Yet Another CCTV Code

CCTV is a hot topic. Following complaints by Big Brother Watch, the ICO has taken enforcement action involving both number plate recognition cameras and cameras recording people’s conversations in taxis.

On 20th May 2014, the Information Commissioner’s Office (ICO) launched a consultation on a revised Code of Practice on CCTV. The previous version was published in 2008. On 15th October the ICO published the 44-page code of practice on surveillance cameras and personal information. Jonathan Bamford, Head of Strategic Liaison at the ICO, states in his blog post launching the code:

“Today’s updated CCTV code is one that is truly fit for the times that we live in. The days of CCTV being limited to a video camera on a pole are long gone. Our new code reflects the latest advances in surveillance technologies and their implementation, while explaining the key data protection issues that those operating the equipment need to understand.”

There are no major changes in the code when compared with the previous version. The ICO once again emphasises fundamental Data Protection Act (DPA) principles e.g. informing people about the information being collected about them, keeping data collected secure and having effective retention and disposal schedules.

The new and emerging technologies section of the code covers the key surveillance technologies that the ICO believes will become increasingly popular in the years ahead. Jonathan Bamford says:

“The days of CCTV being limited to a video camera on a pole are long gone. Our new code reflects the latest advances in surveillance technologies and their implementation, while explaining the key data protection issues that those operating the equipment need to understand.”

The code emphasises the importance of conducting a privacy impact assessment before undertaking surveillance using CCTV, especially when fitted to drones e.g. broadcasters seeking to gather footage for production purposes, police forces conducting surveillance on suspects, or construction companies monitoring job progress. Concerns have been expressed about the legal use of drones. The BBC reports, “Drones which could seriously injure or kill are being flown over cities and towns across England, despite laws designed to protect the public.” The code refers to drones as ‘unmanned aerial vehicles’ (UAVs) and the overarching systems in which UAVs are used as ‘unmanned aerial systems’ (UAS). Key points include:

· Organisations should ensure there is an on/off button for recording in UAS’ and have “strong justification” for continuously recording via the system.

· Continuous recording must be both “necessary and proportionate” for the purpose the business is pursuing.

· The Fair Processing Code under Principle 1 of the DPA must be complied with. Website notices, social media, highly visible clothing and signage telling the public about the use of drones for filming in the area can help to do this.

Many councils now use body worn cameras to, amongst other things, help combat anti-social behaviour or gather evidence for parking enforcement. These small inconspicuous devices can record both sound and images. This can mean that they are capable of being much more intrusive than traditional town centre CCTV. The code states that the use of such cameras needs to be justified. Safeguards must be put in place to ensure they are only used when needed. Strong security is essential in case the devices fall into the wrong hands. The code identifies other practical steps to help users of these devices stay on the right side of the law.

The new ICO code is said to complement the Surveillance Camera Code (PoFA code) which came into force last year. Made pursuant to the Protection of Freedoms Act 2012 (PoFA) the latter governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR).

The ICO code applies to all data controllers (public and private sector) throughout the UK but the PoFA code currently only applies, in the main, to local authorities and policing authorities in England and Wales. The Scottish Government has produced its CCTV Strategy for Scotland. The strategy provides a common set of principles that operators of public space CCTV systems in Scotland must follow. The principles aim to ensure that these systems are operated fairly and lawfully and are using technologies compatible with the DPA.

As regards the legal effects of the PoFA Code:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16).

The Surveillance Camera Commissioner (SCC) has been appointed by the Home Secretary but has no enforcement or inspection powers unlike the ICO. He “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3). The ICO says of its revised CCTV code:

“This code is consistent with the [Home Office] code and therefore following the guidance contained in this document will also help you comply with many of the principles in that code”.

It is essential that all CCTV operators, both in the public and private sector, read the new ICO code and revise their policies and procedures accordingly. Whilst the code is not legally binding, it will be taken into account by the Commissioner and the courts in deciding whether the DPA has been complied with.


Peter Paul and Mayhem.

 


A story of email marketing gone wrong. Surnames have been deleted to protect the guilty.

On 20 Sep 2014, at 12:53, Peter wrote:

Hi Paul,

I have seen your CV details on one of the job boards and I am very keen to discuss an OLE Design opportunity with you. 

What is the best number to contact you on?  Are you currently looking for opportunities?

The CV I can see for yourself is out of date so if you could forward me your updated CV that would be great.

Look forward to hearing from you.

