was. There are of course lots of this type of thing on the internet: “What was number one when you were born?” “Find out which Banana Split you are” etc. But this one, as well as asking for people’s date of birth, asks for their (first) name, email address and postcode. And, sure enough, underneath, in small print that I suspect they hope people won’t read, it says

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point

So, they’ll have your email address, your first name and a good idea of where you live (cue lots of “Hi Jon” emails, telling me about great initiatives in my area). All very predictable and dispiriting. And also almost certainly unlawful: regulation 22(2) of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) says that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

This Labour web page impermissibly infers consent. The European Directive  to which PECR give domestic effect makes clear in recital 40 that electronic marketing requires that prior, explicit consent  be obtained. Furthermore the Information Commissioner’s Office (ICO), issues clear guidance on PECR and marketing, and this says

Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…

The ICO’s guidance on political campaigning is (given the likelihood of abuse) disappointingly less clear, but it does say that “An organisation must have the individual’s consent to communicate with them [by email]”. I rather suspect the Labour Party would try to claim that the small print would suffice to meet this consent point, but a) it wouldn’t get them past the hurdle of giving the option to opt out at the point of collection of data, and b) in the circumstances it would crash them into the hurdle of “fairness”. The political campaigning guidance gives prominence to this concept

It is not just in an organisation’s interests to act lawfully, but it should also have respect for the privacy of the individuals it seeks to represent by treating them fairly. Treating individuals fairly includes using their information only in a way they would expect

I do not think the majority of people completing the Labour Party’s form, which on the face of it simply returns a number relating to when they were born, would expect their information to be used for future political campaigning. So it appears to be in breach of PECR, not fair, and also, of course (by reference to the first principle in Schedule One) in breach of the Data Protection Act 1998. Maybe the ICO will want to take a look.

UPDATE:

I see that this page is being pushed quite hard by the party. Iain McNicol, General Secretary, and described as “promoter” of the page has tweeted about it, as have shadow Health Secretary Andy Burnham and Ed Miliband himself. One wonders how many email addresses have been gathered in this unfair and potentially unlawful way.

 

3 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

Tagged as , , ,

July 4, 2014 · 1:32 pm

The chilling effect of Google Spain on my blog

UPDATE 04.07.14: As a result of the European Court of Justice’s oppressive judgment requiring the removal of virtually all of history from the internet, I feel I am forced to edit this old post. This is nothing at all to do with childishly making a point. Honestly.

10 December 2006

The shock publication by [REDACTED] that world-famous [REDACTED] and celebrity, [REDACTED], was snapped with several large [REDACTED] on his [REDACTED] raises profound data protection issues.

[REDACTED] surely never expected that his night out with [REDACTED], Sir Jimmy [REDACTED] and Elizabeth Taylor, would end in him being [REDACTED] so ignominiously [REDACTED] as they looked in on Wang with [REDACTED] [REDACTED] [REDACTED] and a miniature trombone. Nor would he have expected it to be plastered across the front page of the News of the World.

Whether the journalists can rely on the section 32 DPA exemption will depend upon how the ICO or the courts assess whether knowing that [REDACTED] has such an hilariously small [REDACTED] – despite his well known predilection for [REDACTED] – will depend on [REDACTED].

My assessment is naturally clouded by my enormous [REDACTED WHOLE OF REST OF BLOG POST] 

 

3 Comments

Filed under nonsense, satire

July 4, 2014 · 10:06 am

We’re looking into it

The news is awash with reports that the UK Information Commissioner’s Office (ICO) is “opening an investigation” into Facebook’s rather creepy research experiment, in conjunction with US universities, in which it apparently altered the users’ news feeds to elicit either positive or negative emotional responses. Thus, the BBC says “Facebook faces UK probe over emotion study”, SC Magazine says “ICO probes Facebook data privacy” and the Financial Times says “UK data regulator probes Facebook over psychological experiment”.

As well as prompting one to question some journalists’ obsession with probes, this also leads one to look at the basis for these stories. It appears to lie in a quote from an ICO spokesman, given I think originally to the online IT news outlet The Register

The Register asked the office of the UK’s Information Commissioner if it planned to probe Facebook following widespread criticism of its motives.

