Tag Archives: police

ACPO: contractor’s error, or data controller’s liability?

I blogged a week or so ago about the worrying fact that the Association of Chief Police Officers (ACPO) were encouraging people to send sensitive personal data over an unsecure HTTP connection.

 a tweet…by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection. This is such a basic data security measure that it’s difficult to understand how it has happened…

Well now, thanks to Dan Raywood of ITSecurity Guru, we have a bit more information about how it did happen. Dan had to chase ACPO several times for a comment, and eventually, after he had run the story, they came back to him with the following comment:

The ACPO Criminal Records Office (ACRO) became aware of the situation concerning the provision of personal data over a HTTP rather than a encrypted HTTPS connection on Tuesday February 24. This was caused by a contractual oversight. The Information Commissioner was immediately advised. The secure HTTPS connection was restored on February 25. We apologise for this matter.

It’s good to know that they acted relatively quickly to secure the connection, although one is rather led to wonder whether or when – had not Paul Moore raised the alert – ACPO would have otherwise noticed the problem.

But there is potentially a lot of significance in the words “caused by a contractual oversight”. If ACPO are saying that a contractor is responsible for the website, and that it was the contractor’s error which caused the situation, they should also consider the seventh data protection principle in the Data Protection Act 1998 (DPA), which requires a data controller (which ACPO is, in this instance) to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

but also

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a)choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b)take reasonable steps to ensure compliance with those measures

What this means is that a failure to choose a data processor with appropriate security guarantees, and a failure to make sure the processor complies with those guarantees, can mean that the data controller itself is liable for those failings. If the failings are of a kind likely to cause substantial damage or substantial distress, then there is potential liability to a monetary penalty notice, to a maximum of £500,000, from the Information Commissioner’s Office (ICO).

In truth, the ICO is unlikely to serve a monetary penalty notice solely because of the likelihood of substantial damage or substantial distress – it is much easier to take enforcement action when actual damage or distress has occurred. Nonetheless, one imagines the ICO will be asking searching questions about compliance with the contract provisions of the seventh principle.

Thanks to IT Security Guru for permission to use the ACPO quote. Their story can be seen here.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, Data Protection, data security, Information Commissioner, police

ACPO encourage the sending of identity documents over insecure connection

ACPO – the Association of Chief Police Officers – are inviting people to send online data protection subject access request including copies of proof of identity, such as passports or bank statements over an insecure http connection. This is almost certainly in breach of ACPOs obligations under the Data Protection Act.

One of the most important rights under data protection law is that of “subject access”. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it. It was, for instance, through exercise of this subject access right that six journalists recently discovered that they were on the National Domestic Extremism and Disorder Intelligence database. The DPA recognises the importance of this right by enshrining it in its Schedule One Principles – the sixth principle obliges data controllers to process personal data in accordance with data subjects’ rights under the Act.

The following principle – the seventh – is the one which deals with data security, and it requires data controllers to have appropriate measures in place to safeguard against loss of personal data. The Information Commissioner’s Office (ICO) explains why this is important:

Information security breaches may cause real harm and distress to the individuals they affect – lives may even be put at risk. Examples of the harm caused by the loss or abuse of personal data (sometimes linked to identity fraud) include
– fake credit card transactions;
– witnesses at risk of physical harm or intimidation;
– offenders at risk from vigilantes;
– exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence…

But a tweet yesterday (22.02.15) by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection.

image1

This is such a basic data security measure that it’s difficult to understand how it has happened – and to confirm their identity people are being encouraged to send highly confidential documents, such as passports, over an unsecure connection. The ICO points out that

Failure to provide the first assurance (encryption) means that any sensitive information transmitted will be viewable via any computer system on the route between the two systems

At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping. The ICO was copied in to subsequent tweets, and it will be interesting to see what action they take.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, data security, Information Commissioner, police

Is an FOI request from an investigative journalist ever vexatious?

