Howe’s that? It’s just not cricket, Mr Graham and Mr Smith.

The anatomy of a request

One of the daily challenges of an FOI Officer is gaining the necessary contributions from colleagues that are required to fulfill the primary requirement of FOI – to establish the information held within the scope of the request. A request handler is often heavily reliant on the co-operation of colleagues to locate and understand the information requested.

With that in mind, I refer to the two Decision Notices issued against the ICO in relation to their handling of requests for legal advice regarding the decision not to prosecute journalists in connection with Operation Motorman.

The history of the various requests for Motorman legal advice is quite complex and I don’t intend to try and break them down in great detail, but I would like to highlight some troubling aspects of the Information Commissioner and his Deputy’s conduct, so a short narrative is necessary.

On September 16th 2011, addressing the non-prosecution of journalists as part of Operation Motorman, Mr Graham submitted the following evidence to the Leveson Inquiry:

“External legal advice at the time suggested that for this reason it would not be in the public interest to pursue possible prosecutions. This was also because of the difficulty in proving that the journalists involved knew that the information they were seeking could only be obtained by unlawful means”.

On September 15th 2011, the Deputy Commissioner, David Smith, made a robust public defence of the ICO’s decision not to prosecute journalists, and specifically tackled an accusation from an ex-employee that the failure to prosecute journalists was a result of a fear of the press, with the following rationale given in a guest article in The Independent:

“Any suggestion that the decision not to pursue prosecutions against journalists was driven by a fear of the press is entirely false. We exposed the involvement of the press in the first place. Our decision was based on expert legal advice that pursuing prosecutions would not be in the public interest, because of the difficulty in proving beyond all reasonable doubt that the journalists who received information from Mr Whittamore knew it could only be obtained illegally”.

At this time, the ICO received a request from regular requester, frequent blogger and all round thorn(pain) in the (back)side Tim Turner. Mr Turner, presumably on seeing the ICO’s article in the Independent, requested the legal advice in question.

So, the scene at this point is that ICO maintain they were ‘as disappointed as anyone’ with the outcome of Motorman and refer to expert legal advice as the key reason why journalists weren’t prosecuted. As a primary function of FOI is to hold officials (and their accounts) open to scrutiny, one can understand why an interested and inquisitive mind would want to see the legal advice, especially as its contents were seemingly being relied upon as justification for a high profile decision.

Upon receipt of the request, the request handler, as one might expect, contacted David Smith to seek the location of the legal advice. He replied that

“I haven’t got a copy of any written legal advice. I understand that the advice came from our barrister Bernard Thorogood but I am not sure whether it was in writing or just oral. Stephen McCartney and/or Simon Ebbitt might be able to help because they have access to all the Motorman documentation”.

Firstly, it’s not easy to reconcile the above statement with Mr Smith’s later contention in the Internal Review that his reference to legal advice

“was on the basis of his understanding of the totality of internal and external advice and the contents of the What Price Privacy report. He has clarified that he was not referring to any one piece of advice or recorded information”.

If the latter statement is true, why didn’t he tell the request handler that, so that a response could be framed explaining this position? Why reference a specific piece of advice, even noting the name of the author? Granted, perhaps Mr Smith genuinely wasn’t sure if there was a record of external legal advice of the type reported and thus wished for the request handler to try and locate it, as part of the requirement of Section 1. If that’s the case then his response might just about be reasonable from an FOI handling perspective, although it does bring into question the integrity behind his article for the Independent, in which he was very unambiguous about the position, quoting expert legal advice and its specific contents.

He certainly didn’t tell the Independent that he was writing about his understanding of the position. Aside from anything else, it is troubling that such a high-profile statement about a high-profile topic would be handled with such imprecision.

Back to the request…

Having received Mr Smith’s steer, the Internal Compliance Manager and request handler checked with those named, who also had no recollection of seeing such legal advice. They subsequently carried out a comprehensive search of all the Motorman records and they couldn’t find anything either. They therefore wrote to the great and the good to inform them that they had not located any information and that it was important for all to be aware of this, given ‘it was likely to attract some attention’. This is standard stuff for a request handler – cast the net for the information and keep an awareness of the potential fallout from the (non) disclosures.