“We’re aware of this issue, and will be speaking to Facebook, as well as liaising with the Irish data protection authority, to learn more about the circumstances,” a spokesman told us.
So, the ICO is aware of the issue and will be speaking to Facebook and to the Irish Data Protection Commissioner’s office. This doesn’t quite match up to the rather hyperbolic news headlines. And there’s a good reason for this – the ICO is highly unlikely to have any power to investigate, let alone take action. Facebook, along with many other tech/social media companies, has its non-US headquarters in Ireland. This is partly for taxation reasons and partly because of access to high-skilled, relatively low cost labour. However, some companies – Facebook is one, LinkedIn another – have another reason, evidenced by the legal agreements that users enter into: because the agreement is with “Facebook Ireland”, then Ireland is deemed to be the relevant jurisdiction for data protection purposes. And, fairly or not, the Irish data protection regime is generally perceived to be relatively “friendly” towards business.
 
These jurisdictional issues are by no means clear cut – in 2013  a German data protection authority tried to exercise powers to stop Facebook imposing a “real name only” policy.
 
Furthermore, as the Court of Justice of the European Union recognised in the recent Google Spain case, the issue of territorial responsibilities and jurisdiction can be highly complex. The Court held there that, as Google had
 
[set] up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State
 
it was processing personal data in that Member State (Spain). Facebook does have a large UK corporate office with some responsibility for sales. It is just possible that this could give the ICO, as domestic data protection authority, some power to investigate. And if or when the draft European General Data Protection Regulation gets passed, fundamental shifts could take place, extending even, under Article 3(2) to bringing data controllers outside the EU within jurisdiction, where they are offering goods or services to (or monitoring) data subjects in the EU.
 
But the question here is really whether the ICO will assert any purported power to investigate, when the Irish DPC is much more clearly placed to do so (albeit it with terribly limited resources). I think it’s highly unlikely, despite all the media reports. In fact, if the ICO does investigate, and it leads to any sort of enforcement action, I will eat my hat*.
 
*I reserve the right to specify what sort of hat

Leave a comment

Filed under Data Protection, Directive 95/46/EC, enforcement, facebook, journalism, social media, Uncategorized

Tagged as , , ,

July 3, 2014 · 4:23 pm

A green light for publishing FOI requesters names? I hope not

The Information Commissioner’s Office (ICO) today issued a statement about the data protection implications of public authorities publishing the names of people who have made requests under the Freedom of Information Act 2000 (FOIA). It was issued to journalist Jules Mattsson (it may have been issued to others) and I credit him for pursuing it. It arose out of concerns expressed on Twitter yesterday that a council had uploaded a disclosure log in which the names of requesters were unredacted*.

When the Justice Committee undertook its post-legislative scrutiny of FOIA in 2012 it made a recommendation (¶82) that names of requesters be published in disclosure logs

it can be argued that someone seeking to exercise freedom of information rights should be willing for the fact they have requested such information to be in the public domain; we therefore recommend that where the information released from FOI requests is published in a disclosure log, the name of the requestor should be published alongside it

But this was rejected by the government in its response to the report (¶25)

The Government does not share the view that publishing the names of requesters in disclosure logs would be beneficial in terms of burdens. Such a move would have implications for the data protection of requesters..

 Tim Turner blogged in his usual meticulous style on these data protection implications yesterday, and I am not going to rehearse the points he makes. Indeed, the ICO in its statement more or less agrees with Tim’s comments on fairness, and necessity, when it comes to the publication of requesters’ names

Individuals who make…requests must have their details handled fairly. Many people who have made a request would not expect to have their name linked to published details of the request they have made. If a public authority is considering publishing this information then they must consider why publishing the requester’s name is necessary/ While there is a need for authorities to be transparent about the [FOI] process, in most cases this would not extend to releasing people’s name simply to deter requesters

There then follow some (correct) observations that journalists and politicians might have different expectations, before the statement says

At the very least people should be told that their details will be published and given the opportunity to explain to the council why their name should not be disclosed. If having raised it with the authority a person is not happy with the way their details have been handled then we may be able to help

So what the ICO appears to be doing is agreeing that there are data protection implications, but, as long as authorities give requesters a privacy notice, announcing that they’re not going to do anything (unless people complain). It’s not often I take issue with the excellent Matt Burgess, who runs FOI Directory, but he claims that “the ICO has criticised the Council”. With respect, I don’t see any targeted criticism in the ICO’s statement, and I fear some public authorities will see it as a green light to publishing names.

