Tag Archives: DPA

January 18, 2014 · 11:11 am

If not that, then this?

Does the dropping of criminal charges against police officers under data protection and computer misuse legislation open the door to investigation of their employer’s civil liabilities?

The BBC reports that criminal charges have been dropped against three Nottinghamshire police officers. The charges appear to have been originally brought under the Data Protection Act 1998 (DPA) and Computer Misuse Act 1990 (CMA), and, according to the Police Federation it seems they were dropped because

prosecutors had found issues with training and advice on data protection for officers

Under section 55 of the DPA it is an offence to knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data. But the elements of the offence are not made out if the person doing this acted, for instance, in the reasonable belief that he or she had a lawful right to obtain or disclose the data, or if the obtaining was necessary for the purpose of preventing or detecting crime. Similarly, the offence of unauthorised access to computer material under section 1 of the CMA is only committed if the person knows that the access is unauthorised. If inadequate training and advice on access to data is given to employees of a data controller, then it will be difficult – as this story seems to reveal – to bring prosecutions. Effectively, the mens rea element of the offence is lacking.

However, perceptive readers of this blog might have noticed something: if incidents of inappropriate access to personal data have occurred, as appears to have been the case here, and the individuals accessing the data have been inadequately trained, does that not raise issues about the employer’s (the data controller’s) compliance with the seventh data protection principle in Schedule One of the DPA? This provides that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data

The Information Commissioner’s Office (ICO) has repeatedly stressed that appropriate staff training is essential for compliance with the seventh principle. The ICO has the power, under section 55A of the DPA, to serve a civil monetary penalty notice on a data controller which has seriously contravened the DPA, where the contravention is of a kind likely to cause substantial damage or substantial distress. One wonders whether the ICO will now look into Nottinghamshire Police’s compliance with the Act, in view of the fact that incidents serious enough to bring now-dropped criminal charge took place, and the fact that they appear to have taken place against a background of inadequate staff training.

5 Comments

Filed under Breach Notification, Data Protection, Information Commissioner, monetary penalty notice, police, Privacy

Tagged as ,

January 13, 2014 · 4:42 pm

Why I’ve opted-out of care.data

Last week, after months of (over)thinking about it, I sent my GP a letter, based on the excellent template by the tireless MedConfidential refusing consent for identifiable data from my electronic medical records to be transferred to the Health and Social Care Information Centre (HSCIC).

I won’t rehearse the eloquent arguments against the current care.data proposals that you can read on MedConfidential’s site, and elsewhere (for instance GP Neil Bhatia’s excellent site). Nor will I rehearse arguments in favour. I have written about the subject in the past, and I don’t want to add to the general clamour. What I do want to say is why I have opted-out:

  • I’ve been struck by the inaccuracy and disingenuousness of the information which is being given to us in support of care.data. We are told, for instance, that “Your date of birth, full postcode, NHS Number and gender rather than your name will be used to link your records in a secure system, managed by the HSCIC. Once this information has been linked, a new record will be created. This new record will not contain information that identifies you”. This is cleverly worded: it does not say (because it would not be true) that this data will be anonymised, but it certainly tries to give that impression.
  • I have, ever since I first became aware of this issue, noted that there has been a lack of openness on the part of proponents. This has manifested itself in many ways, and people should be aware that the current leafleting campaign (as flawed as it is – note that it is not personally addressed to individuals, but simply sent to households, and doesn’t contain a form enabling people to opt-out) would not have come about were it not for concerns raised about this lack of openness.
  • I’ve noted the emotive campaign launched by leading charities in support of the campaign. But I’ve also noted the response by MedConfidential  which highlights that the charities’ campaign doesn’t draw attention to secondary usage of the information gathered, which could potentially be by pharmaceutical and other commerical companies, universities and other academic organisations, information intermediaries and think-tanks. On a general level, I do not think that amassing of personal data can ever be without potential risks and drawbacks, some of which include – the risk of breaches of data security, the risk of people failing to seek medical advice because of privacy fears, commercial use – and none of which are addressed in the charities’ campaign.
  • Finally, and, for me, crucially, if I fail to opt-out now, I’ve lost my chance – my data once uploaded cannot be deleted. However, opting out now does not preclude opting in in future. So, should I subsequently become convinced that societal and individual benefits from this amassing of electronic personal data outweigh my strong concerns about privacy and consent, I can change my mind in a way I couldn’t if I failed to opt out now.

