Concerns over the Public Authorities (Fraud, Error and Recovery) Bill

When it comes to proposed legislation, most data protection commentary has understandably been on the Data (Use and Access) Bill, but it’s important also to note some of the provisions of the Public Authorities (Fraud, Error and Recovery) Bill, introduced in the Commons on 25 January.

The abandoned Tory Data Protection and Digital Information Bill would have conferred powers on the DWP to inspect bank accounts for evidence of fraud. To his credit, the Information Commissioner, John Edwards, in evidence given on that earlier Bill, had warned about the “significant intrusion” those powers would have created, and had said that he had not seen evidence to assure him that they were proportionate. This may be a key reason why they didn’t reappear in the DUA Bill.

The Public Authorities (Fraud, Error and Recovery) Bill does, however, at clause 74 and schedule 3, propose that the DWP will be able to require banks to search their own data to identify whether recipients of Universal Credit, ESA and Pension Credit meet criteria for investigation for potential fraud.

But such investigative powers are only as good as the data, and the data governance, in place. And as the redoubtable John Pring of Disability News Service reports, many disabled activists are rightly concerned about the potential for damaging errors. In evidence to the Bill Committee one activist noted that “even if there was an error rate of just 0.1 per cent during this process, that would still mean thousands of people showing up as ‘false positives’, even if it just examined those on means-tested benefits”.

The Bill does not appear to confer any specific role on the Information Commissioner in this regard, although there will be an independent reviewer, and – again, creditably – the Commissioner has said that although he could not be the reviewer himself, he would expect to be involved.

It is worth also reading the concerns of the Public Law Project, contained in written evidence to the Bill committee.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under accuracy, Data Protection, data sharing, Information Commissioner

FOI doesn’t need a “purpose”

[reposted from my LinkedIn account]

At the close of an otherwise unobjectionable and unsurprising refusal of a Freedom of Information Act 2000 appeal (on the issue of a vexatious request), the Information Tribunal judge says this:

“FOIA exists to safeguard freedom of information. It was not enacted to serve as a tool for furthering personal campaigns and causes, however heartfelt they may be.”

When Parliament enacted FOIA it expressly declined to insert a “purpose clause”. As its explanatory notes say “A request for information can be made by any individual or body, regardless of the purpose of the application.” So if someone wants to use FOIA as a tool for furthering personal campaigns and causes, then (as long as their requests are not, as they were here, vexatious) they jolly well can. And judges should respect this.

Filed under access to information, FOIA, Freedom of Information, Information Tribunal, judgments, Uncategorized

The state of central government transparency

[reposted from my LinkedIn account]

This is one of the most extraordinary FOIA judgments I’ve ever seen, and it says an awful lot about the approach to transparency at the centre of the civil service.

The Cabinet Office have been trying to resist disclosure under FOIA of copies of blank ministerial declaration of interest forms, on grounds that to do so would be prejudicial to the conduct of public affairs, because among other things [checks notes] “Disclosure may lead to speculative scrutiny regarding why certain elements are included in the forms, potentially leading to amendments to the form which undermines its effectiveness”.

But there’s also an extraordinary citation of a piece of evidence given by a Cabinet Office witness – the “Director of Propriety and Ethics” – to the effect that the system for Ministers declaring interests relies heavily on the trust and candour of Ministers, and that the effect of disclosure would be that they “may be reluctant to provide the same level of detail” as they do currently.

Let’s just think about that. Ministers have a constitutional and ethical duty to declare interests, but this relies on trust and candour, and disclosure of a blank declaration form might mean that those we trust to be candid in their ethical duty to declare those interests might decide to be less trustworthy and candid as a result? What a sorry state of affairs.

Fortunately, the Information Tribunal, like the Information Commissioner’s Office before it, had no truck with these arguments, and refused the Cabinet Office’s appeal.

Filed under access to information, Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

RIP ePrivacy Regulation

[reposted from my LinkedIn account]

The ePrivacy Regulation is dead (as is – also very notably – the AI Liability Directive). The former has been a long time dying: it was first proposed in 2017, and then was subject to almost unprecedented lobbying by tech interests, which lobbying seems to have finally prevailed.