Last week, in the Court of Appeal, the indefatigable, if rather hyperbolic, Mr Dransfield was trying to convince three judges that his request, made long ago, to Devon County Council, for information on Lightning Protection System test results relating to a pedestrian bridge at Exeter Chiefs Rugby Ground, was not vexatious. If he succeeds in overturning what was a thorough, and, I think, pretty unimpeachable ruling in the Upper Tribunal, then we may, at last, have some finality on how to interpret section 14(1) of the Freedom of Information Act 2000 (FOIA):

a public authority [is not obliged] to comply with a request for information if the request is vexatious

But what is certain is that the Court of Appeal will not hand down a ruling which would allow a public authority to feel able merely to state that a request is vexatious, and do nothing more to justify reliance on it. But that is what the Metropolitan Police appear to have done in an extraordinary response to FOIA requests from the Press Gazette. The latter has been engaging in a campaign to expose what it believes to be regular use of surveillance powers to monitor or investigate actions of journalists. This is both a serious subject and a worthy campaign. Investigative journalism, by definition, is likely to involve the making of enquiries, sometimes multiple ones, sometimes speculative, “to discover the truth and to identify lapses from it”. It is inevitable that an investigative journalist will from time to time need to make use of FOIA, and the Information Commissioner’s Office (ICO) advises that

[public] authorities must take care to differentiate between broad requests which rely upon pot luck to reveal something of interest and those where the requester is following a genuine line of enquiry

The ICO doesn’t (and couldn’t) say that a FOIA request from an investigative journalist could never be classed as vexatious, but I think the cases when that would happen would be exceptional. The Upper Tribunal ruling by Wikeley J that Mr Dransfield is seeking to overturn talked of “vexatious” as connoting

a manifestly unjustified, inappropriate or improper use of a formal procedure

and

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

although it was stressed that these were neither exhaustive, nor a “formulaic checklist”.

It is difficult to imagine that the motive of the Press Gazette journalists can be anything but well-intended, and similarly difficult to claim there is no value or serious purpose to the request, or the other requests which need to be considered for context. Nor has there been, as far as I am aware, any suggestion that the requests have caused Met staff any harassment or distress. So we are (while noting and acknowledging that we are not following a checklist) only likely to be talking about “the burden on the public authority and its staff”. It is true that some requests, although well-intentioned and of serious value, and made in polite terms, have been accepted either by the ICO or the First-tier Tribunal (FTT), as being so burdensome to comply with that (even before considering whether FOIA costs limits are engaged) they merit rejection on vexatiousness grounds. In 2012 the FTT upheld an appeal from the Independent Police Complaints Commission, saying that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12 [costs limits]

and last year the FTT similarly allowed a late submission by the Department of Education that a request from the journalist Laura McInerney for information about Free School applications was vexatious because of the burden it would impose:

There is no question here of anything in the tone of the request tending towards vexatiousness; nor does anyone doubt Ms McInerney’s genuine motives…There is value in openness and transparency in respect of departmental decision making. That value would be increased by the academic scrutiny which the disclosed material would receive…In our judgment, however, these important considerations are dwarfed by the burden which implementation of the request places on DFE.

But it does not appear that the request in question from the Press Gazette was likely to go any way towards being grossly oppressive, or to being a burden which would “dwarf” the other considerations.

Moreover, and it does not appear to have been a point argued in the DfE case, there is an argument, explored through a series of cases in the Court of Justice of the European Union, and, domestically, in the Supreme Court, in Kennedy v ICO and Charity Commission, that Article 10 of the European Convention on Human Rights, providing as it does in part a right “to receive and impart information and ideas without interference by public authority” (subject to limitations that are prescribed by law, necessary and proportionate, and pursue a legitimate aim) might sometimes need to read down into FOIA, particularly where a journalist is the requester. Although the Supreme Court, by a majority, and on the facts (specifically in the context of a FOIA absolute exemption), rejected the submission in Kennedy, the argument in the abstract still has some weight – someone engaging in investigative journalism is clearly generally acting as a “social watchdog”, and the likelihood that they are making a FOIA request with bad motives, or without serious purpose, or in a way likely to harass or cause distress is correspondingly low. It seems to me that, absent the sort of “excessive burden” argument explored in the IPCC and DfE cases – and, as I say, the Met don’t seem to have advanced any such argument – to label a request from an investigative journalist as vexatious is to stand at the top of a slippery slope. One hopes that the Met review and reverse this decision.

p.s. In a world in which we are all journalists, this all has the potential to get very complicated.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

