
There’s nothing like transparency…

…and this is nothing like transparency

Those of us with long memories will remember that, back in 2007, in those innocent days when no one quite knew what the Freedom of Information Act 2000 (FOIA) really meant, the Information Commissioner’s Office (ICO) disclosed some of its internal advice (“Lines to Take” or “LTTs”) to its own staff about how to respond to questions and enquiries from members of the public about FOIA. My memory (I hope others might confirm) is that ICO resisted this disclosure for some time. Now, the advice documents reside on the “FOIWiki” pages (where they need, in my opinion, a disclaimer to the effect that some of them at least are old, and perhaps out-of-date).

Since 2007 a number of further FOIA requests have been made for more recent LTTs – for instance, in 2013, I made a request, and had disclosed to me, a number of LTTs on data protection matters.

It is, therefore, with some astonishment, that I note that a recent FOIA request to ICO for up-to-date LTTs – encompassing recent changes to data protection law – has been refused, on the basis that, apparently, disclosure would, or would be likely to, inhibit the free and frank exchange of views for the purposes of deliberation, and would otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs. This is problematic, and concerning, for a number of reasons.

Firstly, the exemptions claimed, which are at section 36 of FOIA, are the statute’s howitzers – they get brought into play when all else fails, and have the effect of flattening everything around them. For this reason, the public authority invoking them must have the “reasonable opinion” of its “qualified person” that disclosure would, or would be likely to, cause the harm claimed. For the ICO, the “qualified person” is the Information Commissioner (Elizabeth Denham) herself. Yet there is no evidence that she has indeed provided this opinion. For that reason, the refusal notice falls – as a matter of law – at the first hurdle.

Secondly, even if Ms Denham had provided her reasonable opinion, the response fails to say why the exemptions are engaged – it merely asserts that they are, in breach of section 17(1)(c) of FOIA.

Thirdly, it posits frankly bizarre public interest points purportedly militating against disclosure, such as that the LTTs “exist as part of the process by which we create guidance, not as guidance by themselves”, and “that ICO staff should have a safe space to provide colleagues with advice for them to respond to challenges posed to us in a changing data protection landscape”, and – most bizarre of all – “following a disclosure of such notes in the past, attempts have been made to utilise similar documents to undermine our regulatory procedures” (heaven forfend someone might cite a regulator’s own documents to advance their case).

There has been such an enormous amount of nonsense spoken about the new data protection regime, and I have praised ICO for confronting some of the myths which have been propagated by the ignorant or the venal. There continues to be great uncertainty and ignorance, and disclosing these LTTs could go a long way towards combatting these. In ICO’s defence, it does identify this as a public interest factor militating in favour of disclosure:

disclosure may help improve knowledge regarding the EIR, FOIA or the new data protection legislation on which the public desire information as evidenced by our increase in calls and enquiry handling

And as far as I’m concerned, that should be the end of the matter. Whether the requester (a certain “Alan Shearer”) chooses to challenge the refusal is another question.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


ICO – “we’re very sorry we fined you”

***Update, 3 September. ICO have now published their apology – although scant on details it does state that “there were significantly fewer complaints than previously evidenced” and that this information led to the withdrawal of the MPN.***

It’s not unusual for the recipient of a monetary penalty notice (MPN) to appeal to the Information Tribunal. It’s not entirely unusual for such appeals to be settled by consent of the parties (normally when one of them concedes that its case is not tenable).

It’s much rarer, however, for a consent order to have attached to it a requirement that the Information Commissioner’s Office should apologise for serving the MPN in the first place. But that’s exactly what has recently happened. A consent order dated 25 September 2018 states that, by consent, the appeal by STS Commercial Limited is allowed, and that

The Commissioner will publish [for four weeks] on the Information Commissioner’s Office website in the section “News, blogs and speeches”, the following statement:

On 6 July 2018 the ICO announced that the Information Commissioner had imposed a fine of £60,000 on STS Commercial Ltd for allowing its lines to be used to send spam texts. STS Commercial Ltd appealed that penalty and upon considering the grounds of appeal, the ICO accepts that the appeal should be allowed and no monetary penalty should be imposed. The ICO apologises to STS Commercial Ltd.

Already, most of the traces of the MPN have been removed from the ICO’s website (and Google returns broken links), although the apology itself does not appear to have yet been uploaded.

