First Two GDPR Enforcement Notices – Lessons Learnt


The Information Commissioner’s Office (ICO) recently served only its second Enforcement Notice for breaches of the GDPR.

The first Enforcement Notice was issued in July 2018 against a Canadian company, AggregateIQ Data Services Ltd (AIQ). Strangely, it was not published on the ICO’s website but was mentioned in the ICO’s report, “Investigation into the use of data analytics in political campaigns”. Pursuant to section 149 of the Data Protection Act 2018, the notice required AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”

The ICO found that AIQ had violated Articles 5 and 6 of the GDPR by processing personal data without the knowledge of the data subjects, for undeclared purposes and without a lawful basis for such processing. It had also failed to provide the transparency information required under Article 14 of the GDPR.

On 9th May 2019, the second Enforcement Notice was served on Her Majesty’s Revenue and Customs (HMRC), ordering it to delete personal data it had collected unlawfully as part of a Voice ID system. The background to the notice is that HMRC adopted a voice authentication system in January 2017 which asked callers to some of its helplines to record their voice as their password. A complaint from Big Brother Watch to the ICO revealed that callers were not given further information or advised that they did not have to sign up to the service. There was no clear option for callers who did not wish to register. In short, HMRC did not have adequate consent from its customers to collect the data.

In the notice, the Information Commissioner says that HMRC appears to have given “little or no consideration to the data protection principles when rolling out the Voice ID service.” She highlights the scale of the data collection – seven million voice records – and that HMRC collected it in circumstances where there was a significant imbalance of power between the organisation and its customers. It did not explain to customers how they could decline to participate in the Voice ID system. It also did not explain that customers would not suffer a detrimental impact if they declined to participate.

It was also found that a data protection impact assessment (DPIA) that appropriately considered the compliance risks associated with processing biometric data was not in place before the system was launched. The ICO plans to follow up the enforcement notice with an audit that will assess HMRC’s compliance with good practice in the processing of personal data.

  • Recording voices which can be used to identify the speaker is biometric data. This is classed as Special Category Data under GDPR.
  • If Data Controllers are planning to rely on consent as a legal basis to process such data, then they must remember that any consent obtained must be explicit (see the ICO guidance on informed consent).
  • Large scale use of biometric data is also “high risk” processing and will require a DPIA.
  • Data Controllers must be able to demonstrate their GDPR compliance by putting appropriate technical and organisational measures in place.

Steve Wood says:

“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”

More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. Act Now runs a full day workshop which can teach you how to do a DPIA. For those seeking a GDPR qualification, our practitioner certificate is the best option.


Act Now Launches New FOI Practitioner Certificate


Act Now is pleased to announce the launch of its brand new FOI Practitioner Certificate.

This course is one of the first of its kind, in a way that only Act Now delivers – practical, on the ground skills to help you fulfil your role as an FOI Officer.

This new certificate course is ideal for those wishing to acquire detailed knowledge of FOI and related information access legislation (including EIR) in a practical context. It has been designed by leading FOI experts including Ibrahim Hasan and Susan Wolf – formerly a senior lecturer on the University of Northumbria’s LLM in Information Rights Law.

The course uses the same format as our very successful GDPR Practitioner Certificate. It takes place over four days (one day per week) and involves lectures, discussion and practical drafting exercises. This format has been extremely well received by over 1000 delegates who have completed the course. Time will also be spent at the end of each day discussing the issues delegates may face when implementing or advising on the FOI topics of the day.

The four teaching days are followed by an online assessment and a practical project to be completed within 30 days.

Why is this course different?

  • An emphasis on practical application of FOI rather than rote learning
  • Lots of real life case studies and exercises
  • An emphasis on drafting Refusal Notices
  • An online Resource Lab with links, guidance and over 5 hours of videos
  • Modern assessment methods rather than a closed book exam

Who should attend?

This course is suitable for anyone working within the public sector who needs to learn about FOI and related legislation in a practical context, as well as those with the requisite knowledge wishing to have it recognised through a formal qualification. It is most suitable for:

  • FOI Officers
  • Data Protection Officers
  • Compliance Officers
  • Auditors
  • Legal Advisers

Susan says:

“FOI and EIR are almost 14 years old. Since the Act and Regulations came into force there have been many legal developments and court decisions that have given practitioners a much greater understanding of the legal provisions and how they should be applied in practice. With this in mind, we have written this course to ensure that it equips public sector officers with all the necessary knowledge and skills they need to respond to freedom of information requests accurately and efficiently. This course, with its emphasis on the law in practice, will enable trainees to become more accomplished and confident FOI practitioners.”

Susan will share her vast experience gained through years of helping organisations comply with their information rights legislation obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable skills which they will be able to apply in their workplaces for years to come.

