An Irresponsible Press Release?

What is the basis for the ICO saying the private sector is better at data protection than the public?

I defended the Information Commissioner’s Office (ICO) today, over a poor Register headline which suggested they were “red-faced” about imposing monetary penalty notices on NHS bodies (of course they’re not). To their great credit, the Register reworded the headline. Shortly afterwards, the ICO issued a headline of their own in a press release

Private Sector leads the way on data protection compliance but room for improvement elsewhere

Behind this headline are four reports on the ICO’s Data Protection Act 1998 (DPA) audit activities over the last two years. Each report relates to a “sector”, so we have:

Audit outcomes, central government (February 2010 – July 2012)

Audit outcomes, local authorities (February 2010 – July 2012)

Audit outcomes, NHS (February 2010 – July 2012)

Audit outcomes, private sector (February 2010 – July 2012)

Ignore for a moment the fact that the distinction between “private” and “public” sector is increasingly an artificial one – what I want to focus on is the evidential basis for the assertions made by the ICO, and why I think they are potentially damaging to the interests of data subjects. The press release goes on to say

[the reports have] highlighted the positive approaches many private sector companies are adopting to look after people’s data. However concerns remain about data protection compliance within the local government sector and the NHS…Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act…In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fare little better with two out of 11 organisations achieving the highest level of assurance.

Let’s stop for a second to consider the nature of the audits we are looking at. The ICO does not have a general power to audit data controllers without their consent, although he does have that power over central government data controllers. So how does a data controller come to consent to an ICO audit? Very commonly it’s a result of a self-reported data breach, or following an ICO investigation giving rise to DPA concerns. The three arms of the public sector represented in these reports are required or expected to comply with specific data protection guidance: for central government it is the Cabinet Office Data Handling Procedures, for Local Government the LGA/SOCITM Data Handling Guidelines (derived from the Cabinet Office procedures), and for the NHS, the very robust Information Governance Toolkit. Each of these contains explicit directions that a serious DPA breach be reported to the ICO.

There is, of course, no such guidance for the “private sector” (although the ICO encourages data controllers, whether public or private sector, to self-report breaches).

Similarly, public sector organisations are subject to public law obligations and public-law-based corporate governance procedures which create an expectation that any breaches be self-reported and an expectation that they will agree to a suggestion by the ICO of a consensual audit.

Private sector organisations, while they have corporate governance obligations, are quite different. Responsibility to shareholders or owners is not the same thing as a public obligation.

What this means is that there are huge questions about how representative is the sample of audited organisations cited by the ICO in support of the contention that the “private sector leads the way on data protection compliance”. Additionally, the numbers used to draw this conclusion are so small that, even if the sectors were fully comparable, I doubt whether they would have statistical significance.

I’m not going to list the numerous examples of private sector poor compliance which arguably give lie to the ICO’s contention. I’m not even going to moan much about the fact that we will see this headline unthinkingly regurgitated over the following weeks.

But what I am going to say is I think this was an irresponsible press release. It was irresponsible because I simply cannot accept the universal premise of a statement that “the private sector leads the way on data protection compliance”. And because I can imagine that, somewhere, while a public sector data protection officer is shrugging his or her shoulders and going about his or her task with an extra dose of world-weariness, somewhere else, a private sector management board is thinking that perhaps it doesn’t need to worry too much about data security, and regulation by the ICO.

UPDATE: 12.10.12

I’ve had an email from a nice spokesman from the ICO press office, who wanted to give some further context, and clarified one point. He said

Motivation for agreeing to audit is undoubtedly a relevant context to the results we published, particularly given that, as you highlight, the ICO doesn’t have the power to compel organisations to submit to an audit. It isn’t true, though, that public sector audits are often the result of self-reported data breaches. In fact, most of our audits come from the ICO writing to organisations and asking them to volunteer, not as a direct result of a breach being reported.

Fair point, and I’m happy to clarify that most times the ICO invites organisations to volunteer for an audit not as a direct result of a breach being self-reported. Although I am pretty certain the ICO would not be sending that invite if he hadn’t determined, either as a result of a self-reported breach, or a complaint from a data subject, that there had been a breach of the DPA.

