Tag Archives: ICO

If at first you don’t succeed…

The Information Commissioner’s Office (ICO) has uploaded to its website (24 October) two undertakings for breaches of data controllers’ obligations under the Data Protection Act 1998 (DPA). Undertakings are part of the ICO’s suite of possible enforcement actions against controllers.

One undertaking was signed by Gwynedd Council, after incidents in which social care information was posted to the wrong address, and a social care file went missing in transit between two sites. The other, more notably, was signed by the Disclosure and Barring Service (DBS), who signed a previous undertaking in March this year, after failing to amend a question (“e55”) on its application form which had been rendered obsolete by legislative changes. The March undertaking noted that

Question e55 of the application form asked the individuals ‘Have you ever been convicted of a criminal offence or received a caution, reprimand or warning?’ [Some applicants] responded positively to this question even though it was old and minor caution/conviction information that would have been filtered under the legislation. The individual’s positive response to question e55 was then seen by prospective employers who withdrew their job offers

This unnecessary disclosure was, said the ICO, unfair processing of sensitive personal data, and the undertaking committed DBS to amend the question on the form by the end of March.

However, the latest undertaking reveals that

application forms which do not contain the necessary amendments remain in circulation. This is because a large number of third party organisations are continuing to rely on legacy forms issued prior to the amendment of question e55. In the Commissioner’s view, the failure to address these legacy forms could be considered to create circumstances under which the unfair processing of personal data arises

The March undertaking had also committed DBS to ensure that supporting information provided to those bodies with access to the form be

kept under review to ensure that they continue to receive up to date, accurate and relevant guidance in relation to filtered matters

One might cogently argue that part of that provision of up-to-date guidance should have involved ensuring that those bodies destroyed old, unamended forms. And if one did argue that successfully, one would arrive at the conclusion that DBS could be in breach of the March undertaking for failing to do so. Breach of an undertaking does not automatically result in more serious sanctions, but they are available to the ICO, in the form of monetary penalties and enforcement notices. DBS might consider themselves lucky to have been given a second (or third?) chance, under which they must, by the end of the year at the latest, ensure that unamended legacy application forms containing are either rejected or removed from circulation.

One final point I would make is that no press release appears to have been put out about yesterday’s undertakings, nothing is on the ICO’s home page, and there wasn’t even a tweet from their Twitter account. A large part of a successful enforcement regime is publicising when action has been taken. The ICO’s own policy on this says

Publicising our enforcement and regulatory activities is an important part of our role as strategic regulator, and a deterrent for potential offenders

Letting “offenders” off the publicising hook runs the risk of diminishing that deterrent effect.


The Crown Estate and behavioural advertising

A new app for Regent Street shoppers will deliver targeted behavioural advertising – is it processing personal data?

My interest was piqued by a story in the Telegraph that

Regent Street is set to become the first shopping street in Europe to pioneer a mobile phone app which delivers personalised content to shoppers during their visit

Although this sounds like my idea of hell, it will no doubt appeal to some people. It appears that a series of Bluetooth beacons will deliver mobile content (for which, read “targeted behavioural advertising”) to the devices of users who have installed the Regent Street app. Users will indicate their shopping preferences, and a profile of them will be built by the app.

Electronic direct marketing in the UK is ordinarily subject to compliance with The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). However, the definition of “electronic mail” in PECR is “any text, voice, sound or image message sent over a public electronic communications network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. In 2007 the Information Commissioner, upon receipt of advice, changed his previous stance that Bluetooth marketing would be caught by PECR, to one under which it would not be caught, because Bluetooth does not involve a “public electronic communications network”. Nonetheless, general data protection law relating to consent to direct marketing will still apply, and the Direct Marketing Association says

Although Bluetooth is not considered to fall within the definition of electronic mail under the current PECR, in practice you should consider it to fall within the definition and obtain positive consent before using it

This reference to “positive consent” reflects the definition in the Data Protection directive, which says that it is

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

And that word “informed” is where I start to have a possible problem with this app. Ever one for thoroughness, I decided to download it, to see what sort of privacy information it provided. There wasn’t much, but in the Terms and Conditions (which don’t appear to be viewable until you download the app) it did say

The App will create a profile for you, known as an autoGraph™, based on information provided by you using the App. You will not be asked for any personal information (such as an email address or phone number) and your profile will not be shared with third parties

autograph (don’t forget the™) is software which, in its words “lets people realise their interests, helping marketers drive response rates”, and it does so by profiling its users

In under one minute without knowing your name, email address or any personally identifiable information, autograph can figure out 5500 dimensions about you – age, income, likes and dislikes – at over 90% accuracy, allowing businesses to serve what matters to you – offers, programs, music… almost anything