At this stage, bearing in mind the ICO had publicly referenced expert/external legal advice and that Mr Graham had specifically quoted it in his submission to a high-profile Inquiry, one may have thought this would have caused something of a reaction, but Mr Graham still offered no comment.

For the avoidance of any doubt, we should note that both Mr Smith and Mr Graham (and the wider distribution list) were asked for a copy of the legal advice. They weren’t asked for the legal advice referred to by Mr Smith, Mr Thomas or indeed Mr Graham. Any legal advice held should surely have been volunteered.

To put that in context, the ICO were happy to run a dual approach: telling the public and Leveson that external legal advice told them not to proceed, whilst simply telling an FOI requestor who requested the legal advice that no information was held, without any additional explanation.

A subsequent request saw the ICO acknowledge “there was no evidence the document ever existed”, but no amendments were made to the Inquiry evidence, or the public position. Oddly, they didn’t want to confirm this, as they didn’t want to pre-empt Richard Thomas’ evidence to the Inquiry. Surely by referencing the legal advice in the first instance they had already committed to their position?

If the ICO had previously genuinely believed they had external legal advice, it was now being flagged that they did not. The Internal Review into Mr Turner’s request from the (other) Deputy Commissioner even noted that “None of those who were involved in Operation Motorman and its immediate consequences are still at the ICO, so we are largely working on the documents retained”, yet conversely he still defended the “accuracy of David Smith’s statement”. How can one say you are relying on documents, find no documents, yet still believe it’s correct to quote and rely upon legal advice when you also accept that it never existed?

A further request went in for the legal advice Mr Graham was referring to and 2 specific pieces of legal advice were produced, despite these being 2 pieces of advice that had explicitly been ruled outside of the scope of the initial request on the back of David Smith’s statement. As an aside, the provided advice certainly didn’t compare to the description Mr Graham had given to Leveson. The Decision Notice in that case noted the ICO had since changed their position and that Mr Graham’s evidence was referring to the full body of legal advice.

Whether Mr Graham was referring to two particular documents or the wider body of legal advice, surely he should have explained this to his staff when he was first asked about the existence of legal advice? It was even flagged to him that the likely response, which did not appear at all helpful, ‘would likely get a reaction’, but he was quite happy for his own staff to send a reply that was at best disingenuous and at worst downright wrong.

If Mr Graham and Mr Smith had explained that the basis for their clear statements was in fact their understandings and/or the complete body of evidence, then it would have saved all concerned an awful lot of time. Some may feel it perhaps would have exposed their public line as not credible. Personally I feel they thought they had some legal advice on the basis that’s what Mr Thomas told them, and as such just blindly followed his statements. Hardly a robust way to deal with an accusation from a previous employee, but these are incredibly busy people and we all make mistakes. Refusing to correct or acknowledge these oversights is perhaps less understandable. The simple fact remains that the ICO has no such legal advice and those high-profile statements to the contrary were baseless – the requests should have led to a rethink. FOI can sometimes lead to embarrassing disclosures, but so long as lessons are learnt, isn’t that the whole point?

Anyway, returning to the central thrust of my blog, if the Information Commissioner and his Deputy cannot find the time to show sufficient respect to his FOI request handlers, then what kind of example does that set for public authority employees of all grades?

The situation reminds me of the withering quote Geoffrey Howe served up about Margaret Thatcher in his resignation speech to the House:

“It is rather like sending your opening batsmen to the crease only for them to find, the moment the first balls are bowled, that their bats have been broken before the game by the team captain”.

The requests here were doomed – how can a request handler properly comply with the spirit and wording of the legislation if the skipper doesn’t provide them with the context that they require – and indeed lets them spend hours searching for information that never existed.

I like and respect both David Smith and Chris Graham, but that doesn’t make them immune from criticism – or, again borrowing from the Howe-themed vernacular, a savaging from a dead sheep.


CMP’s – what happens next?

The First Tier Tribunal recently overturned the ICO monetary penalty to Scottish Borders and I believe their reasons for doing so have left a number of problematic issues. In very brief terms, the initial CMP was issued after former employees’ pension records were found in an over-filled paper recycling bank in a supermarket car park, having been dumped there by a data processor. No contract was in place with the data processor and it sounded like the disposal of the files wasn’t really considered by the Council.

