Tag Archives: ICO

Lay, Laddie, Lay

In which I suggest the Information Commissioner could lay a report at Westminster drawing attention to compliance with time limits under the Freedom of Information Act

The Scottish Information Commissioner (SIC), Rosemary Agnew, this week used the powers available to her under section 46(3) of the Freedom of Information (Scotland) Act 2002 (FOISA) to lay a report before the Holyrood Parliament. The report draws MSPs’ (and others’) attention to

the issue of failure [by Scottish public authorities] to respond to information requests, and to stimulate debate about what we can collectively do to address it

The background is that approximately 25% of complaints to Agnew’s office in 2013/14 were about failures to respond to requests for information. Section 46(3) of FOISA permits the laying of reports “from time to time” by the SIC with respect to her functions. It thus confers a broad discretion on the SIC to draw attention to matters of concern to her. The report says

– Many public authorities have shown that it is possible to respond on time to large volumes of requests, but too many authorities are still not doing so. Delays and obfuscation are not only damaging to authorities’ relationships with individual requesters but also Scotland’s reputation for openness and transparency.
– The FOI experience is not consistent for all requesters or types of requesters
– Failure to respond is an issue, but it is not uniform across all Scottish public authorities.  Issues are more acute in some authorities than others

Requesters in the rest of the UK experience similar difficulties, and a similar lack of consistency, whereby some authorities are exemplary in the timeliness of their responses to FOI requests and some are very poor. As that last link indicates, the rUK Information Commissioner (IC) does monitor authorities for FOI compliance. He has also obtained informal undertakings and on occasion issued enforcement notices against authorities performing particularly poorly. However, what evidence there is does not suggest that this has led to overall improvement. Since 2009 the number of decision notices issued annually by the IC in which section 10 (“time for compliance”) was a factor has been as follows: 223 in 2009, 276 in 2010, 371 in 2011, 227 in 2012, 223 in 2013. These figures represent approximately 25% of all cases. They are not directly comparable with the SIC’s figures (which represent complaints made, rather than decision notices issued) but they do suggest similar problems on both sides of the border.

The IC does have essentially the same powers as the SIC to lay reports before Parliament (under section 49(2) of the Freedom of Information Act 2000 (FOIA)). However, he has never exercised this FOIA power (there have been a couple of reports laid relating to data protection concerns). Given the serious concerns expressed by commentators about certain authorities’ attitude to FOIA, perhaps a report to Parliament would be a way of promoting debate – and improved compliance – which regulatory action has, to date, failed to achieve.


Filed under Cabinet Office, FOISA, Freedom of Information, Information Commissioner

Watch out lawyers – the ICO has you in his sights

The Information Commissioner’s Office (ICO) has “sounded the alarm” to the legal profession regarding breaches of the Data Protection Act 1998 (DPA). In a press release today it says it is

warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession

Fifteen incidents (which, of course, are not in themselves breaches of the DPA) involving members of the legal profession have been reported to the ICO in the last three months, and the release goes on to point out that

The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach

This of course is shorthand for what enforcement of the DPA really entails. Solicitors and barristers will often be data controllers pursuant to section 1(1) of the DPA (but not always – in-house lawyers are employees, and their employer will generally be the relevant data controller) and as such they will have an obligation under section 4(4) DPA to comply with the data protection principles of Schedule One. The seventh principle requires a data controller to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

and this is what the ICO refers to (or should refer to) when it talks about a “data breach”: a data security incident (such as loss of files) might occur as a result of a seventh principle breach, but, equally, it might not (I blogged at length on this distinction previously).

Nonetheless, the ICO will often give a shot across the bows of a particular group or industry prior to taking formal enforcement action, such as the serving of monetary penalty notices, to a maximum of £500,000. The likelihood of any individual barrister or solicitor, or of any but the very largest firms, receiving such a large penalty is very low (the ICO’s own rules state that he must take into account the impact of a penalty on the data controller). That said, all lawyers would do well to check their compliance with the DPA, and with their information security obligations.


Filed under Breach Notification, Data Protection, Information Commissioner, monetary penalty notice

Lib Dems in breach of ePrivacy laws?

As I’ve written on several occasions recently, the sending of direct marketing emails without the consent of the recipient is, as a general principle, unlawful under European and domestic law.

The Information Commissioner’s Office (ICO) guidance makes clear that promotion of a political party, campaign or candidate is “direct marketing” for the purposes of the Privacy and Electronic Communication (EC Directive) Regulations 2003 (PECR):

We take a broad view of what constitutes marketing and are satisfied that it is not only the offer for sale of goods or services but also includes the promotion of the aims and ideals of any organisation including political campaigns.

On 20 July I noted this on the Liberal Democrats’ home page

[screenshot: libdem]
A campaign to end Female Genital Mutilation is a worthy one (and not a party political issue) and one I’m happy to put my name to. However, I did have my suspicions, so set up a new email address, entered that into the box, and clicked “I agree”. There was no indication of what would happen with my email address once I had done this, although there was, at the very foot of the page, a small unobtrusive link to a “privacy policy” (of which more later).

What did happen was, firstly, and straight away, I received the following email

[screenshot: receipt1]

which was fair enough. At the foot of that email was this message

[screenshot: receipt]

again, fair enough, and that should be the end of my engagement with the Lib Dems.

But, you will perhaps be unsurprised to hear, it wasn’t. Two days later I received this, from Lynn Featherstone MP

[screenshot: featherstone]

which at least was on the subject of FGM, but I was surprised she considered herself my “friend”. And two days after that I found I’d made another friend:

[screenshot: nick]

So, a few days after I’d expressed my support for a non-party-political campaign, I was on first name terms with a political party leader, who was sending me an unsolicited marketing email. Which takes us back to PECR, and consent, and my myriad previous blog posts.

I thought I’d check exactly what the Lib Dems website privacy policy says. Of course there’s the usual guff about taking privacy seriously, but it goes on to say

If you provide your email address…we may use the email address to send you further information in the future. You may at any point request not to receive such information any more.

And there it is, in clear terms – a statement of non-compliance with the law. They cannot, under regulation 22(2) of PECR, infer consent to receive marketing emails merely because someone has provided an email address. I will be complaining to the Lib Dems, and, if necessary, the Information Commissioner’s Office.


Filed under consent, Data Protection, Information Commissioner, marketing, PECR, privacy notice

Lords’ Committee on Social Media and Criminal Offences – lacking a DPA expert?

In its generally sensible report on Social Media and Criminal Offences the House of Lords’ Communications Committee dealt with the subject of “Revenge Porn” (defined as “the electronic publication or distribution of sexually explicit material (principally images) of one or both of the couple, the material having originally been provided consensually for private use”, which seems to me worryingly to miss a key factor – that the publication or distribution will be done with harmful intent). The committee considered what criminal offences might be engaged by this hateful practice, but also observed (¶41) that

a private remedy is already available to the victim. Images of people are covered by the Data Protection Act 1988 (as “personal data”), and so is information about people which is derived from images. Images of a person count as “sensitive personal data” under the Act if they relate to “sexual life”. Under the Act, a data subject may require a data controller not to process the data in a manner that is “causing or is likely to cause substantial damage or substantial distress to him or to another”.

This is all true, but the next bit is not

The Information Commissioner may award compensation to a person so affected 

The Information Commissioner (IC) has no such powers, and one wonders where the committee got this impression (perhaps they confused the IC’s enforcement powers with the powers of the Local Government Ombudsman to make recommendations, such as the payment of compensation). Where someone wishes to complain about the processing of their personal data, their only direct right (as regards the IC) is to ask him (pursuant to section 42) to assess whether the data controller’s processing was likely to have complied with its obligations under the Data Protection Act 1998 (DPA). All the substantive rights given to data subjects under the DPA (such as access to data, rectification, cessation of processing, compensation etc.) are enforceable only by the data subject through the courts. Moreover, in “revenge porn” cases, this would involve the data subject requesting the data controller (who in most cases will be the person who uploaded the images/content in question) to desist. This could clearly be a course of action fraught with difficulties.

The Committee goes on to point to another civil remedy – “An individual may also apply to the High Court for a privacy injunction to prevent or stop the publication of material relating to a person’s sexual life” – but observes (¶44) that

We are concerned that the latter remedy is available only to those who can afford access to the High Court. It would be desirable to provide a proportionately more accessible route to judicial intervention

Whilst remedies under the DPA are available through the County Court (or the Sheriff Court in Scotland), rather than the High Court, this still involves expenditure, especially if the case is not amenable to the small claims track, and also involves potential exposure to costs in the event that the claim is unsuccessful.

Furthermore, in the event that the IC were asked to consider a complaint about “revenge porn”, it might be borne in mind that he is reluctant to rule on matters regarding publication of private information on the internet. Section 36 of the DPA provides an exemption from the Act where the processing is only for “domestic purposes”. The Committee correctly says (¶41)

Personal data “processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)” are exempt from this provision but the European Court of Justice has determined that posting material on the internet is not part of one’s “personal, family or household affairs”

And the Committee cites in support of this the Court of Justice of the European Union’s judgment in the case of Lindqvist. But the IC has traditionally been reluctant fully to grapple with the implications of Lindqvist, and, as I have noted previously, its guidance Social networking and online forums – when does the DPA apply?, which says

the ‘domestic purposes’ exemption…will apply whenever an individual uses an online forum purely for domestic purposes

is manifestly at odds with the CJEU’s ruling.

I would greatly hope that, if asked to consider the legality of the posting of “revenge porn”, the IC would not decline jurisdiction on the basis of the section 36 exemption, but his position on section 36 is problematic when it comes to regulation and enforcement of social media.

It is rather to be regretted that the Lords’ Committee was not better informed on these particular aspects of its report.


Filed under Data Protection, Information Commissioner, social media

ICO penalty after one million credit card details extracted from vulnerable website

The Information Commissioner’s Office (ICO) has served a monetary penalty notice (MPN) of £150,000 on online travel company Think W3 Ltd.

MPNs (sometimes wrongly described as “fines” *cough* http://ico.org.uk/enforcement/fines) are civil penalties which can be served by the ICO where it has determined that the data controller in question has contravened the Data Protection Act 1998 and the contravention was: serious, of a kind likely to cause substantial damage or substantial distress and the data controller knew or ought to have known that there was a risk the contravention would occur but failed to take steps to prevent it. The ICO classed this contravention as very serious.

The website of Essential Travel Ltd, a subsidiary and trading brand of Think W3, was subject to a major attack in which more than 1 million credit card records were extracted. The attack was an SQL injection, enabled by a coding error on a login page which (to facilitate home-working) was publicly reachable over the internet. It appears that the coding error, and the absence of any suitable checks since, meant the site had been vulnerable from early 2006 until December 2012 (when the attack happened): an internet-facing page went without a suitable check of its code for more than six years.
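The shape of the flaw the notice describes, as an added illustration that is not Essential Travel’s code (the notice does not publish it): a hypothetical login query built by pasting user input into the SQL text, beside the parameterised version, both run against a constructed in-memory SQLite database with a small users table and a small table of (test, not real) card numbers. Passwords are stored as an unsalted SHA-256 only to keep the example short; a real system would use a salted, deliberately slow password hash.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Unsalted SHA-256 only to keep the example short; a real system would
    # use a salted, deliberately slow password hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a travel site's backend.
    One user table and one table of card records are enough to show the flaw."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT NOT NULL, pan TEXT NOT NULL);
    """)
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.executemany(
        "INSERT INTO cards (holder, pan) VALUES (?, ?)",
        [("alice", "4111111111111111"), ("bob", "5555555555554444")],  # test PANs, not real cards
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The coding error: user input is pasted straight into the SQL text, so the
    attacker controls the structure of the query, not just a compared value."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, _hash(password)))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised form: the driver receives the SQL and the values separately,
    so whatever the attacker types is compared as data and never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchall()
    return [row[0] for row in rows]


# Two classic payloads, typed into the username field of the login form.
BYPASS_PAYLOAD = "alice' --"                           # comments out the password check
EXTRACT_PAYLOAD = "x' UNION SELECT pan FROM cards --"  # pulls card numbers through the username column


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS_PAYLOAD, "wrong"))
    print("vulnerable, extract:", sorted(login_vulnerable(db, EXTRACT_PAYLOAD, "wrong")))
    print("hardened, bypass   :", login_hardened(db, BYPASS_PAYLOAD, "wrong"))
    print("hardened, extract  :", login_hardened(db, EXTRACT_PAYLOAD, "wrong"))
```

The first payload logs in as an existing user without knowing the password; the second uses UNION to route an entire column of card numbers out through a query that was only ever meant to return a username, which is how a login page becomes a bulk extraction channel. The parameterised version returns nothing for either payload because the quote and the `--` are compared as literal characters. Six years of exposure, as in this case, is the argument for making this check part of code review and periodic testing of every internet-facing page, not something done once at launch.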

The fact that the MPN was at the lower end of the scale available is probably because of the need (laid out in guidance) for the ICO to consider the data controller’s financial ability to pay a penalty. What I find interesting here is that Think W3 Ltd was a company wholly owned by Thomas Cook Group, which acquired 100% of it in 2010 and held it until January this year. Company law normally provides that the liability of a company within a group attaches to that company alone, so the assets of the Group were not available to be taken into account by the ICO, but, given that the seventh data protection principle was already being contravened, in a very serious manner, at the time of the 2010 acquisition, some questions might now be asked of those in charge at the time. And it is noteworthy that Thomas Cook appear to be prepared to pay the penalty, rather than new owners Holiday Extras.


Filed under Data Protection, Information Commissioner, monetary penalty notice

ICO responds to my concerns about PECR compliance

In assessing one’s own compliance with the law, or in advising a client on the law, or in pontificating on one’s blog about the law, one is well advised to refer not only to the law itself (whether in the form of legislation or precedent at common law), but also codes of practice, and guidance. When the law in question is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which are enforced and overseen by the Information Commissioner’s Office (ICO), it is natural that one would refer – in addition to PECR themselves, and the European Directive 2002/58/EC to which PECR give domestic effect – to the ICO’s own PECR guidance, and, particularly when it comes to electronic marketing, the guidance on Direct Marketing.

So, when the latter guidance says

Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…

it would be reasonable to assume that an organisation which did not do this would be, at least if not in direct breach of PECR, sailing close to the wind. The relevant regulation (22(2)) of PECR says that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

and recital 40 of the originating Directive says that prior, explicit consent must be given before electronic marketing can take place.

One could reasonably argue that, until such unsolicited electronic marketing actually takes place, there is no active breach of PECR, but it should surely be conceded that any practice of collecting email addresses, by – say – a political party, in circumstances where explicit consent to receiving subsequent electronic political marketing has not been obtained, is questionable.

I have blogged a number of times in recent weeks about such harvesting of email addresses, and it was prompted by a “widget” on the Labour Party website. I asked the ICO for a statement specifically about that “widget”, and this is what their spokesman said:

In general terms, if an organisation wishes to retain individuals’ contact details it should make them aware of this before their information is collected.  This appears to be the case in the NHS baby number service. We also advise organisations that web pages should explain how personal information will be used, and this can be via a link to the organisation’s privacy policy. We would also want to ensure that individuals can unsubscribe from emails if they receive them, as appears to be the situation here. 

We have published detailed guidance for political parties for campaigning or promotional purposes. On 1 May 2014, the Information Commissioner wrote to the main UK political parties reminding them of the need to follow data protection and electronic marketing rules. Political campaigning is an area that attracts close public scrutiny. We shall continue to encourage political parties to demonstrate best practice and be open and upfront with people when explaining how their personal details will be used

Now, this is a reasonable and accurate statement about the collection of personal data and compliance with the first Data Protection Principle in Schedule One of the Data Protection Act 1998 – tell people what you are gathering their data for, and how it will be used, and you will probably have broadly complied with the duty to process personal data “fairly”.

However, it seems to overlook – with its reference to “general terms” – the specific requirements of PECR. It seems clear to me that any subsequent email from Labour will have been sent because they have inferred, rather than having received notification of, (explicit) consent.

PECR is not my strongest area. Seriously – am I missing something?


Filed under consent, Data Protection, Information Commissioner, marketing, PECR

Big Political Data

I’ve written over the past few months about questionable compliance by the Conservative, Labour, Liberal Democrat and Scottish National Parties with their obligations under the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. And, as I sat down to write this post, I thought I’d check a couple of other parties’ sites, and, sure enough, similar issues are raised by the UKIP and Plaid Cymru sites

[screenshot: ukipplaid]

No one except a few enthusiasts in this area of law/compliance seems particularly concerned, and I will, no doubt, eventually get fed up with the dead horse I am flogging. However, a fascinating article in The Telegraph by James Kirkup casts a light on just why political parties might be so keen to harvest personal data, and not be transparent about their uses of it.

Kirkup points out how parties have begun an

extraordinarily extensive – and expensive – programme of opinion polls and focus groups generating huge volumes of data about voters’ views and preferences…Traditional polls and focus groups have changed little in the past two decades. They help parties discover what voters think, what they want to hear, and how best to say it to them. That is the first stage of campaigning. The second is to identify precisely which voters you need to speak to. With finite time and resources, parties cannot afford to waste effort either preaching to the converted or trying to win over diehard opponents who will never change sides. The party that finds the waverers in the middle gains a crucial advantage.

It seems clear to me that the tricks, and opacity, which are used to get people to give up their personal information, are part of this drive to amass more and more data for political purposes. It’s unethical, it’s probably unlawful, but few seem to care, and no one, including the Information Commissioner’s Office (which has, in the past taken robust action against dodgy marketing practices in party politics) has seemed prepared so far to do anything to prevent it. However, the ICO has good guidance for the parties on this, and in May this year, issued a warning to play by the marketing rules in the run-up to local and European elections. Let’s hope this warning, and the threat of enforcement action, extends to the bigger stage of the national elections next year.


Filed under Confidentiality, consent, Data Protection, Information Commissioner, marketing, PECR, Privacy

Naming and shaming no shows is a no-no

I know a couple who run a restaurant. And I know how the problem of no-shows can cause great economic damage to restaurants. Failing to show up, or to cancel in advance, is, moreover, incredibly rude. But the response, which I only became aware of today, of naming and shaming the no-show customers on twitter is a risky and probably unlawful one for restaurateurs to take.

In the instance I saw this morning a London restaurant had apparently searched for the twitter account of a person who they thought had failed to show, and had openly tweeted their displeasure. He, however, had email proof that he had cancelled in advance. The restaurant investigated, accepted this, and apologised (and the customer accepted, so I’m not going to name either of the parties).

However, the restaurant was processing the personal data of the customer when it took his booking, and its use of that data would be limited to what the customer was told at the time, or what he might reasonably expect. So, unless they had a very odd privacy notice, their permitted processing purposes would not have extended to naming and shaming him for failing to turn up. Thus, it would seem to be a breach of at least both the first and the second data protection principles. Moreover, such a cavalier approach to customer data wouldn’t make one confident about other aspects of data protection compliance.

I really do sympathise with restaurateurs: one of the alternative approaches to no-shows and late cancellers is punitive cancellation fees, but that also has its drawbacks and detractors. However, there are not many areas of commerce where companies would be able to get away with such apparently unfair and unlawful processing of their customers’ personal data: announcing that someone has failed to attend at a certain restaurant potentially indicates quite a bit about the person’s tastes, means and location. It’s a risky thing for a restaurateur to do, especially when, as with the restaurant I saw tweeting earlier today, they haven’t registered their processing with the Information Commissioner’s Office (failure to register being, I would emphasise, a criminal offence).


Filed under Data Protection, Information Commissioner, privacy notice, social media

The days of wine and disclosures

I like FOI. I like wine. Here’s an FOI disclosure about wine.

In the early days of the Freedom of Information Act 2000 (FOI) there were frequent attempts to get the government to disclose detailed information about its wine cellar (see for instance this seemingly interminable request). Eventually, the Information Commissioner got fed up with the lack of FOI hospitality from the Foreign and Commonwealth Office (FCO), who seem to be responsible for this sort of thing, and started issuing decision notices requiring disclosure.

I’m pleased to see that disclosure is now, if not a matter of routine, not resisted by FCO (except for some intriguing little redactions – one wonders if they hide things like “this is the Minister for X’s favourite”). So, we now know that the government has reserves of, for instance, 139 bottles of Latour 1961, with a market value of £321,000. This is the highest value wine, but we (sorry, they) also hold 110 bottles of Chateau Margaux 1983 (market value £15k – not the best vintage, after all). And their Pétrus is only the 1978, but even so, the estimated market value of £250 seems very low.

It’s a shame the dataset isn’t in a reusable format, but, we’re all in it together, so I’d invite others to search out some other interesting cellar items. Those Krug ’82 magnums look a steal at £125 a pop…


Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

ICO v ICO?

UPDATE: 16 July 2014 – in the comments to this piece the ICO adds some further details on the “non-trivial” incident: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

The ICO had a “non-trivial” data security incident last year. Can it “fine” itself? Will/has it?

There was an interesting teaser in the Information Commissioner’s Annual Report. As The Times reports

Christopher Graham, the Information Commissioner (ICO), revealed yesterday that his office had suffered a “non-trivial data security incident” within the last 12 months, which prompted a full internal investigation

The ICO, of course, processes personal data and in doing so assumes the role of the data controller (according to section 1(1) of the Data Protection Act 1998 (DPA)). It also assumes the obligation to comply with the data protection principles, and the liability for contravening them. In 2012 the ICO responded to a Freedom of Information Act 2000 (FOIA) request for its “data breach log” with a document that showed admirable commitment to recording even the smallest of potential data security incidents (“person taking photographs outside building”, “theft of small amount of money”). In that instance there were two incidents identified as “high risk”, but the ICO declined to provide information, and the requester, it seems, did not pursue the matter.

This time, with national media picking the story up, the matter may be pushed further. At the moment the ICO is apparently declining to offer any further comment to the media, advising The Times that

You will have to fill out a freedom of information request

which doesn’t really sit that well with their normal commitment to transparency.

But to what extent can or should the ICO investigate its own compliance with the DPA? The Act does not provide for any derogation for the ICO from its obligations, and nor does it provide for any alternative to “self regulation”. Nor, moreover, does it appear to provide for any delegation to a third party to investigate. When it deals with complaints about its own handling of FOIA requests it habitually issues decision notices about itself (sometimes even finding against itself). It does this by distinguishing between “the ICO” (the entity dealing with the request) and “the Commissioner” (the entity dealing with the complaint). I would imagine that a similar nominal separation would be used if it came to formal enforcement action being contemplated in response to a data security incident.

I emphasise the word “if” in the previous sentence, because, although The Times says

The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach

it is clear in fact that no such enforcement action resulted in this instance. This is clear because, firstly, the ICO’s own Monetary Penalty Guidance says that any monetary penalty notice (for which “fine” is a convenient, if not strictly correct, shorthand) will be published on its website. None has been published (believe me – I check these things very regularly). And secondly, and more fundamentally, the ICO’s report says that the incident in question

did not amount to a serious breach of the Data Protection Act [emphasis added]

By section 55A a monetary penalty can only be served for a serious contravention of the data controller’s obligations under the DPA. If the incident was not a serious contravention, the statutory threshold for a monetary penalty is simply not met. So, regardless of what other information about the incident might be winkled out of the ICO, we are not going to have a story of “ICO fines ICO”.

However, on a final point, I note that the ICO expects data controllers to report serious data security incidents to the ICO. So the question arises – did the ICO report this to the ICO, or did the ICO assess this as not serious enough to refer to the ICO?  How did the ICO get to know? Could it have been a leak by the ICO? Or even by the ICO? These questions deserve answers*.

*no they don’t


Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice