Section 36 of FOI: An Appellant’s Perspective

Norman Baird writes:

The University of London International Programmes offers an LLB degree by distance learning. It is studied by thousands of students worldwide. With such a large number of students, the University relies on a large number of lecturers from a variety of universities to mark the exam scripts. The University provides some academic support – in the form of written guides and recorded lectures – but relies on private institutions to provide face-to-face tuition. I am Academic Director of one such institution. I made an FOI request for the marking guidelines issued to the markers.

My request was declined. The University relied on S.36(2)(c) which is engaged if, in the reasonable opinion of the Qualified Person (QP), disclosure would or would be likely to prejudice the effective conduct of public affairs. If it is engaged it is then subject to a public interest test. The University stated that:

“disclosing the marking guidelines, in this case and as a precedent, would fundamentally affect one of the University’s core functions, that of robust exam assessment”.

And this opinion was arrived at on the basis of three subsidiary claims of particular harms. These are, somewhat confusingly, also described in terms of prejudices.

First, the University contended that “the disclosure of the marking guidelines… would be likely to prejudice the effective operation of the University’s examiners in preparing the most robust and effective guidelines…”

Second, that “disclosure of the marking guidelines would be likely to prejudice the actions and efforts of students, who may try to adapt their essay answers to marking guidelines developed at examiner level for examiners, resulting in mistakes in comprehension and lower attainment scores.”

Third, the University maintained that “disclosure would be likely to prejudice the nature of the guidelines, where a requirement to establish a process to publish marking guidelines will transform them from useful internal assessment tools to just another external facing study aid, of which a wide range of provision already exists.”

The Information Commissioner found in favour of the University and so I appealed to the First Tier Tribunal (Information Rights) on the grounds that the opinion was neither reasonable in substance nor reasonably arrived at. In addition, I contended that the public interest in favour of disclosure outweighed the arguments against. But in the limited space here I only want to look at a couple of my submissions.

My first ground was that the Qualified Person, Vice-Chancellor (V-C) Professor Geoffrey Crossick, had not expressed an opinion as required by the section. This had been added to my grounds of appeal at a late stage as it was only when the University responded to my initial appeal that I first saw the ‘opinion’ signed by the Qualified Person. He had been provided with an ‘evidence pack’ in which he was advised that, in the opinion of the International Academy of the University, disclosure would be prejudicial. He had written:

“I have now reviewed the evidence with respect to the FOI request asking for… the marking guidelines. It is my conclusion that the opinion – that disclosing the marking guidelines, in this case and as a precedent, would fundamentally affect one of the University’s core functions, that of robust exam assessment – is reasonable in substance.

I confirm that, in my capacity as qualified person, that this exemption is engaged with respect to the request for marking guidelines.”

He states that the opinion (of the International Academy) that disclosure would be prejudicial was a reasonable one. Now, it is clear that one person may recognise another’s opinion as reasonable without sharing that opinion. The section requires the QP to express his opinion that prejudice would or would be likely to be caused. The V-C did not do so.

And it is not possible to conclude from his final sentence that he believed that prejudice would result. He appears to have formed the view that, provided he thought the opinion was reasonable, the section was engaged. In effect, he expressed himself in terms consistent with the role of the Information Commissioner and not that required of a Qualified Person.

It is notable that the V-C was not consulted again at the internal review stage and there was no other evidence that, in his opinion, disclosure would be prejudicial. In addition, the advice given in the evidence pack with which the V-C had been provided was ambiguous. Although S.36(2)(c) was reproduced, the V-C had been advised that the University’s opinion was that disclosure would be prejudicial and that he was required to ‘authorise’ the exemption.

My second ground of appeal was that the ‘opinion’ was not reasonably arrived at. There were a number of limbs to this submission including the fact that the subsidiary claims were unsupported by evidence, were barely comprehensible and there was no evidence that anyone involved in making the decision or advising the V-C had actually read the documents.

But I would like to focus on one submission as it appears to me to be central to the way in which the ‘opinion’ and the Decision Notice (DN) should be approached. It is well established that although the opinion need only be a reasonable opinion and not the most reasonable it must be ‘rational’, ‘not illogical’, ‘not arbitrary’. I submitted that there was a lack of logical coherence between the opinion and the subsidiary harms upon which it rests.

The ‘opinion’ was that disclosure would prejudice robust exam assessment. The subsidiary claims, however, are expressed in terms of likely effects. To conclude that prejudice to the assessment system would occur because prejudice to students and examiners is likely is as illogical and irrational as concluding that consumption of a drug would be fatal on the grounds that it is likely to induce a fatal heart attack and/or terminal cancer.

The response to this argument by the Information Commissioner was that although the University and the Decision Notice had claimed throughout that disclosure ‘would’ cause prejudice the overall tenor of the opinion and the DN was that the ‘would be likely’ limb was being relied on. In effect, the IC is saying that although he said one thing he meant another. As I argued at the Tribunal, if the opinion is to be read so that it is consistent with the subsidiary claims it is impossible for a requester to argue that the opinion and the subsidiary claims are incoherent.

