A Public (dis)Service

When I started this blog I had no idea what direction it would take me in, but I held a desire to be able to speak freely about my opinion of DPA and FOI – a freedom that my previous role within the institutionally conservative ICO did not afford me. I’m an opinionated and perhaps contrary character so much of what I write will probably reflect those traits and follow a pattern of challenging those whose positions I disagree with. With all that in mind, I offer no apology for a strong focus and reaction to the latest offerings of those who have again rallied against the ICO’s criticism of the Local Government and/or wider public sector.

Much of the excitement came from Chris Graham’s reported remark that the Local Government sector was “hopeless” at DP. Unfortunately no context of the remark was given, although with predictable relish some choose to take that as an attack on the DP officers themselves whilst another anonymous public sector employee barked their laughable belief that Chris Graham should resign and again took the statement to be aimed at “all” Councils.

Prior to that comment, Tim Turner recently wrote about his “belief in the ICO’s anti-public sector bias”, and anyone who had a different view was “weirdly biased”. He further argued that the ICO was “arbitrarily going after the whole local government sector”, so some of my analysis will look at these bold assertions.

As a starting proposition, I certainly agree that the public sector reports more security incidents to the ICO, undoubtedly partly due to certain mandatory reporting in the NHS and possibly more generally due to a sense of civic duty.

I don’t have (the energy to find) more up-to-date figures, but of 730 self-reported incidents from 2012-2013, 263 were from the private sector, yet only 1 private sector fine was issued during that period. So, is the alleged anti local government and public sector bias proven by these figures showing that the ICO takes more action against the public sector? Well, that’s certainly one conclusion, but a more logical one, however, is that the Public Sector – and specifically the Health and Local Government sectors – process more data that is of a kind likely to cause damage/distress and thus it’s more likely they will be the recipients of CMPs.

This rhetoric is backed up by the following comments by the ICO’s Simon Rice, who argued that

by its very nature, the public sector processes more sensitive data than the majority of the private sector, and our framework says that the penalty must be for the most serious cases – that you can only fine in the most serious cases

He went on to speculate elsewhere that

the failings in public and private sector organisation may be as great, but the impact of breaches by public sector organisations tends to be much greater

Generalisations can be dangerous, but they can also be applicable, and in this case it appears a reasonable statement, not least because it’s a position even the public sector bias critics subscribe to – note Tim Turner’s Local Government observations that “the likelihood of their data going missing is considerably greater than any other sector”.

Further evidence comes from Jonathan Baines, who notes “Local authorities, by their nature, handle large amounts of particularly sensitive data, but so do most, if not all, NHS bodies” along with further comments on the risk of accidentally releasing data that “councils and NHS bodies …are probably the highest risk ones”.

So, all the analysis of the numbers of breaches is built on the shaky foundation that it’s a level playing field, when we all appear to agree that it’s anything but. The public sector, and particularly local government and health, are processing more sensitive data and are more likely to face problems, so it’s a logical conclusion that they will be more likely to have serious breaches of a kind likely to cause damage etc. There is a slightly different debate we could have about the underlying purpose of a CMP and indeed its wider effectiveness, but that’s for another day.

A bias, to me, would be prevalent if the ICO looked at the same issue in different ways on the basis of the sector involved. There is no evidence the ICO do this, although there is evidence Tim does view different sectors differently, as he told us in a footnote to his own blog that he “would prefer to see more CMPs levied on the private sector, whose attention is more focussed on the bottom line”.

The public sector generally is certainly very under-resourced and I’m not immune to that, but Data Controllers processing the most sensitive data in the most complex ways are the very first people one would expect to have basic measures in place like home working policies and mandatory staff training. Nobody is asking a small local authority to have the same measures to protect their website as Sony, but surely they have the capacity and certainly a duty to do the very basics? And yes, incidents would still happen, but you must do your best to prevent them – that’s the fundamental point of the 7th principle: your measures must essentially be proportionate to the risk (and your resources).

The public authorities who have been fined have, on the whole, shown a significant shortfall in their responsibilities – in many cases “hopeless” seems entirely apt. However, calling a sector “hopeless” might well be an over-generalisation and I agree the lack of context makes it a clumsy and unhelpful comment. That said, I don’t think that by focusing a press statement or indeed CMPs against the public sector the private sector will become complacent, not least because there is evidence that the publicity surrounding the fines to public authorities for their data handling practices has led to an increasing number of private companies seeking independent assurance of their internal data protection standards.