Section 55B(5) of the Data Protection Act 1998 provides for the right of appeal, in respect of MPNs served by the ICO under section 55A for contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003. And paragraph 37 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 provides that the Tribunal may

make a consent order disposing of the proceedings and making such other appropriate provision as the parties have agreed

One wonders what on earth occurred that has led not just to the appeal being disposed of, but such contrition from the ICO!


The wheels of the Ministry of Justice

do they turn so slowly that they’ll lead to the Lord Chancellor committing a criminal offence?

On 21 December last year, as we were all sweeping up the mince pie crumbs, removing our party hats and switching off the office lights for another year, the Information Commissioner’s Office (ICO) published, with no accompanying publicity whatsoever, an enforcement notice served on the Secretary of State for Justice. The notice drew attention to the fact that in July 2017 the Ministry of Justice (MoJ) had had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. And by November 2017 that had barely improved – to 793 cases dating back to 2014.

I intended to blog about this at the time, but it’s taken me around nine months to retrieve my chin from the floor, such was the force with which it dropped.

Because we should remember that the exercise of the right of subject access is a fundamental aspect of the fundamental right to protection of personal data. Requesting access to one’s data enables one to be aware of, and verify the lawfulness of, the processing. Don’t take my word for it – look at recital 41 of the-then applicable European data protection directive, and recital 63 of the now-applicable General Data Protection Regulation (GDPR).

And bear in mind that the nature of the MoJ’s work means it often receives subject access requests from prisoners, or others who are going through or have been through the criminal justice system. I imagine that a good many of these horrendously delayed requests were from people with a genuinely-held concern, or grievance, and not just from irritants like me who are interested in data controllers’ compliance.

The notice required MoJ to comply with all the outstanding requests by 31 October 2018. Now, you might raise an eyebrow at the fact that this gave the MoJ an extra eight months to respond to requests which were already incredibly late and which should have been responded to within forty days, but what’s an extra 284 days when things have slipped a little? (*Pseuds’ corner alert* It reminds me of Larkin’s line in The Whitsun Weddings about being so late that he feels: “all sense of being in a hurry gone”).

Maybe one reason the ICO gave MoJ so long to sort things out is that enforcement notices are serious things – a failure to comply is, after all, a criminal offence punishable on indictment by an unlimited fine. So one notes with interest a recent response to a freedom of information request for the regular updates which the notice also required MoJ to provide.

This reveals that by July this year MoJ had whittled down those 793 delayed cases to 285, with none dating back further than 2016. But I’m not going to start hanging out the bunting just yet, because a) more recent cases might well be more complex (the issues behind them are likely to be more current, and therefore potentially more complex), and b) they don’t flaming well deserve any bunting, because this was, and remains, one of the most egregious and serious compliance failures it’s been my displeasure to have seen.

And what if they don’t clear them all by 31 October? The notice gives no leeway, no get-out – if any of those requests extant at November last year remains unanswered by November this year, the Right Honourable David Gauke MP (the current incumbent of the position of Secretary of State for Justice) will, it appears, have committed a criminal offence.

Will he be prosecuted?


Rennard, the facts

Has the former LibDem Campaigns guru been engaging in unsolicited electronic marketing?

If I want to market my product or service to you as an individual, the general rule is that I cannot do so by email unless I have your prior consent informing me that you wish to receive it. This applies to me (if, say, I’m promoting this blog by email), it applies to any business, it applies to political parties, and it also applies to Baron Rennard of Wavertree, when he is promoting his new memoirs. However, a recent media story about the Lord Rennard’s promotional activities suggests he may not be aware of his legal obligations here, and for someone who has held senior roles within the Liberal Democrats, someone renowned as a “formidable and widely respected practitioner of political campaigning”, this is rather concerning.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing (the exception to the general rule is that email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient” and if it is explained to the recipient that they can opt out – this is often known as the “soft opt-in”).

Lord Rennard is reported as saying

I have emailed people from my address book, or using publicly available email addresses, about the publication of a volume of memoirs

But just because one already holds someone’s email address, or just because an email address is in the public domain, this does not justify or permit the sending of unsolicited marketing. The European Directive which the PEC Regulations implement makes clear that people have a right to respect for their correspondence within the context of electronic communications, and that this right is a part of the fundamental rights to respect for protection of personal data, and respect for a private and family life. It may be a lot to expect the average person sending an email promoting a book to know this, but when the sender is someone whose reputation is in part based on his skills as a political campaigner, we should surely expect better (I say “in part” because, of course, the Lord Rennard is known for other things as well).

