November 4, 2013 · 12:06 pm

NADPO annual conference

In what little spare time I have I perform the role of Secretary of NADPO – the National Association of Data Protection and Freedom of Information Officers. NADPO holds its annual conference in London on 22 November. The call to members has gone out, and also to members of the Data Protection Forum, with whom we have informal reciprocal arrangements.  Now, for the first time, we have decided to make any spare places publicly available.

The line-up is as impressive as ever (if not more so): we have Jonathan Bamford, from the Information Commissioner’s Office, the BBC’s Martin Rosenbaum , Dr Ian Brown, from the Oxford Internet Institute, David Allen Green, author of the highly regarded Jack of Kent blog, and legal commentator for The Financial Times, S A Mathieson, senior analyst for EHI Intelligence and a freelance journalist and Antonis Patrikios, Director at Field Fisher Waterhouse’s Privacy and Information team. We also have the Law Commission, who will be talking about, and seeking attendees’ views on, their scoping project on Data Sharing between public bodies.

Spare places, if any are available, will be offered to those who express interest on a first-come-first-served basis, at a ridiculous bargain rate of £50.

The conference takes place at Field Fisher Waterhouse’s offices in Vine Street, EC3N.

If you’re interested in attending feel free to contact me using the form on this page.

← Back

Thank you for your response. ✨

Leave a comment

Filed under Uncategorized

October 25, 2013 · 4:02 pm

One for the insomniacs – Upper Tribunal on EIRs and commercial confidentiality

In May 2012 I blogged about a case in the First-tier Tribunal (Information Rights) (FTT).  It was an appeal by  Swansea Friends of the Earth against a decision of the Information Commissioner (IC) not to require the Environment Agency to disclose  information relating to financial guarantee arrangements put in place a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea.

I was critical of the FTT’s approach to breach of confidence, as it applies to the Environmental Information Regulations 2004 (EIR). However, with the handing down of judgment by the Upper Tribunal, following an appeal by Natural Resources Wales, as successor to the Environment Agency, I see I was wrong on two points (one minor, one major), right on another, and my key point was left undecided. Exciting stuff folks – hold on to your hats!

My minor error was to repeat the FTT’s description of Megarry J’s classic tri-partite breach of confidence test in Coco v A N Clark (Engineers) Ltd [1969] RPC 44 as being a common law doctrine. As the Upper Tribunal points out

That, to be correct, is a decision about the equitable doctrine of confidential communication (not the common law) that may arise otherwise than by contract between the parties

Silly me. Silly FTT.

Natural Resources Wales argued before the Upper Tribunal that

there was a statutory obligation in place [militating against disclosure], so that the Agency did not have to rely on equitable grounds

And this goes to my major error, which was to overlook, in striving to make a point of general application about the modern development of the law of confidence, that in this specific case the IC’s original Decision Notice had found that information in question was confidential for the purposes of Regulation 12(5)(e) of the EIR firstly because the provisions of the Pollution Prevention and Control (England and Wales) Regulations 2000 (PPCR) (which were the regulations – since revoked and remade – which applied to the licence in question) effectively made it so, and only secondly because the information and the circumstances by which it came into the Environment Agency’s control met the Coco v Clark tests.

Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The Upper Tribunal held that the FTT had erred in law, saying (paragraphs 51-52), as had the IC in the first instance, that relevant provisions of the PPCR meant that confidentiality was “provided by law to protect a legitimate economic interest”:

disclosure of the relevant information would adversely affect confidentiality “where such confidentiality is provided by law to protect a legitimate economic interest”… Here that must be regarded as a reference across to regulation 31 of the 2000 Regulations. Regulation 31(1)(a) makes an express reference to commercial confidentiality. The factual background to these appeals makes it plain that the figures in question here were figures produced within the 2000 Regulations framework and were subject to the necessary application and ruling to protect confidentiality of them

So it was not necessary to consider whether the information was also covered by the equitable doctrine of confidence.

