Back to Blacklists

Could action taken by the ICO in 2009 still have a part to play if construction industry blacklisting has continued? (acknowledgement: Tim Turner made some of these points back in January this year)

In 2009 the Information Commissioner prosecuted Ian Kerr, the then chief officer of a body called the Consulting Association. The Consulting Association had been holding a blacklist of people within the construction industry seen as “troublemakers” (a blacklist inherited from the Economic League, as detailed in Tim Turner’s superb post on the subject) and making this information available to clients on payment of a fee. The fall-out from this continues to this day, with, on the one hand civil claims being pursued, for what I understand to be common law “unlawful means conspiracy” and defamation, and on the other hand, the reports that the Information Commissioner’s Office (ICO) has been asked by Business Secretary, Vince Cable, to investigate allegations that the practice has continued to this day, on major construction projects like the Olympic Park and Crossrail (by the way, the extraordinary testimony of Gail Cartmail of Unite, in that last link, is essential reading).

The ICO’s prosecution of Kerr was for the relatively minor (and relatively rarely enforced) offence under the Data Protection Act 1998 (DPA) of failing to register with the ICO for his processing of personal data. No other sanction was, apparently, open to the ICO at the time. This was because the current regime of civil Monetary Penalty Notices (MPNs) for serious contraventions of the DPA had not then commenced.

As Chris Pounder pointed out at the time, there is even a query, applying the strict definitions of “data” in section 1(1), whether a blacklist held solely on paper, and arranged in, say, date order (rather than by reference to individuals), is even caught by the DPA. If not, then enforcement by the ICO would not be possible. This is because “data” broadly applies only to electronically-processed information or information held as part of a filing system structured by reference to individuals or criteria relating to individuals. One hopes that any alleged blacklisters haven’t made a habit of reading Chris’s blog and subsequently exploited a loophole that remains open.

Putting to one side this “loophole” point, it is likely that any processing of personal data which unfairly and unlawfully deprived someone of employment would constitute a serious contravention of the DPA, probably causing substantial damage and distress, and thus potentially attracting an MPN. An MPN is a relatively powerful weapon in the ICO’s armoury, and in my opinion one that has been used well to drive up data protection standards and drive home the importance of data security. Whether a huge construction firm would notice a (maximum) £500,000 penalty is another matter.

And, of course, none of the money paid under an MPN goes to the victim of a serious DPA contravention (it goes to the government consolidated fund). However, it is open to a data subject in such circumstances to bring a claim in the county court under section 13 of the DPA. Compensation is available if specific damage can be shown, and, if damage can be shown, further compensation for distress can follow. It is not clear to me whether the current claims from the 2009 events contain DPA claims, but the fact that they are being reported primarily as claims for tortious conspiracy suggests that even if so, they are subsidiary to the latter.

However, there is one further sanction which Tim Turner alludes to, which might possibly be in play. When the ICO prosecuted Kerr it also took steps to close down the practice, by issuing DPA enforcement notices against fourteen construction companies who had been proved to have used the list or supplied information: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited. An example of one of the enforcement notices is archived here. It required the company broadly to

Refrain from using, disclosing or otherwise processing any personal data obtained from Mr Kerr

but also to

Ensure that if any personal data relating to recruitment is obtained from a source other than the data subject, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

Ensure that if any personal data relating to recruitment is disclosed to a third party for use in connection with the recruitment of workers, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

The notices do not appear to have been effective only for a fixed period, so one is to assume that they remain effective*. If any of the firms upon which they were served have since breached the terms of the notice they could potentially have committed an offence under section 47(1) of the DPA. That offence is triable either-way, and anyone found guilty is liable on summary conviction, to a fine not exceeding £5000, or on conviction on indictment, to an unlimited fine. And, by section 61 of the DPA, where, as here, the notices were served on bodies corporate, the bodies’ directors and some other officers can also be guilty of the offence of failing to comply with an enforcement notice if the offence is proved to have been committed with their consent or connivance or to be attributable to their neglect.