At a time when the use of digital data for political campaigning purposes is under intense scrutiny, it will be interesting to see what the Information Commissioner (who is said to be investigating Rennard’s marketing exercise) says. It might not seem the most serious of issues, but it encapsulates a lot.


On the breach

Failure to notify the ICO in a timely manner of a personal data breach under PECR carries a £1000 fixed penalty notice – why not something similar under wider data protection law?

When the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were amended in 2011 to implement the Citizens’ Rights Directive, an obligation was placed upon providers of a public electronic communications service (“service providers”) to notify personal data breaches to the Information Commissioner’s Office (ICO) “without undue delay”, and in 2013 article 2(2) of European Commission Regulation 611/2013 provided, in terms, that “without undue delay” would mean “no later than 24 hours after the detection of the personal data breach, where feasible”. The 2011 amendment regulations also gave the ICO the power to serve a fixed penalty notice of £1000 on a service provider which failed to comply with notification obligations.

Thus it was that in 2016 both EE and Talk Talk were served with such penalties, with the latter subsequently unsuccessfully appealing to the Information Tribunal, and thus it was that, last week, SSE Energy Supply were served with one. The SSE notice is interesting reading – the personal data breach in question (defined in amended regulation 2 of PECR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”) consisted solely of the sending of one customer email (containing name and account number) to the wrong email address, and it appears that it was reported to the ICO two days after SSE realised (so, effectively, 24 hours too late). If this appears harsh, it is worth noting that the ICO has discretion over whether to impose the penalty or not, and, in determining that she should, the Commissioner took into account a pour encourager les autres argument that

the underlying objective in imposing a monetary penalty is to promote compliance with PECR. The requirement to notify…provides an important opportunity…to assess whether a service provider is complying with its obligations under PECR…A monetary penalty in this case would act as a general encouragement towards compliance…

As any fule kno, the looming General Data Protection Regulation (“GDPR”) expands to all data controllers this obligation to notify the ICO of qualifying personal data breaches. Under GDPR the definition is broadly similar to that in PECR (“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) and a breach qualifies for the notification requirements in all cases unless it is “unlikely to result in a risk to the rights and freedoms of natural persons”. Under GDPR, the window for notification is 72 hours.

But under GDPR, and under the Data Protection Bill currently in Parliament, there is no provision for similar fixed penalty notices for notification failures (although, of course, a failure to notify a breach could constitute a general infringement under article 83, attracting a theoretical non-fixed maximum fine of €10m or 2% of global annual turnover). Is Parliament missing a trick here? If the objective of the PECR fixed penalty notice is to promote compliance with PECR, then why not a similar fixed penalty notice to promote compliance with wider data protection legislation? In 2016/17 the ICO received 1005 notifications by service providers of PECR breaches (up 63% on the previous year) and analysing/investigating these will be no small task. The figure under GDPR will no doubt be much higher, but that is surely not a reason not to provide for a punitive fixed penalty scheme for those who fail to comply with the notification requirements (given what the underlying objective of notification is)?

I would be interested to know if anyone is aware of discussions on this, and whether, as it reaches the Commons, there is any prospect of the Data Protection Bill changing to incorporate fixed penalties for notification failures.


My small business advice…let’s be blunt.

In recent months I’ve seen plenty of articles and comments, on regular and social media, to the effect that either the government, or the Information Commissioner’s Office (ICO), or both, must do more to educate businesses about the General Data Protection Regulation (GDPR) and to help them comply with its requirements.

My response to this is blunt: when setting up and when running a business, it is for the owner/directors/board to exercise appropriate diligence to understand and comply with the laws relating to the business. Furthermore, the costs of this diligence and compliance have to be factored into any new or ongoing business plan. Even more bluntly – if you can’t afford to find out what the applicable law is, and you can’t afford to comply, then you haven’t got a viable business.

(Less bluntly, there is of course a wealth of information, mostly from the ICO, about what GDPR means and how to comply. Ultimately, however, data protection law is principles-based and risk-based and no one but those responsible for running it can reasonably say what compliance means in the context of that particular business).


