Jumping on the charity bashing gravy train.

Returned from holiday to a mountain of mail. Usually this is good fun but recently it’s turned into a nightmare of more and more charity mailings. First off today was British Heart Foundation. A good cause and I walk voluntarily into their charity shops regularly to find bargains and do my bit. But because of recent publicity about charity mailings I took a hard line. I rang them up and asked to be taken off their mailing list. The operator was polite and efficient. She asked for the code next to my address beginning 52A so she could add me to their suppression list but when I quoted it she said I wasn’t actually on their mailing list. Strange – I am looking at a letter addressed to me at my address asking for money from BHF.

She was quick to explain however that it was a one off mailing using data supplied by a 3rd party so they didn’t actually process my name and address. They just used it. I trotted out the well worn definition of processing that all BCS certificate holders know and she did admit that it looked as if they were processing after all. I asked who was the 3rd party and it turned out to be Senior Rail Card.

(as an aside these are managed by ATOC Ltd which manages the contract for the issue and use of the Senior Railcard on behalf of the Train Companies. Reference to a ‘Train Company’ or the ‘Train Companies’ means those Train Companies which, pursuant to a franchise agreement, operate Passenger Railway Services in Great Britain. Their website has a cookie policy but no privacy policy. Nowhere on their website do they assure you that they will only use your personal data to supply you with a senior railcard. Nowhere do they inform you that they will pass it on to anyone else.)

To be honest it wasn’t Senior Rail card who gave my details to BHF it was Media Lab group; BHF told me at the same time they told me about Senior Rail card.

Media Lab has a website where it says

“The media landscape may have changed, but the need for data hasn’t. That’s why at Medialab, we live and breathe data. It’s at the centre of everything we do. Our data-driven approach allows us to develop successful multi-channel media plans that are built on econometric analysis, innovation and a passion for our clients’ results. As a leading integrated direct response agency, we plan campaigns for the UK’s leading brands including National Trust, Post Office and Macmillan.”

Bizarrely for a data driven company they don’t have a privacy policy either. They were the company that gave my data to BHF. They got it from ATOC. I’m not sure how the transfer of data was made or whether money changed hands. We just don’t know. But I thought when I bought my senior rail card that my personal data would only be used for me to get cheap rail fares not donate to Heart charities or end up in the hands of List brokers.

The efficient BHF operator said she couldn’t delete me from their mailing list as I wasn’t actually on it. The list really belonged to Media Lab Group. They only used it to mail me. (Did someone at the back say Data Processor agreement and breach of Principle 7?).

However she had a solution to my predicament. She would add me to their database and immediately add me to their suppression list. Brilliant.

Next Alzheimers. Not as we first thought the Alzheimers Society (See comments) but another organisation working in this sector.

They also asked for money (or any donation will do) and they did have a privacy policy and also an undertaking issued by the ICO. They also gave me my Supporter reference number which was why they were contacting me. Because a year ago I filled in an online quiz to see if I was presenting any of the symptoms of dementia. At no time before, during or after the quiz did they give me any indication they would tap me up for money nor was I asked if I wanted to become a supporter of theirs.

I rang them up to ask them to remove me from their mailing list but not a lot happened. When I say not a lot there was a recorded message saying “we apologise for the delay” then there was silence for the next 10 minutes at which point I gave up. They could have whistled a tune or even played a song but nothing. It was as if they had forgotten to answer or they were hoping (like Doc Martin) that I had no patience.

They were right so I used the system they provided to communicate with them. This time they supplied an SAE and a form where I could inform them of my preferences so I did. They’d used a jocular style to contact me without my consent so I replied in the same vein.

PS

Only 20 more charity letters to deal with… How I hate coming home from holidays.

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Requesting Your Permission

I received an email last week. It was from someone I’d never heard of.

Translating this into PECR speak

We have a list of emails. We don’t think we have your consent to email you which would lead to us breaching PECR so we’re writing to ask for your permission which in itself is a breach of PECR. By putting Request for Permission in the subject line we’re hoping you’ll think we know what we’re doing and that we’re a nice company.

I asked them by email to tell me where they obtained my email. A week later they hadn’t replied. I know a week is a long time in politics but a week is a light year in emails.

I upgraded my request to a Subject Access Request and suggested they pass my request to their DPO. Less than 3 hours later I had a reply which appeared to come from near the top.

Dear Sir

Thank you very much for your email and for reaching out to us with regards to our recent emails to you. We have carried out an investigation into your complaint as we take this type of matter very seriously.

As per your inquiry, we have recently acquired a new supplier called “Latest Mailing Database” (latestdatabase.com) who provided us a list of customers’ email addresses interested in travel. They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes.

Upon receiving your inquiry, we have realised that the reassurances we received from this company is in question. While we investigate this further, we have subsequently ceased the use of that mailing list they have provided and all the e-mails, including yours, have now been deleted from our Databases.

We apologise for any inconvenience caused.

Best regards,

Spiros XXXXXXX

Head of International Marketing and Business Development

At least I received a reply but the phrase “They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes” started to worry me. Also a list of people who are interested in travel. Isn’t that a list of everyone in the world? We all travel. Now if they’d asked for a list of those interested in sex and travel we’d have a snappy answer.

Globehunters have a privacy policy which looks pretty good. Just for fun I looked up their company name and their postcode on the ICO Register of Data Controllers. The ICO doesn’t have any record of their name and there are only 2 notifications from their postcode both from the next door building.