Privacy types might notice the jarring words in that blurb. Apparently the software can quickly “figure out” thousands of potential identifiers about a user, without knowing “any personally identifiable information”. To me, that’s effectively saying “we will create a personally identifiable profile of you, without using any personally identifiable information”. The fact of the matter is that people’s likes, dislikes, preferences, choices etc (and does this app capture device information, such as IMEI?) can all be used to build up a picture which renders them identifiable. It is trite law that “personal data” is data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The Article 29 Working Party (made up of representatives from the data protection authorities of each EU member state) delivered an Opinion in 2010 on online behavioural advertising which stated that

behavioural advertising is based on the use of identifiers that enable the creation of very detailed user profiles which, in most cases, will be deemed personal data

If this app is, indeed, processing personal data, then I would suggest that the limited Terms and Conditions (which users are not even pointed to when they download the app, let alone invited to agree to) are inadequate to mean that a user is freely giving specific and informed consent to the processing. And if the app is processing personal data to deliver electronic marketing, failure to comply with PECR might not matter, but failure to comply with the Data Protection Act 1998 brings potential liability to legal claims and enforcement action.

The Information Commissioner last year produced good guidance on Privacy in Mobile Apps which states that

Users of your app must be properly informed about what will happen to their personal data if they install and use the app. This is part of Principle 1 in the DPA which states that “Personal data shall be processed fairly and lawfully”. For processing to be fair, the user must have suitable information about the processing and they must be told about the purposes

The relevant data controller for Regent Street Online happens to be The Crown Estate. On the day that the Queen sent her first tweet, it is interesting to consider the extent to which her own property company are in compliance with their obligations under privacy laws.

This post has been edited as a result of comments on the original, which highlighted that PECR does not, in strict terms, apply to Bluetooth marketing


Upper Tribunal rules on complying “promptly” with an FOI request

The Upper Tribunal has ruled on what “promptly” means in the FOI Act. The answer’s no surprise, but it’s helpful to have binding authority

The Freedom of Information Act 2000 (FOIA) demands that a public authority must (subject to the application of exemptions) provide information to someone who requests it within twenty working days. But it goes a bit further than that: it says (at section 10(1))

a public authority must comply…promptly and in any event not later than the twentieth working day following the date of receipt

But what does “promptly” mean in this context? This issue has recently been considered by the Upper Tribunal, in John v ICO & Ofsted 2014 UKUT 444 AAC. Matters before the Information Commissioner (IC) and the First-tier Tribunal (FTT) had turned on when the initial request for information had been made and responded to. The IC held that Ofsted had failed to respond within twenty working days, and Ofsted appealed this. Mr John argued before the FTT that although the IC had found in his favour to the extent that it held that Ofsted had failed to respond within twenty working days, it had failed to deal with the issue of whether Ofsted had responded promptly. The FTT found in Ofsted’s favour, but did not, Upper Tribunal Judge Jacobs observed, deal with Mr John’s argument on promptness. That was an error of law, which Judge Jacobs was able to remedy by considering the issue himself.

“Promptly” he observed, has a range of dictionary meanings, some of which relate more to attitude (“willingly”, or “unhesitatingly”) and others more to time (“immediate”, or “without delay”). The context of section 10(1) of FOIA “is concerned with time rather than attitude, although the latter can have an impact on the former”. It is clear though that “promptly” does not mean, in the FOIA context, “immediately” (that, said Judge Jacobs, would be “unattainable”) but is more akin to “without delay”:

There are three factors that control the time that a public authority needs to respond. First, there are the resources available to deal with requests. This requires a balance between FOIA applications and the core business of the authority. Second, it may take time to discover whether the authority holds the information requested and, if it does, to extract it and present it in the appropriate form. Third, it may take time to be sure that the information gathered is complete. Time spent doing so, is not time wasted.

What is particularly interesting is that Judge Jacobs shows a good understanding of what the process for dealing with FOIA requests might be within Ofsted, and, by extension, other public authorities:

A FOIA request would have to be registered and passed to the appropriate team. That team would then have to undertake the necessary research to discover whether Ofsted held the information requested or was able to extract it from information held. The answer then had to be composed and approved before it was issued.

In the instant case all this had been done within twenty working days:

I regard that as prompt within the meaning and intendment of the legislation. Mr John has used too demanding a definition of prompt and holds an unrealistic expectation of what a public authority can achieve and is required to achieve in order to comply with section 10(1).

This does not mean, however, that it might not be appropriate in some cases to enquire into how long an authority took to comply.