One wonders if the ICO’s 2009 enforcement proceedings may still have some part to play.

UPDATE: 15 August 2013

*The ICO has confirmed to me that they have no record of any of the Enforcement Notices being cancelled or varied, nor of any applications to cancel or vary being received. The ICO considers that the Enforcement Notices are still effective.


Filed under damages, Data Protection, employment, enforcement, Information Commissioner, monetary penalty notice

It’s not fine.

About the rather odd Friday afternoon news that the ICO has served enforcement notices, not monetary penalties, on three police forces

In February 2011 the Information Commissioner (IC) served civil Monetary Penalty Notices (MPNs) under section 55A-E of the Data Protection Act 1998 (DPA) on Ealing and Hounslow Councils (£80,000 and £70,000 respectively), after two unencrypted laptops containing sensitive personal data of approximately 1700 individuals were stolen. The Councils had a joint working arrangement whereby Ealing would provide an out-of-hours service on behalf of both councils. The MPNs were fair enough – the IC and others had been saying for some time that encryption of hardware was a necessary data security measure, and even though Ealing Council had a policy on this, it issued the laptops to an employee in breach of it. Hounslow took the hit because they didn’t have a written contract in place to describe and prescribe the collaborative working arrangements it had entered into with Ealing.

One might have wondered, more than two years further on, what size of monetary penalty a data controller would receive if it had also entered into a joint working arrangement in the absence of a written contract, but had failed to carry out a risk assessment, simply relying on what turned out to have been inadequate security measures taken by one of parties, and several unencrypted laptops containing the sensitive personal data of approximately 4500 individuals were stolen.

The answer (unless MPNs are to follow) based on the IC’s news release and blog today about three police forces, appears to be that no MPNs of any size will be served. Rather, enforcement notices have been issued, requiring the police forces to appoint Senior Risk Information Owners (you mean they haven’t got them already?), encrypt all portable devices (you mean they don’t already?), ensure appropriate security measures are taken to protect personal data (you mean they aren’t already?), and ensure officers have received training on the security requirements of the DPA (you mean…etc, etc, etc).

Don’t get me wrong, enforcement notices are an important part of the IC’s regulatory weaponry (I just wish he’d use them on FOI miscreants) but they are a step down from MPNs, and they don’t really serve as a punishment for serious contraventions of the DPA, but merely act as a warning.

Clearly, considerable discretion is conferred on the IC as to what sort of enforcement action is appropriate, but, on the facts, and on comparison with previous MPNs, it is very hard to avoid the conclusion that: the contraventions of the DPA were serious; they were likely to cause damage or distress which was significant; and the police forces knew or ought to have known that there was a risk that a contravention of this kind would occur but failed to take reasonable steps to prevent it. In those circumstances, the relevant conditions for an MPN exist, and I struggle to understand why none transpired.

I do note that the laptop thefts were in August 2010, but this was after DPA provisions conferring the power on the IC to serve MPNs were commenced. I also note that the data subjects appear to have been criminals, but information about criminality is sensitive personal data under the DPA and accorded a higher level of protection.

I’ve asked the ICO on twitter if they can tell me why MPNs were not served. I don’t really expect an answer – it’s a thorny question, and probably doesn’t qualify as an FOI request, but I am, genuinely, interested to know. If anyone has any ideas, I’d like to hear them.


Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, police

Good Lord!

On Lord Selsdon and the subject of criminal offending under the Data Protection Act

There was much astonishment yesterday, after a peer of the realm, the 3rd Baron Selsdon, claimed in a debate about littering in the House of Lords that he sometimes gets private information about people throwing litter from cars, and later telephones them to admonish them:

I have followed them occasionally and, for a bit of fun, have taken a note of their vehicle registration numbers. Occasionally, because I have friends in the DVLA, I manage to find their telephone number and I give them a ring

Several media outlets point out that, if this were true, it could be a breach of the Data Protection Act 1998. For instance, the Independent says

If Lord Selsdon did access information from the DVLA in this way, there may have been a breach of the Data Protection Act 1998, which requires organisations such as the DVLA to keep personal information secure

This isn’t wrong, but it overlooks that not only could it be a DPA breach, it could also be a criminal offence committed by the noble Lord and his “friends in the DVLA”. I note that the Telegraph touches on this, but doesn’t clearly explain why the criminal law might be engaged (it focuses on the DPA requirement that organisations should keep data secure).