I couldn’t resist looking at his source for the emails.

http://www.latestdatabase.com A quick scan through showed their address was Majira Bypass Sajahanpur, Bogra, Bangladesh and they sold email lists. Google maps zeroes in rapidly on a company called seoexparte. A touching review of the company is available.

 

 

They had a privacy policy too. http://www.latestdatabase.com/privacy-security-policy/ which was last updated in 2009.

Their UK customer list boasted 2 million records for just $300

Listing Include:

* Frist Name (sic)

* Last Name

* Age

* address

* Email Address

* Ip address

* Phone number

They also have a blog (http://www.latestdatabase.com/appearance-adele-gaga/) and although it would be churlish to mock their poor English if they’re operating in a global marketplace and assuring their customers contractually of the quality of their product it might be a good idea to use a spell checker.

They also seem to run http://emailmarketinglists.bloggets.net. And http://buyemaillists.yolasite.com/contact.php and https://emaillistsforsales.wordpress.com and http://mailinglsit.over-blog.com and http://issuu.com/emaillistsforsale and I gave up at this point.

So where are we now? For £190 a start up company has bought 2 million customer emails. This means that my email is worth 1/100th of a penny. When prodded they realize that they may have bought in a dodgy list so apologise and take my name off their list. A good response but no mention of my Subject Access Request. No Notification for their business and a lead to a major list seller who may just not check their lists that well.

All in a day’s work for a PECR vigilante. I’ll see if Spiros comes back.

Act Now Training is one of the UK’s leading providers of seminars and workshops on all aspects of Data Protection, Freedom of Information, Surveillance Law and Records Management. More details www.actnow.org.uk

Information, Documents or Both – What is available under FOI?

It is an oft-repeated phrase that the Freedom of Information Act (FOI) provides a right of access to information but not documents. A recent Court of Appeal decision shows that it is not that straightforward an issue.

Section 1 contains the general right of access and uses the term “request for information.” But what exactly is “information”? Section 84 defines it as “information recorded in any form.” This includes information held on paper, computer, video, audiotapes as well as that contained in manuscript notes. No mention is made of access to the actual documents containing the information. However this does not mean that documents cannot be requested.

A request for a document will generally be a valid request for all of the information contained within that document (including visual format, design, layout etc). In considering whether the public authority has complied with the request, the question is whether all of the information recorded in the document has been provided. It will not be sufficient to rephrase the document or provide an outline or summary of its contents unless the applicant has specifically expressed a preference for a digest or summary under section 11(1)(c).

This matter has now been put beyond doubt by a Court of Appeal decision this week. Judges dismissed an appeal by the Independent Parliamentary Standards Authority (IPSA), the body that oversees MPs’ expenses claims, from a decision of the Upper Tribunal requiring it to release copies of MPs’ invoices and receipts. This is the latest in a series of appeals by IPSA in an attempt to overturn the original decision of the Information Commissioner.

In April 2013 the First Tier Tribunal (Information Rights) ruled that images of MPs’ expense claim receipts were information to which the FOI applied (IPSA v Information Commissioner (EA/2012/0242)). The background to the request was that, following the MPs’ expenses scandal, the then newly-formed IPSA decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims. Only text transcribed from the submitted receipts would be published.

A journalist made an FOI request for the actual receipts submitted by a number of MPs. The question arose as to whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOI, which was not captured by the transcription process favoured by IPSA. The Tribunal concluded that the definition of information (in this case) included logos, letterheads, handwriting, manuscript comments, and even the layout and style of the requested documents. These were not disclosed to the requestor as a result of providing a transcription, rather than a copy, of the relevant receipts.

Last year the Upper Tribunal’s Judge Williams (in Independent Parliamentary Standards Authority v IC & Leapman [2014] UKUT 33 (AAC)) dismissed the appeal by IPSA. At Paragraph 22 of the judgement he said:

“It is to me also trite to note that the wording on a typical receipt or invoice is only part of what a recipient sees when looking at it. Typically there will be verbal and numerical content to be read and understood, but there will also be visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience, if I may term it that, communicated by the receipt or invoice.”

In the judge’s view information is more than just the words and figures on a piece of paper. Sometimes the nature of the request will mean that the only way to convey all the information on a document is to disclose the original or at least a copy. He gave the example of Land Registry plans, drawings and photographic evidence of a particular building.

In coming to his decision the judge took note of the Scottish Court of Session decision in Glasgow CC v SIC [2009] CSIH 73 under the Freedom of Information (Scotland) Act 2002 (FOISA). As a general point of principle, the Commissioner and the Tribunal are not bound by Court of Session decisions on FOISA, although they may be considered persuasive where the terms of FOISA mirror the terms of FOI. In the Scottish case the applicant specifically wanted the public authority to provide copies of the documents, although he acknowledged that the same information was available elsewhere. The Court confirmed that FOISA entitles requesters to the information within a document, rather than a copy of the document itself. To the extent that this request was specifically for copies of the documents over and above the information they contained, it was invalid. The Court rejected an argument that the copy documents were “information” distinct from the information contained within them.

Paragraph 45 of the Court of Session judgment states:

“Where the request does not describe the information requested… but refers to a document which may contain the relevant information, it may nonetheless be reasonably clear in the circumstances that it is the information recorded in the document that is relevant.”