The Upper Tribunal’s opinion accords with the approach taken in 2009 by the FTT, when it held that

The plain meaning of the language of the statute is that requests should be responded to sooner than the 20 working days deadline, if it is reasonably practicable to do so. (Gradwick v IC & Cabinet Office EA/2010/0030)

It also accords with the IC’s approach in guidance and decision notices under FOIA, and its approach under the Environmental Information Regulations 2004 (where the requirement is that “information shall be made available…as soon as possible and no later than 20 working days”).

Most FOI officers will greet this judgment as a sensible and not unexpected one, which acknowledges the administrative procedures that are involved in dealing with FOIA requests. Nonetheless, as a binding judgment of an appellate court, it will be helpful for them to refer to it when faced with a requester demanding a response quicker than is practicable.

Appeals and Cross Appeals

A further issue determined by the Upper Tribunal concerned what should happen if both parties to a decision notice disagree with some or all of its findings and want to appeal, or at least raise grounds of appeal: must there be an appeal and cross-appeal, or can the respondent party raise issues in an appeal by the other party? Judge Jacobs ruled, in a comprehensive and complex analysis that merits a separate blog post (maybe on Panopticon?), that “although cross-appeals are permissible, they are not necessary”.

 

 


Brooks Newmark, the press, and “the other woman”

UPDATE: 30.09.14 Sunday Mirror editor Lloyd Embley is reported by the BBC and other media outlets to have apologised for the use of women’s photos (it transpires that two women’s images were appropriated), saying

We thought that pictures used by the investigation were posed by models, but we now know that some real pictures were used. At no point has the Sunday Mirror published any of these images, but we would like to apologise to the women involved for their use in the investigation

What I think is interesting here is the implicit admission that (consenting) models could have been used in the fake profiles. Does this mean therefore, the processing of the (non-consenting) women’s personal data was not done in the reasonable belief that it was in the public interest?

Finally, I think it’s pretty shoddy that former Culture Secretary Maria Miller resorts to victim-blaming, and missing the point, when she is reported to have said that the story “showed why people had to be very careful about the sorts of images they took of themselves and put on the internet”

END UPDATE.

With most sex scandals involving politicians, there is “the other person”. For every Profumo, a Keeler;  for every Mellor, a de Sancha; for every Clinton, a Lewinsky. More often than not the rights and dignity of these others are trampled in the rush to revel in outrage at the politicians’ behaviour. But in the latest, rather tedious, such scandal, the person whose rights have been trampled was not even “the other person”, because there was no other person. Rather, it was a Swedish woman* whose image was appropriated by a journalist without her permission or even her knowledge. This raises the question of whether such use, by the journalist, and the Sunday Mirror, which ran the exposé, was in accordance with their obligations under data protection and other privacy laws.

The story run by the Sunday Mirror told of how a freelance journalist set up a fake social media profile, purportedly of a young PR girl called Sophie with a rather implausible interest in middle-aged Tory MPs. He apparently managed to snare the Minister for Civil Society and married father of five, Brooks Newmark, and encourage him into sending explicit photographs of himself. The result was that the newspaper got a lurid scoop, and the Minister subsequently resigned. Questions are being asked about the ethics of the journalism involved, and there are suggestions that this could be the first difficult test for IPSO, the new Independent Press Standards Organisation.

But for me much the most unpleasant part of this unpleasant story was that the journalist appears to have decided to attach to the fake Twitter profile the image of a Swedish woman. It’s not clear where he got this from, but it is understood that the same image had apparently already appeared on several fake Facebook accounts (it is not suggested, I think, that the same journalist was responsible for those accounts). The woman is reported to be distressed at the appropriation:

It feels really unpleasant…I have received lot of emails, text messages and phone calls from various countries on this today. It feels unreal…I do not want to be exploited in this way and someone has used my image like this feels really awful, both for me and the others involved in this. [Google translation of original Swedish]

Under European and domestic law the image of an identifiable individual is their personal data. Anyone “processing” such data as a data controller (“the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”) has to do so in accordance with the law. Such processing as happened here, both by the freelance journalist, when setting up and operating the social media account(s), and by the Sunday Mirror, in publishing the story, is covered by the UK Data Protection Act 1998 (DPA). This will be the case even though the person whose image was appropriated is in Sweden. The DPA requires, among other things, that processing of personal data be “fair and lawful”. It affords aggrieved individuals the right to bring civil claims for compensation for damage and distress arising from contraventions of data controllers’ obligations under the DPA. It also affords them the right to ask the Information Commissioner’s Office (ICO) for an assessment of the likelihood (or not) that processing was in compliance with the DPA.

