Tag Archives: ICO

July 16, 2014 · 2:58 pm

ICO v ICO?

UPDATE: 16 July 2014 – in the comments to this piece the ICO adds some further details on the “non-trivial” incident: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

The ICO had a “non-trivial” data security incident last year. Can it “fine” itself? Will/has it?

There was an interesting teaser in the Information Commissioner’s Annual Report. As The Times reports

Christopher Graham, the Information Commissioner (ICO), revealed yesterday that his office had suffered a “non-trivial data security incident” within the last 12 months, which prompted a full internal investigation

The ICO, of course, processes personal data and in doing so assumes the role of the data controller (according to section 1(1) of the Data Protection Act 1998 (DPA)). It also assumes the obligation to comply with the data protection principles, and the liability for contravening them. In 2012 the ICO responded to a Freedom of Information Act 2000 (FOIA) request for its “data breach log” with a document that showed admirable commitment to recording even the smallest of potential data security incidents (“person taking photographs outside building”, “theft of small amount of money”). In that instance there were two incidents identified as “high risk”, but the ICO declined to provide information, and the requester, it seems, did not pursue the matter.

This time, with national media picking the story up, the matter may be pushed further. At the moment the ICO is apparently declining to offer any further comment to the media, advising The Times that

You will have to fill out a freedom of information request

which doesn’t really sit that well with their normal commitment to transparency.

But to what extent can or should the ICO investigate its own compliance with the DPA? The Act does not provide for any derogation for the ICO from its obligations, and nor does it provide for any alternative to “self regulation”. Nor, moreover, does it appear to provide for any delegation to a third party to investigate. When it deals with complaints about its own handling of FOIA requests it habitually issues decision notices about itself (sometimes even finding against itself). It does this by distinguishing between “the ICO” (the entity dealing with the request) and “the Commissioner” (the entity dealing with the complaint). I would imagine that a similar nominal separation would be used if it came to formal enforcement action being contemplated in response to a data security incident.

I emphasis the word “if” in the previous sentence, because, although The Times says

The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach

it is clear in fact that no such enforcement action resulted in this instance. This is clear because, firstly, the ICO’s own Monetary Penalty Guidance says that any monetary penalty notice (for which “fine” is a convenient, if not strictly correct, shorthand) will be published on its website. None has been published (believe me – I check these things very regularly). And secondly, and more fundamentally, the ICO’s report says that the incident in question

did not amount to a serious breach of the Data Protection Act [emphasis added]

By section 55A a monetary penalty can only be served for a serious contravention of the data controller’s obligations under the DPA. If the incident was not a serious contravention, the statutory threshold for a monetary penalty is simply not met. So, regardless of what other information about the incident might be winkled out of the ICO, we are not going to have a story of “ICO fines ICO”.

However, on a final point, I note that the ICO expects data controllers to report serious data security incidents to the ICO. So the question arises – did the ICO report this to the ICO, or did the ICO assess this as not serious enough to refer to the ICO?  How did the ICO get to know? Could it have been a leak by the ICO? Or even by the ICO? These questions deserve answers*.

*no they don’t

8 Comments

Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice

Tagged as , ,

July 7, 2014 · 7:21 am

Privacy issues with Labour Party website

Two days ago I wrote about a page on the Labour Party website which was getting considerable social media coverage. It encourages people to submit their date of birth to find out, approximately, of all the births under the NHS, what number they were.

I was concerned that it was grabbing email address without an opt-out option. Since then, I’ve been making a nuisance of myself asking, via twitter, various Labour politicians and activists for their comments. I know I’m an unimportant blogger, and it was the weekend, but only one chose to reply: councillor for Lewisham Mike Harris, who, as campaign director for DontSpyOnUs, I would expect to be concerned, and, indeed, to his credit, he said “You make a fair point, there should be the ability to opt out”. Mike suggested I email Labour’s compliance team.