The section is a powerful one for a Public Authority. It has been described as a ‘get out of jail free card’ and so it is submitted that it ought to be construed narrowly and applied strictly. It is not particularly difficult to express the opinion correctly. And although the Decision Notice is not to be read as though it is a judgment of the Court of Appeal, a requester who appeals is at a great disadvantage if all its inconsistencies are smoothed over to ensure the appearance of logical consistency and coherence.

It has been said (and was repeated at the Tribunal) that a requester will find it difficult to establish that an opinion was not ‘a reasonable opinion reasonably arrived’. That will certainly be true if an opinion can be found when none was expressed and if the central requirements of reasonableness – rationality and logical coherence – are ignored or fudged.

I look forward to reading the opinion of the Tribunal but I am not optimistic.

Norman Baird has been lecturing on Criminal Law and Jurisprudence for approximately 30 years and runs law courses in London and abroad. He also publishes a blog:

Ibrahim Hasan will be discussing this and other recent FOI decisions in our FOI Update workshops in 2014.

Do you want an internationally recognised qualification in FOI? The BCS/ISEB Certificate in Freedom of Information starts in March 2014 in London and Manchester.

Net Loss or Net Gain


Great news. If you use East Coast trains extensively you can collect Reward points. This festive season you can maybe win a thousand or even (gasp) a million if you sign up now.

That’s enough to get you free Wi-Fi on your next East Coast journey…enjoy VIP treatment in a First Class Lounge…or save up for a great choice of gifts like fine wine, free train travel and lots more. It’s fast, free and easy to join so get on board today and who knows, Father Christmas could be delivering an extra gift with love from us!

Unfortunately, if you exercise your right not to receive marketing material from East Coast, guess what happens to these millions of points.

When you use Wi-Fi on an East Coast train this is what you see.

To get internet access, please enter your email address.

Remember Me. Please untick if you do not wish to receive marketing communications from East Coast.

Please note that unticking this box will suspend your Rewards membership, meaning you are not able to earn or use Rewards Points.

Freely Given Consent? I’m sure other phrases will spring to mind…

Ho, Ho, Ho

A waste of energy


We’re renovating a house which we don’t live in.

1) An energy company writes to say they’ve called twice to read the meter but no-one is in.
Yes because we don’t live there.
In the letter they say please make an appointment for them to read your meter. Partner and joint owner of the house rings up to do so. Energy company refuse to talk to her as bill is in my name. Data Protection…
She grumbles. They say OK we’ll make an appointment but we won’t tell you when it is. My partner points out the obvious error. They withdraw their offer.
2) They talk to me today as they need to make an appointment for meter replacement. The team that does that finish at 5 and it’s after 5. Can we ring you Monday – No I’m actually training all day – will you talk to my partner. I can authorise her to talk to you. They say yes but this authorisation will expire when the call centre operative goes home at 8pm today.
It’s not Eon. I’ve been saving this graphic for a while. It hits the spot.

A comprehensive Privacy Policy.

I decided to look at Miley Cyrus’s website. Don’t know why. I just picked a teenage pop singer at random. I found however that I couldn’t just look at her website, I had to register before entering her website. I admit that I’m in socio-economic group A++ and age group 55 to 65 so my next action was probably not typical of a teenage hero-worshipper but I clicked on Privacy Policy to see what would happen if I registered to become a Mileyite.

The privacy policy was in the smallest font I have ever seen. It was also in a dusky pink graduated to deep purple background. It was hard work reading it so I right clicked, manipulated it into Arial 14 black and white using a well-known word processor and before long I had 6 pages of top quality claptrap. Have a look…

Privacy Policy

This policy is effective as of November 29, 2011, and reflects only non-material changes and clarifications from the previous version.

Please read these terms of use carefully as they contain important information regarding your legal rights, remedies and obligations. these include various limitations and exclusions, and a dispute resolution clause that governs how disputes will be resolved.

This Privacy Policy, effective November 29, 2011, is designed to help you, the user, understand how Ground(ctrl)™ (“us”, “we”, or “our”) collects and then uses the personal information you provide us when signing up as a new “member.” We do this so you can make informed decisions both when deciding whether to become a member and when using this service.

By accessing and/or using this web site, you are (1) becoming a member of the Ground(ctrl)™ social networking community (the “network”) and (2) accepting the practices described in this Privacy Policy.

We would like to thank you for becoming a member of the network—a network that takes each member’s privacy rights seriously. If you have any questions concerning the network’s Privacy Policy, please contact us at the mailing address, telephone number, or email address at the end of this page.

About ground(ctrl)™

Ground(ctrl)™, as a third-party administrator, maintains and administers the network and this web site. The intent of this web site, and other similar sites maintained and administered by us, is to create a social networking community wherein members can communicate with each other as well as interact with and promote their favorite musicians’ careers.

