Category: Privacy

Disclosure of Staff Names under FOI

Most_Popular_Male_Names

When considering request for information under the Freedom of Information Act 2000(FOI) public authorities often face a dilemma about disclosing names of staff.

Names are generally considered to be personal data, being information relating to living identifiable individuals (as defined by the Data Protection Act 1998 (DPA)). (Although one Information Tribunal (as it was known then) decision, Harcup v Information Commissioner and Yorkshire Forward (EA/2007/0058), ruled they are not. (See episode 11 of my FOI Podcasts for a full discussion of this decision). Therefore the exemption under section 40(2) (third party personal data) will have to be considered.

For this exemption to be engaged a public authority must show that disclosure of the name(s) would breach one of theData Protection Principles. Most cases in this area focus on First Principle and so public authorities have to ask, would disclosure be fair and lawful? They also have to justify the disclosure by reference to one of the conditions in Schedule 2 of the DPA (as well as Schedule 3  in the case of sensitive personal data). In the absence of consent, most authorities end up considering whether disclosure is necessary for the applicant to pursue a legitimate interest and, even if it is, whether the disclosure is unwarranted due to the harm caused to the subject(s) (condition 6 of Schedule 2)?

The seniority of the staff, whose names are being requested, will of course be a key factor in deciding whether disclosure is fair. The first Information Tribunal decision on this issue, back in 2007, (Ministry of Defence v Information Commissioner and Rob Evans (EA/2006/0027)) concerned a request made by a journalist for a staff directory which included the names and contact details of individuals working for the Defence Exports Services Organisation. The MoD refused to disclose the information citing, amongst others, the exemption under section 40(2).

The Tribunal ruled that that the MoD could only withhold names of staff if they are particularly junior (below Civil Service B2 Level), not immediately responsible for the requested information and their name is not already available elsewhere (or would be expected to be through their performing a public-facing duty); or there is a clear and demonstrable threat to that individual’s health and safety if their name is made public.

As is clear from the MoD decision, seniority is just one factor to be taken into account. Public authorities should avoid the blanket non-disclosure of the names of all officers below a certain level of seniority. When it comes to the disclosure of names, what matters is what work the individuals are doing, rather than their seniority or grade. If a person is in a front facing role and his/her name is already in the public domain, then it will be difficult to withhold it.

In 2008 another Tribunal decision (The Department for Business, Enterprise and Regulatory Reform v Information Commissioner and Friend of the Earth (EA/2007/0072) examined whether names of private sector employees attending a meeting should be disclosed as well as those of civil servants. The request was for information about meetings and correspondence between Ministers and senior civil servants in the Department of Business, Enterprise and Regulatory Reform and employees from the Confederation of British Industry. Some of the documents relevant to the request included references to individuals who had attended such meetings as spokespersons or as note takers or bystanders. The Tribunal summarised the position as follows:

a. Senior officials of both the government department and lobbyist attending meetings and communicating with each other can have no expectation of privacy. The officials to whom this principle applies should not be restricted to the senior spokesperson for the organisation. It should also relate to any spokesperson.

b. Recorded comments attributed to such officials at meetings should similarly carry no expectation of privacy.

d. In contrast junior officials, who are not spokespersons for their organisations or merely attend meetings as observers or stand-ins for more senior officials, do have an expectation of privacy. This means that there may be circumstances where junior officials who act as spokespersons for their organisations are unable to rely on an expectation of privacy;

e. The question as to whether a person is acting in a senior or junior capacity or as a spokesperson is one to be determined on the facts of each case.

f. The extent of the disclosure of additional information in relation to a named official will be subject to usual test i.e. is disclosure necessary for the applicant to pursue a legitimate interest, and, even if it is, is the disclosure unwarranted due to the harm caused to the individuals by disclosure? This will largely depend on whether the additional information relates to the person’s business or professional capacity or is of a personal nature unrelated to business.

In January 2011, the First Tier Tribunal (Information Rights) considered disclosure of names in Dun v IC and National Audit Office (EA/2010/0060). The disputed information concerned the NAO’s enquiry into the FCO’s handling of employee grievances of a whistleblowing variety. The Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned. This decision is discussed in detail in episode 21 of my FOI Podcasts.

Where there is a risk to staff safety if their names are disclosed, then the public authority will be right to err on the side of caution. In Wild v IC and Chief Constable of Hampshire Constabulary (EA/2010/0132) the Appellant requested the dates of pre-hunt meetings in the last five years and the names of police officers attending pre-hunt meetings with organisers of the Isle of Wight Hunt. The Police responded, providing dates, but refusing to disclose the names of the officers in attendance.