Regards,

Cameron

Senior Consultant

A recruitment agency

A posh address in London

First time in my life I’ve been headhunted but as I’m nearly on the final lap of the 10,000 metres of life I don’t really want to be employed. Strange how the email address is different to the name of the sender. But I felt aggrieved enough to reply.

From: Paul


Dear Peter/Cameron

Nice to know you’ve seen my CV on a job board. I am currently 62 years old and not seeking work of any nature so I suspect you are being economical with the truth in your marketing approach. The out of date CV you talk about is not just out of date – it doesn’t exist. I don’t have a CV as my V is based on not working. I am not on any jobs boards (whatever they are).

I presume you acquired my email from a third party as I have no relationship with you at all and that you never considered the PECR 2003 which forbid cold emailing unless the soft opt in exists which it doesn’t so you are in breach of these regulations and liable to a monetary penalty of up to £500,000 if the regulator feels it appropriate.

An apology would be nice but I’m not expecting one. Have a nice day.

I did consider copying in the ICO and asking for them to consider it as a complaint under PECR but decided to be lenient.

On 1 Oct 2014, at 09:45, Peter wrote:

Dear Paul,

Many thanks for your email. Thank you for advising that you are not looking for work. I can confirm we are not being “economical” in our approach. I can confirm your CV does exist & the existence is on Railway People (www.railwaypeople.com) which was last updated on August 17th 2012.

As proof I felt best to show you a copy of the CV that is currently on Railway People.  As you will see the CV does exist.  As your details are on Railway People we wanted to check your current situation and whether a contract opportunity would be of interest, but you have confirmed you are now retired.  May I also confirm that we do not use any third party sources and did not acquire your details from any such source.

I can also confirm we are not in any breach of any regulations as your details are on the site. Apologies if you feel aggrieved by the approach but we were only contacting you as your details are on the site.

Have a nice day.

At this point I looked at the website Railwaypeople.com and couldn’t enter the site on account of not having an account with them so rang the sales team. I met a nice young man who was sympathetic and very helpful. A few facts exchanged with him revealed that candidates who were looking for work in the railway industry uploaded their CVs (carefully fulfilling schedule 2,1 condition) and recruitment consultants would download CVs they thought looked interesting. (I suspect money changed hands here). There was a person on the site with the same name as me but he lived in Derby and had a different birthdate. Craig agreed to confirm this in writing.

On 1 Oct 2014, 09:45, Craig wrote:

Hello Paul,

As discussed, I can confirm that we hold no contact details for you on our RailwayPeople.com database.

I’m able to tell you that Peter from xxx Recruitment downloaded the CV of a candidate by the name of Paul xxxx with a similar email address to your own.

I’m assuming you have been emailed in error by Peter so I would double check with the agency if you still have concerns.

Regards,

Craig
Account Manager

From: Paul

Hi Peter

I’ve been in touch with Railway people and they have confirmed in writing that they do not have any CV for me (checking my home address and a few other key facts). They do have a Paul xxx based in Derby and linked to the railway industry and with a similar email address and told me you had viewed this.

All I can surmise is that somewhere between you picking up this person’s data you managed to turn his email address into mine. 

Regards

Paul (not the Derby one)

Hi Paul,

I can see where the confusion lies. Apologies for the confusion & the email in the first place.

Regards,

Peter

So Peter found a CV on an internet site despite him assuring me in an email that “May I also confirm that we do not use any third party sources and did not acquire your details from any such source.” It wasn’t my CV. He then emailed what he thought was a person in Derby but managed to spell the email address wrong and reached me. Not having any relationship with me and ignoring the soft opt in exemption (or maybe not even knowing of its existence) means he breached PECR.

First class service from Craig at Railway People. He acted quickly and correctly.

Missed the connection at Crewe for Peter. Emailed without consent; breached principle 4 DPA; argued he was right; breached regulations about electronic marketing (which is his day job) but had enough guts to apologise at the end.

All in a day’s work for a DPA/PECR nerd.

When is wifi free?


Free (/friː/) – adjective: free; without charge, free of charge, for nothing, complimentary, gratis, gratuitous, at no cost; for free, on the house.

adverb: free; without cost or payment. (Avoid freely)

Seems obvious when you ask Google for the definition. No payment of any sort means the goods or service is free. It’s an invitation to enter into a contract but nothing is to be given in exchange for the service of providing wifi. But what if you were asked for something in exchange? What if a shop said wifi is free if you give me an ice cream? Would that make the wifi no longer free? An ice cream certainly exists in a solid form (OK I’ll concede that it has a specific half life) but what if the price was a big kiss or a promise to buy something. Do they exist? Are they tangible? Do they have any value? Does it matter? What if the price was your email address? What if the price was your consent to receive marketing material?