If it was the case that the ICO did indeed believe the public sector should be held to higher standards then that would be evidence of bias – and totally perverse. I do struggle to accept the unsupported assertion that market forces will lead to higher standards – if I was going out of my way to defend the statement I would assume it is a nod towards the fact that you have no choice about much of the processing carried out by the public sector, whereas if RBS routinely lose my data I can up sticks to Barclays. As an amusing aside, the former lost a copy of my passport when opening an account, although creatively told me they hadn’t lost it, and the reason they needed another copy was because they must have sent it to the wrong processing centre and anything sent to the wrong place gets securely shredded. They didn’t lose my custom, merely £60 in compensation – but that choice was mine, a luxury I don’t enjoy with my Doctor, Social Worker or Teacher.

For the life of me I can’t understand why the ICO would be biased against the public sector. Their wider enforcement is pitiful on FOIA (solely dealing with the public sector) yet plentiful for PECR (almost entirely applicable only to the private sector), so the idea they are routinely scared of the private sector doesn’t appear well founded or consistent across their other functions. The closest I can get to thinking why the ICO might hesitate against the private sector is a fear of taking on a sector who might initially be considered more likely to contest the ICO’s findings through costly and potentially embarrassing Appeals. However, both of the Appeals against DP CMPs have come from public sector bodies. It’s thus an incredibly self-serving argument to highlight

“The only CMP successfully overturned was on a public sector organisation (£250,000 on Scottish Borders Council)”, because the only CMP challenged was from a public sector organisation. That particular analysis also neglects to mention that the CMPs served to Sony, Welcome Finance and the Bank of Scotland were served on a similar (apparently flawed) reliance on the compromised data putting the data subjects at risk of identity fraud/financial loss. In hindsight, they look like very dubious CMPs against the private sector.

Further, if the ICO really was into going after perceived soft targets, then surely they wouldn’t be looking at a sector such as the NHS, with all of the emotive arguments that can be made about the money coming at the expense of patient care.

In fact, from working in the office at the time of the first wave of CMPs, there was actually something of a relief when the first appeal was made because it offered a broad reassurance that the ICO approach was reasonable. I can also assure those who suspect otherwise that when fining under-resourced schools, hospitals and police forces, it isn’t done with any relish. Likewise, a CMP of £200,000 for a Charity doesn’t feel great, but the idea is surely to protect the data of the individuals more than to make moral judgments about the raison d’être of the Data Controller. I therefore cannot agree that Charities should be subject to lower penalties, as I feel it carries an implication that they should be allowed to have lower standards because they are pursuing altruistic goals – and in this case even that statement assumes you support the work of the BCAS.

I worked at the ICO and now I work in the private sector and have straddled the sectoral divide with complete indifference. I didn’t regard myself as a beleaguered public sector worker any more than I now think I’m on the other side of the coin, lying awake at night wondering how to exploit consumers. I’m paid to do a similar job and it just so happens that my employer is in the business of making money for providing a service, not taking it to provide a service. If the ICO criticised the financial sector for poor compliance I certainly wouldn’t take offence; personally I’d probably enjoy the fact that competitors were not hitting high standards. I acknowledge those within Local Government may regard themselves a little differently and more collectively than that, but the spikiness of a sector to criticism within the sector seems disproportionate and I do wonder whether it’s linked to the increasingly polarised political sphere.

Nevertheless, it was with considerable astonishment that I read these reported comments from public sector governance officers. Seemingly, on the back of some mildly unflattering press releases from the ICO about public sector audit results, they would no longer volunteer for a free audit. Simultaneously making arguments about budgetary constraints whilst turning down a free audit on the basis that the results might be used to make generalisations about one’s sector seems perverse. The loyalty should surely be to your employers (and customers), not to safeguarding the reputation of your wider sector?

David Smith recently answered a question at the ICO conference by giving his opinion that the private sector is better than the public sector at DPA. His thought process (11m 55s) was that as customer data is a key asset of business, business will take the security of that data more seriously.