The Commissioner considered the section 40(2) exemption and concluded that the disclosure would result in a breach of the First Data Protection principle.  He accepted that the disclosure may lead to the harassment of the officers identified and consequently the disclosure would be unfair to those officers. The Tribunal upheld the Commissioner’s decision.

Don’t forget condition 6 of schedule 2 of the DPA. A public authority will have to consider whether disclosure of a name is necessary for the applicant to pursue a legitimate interest, and, even if it is, whether the disclosure is unwarranted due to the harm caused to the individual by the disclosure.

A more recent Tribunal decision (January 2013), McFerran v IC (EA/2012/0030) involved a police search of a property owned by Shropshire County Council. At the police’s request, two junior council officers were present, but they had not been involved in any of the decision-making. The requester wanted the names of the council officers as well as their immediate superior. The council refused, relying on s. 40(2).

The Commissioner ordered disclosure of the name of the more senior officer, but not of the two juniors. The Tribunal agreed with this decision and dismissed the requester’s appeal, observing that:

“although… there is clearly a legitimate public interest in transparency of activity by public authorities, which impinges on the personal freedom of householders, there is insufficient information provided to add significant weight to the general public interest in transparency in public affairs. The Appellant has not satisfied us, either, that his attempts to have the matter investigated are being thwarted by the absence of the names of the individuals in question. If there is sufficient information about the event to interest those responsible for an investigation the absence of names will not deter them.”

This decision illustrates that, when it comes to junior officials, the requestor will have to show that there is legitimate interest in knowing the names of officers where they are junior. A general argument about openness and transparency will not suffice.

In Armit v IC and Home Office (EA/2012/0041) the UKBA redacted the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’ which fell within the scope of the request. The Tribunal agreed with this approach, taking account of the requester’s failure to identify a legitimate interest in public disclosure of the names of those officials:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

Another recent Tribunal decision on the disclosure of names is Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032).

The issue of disclosure of names pursuant to an FOI request is a difficult one. As can be seen from this discussion of Tribunal decisions, a number of different factors have to be weighed in the balance. A blanket approach will not work.

Whilst on the subject of names, does an FOI requestor have to give his/her real name? Read the answer here  as well as a really bad joke!

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshop  on 13th March 2013.

Do you want an international recognised qualification in FOI?                           The ISEB Certificate in Freedom of Information  starts in Birmingham on 26th March 2013.

Proposed EU Data Protection Regulation and Research

Man Reading Book and Sitting on Bookshelf in LibraryDavid Erdos believes a bid to tighten European data protection will have a chilling impact on social science and humanities research.  He writes:

Even with the advent of Web 2.0, data protection law is still often seen as technical and only narrowly applicable. Technical abstruseness aside (and data protection’s reputation here is certainly deserved), this understanding could not be more wrong. The existing European data protection framework really is breathtaking in scope. It applies to anything done electronically with any information about an identified or identifiable person – possibly including the dead. According to the European Union, even innocuous details in the public domain are protected (perhaps even the title of an author’s book). Moreover, if the information reveals the particulars of, for example, a person’s ethnic origin, political opinions, religious belief, trade union membership, health or criminality, then it is classed as “sensitive” and subject to even tighter controls. The European data protection framework is not only broad but often onerous. Barring specific exceptions (including a liberal one that can be invoked for journalism, literature and the arts), there is a presumption that individuals will be informed about the processing of data about them and given a right to object, that the processing of “sensitive” personal information will be banned and that no personal information will be transferred outside the European Economic Area without “adequate protection”.

So the popular perception of data protection is woefully inaccurate – which leads to a radical underestimation of the threat these regulations pose to the enjoyment of other fundamental rights and the pursuit of legitimate activities. Nowhere is this more the case than in social science and humanities research. Since the advent of the EU’s framework in the 1990s, researchers have witnessed dramatic restrictions on their freedom to use “sensitive” data and to deploy covert methods. Coupled with the growth of sometimes intrusive “ethical review” policies, the barriers and burdens placed in the way of even ordinary, innocuous, yet socially beneficial research and on researchers have become considerable.

It might have been hoped that the proposed EU Data Protection Regulation would provide an opportunity to reverse this. But if the European Parliament’s recently published draft amendments are anything to go by, the converse is true.

Contunue reading here.

This article was originally published in the 14-20 February 2013 edition of Times Higher Education and is published with the author’s permission. You can also read it on the Constitutional Law website.