The spokesman went on to say

This is much the same as our approach to the private sector, though fewer private sector firms take up the opportunity, as we highlight in our report (perhaps due to the responsibility to shareholders versus public obligation argument you highlight in your blog).

I’m glad that there is, there, an implicit admission that audited public and private sector data controllers are not directly comparable. I rather wish the press release had said this.

But this next bit I’m not sure about

One of the purposes of this type of press release is to increase that take up and share best practice, by highlighting the availability of our audits.

Now, I’ve often, when training external (public sector) organisations, suggested to them that, if they feel relatively confident about their data protection compliance, they should consider inviting the ICO to audit them, because their auditors are fair, thorough and experienced (by the way, I advise those who are not confident about their compliance to get a consultant in first…). However, I’m not sure I could so readily recommend the ICO audit now, given what I maintain are the unfair comparisons which were drawn in this press release. Indeed, two public sector officers have now stated to me on twitter that this has actively dissuaded them from volunteering for an audit. That cannot be good.


Filed under Breach Notification, Data Protection, Information Commissioner

Private emails, FOI and Criminality

Private emails are subject to FOI searches, and it’s a crime intentionally to conceal relevant information.

So, it appears that the Department of Education (DfE) has conceded that business emails sent by private email accounts are subject to the Freedom of Information Act 2000 (FOIA), thus accepting what the right-thinking world, and, indeed, anyone with a glimmer of common sense knew all along.

Plaudits, or brickbats, according to your position on the merits of FOIA, should go to Christopher Cook of the Financial Times, who has pursued the Department of Education (DfE) on this with the enthusiasm of a Jack Russell terrier faced with a scurrying rat. Fellow hacks at the Independent had also joined themselves to the proceedings listed (but now withdrawn) in the First-tier Tribunal (Information Rights). The DfE had had the balls to launch a challenge to a previous decision by the Information Commissioner (ICO) that the information (held in private email accounts) requested by Chris should be released. The decision notice itself was clear, and difficult to argue with, as is the advice on the subject published by the ICO around the same time. One wondered what possible grounds the DfE had to base a successful appeal on, and the withdrawal of the appeal probably answers that point, although it appears the withdrawal was actually prompted by the imminent publication of Cabinet Office guidance.

Some are now predicting that there will be a deluge of FOI requests specifically targeted at information held in private emails, or text messages, and I think this is probably right. What is not clear is how they will be handled. The ICO’s guidance suggests that, faced with requests for information that could be held in private emails, public authorities should restrict themselves to asking the person to search their account and keeping a record to show that this was asked:

The public authority will then be able to demonstrate, if required, that appropriate searches have been made in relation to a particular request. The Commissioner may need to see this in the event of a…complaint

This suggests that, when investigating a complaint about refusal to disclose information, the ICO will restrict himself merely to satisfying himself that an authority has asked its staff to check emails. Absent any evidence that those staff have not been honest about the contents of those private emails, the ICO will take no further action. The reasons for this are, really, quite obvious: the powers open to a public authority to access private email accounts are limited. Although the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow an employer to “intercept” an employee’s private emails (if sent using the employer’s systems) to determine whether they are business-related, those powers must be exercised with due regard to the employee’s privacy rights. The interception of private emails in a private email account (sent using the employer’s systems) must be necessary and proportionate. If an employee has told his or her employer that their private emails contain no information caught by an FOI request it is doubtful, absent any evidence to the contrary, that a “trawl” of emails without the employee’s consent would be lawful (I’ve written for PDP journals on this subject – subscription needed).

On one view, then, nothing much has changed with the concession by the DfE, although no doubt many new FOI requests will be made as a result. What has changed, perhaps, is the focus on individuals’ personal responsibility under FOIA. Currently, section 77 creates an offence if a person alters, defaces, blocks, erases, destroys or conceals a record in response to an FOI request. If a trawl of emails on a public authority’s systems is required this will normally fall to IT, or similar, and employees have little say – or, if you like, given the existence of back-up systems – limited opportunity to commit a section 77 offence. Now, if the same employee is asked whether private emails contain specific information, and he or she untruthfully says “no”, criminality – the mens rea – will be relatively easy to make out.

