Tag Archives: ICO

October 3, 2013 · 2:34 pm

Two more years for Chris Graham?

I think one mark of a true information rights nerd is whether they read minutes of meetings at the Information Commissioner’s Office (ICO), which are published, with a generally admirable commitment to transparency, on their website.

While browsing some recent minutes (of the Management Board meeting of 22 July) I noticed something interesting, which I wasn’t aware of (and haven’t seen anyone else pick up on?). Under a heading of “Major issues affecting the ICO” is

The Ministry of Justice has confirmed the Government’s intention to recommend to HM The Queen that Christopher Graham is reappointed as Information Commissioner [IC] for a period of two years following his current tenure ending in June next year.

The IC is a Crown appointment and his or her tenure is set at five years (paragraph 2(1) of Schedule 5 of the Data Protection Act 1998) but, by virtue of paragraph 2(5) he or she may be reappointed, provided he or she is not over 65, or has not already served for fifteen years. The reappointment of Christopher Graham (born 1950) will (if it happens) take him to that retirement age of of 65.

This is hardly shock news: all three of Graham’s predecessors as IC (formerly “Data Protection Registrar”) were reappointed after their initial terms of office, and he has, on most objective analyses, performed well in office: he got rid of the appalling backlog of Freedom of Information cases he inherited, and has been an effective stern-faced enforcer of data protection breaches. What he hasn’t done, yet, is see the implementation of the General Data Protection Regulation – the updating of the creaking 18-year-old current European data protection regime. But, given the apparently interminable wrangling about that instrument, one wonders whether an extra two years, starting in June 2014, will even help him achieve that.

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner

Tagged as ,

October 3, 2013 · 12:35 pm

Unintended FOI consequences

A nice little example of how a Freedom of Information (FOI) request can sometimes bring about an unexpected change, and advance a cause which has little to do with FOI.  Although in this instance I’m undecided whether this was a good thing or not.

On 3 January this year the Information Commissioner’s Office (ICO) issued a decision notice in respect of two requests for information made to Thames Valley Police (TVP) relating to

an incident in which the complainant’s driveway was blocked by the vehicle of someone he believes was visiting TVP headquarters

The ICO was satisfied, on the correct test of the balance of probabilities that TVP did not hold this information.

Nonetheless, the requester appealed that decision to the First-tier Tribunal (Information Rights), which has just issued a decision, in the form of a Consent Order disposing of the proceedings. The Schedule to the Consent Order explains

Thames Valley Police will give full and reasonable consideration to the reinstatement of 6 monthly liaison meetings with residents living in the vicinity of TVP HQ South with the objective of avoiding any unreasonable impact of operational activities on local residents

In consequence of this (and the agreement of the ICO) the request and the appeal have been withdrawn by the requester. So, a satisfactory outcome for the parties was achieved (although one notes that if the meetings are not arranged to the satisfaction of the requester, he will submit a further FOI request about the original incident!).

Of course, it would be have been preferable if this compromise could have been agreed in February 2011, when the requests first started. And a large amount of public money has been expended on something which is only very loosely, if at all, related to the aim of FOI (as stated in the explanatory notes to the Act): to provide a right of access to recorded information held by public authorities.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Tagged as ,

September 28, 2013 · 8:44 am

It’s our Right to Know, Mr ICO

On 29 August the Information Commisioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I though I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrats, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the high Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of indavertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has indavertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of indavertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such indavertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes

1 Comment

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

August 30, 2013 · 5:30 pm

ICO – no Code of Practice for data protection and the press

On the 12th of August the Information Commissioner’s Office (ICO) announced that, following a period of consultation, it would not – contrary to previously-stated intentions – be issuing a Code of Practice on Data Protection and the Press. The proposed Code had been in response to Lord Justice Leveson’s recommendations that the ICO produce

comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data

As the ICO’s Steve Wood says in the blogpost

Leveson did not stipulate a code but we proposed it as a possible vehicle for the guidance

