Tag Archives: Christopher Graham

What’s happening with changes to anti-spam laws?

In October last year the Department for Culture, Media and Sport (DCMS) announced a consultation to lower, or even remove, the threshold for serving financial penalties on those who unlawfully send electronic direct marketing. I wrote at the time that

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge

The Information Commissioner’s Office (ICO) and DCMS both seemed at the time to be keen to effect the necessary legislative changes to amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) so that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, either a serious contravention alone of PECR, or a serious contravention likely to cause annoyance, inconvenience or anxiety, could give rise to a monetary penalty without the need to show – as now – likely substantial damage or substantial distress.

However, today, the Information Commissioner himself, Christopher Graham, gave vent to frustrations about delay in bringing about these changes:

Time and time again the Government talks about changing the law and clamping down on this problem, but so far it’s just that – talk. Today they are holding yet another roundtable to discuss the issue, and we seem to be going round in circles. The Government need to lay the order, change the law and bring in a reform that would make a real difference

So what has happened? Have representatives of direct marketing companies lobbied against the proposals? It would be interesting to know who was at today’s “roundtable” and what was said. But there was certainly an interesting tweet from journalist Roddy Mansfield. One hopes a report will emerge, and some record of the meeting.

One wonders why – if they are – marketing industry bodies might object to the proposed changes. The financial penalty provisions would only come into play if marketers failed to comply with the law. Spammers would get punished – the responsible companies would not.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


No data protection “fines” for audited NHS bodies

UPDATE (03.02.15): GPOnline have commendably now amended their piece on this. END UPDATE

GPOnline warns its readers today (02.02.15) that

GP practices face compulsory audits from this month by the information commissioner to check their compliance with data protection laws, and could be fined heavily if they are found to have breached rules.

While it’s good that it is on the ball regarding the legal change to the Information Commissioner’s Office (ICO) audit powers, it is, in one important sense, wrong: I can reassure GP practices that they are not risking “fines” (more correctly, monetary penalty notices, or MPNs) if breaches of the law are found during an ICO audit. In fact, the law specifically bars the ICO from serving an MPN on the basis of anything discovered in the process of an audit.

Under s41A of the Data Protection Act 1998 (DPA) the ICO can serve a data controller with a notice “for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles”. Until yesterday, this compulsory audit power was restricted to audits of government departments. However, the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014, which commenced on 1 February 2015, now enables the ICO to perform mandatory data protection audits on NHS bodies specified in the schedule to the Order.  Information Commissioner Christopher Graham has said

We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens

And I think he chose those words carefully (although he used the legally inaccurate word “fine” as well). Section 55A of the DPA gives the ICO the power to serve a monetary penalty notice, to a maximum of £500,000, if he is “satisfied” that there has been a serious contravention of the DPA by the data controller, that it was of a kind likely to cause substantial damage or substantial distress, and that the data controller knew or ought to have known that this would happen. However, section 55A(3A) provides that the ICO may not be so “satisfied”

by virtue of any matter which comes to the Commissioner’s attention as a result of anything done in pursuance of…an assessment notice

The policy reason behind this provision is clearly to encourage audited data controllers to be open and transparent with the ICO, and not to be punished for such openness. GP practices will not receive an MPN for any contraventions of the DPA discovered during or as a result of a section 41A audit.


Chris Graham and the cost of FOI tribunals

When Information Commissioner (IC) Christopher Graham speaks, people listen. And so they should: he is the statutory regulator of the Freedom of Information Act 2000 (FOIA) whose role is “to uphold information rights in the public interest”. A speech by Graham is likely to be examined carefully, to see if it gives indications of future developments, and this is the reason I am slightly concerned by a particular section of his recent speech at an event in Scotland looking at ten years of the Scottish FOI Act.

The section in question dealt with his envy of his Scottish counterparts. They, he observed, have relatively greater resources, and the Scottish Information Commissioner, unlike him, has a constitutional status that bolsters her independence; but he also envied

the simple and straightforward appeals mechanism in the Scottish legislation. The Scottish Commissioner’s decision is final, subject only to an appeal to the Court of Session on a point of law.