In summary, the FTT judgement confirmed that the information that was lost included “name, date of birth, national insurance number and salary. In some cases the files contained bank account details, a signature…”. The Tribunal accepted that there was a breach of the 7th principle and that it was a serious breach. They effectively overturned the ICO’s decision on the basis that it wasn’t a breach “of a kind likely to cause substantial damage or substantial distress”. There was some typical legal analysis around the definition of “likely”, which can perhaps be boiled down to their conclusion that “it is insufficient to point to such consequences merely being a possibility”.

The tribunal also concluded that what had happened was a surprising outcome, not a likely one and indeed they further offered that they thought the safe destruction of the files was the likely outcome (“we would not describe any other outcome as likely”). Given the files weren’t actually safely destroyed that’s quite a bold assertion – we can all have our theories but sometimes the facts can speak for themselves.

The tribunal sought to make a clear distinction between the contravention/breach and the trigger incident. This is entirely understandable; indeed I and others have previously highlighted that the ICO has sometimes appeared to be fining for the incident itself rather than the breach. The breach here was not ensuring they had selected a data processor offering sufficient safeguards and not evidencing that agreement in writing. The trigger incident was the files ending up in Tesco’s car park. It is incidents that the ICO asks to be informed of, not breaches – an incident might not always be a breach of the DPA and of course a breach doesn’t need an accompanying incident. As an aside, it would therefore be fascinating to know how the ICO would react if a Data Controller was to notify them that they hadn’t trained staff in Data Protection, or that they didn’t have a policy for using fax machines – both breaches that have previously been the subject of CMP’s when the breach resulted in a trigger incident.

The problem I have here is that the Tribunal appear to be saying that they can only consider the breach itself, yet they still require the ICO to “construct a likely chain of events which would lead to substantial damage or distress”. I think that is a very difficult burden when the circumstances flowing from the breach are essentially not allowed to be considered.

If an unencrypted disc containing personal data of millions of people goes missing in the post, one would presume that is a breach, a serious breach and (depending on the data) one of a kind likely to cause substantial damage/distress. If the disc then turns up a day after the incident is reported to the ICO, that doesn’t make the breach disappear, but it does make the chance of damage/distress all but disappear. To me it is a serious breach that fulfils the criteria irrespective of what harm actually comes from the incident, but I wonder how the Tribunal would assess the likelihood of damage in these circumstances?

It strikes me that the Tribunal overlooked the phrasing “a breach of a kind likely to cause…”, a phrase that I think is significant as it changes the meaning of the sentence. I interpret the full phrase to essentially be saying “is this the type of breach that has the potential to cause damage/distress”. When you give processors personal data without any safeguards then you have opened the data subjects up to potential damage, so for me it is a breach of a kind likely to cause damage/distress, irrespective of what happens next.

Whether it does or doesn’t cause actual harm is probably always going to be down to the specifics of the incident that flows from the breach. If an unencrypted laptop containing witness details is stolen in a burglary, I would say that fulfils all the criteria. But if the same laptop was discovered by Police searching their colleague’s house, there would be no likelihood of damage/distress to the witnesses. But the breach remains the same and that’s a breach of a kind likely to cause damage. Similarly the chap who had his unencrypted hard drive stolen from his car – the breach occurred when he failed to encrypt his laptop, not when he had it pinched. Obviously now he has had it stolen the likelihood of misuse is much greater, but again we must recall the assessment is of the breach itself. With breaches like these any number of outcomes could occur, some likely, some probably exceptionally unlikely, but you have no control and are entrusting the data to fate.

Trigger incidents will often flow from a breach – the unencrypted laptop containing witness details might be wiped before it’s sold on in the pub or it might end up being sold to the local gangster to intimidate the witnesses. I would regard the latter example as extremely unlikely, but I don’t think that’s a sufficient assurance to the people whose data and security have been compromised.

I’m not sure if it’s a drafting error in the legislation, but the idea that a breach must carry a likelihood of significant damage or distress, as opposed to “merely a possibility”, is a difficult standard to achieve. Further, the CMP is about punishing the lack of compliance, not the incident, and therefore I don’t see why the ICO should be expected to speculate about the likelihood of potentially harmful scenarios.

