Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

Facebook, Social Networks and the Need for RIPA Authorisations

canstockphoto12584745By Ibrahim Hasan

Increasingly local authorities are turning to the online world, especially social media, when conducting investigations. There is some confusion as to whether the viewing of suspects’ Facebook accounts and other social networks requires an authorisation under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). In his latest annual report the Chief Surveillance Commissioner states (paragraph 5.42):

“Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

Careful analysis of the legislation suggests that whilst such activity may be surveillance, within the meaning of RIPA (see S.48(2)), not all of it will require a RIPA authorisation. Of course RIPA geeks will know that RIPA is permissive legislation anyway and so the failure to obtain authorisation does not render surveillance automatically unlawful (see Section 80).

There are two types of surveillance, which may be involved when examining a suspect’s Facebook or other social network pages; namely Directed Surveillance and the deployment of a Covert Human Intelligence Source (CHIS). Section 26 of the Act states that surveillance has to be covert for it to be directed:

“surveillance is covert if, and only if, it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place” (my emphasis)

If an investigator decides to browse a suspect’s public blog, website or “open” Facebook page (i.e. where access is not restricted to “friends”, subscribers or followers) how can that be said to be covert? It does not matter how often the site is accessed as long as the investigator is not taking steps to hide his/her activity from the suspect. The fact that the suspect is not told does about the “surveillance” does not make it covert. Note the words in the definition of covert; “unaware that it is or may be taking place.” If a suspect chooses to publish information online they can expect the whole world to read it including law enforcement and council investigators. If he/she wants or expects privacy it is open to them to use the available privacy settings on their blog or social network.

The Commissioner stated in last year’s annual report:

“5.31 In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.” (my emphasis)

I agree with the last part of this statement. The gathering and use of online personal information by public authorities will still engage Human Rights particularly the right to privacy under Article 8 of the European Convention on Human Rights. To ensure such rights are respected the Data Protection Act 1998 must be complied with. A case in point is the monitoring last year of Sara Ryan’s blog by Southern Health NHS Trust. Our data protection expert Tim Turner wrote recently about the data protection implications of this kind of monitoring.

Where online surveillance involves employees then the Information Commissioner’s Office’s (ICO) Employment Practices Code (part 3) will apply. This requires an impact assessment to be done before the surveillance is undertaken to consider, amongst other things, necessity, proportionality and collateral intrusion. Whilst the code is not law, it will be taken into account by the ICO and the courts when deciding whether the DPA has been complied with. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

Facebook Friends – A Friend Indeed

Of course the situation will be different if an investigator needs to become a “friend’ of a person on Facebook in order to communicate with them and get access to their profile and activity pages. For example, local authority trading standards officers often use fake profiles when investigating the sale of counterfeit goods on social networks. In order to see what is on sale they have to have permission from the suspect. This, in my view, does engage RIPA as it involves the deployment of a CHIS defined in section 26(8):

“For the purposes of this Part a person is a covert human intelligence source if—

(a) he establishes or maintains a personal or other relationship with a person for the covert purpose of facilitating the doing of anything falling within paragraph (b) or (c);

(b) he covertly uses such a relationship to obtain information or to provide access to any information to another person; or

(c) he covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship”  (my emphasis)

Here we have a situation where a relationship (albeit not personal) is formed using a fake online profile to covertly obtain information for a covert purpose. In the case of a local authority, this CHIS will not only have to be internally authorised but also, since 1st November 2012, approved by a Magistrate.

This is a complex area and staff who do not work with RIPA on a daily basis can be forgiven for failing to see the RIPA implications of their investigations. From the Chief Surveillance Commissioner’s comments (below) in his annual report, it seems advisable for all public authorities to have in place a corporate policy and training programme on the use of social media in investigations:

“5.44 Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities. It can also be delivered in house.

In conclusion, my view is that RIPA does not apply to the mere viewing of “open” websites and social network profiles. However in all cases the privacy implications have to be considered carefully and compliance with the Data Protection Act is essential.

Ibrahim will be looking at this issue in depth in our forthcoming webinars.