This new course builds on Act Now’s reputation for delivering practical training at an affordable price.

This new course widens the choice of qualifications for IG practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) commented:

“We are pleased to be able to launch this new qualification. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future FOI Officers and advisers.”

To learn more please visit our website.

All our courses can be delivered at your premises at a substantially reduced cost.
Contact us for more information.

The Facebook Data Breach Fine Explained


On 24th October the Information Commissioner imposed a fine (monetary penalty) of £500,000 on Facebook Ireland and Facebook Inc (which is based in California, USA) for breaches of the Data Protection Act 1998. In doing so the Commissioner levied the maximum fine that she could under the now repealed DPA 1998. Her verdict was that the fine was ‘appropriate’ given the circumstances of the case. For anyone following the so-called Facebook data scandal, the fine might seem small beer for an organisation that is estimated to be worth over 5 billion US Dollars. Without doubt, had the same facts played out after 25th May 2018, the fine would arguably have been much higher, reflecting the gravity and seriousness of the breach and the number of people affected.

The Facts

In summary, the Facebook (FB) companies permitted Dr Aleksandr Kogan to operate a third-party application (“App”) that he had created, known as “thisisyourdigitallife”, on the FB platform. The FB companies allowed him and his company, Global Science Research (GSR), to operate the App in conjunction with FB from November 2013 to May 2015. The App was designed to, and was able to, obtain a significant amount of personal information from any FB user who used the App, including:

  • Their public FB profile, date of birth and current city
  • Photographs they were tagged in
  • Pages they liked
  • Posts on their timeline and their news feed posts
  • Friends list
  • Facebook messages (there was evidence to suggest the app also accessed the content of the messages)

The App was also designed to, and was able to, obtain extensive personal data from the FB friends of the App’s users and from anyone who had messaged an App user. Neither the FB friends nor the people who had sent messages were informed that the App was able to access their data, nor did they give their consent.

The App was able to use the information that it collected about users, their friends and people who had messaged them in order to generate personality profiles. The information, and the data derived from it, was shared by Dr Kogan and his company with three other companies, including SCL Elections Ltd (which controls the now infamous Cambridge Analytica).

In May 2014 Dr Kogan sought permission to migrate the App to a new version of the FB platform. This new version reduced the ability of apps to access information about the FB friends of users. FB refused permission straight away. However, Dr Kogan and GSR continued to have access to, and therefore retained, the detailed information about users and the friends of users that they had previously collected via the App. FB did nothing to make Dr Kogan or his company delete the information. The App remained in operation until May 2015.

Breach of the DPA

The Commissioner’s findings about the breach make sorry reading for FB and FB users. Not only did the FB companies breach the Data Protection Act, they also failed to comply or ensure compliance with their own FB Platform Policy, and were not aware of this fact until exposed by the Guardian newspaper in December 2015.

The FB companies had breached s.4(4) DPA 1998 by failing to comply with the 1st and 7th data protection principles. They had:

  1. Unfairly processed personal data in breach of the 1st data protection principle (DPP1). FB unfairly processed the personal data of the App users, their friends and those who exchanged messages with users of the App. FB failed to provide adequate information to FB users that their data could be collected by virtue of the fact that their friends used the App or that they exchanged messages with App users. FB tried, unsuccessfully and unfairly, to deflect responsibility onto the FB users, who could have set their privacy settings to prevent their data from being collected. The Commissioner rightly rejected this. The responsibility was on Facebook to inform users about the App, what information it would collect and why. FB users should have been given the opportunity to withhold or give their consent. If any consent was purportedly given by users of the App or their friends, it was invalid because it was not freely given, specific or informed. Consequently, consent did not provide a lawful basis for processing.
  2. Failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, in breach of the 7th data protection principle (DPP7). The processing by Dr Kogan and GSR was unauthorised (it was inconsistent with the basis on which FB allowed Dr Kogan to obtain access to personal data for which they were the data controller; it breached the Platform Policy and the Undertaking). The processing by Dr Kogan and his company was also unlawful, because it was unfair processing. The FB companies failed to take steps (or adequate steps) to guard against unauthorised and unlawful processing (see below). The Commissioner considered that the FB companies knew or ought to have known that there was a serious risk of contravention of the data protection principles and that they failed to take reasonable steps to prevent such a contravention.

Breach of FB Platform Policy

Although the FB companies operated an FB Platform Policy in relation to apps, they failed to ensure that the App operated in compliance with the policy, and this constituted their breach of the 7th data protection principle. For example, they didn’t check Dr Kogan’s terms and conditions of use of the App to see whether they were consistent with their policy (or, presumably, whether they were lawful). In fact they failed to implement any system to carry out such a review. It was also found that the use of the App breached the policy in a number of respects, specifically:

  • Personal data obtained about friends of users should only have been used to improve the experience of App users. Instead Dr Kogan and GSR were able to use it for their own purposes.
  • Personal data collected by the App should not have been sold or transferred to third parties. Dr Kogan and GSR had transferred the data to three companies.
  • The App required permission from users to obtain personal data that the App did not need in breach of the policy.