Indeed they did, stating at the time that it was not

the ICO’s intention to purport to set ethical standards for journalists, or to interfere with the standards which already apply under relevant industry guidance, such as the Editors’ Code of Practice, the Ofcom Broadcasting Code, and the BBC Producers’ Guidelines. Nevertheless, the existing industry guidance does not consider the requirements of data protection law in any detail, and the ICO’s code will complement existing industry standards by providing additional coverage of this issue

However, the latest announcement – that the ICO is “looking to produce a guidance document” rather than carrying through with the issuing of a Code of Practice – is accompanied by the publishing of a summary of consultation responses to the draft Code of Practice. In fairness to the ICO, those who responded appeared not to want a Code, and, as any public authority will be aware, a consultation in name only (e.g. one with a predetermined outcome) is unlikely to be a lawful one. We are not told specifically who these responses were from, but that they were from “several media companies, individuals, regulators and representative bodies” (although there were only 16 responses overall, a figure which perhaps shames us all, or, alternatively, supports a view that not that many people were particularly aware of or bothered about the consultation). Seven responses specifically rejected the idea of a Code of Practice, with some concerns being

a code of practice implies a new set of rules or regulations;
risk of the ICO becoming a ‘mainstream de facto regulator of the press’;
risk of a proliferation of codes; and
risk of potential confusion with existing codes such as the Editors’ Code.

After pausing to note that the now-proposed ICO guidance will apparently be issued in draft (for further consultation) before the end of the year, which is a long, long way from meeting Leveson’s recommendation that any guidance be implemented within six months of his report,  it might be helpful to look at just why some respondents might have been unhappy with a Code of Practice, as opposed to “mere” guidance.

As is well-known, there is a very broad exemption, at section 32, from most of the obligations of the Data Protection Act 1998 (DPA) where:

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,
(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes [emphasis added]

This, broadly, means that, as long as personal data is processed with a view to journalistic publication (note: not that it has to be published) it is exempt from effectively all of the DPA (although not the 7th “security” principle) as long as the press body “reasonably believes” publication would be in the public interest. This has generally been taken to mean that it will be extremely difficult for a data subject to enforce her rights against, or for the ICO to regulate the activities of, the press. And, indeed, instances of successful DPA claims, or successful enforcement, against the press, are rare (privacy cases against the press, where they have included DPA claims, have tended to see the latter sidelined or dropped in favour of meatier claims in tort – see e.g. Douglas v Hello [2005] EWCA Civ 595 (where the DPA claim did succeed in the first instance, but only resulted in nominal damages) and Campbell v MGN [2002] EWCA Civ1373 (where, by contrast, the section 32 defence succeeded)). As Leveson LJ says

the effect of the development of the case law has been to push personal privacy law in media cases out of the data protection regime and into the more open seas of the Human Rights Act [page 1070 of Leveson Report]

 As everyone knows, the press kicked back strongly against parliament’s proposal of a Royal Charter for the press (that proposed Charter itself being the result of a rowing back by the political parties from Leveson’s proposal for some form of direct statutory underpinning of any regulatory scheme (“Guaranteed independence, long-term stability, and genuine benefits for the industry, cannot be realised without legislation”)). Both proposed Charters (the parliamentary-backed one and the Pressbof-backed one ) are to be considered by the Privy Council.

What has perhaps not been so widely-known, or widely-understood was that an ICO Code of Practice, if it had been designated by the Secretary of State (by means of an Order pursuant section 32(3)(b) of the DPA), would itself have constituted a form of statutory underpinning. This is because a Code designated in this way could have been taken into account by a court, or by the ICO, when determining whether personal data had been processed (for the special purposes) by the data controller in the reasonable belief that it had been in the public interest. The now-proposed “mere” guidance will not have the same status.

This might seem a minor point, and perhaps it is (bear in mind that there are already other Codes of Practice designated pursuant to section 32(3)(b), including the Press Complaints Commission Code of Practice) but, although we don’t know specifically who responded to the ICO’s consultation, it is safe to say that those who did included in their number organisations strongly opposed to (and alive to the threat of) any form of what they perceive to be statutory regulation of the press.