What I also found a little odd is that the judgement didn’t even consider the issue of significant distress, focussing solely on the question as to whether damage would occur. The issue seemed to come down solely to an assessment of whether identity fraud would be likely to take place – and as someone who works for a pension company it’s surprising and comforting that the tribunal doesn’t seem to hold that names, addresses, NI numbers, bank account details, signatures and salary/pension details are especially problematic fields of data.

The ICO’s amended power to issue a CMP can possibly be traced back to the furore around the infamous HMRC data loss, but based on their reasoning here, I can’t see the Tribunal would have regarded that as fulfilling the criteria for a CMP either – as effectively they would have been left with the same equation re likelihood of identity fraud.

I’d also imagine Sony and Welcome Finance, amongst others, are kicking themselves for not appealing earlier CMPs involving this type of data given the judgement here. Strangely the ICO appear unmoved by the Tribunal’s logic, as their most recent CMP again quotes the potential for identity theft.

Looking back through the ICO’s CMPs I can’t think of many where there was a real likelihood of substantial damage. The biggest fine, to BSUH, is an example where it would be very difficult to construct a likely chain of events leading to damage to the data subject. I doubt the data subjects were ever told their data ended up on eBay, so nor would there technically even be distress. That outcome didn’t become likely when they undertook to destroy hundreds of hard drives without a contract – but it did become a possibility, which I think is enough to justify a CMP – even if the Tribunal doesn’t.


The case for the defence.

As the ex ICO employee who issued the refusal of the names of the 2 Councils in Jon’s blog, I feel there are a number of errors in his analysis. I am infamously constrained by Section 59 of the DPA, but I can of course discuss the significant amount of information already in the public domain, along with the considerably less significant personal views I hold.

The first observation I would offer is that although Jon begins the piece by discussing the regulatory role of the ICO, the decision to which he objects and blogs about was issued in the ICO’s role as a Public Authority under FOI. Of course, the context in which an ICO request handler operates cannot be entirely dismissed, but nor should we forget the guiding principle is the Act itself, and in that regard the ICO is simply A.N. Other public authority. Should my decision really have been made with a commitment to ‘transparency at the ICO’, at the expense of applying what I considered to be the provisions of the Act? I saw myself as a practitioner working for the ICO, rather than an ICO employee working as a practitioner.

So whilst Jon may have indeed “trusted the ICO to apply the law properly”, he did so in a manner no different to any other request he makes to any other public authority. As he says, the right of an internal review, complaint to the ICO and then the Tribunal were all (thankfu££y) not pursued here, so it was simply my assessment as to whether it was reasonable in the circumstances to disclose the names. If my response here feels a little prickly, that’s why – because his trust issue (and subsequent public complaint) was with me as a request handler, not the wider functions of the ICO as a regulator. I’m big enough and ugly enough to accept criticism and I know I was representing the ICO, but at the same time I think a sensible critic should recognise there is a degree of autonomy in a first response. Christopher Graham certainly didn’t sign off on my response.

Those who object to the silver standards of the ICO may perhaps reflect upon the bronzed budget which they expect to deliver gold plated results. Such critics are almost certainly more interested in the legislation than I am – and definitely more intelligent, but I would question whether they are more objective. There’s a palpable excitement at any perceived ICO mistake.

Returning specifically to the blogpost, the key point that appears to have been overlooked is that the decision not to (pro-actively) publish the Undertakings was taken elsewhere in the ICO, at the time the Undertakings were signed. Both the initial request for the Undertakings themselves and the follow-up for the names were made in that underlying context. That decision was made outside of FOI and at the ICO’s discretion. I honestly don’t know whether or not there was, as Tim alludes to, a degree of negotiation to get the DCs to sign, but as I noted it’s a discretion that is rarely exercised, so the idea that the ICO is undermining its regulatory functions by delaying publication in a tiny fraction of cases is a little fanciful.

It is clear from the refusal notices that the initial decisions were made following representations from the DC’s that the release may have adverse consequences. It is important to remember that is the position that I, as the request handler, inherited. I therefore maintain it was correct to give weight to the fact that (rightly or wrongly) the organisations had been told the Undertakings wouldn’t be publicised in the usual manner. If you think, as Jon appears to, that the initial decision risked damaging the reputation of the ICO and undermining the ICO’s functions, fair enough – but from an FOI perspective, surely that initial agreement requires some further consideration? It appears Jon disagrees, as his own analysis was that if the argument concerning commercial prejudice was unsound, the argument for a Section 22 refusal ‘falls away’. No mention is made of the DCs expectations of confidentiality when signing the Undertaking. For the avoidance of doubt, I repeat that I wasn’t bound by the initial assurance, rather I did not disregard it.

