Section 56 is here! Oh no it isn’t! Oh yes it is!


Section 56 prevents employers from requiring people to use their subject access rights under the DPA to obtain and then provide certain records, as a condition of employment. It also prevents contracts from requiring certain records as a condition for providing or receiving a service. Section 56 does not, however, prevent such requests where the record is required by law or is justified in the public interest.

Section 56 was due to be commenced on 1 December 2014. Commencement was delayed because of a technical issue encountered when finalising arrangements for introduction. This issue has now been resolved.

Section 56 was commenced on 10 March 2015. There is an SI, 2015/312, entitled ‘The Data Protection Act 1998 (Commencement No. 4) Order 2015’.

It makes it a criminal offence to require an individual to make a subject access request and supply it to a potential employer for the purpose of obtaining or continuing in employment. It also relates to a supplier of goods, facilities and services to the public who requires the production of a record to access that service. The ICO webinar suggests insurance might be such a case. They also suggest it applies to volunteers who help your organisation even though they may not be in employment.

Most practitioners called it Enforced Subject Access. In November 2014 the ICO ran a webinar outlining what this means and it’s worth a look. See the webinar on YouTube at https://www.youtube.com/watch?v=zTYBvr-tb5U. It’s 36 minutes long so set aside a lunch hour and buy your sandwich first. It does a good job looking into all the minor points and ends up with a few good examples of how it will be used.

It’s quite a logical and straightforward concept. Why on earth would you require someone to produce their police record to progress their application for employment? Certain jobs with vulnerable people involve disclosures from the Disclosure & Barring Service, and Disclosure Scotland is widely used, but employers in these areas know about this. Making people outside these areas obtain and produce a relevant record is clearly wrong.

There are some defences to a Section 56 charge: the usual suspects of a requirement under an enactment, rule of law or court order, and also the public interest, although prevention or detection of crime is specifically excluded from the public interest.

Now it’s time to watch the webinar, download the ICO guidance from https://ico.org.uk/for-organisations/enforced-sar/ and wait for the first case involving section 56.

Looking for a DP qualification? The Act Now Data Protection Practitioner Certificate is a practical four day course. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester. 

Controlling, Lying and Blocking: Ways for the individual to win the privacy arms race?

This is a version of Marion Oswald’s speech at the launch of the Centre for Law & Information Policy at the Institute of Advanced Legal Studies on 24 February 2015.

My talk is about controlling, lying and blocking. Could these activities enable an individual to win the privacy arms race against the data collection, surveillance, behavioural tracking and profiling abilities of search engines, marketers, social networking sites and others?

When we think about an arms race, we might imagine two sides evenly matched, both equally able to equip themselves with weapons and defences. But when it comes to individuals versus data collectors, the position is considerably unbalanced, the equivalent of a cavalry charge against a tank division.

It’s not however as if the individual is without protections. Let’s take consent, a key principle, as we know, of European data protection law. Consent based on privacy policies is rather discredited as an effective means of enforcing privacy rights over data held by commercial third parties. If I might quote Lillian Edwards, ‘consent is no guarantee of protection on Facebook and its like, because the consent that is given by users is non-negotiable, non-informed, pressurised and illusory.’[i] So what about regulatory enforcement? In the UK, it could be described as mostly polite, in the rest of Europe, sometimes a little more robust. The FTC in the US has had some notable successes with its enforcement action based on unfair practices, with Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, advocating privacy as being part of the ‘bottom line.’[ii] It remains to be seen whether market pressures will drive good faith changes in privacy practices – alternative subscription, advertising-free business models have failed to make much headway in terms of market share. The so-called ‘right-to-be-forgotten’ has been much debated and I would question how much the Google Spain decision[iii] adds to the individual’s armoury, the original publication remaining unaffected. And as for personal data anonymisation, this could be subject of a whole afternoon’s debate in itself!

What can individuals do if they want to take matters into their own hands, and become a ‘privacy vigilante’?[iv] Here are three possibilities: first, personal data stores (or ‘personal information management services’) are said by their promoters to enable individuals to take back control over their personal data and manage their relationship with suppliers. Pentland from MIT describes a PDS as ‘a combination of a computer network that keeps track of user permissions for each piece of personal data, and a legal contract that specifies both what can and can’t be done with the data, and what happens if there is a violation of the permissions.’[v]

Secondly, blocking. Systems could prevent tagging of individuals by third parties and set privacy defaults at the most protective. Lifelogging technologies could prevent the display of any recognisable image unless that individual has given permission.[vi] Individuals could deploy a recently invented Google Glass detector, which impersonates the Wi-fi network, sends a ‘deauthorisation’ command and cuts the headset’s internet connection.[vii]

Finally, obfuscation, by which technology is used to produce false or misleading data in an attempt, as Murray-Rust et al. put it, to ‘cloud’ the lens of the observer.[viii] It’s the technological equivalent of what most of us will have already done online: missing off the first line of our address when we enter our details into an online form; subtly changing our birthday; accidentally/on-purpose giving an incorrect email address in exchange for a money-off voucher. A personal data store could, for instance, be used to add ‘chaff’ (adding multiple data points amongst the real ones), or simulating real behaviour such as going on holiday. Brunton & Nissenbaum describe obfuscation as a ‘viable and reasonable method of last-ditch privacy protection.’[ix] On the face of it, obfuscation may seem to be an attractive alternative approach, providing individuals with a degree of control over how much ‘real’ information is released and some confidence that profiling activities will be hampered.