13 Comments

Filed under Confidentiality, Data Protection, data sharing, Privacy

Tagged as ,

January 6, 2014 · 5:01 pm

Unintended data protection consequences of Defamation Act and ICO proposals?

Might changes to defamation law, and to the Information Commissioner’s practices, lead to an increase in court claims about accuracy of personal data?

A statement is not defamatory unless its publication has caused or is likely to cause serious harm to the reputation of the claimant

This is the bold subsection (1) to section 1 of the Defamation Act 2013, which was commenced in England and Wales on 1 January 2014. This – in part the culmination of a strong campaign – is a potentially significant change to domestic libel law, meaning that (in the words of the explanatory notes to the Act)

the bar [is raised] for bringing a claim so that only cases involving serious harm to the claimant’s reputation can be brought

But often where a bar is raised in one place, a gap will be found in another. I wonder if, along with another development -namely, the Information Commissioner’s proposals to change its approach to regulation of the Data Protection Act 1998 (DPA) – it might lead to an increase in DPA claims.

11KBW’s Robin Hopkins wrote an important article last year, whose title helpfully summarises its argument: The Data Protection Act in defamation cases: increasingly relevant, potentially primary? In it, he identified a possible trend, citing two cases in particular as illustration – The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB) and Desmond v Foreman, & Ors [2012] EWHC 1900 (QB), of

The Data Protection Act 1998…increasingly being deployed as part of a claimant’s arsenal in defamation claims […] in some circumstances, the DPA may appropriately play the lead role rather than a supporting one in a complaint about unjustifiable and damaging communications about individuals

There are a number of potential claims which an aggrieved individual can make using the DPA. For our purposes here, though, the relevant provisions are those at section 14, dealing with inaccuracy

If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data

Clearly, inaccuracy – normally in the form of an untruth – is an important part of a defamation claim. If, now, those claims formerly made in defamation which were not worth the wick, let alone the candle are (statutorily) barred by virtue of section 1 of the Defamation Act 2013, will persistent claimants seek another route? Inaccuracy of personal data is a prima facie contravention of the fourth data protection principle in Schedule One of the DPA, and section 14 is a legitimate and specific legal route by which a person may have that inaccuracy corrected.

It should be noted, though, that the court does retain discretion (n.b use of “may” in section 14) as to whether to order rectification etc. An alternative route has traditionally been, of course, by means of making a request for assessment, under section 42 of the DPA, to the Information Commissioner (IC), as to whether processing of one’s personal data has been or is being carried out in compliance with the DPA. Upon receipt of a valid request of this type, the IC is required (“shall make…”) to make an assessment (although he retains discretion as to what is an appropriate manner for it to be made). I say “traditionally” because, as David Erdos argued in a guest post on this blog recently, the IC, in a consultation on a future approach to dealing with DPA complaints and concerns

proposes to decide on its own account whether or not to assess the merits of a concern validly sent to it for assessment under the Data Protection framework

but, as David, notes, this proposal does not appear to be in accordance with the IC’s legal obligation to make an assessment in relevant circumstances.

Nonetheless, and to the extent that such a proposal (or a tweaking of it) might be held to be lawful, it certainly seems to signal a desire on the IC’s part to  (in Tim Turner’s words)

start ignoring more individual complaints, and concentrate on what it considers to be strategic priorities

If that is so, then might complainants who wish to challenge the accuracy of their personal data, more readily look to bring section 14 claims against the data controller? Might the IC be shifting its burden not only on to data controllers themselves, but also on to the already overloaded justice system?