The point on which I was right (in my original post) was regarding whether, or the extent to which, regulation 12(5)(e) of the EIR was directly comparable to the similar section 41 of the Freedom of Information Act 2000 (FOIA). I said

This extension of the FOIA confidentiality principles into the EIR is controversial…

and the Upper Tribunal judge says

the tests in section 41 and regulation 12 are separate and cannot be read together to include in one something in the other simply because they deal with similar issues

which is pretty unequivocal (and see also Chichester District Council v IC and Friel (GIA 1253 2011), cited as authority for the lack of analogy between the two).

Finally, another point I hadn’t addressed (although Phil Bradshaw did, in the comments to my original post) concerns the failure by the FTT to distinguish between the location of information in documents, with the information itself. The FTT had said

the information came into existence through a process of negotiation between the parties

but this surely was not the case – rather, documents, containing information, came into existence through a process of negotiation. But the information itself was caught by regulation 12(5)(e)

the focus is on this information, not on any particular document or form in which those figures are recorded or any process by which they emerged. I accordingly agree with the challengers that in so far as the First-tier Tribunal concerned itself with the specific location of those figures in specific documents produced as part of the licensing process rather than the information itself it was wrong in law

So there you have it. A rip-roaring convoluted run-through of why an obscure old blog post by me was slightly wrong and slightly right. I aim to please.

Leave a comment

Filed under Confidentiality, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as ,

October 11, 2013 · 4:06 pm

The Moanliness of the Long-distance Runner

Another in the Let’s Blame Data Protection series, in which I waste a lot of energy on something not really worth the effort

The Bournemouth Daily Echo reports that

Hundreds of disgruntled runners who took part in the inaugural Bournemouth Marathon Festival have accused event organisers of withholding information by failing to provide full race results.

and, with rather dull predicability, there’s a familiar apparent culprit

GSi Events Ltd, the team behind the BMF, has published the top ten runners in the various age categories, but is refusing to publish all the results on the grounds of data protection.

But does data protection law really prevent publication of this sort of information? The answer, I think, is “no”, and the reason for this is tied to issues of fairness and consent

The first data protection principle, in Schedule One of the Data Protection Act 1998 (DPA) says that personal data (broadly, information relating to an identifiable individual) must be “processed” (publication is one form of processing) fairly and lawfully.

The concept of fairness is not an easy one to grasp or define, but helpfully the DPA provides a gloss on it, which, to paraphrase, is that if people are properly informed about how their data is going to be processed (who is doing the processing, and for what purpose)  then a key element of “fairness” is met. The Information Commissioner’s Privacy Notices Code of Practice explains

A privacy notice should be genuinely informative. Properly and thoughtfully drawn up, it can make your organisation more transparent and should reassure people that they can trust you with their personal information

The first data protection principle goes on to say that (in particular) personal data shall not be processed at least one of the conditions in Schedule 2 of the Act is met (and Schedule 3, in the case of higher-category sensitive personal data). One of those conditions is

The data subject has given his consent to the processing.

“Consent” is not defined in the DPA, but it is given a definition in the EC Data Protection Directive, to which the DPA gives domestic effect. The Directive says that consent

shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

“Specific” and “signifies” are generally taken to mean that implied consent is not valid in this context, (although the practice of implying consent to processing is widespread). Nonetheless, it seems clear that, with a privacy notice, sensibly drafted, the organisers of the Bournemouth Marathon could easily have said to those registering to race “your race result/time will be published, unless you object”. When one looks at the actual privacy notice, however, such a term is absent. 

I suppose that means one could argue that, under the current privacy notice, publishing the race details would be in breach of the DPA. I suppose I could also construct a counter-argument to that to the effect that publication is necessary in pursuance of legitimate interests of the race organisers (for instance to show that it was a real flipping race) when balanced against the legitimate interests of the racers.

But ultimately, come on, it’s just silly to blame data protection: the vast, vast majority of people take part in a marathon knowing that it’s a public event, where they’ll gather plaudits or attract ridicule. Any expectation of privacy of race results is effectively non-existent.

Publish the damn race results, take the infinitesimal risk of someone complaining (a complaint which no one, i.e. the Information Commissioner and the courts, will take seriously or be able to offer a remedy to) and sort your privacy notice out for next year.