By contrast, in England, Wales and Northern Ireland, under section 57 of FOIA, there is a right of appeal to a tribunal (the First-tier Tribunal (Information Rights)). Under section 58(2) the Tribunal may review any finding of fact by the IC – this means that the Tribunal is able to substitute its own view for that of the commissioner. In Scotland, by contrast, as Graham indicates, the commissioner’s decision is only able to be overturned if it was wrong as a matter of law.

But there is another key difference arising from the different appellate systems: an appeal to the Tribunal is free, whereas in Scotland an application to the Court of Session requires a fee to be paid (currently £202). Moreover, a court is a different creature to a tribunal: the latter aims to “adopt procedures that are less complicated and more informal” and, as Sir Andrew Leggatt noted in his key 2001 report Tribunals for Users: One System, One Service

Tribunals are intended to provide a simple, accessible system of justice where users can represent themselves

It is very much easier for a litigant to represent herself in the Information Tribunal than it would be in a court.

Clearly, the situation as it currently obtains in England, Wales and Northern Ireland – a free right of appeal to a Tribunal which can take a merits view of the case – will lead to more appeals, but isn’t that rather the point? There should be a straightforward way of challenging the decisions of a regulator on access to information matters. Graham bemoans that he is “having to spend too much of my very limited resources on Tribunals and lawyers”, but I could have more sympathy if this were purely wasted expenditure – if the appeals made were futile and changed nothing – but the figures don’t bear this out. Graham says that this year there have been 179 appeals; I don’t know where his figures are from, but from a rough totting-up of the cases listed on the Tribunal’s website I calculated that there have been about 263 decisions promulgated this year, of which 42 were successful. So, very far from showing an appeal to be a futile exercise, these figures suggest that approximately 1 in 5 was successful (at least in the first instance). What is also notable, though, is the small but significant number of consent orders – nine this year. A consent order will result where the parties no longer contest the proceedings, and agree on terms to conclude them. It is speculation on my part, but I would be very interested to know how many of those nine orders resulted from the IC deciding, on the arguments submitted, that his position was no longer sustainable.

What I’m getting at is that the IC doesn’t always get things right in the first instance; therefore, a right of appeal to an independent fact-finding tribunal is a valuable one for applicants. I think it is something we should be proud of, and we should feel sorry for FOI applicants in Scotland who are forced into court litigation (and proving an error of law) in order to challenge a decision there.

Ultimately, the clue to Graham’s disapproval of the right of appeal to Tribunal lies in the words “limited resources”. I do sympathise with his position – FOI regulation is massively underfunded by the government, and I rather suspect that, with better resourcing, Graham would take a different view. But I think his speech was particularly concerning because the issue of whether there should be a fee for bringing a case in the Tribunal was previously raised by the government, in its response to post-legislative scrutiny of FOIA. Things have gone rather quiet on this since, but might Graham’s speech herald the revival of such proposals?


Green light for spam texters – for now

The ICO has effectively conceded he has no current powers to issue monetary penalties on spam texters.

In June this year the Upper Tribunal dismissed the appeal by the Information Commissioner’s Office (ICO) against the quashing of a £300,000 monetary penalty notice (the MPN) served on spam texter Christopher Niebel. The MPN had been issued pursuant to the ICO’s powers under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Upper Tribunal held that the First-tier Tribunal had not erred in law in finding that the ICO’s relevant interpretation of “distress” was unsustainable:

the tribunal took issue with the Commissioner’s guidance as to the meaning of “distress” and, in my opinion rightly so. According to that guidance, “Distress is any injury to feelings, harm or anxiety suffered by an individual” (at paragraph [12], emphasis added). The tribunal’s conclusion was that if this “involves the proposition that it is not possible to have ‘any injury to feelings’ which falls short of ‘distress’ then, it seems to us, that the definition is at odds with common experience and with the ordinary use of English [¶60]

As the law required evidence that Niebel’s company’s sending of spam texts had been of a kind likely to cause substantial distress, and as the ICO’s evidence did not match up to this, the MPN had been rightly quashed. Implicitly, the Upper Tribunal was suggesting that further MPNs of this kind would also not be sustainable, and, explicitly, it suggested that, if Parliament wanted to give the ICO powers to financially punish spam texters, a change in the law would be required:

[a] more profitable course of action, is for the statutory test to be revisited…a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome.