As source does inform me that an ICO spokesman has said that they are going to be in touch with the council in question, to find out the full details. However, I wonder if the statement shows an approach more in line with the ICO’s new, largely reactive (as opposed to proactive), approach to data protection concerns (described on my blog by Dr David Erdos as having worrying implications for the rule of law), but I fear it risks the exposure of the personal data of large numbers of people exercising their right to information under a statutory scheme which, at heart, is meant to be applicant-blind. As the ICO implies, this could have the effect of deterring some requesters, and this would be, in the words of the always perceptive Rich Greenhill, a type of reverse chilling effect for FOIA.

 *I’m not going to link to the information: I don’t think its publication is fair. 

 

 

UPDATE: 05.07.14

The Council appears to have taken the information down, with Jules Mattsson reporting on 3 July that they are reviewing the publication of requesters’ names.

6 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner

Tagged as , ,

June 30, 2014 · 4:02 pm

What’s so foolish about FOI?

The television presenter Phillip Schofield took to Twitter recently to draw attention to a Freedom of Information (FOI) request to Avon and Somerset Police. He did so because the request had asked about the cost to the force of Mr Schofield’s attendance at an open day.

Message to Tom Hodder .. No Fee!! My bro works for the police, it was a family day out!

I’ve no problem with his drawing attention to it, nor with his naming the person, but I thought it was rather unpleasant that he chose to use the hashtags #WastingPoliceTime #Fool. As Mr Schofield, and the response on WhatDoTheyKnow.com, say, the cost was nil, but I don’t suppose Mr Hodder was to know that: Mr Schofield was described on his own employer’s site as having been invited to attend, and he promotes himself as someone for hire for “personal appearances”. I didn’t know Mr Schofield’s brother works for the police, and I suspect Mr Hodder didn’t either.

Wasting Police Time is a term used to describe a criminal offence. What Mr Hodder was doing was exercising his statutory right to ask a public authority for information (in this instance about the expenditure of public funds), and I see nothing wrong in what he asked (nor, indeed, in the response by the police. I am sure Mr Schofield wasn’t seriously suggesting the commission of a criminal offence, but his use of the term, and the epithet “fool” seem mean-spirited. And, of course, as he might have expected, many of his fans jumped to his defence and to verbally attack Mr Hodder.

All this seems rather ironic when one considers Mr Schofield’s involvement in 2012 in another “transparency” story. This was when he confronted the prime minister with a list of alleged child sex abusers which he had found online, but which he failed to shield from the studio cameras – a stunt which Jonathan Dimbleby described as “cretinous”. This led to his employer having to pay the late Lord McAlpine (whose name was on the list) £125,000 to settle a defamation claim. Even the apology which followed the incident had a mean-spirited air about it, when Mr Schofield appeared to blame the cameraman.

Mr Schofield has one of the largest followings on Twitter (2.99 million, at the time of writing). People with that sort of following carry some responsibility, and if they criticise named individuals they should do so fairly. I think it would be in order if he apologised to Mr Hodder.

 

 

2 Comments

Filed under Freedom of Information, police, social media

Tagged as ,

June 29, 2014 · 12:35 pm

I DON’T KNOW WHAT I’M DOING

As surprising as it always is to me, I’m occasionally reminded that I don’t know everything. But when I’m shown not to know how my own website works, it’s more humbling.

A commenter on one of my blog posts recently pointed out the number of tracking applications which were in operation. I had no idea. (I’ve disabled (most of) them now).

And someone has just pointed out (and some others have confirmed) that, when visiting my blog on their iphone, it asks them whether they want to tell me their current location. I have no idea why. (I’m looking into it).