149 Comments

Filed under Article 10, Freedom of Information, journalism, police

Naming and shaming the innocent

Around this time last year I wrote two blog posts about two separate police forces’ decision to tweet the names of drivers charged (but not – yet, at least – convicted) of drink driving offences. In the latter example Staffordshire police were actually using a hashtag #drinkdriversnamedontwitter, and I argued that

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against

The Information Commissioner’s Office investigated whether there had been a breach of the first principle of Schedule One of the Data Protection Act 1998 (DPA), which requires that processing of personal data be “fair and lawful”, but decided to take no action after Staffs police agreed not to use the hashtag again, saying

Our concern was that naming people who have only been charged alongside the label ‘drink-driver’ strongly implies a presumption of guilt for the offence. We have received reassurances from Staffordshire Police the hashtag will no longer be used in this way and are happy with the procedures they have in place. As a result, we will be taking no further action.

But my first blog post had raised questions about whether the mere naming of those charged was in accordance with the same DPA principle. Newspaper articles talked of naming and “shaming”, but where is the shame in being charged with an offence? I wondered why Sussex police didn’t correct those newspapers who attributed the phrase to them.

And this year, Sussex police, as well as neighbouring Surrey, and Somerset and Avon are doing the same thing: naming drivers charged with drink driving offences on twitter or elsewhere online. The media happily describe this as a “naming and shaming” tactic, and I have not seen the police disabusing them, although Sussex police did at least enter into a dialogue with me and others on twitter, in which they assured us that their actions were in pursuit of open justice, and that they were not intending to shame people. However, this doesn’t appear to tally with the understanding of the Sussex Police and Crime Commissioner who said earlier this year

I am keen to find out if the naming and shaming tactic that Sussex Police has adopted is actually working

But I also continue to question whether the practice is in accordance with police forces’ obligations under the DPA. Information relating to the commission or alleged commission by a person of an offence is that person’s sensitive personal data, and for processing to be fair and lawful a condition in both of Schedule Two and, particularly, Schedule Three must be met. And I struggle to see which Schedule Three condition applies – the closest is probably

The processing is necessary…for the administration of justice
But “necessary”, in the DPA, imports a proportionality test of the kind required by human rights jurisprudence. The High Court, in the MPs’ expenses case cited the European Court of Human Rights, in The Sunday Times v United Kingdom (1979) 2 EHRR 245  to the effect that

while the adjective “necessary”, within the meaning of article 10(2) [of the European Convention on Human Rights] is not synonymous with “indispensable”, neither has it the flexibility of such expressions as “admissible”, “ordinary”, “useful”, “reasonable” or “desirable” and that it implies the existence of a “pressing social need.”
and went on to hold, therefore that “necessary” in the DPA

should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends
So is there a pressing social need to interfere with the rights of people charged with (and not convicted of) an offence, in circumstances where the media and others portray the charge as a source of shame? Is it proportionate and fairly balanced to do so? One consideration might be whether the same police forces name all people charged with an offence. If the intent is to promote open justice, then it is difficult to see why one charging decision should merit online naming, and others not.But is the intent really to promote open justice? Or is it to dissuade others from drink-driving? Supt Richard Corrigan of Avon and Somerset police says

This is another tool in our campaign to stop people driving while under the influence of drink or drugs. If just one person is persuaded not to take to the road as a result, then it is worthwhile as far as we are concerned.

and Sussex police’s Chief Inspector Natalie Moloney says

I hope identifying all those who are to appear in court because of drink or drug driving will act as a deterrent and make Sussex safer for all road users

which firstly fails to use the word “alleged” before “drink or drug driving”, and secondly – as Supt Corrigan – suggests the purpose of naming is not to promote open justice, but rather to deter drink drivers.

Deterring drink driving is certainly a worthy public aim (and I stress that I have no sympathy whatsoever with those convicted of such offences) but should the sensitive personal data of who have not been convicted of any offence be used to their detriment in pursuance of that aim?

I worry that unless such naming practices are scrutinised, and challenged when they are unlawful and unfair, the practice will spread, and social “shame” will be encouraged to be visited on the innocent. I hope the Information Commissioner investigates.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, human rights, Information Commissioner, Open Justice, police, social media

Twitter timeline changes – causing offence?

@jamesrbuk: Well that’s jarring: Twitter just put a tweet into my feed showing a still from the James Foley beheading video, from account I don’t follow

When the Metropolitan Police put out a statement last week suggesting that merely viewing (absent publication, incitement etc) the video of the beheading of James Foley, they were rightly challenged on the basis for this (conclusion, there wasn’t a valid one).