To no real surprise, since the ICO lost this appeal, no further MPNs have been issued for spam texting (some have been served for spam telephone calls). Now the ICO, in a blog post by its Head of Enforcement, Steve Eckersley, has effectively conceded that the result of the Niebel litigation has been to remove its power to serve MPNs for spam texts, saying it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”. And Eckersley picks up the call for a law change, confirming that there will be a consultation later this year (whether any of this will see results this side of the general election, however, is another question). This call echoes one made by the Information Commissioner himself, who said in February

We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.

There are, of course, other strings to the ICO’s bow, and Eckersley refers to some of them

we are using our existing powers to hold companies to account and to disrupt their unlawful activities….and we are obtaining undertakings from and issuing enforcement notices, effectively cease-and-desist orders, to companies that breach PECR.

This sounds good, but leaves me rather puzzled: as the ICO has confirmed to me, no enforcement notices have been served, and only one undertaking obtained, against companies or individuals who have sent spam texts in breach of PECR. Enforcement notices are a strong power – breach of one is a criminal offence – and only require the ICO to consider whether the PECR contravention has caused or is likely to cause any person damage or distress, not “substantial damage or substantial distress”. This lower threshold should make it much more difficult for enforcement to be resisted. Maybe some enforcement notices are on their way? One rather hopes so, because, for the moment, it looks like spam texters have received a green light.

Tim Turner points out to me that, because a conviction for breach of an enforcement notice is not a recordable offence, it will not make its way on to the Police National Computer, and will not therefore generally result in disclosure for, e.g., employment purposes. Tim’s view, and it is a compelling one, is that for a lot of spammers the threat of a minor conviction for breach of a legal notice is not one which is likely to dissuade them from their practice.


Do bloggers need to register with the ICO?

A strict reading of data protection law suggests many (if not all) bloggers should register with the ICO, even though the latter disagrees. And, I argue, the proposal for an Information Rights Levy runs the risk of being notification under a different name

Part III of the Data Protection Act 1998 (DPA) gives domestic effect to Article 18 of the European Data Protection Directive (the Directive). It describes the requirement that data controllers notify the fact that they are processing personal data, and the details of that processing, to the Information Commissioner’s Office (ICO). It is, on one view, a rather quaint throwback to the days when processing of personal data was seen as an activity undertaken by computer bureaux (a term found in the predecessor Data Protection Act 1984). However, it is law which is very much in force, and processing personal data without a valid notification, in circumstances where the data controller had an obligation to notify, is a criminal offence (section 21(1) DPA). Moreover, it is an offence which is regularly prosecuted by the ICO (eleven such prosecutions so far this year).

These days, it is remarkably easy to find oneself in the position of being a data controller (“a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”). There are, according to the ICO, more than 370,000 data controllers registered. Certainly, if you are a commercial enterprise which in any way electronically handles personal data of customers or clients it is almost inevitable that you will be a data controller with an obligation to register. The exemptions to registering are laid out in regulations, and are quite restrictive – they are in the main, the following (wording taken from the ICO Notification Handbook)

  • Data controllers who only process personal information for: staff administration (including payroll); advertising, marketing and public relations (in connection with their own business activity); and accounts and records.
  • Some not-for-profit organisations.
  • Maintenance of a public register.
  • Processing personal information for judicial functions.
  • Processing personal information without an automated system such as a computer.

But there is one other, key exemption. This is not within the notification regulations, but at section 36 of the DPA itself, and it exempts personal data from the whole of the Act if it is

processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)

Thus, if you, for instance, keep a record of your children’s medical histories on your home computer, you are not caught by any of the DPA (and not required to notify with the ICO). Where this becomes interesting (it does become interesting, honestly) is when the very expansive interpretation the ICO gives to this “domestic purposes exemption” is considered in view of the extent to which people’s domestic affairs – including recreational purposes – now take place in a more public sphere, whereby large amounts of information are happily published by individuals on social media. As I have written elsewhere, the Court of Justice of the European Union (CJEU) held in 2003, in the Lindqvist case, that the publishing of information on the internet could not be covered by the relevant domestic purposes exemption in the Directive. The ICO and the UK have, ever since, been in conflict with this CJEU authority, a point illustrated by the trenchant criticism delivered in the High Court in the judgment by Tugendhat J in The Law Society v Kordowski.