However paragraph 48 should be noted:

“The difference between the original and a copy… does not consist in any difference between the information recorded in each document: that information, if the copy is true and accurate, will be identical.” (my emphasis)

To quote one of our FOI trainers (Philip Bradshaw), much will also in practice depend on the wording of the request. Contrast “How much did you spend on pencils?” with “Can I have a copy of your pencil invoices”. You can clearly provide in permanent form all the recorded information within scope of the first request without copies, but not perhaps for the second.

In the IPSA case, the judge ruled that transcriptions of the requested receipts would not be “true and accurate”, as they would not contain all the same information as on the originals e.g. logos, style, layout etc.

This is an interesting decision especially for those public authorities who often insist, when refusing to supply actual documents (such as minutes of meetings) that FOI is about access to information not documents. Sometimes the requestor is interested in the document, which contains the requested information, as it will give a further insight into its background and the thoughts/observations of the producers/subjects of the document.

IPSA has been given time to consider taking the case to the Supreme Court.

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops which are delivered in one hour online sessions as well as full day face to face sessions.

Is my PD my PD?

Myopic readers will have noticed that the selling of spectacles has migrated to the internet. There are many suppliers who will take your order, make up your glasses and post them to you for a very reasonable price. They don’t do eye tests obviously but you can have one done elsewhere and the optician will give you a copy of your prescription which you can take to any other optician including the web. So money savers everywhere will take up this option and consequently will save money on their next pair of specs. They may not hold them in their hands or perch them on their nose until they are finished but they will save money. After sales service is another issue and I have no experience of this.

Er… No.

What high street opticians do is take other measurements when doing the test and use these to tailor the spectacles to each individual. They will have a range of frames for people to try on and they will crucially measure and use your Pupillary Distance when preparing your spectacles. They’ll use expensive accurate machines to do this and it will make better fitting lenses for you.

You can do it yourself with a ruler, a mirror and a large dose of optimism or you can find a friend to help you. Unsurprisingly there are web opticians who will guide you.

But when the optician hands you your prescription as they are required to do they don’t volunteer your Pupillary Distance. Web opticians will suggest you ask for it but intimate that your optician may charge you for a figure fairly close to 63mm. If you’re Mr or Mrs Average this may not be a crucial issue but anyone with a strong prescription may need to have the best data available to make up their new spectacles.

But is your Pupillary Distance your personal data? It certainly relates to you and may even be sensitive data. If it is why can’t you have it without charge? What gives opticians the right to withhold it from you? I’ve squinted at the Opticians Act 1989 and the sight testing regulations 1989 but nowhere does it say what must or must not be done. Can you make a Subject Access request for it? Is the going rate the £10 that Subject Access can cost? Shouldn’t it be free? Or is it not Personal data? Can an optician tell me he holds no personal data on me?

Just because it’s easy to measure it yourself (badly) but hard to measure it accurately (at an optician) and will have a significant impact on your vision does it make it special in any way? You can weigh yourself every morning and know the result without anyone charging you for it.

Other health providers will carry out measurements of various parts of your body (and mind) and will give you the results. What makes Opticians different? Is there a legal power to charge? Or is it protectionism that keeps the high street Opticians trading and holds back the web offshoot?

A trawl through the web shows plenty of blogs and opinions where optometrists either label their customers as morons or cheapskates or alternatively (and encouragingly) suggest a small fee for a professional service in the hope they will retain the customer but the issue doesn’t seem easily resolved. More like on a case by case basis (that’s spectacle cases to you…).

Hmmm. If only there was an access mechanism I could use to obtain information from public bodies. Spoiler Alert.

What about Freedom of information? Surely Opticians involved with General Ophthalmic Services are covered by the Act?

If an Optician fails to answer my SAR on the grounds it isn’t personal data they cannot thereafter cite section 40 (or 38) as a valid exemption. The cost of using FOI might even be lower than the £10 the DPA allows.

My two requests are in. By the very nature of DP & FOI surely one must succeed or maybe I’ll find a philanthropic myopic interested in the topic and he’ll see his way to giving me what I want without a charge.

Watch this space between my eyes.

Keep up to date with the latest DP developments by attending our workshops and online courses.

Freedom of Information Case-law Roundup

Section 5 of the Freedom of Information Act (FOI) enables the Secretary of State to designate a body as a public authority if it appears to the Secretary of State:

(a)… to exercise functions of a public nature, or

(b) is providing under a contract made with a public authority any service whose provision is a function of that authority.

The Freedom of Information (Designation as Public Authorities) Order 2015 was recently debated in the House of Lords. It will make Network Rail subject to FOI from March 2015. Much has been said about extending the reach of FOI to private companies delivering public services. Don’t expect anything to happen before the election.

Fees and 16

How far does a public authority have to go in providing advice and assistance to an applicant whose request is over the fees threshold (£450/£600)?

On 22nd October 2014, in Commissioner of Police for the Metropolis v The Information Commissioner and Donnie Mackenzie, [2014] UKUT 479 (AAC), the Upper Tribunal ruled that the standard imposed by section 16 is set at a relatively low level. It agreed with the First Tier Tribunal (Information Rights) (FTT), in Beckles v Information Commissioner (EA/2011/0073 & 0074), that:

“S.16 requires a public authority, whether before or after the request is made, to suggest obvious alternative formulations of the request which will enable it to supply the core of the information sought within the cost limits. It is not required to exercise its imagination to proffer other possible solutions to the problem.”

