Category: Police

ICO Issues Two FOI Enforcement Notices

Under the Freedom of Information Act 2000, an Enforcement Notice may be served where the Information Commissioner is satisfied that a public authority has failed to comply with any of the requirements of Part I of the Act. If a public authority fails to comply with a Notice, the Commissioner may commence court proceedings under section 54 of the Act, which may be dealt with as contempt of Court.

The ICO recently served an Enforcement Notice on both Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust for their ongoing FOI failings which have seen hundreds of information requests go unanswered.

Devon and Cornwall Police

In 2023, as part of the ICO’s routine work to monitor public authorities’ compliance, the ICO found that between 2022 and 2024 the percentage of requests responded to by Devon and Cornwall Policewithin the statutory FOI timeframe (20 working days) was consistently low (between 39% and 65%). Their rate of response to internal review requests was also poor, averaging between 0% and 22%. The Force had a backlog of older FOI requests which had increased from 77 in December 2023 to 251 in June 2024.

The ICO Enforcement Notice orders the Force to devise and publish an action plan in the next 30 days which must detail how they will comply with their duties to respond to information requests in a timely manner. It has also been given six months to clear the existing backlog.

Barking, Havering and Redbridge Hospitals NHS Trust

The ICO first contacted the Trust in June 2023 due to a number of complaints received about its late compliance with FOI requests. The ICO found that, over 12 months, the Trust had only responded to 29% of requests during the statutory timeframe, with January 2024 seeing just 2.5% of requests responded to in a timely manner.

The Trust had a backlog of 589 requests in April 2024, which increased to 785 by June 2024. The ICO Enforcement Notice gives the Trust 35 days to devise and publish an action plan to clear this backlog by the end of the year.

Since last year, the ICO has pursued a tougher FOI enforcement policy. Recently it issued Enforcement Notices against three other police forces for poor FOI performance which has led to significant backlogs in their responses.

Our FOI Intermediate Certificate strengthens the foundations established by our FOI Practitioner CertificateIt will help you become an adept FOI practitioner by delving deeper into the intricacies of the FOIA, equipping you with the skills and confidence to navigate its complexities.

FOI Enforcement Action Against the Police

Under section 10 of the the Freedom of Information Act 2000 (FOI) public authorities, have 20 working days to answer a request for information. Last week we wrote about a new report by openDemocracy, Transparency Under Threat: Monitoring FOI compliance in the UK, which claims that many authorities are consistently failing to comply with the statutory deadline. 

Since last year, the Information Commissioner’s Office (ICO) has pursued a tougher FOI enforcement policy. Recently it issued Enforcement Notices against three police forces for poor FOI performance which has led to significant backlogs in their responses:

  • Dyfed Powys Police (DPP) – Compliance levels fell as low as 6% (June 2023) and the Information Commissioner received 13 complaints in 2023 in relation to timeliness of responses. By 9 November 2024, DPP is required to respond to all information requests which were outside of 20 working days when the Enforcement Notice was served on 9 May 2024.
  • Metropolitan Police Service (MPS) – Compliance levels were consistently low between 60% to 67% from April 2023 to February 2024. By 1 November 2024, MPS is required to respond to the backlog of 362 cases which were outside of 20 working days when the enforcement notice was served on 1 May 2024.
  • South Wales Police (SWP) – Compliance levels fell to 45% in July 2023 and as of 31 April 2024 167 requests were overdue, with one case being 122 days old. By 20 December 2024, SWP is required to respond to all information requests which were outside of 20 working days when the enforcement notice was served on 20 June 2024.

This and other FOI developments will be discussed in detail on our forthcoming FOI Update workshop.

Facial Recognition Technology and the Risk of Misidentification

In 2023 the Information Commissioner’s Office (ICO) launched an investigation into Facewatch, a company which provides live facial recognition technology (FRT) to the retail sector. Facewatch’s system scans people’s faces in real time as they enter a store and alerts if a “subject of interest” has entered. It is used in numerous stores in the UK, including Budgens, Sports Direct and Costcutter, to identify shoplifters. 

The ICO concluded its investigation by giving Facewatch the go ahead, even though in its letter (closing the investigation) it highlighted a number of breaches. Stephen Bonner, Deputy Commissioner for Regulatory Supervision, wrote in a blog post:

“Based on the information provided by Facewatch about improvements already made and the ongoing improvements it is making, we are satisfied the company has a legitimate purpose for using people’s  information for the detection and prevention of crime. We’ve therefore concluded that no further regulatory action is required.”

But FRT may have an accuracy issue. This weekend the BBC reported on a number of cases where FRT had misidentified people. “Sara” was wrongly accused of being a shoplifter after being flagged by the Facewatch system. She says after her bag was searched she was led out of the shop, and told she was banned from all stores using the technology.