To enhance each member’s social networking experience, we request and display personal information to other members and visitors. This information is necessary to allow members to identify each other, expand their network of friends, promote each member’s favorite musicians through contests and other incentives, and to repay members for their interaction with the network through contests and prizes.

The Information We Collect

When you visit this web site, you provide us with three types of information:

  1. Web site information collected by us through your interaction with this web site;
  2. Personal information you knowingly and voluntarily disclose to us when signing up as a member and through the continued use of this service; and
  3. Personal information you knowingly and voluntarily disclose to use when using this service.

First, when you or any member signs on to this service, we collect your IP address, your browser type, and certain information from your browser using “cookies”. A cookie is a piece of data stored on a computer that is tied to information about the user. You can easily remove or block this cookie using the settings in your browser if you wish to disable this feature. To confirm that you are logged into the service, we use session ID cookies that immediately terminate once you close your browser.

Second, when signing up as a member to this web site, and during membership, we collect several pieces of personal information to enhance the network. This information includes the following:

  • Your first and last name
      • For the purpose of addressing you personally
  • Your email address and encrypted password
      • To provide you with access to your personal account, and to send notifications about activity on the website
  • Street address, city, state, postal code, country
      • To verify billing information for orders you place on the website and/or ship merchandise to you
  • Your location
      • So you may optionally share your geographic location with other members of the website
  • Birth date
      • So that you may optionally share your age with other members of the website
  • AIM, Yahoo screen name, Jabber, ICQ screen names
      • So that you may optionally share your instant message information with other users of the site
  • Flickr user id and Twitter user name
      • So that you may optionally display recent photos and twitter posts on your profile page
  • Links to your third-party sites
      • So that you may optionally share favorite or other personal websites with other members of the site
  • An avatar image
      • So that you may optionally provide a visual representation of yourself next to items you publish on the site

We will not collect any more any information that is necessary for you to participate in the Ground(ctrl)™ social networking community.

Third, when using this service, you may change your member profile, send messages to other members, receive messages from other members, form relationships, view photos, share photos, post blog comments, post links to other web sites (including web sites not controlled by ground(ctrl)™), transmit information through various channels, participate in musician campaigns, earn points toward promotional items, and redeem those points for promotional items (collectively the “User Content”).

Children’s Online Privacy Protection Act Of 1998

This privacy policy is provided in conformity with the Children’s Online Privacy Protection Act of 1998 (“COPPA”). COPPA requires that we notify parents and legal guardians and obtain consent from parents and legal guardians before we collect, use and/or disclose personal information from children under thirteen (13) years of age.

If parents or legal guardians have any questions regarding their child’s use of this web site, they may contact the operator of this website at the following address, phone number or email:

Additional operators maintaining information collected through this website include: Miley Cyrus .

The personal information we collect from children under thirteen (13) years of age, and the manner in which we use such information, is identical to the collection and use of any other member’s information. Please refer to sections entitled “The Information We Collect” and “How We Use the Information” for a detailed discussion of how we collect and use personal information from all members, including children under thirteen (13).

As a means of verifying parental consent, we may require that verification be given to us in one of two ways. First, we may require permission by email from what we are told is the parent’s email address. Thereafter, we will respond to that email address to verify that we have received such permission. Second, we may require that the parent consent by providing us with their full name, a valid credit card number and an expiration date. We will not charge your credit card. We will merely use the information to confirm your consent and once verification is or is not made, we will immediately destroy such information.

We do not require any additional information from children under thirteen (13) other than the minimum amount of information we need in order for the child to participate. Parents may review the personal information we collect on that parent’s child by mailing a request to us at the operator address listed above. The parent, after reviewing such information from us, may have it deleted and/or refuse to allow further collection by sending us an email using the password sent with the physical file that we mail to you. The parent also has the option to agree to the collection and use of the child’s information without consenting to the disclosure of the information to third parties.

Correcting, Updating or Removing Your Information

At any time, members can correct, update, or remove any of their personal information by logging into their account and accessing the “Edit Profile” feature.

How We Use the Information

We collect the personal information listed above so that we can provide you with personalized features and an enhanced and efficient web site experience. We usually retain this information so you can, for example, view messages you have already read or check campaign dates you are already aware of. You understand and acknowledge that copies of your User Content may remain viewable in cached and/or archived pages or if other members have copied and/or stored your User Content, even after your information has been removed.

When you sign up as a member to the network, you create your own profile. Your profile information, including your name and your photo are displayed to other members in the network so that you may interact and communicate with them. On occasion, we may use your name and email address to send you notifications about the network’s new services, promotional items, merchandise, band news, and transactions involving your accumulated points. Generally, you may opt out of such emails by clicking on the “unsubscribe” link in the email. However, the network expressly reserves the right to send you notices about your account even if you opt out of all voluntary email notifications.