Leave a comment

Filed under Data Protection, Let's Blame Data Protection

Tagged as

October 10, 2013 · 8:55 am

Let’s Blame Data Protection – the Gove files

Thanks to Tim Turner, for letting me blog about the FOI request he made which gives rise to this piece

On the 12th September the Education Secretary, Michael Gove, in an op-ed piece in the Telegraph, sub-headed “No longer will the quality, policies and location of care homes be kept a secret” said

A year ago, when the first shocking cases of sexual exploitation in Rochdale were prosecuted, we set up expert groups to help us understand what we might do better…Was cost a factor? Did we need to spend more? There was a lack of clarity about costs. And – most worrying of all – there was a lack of the most basic information about where these homes existed, who was responsible for them, and how good they were….To my astonishment, when I tried to find out more, I was met with a wall of silence

And he was in doubt about where the blame lay (no guesses…)

The only responsible body with the information we needed was Ofsted, which registers children’s homes – yet Ofsted was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police. Local authorities could only access information via a complex and time-consuming application process – and some simply did not bother…[so] we changed the absurd rules that prevented information being shared

This seemed a bit odd. Why on earth would “data protection” rules prevent disclosure of location, ownership and standards of children’s homes? I could understand that there were potentially child protection concerns in the too-broad-sharing of information about locations (and I don’t find that “bewildering”) but data protection rules, as laid out in the Data Protection Act 1998 (DPA), only apply to information relating to identifiable individuals. This seemd odd, and Tim Turner took it upon himself to delve deeper. He made a freedom of information request to the Department for Education, asking

1) Which ‘absurd’ rules was Mr. Gove referring to in the first
statement?

2) What changes were made that Mr. Gove referred to in the second
statement?

3) Mr Gove referred to ‘Data Protection’ rules. As part of the
process that he is describing, has any problem been identified with
the Data Protection Act?

Fair play to the DfE – they responded within the statutory timescales, explaining

Regulation 7(5) of the Care Standards Act 2000 (Registration) (England) Regulations 2010 …prohibited Ofsted from disclosing parts of its register of children’s homes to any body other than to a local authority where a home is located. Whatever the original intention behind this limitation, it represented a barrier preventing Ofsted from providing information about homes’ locations to local police forces, which have explicit responsibilities for safeguarding all children in their area…we introduced an amendment to Regulation 7 with effect from April 2013

But their response also revealed what had been very obvious all along: this had nothing to do with data protection rules:

the reference to “data protection” rules in Mr Gove’s article involved the Regulations discussed above, made under section 36 of the Care Standards Act 2000. His comments were not intended as a reference to the Data Protection Act 1998

This is disingenuous: “data protection” has a very clear and statutory context, and to extend it to more broadly mean “information sharing” is misleading and pointless. One could perhaps understand it if Gove had said this in an oral interview, but his piece will have been checked carefully before publication, and personally I am in no doubt that blaming data protection has a political dimension. The government is determined, for some right reasons, and some wrong ones, to make the sharing of public sector data more easy, and data protection does, sometimes – and rightly – present an obstacle to this, when the data in question is personal data and the sharing is potentially unfair or unlawful. Anything which associates “data protection” with a risk to child safety, serves to represent it as bureaucratic and dangerous, and serves the government agenda.

And the rather delicious irony of all this – as pointed out on twitter by Rich Greenhill – is that the “absurd rules” (the Care Standards Act 2000 (Registration) (England) Regulations 2010) criticised by Gove were made on 24 August 2010. And the Secretary of State who made these absurd rules was, of course, the Right Honourable Michael Gove MP.

How absurd.

Leave a comment

Filed under Data Protection, data sharing, Freedom of Information, Let's Blame Data Protection, transparency

October 4, 2013 · 12:58 pm

Photographing sleeping people – data protection implications

Is it ever OK to photograph strangers on a train? asks Nell Frizzell, in a balanced, and nuanced, article in the Guardian

one new public transport phenomenon has recently crashed into my consciousness. Tumblr accounts dedicated to secretly photographing, uploading and then critiquing fellow commuters, have spored like bed bugs on a bus seat.

