RIPA Part 2 Inspections: Common Criticisms by the OSC

The Office of Surveillance Commissioners (OSC) is responsible for overseeing the use of covert surveillance by designated public authorities by carrying out regular inspections. (Appendix E of the Chief Surveillance Commissioner’s Annual Report (2012-13) lists those whom the OSC inspects and how often.) In the UK the inspections check councils’ compliance with Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (and in Scotland the Regulation of Investigatory Powers (Scotland) Act 2000 (RIP(S)A)) for the use of directed surveillance, intrusive surveillance and covert human intelligence sources (CHIS).

As part of our provision of tailored in house training, we have to read OSC inspection reports. The following is a list of common mistakes highlighted by the OSC. They are not attributable to any particular organisation.

FORMS

  • Use of out of date forms
  • No Unique Reference Number (URN)
  • Not amending forms so that only those grounds are present which are available to the public authority e.g. councils – preventing or detecting crime
  • Pre completed forms
  • Use of cut and paste in boxes/repetitive narrative

AUTHORISATION PROCESS

  • Rubber stamping – no real thought given to authorisation
  • Necessity, proportionality and collateral intrusion not fully understood/considered by investigators and authorisers
  • Likelihood of obtaining Confidential Information not fully considered
  • Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation
  • Confusion re: reviews and renewals
  • Lack of understanding of when a person is a CHIS
  • Too many Authorising Officers
  • Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation
  • Several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority
  • Confusion about interference with property powers under the Police Act 1997
  • NB councils cannot do this
  • More robust management and quality assurance procedures required 


RECORD KEEPING

  • Central records not compliant with the Code of Practice
  • Inadequate monitoring, recording and audit of surveillance equipment
  • Inadequate handling and storage of surveillance product/evidence 


POLICIES AND PROCEDURE DOCUMENTS

  • Inadequate/no RIPA policy
  • Inadequate (or out of date) guidance document
  • No CCTV protocol/procedure
  • OSC may wish to visit your CCTV control room

TRAINING AND AWARENESS

  • Inadequate training
  • Lack of regular training/refresher training
  • Inadequate record of those who have been trained
  • OSC may ask to see recent training materials

If you are considering refresher training for RIPA investigators and authorisers, please see our full program of RIPA Courses and our online webinars. We can also deliver tailored in house training at your premises.

Ever since the changes to the council surveillance regime, which came into force on 1st November 2012, the OSC has taken an interest in ensuring councils do not authorise surveillance under RIPA for “minor offences.” In addition they have been keen to ensure that councils have an agreed protocol and procedure for presenting authorisation applications to the Magistrates’ Courts. Finally, where surveillance needs to be done outside the scope of RIPA, a Non RIPA authorisation policy should be implemented and followed.

Do your RIPA documents need revision? Avoid reinventing the wheel! Our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

(Probably) The First Group Action For Damages under the Data Protection Act


In December 2013 a group legal action was settled against the London Borough of Islington following breaches of the Data Protection Act 1998 and the Human Rights Act 1998. Anna Thwaites, partner at Hodge Jones & Allen LLP, and Ruth Brander, counsel from Doughty Street Chambers, acted for the claimants.

Anna explains the background and legal basis for the claims below:

Hodge Jones & Allen LLP & Doughty Street Chambers acted for 14 Claimants in a Group Action against the London Borough of Islington after it leaked their personal data to unauthorised third parties on two separate occasions in 2012.

The First Breach – April 2012

In April 2012, Islington Council sought injunctions against thirteen youths for anti-social behaviour. The injunctions were served on ten of these between 20th and 24th April 2012. On 26th April it became known to the council that personal information regarding residents who had made complaints about anti-social behaviour had been disclosed to the injunctees. An unredacted spreadsheet of Anti-Social Behaviour (ASB) Hotline calls and concierge reports had been included. These contained complaints from 50 individuals. In many cases this included the name, telephone number and estate/street name.

The police retrieved seven out of the ten injunction packs issued to the individuals. The police also warned the injunctees that they should not use the information to contact any witness. In the immediate aftermath, there was a police presence on the Andover Estate and some residents moved from their properties to new locations.

An Information Commissioner’s Office (ICO) investigation was instigated and various recommendations made. The Council agreed to a voluntary inspection rather than a monetary fine. 

The Second Breach – 26 June to 14 July 2012

Whilst responding to a Freedom of Information Act request on the website ‘What Do They Know,’ the Council sent an Excel spreadsheet containing details of housing allocations to an organisation called mySociety. The spreadsheet included sensitive personal data on people offered social housing by the Council. This included their name, address, gender, ethnicity, religion, sexuality, relationship status and assessment of housing priority needs. Over 2,400 residents were affected.

Between 26 June and 14 July 2012, there were 7 download requests on this website. It is not possible to know whether any of the people downloading this information accessed the Excel spreadsheets containing this highly personal and sensitive information.

Following this breach there was an ICO investigation and the Council was fined £70,000. This was in addition to the compensation paid to the individual Claimants.

The Claims

We acted for four Claimants affected by the first breach, eight Claimants affected by the second breach and two Claimants affected by both breaches.

The Claimants’ principal claims were for stress, distress and frustration. Some Claimants believed the breach exacerbated existing psychological or psychiatric conditions. Very few Claimants had incurred financial losses arising from the Council’s breaches.

Around April 2013, Letters of Claim were sent to the Council for each Claimant alleging a breach of the Data Protection Act 1998 and Human Rights Act 1998 following a breach of Article 8 ECHR (the right to family and private life).

The parties entered into a limitation standstill agreement in respect of the Human Rights Act claim. Under section 7(5) of the Human Rights Act 1998, a claim must be brought before the end of the period of one year beginning with the date on which the act complained of took place or such longer period as the court considers equitable having regard to all of the circumstances. This was the best way to preserve the Claimants’ position without issuing court proceedings.

At the conclusion of the Council’s Pre-Action Protocol Investigations, they admitted liability in July 2013 for breaches of the Data Protection Act and Article 8 ECHR for all but one of the Claimants. In relation to this Claimant, they advised that the Claimant had been erroneously informed that their data had been breached, when in fact it had not. The Council made Part 36 offers in settlement to all Claimants ranging from £500 to £5,000.

Following settlement negotiations, all claims settled in December 2013 without the need to issue court proceedings. The Claimants were awarded over £43,000 in compensation. The awards ranged from £1,000 to £5,000 depending on how the breach impacted on each Claimant.

As part of the terms of settlement, the Council provided an unreserved apology and provided a detailed letter to each Claimant outlining how the breach happened, how it was discovered, the changes made subsequently and lessons learnt. All of the Claimants’ cases were funded under Conditional Fee Agreements under the pre 1 April 2013 regime.

Thoughts on the Case

It was clear from the outset that there had been a breach of the Data Protection Act, but in order to be entitled to compensation under section 13(2) a Claimant must suffer damage.

The difficulty with these cases is that many of the Claimants were unable to establish a financial loss or a personal injury arising from the Council’s contravention. This issue was not explored in depth during litigation given the Council’s early admission of liability and Part 36 offers in settlement, but the case of Halliday v Creation Consumer Finances [2013] 3 CMLR 4 would have assisted the Claimants on this point.

In this case, the Court was prepared to award nominal damages of £750 for distress to reflect a breach of the Data Protection Act, even if there was insufficient evidence to establish a substantial breach. The Court did not penalise the Claimant for being unable to establish a financial loss arising from the breach. The Claimants’ cases are clearly analogous and this case also provided some helpful guidance on the level of compensation the Courts may award depending on the facts of the case.

Another factor which potentially led to early settlement is that Article 8 ECHR does not have the same requirement as the Data Protection Act to establish ‘damage,’ although there is very little case law on the level of damages the Court may award in this type of case. Traditionally compensation for breaches of the Human Rights Act has been less generous than compensation awarded by the domestic courts.

It would also be interesting to see if the Council’s approach would have changed if the claims were brought on the basis of the Data Protection Act alone or outside the time limits for a Human Rights Act claim.

However, these cases clearly demonstrate that a failure to comply with the Data Protection Act 1998 and/or Article 8 ECHR will be at a Defendant’s peril. This was an extremely costly mistake for the Council, who failed to learn from their mistakes and breached the Data Protection Act 1998/Article 8 ECHR not only once but twice in as many months.

It is hoped that, following the ICO investigation and litigation, the same mistakes will not be made again. A clear message has been sent to Public Authorities of the potential consequences of failing to comply with their obligations to safeguard citizens’ personal data. This case also shows how Data Controllers can be held accountable for their actions.

Keep up to date with the latest DP developments by attending our workshops and online courses.

Definition of Personal Data: Durant Revisited

December 2013 marked the 10-year anniversary of one of Data Protection’s most notorious developments, but it came and went without any great fanfare.

It’s not really surprising that the Information Commissioner’s Office (ICO) didn’t issue a press release celebrating the Durant judgment’s birthday, as they have been quietly attempting to erase it from history. The result of a long-running dispute between a former Barclays Bank customer and the now defunct Financial Services Authority, Durant v Financial Services Authority [2003] EWCA Civ 1746 was a significant case. The Court of Appeal judges took a sharp look at the definition of personal data, what kinds of manual files are covered by subject access, and the purposes for which subject access can be used – with controversial results. I happened to speak to a former colleague at the ICO a day after Durant was published, and he described the atmosphere as ‘panic’.

Some of Durant is helpful – the judgement proposes that personal data:

“should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest”.

Those who have worked on Data Protection for a long time will have encountered the view that the mere mention of a person’s name in an email meant that they were entitled to receive it. Durant torpedoed that notion. Other elements remain contentious – the ICO has never agreed with the assertion in paragraph 27 that subject access should not be used “to obtain discovery of documents that may assist him in litigation or complaints against third parties”. The new ICO Subject Access Code rejects this notion altogether, despite the fact that the lower courts have followed the principle ever since. However, Durant’s most irksome element – ‘biographical significance’ – has been put in its place by the same court that invented it.

Mr Durant sought data about the FSA’s investigation into his complaints about Barclays, and his lawyers used an expansive interpretation of ‘personal data’ to stake his claim. The FSA’s focus was on Barclays and its practices, which meant that much of the correspondence Durant wanted was about the bank. He also wanted the names of the FSA staff that had dealt with his complaint. Unfortunately, Auld LJ linked the sensible idea of focus to a ‘biographical significance’ test, stating that personal data must be “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. This was a complicating and potentially unhelpful development. Focus makes sense – an email in which your name is mentioned in passing may well not be about you. But biographical significance is an unnecessary and restrictive innovation.

For example, when looking at a CCTV image with a person in the centre and bystanders in the background, the idea of ‘focus’ allows you to distinguish between the obvious subject of the image and the others. But asking whether the image is biographically significant raises the possibility that a clear picture of a living, identifiable person isn’t actually personal data if it has no private connotations. Is an image of me walking down the street biographically significant? Many have adopted biographical significance as a rule of thumb, a test to apply whenever the question of personal data was raised. In the public sector, it could mean that data about people that wasn’t biographically significant could be disclosed under the Freedom of Information Act 2000 (FOI) because it wasn’t technically ‘personal data’. In the private sector, anything not ‘biographically significant’ could be legally invisible, subject to none of Data Protection’s requirements.

The ICO’s approach to Durant – after the alleged panic subsided – was initially mixed, but for quite a few years it has been consistent. As some sort of riposte to Durant, in 2007 they published technical guidance on the meaning of ‘personal data’ called ‘Determining what is personal data’ – rather than Durant’s narrow, privacy-piercing interpretation. There are few references to Durant anywhere in the ICO’s output, but the technical guidance makes clear that testing ‘biographical significance’ is far from being an automatic or necessary step – it is for borderline cases when context and common sense don’t get you to the answer.

Many data controllers have been tempted to use Durant as a way of shrinking Data Protection down to a comfortable size. Indeed, when considering FOI cases involving personal data, the First Tier Tribunal appears to see the test as an inherent part of the decision, and biographical significance is often a feature of FOISA decisions by the Scottish Information Commissioner. Nevertheless, the ICO’s 2007 interpretation of Durant is logical. LJ Auld himself said that biographical significance was a notion “that may be of assistance” rather than a fundamental key to understanding personal data. Just as important was the balance provided by Buxton LJ, who noted at the end of the judgement that the tests were “a clear guide in borderline cases”. The Durant case was – in effect – about Mr Durant’s case, and didn’t change Data Protection as much as some have suggested.

For confirmation of this, fast-forward to Edem v IC & Financial Services Authority [2014] EWCA Civ 92, a Court of Appeal decision on a different case concerning another unhappy FSA (now the Financial Conduct Authority) complainant published this month. Mr Durant wanted to use Data Protection subject access to obtain his own data, and everything connected with it. Mr Edem wanted to use FOI to find out data about other people – specifically, the names and job titles of the junior staff who had dealt with his complaint. The FSA and Information Commissioner agreed that the data was personal, and that disclosure was unfair. So far, so uncontroversial. A spanner was thrown into the works by the First Tier Tribunal, to which Mr Edem appealed the ICO Decision. Using the biographical significance test, the FTT found that names and job titles were not biographically significant, and the focus of the information sought by Mr Edem was the investigation. The Edem FTT case was like a hall of mirrors, distorting and reflecting Durant to the extent that a type of information Mr Durant couldn’t get from the FSA under DP was now available to Mr Edem under FOI.

An appeal to the Upper Tribunal restored the ICO position, and so Mr Edem went to the Court of Appeal. A few cases – mainly resulting from appeals on FOISA decisions – have gone high enough in the UK court system to challenge Durant, but all skirted Durant itself. The Edem case was different – Durant and biographical significance had to be looked at head-on. The result is good news for common sense and data subjects, but bad for anyone who wants to finagle their way out of an awkward subject access request.

Paragraph 17 of the Edem Court of Appeal case isn’t the death knell for Durant, but it’s a healthy and heavy dose of context:

“The First Tier Tribunal were wrong to apply Auld LJ’s ‘notions’ in this case.”

When trying to work out whether a person’s name is personal data, the Court says that biographical significance is irrelevant. The question is whether the data identifies a living individual, and without any complicating or contradictory factors, the data is all you need. My name is Tim Turner, and while that’s not enough to find the bearded Act Now Trainer on the internet (there are country singers and ice hockey players and the man who played the Invisible Man on TV in the 1950s to sort through), it’s easily enough to locate information about me in any of the places I have worked. The Court of Appeal in Edem wholly endorses the ICO view of biographical significance as an occasional add-on, and uses Buxton LJ’s comments from Durant itself to back up that approach.

If it was wrong to overplay the effect of Durant, it’s equally wrong to overplay Edem. For the public sector, Durant was always blunted by the onset of FOI – if you successfully argued that data wasn’t personal data about the subject access applicant, they could always ask for it under FOI. The new judgment doesn’t give new rights to data subjects or expand Data Protection’s reach. A person who wants to use Data Protection to get access to large amounts of information to which they have some loose or stretched connection will come to grief just as Mr Durant did. But the Edem case does restore logic – data that identifies a person, even in a relatively benign or innocuous way, is personal data. The Eight DP Principles apply. Even when at work and doing mundane professional tasks, the DPA is likely to be engaged. An apparent loophole has not been closed – the Edem case simply confirms that it was a lot smaller than it may have appeared. The ICO approach is vindicated, and both the First Tier Tribunal and bloody-minded data controllers may have to think again.

Tim Turner is one of Act Now’s well-known data protection experts. He will be considering this and other latest Data Protection developments in his forthcoming DP Update workshops. Read more of Tim’s expert analysis on his blog. Readers wanting to see how the Durant case has been applied in previous decisions should read Ezsias v The Welsh Ministers (2007).

A comprehensive Privacy Policy.

I decided to look at Miley Cyrus’s website. Don’t know why. I just picked a teenage pop singer at random. I found however that I couldn’t just look at her website, I had to register before entering her website. I admit that I’m in socio-economic group A++ and age group 55 to 65 so my next action was probably not typical of a teenage hero-worshipper but I clicked on Privacy Policy to see what would happen if I registered to become a Mileyite.

The privacy policy was in the smallest font I have ever seen. It was also on a dusky pink graduated to deep purple background. It was hard work reading it so I right clicked, manipulated it into Arial 14 black and white using a well known word processor and before long I had 6 pages of top quality claptrap. Have a look…

Privacy Policy

This policy is effective as of November 29, 2011, and reflects only non-material changes and clarifications from the previous version.

Please read these terms of use carefully as they contain important information regarding your legal rights, remedies and obligations. These include various limitations and exclusions, and a dispute resolution clause that governs how disputes will be resolved.

This Privacy Policy, effective November 29, 2011, is designed to help you, the user, understand how Ground(ctrl)™ (“us”, “we”, or “our”) collects and then uses the personal information you provide us when signing up as a new “member.” We do this so you can make informed decisions both when deciding whether to become a member and when using this service.

By accessing and/or using this web site, you are (1) becoming a member of the Ground(ctrl)™ social networking community (the “network”) and (2) accepting the practices described in this Privacy Policy.

We would like to thank you for becoming a member of the network—a network that takes each member’s privacy rights seriously. If you have any questions concerning the network’s Privacy Policy, please contact us at the mailing address, telephone number, or email address at the end of this page.

About ground(ctrl)™

Ground(ctrl)™, as a third-party administrator, maintains and administers the network and this web site. The intent of this web site, and other similar sites maintained and administered by us, is to create a social networking community wherein members can communicate with each other as well as interact with and promote their favorite musicians’ careers.

To enhance each member’s social networking experience, we request and display personal information to other members and visitors. This information is necessary to allow members to identify each other, expand their network of friends, promote each member’s favorite musicians through contests and other incentives, and to repay members for their interaction with the network through contests and prizes.

The Information We Collect

When you visit this web site, you provide us with three types of information:

  1. Web site information collected by us through your interaction with this web site;
  2. Personal information you knowingly and voluntarily disclose to us when signing up as a member and through the continued use of this service; and
  3. Personal information you knowingly and voluntarily disclose to us when using this service.

First, when you or any member signs on to this service, we collect your IP address, your browser type, and certain information from your browser using “cookies”. A cookie is a piece of data stored on a computer that is tied to information about the user. You can easily remove or block this cookie using the settings in your browser if you wish to disable this feature. To confirm that you are logged into the service, we use session ID cookies that immediately terminate once you close your browser.

Second, when signing up as a member to this web site, and during membership, we collect several pieces of personal information to enhance the network. This information includes the following:

  • Your first and last name: for the purpose of addressing you personally
  • Your email address and encrypted password: to provide you with access to your personal account, and to send notifications about activity on the website
  • Street address, city, state, postal code, country: to verify billing information for orders you place on the website and/or ship merchandise to you
  • Your location: so you may optionally share your geographic location with other members of the website
  • Birth date: so that you may optionally share your age with other members of the website
  • AIM, Yahoo screen name, Jabber, ICQ screen names: so that you may optionally share your instant message information with other users of the site
  • Flickr user id and Twitter user name: so that you may optionally display recent photos and twitter posts on your profile page
  • Links to your third-party sites: so that you may optionally share favorite or other personal websites with other members of the site
  • An avatar image: so that you may optionally provide a visual representation of yourself next to items you publish on the site

We will not collect any more information than is necessary for you to participate in the Ground(ctrl)™ social networking community.

Third, when using this service, you may change your member profile, send messages to other members, receive messages from other members, form relationships, view photos, share photos, post blog comments, post links to other web sites (including web sites not controlled by ground(ctrl)™), transmit information through various channels, participate in musician campaigns, earn points toward promotional items, and redeem those points for promotional items (collectively the “User Content”).

Children’s Online Privacy Protection Act Of 1998

This privacy policy is provided in conformity with the Children’s Online Privacy Protection Act of 1998 (“COPPA”). COPPA requires that we notify parents and legal guardians and obtain consent from parents and legal guardians before we collect, use and/or disclose personal information from children under thirteen (13) years of age.

If parents or legal guardians have any questions regarding their child’s use of this web site, they may contact the operator of this website at the following address, phone number or email:

Additional operators maintaining information collected through this website include: Miley Cyrus.

The personal information we collect from children under thirteen (13) years of age, and the manner in which we use such information, is identical to the collection and use of any other member’s information. Please refer to sections entitled “The Information We Collect” and “How We Use the Information” for a detailed discussion of how we collect and use personal information from all members, including children under thirteen (13).

As a means of verifying parental consent, we may require that verification be given to us in one of two ways. First, we may require permission by email from what we are told is the parent’s email address. Thereafter, we will respond to that email address to verify that we have received such permission. Second, we may require that the parent consent by providing us with their full name, a valid credit card number and an expiration date. We will not charge your credit card. We will merely use the information to confirm your consent and once verification is or is not made, we will immediately destroy such information.

We do not require any additional information from children under thirteen (13) other than the minimum amount of information we need in order for the child to participate. Parents may review the personal information we collect on that parent’s child by mailing a request to us at the operator address listed above. The parent, after reviewing such information from us, may have it deleted and/or refuse to allow further collection by sending us an email using the password sent with the physical file that we mail to you. The parent also has the option to agree to the collection and use of the child’s information without consenting to the disclosure of the information to third parties.

Correcting, Updating or Removing Your Information

At any time, members can correct, update, or remove any of their personal information by logging into their account and accessing the “Edit Profile” feature.

How We Use the Information

We collect the personal information listed above so that we can provide you with personalized features and an enhanced and efficient web site experience. We usually retain this information so you can, for example, view messages you have already read or check campaign dates you are already aware of. You understand and acknowledge that copies of your User Content may remain viewable in cached and/or archived pages or if other members have copied and/or stored your User Content, even after your information has been removed.

When you sign up as a member to the network, you create your own profile. Your profile information, including your name and your photo are displayed to other members in the network so that you may interact and communicate with them. On occasion, we may use your name and email address to send you notifications about the network’s new services, promotional items, merchandise, band news, and transactions involving your accumulated points. Generally, you may opt out of such emails by clicking on the “unsubscribe” link in the email. However, the network expressly reserves the right to send you notices about your account even if you opt out of all voluntary email notifications.

Without identifying you as an individual, the network may provide third parties with information contained in your profile for data gathering purposes (ex: gathering data on how many members like both band A and band B so that personalized advertisements, promotions, etc. can be sent to those particular members). We believe that this information gathering allows each member to get the most out of the network’s benefits—e.g., the distribution of band information that, based on your profile, matters to you.

Sharing Your Information with Third Parties

This web site is about sharing information with others of your choosing, and a limited number of third parties, to enhance each member’s promotional and informational-sharing experience. Except as otherwise described in this Privacy Policy, the network does not disclose personal information to any third party unless the network believes that disclosure is necessary to:

  1. Enforce the network’s Terms and Conditions of Use Agreement;
  2. Protect the network’s rights;
  3. Coincide with legal requirements (ex: responding to a subpoena, search warrant, or any other legal process served upon Ground(ctrl)™). We will not reveal information until we have a good faith belief that the law enforcement information and/or private litigant request meets the applicable legal standards;
  4. Protect the safety of its members; or
  5. Enhance each member’s promotional and informational-sharing experience.

The network may provide services jointly with other companies and we may share customer information with that company in connection with your use of that service.

Your name, network names, and profile picture thumbnail will be available in search results across the network and those limited pieces of information may be made available to third party search engines. This is primarily so your friends can find you and send a friend request. People who see your name in searches, however, will not be able to access your profile information unless they have a relationship to you that allows access based on the privacy settings.

Ground(ctrl)™ expressly reserves the right to transfer personal information to a successor in interest that acquires the rights to that information as a result of the sale of Ground(ctrl)™, or the sale of a substantial portion of its assets to that successor in interest.

Third-Party Advertising

Advertising may appear on this web site and may be delivered to members by one of our web advertising partners. Those web advertising partners may download cookies to your computer that allow the ad server to recognize your computer each time they send you an online advertisement. The web advertising partners may also use other technologies such as JavaScript and “web beacons” (also known as “1×1 gifs”) to measure the effectiveness of their ads and to personalize advertising content. As a consequence, ad servers may compile information about where you, or others using your computer, saw their advertisements and determine which ads you, or others using your computer, clicked on. The purpose of this information is to allow an ad network to deliver targeted advertisements that they believe will interest you. This privacy policy covers the use of cookies by our network only and does not cover the use of cookies by any third-party advertiser.

Comments, Blogs, Messages, and Links

Please be aware that whenever you voluntarily post any information as a comment, blog, message, link, photo, video, and/or other information, that information can be accessed by the public and can then be used by those people to send you unsolicited communications. Additionally, if you post a link to your network web site on any third party site, your public profile will be viewable by any third party that clicks on your link. If you do not wish to have your public profile viewable to any third party, you should not post links to your network web site on third party sites.

This web site may contain links to other sites, including links posted by you or other members. We are not responsible for the privacy practices of other web sites. As such, we encourage our members to read the privacy statements of each and every web site they visit after clicking on these third-party links. This Privacy Policy applies solely to the information collected in the use of our network and this web site.

Security

Each member’s account is secured by a member-created password. The network employs reasonable measures to protect member information that is stored within our database, and we restrict the access to member information only to those employees who need access to perform their job functions, such as our customer service personnel and technical staff.

Note: We cannot guarantee the security of each member’s account information as unauthorized entry or use, software or hardware failure, and other uncontrollable factors may compromise the security of each member’s personal information at any time. The network does, however, consider security of each member’s personal information a priority and we take reasonable security steps to protect that information.

Disclaimer of Liability for Unauthorized Viewing of Personal Information

You post User Content, as described above, on this web site at your own risk. Despite our reasonable efforts to keep your User Content inaccessible to those not authorized to view it, be aware that no perfect security measure(s) exist to ensure impenetrability. Additionally, we cannot control the actions of other members that you may choose to share your page and User Content with. We are not responsible for the circumvention of any privacy settings or security measures contained in this web site. Consequently, we cannot and do not guarantee that the User Content you provide and/or post on this web site will not be viewed by unauthorized individuals.

Changes in the Privacy Policy’s Terms of Use, Notices and Revisions

We may change this privacy policy from time to time. We reserve the right to change our Privacy Policy and our Terms of Use Agreement at any time. Non-material changes and clarifications will take effect immediately, and material changes will take effect within 30 days of their posting on this site. If we do make changes, we will post those changes and indicate at the top of this page the Privacy Policy’s new effective date.

Through this process, members will always be aware of what information we collect, how we use it, and who we may disclose it to. Each member is bound by any change to this Privacy Policy if he or she uses the site after said changes have been posted. If, however, we change this Privacy Policy so that we are using personal information in a manner materially different from the manner as stated at the time of collection, we will notify the members here, by email, or through notice on our home page.

Your use of this web site and our network, and any disputes arising from it, is subject to this Privacy Policy and our Terms of Use Agreement and all of its dispute resolution provisions including arbitration, limitation on damages and choice of law. We strongly encourage you to refer to this Policy on an ongoing basis so that you understand the most current Privacy Policy terms. Unless stated otherwise, our current Privacy Policy applies to all information that we have about you and your account.

Contacting This Web Site

If you have any questions regarding this Privacy Policy, the practices of this web site, or your dealings with this web site, please contact us at the following mailing address, phone number, or email address:

  • ground(ctrl)
  • 120 K. Street Suite 3rd Floor
  • Sacramento, CA 95814
  • Toll Free: 1 (877) GND-CTRL
  • Phone (916) 443-9202
  • Fax (916) 443-9204

If you’ve read this far, well done. You’ve probably decided that One Direction are a safer bet…

Or are they?

Data Protection Update workshop – Analysis of the latest DPA cases, developments and news from the ICO. Our next workshops are in Manchester on the 18th November and in London on the 27th November. If you don’t have time to attend our full day workshops try our DP Update webinar on the 28th November.

The shortest Data Protection Policy in the world?

Youngest son has been looking for work. He was interviewed for a warehouse job with a big name in retail and had this thrust under his nose during the interview. Luckily the modern scourge of the camera phone proved very useful at this point, and he showed me this image when he returned home. Is it a Policy? Who is the data controller? Why do applicants have to sign to agree that their application form goes to a prospective employer? Why do they need medical details? The questions go on and on. There is a contradiction in the final paragraph. And they’ve squeezed all this into just over 50 words. Is it possible to write a Data Protection Policy that will fit into 140 characters? Who writes this stuff?

Use of Social Media in Investigations

All investigators, when tackling rogue traders, fraudsters or errant employees, need to make use of the Internet as an investigatory tool. Unfortunately there is a lack of knowledge of Internet investigation techniques amongst investigators, especially those working in the public sector. The Internet can reveal a treasure trove of free information, which can even lead to the perpetrators’ door (literally).

Do you have a smartphone and therefore an on-line account for managing email, contacts and messages? Do you use it for accessing applications such as Instagram, Flickr (for storing photographs online) and Facebook?

If these applications are used without properly controlled account settings, then your private information, your photographs and other personal data are available on-line for all to see. Even information that you yourself have not uploaded or stored can be mined for more personal information. You might have had photographs taken by a professional, for example for the sale of a home, or at events or weddings, or even by friends and family. These images are then posted on web sites and/or stored on-line (perhaps on Instagram or Flickr), often without your knowledge. The image files will often retain the tagging and geo-location metadata the photographer used to catalogue their albums. This might be your postcode, email address, name, or other identifying information. Someone who knows what to look for and where to look can discover a lot about you!
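The metadata leak described above (tags and location data carried inside the image file itself) can be checked for, and removed, before a photograph is published. The script below is an added example and is not code from the original post or from Act Now; it parses the JPEG segment structure directly rather than relying on a third-party imaging library, reports which metadata-carrying segments are present (APP1 Exif and XMP, APP13 IPTC, and free-text COM segments), and writes out a copy with those segments dropped while the JFIF header and the image data are kept intact. The sample image bytes are constructed inline for the example and the names and addresses inside them are made up.

```python
"""Detect and strip identifying metadata segments from a JPEG file.

Added example: a JPEG is a sequence of marker segments (0xFF, marker byte,
2-byte big-endian length, payload) followed by entropy-coded scan data.
Exif/XMP (APP1), IPTC (APP13) and comments (COM) live in their own segments,
so they can be removed without touching the picture.
"""
import struct
from typing import Iterator, List, Optional, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SCAN = -1                      # pseudo-marker for the entropy-coded data after SOS
_NO_LENGTH = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))   # markers with no length field

# (marker, payload prefix, label): segments that commonly carry identifying data.
METADATA_SIGNATURES = [
    (0xE1, b"Exif\x00\x00", "Exif"),
    (0xE1, b"http://ns.adobe.com/xap/1.0/\x00", "XMP"),
    (0xED, b"Photoshop 3.0\x00", "IPTC"),
    (0xFE, b"", "COM"),        # any comment segment: free text, often a name or caption
]


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, raw bytes) for each header segment; after SOS the rest is one SCAN chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    yield SOI, data[:2]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in _NO_LENGTH:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes itself
        end = pos + 2 + length
        yield marker, data[pos:end]
        pos = end
        if marker == SOS:
            yield SCAN, data[pos:]     # image data (and trailing EOI), copied verbatim
            return


def classify(marker: int, segment: bytes) -> Optional[str]:
    """Label a segment if it is a known metadata carrier, else None."""
    payload = segment[4:]          # skip 0xFF, marker byte and the 2-byte length
    for sig_marker, prefix, label in METADATA_SIGNATURES:
        if marker == sig_marker and payload.startswith(prefix):
            return label
    return None


def find_metadata(data: bytes) -> List[str]:
    """List the metadata segment types present, in file order."""
    return [lab for marker, seg in iter_segments(data) if (lab := classify(marker, seg))]


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with all metadata-carrying segments removed."""
    return b"".join(seg for marker, seg in iter_segments(data) if classify(marker, seg) is None)


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (helper for the constructed sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a minimal JPEG skeleton carrying the kinds of segments a
# camera or cataloguing tool adds. The text values are invented for the example.
SAMPLE_JPEG = b"".join([
    b"\xff\xd8",                                                   # SOI
    _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),   # APP0 JFIF header (kept)
    _seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00"),    # APP1 Exif (TIFF header, no tags)
    _seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>"),   # APP1 XMP
    _seg(0xED, b"Photoshop 3.0\x008BIM\x04\x04"),                  # APP13 IPTC
    _seg(0xFE, b"shot by photographer@example.invalid, album: 12 High Street"),  # COM
    _seg(0xDB, b"\x00" + bytes([1] * 64)),                         # DQT (kept)
    _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"),           # SOF0 8x8 greyscale (kept)
    _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00"),                       # SOS
    b"\x00\x00\x00\x00",                                           # scan data (placeholder)
    b"\xff\xd9",                                                   # EOI
])

if __name__ == "__main__":
    print("metadata found:", find_metadata(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after stripping:", find_metadata(cleaned), f"({len(SAMPLE_JPEG)} -> {len(cleaned)} bytes)")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_metadata`; write the result of `strip_metadata` to a new file rather than overwriting the original. The parser deliberately stops at the SOS marker and copies everything after it unchanged, so it never has to interpret the compressed image data; anything unusual before SOS (a byte that is not a marker) raises rather than silently passing a file through.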

Worrying! But also very useful if you are investigating an individual for criminal or civil offences (or just disciplinary matters). Here are a few examples where such information was used by investigators to find out about individuals clearly “up to no good.”

Case Study 1 – The Malicious Blogger

A Chief Executive of a public sector organisation received an email containing particularly threatening and abusive language and menacing comments. Enquiries about the routing of the email revealed it had been sent from an Internet café.

Just twenty-five minutes of open source research produced a result. The advanced search facilities within Google, and a couple of search facilities specific to social networking sites, identified the full details of the sender. Step one was to search the email address, which revealed a posting on a blog, which in turn revealed a publicly listed unique user name. This was searched and the user was found on a couple of unpleasant blogs linking with others. This in turn led to another user name which was very close to the individual’s real name. This in turn led to his Facebook account, tagged images, and other unpleasant on-line postings. A few minutes later the home address of the perpetrator together with very current photographs were discovered. He was found to be a professional working for a public authority!

Case Study 2 – The Rogue Employee

An employee was suspected of working on his own business whilst off sick from work. Resource intensive and potentially controversial covert surveillance was one of many options considered. However, from just a mobile number this individual was traced to an eBay account using the eBay advanced search facility. As well as identifying the goods for sale through this business venture, the username for this eBay account was linked to a website with a Twitter account. Tweets by this person revealed the exact times and dates when he was working on his own business. Much of what he was doing was taking place when he was at work. A web of business networking and LinkedIn activity was also unravelled, detailing far more than the investigators had imagined.

These are just a couple of examples of investigations where auditors/investigators benefitted from having a thorough knowledge of online investigation techniques. It doesn’t always work this easily but my new course explains the most effective techniques. I also provide practical guidance on how to capture online evidence to accepted national standards.

Any form of surveillance of individuals raises a lot of legal issues (see Ibrahim Hasan’s recent article on the law of employee surveillance). There are pitfalls especially relating to privacy, Data Protection and RIPA to name a few. This course will also give delegates an opportunity to network with others who face the same challenges.

Steve Morris is an ex police officer and one of our expert RIPA course trainers. Steve’s new E Crime and Social Networking Course is proving very popular amongst auditors and investigators wanting to know how to make best use of the Internet when conducting investigations.

The Law of Employee Surveillance

Decreasing public sector budgets and increasingly affordable technology mean that more and more employers are turning to surveillance to catch errant or work shy employees. But this area is a legal minefield. Mistakes can end up with adverse headlines in the media or, worse still, legal action. In August, West Yorkshire Fire Service was criticised in the papers when a 999 operator, who was on sick leave, found a GPS tracker planted on her car by a private detective hired by her bosses.

A public sector employer wanting to conduct lawful staff surveillance must first ask the question, which legislation applies? If the surveillance involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies and that the surveillance must be the subject of a written authorisation by a senior officer and, in the case of a local authority employer, Magistrates’ approval. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA.

In C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), a former police sergeant (C), having retired in 2001, made a claim for a back injury he sustained after tripping on a carpet in a police station. He was awarded damages and an enhanced pension due to the injuries. In 2002, the police instructed a firm of private detectives to observe C to see if he was doing anything that was inconsistent with his claimed injuries. Video footage showed him mowing the lawn. C sued the police claiming that they had carried out Directed Surveillance under RIPA without an authorisation. The Tribunal first had to decide if it had jurisdiction to hear the claim. The case turned on the interpretation of the first limb of the definition of Directed Surveillance i.e. was the surveillance “for the purposes of a specific investigation or a specific operation?”

The Tribunal ruled that this was not the type of surveillance that RIPA was enacted to regulate. It made the distinction between the ordinary functions and the core functions of a public authority:

“The specific core functions and the regulatory powers which go with them are identifiable as distinct from the ordinary functions of public authorities shared by all authorities, such as the employment of staff and the making of contracts. There is no real reason why the performance of the ordinary functions of a public authority should fall within the RIPA regime, which is concerned with the regulation of certain investigatory powers, not with the regulation of employees or of suppliers and service providers.”

The Tribunal also stated that it would not be right to apply RIPA to such surveillance for a number of reasons:

  1. RIPA does not cover all public authorities, and there was no sense in police employee surveillance being conducted on a different legal footing than, for example, the Treasury, which does not have the same surveillance rights under RIPA.
  2. The Tribunal has very restrictive rules about evidence, openness and rights of appeal. The effect of these would lead to unfairness for employees of RIPA authorities when challenging their employers’ surveillance as compared to those who were employed by non RIPA authorities.

This case suggests that, even where employee surveillance is being carried out for the purpose of preventing or detecting crime, the question has to be: is it for a core function linked to one of the authority’s regulatory functions? In the local authority context this would include, amongst others, trading standards, environmental health and licensing. If the surveillance is not being done for one of these purposes it will not be Directed Surveillance and consequently will not be regulated by RIPA.

Of course just because RIPA may not apply, it does not mean that the employer can do what it likes. Whatever type of surveillance is conducted, the right to privacy, under Article 8 of the European Convention on Human Rights, protects employees within the work environment. This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate. There have been a number of cases where employers have been criticised by the courts for failing to take account of the human rights issues when doing surveillance of employees e.g. Copland v UK (3rd April 2007 ECHR) concerning communications surveillance and Jones v Warwick University ((2003) 3 All ER 760) concerning a claim for personal injury. Compliance with the Data Protection Act 1998 (DPA) will be evidence that the surveillance has also been done in compliance with Article 8.

All employers, be they public or private sector, have to comply with the DPA when doing surveillance, as they will be gathering and using personal information about living individuals. The Information Commissioner has published the Data Protection Employment Practices Code, which sets out rules to be followed when dealing with employees’ personal data.

Part 3 of the code covers all types of employee surveillance from video monitoring and vehicle tracking to email and Internet surveillance. Indeed those public authorities who are doing surveillance of their employees which now, in the light of the above Tribunal case, cannot be authorised under RIPA also have to pay special attention to the code. Whilst the code is not law, it can be taken into account by the Information Commissioner and the courts in deciding whether the DPA has been complied with.

One of the other main recommendations of the code is that senior management should normally authorise any covert surveillance of employees. They should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice. They should carry out an impact assessment and consider whether the surveillance is necessary and proportionate to what is sought to be achieved i.e. the same considerations that public sector employers subject to RIPA would have to consider when doing a RIPA authorisation. This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

If covert surveillance of an employee results in his/her dismissal, the matter will usually end up before the Employment Tribunal in the form of unfair dismissal proceedings. Here the Tribunal will also have to consider whether evidence has been gathered fairly and lawfully. In City And County Of Swansea v Gayle UKEAT 0501_12_1604 (16 April 2013) Swansea Council conducted covert video surveillance on the claimant, when he was for good reason suspected of playing squash during work time, whilst claiming payment for being at work at the time. The surveillance confirmed he was seen at the sports centre on a succession of Thursdays when he should have been at work.

The Employment Tribunal upheld a claim for unfair dismissal (though awarding nil compensation, for contributory conduct) because of the Tribunal’s distaste for the employer’s use of covert surveillance. Its view was that Article 8 (right to privacy) was engaged and broken in doing so. It took account of the council’s lack of awareness of its obligations under the DPA and the Code.

These views were rejected on appeal to the Employment Appeal Tribunal. The appeal was allowed with a substituted finding that the dismissal was not unfair. The Tribunal did not accept that here there was any breach of Article 8(1) so as to require the Tribunal to consider the requirements of 8(2) at all. If, however, the Tribunal had done so it would have been bound to consider the legitimate aim which the Council claimed to have. Here one of two such aims might have been identified. The first was the prevention of crime, the second the protection of the rights and freedoms of others, the “others” here being the employers whose money was at stake and who had contractual rights in agreement with the claimant that he would behave in a way in which as it happened he did not.

This is an interesting case for employers. Dismissals will not necessarily be unfair when covert surveillance is used as part of the dismissal process. Employees acting fraudulently on the employer’s time cannot expect their actions to be kept private from the employer. However, employers would be well advised to tread with caution. Following the correct procedures and being mindful of their obligations under the DPA (as well as Human Rights) will inevitably put an employer in a better position.

Employee surveillance may not always engage RIPA. However data protection and human rights laws will always have to be carefully considered. In cases of surveillance of staff e-mail and internet usage Section 4 of RIPA and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 will also need to be considered. For more on the latter please see our online training course (Email and Internet Monitoring: How to do it lawfully).

Act Now can help you get to grips with this difficult area. Please see our full program of surveillance law courses which can also be customised and delivered at your premises. If you want a quick update try our forthcoming webinars.

Listen to Ibrahim Hasan’s interview on BBC File on Four on Secrecy and Surveillance: http://www.bbc.co.uk/programmes/b03bdsyk

Data Sharing Consultation – Do we need new laws?

The Law Commission has opened a consultation on the law around sharing of personal information between public sector organisations. Law Commissioner Frances Patterson QC says:

“It could be that more data sharing would improve public services but, if that is so, we need to understand why data is not being shared. Is there a good reason to prevent data sharing? Or is the law an unnecessary obstacle? Are there other reasons stopping appropriate data sharing? These are the questions we want to answer in this consultation.”

The legalities of data sharing are a subject which often confuses public sector officials. Local authorities, in particular, are often stumped by the “To Share or Not to Share” question, even if the sharing is for very good reasons (e.g. child protection or crime prevention). In some cases, even internal departments have felt constrained from updating each other about a change of a service user’s address.

More often than not, the Data Protection Act 1998 (DPA) is made the scapegoat for officials’ failure to fully understand the law. It is wrongly perceived as a barrier to data sharing despite offering a range of justifications (e.g. consent, legal obligation, protecting vital interests etc. (Schedule 2)).

Many attempts have been made to resolve this “problem”. In May 2011, the Information Commissioner published a statutory Code of Practice on data sharing. The code explains how the DPA applies to the sharing of personal data both within and outside an organisation. It provides practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one off requests for information. Under Section 52 of the DPA, the code can be used as evidence in any legal proceedings and can be taken into account by the courts and the Commissioner himself when considering any issue.

Despite the clear guidance in the code, the Government has sometimes toyed with the idea of new laws. Last year, according to a story in the Guardian newspaper, proposals were to be published by the Cabinet Office minister, Francis Maude, which would make it “easier” for government and public-sector organisations to share confidential information supplied by the public:

“In May, we will publish proposals that will make data sharing easier – and, in particular, we will revisit the recommendations of the Walport-Thomas Review that would make it easier for legitimate requests for data sharing to be agreed with a view to considering their implementation,” said Maude, adding that current barriers between databases made it difficult for public sector workers to access relevant information.

“It’s clearly wrong to have social workers, doctors, dentists, Job Centres, the police all working in isolation on the same problems.”

The Guardian reported that the proposals are expected to include fast-track procedures for ministers to license the sharing of data in areas where it is currently prohibited, subject to privacy safeguards. I could not find the proposals on the web. Anybody know whether they were ever published?

Confusion around data sharing continues to reign! The tragic case of Daniel Pelka is one example. The recent report into the four-year-old’s death, published by the independent Coventry Safeguarding Children Board, identified a number of missed opportunities where professionals across a number of agencies should have done more to protect Daniel. Amongst other things, it concluded that the sharing of information and communications between all agencies was not robust enough.

Ill-informed comments about the current law (especially the DPA) do not help. In a recent Daily Telegraph article by Michael Gove, the Education Minister claimed that, whilst trying to understand the underlying causes of child exploitation, he discovered that OFSTED “was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police.” There is nothing in the DPA which prevents this. Don’t just take my word for it. Read the Information Commissioner’s riposte to the learned Mr Gove.

Do we really need new laws on data sharing or a better awareness of the existing ones? My view is that the current law is adequate to regulate yet allow responsible data sharing. The DPA and the Data Sharing Code need to be properly understood. They can be a tool allowing responsible data sharing. Most public sector data sharing will be lawful if organisations comply with the Eight Data Protection Principles; particularly the First Principle which requires information to be processed fairly and lawfully. There are also numerous exemptions in the Act including where sharing is required for the purpose of prevention or detection of crime (section 29).

The Law Commission consultation runs until 16 December 2013 and the paper may be accessed at: http://lawcommission.justice.gov.uk/. Responses can be emailed to data.sharing@lawcommission.gsi.gov.uk or sent by post.

More Information: Read our article for a full explanation of the ICO Data Sharing Code or watch this free webinar. We also run full day Multi Agency Information Sharing workshops.

The 2013 Surveillance Commissioner Report – Key Points

The Chief Surveillance Commissioner published his 2013 annual report (covering the period from 1st April 2012 to 31st March 2013) on 18th July 2013. It is important reading for those public authorities who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA).

The report details statistics relating to the use of Part 2 of RIPA by public authorities and information about how the Office of the Surveillance Commissioner (OSC) conducts its oversight role. Non-law enforcement agencies (including councils) authorised Directed Surveillance on 5,827 occasions. This continues a downward trend over the last few years.

The report highlights a number of important issues some of which are listed below:

  • Common errors by RIPA authorities include miscommunication or failure to communicate the details of an authorisation; failure to conduct thorough reviews, renewals or cancellations; ignorance on the part of officers; or poor administration or processes.
  • The Commissioner says that all public authorities have struggled with the use of the Internet for investigations, particularly social networking sites. At paragraph 5.7 he advises caution on conflating the offline world with the online world. There may be cases where RIPA authorisation is required when doing research about a person on the Internet. He goes on to say, “… it is important to bear in mind that it is not always possible to give a definitive answer as to whether a particular activity requires authorisation: facts are infinitely variable. Where there is doubt authorisation is prudent.” Act Now has developed a course on E-Crime and Social Networking Sites which examines all the relevant RIPA and wider legal issues.
  • Too many tactics requested by investigating officers are unused. Authorising officers and Senior Responsible Officers should monitor whether applicants are lazily requesting tactics out of habit rather than necessity.
  • Too many cancellations provide an insufficient record of surveillance actually conducted and the details of collateral intrusion. Rarely does guidance on the retention or destruction of product go beyond an inadequate reference to policy. It is vital that surveillance product that does not match the objectives stated in the authorisation is not retained on databases.
  • At paragraph 5.5, the Commissioner reiterates his view that RIPA is permissive legislation and there may be occasions where surveillance outside the scope of RIPA may be required. He points to the recent IPT decision in BA and others v Cleveland Police (IPT/11/129/CH). This is in keeping with Ibrahim Hasan’s view as explained on this blog.
  • Where there is an invasion of privacy and RIPA does not apply, due to all conditions not being met, then the Commissioner recommends use of a similar written authorisation mechanism where Article 8 issues (privacy) are considered.
  • The Commissioner also considers the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six month threshold test for Directed Surveillance. On the whole they are working well. There were 142 approval requests made to a Magistrate in the reporting period of which only two were rejected.
  • Finally the Commissioner fires a shot across the bows of those authorities who drag their feet in accepting his recommendations. At paragraph 5.18 he says, “I expect the recommendations of my reports to be followed whether or not individual officers agree with them. Continued failure to do so – especially on the ground that current practices have been unchallenged in court proceedings – may result in publication of my guidance or recommendations to a wider audience.”

Now is the time to consider refresher training for RIPA investigators and authorisers. Please see our full program of RIPA Courses which have been revised to take account of all the latest developments. We can also deliver these courses at your premises, tailored to the audience. Finally, if you want to avoid reinventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

Grandma’s spends

Grandma had been getting worse day by day. She’s living in her own home with help from various agencies, but she’s an easy target. Dementia has been diagnosed. Last year she paid a door to door salesman £1,800 by cheque for an item she didn’t want, which was available on eBay for £45. It took a long time for the firm to accept that they had exploited an elderly woman and it took quite a while to get the money back. As a result of that, Grandma’s cheque book was confiscated by her granddaughter. Her pension was redirected to the bank instead of the Post Office and Grandma was given some spends. Problem solved. She couldn’t spend the not insignificant balance in her bank, just the handful of tenners in her purse (and these mostly went on fags and fish & chips).

Then the spends started disappearing. £50 on Monday evening turned into £30 by Wednesday, and Grandma complaining that she didn’t have enough. Daughter-in-law topped Grandma up to £40. It turned into £10 by Friday and no-one knew where it was going. Grandma and Alzheimer’s didn’t help. Her short-term memory was non-existent. She didn’t go out much at all. She didn’t appear to buy much. Rarely did anyone call at the door. Carers & meals on wheels arrived, so did the hairdresser.

Eventually the conclusion was reached that either Grandma was stashing it away for the future or someone else was involved. To resolve the issue a hidden camera would be installed. After a few quotes we settled on a local man who’d done this many times. Three motion-activated hidden cameras in the lounge, kitchen and understairs cupboard. £375 a week. They went in last Monday.

“I can save you £375,” he joked as he twiddled his screwdriver. “It’s always the carer.”

Donning our DP hats for a moment…

  • Who is the data controller?
  • Who are the data subjects?
  • Is notification required?
  • Is there a data processor issue?
  • What Schedule 2 or 3 condition justifies the processing?
  • Are the Subject Information Provisions relevant?
  • Which exemptions might apply?
  • Is RIPA relevant?
  • Do we need a PIA?

The security firm didn’t consider any of these questions. They just installed the cameras.

Two hours after installation (but a week later, as we trawled through 800 images downloaded to our laptop from the cards inside the cameras) we saw on image number 4 someone go into the understairs cupboard with Grandma’s handbag, hang it up on a hook, open it, take some notes from the purse and replace it. The security man, being well versed in this sort of thing, said the evidence was good enough for the police. It happened again on image 43, then again on image 267.

The culprit? It was someone the granddaughter knew well and who had been visiting Grandma every day to check she was eating properly, doing odd jobs around the house and generally looking out for a vulnerable old lady. She was being paid for this service but had chosen to take a few pounds every day to boost her income.

The next stage is to confront the person; consider telling the police; consider informing her employer; find a new helper; let Grandma know what has been going on; and pay the security man, who had a part-time job as a fortune teller.

It was, as he predicted, the carer.