Without identifying you as an individual, the network may provide third parties with information contained in your profile for data gathering purposes (ex: gathering data on how many members like both band A and band B so that personalized advertisements, promotions, etc. can be sent to those particular members). We believe that this information gathering allows each member to get the most out of the network’s benefits—e.g., the distribution of band information that, based on your profile, matters to you.

Sharing Your Information with Third Parties

This web site is about sharing information with others of your choosing, and a limited number of third parties, to enhance each member’s promotional and informational-sharing experience. Except as otherwise described in this Privacy Policy, the network does not disclose personal information to any third party unless the network believes that disclosure is necessary to:

  1. Enforce the network’s Terms and Conditions of Use Agreement;
  2. Protect the network’s rights;
  3. Coincide with legal requirements (ex: responding to a subpoena, search warrant, or any other legal process served upon Ground(ctrl)™). We will not reveal information until we have a good faith belief that the law enforcement information and/or private litigant request meets the applicable legal standards;
  4. Protect the safety of it’s members; or
  5. Enhance each member’s promotional and informational-sharing  experience.

The network may provide services jointly with other companies and we may share customer information with that company in connection with your use of that service.

Your name, network names, and profile picture thumbnail will be available in search results across the network and those limited pieces of information may be made available to third party search engines. This is primarily so your friends can find you and send a friend request. People who see your name in searches, however, will not be able to access your profile information unless they have a relationship to you that allows access based on the privacy settings.

Ground(ctrl)™ expressly reserves the right to transfer personal information to a successor in interest that acquires the rights to that information as a result of the sale of Ground(ctrl)™, or the sale of a substantial portion of its assets to that successor in interest.

Third-Party Advertising

Advertising may appear on this web site and may be delivered to members by one of our web advertising partners. Those web advertising partners may download cookies to your computer that allow the ad server to recognize your computer each time they send you an online advertisement. The web advertising partners may also use other technologies such as JavaScript and “web beacons” (also known as “1×1 gifs”) to measure the effectiveness of their ads and to personalize advertising content. As a consequence, ad servers may compile information about where you, or others using your computer, saw their advertisements and determine which ads you, or others using your computer, clicked on. The purpose of this information is to allow an ad network to deliver targeted advertisements that they believe will interest you. This privacy policy covers the use of cookies by our network only and does not cover the use of cookies by any third-party advertiser.

Comments, Blogs, Messages, and Links

Please be aware that whenever you voluntarily post any information as a comment, blog, message, link, photo, video, and/or other information, that information can be accessed by the public and can then be used by those people to send you unsolicited communications. Additionally, if you post a link to your network web site on any third party site, your public profile will be viewable by any third party that clicks on your link. If you do not wish to have your public profile viewable to any third party, you should not post links to your network web site on third party sites.

This web site may contain links to other sites, including links posted by you or other members. We are not responsible for the privacy practices of other web sites. As such, we encourage our members to read the privacy statements of each and every web site they visit after clicking on these third-party links. This Privacy Policy applies solely to the information collected in the use of our network and this web site.


Each member’s account is secured by a member-created password. The network employs reasonable measures to protect member information that is stored within our database, and we restrict the access to member information only to those employees who need access to perform their job functions, such as our customer service personnel and technical staff.

Note: We cannot guarantee the security of each member’s account information as unauthorized entry or use, software or hardware failure, and other uncontrollable factors may compromise the security of each member’s personal information at any time. The network does, however, consider security of each member’s personal information a priority and we take reasonable security steps to protect that information.

Disclaimer of Liability for Unauthorized Viewing of Personal Information

You post User Content, as described above, on this web site at your own risk. Despite our reasonable efforts to keep your User Content inaccessible to those not authorized to view it, be aware that no perfect security measure(s) exist to insure impenetrability. Additionally, we cannot control the actions of other members that you may choose to share your page and User Content with. We are not responsible for the circumvention of any privacy settings or security measures contained in this web site. Consequently, we cannot and do not guarantee that the User Content you provide and/or post on this web site will not be viewed by unauthorized individuals.

Changes in the Privacy Policy’s Terms of Use, Notices and Revisions

We may change this privacy policy from time to time. We reserve the right to change our Privacy Policy and our Terms of Use Agreement at any time. Non-material changes and clarifications will take effect immediately, and material changes will take effect within 30 days of their posting on this site. If we do make changes, we will post those changes and indicate at the top of this page the Privacy Policy’s new effective date.

Through this process, members will always be aware of what information we collect, how we use it, and who we may disclose it to. Each member is bound by any change to this Privacy Policy if he or she uses the site after said changes have been posted. If, however, we change this Privacy Policy so that we are using personal information in a manner materially different from the manner as stated at the time of collection, we will notify the members here, by email, or through notice on our home page.

Your use of this web site and our network, and any disputes arising from it, is subject to this Privacy Policy and our Terms of Use Agreement and all of its dispute resolution provisions including arbitration, limitation on damages and choice of law. We strongly encourage you to refer to this Policy on an ongoing basis so that you understand the most current Privacy Policy terms. Unless stated otherwise, our current Privacy Policy applies to all information that we have about you and your account.