Looking to update/refresh your colleagues’ RIPA Knowledge. Try our RIPA E Learning Course. Module 1 is free.

We also have a full program of RIPA Courses and our RIPA Policy and Procedures Toolkit contains standard policies as well as forms (with detailed notes to assist completion).

New RIPA E-Learning Course

capture-20150824-141930

Regular refresher training for those conducting covert surveillance under Part 2 of the Regulation of Investigatory Powers Act (RIPA) is a common recommendation by the Office of Surveillance Commissioners (OSC) following inspections. Up to now, public authorities have had a choice of sending their staff on external courses or engaging our RIPA experts to deliver customised in house training at their premises. Both these options have cost implications. Some authorities can only afford to train a handful of staff thereby running the risk of non compliance by others who may not know what RIPA is and when it is engaged.

Enter the new Act Now RIPA E Learning Course. From the comfort of their own desk public authority staff can now receive relevant and up to date training on covert surveillance regulated by Part 2 of RIPA (Directed Surveillance, CHIS and Intrusive Surveillance) including the authorisation process. From as little as £49 plus vat, five interactive modules can be accessed which have a stimulating and creative approach that engages and challenges the learner. Real-life scenarios, knowledge checks, case studies and examples are included to add relevance and increase comprehension and retention. A short final course assessment leads to a certificate.

This course is not just for new staff or those with little knowledge of RIPA. It will also help experience staff to refresh and update their knowledge as it takes into account the latest RIPA codes and new authorisation procedures. Those who are really confident can do the final course assessment first, to test and identify any gaps in their knowledge. These can then be filled by doing each module. The unscored quizzes and interactions within each module and the final scored assessment are designed to challenge even RIPA geeks!

Sam Lincoln, a former OSC chief inspector, has designed the course assisted by Ibrahim Hasan. Sam says:

“I was delighted to be commissioned by Ibrahim and his team at Act Now to produce this eLearning course. When I was Chief Inspector at the OSC I was aware that many local authorities, constrained by budget reductions, were attempting to provide their own training in-house. Despite valiant efforts the result was often regurgitation of the codes of practice and ‘death by PowerPoint’ lectures. I wanted to produce something that was more interesting and included interaction, feedback and assessment.”

Upon reviewing the course our RIPA expert and trainer, Steve Morris, said:

“I have had an opportunity to review the finished product and have to say it is a great mix of knowledge, animation and assessment, using many different learning delivery methods to keep the learner engaged. Sam provides clear well-paced narration and his choice of words make the modules easy to follow and understand. I would say the modules are ideal for anyone involved with the management and application of RIPA, whatever their position.”

The Act Now RIPA E Learning Course is suitable for staff in all public authorities but particularly those in local authorities working in trading standards, environmental health, planning, licensing and enforcement.

Want to know more? Watch module 1 for FREE and join our live demonstration webinar.

Office of Surveillance Commissioners (OSC) Annual RIPA Report (2015) – Key Points

file2871316133148

The Chief Surveillance Commissioner, Sir Christopher Rose, published his final annual report on 25th June 2015. A lot of the report is typical of someone in his position who is leaving office, having a few parting moans. Then again, a £56,000 maintenance fee from the Home Office (paragraph 3.3) for a relatively simple website is well worth moaning about)!

The report covers the period from 1st April 2014 to 31st March 2015 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). It details statistics relating to the use of these tactics and information about how the Office of Surveillance Commissioners (OSC) conducts its oversight role.

Non-law enforcement agencies (including councils) authorised Directed Surveillance on 2207 occasions in the reporting period. The Department for Work and Pensions completed 25% of these. This continues a downward trend over the last few years. Last year there were 4,412 of such authorisations. Much of this downward trend is due to the continued impact of the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance.

A total of 373 authorisations were presented to a magistrate for approval under The Protection of Freedoms Act 2012 during the reporting period. Just 17 were rejected. The Commissioner continues to be sceptical about the need for the changes saying, “I remain to be convinced of the value of this additional approval procedure which, obviously, promotes delay.”