For the time being at least, then, the EU will continue to operate under a crucial law dealing with privacy of online (and telephonic) behaviour and communications which emanates from 2002 (Directive 2002/58/EC), an era when the internet as we now know it was unimaginable.

And in the UK, still effectively tied legislatively for reasons of trade and security to the EU, we will similarly (unless there’s a major jolt to our laws) still be working under the PEC Regulations of 2003 (which implemented Directive 2002/58/EC).

A slight irony is that the Data (Use and Access) Bill will almost certainly pass into UK law one of the key planned provisions of the now-shelved ePrivacy Regulation: to bring financial penalties for ePrivacy infringements onto the same level as those for GDPR/UK GDPR infringements.

So, in that regard at least, the UK will be able to say we have a stricter regime than the EU.

Filed under DUAB, Europe, PECR

Clarity needed on NHS publication of reports into homicides

[reposted from my LinkedIn account]

Does the law need clarifying on the publication of reviews into homicides by those receiving mental health services from the NHS?

The Times led recently on stories that NHS England was refusing to publish the full independent report into the health care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023. NHSE apparently argued that data protection and patient confidentiality concerns prevented them publishing anything but a summary. Under pressure from victims’ families, and the media, NHSE about-turned, and the full report is reported to contain damning details of failings in Calocane’s treatment which were not in the summary version.

Now The Times reports that this is part of a pattern, since last year, of failure to publish full reviews of homicides by mental health patients, contrary to previous practice. It says that NHSE received legal advice that the practice “could breach data protection rules and the killers’ right to patient confidentiality”. The charity Hundred Families talks of cases where the names of victims are not published, or even the identity of the NHS Trust involved.

Of course, without seeing the advice, it is difficult to comment with any conviction, but I did write in recent days about how the law can justify publication where it is “necessary for a protective function” such as exposing malpractice, or failures in services. And it’s important to note that, in many cases, such reports show failings that mean that killers themselves have been let down by the inadequacy of their treatment: publication can surely, in some cases, cast light on this so that similar failings don’t happen in the future. In any case, guidance says that those preparing reports should do so with a view to their being published, and so confidentiality concerns should be taken into account in the drafting.

However, if NHSE remains concerned about the legality of publication, and if its legal advice continues to say that data protection and medical confidentiality law militate against disclosure, it strikes me that this might call for Parliament to legislate. I also believe that it would be welcomed if the Information Commissioner’s Office issued a statement on the legal issues arising.

Filed under access to information, Confidentiality, Data Protection, Information Commissioner, NHS

Is the legal sector really suffering a flood of data breaches?

[reposted from my LinkedIn account]

There have been various articles in the media recently, reporting a significant rise in personal data breaches reported by the legal sector to the Information Commissioner’s Office. I have some real doubts about the figures.

An example article says

A new analysis of data from the Information Commissioner’s Office (ICO) by NetDocuments has revealed a sharp increase in data breaches across the UK legal sector. In the period between Q3 2023 and Q2 2024, the number of identified data breaches in the UK legal sector rose by 39% (2,284 cases were reported to the ICO, compared to 1,633 the previous year)

But something didn’t seem right about those numbers. The ICO say that they have received 60,607 personal data breach reports since their current reporting methods began in Q2 2019 (see their business intelligence visualised database), so it seemed remarkable to suggest that the legal sector was scoring so highly. And, indeed, when I look at the ICO BI data for self-reported personal data breaches, filtered for the legal sector, I see only 197 reported in Q3 2023, and, coincidentally, 197 in Q2 2024 (see attached visuals) – an increase from one relatively low number to another relatively low number of precisely 0%.

A serious question to those more proficient with data than I am – am I missing something?

If I’m not, I really think the ICO should issue some sort of corrective statement.

Filed under Data Protection, data security, Information Commissioner, personal data breach

Is information held by external solicitors “held” for the purposes of FOIA?