I doubt there will be any specific information held in the form requested to prove this point, but I think it’s a reasonable and well placed opinion based on the anecdotal experience of being a Deputy Commissioner for Data Protection who signs off the Civil Monetary Penalties and who has access to the full details of the self-reported breaches. There are only 4 honest answers you can give to who you think is better – private, public, the same or don’t know. Whether you agree or disagree, was his answer a reasonable one – especially when again considering the under-resourced and under-supported nature of the public sector?

The caveat I would add, which I think the Deputy Commissioner would have been wise to have included, is that his comments were in the context of keeping data secure. I think it would be fascinating to know which sector he believes processes data more fairly, because personally I think this is an area where the private sector will be more inclined to push the boundaries, spurred by the same commercial interests that motivate them to keep the data secure.

Whilst critics should acknowledge that those processing the most sensitive data in the most complex way are naturally more likely to end up involved in breaches of a kind likely to cause damage, equally the ICO should recognise that their compliance might not be comparatively worse. Indeed, I note from a recent ICO statement on their new approach to handling casework that

With any report we publish summarising the number of concerns raised with us we will always include a statement to explain that organisations processing high volumes of personal information are likely to generate a proportionate number of concerns to the regulator.

Personally, I don’t actually think the ICO needs to go overboard in contextualising every set of figures it releases to pander to the sensitivities of certain sectors, but if they believe in the above statement, then surely they should apply a similar rhetoric to all areas of their work?

I’ve not given huge thought to which sector is better, as despite my 2500 words here, I don’t actually think it’s especially important. However, if we are looking at private sector compliance bias then it’s surely pertinent to raise, or at least be aware of, the fact that losses of customer data in financial services will often be looked at by the FCA. For example, Zurich were fined a comparatively eye-watering £2.3 million for losing an unencrypted disc. The date of that fine preceded the ICO’s CMP powers, but had it not, it still would have been left to the FCA to handle, because of their greater powers. But that raises an interesting point – the FCA has stronger powers for mandatory reporting and stronger fining powers. Yet since 2010 there hasn’t been a single fine from the FCA for a data loss.

These are interesting political times; the polarisation of debate is quite clear and the divide between the private and public sector is increasingly apparent. Whoever, or whatever, is to blame for that general shift, I don’t think we should artificially extend the battleground to the ICO’s approach. I think public sector compliance professionals should concentrate on getting their own house in order before they worry about ICO press releases which may (or may not) turn out to be misguided. I’m sure the vast majority already do so, in which case they would have little to fear from the ICO.


Howe’s that? It’s just not cricket, Mr Graham and Mr Smith.

The anatomy of a request

One of the daily challenges of an FOI Officer is gaining the necessary contributions from colleagues that are required to fulfil the primary requirement of FOI – to establish the information held within the scope of the request. A request handler is often heavily reliant on the co-operation of colleagues to locate and understand the information requested.

With that in mind, I refer to the two Decision Notices issued against the ICO in relation to their handling of requests for legal advice regarding the decision not to prosecute journalists in connection with Operation Motorman.

The history of the various requests for Motorman legal advice is quite complex and I don’t intend to try and break them down in great detail, but I would like to highlight some troubling aspects of the Information Commissioner and his Deputy’s conduct, so a short narrative is necessary.

On September 16th 2011, addressing the non-prosecution of journalists as part of Operation Motorman, Mr Graham submitted the following evidence to the Leveson Inquiry:

“External legal advice at the time suggested that for this reason it would not be in the public interest to pursue possible prosecutions. This was also because of the difficulty in proving that the journalists involved knew that the information they were seeking could only be obtained by unlawful means”.

On September 15th 2011, the Deputy Commissioner, David Smith, made a robust public defence of the ICO’s decision not to prosecute journalists, and specifically tackled an accusation from an ex-employee that the failure to prosecute journalists was a result of a fear of the press, with the following rationale given in a guest article in The Independent:

“Any suggestion that the decision not to pursue prosecutions against journalists was driven by a fear of the press is entirely false. We exposed the involvement of the press in the first place. Our decision was based on expert legal advice that pursuing prosecutions would not be in the public interest, because of the difficulty in proving beyond all reasonable doubt that the journalists who received information from Mr Whittamore knew it could only be obtained illegally”.

At this time, the ICO received a request from regular requester, frequent blogger and all round thorn(pain) in the (back)side Tim Turner. Mr Turner, presumably on seeing the ICO’s article in the Independent, requested the legal advice in question.