Are these methods ways for the individual to win the privacy arms race? As things stand, I have my doubts, although that is not to say that a legal and regulatory regime could not be created to support these methods. PDSs raise numerous questions about contract formation, incorporation, offers and counter-offers. Service providers would need to be prepared to change their business models fundamentally if PIMS are to fulfil their potential. In the short term, there appears to be little commercial incentive for them to do so.

In terms of blocking, systems could adopt protective measures but they don’t, because they don’t have to. Google Glass blockers may well fall foul of computer misuse legislation if used by members of the public rather than the network owner. In the UK, there would be a risk of a section 3 offence under the Computer Misuse Act 1990 – an unauthorised act with intent to impair the operation of any computer. Haddadi et al. suggest the ‘continuous broadcast of a Do-Not-Track beacon from smart devices carried by individuals who prefer not to be subjected to image recognition by wearable cameras’ although the success of this would depend on regulatory enforcement and whether device providers received and conformed to such requests.[x] It would be rather ironic, however, if one had to positively broadcast one’s presence to avoid image recognition.

As for obfuscation or lying on the internet, Murray-Rust et al. distinguish between official data, where obfuscation may be a criminal offence, and other data that can be obfuscated ‘without legal consequence.’[xi] The distinction is unlikely to be so clear cut: both on the civil side, and on the criminal side (fraud and computer misuse spring to mind), and this is something that I’ll be writing about in the future.

I would like to finish with this question about privacy vigilantism: by continuing to shift responsibility onto the individual, is this letting society off-the-hook for finding better solutions to privacy concerns?[xii] I think it probably is. Finding better solutions will require even closer interaction between computer scientists, lawyers and policy-makers.

Marion Oswald is a Senior Fellow and Head of the Centre for Information Rights at the University of Winchester (marion.oswald@winchester.ac.uk @_UoWCIR). This article was first published by the Society for Computers & Law and is reproduced with the author’s kind permission.

The 2nd Winchester Conference on Trust, Risk, Information & the Law on 21 April 2015 will be exploring the theme of the privacy arms race. To book, please click here.


[i] Lillian Edwards, Privacy, law, code and social networking sites, in Research Handbook on Governance of the Internet, (2013) Edward Elgar (Cheltenham) Ian Brown (Ed), 309-352, 324-328

[ii] Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission Beyond Cookies: Privacy Lessons for Online Advertising, AdExchanger Industry Preview 2015, January 21, 2015, 4 http://www.ftc.gov/system/files/documents/public_statements/620061/150121beyondcookies.pdf

[iii] Google Spain v AEPD and Mario Costeja Gonzalez (C-131/12), 13 May 2014

[iv] Marion Oswald, Seek, and Ye Shall Not Necessarily Find: The Google Spain Decision, the Surveillant on the Street and Privacy Vigilantism, 99-115, Digital Enlightenment Yearbook 2014 (K. O’Hara et al. (Eds))

[v] A. Pentland, Social Physics: How Good Ideas Spread – The Lessons from a New Science, The Penguin Press, New York, 2014

[vi] C. Gurrin, R. Albatal, H. Joho, K. Ishii, ‘A Privacy by Design Approach to Lifelogging’, Digital Enlightenment Yearbook 2014 (K. O’Hara et al. (Eds)), 49-73, 68

[vii] A. Greenberg, Cut Off Glassholes’ Wi-Fi With This Google Glass Detector, Wired, June 3, 2014, http://www.wired.com/2014/06/find-and-ban-glassholes-with-this-artists-google-glass-detector/

[viii] D. Murray-Rust, M. Van Kleek, L. Dragan, N. Shadbolt, Social Palimpsests – Clouding the Lens of the Personal Panopticon, 75-96, 76, Digital Enlightenment Yearbook 2014 (K. O’Hara et al. (Eds))

[ix] Finn Brunton, Helen Nissenbaum, ‘Vernacular resistance to data collection and analysis: A political theory of obfuscation’ First Monday, Volume 16, Number 5, 2 May 2011 http://firstmonday.org/article/view/3493/2955

[x] H. Haddadi, A. Alomainy, I. Brown, Quantified Self and the Privacy Challenge in Wearables, Society for Computers & Law, 5 August 2014 http://www.scl.org/site.aspx?i=ed38111

[xi] n viii, 90

[xii] n ix

Data Protection, the Law and Social Media: Keeping Your Boat Afloat


Paul Gibbons writes…

Social media have been good for me. Without my FOIMan blog and Twitter feed, I would never have been asked to deliver training for Act Now Training, or indeed offered many of the wonderful opportunities that have come my way in the last few years. I’ve made a whole new career off the back of them. Not only has my profile been raised by my use of these tools, but I’ve been able to learn from a whole range of knowledgeable people online – expanding my awareness and horizons way beyond anything I’d have considered possible just five years ago.