She correctly points out that domestic law, even to the extent that it gives effect to Article 8 of the European Convention on Human Rights, does not prevent, in general terms, the act of photographing an individual without their consent.

However, the practice she describes, of uploading photographs to social media sites, does engage, and, I would argue, breach, the Data Protection Act 1998 (DPA).

An image of a person is potentially (and in these specific cases almost certainly) their personal data (particularly bearing in mind the observation by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746 that for information to be personal data it “should have the putative data subject as its focus”). The DPA contains an exemption (at section 36) from all the provisions of the DPA for processing of personal data by an individual for the purposes of that individual’s personal, family or household affairs (including recreational purposes) (the “domestic purposes exemption”). It is possible, although arguable, that the mere taking (and no more) of a photograph of someone on a train, would be caught by this exemption. However, once such a photograph is uploaded to the internet, the exemption falls away. This is because the European Court of Justice held, in a 2003 ruling that binds all inferior courts, that personal data posted on the internet could not be caught by the domestic purposes exemption (Lindqvist (Approximation of laws) [2003] EUECJ C-101/01).

That said, the Information Commissioner’s Office (ICO), which regulates the DPA in the UK, has shown reluctance to accept this authoritative statement of the law regarding the online processing of personal data. I have previously written about this, in the context of the ICO’s social media DPA guidance, which sidesteps (or, rather, ignores) the point. However, it might be more difficult for a domestic court (bound by the authority of Lindqvist) to ignore it in the same way, in the event that any case came before one for determination.

But therein lies the (lack of) rub. Uploading a photograph, without consent, of someone sleeping on a train is unfair, and therefore in breach of the first Data Protection Principle (because no Schedule 2 condition exists which permits the processing). But I struggle to imagine the chain of events which could give rise to a claim (for instance, the data subject would have to contact the photographer, or the site, to require them to cease processing on the grounds that doing so was causing, or was likely to cause, substantial damage or substantial distress, and the photographer, or site, would have to refuse).

So, ultimately, even though I’d argue that these sites, and those who upload to them, breach the DPA, the unwillingness of the ICO to exercise jurisdiction, and the unlikelihood of any legal claim emerging, mean that they can probably continue with impunity, unfairness notwithstanding.

As photographer Paul Clarke said in an excellent blogpost on the subject earlier this year

Sticking to rigid rules of law won’t help us very much. This might feel (it does to me) like gross intrusion on privacy. But being offensive is not enough to make something an offence.

6 Comments

Filed under Data Protection, human rights, Information Commissioner, Privacy, social media

Tagged as , ,

October 4, 2013 · 8:20 am

CQC and data protection, redux

In June this year I blogged about the furore caused when the Care Quality Commission (CQC) initially refused, citing data protection law, to identify four members of staff who were alleged to have tried to cover up an critical internally-commissioned report into its oversight of the University Hospitals Morecambe Bay NHS Trust.

Even Christopher Graham, the Information Commissioner got involved, saying

This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear

and, perhaps as a result of his intervention, the day after the news broke, the CQC changed position, saying

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

I had wondered if the reason for the initial non-disclosure was because of doubt as to the veracity of the reported cover-up comments, perhaps in conjunction with a challenge by the data subjects, on the basis that publishing that they had made those comments was untrue, and potentially defamatory and, therefore, in breach of the Data Protection Act 1998 (DPA):

on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage

Yesterday, news emerged that the CQC had published a statement on its website exonerating one of the people named

  • Anna Jefferson had not used “any inappropriate phrases” as attributed to her by one witness quoted in the Grant Thornton report; and

  • Anna Jefferson had not supported any instruction to delete an internal report prepared by a colleague – Louise Dineley.

The CQC regrets any distress Anna Jefferson has suffered as a consequence of this matter

So, it looks like someone was wrongly identified as committing an act of misconduct. Ms Jefferson is said to have been “deeply upset” by the allegations, and describes it as having been a “difficult time”.