Time limits

Section 10(1) of FOI sets out the time limit for dealing with a request for information:

“a public authority must comply…promptly and in any event not later than the twentieth working day following the date of receipt.”

Under the Environmental Information Regulations (EIR) the response to a request must be made “as soon as possible and no longer than 20 working days after the date of receipt”. In Keating v Information Commissioner and Oxford City Council (EA/2013/0226) the FTT said that whether it is an FOI or EIR request the principle is the same:

“In our judgement, whichever time limit applies, it is necessary to be realistic. Whilst both pieces of legislation contemplate a speedy response, the urgency intended is not such as to require a public authority to “drop everything” in order to reply.”

We now have a binding authority for this principle, in the form of an Upper Tribunal decision (John v ICO & Ofsted 2014 UKUT 444 AAC.).

Third Party Personal Data

Section 40 provides an exemption from disclosure of personal data about the requestor as well as that of third parties. With regards to the latter, the public authority must show that disclosure would breach one of the Data Protection Principles (usually the first one). In the absence of consent this usually requires consideration of condition 6(1) of Schedule 2 of the Data Protection Act 1998:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

In a recent Upper Tribunal Decision, Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the judge endorsed the ICO’s 8 rules when applying the test in condition 6. These are essential reading for all FOI officers.

Names of legal Advisers

Names of staff are clearly personal data. We have examined the application of section 40(2) in a number of FTT decisions (read our blog post here). The test is, is there a legitimate interest in knowing the names and is disclosure necessary to satisfy that interest?

In November 2014 the FTT (in Timothy Couzens v IC EA/2014/0146) upheld the Care Quality Commission’s refusal to supply the names of individuals who provided it with legal advice on the de-registration of a care agency. The FTT found that Couzens had “provided no persuasive argument that disclosure of the names in question would contribute to transparency, given that the substance of the legal advice has been disclosed, as a result of the CQC waiving its right to rely upon the exemption provided by FOIA section 42 (legal professional privilege).”

Staff Salaries

Is there a difference between a request for salaries of administrative staff and that of academics in a university?

Yes, according to a recent FTT decision involving King’s College, London (EA/2014/0054). The case concerned a request to the college for the job titles and departments of those staff (academic and non-academic) earning over £100,000 per annum, in bands of £10,000. The FTT ruled that salaries of most non-academic staff employed by the college should be disclosed. Read this excellent analysis by lawyers at SGH Martineau.

Local authority colleagues will know that a certain amount of salary information has to be proactively published in compliance with the Local Government Transparency Code.

Motive Blind

FOI is normally motive and purpose blind. The FTT decision in Hepple v IC and Durham County Council (EA/2013/0168) shows that this is not an absolute rule.

The background is that the Council received an FOI request for a copy of the investigators’ report into a disciplinary incident at a pupil referral unit run by the council. At that time, disciplinary proceedings were pending against each of the suspended members of staff.

The council refused the request, relying on a number of exemptions including section 38 (health and safety). The FTT upheld the decision of the ICO on this point mainly because the requester had sent text messages to some of the individuals involved “with the purpose of menacing those whose addresses the Appellant had acquired”. The FTT said “assessing an information request on this “motive blind” basis ought not to prevent us from considering the potential risk to safety posed by the requester him/herself”.

Legal Advice

The Section 42 exemption is often relied upon by public authorities when refusing to disclose legal advice. It is a qualified exemption. A few decisions have required disclosure of legal advice on public interest grounds but these have been few and far between. Indeed, following the Tribunal decision in Bellamy v The Information Commissioner which stated that there is an inherent public interest in maintaining privilege, most authorities were almost treating section 42 as an absolute exemption.

A September 2014 decision of the FTT reminds us that the public interest in disclosing legal advice has to be considered carefully. The Bingham Centre for the Rule of Law v Information Commissioner (EA/2014/0097) concerned a request to the Home Office for independent legal advice, which was referred to in a Home Office report, entitled “Intercept as Evidence.” The FTT disagreed with the ICO’s decision giving more weight to public interest factors in favour of disclosure.

Ibrahim Hasan will be discussing these and other recent FOI decisions in his FOI Update workshop. If you want an internationally recognised qualification in FOI, please consider our BCS FOI Certificate course.

Peter Paul and Mayhem.

 

A story of email marketing gone wrong. Surnames have been deleted to protect the guilty.

On 20 Sep 2014, at 12:53, Peter wrote:

Hi Paul,

I have seen your CV details on one of the job boards and I am very keen to discuss an OLE Design opportunity with you. 

What is the best number to contact you on?  Are you currently looking for opportunities?

The CV I can see for yourself is out of date so if you could forward me your updated CV that would be great.

Look forward to hearing from you.

Regards,

Cameron

Senior Consultant

A recruitment agency

A posh address in London

First time in my life I’ve been headhunted but as I’m nearly on the final lap of the 10,000 metres of life I don’t really want to be employed. Strange how the email address is different to the name of the sender. But I felt aggrieved enough to reply.

From: Paul


Dear Peter/Cameron

Nice to know you’ve seen my CV on a job board. I am currently 62 years old and not seeking work of any nature so I suspect you are being economical with the truth in your marketing approach. The out of date CV you talk about is not just out of date – it doesn’t exist. I don’t have a CV as my V is based on not working. I am not on any jobs boards (whatever they are).

I presume you acquired my email from a third party as I have no relationship with you at all and that you never considered the PECR 2003 which forbid cold emailing unless the soft opt in exists which it doesn’t so you are in breach of these regulations and liable to a monetary penalty of up to £500,000 if the regulator feels it appropriate.