The question is, how would we find out?


Filed under Freedom of Information, Information Commissioner, Information Tribunal, Privacy, RIPA, Uncategorized

The Public Interest in the Hillsborough Disaster

How could the Cabinet Office have originally decided the public interest favoured non-disclosure of information held about the Hillsborough Disaster?

On 15 December 2009 Alan Johnson, the then Secretary of State for the Home Department, announced that an Independent Panel would be appointed to enable disclosure of information relating to the 1989 Hillsborough disaster, and the events which followed it. The Panel would lead to

maximum possible public disclosure of governmental and other agency documentation on the events that occurred and their aftermath

As we all know, the Panel has now published an extraordinary amount of information, with a devastating covering report. It was not the Panel’s role to apportion blame for the tragedy but the disclosure has finally led to unequivocal public and political acceptance that, in the words of the Prime Minister, and despite previous despicable insinuations or outright pronouncements to the contrary

Today’s report is black and white. The Liverpool fans “were not the cause of the disaster”.

The efforts of bereaved families and those close to them in effecting this outcome can never be overstated. But a small part was attempted to be played using the Freedom of Information Act 2000. On 23 April 2009 a BBC journalist made an FOI request to the Cabinet Office for

Copies of all briefings and other information provided to Margaret Thatcher in April 1989 relating to the Hillsborough disaster [and] Copies of minutes and any other records of meetings attended by Margaret Thatcher during April 1989 at which the Hillsborough disaster was discussed.

The request was turned down. The Cabinet Office, rather than the 20 working days permitted by law, took nine months (they’re traditionally not very good at this FOI compliance thing, you must understand) to state that the information was exempt from disclosure under sections 31(1)(a), 31(1)(b), 31(1)(g) – which deal with prejudice to law enforcement – and sections 35(1)(a), 35(1)(b) and 35(1)(d) – which deal with information relating to the formulation or development of government policy, Ministerial communications and the operation of any Ministerial private office. All of these exemptions, if engaged, required consideration whether the public interest in disclosure outweighed the public interest in maintaining the exemption. In all instances, the decision was against disclosure: the public interest did not – according to those at the Cabinet Office determining this request – favour disclosure.

On appeal the Information Commissioner disagreed. He said

the Commissioner considers it clear that the public interest in disclosure of information relating to the Hillsborough disaster – constituting improved public knowledge and understanding of the causes of and reaction to this event (and in relation to this specific information how the Government of the day reacted) – means that the balance of the public interest favours disclosure

He did not accept the Cabinet Office’s argument that the fact that the Independent Panel had now been set up was relevant to a decision as to whether the application of the exemptions was correct

[the Panel] did not exist at the time of the request, or within 20 working days following the receipt of the request by the public authority. This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant

Notwithstanding this, the BBC ultimately agreed to withdraw its request, given the imminence of the outcome of the Panel’s work. And now we know the truth.

The Prime Minister went on to say in his statement

At the time of the Taylor Report [Margaret Thatcher] was briefed by her private secretary that the defensive and – I quote – ‘close to deceitful’ behaviour of senior South Yorkshire officers was ‘depressingly familiar’. And it is clear that the then government thought it right that the Chief Constable of South Yorkshire should resign. But… governments then and since have simply not done enough to challenge publicly the unjust and untrue narrative that sought to blame the fans.

Information Commissioner decisions requiring disclosure of Cabinet minutes, and similar information, have four times been subject to a ministerial veto to maintain secrecy. Was the initial refusal of the BBC’s FOI request for this Hillsborough disaster information simply reflective of a government approach which automatically seeks to exempt any Cabinet minutes from disclosure? I rather hope so, because the alternative is that officials, and ministers, thought that the public interest did not favour disclosure of information relating to what some are calling the biggest cover-up in British history.