But what about a company which actively, by the coding of its software, communicates stills from the video to unwilling recipients? That seems to be the potential (and actual, in the case of James Ball in the tweet quoted above) effect of recent changes Twitter has made to its user experience. Tweets are now posted to users’ timelines which are not from people followed, nor from followers of people followed

when we identify a Tweet, an account to follow, or other content that’s popular or relevant, we may add it to your timeline. This means you will sometimes see Tweets from accounts you don’t follow. We select each Tweet using a variety of signals, including how popular it is and how people in your network are interacting with it. Our goal is to make your home timeline even more relevant and interesting

I’m not clear on the algorithm that is used to select which unsolicited tweets are posted to a timeline, but the automated nature of it raises issues, I would argue, about Twitter’s responsibility and potential legal liability for the tweets’ appearance, particularly if the tweets are offensive to the recipient.

Section 127 of the Communications Act 2003 says

A person is guilty of an offence if he—

(a)sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or

(b)causes any such message or matter to be so sent.

The infamous case of DPP v Chambers dealt with this provision, and although Paul Chambers was, thankfully, successful in appealing his ridiculous conviction for sending a menacing message, the High Court accepted that a tweet is a message sent by means of a public electronic communications network for the purposes of the Communications Act 2003 (¶25).

A still of the beheading video certainly has the potential to be grossly offensive, and also obscene. The original tweeter might possibly be risking the committing of a criminal offence in originally tweeting it, but what of Twitter, inserting into an unwilling recipient’s timeline?

Similarly, section 2 of the Terrorism Act 2006 creates an offence if a person is reckless at whether the distribution or circulation of a terrorist publication constitutes a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism (it’s possible this is the offence the Met were -oddly – hinting at in their statement).

I’m not a criminal lawyer (I’m not even a lawyer) so I don’t know whether the elements of the offence are made out, nor whether there are jurisdictional or other considerations in play, but it does strike me that the changes Twitter has made have the potential to produce grossly offensive results.

Leave a comment

Filed under police, social media

The Savile Tapes – ICO says request for audio was vexatious

There is no index of character so sure as the voice – Benjamin Disraeli, Tancred

In October 2013 Surrey Police disclosed, in response to a request made under the Freedom of Information Act 2000 (FOIA) the transcripts of police interviews (under caution) of Jimmy Savile. The Information Commissioner’s Office ICO) has now ruled on a related request, which was for the actual audio recordings of the same interview, and, rather surprisingly, the ICO has agreed with the Police that they did not have to comply with the request, on the grounds that it was vexatious.

Until relatively recently it was difficult to rely on section 14(1) of FOIA (“a public authority [need not] comply with a request for information if the request is vexatious”) simply because the costs burden of dealing with it was too great. The ICO’s guidance did advise that one of the factors to bear in mind when considering whether a request was vexatious was “Would complying with the request impose a significant burden in terms of expense and distraction?”, but in general, for a public authority to refuse to comply with a FOIA request because of the costs, it had to be able to claim that the cost of compliance exceeded the appropriate limit (section 12 FOIA). However, a decision of the First-tier Tribunal (FTT) in 2012 appeared to shift the ground somewhat. Although FTTs’ decisions are not precedent, it was notable that a public authority (the IPCC in this case) was said to be entitled to rely on section 14(1) on the basis that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12

As the always-excellent Pantopticon blog said at the time

This will be welcomed by those who find themselves unable to rely on section 12 due to the restricted list of activities which can be taken into account for cost purposes

but the context in that particular case meant that, in fact, the intentions and bona fides of the requester were relevant

The present requests were, in our opinion, not just burdensome and harassing but furthermore wholly unreasonable and of very uncertain purpose and dubious value…We are by no means convinced of [the requester’s] good faith in making it

In the leading case on section 14(1) – IC v Dransfield [2012] UKUT 440 (AAC) – Wikeley J said that it was helpful, when considering whether a FOIA request is vexatious, to consider four “broad issues or themes”

(1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

but that ultimately, the test amounts to

is the request vexatious in the sense of being a manifestly unjustified, inappropriate or improper use of FOIA?