In the interim I’d noticed that elsewhere on the Labour website there were other examples of emails being grabbed in circumstances where people would not be sure about the collection. For instance: this “calculator” which purports to calculate how much less people would pay under Labour for energy bills, which gives no privacy notice whatsoever. Or even this, on the home page, which similarly gives no information about what will happen with your data

homepage

Now, some might say that, if you’re giving your details to “get involved”, then you are consenting to further contact. This is probably true, but it doesn’t mean the practice is properly compliant with data collection laws. And this is not unimportant; as well as potentially contributing to the global spam problem, poor privacy notices/lack of opt-out facilities at the point of collection of email address contribute to the unnecessary amassing of private information, and when it is done by a political party, this can even be dangerous. It should not need pointing out that, historically, and elsewhere in the world, political party lists have often been used by opposition parties and repressive governments to target and oppress activists. Indeed, the presence of one’s email on a party marketing database might well constitute sensitive personal data – as it can be construed as information on one’s political opinions (per section 2 of the Data Protection Act 1998).

So, these are not unimportant issues, and I decided to follow Mike Harris’s suggestion to email Labour’s compliance unit. However, the contact details I found on the overarching privacy policy merely gave a postal address. I did notice though that that page said

If you have any questions about our privacy policy, the information we have collected from you online, the practices of this site or your interaction with this website, please contact us by clicking here

But if I follow the “clicking here” link, it takes me to – wait for it – a contact form which gives no information whatsoever about what will happen if I submit it, other than the rather stalinesque

The Labour Party may contact you using the information you supply

And returning to the overarching privacy policy didn’t assist here – none of the categories on that page fitted the circumstances of someone contacting the party to make a general enquiry.

I see that the mainstream media have been covering the NHS birth page which originally prompted me to look at this issue. Some, like the Metro, and unsurprisingly, the Mirror, are wholly uncritical. The Independent does note that it is a clever way of harvesting emails, but fails to note the questionable legality of the practice. Given that this means that more and more email addresses will be hoovered up, without people fully understanding why, and what will happen with them, I really think that senior party figures, and the Information Commissioner, should start looking at Labour’s online privacy activities.

(By the way, if anyone thinks this is a politically-motivated post by me, I would point out that, until 2010, when I voted tactically (never again), I had only ever voted for one party in my whole life, and that wasn’t the Conservatives or the Lib Dems.)

6 Comments

Filed under Data Protection, Information Commissioner, marketing, PECR, Privacy, privacy notice, social media, tracking

Tagged as , , , , ,

July 6, 2014 · 11:52 am

DVLA, disability and personal data

Is the DVLA’s online vehicle-checker risking the exposure of sensitive personal data of registered keepers of vehicles?

The concept of “personal data”, in the Data Protection Act 1998 (DPA) (and, beyond, in the European Data Protection Directive EC/95/46) can be a slippery one. In some cases, as the Court of Appeal recognised in Edem v The Information Commissioner & Anor [2014] EWCA Civ 92 where it had to untangle a mess that the First-tier tribunal had unnecessarily got itself into, it is straightforward: someone’s name is their personal data. In other cases, especially those which engage the second limb of the definition in section 1(1) of the DPA (“[can be identified] from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller” it can be profoundly complex (see the House of Lords in Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47, a judgment which, six years on, still makes data protection practitioners wake up in the night screaming).

When I first looked at the reports that the DVLA’s Vehicle Tax Check service enabled people to see whether the registered owner of a car was disabled, I thought this might fall into the complex category of data protection issues. On reflection, I think it’s relatively straightforward.

I adopt the excellent analysis by the benefitsandwork.co.uk site

A new vehicle check service on the DVLA website allows visitors to find out whether their neighbours are receiving the higher rate of the mobility component of disability living allowance (DLA) or either rate of the mobility component of personal independence payment (PIP)…The information that DVLA are making available is not about the vehicle itself. Instead they are publishing personal information about the benefits received by the individual who currently owns the car or for whom the car is solely used.

It’s difficult to argue against this, although it appears the DVLA are trying, because they responded to the initial post by saying

The Vehicle Enquiry Service does not include any personal data. It allows people to check online what information DVLA holds about a vehicle, including details of the vehicle’s tax class to make sure that local authorities and parking companies do not inadvertently issue parking penalties where parking concessions apply. There is no data breach – the information on a vehicle’s tax class that is displayed on the Vehicle Enquiry Service does not constitute personal data. It is merely a descriptive word for a tax class

but, as benefitsandwork say, that is only true insofar as the DVLA are publishing the tax band of the car, but when they are publishing that the car belongs to a tax-exempt category for reasons of the owner’s disability, they are publishing something about the registered keeper (or someone they care for, or regularly drive), and that is sensitive personal data.