(It should be noted that I am not accusing Lord Selsdon or his friends of committing an offence – nothing has been proven and he has so far declined to comment, while the DVLA are said to be investigating. Additionally, it does occur to me that sometimes one exaggerates when one is trying to impress one’s P̶e̶e̶r̶s̶ peers – the 3rd Baron might simply have been gilding his oratory lily.)

Nonetheless, under section 55 of the DPA a criminal offence is committed if, “without the consent of the data controller” (which here is the DVLA itself, not its individual employees), a person “knowingly or recklessly…obtain[s] or disclose[s] personal data or the information contained in personal data”. An offence will not be committed if the obtaining or procuring was necessary “for the purpose of preventing or detecting crime” or if the person acted in the reasonable belief that he had the legal right to obtain or disclose the data, or that he had the consent of the data controller, or if the obtaining or disclosing were in the public interest. What “necessary”, “reasonable belief” and “public interest” mean must be considered in light of the purposes for which the obtaining or disclosing occurred. So, for instance, if a serious crime were averted by such an action the elements of the offence might not be made out, but, distasteful and irritating as some of us find it, littering is certainly not a serious crime. Equally, someone who mistakenly thinks he has the right to obtain or disclose data might avoid the offence, but someone who says that he did it “for a bit of fun” by contacting “friends” might not.

Examples of successful prosecutions for this offence are: a letting agent and one of its directors who obtained details about a tenant’s finances from a rogue council employee; a gambling industry worker who obtained and sold gamblers’ personal details; a GP’s receptionist who obtained medical data about her ex-husband’s new wife.

The offence is also very much in the headlines following Lord Justice Leveson’s inquiry into the culture, practices and ethics of the press, which recommended strengthening of prosecution and sentencing powers under the DPA. Some journalists are perhaps understandably concerned that the practice of investigative reporting could be compromised by too robust a statutory scheme which criminalises the obtaining or disclosure of information by unofficial means.

Lord Selsdon will no doubt be regretting his apparent throwaway remarks.


Filed under Data Protection, journalism

Bank-bashing by the Court of Appeal

The conduct was…intimidatory and controlling…If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires

The Court of Appeal has held that the Bank of Scotland is liable for harassment in making hundreds of calls to someone who exceeded her overdraft limit.

With the Information Commissioner taking recent robust action we all know that the making of unwanted calls by commercial organisations can be a breach of The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.

However, a recent Court of Appeal judgment has held that this practice can also constitute harassment, even when the calls are made by one’s own bank, in pursuit of a debt.

In Roberts v Bank of Scotland the claimant – a valiant litigant in person – had sought and was awarded damages in the County Court in the sum of £7500, under section 3 of the Protection from Harassment Act 1997. The Bank appealed, both on liability and quantum, and I suspect they wish they hadn’t.

The claim was made after the Bank made 547 calls in little more than a year, arising from minor instances of exceeding overdraft limits. Ms Roberts did not want to speak to call centre operatives, and had apparently sought unsuccessfully to speak to her local branch manager. Many of the calls were intimidatory, albeit couched in polite language. Despite Ms Roberts repeatedly asking for them to cease, she was told the calls would continue.

The Appeal Court had no hesitation in dismissing the Bank’s appeal, and did so in extraordinarily disapproving terms.