UPDATE

I’ve been reflecting on this. I think it’s only fair to point out that, arguably, because the Cabinet Office took so long (nine months, remember) to get round to responding to the request, by the time they did so, the Independent Panel was set up. So, by that argument, the person looking at the request never actually determined that the public interest did or did not favour disclosure, until it was clear that it was going to be published in the future. The Information Commissioner did not accept that point

This Notice concerns whether the information should have been disclosed within 20 working days from the receipt of the request, and any factor that did not apply at the time of the request is not relevant. This situation applies regardless of the lengthy delay

and was correct in law not to, but in fairness to the Cabinet Office officials, they might have handled the request differently (by the time they got round to it) if the Independent Panel, with its remit to disclose, had not been set up.


Filed under BBC, Cabinet Office, Freedom of Information, Information Commissioner, police, Uncategorized

Data Security and Churnalism

On the lazy reporting of a silly story about increases in data breaches

Over the past couple of days the following have all published stories on the fact that data breaches in the UK have “rocketed” or “spiked” by an “alarming” 1000% over the last five years.

Computer Business Review
Techweek Europe
The Nextweb
Public Service
Help Net Security
V3.co.uk
Computing.co.uk
SC Magazine
UKAuthority.com
The Register
Computer World UK
The BBC

These are mostly well-respected news sources, serving either the tech industries or the public sector. All of them report this story as though an increase in the self-reporting of serious data breaches to the Information Commissioner were a bad thing. I’ve given the links to the stories not because I want to increase their clicks, but to show the remarkable similarity between them. This is not surprising, as they are all picking up on a press release by Imation (ironically, as a non-hack, I don’t have access to it) which was issued following an FOI request to the Information Commissioner. The response to the request showed that, indeed, in 2007-08 the number of breaches reported to the ICO was 79, and in 2011-12 it was 828. But does that really mean that “Data breaches in the UK have increased tenfold in the past five years” as the BBC put it?

The answer, certainly, is “no”.

The reporting of breaches has increased by that proportion. But that is not particularly surprising. As far as I recall the first guidance issued by the ICO on reporting serious breaches was only issued in July 2010. Before that, while there may have been an inferrable assumption that serious breaches should be reported, there was not much in the way of clear direction or expectation until relatively recently. This expectation has become much more explicit since the ICO gained powers to issue civil monetary penalties for serious breaches. Now, all major data controllers know that when there is a serious breach of data security it needs to be reported to the ICO (and for telecoms providers, there is a lawful requirement to do so under the Privacy and Electronic Communications (EC Directive) Regulations 2003).

But is it a bad thing that the number of reported incidents has increased? Of course not. All breaches of data security are to be regretted, and lessons should be learnt so that they don’t recur. But data controllers need to be encouraged to recognise breaches, and put their hands up when they happen. The ICO even considers self-reporting to be a mitigating factor when assessing what action he should take.

I doubt that many, if any, of the people writing for the websites I link to above really think that data security breaches (rather than reports of breaches) have increased 1000% over five years. I’m sure their writers and reporters are very busy, and an eye-catching press release makes for easy copy. But these websites (with the exception of the BBC) are important and specialist sources of information. For them to resort to “churnalism” (a form of journalism in which press releases…are used to create articles…without undertaking further research or checking) at the expense of common sense, especially when it might lead to greater reluctance to self-report, is greatly to be regretted.


Filed under Breach Notification, Data Protection, Information Commissioner, PECR

(Data?) Protection for Maine Coons

News that the Police Union of Senior Staff has called for controls over ownership of Maine Coon cats, following the serious concerns raised by recent misidentification of one as the Essex Lion, raises interesting points about the extent to which cat-lovers should be required to place their pets on a central register.

So, the Essex Lion turns out in all probability to have been a Maine Coon cat. Those of us who questioned whether Essex Police were potentially over-reacting to the reports now accept that problems with perspective can confuse the best of us.

Although there is no need at all for those caught up in the scare to be embarrassed, Felix Silvester, spokesman for the Police Union of Senior Staff – an organisation representing senior police spokespersons – has announced that the Union are calling for registration of Maine Coon cats:

These animals are not like normal cats. For one thing, they are bigger. For another they are quite possibly fiercer. The fact that the Essex Lion scare went on for as long as it did is unavoidably connected to the fact that there is no register of Maine Coon cats. If there had been one I’m sure it’s the first thing Essex Police would have checked. The Police Union of Senior Staff is calling for a compulsory register of all Maine Coons.