These two incidents illustrate a few things to me.

Firstly, for all my pontificating about data protection, and – sometimes – information security, I’m not particularly technically literate: this is a wordpress.com blog, which is the off-the-peg version, with lots of things embedded/enabled by default. Ideally, I would run and host my own site, but I do this entirely in my own time, with no funding at all.

Secondly, and following on from the first,  I am one among billions of people who run web applications without knowing a great deal about the code that they’re based on. In a world of (possibly deliberately coded) back-door and zero day vulnerabilities this isn’t that surprising. If even experts can be duped, what hope for the rest of us?

Thirdly, and more prosaically, I had naively assumed that, in inviting people to read and interact with my blog, I was doing so in a capacity of data controller: determining the purposes for which and the manner in which their personal data was to be processed. (I had even considered notifying the processing with the Information Commissioner, although I know that they would (wrongly) consider I was exempt under section 36 of the Data Protection Act 1998)). But if I don’t even know what my site is doing, in what way can I be said to determine the data processing purposes and manner? But if I can’t, then should I stop doing it? I don’t like to be nominally responsible for activities I can’t control.

Fourthly, and finally, can anyone tell me why my out-of-control blog is asking users to give me their location, and how I can turn the damned thing off?

UPDATE: 30.06.14

The consensus from lots and lots of helpful and much-appreciated comments seems to be a) that this location thingy is embedded in the wordpress software (maybe the theme software), and b) I should migrate to self-hosting.

The latter option sounds good, but I have to remind people that I DON’T KNOW WHAT I’M DOING.

UPDATE:05.07.14

The rather excellent Rich Greenhill seems to have identified the problem (I trust his judgement, but haven’t confirmed this). He says “WordPress inserts mobile-only getCurrentPosition from aka-cdn-nsDOTadtechusDOTcom/…DAC.js via adsDOTmopubDOTcom in WP ad script”…”Basically, WordPress inserts ads; but, for mobile devices only, the imported ad code also attempts to detect geo coordinates”.

So it dooes look like I, and other wordpress.com bloggers, who can’t afford the “no ads” option, are stuck with this unless or until we can migrate away.

UPDATE: 11.07.14

We are informed that the code which asks (some) mobile users for their location when browsing this blog has now been corrected. Please let me know if it isn’t.

3 Comments

Filed under Data Protection, Information Commissioner, Personal, social media, tracking

Tagged as ,

June 27, 2014 · 9:18 am

Google is not a library, Dr Cavoukian

The outgoing Ontario Information and Privacy Commissioner Ann Cavoukian, whose time in office has been hugely, and globally, influential (see in particular Privacy by Design) has co-written (with Christopher Wolf) an article strongly criticising the judgment of the Court of Justice of the European Union (CJEU) in the Google Spain case.

For anyone who has been in the wilderness for the last few weeks, in Google Spain the CJEU ruled that Google Spain, as a subsidiary of Google inc. operating on Spanish territory, was covered by the obligations of the European Data Protection Directive 95/46/EC, that it was operating as an entity that processed personal data in the capacity of a data controller, and that it was accordingly required to consider applications from data subjects for removal of search returns. Thus, what is loosely called a “right to be forgotten” is seen already to exist in the current data protection regime.

Many have written on this landmark CJEU ruling (I commend in particular Dr David Erdos’s take, on the UK Constitutional Law Blog) and I am not here going to go into any great detail, but what I did take issue with in the Cavoukian and Wolf piece was the figurative comparison of Google with a public library:

A man walks into a library. He asks to see the librarian. He tells the librarian there is a book on the shelves of the library that contains truthful, historical information about his past conduct, but he says he is a changed man now and the book is no longer relevant. He insists that any reference in the library’s card catalog and electronic indexing system associating him with the book be removed, or he will go to the authorities…

…The government agent threatens to fine or jail the librarian if he does not comply with the man’s request to remove the reference to the unflattering book in the library’s indexing system.

