Tag Archives: Christopher Graham

Police, poems and FOI

In which I am inspired into literary expression by a rather bizarre ICO decision notice saying that a poem sent by a senior police officer on his mobile device is exempt from disclosure under the “personal data” provisions of the Freedom of Information Act

Mr Plod once sent friends a rhyme
Which was rumoured to be out of line
When a request was lodged
To see what it was
His bosses politely declined

Chris Graham agreed with the force
Saying “It’s personal data because
He’s easy to spot
From the words that we’ve got:
It’s exempt from disclosure, of course!”

A Tribunal may have to decide later
– As the statutory arbitrator –
If it’s rather perverse
To suggest that a verse
Can possibly be personal data.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner, police

Transparent as mud

Our Prime Minister is committed to transparency in government. In June 2010 he set up a Public Sector Transparency Board containing some of the great and good in the field of open data and transparency: you’d struggle to pick better people than Tom Steinberg, Nigel Shadbolt, Rufus Pollock and Tim Berners-Lee (I’m not hyperlinking him – if you don’t know who he is then find out who invented hyperlinks). The Board is chaired by Francis Maude, Minister for the Cabinet Office, who has written – at the same time as he was lambasting Tony Blair’s dispiriting comments on freedom of information –  that

If I ever sit down to write my own memoirs, freeing up government information will not number amongst my regrets. In fact, I very much hope that it will be one of my very proudest achievements.

Mr Cameron seems to feel the same way:

In the years to come, people will look back at the days when government kept all its data – your data – in vaults and think how strange it was that the taxpayers – the people who actually own all this – were locked out.

Now, it so happens that there has been, in recent months, much debate about whether – or rather, to what extent – private emails written by those connected with the Department for Education are “caught” by the Freedom of Information Act 2000 (FOIA).  (Read the BBC’s Martin Rosenbaum and the Financial Times’ Chris Cook on this, I insist). The Information Commissioner has been very clear that his view is that information concerning official business held in private email accounts is subject to FOIA (he’s right, by the way) but Michael Gove, Secretary of State for Education, told the House of Commons Education Select Committee that

The advice that we had received from the Cabinet Office was that anything that was held on private email accounts was not subject to Freedom of Information requests.

So, when, Lisa Nandy, MP for Wigan, tabled a question in parliament on 6 February asking if the Cabinet Office would publish

guidance on private emails and the Freedom of Information Act referred to in the Education Select Committee evidence session of 31 January 2012 as having been issued to the Department for Education.

It was, let’s say, not very encouraging for those of us who support the “transparency agenda” (as it seems it must be called) that she received the following response

Information relating to internal discussion and advice is not normally disclosed

Yep. That’s right – internal information about how a goverment department handles requests under FOIA, is not to be disclosed.

It might be thought odd, or interesting, or both, that the minister who replied to Ms Nandy was Francis Maude, MP. I’ll leave you to write your own jokes.

1 Comment

Filed under Freedom of Information, Information Commissioner, transparency


I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover which meant that customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention


I just question how can you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention?

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message, earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?


Filed under Data Protection, Information Commissioner, PECR, Privacy

Potential big DPA fine for NHS Trust

The Argus, a Brighton newspaper, is reporting that Brighton and Sussex University Hospitals NHS Trust has been served with a “notice of intent to fine” by the Information Commissioner (IC), for a breach of the Data Protection Act 1998 (DPA). The sum proposed is £375,000.

Assuming the story is true, the notice of intent to fine would be, strictly, a notice of intent, under s55B of the DPA, to impose a Monetary Penalty Notice (MPN). MPNs were introduced into the DPA by the provisions of Criminal Justice Act 2003. They provide a means whereby the IC can impose financial sanctions on Data Controllers for serious contraventions of the data protection principles. The maximum amount for an MPN is £500,000, and the sums levied are not retained by the IC, but go to the consolidated fund.

The paper says

The incident relates to the theft of 232 drives out of 1,000 being decommissioned.

The Sussex Health Informatics Service was responsible for the disposal of the drives on the trust’s behalf and had appointed an individual to carry out the job.

In December 2010 it emerged four hard drives had been bought by a data recovery organisation on eBay.

The buyer contacted the trust and the drives were collected with the information destroyed.

An investigation revealed that 232 hard drives in total had been stolen and sold on.

The trust worked with the ICO, NHS Counter Fraud and Sussex Police and all the drives have been recovered.

The trust says there was a very low risk of any of the data being passed into the public domain.