However, section 32 of the DPA also gives journalism a very broad exemption from almost all of the Act, if the processing is undertaken with a view to publication, and the data controller reasonably believes that publication would be in the public interest and that compliance with the DPA would be incompatible with the purposes of journalism. As the ICO says

The scope of the exemption is very broad. It can disapply almost all of the DPA’s provisions, and gives the media a significant leeway to decide for themselves what is in the public interest

The two data controllers here (the freelancer and the paper) would presumably have little problem satisfying a court, or the ICO, that when it came to processing of Brooks Newmark’s personal data, they acted in the reasonable belief that the public interest justified the processing. But one wonders to what extent they even considered the processing of (and associated intrusion into the private life of) the Swedish woman whose image was appropriated. Supposing they didn’t even consider this processing – could they reasonably say that they reasonably believed it to have been in the public interest?

These are complex questions, and the breadth and ambit of the section 32 exemption are likely to be tested in litigation between the mining and minerals company BSG and the campaigning group Global Witness (currently stalled/being considered at the ICO). But even if a claim or complaint under DPA would be a tricky one to make, there are other legal issues raised. Perhaps in part because of the breadth of the section 32 DPA exemption (and perhaps because of the low chance of significant damages under the DPA), claims of press intrusion into private lives are more commonly brought under the cause of action of “misuse of private information”, confirmed – it would seem – as a tort, in the ruling of Mr Justice Tugendhat in Vidal Hall and Ors v Google Inc [2014] EWHC 13 (QB), earlier this year. Damage awards for successful claims in misuse of private information have been known to be in the tens of thousands of pounds – most notably recently an award of £10,000 for Paul Weller’s children, after photographs taken covertly and without consent had been published in the Mail Online.

IPSO expects journalists to abide by the Editors’ Code, Clause 3 of which says

i) Everyone is entitled to respect for his or her private and family life, home, health and correspondence, including digital communications.

ii) Editors will be expected to justify intrusions into any individual’s private life without consent. Account will be taken of the complainant’s own public disclosures of information

and the ICO will take this Code into account when considering complaints about journalistic processing of personal data. One notes that “account will be taken of the complainant’s own public disclosures of information”, but one hopes that this would not be seen to justify the unfair and unethical appropriation of images found elsewhere on the internet.

*I’ve deliberately, although rather pointlessly – given their proliferation in other media – avoided naming the woman in question, or posting her photograph


Theft of police video interviews – a data protection issue for the CPS?

The theft of recordings of police interviews with victims of sexual abuse from a Manchester firm has potentially serious data protection implications for the CPS

UPDATE: 22 September – the Manchester Evening News reports that the burglary took place at a flat. No doubt the ICO, and the CPS will want to know whether the storage of hardware by the firm was appropriate to the sensitivity of the data held. END UPDATE

The 7th principle in Schedule One of the Data Protection Act 1998 requires a data controller to have appropriate technical and organisational measures in place to safeguard against loss etc. of personal data. Furthermore, if the data controller is appointing a contractor to process personal data, it should select that contractor on the basis that it has equivalent measures in place, ensure that the contractor only acts on instructions from the data controller and all of this should be evidenced in writing. Failure to comply with this 7th principle is a contravention of the data controller’s obligation under section 4(4), and serious contraventions, of a kind likely to cause substantial damage or substantial distress, can attract enforcement action from the Information Commissioner (ICO), including monetary penalty notices (MPNs), to a maximum of £500,000. Note the “likely” – a near miss, in data security terms, can still lead to an MPN. It is the failure to have appropriate measures in place (or a suitable contract) which is the contravention of the DPA – not the data security incident in itself.

With this in mind, the Crown Prosecution Service (CPS) must be considering its vulnerability to enforcement action by the ICO, following reports of thefts of highly sensitive recordings of video interviews with victims of alleged sexual abuse from a Manchester video editing firm contracted by the CPS. This may be the case even though the stolen material has apparently been recovered. The Mail reports that

The CPS said it was now demanding an ‘urgent explanation’ of the security arrangements that had been in place

but this in itself points towards a possible prior lack of suitable oversight of the contractual arrangements

Keith Vaz, Chair of the Commons Home Affairs Committee, has expressed surprise that a private firm was involved (which shows either a certain naivety, or disingenuity) but has also said that he will be challenging the Head of the CPS about the security breach when she appears before the committee next month. One suspects the ICO will also be challenging her to explain what arrangements were in place to ensure compliance with the DPA.


RIPA errors…but also serious data protection breaches?