But I think there is an even more stark illustration of the implications of an expansive interpretation of the section 36 exemption, and I provide it. On this blog I habitually name and discuss identifiable individuals – this is processing of personal data, and I determine the purposes for which, and the manner in which, this personal data is processed. Accordingly, I become a data controller, according to the definitions at section 1(1) of the DPA. So, do I need to notify my processing with the ICO? The answer, according to the ICO, is “no”. They tell me

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets

But I don’t understand this. I cannot see any exemption which applies to my processing – unless it is section 36. But in what way can I seriously claim that I am processing personal data only for my domestic (including recreational) purposes? Yes, blogging about information rights is partly a recreation to me (some might say that makes me odd), but I cannot pretend that I have no professional aims and purposes in doing so. Accordingly, the processing cannot only be for domestic purposes. I have asked the ICO to confirm what, in their view, exempts me from notification. I hope they can point me to something I have overlooked, because, firstly, anything that avoids my having to pay an annual notification fee of £35 would be welcome, and secondly, I find it rather uncomfortable to be on the receiving end of my own personal analysis that I’m potentially committing a criminal offence, even if the lead prosecutor assures me I’m not.

The point about the notification fee leads me on to a further issue. As I say above, notification is in some ways rather quaint – it harks back to days when processing of personal data was a specific, discrete activity, and looks odd in a world where, with modern technology, millions of activities every day meet the definition of “processing personal data”. No doubt for these reasons, the concept of notification with a data protection authority is missing from the draft General Data Protection Regulation (GDPR) currently slouching its way through the European legislative process. However, a proposal by the ICO suggests that, at least in the domestic sphere, notification (in another guise) might remain under new law. The ICO, faced with the fact that its main funding stream (the annual notification fees from those 370,000-plus data controllers) would disappear if the GDPR is passed in its proposed form, is lobbying for an “information rights levy”. Christopher Graham said earlier this year

I would have thought an information rights levy, paid for by public authorities and data controllers [is needed]. We would be fully accountable to Parliament for our spending.

and the fact that this proposal made its way into the ICO’s Annual Report, with Graham saying that Parliament needs to “get on with the task” of establishing the levy, suggests that it might well be something the Ministry of Justice agrees with. As the MoJ would be first in line to have to make up the funding shortfall if a levy wasn’t introduced, it is not difficult to imagine it becoming a reality.

On one view, a levy makes perfect sense – a “tax” on those who process personal data. But looked at another way, it will potentially become another outmoded means of defining what a data controller is. One cannot imagine that, for instance, bloggers and other social media users will be expected to pay it, so it is likely that, in effect, those data controllers whom the ICO currently expects to notify will be those who are required to pay the levy. One imagines, also, that, pour encourager les autres, it might be made a criminal offence not to pay the levy in circumstances where a data controller should pay it but fails to do so. In reality, will it just be a mirror-image of the current notification regime?

And will I still be analysing my own blogging as being processing that belongs to that regime, but with the ICO, for pragmatic, if not legally sound, reasons, deciding the opposite?


The seriousness of personal data breaches

Our privacy is, for good reason, important to all of us.

What a person has in his or her bank account, what a person chooses to write and to whom, what telephone calls a person chooses to make and to whom and other matters of that kind are, save in exceptional circumstances, the business of the individual and of nobody else.

The law recognises that right and protects it.

So begin the sentencing remarks of His Honour Judge McCreath in the Southwark Crown Court on 20 December. The sentences in question were imposed on three men who had been found guilty of offences under section 55 of the Data Protection Act 1998 (DPA). They took place against the background of the bidding for tenancy of the Olympic Stadium. The fines given were not insignificant: £100,000 for Howard Hill, £13,250 for Lee Stewart and £10,000 for Richard Forrest.

It is often said that the sanctions for a criminal breach of the DPA are inadequate. The Information Commissioner regularly recommends the commencement of statutory provisions which would allow a custodial sentence to be imposed in appropriate circumstances, and, indeed, after Lord Justice Leveson made the same recommendation, the government announced it would consult on whether to make the necessary Order to effect this.