My decision also considered that a Data Controller (or to be precise 2 public authorities) were telling me that if I released their names there was a chance it would damage their commercial interests, for the exact same reasons why the ICO had previously agreed not to publish the Undertaking a few months earlier. I would maintain that is a very legitimate consideration to at least take on board. The word ‘prejudice’ was loosely used in the refusal notices, which in hindsight might be unfortunate given it carries a more specific meaning in FOI terms.

Surprisingly, Jon hasn’t addressed whether he thinks the News International Undertaking that was also withheld would have prejudiced the linked criminal trial, so in the absence of comment my assumption would be that he accepts that particular premise. My own opinion is that I very much doubt it would have done, just like I very much doubt these further Undertakings (or specifically the identity of the DC) would have caused commercial detriment. I’m not short of an opinion, but I’m equally aware it is not always the right one, and again therefore I needed to be mindful of the strongly held opinions of better placed individuals.

I should also clarify that my analysis wasn’t set against the requirements of Section 43; rather it was simply an assessment of reasonableness and a public interest consideration in relation to Section 22. In other words they didn’t need to totally convince me; rather they flagged a potential risk which helped shape my consideration as to whether disclosure was reasonable in the circumstances. Again, that left me to make a judgement. I don’t think that Ed Miliband will ever be Prime Minister – but I wouldn’t rule it out, so should I make an assessment of what is reasonable based on my opinion, or should I take a more rounded view of the circumstances and opinions of others? In a nutshell, I’m not arguing whether prejudice would occur to criminal or commercial matters, or indeed whether the wrong brother will become PM, but is it at least a reasonable proposition that those things might happen? My view is the same on all accounts: unlikely but not impossible.

The Undertakings themselves are entirely unremarkable and I can fully understand why there is still a lack of understanding surrounding what the commercial impact may have been. I can also share that the end result (i.e. withholding the names) was not the outcome I instinctively expected when taking this request, before I calibrated those entirely fictional public interest scales. But there is a curiosity here in Jon’s position, on the one hand accepting he still doesn’t have an appreciation as to what the commercial arguments are, but on the other arguing that the refusal notice(s) show improper weighting of competing rights and interests. To put that another way, he doesn’t know why the Councils objected, he doesn’t know why the ICO Enforcement department agreed, or why I withheld the information – but we were all wrong to do so. By all means disagree, but to disagree (and blog) on the basis that you don’t understand is a tough one to swallow, particularly whilst simultaneously confessing “it’s not a big enough thing for me” to request the facts about.

With an acknowledgement that I might be being over-analytical, I also find it odd that the refusal notices should be characterised as a ‘fuss’. This was an (FOI) demand-driven event and the fuss of having to consult with 3 DCs on 2 separate occasions wasn’t of my doing. That was my job, so it’s not a complaint, merely an observation.

Similarly, given the blog was around weighing up competing interests, it’s only fair to highlight the lack of explanation with regard to why it was reasonable to disclose the names of the DCs, or why there was a public interest in releasing simply the identity of the DCs in question. I accept there was some discussion regarding the Communicating Enforcement Activities policy, but I’m not sure this addresses the specific reasons for disclosure under FOI at the time of the request.

By applying Section 22, there was of course a commitment to publish the Undertakings in their entirety. What was the compelling public interest in releasing the names themselves at that time? Where was my incentive to override the aforementioned concerns? Was it reasonable to dismiss the representations and risk a loss of taxpayers’ money, just to provide their names, which in isolation added very little?

Believe it or not, I’m intensely relaxed at the idea I may have got my decision in this request wrong; I’m sure all practitioners have been overturned at some point. But that doesn’t raise questions of trust, it just shows that request handlers will be a mix of the good, the bad and the ugly – or in my case 2 of the 3.

More generally, I think there is a point to be made here that practitioners at the ICO are burdened by the same challenges as practitioners elsewhere – unhelpful busy colleagues, private sector stakeholders who don’t understand FOI and requestors who are often baying for someone’s blood – all of which is conducted in an increasingly public gaze and to the soundtrack of a 20-day ticking clock.