In this post I draw heavily on previous posts by Chris Pounder, on his Hawktalk blog, and if, as he suggested earlier this year, the then-proposed ICO Code raised the prospect of enhanced protection for ordinary data subjects, it is perhaps the case that the dropping of the proposal means no such enhanced protection.

1 Comment

Filed under Data Protection, human rights, Information Commissioner, journalism, Leveson

Tagged as , , ,

August 23, 2013 · 6:56 am

Pivot tables and databreaches

About a year ago I first became aware of reports of disturbing inadvertent disclosures of personal data (often highly sensitive) by public authorities who had intended only to disclose anonymous and/or aggregate data. These incidents were occurring both in the context of disclosures under the Freedom of Information Act 2000 (FOIA) and in the context of proactive disclosure of datasets. Mostly they were when what had been disclosed was not just raw data, but the spreadsheet in which the data was presented. Spreadsheet software is often very powerful, and not all users necessarily understand its capabilities (I don’t think I do). By use of pivot tables data can be sorted, summarised etc, but also, from the uninitiated or unwary, hidden. If the person who created or maintained a spreadsheet containing a pivot table is not involved in the act of publicly disclosing it it is possible that an apparently innocuous disclosure will contain hidden personal data.

Clearly such errors are likely to constitute breaches – sometimes very serious breaches – of the Data Protection Act 1998 (DPA) Those of us who were aware of a number of these inadvertent breaches were also aware that, if public authorities were not alerted to the risk a) the practice would continue and b) potentially large numbers of “disclosive” datasets would remain out in the open (in disclosure logs, on WhatDoTheyKnow, in open data sets etc). But we were also aware that, if the situation was not managed well and quietly, with authorities given the opportunity to correct/withdraw errors, inquisitive or even malicious sorts might go trawling open datasets for disclosures which could potentially be very damaging and distressing to data subjects.

It was with some relief, therefore that, following an earlier announcement by WhatDoTheyKnow, the Information Commissioner’s Office (ICO) finally gave a warning, and good guidance, on 28 June (although this relief was tempered by finding out, via Tim Turner, that the ICO had known about, and apparently done nothing about, the problem for three years). At the same time the ICO announced that it was “actively considering a number of enforcement cases on this issue”.

It appears that, according to an announcement on its own website, Islington Council is the first recipient of this enforcement. The Council says it has

accepted a £70,000 fine from the Information Commissioner’s Office (ICO) after a mistake led to personal data being released

after it

responded to a Freedom of Information (FOI) request asking for information including the ethnicity and gender of people the council had rehoused. The response, in the form of Excel spreadsheet tables, included personal information concealed behind the summary tables

Fair play to Islington for acknowledging this and agreeing immediately to pay the monetary penalty notice. And if some of the other reported breaches I heard about were as bad as they sounded £70,000 will be at the lower end of the scale.

(thanks to @owenboswarva on twitter for flagging this up)

UPDATE:

The ICO has now posted details of the MPN, and this clarifies that the disclosure was made on WhatDoTheyKnow and was only identifed when one of their site administrators noticed it.

Leave a comment

Filed under Breach Notification, Data Protection, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

August 22, 2013 · 5:28 pm

Academic Freedom and FOI

Pointed observations in a judgment which are not directly related to the matters pleaded are usually worth noting. Those in a recent case involving the PACE trial and Queen Mary, University of London, are essential reading for academics and support staff who deal with FOI

In a ruling handed down this week the First-tier Tribunal (Information Rights) (“FTT”) has upheld the Information Commissioner’s (IC) decision that Queen Mary, University of London, was entitled to rely on the exemption at section 36(2)(b)(1) and (2) of the Freedom of Information Act 2000 in refusing to disclose minutes of the Trial Steering Committee and Trial Management Groups of the Pace Trial. The trial had been set up to compare and test the effectiveness of four of the main treatments currently available for people suffering from chronic fatigue syndrome (CFS), also known as myalgic encephalomyelitis (ME), but it attracted considerable criticism from some quarters. In the words of the FTT

There has been a storm of comments about this study. There had been deeply wounding personal criticisms of individuals concerned and over the years individuals in this field of research and treatment have withdrawn from research in the face of hostile irrational criticism and threats.