Several points arise from this.

At a proposed £375,000 this MPN, if imposed, would be by far the highest so far served on a data controller. The previous highest – £130,000 – was imposed in December last year on Powys County Council.

The fact that news of the proposed MPN has come out before it has been actually served (that is, at the “notice of intent” stage) is perhaps connected with the fact that the Argus reports that “The trust says it will be contesting the fine”. By s55B(5) of the DPA a data controller in receipt of an MPN may appeal to the Information Tribunal against both the issue of the MPN, and the amount. If the Trust are contesting the fine now, they may ultimately decide to appeal to the Tribunal. This would be interesting: most of the guidance on sanctions for serious contraventions of the DPA comes from the IC himself, and from previous MPNs and undertakings. Many data controllers would find it helpful also to have some judicial analysis to draw on in these circumstances.

Until now, nearly all MPNs have been imposed on local authorities. I’ve previously questioned why this was, and posited that it would be a high risk move for the IC to serve an MPN on the NHS:

one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option: a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essentail but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner

Biting the Hand that Feeds – a Risky Business?

Bloggers in the fields of UK Information Rights can sometimes be critical of the Information Commissioner’s Office (ICO) (we can?). But that’s really because we love the IC and his people. Or, at least, we strongly support the existence of the office, and the principle functions it carries out. There may be disagreements on the decisions and actions taken, but many frustrations are caused by the restrictions on his powers, or as a result of the limited funding he gets.

I noticed earlier this week that Francis Maude, Minister for the Cabinet Office, had told parliament that his Department’s shocking record on compliance with Freedom of Information Act 2000 (FOIA) timescales (in the last quarter only 48% of response met the 20-working-day deadline) was in part as a result of the fact that

The Cabinet Office deals with FoI requests in relation to cabinet papers under the last government which takes some time to be dealt with because we need to consult with ministers in the last government.

As I suggested on twitter, it would be nice if we all could blame our predecessors for our heavy workload (I for one still can’t forgive Rupert Baxter for handing over that tricky planning file to me in 2002) but this really is not good enough as an excuse.

In the same period in which the Cabinet Office achieved 48% compliance, the Ministry of Justice (MoJ) achieved a still very poor 75% (by contrast the Department of Health achieved 99%, the Department for Culture, Media and Sport 96% and the Department for Work and Pensions 93% – all these figures are from the MoJ’s own quarterly stats) The MoJ is the sole provider, by means of grant in aid, of funding for the IC’s Freedom of Information work (the IC also receives approximately £15 million from the notification fee that data controllers pay to operate under the Data Protection Act 1998 (DPA), but this is ring-fenced for DPA work). This FOI grant amounted last year to approximately £5.5 million. However, that grant is at risk of reduction, and the IC is concerned about that. His risk register has recently been disclosed and this shows as a “red risk” a “gap between FOI resources and incoming casework affects FOI and DP casework…” and it is clear that this risk potentially leads on to others, such as the “ICO reputation suffers because some of the risks facing the ICO materialise…”. None of this is real news, of course. Christopher Graham himself told the Home Affairs Select Committee

Like all public authorities, we are having to take our slice of the cuts. We are responding to that constructively, trying to achieve better for less. But the fact is that if we are asked to do more and more under the transparency and accountability agenda, we will need the resources to do it.

Now consider this: the IC is under a statutory duty to operate so as to ensure the observance by public authorities of their requirements under FOIA. One means by which he does this is to monitor authorities which repeatedly or seriously fail to respond to freedom of information requests within the appropriate timescales. This monitoring can be a precursor to further action, and the Cabinet Office was subject to such further action when it signed an undertaking with the IC in June this year to improve its performance.
The IC says that he is likely to monitor authorities if, among other criteria, “(for those authorities which publish data on timeliness) it appears that less than 85% of requests are receiving a response within the appropriate timescales”. Well, as we have seen, it certainly appears, from the published data, that less than 85% of requests to the MoJ are receiving a response within the appropriate timescales. Interestingly, in the previous quarter the figure was 83%, the quarter before that 87% and the quarter before that 88%. A downward trend like that is arguably further evidence of a need for monitoring, and it would be interesting to know if the IC takes this into account, or whether, perhaps, he takes an annual average from those quarterly stats.
So a simple question arises – when the next group of authorities whose compliance is begin monitored is announced, will it include the MoJ? Will the IC risk biting the hand that feeds him?


Filed under Freedom of Information