The draft EU DP Regulation will be examined in our forthcoming 1 hour Data Protection Update Webinar : http://www.actnow.org.uk/courses/930

Leveson: What future for Data Protection?

LevesonThe Leveson Report has finally been published.

The Report recommends that a tougher form of self-regulation backed by legislation should be introduced to uphold press standards. Much has already been written (http://www.bbc.co.uk/news/uk-20543936) and will continue to be written about this central recommendation and whether it is good or bad for democracy and a free press. But amid the furore about whether the Prime Minister should or should not accept the central recommendation, it is easy to forget that the report will also have implications for Data Protection Act and the Information Commissioner.

One of the areas that Lord Justice Leveson was required to consider was ‘the extent to which the current policy and regulatory framework has failed, including in relation to data protection’.

I started writing a blog post on the way back from London, and got as far as the above, when an e mail from the good people at 11KBW  (Panopticon Blog) landed in my inbox.

On well if you can’t beat them, read them! Here is their excellent analysis of the DP recommendations of Leveson:

http://www.panopticonblog.com/2012/11/29/leveson-inquiry-report-spotlight-on-proposed-data-protection-reforms/

I was only training round the corner and passed the QE2 centre where LJ Leveson was giving his press conference. Perhaps, I should have camped out overnight to beat the Panopticon Team?

Privacy Conference – Call for Papers

The Fifth Northumbria Information Rights Conference will take place on Wednesday 1 May 2013 at the Centre for Life, Newcastle Upon Tyne, UK.   The theme of the conference will be “Changing notions of privacy”.

The aim of the conference is both to explore developing understandings of privacy, and the tensions that exist between privacy, openness and freedom of expression. The following topics will be explored within the overall theme, and papers will be grouped for presentation accordingly:

  • What is privacy?
  • Privacy v freedom of expression
  • Technology and the challenges of protecting privacy
  • Privacy in a commercial context
  • Privacy and the Freedom of Information Act 2000
  • Privacy or openness
  • Privacy and the Data Protection Act 1998

The university will also consider abstracts which do not fall within these themes but which are nonetheless relevant to the overall theme.

This call is open to academics, postgraduate students and practitioners from all disciplines, but particularly law, politics, information science and records management. Ibrahim Hasan presented a paper to this conference last year examining the Government’s proposals to change RIPA and whether they were a sledgehammer to crack a nut. We would urge our readers to get involved.

Those interested in presenting a paper are invited to submit abstracts to the conference administrator Maureen Cooke: email maureen.cooke@northumbria.ac.uk. Abstracts should be submitted by 7th December 2012. They should not exceed 300 words. Submission must be by Word document e-mail attachment at the email address shown above and should include, in addition to the abstract, your title, name and organisation/institutional affiliation and your email address for correspondence.

All proposals will be reviewed, and successful applicants will be notified at the latest by 21st December 2012. Please contact maureen.cooke@northumbria.ac.uk for any general enquiries about the conference or telephone 0191 243 7597.

RIPA, CHIS and the IPT

A recent legal case about undercover police officers’ activities whilst investigating protest groups, has raised the importance of RIPA forms being completed correctly and care being taken when authorising them.

Ten women have launched  a legal action claiming they were tricked into forming “deeply personal” relationships with undercover police officers acting as a Covert Human Intelligence Source (CHIS) under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). The case is the first civil action to be brought before a court.

Three of the women referred to in court had intimate relationships with Mark Kennedy, who spent seven years living as an environmental campaigner. Kennedy’s deployment was made public last year after activists worked out he was a police spy.

Lawyers for the police are currently applying to have the case moved from the High Court to “a secret Tribunal”. Normally cases involving a breach of RIPA are heard by the Investigatory Powers Tribunal (IPT). Most cases heard by the Tribunal are in private and not open to the media. Very few judgements are published. Most cases are about conduct by, or on behalf of, the Intelligence Services (MI5, MI6and GCHQ). The Tribunal has the power to award damages to complainants and to quash or cancel any authorisation to do the surveillance.

Not surprisingly, the IPT is the forum of choice for the police in this case. According to a report in The Guardian:

“Monica Carrs Frisk QC, representing the police, said their argument was not about denying the women remedy, but determining the correct forum for determining their claims.The police argue the case should be heard in the investigatory powers tribunal, as it was set up specifically to consider allegations of unjustifiable surveillance by the state.They also argue they may be unable defend the case because they have a long-established policy of neither confirming nor denying the identity of undercover police officers.”