This was, undoubtedly, a course of conduct which amounted to harassment and which the bank knew or ought to have known amounted to harassment:

…the bank’s conduct in the present case easily crosses the threshold. It was harassment which could have been prosecuted in the criminal courts. In the event, and fortunately for the bank, this matter simply comes before the civil courts as a claim for damages [¶45]… The bank must have been perfectly well aware of the phone calls which it was making [¶47]

and the Bank could not fall back on the fact that it was pursuing a debt – there were other ways to do this, given that Ms Roberts had repeatedly asked for calls to cease. Although initially “it made perfectly good sense for the bank to write to the claimant and also to telephone her” this did not mean that all future calls were legitimised

The existence of a debt…does not give the creditor the right to bombard the debtor with endless and repeated telephone calls. The debtor is fully entitled to say that he does not wish to talk to the creditor. In those circumstances, the creditor is thrown back upon his full legal remedies. That is what the courts are there to provide…the claimant made it abundantly plain that she did not wish to receive telephone calls from the bank. She was perfectly entitled to adopt this position. Once the bank had tried to telephone the claimant a few times and had received the same response on each occasion, it was obvious that telephoning the claimant would achieve nothing. Thereafter, there was no possible justification for continuing to ring the claimant up [¶32-33]

All three judges were clearly very unsympathetic to the Bank’s arguments. A selection of their asides:

If [counsel for the Bank] is right in saying that the only practicable means by which a bank can contact defaulting customers is the method adopted in this case, then banks had better build into their costings the damages which from time to time they will be called upon to pay to those customers.[¶50]

The conduct was, as the judge said, intimidatory and controlling. In short, it was, in my judgment, obviously unlawful harassment. If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires [¶62]

The bank should respect the rule of law and therefore it should, in the light of the judgments of this court, revise its systems and desist from any tortious conduct, and not simply factor into its working and operating costs the fact that from time to time the bank will have to pay damages for harassment [¶65]

That last comment, and indeed the judgment as a whole, is pretty ominous for any organisation seeking to pursue and persuade debtors by a process of repeated phone calls (for which, now read “potential harassment”) when the recipient has asked them to desist. Lord Justice Jackson suspects his comments might be greeted with “derision in the boardrooms of the banks”: I suspect they may also be greeted with consternation, and concern about the future of an element of banking practice which has effectively gone on unchecked for years. They would hardly have brought this appeal, over what is for them a minute sum of money, unless they thought the case had wider implications which threatened their business practices.

They now will need to lick their wounds, and reconsider their approach to commercial morality and legality.

postscript

From this post on the excellent choptheknot blog it appears that similar principles were followed in another case involving the Bank of Scotland: Johnson v Bank of Scotland plc [2013] All ER (D) 193


Filed under damages, Data Protection, harassment, nuisance calls, PECR, Privacy

FOI timescales decisive for public law claim

An FOI request is used to show when the clock for bringing a claim starts ticking

As I am neither Scottish, nor a lawyer, I make a foray into Scottish law with a distinct lack of confidence. However, I notice an interesting* case in the Scottish Court of Session, where the dates relating to a request for information were crucial in deciding whether a claim could continue.

The pursuer (equivalent to the claimant in England and Wales) was Nationwide Gritting Services (NGS), and it is aggrieved at, as it claims, missing out on the opportunity in 2010 and 2011 to tender to supply de-icing salt to Transport Scotland. The preliminary matter before Lord Woolman was whether the claim for breach of the then-in-force Public Contracts (Scotland) Regulations 2006 (“the Regulations”) was time-barred. The key issue, for the purposes of deciding when the time limits for making the claim began (applying the authority of the European Court of Justice in Uniplex (UK) Ltd v NHS Business Services Authority), was to determine the date on which NGS knew or ought to have known of the alleged infringement.