What DVLA is doing is not publishing the car’s tax class – that remains the same whoever the owner is – they are publishing details of the exempt status of the individual who currently owns it. That is personal data about the individual, not data about the vehicle

As the Information Commissioner’s guidance (commended by Moses LJ in Edem) says

Is the data being processed, or could it easily be processed, to: learn; record; or decide something about an identifiable individual, or; as an incidental consequence of the processing, either: could you learn or record something about an identifiable individual; or could the processing have an impact on, or affect, an identifiable individual

Ultimately benefitsandwork’s example (where someone was identified from this information) unavoidably shows that the information can be personal data: if someone can search the registration number of a neighbour’s car, and find out that the registered keeper is exempt from paying the road fund licence for reasons of disability, that information will be the neighbour’s personal data, and it will have been disclosed to them unfairly, and in breach of the DPA (because no condition for the disclosure in Schedule 3 exists).

I hope the DVLA will rethink.

 

11 Comments

Filed under Confidentiality, Data Protection, Directive 95/46/EC, disability, Information Commissioner, Privacy

Tagged as , ,

July 5, 2014 · 9:03 am

Labour Party website – unfair processing?

Earlier this year I wrote about a questionable survey on the Conservative Party website, which failed to comply with the legal requirements regarding capture of email addresses. It is perhaps unsurprising to see something similar now being done in the name of the Labour Party.

An innocuous looking form on Labour’s donation pages lies underneath a statement that almost 44 million babies have been delivered under NHS care since 1948. The form invites people to find out what number their birth was. There are of course lots of this type of thing on the internet: “What was number one when you were born?” “Find out which Banana Split you are” etc. But this one, as well as asking for people’s date of birth, asks for their (first) name, email address and postcode. And, sure enough, underneath, in small print that I suspect they hope people won’t read, it says

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point

So, they’ll have your email address, your first name and a good idea of where you live (cue lots of “Hi Jon” emails, telling me about great initiatives in my area). All very predictable and dispiriting. And also almost certainly unlawful: regulation 22(2) of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) says that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

This Labour web page impermissibly infers consent. The European Directive  to which PECR give domestic effect makes clear in recital 40 that electronic marketing requires that prior, explicit consent  be obtained. Furthermore the Information Commissioner’s Office (ICO), issues clear guidance on PECR and marketing, and this says

Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…

The ICO’s guidance on political campaigning is (given the likelihood of abuse) disappointingly less clear, but it does say that “An organisation must have the individual’s consent to communicate with them [by email]”. I rather suspect the Labour Party would try to claim that the small print would suffice to meet this consent point, but a) it wouldn’t get them past the hurdle of giving the option to opt out at the point of collection of data, and b) in the circumstances it would crash them into the hurdle of “fairness”. The political campaigning guidance gives prominence to this concept

It is not just in an organisation’s interests to act lawfully, but it should also have respect for the privacy of the individuals it seeks to represent by treating them fairly. Treating individuals fairly includes using their information only in a way they would expect

I do not think the majority of people completing the Labour Party’s form, which on the face of it simply returns a number relating to when they were born, would expect their information to be used for future political campaigning. So it appears to be in breach of PECR, not fair, and also, of course (by reference to the first principle in Schedule One) in breach of the Data Protection Act 1998. Maybe the ICO will want to take a look.

UPDATE:

I see that this page is being pushed quite hard by the party. Iain McNicol, General Secretary, and described as “promoter” of the page has tweeted about it, as have shadow Health Secretary Andy Burnham and Ed Miliband himself. One wonders how many email addresses have been gathered in this unfair and potentially unlawful way.

 

3 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

Tagged as , , ,

July 4, 2014 · 10:06 am

We’re looking into it

The news is awash with reports that the UK Information Commissioner’s Office (ICO) is “opening an investigation” into Facebook’s rather creepy research experiment, in conjunction with US universities, in which it apparently altered the users’ news feeds to elicit either positive or negative emotional responses. Thus, the BBC says “Facebook faces UK probe over emotion study”, SC Magazine says “ICO probes Facebook data privacy” and the Financial Times says “UK data regulator probes Facebook over psychological experiment”.