The FB companies also failed to check that Dr Kogan was complying with an undertaking he had given in May 2014 that he was only using the data for research, and not commercial, purposes. However, perhaps one of the worst indictments is that FB only became aware that the App was breaching its own policy when the Guardian newspaper broke the story on 11 December 2015. It was only at this point, when the story went viral, that FB terminated the App’s access rights to Facebook Login. And the rest, as they say, is history.

Joint Data Controllers

The Commissioner decided that Facebook Ireland and Facebook Inc were, at all material times, joint data controllers and therefore jointly and severally liable. They were joint data controllers of the personal data of data subjects who are resident outside Canada and the USA and whose personal data is processed by or in relation to the operation of the Facebook platform. This was on the basis that the two companies made decisions about how to operate the platform in respect of the personal data of FB users.

The Commissioner also concluded that they processed personal data in the context of a UK establishment, namely FB UK (based in London), in respect of any individuals who used the FB site from the UK during the relevant period. This finding was necessary in order to bring the processing within the scope of the DPA and for the Commissioner to exercise jurisdiction over the two Facebook companies.

The Use of Data Analytics for Political Purposes

The Commissioner considered that some of the data shared by Dr Kogan and his company with the three companies is likely to have been used in connection with, or for the purposes of, political campaigning. FB denied this as far as UK residents were concerned, and the Commissioner was unable, on the basis of the information before her, to determine whether FB was correct. However, she nevertheless concluded that the personal data of UK users who were UK residents was put at serious risk of being shared and used in connection with political campaigning. In short, Dr Kogan and/or his company were in a position where they were at liberty to decide how to use the personal data of UK residents, or who to share it with.

As readers will know, this aspect of the story continues to attract much media attention about the possible impact of the data sharing scandal on the US Presidential elections and the Brexit referendum. The Commissioner’s conclusions are quite guarded, given the lack of evidence or information available to her.

Susan Wolf will be delivering these upcoming workshops and the forthcoming FOI: Contracts and Commercial Confidentiality workshop, which is taking place on the 10th December in London.

Our 2019 calendar is now live. We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. 

Need to prepare for a DPO/DP Lead role? Train with Act Now on our hugely popular GDPR Practitioner Certificate.


Data Protection Reform after Brexit. Does GDPR still matter?

According to the new Prime Minister “Brexit means Brexit.” But what does Brexit mean for UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The short answer is keep calm and carry on.

GDPR received formal adoption by the European Parliament in April 2016 and was published on 4th May in the Official Journal. This means that it will be directly applicable throughout EU member states (without the need for implementing legislation) from 25th May 2018. Following the referendum result, you might be forgiven for thinking that you can shred your copy of the Regulation or indeed cancel your place on our very popular GDPR workshop.

The UK may have voted to leave the EU but formal divorce proceedings cannot begin until it notifies the EU of its intention to invoke Article 50 of the Lisbon Treaty. This gives negotiators two years from the date of notification to conclude new arrangements. The newly appointed Secretary of State for Exiting the European Union, David Davis, has said Article 50 should be “triggered before or by the beginning of next year.” Therefore the UK could leave the EU by December 2018 at the earliest. Consequently there would be at least six months where UK Data Controllers would have to abide by all the provisions of GDPR. In reality exiting the EU could take much longer than two years and so we could be stuck with GDPR for much longer.

In the unlikely event that Brexit negotiations are concluded before May 2018, the DPA is still living on borrowed time. Immediately after the Brexit vote the Information Commissioner’s Office (ICO) released a statement saying:

“If the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’—in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

In a speech on 4th July 2016 the then Minister for Data Protection, Baroness Neville-Rolfe, touched on the future of data protection: (HT Panopticon Blog)

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward….”

The law firm Bird and Bird has set out the options available to the UK in terms of exiting the EU and their implications for data protection. Each of these options makes it likely that either the GDPR or a very close cousin will be required in the UK after Brexit takes effect.

Regardless of what data protection path the UK chooses, UK companies with European customers and operations have to continue with preparations. This is because GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

Recently on the ICO’s Blog, the message was reiterated that GDPR is still relevant and preparation must continue:

“We’ve been working hard on producing a set of guidance on GDPR, with an overview of the law being the first substantive part of that. We still think it will be useful to publish this overview. This is because once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example breach notification and data portability. Therefore, we thought it would still be useful to familiarise information rights professionals with the GDPR’s main principles and concepts.”