In a postscript to my original blog post I wondered idly about

the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA

It is possible that the statement on the CQC website is in fact an attempt to avoid this, or alternative, legal action. I wonder if Christopher Graham is going to revisit his comments.

1 Comment

Filed under Confidentiality, Data Protection, defamation, Information Commissioner

Tagged as , ,

October 3, 2013 · 3:40 pm

Leveson, LJ – defender of the press

Lord Justice Leveson, new President of the Queen’s Bench Division, is not the most popular judge amongst journalists and press barons.

So, in the week before the Privy Council meets to decide which system of press regulation will prevail, his detractors might take a moment to read a recent judgment of his in the Court of Appeal (Jolleys, R. v [2013] EWCA Crim 1135).

The appeal, by the Press Association, represented by the formidable Mike Dodd, was from a decision of a Recorder in Swindon Crown Court, purporting to have been made under section 39 of the Children and Young Persons Act 1933 preventing media reporting of information relating to the youngest (15-year-old) child of the defendant in the case (despite the fact that some of the information had been in the public domain prior to the making of the order). It was said that the court specifically prevented a reporter present from making representations prior to its making:

the order was put into place until it would be “properly argued” by counsel and “by somebody from the press if need be” [para 4]

This was, as Leveson LJ identified, in breach of rule 16 of the Criminal Procedure Rules, which provides that the court must not impose a rerporting restriction “unless each party and any other person affected…is present; or has had an opportunity (i) to attend, or (ii) to make representations”:

It cannot be suggested that the press were not affected by the order; indeed, it was specifically to restrict what could be reported that the order was made. This failure to allow representations at that stage represented a serious inroad into the respect owed to the press concerned to report criminal proceedings. [para 6]

Section 39 of the Children and Young Persons Act 1933 provides that

In relation to any proceedings in any court the court may direct that –

a. no newspaper report of the proceedings shall reveal the name, address, or school, or include any particulars calculated to lead to the identification, of any child or young person concerned in the proceedings, either, as being the person by or against, or in respect of whom proceedings are taken, or as being a witness therein;

b. no picture shall be published in any newspaper as being or including a picture of any child or young person so concerned in the proceedings as aforesaid;

except in so far (if at all) as may be permitted by the court.

And the Press Association successfully argued that “concerned in the proceedings” in section 39(a) could not be extended to a child who was merely the son of a defendant, but otherwise unconnected:

In relation to criminal proceedings, this can only include a child or young person who is the victim of an alleged offence, or the defendant or a witness; in civil proceedings, it could also include a child or young person on behalf of whom an action was being brought, for example, in relation to a road traffic accident or medical negligence. [para 12]

and this was supported by the unanimous view of the House of Lords in Re S (A Child) (Identification: Restrictions on Publication) [2005] AC 593  and the Court of Appeal in Re Trinity Mirror and others (A and another intervening) [2008] EWCA Crim 50 in which latter case the court had also rejected the proposition that a court’s inherent jurisdiction justified the making of an order to similar effect on Article 8 grounds

We must however add that we respectfully disagree with the judge’s further conclusion that the proper balance between the rights of these children under Article 8 and the freedom of the media and public under article 10 should be resolved in favour of the interests of the children. In our judgment, it is impossible to over emphasise the importance to be attached to the ability of the media to report criminal trials…If the court were to uphold this ruling so as to protect the rights of the defendant’s children under article 8, it would be countenancing a substantial erosion of the principle of open justice to the overwhelming disadvantage of public confidence in the criminal justice system, the free reporting of criminal trials and the proper identification of those convicted and sentenced in them [paras 32 and 33 of Re Trinity Mirror and others]

Leveson LJ identified other problems with the Recorder’s approach

he [also] approached the issue from the wrong direction. It was for anyone seeking to derogate from open justice to justify that derogation by clear and cogent evidence…The order was made when defence counsel asserted the likelihood of the defendant’s son suffering “the most extraordinary stigma through no fault of his own” which caused the Recorder to ask the reporter what the need for identifying the son was, rather than whether it was necessary to restrict his identification. [para 16]

and the point was made that a section 39 order, although generally obeyed in spirit as well as letter by the press, may not be the most appropriate form of order, applying as it does only to reports in newspapers, and in sound and television broadcasts: social media are not caught by it (“any further developments in this area of the law must be for Parliament”). This purported order had been “loosely” made, and Leveson LJ stressed that