Leave a comment

Filed under Data Protection, defamation, Information Commissioner

Tagged as , ,

January 4, 2014 · 8:33 am

ICO’s Consultation on Responding to Data Protection Concerns: An April Fool or Worrying Implications for the Rule of Law?

A guest post by Dr David Erdos, University Lecturer in Law and the Open Society, University of Cambridge

In the run up to Christmas, the Information Commissioner’s Office (ICO)  published a document entitled “Our new approach to data protection concerns”, which set out on a consultation basis how from 1 April 2014 it intends to deal with the concerns/complaints it receives vis-à-vis the Data Protection Act 1998.

It has been clear for some time that, rather in contrast to how it deals with complaints under the Freedom of Information Act 2000, the ICO’s approach to many of the approximately 40,000 Data Protection complaints it receives has been cursory. The proposals forwarded in the Consultation Document are nevertheless (to my mind at least) rather startling. In sum (and without any April Foolery intended!), the document states that from 1 April, the Office proposes to decide on its own account whether or not to assess the merits of a concern validly sent to it for assessment under the Data Protection framework. A quote on page 6 of the document is particularly enlightening. This states that in the future the ICO will respond to such concerns in the following fashion:

We may make an assessment under section 42 of the DPA where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client’s concern. We will decide how we can best tackle each concern on a case by case basis. (emphasis added)

(Relatedly, it also seems to be no accident that the consultation is squarely aimed at those who are regulated by the ICO i.e. Data Controllers (indeed all the discrete questions asked could only be answered by them!) even though such a radical proposal obviously has serious implications for Data Subjects as well).

The ICO’s suggested approach is hugely problematic from a rule of law point of view. Section 42 of the Data Protection Act is crystal clear that “any person who is, or believes himself to be, directly affect by any processing of personal data” may make a request for assessment to the ICO “as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions” of the Act. On receiving such a request the Commissioner “shall make an assessment” (s. 42 (1)) (emphasis added). This duty is an absolute one and whether it has been carried out must also be communicated to the person who made the request (s. 42 (4)). All this is a transposition of Article 28(4) of the Directive which states that

Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of persona data. The person concerned shall be informed of the outcome of the claim.

The Directive particularly emphasises that the authority must hear claims for checks on the lawfulness of any restriction on Data Protection rights adopted by Member States under Article 13 of the Directive and that the person who made the claim shall “be informed that a check has taken place”. It is true that the UK legislation includes some language granting a degree of discretion to the Commissioner as to how he goes about making assessments. However, the obligation to carry out a legal assessment of processing vis-à-vis the Data Protection framework is mandatory. In contrast the ICO’s Consultation Document sees responding to concerns/complaints from the public with such an assessment as discretionary. From now on, it is suggested, a very large number of concerns/complaints will only be treated as a “source of intelligence” (p. 8) for the Office.

It is, of course, possible to have some sympathy for the ICO’s fear of being over-burdened by complaints, especially those which appear to be frivolous or vexatious. Even if this was accepted, however, one might reasonably worry about giving a regulatory agency, particularly one concerned with human rights, the sort of carte blanche discretion the ICO are envisaging in this Consultation. This discretion sits particularly uneasily with the pan-European commitment in the EU’s Charter of Fundamental Rights to recognise Data Protection as a discrete fundamental individual right, the duties arising from which are to be “subject to control” by the data protection agencies (Article 8). In any case, what is far more relevant from a rule of law perspective is that such a wide discretion is not part of the current legislative framework at either the national or the pan-EU level. To the contrary, the ICO has a statutory duty to consider all bona fide requests for assessment. This is a key right given to data subjects under the current Data Protection scheme. The ICO should not be seeking to unilaterally resile from it.

The ICO’s Consultation Document can be accessed here (http://www.ico.org.uk/about_us/consultations/our_consultations) and responses should be sent to consultations@ico.org.uk by 31 January 2014.