A circular from the Interception of Communications Commissioner’s Office raises concerns about some public authorities’ data protection compliance

The benighted (although often misrepresented) Regulation of Investigatory Powers Act 2000 (RIPA) had at least the ostensible worthy aim of ensuring that, when public authorities conducted investigations which were intrusive on people’s private lives, those investigations took place in accordance with the law. Thus, under Chapter II of Part 1 of RIPA, authorisations may be granted within an organisation to acquire, or an application made to require a postal or telecommunications operator to disclose, communications data (“communications data”, in the words of the Statutory Code of Practice “embraces the ‘who’, ‘when’ and ‘where’ of a communication but not the content, not what was said or written”). If the acquisition is done in accordance with RIPA, and the Code of Practice, it will in general terms be done lawfully.

The acquisition and disclosure of communications data under RIPA is overseen by the Interception of Communications Commissioner who is appointed pursuant to section 57 RIPA. It is the Commissioner’s role to review the exercise and performance of relevant persons’ functions under the Act. From time to time his office (IOCCO) will also issue circulars, and one such landed on the desks of Senior Responsible Officers of relevant public authorities earlier this month. Laudably, IOCCO has also uploaded it to its website and its contents are worrying not just because they indicate errors in complying with RIPA authorisations and applications, but also with the data protection compliance of the authorities involved. The circular, from the Head of IOCCO, Jo Cavan, states that

in the first six month period of the reporting year (January to June 2014) there have been 195 applicant errors – of which 153 (78%) were, according to the reports submitted to IOCCO, caused by the applicant submitting the wrong communications address. [emphasis in original]

As I say, the provisions of RIPA at least implicitly acknowledge that acquisition and disclosure of communications data will be highly intrusive actions. But failure to ensure that the data acquired is accurate means that such intrusion has taken place into the private communications of people totally uninvolved in the investigations being undertaken, as the circular highlights

In all cases the applicant error led to communications data being acquired relating to members of the public who had no connection to the investigation or operation being undertaken

but most chillingly

one of these errors led to executive action being taken against a member of the public who had no connection to the investigation being undertaken

Although no indication is given of what the deceptively bland phrase “executive action” actually consisted of.

The fourth principle in Schedule One of the Data Protection Act 1998 (DPA) requires in terms that data controllers take reasonable steps to ensure the accuracy of personal data they process. Failure to comply with that obligation potentially gives rise to civil claims by data subjects, and, in qualifying serious cases, civil enforcement action by the Information Commissioner’s Office, which can serve monetary penalty notices to a maximum of £500,000. Moreover, the seventh principle in Schedule One of the DPA requires data controllers to take appropriate technical and organisational measures to safeguard against the unfair or unlawful processing of personal data. IOCCO’s Circular notes that

It is unsatisfactory to note that the telephone numbers / email addresses / Internet Protocol (IP) addresses were, in the vast majority of cases, derived from records available to the applicant in electronic form and as such could have been electronically copied into the application to ensure accuracy. SROs must develop, implement and robustly enforce measures to require applicants to electronically copy communications addresses into applications when the source is in electronic form (for example forensic reports relating to mobile phones, call data records etc). Communications addresses acquired from other sources must be properly checked to reduce the scope for error. It is not acceptable for public authorities to simply state that applicants have been reminded to double check communications addresses to prevent recurrence

This points to possible failure by the authorities in question to take appropriate DPA principle 7 measures.

IOCCO’s enforcement powers in this regard are limited, although the circular notes that the Commissioner shall, where appropriate, notify affected individuals of the existence and role of the Investigatory Powers Tribunal (IPT). However, complainants would not be restricted simply to complaining to the IPT – the Surveillance Roadmap (“a shared approach to the regulation of surveillance in the United Kingdom”) agreed between the UK’s surfeit of privacy commissioners, allows for the possibility of someone aggrieved by intrusive obtaining of communications data making a complaint to the Information Commissioner’s Office (ICO) as well as the IPT. It does state that “the ICO does not have the necessary [sic] powers to investigate breaches of RIPA and will only make a decision as to whether it is likely or unlikely that an organisation has complied with the DPA”, but it does strike me that a complaint to the ICO is a lot easier to make than an application to the IPT. Or, alternatively, a civil claim (under section 13 DPA) through the courts on the basis that the public authority in question had contravened its obligations opens up the possibility of a damages award. This might be a more attractive option for a complainant, because, although damages are a remedy available in the IPT (under s67(7) RIPA), it is notable that there is no right of appeal from an IPT decision (s67(8)).

