When ARE emails subject to FOIA?

Information held in private email accounts can be subject to the Freedom of Information Act 2000. Conversely, information held in the email accounts of the public authority can, in some circumstances, not be subject to FOIA. A recent decision by the Information Commissioner (ICO) confirms this.

There has been much recent discussion and argument about the extent to which information contained in “private” email accounts (such as “gmail”, “hotmail” etc) can be said to be “held on behalf of” a public authority under FOIA. The ICO issued guidance in December 2011 that says in unequivocal terms

FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority.

No one sensible who knows anything about FOIA is likely to disagree with this.

In a Decision Notice against the Department for Education (DfE), issued after this guidance was published, the ICO applied these principles to a request for information made by the Financial Times’ Christopher Cook. Cook, in an interesting twist, already had leaked “private” emails in his possession, and was seeking information corroborating certain details about them. He showed one of these emails to the ICO, whose subsequent Decision Notice said

The Commissioner has reviewed this email and found that whilst it was sent from a private email account it was held on behalf of the DfE for the purposes of the Act. By failing to disclose details of the email the DfE breached section 1 of the Act

(It is understood that the DfE is going to appeal this Decision Notice to the Information Tribunal.)

What has been overlooked, to a certain extent, in all this is the corollary of the proposition that “FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority”, which is that FOIA does not apply to private information held in public authority email accounts when it is not held on behalf of that authority.

Thus, for example, an email from an employee, or an elected member, of a public authority asking her partner to feed the cat this evening is highly unlikely to be considered to be information “held” by the public authority for the purposes of FOIA. This is because section 3(2)(a) of FOIA says

information is held by a public authority if…it is held by the authority, otherwise than on behalf of another person

Private information might physically be stored on the email servers of the public authority, but for the purposes of FOIA it is being “held on behalf of” the employee (for our purposes here we don’t need to consider whether the terms of employment actually allow the employee to use the employer’s systems to engage in private correspondence).

In a Decision Notice published on 27 March the ICO has affirmed this position. A complainant had sought copies of emails received or sent by a councillor at Camden Council, on his “camden.gov.uk” address. The complainant argued

…that use of a camden.gov.uk email address for correspondence explicitly renders any correspondence on that email account part of the business of the council

The ICO rejected this submission:

the Commissioner observes that none of these emails are about council business but instead relate either to correspondence between the councillor and constituents in his role as a ward councillor, or to personal matters of the councillor, or business which is external to his council activities… Because this information is not council business, it cannot be argued to be held by the councillor on behalf of the council. It may instead be considered to be held by the council, on behalf of the councillor as an individual, solely by virtue of being hosted on the council’s email systems.

Those previously concerned about the implications of the ICO’s guidance on private emails might take some reassurance from this statement about the limits of FOIA. However, there may also be a lesson for public authorities themselves: it is not always safe to assume that an email sent from or received by an employee’s work email account is subject to FOIA.


Filed under Freedom of Information, Information Commissioner, Uncategorized

Open Justice Charter versus Privacy Rights

The Guardian has published an article suggesting court lists should be freely available as part of a drive towards open data. William Perrin, in his own words a local active citizen, proposes (“with the government’s drive to transparency and open data”) a charter for transparency in the courts under which

people should be able to find out easily, on the internet:
what cases are expected to come up in a court from the time that they are scheduled
name, address and specific charges in all cases available from the time the case is scheduled (see footnote)
the full names, including first names, of judges, prosecution and defence lawyers, witnesses, and other professionals who speak during proceedings (e.g. magistrates’ clerks giving legal advice) from when they are known
judgements handed down from the end of the working day on which the case is concluded

Footnote

In criminal cases, the following basic information should be readily available
The full spelling of a defendant’s name
Their date of birth and full home address, including door number and postcode
The charges against them (including an opportunity to read them)
Written copies of any reporting restrictions applicable in the case

Perrin appreciates some of the risks

All the above is subject to contempt of court and protection of vulnerable defendants and witnesses

but

The longstanding openness of courts must not be compromised by data protection. In particular, well meaning but misplaced concerns about the data protection act and copyright must not stop the recording and transmission of information presented in open court.

(In passing, I struggle to understand his contrasting of “codified” data protection and copyright and “uncodified” open justice. If by “codified” he is referring to written laws and procedures then I would refer him to, in particular, rule 39.2(1) of the Civil Procedure Rules, which provides that “The general rule is that a hearing is to be in public”. This is reinforced by our Convention rights, given full domestic effect in the Human Rights Act 1998. Article 6 says

In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgement shall be pronounced publicly but the press… (emphasis added))

Justice certainly should be, as a general principle, open. It is an ancient concept – it goes to the heart of the judicial system. Lord Halsbury famously said, in 1913

Publicity is the very soul of justice…and the surest of all guards against improbity (Scott v Scott 1913 AC 417)

and Lord Diplock, in 1979

The application of this principle of open justice has two aspects: as respects proceedings in the court itself it requires that they should be held in open court to which the press and public are admitted and that, in criminal cases at any rate, all evidence communicated to the court is communicated publicly. As respects the publication to a wider public of fair and accurate reports of proceedings that have taken place in court the principle requires that nothing should be done to discourage this (Attorney-General v Leveller Magazine Ltd. and Others [1979] A.C. 440)

At the recent Justice Wide Open event at City University, I saw Perrin speak eloquently about his experiences of trying to engage as a member of the public in his local courts. He and other speakers gave dispiriting accounts of misinformed court staff and the paucity of reporters covering court news. Addressing these shortfalls is a worthy aim, and I would not want to be seen as in any way criticising someone for doing that. Perrin, however, appears to see data protection (and perhaps to a lesser extent, the law of copyright) as contributing to an erosion of open justice.

The DPA has its origins – in part – in concerns about the potential for harm caused by electronic processing of personal information. As far back as 1972 the Younger Committee on Privacy had recognised public concerns about the accumulation by the state of electronic databanks. Electronic processing power has increased immeasurably since then, and it is in the light of that increase that we must consider proposals to open up the personal data of those appearing in court.

The DPA gives effect to the UK’s obligation under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In very broad terms it requires that those who “process” “personal data” in the role of “data controller” do so in compliance with the Act and specifically with eight data protection principles (at Schedule 1). Failure to do so can in some circumstances constitute a criminal offence. The DPA is enforced primarily by the Information Commissioner (IC) who has various powers, including one to impose monetary penalties (to a maximum of £500,000 for serious breaches of the Act).

Personal data are

data which relate to a living individual who can be identified from that data

so, clearly, someone’s name, address and criminal charge would be personal data.

“Processing” is defined as

obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data

Publishing court listings on the internet would be classed as “carrying out an operation on the data”. Under Perrin’s proposals it would appear to be, at least in the first instance, the courts themselves which would be disclosing. The courts would certainly be classed as data controllers (the “person who…determines the purposes for which and the manner in which any personal data are…processed”). They would, therefore, have to process the personal data in accordance with the Act.

Just because personal data are or might be considered to be in the public domain, this does not necessarily authorise further processing. In R (on the application of Robertson) v City Of Wakefield Metropolitan Council [2001] EWHC Admin 915 the High Court held that the sale of the electoral register to commercial concerns was in breach of section 11 of the DPA (which gives data subjects the right to object to direct marketing based on their personal data) and of their Article 8 rights. Kay J rejected a submission that because an individual could not object to public right of inspection of the electoral register, there was not an actionable breach of these Article 8 rights arising from the sale of the same (and he could have equally rejected a similar submission on DPA grounds). The collection and publishing of personal data in the form of an electoral register available for physical public inspection was prescribed in law, and was a legitimate form of processing; its sale to commercial interests was not.

For similar reasons the Information Commissioner advises planning authorities that, although they may have a statutory duty to maintain, and make available for physical public inspection, a register of planning applications including objections

Extreme care should be taken to avoid any unnecessary disclosure of telephone numbers, email addresses and signatures. The need for the local authority to hold such information is obviously of benefit to all parties. However, there is no requirement to make it publicly available on the Internet… The recommendation…is that the applicant’s telephone number, email address and signature should not be visible via a website or other online system.

The DPA says that information about criminal offences will almost certainly be “sensitive personal data”, which includes

Personal data consisting of information as to… the commission or alleged commission by [the data subject] of any offence, or…any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Such data must be processed fairly and lawfully, but also at least one condition in Schedule 3 must be met. In simple terms, Schedule 3 will, broadly, for the current purposes, only permit processing of sensitive personal data if the data subject has explicitly consented to it, if it is required by law or if it is necessary for the purposes of legal proceedings or the administration of justice.

Even the posting outside the court room of lists is processing of sensitive personal data, and, although there is some inconsistency (I have heard, for instance, that some courts tweet the names of defendants) the general approach is that these lists are not published widely by the court service. (To the limited extent that they are published I would suggest that the processing would be justified by an argument that it is necessary for the purposes of legal proceedings or the administration of justice.)

The problem with publishing, on the internet, the sort of information Perrin’s charter proposes, is that the internet has few limits, whether spatial, technological or temporal.

Anyone, in any country, could harvest the data published. They could amass huge data banks not just of criminals, but of those who have merely been charged with an offence, as well as witnesses. If that information is then tied to their address (and date of birth) hugely sensitive databases could be created, about which there might be little knowledge, and over which there might be little control. In 2009 the Information Commissioner prosecuted a man called Ian Kerr for running a secret blacklist containing information about construction workers’ personal relationships, trade union activity and employment history. Kerr created the blacklist on behalf of an organisation called The Consulting Association. The Commissioner only had jurisdiction because this processing of personal data took place in the UK. A blacklist amassed from court data, and hosted outside the EU, could be hugely damaging to the employment prospects of countless people, whether they be convicted, charged and not convicted, or even merely witnesses.

Moreover, this information could be kept indefinitely. Rehabilitation of offenders, and the laws that underpin the rehabilitation could be greatly compromised if this sort of court data is openly available for anyone to retain and archive. In S and Marper v United Kingdom 30562/04 [2008] ECHR 1581 the European Court of Human Rights held that the indefinite retention of DNA samples of people who had been arrested or charged, but not convicted of an offence, was a violation of Article 8 of the Convention, and observed that

The protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the Convention. The domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with the guarantees of this Article

Marper was concerned with the indefinite retention of sensitive information under a state measure authorising its retention. Perrin’s charter is silent on how long the information it describes should be retained, or remain published, and it would be interesting to see how it would fit into the proposed new European data protection framework [pdf] which proposes a “right to be forgotten” (a right which in fact arguably already exists under principles 3 and 5 of the DPA). But even if the state or an emanation of the state deleted the data at a later date, it is difficult to see how any restrictions could be imposed on the information which would prevent its retention (even if such retention was unlawful) by private individuals, or organisations, or even other emanations of the state.

The permanence of internet-published information, and the ease with which it can be harvested and disseminated, could also greatly increase the risk of witness (and judge, and lawyer, and court official) intimidation or retribution, and most strategies for prevention [pdf] of this understandably focus on restricting the amount of information.

And, ultimately, mistakes and crimes often occur with the electronic processing of personal data. Given the huge financial pressures the court system is currently experiencing, it is very difficult to imagine that there could never be a data breach, and if one occurred it would potentially involve the personal data of vulnerable victims of crime, as well as witnesses and those accused.

For these reasons, and absent any major change in the UK data protection statutory scheme (which in turn would suggest there would have had to have been a major change in the European framework) I have doubts that Perrin’s charter, as currently presented, could operate without the people acting under it being at risk of breach of the DPA, and potentially in violation of Article 8.

Those who work in the field of data protection are often accused of putting barriers in the way of progress, and of effective working. I don’t accept this: I’m an advocate of good data protection, but I’m also an advocate of freedom of information, transparency and open justice. It seems clear that the court system could be better at promoting open justice without disproportionately infringing private rights. However, I don’t think that Perrin’s charter is the way forward, because I do not feel it goes anywhere near far enough in adequately protecting the personal information of those who would be publicised under it.

Addendum 9 May 2012

Since writing this blog post my attention has been drawn to the Magistrates’ Courts Act 1980 (thanks @Greg_Callus on twitter). Section 8 deals with restrictions on reporting of committal proceedings, and, by way of s8(4), permits publication of

(a) the identity of the court and the names of the examining justices;

(b) the names, addresses and occupations of the parties and witnesses and the ages of the accused and witnesses;

(c) the offence or offences, or a summary of them, with which the accused is or are charged;

(d) the names of the legal representatives engaged in the proceedings;

(e) any decision of the court to commit the accused or any of the accused for trial, and any decision of the court on the disposal of the case of any accused not committed;

(f) where the court commits the accused or any of the accused for trial, the charge or charges, or a summary of them, on which he is committed and the court to which he is committed;

(g) where the committal proceedings are adjourned, the date and place to which they are adjourned;

(h) any arrangements as to bail on committal or adjournment;

(i) whether a right to representation funded by the Legal Services Commission as part of the Criminal Defence Service was granted to the accused or any of the accused.

These provisions of the MCA appear to have been drafted in order to prevent the risk of prejudice to forthcoming trials, rather than with a view to protecting any privacy rights of accused. Nonetheless, they clearly, in general terms, permit publication of the sort of information proposed by Will Perrin’s Open Justice Charter. Whether the ICO would consider that they were sufficient to mean that a Schedule 3 DPA condition were met is another matter. The Data Protection (Processing of Sensitive Personal Data) Order 2000 does provide a Schedule 3 condition if the disclosure “is in the substantial public interest…[and]…is in connection with…the commission by any person of any unlawful act (whether alleged or established)…[and]…is for the special purpose [of journalism]”. However, can a blog, even one as clearly public-focussed as Perrin’s, be classed as “journalism”?

The MCA was enacted long before the internet as we know it was even conceived (it was amended in 1990 to encompass television broadcasts) and the DPA was enacted in the modern internet’s infancy. “Journalism” has no fixed definition, probably for very pragmatic reasons, but modern technology means that many people, such as bloggers, social commentators, twitter users, etc, are engaging, to a greater or lesser extent, in activities which might broadly be defined as journalism.

This leads one to wonder, in an age when “we are all journalists”, whether we might all benefit from the common law and statutory protections afforded to journalism. And, if so, in what way could journalism benefit from being a special category under laws such as the DPA?


Filed under Uncategorized

Police complaints, a databreach and a High Court injunction

I notice an interesting application in the High Court.

The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant – “person(s) unknown” – who Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which they came to be in the possession of those person(s) unknown.

The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

One wonders if the Information Commissioner has been informed. Inadvertent disclosure of personal data of a third party, of a kind which requires a high court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

As several local authorities know to their cost.


Filed under Breach Notification, Data Protection, Information Commissioner, police, Privacy

In Praise of the ICO (or how to avoid a £500k fine)

In the UK if you process personal data, you must comply in relevant part with your obligations under the Data Protection Act 1998 (DPA). This applies whether you are one of the world’s largest companies, or a sole-practitioner law firm, whether you’re a self-employed barrister, or the Lord Chief Justice of Northern Ireland. All of those hyperlinks go to examples of enforcement action taken by the Information Commissioner (IC) and are part of a regime which currently enables the IC, as statutory regulator, to impose, in appropriate cases, a civil monetary penalty notice of up to £500,000 for a serious contravention of the DPA. And when the draft European Commission Data Protection Regulation is ultimately passed, a similar contravention could risk a penalty of €1,000,000 or 2% of turnover for very large organisations. It is in any data controller’s interest to take all offers of advice and support to avoid the risk of sanctions under the DPA.

However much the IC and his office are criticised for failure to act, or failure to target the right data controllers, there are some things for which he and his office deserve praise. By section 51(1) of the DPA he must “promote the following of good practice by data controllers” and, by section 51(7) he

may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment

This is a power to conduct consensual audits. (There is also a power under s41A to conduct audits without consent, on central government bodies, and the IC would like that power extended, but I digress). In my view, if you are an organisation processing large amounts of and/or sensitive data, you would be mad not to consider this (with a couple of reservations I will address below).

Any in-depth audit of a statutory part of an organisation’s business will not normally come cheap (ask one of the “Big Four” accountancy firms how much their services cost, and then realise why they are called the Big Four). The IC could, with the Secretary of State’s agreement, charge for this service but (probably with a mind to his section 51(1) duty) he doesn’t.

So, you can ask for an in-depth audit of your compliance with the DPA. You can learn what the IC feels is best practice, get advice on improving poor practice and build positive relationships between your organisation and the IC’s office, and, in the event of a future major data breach, it might well act as mitigation, because it would show at least that you are aware of your obligations and prepared to engage positively with the IC’s office. And all of this for free.

If you are a smaller organisation there is a more informal approach by way of an Advisory Visit, again offered for free by the IC. Advisory visits involve a one-day visit and result in a short report.

The reservations I referred to earlier really only apply if your compliance is poor, and this is obvious to you. The IC, as a general approach, publishes summaries of his audits. What you really don’t want is for the IC to make a finding of “limited assurance” or “very limited assurance”. Additionally, although the IC will not publish any summary without your agreement, he will publish a note stating that an audit took place. Speculation being what it is, the fact that an organisation has not agreed to publication might not be viewed positively. So, if you suspect that your compliance is poor, my advice would be to get one of the specialist data protection advisory companies to audit you too. And appoint a good data protection officer (or pay more attention (and money) to him or her).


Filed under Data Protection, Information Commissioner, Uncategorized

Transparent as mud

Our Prime Minister is committed to transparency in government. In June 2010 he set up a Public Sector Transparency Board containing some of the great and good in the field of open data and transparency: you’d struggle to pick better people than Tom Steinberg, Nigel Shadbolt, Rufus Pollock and Tim Berners-Lee (I’m not hyperlinking him – if you don’t know who he is then find out who invented hyperlinks). The Board is chaired by Francis Maude, Minister for the Cabinet Office, who has written – at the same time as he was lambasting Tony Blair’s dispiriting comments on freedom of information – that

If I ever sit down to write my own memoirs, freeing up government information will not number amongst my regrets. In fact, I very much hope that it will be one of my very proudest achievements.

Mr Cameron seems to feel the same way:

In the years to come, people will look back at the days when government kept all its data – your data – in vaults and think how strange it was that the taxpayers – the people who actually own all this – were locked out.

Now, it so happens that there has been, in recent months, much debate about whether – or rather, to what extent – private emails written by those connected with the Department for Education are “caught” by the Freedom of Information Act 2000 (FOIA). (Read the BBC’s Martin Rosenbaum and the Financial Times’ Chris Cook on this, I insist). The Information Commissioner has been very clear that his view is that information concerning official business held in private email accounts is subject to FOIA (he’s right, by the way) but Michael Gove, Secretary of State for Education, told the House of Commons Education Select Committee that

The advice that we had received from the Cabinet Office was that anything that was held on private email accounts was not subject to Freedom of Information requests.

So, when Lisa Nandy, MP for Wigan, tabled a question in parliament on 6 February asking if the Cabinet Office would publish

guidance on private emails and the Freedom of Information Act referred to in the Education Select Committee evidence session of 31 January 2012 as having been issued to the Department for Education.

it was, let’s say, not very encouraging for those of us who support the “transparency agenda” (as it seems it must be called) that she received the following response

Information relating to internal discussion and advice is not normally disclosed

Yep. That’s right – internal information about how a government department handles requests under FOIA is not to be disclosed.

It might be thought odd, or interesting, or both, that the minister who replied to Ms Nandy was Francis Maude, MP. I’ll leave you to write your own jokes.


Filed under Freedom of Information, Information Commissioner, transparency

STOP BOTHERING US!

I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover which meant that customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.
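The post describes the mechanism only in outline: the carrier’s network adds the subscriber’s phone number to an HTTP header on every request, so any site visited receives it. The following Python check is an added example, not code from the post or from O2, showing what a site operator on the receiving end can do about it: scan incoming request headers for values shaped like a UK mobile number, flag the header so the problem can be reported, and redact the value before the request is logged. The header name and sample request are constructed (the post does not name O2’s header), and the number uses the Ofcom-reserved 07700 900xxx drama range so it belongs to nobody.

```python
import re

# Matches UK mobile numbers as they might appear in a header value:
# international form (+44 7..., 44 7..., 0044 7...) or national form (07...),
# with optional spaces or hyphens between digits. Lookarounds stop the
# pattern matching inside a longer run of digits (e.g. a cookie id).
UK_MOBILE_RE = re.compile(r"(?<!\d)(?:\+?44|0044|0)\s?7(?:[\s-]?\d){9}(?!\d)")

# Headers an origin server normally expects from a browser. Anything outside
# this set that carries a phone-number-shaped value is treated as leakage
# introduced by an intermediary such as a carrier proxy.
EXPECTED_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "cookie", "referer", "connection", "x-forwarded-for",
}

# Constructed sample request (not captured traffic). The header name is an
# assumption for illustration; the post does not give O2's real header name.
SAMPLE_REQUEST = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3.6) Mobile Safari/533.1",
    "Accept": "text/html",
    "Accept-Language": "en-GB",
    "X-Carrier-Subscriber-Id": "447700900123",  # constructed, Ofcom drama range
}


def find_leaked_numbers(headers):
    """Return a list of (header_name, matched_value) for every header whose
    value contains something that looks like a UK mobile number."""
    found = []
    for name, value in headers.items():
        match = UK_MOBILE_RE.search(value)
        if match:
            found.append((name, match.group(0)))
    return found


def unexpected_headers(headers):
    """Return the names of headers a browser would not normally send, sorted,
    so an operator can see what an intermediary has added."""
    return sorted(n for n in headers if n.lower() not in EXPECTED_HEADERS)


def redact_headers(headers):
    """Return a copy of the headers with phone-number-shaped values masked, so
    the request can be logged without the server itself retaining the number."""
    return {name: UK_MOBILE_RE.sub("[REDACTED-MSISDN]", value)
            for name, value in headers.items()}


if __name__ == "__main__":
    for name, value in find_leaked_numbers(SAMPLE_REQUEST):
        print(f"phone-number-shaped value in header {name!r}")
    print("non-browser headers:", unexpected_headers(SAMPLE_REQUEST))
    print("safe to log:", redact_headers(SAMPLE_REQUEST))
```

Run as a script it reports the offending header and prints the redacted copy; in a real deployment the same three functions would sit in request middleware, with the flagged header names going to an alert rather than stdout. Redacting at the edge matters because, once the number is written to an access log, the site operator is holding personal data it never asked for.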

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention

Er.

I just question how you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention?

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message, earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if I were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?


Filed under Data Protection, Information Commissioner, PECR, Privacy

Potential big DPA fine for NHS Trust

The Argus, a Brighton newspaper, is reporting that Brighton and Sussex University Hospitals NHS Trust has been served with a “notice of intent to fine” by the Information Commissioner (IC), for a breach of the Data Protection Act 1998 (DPA). The sum proposed is £375,000.

Assuming the story is true, the notice of intent to fine would be, strictly, a notice of intent, under s55B of the DPA, to impose a Monetary Penalty Notice (MPN). MPNs were introduced into the DPA by the provisions of the Criminal Justice Act 2003. They provide a means whereby the IC can impose financial sanctions on Data Controllers for serious contraventions of the data protection principles. The maximum amount for an MPN is £500,000, and the sums levied are not retained by the IC, but go to the consolidated fund.

The paper says

The incident relates to the theft of 232 drives out of 1,000 being decommissioned.

The Sussex Health Informatics Service was responsible for the disposal of the drives on the trust’s behalf and had appointed an individual to carry out the job.

In December 2010 it emerged four hard drives had been bought by a data recovery organisation on eBay.

The buyer contacted the trust and the drives were collected with the information destroyed.

An investigation revealed that 232 hard drives in total had been stolen and sold on.

The trust worked with the ICO, NHS Counter Fraud and Sussex Police and all the drives have been recovered.

The trust says there was a very low risk of any of the data being passed into the public domain.

Several points arise from this.

At a proposed £375,000 this MPN, if imposed, would be by far the highest so far served on a data controller. The previous highest – £130,000 – was imposed in December last year on Powys County Council.

The fact that news of the proposed MPN has come out before it has been actually served (that is, at the “notice of intent” stage) is perhaps connected with the fact that the Argus reports that “The trust says it will be contesting the fine”. By s55B(5) of the DPA a data controller in receipt of an MPN may appeal to the Information Tribunal against both the issue of the MPN, and the amount. If the Trust are contesting the fine now, they may ultimately decide to appeal to the Tribunal. This would be interesting: most of the guidance on sanctions for serious contraventions of the DPA comes from the IC himself, and from previous MPNs and undertakings. Many data controllers would find it helpful also to have some judicial analysis to draw on in these circumstances.

Until now, nearly all MPNs have been imposed on local authorities. I’ve previously questioned why this was, and posited that it would be a high risk move for the IC to serve an MPN on the NHS:

one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option: a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor, or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.


Filed under Breach Notification, Data Protection, Information Commissioner

Shaft? You’re damn right

There was a heartening story in the Leicester Mercury a few days ago. Journalist David MacLean praised Lynn Wyeth, Leicester City Council’s Head of Information Governance, for her promotion of transparency (and her assistance in giving him “countless stories over the past two years”). The article illustrates how, when it comes to the Freedom of Information Act 2000 (FOIA), a relationship of mutual respect and openness between a public authority and the media can help both sides.

Contrast this with an item on Newbury Today’s site this morning. This is a follow-up to a recent series of FOIA requests made to police forces around the country. It appears that the Press Association asked for information relating to thefts of police property. I don’t know exactly what the request said (I don’t have a Press Association log-in, and the main release is unclear) and it has been variously reported as being specifically about thefts from police stations or simply thefts in general from the police (I rather suspect it was the latter, but if anyone can clarify this, I’d be most appreciative).

The Daily Mail highlighted that Thames Valley Police (TVP), with 90 incidents, “tops the list of crime-hit forces”. No public authority likes to be “top” of any of these types of list, and the Newbury Today article shows TVP hitting back

…force spokesman Craig Evry…explained that the majority of the thefts took place from “trap cars” and added: “Thames Valley Police is one of several forces to use ‘trap houses’ and ‘trap vehicles.’ These are used in areas which police believe are being targeted by burglars or thieves. When criminals break in, they could be recorded by cameras or any property taken may be remote tagged or marked with ultraviolet inks allowing police to quickly track it down. It’s a useful criminal reduction and evidence tool and criminals should realise that the home or vehicle they’re breaking into might be covered by hidden cameras. Hopefully using this technology might make them think twice about committing a crime.”

One initially wonders, why didn’t they say that in the first place? Well, they say they did:

The FoI response included the caveat: “Please note that of the above thefts recorded, all but six involved ‘trap vehicles’ deployed specifically to be targeted by offenders.”
Mr Evry said: “They simply misinterpreted the data.”

Most, if not all, FOI officers have been here. A request is received for “All the information on X”. Now, you hold this information, but, taken in isolation, it might be misinterpreted, so you add an explanation, or a disclaimer. However, for whatever reason, the disclaimer is lost in the bustle of preparing a story for print, and suddenly your nuanced explanation of the information is lost, and you are being lambasted in the press.

In fairness to the Press Association, it seems that the background details to their original story might have included TVP’s disclaimer. For instance, the Oxford Mail, writing three days before the Daily Mail, referred to it in their article. So maybe the fault is only with those media organisations who misinterpreted, or chose to misrepresent, the Press Association material. Nonetheless (and I can speak from bitter experience here) journalists may want to ask themselves whether the helpfulness of FOI officers might be inversely related to the likelihood of their getting shafted as a result of that helpfulness.


Filed under Freedom of Information, police

Can the ICO Regulate the Internet?

It is…beyond doubt that the DPA was not designed to deal with the way in which the internet now works

says Tugendhat J in a crucial recently-published judgment (The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB)), in which he lays into the Information Commissioner (IC), albeit in a polite, judgely manner.

The case concerned applications for injunctive relief against Kordowski, the publisher of the “Solicitors from Hell” website. The claims were in defamation, under the Protection from Harassment Act 1997, and under the Data Protection Act 1998 (DPA). Unsurprisingly, given the focus of this blog, it is the last I focus on, although one must be aware it was only one of the causes of action discussed.

It transpires that the Chief Executive of the Law Society, on behalf of many solicitors who felt aggrieved by the contents of the website in question (which invited people to “rate” and comment on solicitors, with predictably defamatory results) had complained to the IC that the site was in breach of the provisions of the Data Protection Act 1998 (DPA). On 6 January this year the IC replied, in a three-page letter, apparently saying that the exemption at section 36 of the DPA effectively meant he lacked jurisdiction to determine whether there had been a breach:

 The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this.

Fellow blogger Tim Turner has already recently criticised the IC’s invoking of s36 to avoid regulating the internet/blogosphere. He will be pleased to see Tugendhat J agreeing with him, in pretty stern and unequivocal language, that using that DPA “domestic purposes exemption” to avoid regulating websites and blogs is not an option open, in general terms, to the IC.

The IC had said in his letter

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

The slapdown from Tugendhat J is

 I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA. See also Douglas v Hello! Ltd [2003] EWHC 786 (Ch) [2003] 3 All ER 996 paras 230-239 and Clift v Slough Borough Council [2009] EWHC 1550 (QB) [2009] 4 All ER 756. The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

This, of course, places the IC in a very difficult situation (actually, according to him, an “impossible” one). In fairness to him, and in fairness to the judge, it is pointed out that the IC was not in attendance nor represented in the proceedings, and it might be that he has a killer riposte up his sleeve. If not, he has a problem. Until now he has only had the criticism of mere people like Tim, or me, to lead him to question his approach to s36 and the internet. (Yes, yes, there was also the European Court of Justice, but the Lindqvist judgment was a very long time ago – effectively in pre-history – and therefore easy to sidestep). Now, given that a superior court of record has overruled him, and held that there were multiple breaches of the DPA in this case and that the IC was wrong in his application of the s36 domestic purposes exemption, he may find that his already over-stretched resources will have to cover complaints from people who feel that their rights under the DPA have been both engaged, and breached, by other individuals on the Internet. Picking a theoretical example: a complaint from someone who objects to the uploading of a private photo of them to Facebook without their consent.

It also places bloggers, and social media users in general, in a potentially risky position. Tugendhat J distinguishes such internet publication from journalism (as does Hugh Tomlinson QC – who, uncoincidentally, I suspect, acted for the claimants in this case – in two important recent posts on the Inforrm blog). If we non-journalists are potentially subject to the DPA but lack the protection it offers to journalists, we could all find ourselves at risk not just of regulatory action from the IC, but those private actions which can also be brought under the Act.

One would hope that the new draft EC data protection regulation would grapple with “the practical difficulties raised by cases such as the present” but on first viewing I’m not sure it does. Whether the door would be open to the UK legislature to address the problem is a matter for conjecture. In the interim, however, with the publication of this judgment, the IC has some close reading to do.


Filed under Data Protection, Information Commissioner, Privacy

Mandatory breach reporting and the public interest

In May of this year the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amended the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The regulations apply to different bodies in different circumstances (for instance those parts relating to cookies, which apply effectively to anyone using cookies on their website). However, a key amendment applies specifically to providers of a public electronic communications service (broadly, telecoms companies and internet service providers): regulation 5A(2) of the PECR now says

If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

This is the first appearance in domestic law of a mandatory requirement to inform the Information Commissioner (IC) of a data breach. “Data breach” itself is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

While a PECR data breach is not, expressly, a breach of the Data Protection Act 1998 (DPA) I cannot imagine circumstances in which a PECR breach would not also involve a breach of the provisions of the DPA (and – specifically and primarily – the seventh data protection principle). How the IC responds to notifications made to him under regulation 5A(2) will, therefore, be of interest to all data controllers.

This is because the imminent new European data protection instrument (either a new Directive or a Regulation) is likely to introduce mandatory data breach reporting into the Data Protection laws. It is not yet clear how far the requirement would extend. In an interview on 16 November with The Washington Post the EU Justice Commissioner, Viviane Reding, said

…we will now have such rules on notification for all sectors so citizens will know when their data has been breached, whether by criminal intent, accidental or other circumstances. We already have this rule for telecom companies but not for other sectors such as e-banking services, private-sector medical records and online shopping. We will extend the telecom rules to the Internet.

So will mandatory notification apply to “all sectors” or just (in addition to telcos/ISPs) “e-banking services, private-sector medical records and online shopping”? We’ll have to wait and see.

I made a Freedom of Information Act 2000 (FOIA) request to the IC asking how many mandatory notifications had been made to his office since the amended PECR came into effect, by whom, and whether the companies involved had informed data subjects of the breach. The IC’s response is that 76 notifications have been made (they don’t say, but I presume this is to 3 November, the date of my request) and in 64 of these cases data subjects were also informed. By way of explanation for the latter figure the IC says

…it is not a requirement of the regulations for providers to tell the ICO whether or not they have notified data subjects. The service providers only have to inform subscribers where ‘the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user’. If that is the case they have to ‘without undue delay, notify that breach to the subscriber or user concerned.’

When it comes to disclosing the names of the companies involved, however, the IC is scratching his head. He has identified (at least this is how I read his response) that disclosing this information would prejudice the commercial interests of those companies, and that, therefore, section 43 of FOIA is engaged. Having decided this, however, he has to consider (under section 2(2)(b) of FOIA) whether

in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information

Section 10(3)(b) of FOIA allows authorities to extend the time for compliance with a request (from 20 working days) where they need to consider the public interest test. FOIA itself unhelpfully only says that it can be extended by “such time as is reasonable in the circumstances”, but the IC himself advises that the maximum time that should be taken, in total, is 40 working days. His office has advised me that this applies to my request for the names of companies, and it

…may take up to an additional 20 working days to take this decision. We therefore aim to provide you with a response to this part of your request for information by 23 December 2011

This is, of course, completely acceptable, and I’ll update this post when I get the response, but three things occur to me.

First, if or when mandatory breach notification is extended to other organisations, they will need to be aware that people may request information about such breaches from the IC, and that there is a clear public interest in such information.

Second, if the IC is wrestling with the public interest factors this is clearly a finely-balanced point, and if he comes down against disclosure then this might be a case worth appealing.

Third, surely the IC anticipated that he would get such requests? I’m surprised he hadn’t already considered this public interest point.


Filed under Breach Notification, Data Protection, Freedom of Information, PECR, Privacy