As well as prompting one to question some journalists’ obsession with probes, this also leads one to look at the basis for these stories. It appears to lie in a quote from an ICO spokesman, given I think originally to the online IT news outlet The Register

The Register asked the office of the UK’s Information Commissioner if it planned to probe Facebook following widespread criticism of its motives.

“We’re aware of this issue, and will be speaking to Facebook, as well as liaising with the Irish data protection authority, to learn more about the circumstances,” a spokesman told us.
So, the ICO is aware of the issue and will be speaking to Facebook and to the Irish Data Protection Commissioner’s office. This doesn’t quite match up to the rather hyperbolic news headlines. And there’s a good reason for this – the ICO is highly unlikely to have any power to investigate, let alone take action. Facebook, along with many other tech/social media companies, has its non-US headquarters in Ireland. This is partly for taxation reasons and partly because of access to high-skilled, relatively low cost labour. However, some companies – Facebook is one, LinkedIn another – have another reason, evidenced by the legal agreements that users enter into: because the agreement is with “Facebook Ireland”, then Ireland is deemed to be the relevant jurisdiction for data protection purposes. And, fairly or not, the Irish data protection regime is generally perceived to be relatively “friendly” towards business.
 
These jurisdictional issues are by no means clear cut – in 2013  a German data protection authority tried to exercise powers to stop Facebook imposing a “real name only” policy.
 
Furthermore, as the Court of Justice of the European Union recognised in the recent Google Spain case, the issue of territorial responsibilities and jurisdiction can be highly complex. The Court held there that, as Google had
 
[set] up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State
 
it was processing personal data in that Member State (Spain). Facebook does have a large UK corporate office with some responsibility for sales. It is just possible that this could give the ICO, as domestic data protection authority, some power to investigate. And if or when the draft European General Data Protection Regulation gets passed, fundamental shifts could take place, extending even, under Article 3(2) to bringing data controllers outside the EU within jurisdiction, where they are offering goods or services to (or monitoring) data subjects in the EU.
 
But the question here is really whether the ICO will assert any purported power to investigate, when the Irish DPC is much more clearly placed to do so (albeit it with terribly limited resources). I think it’s highly unlikely, despite all the media reports. In fact, if the ICO does investigate, and it leads to any sort of enforcement action, I will eat my hat*.
 
*I reserve the right to specify what sort of hat

Leave a comment

Filed under Data Protection, Directive 95/46/EC, enforcement, facebook, journalism, social media, Uncategorized

Tagged as , , ,

July 3, 2014 · 4:23 pm

A green light for publishing FOI requesters names? I hope not

The Information Commissioner’s Office (ICO) today issued a statement about the data protection implications of public authorities publishing the names of people who have made requests under the Freedom of Information Act 2000 (FOIA). It was issued to journalist Jules Mattsson (it may have been issued to others) and I credit him for pursuing it. It arose out of concerns expressed on Twitter yesterday that a council had uploaded a disclosure log in which the names of requesters were unredacted*.

When the Justice Committee undertook its post-legislative scrutiny of FOIA in 2012 it made a recommendation (¶82) that names of requesters be published in disclosure logs

it can be argued that someone seeking to exercise freedom of information rights should be willing for the fact they have requested such information to be in the public domain; we therefore recommend that where the information released from FOI requests is published in a disclosure log, the name of the requestor should be published alongside it

But this was rejected by the government in its response to the report (¶25)

The Government does not share the view that publishing the names of requesters in disclosure logs would be beneficial in terms of burdens. Such a move would have implications for the data protection of requesters..