7 Comments

Filed under Data Protection, Information Commissioner

Tagged as ,

January 2, 2014 · 1:33 pm

Shaming the not guilty

UPDATE
9 January 2014, after a bit of prompting, the Information Commissioner’s Office have confirmed to me that they are looking into whether Staffordshire Police’s twitter campaign was compliant with the Data Protection Act
END UPDATE

Is Staffordshire Police’s social media campaign naming those charged with drink-driving offences fair and lawful?

A month ago I wrote about media coverage of Sussex Police’s crackdown on drink-driving. I was concerned that the impression was being given by the media that the police were “naming and shaming” people who had merely been charged – not convicted – with the offence. I asked Sussex Police if they were happy with the words attributed to them by the Eastbourne Herald but they chose not to reply (which I suppose is one way of dealing with enquiries from the public).

I have to concede that, in that instance, it was not clear whether the police themselves were suggesting people were guilty of an offence before any conviction. However, I heard today (thanks @primlystable) that Staffordshire Police have been running a campaign which is much more overt in its suggestion that people who have been charged with drink-driving offences can be called “drink drivers”. They have been running a social media campaign using the hashtag #drinkdriversnamedontwitter, and, they announce, there has been “overwhelming support” for it

Overwhelming support #drink drivers named on twitter

Staffordshire Police has received tremendous support for its name and shame tactic to reduce the number of drink-drivers.

Nearly 500 people completed an on-line survey asking whether they supported naming people charged with drink-drive offences and whether it would help people think about the consequences of this type of offence.

But the blurring of the line in that press release between the guilty and the not-proven-guilty is highly problematic. If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against 1.

I asked the Attorney General’s Office (by twitter) what it thought of the use of the hashtag against the names of those merely charged with an offence, but, in saying

Tweets are same details automatically given to Magistrates’court and made public at hearing – not contempt in this case

I think they rather missed the point – it wasn’t the naming of charged people which concerned me, it was the association of the name with the hashtag. And, in an excellent response on twitter @richgreenhill said

You’d be similarly sanguine about tweeting certain names and “#phonehacker” right now?

But I’ve also asked the Information Commissioner’s Office (ICO) whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully. The ICO has shown itself commendably willing recently to challenge unfair processing, and has, for instance, served DPA enforcement notices against Southampton City Council for making it a licensing requirement that taxi drivers have continuous CCTV-with-audio in their cabs, and against Hertfordshire Police for its automatic number-plate recognition “ring of steel” around Royston. I would urge the ICO to consider whether this current campaign warrants some regulatory action.

As I was writing this piece I saw a news item in which a traffic lawyer has called for the Staffordshire Police and Crime Commissioner (PCC) to resign as a result of the campaign, saying

By his comments he is now presuming that everyone named by his officers are guilty as charged even before they have appeared before a court. In other words he is demonstrating a cavalier disregard for the presumption of innocence.

His comments have potentially prejudiced every drink driving case before it is heard.

This pitches it stronger than I have, but I also note that Matthew Ellis, the PCC, has said in response

No-one will be named where there is any doubt

That is deeply concerning: it is no part of the police’s role to determine or pronounce on someone’s guilt or innocence.

1.Ministry of Justice, Criminal Justice Statistics, Quarterly Update to December 2010

16 Comments

Filed under Data Protection, human rights, Information Commissioner, police, social media

Tagged as , ,

December 30, 2013 · 1:47 pm

Making Motorman names public

UPDATE: 7 January 2014

In the comments to this piece the requester has informed me that the ICO is appealing this decision. Given how long the Upper Tribunal takes to turn things round, I don’t think we’ll be seeing these names for some time (if at all – if the ICO succeeds). I’ll keep the original post up though for the time being

END UPDATE.

So…will we get to see the names of the Operation Motorman journalists within the next week? Or will there need to be a bit of an extra push?

I tweeted earlier today to the effect that time is nearly up for the Information Commissioner’s Office (ICO) to disclose names of some of the journalists named in the ICO “What Price Privacy” report as having engaged the services of rogue private investigator Steve Whittamore, who was convicted in 2005  under the Data Protection Act 1998 (DPA) of offences of illegally obtaining personal data.