But even if I remove my FOIMan cape for a moment, social media has had a significant impact on me. I keep in touch with old friends via Facebook. My CV is widely available to hundreds of business contacts via LinkedIn. Before I book a holiday or dine out, I check Trip Advisor. If I want to know how decisions are made by my local council or indeed the Ministry of Justice, I can submit an FOI request via WhatDoTheyKnow. With an election on the way I can find out my MP’s voting record by consulting TheyWorkForYou, and perhaps write to them to ask what their position is on a particular issue. If I feel particularly strongly about that issue I might add my details to an online petition. Social media in their many forms pervade our lives. Many of us would be lost without them.

And it’s not just individuals that are becoming reliant on it. These tools provide novel ways to engage with the people who use them. Businesses have not been slow to exploit them for marketing and public relations purposes. Politicians – often accused of being remote from their electorate – have, with varying success, used them to speak directly to parts of that group. Academics conduct surveys, then disseminate their research, both via social media. A recent study found that 40% of students use social media as their primary form of communication with lecturers. Journalists also use it to research and report on stories. No television broadcast is complete these days without a hashtag allowing the viewers to interact. The police have used them to investigate or prosecute criminal acts. Central government encourages civil servants to embrace Twitter as a tool to communicate about public policy and gain insights into people’s reaction to it. Local government too, has found social media a productive way to interact with local citizens. We’re only beginning to see the ways in which social media can benefit our businesses, government, work and lifestyles.

However, as with most things, there are downsides. There are the trolls lurking not under a bridge but under assumed names on Twitter, ready to spread their malice. It’s easy to get carried away and post in haste – repenting at our leisure. Just as social media can make careers and boost reputations, it can destroy them overnight. It empowers individuals, and many companies and public bodies have been keen to use it to give a human face to their corporate image. But those same individuals can use it intentionally or not to disfigure that public face. They can disclose confidential information more easily, expose the business to liability for breach of copyright or defamation, and breach the Data Protection Act by discussing personal matters relating to clients, customers or colleagues.

Don’t believe me? Take the social worker who posted information on Facebook about a child protection court case she was involved in, potentially allowing the family to be identified. Or the companies at the centre of Twitter storms. Or sued for using a photographer’s images without permission. In a recent post on my FOIMan site, I highlighted an academic who posted internal correspondence relating to an FOI request on WhatDoTheyKnow, in the process potentially damaging the institution’s reputation, relationships with their colleagues, and almost certainly causing their employer to breach the Data Protection Act’s first data protection principle (to handle personal data fairly and lawfully) in the process. Even those organisations whose employees should know better have had to take disciplinary action: between 2009 and 2014, 519 disciplinary actions were taken against police officers for social media related transgressions, and the Crown Prosecution Service reported that nine of its staff had been disciplined for similar reasons over that period. Not for nothing has the Ministry of Defence warned its employees that “Loose Tweets Sink Fleets”.

The temptation in the face of this litany of institutional and individual disaster is to adopt the ostrich position. Ban your employees from using social media altogether. Avoid their corporate use. This won’t work. For a start, you will miss out on all the benefits highlighted at the start of this piece and more. But besides, it’s way too late for that. Pandora is not just out of the box but is running the show. You could impose contractual obligations on your staff requiring them not to use social media, or at least not to discuss their work there. If you do though you may find yourself losing staff who choose to work for a more progressive employer. In any case, it may be too late, as the Kent Police and Crime Commissioner discovered when she appointed a 17 year old to the post of Youth Police and Crime Commissioner.

You can’t stop your customers or the public writing about you on social media, but if you’re not using it, you’ll only find out what they’re saying about you too late. You’ll have no way to react to adverse comment online save through the traditional media which may not go to press until your business has collapsed clothed only in the tatters of its reputation.

So if you can’t avoid the risks of social media altogether, what can you do? The next best thing is to mitigate those risks. Like any other tool that you use, you need policies setting out acceptable use. You need to secure your most valuable and sensitive information. You need to raise awareness of your policies and legal restrictions so that your employees understand what they are allowed (or even encouraged) to do using social media, and also what they shouldn’t do – and what the consequences of doing it will be.

Where can you find out more about the risks that social media poses to your organisation? Or indeed the opportunities it offers? What should you include in a social media policy? Do you need to keep records of your social media use, and if so, how?

Well, social media itself will offer many solutions if you’re brave enough to jump in. But if you want a guide, my new training course on Data Protection, the Law & Social Media will provide answers to the questions above, and will point you to resources to help your organisation and its employees use social media effectively whilst avoiding the pitfalls. The course runs for the first time in Manchester on 20 April, and in London on 22 April 2015, and can also be run as an in-house course for your Data Protection, Communications and other staff. Get in touch with Act Now Training now for more details or book through their website.