An apology would be nice but I’m not expecting one. Have a nice day.

I did consider copying in the ICO and asking for them to consider it as a complaint under PECR but decided to be lenient.

On 1 Oct 2014, at 09:45, Peter wrote:

Dear Paul,

Many thanks for your email.  Thank you advising that you are not looking for work.  I can confirm we are not being “economical” in our approach.   I can confirm your CV does exist & the existence is on Railway People (www.railwaypeople.com) which was last updated in August 17th 2012.

As proof I felt best to show you a copy of the CV that is currently on Railway People.  As you will see the CV does exist.  As your details are on Railway People we wanted to check your current situation and whether a contract opportunity would be of interest, but you have confirmed you are now retired.  May I also confirm that we do not use any third party sources and did not acquire your details from any such source.

I can also confirm we are not in any breach of any regulations as your details are on the site.  Apologises if you feel aggrieved by the approach but we were only contacting you as your details are on the site.

Have a nice day.

At this point I looked at the website Railwaypeople.com and couldn’t enter the site on account of not having an account with them so rang the sales team. I met a nice young man who was sympathetic and very helpful. A few facts exchanged with him revealed that candidates who were looking for work in the railway industry uploaded their CVs (carefully fulfilling schedule 2,1 condition) and recruitment consultants would download CVs they thought looked interesting. (I suspect money changed hands here). There was a person on the site with the same name as me but he lived in Derby and had a different birthdate. Craig agreed to confirm this in writing.

On 1 Oct 2014, 09:45, Craig wrote:

Hello Paul,

As discussed, I can confirm that we hold no contact details for you on our RailwayPeople.com database.

I’m able to tell you that Peter from xxx Recruitment downloaded the CV of a candidate by the name of Paul xxxx with a similar email address to your own.

I’m assuming you have been emailed in error by Peter so I would double check with the agency if you still have concerns.

Regards,

Craig
Account Manager

From: Paul

Hi Peter

I’ve been in touch with Railway people and they have confirmed in writing that they do not have any CV for me (checking my home address and a few other key facts). They do have a Paul xxx based in Derby and linked to the railway industry and with a similar email address and told me you had viewed this.

All I can surmise is that somewhere between you picking up this person’s data you managed to turn his email address into mine. 

Regards

Paul (not the Derby one)

Hi Paul,

I can see where the confusion lies.  Apologise for the confusion & the email in the first place.

Regards,

Peter

So Peter found a CV on an internet site despite him assuring me in an email that “May I also confirm that we do not use any third party sources and did not acquire your details from any such source.” It wasn’t my CV. He then emailed what he thought was a person in Derby but managed to spell the email address wrong and reached me. Not having any relationship with me and ignoring the soft opt in exemption (or maybe not even knowing of its existence) means he breached PECR.

First class service from Craig at Railway People. He acted quickly and correctly.

Missed the connection at Crewe for Peter. Emailed without consent; breached principle 4 DPA; argued he was right; breached regulations about electronic marketing (which is his day job) but had enough guts to apologise at the end.

All in a day’s work for a DPA/PECR nerd.

The ICO and Seven Shades of Grey

If you’ve nothing to do at lunchtime and you’re an experienced DP person try the ICO quiz on the difference between Data Controllers and Data Processors. You can find it here. After all it’s not a hard quiz. Data Controllers determine the purpose and own the data; data processors just do as they’re told. For years we’ve had this easy to understand relationship and many organisations have outsourced some work involving personal data, drawn up the contract, monitored the performance of it and we all knew where we were. Data Controllers were liable for any problems and Data Processors just did as they were instructed.

Recent guidance from the ICO changes this. Instead of clear yes/no and black/white definitions the commissioner recommends that each relationship with another person processing your data is examined to see how much influence the other person has over how the data is processed. As a result there are no easy answers. Just some shades of grey.

If you are eager to do the quiz and go for it without reading the guidance prepare yourself for a shock. Better DP experts than yourself have taken the test and not performed at all well.

The guidance is well meaning but bends over backwards so far to accommodate every possibility that it’s not that useful.

Image credit www.jimbanks.com

IAPP Privacy and Freedom: A review by Lawrence Serewicz (@lldzne)

The IAPP has republished Alan Westin’s best-known book, Privacy and Freedom, which was first published in 1967. Despite its age, the new version, which is the same text with several introductory essays, provides context for a reader coming to it for the first time. The introductory essays, which include one by Westin on how he viewed his work and its impact, provide a useful context for the author, the book and its relevance.

Although the introductory essays offer an insight into the book’s impact and the author’s contribution to the privacy professional field, a critical essay would have been welcome because the privacy landscape has changed dramatically. The change is more than technological because it includes the change in cultural attitudes to privacy. The cultural and technological changes have undermined his definition.

For most readers, Westin and his book are best known for providing a robust definition of privacy. His book, and his definition, helped start the debate on privacy, in particular, the fair information practices in the United States, which by turn helped influence the Data Protection Directive in the EU. Westin’s definition is the book’s strength and weakness.

“to control, edit, manage, and delete information about them[selves] and decide when, how, and to what extent information is communicated to others.”