The FTT found that the exemption was engaged:

it is pellucidly clear that the progress and conduct of research in this area would be hampered by the publication of minutes of meetings such as sought by this request because individuals would be less willing to engage in research, participate in steering committees, provide guidance, debate issues about the conduct of research as fully and frankly as they otherwise would; as fully and frankly as would most benefit the research and the patients it is intended to help

and the public interest favoured maintaining the exemption:

the appellant’s arguments in favour of disclosure of the minutes when so much has been made available publicly in relation to this research and been subjected to such high levels of independent scrutiny do not outweigh the considerable weight to be given to the public interest in maintaining the safe space for academic research

But the FTT then made wide-ranging and significant observations about the concept of academic freedom and its relation to FOI. The decision cites Article 13 of The Charter of Fundamental Rights of the European Community:

Freedom of the arts and sciences The arts and scientific research shall be free of constraint. Academic freedom shall be respected.

and section 202 of the Education Reform Act 1988 which places an obligation on the University Commissioners to

ensure that academic staff have freedom within the law to question and test received opinion, and to put forward new ideas and controversial or unpopular opinions, without placing themselves in jeopardy of losing their jobs or privileges they may have their institutions

and the FTT stresses the “profound importance” of academic freedom, noting that the IC has an obligation, as an emanation of the state, to give effect to Article 13. The judgment notes that the purpose of universities is to disseminate and generate knowledge and that disclosure of information is their primary purpose (“the activity which imbues the University with its moral significance”). In rather remarkable terms, the seeking of and disclosure of information (from academic institutions) under FOIA is unfavourably compared to this academic dissemination:

A parallel process of dissemination through FOIA is unlikely to be as effective or robust as the process of lectures, seminars, conferences and publications which are the lifeblood of the University. They are likely to be a diversion from the effective evaluation, publication and scrutiny of research through the academic processes. All too often such requests are likely to be motivated by a desire not to have information but a desire to divert and improperly undermine the research and publication process – in football terminology – playing the man and not the ball

One might pause to question whether this unfairly overplays the likelihood of FOIA requests being detrimental to academia, and also overstates the amount of information which is disseminated to the general public through academic research. Part of the reason for FOIA is that it enables the public to access information that public authorities specifically choose not to proactively disclose. One sees similar arguments at play in the apparent prioritising of the “transparency agenda” over FOIA disclosure.

There follows, though, a sensible suggestion for what researchers might consider at the outset of projects. With a view to the obligation to publish and maintain a publication scheme, institutions are advised that

it might well be worth considering at the start of a major project such as this setting out a publication strategy identifying what materials will be produced in the course of the project, which materials will be published and when (this will enable s22 to be considered if FOIA requests are received for such material), and which are unlikely to be published under FOIA as exemptions may be engaged

and the IC is (again with a nod to his Article 13 obligations) prompted to issue guidance on this.

Finally, the judgment suggests that the University missed a trick with this specific request

properly viewed in its context, this request should have been seen as vexatious- it was not a true request for information-rather its function was largely polemical and as such in the light of recent Upper Tribunal judgements might have been more efficiently and effectively handled if treated as vexatious

The Tribunal Judge, Christopher Hughes, has a wealth of experience in the field of academic and medical research. These are crucial observations about the relationship between FOI and academia. We already have a new exemption on its way specifically for academic research (by way of clause 19 of the Intellectual Property Bill) but this decision appears to reinforce the protection that academic research and associated information will be given from FOIA disclosure.

Postscript:

The BMJ has an article on this judgment (behind the paywall, but letters in response are here (thanks to Zuton who has commented below for drawing this to my attention).