The claim had to be brought within three months of the date when the grounds for bringing the proceedings first arose. NGS served the summons in the present action on 28 August 2012. Accordingly, the critical date is 28 May 2012. The Scottish Ministers contend that NGS had the grounds to bring proceedings prior to that date (¶5)

Although there had been media coverage of salt-procurement matters in 2010, and some contact between an agent of NGS and Transport Scotland in 2010, it was only when another customer stated that Transport Scotland had purchased de-icing salt that NGS decided to make enquiries. On 30 April 2012 it sent an email headed “Formal Request for Information on Procurement Process for Salt” to Transport Scotland. It is not clear whether it cited the Freedom of Information (Scotland) Act 2002 (FOISA) but it appears that Transport Scotland properly treated it as a request under the same, because they replied on 30 May 2012 – the twentieth working day following receipt. Thus, contended NGS, 30 May was the date on which it had the requisite knowledge to bring a claim under the Regulations.

The judge agreed. Although NGS might have had “suspicions” in 2010 and 2011 that Transport Scotland had acquired salt, it had no “hard information”. When it received “hearsay evidence” from its customer it acted to enquire whether this was correct. The wording of its FOISA request (even though it had stated that NGS was “of the opinion” that proper process had not been followed) should not be taken to mean that it had “sufficient information to make an informed decision”. Only on 30 May 2012 had NGS’s suspicions “ripened into hard knowledge”.

Consequently, the claim can proceed:

as at 28 May 2012, NGS only suspected that an infringement has occurred. That suspicion was unsupported. Accordingly the grounds for bringing proceedings had not arisen by that date (¶30)

Of course, on one view this makes perfect sense and is uncontroversial. People don’t normally make FOI requests unless they want to receive new information.

I don’t for a second claim the case is ground-breaking, but it is interesting for showing that the strict deadlines applying to FOI requests can potentially be useful for drawing a line in the sands of litigation.

(*Indulge me – I happen to find judicial analysis of salt procurement interesting.)


Filed under FOISA, Freedom of Information

The Fog of War (on Drugs)

A recent Freedom of Information (FOI) request to Nottinghamshire police by a local newspaper resulted in the press headline

Police winning war on production of cannabis in county

The request was apparently for “the number of cannabis farms discovered” in the county, and the number of arrests in relation to production of the drug. Over a five year period the data showed that both were down, by 19% and 25% respectively. The paper reported that

Police say the figures prove a crackdown on cannabis production is having an impact

Do the figures prove that? I don’t think so. In fact, I think you could just as reasonably extrapolate that, for instance, police are actually “losing the war on drugs” and have chosen to expend fewer resources in discovering the farms, or, that producers have got a lot better at hiding them. The figures don’t “prove” these assertions either, but each seems to me to be as valid a conclusion as the one reported.

I read the article in light of an exchange on twitter about whether public authorities, when responding to FOI requests, were entitled to include a statement to be used in the event that the requester wished to publish an article.

Provided that the response to the FOI request itself is compliant with legal requirements I see no problem with this approach, which is really only an extension of the practice of providing explanatory comment to FOI disclosures.

What I would be critical of, though, is an unquestioning approach by journalists to such accompanying statements.


Filed under Freedom of Information, journalism

Mere assertions are not enough, my lord

In which I take on the President of the Queen’s Bench Division (over a meaningless throwaway assertion)

The law does not like mere assertions. Evidence is normally sought, or pleaded, upon which to base an assertion. So, when describing the taking and retention of handwritten notes by its member, the Parole Board apparently says, in something called the Parole Board Handbook (which I can’t find online anywhere)

Personal notes held by members in handwritten form in notebooks and retained by them do not constitute personal data as defined in the [Data Protection Act] and will not be subject to it or the Freedom of Information Act.

one is tempted to ask “why not?”

The temptation only increases when the President of the Queen’s Bench Division, who quotes the above handbook, in a judicial review case about the taking of and making available a record of the Parole Board’s proceedings, says

…notes taken by the chair for his or her own use or notes made by a judge or chair where there is an audio or visual recording of the proceedings…do not constitute the record. Nor do they constitute personal data

[emphasis added]

I am not concerned with the judge’s first assertion, which is supported by citation of previous authority, but with his second. Why do handwritten notes, taken by a member of the Parole Board, not constitute personal data?