When the Kennedy case came to light, Her Majesty’s Inspectorate of Constabulary (HMIC) conducted a report into the circumstances. It concluded that, whilst undercover officers deployed into protest communities gathered intelligence which enabled the police to prevent acts of serious violence, there was serious intrusion into the lives of others, and this risk needs to be better managed in the future.

More will come about these cases especially if (as is likely) the civil case remains in the High Court. The circumstances shows the importance of all public authorities, not just the police, considering the applicability of Part 2 of RIPA , especially the CHIS provisions, very carefully when engaging staff to “go undercover”. In addition to the usual considerations of necessity and proportionality, the CHIS authorisation form  requires a risk assessment to be done, together with a need to have a separate CHIS Handler and a Controller. Detailed records also need to be kept in accordance with the RIPA (Source Records) Regulations 2000 (SI 2000/2725). If these roles were carried out correctly then abuses of RIPA, as in this case, would be very rare.

Of course local authorities are very infrequent users of the CHIS process (and they certainly do not authorise CHIS operations involving sleeping with the targets!). Any potential for abuse has been minimised even further by the Protection of Freedoms Act 2012 (sections 37 and 38) which came into force on 1st November 2012. This changes the procedure for the authorisation of local authority surveillance under RIPA. From 1st November, local authorities have been required to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source and accessing communications data. On 5th November, Gateshead Council received (what could be) the first Magistrates’ approval.

The case of Mark Kennedy (and others) does beg the question; Is it time the police were required to seek judicial approval for surveillance under RIPA? Should we even stop there? What about surveillance abuses by the press which have come to light as a result of the Leveson Inquiry? Is it time to RIPA it up and start again?

Act Now can help you prepare for the new RIPA process. We have an update  course in December in London. If you would like advice on what needs to be done or customised in house training, please get in touch.

Finally all RIPA authorities need to revise their guidance and policy documents. See our RIPA Policy and Procedures Toolkit.

Nobody cares for me. Signed DC.

Dear Mr xxxxxxxx, 

As a registered user of www.tpexpress.co.uk we are legally required under the Data Protection Act 1998 to contact you with the information outlined below.

Please note: This is not a marketing communication and does not affect your opt-in/out preferences for marketing emails.

What is changing?
We will be changing our online booking system during November and we are writing to you to notify you of the change in data controller from thetrainline.com to ourselves as a result of this change.

What does this mean to you?
Your retail contract will be exclusively with:
First/Keolis Transpennine Limited (FTPE),
50 Eastbourne Terrace,
Paddington,
London,
W2 6LG
Company Registration Number 04113923

Can anyone tell me which section of the Act requires a Data Controller to inform a data subject of a change of data controller? Or is it just good business practice? Or just plain “we don’t know what we’re doing”?

Answer on a postcard please to

DPO, Customer Relations, Some Train Operator, Leaves on the line, Adelstrop.

First Magistrates’ Approval of RIPA Surveillance

Gateshead Council MAY HAVE become the first local authority in the country to successfully obtain Magistrates’ approval for covert surveillance under new laws which came into force on 1st November 2012.

Chapter 2 of Part 2 of the Protection of Freedoms Act 2012 (sections 37 and 38) changes the procedure for the authorisation of local authority surveillance under the Regulation for Investigatory Powers Act 2000 (RIPA). From 1st November, local authorities have been required to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source and accessing communications data.

The Home Office has now published its RIPA Magistrates’ Approval Guidance both for local authorities and the Magistrates’ Court. However until recently, no council had reported a successful application to the Magistrates. We believe, Gateshead Council is the first to do so.

Colin Howey, Senior Trading Standards Officer, explains what they did:

“Like most authorities we were a bit anxious about the new RIPA regime. Whilst we wanted to continue to use covert surveillance techniques in a necessary and proportionate manner, we were concerned about the cost and resource implications of the new Magistrates’ approval process.

Following a full day training workshop we were more confident about what was required. But the new process was still untested.

On 5th November though we obtained what may well be the country’s first judicial approval of a RIPA authorisation. Gateshead Magistrates’ Court approved our use of Directed Surveillance to investigate some serious trading standards offences.

We carefully followed the procedure as set out in the Home Office RIPA Magistrates’ Approval Guidance.  We were also careful to ensure the surveillance was necessary on the amended grounds set out in The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  which also came into force on 1 November 2012. This makes Directed subject to a new Serious Crime Test.

Once we obtained the internal authorisation in the usual way we contacted the Gateshead Magistrates’ Court to arrange a hearing.  They asked us to e mail through the original RIPA authorisation form as well as the completed judicial application/order form.