This old world will never change

Complacency about data protection in the NHS won’t change unless ICO takes firm action

Back in September 2016 I spoke to Vice’s Motherboard, about reports that various NHS bodies were still running Windows XP, and I said

If hospitals are knowingly using insecure XP machines and devices to hold and otherwise process patient data they may well be in serious contravention of their [data protection] obligations

Subsequently, in May this year, the WannaCry ransomware attack showed that those bodies were indeed vulnerable, with multiple NHS Trusts and GP practices subject to ransomware demands and major system disruption.

That this had enormous impact on patients is evidenced by a new report on the incident from the National Audit Office (NAO), which shows that

6,912 appointments had been cancelled, and [it is] estimated [that] over 19,000 appointments would have been cancelled in total. Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients

The NAO investigation found that the Department of Health and the Cabinet Office had written to Trusts

saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015. [And in] March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry

Although the NAO report is critical of the government departments themselves for failure to do more, it does correctly note that individual healthcare organisations are themselves responsible for the protection of patient information. This is, of course, correct: under the Data Protection Act 1998 (DPA) each organisation is a data controller, and responsible, among other things, for ensuring that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data.

Yet, despite these failings, and despite the clear evidence of huge disruption for patients and the unavoidable implication that delays in treatment across all NHS services occurred, the report was greeted by the following statement by Keith McNeil, Chief Clinical Information Officer for NHS England

As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen

In fairness to McNeil, he is citing the report itself, which says that “NHS organisations did not report any cases of harm to patients or of data being compromised or stolen” (although that is not quite the same thing). But the report continues

If the WannaCry ransomware attack had led to any patient harm or loss of data then NHS England told us that it would expect trusts to report cases through existing reporting channels, such as reporting data loss direct to the Information Commissioner’s Office (ICO) in line with existing policy and guidance on information governance

So it appears that the evidence for no harm arising is because there were no reports of “data loss” to the ICO. This emphasis on “data loss” is frustrating, firstly because personal data does not have to be lost for harm to arise, and it is difficult to understand how delays and emergency diversions would not have led to some harm, but secondly because it is legally mistaken: the DPA makes clear that data security should prevent all sorts of unauthorised processing, and removal/restriction of access is clearly covered by the definition of “processing”.

It is also illustrative of a level of complacency which is deleterious to patient health and safety, and a possible indicator of how the WannaCry incidents happened in the first place. Just because data could not be accessed as a result of the malware does not mean that this was not a very serious situation.

It’s not clear whether the ICO will be investigating further, or taking action as a result of the NAO report (their response to my tweeted question – “We will be considering the contents of the report in more detail. We continue to liaise with the health sector on this issue” – was particularly unenlightening). I know countless dedicated, highly skilled professionals working in the fields of data protection and information governance in the NHS, and they’ve often told me their frustrations with senior staff complacency. Unless the ICO does take action (and this doesn’t necessarily have to be by way of fines) these professionals, but also – more importantly – patients, will continue to be let down, and in the case of the latter, put at risk of harm.


DCMS Statement of Intent on the Data Protection Bill

Not so much a Statement of Intent, as a Statement of the Bleeding Obvious

The wait is not quite over. We don’t yet have a Data Protection Bill, but we do have a Statement of Intent from DCMS, explaining what the proposed legislation will contain. I thought it would be helpful to do a short briefing note based on my very quick assessment of the Statement. So here it is:

IT’S JUST AN ANNOUNCEMENT OF ALL THE THINGS THE UK WOULD HAVE TO IMPLEMENT ANYWAY UNDER EUROPEAN LAW

By which I mean, it proposes law changes which will be happening in May next year, when the General Data Protection Regulation becomes directly applicable, or changes made under our obligation to implement the Police and Crime Directive. In a little more detail, here are some things of passing interest, none of which is hugely unexpected.

As predicted by many, at page 8 it is announced that the UK will legislate to require parents to give consent to children’s access to information society services (i.e. online services) where the child is under 13 (rather than GDPR’s default 16). As the UK lobbied to give member states discretion on this, it is no surprise.

Exemptions from compliance with the majority of data protection law when the processing is for the purposes of journalism will remain (page 19). The Statement says that the government

believe the existing exemptions set out in section 32 strike the right balance between privacy and freedom of expression

But of potential note is the suggestion that

The main difference will be to amend provisions relating to the ICO’s enforcement powers to strengthen the ICO’s ability to enforce the re-enacted section 32 exemptions effectively

Without further details it is impossible to know what will be proposed here, but any changes to the existing regime which might have the effect of decreasing the size of the media’s huge carve-out will no doubt be vigorously lobbied against.