[reposted from my LinkedIn account]

Where an external solicitor’s firm holds information in relation to advice given by the solicitor on instructions by a public authority client, is the information held by the solicitor “on behalf of” the public authority, for the purposes of section 3(2)(b) of the Freedom of Information Act 2000?

While the matter is live, the answer is probably “yes”, but what if the public authority client has long since destroyed its own records, but the solicitor’s firm has retained its records for its own regulatory or risk purposes? Here, the answer is probably “no”.

And that is the situation which came before the Information Tribunal recently. The requester was seeking information from Sheffield City Council about a development scheme from 2007/2008. The Council had said that it would have destroyed its own records, and said that to determine whether the information was held would necessitate the inspection of 28 box files held by law firm Herbert Smith Freehills, who had been instructed by the Council at the relevant time. To even determine whether the information was held or not would exceed the costs limits in section 12 of FOIA. The ICO, in the decision notice being appealed, had agreed.

As I was reading the first few paragraphs of the Tribunal judgment, I said to myself “hang on – is this info being held by HSF on behalf of the Council, or is it being held for HSF’s purposes?” I was limbering up my fingers to write a post criticising everyone for not spotting this, so I was then pleased to see that the Tribunal, of its own volition, identified it as an issue and sought submissions from the ICO and the Council on it.

After some back and forth (it is not entirely clear from the judgment who said what in their submissions, and there was a side issue as to whether in fact the Environmental Information Regulations applied) the evidence was pretty clear that the Council had had no intention to retain the information, nor to entrust it to HSF. Accordingly, the information was not “held” for the purposes of FOIA.

I’m not sure I understand why the Tribunal did not substitute a different decision notice to reflect this (it simply dismissed the requester’s appeal), but ultimately nothing really turns on that.

What one can take from this is that solicitors and their clients (especially public authority clients) should, jointly and separately, make clear in agreements and policies what the status is of information retained by solicitors after an instruction has ceased, and how requests for such information should be dealt with.

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, judgments

NHS England and publication of the Calocane report

[reposted from my LinkedIn account]

[Edited to add: the day following the upload of this post NHS England did an about turn, and published the report in full, saying “The NHS has taken the decision to publish the report in full in line with the wishes of the families and given the level of detail already in the public domain”]

NHS England is reported to be refusing, partly on data protection grounds, to publish the full independent review report into the care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023.

The report is said to be over 200 pages long, and although a summary will be published, families of the victims are calling for the full report (which they only saw after pressure from their lawyers) to be published on public interest grounds, saying “we have grave concerns about the conduct of the NHS”.

So does data protection law prevent disclosure?

The report will clearly contain details of Calocane’s health, and as such it constitutes a special category of personal data, requiring a condition for processing from Article 9 of the UK GDPR. The most likely candidate would be Article 9(2)(g):

processing is necessary for reasons of substantial public interest, on the basis of domestic law….

The domestic law provisions referred to are contained in schedule 1 to the Data Protection Act 2018. And at first glance, it is not straightforward to identify a provision which would permit disclosure.

However, paragraph 11 potentially does. It deals with processing which is necessary for a “protective function”, which must be carried out without the consent of the data subject so as not to prejudice that protective function, and which is necessary for reasons of substantial public interest. A “protective function” includes a function which is intended to protect members of the public against failures in services provided by a body or association.

Reports into homicides by patients in receipt of mental health care are commissioned by NHS England under the Serious Incident Framework “Supporting learning to prevent recurrence”, and this says that “publication of serious incident investigation reports and action plans is considered best practice”, although “reports should not contain confidential personal information unless…there is an overriding public interest”.

I’m not saying it’s a straightforward legal question, as to whether the report can be published, but an argument can be made that there is a substantial, overriding, public interest in disclosure in order that the public can be aware of any failings and understand what actions are being taken to address them. No doubt though that NHS England’s argument would be that this is achieved by publication of the summary report.