At this point we need to navigate our way through section 1(1) of the Data Protection Act 1998 (DPA) which defines what personal data means. And before we consider what “personal data” means, we have to know what “data” means:

“data” means information which—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)

It seems to me that handwritten notes of a Parole Board member are not being processed, and not intended to be so processed, by means of “equipment operating automatically etc”, so (a) and (b) are out. Nor, I am willing to assume, are they recorded (or intended to be recorded) as part of a filing system, so (c) is out. Nor are they a health, education or publicly accessible record as defined by section 68, so out goes (d).

However, we then come to (e). The notes are recorded information. And the question as to whether they are held by a public authority is answered by reference to Schedule One of the Freedom of Information Act 2000 (FOIA) (because, as the DPA says, “‘public authority’ means a public authority as defined by the Freedom of Information Act 2000”). And there, nestling comfortably in part VI of Schedule One (the list of public authorities) are the words “The Parole Board”.

So, a Parole Board member’s handwritten notes of a hearing are, I submit, “data” for the purposes of section 1(1)(e) of the DPA. And as a hearing of the Parole Board is convened to consider a person’s liberty, or lack thereof, the notes are certainly going to be “data which relate to a living individual who can be identified…from those data”.

Bingo! The notes are, despite what the learned judge, and the Parole Board themselves (apparently) say, “personal data”. If I’m right, they are subject to the DPA (which is not of course to say that there might not be exemptions to disclosure). Moreover, as the board members in a very real sense are the Parole Board, I find it difficult to see how the notes are also not information held by a public authority for the purposes of FOIA (again, which is not to say that there might not be very obvious exemptions to disclosure under FOIA).

In the case itself, the Chairman’s notes from the applicant’s hearing turned out to have been destroyed, in line with a policy of destruction after nine months. (In a rather obvious indication that at least some people applying their minds to the subject thought that DPA was engaged, the reason for this was given as that Parole Board felt “there was an obligation under Data Protection legislation not to keep personal data longer than was necessary”). The court declined to grant an order, because the Parole Board had already begun a review of its retention and disposal policy prior to the instant hearing, but it did declare that the policy of destruction after nine months could not be lawful.

I hope I’m never in a position of having been a prisoner at an unsuccessful Parole Board hearing, but in the unlikely event that I am, I will make a subject access request under section 7 of the DPA, because I will argue that the members’ handwritten notes are my personal data, to which I am entitled.

p.s.

I’ve wondered if I’m missing something here. I would honestly be very pleased to be corrected if so.


Filed under Data Protection, Freedom of Information, Rehabilitation of offenders

Sony and confidentiality of proceedings

Why I think Sony are wrong to claim they withdrew their databreach fine appeal because of concerns about disclosing sensitive information

So, Sony have withdrawn their appeal of the £250,000 Monetary Penalty Notice served on them by the Information Commissioner (ICO), following the 2011 hack of the Playstation Network which exposed the details of millions of subscribers. I blogged at the time

my suspicious nature makes me wonder if they will ultimately pursue the appeal. Although it will cost them nothing, this isn’t about cost, but reputation, and do Sony really want to risk another day of bad headlines about their data security, in the event that they lose the appeal?

Whether the fear of further publicity was a factor in the withdrawal is impossible to say, but Sony’s public statements about the withdrawal hark back to another point I noted at the time. The ICO’s notice was heavily redacted, clearly to avoid disclosing commercially confidential or sensitive aspects of Sony’s network security, in line with ICO commitment to do so (7.3 in his Monetary Penalty Guidance). However Sony, in withdrawing their appeal to the First-tier Tribunal, now say

After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits

This rather disingenuously overlooks the fact that the Rules which govern tribunal proceedings expressly allow for parts of the hearing to be in private (Rule 35.2 of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009). So, while they are entitled to continue to disagree with the decision on the merits (reminds me of the cricket umpire who, when confronted with a batsman saying “That wasn’t out!” replied “Oh no? Let’s see what the newspapers say in the morning”) everyone else can be satisfied that Sony were correctly served a £250,000 Monetary Penalty Notice for a serious contravention of the Data Protection Act 1998, and that they chose not to pursue their right of appeal. And they’ve missed their chance for a 20% early payment discount (although that’s hardly going to worry their financial backers).