Is this a scenario out of George Orwell’s Nineteen Eighty-Four? No, this is the logical extension of a recent ruling from Europe’s highest court

(I pause briefly to say that if I never see another reference to Orwell in the context of privacy debate I will die a happy man).

I’m fond of analogies but Cavoukian’s and Wolf’s one (or maybe it’s a metaphor?) is facile. I think it could more accurately say

A man walks into a library. He sees that, once again, the library has chosen, because of how it organises its profit-making activities, to give great prominence to a book which contains information about his past conduct, which is no longer relevant, and which it is unfair to highlight. He asks them to give less prominence to it.

Cavoukian and Wolf accept that there should be a right to remove “illegal defamatory” content if someone posts it online, but feel that the issue of links to “unflattering, but accurate” information should be explored using “other solutions”. (I pause again to note that “unflattering” is an odd and loaded word to use here: Mr Gonzalez, in the Google Spain case, was concerned about out-of-date information about bankruptcy, and other people who might want to exercise a right to removal of links might be concerned by much worse than “unflattering” information).

I don’t disagree that other solutions should be explored to the issue of the persistence or reemergence of old information which data subjects reasonably no longer wish to be known, but people are entitled to use the laws which exist to pursue their aims, and the application by the CJEU of data protection law to the issues pleaded was, to an extent, uncontroversial (is Google a data controller? if it is, what are its obligations to respect a request to desist from processing?)

Cavoukian and Wolf criticise the CJEU for failing to provide sufficient instruction on how “the right to be forgotten” should be applied, and for failing to consider whether “online actors other than search engines have a duty to ‘scrub’ the Internet of unflattering yet truthful facts”, but a court can only consider the issues pleaded before it, and these weren’t. Where I do agree with them is in their criticism of the apparent failure by the CJEU, when giving effect to the privacy rights in Article 8 of the European Convention on Human Rights, and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, to consider adequately, if at all, the countervailing rights to freedom of expression in Article 10 of the former and Article 11 of the latter. In this respect, the prior Opinion of the Advocate General was perhaps to be preferred.

The key word in my replacement library ananolgy above is “chosen”. Google is not a passive and inert indexing system. Rather, it is a dynamic and commercially-driven system which uses complex algorithms to determine which results appear against which search terms. It already exercises editorial control over results, and will remove some which it is satisfied are clearly unlawful or which constitute civil wrongs such as breach of copyright. Is it so wrong that (if it gives appropriate weight to the (sometimes) competing considerations of privacy and freedom of expression) it should be required to consider a request to remove unfair and outdated private information?

 

 

2 Comments

Filed under Data Protection, Directive 95/46/EC, Europe, human rights, Privacy

Tagged as , ,

June 25, 2014 · 6:24 pm

Wading through the rules: fairness for litigants in the Information Tribunal

Any judicial system needs to have rules to ensure effective and efficient case management: failure to do so risks delays, backlogs and, ultimately, breaches of natural justice and Article 6 Convention rights. Thus, we have the civil, the criminal, and the family procedure rules, and, within the tribunal system, the 2008 Upper Tribunal Rules, and a whole host of First-tier Tribunal Rules (the ones relating to Information Rights cases are the General Regulatory Chamber Rules 2009 (TPR)). In addition, there are Practice Notes (such as one for “Closed Material in Information Rights Cases”) and a range of forms and guidance.  There are even specific “Guidance notes for individuals representing themselves in freedom of information appeals in the general regulatory chamber of the first-tier tribunal” (which I shall call the “LiP Guidance” (with LiP meaning Litigant in Person)). (Interestingly, the only copy of this I can find online is hosted on a third party site.)

For such litigants in person, these sources of rules and guidance (and the navigating of them) are essential but complicated. A neat illustration of this point comes in a recent judgment of the Upper Tribunal on a Freedom of Information Act 2000 (FOIA) case.

In the First-tier Tribunal (FTT) a Mr Matthews had sought to appeal the Information Commissioner’s (IC) decision notice  that the Department for Business, Innovation and Skills (DBIS) didn’t hold the majority of information sought about the tendering process for the delivery of marketing workshops from Business Link West Midlands, and that what it did hold was exempt from disclosure under section 40(2) of FOIA. Mr Matthews, referring to the LiP Guidance (at paragraph 16) asked for, and expected, an oral hearing.