Contacting This Web Site

If you have any questions regarding this Privacy Policy, the practices of this web site, or your dealings with this web site, please contact us at the following mailing address, phone number, or email address:

  • ground(ctrl)
  • 120 K. Street Suite 3rd Floor
  • Sacramento, CA 95814
  • Toll Free: 1 (877) GND-CTRL
  • Phone (916) 443-9202
  • Fax (916) 443-9204

If you’ve read this far well done. You’ve probably decided that One Direction are a safer bet…

Or are they?

Data Protection Update workshop – Analysis of the latest DPA cases, developments and news from the ICO. Our next workshops are in Manchester on the 18th November and in London on the 27th November. If you don’t have time to attend our full day workshops try our DP Update webinar on the 28th November.

BCS Data Protection Course – How I Passed

Sarah Browne, Information Compliance and Records Management Assistant at Greater Manchester Police, recently passed the BCS (ISEB) Certificate in Data Protection exam with Act Now. These are her top tips for passing:

  • Give up any notions of a social life for 2 months – I did it – My friends and boyfriend supported my decision, because they knew how important it was to me.
  • Let the fear guide you – How many times do you really want to do the three hour exam???  Revise hard so failure isn’t an option.
  • Speak to those in the know – I’d only worked in Data Protection for six months when I began the course, so I ran anything I was unsure about by my colleagues, boss, and of course my Act Now trainer.  The more you talk to people, the more you’ll begin to understand the tricky concepts, and how they fit into the bigger picture.
  • Get your mitts on revision materials – I lent DP books from my local library (Peter Carey, Data Protection (3rd edition), and Data Protection and Compliance in Context by BCS were invaluable).
  • You can’t get around reading the Act I’m afraid – Filter your reading.  Start with maybe a text book explanation, then Act Now notes, then crack open the Act.
  • Rewrite the Act – To remember the Sections and Subsections (and very late on in my revision when I understood everything, but needed to memorise key parts), I spent one beautiful Saturday rewriting the Data Protection Act. I summarised all the key sections as an aide-memoire to the Act itself. From then on, I had a 6 page document with the answers to pretty much any question the exam could throw at me.
  • Flash cards – A great way to punish your friends and loved ones for all their support – make them test you!!!  (They’ll hate you, my boyfriend actually said the words “I want to die” while going through my 100+ card pile, but by the same stretch he now knows the definition of consent off by heart because I do!)
  • Work in whatever way works for you – I’m a visual and kinetic learner – I learn by seeing things and doing things, so repeated copying is well up my street.  Find out what your learning style is and work with it! (Google what is my learning style, and be amazed!)
  • Mnemonics – I had one for the principles, one for Schedule 2 conditions, one for Schedule 3 conditions, one for categories of sensitive personal data, one for register-able particulars, and many to cover the various Principle 8 options.  Get creative!  Mine included names of people I know, characteristics of them, some of them were just plain bonkers.   Just come up with something memorable.
  • Basics – It sounds really obvious, but learn your basics off by heart.  Know the exact wording of the principles and the schedule 2 and 3 conditions.  They come into everything, so get them right!
  • Read before the class – You get an itinerary, so don’t go in to the class thinking you’ll learn everything there and then.  Go into the class with a broad understanding of what will be discussed, then you can build on that knowledge in class.  Plus you’ll be ready with questions which will help you, and your comrades!
  • Do the homework – End of.
  • Revision videos – When it comes to revision time, take a look at the Act Now revision videos which are available to all Act Now delegates in their online resource lab.  They cover all the nasty areas that everyone struggles with.

And finally a word for Act Now.

My Act Now Data Protection course got me more than just a certificate.  The course has given me a wealth of knowledge of Data Protection, in general, and more confidence in my current role.  My trainer, Phil Bradshaw, has a strong background in law, and is extremely experienced in the application of the Data Protection Act.  The course leaves you well prepared for the exam, but by no means do they simply train you up to pass.  They teach you everything you need to know so that you will pass! Suffice to say, I would recommend it to any Data Protection practitioner.

For more on how to pass the BCS (ISEB) exam see our earlier blog posts. Feel free to try the sample test.

Our next ISEB courses start in London and Manchester in December. More Information on our website or email us.

Scottish Information Commissioner’s Annual Report


The Scottish Information Commissioner has published her annual report for 2012/13.  Key facts are as follows:

  • The Office of the Scottish Information Commissioner (OSIC) received 594 FOI appeals in the year. This was an increase of 14% on last year, and an increase of 49% over the last 5 years.
  • 27% of appeals related to a failure to respond within FOI timescales.  This is the largest proportion of such appeals to date.
  • The OSIC found completely in the requesters’ favour in 37% of cases, completely in authorities’ favour in 37% and partially in favour of requesters / authorities in the remainder.
  • OSIC closed 564 cases, a 9% increase on last year.
  • OSIC has introduced new resources to advise and assist public authorities and requesters.
  • OSIC has announced its strategy for improving performance of FOI in Scotland by adding value.