Revised RIPA Policy and Procedures Toolkit (2015)


The local authority surveillance regime (under the Regulation of Investigatory Powers Act 2000 (RIPA)) has seen a number of developments in the past few years. These include:

  • Since 1st November 2012, whenever exercising any powers under RIPA (doing Directed Surveillance, deploying a CHIS or accessing Communications Data) councils have had to obtain Magistrates’ approval. Directed Surveillance has also been made the subject of a new Serious Crime Test (Read about the changes in detail here). On the whole the changes are working well.
  • On 10th December 2014 revised versions of two RIPA codes of practice came into force.
  • More guidance has been published by the Information Commissioner on what to do when covert surveillance is not regulated by RIPA.
  • The Office of Surveillance Commissioners continues to highlight poor form filling and record keeping in his annual reports.

Now is the time to revise your RIPA policies and procedures to take account of these developments.

The revised Act Now RIPA procedures and guidance toolkit includes an updated version of our previous RIPA Forms Guidance document, which was bought by over one hundred different organisations. In addition there are detailed guidance notes on deciding when surveillance is caught by RIPA, how to authorise it and what to do about surveillance which is not regulated by RIPA. The toolkit is written in straightforward language (avoiding legal jargon) and includes flowcharts to assist understanding.

The full contents list includes:

Updated – Completing the RIPA Forms

  • Procedure for completing the forms
  • Common mistakes
  • All Directed Surveillance forms with full notes to assist completion
  • All CHIS forms with full notes to assist completion

Seeking Magistrates’ Approval

  • Step by step guide to the process
  • Judicial application/order form with full notes to assist completion

Updated – Undertaking Non RIPA Surveillance

  • When it is appropriate
  • Non – RIPA Surveillance Authorisation Form
  • New Non – RIPA Surveillance Cancellation Form

New – Employee Surveillance Guidance

  • When it is appropriate
  • Complying with the Data Protection Act 1998
  • The latest ICO decision
  • Privacy Impact Assessments

More here: http://www.actnow.org.uk/content/117

The normal price of the toolkit is £199 plus VAT for a hard copy and £399 plus VAT for an electronic version (plus hard copy) with a licence to make additional hard copies and to upload the toolkit on to an intranet site (for internal use only).

DISCOUNT – If you bought the previous version of the toolkit you qualify for a 20% discount.

Scottish colleagues can buy the RIP(S)A version of the toolkit here: http://www.actnow.org.uk/content/84

For those of you looking for refresher training in this area, we have a full program of public workshops. We can also bring the training to you for a customised in house training course. Please get in touch for a quote.

Open the Floodgates! Water Companies Subject to EIR

On 23rd February 2015, the Upper Tribunal ruled that water companies are subject to the Environmental Information Regulations 2004 (EIR).

In Fish Legal v Information Commissioner and others [2015] UKUT 0052 (AAC) the Tribunal, applying the previous ruling of the Court of Justice of the European Union (ECJ) from December 2013 (Fish Legal and Emily Shirley v Information Commissioner, United Utilities Water plc, Yorkshire Water Services Ltd, Southern Water Services Ltd), ruled that water companies are covered by EIR by virtue of their “special powers”. However, the Tribunal rejected an argument that they were public authorities by virtue of the fact that they are under the control of other public authorities, such as OFWAT or the Environment Agency.

It’s a complex and lengthy judgment. Those advising water companies need to read (and re-read) all sixty pages. It could have widespread implications for other private organisations that are running public services, such as the electricity, gas, rail and telecommunications industries. However, the Upper Tribunal refused to lay down general principles for when the EIR would apply to such bodies.

It could be that the next round of this lengthy battle will see the parties square up in the Court of Appeal. Then again Thames Water and United Utilities (one of the parties to the appeal) seem to have changed their websites following this ruling to say that they are now covered by EIR and advising what to do to make a request.

The CON29 Drainage and Water Enquiry provides information regarding water and sewerage services for prospective property buyers. This has been a good source of income for the water companies, who enjoy a near monopoly over the information. Could personal search companies now turn their attention to water companies and try to obtain access to this information with a view to providing their own water and drainage search reports? If the battle over CON29 Local Land Charges information held by councils is anything to go by (currently at the ECJ for a preliminary ruling), EIR geeks are in for a treat!

We will be discussing these and other recent EIR developments in our EIR workshops.

CCTV Surveillance: Getting It Right

Steve Morris writes…

“I keep six honest serving men, they taught me all I know, their names are what, why, when, how, where and who…”

“I know a person small, she keeps ten million serving-men who get no rest at all! – One million how’s, two million where’s, and seven million whys!”

Rudyard Kipling 1902

Well it’s 2015 and we have an estimated 6 million (give or take a million or so!) surveillance cameras within the UK regulated sector, and that does not include those installed by private individuals. Cameras are no longer stuck on the end of poles recording people’s movements. They are worn by officials, installed on public transport and can even predict people’s behaviour.