The Commissioner, just like in his previous report, has expressed concern about the level of RIPA knowledge amongst magistrates:

“I have good reason to believe that training provision for magistrates in relation to RIPA and The Protection of Freedoms Act 2012 has been minimal and several councils have ended up providing this themselves to enable the new procedure to work effectively: this is commendable but not, presumably, what Parliament contemplated.” (Para 5.27)

Social Networks

The Commissioner advises caution when conducting online investigations especially where this involves examining social networking sites. A RIPA authorisation may be required in some cases:

“5.42 Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

From the Commissioner’s comments at paragraph 5.44 it seems advisable that councils should have in place a corporate policy and training programme on the use of social media in investigations:

“Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

Common inspection findings

At paragraph 5.47 of the report, the Commissioner lists the main issues that he has commented upon in his inspection reports:

  • Unsubstantiated and brief, or, conversely, excessively detailed intelligence cases
  • Over-formulaic consideration of potential collateral intrusion and an explanation of how this will be managed
  • Limited proportionality arguments by both applicants and Authorising Officers – the four key considerations (identified by my Commissioners and adopted within the Home Office Codes of Practice), if addressed in turn, should provide a suitably reasoned argument
  • More surveillance tactics and equipment authorised at the outset than appear to have been utilised when reviews and cancellations are examined
  • A regurgitation of the original application content at reviews, including a “cut and paste” proportionality entry that fails to address why the activity is still justified, in place of a meaningful update to the Authorising Officer about what has taken place in the intervening period
  • At cancellation, a rarity of meaningful detail for the Authorising Officer about the activity conducted, any collateral intrusion that has occurred, the value of the surveillance and the resultant product; and whether there has been any tangible outcome
  • Similarly, paltry input by Authorising Officers at cancellation as to the outcome and how product must be managed, and any comment about the use or otherwise of all that had been originally argued for and authorised
  • In the case of higher level authorisations for property interference and intrusive surveillance, an over-reliance by Senior Authorising Officers on pre-­prepared entries that alter little from case to case, or at times, regardless of who is acting as the Authorising Officer
  • In those same cases, often poorly articulated personal considerations as to the matters of necessity, collateral intrusion and proportionality; no or few entries at reviews; and little meaningful comment at cancellation
  • On the CHIS documentation, less common, but still encountered, the failure to authorise a CHIS promptly as soon as they have met the criteria; and in many cases (more typically within the non-law enforcement agencies) a failure to recognise or be alive to the possibility that someone may have met those criteria
  • A huge variation in the standard of risk assessments, whereby some provide an excellent “pen picture” of the individual concerned and the associated risks, whilst others can be over-generic and are not timeously updated to enable the Authorising Officer to identify emergent risks
  • Discussions that take place between the Authorising Officer and those charged with the management of the CHIS under Section 29(5) of RIPA are not always captured in an auditable manner for later recall or evidence, though this is starting to improve following our advice
  • As resources become stretched within police forces, the deputy to the person charged with responsibilities for CHIS under Section 29(5)(b) often undertakes those functions: as with an Authorising Officer, this is a responsibility which cannot be shared or delegated

Finally the Commissioner says that during inspections his staff have found that there is “a continuing lack, in many public authorities, of on-going refresher training for officers who may have been trained many years ago, or who have not been eligible for specialised training by dint of career progression or role.”

Those who have an OSC inspection in the Autumn should read Sam Lincoln’s e book which he has written for us entitled “How To Impress An OSC Inspector.” Get in touch if you want a free copy.

Last year new codes of practice under Part 2 of RIPA were introduced.

STOP PRESS… STOP PRESS… STOP PRESS… STOP PRESS…

ONLINE RIPA TRAINING

Looking for an e-learning solution for your RIPA training needs? http://www.actnow.org.uk/content/185

———————————————————————————————————-

Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience. If you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance.

New RIPA Communications Data Code of Practice

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities, including councils, under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000(RIPA), came into force.  It contains several policy changes, which will require careful consideration.