This raises important points both for animal rights and privacy activists. Although the concept of “personal data” in the Data Protection Act does not currently extend to animals, a proposed European Commission directive may change that. The Directive 12/666/EC on Monitoring Information on Animals and Other Wildlife states that

the definition of personal data…should be extended to all domestic animals, and some ruminants

While this is wholly sensible, and something respected commentators have been calling for for some time, it must be observed that none of the protections afforded to human data subjects will extend to feline ones. Cats could find themselves subject to unlimited detention and inhumane treatment (because they are not human).

I remain deeply suspicious of Mr Silvester’s comments, and do not think that the embarrassment of an entire police force justifies such draconian measures as a compulsory register.


Filed under satire

What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to be handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework) it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper The Register gave some examples of shoulder-surfing, in addition to Bob Quick’s infamous incident

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.


*It’s difficult accurately to categorise them. For instance, a fax is both electronic and physical, and a lost hard-drive is loss of physical data, but seriousness is tied to the electronic contents of said drive.


Filed under Confidentiality, Data Protection, Information Commissioner, monetary penalty notice, police, Uncategorized

Why won’t you read my secret guidance?!

The Office of Surveillance Commissioners (OSC) is in charge of reviewing the exercise of powers and duties under the Regulation of Investigatory Powers Act 2000 (RIPA) and the equivalent Scottish Act. It does not regulate RIPA (that is the role of the judiciary) but conducts inspections, provides reports and issues guidance. That guidance is, effectively, secret.

I can understand why details of specific instances of lawful surveillance must not be disclosed publicly. I have never fully understood why guidance from the person appointed to review the exercise and performance of powers and duties conferred or imposed by or under RIPA should not be disclosed publicly.

The Office of Surveillance Commissioners’ remit is

keeping under review (except in relation to the interception of communications and the intelligence services) the exercise and performance of powers and duties conferred or imposed by or under Part II (covert surveillance) and Part III (encryption) of RIPA and its Scottish equivalent RIP(S)A

(interestingly that website contains a typo – this remit is contained in section 62 of RIPA, not section 63).

This is an important role (which is in addition to the OSC’s remit under the Police Act 1997 to review authorisations by law enforcement agencies “for operations involving entry on, or interference with, property or wireless telegraphy, without the consent of the owner”). RIPA is much maligned, although, ironically enough, in key areas it merely provides a regulatory framework for intrusions into private lives which were formerly permissible at common law (i.e. the sort of surveillance RIPA regulates perhaps always used to happen, it’s just that it was not prima facie unlawful).

However, the Chief Surveillance Commissioner never seems happy with his lot. In his latest report he bewails the limits on his office’s funding

The Home Secretary is required…to provide me with the support necessary to fulfil my responsibilities. The support I receive continues to be, in some respects, inadequate. In particular, information technology for many years has failed to meet the demands of remote, secure and mobile working which is an integral part of the inspection process. Promises of improvement are not fulfilled and there appears little urgency to resolve recurring problems. Similarly, I have to rely on archaic facsimile machines which repeatedly malfunction. (¶3.13)

If true, this is pretty shoddy. I would suggest that if anyone needs to be sure about their information security it’s the Chief Surveillance Commissioner (and why is he still reliant on “facsimile machines”?).