The ICO’s guidance, amended in light of Dransfield reframes this slightly and says that the

the key question a public authority must ask itself is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress

The ICO draws on this guidance in the Savile decision, but, notably, appears to give considerable credence to the police’s evidence regarding the disruption – the burden – that redacting the audio of the interviews would cause, but does not appear to have interrogated this assertion in any depth. Moreover, the ICO notes its lack of expert knowledge on the subject of redaction, but nothing (other than, presumably, limited resources) prevented it from consulting an expert. Given that this appears to have been the primary evidence for the finding of vexatiousness (the ICO accepted that the requester’s motives were not intended to cause disruption or harassment) and given that the ICO accepted that there was a “qualitative difference” between the written transcripts and the audio (“The speed, volume, expressiveness and intonation of the actual speech may be considered to shed more light on how Savile responded to what was put to him in the interview”) it is difficult to see how the ICO decided that request could have been vexatious, rather than just of a level of annyoance and disruption it accepts a public authority must absorb. The request, using Wikeley J’s formulation, was not improper, it was not inappropriate – and was it really, therefore, a “manifestly unjustified use of FOIA”?

One hopes the bar of vexatiousness has not been lowered too far.

 

31 Comments

Filed under Freedom of Information, Information Commissioner, police, vexatiousness

Jackals among the tombs*

The Information Commissioner has ordered disclosure by the Metropolitan Police of the ages of the deceased children whose identities were used by the ‘Special Demonstration Squad’

UPDATE 23.09.14: The latest listings from the Information Tribunal reveal that the Met are appealing the ICO decision :END UPDATE

UPDATE 07.01.15: The Met clearly decided to withdraw their appeal, and disclosed the information :END UPDATE

In Frederick Forsyth’s novel The Day of the Jackal the protagonist uses a heartless, but, at the time of the novel’s writing, well-known, method of assuming a false identity. He visits graveyards until he finds the gravestone of a dead child who would have been born about the same time as him, then purchases the child’s birth certificate, which he uses to obtain a fake passport. In 2003 Forsyth said

I asked a forger how to get hold of a passport. He told me there were three ways. Steal one and substitute a photograph. Bribe an official for one ‘en blanc’ in which you can fill in your details. Or apply for one under a false name

In February 2013 the Home Secretary, Theresa May, announced that the existing investigation into undercover policing in the Metropolitan Police Service would now be headed by the Chief Constable of Derbyshire Police. This was in part because of serious allegations aired in the Guardian about a covert police officer apparently adopting the identity of a baby named Rod Richardson, who had died at the age of two days old, in 1973.

The ensuing first report into what had become Operation Herne found that there was

 both documentary proof and witness accounts to confirm that the genuine details of deceased children were extensively used by members of the SDS until around 1995 so as to create cover identities and thereby enable the officers to infiltrate a range of violent protest groups

It described the practice as “morally repugnant”, effectively excused it as being necessary within the constraints of the time, but did acknowledge that

There is understandable public, political and media concern about the use of the identities of deceased children, irrespective of the context, of the operational rationale, of any perceived necessity and of any legal considerations

 Although it said that the issue should not detract from the importance of the tactic of undercover policing.

Perhaps the Met had this in mind when they refused to disclose, in response to a request made under the Freedom of Information Act 2000 (FOIA), the mere ages of the 42 dead children whose identities the report either confirmed were or were considered as highly likely to have been (ab)used. The Met placed perhaps most weight on the fact that disclosing this information would allow officers to be identified (thus engaging the FOIA exemption at section 40(2)), but the Information Commissioner’s Office (ICO) was distinctly unimpressed with this argument

 the Commissioner does not consider the age of a child who dies at some point over a forty year period meets the criteria of being the ‘personal data’ of an undercover officer as the age alone is simply too far removed to make any such link

Nor, for a similar reason, were the exemptions at section 38 (prejudice to health and safety) and section 24 (safeguarding national security) engaged: if officers could not be identified from this information then their health and safety could not be prejudiced and there was no compromise to the need to safeguard national security.