The key change is the need to ensure the independence of the Designated Person (DP). This is the person within the public authority who has to be satisfied that acquiring the communications data is necessary and proportionate and who signs off the application. Paragraph 3.12 of the new code states that DPs must be independent from operations and investigations when granting authorisations, or giving notices related to those operations.

This policy change was brought about in response to the European Court of Justice (ECJ) Judgment which struck down the Data Retention Directive (2006/24/EC) as the Directive did not include sufficient safeguards as to why and by whom such data may be accessed. The Judgment noted that the Directive contained no safeguards in relation to access to the retained data, including in relation to the independence of the person authorising access to the retained data.

The new code requires public authorities to satisfy the Interception of Communications Commissioner’s Office (IOCCO) that they have sufficient measures in place to ensure the DP’s independence. IOCCO have set out certain guidelines. In a nutshell, a DP must not be directly responsible for the operation or investigation (i.e. they should not have a strategic or tactical influence on the investigation). He/she should be far enough removed from the applicant’s line management chain which will normally mean they are not within the same department or unit. Applicants should not be able to choose who the DP will be on a case by case basis (save for in urgent circumstances). Finally, there should be a defined group of DPs in an organisation i.e. a recognised list defined by role and/or position.

Public authorities will need to ensure that they have a formal procedure setting out the arrangements in place to ensure independence. This will be examined by IOCCO during their inspection. It will also explore how the DPs are selected to consider applications and will audit compliance with the code.

There are exceptions to the rule of independence of DPs set out in the IOCCO Circular of the 1st June 2015 advising public authorities of the changes. These exceptions mainly relate to urgent authorisations and where very small teams of investigators mean that independence would be difficult. These exceptions will not normally apply to local authorities.

In all circumstances where public authorities use DPs who are not independent from an operation or investigation (save for the exceptions) this must be notified to the IOCCO at the next inspection. The details of the public authorities and the reasons such measures are being undertaken may be published and included in the IOCCO report.

What Should You Do Now?

  1. Prepare for an IOCCO inspection. The Commissioner still inspects councils despite their infrequent use. Read here what a typical inspection involves.
  1. Review your current DP authorisations and procedures. You may need to nominate additional (independent) DPs
  1. Review training for DPs. Paragraph 3.8 of the code says:

“Individuals who undertake the role of a designated person must  have current working knowledge of human rights principles and  legislation, specifically those of necessity and proportionality, and how they apply to the acquisition of communications data under Chapter II and this code.”

Do all your DP’s have this knowledge to undertake their role?

Act Now is offering live and interactive webinars for DPs tailored to your organisation. The webinars last for one hour which include an online test. All participants receive a certificate of completion. Get in touch for a quote.

How To Impress An OSC Inspector – Free E Book

How to impress an OSC inspector

In recent weeks reports reviewing RIPA by the Independent Reviewer of Terrorism and the Royal United Services Institute have been published. Both reports emphasised the need for clearer law and stronger oversight.

Some may presume that their recommendations persuade the Government to replace the Regulation of Investigatory Powers Act (RIPA), its amendments and related legislation, with something entirely new. That presumption may prove accurate.

However, I believe that any replacement is unlikely to substantially adjust the basic tenet of RIPA which is founded on Human Rights legislation. In particular, it is likely to retain the basic principles of necessity and proportionality along with the requirement for public authorities to produce a verifiable and contemporaneous audit of decisions and actions.

Whether or not local authorities in United Kingdom will be enabled by similar discretionary power remains to be seen. But if the effect of the Protection of Freedoms Act is illustrative, taking away the protection of law does not necessarily prevent covert surveillance conducted intentionally or accidentally. It merely removes protection from liability … neither public authorities nor citizens are properly protected.

Unless, as is the case with an interception, forms of covert surveillance are made unlawful without a warrant or authorisation, it is likely that investigatory powers will remain discretionary. Discretion – even if later approved by a designated official external to the relevant investigating authority – attracts misuse by officials if not official misuse.

The demand for better oversight is a key recommendation in both reports and there is an increasing expectation that the public is better informed regarding the potential for or actual abuse of discretionary powers.