Data Controllers have two years to prepare for the biggest change to the EU data protection regime in 20 years. Many provisions such as breach notification and the new DP Principles will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky.

How Act Now can help

The next two years need to be spent wisely. Training and awareness (see our poster) at all levels needs to start now. We are running a series of GDPR webinars and workshops, and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our GDPR Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring to such positions.

And if you like our image, it and some others are available as A3 posters for the office for only £5 for three! Take a look at the link below.

http://www.actnow.org.uk/posters

The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

Sainsbury’s and Data Protection – They have your number (and it’s not on your nectar card).

It shocked me on Sunday morning (a few months ago) when driving into our local Sainsbury’s car park. Through bleary eyes I suddenly saw my registration number flash up on a display in front of me. It also said my 2 hours of free parking would end in precisely 1 hour and 59 minutes. After parking and doing a bit of investigating I found that they’d fitted cameras at the only entrance (which was also the exit) so they could snap you on the way in and on the way out and thereby obtain evidence (or not) of your length of stay. This isn’t new. Many car parks have been doing this for years but it does raise a few issues.

Filming and collecting personal data is OK as long as a Schedule 2 condition of the Data Protection Act is fulfilled. (I suppose, going off on one for a moment, that filming at a hospital car park might require a Schedule 3 condition, but that’s an argument for another day.) The simplest Schedule 2 condition is consent, as the other five require a “necessary” element. Do Sainsbury’s have your consent? Did you know that filming was going to happen before you attempted to enter their car park, or did it only register when your number plate was staring back at you? If you were filmed before you knew you’d been filmed, the consent is out of the window.

Once inside the car park you could see signs that told you more about the filming. Looks good to start with but the small print really is small and is also 8 feet up in the air (that old joke again!). I couldn’t actually read the small print. Basic fact remains that the Fair Processing Notice whatever the quality of it was only available after the processing took place.

So far we’ve missed out on an obvious Schedule 2 condition and missed the fair processing element of Principle One. What else could go wrong? If the sensible Sainsbury’s shoppers don’t overstay their welcome they won’t be troubled by a bit of DPA non-compliance. But if they do go over their limit will Sainsbury’s do nothing or will they take the registration number they acquired unlawfully and unfairly and further process it by finding out more personal data about the driver and sending him/her a penalty notice?

It may be that they’ve explained all this very well somewhere, but as an everyday shopper in a rush I didn’t see it. It may also be that holding information about a car, and then about its owner and their address, is proportionate if by so doing they allow you to stay a couple of minutes extra checking out the different brands of Prosecco, but it could also be argued that it is not. A recent court judgment about parking is interesting:

https://www.supremecourt.uk/cases/docs/uksc-2013-0280-judgment.pdf

It seems to come down in favour of disproportionate penalties for parking and while it may be appealed the current climate is not very temperate.

The fact remains that Sainsbury’s have obtained your car’s number plate without giving you fair warning and are holding it and probably further processing it.

The old joke? What lies on its back 8 feet up in the air.

Answer: A dead spider!

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Jumping on the charity bashing gravy train.

Returned from holiday to a mountain of mail. Usually this is good fun but recently it’s turned into a nightmare of more and more charity mailings. First off today was British Heart Foundation. A good cause and I walk voluntarily into their charity shops regularly to find bargains and do my bit. But because of recent publicity about charity mailings I took a hard line. I rang them up and asked to be taken off their mailing list. The operator was polite and efficient. She asked for the code next to my address beginning 52A so she could add me to their suppression list but when I quoted it she said I wasn’t actually on their mailing list. Strange – I am looking at a letter addressed to me at my address asking for money from BHF.

She was quick to explain, however, that it was a one-off mailing using data supplied by a third party, so they didn’t actually process my name and address. They just used it. I trotted out the well-worn definition of processing that all BCS certificate holders know and she did admit that it looked as if they were processing after all. I asked who the third party was and it turned out to be Senior Railcard.

(as an aside these are managed by ATOC Ltd which manages the contract for the issue and use of the Senior Railcard on behalf of the Train Companies. Reference to a ‘Train Company’ or the ‘Train Companies’ means those Train Companies which, pursuant to a franchise agreement, operate Passenger Railway Services in Great Britain. Their website has a cookie policy but no privacy policy. Nowhere on their website do they assure you that they will only use your personal data to supply you with a senior railcard. Nowhere do they inform you that they will pass it on to anyone else.)

To be honest it wasn’t Senior Railcard who gave my details to BHF; it was Media Lab Group, which BHF told me about at the same time as they told me about Senior Railcard.