Image technology has advanced tremendously in recent years. Data captured by CCTV systems is often automatically interacting with other databases with the capability of providing very intrusive information about the private lives and activities of innocent individuals as well as offenders and those that pose a risk to society.

We are also going through economically difficult times. CCTV and other surveillance technology can be seen as a cost-effective answer to the resource problem. However, without careful planning and regular review, it can be a costly option that might in fact provide little or no benefit and/or land an organisation in trouble with the various regulators in this sector. The Information Commissioner’s Office (ICO) has taken enforcement action involving both number plate recognition systems and cameras recording customers’ conversations in taxis.

The ICO is not the only regulator in this area. The Surveillance Camera Commissioner is tasked with raising awareness of the Surveillance Camera Code. Made pursuant to the Protection of Freedoms Act 2012 it governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR) operated by the police and councils in England and Wales.

The Office of the Surveillance Commissioner has oversight in relation to covert surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). This often involves the deployment of covert CCTV cameras. Recently Ibrahim Hasan alerted you to the revisions of the two RIPA codes of practice.

So why quote Rudyard Kipling’s poem from 1902?

The overall question revolves around whether a ‘scatter gun approach’ (obtaining lots of private data from lots of cameras) is actually a practical, cost effective use of resources. Furthermore is this approach a lawful, necessary and proportionate approach to addressing a ‘pressing social need’ or problem? Or would a smaller number of cameras providing images and data of the quality required, when it is required, be a better use of resources?

Compliance with the various codes and laws which govern CCTV is easy if key questions are addressed at the outset:

  1. What is the pressing social need or lawful grounds for the CCTV surveillance activity? What type(s) of devices and system is appropriate? What personal data is going to be collected? What policies and processes should we have?
  2. Why do we need this surveillance in this place? Why is surveillance the option we have chosen?
  3. When should the system be capturing and recording information? When is it right to share this information?
  4. How will the system be managed? How much private information are we obtaining about individuals? How will we ensure it is kept secure?
  5. Where will the cameras be positioned? Where will we store the data?
  6. Who will we be watching? Who will have access to the collected information?

Looking for an opportunity to discuss these questions and many others, and to examine the regulatory requirements in relation to the decision making process? Attend one of my CCTV workshops and be brought right up to date with the latest laws, codes of practice and guidance.

Steve Morris is an ex-police officer and one of our expert surveillance law trainers.

Freedom of Information Case-law Roundup


Section 5 of the Freedom of Information Act (FOI) enables the Secretary of State to designate a body as a public authority if it appears to the Secretary of State:

(a)… to exercise functions of a public nature, or

(b) is providing under a contract made with a public authority any service whose provision is a function of that authority.

The Freedom of Information (Designation as Public Authorities) Order 2015 was recently debated in the House of Lords. It will make Network Rail subject to FOI from March 2015. Much has been said about extending the reach of FOI to private companies delivering public services. Don’t expect anything to happen before the election.

Fees and 16

How far does a public authority have to go in providing advice and assistance to an applicant whose request is over the fees threshold (£450/£600)?

On 22nd October 2014, in Commissioner of Police for the Metropolis v The Information Commissioner and Donnie Mackenzie, [2014] UKUT 479 (AAC), the Upper Tribunal ruled that the standard imposed by section 16 is set at a relatively low level. It agreed with the First Tier Tribunal (Information Rights) (FTT), in Beckles v Information Commissioner (EA/2011/0073 & 0074), that:

“S.16 requires a public authority, whether before or after the request is made, to suggest obvious alternative formulations of the request which will enable it to supply the core of the information sought within the cost limits. It is not required to exercise its imagination to proffer other possible solutions to the problem.”

Time limits

Section 10(1) of FOI sets out the time limit for dealing with a request for information:

“a public authority must comply…promptly and in any event not later than the twentieth working day following the date of receipt.”

Under the Environmental Information Regulations (EIR) the response to a request must be made “as soon as possible and no longer than 20 working days after the date of receipt”. In Keating v Information Commissioner and Oxford City Council (EA/2013/0226) the FTT said that whether it is an FOI or EIR request the principle is the same:

“In our judgement, whichever time limit applies, it is necessary to be realistic. Whilst both pieces of legislation contemplate a speedy response, the urgency intended is not such as to require a public authority to “drop everything” in order to reply.”

We now have a binding authority for this principle, in the form of an Upper Tribunal decision (John v ICO & Ofsted [2014] UKUT 444 (AAC)).

Third Party Personal Data

Section 40 provides an exemption from disclosure of personal data about the requestor as well as that of third parties. With regard to the latter, the public authority must show that disclosure would breach one of the Data Protection Principles (usually the first one). In the absence of consent this usually requires consideration of condition 6(1) of Schedule 2 of the Data Protection Act 1998:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

In a recent Upper Tribunal Decision, Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the judge endorsed the ICO’s 8 rules when applying the test in condition 6. These are essential reading for all FOI officers.