There is confirmation (at pp17 and 18) that third parties (i.e. not just criminal justice bodies) will be able to access criminal conviction information. Again, this is not unexpected – the regime for criminal records checks for employers etc was unlikely to be removed.

The Statement proposes a new criminal offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, something the Commons Science and Technology Committee has called for. Those who subsequently process such data will also be guilty of an offence. The details here will be interesting to see – as with most privacy-enhancing technology, for anonymisation to be robust it needs to be stress-tested, and such testing will not be effective if those undertaking it do so at risk of committing an offence, so presumably the forthcoming Bill will provide for this.

The Bill will also introduce an offence of altering records with intent to prevent disclosure following a subject access request. This will use the current mechanism at section 77 of the Freedom of Information Act 2000. Whether that section itself will be amended (time limits for prosecutions militate against its effectiveness) remains unknown.

I also note that the existing offence of unlawfully obtaining personal data will be widened to those who retain personal data against the wishes of the data controller, even where it was initially obtained lawfully. This will probably cover those situations where people gather or are sent personal data in error, and then refuse to return it.

There is one particular howler at page 21, which suggests the government doesn’t understand what privacy by design and privacy by default mean:

The Bill will also set out to reassure citizens by promoting the concept of “privacy by default and design”. This is achieved by giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and also by offering them a clearer right of redress

Privacy by design/default is about embedding privacy protection throughout the lifecycle of a project or process, and has nothing at all to do with notifying data subjects of breaches. Whether this is a drafting error in the Statement, or a fundamental misunderstanding, it is rather concerning that the government, which makes much of “innovation” (around which privacy by design should be emphasised), fails to get this right.

So that’s a whistle stop tour of the Statement, ignoring all the fluff about implementing things which are required under GDPR and the Directive. I’ll update this piece in due course, if anything else emerges from a closer reading.


On some sandy beach

[EDITED 25.07.17 to include references to “sandpits” in the report of the Deepmind Health Independent Review Panel]

What lies behind the Information Commissioner’s recent reference to “sandbox regulation”?

The government minister with responsibility for data protection, Matt Hancock, recently spoke to the Leverhulme Centre. He touched on data protection:

a new Data Protection Bill in this Parliamentary Session…will bring the laws up to date for the modern age, introduce new safeguards for citizens, stronger penalties for infringement, and important new features like the right to be forgotten. It will bring the EU’s GDPR and Law Enforcement Directive into UK law, ensuring we are prepared for Brexit.

All pretty standard stuff (let’s ignore the point that the “right to be forgotten” such as it is, exists under existing law – a big clue to this being that the landmark case was heard by the CJEU in 2014). But Hancock went on to cite with approval some recent words of the Information Commissioner, Elizabeth Denham:

I think the ICO’s proposal of a data regulatory “sandbox” approach is very impressive and forward looking. It works in financial regulation and I look forward to seeing it in action here.

This refers to Denham’s recent speech on “Promoting privacy with innovation within the law”, in which she said

We are…looking at how we might be able to engage more deeply with companies as they seek to implement privacy by design…How we can contribute to a “safe space” by building a sandbox where companies can test their ideas, services and business models. How we can better recognise the circular rather than linear nature of the design process.

I thought this was interesting – “sandbox regulation” in the financial services sector involves an application to the Financial Conduct Authority (FCA), for the testing of “innovative” products that don’t necessarily fit into existing regulatory frameworks – the FCA will even where necessary waive rules, and undertake not to take enforcement action.

That this model works for financial services does not, though, necessarily mean it would work when it comes to regulation of laws, such as data protection laws, which give effect to fundamental rights. When I made enquiries to the Information Commissioner’s Office (ICO) for further guidance on what Denham intends, I was told that they “don’t have anything to add to what [she’s] already said about engaging with companies to help implement privacy by design”.

The recent lack of enforcement action by the ICO against the Royal Free NHS Trust regarding its deal with Google Deepmind raised eyebrows in some circles: if the unlawful processing of 1.6 million health records (by their nature sensitive personal data) doesn’t merit formal enforcement, then does anything?

Was that a form of “sandbox regulation”? Presumably not, as it doesn’t appear that the ICO was aware of the arrangement prior to it taking place, but if, as it seems to me, such regulation may involve a light-touch approach where innovation is involved, I really hope that the views and wishes of data subjects are not ignored. If organisations are going to play in the sand with our personal data, we should at the very least know about it.