8 Comments

Filed under Freedom of Information, Further education, Information Commissioner, Information Tribunal, Uncategorized

Tagged as ,

August 21, 2013 · 3:30 pm

Monetary penalties – focus on the breach, not the incident

The Information Tribunal’s judgment in the successful appeal by Scottish Borders Council shows that the ICO needs to focus on the contravention itself, not an incident which might arise from it

looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one

Sections 55A-E of the Data Protection 1998 (DPA), inserted by the Criminal Justice and Immigration Act 2008, provide for the Information Commissioner (IC) to serve a data controller with a monetary penalty notice (MPN) to a maximum of £500,000 if

  • he is satisfied that there has been a serious contravention of the controller’s obligations to comply with the data protection principles in Schedule One of the DPA, and
  • the contravention was of a kind likely to cause substantial damage or substantial distress, and
  • the contravention was either deliberate or the controller either knew or ought to have known that there was a risk that the contravention of its occurring and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

In its judgment, handed down today, on what is effectively* a successful appeal by Scottish Borders Council, the First-tier Tribunal (Information Rights) (“FTT”) has given guidance on, what is required in order for the IC to be satisfied that a serious contravention was likely to cause substantial damage or substantial distress. In particular, the FTT has clarified that, where the DPA talks about a “serious contravention”, the IC must focus on that, and not on any incident which might follow.

The Monetary Penalty Notice

The events giving rise to the original MPN (still currently on the IC’s website) are laid out by the FTT in the first two paragraphs of the judgment

Outside Tesco in South Queensferry there are some bins for recycling waste paper. They are of the “post box” type. On 10 September 2011 a member of the public found that one of the bins was overflowing. The material at the top, easily accessible, consisted of files containing pension records kept by a local authority (“Scottish Borders”). It turned out that a data processing company had transferred the information from hard copy files to CDs at Scottish Borders’ request. The data processor had then disposed of about 1,600 manual files in the post box bins at Tesco and at another supermarket in the town.

The police took into their possession all those files which they could reach. They then secured the bins and, with the cooperation of Scottish Borders, it was ascertained that the files concerned had now either been pulped without manual intervention or were now back in the safe keeping of the council.

The IC imposed an MPN of £250,000, finding that there had been a serious contravention of the obligation to comply with the seventh data protection principle (DPP7) which states that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

and that, where, as here, processing of personal data is carried out by a data processor on behalf of a data controller, the latter must choose as the former one who provides sufficient guarantees in respect of its data security measures, and ensure that such processing is carried out under a suitable written contract (I paraphrase).

The contravention here was the failure by the Council to ensure that it engaged an appropriate data processor (to dispose of the pensions records) in an appropriate way (by means of an adequate contract, properly monitored and adequately evidenced in writing).

The IC said that contravention was likely to cause substantial damage or substantial distress (query, which?) to those whose confidential data was seen by a member of the public and that

If the data has been disclosed to untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the data subjects such as exposing them to identity fraud and possible financial loss

Arguments and findings

The FTT found that there was a contravention. The Council had a long-standing (some 25-30 years) agreement with the data processor but it appears that the contractual arrangement was largely based on informal agreements and assurances. Although it was to an extent evidence in writing, this was still inadequate. Accordingly

the arrangements made by Scottish Borders for processing pension records in July and August 2011 were in contravention of the DPA

Further, the FTT was satisfied that the contravention was serious

the duties in relation to data processing contracts in paras 11 and 12 of schedule 1 are at the heart of the system for protecting personal data under DPA. It is fundamental that the data controller cannot be allowed to contract out its responsibilities [and] the contravention was not an isolated human error. It was systemic

However, counsel for the IC, the redoubtable Robin Hopkins, reminded the FTT that they must focus on the contravention which gave rise to the MPN. In this case, this was distinguishable from the events described in the first two paragraphs of the judgment: the contravention was the breach of DPP7, not the discovery of the data. On this basis, the FTT did not accept that the contravention had been of a kind likely to cause substantial damage or substantial distress. Evidence was taken from David Smith, Deputy IC, and the IC developed an argument focusing on the risks of identity theft, but the FTT seems to have felt that the evidence was either unconvincing (regarding the likelihood of identity theft) or still focused wrongly on what it calls the “trigger point” (the disposal/finding of the files in the bin) rather than the contravention itself. As to the latter

it seems to us that the fact that the data processor was a specialist contractor with a history of 25-30 years of dealings with Scottish Borders carries weight. He was no fly by night. The council had good reason to trust the company.