FOI continues to be used predominantly by members of the public, as illustrated by the examples in the report.  These show the range of important “real-life” community issues for which FOI is used on a daily basis.

During the year Act Now Training received valuable feedback from the Scottish Information Commissioner in respect of our certificated course; the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. The course is also endorsed by the Centre for FOI based at Dundee University.

If you’re considering joining the course, what can you expect? Read what the tutor has to say and have a go at the FOISA test.

Forthcoming Webinars

EI(S)Rs 2004: An Introduction
18th Oct 2013 @ 10:00am

The FOI (Scotland) Act 2002: An Introduction
28th Nov 2013 @ 10:00am

FOISA 2002: An Update
28th Nov 2013 @ 11:30am

Recordings also available – Please email for more details

The shortest Data Protection Policy in the world?

Youngest son has been looking for work and was interviewed for some warehouse job with a big name in retail and had this thrust under his nose while being interviewed. Luckily the modern scourge of camera phone proved very useful at this point and he showed me this image when he returned home. Is it a Policy? Who is the data controller? Why do applicants have to sign to agree that their application form goes to a prospective employer? Why do they need medical details?  The questions go on and on.  Contradiction in the final paragraph.  And they’ve squeezed all this into just over 50 words. Is it possible to write a Data Protection Policy that will fit into 140 characters? Who writes this stuff?

Use of Social Media in Investigations

All investigators, when tackling rogue traders, fraudsters or errant employees, need to make use of the Internet as an investigatory tool. Unfortunately there is a lack of knowledge of Internet investigation techniques amongst investigators, especially those working in the public sector. The Internet can reveal a treasure trove of free information, which can even lead to the perpetrators’ door (literally).

Do you have a smartphone and therefore an on-line account for managing email, contacts and messages? Do you use it for accessing applications such as Instagram, Flickr (for storing photographs online) and Facebook?

If these applications are used without properly controlled account settings, then your private information, your photographs and other personal data are available on-line for all to see. Even information that you yourself have not uploaded or stored can be mined for more personal information. You might have had photographs taken by a professional, for example for the sale of a home, or at events or weddings, or even by friends and family. These images are then posted on web sites and/or stored on-line (perhaps on Instagram and Flickr), often without your knowledge. The images will retain tagging and geo data used by the photographer to catalogue their albums. This might be your postcode, email address, name, or other identifying information. Someone who knows what to look for and where to look can discover a lot about you!

Worrying! But also very useful if you are investigating an individual for criminal or civil offences (or just disciplinary matters). Here are a few examples where such information was used by investigators to find out about individuals clearly “up to no good.”

Case Study 1 – The Malicious Blogger

A Chief Executive of a public sector organisation received an email containing particularly threatening and abusive language and menacing comments. Enquiries about the routing of the email revealed it had been sent from an Internet café.

Just twenty-five minutes of open source research produced a result. The advanced search facilities within Google, and a couple of search facilities specific to social networking sites, identified the full details of the sender. Step one was to search the email address, which revealed a posting on a blog, which in turn revealed a publicly listed unique user name. This was searched and the user was found on a couple of unpleasant blogs linking with others. This in turn led to another user name which was very close to the individual’s real name. This in turn led to his Facebook account, tagged images, and other unpleasant on-line postings. A few minutes later the home address of the perpetrator together with very current photographs were discovered. He was found to be a professional working for a public authority!

Case Study 2 – The Rogue Employee

An employee was suspected of working on his own business whilst off sick from work. Resource intensive and potentially controversial covert surveillance was one of many options considered. However, from just a mobile number this individual was traced to an eBay account using the eBay advanced search facility. As well as identifying the goods for sale through this business venture, the username for this eBay account was linked to a website with a Twitter account. Tweets by this person revealed the exact times and dates when he was working on his own business. Much of what he was doing was taking place when he was at work. A web of business networking and LinkedIn activity was also unravelled detailing far more than what the investigators had imagined.

These are just a couple of examples of investigations where auditors/investigators benefitted from having a thorough knowledge of online investigation techniques. It doesn’t always work this easily but my new course explains the most effective techniques. I also provide practical guidance on how to capture online evidence to accepted national standards.

Any form of surveillance of individuals raises a lot of legal issues (see Ibrahim Hasan’s recent article on the law of employee surveillance). There are pitfalls especially relating to privacy, Data Protection and RIPA to name a few. This course will also give delegates an opportunity to network with others who face the same challenges.

Steve Morris is an ex police officer and one of our expert RIPA course trainers. Steve’s new E Crime and Social Networking Course is proving very popular amongst auditors and investigators wanting to know how to make best use of the Internet when conducting investigations.

@FOIManUK on Records management – Just Do It!