Names of legal Advisers

Names of staff are clearly personal data. We have examined the application of section 40(2) in a number of FTT decisions (read our blog post here). The test is, is there a legitimate interest in knowing the names and is disclosure necessary to satisfy that interest?

In November 2014 the FTT (in Timothy Couzens v IC EA/2014/0146) upheld the Care Quality Commission’s refusal to supply the names of individuals who provided it with legal advice on the de-registration of a care agency. The FTT found that Couzens had “provided no persuasive argument that disclosure of the names in question would contribute to transparency, given that the substance of the legal advice has been disclosed, as a result of the CQC waiving its right to rely upon the exemption provided by FOIA section 42 (legal professional privilege).”

Staff Salaries

Is there a difference between a request for salaries of administrative staff and that of academics in a university?

Yes, according to a recent FTT decision involving King’s College, London (EA/2014/0054). The case concerned a request to the college for the job titles and departments of those staff (academic and non-academic) earning over £100,000 per annum, in bands of £10,000. The FTT ruled that salaries of most non-academic staff employed by the college should be disclosed. Read this excellent analysis by lawyers at SGH Martineau.

Local authority colleagues will know that a certain amount of salary information has to be proactively published in compliance with the Local Government Transparency Code.

Motive Blind

FOI is normally motive and purpose blind. The FTT decision in Hepple v IC and Durham County Council (EA/2013/0168) shows that this is not an absolute rule.

The background is that the Council received an FOI request for a copy of the investigators’ report into a disciplinary incident at a pupil referral unit run by the council. At that time, disciplinary proceedings were pending against each of the suspended members of staff.

The council refused the request, relying on a number of exemptions including section 38 (health and safety). The FTT upheld the decision of the ICO on this point mainly because the requester had sent text messages to some of the individuals involved “with the purpose of menacing those whose addresses the Appellant had acquired”. The FTT said “assessing an information request on this “motive blind” basis ought not to prevent us from considering the potential risk to safety posed by the requester him/herself”.

Legal Advice

The Section 42 exemption is often relied upon by public authorities when refusing to disclose legal advice. It is a qualified exemption. A few decisions have required disclosure of legal advice on public interest grounds but these have been few and far between. Indeed, following the Tribunal decision in Bellamy v The Information Commissioner which stated that there is an inherent public interest in maintaining privilege, most authorities were almost treating section 42 as an absolute exemption.

A September 2014 decision of the FTT reminds us that the public interest in disclosing legal advice has to be considered carefully. The Bingham Centre for the Rule of Law v Information Commissioner (EA/2014/0097) concerned a request to the Home Office for independent legal advice, which was referred to in a Home Office report entitled “Intercept as Evidence.” The FTT disagreed with the ICO’s decision, giving more weight to public interest factors in favour of disclosure.

Ibrahim Hasan will be discussing these and other recent FOI decisions in his FOI Update workshop. If you want an internationally recognised qualification in FOI, please consider our BCS FOI Certificate course.

A Decade of FOI in Scotland: Celebrating Success, Securing Rights for the Future

Erin Ferguson examines the Scottish Information Commissioner’s special report…

Freedom of information (FOI) legislation has recently celebrated its tenth anniversary in the United Kingdom. Overall, the UK FOI regime has been deemed successful. 400,000 requests for information have been made in the past ten years, leading to some notable disclosures and helping to establish a greater culture of transparency in public services.

Nevertheless, the Scottish Information Commissioner Rosemary Agnew recently warned that the scope of FOI in Scotland (under the Freedom of Information (Scotland) Act 2002) has reduced and that people now have less access to information than they did a decade ago.

On 19 January Agnew published a special report entitled “FOI 10 Years On: Are the Right Organisations Covered?” The report is limited to the Scottish experience, but addresses a challenge faced throughout the UK. That is, how can FOI obligations be extended to cover the wide range of organisations that now have responsibility for public service delivery?

Agnew called the introduction and implementation of the FOI Act one of Scotland’s “major success stories,” but warned that changes in public service delivery are eroding information access rights. As functions are outsourced or transferred to arm’s-length organisations, they no longer fall within the scope of the FOI Act. The transfer of social housing, for example, from local authorities to housing associations means that 15,000 households in Scotland have now lost information access rights. This affects not only access to information, but also access to justice. The loss of appeal rights to the Scottish Information Commissioner means that the public are faced with the more costly option of appealing through the courts. It is clear that FOI plays an important role in encouraging transparency and promoting civic engagement, so how can this be preserved?

The report noted that the FOI Act was introduced with the intention of extending coverage to additional bodies. A Section 5 Order allows Ministers to designate additional organisations as public bodies, but Agnew reported that this mechanism has been ‘woefully underused.’ Ministers have only exercised these powers on a handful of occasions (e.g. on 1st April 2014), and whilst it is difficult to say why they have not made greater use of this mechanism, the report speculated that lack of political will and misunderstandings over what constitutes a public function might be among the reasons. Therefore, Ministers will need support in order to make greater use of the Section 5 Order.