One last point – the Surveillance Roadmap tries to draw lines separating the functions of the various commissioners. This is sensible, and aims to avoid overlap and duplication of functions, but one wonders if the ICO might be interested in looking at the DPA compliance of the authorities who erred so notably in the cases seen by IOCCO.

 

 

 

 


Dancing to the beat of the Google drum

With rather wearying predictability, certain parts of the media are in uproar about the removal by Google of search results linking to a positive article about a young artist. Roy Greenslade, in the Guardian, writes

The Worcester News has been the victim of one of the more bizarre examples of the European court’s so-called “right to be forgotten” ruling.

The paper was told by Google that it was removing from its search archive an article in praise of a young artist.

Yes, you read that correctly. A positive story published five years ago about Dan Roach, who was then on the verge of gaining a degree in fine art, had to be taken down.

Although no one knows who made the request to Google, it is presumed to be the artist himself, as he had previously asked the paper itself to remove the piece, on the basis that he felt it didn’t reflect the work he is producing now. But there is a bigger story here, and in my opinion it’s one of Google selling itself as an unwilling censor, and of media uncritically buying it.

Firstly, Google had no obligation to remove the results. The judgment of the Court of Justice of the European Union (CJEU) in the Google Spain case was controversial, and problematic, but its effect was certainly not to oblige a search engine to respond to a takedown request without considering whether it has a legal obligation to do so. What it did say was that, although as a rule data subjects’ rights to removal override the interest of the general public having access to the information delivered by a search query, there may be particular reasons why the balance might go the other way.

Furthermore, even if the artist here had a legitimate complaint that the results constituted his personal data, and that the continued processing by Google was inadequate, inaccurate, excessive or continuing for longer than was necessary (none of which, I would submit, would actually be likely to apply in this case), Google could simply refuse to comply with the takedown request. At that point, the requester would be left with two options: sue, or complain to the Information Commissioner’s Office (ICO). The former option is an interesting one (and I wonder if any such small claims cases will be brought in the County Court) but I think in the majority of cases people will be likely to take the latter. However, if the ICO receives a complaint, it appears that the first thing it is likely to do is refer the person to the publisher of the information in question. In a blog post in August the Deputy Commissioner David Smith said

We’re about to update our website* with advice on when an individual should complain to us, what they need to tell us and how, in some cases, they might be better off pursuing their complaint with the original publisher and not just the search engine [emphasis added]

This is in line with their new approach to handling complaints by data subjects – which is effectively telling them to go off and resolve it with the data controller in the first place.

Even if the complaint does make its way to an ICO case officer, what that officer will be doing is assessing – pursuant to section 42 of the Data Protection Act 1998 (DPA) – “whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of [the DPA]”. What the ICO is not doing is determining an appeal. An assessment of “compliance not likely” is no more than that – it does not oblige the data controller to take action (although it may be accompanied by recommendations). An assessment of “compliance likely”, moreover, leaves an aggrieved data subject with no other option but to attempt to sue the data controller. Contrary to what Information Commissioner Christopher Graham said at the recent Rewriting History debate, there is no right of appeal to the Information Tribunal in these circumstances.

Of course the ICO could, in addition to making a “compliance not likely” assessment, serve Google with an enforcement notice under section 42 DPA requiring them to remove the results. An enforcement notice does have proper legal force, and it is a criminal offence not to comply with one. But they are rare creatures. If the ICO does ever serve one on Google things will get interesting, but let’s not hold our breath.

So, simply refusing to take down the results would, certainly in the short term, cause Google no trouble, nor attract any sanction.

Secondly (sorry, that was a long “firstly”) Google appear to have notified the paper of the takedown, in the same way they notified various journalists of takedowns of their pieces back in June this year (with, again, the predictable result that the journalists were outraged, and republicised the apparently taken down information). The ICO has identified that this practice by Google may in itself constitute unfair and unlawful processing: David Smith says

We can certainly see an argument for informing publishers that a link to their content has been taken down. However, in some cases, informing the publisher has led to the complained about information being republished, while in other cases results that are taken down will link to content that is far from legitimate – for example to hate sites of various sorts. In cases like that we can see why informing the content publisher could exacerbate an already difficult situation and could in itself have a very detrimental effect on the complainant’s privacy

Google is a huge and hugely rich organisation. It appears to be trying to chip away at the CJEU judgment by making it look ridiculous. And in doing so it is cleverly using the media to help portray it as a passive actor – victim, along with the media, of censorship. As I’ve written previously, Google is anything but passive – it has algorithms which prioritise certain results above others, for commercial reasons, and it will readily remove search results upon receipt of claims that the links are to copyright material. Those elements of the media who are expressing outrage at the spurious removal of links might take a moment to reflect whether Google is really as interested in freedom of expression as they are, and, if not, why it is acting as it is.