The ICO did concede that exemptions at section 30 was engaged. This exemption deals – broadly – with investigations conducted by relevant public authorities into potential criminal offences, and information which relates to the obtaining of information from confidential sources. However, and ultimately, the public interest favoured disclosure. The ICO found particularly compelling, as will many, the following submission from the requester

There is…a clear public interest with regards to the hundreds of thousands of families who lost a child during the relevant period. Any of these families may fear that their relative’s details were used by police officers without consent. The question of whether the 42 families should be told is complex. By confirming which ages were used, the MPS would also be confirming which ages were not used. This information could help answer the questions of tens of thousands of families for each any [sic] age that is identified as not having been used

Perhaps, if it transpires (the Met can, of course, appeal) this FOIA disclosure will, even more than most, serve a public interest.

*Faith, like a jackal, feeds among the tombs, and even from these dead doubts she gathers her most vital hope – Herman Melville

1 Comment

Filed under Freedom of Information, Information Commissioner, police

Police building register of domestic CCTV for crime investigation purposes?

This is a flyer apparently being distributed by Thames Valley Police (TVP).

flyer

It invites householders who have private CCTV systems to register with TVP, who want to use those systems “in order to assist us in future investigations”.

Surveillance camera footage can undoubtedly be of great use in the investigation and prosecution of crime. But there is a potential problem for householders who decided to register with TVP, and I’d be interested to know if the latter have taken this into account.

The problem is this: CCTV cameras involve the processing of data, and where they capture images of identifiable individuals, it is personal data that they are processing. Purely domestic processing of personal data is exempt from all of the obligations under the Data Protection Act 1998, but when the processing is no longer purely for domestic purposes, then legal obligations potentially attach themselves to those doing the processing. The Information Commissioner’s Office (ICO) CCTV Code of Practice (both the current 2008 version and an updated version currently in draft) explains

The use of cameras for limited household purposes is exempt from the DPA. This applies where an individual uses CCTV to protect their home from burglary, even if the camera overlooks the street or other areas near their home

But the corollary of this is that if its use is not purely for the “household purposes” of protecting one’s home from bulgary, then the exemption no longer applies. If householders are determining that the purpose for which they will process personal data is to assist TVP in criminal investigations, then they are data controllers.

This can’t simply be TVP wanting a register of CCTV-operating households to assist them if a crime happens on those specific premises, because that would be pointless: in those circumstances the householder would draw the footage to the police’s attention. No, this must be that TVP want to be able to access footage of relevant incidents outwith the individual household. 

I’ve asked TVP if they have any policy statement or guidelines on this initiative, and will update as and when they reply.

1 Comment

Filed under Data Protection, police, Privacy, surveillance, surveillance commissioner

What’s so foolish about FOI?

The television presenter Phillip Schofield took to Twitter recently to draw attention to a Freedom of Information (FOI) request to Avon and Somerset Police. He did so because the request had asked about the cost to the force of Mr Schofield’s attendance at an open day.

Message to Tom Hodder .. No Fee!! My bro works for the police, it was a family day out!

I’ve no problem with his drawing attention to it, nor with his naming the person, but I thought it was rather unpleasant that he chose to use the hashtags #WastingPoliceTime #Fool. As Mr Schofield, and the response on WhatDoTheyKnow.com, say, the cost was nil, but I don’t suppose Mr Hodder was to know that: Mr Schofield was described on his own employer’s site as having been invited to attend, and he promotes himself as someone for hire for “personal appearances”. I didn’t know Mr Schofield’s brother works for the police, and I suspect Mr Hodder didn’t either.

Wasting Police Time is a term used to describe a criminal offence. What Mr Hodder was doing was exercising his statutory right to ask a public authority for information (in this instance about the expenditure of public funds), and I see nothing wrong in what he asked (nor, indeed, in the response by the police. I am sure Mr Schofield wasn’t seriously suggesting the commission of a criminal offence, but his use of the term, and the epithet “fool” seem mean-spirited. And, of course, as he might have expected, many of his fans jumped to his defence and to verbally attack Mr Hodder.

All this seems rather ironic when one considers Mr Schofield’s involvement in 2012 in another “transparency” story. This was when he confronted the prime minister with a list of alleged child sex abusers which he had found online, but which he failed to shield from the studio cameras – a stunt which Jonathan Dimbleby described as “cretinous”. This led to his employer having to pay the late Lord McAlpine (whose name was on the list) £125,000 to settle a defamation claim. Even the apology which followed the incident had a mean-spirited air about it, when Mr Schofield appeared to blame the cameraman.