Media Lab has a website where it says:

“The media landscape may have changed, but the need for data hasn’t. That’s why at Medialab, we live and breathe data. It’s at the centre of everything we do. Our data-driven approach allows us to develop successful multi-channel media plans that are built on econometric analysis, innovation and a passion for our clients’ results. As a leading integrated direct response agency, we plan campaigns for the UK’s leading brands including National Trust, Post Office and Macmillan.”

Bizarrely for a data-driven company, they don’t have a privacy policy either. They were the company that gave my data to BHF. They got it from ATOC. I’m not sure how the transfer of data was made or whether money changed hands. We just don’t know. But I thought when I bought my senior railcard that my personal data would only be used for me to get cheap rail fares, not to donate to heart charities or end up in the hands of list brokers.

The efficient BHF operator said she couldn’t delete me from their mailing list as I wasn’t actually on it. The list really belonged to Media Lab Group. They only used it to mail me. (Did someone at the back say Data Processor agreement and breach of Principle 7?).

However she had a solution to my predicament. She would add me to their database and immediately add me to their suppression list. Brilliant.

Next Alzheimers. Not as we first thought the Alzheimers Society (See comments) but another organisation working in this sector.

They also asked for money (or any donation will do) and they did have a privacy policy and also an undertaking issued by the ICO. They also gave me my Supporter reference number, which was why they were contacting me: a year ago I filled in an online quiz to see if I was presenting any of the symptoms of dementia. At no time before, during or after the quiz did they give me any indication they would tap me up for money, nor was I asked if I wanted to become a supporter of theirs.

I rang them up to ask them to remove me from their mailing list but not a lot happened. When I say not a lot, there was a recorded message saying “we apologise for the delay” and then there was silence for the next 10 minutes, at which point I gave up. They could have whistled a tune or even played a song but nothing. It was as if they had forgotten to answer or they were hoping (like Doc Martin) that I had no patience.

They were right so I used the system they provided to communicate with them.  This time they supplied an SAE and a form where I could inform them of my preferences so I did. They’d used a jocular style to contact me without my consent so I replied in the same vein.

Only 20 more charity letters to deal with… How I hate coming home from holidays.

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Requesting Your Permission

I received an email last week. It was from someone I’d never heard of.

Translating this into PECR speak

We have a list of emails. We don’t think we have your consent to email you which would lead to us breaching PECR so we’re writing to ask for your permission which in itself is breach of PECR. By putting Request for Permission in the subject line we’re hoping you’ll think we know what we’re doing and that we’re a nice company.

I asked them by email to tell me where they obtained my email. A week later they hadn’t replied. I know a week is a long time in politics but a week is a light year in emails.

I upgraded my request to a Subject Access Request and suggested they pass my request to their DPO. Less than 3 hours later I had a reply which appeared to come from near the top.

Dear Sir

Thank you very much for your email and for reaching out to us with regards to our recent emails to you. We have carried out an investigation into your complaint as we take this type of matter very seriously.

As per your inquiry, we have recently acquired a new supplier called “Latest Mailing Database” (latestdatabase.com) who provided us with a list of customers’ email addresses interested in travel. They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes.

Upon receiving your inquiry, we have realised that the reassurances we received from this company are in question. While we investigate this further, we have subsequently ceased the use of the mailing list they provided and all the e-mails, including yours, have now been deleted from our Databases.

We apologise for any inconvenience caused.

Best regards,

Spiros XXXXXXX

Head of International Marketing and Business Development

At least I received a reply but the phrase “They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes” started to worry me. Also a list of people who are interested in travel. Isn’t that a list of everyone in the world? We all travel. Now if they’d asked for a list of those interested in sex and travel we’d have a snappy answer.

Globehunters have a privacy policy which looks pretty good. Just for fun I looked up their company name and their postcode on the ICO Register of Data Controllers. The ICO doesn’t have any record of their name and there are only 2 notifications from their postcode both from the next door building.

I couldn’t resist looking at his source for the emails.

http://www.latestdatabase.com

A quick scan through showed their address was Majira Bypass Sajahanpur, Bogra, Bangladesh and they sold email lists. Google Maps zeroes in rapidly on a company called seoexparte. A touching review of the company is available.

They had a privacy policy too. http://www.latestdatabase.com/privacy-security-policy/ which was last updated in 2009.

Their UK customer list boasted 2 million records for just $300.

Listing Include:

* Frist Name (sic)
* Last Name
* Age
* address
* Email Address
* Ip address
* Phone number

They also have a blog (http://www.latestdatabase.com/appearance-adele-gaga/) and, although it would be churlish to mock their poor English, if they’re operating in a global marketplace and assuring their customers contractually of the quality of their product, it might be a good idea to use a spell checker.