It’s a victory for the ICO, as well: he is often criticised for failing to take on the big private sector tech and social media companies. In this case, he did, and he won.


Filed under Confidentiality, Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice

The future of the ICO’s funding and functions

In February of this year the House of Commons Justice Committee took evidence from the Information Commissioner and his two deputies, and in March published a lengthy, sympathetic and wide-ranging report on The functions, powers and resources of the Information Commissioner. The Committee has now published the government response, which was in the form of a letter from Lord McNally, Minister of State for Justice. With the greatest of respect for the Ministry of Justice, the response seems to be little more than a deft kick into touch. Here are some examples.

Funding

The report raised various concerns about future funding for the Information Commissioner’s Office (ICO). Firstly, it noted that the ICO cannot use the money it receives for FOI work in the form of grant-in-aid for Data Protection work, nor can it use the funding it receives for Data Protection work from notification fees for FOI work. The report recommended that

The Government should consider relaxing the governing rules around virement and overheads

Lord McNally’s response says

…my officials have been working with the ICO to explore the potential for greater flexibility in the way the ICO apportions shared costs between the Freedom of Information (FOI) and Data Protection (DP) funding streams, in line with the Committee’s recommendation

Which adds little, if any, new information.

The report also noted that, if the European draft General Data Protection Regulation (GDPR) is passed in its current form, the ICO’s main funding for Data Protection work – notification fees – will be removed. It recommended

The Government needs to find a way of retaining a fee-based self-financing system for the data protection work of the Information Commissioner, if necessary by negotiating an option for the UK to retain the notification fee or introduce an alternative fee. If the Government fails to achieve this, the unappealing consequence will be that funding of the ICO’s data protection work will have to come from the taxpayer.

To which Lord McNally replied

The work we intend to undertake in partnership with the ICO will include drawing upon research commissioned by the ICO into future funding options, and analysis they have done into the effectiveness of the tiered notification fee system which has been in place since 2009. I would like to reassure the Committee that the Government is committed to ensuring that the Information Commissioner is appropriately resourced.

Er, OK, but does that really say anything at all?

Independence of ICO

The Committee had linked the issue of adequacy of resources to the ICO’s relationship with the executive. If the regulator is reliant on government grant, can it be truly sufficiently independent? Their recommendation was

With the potential removal of the notification fee through the EU Regulation, we reiterate our recommendation that the Information Commissioner should become directly responsible to, and funded by, Parliament

Previously, during a Westminster Hall debate in January, justice minister Helen Grant had been clear that the government did not think this was appropriate. Lord McNally though was – again – equivocal

Whilst there are currently no plans for the Information Commissioner to be a Parliamentary body or to be funded by Parliament, the work we are taking forward on the ICO’s long-term funding and operating model will consider the range of recommendations that have been made by your Committee and others, including Lord Justice Leveson in relation to the future powers, governance and accountability arrangements of the ICO. I look forward to updating the Committee in due course.

Custodial data protection offences

On the subject of whether, finally, custodial sanctions for section 55 data protection offences should be commenced (see Pounder et al, passim), the Committee was clear

We call on the Government to adopt our previous recommendation, as well as that of the Home Affairs Committee, the Joint Committee on the Draft Communications Data Bill and the Leveson Inquiry, and commence sections 77 and 78 of the Criminal Justice and Immigration Act 2008 to allow for custodial sentences for breach of section 55 of the Data Protection Act 1998.