**EDIT: I have had my attention drawn to references to “sandpits” in the Annual Report of the Deepmind Health Independent Review Panel:

We think it would be helpful if there was a space, similar to the ‘sandpits’ established by the Research Councils, which would allow regulators, the Department of Health and tech providers to discuss these issues at an early stage of product development. The protection of data during testing is an issue that should be discussed in a similar collaborative forum. We believe that there must be a mechanism that allows effective testing without compromising confidential patient information.

It would seem a bit of a coincidence that this report should be published around the same time Denham and Hancock were making their speeches – and I would argue that this only bolsters the case for more transparency from the ICO about how this type of collaborative regulation will take place.

And I notice that the Review Panel say nothing about involving data subjects in “product development”. Until “innovators” understand that data subjects are the key stakeholder in this, I don’t hold out much hope for the proper protection of rights.**

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


FOI enforcement – if not now, when?

Recent ICO decision notices show the Home Office and MoJ repeatedly simply failing to respond to FOI requests. Surely the time has come for ICO action?

The Information Commissioner’s Office (ICO) recently stated to me that they were not monitoring the Home Office’s and Ministry of Justice’s (MoJ) compliance with the statutory timescales required by section 10 of the Freedom of Information Act 2000 (FOIA).

This was despite the fact that they’d published decision notices about delays by those two government bodies which reported that “The delay in responding to this request will be logged as part of ongoing monitoring of the MoJ’s compliance with the FOIA”. This was not formal monitoring, I was told; rather, it was informal monitoring. Ah. Gotcha.

So what does trigger formal monitoring? Interestingly, the ICO’s own position on this has recently changed, and got a bit stricter. It’s generally meant to be initiated in the following circumstances:

our analysis of complaints received by the ICO suggests that we have received in the region of 4 to 8 or more complaints citing delays within a specific authority within a six month period

(for those authorities which publish data on timeliness) – it appears that less than 90% of requests are receiving a response within the appropriate timescales. [this used to be 85%]

Evidence of a possible problem in the media, other external sources or internal business intelligence.

Despite the apparent increase in robustness of approach, the ICO do not appear to be monitoring any public authorities at the moment. The last monitoring took place between May and July 2016 when Trafford Council were in their sights. Although they are not mentioned in the relevant report, an ICO news item from July last year says that the Metropolitan Police, who have been monitored off and on for a period of years without any real outward signs of improvement, were also still being monitored.

But if they aren’t monitoring the compliance of any authorities at the moment, and in particular not the Home Office and the MoJ, one is led to wonder why, given the pattern in recent ICO decision notices involving those two authorities. In 16 out of the last 25 decision notices involving the Home Office, and 6 out of the last 25 involving the MoJ, the ICO has formally found that the authority had still not responded to the FOI request in question by the time the decision notice was issued.

At this point, it might be helpful to explain the kind of chronology and process that would lead up to the issuing of such decision notices. First, a request must be made, and there will have been a failure by the authority to reply within twenty working days. Then, the requester will normally (before the ICO will consider the case) have had to ask for an internal review by the authority of its handling of the request. Then, the requester will have complained to the ICO. Then, the ICO will have normally made informal enquiries of the authority, effectively “geeing” them up to provide a response. Then, as still no response will have been sent, the ICO will have moved to issuing a formal decision notice. At any point in this process the authority could (and should) still respond to the original request, but no – in all of these cases (again – 16 of the last 25 Home Office decisions, 6 of the last 25 MoJ ones) the authorities have still not responded many months after the original request. Not only does this show apparent contempt for the law, but also for the regulator.

So why does the ICO not do more? I know many FOI officers (and their public authority employers) who work their socks off to make sure they respond to requests in a timely manner. In the absence of formal monitoring of (let alone enforcement action against) those authorities who seem to ignore their legal duties much of the time, those FOI officers would be forgiven for asking why they bother: it is to their credit that bother they still do.

Elizabeth Denham became Information Commissioner in July last year, bringing with her an impressive track record and making strong statements about enforcing better FOI compliance. Her first few months, with GDPR and Brexit to deal with, will not have been easy, and she could be forgiven for not having had the time to focus on FOI, but the pressing question now surely is “if not now, when?”