Mr Schofield has one of the largest followings on Twitter (2.99 million, at the time of writing). People with that sort of following carry some responsibility, and if they criticise named individuals they should do so fairly. I think it would be in order if he apologised to Mr Hodder.

 

 

2 Comments

Filed under Freedom of Information, police, social media

A public interest test in the Data Protection Act?

Mr Justice Cranston has suggested that there is a public interest factor when considering whether disclosure of personal data would be “fair” processing. I’m not sure that is right.

The first data protection principle (DPP1) in Schedule 1 of the Data Protection Act 1998 (DPA) says that personal data must be processed “fairly” (and lawfully). But what does “fairly” mean?

In an interesting recent case (AB v A Chief Constable [2014] EWHC 1965 (QB)) the High Court determined that, on the very specific facts, it would not be fair, in terms of DPP1, and common law legitimate expectation, for a Chief Constable to send a second, non-standard, reference to the new employer of a senior police officer who was subject to disciplinary investigation. (The judgment merits close reading – this was by no means a statement of general principle about police references). The reason it would not be fair was because the officer in question had tendered his resignation upon the sending of the initial, anodyne, reference, and the force had terminated misconduct proceedings:

He was thus in the position that for the Force to send the second reference would most likely leave him without employment and without the opportunity to refute the gross misconduct allegations. In these special circumstances it would be a breach of the Data Protection Act 1998 and undermine his legitimate expectations for the second reference to be sent [¶94]

Something in particular struck me about the judge’s analysis of DPP1, although, given the outcome, it was not determinative. He rejected a submission from the claimant officer that the duty of fairness in the DPP1 and the European Data Protection Directive was a duty to be fair primarily to the data subject. Rather, correctly identifying that the privacy rights in the Directive and the DPA are grounded in article 8 of the European Convention on Human Rights and in general principles of EU law, he held that

The rights to private and family life in Article 8 are subject to the countervailing public interests set out in Article 8(2). So it is here: assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure [¶75]

I am not sure this is right. Recital 28 of the Directive says

Whereas any processing of personal data must be lawful and fair to the individuals concerned [emphasis added]

and recital 38 suggests that whether processing is “fair” is in large part dependent on whether the data subject is made aware of the processing and the circumstances under which it takes place. These recitals give way to the descriptions in Articles 10 and 11 which both talk about “fair processing in respect of the data subject” (again, emphasis added). Similarly Part II of Schedule One to the DPA provides interpretation to DPP1, and says that in determining whether personal data are processed fairly

regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed

Admittedly this introduces “any person”, which could be someone other than the data subject, but more general considerations of public interest are absent. It is also notable that the Information Commissioner’s position in guidance seems predicated solely on the belief that it is the data subject’s interests that are engaged in an analysis of “fairness”, although the guidance does conceded that processing might cause some detriment to the individual without it being unfair, but I do not think this is the same as taking into account public interest in disclosure.

To the extent that a public interest test does manifest itself in DPP1, it is normally held to be in the conditions in Schedules 2 and 3. DPPP1 says that, in addition to the obligation to process personal data fairly and lawfully, a condition in Schedule 2 (and, for sensitive personal data, Schedule 3) must be met. Many of these conditions contain tests as to whether the processing is “necessary”, and that “necessity test” constitutes a proportionality test, as described by Latham LJ in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends

To import a public interest test into the word “fairly” in DPP1 seems to me to be a potentially radical step, especially when disclosures of personal data under the Freedom of Information Act 2000 (FOIA) are being considered. As I say – I doubt that this is correct, but I would welcome any contrary (or concurring) opinions.

(By the way, I at first thought there was a more fundamental error in the judgment: the judge found that a rule of law was engaged which ordinarily would have required the Chief Constable to send the second reference:

the public law duty of honesty and integrity would ordinarily have demanded that the Chief Constable send the Regulatory Body something more than the anodyne reference about the claimant [¶93]

If a rule of law necessitates disclosure of personal data, then the exemption at section 35 DPA removes the requirement to process that data fairly and lawfully. However, I think the answer lies in the use of the word “ordinarily”: in this instance the doctrine of legitimate expectation (which the claimant could rely upon) meant that the public law duty to send the second reference didn’t apply. So section 35 DPA wasn’t engaged.)

 

 

 

 

 

7 Comments

Filed under Confidentiality, Data Protection, human rights, police