Where such orders are made, they should be restricted to the language of the legislation

Mike Dodd had stated that the problems identified by this case were not uncommon, and the appeal was brought to

highlight what he contends is a continuing problem for journalists and the media, namely the willingness of courts to make unnecessary orders or to assume powers that they do not have. He submits that the courts all too often seem unaware of the guidance that is available and leave it to individual reporters (who will not be as versed in the law as the court, with the assistance of counsel, should be) to attempt to challenge the approach.

This concern was recognised

The requirements of open justice demand that judges are fully mindful of the underlying principles which this judgment has sought to elucidate

and Leveson LJ calls for – in those cases where “there is the slightest doubt, or any novel approach is suggested” regarding the appropriateness of a section 39 order being made – notice to be given in good time but also (without prejudice to the right of the press to advance its own arguments) for counsel “to research and develop the arguments to assist the court in a balanced way”.

Who said Leveson was an enemy of the press?

Leave a comment

Filed under human rights, journalism, Leveson, Open Justice

Tagged as

October 3, 2013 · 2:34 pm

Two more years for Chris Graham?

I think one mark of a true information rights nerd is whether they read minutes of meetings at the Information Commissioner’s Office (ICO), which are published, with a generally admirable commitment to transparency, on their website.

While browsing some recent minutes (of the Management Board meeting of 22 July) I noticed something interesting, which I wasn’t aware of (and haven’t seen anyone else pick up on?). Under a heading of “Major issues affecting the ICO” is

The Ministry of Justice has confirmed the Government’s intention to recommend to HM The Queen that Christopher Graham is reappointed as Information Commissioner [IC] for a period of two years following his current tenure ending in June next year.

The IC is a Crown appointment and his or her tenure is set at five years (paragraph 2(1) of Schedule 5 of the Data Protection Act 1998) but, by virtue of paragraph 2(5) he or she may be reappointed, provided he or she is not over 65, or has not already served for fifteen years. The reappointment of Christopher Graham (born 1950) will (if it happens) take him to that retirement age of of 65.

This is hardly shock news: all three of Graham’s predecessors as IC (formerly “Data Protection Registrar”) were reappointed after their initial terms of office, and he has, on most objective analyses, performed well in office: he got rid of the appalling backlog of Freedom of Information cases he inherited, and has been an effective stern-faced enforcer of data protection breaches. What he hasn’t done, yet, is see the implementation of the General Data Protection Regulation – the updating of the creaking 18-year-old current European data protection regime. But, given the apparently interminable wrangling about that instrument, one wonders whether an extra two years, starting in June 2014, will even help him achieve that.

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner

Tagged as ,

October 3, 2013 · 12:35 pm

Unintended FOI consequences

A nice little example of how a Freedom of Information (FOI) request can sometimes bring about an unexpected change, and advance a cause which has little to do with FOI.  Although in this instance I’m undecided whether this was a good thing or not.

On 3 January this year the Information Commissioner’s Office (ICO) issued a decision notice in respect of two requests for information made to Thames Valley Police (TVP) relating to

an incident in which the complainant’s driveway was blocked by the vehicle of someone he believes was visiting TVP headquarters

The ICO was satisfied, on the correct test of the balance of probabilities that TVP did not hold this information.

Nonetheless, the requester appealed that decision to the First-tier Tribunal (Information Rights), which has just issued a decision, in the form of a Consent Order disposing of the proceedings. The Schedule to the Consent Order explains

Thames Valley Police will give full and reasonable consideration to the reinstatement of 6 monthly liaison meetings with residents living in the vicinity of TVP HQ South with the objective of avoiding any unreasonable impact of operational activities on local residents

In consequence of this (and the agreement of the ICO) the request and the appeal have been withdrawn by the requester. So, a satisfactory outcome for the parties was achieved (although one notes that if the meetings are not arranged to the satisfaction of the requester, he will submit a further FOI request about the original incident!).