My blog post from earlier this month describes how the First-tier Tribunal ordered on 29 November 2013, after a rather convoluted series of hearings on the papers, that the ICO disclose within 35 days

many, but not all, of the names of journalists recorded…as clients of the investigator at the heart of Operation Motorman…together with the names of the media outlet with which [they were recorded as having been] associated at the time

By my calculations, those 35 days are up at 17:00 next Monday (see part 2.8 of Civil Procedure Rules and rule 12(1) of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009). This is, of course, unless the ICO has appealed the decision, but, as at 19 December, no such appeal appeared to have been lodged.

It is possible, however – bear in mind that the Order was for disclosure within 35 days – that the information has already been disclosed to the applicant – a Mr Christopher Colenso-Dunne. If that is the case, and if the applicant chooses not to make it public, then we may not yet see those names (it has been suggested to me that the person by that name for whom Google gives a search return may not be the applicant here). The Freedom of Information Act 2000 (FOIA) does not, in strict terms, oblige a public authority to make information public. Rather, it must “communicate” information to a person who has requested it (subject to the application of any exemptions). Although it is often said that disclosure under FOIA is to be taken as disclosure to the world at large, this operates as a concept, not a requirement. Some public authorities do, however, operate a “disclosure log” where some or all information disclosed under FOIA is made publicly available.

The ICO itself has a disclosure log, although it restricts this to responses “which we feel are of wider public interest”. There also appears to be a bit of lag in uploading responses (the last was one from 18 October).

One would certainly hope that, if the ICO is not appealing the decision, it will proactively disclose the information ordered to be disclosed. But, just in case, I’ve made a FOIA request for the same information, via whatdotheyknow.com, where it would be available for anyone to see (and which, of course, I’ll withdraw if the information becomes public in the interim).

3 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism

Tagged as , ,

December 24, 2013 · 2:20 pm

The seriousness of personal data breaches

Our privacy is, for good reason, important to all of us.

What a person has in his or her bank account, what a person chooses to write and to whom, what telephone calls a person chooses to make and to whom and other matters of that kind are, save in exceptional circumstances, the business of the individual and of nobody else.

The law recognises that right and protects it.

So begin the sentencing remarks of His Honour Judge McCreath in the Southwark Crown Court on 20 December. The sentences in question were imposed on three men who had been found guilty of offences under section 55 of the Data Protection Act 1998 (DPA). They took place against the background of the bidding for tenancy of the Olympic Stadium. The fines given were not insignificant: £100,000 for Howard Hill, £13,250 for Lee Stewart and £10,000 for Richard Forrest.

It is often said that the sanctions for a criminal breach of the DPA are inadequate. The Information Commissioner regularly recommends the commencement of statutory provisions which would allow a custodial sentence to be imposed in appropriate circumstances, and, indeed, after Lord Justice Leveson made the same recommendation, the government announced it would consult on whether to make the necessary Order to effect this.

It is certainly true that some sentences for the offence (of knowingly or recklessly, without the consent of the data controller, obtaining or disclosing personal data or the information contained in personal data) seem derisory. One stark example was the meagre £150 fine for a probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator. However, it should be noted, and the Olympic Stadium offenders’ sentences illustrate this, that the offence is, by virtue of section 60(2) of the DPA, an either-way offence. The always illuminating ukcriminallawblog has an excellent post explaining what this means:

[either way offences] are offences that can be tried either (hence their name) in the Magistrates’ or the Crown Court. These are generally cases where the culpability (the harm caused to society) is wide ranging and therefore sometimes they will be very minor offences and sometimes very serious ones…For example, theft is either way. It can vary from someone who shoplifts a packet of crisps up to somebody who steals millions of pounds from a bank.

On a plea of non-guilty to a section 55 charge the prosecution will be transferred to a crown court if it appears to the magistrates’ court that the likely sentence exceeds their maximum sentencing power of a £5000 fine. Once transferred, the fine is potentially unlimited. This is why the fines were so high in these cases.