The definition has its critics. Roger Clarke for example criticized the definition as favouring businesses and he provides an alternative definition. He defines it as

“Privacy is the interest that individuals have in sustaining a ‘personal space’, free from interference by other people and organisations”

What is common to privacy definitions is the idea of control, which suggests privacy as autonomy. However, neither definition pays enough attention to the context. Westin’s definition is rightly criticized for its focus on business. However, that is not its weakness. Instead, it is the political context. Westin’s first chapter on the history of privacy fails to situate privacy within the context of the state system or within a political philosophical tradition. Without that context, we misunderstand the intrinsic limit to any individual’s control and what that control can meaningfully achieve. In this criticism, I suggest something more than a reliance on human rights. His view fails to recognize that far from controlling his or her data, the modern individual is a creature of the state to the extent that they do not own or control their personal data. For example, we do not own our National Insurance Number, nor do we own our birth registration nor our Driver’s Licence number, yet decisions about us and how those are communicated are beyond our influence, let alone our control. These are records created by and for the state. The individual has a claim on them but cannot be said to own or control them in any meaningful sense.

A second limit to the book is its impact. To be sure, the book helped start and shape the debate over privacy. It remains a touchstone for privacy professionals, but it has had little impact on the general understanding of privacy. Despite the book and its definition, privacy has become increasingly problematic and confused. The extent to which businesses have ignored Westin’s privacy definition is clear in the recent debates and concerns over privacy standards at Google and Facebook. Companies today succeed by exploiting privacy, personal data, and limiting the user’s ability to control or access the personal data held by them. Moreover, the right to be forgotten, which suggests the ability to delete data, remains unachieved despite Westin’s definition.

A related concern is that Westin’s definition reflects a US perspective, as privacy is approached differently in the UK from the US.[1] The contrast between the two systems limits the book’s final section on policy prescriptions. Although he stressed that privacy is not a technological problem, he failed to address the qualitative changes wrought by “big data”. The technological opportunity changes the way that organisations, and states, can exploit privacy or personal data, which means personal data can become a commodity. What would have been interesting, though beyond the scope of his original book, is a chapter on personal data as a commodity. However, Westin’s definition still resonates.

Westin’s definition still resonates in the way the UK courts now deal with the tort of misuse of personal information.[2] The tension is revealed because Westin’s definition reflects a US approach to individual rights that is closer in spirit to the EU position than the one based on UK common law. We see this tension in the concern over the effect of disclosure, for example seeking an injunction or seeking damages as in the Weller decision for how others have benefitted from the personal information. However, in the cases, the individuals do not control their personal information in a meaningful sense. We may have redress on its use, but that is not control, which the Fairstar decision seems to suggest.[3]

Dr Lawrence Serewicz is a Principal Information Management Officer at Durham County Council. The views expressed in this article are his own and do not represent the views of the Council.


[1] RJ Krotoszynski Jr, “Autonomy, Community, and Traditions of Liberty: The Contrast of British and American Privacy Law”, Duke Law Journal Vol 39 no. 6 1990:1398. http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=3136&context=dlj

[2] See for example, his summary of the tort and its legal context as well as recent cases exploring it. http://ukhumanrightsblog.com/2014/01/23/new-year-new-tort-of-misuse-of-private-information/

See also this analysis: http://www.panopticonblog.com/2014/01/16/the-googlesafari-users-case-a-potential-revolution-in-dpa-litigation/ The Weller decision, which is the most recent application of the misuse of personal information tort, is here: http://www.bailii.org/ew/cases/EWHC/QB/2014/1163.html [2014] EWHC 1163 (QB). The judgement provides a good summary of the case law leading to the decision. Image rights, let alone personal information rights, are another field to consider. http://inforrm.wordpress.com/2014/04/30/weller-article-8-and-the-recognition-of-image-rights-hugh-tomlinson-qc/

[3] http://www.bailii.org/ew/cases/EWHC/TCC/2012/2952.html Fairstar [2012] EWHC 2952 (TCC), [2013] Bus LR D73, [2012] 2 CLC 795

What is “information” under FOI?

Section 1 of the Freedom of Information Act 2000 (FOI) contains the general right of access to information held by public authorities. But what exactly is “information”? Section 84 defines information as “information recorded in any form.” This includes information held on paper, computer, video, audiotapes as well as that contained in manuscript notes. FOI does not give access to information that is known to the public authority but is not available in some recorded form (see Ingle v Information Commissioner (EA/2007/0023)).

Mere marks made on documents are also information according to an Information Tribunal decision from 2009 (O Connell v the Information Commissioner and Crown Prosecution Service (EA/2009/0010)). Here the Tribunal considered access to manuscript notes made by a defence barrister, during a criminal trial, on his client’s typed police interview record. The Information Commissioner’s view was that some of the notes, which consisted of asterisks and underlining of words on a document, were not information for the purposes of FOI.

The Tribunal rejected this submission. In its view, however tenuous and potentially misleading the material sought may be, it still constituted information; even if it was only information to the effect that certain marks had been made on certain sheets of paper held by the public authority. The Tribunal did however rule that the requested information was sensitive personal data, disclosure of which would breach the Data Protection Principles. Consequently it was exempt under section 40(2) being third party personal data.

It is an oft-repeated phrase that FOI provides a right of access to information rather than documents. However, a request for a copy of a document will generally be a valid request for all of the information contained within that document (including visual format, design, layout etc). In considering whether the public authority has complied with the request, the question is whether all of the information recorded in the document has been provided. It will not be sufficient to rephrase the document or provide an outline or summary of its contents unless the applicant has specifically expressed a preference for a digest or summary under section 11(1)(c).