He is also unhappy with some authorities he has inspected

My Inspectors are not lawyers and they address their reports to me. Their reports are subject to my endorsement which I will make clear in my covering letter to the chief officer of the authority inspected. It is therefore important that conversations with them during an inspection are not misquoted or shared with others without prior agreement…There have been a few occasions when correspondence from me to a single public authority has been promulgated by that authority to others as a general interpretation. Usually my guidance relates to specific facts and may not be applicable in circumstances which may appear to be, but which on analysis are not, similar. (¶3.3-3.4)

This reluctance to be open about things he and his inspectors say carries through – in spades – to the guidance he produces. In the most recent report he says

my Commissioners from time to time publish guidance in a single document for use by public authorities. I do not wish to apply a security marking to my guidance but, despite clear instructions, I am dismayed at thoughtless disclosure of a document which provides information which necessarily alludes to covert tactics. The Home Office has not yet provided me with a website capable of balancing the need for transparency to the public with controlled access to specific guidance by a limited audience.

and refers back to the previous year’s report which provided reasoning for not publishing it

my small office does not have the capacity to answer the inevitable influx of requests for clarification this would invite…law enforcement agencies in particular are concerned that tactics might unnecessarily be revealed…it is not a comprehensive document which covers every eventuality and it might be misconstrued or misused; and…it is not my remit to provide free legal advice, though I proffer guidance to public authorities which I have a responsibility to review, in order to raise standards and promote consistency (¶3.4)

although not before regretting it is not always readily available to those who need it

If I continue to find this document is not readily available to those who need it, or is not promoted by national associations, I may make it publicly available on my website

Which seems to me to be a case not of threatening to take your bat home with you, but going home and leaving your bat behind.

All this seems to reveal an attitude rather, shall we say, paternalistic and ante-Freedom of Information Act. Needless to say, someone tried, a couple of years ago, to use FOIA to get a copy (asking the OSC, which is not a public authority for the purposes of FOIA, nonetheless to use the Act’s spirit as a model for discretionary disclosure). Although the OSC refused, the requestor, on the admirable whatdotheyknow.com site*, later found that a local authority had helpfully uploaded a copy as part of a committee report. Perhaps this was one of the naughty authorities lambasted by the OSC. If so, he hasn’t done much about it, because the report is still there, happily providing guidance and – I hope – not actually causing him any trouble whatsoever.


1 Comment

Filed under Freedom of Information, RIPA, surveillance, surveillance commissioner

Initial thoughts on a suspiciously missing judgment

A guest post by anonymous blogger “Juvenal”

Finding court judgments should be easy. And finding a judgment of the Supreme Court should be easier still. Could it be possible that a landmark judgment has suddenly “disappeared”? Even that it might never have been reported in the first place??

That is the shocking conclusion I have come to after reading the excellent analysis by blogger @loveandgarbage of the landmark case of Smith v DPP and Commissioner of the Metropolitan Police [2011] UKSC 666. He points out that the judgment should be at http://www.supremecourt.gov.uk/docs/uksc-2011-0666-judgment.pdf but that goes, suspiciously, to a blank page. Every effort is being made to find out what is going on.

Making an FOI request seemed to me to be the best way forward. Under FOI, unless an exemption applies, a public authority must disclose information to a requester. So, even though the Supreme Court holds an absolute exemption under section 32, I thought it was worth a try. I was shocked to be told that the information was “not held” and that I was being classed as vexatious for asking for a judgment that never even existed. Can you imagine anything more suspicious?

5 Comments

Filed under satire

The Bludgeoning of the Decision Notice

With the latest ministerial veto, is a quaint British tradition emerging?

So, the Attorney General has exercised his powers of veto under section 53 of the Freedom of Information Act 2000 (FOIA) for the third time this year. The only one of his predecessors to use the veto – Jack Straw – only managed to use it twice in one year, so Mr Grieve must now be considered champion at wielding this most blunt of legislative instruments.

Section 53 allows an accountable person (who can be any member of the Cabinet but who, by what appears to be a convention in the making, has always thus far been the Attorney General) to issue a certificate to the Information Commissioner (ICO) telling him, in effect, that he got it wrong when ordering disclosure of information under FOIA.

The target of this week’s veto was, for the second time, an ICO decision that Cabinet minutes from March 2003 relating to the decision to go to war in Iraq, and to the then Attorney General’s legal advice regarding the military action, should be disclosed by the Cabinet Office. This decision notice, issued only on 4 July this year, was in very similar terms to one issued by the ICO in February 2008, which was the subject of a Straw veto in February 2009, although only after the decision in favour of disclosure had been upheld by the Information Tribunal.