I won’t rehash what is in the very clear and instructive sentencing remarks. But what I will say is that the seriousness with which a section 55 DPA offence is viewed by a court is inherently tied up with what value society attaches to privacy and security of personal data.

That value changes over time, and varies according to the evidence of the impact DPA contraventions have on the individuals affected.

4 Comments

Filed under Data Protection, Information Commissioner

Tagged as , ,

December 14, 2013 · 9:28 am

Data protection compensation – an alternative route?

Compensation for data protection breaches can be difficult to secure – but if the data controller is a public authority there may be an alternative to legal claims

One of the outcomes of what was by any standards a disastrous breach of the Data Protection Act 1998 (DPA) was announced this week, when Hodge Jones & Allen LLP (who might want to proofread their press releases a bit better) issued a statement saying that they had secured compensation payments totalling £43,000 for fourteen residents who had brought claims against Islington Council. They were among fifty residents whose personal data was mistakenly given to ten people upon whom the Council was serving anti-social behaviour orders (ASBOs). As the Islington Gazette reported at the time

council staff passed details of 51 people, many of whom had complained about antisocial behaviour (ASB) on the council’s flagship ASB hotline, to 10 thugs who had been causing trouble on the Andover estate, off Seven Sisters Road, Holloway…The gang, who had been smoking drugs and abusing passers-by, now have the names, street names and phone numbers where given of the residents, after the information was inadvertently attached to injunctions banning them from the estate…Police activity has been stepped up on the Andover, but many victims of the breach are from other areas.

The Gazette also reported that six families were to be rehoused, no doubt at considerable cost to the Council.

The law firm’s announcement (which also appears to relate to claims made by people who, in a separate incident involving the same council, had their personal data inadvertently exposed on a website) means, of course, that any claims will not go to trial, and we will not get the chance of a judicial determination of whether, or to what extent it is possible for claimants in these circumstances to gain compensation for pure distress, in the absence of actual damage.

Data Protection lawyers and practitioners will be well aware of this issue, and I wrote about it earlier this year. To crib my own post:

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered….[the position is unclear as to] whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect

In the instant cases, it is actually possible that substantial actual damage could have been suffered, but, more probably, these again were cases where (no doubt very high levels of) distress would have lacked compensation for want of the section 13(1) gateway.

In terms of the Council itself, as data controller, it was served by the Information Commissioner’s Office (ICO) with a monetary penalty notice (MPN) of £70,000 for the DPA contravention which led to the “website incident”, and it appears that enforcement action may well result from the ASBO incident (one wonders if the ICO was awaiting the outcome of these legal claims). The ICO will need to determine whether it was a serious contravention of the DPA, of a kind likely to cause substantial damage or substantial distress (for analysis of what this requires, see my recent post here). Such MPNs do not though, in any case, compensate victims, but serve to punish the data controller (and the money goes into the government’s consolidated fund).

The Local Government Ombudsman

One does not know what the specific arrangements were between the claimants and their lawyers, but, unless the work was pro bono some fees will no doubt be owed from the former to the latter. It does occur to me that the claimants had an alternative way of seeking a remedy. The Local Government Ombudsman (LGO) investigates complaints made by people alleging administrative fault (“maladministration”) causing injustice, arising from actions or inactions of local authorities. In 2008 the LGO issued a report following investigation of a complaint that Basildon Council had

published personal and sensitive information about traveller families and their children on its website and in a report that was considered in the open part of a Council committee meeting, where copies were available to members of the public and the press who attended. The information included medical details, and the names and ages of all the children living on the site

But what is particularly interesting is that the LGO’s investigation was informed by a prior finding by the ICO in this matter (uncontested at the time by the Council) that the Council had been likely to have contravened the first data protection principle. The LGO has the power to recommend compensation payments, and in this case recommended each complainant be paid £300. Those payments were eventually effected, albeit after judicial review proceedings (an LGO recommendation is not actually binding on a council, although in the vast majority of cases they are complied).