 

 
*At the time of writing this advice does not appear to have been made available on the ICO website.


Filed under Data Protection, Directive 95/46/EC, enforcement, Information Commissioner, Privacy

You can’t take it with you

A paralegal has been convicted for taking client data with him when he left his role. Douglas Carswell MP denies taking Tory Party data, but what of his civil obligations with the data he has retained?

I blogged recently about the data protection implications of the news that Douglas Carswell MP was resigning his seat and seeking re-election as a UKIP MP. I mused on the fact that UKIP were reported to be “purring” over the data he was bringing with him, and I questioned whether, if this was personal data of constituents, his processing was compliant with his obligations under the Data Protection Act 1998. Paul Bernal blogged as well, and Paul was quoted in a subsequent article in The Times (which now seems to have been moved, or removed), in which Carswell defended himself against allegations of illegality

“Any data that the Conservative Party gathered while I was a member of the Conservative party is, was and must remain the property of the Conservative party.” He said that the suggestion that he had taken such information was “desperate briefing from within the Tory machine” and was extremely regrettable. The former MP did say, however, that he planned to use his own private data gathered during nine years as a Conservative MP. He insisted that he would not be sharing this with UKIP

With respect to Mr Carswell, this still doesn’t convince me that no data protection concerns exist. If by his “own private data”, he means information about constituents which is their personal data, then I would still argue that such use could potentially be in contravention of his civil obligations under the first and second principles in Schedule One to the Data Protection Act 1998. As I said previously

If constituents have given Carswell their details on the basis that it would be processed as part of his constituency work as a Conservative MP they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate

Even if he didn’t share such data with UKIP, data protection obligations would clearly be engaged.

It seems to me that his quote to The Times was perhaps to refute any possible allegations that his use of data was criminal. A recent prosecution by the Information Commissioner’s Office (ICO) illustrates how taking personal data from one job, or one role, to another, without the consent of the data controller, can be a criminal offence. The offender was a paralegal at a Yorkshire solicitor’s practice who, before he left the firm, emailed himself (presumably to a private address) information, in the form of workload lists, file notes and template documents. However, the information also contained the personal data of over 100 clients of the firm. Accordingly, he was convicted of the offence at section 55 of the DPA, of (in terms) unlawfully obtaining personal data without the consent of the data controller. The fine was, as they tend to be for section 55 offences, small – £300, plus a £30 victim surcharge and £438.63 prosecution costs – but the offender’s future job prospects in the legal sector might be adversely affected.

The ICO’s Head of Enforcement Steve Eckersley is quoted, and though he talks in terms of “employees”, his words might well be equally applicable to people leaving elected posts

Employees may think work related documents that they have produced or worked on belong to them and so they are entitled to take them when they leave. But if they include people’s details, then taking them without permission is breaking the law

Mr Carswell was wise not to retain data for which the Conservative Party was data controller. But I’m still not sure about the (non-criminal) implications of his use of data for which he is data controller.


Filed under crime, Data Protection, Information Commissioner

Helping the ICO (but will ICO accept the help?)

I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.

My attention was recently drawn to the existence of sensitive personal data being made available online. Google’s bots are brute things, and will effectively cache anything they can, such as data exposed by an unsecured ftp server, and that is what appears to have happened in this case. I looked at the names of the files and folders exposed, and I felt very uncomfortable. I don’t want to see this information, and the people involved certainly wouldn’t want me to. Furthermore, neither would the data controller – a voluntary service organisation. And section 55 of the Data Protection Act 1998 (DPA) creates, in terms, an offence of obtaining personal data knowingly, without the consent of the data controller. Admittedly, if one does so and it is justified as in the public interest, then the elements of the offence are not made out, but my feeling was very much that, having seen very briefly the extent of the inadvertent exposure, I should go so far, and no further.

But what to do then? The short answer is to alert the data controller and refer the matter to the Information Commissioner’s Office (ICO). The ICO’s duties are to regulate and enforce the DPA, and promote the following of good practice by data controllers. Although their website is predicated on the basis that a person reporting a concern will have a direct interest in the situation, it is still possible to report a third party concern. However, when I recently reported the fact that a local authority was exposing huge amounts of personal data as open data, firstly, the case officer could not understand why the data in question allowed individuals to be identified, and secondly, asked me to explain why, by providing screenshots. (I should add that I never received a reply from the local authority.) And I know of two other people who have been asked by the ICO to provide specific and detailed examples, such as screenshots, of exposed personal data. The problem with this is that it is dragging concerned third parties directly into potential illegality: taking and emailing screenshots of personal data is processing, without the consent of the data controller, and will (or should) involve encryption (although the ICO doesn’t appear to offer this to third parties) and issues about retention. I’m not suggesting that people will be prosecuted for doing a beneficial civic act, but it is far from ideal.