So, the scene at this point is that ICO maintain they were ‘as disappointed as anyone’ with the outcome of Motorman and refer to expert legal advice as the key reason why journalists weren’t prosecuted. As a primary function of FOI is to hold officials (and their accounts) open to scrutiny, one can understand why an interested and inquisitive mind would want to see the legal advice, especially as its contents were seemingly being relied upon as justification for a high profile decision.

Upon receipt of the request, the request handler, as one might expect, contacted David Smith to seek the location of the legal advice. He replied that

“I haven’t got a copy of any written legal advice. I understand that the advice came from our barrister Bernard Thorogood but I am not sure whether it was in writing or just oral. Stephen McCartney and/or Simon Ebbitt might be able to help because they have access to all the Motorman documentation”.

Firstly, it’s not easy to reconcile the above statement with Mr Smith’s later contention in the Internal Review that his reference to legal advice

“was on the basis of his understanding of the totality of internal and external advice and the contents of the What Price Privacy report. He has clarified that he was not referring to any one piece of advice or recorded information”.

If the latter statement is true, why didn’t he tell the request handler that, so that a response could be framed explaining this position? Why reference a specific piece of advice, even noting the name of the author? Granted, perhaps Mr Smith genuinely wasn’t sure if there was a record of external legal advice of the type reported and thus wished for the request handler to try and locate it, as part of the requirement of Section 1. If that’s the case then his response might just about be reasonable from an FOI handling perspective, although it does bring into question the integrity behind his article for the Independent, in which he was very unambiguous about the position, quoting expert legal advice and its specific contents.

He certainly didn’t tell the Independent that he was writing about his understanding of the position. Aside from anything else, it is troubling that such a high-profile statement about a high-profile topic would be handled with such imprecision.

Back to the request…

Having received Mr Smith’s steer, the Internal Compliance Manager and request handler checked with those named, who also had no recollection of seeing such legal advice. They subsequently carried out a comprehensive search of all the Motorman records and couldn’t find anything either. They therefore wrote to the great and the good to inform them that they had not located any information and that it was important for all to be aware of this, given ‘it was likely to attract some attention’. This is standard stuff for a request handler – cast the net for the information and keep an awareness of the potential fallout from the (non) disclosures.

At this stage, bearing in mind the ICO had publicly referenced expert/external legal advice and that Mr Graham had specifically quoted it in his submission to a high-profile Inquiry, one may have thought this would have caused something of a reaction, but Mr Graham still offered no comment.

For the avoidance of any doubt, we should note that both Mr Smith and Mr Graham (and the wider distribution list) were asked for a copy of the legal advice. They weren’t asked for the legal advice referred to by Mr Smith, Mr Thomas or indeed Mr Graham. Any legal advice held should surely have been volunteered.

To put that in context, the ICO were happy to run a dual approach of telling the public and Leveson that External Legal advice told them not to proceed, whilst simply telling an FOI requester who requested the legal advice that no information was held, without any additional explanation.

A subsequent request saw the ICO acknowledge “there was no evidence the document ever existed”, but no amendments were made to the Inquiry evidence, or the public position. Oddly, they didn’t want to confirm this, as they didn’t want to pre-empt Richard Thomas’ evidence to the Inquiry. Surely by referencing the legal advice in the first instance they had already committed to their position?

If the ICO had previously genuinely believed they had external legal advice, it was now being flagged that they did not. The Internal Review into Mr Turner’s request from the (other) Deputy Commissioner even noted that “None of those who were involved in Operation Motorman and its immediate consequences are still at the ICO, so we are largely working on the documents retained”, yet conversely he still defended the “accuracy of David Smith’s statement”. How can one say you are relying on documents, find no documents, yet still believe it’s correct to quote and rely upon legal advice when you also accept that it never existed?

A further request went in for the legal advice Mr Graham was referring to and 2 specific pieces of legal advice were produced, despite these being 2 pieces of advice that had explicitly been ruled outside of the scope of the initial request on the back of David Smith’s statement. As an aside, the provided advice certainly didn’t compare to the description Mr Graham had given to Leveson. The Decision Notice in that case noted the ICO had since changed their position and that Mr Graham’s evidence was referring to the full body of legal advice.