It does seem to me that the Islington claimants could possibly have gained similar, or more compensation, by making a complaint to the LGO. It also seems to me that – where a DPA contravention by a local authority causes distress but no damage – aggrieved data subjects could consider whether the LGO could assist. And on a similar basis, where the contravention has been by a government department, or the NHS, or some other public bodies, whether the Parliamentary and Health Service Ombudsman could assist.

Leave a comment

Filed under damages, Data Protection, Information Commissioner, monetary penalty notice, ombudsman

Tagged as ,

December 13, 2013 · 7:18 am

Implications of the Home Office data breach

What sanctions might result from the recent Home Office data breach, and how does it relate to the transparency agenda?

News emerged yesterday, through the rather unusual route of a statement to Parliament by Mark Harper, Minister for Immigration, that a spreadsheet containing the personal information of almost 1600 people had been inadvertently published by the Home Office on a government website. The minister’s statement says

between 15 and 28 October 2013 some personal data was available on the Home Office website as part of a spreadsheet alongside the regular data set in error. This was identified by Home Office officials on 28 October 2013 and the personal information was  removed immediately. The personal data related to the names of 1,598 main applicants in the family returns process, their date of birth and limited details about their immigration case type and status

On these conceded facts this would appear to be a clear breach of the Data Protection Act 1998 (DPA), and, specifically, the principles of Schedule 1 to the Act which require that processing be fair and lawful, and that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. But what are the implications of this?

By virtue of section 4(4) of the DPA a data controller – in this instance the Home Office – must comply with those principles. A serious contravention of them, of a kind which is likely to cause substantial damage or substantial distress, can (by section 55A) invoke the powers of the Information Commissioner’s Office (IC) to serve a monetary penalty notice, to a maximum of £500,000. Whether the IC would exercise his discretion to do so would depend on various factors. Firstly, he would need to satisfy himself whether the personal data involved was “sensitive”. Sensitive personal data is afforded greater protection by the DPA, and breaches involving it are accordingly more serious. We are told that the information involved here consisted of people’s names, dates of birth, and their immigration status. Information about a person’s racial or ethnic origin is sensitive personal data – could one derive or infer that from the mistakenly disclosed information? This will be an important question to answer. But, additionally and more simply, it seems that these were “illegal immigrants” – the data was related to immigration family returns, and this would certainly seem to imply either the commission or alleged commission of an offence by those whose data was exposed, and this would also move the data into the category of “sensitive”.

Whether the apparent contravention was likely to cause substantial damage or substantial distress is less clear. The minister points out that there appear to have been fewer than thirty page views, but that we don’t know whether any of those people accessed or downloaded the data. But this perhaps overlooks the part of the statutory scheme which talks about whether the contravention was “of a kind likely” to cause the damage or distress. If for instance, this incident, which we are told is being investigated by the IC, is a symptom of inappropriate or insufficient data security measures, then that factor, rather than this discrete incident, could potentially give rise to sanctions. Also relevant might be what efforts the Home Office has taken to ensure that cached versions of the data have been removed from the internet – it is remarkably easy for information quickly to be captured and mirrored elsewhere, by automated web services.

The IC’s powers are not limited, however, to issuing monetary penalties. He can also issue enforcement notices requiring data controllers to take specified actions, and a breach of an enforcement notice can be a criminal offence. Less seriously, he can simply make a determination as to whether there is likely to have been a breach of the DPA. And he can take informal action, requiring a responsible person at the ministry to sign an undertaking to improve compliance.

The transparency agenda

What I also find noteworthy is that the minister prefaces his statement with remarks about the government’s commitment

to openness and transparency to enable the public to hold the government and other public bodies to account. This government has made more data available than ever before…

These are laudable aims and actions, but, I have written before that the transparency agenda carries with it risks that, in the rush to publish more and more data, there will be privacy and data protection breaches. And if the government and the IC, as regulator, do not do more to alert people to these risks they must be aware that they risk being seen as complicit in such breaches. As I said in my piece for The Guardian

The IC must work with the government to offer advice direct to chief executives and those responsible for risk…So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.