Whilst Jon (politely) took issue with the decision not to release these 2 undertakings, another observer somewhat over-excitedly thought the decision not to release the NI one was a sign of “collusion, cover up and corruption”. Everyone is entitled to their opinion – mine is that the latter individual needs to get out more and learn some manners. If I’d withheld News International’s name and released the names of the 2 Councils, I’m pretty sure that the regular critics would be chiming in with their favourite allegation that the ICO is frightened of big business etc. That’s the tightrope a high-profile FOI public authority request handler walks. I enjoyed the work, but it’s nice to have the freedom to explain the thinking behind the output.


You cannot be serious (can you)?

The First Tier Tribunal recently upheld the ICO’s Civil Monetary Penalty of CLCH, which I think has generally been taken as an approval of the ICO’s CMP logic and procedures. I’m not convinced, as I think some pretty important questions remain unanswered about the ICO’s handling and thought process in this area. I should share that I previously sat in on CMP meetings so have a little inside knowledge, although my former employers will no doubt be encouraged that I take enough interest in the legislation to know what Section 59 does (and doesn’t) apply to.

In any case, if I was going to share my inside line, I would rather follow the lead of the former Head of Enforcement, who went to work for FFW, who coincidentally have since pocketed a staggering 168k representing a public authority in a single CMP case. Moral of the story – that type of knowledge is to be sold, not to be told (feel free to contact me, Sony legal department, ahead of your forthcoming appeal).

We know from the recent appeal that the ICO divide CMP’s into 3 categories, Serious, Very Serious and Most Serious, with each category having a financial band. Aside from the slightly inelegant language, that seems a broadly sensible approach.

What has become apparent to me, however, is that 1) there is no consideration of where breaches occur without an associated incident and 2) there are no criteria, explanation or perhaps even logic on how breaches are classified into each band.

In making this analysis, I would accept that I may well be wrong here, because I haven’t made an FOI request for any information held in relation to the above. That’s because I wouldn’t wish to needlessly add to the testing workload of my former colleagues, especially because recent events have shown us how much a team of 12 people can struggle to keep on top of things when the majority are women. Only joking sisters, love you really!

Moving on from the satirical sexism, let’s address my first contention, essentially that the ICO’s CMPs only react to data incidents, not DPA breaches. I’d begin by noting that at no point does the CMP guidance introduce the concept of punishing for a particular incident – it’s for the breach of the DPA itself. The ICO isn’t there to provide punitive redress to those who may have been wronged in some way – but to punish for a serious breach of the DPA. As I’ll expand upon below, it’s quite possible for a concerning incident involving personal data to occur that perhaps doesn’t even equate to a breach of the DPA.

If the ICO was indeed issuing CMP’s for serious DPA breaches, as opposed to punishing incidents, then if I self reported that my organisation didn’t encrypt laptops containing sensitive personal data (we do), would that not be a serious 7th principle breach and one likely to cause damage and distress in the event they were lost/stolen? It would fit each of the criteria required to impose a fine. Yet the ICO hasn’t fined one organisation for a breach where there wasn’t an incident. Why wait for the incident to occur before taking action against a breach? Furthermore, most of the published discussion around CMP’s focuses on the incident, such as the numbers affected and the type of information lost in that particular case. Admittedly it could be argued that where there is not an incident, it is much harder to demonstrate that breach would be of a kind likely to cause damage/distress, but from my anecdotal experience, I don’t think that is how things are looked at.

Similarly, with reference to the second strand of my perspective, the breach appears to be determined to be serious by the ICO almost entirely because of the specifics of the incident. There is minimal consideration of what the Data Controller did wrong in DPA terms.

Over 90% of the ICO CMPs have been for breaches of the 7th Principle, so I will focus my analysis around that principle. The gist of the principle is basically that the greater the amount of information and the sensitivity of that information, the more measures should be put into place to protect it – a proportionate approach.

To breach that principle, you would have failed to put 'appropriate' measures in place. So for it to be a 'serious breach', the ICO should probably establish the deficit between the measures actually in place and the measures that should have been in place. If the gap is significant, one could then move on to looking at whether the breach was of a sort likely to cause substantial damage/distress.

The CMP for Sony typically sidesteps this issue of ‘seriousness’, instead concluding

“The contravention is serious because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing and the nature of the data to be protected”.