Much has been written about the potentially illiberal nature of the section 53 power – which seems to be a possibly unique example in statute of an executive override over the judiciary. It is ironic that some former and current government figures have argued so strongly for Cabinet minutes to be totally exempt from FOIA disclosure, when the veto can be wielded so easily and decisively (although they would no doubt counter-argue that it is only being used so often because of the lack of a class exemption applying to such information). Indeed, the Justice Committee, in its recent report as part of the post-legislative scrutiny of FOIA, said

we remind everyone involved in both using and determining that space that the Act was intended to protect high-level policy discussions…We also recognise that the realities of Government mean that the ministerial veto will have to be used from time to time to protect that space

There is no bar on someone requesting the same information again from the Cabinet Office, nor any mechanism to allow the ICO not to keep issuing decision notices in favour of disclosure. Given this (and given the words of the Justice Committee) perhaps we are seeing the beginnings of a quaint British tradition, like The Dragging of the Speaker of the Commons or The Searching of the Cellars. I shall call it The Bludgeoning of the Decision Notice.

5 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal

MPs and data protection offences, part three

In previous posts I have written about the apparent failure by several MPs to register with the Information Commissioner’s Office (ICO) for data protection purposes. I have pointed out that a failure by someone to do so in circumstances where they should constitutes a criminal offence. In the last post I related that I had made a Freedom of Information Act (FOIA) request to the IC asking him what he was doing about these potential offences. I have now received the response.

In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the ICO: the power to prosecute lies primarily with the ICO itself. MPs process personal data, and the very large majority properly register this processing (which costs them £35 a year – in contrast to the £500 notification fee for larger data controllers). However, FOI requests over recent months have revealed that several MPs have not only failed to do so, but their failure has continued despite the ICO reminding them of their obligation.

On 10 May I wrote to the ICO, naming the then 22* MPs who had not registered, and asking

Please inform me…

1. What enforcement action has been taken against these MPs?

2. How many reminders each has been given (I understand you normally operate a two-reminder, then enforcement, system)

3. In addition to these 22, how many other MPs have not renewed their notification? (as more than seven months have elapsed I presume there will be some additional notifications which have lapsed)

As for the third question, I was sent a spreadsheet showing (as at 24 May) all MPs and their notification record. Interestingly, two MPs who have been elected to the House of Commons in the last two years have no registration showing at all – Debbie Abrahams and Louise Mensch.

As for the second question, the ICO’s reply comes with an attachment showing that – with three exceptions – the 22 MPs in question had all received two reminders (one had received only one reminder, and two – because of a technical glitch – had received none). The reply also came with some explanatory comments to the effect that

it is the responsibility of the Data Controller to assess their data processing at that point and make a determination as to whether notification is still required…We provide a reminder service to notified entities to help them maintain their notification. However, because there are legitimate reasons why many Data Controllers may not need to renew their notification once it expires, we do not actively pursue all 350,000 of our annual renewals.

These points are well-made. However, regarding the first question (what enforcement action had taken place) I was told

no enforcement action has been taken against these MP’s.

By explanation a distinction was drawn between the “reminder” service, and the non-notification enforcement activities of the ICO, and

Our non notification activities are targeted at particularly high risk or under represented groups or sectors.

This seems to suggest that, even where non-notification – a potential criminal offence, remember – by MPs is drawn to the IC’s attention, he will not take enforcement action unless MPs form part of a group of data controllers who are being specifically targeted by the ICO.

I’m really struggling with this. I understand the extreme resource pressures the ICO has to cope with, and I even understand that taking action against MPs (perhaps as far as prosecuting them) is not a very attractive proposition for a sometimes beleaguered regulator, but the evidence points towards named MPs failing persistently to comply with a legal obligation – even when reminded by the regulator. If law makers break the law, and the enforcer turns a blind eye, why would anyone else feel the need to obey that law?

The full request can be seen at http://www.whatdotheyknow.com/request/enforcement_of_section_18_dpa/new

*One of the 22 – Shailesh Vara – appears since to have registered

13 Comments

Filed under Uncategorized