The police are also increasingly using FRT it at live events as well as on the streets. Again not without problems. Civil liberty groups, such as Big Brother Watch, are worried that the accuracy of FRT is yet to be fully established. In February Shaun Thompson was approached at London Bridge by police using FRT and told he was a wanted man. He was held for 20 minutes and his fingerprints were taken. He says he was released only after handing over a copy of his passport. It was a case of mistaken identity. Big Brother Watch have launched a campaign, including taking legal action, to stop the use of FRT . 

The ICO’s has also expressed concerns about the use of FRT in the employment context as well as in schools. On 23rd February 2024, it issued Enforcement Notices to public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts under the UK GDPR. The notices required the organisations to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance. The ICO’s investigation found that Serco Leisure and the trusts had been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.

The ICO issued a letter, in January 2023, to North Ayrshire Council (NAC) following their use of FRT to manage ‘cashless catering’ in school canteens. The Financial Times reported that, “nine schools in North Ayrshire will start taking payments for school lunches by scanning the faces of pupils, claiming that the new system speeds up queues and is more Covid-secure than the card payments and fingerprint scanners they used previously.”

In 2019 the ICO published an Opinion on law enforcement use of LFR (Live Facial Recognition) This was followed in 2021 with an Opinion on the use of LFR in public places, setting out key requirements for those considering using this technology. 

Our forthcoming CCTV workshop is ideal for those who want to explore the GDPR and privacy issues around all types of CCTV cameras including those using FRT. 

Police Misuse of Body Worn Camera Footage 

Last week the BBC reported that police officers made offensive comments about an assault victim while watching body camera footage of her exposed body.  

The woman had been arrested by Thames Valley Police and placed in leg restraints before being recorded on body-worn cameras. While being transported to Newbury police station, she suffered a seizure which resulted in her chest and groin being exposed. A day later she was released without charge. 

A female officer later reviewed the body camera footage, which the force told Metro.co.uk was for ‘evidential purposes’ and ‘standard practice’. The BBC reports that three male colleagues joined her and made offensive comments about the victim.
The comments were brought to the attention of senior police officers by a student officer, who reported his colleagues for covering up the incident. The student officer was later dismissed; though the police said this was unrelated to the report. 

The policing regulator says Thames Valley Police should have reported the case for independent scrutiny. The force has now done so, following the BBC investigation. 

This is not the first time the BBC has highlighted such an issue. In September 2023 it revealed the findings of a two-year investigation. It obtained reports of misuse from Freedom of Information requests, police sources, misconduct hearings and regulator reports. It found more than 150 camera misuse reports with cases to answer over misconduct, recommendations for learning or where complaints were upheld. (You can watch Bodycam cops uncovered on BBC iPlayer) 

The most serious allegations include: 

  • Cases in seven forces where officers shared camera footage with colleagues or
    friends – either in person, via WhatsApp or on social media 

  • Images of a naked person being shared between officers on email and cameras used to covertly record conversations 

  • Footage being lost, deleted or not marked as evidence, including video, filmed by Bedfordshire Police, of a vulnerable woman alleging she had been raped by an inspector – the force later blamed an “administrative error” 

  • Switching off cameras during incidents, for which some officers faced no sanctions – one force said an officer may have been “confused”

Body worn cameras are used widely these days by not just police but also  council officers, train guards, security staff, and parking attendance (to name a few). 

There is no all-encompassing law regulating body worn cameras.  Of course they are used to collect and process personal data therefore will be subject to the UK GDPR. Where used covertly they also be subject to Regulation of Investigatory Powers Act 2000.  

The Information Commissioner’s Office (ICO) provides comprehensive guidelines on the use of CCTV, which are largely considered to extend to body worn cameras(BWCs) for security officers. There is a useful checklist on its website which recommends:  

  • Providing a privacy information  to individuals using BWCs, such as clear signage, verbal announcements or lights/indicators on the device itself and having readily available privacy policies. 
  • Training staff using BWV to inform individuals that recording may take place if it is not obvious to individuals in the circumstances. 
  • Having appropriate retention and disposal policies in place for any footage that is collected. 
  • Having efficient governance procedures in place to be able to retrieve stored footage and process it for subject access requests or onward disclosures where required. 
  • Using technology which has the ability to efficiently and effectively blur or mask footage, if redaction is required to protect the rights and freedoms of any third parties. 

Our one-day CCTV workshop will teach you how to plan and implement a CCTV/BWC project including key skills such as completing a DPIA and assessing camera evidence.
Our expert trainer will answer all your questions including when you can use CCTV/BWC, when it can be covert and how to deal with a request for images.  
 
This workshop is suitable for anyone involved in the operation of CCTV, BWCs and drones including DPOs, investigators, CCTV operators, enforcement officers, estate managers and security personnel.