 Tim Turner blogged in his usual meticulous style on these data protection implications yesterday, and I am not going to rehearse the points he makes. Indeed, the ICO in its statement more or less agrees with Tim’s comments on fairness, and necessity, when it comes to the publication of requesters’ names

Individuals who make…requests must have their details handled fairly. Many people who have made a request would not expect to have their name linked to published details of the request they have made. If a public authority is considering publishing this information then they must consider why publishing the requester’s name is necessary/ While there is a need for authorities to be transparent about the [FOI] process, in most cases this would not extend to releasing people’s name simply to deter requesters

There then follow some (correct) observations that journalists and politicians might have different expectations, before the statement says

At the very least people should be told that their details will be published and given the opportunity to explain to the council why their name should not be disclosed. If having raised it with the authority a person is not happy with the way their details have been handled then we may be able to help

So what the ICO appears to be doing is agreeing that there are data protection implications, but, as long as authorities give requesters a privacy notice, announcing that they’re not going to do anything (unless people complain). It’s not often I take issue with the excellent Matt Burgess, who runs FOI Directory, but he claims that “the ICO has criticised the Council”. With respect, I don’t see any targeted criticism in the ICO’s statement, and I fear some public authorities will see it as a green light to publishing names.

As source does inform me that an ICO spokesman has said that they are going to be in touch with the council in question, to find out the full details. However, I wonder if the statement shows an approach more in line with the ICO’s new, largely reactive (as opposed to proactive), approach to data protection concerns (described on my blog by Dr David Erdos as having worrying implications for the rule of law), but I fear it risks the exposure of the personal data of large numbers of people exercising their right to information under a statutory scheme which, at heart, is meant to be applicant-blind. As the ICO implies, this could have the effect of deterring some requesters, and this would be, in the words of the always perceptive Rich Greenhill, a type of reverse chilling effect for FOIA.

 *I’m not going to link to the information: I don’t think its publication is fair. 

 

 

UPDATE: 05.07.14

The Council appears to have taken the information down, with Jules Mattsson reporting on 3 July that they are reviewing the publication of requesters’ names.

6 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner

Tagged as , ,

June 18, 2014 · 5:21 pm

The Partridge Review reveals apparently huge data protection breaches

Does the Partridge Review of NHS transfers of hospital episode patient data point towards one of the biggest DPA breaches ever?

In February this year Tim Kelsey, NHS England’s National Director for Patients and Information, and vocal cheerleader for the care.data initiative, assured the public, in an interview on the Radio 4 Today programme, that in the twenty five years that Hospital Episode Statistics (HES) have been shared with other organisations

the management of the hospital episode database…there has never been a single example of that data being compromised, the privacy of patients being compromised…

When pressed by medConfidential‘s Phil Booth about this, and about risks of reidentification from the datasets, Tim repeated that no patient’s privacy had been compromised.

Some of us doubted this, as news of specific incidents of data loss emerged, and even more so as further news emerged suggesting that there had been transfers (a.k.a. sale) of huge amounts of potentially identifiable patient data to, for instance, the Institute and Faculty of Actuaries. The latter news led me to ask the Information Commissioner’s Office (ICO) to assess the lawfulness of this processing, an assessment which has not been completed four months later.

However, with the publication on 17 June of Sir Nick Partridge’s Review of Data Releases by the NHS Information Centre one questions the basis for Tim’s assertions. Sir Nick commissioned PwC to analyse a total of 3059 data releases between 2005 and 2013 (when the NHS Information Centre (NHSIC) ceased to exist, and was replaced by the Health and Social Care Information Centre HSCIC). The summary report to the Review says that

It disappoints me to report that the review has discovered lapses in the strict arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly

and it reveals a series of concerning and serious failures of data governance, including

  • lack of detailed records between 1 April 2005 and 31 March 2009
  • two cases of data that was apparently released without a proper record remaining of which organisation received the data
  • [no] evidence that Northgate [the NHSIC contractor responsible for releases] got permission from the NHS IC before making releases as it was supposed to do
  • PwC could not find records to confirm full compliance in about 10% of the sample

 Sir Nick observes that

 the system did not have the checks and balances needed to ensure that the appropriate authority was always in place before data was released. In many cases the decision making process was unclear and the records of decisions are incomplete.

and crucially

It also seems clear that the responsibilities of becoming a data controller, something that happens as soon as an organisation receives data under a data sharing agreement, were not always clear to those who received data. The importance of data controllers understanding their responsibilities remains vital to the protection of people’s confidentiality

(This resonates with my concern, in my request to the ICO to assess the transfer of data from HES to the actuarial society, about what the legal basis was for the latter’s processing).