I stayed in a hotel recently that presented me with a card on arrival with my free wifi code. Not even bothering to switch on the TV or use the bathroom (usual bored, middle aged businessman preoccupations) I fired up the laptop.

[Image: the wifi sign-up screen]

It’s not an easy screen to read but the word free appears four times. All I had to do is tell them my details.

Why?

If no payment is required no bill will be sent. I could use the code without them knowing anything about me. Starbucks manage to do this without any problems but many purveyors of “free” items need to know your name. Worse they need to know my email. Worse than that they had pre-ticked the yes to Marketing box. I unticked it and tried to subscribe without agreeing to terms and conditions but the system prompted me to a) agree the T&C and b) tick the Marketing box.

I complained to reception saying this wasn’t free. No problems Sir. Click on the Conference button at the top of the screen as you’re in a conference here tomorrow aren’t you (wink, wink) and they won’t ask those questions.

I did but just to be sure I decided to read the T&C. First line said by accepting them I would agree to receiving marketing. Trying to buy without ticking them wouldn’t work.

I told reception and she pointed out that all I had to do was use a code and a password and not give any identifiers (like the ones she had taken on the piece of paper I filled in at reception where the code and password was stored next to my personal details).

Feel free to like this article. Just don’t send money. Or ice creams.

Yet Another Local Government Transparency Code – A Gift for Armchair Auditors?

The Coalition Government likes “armchair auditors”.

Within weeks of coming to power in 2010, it released all items of local authority expenditure over £500. The Secretary of State for Communities and Local Government, Eric Pickles, said at the time that the move would “unleash an army of armchair auditors and quite rightly make those charged with doling out the pennies stop and think twice about whether they are getting value for money”.

Section 3 of the Local Government, Planning and Land Act 1980 gives the Secretary of State the power to issue a code of practice about the publication of information by local authorities relating to the discharge of their functions. Back in May, Eric Pickles used this power to issue (what was then) a new Local Government Transparency Code. (See my earlier blog post.)

Now, an updated version of the Code, dated October 2014, has been issued. It applies in England only and replaces the previous version. The code requires councils (as well as, amongst others, National Park Authorities, Fire and Waste Authorities and Integrated Transport Authorities) to proactively publish certain categories of information (in Part 2 of the code) whilst also recommending that they go beyond the minimum (in Part 3 of the code). It follows last year’s consultation on Improving Local Government Transparency: “Making ‘The Code of Recommended Practice for Local Authorities on Data Transparency’ enforceable by regulations.”

Ministers will imminently make and lay regulations (The Local Government (Transparency Requirements) (England) Regulations 2014) to make it a legal requirement for local authorities to publish the data specified in Part 2 of the code. Subject to Parliamentary processes, Part 2 should become mandatory by 7 November 2014.

Part 2.1 of the code sets out information, which must be published at least quarterly. This includes:

  • Each individual item of expenditure exceeding £500 e.g. invoices, grant payments, expense payments, rent etc.
  • Government Procurement Card transactions
  • Procurement information which includes details of every invitation to tender for contracts to provide goods and/or services with a value that exceeds £5,000, together with any contract, commissioned activity, purchase order, framework agreement and any other legally enforceable agreement, also with a value that exceeds £5,000.

Part 2.2 of the code sets out nine sets of data which must be published annually. This includes local authority land, grants to voluntary bodies, trade union facility time, parking information and senior salaries. In relation to trade union facility time, authorities should publish the amount spent on providing support and facilities to trade unions within their workforces, and specify which unions. In relation to parking charges, categories include the number of off-street parking places and the revenue raised from them; the number of on-street parking places and the revenue they raise; as well as the revenue from parking fines and the number of free parking spaces available.

The main difference between the May and October codes is that the latter has added three datasets to the list of information which must be published: namely information about how the authority delivers waste services, uses the parking revenue it collects and tackles fraud.