Whether Mr Graham was referring to two particular documents or the wider body of legal advice, surely he should have explained this to his staff when he was first asked about the existence of legal advice? It was even flagged to him that the likely response, which did not appear at all helpful, ‘would likely get a reaction’, but he was quite happy for his own staff to send a reply that was at best disingenuous and at worst downright wrong.

If Mr Graham and Mr Smith had explained that the basis for their clear statements was in fact their understandings and/or the complete body of evidence, then it would have saved all concerned an awful lot of time. Some may feel it perhaps would have exposed their public line as not credible. Personally I feel they thought they had some legal advice on the basis that’s what Mr Thomas told them, and as such just blindly followed his statements. Hardly a robust way to deal with an accusation from a previous employee, but these are incredibly busy people and we all make mistakes. Refusing to correct or acknowledge these oversights is perhaps less understandable. The simple fact remains that the ICO has no such legal advice and those high-profile statements to the contrary were baseless – the requests should have led to a rethink. FOI can sometimes lead to embarrassing disclosures, but so long as lessons are learnt, isn’t that the whole point?

Anyway, returning to the central thrust of my blog, if the Information Commissioner and his Deputy cannot find the time to show sufficient respect to their FOI request handlers, then what kind of example does that set for public authority employees of all grades?

The situation reminds me of the withering quote Geoffrey Howe served up about Margaret Thatcher in his resignation speech to the House:

“It is rather like sending your opening batsmen to the crease only for them to find, the moment the first balls are bowled, that their bats have been broken before the game by the team captain”.

The requests here were doomed – how can a request handler properly comply with the spirit and wording of the legislation if the skipper doesn’t provide them with the context that they require, and indeed lets them spend hours searching for information that never existed?

I like and respect both David Smith and Chris Graham, but that doesn’t make them immune from criticism – or, again borrowing from the Howe themed vernacular, a savaging from a dead sheep.


CMPs – what happens next?

The First Tier Tribunal recently overturned the ICO monetary penalty to Scottish Borders and I believe their reasons for doing so have left a number of problematic issues. In very brief terms, the initial CMP was issued after former employees’ pension records were found in an over-filled paper recycling bank in a supermarket car park, having been dumped there by a data processor. No contract was in place with the data processor and it sounded like the disposal of the files wasn’t really considered by the Council.

In summary, the FTT judgement confirmed that the information that was lost included “name, date of birth, national insurance number and salary. In some cases the files contained bank account details, a signature…”. The Tribunal accepted that there was a breach of the 7th principle and that it was a serious breach. They effectively overturned the ICO’s decision on the basis that it wasn’t a breach “of a kind likely to cause substantial damage or substantial distress”. There was some typical legal analysis around the definition of “likely”, which can perhaps be boiled down to their conclusion that “it is insufficient to point to such consequences merely being a possibility”.

The tribunal also concluded that what had happened was a surprising outcome, not a likely one and indeed they further offered that they thought the safe destruction of the files was the likely outcome (“we would not describe any other outcome as likely”). Given the files weren’t actually safely destroyed that’s quite a bold assertion – we can all have our theories but sometimes the facts can speak for themselves.

The tribunal sought to make a clear distinction between the contravention/breach and the trigger incident. This is entirely understandable; indeed I and others have previously highlighted that the ICO has sometimes appeared to be fining for the incident itself rather than the breach. The breach here was not ensuring they had selected a data processor offering sufficient safeguards and not evidencing that agreement in writing. The trigger incident was the files ending up in Tesco’s car park. It is incidents that the ICO asks to be informed of, not breaches – an incident might not always be a breach of the DPA and of course a breach doesn’t need an accompanying incident. As an aside, it would therefore be fascinating to know how the ICO would react if a Data Controller was to notify them that they hadn’t trained staff in Data Protection, or that they didn’t have a policy for using fax machines – both breaches that have previously been the subject of CMPs when the breach resulted in a trigger incident.

The problem I have here is that the Tribunal appear to be saying that they can only consider the breach itself, yet they still require the ICO to “construct a likely chain of events which would lead to substantial damage or distress”. I think that is a very difficult burden when the circumstances flowing from the breach are essentially not allowed to be considered.

If an unencrypted disc containing personal data of millions of people goes missing in the post, one would presume that is a breach, a serious breach and (depending on the data) one of a kind likely to cause substantial damage/distress. If the disc then turns up a day after the incident is reported to the ICO, that doesn’t make the breach disappear, but it does make the chance of damage/distress all but disappear. To me it is a serious breach that fulfils the criteria irrespective of what harm actually comes from the incident, but I wonder how the Tribunal would assess the likelihood of damage in these circumstances?