It is certainly true that some sentences for the offence (of knowingly or recklessly, without the consent of the data controller, obtaining or disclosing personal data or the information contained in personal data) seem derisory. One stark example was the meagre £150 fine for a probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator. However, it should be noted, and the Olympic Stadium offenders’ sentences illustrate this, that the offence is, by virtue of section 60(2) of the DPA, an either-way offence. The always illuminating ukcriminallawblog has an excellent post explaining what this means:

[either way offences] are offences that can be tried either (hence their name) in the Magistrates’ or the Crown Court. These are generally cases where the culpability (the harm caused to society) is wide ranging and therefore sometimes they will be very minor offences and sometimes very serious ones…For example, theft is either way. It can vary from someone who shoplifts a packet of crisps up to somebody who steals millions of pounds from a bank.

On a plea of not guilty to a section 55 charge, the prosecution will be transferred to a crown court if it appears to the magistrates’ court that the likely sentence exceeds their maximum sentencing power of a £5,000 fine. Once transferred, the fine is potentially unlimited. This is why the fines were so high in these cases.

I won’t rehash what is in the very clear and instructive sentencing remarks. But what I will say is that the seriousness with which a section 55 DPA offence is viewed by a court is inherently tied up with what value society attaches to privacy and security of personal data.

That value changes over time, and varies according to the evidence of the impact DPA contraventions have on the individuals affected.


CQC and data protection, redux

In June this year I blogged about the furore caused when the Care Quality Commission (CQC) initially refused, citing data protection law, to identify four members of staff who were alleged to have tried to cover up a critical internally-commissioned report into its oversight of the University Hospitals Morecambe Bay NHS Trust.

Even Christopher Graham, the Information Commissioner, got involved, saying

This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear

and, perhaps as a result of his intervention, the day after the news broke, the CQC changed position, saying

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

I had wondered if the reason for the initial non-disclosure was because of doubt as to the veracity of the reported cover-up comments, perhaps in conjunction with a challenge by the data subjects, on the basis that publishing that they had made those comments was untrue, and potentially defamatory and, therefore, in breach of the Data Protection Act 1998 (DPA):

on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage

Yesterday, news emerged that the CQC had published a statement on its website exonerating one of the people named

  • Anna Jefferson had not used “any inappropriate phrases” as attributed to her by one witness quoted in the Grant Thornton report; and

  • Anna Jefferson had not supported any instruction to delete an internal report prepared by a colleague – Louise Dineley.

The CQC regrets any distress Anna Jefferson has suffered as a consequence of this matter

So, it looks like someone was wrongly identified as committing an act of misconduct. Ms Jefferson is said to have been “deeply upset” by the allegations, and describes it as having been a “difficult time”.

In a postscript to my original blog post I wondered idly about

the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA

It is possible that the statement on the CQC website is in fact an attempt to avoid this, or alternative, legal action. I wonder if Christopher Graham is going to revisit his comments.


Two more years for Chris Graham?

I think one mark of a true information rights nerd is whether they read minutes of meetings at the Information Commissioner’s Office (ICO), which are published, with a generally admirable commitment to transparency, on their website.

While browsing some recent minutes (of the Management Board meeting of 22 July) I noticed something interesting, which I wasn’t aware of (and haven’t seen anyone else pick up on?). Under a heading of “Major issues affecting the ICO” is

The Ministry of Justice has confirmed the Government’s intention to recommend to HM The Queen that Christopher Graham is reappointed as Information Commissioner [IC] for a period of two years following his current tenure ending in June next year.

The IC is a Crown appointment and his or her tenure is set at five years (paragraph 2(1) of Schedule 5 of the Data Protection Act 1998) but, by virtue of paragraph 2(5), he or she may be reappointed, provided he or she is not over 65, or has not already served for fifteen years. The reappointment of Christopher Graham (born 1950) will (if it happens) take him to that retirement age of 65.

This is hardly shock news: all three of Graham’s predecessors as IC (formerly “Data Protection Registrar”) were reappointed after their initial terms of office, and he has, on most objective analyses, performed well in office: he got rid of the appalling backlog of Freedom of Information cases he inherited, and has been an effective stern-faced enforcer of data protection breaches. What he hasn’t done, yet, is see the implementation of the General Data Protection Regulation – the updating of the creaking 18-year-old current European data protection regime. But, given the apparently interminable wrangling about that instrument, one wonders whether an extra two years, starting in June 2014, will even help him achieve that.