I imagine, in any case, that freedom of information requests will be made for the full report, so ultimately we may see the Information Commissioner’s Office, and maybe the courts, rule on this.

Filed under access to information, Data Protection, Data Protection Act 2018, NHS, UK GDPR

Exceptionally unlikely: ICO and judicial review

[reposted from my LinkedIn account]

Where Parliament has entrusted a specialist body with bringing prosecutions, such as the Serious Fraud Office, or the Information Commissioner’s Office (ICO), it is “only in highly exceptional circumstances” that a court will disturb a decision made by that body (see Lord Bingham in R (Corner House and others) v Director of the Serious Fraud Office [2008] UKHL 60).

Such was the situation faced by the claimant in an unsuccessful recent application for judicial review of two decisions of the ICO.

The claimant, at the time of the events in question, was a member of the Labour Party and of the Party’s “LGBT+Labour” group. She had been concerned about an apparent disclosure of the identity and trans status of 120 members of a “Trans Forum” of the group, of which she was also a member, and about what she felt was a failure by the LGBT+Labour group to inform members of the Forum of what had happened.

She reported this to the ICO as potential offences under sections 170 and 173 of the Data Protection Act 2018 (it’s not entirely clear what specific offences would have been committed), and she asked whether she was “able to discuss matters relating to potential data breaches with the individuals involved”. The ICO ultimately declined to prosecute, and also informed her that disclosing information to the individuals could in itself “potentially be a section 170 offence”.

The application for judicial review was i) in respect of the “warning” about a potential prosecution in the event she disclosed information to those data subjects, and her subsequent rejected request for a commitment that she would not be prosecuted, and ii) in respect of the decision not to prosecute LGBT+Labour.

Neither application for permission succeeded. In the first case, there was no decision capable of being challenged: it was an uncontroversial statement by the ICO about a hypothetical and fact-sensitive future situation, and in any event she was out of time in bringing the application. In the second case, there were no “highly exceptional circumstances” that would enable the court “to consider there was a realistic prospect of showing that the ICO had acted outside the wide range of its discretion when deciding not to prosecute”.

One often sees suggestions that the ICO should be JR’d over its failure to take action (often in a civil context). This case illustrates the deference that the courts will give to its status and expertise both as regulator and as prosecutor. Outside the most exceptional of cases, such challenges are highly unlikely to succeed.

Peto v Information Commissioner [2025] EWHC 146 (Admin)

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner, judgments, judicial review

Closed MI5 material in the Information Tribunal

You don’t know what you don’t know.

A recent judgment in the Information Tribunal is a good example of this platitude in the context of access to information held by public authorities.

The applicant had asked MI5, under the Environmental Information Regulations 2004 (EIR), for information on its CO2 emissions (by reference to the Greenhouse Gas Protocol). MI5 refused to disclose, in reliance on the exception to disclosure at regulation 12(5)(a), on the grounds that disclosure would adversely affect national security. This refusal was upheld by the Information Commissioner’s Office.

Perhaps unsurprisingly, the applicant was sceptical. The judgment notes that

she said that MI5 had not demonstrated a causal link between the disclosure of the information and the claimed adverse effect of that disclosure; MI5 had not provided any evidence that the adverse effect of disclosure was more likely than not to occur. She described the position of MI5 to be based on assumptions and that they had overlooked the difficulty of inferring accurate information from emissions data

The Information Tribunal can, though, consider closed material in EIR and FOI proceedings (i.e. information and evidence which the applicant cannot see or hear). And in this case, MI5 adduced closed evidence, in the form of “damage assessments” which

included submissions as to how the emissions data could be used and the nature of the conclusions that could be drawn from those data, whether analysing the data alone, by also using data in the public domain or by using comparators” and “identified stark and very accurate conclusions that could be drawn from the raw data itself with simple calculations

In the face of such evidence, the Tribunal inevitably dismissed the applicant’s appeal.

The judgment is well worth reading as an illustration of how the closed material procedure works.

Filed under access to information, Environmental Information Regulations, Information Tribunal, national security