It strikes me that the Tribunal overlooked the phrasing “a breach of a kind likely to cause…”, a phrase that I think is significant as it changes the meaning of the sentence. I interpret the full phrase to essentially be asking “is this the type of breach that has the potential to cause damage/distress”. When you give processors personal data without any safeguards then you have opened the data subjects up to potential damage, so for me it is a breach of a kind likely to cause damage/distress, irrespective of what happens next.

Whether it does or doesn’t cause actual harm is probably always going to be down to the specifics of the incident that flows from the breach. If an unencrypted laptop containing witness details is stolen in a burglary, I would say that fulfils all the criteria. But if the same laptop was discovered by Police searching their colleague’s house, there would be no likelihood of damage/distress to the witnesses. But the breach remains the same and that’s a breach of a kind likely to cause damage. Similarly the chap who had his unencrypted hard drive stolen from his car – the breach occurred when he failed to encrypt his laptop, not when he had it pinched. Obviously now he has had it stolen the likelihood of misuse is much greater, but again we must recall the assessment is of the breach itself. With breaches like these any number of outcomes could occur, some likely, some probably exceptionally unlikely, but you have no control and are entrusting the data to fate.

Trigger incidents will often flow from a breach – the unencrypted laptop containing witness details might be wiped before it’s sold on in the pub or it might end up being sold to the local gangster to intimidate the witnesses. I would regard the latter example as extremely unlikely, but I don’t think that’s a sufficient assurance to the people whose data and security has been compromised.

I’m not sure if it’s a drafting error in the legislation, but the idea that a breach must carry a likelihood of significant damage or distress, as opposed to “merely a possibility”, is a difficult standard to achieve. Further, the CMP is about punishing the lack of compliance, not the incident, and therefore I don’t see why the ICO should be expected to speculate about the likelihood of potentially harmful scenarios.

What I also found a little odd is that the judgement didn’t even consider the issue of significant distress, focussing solely on the question as to whether damage would occur. The issue seemed to come down solely to an assessment of whether identity fraud would be likely to take place – and as someone who works for a Pension company it’s surprising and comforting that the tribunal doesn’t seem to hold that names, addresses, NI numbers, bank account details, signatures and salary/pension details are especially problematic fields of data.

The ICO’s amended power to issue a CMP can possibly be traced back to the furore around the infamous HMRC data loss, but based on their reasoning here, I can’t see that the Tribunal would have regarded that as fulfilling the criteria for a CMP either – as effectively they would have been left with the same equation regarding the likelihood of identity fraud.

I’d also imagine Sony and Welcome Finance, amongst others, are kicking themselves for not appealing earlier CMPs involving this type of data given the judgement here. Strangely the ICO appear unmoved by the Tribunal’s logic, as their most recent CMP again quotes the potential for identity theft.

Looking back through the ICO’s CMPs I can’t think of many where there was a real likelihood of substantial damage. The biggest fine, to BSUH, is an example where it would be very difficult to construct a likely chain of events leading to damage to the data subject. I doubt the data subjects were ever told their data ended up on eBay so nor would there technically even be distress. That outcome didn’t become likely when they undertook to destroy hundreds of hard drives without a contract – but it did become a possibility, which I think is enough to justify a CMP – even if the Tribunal doesn’t.

Posted in Uncategorized | 1 Comment

The case for the defence.

As the ex ICO employee who issued the refusal of the names of the 2 Councils in Jon’s blog, I feel there are a number of errors in his analysis. I am infamously constrained by Section 59 of the DPA, but I can of course discuss the significant amount of information already in the public domain, along with the considerably less significant personal views I hold.

The first observation I would offer is that although Jon begins the piece by discussing the regulatory role of the ICO, the decision to which he objects and blogs about was issued in the ICO’s role as a Public Authority under FOI. Of course, the context in which an ICO request handler operates cannot be entirely dismissed, but nor should we forget the guiding principle is the Act itself and in that regard the ICO is simply A.N. Other public authority. Should my decision really have been made with a commitment to ‘transparency at the ICO’, at the expense of applying what I considered to be the provisions of the Act? I saw myself as a practitioner working for the ICO, rather than an ICO employee working as a practitioner.