I find that analysis exceptionally weak. Firstly, where the measures don't match the risk, it is by definition a breach – where does the increased severity to a serious breach derive from? The ICO's summary here appears to be saying that because it is a breach, it is a serious breach. I'm not saying it's not serious, simply highlighting that there is no explanation offered by the ICO. Further, given we know that this case has ended up with a £250k fine, the ICO have in their mind in fact held this to be a very serious breach. Shouldn't the language used be comparable to the conclusion formed?

When considering the aggravating factors, it does mention that the "contravention was particularly serious because of the nature and amount of personal data", but that again is weak because of the implication that any breach involving large amounts of data is a serious one. Again, the incident might be serious, but I'm not convinced it makes the breach itself serious, not least because there might be a case where the data controller just made one small mistake and that led to an incident that would be likely to cause damage and distress for a large number of people. Is that more, or less of a serious breach than a data controller being completely reckless with 1 person's data thus causing huge damage?

The FTT commented in the CHC appeal that they thought the ICO could have classified that case as "very serious" on the basis of the number of organisational failings – essentially judging the seriousness of the breach against the failings against the 7th principle. The ICO has not stated in its written guidance that such factors will be considered at all and it's missing from the CMPs, again suggesting they are focussing more on the incident and working backwards from there.

For example, information could be lost or accidentally disclosed as a result of an error by a data processor. Where the data controller is considered to have followed all the appropriate steps for selecting and monitoring the data processor, it might be the case that technically there is no breach of the DPA at all – or perhaps more accurately no breach of the 7th principle. If you select a specialist data processor, ensure you have a watertight contract and audit them regularly, would you not be well placed to argue you had taken appropriate measures to keep information secure, even where an incident then occurred? Or likewise if you train staff regularly and have the best policies in the country but an employee decides to leave sensitive papers stuffed in a hedge?

Had the data controller followed all of the correct steps but not carried out regular audits of the Data Processor, then in my mind that would be a breach of the 7th principle – but not a serious one, in the sense that the gap between what they should have done and what they did do was relatively small. A serious breach would be just flinging out the outsourcing to the cheapest provider, with no contract and no checks. The reality is that incidents usually occur as a result of a breach, but the extent to which the incident has been caused by technical and organisational failings will of course differ and that's where I feel the ICO is somewhat blinkered.

To again take the example of Sony, they had online security, it just wasn't sufficient to withstand a targeted and sophisticated criminal attack. It strikes me that the breach itself was at the lower end of the spectrum, in terms of assessing the difference between what they should have done, and what they actually did. What would the fine have been if they had no security at all?

I'm not suggesting that the numbers affected and the level of (potential) damage/distress should be ignored, as that would be a bit perverse. Indeed, I would like to see those factors considered in conjunction with the severity of the DPA breach by the data controller (e.g. severity of breach x numbers affected x potential damage/distress). But above all, I'd like to see those handing out the fines being clear about their reasoning.

On a slightly different note, something also caught my attention about the recent CMP to the Nursing and Midwifery Council. Incidentally, whilst it might be a bit of a pipedream to think I might catch the eye of the Sony Appeal lawyers, it's more of a lifelong dream to catch the eye of a gaggle of Nurses. They were essentially subject to a CMP because they didn't have a policy to encrypt DVDs containing evidence sent to a fitness to practise hearing. The guidance in such matters is very clear, so in some ways there is no debate, but it did cross my mind that had they sent the very same information (apparently witness interviews) in paper form, then would they have faced similar action? Sending personal information on a disk shouldn't really be considered more insecure than sending the same information in paper form. If a bundle of papers had vanished while using a courier, would that have seen a 6 figure fine?

I'm not setting out to be a vocal critic of the ICO, as aside from anything else I think that market is saturated, so I should perhaps balance my criticism of the ICO by acknowledging that on the whole the CMPs seem to be broadly consistent, reflective of a logical precedent-based approach. I just feel that it would also be good to take a step back and think about the basis behind some of the fines – admittedly easier said than done when faced with a constant stream of breaches (sorry, incidents) to investigate. Hopefully my analysis will therefore help. If so I seek no plaudits – although I wouldn't mind one of those generous free dinners (page 7) the Commissioner manages to get through the expenses policy (page 14), disproving the old adage that there's no such thing as a free lunch (page 1).