Whereas previous debates on whether to extend FOI coverage have focused too narrowly on the structure of institutions and how they are funded, greater consideration should be given to the nature of the functions performed. As it is ultimately up to the Ministers to decide what constitutes a function of a public nature, a factor based approach can help to determine whether an organisation should be designated a public body for FOI purposes. Factors would include whether the organisation is taking the place of a public authority in carrying out a particular function and whether the functions are derived from or underpinned by statute. (A full list of factors can be found on p.18 of the report.)

The factor based approach would make the designation of additional bodies more open and transparent, and might also help to alleviate some of the challenges that have arisen from extending FOI coverage. Academies and Free Schools, for example, were brought in under the UK FOI Act in 2010. Since then, there have been some notable releases of information, but also some well-known instances in which information has been withheld, leading to lengthy appeals. The Department for Education (DfE) has withheld information on free school applications, relying on exemptions under Section 35 (information related to formulation of government policy) and Section 43 (information likely to prejudice the commercial interests of any party). Although this is merely one example and should not be understood as evidence of a widespread phenomenon, it does demonstrate that a tension remains when balancing the public interest in disclosure against the public interest in withholding information. Will extending FOI coverage to additional bodies simply lead to greater use of exemptions? Or will the factor based approach help to clarify which functions should be covered and why?

There is no straightforward answer to these questions, but the report suggested that support for newly designated bodies can help to ensure smoother implementation. Likewise, the public will need support, as the gaps and inconsistencies created by changing models of service delivery have led to some confusion over which rights they hold. After all, as page 9 of the report says, ‘the existence of a right is one thing; making it straightforward to use is something else entirely.’

Erin Ferguson is a PhD Researcher at University of Strathclyde Law School. She blogs (http://www.erincferguson.com) and tweets (https://twitter.com/fergusonerin).

Act Now Training runs the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002 which is endorsed by the Centre for FOI (based at Dundee University). The course structure is designed to thoroughly examine the law as well as the practical aspects of dealing with FOISA (and EI(S)R) requests on a day-to-day level. Read what the tutor has to say and have a go at the FOISA test.

The ‘Big Regulation’: big progress or big elephant? @privacyminion on the draft EU DP Regulation

So time has gone on a little bit and we are now 3 years down the line from when the European Commission released its proposed revised Data Protection framework on January 25th 2012. Some may say that progress has been slow but is that truly the case? We appear to have come a long way from a proposal that was written off as a “non-starter” to a piece of legislation that has seen more political discussion and campaigning than any other piece of legislation in the EU’s history.

So where are we then? In my last post (and apologies that it has been a while since my last post) we went through some of the key agreed texts from the European Parliament and outlined what the next steps in the Regulation’s journey might be. On the whole the ‘official’ actions coming out of the EU have been quiet over the last 10 months or so mainly due to the changes in Parliament Members and the change to the European Presidency.

On December 4-5 2014 at the Justice and Home Affairs Council meeting several of the key points around the Regulation were discussed. While official statements were limited there were some key areas that were discussed and some ‘formal’ stances announced.

‘One Stop Shop’: On the whole the Council and Parliament seem in favour of this idea; however, there is still intense discussion around how this will be implemented in practice. What is certain, however, is that neither the Parliament nor the Council will allow the Commission to have the final say on EU-wide Data Protection issues as proposed in the Commission’s text. Very much a “we will have anything except that” viewpoint. All institutions, however, have agreed that DP Authorities will and indeed do need more resources and technical capability.

Right to erasure, data access, and correction: The contested so-called “right to be forgotten” has been limited by the Parliament so that only those publishing personal data in breach of data protection law are obliged to ensure every copy is deleted. The regulation currently seems to call for a meaningful balance between freedom of expression and freedom of information on the one hand, and the protection of personal data on the other. While there is an understanding in Parliament that the “right to be de-listed” as spelt out in the Google Spain judgement of the European Court of Justice in May 2014 is already contained in the text, the Council is still discussing the need to add specific wording.

Informed consent: Data Subjects essentially must be informed about what happens with their data, and they must (in principle at least) consciously agree to the data processing that is outlined (or indeed reject it without suffering harm by doing so). While the Parliament text insists on “explicit” consent as proposed by the Commission, the Council’s current version of the draft law proposes a more vague “unambiguous” consent, which seems to allow for interpretation on obtaining consent.

Legitimate Interest: The Parliament has narrowed down the “legitimate interest” of the data controller (which would allow for data collection and processing without consent) to what can reasonably be expected by the data subjects affected. The Council, however, is currently discussing allowing a change of the purpose of the data processing based on “legitimate interest” of the data controller. There are calls from supporters of the original text for this notion to be dropped, as they state it weakens the individual’s rights under the regulation; however, such a hardening of legitimate interests does have massive impacts for industries that currently use legitimate interests under the current EU Directive, for example the credit referencing industry in the UK.