They also seem to run http://emailmarketinglists.bloggets.net. And http://buyemaillists.yolasite.com/contact.php and https://emaillistsforsales.wordpress.com and http://mailinglsit.over-blog.com and http://issuu.com/emaillistsforsale and I gave up at this point.

So where are we now? For £190 a start-up company has bought 2 million customer emails. This means that my email is worth 1/100th of a penny. When prodded they realize that they may have bought in a dodgy list so apologise and take my name off their list. A good response but no mention of my Subject Access Request. No Notification for their business and a lead to a major list seller who may just not check their lists that well.

All in a day’s work for a PECR vigilante. I’ll see if Spiros comes back.

Act Now Training is one of the UK’s leading providers of seminars and workshops on all aspects of Data Protection, Freedom of Information, Surveillance Law and Records Management. More details: www.actnow.org.uk

Information, Documents or Both – What is available under FOI?

It is an oft-repeated phrase that the Freedom of Information Act (FOI) provides a right of access to information but not documents. A recent Court of Appeal decision shows that it is not that straightforward an issue.

Section 1 contains the general right of access and uses the term “request for information.” But what exactly is “information”? Section 84 defines it as “information recorded in any form.” This includes information held on paper, computer, video, audiotapes as well as that contained in manuscript notes. No mention is made of access to the actual documents containing the information. However this does not mean that documents cannot be requested.

A request for a document will generally be a valid request for all of the information contained within that document (including visual format, design, layout etc). In considering whether the public authority has complied with the request, the question is whether all of the information recorded in the document has been provided. It will not be sufficient to rephrase the document or provide an outline or summary of its contents unless the applicant has specifically expressed a preference for a digest or summary under section 11(1)(c).

This matter has now been put beyond doubt by a Court of Appeal decision this week. Judges dismissed an appeal by the Independent Parliamentary Standards Authority (IPSA), the body that oversees MPs’ expenses claims, from a decision of the Upper Tribunal requiring it to release copies of MPs’ invoices and receipts. This is the latest in a series of appeals by IPSA in an attempt to overturn the original decision of the Information Commissioner.

In April 2013 the First Tier Tribunal (Information Rights) ruled that images of MPs’ expense claim receipts were information to which the FOI applied (IPSA v Information Commissioner (EA/2012/0242)). The background to the request was that, following the MPs’ expenses scandal, the then newly-formed IPSA decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims. Only text transcribed from the submitted receipts would be published.

A journalist made an FOI request for the actual receipts submitted by a number of MPs. The question arose as to whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOI, which was not captured by the transcription process favoured by IPSA. The Tribunal concluded that the definition of information (in this case) included logos, letterheads, handwriting, manuscript comments, and even the layout and style of the requested documents. These were not disclosed to the requestor as a result of providing a transcription, rather than a copy, of the relevant receipts.

Last year the Upper Tribunal’s Judge Williams (in Independent Parliamentary Standards Authority v IC & Leapman [2014] UKUT 33 (AAC)) dismissed the appeal by IPSA. At Paragraph 22 of the judgement he said:

“It is to me also trite to note that the wording on a typical receipt or invoice is only part of what a recipient sees when looking at it. Typically there will be verbal and numerical content to be read and understood, but there will also be visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience, if I may term it that, communicated by the receipt or invoice.”

In the judge’s view information is more than just the words and figures on a piece of paper. Sometimes the nature of the request will mean that the only way to convey all the information on a document is to disclose the original or at least a copy. He gave the example of Land Registry plans, drawings and photographic evidence of a particular building.

In coming to his decision the judge took note of the Scottish Court of Session decision in Glasgow CC v SIC [2009] CSIH 73 under the Freedom of Information (Scotland) Act 2002 (FOISA). As a general point of principle, the Commissioner and the Tribunal are not bound by Court of Session decisions on FOISA, although they may be considered persuasive where the terms of FOISA mirror the terms of FOI. In the Scottish case the applicant specifically wanted the public authority to provide copies of the documents, although he acknowledged that the same information was available elsewhere. The Court confirmed that FOISA entitles requesters to the information within a document, rather than a copy of the document itself. To the extent that this request was specifically for copies of the documents over and above the information they contained, it was invalid. The Court rejected an argument that the copy documents were “information” distinct from the information contained within them.

Paragraph 45 of the Court of Session judgment states:

“Where the request does not describe the information requested… but refers to a document which may contain the relevant information, it may nonetheless be reasonably clear in the circumstances that it is the information recorded in the document that is relevant.”

However paragraph 48 should be noted:

“The difference between the original and a copy… does not consist in any difference between the information recorded in each document: that information, if the copy is true and accurate, will be identical.” (my emphasis)

To quote one of our FOI trainers (Philip Bradshaw), much will also in practice depend on the wording of the request. Contrast “How much did you spend on pencils?” with “Can I have a copy of your pencil invoices”. You can clearly provide in permanent form all the recorded information within scope of the first request without copies, but not perhaps for the second.