The hearing was attended by the investigating officer and the Council Solicitor. The court was also aware that it was the first RIPA application it had received so a District judge heard the application advised by the Clerk of the Court.  The hearing was in private. The judge considered the RIPA authorisation and the judicial application/order form.  He asked one or two relevant questions to satisfy himself that the surveillance was necessary and proportionate and then signed the judicial order form

The whole thing was relatively straightforward. It only took the judge fifteen minutes to consider and approve the application.

My tips for those who need to make a similar application are:

1. Train your staff – All investigators and authorising officers need to know about the new process.  Those who will be attending court need to be trained in completing the new judicial application/order form.

2. Designate staff who will be attending the Magistrates Court -This is done under section 223 of the Local Government Act 1972.  It is worth giving staff a letter of designation to take to the court when making the application.

3.  Contact your local Magistrates Court now to discuss how they will deal with RIPA applications. Like ours they may want documents e mailed to them beforehand. This will also save time on the day.”

Our thanks to Colin Howey and the Regulatory Services Team at Gateshead Council for this fascinating insight. The training provided to Gateshead Council was conducted by Ibrahim Hasan, of Act Now Training.

Did your council achieve a RIPA approval before Gateshead? Use the comment field to let us know.

Act Now can help you prepare for the new RIPA process. We have an update  course in December in London. If you would like advice on what needs to be done or customised in house training, please get in touch.

Finally all RIPA authorities need to revise their guidance and policy documents. See our RIPA Policy and Procedures Toolkit.

RIPA Policy and Procedure Toolkit (November 2012)

Major changes to the local authority surveillance regime (under RIPA) come into force this today.

  • Local authorities will need to obtain Magistrates’ approval for all surveillance done under RIPA.
  • Directed Surveillance will be subject to a new serious crime test

For detailed discussion on the changes please see our blog:

http://actnowtraining.blog/2012/10/17/1st-november-d-day-for-council-surveillance/

Now is the time to revise your RIPA polices and procedures and make your staff aware of the new rules. Ibrahim Hasan, one of the UK’s leading writers and trainers on public sector surveillance, has developed a RIPA procedures and guidance toolkit to assist you. Why reinvent the wheel?

The toolkit includes an updated version of our previous RIPA Forms Guidance document, which was bought by over one hundred different organisations. In addition there are detailed guidance notes on deciding when surveillance is caught by RIPA, how to authorise it and what to do about surveillance which is not regulated by RIPA. The toolkit is written in straight forward language (avoiding legal jargon) and includes flowcharts to assist understanding. For more information click on the link below:

http://www.actnow.org.uk/content/116

There is a 20% discount for those who bought the previous RIPA Forms Guidance (now updated and included in this toolkit.)

1st November: D-Day for Council Surveillance

1st of November 2012 will see big changes in the way local authorities carry out surveillance under Regulation fo Investigatory Powers Act 2000 (RIPA):

1. Magistrates’ Approval for all Surveillance

Sections 37 and 38 of the Protection of Freedoms Act 2012 amends RIPA so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA; namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. Click on the links below for more

Details of the new legal provisions

How to apply for Magistrates’ approval

RIPA Policy and Procedures Toolkit

2. New Serious Crime Test for Directed Surveillance

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence which punishable by a maximum term of at least 6 months of imprisonment (subject to exceptions).

Details of the new test

Will councils still be able to do surveillance for “minor offences”?

Read my view here

How Act Now Can Help

1. New procedures and guidance will have to be issued – see our RIPA Policy and Procedures Toolkit

2. Officers will need to be made aware of the new procedures. See our training courses. If you would like customised in house training, please get in touch.

I hate my boss, I’m drunk, E’s are good and here’s my new mobile.

A delegate on a recent course after an animated discussion on social networking  sent us the following link to “We know what you’re doing… A social networking privacy experiment by Callum Haywood“.

To use the words of the site All data is pulled directly from Facebook, it is not censored, and it is publicly accessible via the Graph API” . In other words the site ‘reads’ status updates which are publicly accessible from Facebook and if they meet the right criteria it categorises them into the following 4 groups:

  • Those who ‘hate their boss’ (and are likely to get fired)
  • Those who are hungover
  • Those who use drugs or condone the use of drugs
  • Those who have a new phone number and have listed it publicly online

Some are fairly anonymous and private but now and again you do get enough information to track some one down with some low level googling. Here’s the link. Watch the video as well.

http://www.weknowwhatyouredoing.com/