Notably, Sir Nick dispenses with the idea that data such as HES was anonymised:

The data provided to these other organisations under data sharing agreements is not anonymised. Although names and addresses are normally removed, it is possible that the identity of individuals may be deduced if the data is linked to other data

 And if it was not anonymised, then the Data Protection Act 1998 (DPA) is engaged.

All of this indicates a failure to take appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, which the perspicacious among you will identify as one of the key statutory obligations placed on data controllers by the seventh data protection principle in the DPA.

Sir Nick may say

 It is a matter of fact that no individual ever complained that their confidentiality had been breached as a result of data being shared or lost by the NHS IC

but simply because no complaint was made (at the time – complaints certainly have been made since concerns started to be raised) does not mean that the seventh principle was not contravened, in a serious way.  And a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress can potentially lead to the ICO serving a monetary penalty notice (MPN) to a maximum of £500,000 (at least for contraventions after April 2010, when the ICO’s powers commenced).

The NHSIC is no more (although as Sir Nick says, HSCIC “inherited many of the NHS IC’s staff and procedures”). But that has not stopped the ICO serving MPNs on successor organisation in circumstances where their predecessors committed the contravention.  One waits with interest to see whether the ICO will take any enforcement action, but I think it’s important that they consider doing so, because, even though Sir Nick makes nine very sensible recommendations to HSCIC, one could be forgiven – having been given clear assurances previously, by the likes of Tim Kelsey and others – for having reservations as to future governance of our confidential medical data. I would suggest it is imperative that HSCIC know that their processing of personal data is now subject to close oversight by all relevant regulatory bodies.

 

 

 

 

 

 

 

 

 

2 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, monetary penalty notice, NHS, Privacy

Tagged as , , ,

June 12, 2014 · 1:44 pm

The Ministry of Poor Record Keeping?

If the Ministry of Justice really can’t search the text of emails for information, how can it comply with the FOI Code of Practice on Records Management?

In performing his functions under the Freedom of Information Act 2000 (FOIA) the Information Commissioner (IC) must promote the observance by public authorities of codes of practice issued under section 45 and section 46 of FOIA. Section 46 provides for a code of practice to be issued by the Lord Chancellor as to desirable practice for public authorities for the keeping, management and destruction of their records. A code was duly issued by the then Lord Chancellor Lord Irvine in 2002.

So, when deciding whether, for instance, a public authority has complied with its obligations under part 1 of FOIA (i.e. has it properly responded to a request for information?) the IC should, I submit, take into account where necessary whether the authority is complying with the Records Management Code.

With this in mind, consider the Ministry of Justice’s (MoJ) reported response to an FOI request for any mentions on its systems of the Howard League for Penal Reform. As Ian Dunt reports, the MoJ said that

On this occasion, the cost of determining whether we hold the information would exceed the limit set by the Freedom of Information Act

I have seen the MoJ response in question, and I accept that it is legitimate for a public authority to refuse to disclose information if the costs of determining whether it is held exceeds the limit prescribed by regulations (although authorities have an obligation under section 16 FOIA to advise and assist applicants as to how they might reframe their request to fall within the cost limits, and the MoJ have failed to do this). However, while the response refers to a necessity to search paper records, it also says

A manual search is required as central search functions (for example, those on email systems) would not identify all correspondence  – for example, if the Howard League for Penal Reform was mentioned in the body of the text

This appears to suggest, as Ian says, that “they can only search electronically for the headline of an email, not the body of a message”

If this is true (which seems extraordinary, but one is sure it must be, because intentionally to conceal information which otherwise should be disclosed under FOIA is an offence) it would appear to be contrary to the desirable practice in the Records Management Code, which says that

Records systems should be designed to meet the authority’s operational needs and using them should be an integral part of business operations and processes. Records systems should…enable quick and easy retrieval of information. With digital systems this should include the capacity to search for information requested under [FOIA]

It would be most interesting if the Howard League were to refer this to the IC for a decision. The IC rarely these days mentions the Records Management Code, but as the Code itself says

Records and information are the lifeblood of any organisation. They are the basis on which decisions are made, services provide and policies developed and communicate

