‘The Great CPS Data-breach!’


No, this isn’t a new multi-million pound blockbuster, but instead a £200,000 error the Crown Prosecution Service probably wishes it had never made.

On 4th November 2015 the Information Commissioner's Office (ICO) issued a £200,000 monetary penalty notice under the Data Protection Act 1998 to the Crown Prosecution Service (CPS) for the lack of effective security and controls around DVD videos of police interviews, after laptops holding copies of those videos were stolen from a 3rd party private film studio.

Imagine the scene, it’s the year 2002 and new technologies are coming in, for the recording & editing of films.  So you, as a modern and practical Crown Prosecution Service, look for a company that can offer these things quicker, better and cheaper than you can do in-house. So you commission an informal 6 month trial with a guy with a studio based in Manchester. After 6 months he seems to do a good job, he’s no George Lucas but you’ll roll with him beyond the 6 months.

Now as these things do, your ‘video editing man’ changes offices to a new location that, by all accounts, is a little bit lacking in basic things (like security and working CCTV). But no matter, we can’t judge those on where they operate and the service isn’t affected – if anything it’s a nice new shiny studio.

However, on a day in September 2014 (the 11th to be precise) a burglar just happens to wander past, manages to get into the studio, steals 3 laptops that your video editor is currently working on and runs off with them. The police catch up with 'him' 8 days later and, as luck would have it, they also recover the laptops. But that's OK, as it's only 43 data subjects, you got the laptops back and there is a password on each of the laptops, right?

Well, unfortunately no, that isn't OK. And the Information Commissioner agrees. In the ICO's notice he outlines various things that were not in place here and really should have been, given the level of sensitivity of the data concerned. Below are extracts from the five areas the ICO cites as the main breaches of the DPA.

  1. Unencrypted DVDs containing the videos were delivered to X using a national courier firm. The sole proprietor used public transport to take the DVDs to X premises if a case was urgent.
  2. The CPS was not aware of any security risks posed by editing videos of police interviews at X premises either in 2002 or 2006.
  3. The CPS had no guarantee that the sole proprietor would store the unencrypted DVDs in a lockable cabinet and return or securely destroy the DVDs at the end of the case.
  4. The CPS failed to monitor the sole proprietor in relation to any security measures taken by him.
  5. The CPS did not have a DPA compliant contract with the sole proprietor in relation to the processing.

All the usual culprits are there:

  • Lack of encryption,
  • Lack of secure transfer of data,
  • Lack of 3rd party auditing and,
  • Lack of 3rd party contract.

But above all what this notice outlines is a fundamental lack of understanding or awareness of what data is being processed here. The DVDs contained information relating to witnesses and victims of crimes of a sexual or violent nature. It is reported that at least one of the stolen files related to a high profile individual. And that's just on these DVDs. What about all the other DVDs that have entered that studio since 2002?

While there is no evidence in the ICO's notice that other losses have occurred, the circumstances around this theft have been in place since 2002. It could be lucky that only one theft has occurred, but then again how do we know that this is indeed the only theft?

I know when these notices come out those of us that have been fighting the good data protection fight for some time will pick apart the incident and say, "If you'd only done this…", but the points we raise are all valid. This is very much a case where everything is wrong. Not one aspect of this situation works in the CPS' favour. Well, apart from the fact the laptops were eventually recovered. But as the ICO points out, there is no proof that the DVDs were not accessed, as the only protection was a logon password on each laptop, not encryption of the data itself. So technically that doesn't really help you either.

To help avoid the loss of any personal data there are a few best practice steps that organisations can take.

  1. Write a standard DPA clause or contract for use with any and all 3rd party suppliers and get it inserted in all contracts, both current and future. If the current ones already have one then fine, make sure it's at the same level or better than your template and go from there.
  2. If it's sensitive personal data and it's leaving your premises, as a basic rule always ensure it is encrypted to a decent standard at all times. There is rarely an acceptable situation in which sensitive personal data is sent out of the business on a DVD without a decent level of encryption on it. If such a scenario does come up, then guard & monitor it and manage & document the risk.
  3. If you've got a 3rd party going anywhere near your sensitive personal data then watch and monitor them closely. They are as much a threat to your information as internal staff, and you wouldn't (hopefully) leave your internal staff to handle sensitive personal data in any way they see fit, so why would you for a 3rd party?
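To make the encryption point in step 2 concrete (and the ICO's point above that a laptop logon password is no proof the DVDs were never read), here is an added example of what "encrypted to a decent standard" looks like for a file that has to leave the building. It is not code from the original post or from the CPS; it uses AES-256-GCM from Go's standard library, the key and the sample "recording" bytes are constructed here for illustration, and in practice the key would travel by a separate channel from the DVD or laptop. Authenticated encryption means a wrong key, a truncated file or a single flipped byte is rejected rather than silently decrypted to garbage, and the fingerprint gives both sender and recipient something to record in the dispatch log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptForTransfer seals plaintext under a 32-byte key with AES-256-GCM.
// The returned blob is nonce || ciphertext || authentication tag, so the only
// secret the recipient needs is the key, which must travel separately from
// the data (never in the same parcel, and never just a laptop logon password).
func EncryptForTransfer(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce passed as dst.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptTransfer reverses EncryptForTransfer. It fails closed: a wrong key,
// a truncated blob or a single modified byte all yield an error, not garbage.
func DecryptTransfer(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Fingerprint returns a short SHA-256 digest of the sealed blob. Record it in
// the dispatch log and have the recipient confirm it on receipt, so both sides
// can show which item was sent and that it arrived unmodified.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return fmt.Sprintf("%x", sum[:8])
}

func main() {
	// Constructed sample input standing in for an interview recording.
	// A real key comes from a key-management system, not a literal.
	key := []byte("0123456789abcdef0123456789abcdef")
	recording := []byte("constructed sample: interview footage bytes")

	blob, err := EncryptForTransfer(key, recording)
	if err != nil {
		panic(err)
	}
	fmt.Println("dispatch log fingerprint:", Fingerprint(blob))

	// Flip one byte in transit: GCM refuses to decrypt rather than
	// handing back a corrupted video.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptTransfer(key, blob); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

The design choice worth noting is that the key is the only thing a thief would need, which is exactly why it must not live on the same laptop or disc as the data; the studio would hold the encrypted blob and the key separately, and the contract in step 1 would say who holds which.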

Having worked in the Social Care & legal industries I know how easy it is to become desensitised to the data that you hold and process daily. But always remember and be aware of the sensitivity of the data in your hands. That's easier said than done, but that principle, once ingrained in your thinking, means you'll stop and think before commissioning something or sending something that you really shouldn't have.

Now I’m going to do some jiggery-pokery here, and bear with me on this as it’s not going to be exact but let’s see if we can work out what a fine would be under the new Data Protection Regulation. Now I accept that this is not an exact science as the text is still draft and the exact mechanism for fines is not agreed yet but let’s just imagine.

So, under the current framework the ICO can fine up to £500,000 for such a breach but instead valued the breach at the £200,000 level based on the severity, compensating controls, political nonsense etc. That works out as two fifths or 40% of the full amount he can fine.

Under the GDPR Council text, because of the level of failing here in various areas, I believe that this breach would meet the definitions outlined in Article 79a (3a-h). Paragraphs 1 & 2 of Article 79a also outline breaches, but paragraph 1 covers relatively small offences and paragraph 2 only covers some of the breaches outlined here. The limit of such a fine under paragraph 3 is 1 million Euros or 2% of global annual turnover for the previous year (if an undertaking). If we assume the limit would be 1 million Euros (given the public sector nature of the controller) then let's apply the same % as the ICO applied here.

40% of 1 million is 400,000 euros. In today’s currency (as of 13th November and according to google) that equates to a fine of £283,556.79 under the GDPR. Not much of an increase when you think about it.

However, if this fine was for an "undertaking" (currently not defined in the GDPR, but the UK competition law definition is the usual reference point) the fine value could increase substantially. If we were to take the CPS public finances as an example, their turnover for 2014 was £581.9 million. 2% of that is £11,638,000. If we then apply the same 40% to the 11.6 million we end up at a fine of £4,655,200 under the GDPR.

Now the above is not an exact science, as I've stated, as the mechanisms for determining the fine amount are still to be agreed, but those mechanisms will need to be as proportional as possible. By just using the current model (which the ICO seems to defend) the same incident could mean the difference between a fine of just under £300k for a public sector body (not an undertaking) or a fine of over £4.6 million for a private sector undertaking.

Seems a little disproportionate does it not?


Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.

Sainsbury’s and Data Protection – They have your number (and it’s not on your nectar card).


It shocked me on a Sunday morning (a few months ago) when driving into our local Sainsbury's car park. Through bleary eyes I suddenly saw my registration number flash up on a display in front of me. It also said my 2 hours of free parking would end in precisely 1 hour and 59 minutes. After parking and doing a bit of investigating I found that they'd fitted cameras at the only entrance (which was also the exit) so they could snap you on the way in and on the way out and thereby obtain evidence (or not) of your length of stay. This isn't new. Many car parks have been doing this for years, but it does raise a few issues.

Filming and collecting personal data is OK as long as a Schedule 2 condition of the Data Protection Act is fulfilled. (I suppose, going off on one for a moment, that filming at a hospital car park might require a Schedule 3 condition, but that's an argument for another day.) The simplest Schedule 2 condition is consent, as the other five require a 'necessary' element. Do Sainsbury's have your consent? Did you know that filming was going to happen before you attempted to enter their car park, or did it only register when your number plate was staring back at you? If you were filmed before you knew you'd been filmed, consent is out of the window.

Once inside the car park you could see signs that told you more about the filming. Looks good to start with, but the small print really is small and is also 8 feet up in the air (that old joke again!). I couldn't actually read the small print. The basic fact remains that the Fair Processing Notice, whatever its quality, was only available after the processing took place.

So far we’ve missed out on an obvious Schedule 2 condition and missed the fair processing element of Principle One. What else could go wrong? If the sensible Sainsbury’s shoppers don’t overstay their welcome they won’t be troubled by a bit of DPA non-compliance. But if they do go over their limit will Sainsbury’s do nothing or will they take the registration number they acquired unlawfully and unfairly and further process it by finding out more personal data about the driver and sending him/her a penalty notice?

It may be that they've explained all this very well somewhere, but as an everyday shopper in a rush I didn't see it. It may also be that holding the information about a car, then its owner and address, is proportionate if by so doing they allow you to stay a couple of minutes extra checking out the different brands of Prosecco, but it could also be argued that it is not. A recent court judgment about parking is interesting:

https://www.supremecourt.uk/cases/docs/uksc-2013-0280-judgment.pdf

It seems to come down in favour of disproportionate penalties for parking and while it may be appealed the current climate is not very temperate.

The fact remains that Sainsbury's have obtained your car's number plate without giving you fair warning, and are holding it and probably further processing it.

The old joke? What lies on its back 8 feet up in the air.

Answer: A dead spider!

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Freedom of Information: The Future


Is the future bright for Freedom of Information?

In July the Commission on Freedom of Information was established by the Cabinet Office (which now has responsibility for FOI). Its terms of reference are:

“[To] review the Freedom of Information Act 2000 (‘the Act’) to consider whether there is an appropriate public interest balance between transparency, accountability and the need for sensitive information to have robust protection, and whether the operation of the Act adequately recognises the need for a ‘safe space’ for policy development and implementation and frank advice. The Commission may also consider the balance between the need to maintain public access to information, and the burden of the Act on public authorities, and whether change is needed to moderate that while maintaining public access to information.”

The Commission will be chaired by Lord Burns, and will comprise the Rt Hon Jack Straw, Lord Howard of Lympne, Lord Carlile of Berriew and Dame Patricia Hodgson. The motivation/credentials of the panel members have been questioned by some who argue that they are establishment figures who are not interested in openness or transparency. Jack Straw, in particular, has previously called for FOI to be rewritten. The Commission's recently published consultation paper does suggest that it is considering sweeping restrictions to the legislation. The questions seem to be based around the misconceptions that FOI is harming the decision making process and costing public authorities too much. (See Ben Worthy's analysis in his excellent blog post.) The Commission will publish its findings by the end of November, but here are my predictions.

Strengthening the ministerial veto under section 53 is a "dead cert" (in betting parlance). In March the Guardian's successful challenge to the application of the veto to the disclosure of Prince Charles' letters to government departments was confirmed by the Supreme Court. Hours before publication of the letters, Downing Street said David Cameron would try to build up a cross-party consensus with the aim of guaranteeing that ministers will be able to veto the publication of documents under FOI requests in exceptional circumstances.

It is also very likely that the FOI Fees Regulations will be amended to make it easier to refuse requests for information on costs grounds. In July 2012, the Justice Select Committee published its Report into Post-Legislative Scrutiny of the Freedom of Information Act 2000. The Committee concluded that FOI was working well. It had “contributed to a culture of greater openness across public authorities, particularly at central Government level” and “is a significant enhancement to our democracy… [It] gives the public, the media and other parties a right to access information about the way public institutions… are governed.”

The Committee recommended that consideration be given to reducing the amount of time an authority needs to take in searching for and compiling information:

“We would suggest something in the region of two hours, taking the limit to 16 hours rather than 18, but anticipate the Government would want to carry out further work on how this would affect the number of requests rejected.”

The Government, in its official response, said that it doubts that much will be achieved through the reduction of the costs limit. Though it was in favour of allowing additional factors to be taken into account in deciding whether the 18/24 hour cost limit has been reached:

“The Government does not share the assessment of the Committee that it is unfeasible to develop an objective and fair methodology for calculating the cost limit which includes further time spent dealing with information in response to a request. As such, the Government is minded to explore options for providing that time taken to consider and redact information can be included in reaching the cost limit.”

So whilst the Committee rejected the suggestion that reading, consideration and redaction time should also be taken into account when deciding whether the 18/24 hour limit has been reached, it could be that the Fees Regulations are amended to allow this.

At present the costs of different FOI requests can be aggregated only where the requests relate to the same or similar information and have been received within a 60 consecutive working day period. The Government may change this to make it even easier to aggregate costs. At paragraph 19 of its response, it stated:

“We will also look at addressing where one person or group of people’s use of FOIA to make unrelated requests to the same public authority is so frequent that it becomes inappropriately or disproportionately burdensome.”

According to the Telegraph an up front fee of up to £20 could be proposed for making an FOI request. This could lead to a large drop in requests as happened when Ireland introduced a €15 charge (which was eventually dropped).

Other matters on the table for discussion in the consultation paper include making it more difficult to obtain public authorities’ internal discussions (or excluding some from access altogether) and changing the way FOI is enforced. The case for strengthening the Act does not seem to be on the Commission’s agenda. The Campaign for Freedom of Information is coordinating the fight against possible restrictions to FOI. Over 140 media bodies, campaign groups and others have written to the Prime Minister.

In a separate move, the consultation paper and the impact assessment on tribunal fees were recently published on the Ministry of Justice website. The deadline for responses ended on 15th September. In future it could cost £100 to appeal, against an Information Commissioner Decision Notice, to the First Tier Tribunal (Information Rights) or the Upper Tribunal (if the case is transferred), and £500 for an oral hearing.

Tribunal fees will have a big impact on the number of challenges to public authority decisions. Overworked FOI Officers may initially see cause for celebration. However, if fewer appeals are heard the quality of FOI case-law on important matters of interpretation will suffer. Consequently application of the FOI exemptions, as well as other provisions, will become more difficult.

Interesting times for FOI Officers (and trainers!).

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops  which are delivered in online sessions and at his public courses.

Surveillance under RIPA: neither a strict legal framework nor rigorously overseen – Sam Lincoln

Interesting post from Sam Lincoln, an ex OSC Chief Inspector. Sam is the author of our RIPA E Learning course: http://www.actnow.org.uk/content/185

Jumping on the charity bashing gravy train.

Returned from holiday to a mountain of mail. Usually this is good fun but recently it’s turned into a nightmare of more and more charity mailings. First off today was British Heart Foundation. A good cause and I walk voluntarily into their charity shops regularly to find bargains and do my bit. But because of recent publicity about charity mailings I took a hard line. I rang them up and asked to be taken off their mailing list. The operator was polite and efficient. She asked for the code next to my address beginning 52A so she could add me to their suppression list but when I quoted it she said I wasn’t actually on their mailing list. Strange – I am looking at a letter addressed to me at my address asking for money from BHF.

She was quick to explain however that it was a one off mailing using data supplied by a 3rd party so they didn’t actually process my name and address. They just used it. I trotted out the well worn definition of processing that all BCS certificate holders know and she did admit that it looked as if they were processing after all. I asked who was the 3rd party and it turned out to be Senior Rail Card.


(as an aside these are managed by ATOC Ltd which manages the contract for the issue and use of the Senior Railcard on behalf of the Train Companies. Reference to a ‘Train Company’ or the ‘Train Companies’ means those Train Companies which, pursuant to a franchise agreement, operate Passenger Railway Services in Great Britain. Their website has a cookie policy but no privacy policy. Nowhere on their website do they assure you that they will only use your personal data to supply you with a senior railcard. Nowhere do they inform you that they will pass it on to anyone else.)

To be honest it wasn’t Senior Rail card who gave my details to BHF it was Media Lab group; BHF told me at the same time they told me about Senior Rail card.


Media Lab has a website where it says

“The media landscape may have changed, but the need for data hasn’t. That’s why at Medialab, we live and breathe data. It’s at the centre of everything we do. Our data-driven approach allows us to develop successful multi-channel media plans that are built on econometric analysis, innovation and a passion for our clients’ results. As a leading integrated direct response agency, we plan campaigns for the UK’s leading brands including National Trust, Post Office and Macmillan.”

Bizarrely for a data driven company they don't have a privacy policy either. They were the company that gave my data to BHF. They got it from ATOC. I'm not sure how the transfer of data was made or whether money changed hands. We just don't know. But I thought when I bought my Senior Railcard that my personal data would only be used for me to get cheap rail fares, not to donate to heart charities or end up in the hands of list brokers.

The efficient BHF operator said she couldn’t delete me from their mailing list as I wasn’t actually on it. The list really belonged to Media Lab Group. They only used it to mail me. (Did someone at the back say Data Processor agreement and breach of Principle 7?).

However she had a solution to my predicament. She would add me to their database and immediately add me to their suppression list. Brilliant.

Next Alzheimers. Not as we first thought the Alzheimers Society (See comments) but another organisation working in this sector.

They also asked for money (or any donation will do), and they did have a privacy policy and also an undertaking issued by the ICO. They also gave me my Supporter reference number, which was why they were contacting me: a year ago I filled in an online quiz to see if I was presenting any of the symptoms of dementia. At no time before, during or after the quiz did they give me any indication they would tap me up for money, nor was I asked if I wanted to become a supporter of theirs.

I rang them up to ask them to remove me from their mailing list but not a lot happened. When I say not a lot, there was a recorded message saying "we apologise for the delay", then there was silence for the next 10 minutes, at which point I gave up. They could have whistled a tune or even played a song but nothing. It was as if they had forgotten to answer or they were hoping (like Doc Martin) that I had no patience.

They were right, so I used the system they provided to communicate with them. This time they supplied an SAE and a form where I could inform them of my preferences, so I did. They'd used a jocular style to contact me without my consent so I replied in the same vein.

PS

Only 20 more charity letters to deal with… How I hate coming home from holidays.

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Scottish Information Commissioner’s Annual Report


2014/15 saw the 10th anniversary of FOI in Scotland. In September the Scottish Information Commissioner, Rosemary Agnew, published her annual report for 2014/15.  Ms Agnew enforces the Freedom of Information (Scotland) Act 2002 (FOISA).

Highlights of the report include:

  • Public awareness of FOI is at its highest ever level, at 84%
  • 474 FOIA appeals were received across the year, 59% of which were from members of the public
  • The Commissioner found wholly or partially in favour of requesters in 64% of her decisions
  • The proportion of appeals received under the Environmental Information (Scotland) Regulations 2004 rose to its highest ever level
  • Public bodies reported receiving 66,804 information requests in 2014/15
  • 94% of the public think that FOI is important in holding public bodies to account

In an excellent example of Open Data, the Commissioner has also published detailed information on the appeals received since 2005, broken down by public authority, region and sector, in Excel spreadsheets on her website.

Last year additional bodies were made subject to FOISA.

Act Now has a full programme of FOISA workshops in Scotland.

If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. The four day course is endorsed by the Centre for FOI, based at Dundee University.

The next course in Edinburgh, starting next week, is fully booked but we have places in Aberdeen.

If you’re considering enrolling on the course, what can you expect? Read a successful candidate’s observations and have a go at the FOISA test.

Is the Freedom of Information Act ‘working effectively’?

Image by Kevan via Creative Commons

By Steven McGinty

In July, Parliamentary Secretary for the Cabinet Office, Lord Bridges, announced that there would be an independent cross-party review on Freedom of Information (FOI).

The UK’s FOI Act was introduced in 2000 (in Scotland, FOI legislation came into force in 2005). The Act requires public bodies to publish certain information about their activities and to respond to requests for information from the public.

Since its introduction, the FOI Act has facilitated the release of information from across government. The most high profile releases have involved MPs’ expenses and correspondence between British diplomats ridiculing the notion of a widespread increase in migration from Poland to the UK, once they joined the EU.

Lord Bridges explained that the review would focus on three main issues:

  • whether there is an appropriate balance between having a transparent and accountable government and the need for sensitive information to be protected;
  • whether the Act adequately recognises the need to have a ‘safe space’ for policy development and implementation;
  • whether there is an appropriate balance between the need for public access to information and the burden on public bodies of providing this.

However, is this review really necessary?

Over recent years, a number of public figures have voiced their concerns over the Act. Even the man who introduced it, former Prime Minister Tony Blair, has stated that he was a "naive, foolish, irresponsible nincompoop" to introduce it. He also suggested that it undermined "sensible government".

Similarly, the former head of the Civil Service, Lord O’Donnell has argued that the requirement to release Cabinet minutes risked preventing “real discussions” between ministers.

There has also been discontent from local government, struggling to shoulder the financial cost of the Act. For instance, Ken Thornber, leader of Hampshire County Council, stated that:

"We spent £365,000 in 2010 answering freedom of information requests. What else could I do with that money? More social workers, more school inspectors, more spent on road maintenance."

Although clearly frustrated by the Act, he doesn’t suggest withdrawing it. Instead, he proposes the idea of a £25 charge. His hope is that this would deter individuals from making ‘frivolous requests’.

In 2010, University College London's (UCL) Constitution Unit estimated that the cost of FOI requests for local government was £31.6 million. It also highlighted that civil servants spent 1.2m hours responding to nearly 200,000 requests.

Safeguards already exist

However, the review also has its opponents. For example, Sir Tim Berners-Lee, founder of the World Wide Web, has attacked the government’s decision. In particular, he criticises the UK Government for using its position at the top of the World Wide Web Foundation’s Open Data Barometer (annual worldwide survey of open government) to justify the review.

Anne Jellema, Chief Executive of the World Wide Web Foundation, has also added her disapproval. She explains that the UK’s position at the top of the Open Data Barometer should not be an excuse to undo the progress that has been made. In addition, she claims that the government is behind European countries on other transparency and accountability issues, such as state surveillance and freedom of the press.

The Campaign for Freedom of Information has raised concerns over the review panel. It highlights that there are no panel members with a proven commitment to transparency. Currently, the five person committee consists of high profile political figures, such as former Conservative Home Secretary Michael Howard and former Labour Foreign Secretary Jack Straw.

The Act has been praised for holding public bodies to account. For instance, the Daily Telegraph discovered that local authorities spent £2m on hotel bills over just 3 years, including stays at the Four Seasons in New York.

There are also those who maintain that safeguards are already in place. For example, section 35 of the Act provides a qualified exemption, which limits the release of information to the public. This safeguard is explicitly aimed at protecting the policy-making process.

A key challenge for any state is to strike the appropriate balance between effective governance and public accountability. Yet, with so many differing views, universal agreement is unlikely.  Therefore, no matter the outcome of the review, it’s likely that this debate will continue.

Steven McGinty is Research Officer at the Knowledge Exchange. This blog post has been republished with his kind permission.

Read Ibrahim Hasan’s FOI predictions here

Our forthcoming FOI workshops will look at these and other developments.

CCTV and the Law

By Steve Morris

The updated version of the Information Commissioner's CCTV Code of Practice addresses the rising phenomenon of new surveillance technologies and methods. No longer are surveillance cameras passive image collectors, providing a resource for immediate use or historical evidence.

CCTV, ANPR, Body Worn Cameras, Aerial Drones, together with the associated analytical tools and software, are all technologies being used within many public and private sector organisations.

These technologies are invaluable for efficient and effective public protection as well as revenue collection and enforcement activities. Just one such example might be lone workers performing a caring function and, for their safety, wearing audio and video recording equipment when they leave the safety of their own home. These persons then enter the private dwelling of a vulnerable person in need of assistance. In some instances the video and audio will be running throughout the whole of the attendance, often with a live feed to a control room. The benefits for the safety of the carer are clear, and the immediate response and advice by control room personnel is undoubtedly beneficial for the person requiring assistance. But this equipment is capturing images and conversation of an individual, and perhaps family and friends, within that person's private home. The images and conversation being witnessed by others many miles away are likely to be very intimate and private.

Does this vulnerable person or those responsible for them realise this is actually taking place?

Do they consent to it as a part of the provision of the service?

Before a public authority undertakes such activity it must conduct a privacy impact assessment, and perhaps obtain consent for the collection and processing of such information. Without such consideration, and a record of that assessment, it might easily be argued that the organisation has not shown "respect for private life" in accordance with Article 8 of the European Convention on Human Rights, and the activity might be deemed to be unlawful, and indeed might be in breach of the Data Protection Act 1998. The Care Quality Commission has issued guidance on the use of cameras in care homes.

The Surveillance Camera Commissioner, Tony Porter, pursuing compliance with the Code of Practice issued under the Protection of Freedoms Act, has identified several aspects of non-compliance when it comes to CCTV cameras:

  • Inadequate or non-existent privacy impact assessments
  • Equipment deployed with no respect or consideration for privacy or consideration for the benefit balanced with intrusion (proportionality)
  • Equipment in use not fit for purpose
  • Excessive use of surveillance
  • Removal of surveillance such as CCTV to reduce costs with little regard for the void left in relation to public safety and security

In a speech to the CCTV User Group, Mr Porter said budget cuts had led councils to decide to spend less on public space CCTV, meaning there was less money for staff training, poorer understanding of legal issues and a reduced service. He said councils could face greater scrutiny of their use of CCTV, including potential inspections and enforcement. Organisations should carry out annual reviews of their CCTV capacity but many failed to do so. He cited a West Midlands local authority which, upon review, reduced the number of ineffective cameras and saved £250,000 in the process.

Mr Porter, who has been in his post since March 2014, has written to council chief executives to remind them of the law and code of practice.

My latest series of one day CCTV law workshops examine the ‘surveillance landscape’ and the regulatory regime of the Information Commissioner, the Office of the Surveillance Commissioner, and the Surveillance Camera Commissioner. Attendees will be able to identify which regime(s) and codes of practice apply to their surveillance activity, and how to manage efficient, effective and lawful surveillance systems.

Steve Morris is an ex police officer and one of our expert surveillance law trainers. His CCTV law workshops take place in Manchester and London in October.

Permission Impossible? Consent and the new EU Data Protection Regulation

By Scott Sammons

I recently took part in an ‘Information Awareness’ week for a local council. This was an event for council staff involving various training sessions revolving around a certain theme. Last year the sessions were on the theme of game shows and this year the theme was films.

I was lucky enough to draw the session title ‘Per-mission Impossible’ which would be looking at the subject of consent and permissions in their various forms. I make a point of not naming organisations I work with but credit for the title of this blog must go to them.

We had some really interesting discussions around what people believe are the current pitfalls and benefits with consent and what people think of the new world of consent as proposed by the European Union (EU) in their Data Protection Regulation.

We started with the current world and looked at the guidance from the Information Commissioner’s Office (ICO). Their Guide to Data Protection states:

“Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as: …any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

This is primarily aimed at Data Controllers who are looking to use consent as a justification for the processing of personal data especially, and more explicitly, where that data is sensitive in nature.

Bearing this in mind, there is then a conversation to be had around what that actually means in the real world. You know, that world where you have a Data Subject on the phone or sat in front of you who is more interested in resolving their query or issue than in understanding what is happening with their personal data. Personally I’ve always seen the matter of consents and permissions as a customer service issue. Yes, there are things we must do as part of compliance, and must be able to demonstrate as part of our compliance. However, the method and delivery should very much be aligned with the customer service standards and processes of the organisation. As the phrase goes, “tax doesn’t have to be taxing.” Well, “permissions don’t have to be a mission”. (I know, it was the best I could come up with at short notice!)

If you treat the gaining and subsequent management of permissions as a “compliance task” then that mind-set will always see it as a nightmare and a hurdle to overcome. However, if you approach it as you would any other aspect of customer service and apply good customer service principles, you will get much closer to a compliant permissions model. It also puts you in a good position for the future.

Another aspect of the discussion around permissions and consent management involves the question of how to effectively manage a consent or permission regardless of the channel in which it is being obtained.

Regardless of the channel in which you communicate with the Data Subject, the only effective method for tracking consents/permissions is an electronic database that either forms part of, or interacts with, your main customer database. But with that comes a series of concerns around ensuring that this system is kept relevant and up to date. For example, in a large organisation where a customer speaks to some random part of the organisation and expresses a preference, how do you ensure that the preference is captured and updated accordingly throughout the organisation?

These are important discussions to be had now because, as I run through below, the requirement to effectively and clearly demonstrate that you are doing the above becomes more important when the proposed EU Data Protection Regulation comes into force.

Permissions of the Future: All roads lead to explicit…?

So in my last blog post I gave an update on the General Data Protection Regulation and said that I’d start to focus on individual parts. Well this is the first one (and apologies that it’s taken me a while).

In the Commission’s proposal for a new General Data Protection Regulation, it proposed that whenever a business relies on consent as a valid ground for processing personal data, that consent should be ‘explicitly’ given. This changes the current position where consent only needs to be ‘explicit’ where a business wants to rely on it as a basis for processing sensitive personal data. Put simply, for processing for marketing purposes for example (which is almost always on the basis of consent) everyone will be required to “opt in” rather than opt out under the current regime (for phone and post at least). [References: European Commission Regulation Text CH I ART 4: General Provisions – definitions (8), CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (1-4)]

When the draft text made it through the European Parliament, the Parliament gave its backing to the new definition of ‘consent’ suggested by the Commission. It too believed that consent needs to be “freely given specific, informed and explicit” and provided “either by a statement or by a clear affirmative action”. And, in contrast to today’s requirements, the burden of demonstrating that the legal standard of ‘consent’ has been achieved would lie with organisations. [References: European Parliament Regulation Text CH I ART 4: General Provisions – definitions (8), CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (2)]

In contrast, the Council said there was broad support for rules which would require organisations seeking to rely on consent to process personal data to ensure that the consent is “unambiguous”. This seems to back the broad legal standard for consent that exists under current EU data protection laws and not a radical change to explicit consent regardless of context. [References: European Council Regulation Text Comparison (so far) CH I ART 4: General Provisions – definitions, CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (1)]

This post does not explore the requirements around children’s data. However the principle of “informed and explicit” consent is replicated there. This will be the subject of a different post so watch this space.

Which of these texts is likely to survive, I hear you ask? Well, like most things in the world of politics, that is unclear. However, if you look at it from a numbers point of view then 2 of the 3 approving bodies favour explicit consent and a requirement to demonstrate when and where that consent was collected. If I was a betting man I’d say that some shift towards explicit consent is going to happen, but how far is anybody’s guess.

More importantly organisations should be looking at how they currently manage and capture consents. If this is something that they don’t do (for whatever reason) then it’s time to start looking at how this can be factored into processes and staff trained so it gets woven into customer service standards.
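One way to hold consents in the channel-independent register described above, and to produce the when-and-where evidence that the Parliament text would put on organisations to demonstrate. This is an added example, not code from the original post or from the ICO; the ConsentLedger class, its field names, the “affirmative action” flag and the sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentEvent:          # one captured decision; the field names are hypothetical
    subject_id: str          # customer reference
    purpose: str             # e.g. "marketing-email"
    granted: bool            # True = given, False = withdrawn
    channel: str             # "phone", "web", "post", "in-person"
    recorded_by: str         # staff id or system that captured it
    wording_version: str     # version of the statement the person saw or heard
    affirmative: bool        # a clear affirmative action, not a pre-ticked box
    at: datetime             # timezone-aware capture time

class ConsentLedger:
    """Append-only: nothing is edited or deleted, so the latest event is the
    current position and the whole history is the evidence."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)
    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        hits = [e for e in self._events if (e.subject_id, e.purpose) == (subject_id, purpose)]
        return max(hits, key=lambda e: e.at) if hits else None
    def may_process(self, subject_id: str, purpose: str, require_explicit: bool = True) -> bool:
        # latest event wins whichever channel it came through; under the
        # "explicit" standard it must also rest on an affirmative action
        e = self.current(subject_id, purpose)
        return bool(e and e.granted and (e.affirmative or not require_explicit))
    def evidence(self, subject_id: str, purpose: str) -> list[str]:
        # chronological audit trail: when, where, by whom and on which wording
        return [f"{e.at.isoformat()} {e.channel}/{e.recorded_by} wording {e.wording_version}: "
                + ("granted" if e.granted else "withdrawn")
                for e in sorted(self._events, key=lambda e: e.at)
                if (e.subject_id, e.purpose) == (subject_id, purpose)]

def build_sample_ledger() -> ConsentLedger:
    # constructed sample: email consent given by phone, later withdrawn on the web;
    # post consent captured from a pre-ticked web box, so it is not affirmative
    led = ConsentLedger()
    for purpose, granted, channel, who, affirm, when in [
        ("marketing-email", True, "phone", "agent-42", True, datetime(2015, 9, 1, 10, 0, tzinfo=timezone.utc)),
        ("marketing-post", True, "web", "website", False, datetime(2015, 9, 2, 9, 0, tzinfo=timezone.utc)),
        ("marketing-email", False, "web", "website", True, datetime(2015, 10, 5, 14, 30, tzinfo=timezone.utc)),
    ]:
        led.record(ConsentEvent("S-1001", purpose, granted, channel, who, "v3", affirm, when))
    return led
```

Querying the sample with `require_explicit=False` shows the difference between today’s broad standard and the proposed explicit one: the pre-ticked post consent passes under the former and fails under the latter.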

Scott Sammons is an Information Risk and Security Officer in the medico-legal sector and blogs under the name @privacyminion. He is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Want to know more about the EU Data Protection Regulation? Attend our full day workshop: http://www.actnow.org.uk/courses/1540