As always, I understand and accept that the ICO is woefully underfunded. They can only afford to pay new case officers about £4.5k above the annual minimum wage, but I do think they should have a system in place for people to report serious exposures of personal data, and for these reports to be treated and investigated with some urgency. In my recent “open data” case, I didn’t receive any acknowledgment of receipt of my concerns (other than an automated one indicating my email had been received) and the case officer, when I did get a reply, rather impatiently explained that their service standards mean “that if you have reported a concern to us you can expect to receive a response within 30 days”. But I noted that the MS Word doc. that was sent to me was called “ICO to DS raising concerns”. I presume “DS” means “data subject”, but, of course, that is not what I was in this case. A data subject raising concerns is, in the vast majority of cases, not going to be reporting the public exposure of large amounts of sensitive personal data (most often they will be complaining about a discrete incident involving their own data).

I have spoken to people who have reported what were quite clearly horrendous exposures of personal data, but by the time the ICO looked at the case the problem had either been rectified by the data controller, or, for instance, the Google cache links had expired. Of course, that is good on one view, but when it comes to the ICO’s regulatory role, it effectively means that delays in considering these reports allow evidence of serious contraventions by data controllers to be erased.

Almost a year ago I was alerted to a horrendous exposure of highly sensitive personal data (I understand that, again, an unsecured ftp server was to blame). And I remember the frustration and consternation that I and others felt at the apparent delay by Newcastle Citizens Advice Bureau in getting the data removed from the web. I’m rather amazed we never heard anything from the ICO about that incident – did they complete their investigation? Did they take action? If not, how on earth did the CAB manage to persuade them there wasn’t a serious DPA contravention warranting enforcement action? And, as far as I know, the CAB branch never acknowledged what had happened, nor apologised for it, nor thanked those who had alerted them to the situation.

There are many expert and well-informed people who are prepared to alert data controllers and the ICO to potentially harmful exposures of personal data. Could there not be some sort of priority alert system? (If necessary, it could be through some sort of “trusted third-party” list.) If data controllers, but particularly if the ICO, are not willing to embrace the sort of public-spiritedness which identifies and alerts them to exposures of personal data, then it’s a poor lookout for data subjects.


Filed under Breach Notification, Data Protection, Information Commissioner

Blackpool Displeasure Breach

I like watching football, but any real interest I had in following a club waned around the time David Hirst stopped scoring for fun for Sheffield Wednesday. I also came to be disillusioned by the advent of big money, with clubs run more and more as business concerns aimed at boosting the investments of shareholders.

So I hadn’t appreciated that convicted rapist Owen Oyston was still listed as Director of Blackpool F.C. Nor that his son Karl Oyston is Chairman. Nor that Karl’s son Sam runs the club’s hotel. It appears that at least some fans are highly critical of the Oyston dynasty, and this manifested itself in a rather puerile twitter exchange which was drawn to my attention this morning

[Image: screenshot of the Twitter exchange]

To explain what’s going on here, a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn.

This is all very unsavoury, but it also raises concerns about the club’s handling of its fans’ personal data. The publishing of the seat number is not particularly worrying in itself: it refers to the fan’s physical place in a very public arena, and I doubt he would be bothered about it being publicised (he might even be proud, as it implies he is a dedicated fan). However, one must ask how, and why, the manager of a hotel run by the club has such ready access to customer details.

The first data protection principle of the Data Protection Act 1998 (DPA) requires that personal data be processed fairly (and lawfully) and the second principle requires that personal data “shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. If fans’ details are being accessed by the club’s hotel manager, in order to implicitly threaten them with removal of their right to attend matches, it would be difficult to see how this would be compatible with purposes for which they were obtained by the club, as data controller. I suppose it is just possible that the terms of the tickets explain that, say, abusive behaviour could lead to cancellation, but even so, it would be unlikely that this would cover what happened in the twitter exchange. One might also question whether, if someone apparently unconnected with the running of the club membership can access ticket data, the club has – in accordance with the seventh data protection principle – appropriate organisational measures in place to safeguard against unauthorised processing of personal data.

A data controller has a statutory obligation to comply with the data protection principles – a failure to do so opens it up to the possibility of civil claims being made against it, and civil enforcement action being taken by the Information Commissioner’s Office.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, Information Commissioner, social media