Not only does poor records management affect compliance with FOIA (and other legal obligations), but it is not conducive to the reduction of back-office costs, developing new ways of working, and driving economies of scale (all things, of course, which the current Lord Chancellor prays in aid of his potentially devastating changes to legal aid provision).

p.s. As @Unity_MoT points out on twitter, if the MoJ struggles to search its systems to respond to FOIA requests, how does it undertake searches for responding to subject access requests under section 7 of the Data Protection Act 1998? See e.g. page 17 of the IC Code of Practice on Subject Access:

Not only should your systems have the technical capability to search for the information necessary to respond to a SAR, but they should also operate by reference to effective records management policies

 

Leave a comment

Filed under Freedom of Information, Information Commissioner, records management

Tagged as ,

June 9, 2014 · 3:08 pm

ICO’s power to refuse to decide cases is rarely used

The “filter” of section 50(2)(c) of the FOI Act allows the Information Commissioner to refuse to make a decision on frivolous or vexatious applications. It is rarely used. What an exciting intro to a blog post eh?

The First-tier Tribunal (Information Rights) (FTT), recently refused an application by Leeds City Council for an award of costs against a requester whose requests had been held by the Information Commissioner (IC), and the FTT itself, as vexatious under section 14(1) of the Freedom of Information Act 2000 (FOIA). Alistair Sloan has blogged about the decision itself, and I would commend his piece to readers, but an observation by the judge led me make an FOI request of my own.

After noting that

it must be possible, depending on the circumstances, for the maker of a request regarded by everyone else as vexatious, to defend his or her position on that point without automatically being treated under the costs Rules as behaving unreasonably

the judge adverted to section 50(2)(c) of FOIA. This permits to IC to not make a decision whether a public authority has complied with its FOIA obligations if the application for the decision is itself “frivolous or vexatious”. (This must be distinguished from a decision as to whether the original FOI request to the public authority was, pursuant to section 14(1), vexatious). It gives the IC an exception to the general requirement to make a formal decision on all cases where the applicant asks for one. The judge said

it is right to remember the protections which already exist for public authorities in the context of vexatious requests or hopeless appeals. Before a right of appeal is even a gleam in the Tribunal’s eye, there must be a complaint to the Information Commissioner (ICO). If the complaint to the ICO appears to be “frivolous or vexatious,” then there is no need for him even to make any decision appealable to the Tribunal. See Section 50(2) FIA

but then went on to note that he was

not aware of any published information about the extent to which the ICO makes use of this important provision.

 Ever keen to help our judiciary, I asked the IC, via What Do They Know. With admirable promptness they disclosed to me that, in the years for which records are retained (2007 onwards), the IC has declined to serve a decision notice because he considers the application vexatious or frivolous only 18 times (which breaks down into 16 frivolous and 2 vexatious).

Clearly, the IC considers this exceptional power to be just that – one that should be used only in exceptional cases, and maybe its use in 0.3% of cases accords with that. But in my research for this piece I did dig up again the IC’s submission to the Justice Committee for the latter’s 2012 post-legislative scrutiny of FOIA, and I noticed that there was this comment

For some reason Parliament made a distinction between this provision [section 50(2)(c)] and that in section 14(1) applying to requests to public authorities.

This strikes me as odd. It is quite clear that there is an important distinction between a vexatious request to a public authority and a frivolous or vexatious application for a decision. A requester could make a request to a public authority which was not in any way vexatious, yet choose to pursue the matter by applying for a decision in a way that made that application frivolous or vexatious. And it seems to me that this was what Judge Warren in the FTT was alluding to, and why it would be highly unusual – and potentially oppressive – to award costs against someone appealing a refusal of a vexatious request. Rule 10(1)(b) of the relevant tribunal rules does allow for the award of costs for unreasonably bringing (as opposed to conducting) the proceedings, but the availability of the filter of section 50(2)(c) FOIA should mean that it would be extraordinarily unusual for such an award ever to be made.