At the 2012 Information and Records Management Society (IRMS) Conference, Northumbria University academic Julie McLeod asked the audience a simple question. She asked how many of those present worked for an organisation that had articulated a vision for electronic records management. Less than 10% of the audience raised their hands.

On first sight, that’s a pretty startling statistic. The IRMS is the main industry body for records managers. If anyone could be expected to have articulated a vision for electronic records management, it was the people in that room.

But the truth is, I’m not that surprised by Julie’s experience.

Firstly, I think it’s partly to do with what Julie asked. If she’d asked whether those present had a records management policy, I suspect a much bigger proportion would have put their hands up. And many records management policies probably include a statement saying how the organisation aspires to manage electronic records. That’s a vision – but those present probably didn’t think of it as such.

But what about those who just don’t have any statement? I suspect a lot of people in that room didn’t have anything – no policy, no strategy, no vision. And I think I know why.

The people responsible for records management in a lot of organisations are nervous of getting it wrong. And all the talk of visions, strategies and programmes isn’t helping. All the competing theories and evolving attitudes are hard to keep up with. 10 years ago, public bodies were being encouraged to adopt electronic document and records management systems. Now it’s rare to hear a success story about such systems, and hardly anyone thinks they’re a good idea. How do you come up with a vision for the future operation of your organisation when the future keeps changing?

What’s more, in most organisations, the person responsible for records management may be relatively junior. Often they will be someone who was drafted into the role; it might only be part of their job.

But it is important that records management is addressed. Any business needs to manage its information. Back at the start of my career I worked for a pharmaceutical company. Our records management unit ensured that they were able to prove that they discovered their marketed drugs first – some of those records were worth billions to the business.

And it is necessary for compliance with legislation. For example, if you look at many civil monetary penalties issued by the Information Commissioner’s Office, you will find that poor records management played a part.

And public authorities of course are subject to the Freedom of Information Act. Section 46 of the Act requires the Lord Chancellor to issue a Code of Practice on the management of records. The Code of Practice was written by the National Archives and sets out the features that they expect to see in public authorities’ records management. Whilst not a statutory requirement, the Information Commissioner is unlikely to look kindly on a public authority that fails to meet its FOI obligations due to records management failings. Indeed he has been known to issue a practice recommendation to an authority insisting that they improve their records management.

So organisations – especially public sector ones – need to do something about records management. But what?

We can start by using the Code of Practice as a guide. What do the experts at the National Archives think should be in place?

And we can stop letting “the best be the enemy of the good”. Julie McLeod’s straw poll, as well as the more detailed research she was reporting on at the conference showed that many organisations had done very little. What actually needs to happen is something. We should improve records management one step at a time. We must be pragmatic.

That’s what I’m going to attempt to do in my new course for Act Now Training on Records Management and the Section 46 Code of Practice. I’ll explain the different requirements of the Code and practical things you can do to meet them. That’s obvious. But I’ll also tell you not to panic. Don’t try to do it all at once. What are the key things you can do that will improve your records management almost overnight? You will leave with an action plan for your organisation – so you’ll instantly be ahead of 90% of those conference delegates I mentioned. The key words are “Just Do It.”

Paul Gibbons (aka FOIMan) blogs at He also delivers our Practical FOI course.

The Law of Employee Surveillance

Decreasing public sector budgets and increasingly affordable technology mean that more and more employers are turning to surveillance to catch errant or work-shy employees. But this area is a legal minefield. Mistakes can end up with adverse headlines in the media or worse still legal action. In August, West Yorkshire Fire Service was criticized in the papers when a 999 operator, who was on sick leave, found a GPS tracker planted on her car by a private detective hired by her bosses.

A public sector employer wanting to conduct lawful staff surveillance must first ask the question: which legislation applies? If the surveillance involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies and that the surveillance must be the subject of a written authorisation by a senior officer and, in the case of a local authority employer, Magistrates’ approval. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA.

In C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), a former police sergeant (C), having retired in 2001, made a claim for a back injury he sustained after tripping on a carpet in a police station. He was awarded damages and an enhanced pension due to the injuries. In 2002, the police instructed a firm of private detectives to observe C to see if he was doing anything that was inconsistent with his claimed injuries. Video footage showed him mowing the lawn. C sued the police claiming that they had carried out Directed Surveillance under RIPA without an authorisation. The Tribunal first had to decide if it had jurisdiction to hear the claim. The case turned on the interpretation of the first limb of the definition of Directed Surveillance i.e. was the surveillance “for the purposes of a specific investigation or a specific operation?”

The Tribunal ruled that this was not the type of surveillance that RIPA was enacted to regulate. It made the distinction between the ordinary functions and the core functions of a public authority:

“The specific core functions and the regulatory powers which go with them are identifiable as distinct from the ordinary functions of public authorities shared by all authorities, such as the employment of staff and the making of contracts. There is no real reason why the performance of the ordinary functions of a public authority should fall within the RIPA regime, which is concerned with the regulation of certain investigatory powers, not with the regulation of employees or of suppliers and service providers.”