However, in responding to the notice of appeal, the IC applied successfully, under rule 8(2)(a) of the TPR to “strike out” one ground of appeal, and under rule 8(3)(c) to “strike out” the remainder.

Lawyers, and those who deal in this subject regularly, recognise that to “strike out” all grounds of appeal means the appeal is no more. But others might sympathise with Mr Matthews, who did not have any help on this matter from the LiP Guidance, and who, when asked by the Upper Tribunal judge, explained that what he had thought it meant was

that the way in which he had written his grounds out may be stuck through or altered, or sent back to him to change, but that the appeal itself would continue

So, we have Mr Matthews, still expecting an appeal with a hearing, but getting neither.

But was he entitled to a hearing, not of his substantive appeal, but to determine whether his appeal should be struck out? This was what was, in the main, at issue in the Upper Tribunal.

Rule 32(3) of the TPR says that the general rule that the FTT must hold a hearing before disposing of an appeal need not apply when deciding whether to strike out a party’s case. It does not preclude a hearing, though, but, rather, leaves it to the FTT’s discretion. In this instance the Upper Tribunal judge decided that the FTT erred in law in not exercising its discretion to hold a hearing and, alternatively or additionally, for failing to give any reasons for not holding a hearing.

Accordingly, the case is remitted to the FTT for it to hold an oral hearing of the strike-out application.

This might seem a very convoluted and unimportant judgment, but it shows the Upper Tribunal is alive to the difficulties faced by lay self-represented litigants in what should be more of an inquisitorial, rather than adversial, system. And it shows, as have other cases before it (see for instance Dransfield v IC & Devon Council, and IICUS v IC & BIS & Ray) that the Upper Tribunal is not unwilling to remit cases to the FTT on grounds of procedural unfairness.

3 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as

June 24, 2014 · 8:59 am

Social media crimes at least 50% of front line policing? I don’t think so

UPDATE: The BBC have now amended the headline, but, as FullFact point out, there are still concerns about the accuracy of the story.

What looks like a silly and hyperbolic BBC headline about crimes on social media is getting a lot of coverage. On social media. Here I question whether it’s accurate. On social media

Trailing the always excellent Joshua Rozenberg programme Law in Action the BBC has run a story with a headline saying

Social media crimes ‘at least half’ of front-line policing

And Law in Action’s own page on the broadcast in question also says

Chief Constable Alex Marshall, head of the College of Policing…estimates that as much as half of a front-line officer’s daily workload is spent dealing with calls related to online disputes

I know the BBC has to publicise itself, and maybe the programme itself will support the assertions made, but the quotes attributed to Mr Marshall don’t do so. He says

[Reports of crime involving social media are] a real problem for people working on the front line of policing, and they deal with this every day…So in a typical day where perhaps they deal with a dozen calls, they might expect that at least half of them, whether around antisocial behaviour or abuse or threats of assault may well relate to social media, Facebook, Twitter or other forms

SO what he’s actually saying is that of the dozen or so calls that a front line officer receives a day, about half “may well” relate to social media. Now, I may be naive, but surely a front line police officer’s workload is about an awful lot more than receiving calls. Even if a call is often the precursor to further actions, Mr Marshall doesn’t suggest that the calls about social media inevitably lead to such further action. In fact, I would be amazed if they did, and, indeed, other remarks attributed to Mr Marshall and an unnamed officer suggest that many of these calls relate to obviously non-criminal matters, and the clear implication is that they will lead to no further action whatsoever.

Crimes involving or committed on social media are a serious societal and policing issue, and I am sure Law in Action itself will consider this in its usual measured and serious way, but for the BBC to suggest that the issue takes up more than half of front line policing resource seems to me to be hyperbolic and irresponsible.

Leave a comment

Filed under BBC, police, social media

June 18, 2014 · 5:21 pm

The Partridge Review reveals apparently huge data protection breaches

Does the Partridge Review of NHS transfers of hospital episode patient data point towards one of the biggest DPA breaches ever?