Data Transfers: The Parliament continues to insist that companies are not allowed to hand over data from Europe directly to third countries’ authorities unless it is under a mutual legal assistance treaty or similar instrument based on European law. The original text contained wording to enhance this protection; however, this was removed after a period of lobbying by the US government. It made it back into the Parliament’s text; however, it doesn’t seem to be accepted for inclusion in the Council’s draft. After the Snowden revelations, however, there appears to be agreement that something is needed to protect against unlawful transfers of personal data.

Sanctions: The Commission originally proposed sanctions of up to two per cent of global annual turnover, and the Council seems to want to stick to this. The Parliament text looked to raise the possible sanctions to up to five per cent of the global annual turnover, or 100 Million Euros. It is unclear if the Council will support such a high percentage; however, it is widely accepted that such tough sanctions will discourage companies from wilfully or neglectfully breaching data protection laws.

Coming up for 2015, so far we know that for March 12-13 the Council has issued a provisional agenda for the next Justice and Home Affairs Council meeting, and the DP Regulation is on there for further discussion (as is a lot of other legislation due for discussion). The Council still has not committed to a concrete timeline for coming to an approved updated Regulation text, but given the current timelines and activity over that time I wouldn’t expect an agreed text until either late this year or early 2016.

Once the Council has agreed the text we then go into a ‘tri-party’ negotiation between the Council, the Parliament and the Commission. So we have come a long way, but still not far enough to have a good or ‘reasonably solid’ idea of what a final draft of the Regulation will look like. One thing is certain, however: far from this being a “non-starter” or an elephant in the room, Data Protection is very much on everyone’s mind and this will come into force one way or another.

Scott Sammons is Senior Privacy Consultant at Ernst and Young and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

To Brunei and Back – A tale of training far far away

Ibrahim Hasan reports on his recent trip to Brunei…

On Friday (29th January) Paul Gibbons and I returned from Brunei after delivering data protection audit training to government staff. We had a truly memorable trip. The hospitality, generosity and warmth of the Brunei people ensured that we made some fantastic new friends.

We delivered a two-day course to twelve staff (Information Security Officers (ISOs)) working in various government agencies including education, health and immigration. Whilst Brunei does not have data protection legislation, it does have a Data Protection Policy which applies to all government agencies. This is loosely based on the UK Data Protection Act and has been signed off at the highest level. All agencies are required to comply with the policy but there is no regulator like our Information Commissioner. Having said that, there was a real commitment on the part of the delegates and the organisers to implement best data protection practice.

Having successfully completed the course, the ISOs will now audit government agencies to assess levels of compliance. They have been trained to consider DP policies and procedures as well as staff knowledge and awareness. They will produce a report which will be considered by the head of each agency.

The delegates seemed to really enjoy the course and even laughed at Paul’s jokes! Feedback was very positive with some encouraging testimonials:

“An inspiring workshop. The presenter was well understood, friendly and approachable.” HBHM, Health Technology Dept., Ministry of Health

“The experienced tutor and facilitator provided me with clear knowledge and awareness of Data Protection. I’m truly grateful for this experience.” NK, Public Services Department

“An eye-opening course…I am glad I attended this course.” HNHA, Department of Labour, Ministry of Home Affairs

“Good and interactive explanation/briefing on the Data Protection Policy.” DPHAI, Land Transport Department

In addition to the formal training there were some lively discussions during the breaks about the different approaches to Data Protection in the UK and Brunei. Other important subjects for discussion included the relative success of Liverpool, Arsenal and Manchester United!

This training was phase 2 of our Brunei consultancy project. Phase 1 involved developing a Data Protection Audit Manual, drafted by our colleague Tim Turner, based on the Brunei Data Protection Policy. This included guidance on DP audit planning, preparation and the use of DP audit templates. Many delegates commented that the manual was clear, comprehensive and very easy to follow.

This is one of many recent consultancy projects we have conducted. It enhances our reputation as one of the UK’s leading providers of in house training and consultancy in information law and information management. As more countries enact data protection legislation, we hope to be at the forefront of developing products and services that will enable those working in this field to develop their skills. Watch this space!

But all work and no play makes Jack a dull boy! Whilst the tourism industry in Brunei is not as developed as its neighbour Malaysia, there is still plenty to see and do (and eat). There are some stunning mosques which will impress people of all faiths and none.

The food is a tasty mix of traditional Malay cuisine as well as dishes influenced by the many Chinese and Indians who have settled in Brunei. You can enjoy the delicious (and very cheap) street food in the Night Market or dine in style in the many upmarket restaurants. There is something for all tastes and budgets.

We also took the opportunity to ride a water taxi to the historic water village of Kampong Ayer. Over 1000 years old, it boasts 500 houses built on stilts in the river. A further trip up the river allowed us to see a few monkeys and the odd (less cuddly) crocodile!

Brunei is a fantastic country and well worth an inclusion on a Far East holiday itinerary. Want to see more photos? See our Twitter feed or search the hashtag “#ActNowinBrunei”.

Finally we would like to thank all our friends in Brunei who organised and attended this training and made us feel so much at home. Keep in touch.

Please take a moment to browse our in house training and consultancy pages. Feel free to get in touch to discuss your requirements in this area.