The loophole to avoid enforcement?

Cabinet Office, FOI, Financial Times, Christopher Graham, blah blah blah

To recap. The Financial Times recently ran a resounding editorial on FOI, the ICO and the Cabinet Office, lauding the first, criticising the second’s lack of enforcement against the first, and lambasting the third. The Information Commissioner himself, Christopher Graham, replied in rather hurt tones, defending his office. Both Paul Gibbons (FOIMan) and Tim Turner have blogged on this. Here are my oar-sticking-in-coattail-hanging observations.

A key measure used by the Information Commissioner’s Office (ICO) to assess public authorities’ compliance with the Freedom of Information Act 2000 (FOIA) is the percentage of requests which are responded to within the statutory twenty day timescales. The guidance on this says

The ICO is may contact authorities [sic] if…(for those authorities which publish data on timeliness) – it appears that less than 85% of requests are receiving a response within the appropriate timescales.

Let’s ignore the obvious and worrying point that this is an encouragement not to publish such data. Fortunately for our purposes, government departments do commit to doing so, and quarterly reports covering the whole of central government are published. I can’t actually find them all on one page, so here are the reports for the last four quarters:

April-June 2012
July-September 2012
October-December 2012
January-March 2013

If you scroll through those datasets you’ll see that, over the last four quarters, the Cabinet Office has managed to respond to FOI requests within the statutory time limit or with a permitted extension in 92, 93, 95 and 86% of cases. Pretty good eh? This keeps them out of reach of the ICO radar. And, in fact, just prior to this, the Cabinet Office had been monitored by the ICO, and been required to sign an undertaking to improve, after appalling previous statistics had showed compliance in only 42 and 55% of cases in two quarters. After this monitoring period (the MoD were also monitored) the ICO announced

Both authorities have now improved their response times with over 85% of information requests being answered within the time limit of 20 working days and are working hard to deal with outstanding requests where responses have been unduly delayed. The ICO will continue to offer support and advice to help both Departments to ensure that outstanding requests are cleared as soon as possible.

However, what does “with a permitted extension” mean? It means that, in complex cases where a public authority needs more time to consider whether the public interest favours disclosure, it can disapply the twenty-working-day deadline and extend its time for compliance indefinitely, subject to reasonableness (although the ICO says it should be no more than an extra 20 days, he cannot enforce that). So let’s go back to those figures and see how the Cabinet Office would do if there wasn’t this potential loophole. If one simply asks “what percentage of requests were responded to within 20 working days?”, the figures are in fact 77, 77, 79 and 74%. Of course, without access to individual cases it is impossible to say whether these multiple extensions to consider the public interest were made legitimately or not. However, the Cabinet Office appears to claim the extension much more than most other departments (the Foreign and Commonwealth Office has similar figures, however).

I am sure the Cabinet Office will claim that the reason it does this is that it has to deal with more complex cases. Maybe that’s the case, but it would be nice if someone could look into it. And, of course, the ICO could. The guidance on how authorities are selected for monitoring doesn’t stop at the 85%-compliance measure. It also says they may contact authorities if

our analysis of complaints received by the ICO suggests that we have received three or more complaints citing delays within a specific authority within a six month period [or if there is] Evidence of a possible problem in the media or other external sources.

To which I say, ICO, the evidence is clear (look at Tim’s analysis, look at Paul’s, even look again at Chris Cook’s). Compliance stats are not the only measure (and even then they may hide the true picture). The triggers for enforcement are there, but is there a will?

And finally.

The future of the ICO’s funding and functions

In February of this year the House of Commons Justice Committee took evidence from the Information Commissioner and his two deputies, and in March published a lengthy, sympathetic and wide-ranging report on The functions, powers and resources of the Information Commissioner. The Committee has now published the government response, which was in the form of a letter from Lord McNally, Minister of State for Justice. With the greatest of respect for the Ministry of Justice, the response seems to be little more than a deft kick into touch. Here are some examples.