On this at least Lord McNally had a small piece of actual news. The government is to consult on Lord Justice Leveson’s proposals on data protection arising from his inquiry into the culture, practices and ethics of the press

It is…the Government’s view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to make an Order introducing custodial sentences under section 77 CJIA (a statutory requirement), which will seek views on their impact and how they might be approached.

Compulsory data protection audits

Finally, the Committee had noted the reluctance of some public sector organisations to submit to the offer of a data protection audit by the ICO. They found it “shocking” that this should be the case (sensitive souls eh?) and recommended that the power of compulsory audit should be extended (it currently applies to government departments)

We recommend the Secretary of State bring forward an order under section 41A of the Data Protection Act to meet the recommendation of the Information Commissioner that his power to serve Assessment Notices be extended to NHS Trusts and local councils.

Lord McNally confirmed that consultation was already under way regarding the extension of this ICO audit power to compel NHS bodies to submit, but he was – you’ve guessed it – equivocal on whether local government would be similarly compelled

There are currently no plans to extend the Information Commissioner’s powers of compulsory audit to local government but the Department for Communities and Local Government are taking a partnership approach to improving local government’s compliance with data protection principles.

I can’t help seeing Lord McNally’s response as little more than a polite nod to the Justice Committee. It promises very little (other than a consultation on Leveson’s data protection proposals, which, given the continuing wrangles over the GDPR, I can’t see achieving much quickly) and delivers nothing immediate. However, the ICO tweeted this morning that it welcomed the response regarding funding and powers, so maybe the future of the independent regulator of transparency and privacy is being decided behind closed doors.


Filed under Data Protection, Europe, Freedom of Information, Information Commissioner, transparency, Uncategorized

Is the BBC spying on whistleblowers?

A couple of the usual BBC-baiting newspapers report that the corporation has been “accused of spying on whistleblowers”, after a Freedom of Information request revealed that the BBC’s Investigation Service monitored the emails of 30 workers last year. The Telegraph says this

raised fears that BBC management is engaged in a crack down on people it suspects of whistle-blowing about their concerns over the running of the corporation

There seems to be absolutely no evidence for this. To me it looks more like an employer intercepting communications on business systems in order to prevent or investigate potential unlawful behaviour. The law provides for this, and the paper reports that the BBC even said

The BBC Investigations Service does not target whistleblowers. The four cases of leaked information involved other matters such as the release of commercially sensitive information or the release of internal information – none of the four cases of leaked information could be considered as whistleblowing in any sense. The BBC has a clear policy protecting the right to whistleblow

The circumstances under which email communication can be intercepted by an employer are clearly prescribed by law. The much-maligned and -misunderstood Regulation of Investigatory Powers Act 2000 (RIPA) corrected the previous domestic position that workplace surveillance could not amount to an infringement of an employee’s Article 8 rights (a position criticised by the European Court of Human Rights in Halford v UK). Section 1 of RIPA creates a criminal offence of unlawful interception of a communication (transmitted by either a public or a private telecommunications system) where the interception occurs without lawful authority. However, secondary legislation made under RIPA prescribes what “lawful authority” can mean within an employment context. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “LBP Regulations”) provide, inter alia, that interception of emails will be lawful if it is done for the purpose of preventing or detecting crime, or for the purpose of investigating or detecting the unauthorised use of that or any other telecommunication system. This does not require the consent of the sender or recipient, provided that the business has made reasonable efforts to inform users of its systems in advance (normally by way of a policy) that emails may be intercepted for the relevant purposes (I wrote on this in detail in None of our business? Private emails, FOI and lawful interception (PDP FOI Journal, Nov/Dec 2011, Volume 8, Issue 2, subscription only)).

So, provided the BBC have a policy informing staff that their emails could be intercepted (and I would be amazed if they don’t) they will have done nothing wrong, and nothing that a responsible employer, and public service provider, should be blamed for doing. Do the Telegraph and the Mail think the BBC should not investigate alleged unlawful – perhaps criminal – behaviour on the part of its staff?


Filed under BBC, employment, interception, RIPA, surveillance