1 Comment

Filed under Data Protection, enforcement, Home Office, Information Commissioner, monetary penalty notice, parliament, transparency

Tagged as ,

December 12, 2013 · 5:44 pm

Restrictions on use of information in litigation

Rule 31.22 of the Civil Procedure Rules provides in terms that a party to litigation can only use a document disclosed to him/her by another party (in the course of those proceedings) for the purposes of those proceedings:

A party to whom a document has been disclosed may use the document only for the purpose of the proceedings in which it is disclosed…

The exceptions to this rule are where the document has been read to or by the court or referred to, at a public hearing, or where the other party consents to its use, or by permission of the court.

A recent judgment of Mr Justice Tugendhat deals with this rule, but also has a rather odd appearance in the wings by the Information Commissioner’s Office (ICO). The case involves an application for a strike-out of a claim by a company (“IG Index”) engaged in spread betting on financial products, which had been the defendant in proceedings in the Employment Tribunal (ET). In the course of those ET proceedings the then claimant (“Cloete” – now defendant), a former network services engineer (who, it was said, had previously raised with his then employer concerns about data security at the company) had provided the defendant company (pursuant to a disclosure order of the ET judge) with a USB stick containing lists of clients of the company (including bank payment details), which it appeared to the company had been copied or retained by the claimant in breach of covenants protecting confidential information.

Separately to the ET proceedings the company claimed orders requiring the delivery up of the documents, and was successful in gaining interim relief for this, and for destruction by Cloete of any electronic copies, ordering him at the same time to pay IG Index’s costs. Cloete complied with these Orders, while at the same time withdrawing his ET claims.

At the full hearing, at which, as Tugendhat J observed, nothing of substance was still sought by IG Index (their substantive relief having been achieved by the delivery up and destruction of the information) what remained in dispute between the parties was, effectively, costs.

However, Cloete now sought strike out on the basis that the only reason IG Index had come to know of the contents of the USB stick was through the disclosure in the ET proceedings. Accordingly, he argued, the use of that information was in breach of CPR 31.22. Tugendhat J agreed, noting, importantly, that the rule applies

to protect not only the documents themselves, but also the contents of those documents, that is to say, the information derived from the disclosed documents

So IG Index’s knowledge that Cloete had, or had had, the documents, was information derived from the disclosed documents. Accordingly, the strike out claim succeeded:

The use of the information in the present proceedings cannot be said to be for the purposes of the Employment Tribunal Proceedings…Nor is the relevant information in this case the property of the Claimant…in my judgment the use of this information for the purpose of advancing a claim for damages is plainly and obviously a breach of the prohibition

There might, it was observed, be cases where to bar a claim in circumstances such as these would give rise to an injustice, but this was not one of those cases, and, in any event, sub-rule (b) (whereby a court can grant permission for use of the material) was available to avoid any such injustice.

The Information Commissioner

What I refer to as the “rather odd” appearance in these proceedings of the Information Commissioner’s Office (ICO) arises because Cloete claimed that he hadn’t retained the information at the centre of the case from the time when he had been employed by IG Index. Rather, while he was employed, he had passed it to the ICO, to express concerns about IG Index’s data security. He only got the documents back, according to his statement to the court, when they were

sent to him by the Information Commissioner six months after his employment had been terminated…following a subject access request he made to the Information Commissioner’s Office on 17 December 2012. On 16 January 2013 the Listed Items were attached to an e-mail he received in response to that request. However, he stated that he did not appreciate at the time he received the e-mail that the Listed Items were attached

One must be careful not to make unwarranted criticism of the ICO – I note that they were not involved in the proceedings at all, and had no opportunity to challenge or clarify Cloete’s statement. However, if that statement accurately reflected what happened it would be odd, to say the least, for the ICO to return this confidential information to someone who had no apparent lawful reason to have it, and also odd that it would have been sent in response to a subject access request under the Data Protection Act 1998, which entitles someone, in broad terms, to copies of their own personal data (not that of clients of their former employer). It would be interesting to know more about this.

Leave a comment

Filed under Data Protection, employment, Information Commissioner

Tagged as ,