In the IPSA case, the judge ruled that transcriptions of the requested receipts would not be “true and accurate”, as they would not contain all the same information as on the originals e.g. logos, style, layout etc.

This is an interesting decision especially for those public authorities who often insist, when refusing to supply actual documents (such as minutes of meetings) that FOI is about access to information not documents. Sometimes the requestor is interested in the document, which contains the requested information, as it will give a further insight into its background and the thoughts/observations of the producers/subjects of the document.

IPSA has been given time to consider taking the case to the Supreme Court.

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops which are delivered in one hour online sessions as well as full day face to face sessions.

Is my PD my PD?

Myopic readers will have noticed that the selling of spectacles has migrated to the internet. There are many suppliers who will take your order, make up your glasses and post them to you for a very reasonable price. They don’t do eye tests obviously but you can have one done elsewhere and the optician will give you a copy of your prescription which you can take to any other optician including the web. So money savers everywhere will take up this option and consequently will save money on their next pair of specs. They may not hold them in their hands or perch them on their nose until they are finished but they will save money. After sales service is another issue and I have no experience of this.

Er… No.

What high street opticians do is take other measurements when doing the test and use these to tailor the spectacles to each individual. They will have a range of frames for people to try on and they will crucially measure and use your Pupillary Distance when preparing your spectacles. They’ll use expensive accurate machines to do this and it will make better fitting lenses for you.

You can do it yourself with a ruler, a mirror and a large dose of optimism or you can find a friend to help you. Unsurprisingly there are web opticians who will guide you.

But when the optician hands you your prescription as they are required to do they don’t volunteer your Pupillary Distance. Web opticians will suggest you ask for it but intimate that your optician may charge you for a figure fairly close to 63mm. If you’re Mr or Mrs Average this may not be a crucial issue but anyone with a strong prescription may need to have the best data available to make up their new spectacles.

But is your Pupillary Distance your personal data? It certainly relates to you and may even be sensitive data. If it is why can’t you have it without charge? What gives opticians the right to withhold it from you? I’ve squinted at the Opticians Act 1989 and the sight testing regulations 1989 but nowhere does it say what must or must not be done. Can you make a Subject Access request for it? Is the going rate the £10 that Subject Access can cost? Shouldn’t it be free? Or is it not Personal data? Can an optician tell me he holds no personal data on me?

Just because it’s easy to measure it yourself (badly) but hard to measure it accurately (at an optician) and will have a significant impact on your vision does it make it special in any way? You can weigh yourself every morning and know the result without anyone charging you for it.

Other health providers will carry out measurements of various parts of your body (and mind) and will give you the results. What makes Opticians different? Is there a legal power to charge? Or is it protectionism that keeps the high street Opticians trading and holds back the web offshoot?

A trawl through the web shows plenty of blogs and opinions where optometrists either label their customers as morons or cheapskates or alternatively (and encouragingly) suggest a small fee for a professional service in the hope they will retain the customer, but the issue doesn’t seem easily resolved. More like on a case by case basis (that’s spectacle cases to you…).

Hmmm. If only there was an access mechanism I could use to obtain information from public bodies. Spoiler Alert.

What about Freedom of information? Surely Opticians involved with General Ophthalmic Services are covered by the Act?

If an Optician fails to answer my SAR on the grounds it isn’t personal data they cannot thereafter cite section 40 (or 38) as a valid exemption. The cost of using FOI might even be lower than the £10 the DPA allows.

My two requests are in. By the very nature of DP & FOI surely one must succeed or maybe I’ll find a philanthropic myopic interested in the topic and he’ll see his way to giving me what I want without a charge.

Watch this space between my eyes.

Keep up to date with the latest DP developments by attending our workshops and online courses.

Freedom of Information Case-law Roundup

Section 5 of the Freedom of Information Act (FOI) enables the Secretary of State to designate a body as a public authority if it appears to the Secretary of State:

(a)… to exercise functions of a public nature, or

(b) is providing under a contract made with a public authority any service whose provision is a function of that authority.

The Freedom of Information (Designation as Public Authorities) Order 2015 was recently debated in the House of Lords. It will make Network Rail subject to FOI from March 2015. Much has been said about extending the reach of FOI to private companies delivering public services. Don’t expect anything to happen before the election.

Fees and Section 16

How far does a public authority have to go in providing advice and assistance to an applicant whose request is over the fees threshold (£450/£600)?