In April 2013 the First Tier Tribunal (Information Rights) ruled that images of MPs’ expense claim receipts were information to which FOI applied (IPSA v Information Commissioner (EA/2012/0242)). The background to the request was that, following the MPs’ expenses scandal, the then newly-formed Independent Parliamentary Standards Authority (IPSA) decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims. Only text transcribed from the submitted receipts would be published.

A journalist made an FOI request for the actual receipts submitted by a number of MPs. The question arose as to whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOI, which was not captured by the transcription process favoured by IPSA. The Tribunal concluded that the definition of information (in this case) included logos, letterheads, handwriting, manuscript comments, and even the layout and style of the requested documents. These were not disclosed to the requestor as a result of providing a transcription, rather than a copy, of the relevant receipts.

The Upper Tribunal’s appeal decision in this case has now put the matter beyond doubt. In Independent Parliamentary Standards Authority v IC & Leapman [2014] UKUT 33 (AAC) Judge Williams dismissed the appeal by IPSA. At Paragraph 22 of the judgement he said:

“It is to me also trite to note that the wording on a typical receipt or invoice is only part of what a recipient sees when looking at it. Typically there will be verbal and numerical content to be read and understood, but there will also be visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience, if I may term it that, communicated by the receipt or invoice.”

In the judge’s view information is more than just the words and figures on a piece of paper. Sometimes the nature of the request will mean that the only way to convey all the information on a document is to disclose the original or at least a copy. He gave the example of Land Registry plans, drawings and photographic evidence of a particular building.

In coming to his decision the judge took note of the Scottish Court of Session decision in Glasgow CC v SIC [2009] CSIH 73 under the Freedom of Information (Scotland) Act 2002 (FOISA). As a general point of principle, the Commissioner and the Tribunal are not bound by Court of Session decisions on FOISA, although they may be considered persuasive where the terms of FOISA mirror the terms of FOI. In the Scottish case the applicant specifically wanted the public authority to provide copies of the documents, although he acknowledged that the same information was available elsewhere. The Court confirmed that FOISA entitles requesters to the information within a document, rather than a copy of the document itself. To the extent that this request was specifically for copies of the documents over and above the information they contained, it was invalid. The Court rejected an argument that the copy documents were “information” distinct from the information contained within them.

The Court stated at paragraph 45 of the judgment:

“Where the request does not describe the information requested… but refers to a document which may contain the relevant information, it may nonetheless be reasonably clear in the circumstances that it is the information recorded in the document that is relevant.”

However paragraph 48 should be noted:

“The difference between the original and a copy… does not consist in any difference between the information recorded in each document: that information, if the copy is true and accurate, will be identical.” (my emphasis)

In the IPSA case, the judge ruled that transcriptions of the requested receipts would not be “true and accurate”, as they would not contain all the same information as on the originals e.g. logos, style, layout etc.

If you want to know more on the Scottish case, read the briefing note published by the Scottish Information Commissioner. The basic principles (and these apply equally to FOI requests) are:

  • The Freedom of Information (Scotland) Act 2002 (FOISA) provides a right of access to information and not a right of access to copies of specific documents.
  • Authorities should not automatically refuse requests for copies of documents, as long as it is reasonably clear from the request that it is the information recorded in the document that the applicant wants.
  • Requesting a document (e.g. a report, a minute or a contract) is a commonplace way to describe information. Where it is reasonably clear that a request is for the information contained in a document, the authority should respond to the request as one properly made under FOISA.
  • If a request is for a document, but it is not reasonably clear what information is being requested, the authority should contact the applicant to seek clarification.

These are interesting decisions, especially for those public authorities who often insist, when refusing to supply actual documents (such as minutes of meetings), that FOI is about access to information not documents. Sometimes the requestor is interested in the document which contains the requested information, as it will give a further insight into its background and the thoughts/observations of the producers/subjects of the document.

Finally to quote one of our FOI trainers (Philip Bradshaw):

“Much will also in practice depend on the wording of the request. Contrast “How much did you spend on pencils?” with “Can I have a copy of your pencil invoices”. You can clearly provide in permanent form all the recorded information within scope of the first request without copies, but not perhaps for the second.”

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops which are delivered in online sessions as well as face to face.

Freedom of Information Caselaw Roundup

The Freedom of Information Act 2000 (FOI) applies to information held by a public authority or held on its behalf by another person (Section 3(2)). What of information about people working for a public authority but who are legally employed by a third party?

This question arose recently in an appeal to the First Tier Tribunal (Information Rights) (FTT). In Hackett v Information Commissioner (EA/2012/0265), the  (ULT), an education charity running 21 Academy schools, was asked for, amongst other things, details of senior staff members’ pay, pension contributions, other remuneration and expenses.  The request was refused on the basis that the information was not held by ULT, but by the United Church School Trust (UCST) who employed the staff and who, as a non-publicly funded charity, is not subject to FOI.

The appellant argued that the corporate structure of ULT and UCST was an accounting process set up to avoid disclosure of the requested information which was about the spending of public money. In addition he submitted that both companies were subsidiaries of the United Church Schools Company and as such were, in effect, both part of one company.

The FTT upheld the decision of the Information Commissioner that the information was not held by ULT, but by UCST, and so not subject to FOI.  It took account of the fact that the corporate structure had been urged on ULT by the Department for Education, the two charities had maintained a complete corporate separation and that the service agreement between ULT and UCST expressly referred to the senior staff being employed by UCST. Could this decision mean that more public bodies will adopt innovative structures to avoid public scrutiny of their finances?