And, therefore

Focussing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one.

This illustrates a fundamental point, but one, it seems, of great significance. It will, no doubt, be seized upon eagerly by any data controller in receipt of a notice of intent to serve an MPN. (It was also, I should acknowledge, anticipated by observations by Tim Turner and Andrew Walsh, both former ICO employees). However, the FTT do stress that although this case did not involve a contravention of a kind likely to cause substantial damage or substantial distress

No doubt some breaches of the seventh DPP in respect of some data might be of such a kind

What now?

I said earlier this was “effectively a successful appeal”. It was in fact an appeal on a preliminary issue (on the liability of the Council to pay an MPN) and under the Data Protection (Monetary Penalties) Order 2010 the FTT may either allow the appeal or substitute such other notice or decision which could have been served or made by the IC. The FTT’s concerns about the Council’s procedures in relation to data processing contracts were “too serious” for them simply to allow the appeal, and they are – pending discussions between the IC and the Council – considering whether to issue an enforcement notice.

Notwithstanding the outcome of those discussions, this is an important judgment to be read alongside the unsuccessful MPN appeal by the Central London Community Healthcare NHS Trust. Until an MPN case gets appealed further we will not have binding authority, but the lines are perhaps becoming a bit clearer for data controllers, and, indeed for the ICO.

There were some interesting comments and observations by the FTT on “other issues canvassed in the course of [the] appeal but which it has not been necessary to resolve”. I hope to post a follow-up about these in due course.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice

Tagged as ,

August 18, 2013 · 10:46 am

Data Protection audits in the NHS

Do the results of an anonymous survey into data protection practices and attitudes of junior doctors provide justification for compulsory audits?

Continue reading

4 Comments

Filed under Data Protection, Information Commissioner, NHS

Tagged as ,

August 8, 2013 · 4:00 pm

The loophole to avoid enforcement?

Cabinet Office, FOI, Financial Times, Christopher Graham, blah blah blah

To recap. The Financial Times recently ran a resounding editorial on FOI, the ICO and the Cabinet Office, lauding the first, criticising the second’s lack of enforcement against the first, and lambasting the third. The Information Commissioner himself, Christopher Graham, replied in rather hurt tones, defending his office. Both Paul Gibbons (FOIMan) and Tim Turner have blogged on this. Here are my oar-sticking-in-coattail-hanging observations.

A key measure used by the Information Commissioner’s Office (ICO) to assess public authorities’ compliance with the Freedom of Information Act 2000 (FOIA) is the percentage of requests which are responded to within the statutory twenty day timescales. The guidance on this says

The ICO is may contact authorities [sic] if…(for those authorities which publish data on timeliness) – it appears that less than 85% of requests are receiving a response within the appropriate timescales.

Let’s ignore the obvious and worrying point that this is an encouragement not to publish such data. Fortunately for our purposes, government departments do commit to doing so, and quarterly reports covering the whole of central government are published. I can’t actually find them all on one page, so here are the reports for the last four quarters

April-June 2012
July-September 2012
October-December 2012
January-March 2013 

If you scroll through those datasets you’ll see that, over the last four quarters, the Cabinet Office has managed to respond to FOI requests within the statutory time limit or with a permitted extension in 92, 93, 95 and 86% of cases. Pretty good eh? This keeps them out of reach of the ICO radar. And, in fact, just prior to this, the Cabinet Office had been monitored by the ICO, and been required to sign an undertaking to improve, after appalling previous statistics had showed compliance in only 42 and 55% of cases in two quarters. After this monitoring period (the MoD were also monitored) the ICO announced

Both authorities have now improved their response times with over 85% of information requests being answered within the time limit of 20 working days and are working hard to deal with outstanding requests where responses have been unduly delayed. The ICO will continue to offer support and advice to help both Departments to ensure that outstanding requests are cleared as soon as possible.