On 22nd October 2014, in Commissioner of Police for the Metropolis v The Information Commissioner and Donnie Mackenzie [2014] UKUT 479 (AAC), the Upper Tribunal ruled that the standard imposed by section 16 is set at a relatively low level. It agreed with the First Tier Tribunal (Information Rights) (FTT), in Beckles v Information Commissioner (EA/2011/0073 & 0074), that:

“S.16 requires a public authority, whether before or after the request is made, to suggest obvious alternative formulations of the request which will enable it to supply the core of the information sought within the cost limits. It is not required to exercise its imagination to proffer other possible solutions to the problem.”

Time limits

Section 10(1) of FOI sets out the time limit for dealing with a request for information:

“a public authority must comply…promptly and in any event not later than the twentieth working day following the date of receipt.”

Under the Environmental Information Regulations (EIR) the response to a request must be made “as soon as possible and no longer than 20 working days after the date of receipt”. In Keating v Information Commissioner and Oxford City Council (EA/2013/0226) the FTT said that whether it is an FOI or EIR request the principle is the same:

“In our judgement, whichever time limit applies, it is necessary to be realistic. Whilst both pieces of legislation contemplate a speedy response, the urgency intended is not such as to require a public authority to “drop everything” in order to reply.”

We now have a binding authority for this principle, in the form of an Upper Tribunal decision (John v ICO & Ofsted [2014] UKUT 444 (AAC)).

Third Party Personal Data

Section 40 provides an exemption from disclosure of personal data about the requestor as well as that of third parties. With regards to the latter, the public authority must show that disclosure would breach one of the Data Protection Principles (usually the first one). In the absence of consent this usually requires consideration of condition 6(1) of Schedule 2 of the Data Protection Act 1998:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

In a recent Upper Tribunal Decision, Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the judge endorsed the ICO’s 8 rules when applying the test in condition 6. These are essential reading for all FOI officers.

Names of legal Advisers

Names of staff are clearly personal data. We have examined the application of section 40(2) in a number of FTT decisions (read our blog post here). The test is, is there a legitimate interest in knowing the names and is disclosure necessary to satisfy that interest?

In November 2014 the FTT (in Timothy Couzens v IC EA/2014/0146) upheld the Care Quality Commission’s refusal to supply the names of individuals who provided it with legal advice on the de-registration of a care agency. The FTT found that Couzens had “provided no persuasive argument that disclosure of the names in question would contribute to transparency, given that the substance of the legal advice has been disclosed, as a result of the CQC waiving its right to rely upon the exemption provided by FOIA section 42 (legal professional privilege).”

Staff Salaries

Is there a difference between a request for salaries of administrative staff and that of academics in a university?

Yes, according to a recent FTT decision involving King’s College, London (EA/2014/0054). The case concerned a request to the college for the job titles and departments of those staff (academic and non-academic) earning over £100,000 per annum, in bands of £10,000. The FTT ruled that salaries of most non-academic staff employed by the college should be disclosed. Read this excellent analysis by lawyers at SGH Martineau.

Local authority colleagues will know that a certain amount of salary information has to be proactively published in compliance with the Local Government Transparency Code.

Motive Blind

FOI is normally motive and purpose blind. The FTT decision in Hepple v IC and Durham County Council (EA/2013/0168) shows that this is not an absolute rule.

The background is that the Council received an FOI request for a copy of the investigators’ report into a disciplinary incident at a pupil referral unit run by the council. At that time, disciplinary proceedings were pending against each of the suspended members of staff.

The council refused the request, relying on a number of exemptions including section 38 (health and safety). The FTT upheld the decision of the ICO on this point mainly because the requester had sent text messages to some of the individuals involved “with the purpose of menacing those whose addresses the Appellant had acquired”. The FTT said “assessing an information request on this “motive blind” basis ought not to prevent us from considering the potential risk to safety posed by the requester him/herself”.

Legal Advice

The Section 42 exemption is often relied upon by public authorities when refusing to disclose legal advice. It is a qualified exemption. A few decisions have required disclosure of legal advice on public interest grounds but these have been few and far between. Indeed, following the Tribunal decision in Bellamy v The Information Commissioner which stated that there is an inherent public interest in maintaining privilege, most authorities were almost treating section 42 as an absolute exemption.

A September 2014 decision of the FTT reminds us that the public interest in disclosing legal advice has to be considered carefully. The Bingham Centre for the Rule of Law v Information Commissioner (EA/2014/0097) concerned a request to the Home Office for independent legal advice, which was referred to in a Home Office report, entitled “Intercept as Evidence.” The FTT disagreed with the ICO’s decision giving more weight to public interest factors in favour of disclosure.

Ibrahim Hasan will be discussing these and other recent FOI decisions in his FOI Update workshop. If you want an internationally recognised qualification in FOI, please consider our BCS FOI Certificate course.