Suffice to say that the Office of Surveillance Commissioners, or a body with similar or enhanced responsibility, will remain. Inspection is likely to be a key method to assess compliance and performance.

Impressing an inspector – and thus providing a mechanism to protect reputation and improve trust – should remain a concern to all those who are enabled to conduct surveillance covertly.

In my new E Book “How To Impress An OSC Inspector”, I provide my personal insights regarding how a local authority might best approach an OSC inspection. The information in the book remains relevant regardless of future change to legislation. It is directed at local authorities but is relevant to other public authorities.

You can download the E Book here.

I would be interested in your views. Please feel free to comment (below) or directly by email.

Sam Lincoln was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years.

STOP PRESS… STOP PRESS… STOP PRESS… STOP PRESS…

ONLINE RIPA TRAINING

Looking for an e-learning solution for your RIPA training needs? http://www.actnow.org.uk/content/185

———————————————————————————————————-

Act Now has revised its RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience.

The FOI response arriving on platform two is 18 months late…

The request went in at the end of 2013. You can read the post again here and only 18 months after the original request during which time the east cost franchise changed hands. East Coast (government owned) failed to reply for 14 months and when I wrote to Virgin trains (the new owners) earlier this year I didn’t expect much but today the reply arrived.

“I am contacting further to your correspondence regarding information relating to taxis arranged from London King’s Cross station.

I apologise for the delay in responding to you; regrettably an administrative error prevented a previous response from being sent and I am sorry for any inconvenience this may have caused.

You have requested to know the number of times we supplied taxis to passengers arriving at Kings Cross on delayed trains, the total cost of these taxis and the total number of passengers and taxis involved. We do not have records comprehensive enough to fully provide this information however we have reviewed our taxi invoices for 2014 which shows that in that year there was a total of 1800 taxi jobs arranged with a total cost of £254,024.62. Regrettably we are unable to advise of the number of people these taxi jobs were arranged for or the reason why the taxis were arranged as this information is not recorded.”

Well done to Virgin – a Blue Riband to you. Poor show from East Coast – a purple shirt and tie set for your avoidance of FOI for 14 months.

Give your career a boost by gaining an internationally recognised qualification in FOI. No time/budget to attend courses? Keep up to date with all the latest FOI decisions by viewing our live one-hour web seminars.

I Don’t Believe It! Fees for FOI Tribunal Appeals

Just when you thought FOI was safe (“Oh no we didn’t! Not after that Cabinet Office packed the new FOI Commission with people who don’t particularly care about FOI”, I hear you say), The Ministry of Justice has announced a consultation into changes to fees for, amongst others, FOI appeals at tribunal stage.

If the proposal goes ahead, it will cost £100 to apply for an appeal to the First Tier Tribunal (Information Rights) or the Upper Tribunal (if the case is transferred), and £500 for an oral hearing. Christopher Knight of 11 KBW has produced a helpful summary in this post on the Panopticon Blog.

This proposal is not a great surprise. In July 2012, the Justice Select Committee published its Report into Post-Legislative Scrutiny of the Freedom of Information Act 2000. The Government published its official response in December 2012 and paragraph 24 mentioned the possibility of introducing tribunal fees despite the Committee never suggesting it.

Introducing tribunal fees is clearly an attempt to curtail the public’s right to know in the guise of cost saving. The Campaign for Freedom of Information are mounting a vigorous defence of FOI. We should all try and contribute. Readers can also sign the 38 Degrees Petition to protect FOI laws.

Tribunal fees will have a big impact on the number of challenges to public authority decisions. Overworked FOI Officers may initially see cause for celebration. However if fewer appeals are heard the quality of FOI caselaw on important matters of interpretation will suffer. Consequently application of the FOI exemptions, as well as other provision, will become more difficult. This alone is a good reason for a robust response to the consultation from the public sector.

The consultation paper and the impact assessment on tribunal fees are both on the Ministry of Justice website. The deadline for responses is 15th September 2015.