The section 40 exemption applies to personal data, disclosure of which would breach one of the Data Protection Principles. This usually involves considering whether disclosure would be fair and lawful under Principle 1. Not all personal data will be exempt from disclosure. Sometimes there is a legitimate interest in the public knowing some personal data.

In Innes v Information Commissioner (EA/2013/0044) the FTT ruled that the reasons for a head teacher’s long-term sickness absence from his school did not have to be disclosed as they constituted personal data, but whether the head teacher was being paid a salary during his absence should be disclosed. As head teacher, the individual in question occupied a senior position of responsibility at the school. He was no longer performing an active function at the school and whether or not he was being paid from public funds during the period of absence and inactivity is a legitimate matter of public interest and one which outweighs his right to privacy.

Personal Data under section 40 has the same meaning as in Section 1 of the Data Protection Act i.e. it has to be information, which relates to a living identifiable individual. The requested information does not always have to include a name. Even job title information can be personal data according to the FTT decision in London Borough of Barnet v Information Commissioner and another (EA/2012/0261). Here the requestor wanted the job titles of council employees who had attended a meeting at a solicitor’s firm in respect of a major council outsourcing project. Referring to a Supreme Court decision (South Lanarkshire Council v The Scottish Information Commissioner [2013] UKSC 55), the FTT ruled that disclosing details of a job title held by more than one local authority official could constitute processing personal data if there was a chance of those individuals being identified. The test was whether the subjects could be identified, not just by an ordinary member of the public but, by a “motivated intruder” (including the requestor himself with all the other information at his disposal).

Continuing on the same theme, in Yiannis Voyias v Information Commissioner (EA/2013/0003), the FTT held that the London Borough of Camden was correct to refuse to disclose the number of hours its employees worked and how much overtime they were paid. It was satisfied that disclosure of this information would lead to the identification of individuals and would be unfair. Therefore section 40 applied.

Personal data in Building Regulations applications held by councils is not exempt under section 40 just because it relates to another person’s property. In James Henderson v IC (EA/2013/0055), the appellant’s neighbour was carrying out renovations on the other side of their shared wall. This resulted in cracks on his side of the wall, followed by a steel beam coming through the wall. He asked Brentwood Council for details of the works, as a Building Control application had been made to them.

The FTT held that full details of a Building Regulations application were personal data, but disclosing this information would not contravene the First Data Protection Principle. Therefore, the exemption set out in section 40(2) did not apply and the information was ordered to be disclosed. The FTT disagreed with the Commissioner, who held that the data subject would have had a reasonable expectation of privacy in relation to the information. In doing so the FTT took account of the fact that (a) before starting any work the data subject was obliged to make a formal application to the local authority, which meant that the property and the work would be subject to inspections by their officers; (b) the property was to be rented out rather than lived in by him; and (c) the work had a direct effect on his neighbour’s property.

The Freedom of Information (Scotland) Act 2002 has a specific exemption to cover a deceased person’s health record. There is no such exemption in the 2000 Act. Sometimes the section 41 exemption (Breach of Confidence) can be claimed.

Two recent Tribunal decisions again emphasise the importance of checking whether the requestor is the deceased’s appointed personal representative. In Webber v IC and Nottinghamshire Healthcare NHS Trust (GIA/4090/2012), the appellant had made an FOI request for information (including hospital records) about the death of her son in 1999. The Commissioner and the FTT upheld the decision to refuse on section 41 grounds. The Upper Tribunal also dismissed the appeal. It ruled that disclosure would entail a Breach of Confidence which was actionable after the patient’s death. The appellant was not the personal representative of the deceased even though she could have applied to become so.

The Upper Tribunal also found that there would not have been a public interest defence to the Breach of Confidence. It gave weight to the fact that some of the information sought would or could come into the public domain or be obtained in another way: a coroner’s inquest, or through an application under the Access to Health Records Act 1990. This allows for requests for access to information to be made by, amongst others, the patient’s personal representative.

When considering disclosure of a deceased person’s information, consideration has to be given to any wishes expressed by the deceased before their death. In Trott and Skinner v Information Commissioner (EA/2012/0195) (March 2013) the appellants requested information relating to the care records of their deceased sister. East Sussex County Council confirmed that it held a relevant care file but refused to disclose it on the basis that it was provided in confidence. The FTT and the Commissioner were satisfied that the section 41 exemption was engaged. The requested information was confidential, disclosure of which would be a Breach of Confidence. Amongst other things it took account of the fact that the deceased was given the opportunity to indicate (in her home care agreement) that she agreed to let the Council “share personal information on care with family members/friends listed below.” She did not sign her agreement or list anybody in the space provided. The Tribunal also heard that on several occasions she was given specific assurances that her information would be kept confidential.

Furthermore the FTT was satisfied that the Breach of Confidence would be actionable. This was despite the fact that the sisters were the next of kin of the deceased. They were not the personal representatives of the deceased though. Neither the council nor the Commissioner had enquired as to who was. On further inquiry by the Tribunal, it was discovered that there was a will and therefore an Executor who has standing to act as the deceased’s personal representative. There was no evidence of consent for disclosure under FOI from this Executor. Therefore section 41 was engaged and there was no public interest defence to the disclosure.