The Tribunal also stated that it would not be right to apply RIPA to such surveillance for a number of reasons:

  1. RIPA does not cover all public authorities, and there was no sense in police employee surveillance being conducted on a different legal footing than, for example, the Treasury, which does not have the same surveillance rights under RIPA.
  2. The Tribunal has very restrictive rules about evidence, openness and rights of appeal. The effect of these would lead to unfairness for employees of RIPA authorities when challenging their employers’ surveillance as compared to those who were employed by non RIPA authorities.

This case suggests that, even where employee surveillance is being carried out for the purpose of preventing or detecting crime, the question has to be: is it for a core function linked to one of the authority’s regulatory functions? In the local authority context this would include, amongst others, trading standards, environmental health and licensing. If the surveillance is not being done for one of these purposes it will not be Directed Surveillance and consequently will not be regulated by RIPA.

Of course just because RIPA may not apply, it does not mean that the employer can do what it likes. Whatever type of surveillance is conducted, the right to privacy, under Article 8 of the European Convention on Human Rights, protects employees within the work environment.  This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate. There have been a number of cases where employers have been criticised by the courts for failing to take account of the human rights issues when doing surveillance of employees e.g. Copland v UK (3rd April 2007 ECHR) concerning communications surveillance and Jones v Warwick University ((2003) 3 All ER 760) concerning a claim for personal injury. Compliance with the Data Protection Act 1998 (DPA) will be evidence that the surveillance has also been done in compliance with Article 8.

All employers, be they public or private sector, have to comply with the DPA when doing surveillance, as they will be gathering and using personal information about living individuals. The Information Commissioner has published the Data Protection Employment Practices Code, which sets out rules to be followed when dealing with employees’ personal data.

Part 3 of the code covers all types of employee surveillance from video monitoring and vehicle tracking to email and Internet surveillance. Indeed those public authorities who are doing surveillance of their employees which now, in the light of the above Tribunal case, cannot be authorised under RIPA also have to pay special attention to the code. Whilst the code is not law, it can be taken into account by the Information Commissioner and the courts in deciding whether the DPA has been complied with.

One of the other main recommendations of the code is that senior management should normally authorise any covert surveillance of employees. They should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice. They should carry out an impact assessment and consider whether the surveillance is necessary and proportionate to what is sought to be achieved i.e. the same considerations that public sector employers subject to RIPA would have to consider when doing a RIPA authorisation. This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

If covert surveillance of an employee results in his/her dismissal, the matter will usually end up before the Employment Tribunal in the form of unfair dismissal proceedings. Here the Tribunal will also have to consider whether evidence has been gathered fairly and lawfully. In City And County Of Swansea v Gayle UKEAT 0501_12_1604 (16 April 2013) Swansea Council conducted covert video surveillance on the claimant, when he was for good reason suspected of playing squash during work time, whilst claiming payment for being at work at the time.  The surveillance confirmed he was seen at the sports centre on a succession of Thursdays when he should have been at work.

The Employment Tribunal upheld a claim for unfair dismissal (though awarding nil compensation, for contributory conduct) because of the Tribunal’s distaste for the employer’s use of covert surveillance. Its view was that Article 8 (right to privacy) was engaged and broken in doing so. It took account of the council’s lack of awareness of its obligations under the DPA and the Code.

These views were rejected on appeal to the Employment Appeal Tribunal. The appeal was allowed with a substituted finding that the dismissal was not unfair. The Tribunal did not accept that here there was any breach of Article 8(1) so as to require the Tribunal to consider the requirements of 8(2) at all.  If, however, the Tribunal had done so it would have been bound to consider the legitimate aim which the Council claimed to have.  Here one of two such aims might have been identified.  The first was the prevention of crime, the second the protection of the rights and freedoms of others, the “others” here being the employers whose money was at stake and who had contractual rights in agreement with the claimant that he would behave in a way in which as it happened he did not.

This is an interesting case for employers. Dismissals will not necessarily be unfair when covert surveillance is used as part of the dismissal process. Employees acting fraudulently on employer’s time cannot expect their actions to be kept private from the employer. However, employers would be well advised to tread with caution. Following the correct procedures and being mindful of their obligations under the DPA (as well as Human Rights) will inevitably put an employer in a better position.

Employee surveillance may not always engage RIPA. However data protection and human rights laws will always have to be carefully considered. In cases of surveillance of staff e-mail and internet usage Section 4 of RIPA and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 will also need to be considered. For more on the latter please see our online training course (Email and Internet Monitoring: How to do it lawfully).

Act Now can help you get to grips with this difficult area. Please see our full program of surveillance law courses which can also be customised and delivered at your premises. If you want a quick update try our forthcoming webinars.

Listen to Ibrahim Hasan’s interview on BBC File on Four on Secrecy and Surveillance: of