What else is afoot for FOI? I looked into my crystal ball, after the election, to predict how FOI could change now we have a Conservative majority government. It will be interesting to see how many of my predictions come true when the FOI Commission reports back in November.

Don’t forget on 18th July 2015 the new Re-use of Public Sector Information Regulations 2015 (ROPSI) came into force, replacing the 2005 version. They contain some important changes to the UK public sector information re use regime.

Ibrahim Hasan will be reviewing the latest FOI developments and caselaw in detail, in our forthcoming FOI Update webinar.

Aberdeen NOW! Act Now Training comes to Aberdeen!

Aberdeen

Are you based in Aberdeen? Is travelling to Edinburgh time consuming and expensive? Well we have some great news for you… Act Now Training is coming to Aberdeen!

Act Now Training is the UK’s leading provider of seminars and workshops on all aspects of Data Protection, Freedom of Information, Surveillance Law and Records Management. We are pleased to announce new workshops in Aberdeen which:

· are very competitively priced at just £265 plus vat

· run for a full day from 10am to 4pm

· refreshments and lunch provided

· include comprehensive delegate training materials

Log on to our website or click on the links below for all our available courses coming up in September. Book early to avoid disappointment.

Data Protection Act: An A-Z Guide

Freedom of Information (Scotland) Act: An A-Z Guide

Practitioner Certificate in The Freedom of Information (Scotland) Act

Managing Subject Access Requests

All our courses will be held at the Jury’s Inn Hotel. Adjoining the Union Square Shopping Centre, this modern, city-centre hotel is a 3-minute walk from Aberdeen Railway Station making it the perfectly placed, centrally located venue for all your training needs.

We look forward to seeing you!

Re Use Re Loaded – New Public Sector Information Regulations In Force

On 18th July 2015 the new Re-use of Public Sector Information Regulations 2015 (ROPSI) came into force, replacing the 2005 version. They contain some important changes to the UK public sector information re use regime.

The new Regulations implement Directive 2013/37/EU, which amends Directive 2003/98/EC on the re-use of public sector information (the 2003 Directive). The aim of the latter was to remove obstacles that stood in the way of re-using public sector information. Key obligations for public authorities (including the health, local government and central government sectors) include:

  • being transparent and open about the terms and fees for re-use of information they hold
  • where licences are required to re use information, standard terms and conditions should be offered
  • having accurate notices and statements on documents and websites
  • producing an Asset List so that potential re-users of information know what is available
  • having a complaints process

A full article on the 2005 Regulations can be downloaded here. Key changes made by the new Regulations include:

  • Adding the previously excluded cultural sector (libraries, museums and archives) to the scope of the Regulations
  • Making it an obligation to allow re-use of most public sector information. Previously this was optional.
  • Extending the scope of the information available for re use to not just that which is accessible but anything produced held or disseminated with a public authority’s public task (unless restricted or excluded).
  • Marginal cost pricing is the default (subject to some exceptions) when it comes to charging for re use. Previously a profit could be made.

For the first time the UK re use regime will have teeth similar to FOI. Once the public sector body’s internal complaints procedures have been exhausted, a complainant may turn to the Information Commissioner, who can make a binding decision. A further appeal can be made to the First-Tier Tribunal.

How will the new Regulations overlap with the new dataset obligations under the FOI?  As a result of amendments made by the new Regulations, the requirements relating to datasets under FOI are now as follows.

If you are a public authority making a dataset available in response to an FOI request, you must, so far as is reasonably practicable, make it available in a re-usable, electronic form. You must also make requested datasets available in your publication scheme in a re-usable form unless you are satisfied that it is not appropriate to do so.

However, if the dataset falls under ROPSI, for example because it is produced as part of your “public task”, then you must calculate any charges for allowing re-use and deal with any licences under ROPSI and not FOI. This applies to providing the dataset in response to a request and making it available in the publication scheme.

So, for an FOI public authority, for any dataset that is covered by ROPSI, FOI applies to the format in which it is made available, but ROPSI applies to the charges and licences for re-use.