Of course, it would be have been preferable if this compromise could have been agreed in February 2011, when the requests first started. And a large amount of public money has been expended on something which is only very loosely, if at all, related to the aim of FOI (as stated in the explanatory notes to the Act): to provide a right of access to recorded information held by public authorities.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Tagged as ,

September 29, 2013 · 5:56 pm

A million data breaches?

Is it realistic for the ICO to expect all SMEs to encrypt hardware? And if those SMEs don’t, is it realistic to expect the ICO to enforce against what must be mass non-compliance?

Accurate figures for annual thefts and losses of laptops in the UK are not easy to come by – perhaps the most commonly-cited figure is the estimated 1 million from Sony’s Vaio Business Report 2013. On any analysis, though, it’s a relatively common occurrence.

A large proportion of these will be laptops containing personal data of people other than the owner of the device. And in many cases the device, or part of it, will be used for business purposes, often by small and medium-sized enterprises (SMEs). Personal data processed solely for domestic purposes is outwith the obligations of the Data Protection Act 1998 (DPA), but any personal data processed for business purposes is caught by the Act, and the person or business processing that data is likely to be a data controller.

As data controller, they will have an obligation inter alia to take “Appropriate technical and organisational measures …against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (Principle 7 of Schedule One, DPA). A serious contravention of this obligation, of a sort likely to cause serious damage or serious distress, can lead to the Information Commissioner’s Office (ICO) serving the data controller with a Monetary Penalty Notice (MPN), under section 55A, to a maximum of £500,000.

And so it was this week that the ICO served Jala Transport Ltd, an oddly-named loans company, with an MPN of £5000 after

a hard drive containing financial details relating to all of the sole proprietor’s approximately 250 customers…[was stolen] from the business owner’s car while it was stationary at a set of traffic lights in London

The hard drive was in a case, with documents and some cash, and has still not been recovered.

Despite one’s possible distaste for the nature of the business involved (it may be difficult to muster much sympathy for a loans company), this case raises some interesting points, specifically for small-to-medium enterprises (SMEs) but also in general.

The MPN itself reveals that the business did not have a backup of the hard drive. This is a ridiculous oversight, when secure storage is simple, and cheap. But

it was taken home at the end of each working day for business continuity purposes and to reduce the risk of damage or theft

However, by not

closing the car window and placing the briefcase in the boot of his car or out of sight

this unsuccessful but probably well-meaning attempt at data security -and a business continuity plan – became an aggravating factor.

However, what really did for the proprietor was, “crucially”, that although the laptop was password-protected, it was not encrypted, and this led the ICO to repeat previous warnings about the need for encryption in these circumstances

We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected…if the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act

Several questions are raised by this case, and this approach by the ICO. Firstly, encryption, for individual devices, is not necessarily straight-forward, and carries its own risks. This is not to say that attempts should not be made at either full disk encryption or file/folder encryption, but not all SMEs necessarily have the time or expertise to explore this effectively. Secondly, one notes that one of the reasons the MPN was imposed was because the ICO felt that the serious contravention of the DPA was of a sort likely to lead to serious damage in the form of identity theft. It was a very similar argument that the Information Tribunal recently refused to accept as being a likely consequence of another serious contravention, when it upheld Scottish Borders Council’s recent MPN appeal. £5000 is not a huge amount, and the time and expense of pursuing an appeal might be too much, but it will be interesting to see if one is lodged.

Finally – following on from the point that encryption of single standalone devices isn’t necessarily straightforward – one has to wonder how many of those estimated one million lost and stolen laptops were encrypted, and, of those that weren’t, how many contained personal data which required the relevant data controller to observe the security obligations of the DPA. Jala Transport appears to have taken the admirable, but perhaps ill-conceived, decision to report the theft to the ICO itself (and may now be regretting that decision).

If all the data controllers of those thousands and thousands of laptops lost or stolen annually reported the loss to the ICO, how many would have to own up to lack of encryption, and be liable to a similar or possibly larger MPN? And could the ICO possibly cope with the workload?

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice, Uncategorized