The report raised various concerns about future funding for the Information Commissioner’s Office (ICO). Firstly, it noted that the ICO cannot use the money it receives for FOI work in the form of grant-in-aid for Data Protection work, nor can it use the funding it receives for Data Protection work from notification fees for FOI work. The report recommended that

The Government should consider relaxing the governing rules around virement and overheads

Lord McNally’s response says

…my officials have been working with the ICO to explore the potential for greater flexibility in the way the ICO apportions shared costs between the Freedom of Information (FOI) and Data Protection (DP) funding streams, in line with the Committee’s recommendation

Which adds little, if any, new information.

The report also noted that, if the European draft General Data Protection Regulation (GDPR) is passed in its current form, the ICO’s main funding for Data Protection work – notification fees – will be removed. It recommended

The Government needs to find a way of retaining a fee-based self-financing system for the data protection work of the Information Commissioner, if necessary by negotiating an option for the UK to retain the notification fee or introduce an alternative fee. If the Government fails to achieve this, the unappealing consequence will be that funding of the ICO’s data protection work will have to come from the taxpayer.

To which Lord McNally replied

The work we intend to undertake in partnership with the ICO will include drawing upon research commissioned by the ICO into future funding options, and analysis they have done into the effectiveness of the tiered notification fee system which has been in place since 2009. I would like to reassure the Committee that the Government is committed to ensuring that the Information Commissioner is appropriately resourced.

Er, OK, but does that really say anything at all?

Independence of ICO

The Committee had linked the issue of adequacy of resources to the ICO’s relationship with the executive. If the regulator is reliant on government grant, can it be truly sufficiently independent? Their recommendation was

With the potential removal of the notification fee through the EU Regulation, we reiterate our recommendation that the Information Commissioner should become directly responsible to, and funded by, Parliament

Previously, during a Westminster Hall debate in January, justice minister Helen Grant had been clear that the government did not think this was appropriate. Lord McNally though was – again – equivocal

Whilst there are currently no plans for the Information Commissioner to be a Parliamentary body or to be funded by Parliament, the work we are taking forward on the ICO’s long-term funding and operating model will consider the range of recommendations that have been made by your Committee and others, including Lord Justice Leveson in relation to the future powers, governance and accountability arrangements of the ICO. I look forward to updating the Committee in due course.

Custodial data protection offences

On the subject of whether, finally, custodial sanctions for section 55 data protection offences should be commenced (see Pounder et al, passim), the Committee was clear

We call on the Government to adopt our previous recommendation, as well as that of the Home Affairs Committee, the Joint Committee on the Draft Communications Data Bill and the Leveson Inquiry, and commence sections 77 and 78 of the Criminal Justice and Immigration Act 2008 to allow for custodial sentences for breach of section 55 of the Data Protection Act 1998.

On this at least Lord McNally had a small piece of actual news. The government is to consult on Lord Justice Leveson’s proposals on data protection arising from his inquiry into the culture, practices and ethics of the press

It is…the Government’s view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to make an Order introducing custodial sentences under section 77 CJIA (a statutory requirement), which will seek views on their impact and how they might be approached.

Compulsory data protection audits

Finally, the Committee had noted the reluctance of some public sector organisations to submit to the offer of a data protection audit by the ICO. They found it “shocking” that this should be the case (sensitive souls eh?) and recommended that the power of compulsory audit should be extended (it currently applies to government departments)

We recommend the Secretary of State bring forward an order under section 41A of the Data Protection Act to meet the recommendation of the Information Commissioner that his power to serve Assessment Notices be extended to NHS Trusts and local councils.

Lord McNally confirmed that consultation was already under way regarding the extension of this ICO audit power to compel NHS bodies to submit, but he was – you’ve guessed it – equivocal on whether local government would be similarly compelled

There are currently no plans to extend the Information Commissioner’s powers of compulsory audit to local government but the Department for Communities and Local Government are taking a partnership approach to improving local government’s compliance with data protection principles.

I can’t help seeing Lord McNally’s response as little more than a polite nod to the Justice Committee. It promises very little (other than a consultation on Leveson’s data protection proposals, which, given the continuing wrangles over the GDPR, I can’t see achieving much quickly) and delivers nothing immediate. However, the ICO tweeted this morning that it welcomed the response regarding funding and powers, so maybe the future of the independent regulator of transparency and privacy is being decided behind closed doors.