If the dataset does not fall under ROPSI because you are an FOI public authority but not a public sector body for the purposes of ROPSI, then the provisions in FOI regarding charges and licences for re-use will apply to it. Read the Information Commissioner’s Guide here. Expect lots of appeals to the ICO over these provisions.

The National Archives is the UK policy lead on public sector information. Its website contains useful resources on this topic. All public sector organisations need to carefully consider the new Regulations and how they will impact on the information they produce and disclose.

Want to know more? Ibrahim Hasan will explain the new Regulations in detail our live one-hour web seminar.

Give your career a boost by gaining an internationally recognised qualification in FOI.

Requesting Your Permission

I received an email last week. It was from someone I’d never heard of.

Email

Translating this into PECR speak

We have a list of emails. We don’t think we have your consent to email you which would lead to us breaching PECR so we’re writing to ask for your permission which in itself is breach of PECR. By putting Request for Permission in the subject line we’re hoping you’ll think we know what we’re doing and that we’re a nice company.

I asked them by email to tell me where they obtained my email. A week later they hadn’t replied. I know a week is a long time in politics but a week is a light year in emails.

I upgraded my request to a Subject Access Request and suggested they pass my request to their DPO. Less than 3 hours later I had a reply which appeared to come from near the top.

Dear Sir

Thank you very much for your email and for reaching out to us with regards to our recent emails to you. We have carried out an investigation into your complaint as we take this type of matter very seriously.

As per your inquiry, we have recently acquired a new supplier called “Latest Mailing Database” (latestdatabase.com) who provided us a list of customers’ email addresses interested in travel. They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes.

Upon receiving your inquiry, we have realised that the reassurances we received from this company is in question. While we investigate this further, we have subsequently ceased the use of that mailing list they have provided and all the e-mails, including yours, have now been deleted from our Databases.

We apologise for any inconvenience caused.

Best regards,

Spiros XXXXXXX

Head of International Marketing and Business Development

At least I received a reply but the phrase “They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes” started to worry me. Also a list of people who are interested in travel. Isn’t that a list of everyone in the world? We all travel. Now if they’d asked for a list of those interested in sex and travel we’d have a snappy answer.

Globehunters have a privacy policy which looks pretty good. Just for fun I looked up their company name and their postcode on the ICO Register of Data Controllers. The ICO doesn’t have any record of their name and there are only 2 notifications from their postcode both from the next door building.

I couldn’t resist looking at his source for the emails.

http://www.latestdatabase.com A quick scan through showed their address was Majira Bypass Sajahanpur, Bogra, Bangladesh and they sold email lists. Google maps zeroes in rapidly on a company called seoexparte. A touching review of the company is available.

 

Email 2

 

They had a privacy policy too. http://www.latestdatabase.com/privacy-security-policy/ which was last updated in 2009.

Their UK customer list boasted 2 million records or just $300

Listing Include:

* Frist Name (sic)

* Last Name

* Age

* address

* Email Address

* Ip address

* Phone number

They also have a blog (http://www.latestdatabase.com/appearance-adele-gaga/) and although it would be churlish to mock their poor English if they’re operating in a global marketplace and assuring their customers contractually of the quality of their product it might be a good idea to use a spell checker.

They also seem to run http://emailmarketinglists.bloggets.net. And http://buyemaillists.yolasite.com/contact.php and https://emaillistsforsales.wordpress.com and http://mailinglsit.over-blog.com and http://issuu.com/emaillistsforsale and I gave up at this point.

So where are we now? For £190 a start up company has bought 2 million customer emails. This means that my email is worth 1/100th of a penny. When prodded they realize that they may have bought in a dodgy list so apologise and take my name off their list. A good response but no mention of my Subject Access Request. No Notification for their business and a lead to a major list seller who may just not check their lists that well.

All in day’s work for a PECR vigilante. I’ll see if Spiros comes back.

Act Now Training is one of the UK’s leading provider of seminars and workshops on all aspects of Data Protection, Freedom of Information, Surveillance Law and Records Management. More details www.actnow.org.uk