However, what does “with a permitted extension” mean? It means, that in complex cases where a public authority needs more time to consider whether the public interest favours disclosure, it can disapply the twenty-working-day deadline and extend its time for compliance indefinitely, subject to reasonableness (although the ICO says it should be no more than an extra 20 days, he cannot enforce that). So let’s go back to those figures and see how the Cabinet Office would do if there wasn’t this potential loophole. If one simply asks “what percentage of requests were responded to within 20 working days?”, the figures are in fact 77, 77, 79 and 74%. Of course, without access to individual cases it is impossible to say whether these multiple extensions to consider public interest were made legitimately or not. However, the Cabinet Office appears to claim the extension much more than most other departments (the Foreign and Commonwealth Office has similar figures, however).

I am sure the Cabinet Office will claim that the reason it does this is because it has to deal with more complex cases. Maybe that’s the case, but it would be nice if someone could look into it. And, of course, the ICO could. The guidance on how authorities are selected for monitoring doesn’t stop at the 85%-compliance measure. It also says they may contact authorities if 

our analysis of complaints received by the ICO suggests that we have received three or more complaints citing delays within a specific authority within a six month period [or if there is] Evidence of a possible problem in the media or other external sources.

To which I say, ICO, the evidence is clear (look at Tim’s analysis, look at Paul’s, even look again at Chris Cook’s). Compliance stats are not the only measure (and even then they may hide the true picture). The triggers for enforcement are there, but is there a will?

And finally.

3 Comments

Filed under Cabinet Office, Freedom of Information, Information Commissioner, transparency

Tagged as , ,

August 6, 2013 · 4:11 pm

On the tweet where you live

Do Home Office tweets of people arrested on suspicion of committing immigration offences engage data protection law?

The recent sordid campaign by the Home Office to publicise their “crackdown on illegal immigration” involved the tweeting of pictures of people apparently arrested in connection with immigration offences. I’m loath to post links because any further publicity risks undermining my point in this piece, but suffice to say that two pictures in particular were posted, one of a man being escorted (police officers at either side of him, holding his arms) from what look like retail premises, and one of a man being led by other officers into a cage in the back of a van. In both cases, the person’s face has been blurred by pixelation. There have been suggestions that the broader aspects of the campaign (disgracefully, vans have been deployed displaying advertisements saying “In the UK illegally? Go home or face arrest“) might be unlawful for breach of the Public Sector Equality Duty, and some have argued that to use the hashtag #immigrationoffenders to accompany pictures of people only suspected of crime might be to prejudge a trial, and could even constitute contempt of court. However, I would argue that the tweets also engage, and potentially breach, data protection law.

For the sake of this argument I will work on the presumption that, because the images of their faces have been obscured no third party can recognise the individuals concerned (I think this is actually probably wrong – potential identifying features, such as location and clothing are still displayed, and it is quite likely that friends, relative, colleagues could identify them). However, this does not mean that the images are outwith the Data Protection Act 1998 (DPA) and the European Data Protection Directive 95/46/EC to which it gives effect. The former defines personal data as

data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller [emphasis added]

In this instance the Home Office (or its agents) must itself know who the people in the images are (they will have had sufficient identifying information in order to effect an arrest) so, in their hands, the images constitute the personal data of the people in them. As the Information Commissioner’s Office (ICO) explains

It is important to remember that the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands…data may not be personal data in the hands of one data controller…but the same data may be personal data in the hands of another data controller…depending on the purpose of the processing and the potential impact of the processing on individuals

So the taking, retaining and publishing of images of people whose identities are obscured but who can be identified by the data controller will constitute the processing of personal data by that data controller. Consequently, the legal obligations for fair and lawful processing apply: section 4(4) of the DPA imposes a duty on a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. Lord Hoffman explained this, in the leading FOI (and DPA) case on identification 