Posted in Uncategorized | 1 Comment

What Price Frivolity and Freedom?

The blogosphere is full of well written and impressively articulated arguments in support – or perhaps more accurately in defence – of FOIA, but I've always found it surprising that those who have spent time at the coalface don't feel greater frustration with the legislation and its wider cost. I write this as someone who spent 2 and a half years dealing with information requests, many of which were frivolous by any reasonable interpretation of the word. I'm a fan of FOI but feel that misuse of the Act weakens its reputation and subsequently its wider effectiveness – whilst also diverting valuable resources in tough times.

The current legislation makes no allowance for the use of frivolous requests; the bar is instead set considerably higher at 'Vexatious', meaning that sarcastic requests about Zombies are afforded a level of respect and attention that most sensible observers would find a matter of regret. Ok, not all silly questions take long to deal with, but the fact remains that such requests have to be formally responded to, can then be the subject of an internal review, complaint to the ICO and referral to the Information Tribunal – all at no cost to individuals who often appear to use the Act as simply a continuation of a complaint.

On a similar basis, the cost of FOI is something that usually attracts huge criticism by those who defend it. Ironically, those who seek transparency of public spending recoil in horror when the costs of FOI are openly examined or discussed. Let me be clear, and let us all be honest, Freedom of Information does not come cheaply – so whilst it might be free at the point of sale, we are collectively still paying for it.

Those who make a disproportionate number of requests clearly have the most to lose from a proposed charging regime. So we should perhaps consider very carefully the motives of an individual who admits to making around 700 requests a year whilst aligning himself to the campaign to resist charging. He may well be a principled campaigner raising issues of great importance and identifying significant cost savings – but clearly self-interest is also engaged.

By way of example I was expected to do circa 180 requests a year, with my modest salary hovering around £25,000. Sure, I had some ad hoc Governance project work to carry out as well, but a crude starting calculation takes it to around £140 a request. The cost of employing me was probably more like well over £40k when you factor in pension and NI contributions etc. My calculation also doesn't consider the cost of colleagues' time in providing input to a response (think how much time alone is spent on Section 36 considerations by senior/expensive staff?). I don't know how one would ever arrive at a calculation, as the Justice Committee have just suggested, but the ballpark figures are interesting nonetheless. So Mr Benson's 700 requests a year are probably costing considerably over £100,000 – that's before any costs of his Internal Reviews and other stages of complaint are factored in.

I was one of 6 dedicated request handlers in an organisation employing around 350 people. Some may argue that being transparent in times of recession saves money, but even if others believe that, I don't. Let me put it this way, if you ran a private company with 350 employees, would you really shell out for 6 full time staff (plus managers) to allow people to scrutinise you in the belief it would save you money and identify cost savings? I wouldn't. Loyalists argue that there is a cost limit (essentially implying a £450 limit on the cost of a request) but the time spent considering, redacting and preparing a response is not considered, hence a position where requests can take 5 months to process.

A Nottingham City Councillor claimed FOI was costing his Council £500,000 a year and came under strong attack for his statement. He may or may not have been overegging the pudding, but to suggest that the true figure was just £64,000 is equally wide of the mark, given it takes no account of printing costs, preparing and attending ICO Complaints and Tribunal hearings, the management of a disclosure log etc. For the record, my money is firmly on the £500,000 being a lot more accurate than the £64,000, but in both cases it appears the authors are letting their respective opinions on FOI dictate the figures.

Meanwhile, Nottingham’s rivals down the Brian Clough way, Derby City Council, somehow managed to spend just £31,500 apparently responding to 939 requests, which suggests that either a) they were a damn sight more hardworking than me, b) that figure is bollocks or my own vote c) both of the above.

A more sensible argument would surely be that whilst it costs, FOI is a necessary cost of democracy. That's certainly my take on it. But the point I have been clumsily fumbling around with here is that if you have confidence in your position, you shouldn't be afraid of facts and nor should you avoid any criticism of the current legislation. Those with such an interest in FOI should be amongst the first to want to know what it costs and find ways to cut the crap. Nor should they attack those who wish to prioritise caring for the elderly (councils), dealing with more crime (the police) or rising pupil numbers over providing information about student wanking pranks.