A final observation from me. The wording of section 50(2)(c) seems to make it clear that, as the IC would make no decision in a case where the application is frivolous or vexatious, then no possible right of appeal to the FTT could exist (and, therefore, judicial review would be the only legal remedy available). This would be in contrast to cases such as Sugar and (currently at case management stage in the Upper Tribunal) Cross v IC  where what is at issue is whether a decision by the IC that an organisation is not a public authority for the purposes of FOIA constitutes an appealable “decision”.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, judiciary, vexatiousness

Tagged as ,

May 30, 2014 · 8:46 am

Data Protection in the Court System

The Lord Chief Justice’s welcome call for a modern ICT system for the courts of England and Wales does, at the same time, raise concerns about the data protection compliance of the current systems

If a representative of a public sector data controller, responsible for processing huge amounts of manual and electronic sensitive data (of all categories), were to concede that their systems for handling this data “were recognised as outdated more than 15 years ago” it would – one imagines – raise a few eyebrows in Wilmslow. Outdated systems are, by default, systems which are unlikely to indicate compliance by the relevant data controller with the seventh data protection principle:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A serious contravention of the obligation to comply with that principle can lead to monetary penalty notices to a maximum sum of £500,000, as many data controllers know to their cost.

But such a concession is just what the Lord Chief Justice of England and Wales appeared to make at the Annual Lecture of the Society of Computers and Law on 20 May in London. In his lecture he referred to

 re-entering information on different systems, using and holding paper files, diaries that are manual and unreliable telephonic and video communications

He spoke of how

Once papers are misfiled they are lost. In a number of parts of the country it is difficult to find people to do the filing at a wage which HMG is prepared to pay

and that

Save for using Outlook, judges have no electronic filing system for their administration. Outside the most senior Judiciary, very little clerical support is available for the judges

 All of this is enough to make most data security and data protection officers have sleepless (and screamful) nights.

In fairness to Lord Thomas, a) he was reflecting his own personal views, and b) his lecture, which laid out the history of how things had got to this state, was admirably aimed at seizing an opportunity to modernise. However, it did make me wonder how the judicial system appears to have largely avoided the steely enforcement glare of the Information Commissioner. I think this is probably, in part, because it is highly complicated when looked at through the lens of the Data Protection Act 1998 (DPA). The DPA distinguishes between data controllers and data processors, with former attracting all the legal obligations and liabilities under the Act. A data controller is, by section 1(1) of the DPA

a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

Applying this to the situations which obtain in the court system is not an easy task (although it isn’t uniquely difficult – the distinction between data controller and processor is a notoriously complex, and perhaps increasingly artificial, one to establish). It seems to me that, with the sorts of personal data being processed as part of a legal claim or trial before a court, there may be multiple data controllers doing different things with the same or similar data – the parties, their legal representatives, the court staff, and the judiciary are those which immediately come to mind. In such circumstances we are probably talking about data controllers in common (“where data controllers share a pool of personal data, each processing independently of the other”*).

What is certain is that the Judicial Office for England and Wales considers the judiciary to be data controllers at least for some personal data and some acts of processing which take place within the court system. In a document entitled “Judicial Responsibilities and the Data Protection Act 1998” it says that

It is now acknowledged that individual judicial office-holders are data controllers in circumstances in which they determine the purpose for which and the manner in which any personal data is processed. This is so in relation to data processed in the exercise of any judicial functions

And another document “IT and Information Security Guidance for the Judiciary” contains generally sensible advice to judiciary on ICT security, but fine words butter no parsnips, and if the reality, as suggested by the Lord Chief Justice’s lecture (and, indeed, anecdotal evidence I have seen and heard) does not match up to the intentions of that document, then it would point to potentially serious contraventions of the DPA.

In April 2013 the Information Commissioner’s Office published the summary outcome of a data protection audit it had performed – by consent – on HM Courts and Tribunals Service. The audit gave the ICO “reasonable assurance” but one notes that it focused on data protection governance, training, and subject access requests, and did not appear to encompass security. And, for the reasons discussed earlier in this post, HMCTS are only one of the data controllers in play in the court system. In the rather unlikely event that the ICO decided to seek to audit them, would judges pass so easily?

*ICO Data Protection Legal Guidance, page 16

Leave a comment

Filed under Data Protection, Information Commissioner, judiciary, monetary penalty notice

Tagged as ,