In February this year Tim Kelsey, NHS England’s National Director for Patients and Information, and vocal cheerleader for the care.data initiative, assured the public, in an interview on the Radio 4 Today programme, that in the twenty five years that Hospital Episode Statistics (HES) have been shared with other organisations

the management of the hospital episode database…there has never been a single example of that data being compromised, the privacy of patients being compromised…

When pressed by medConfidential‘s Phil Booth about this, and about risks of reidentification from the datasets, Tim repeated that no patient’s privacy had been compromised.

Some of us doubted this, as news of specific incidents of data loss emerged, and even more so as further news emerged suggesting that there had been transfers (a.k.a. sale) of huge amounts of potentially identifiable patient data to, for instance, the Institute and Faculty of Actuaries. The latter news led me to ask the Information Commissioner’s Office (ICO) to assess the lawfulness of this processing, an assessment which has not been completed four months later.

However, with the publication on 17 June of Sir Nick Partridge’s Review of Data Releases by the NHS Information Centre one questions the basis for Tim’s assertions. Sir Nick commissioned PwC to analyse a total of 3059 data releases between 2005 and 2013 (when the NHS Information Centre (NHSIC) ceased to exist, and was replaced by the Health and Social Care Information Centre HSCIC). The summary report to the Review says that

It disappoints me to report that the review has discovered lapses in the strict arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly

and it reveals a series of concerning and serious failures of data governance, including

  • lack of detailed records between 1 April 2005 and 31 March 2009
  • two cases of data that was apparently released without a proper record remaining of which organisation received the data
  • [no] evidence that Northgate [the NHSIC contractor responsible for releases] got permission from the NHS IC before making releases as it was supposed to do
  • PwC could not find records to confirm full compliance in about 10% of the sample

 Sir Nick observes that

 the system did not have the checks and balances needed to ensure that the appropriate authority was always in place before data was released. In many cases the decision making process was unclear and the records of decisions are incomplete.

and crucially

It also seems clear that the responsibilities of becoming a data controller, something that happens as soon as an organisation receives data under a data sharing agreement, were not always clear to those who received data. The importance of data controllers understanding their responsibilities remains vital to the protection of people’s confidentiality

(This resonates with my concern, in my request to the ICO to assess the transfer of data from HES to the actuarial society, about what the legal basis was for the latter’s processing).

Notably, Sir Nick dispenses with the idea that data such as HES was anonymised:

The data provided to these other organisations under data sharing agreements is not anonymised. Although names and addresses are normally removed, it is possible that the identity of individuals may be deduced if the data is linked to other data

 And if it was not anonymised, then the Data Protection Act 1998 (DPA) is engaged.

All of this indicates a failure to take appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, which the perspicacious among you will identify as one of the key statutory obligations placed on data controllers by the seventh data protection principle in the DPA.

Sir Nick may say

 It is a matter of fact that no individual ever complained that their confidentiality had been breached as a result of data being shared or lost by the NHS IC

but simply because no complaint was made (at the time – complaints certainly have been made since concerns started to be raised) does not mean that the seventh principle was not contravened, in a serious way.  And a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress can potentially lead to the ICO serving a monetary penalty notice (MPN) to a maximum of £500,000 (at least for contraventions after April 2010, when the ICO’s powers commenced).

The NHSIC is no more (although as Sir Nick says, HSCIC “inherited many of the NHS IC’s staff and procedures”). But that has not stopped the ICO serving MPNs on successor organisation in circumstances where their predecessors committed the contravention.  One waits with interest to see whether the ICO will take any enforcement action, but I think it’s important that they consider doing so, because, even though Sir Nick makes nine very sensible recommendations to HSCIC, one could be forgiven – having been given clear assurances previously, by the likes of Tim Kelsey and others – for having reservations as to future governance of our confidential medical data. I would suggest it is imperative that HSCIC know that their processing of personal data is now subject to close oversight by all relevant regulatory bodies.

 

 

 

 

 

 

 

 

 

2 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, monetary penalty notice, NHS, Privacy

Tagged as , , ,