On salaries the code requires publication of more information than is currently required under the Accounts and Audit (England) Regulations 2011. Local authorities must now place a link on their website to these published data or place the data itself on their website, together with a list of responsibilities (for example, the services and functions they are responsible for, budget held and number of staff) and details of bonuses and ‘benefits in kind’, for all employees whose salary exceeds £50,000. The key differences between the requirements under this new code and the Regulations referred to above are the addition of a list of responsibilities, the inclusion of bonus details for all senior employees whose salary exceeds £50,000 and publication of the data on the authority’s website. What effect will this have on FOI requests for salary information? Certainly senior figures will find it hard to claim that they have an expectation of privacy when it comes to FOI requests for similar information. (More on salaries here.)

Part 3 of the new code sets out the information, which is recommended to be published, but there is no requirement to do so. This is about providing more detail to information already published under the required category in Part 2, e.g. more details about expenditure, procurement, grants etc. For example instead of just publishing details of expenditure over £500 on a quarterly basis, local authorities are encouraged to publish expenditure over £250 on a monthly basis or better still in real time.

Existing restrictions on disclosing information still apply though. Paragraph 14 of the code states:

“Where information would otherwise fall within one of the exemptions from disclosure under the Freedom of Information Act 2000, the Environmental Information Regulations 2004, the Infrastructure for Spatial Information in the European Community Regulations 2009 or falls within Schedule 12A to the Local Government Act 1972 then it is in the discretion of the local authority whether or not to rely on that exemption or publish the data.”

However where a qualified exemption under FOI applies, the appearance of the requested information in one of the categories set out in the code will have a big impact on the public interest in support of disclosure.

How should data under the new code be published? The code states that it should be in a format and under a licence that allows open re-use, including for commercial and research activities, in order to maximise value to the public. The Open Government Licence, published by the National Archives, should be used as the recommended standard. Where any copyright or data ownership concerns exist with public data these should be made clear. Data covered by Part 2 of the code must be published in open and machine-readable formats.

The DCLG has also published an accompanying FAQ Guide which gives further guidance on how to practically apply the new code.

Despite Part 2 of the code being legally enforceable soon (see above), does the code have any teeth? The code does not have an enforcer like the Information Commissioner under FOI. Indeed the DCLG has pointed out in the FAQs that it is not the Commissioner’s role to enforce the code. It does though suggest that complainants can issue a judicial review claim in the High Court (unlikely with public funding of such cases being virtually ceased) or complain to the Local Government Ombudsmen. It also suggests they make an FOI request for the same information!

It will also be interesting to see how this new code works with the new dataset obligations under the FOI, which came into force on 1st September 2013 via the Protection of Freedoms Act.

On 10 March 2014 the Government launched the consultation on a draft transparency code for parish councils with a turnover not exceeding £25,000, which will act as a substitute for routine external audit. The Government published its response to the consultation on 6th August and intends to lay regulations to make the code mandatory later on this year. (More for those advising Parish Councils here.)

The Government believes that transparency about how local authorities spend money and deliver services, and how decisions are made within authorities, gives local people the information they need to hold their local authority to account and participate in local democratic processes. It claims that the availability of data can also help secure more efficient and effective local services and open new markets for local business, the voluntary and community sectors, and social enterprises to run services or manage public assets.

Will armchair auditors make use of this new information? Time will tell but readers would be right to be sceptical.


New FOI Exemption Comes Into Force Today

A new exemption under the Freedom of Information Act 2000 comes into force today (1st October 2014).

One of the key recommendations of the House of Commons Justice Select Committee in its (July 2012) report into post-legislative scrutiny of the Freedom of Information Act 2000 was the introduction of a new exemption for research data. The Government accepted this recommendation in its official response late last year. (There is a brief analysis of the main recommendations of the Committee and how the Government has responded on our blog (http://tinyurl.com/pznfyex)).

Section 20 of the Intellectual Property Act 2014, which received Royal Assent on Wednesday 14 May, inserts a new qualified exemption. Subsection (1)(a) of new section 22A provides that information is exempt from disclosure if it relates to information obtained in the course of, or derived from, a programme of continuing research that is intended for future publication. Subsection (1)(b) however, provides that the information will be exempt only if disclosure would, or would be likely to, prejudice a matter listed in that subsection. Public authorities will not be required to confirm or deny that they hold section 22A information if, or to the extent that, compliance would, or would be likely to prejudice, any of the matters mentioned in subsection (1)(b).

Any public authority can use this new exemption, not just universities. It mirrors the Freedom of Information (Scotland) Act 2002, which has had a research data exemption (Section 27(2)) since its inception.