As the definitions in section 1(1) DPA make clear, disclosure is only one of the ways in which information or data may be processed by the data controller. The duty in section 4(4) is all embracing. He must comply with the data protection principles in relation to all “personal data” with respect to which he is the data controller and to everything that falls within the scope of the word “processing”. The primary focus of the definition of that expression is on him and on everything that he does with the information. He cannot exclude personal data from the duty to comply with the data protection principles simply by editing the data so that, if the edited part were to be disclosed to a third party, the third party would not find it possible from that part alone without the assistance of other information to identify a living individual. Paragraph (b) of the definition of “personal data” prevents this. It requires account to be taken of other information which is in, or is likely to come into, the possession of the data controller. Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47

So the Home Office cannot merely edit the data (by pixelation) and thus exclude it from the duty to process it in accordance with the data protection principles: these images are personal data. Moreover, they will come under the subset known as sensitive personal data, because they consist of information as to the commission or alleged commission by the data subject of any offence (they might also fall into this subset because they show the racial or ethnic origin of the data subject, but this is less certain).

The first data protection principle requires that

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
As this is sensitive personal data, a Schedule 3 condition must be met in order for the processing to be fair and lawful. Try as I might, I cannot find one that is (I adopt the list as explicated by the ICO)

  • The individual who the sensitive personal data is about has given explicit consent to the processing.
  • The processing is necessary so that you can comply with employment law.
  • The processing is necessary to protect the vital interests of: – the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or- another person (in a case where the individual’s consent has been unreasonably withheld).
  • The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
  • The individual has deliberately made the information public.
  • The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
  • The processing is necessary for administering justice, or for exercising statutory or governmental functions.
  • The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
  • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

It will be noted that the two conditions emphasised by me in italics might be thought to apply, but one notes the word “necessary”. In no way were these tweets “necessary” for the purposes to which those conditions relate. By contrast, when authorities publish photographs of wanted criminals, the necessity test will normally be made out. It is, I suppose, just possible that the data subjects gave their explicit consent to the tweets, but that’s vanishingly unlikely. (A question does arise as to what conditions permit the processing by the police of pixelated images of potential offenders in programmes such as “Police, Camera, Action” and “Motorway Cops”: it may be that this has never been challenged, but it may also be that the data controller is in fact the film company, who might be protected by the exemption from much of the DPA if the processing of data is for journalistic purposes).

(I would observe, in passing, that many customary practices to do with publication of information about crimes or suspicion of criminal behaviour are potentially in breach of these provisions of the DPA if they are construed strictly. Although there is the journalistic exemption mentioned above, those to whom that exemption arguably does not apply (bloggers, tweeters, police, other public authorities) are at risk of breach if they, for instance, publish identifying information about people who have criminal convictions or are suspected of having committed a crime. This area of the law, and its implications for open justice, have not, I think, been fully played out yet. For discussions about it see my post and others linked here.)

If no Schedule 3 condition can be met, the processing will not be in accordance with the first data protection principle, and the data controller will be in breach of section 4(4) of the DPA. What flows? Well, probably very little – the data subjects have a right to serve a notice (under section 10 of the DPA) requiring the cessation of processing which is causing or likely to cause substantial unwarranted damage or distress. Additionally, they have a right either to bring a civil claim for damages (very difficult to show) or to complain to the ICO. However, data subjects like this are not necessarily going to want to assert their rights in a strident way. The ICO himself could intervene – he has the power to take enforcement action if he is satisfied a data controller has contravened or is contravening the data protection principles (and, much to his credit, he has recently issued notices against a Council which was requiring taxi drviers to instal CCTV/audio recording facilities in all cabs, and against a Police force which was operating a “ring of steel” ANPR network). It appears though that the Home Office twitter account has gone quiet (it hasn’t tweeted in several days). Perhaps there have been second thoughts not just about the legality, but also the morality, of the campaign. I am always the optimist.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Home Office, human rights, Information Commissioner, journalism, police

Tagged as , ,