So whilst Jon may have indeed “trusted the ICO to apply the law properly”, he did so in a manner no different to any other request he makes to any other public authority. As he says, the right of an internal review, complaint to the ICO and then the Tribunal were all (thankfu££y) not pursued here, so it was simply my assessment as to whether it was reasonable in the circumstances to disclose the names. If my response here feels a little prickly, that’s why – because his trust issue (and subsequent public complaint) was with me as a request handler, not the wider functions of the ICO as a regulator. I’m big enough and ugly enough to accept criticism and I know I was representing the ICO, but at the same time I think a sensible critic should recognise there is a degree of autonomy in a first response. Christopher Graham certainly didn’t sign off on my response.

Those who object to the silver standards of the ICO may perhaps reflect upon the bronzed budget which they expect to deliver gold plated results. Such critics are almost certainly more interested in the legislation than I am – and definitely more intelligent, but I would question whether they are more objective. There’s a palpable excitement at any perceived ICO mistake.

Returning specifically to the blogpost, the key point that appears to have been overlooked is that the decision not to (pro-actively) publish the Undertakings was taken elsewhere in the ICO, at the time the Undertakings were signed. Both the initial request for the Undertakings themselves and the follow up for the names were made in that underlying context. That decision was made outside of FOI and at the ICO’s discretion. I honestly don’t know whether or not there was, as Tim alludes to, a degree of negotiation to get the DCs to sign, but as I noted it’s a discretion that is rarely exercised, so the idea that the ICO is undermining its regulatory functions by delaying publication in a tiny fraction of cases is a little fanciful.

It is clear from the refusal notices that the initial decisions were made following representations from the DCs that the release may have adverse consequences. It is important to remember that is the position that I, as the request handler, inherited. I therefore maintain it was correct to give weight to the fact that (rightly or wrongly) the organisations had been told the Undertakings wouldn’t be publicised in the usual manner. If you think, as Jon appears to, that the initial decision risked damaging the reputation of the ICO and undermining the ICO’s functions, fair enough – but from an FOI perspective, surely that initial agreement requires some further consideration? It appears Jon disagrees, as his own analysis was that if the argument concerning commercial prejudice was unsound, the argument for a Section 22 refusal ‘falls away’. No mention is made of the DCs’ expectations of confidentiality when signing the Undertaking. For the avoidance of doubt, I repeat that I wasn’t bound by the initial assurance, rather I did not disregard it.

My decision also considered that a Data Controller (or to be precise 2 public authorities) were telling me that if I released their names there was a chance it would damage their commercial interests for the exact same reasons why the ICO had previously agreed not to publish the Undertaking a few months earlier. I would maintain that is a very legitimate consideration to at least take on board. The word ‘prejudice’ was loosely used in the refusal notices, which in hindsight might be unfortunate given it carries a more specific meaning in FOI terms.

Surprisingly, Jon hasn’t addressed whether he thinks the News International Undertaking that was also withheld would have prejudiced the linked criminal trial, so in the absence of comment my assumption would be he accepts that particular premise. My own opinion is that I very much doubt it would have done, just like I very much doubt these further Undertakings (or specifically the identity of the DC) would have caused commercial detriment. I’m not short of an opinion, but I’m equally aware it’s not always the right one and again therefore I needed to be mindful of the strongly held opinions of better placed individuals.

I should also clarify that my analysis wasn’t set against the requirements of Section 43, rather it was simply an assessment of reasonableness and a public interest consideration in relation to Section 22. In other words they didn’t need to totally convince me, rather they flagged a potential risk which helped shape my consideration as to whether disclosure was reasonable in the circumstances. Again, that left me to make a judgement. I don’t think that Ed Miliband will ever be Prime Minister – but I wouldn’t rule it out, so should I make an assessment of what is reasonable based on my opinion, or should I take a more rounded view of the circumstances and opinions of others? In a nutshell, I’m not arguing whether prejudice would occur to criminal or commercial matters, or indeed whether the wrong brother will become PM, but is it at least a reasonable proposition that those things might happen? My view is the same on all counts: unlikely but not impossible.

The Undertakings themselves are entirely unremarkable and I can fully understand why there is still a lack of understanding surrounding what the commercial impact may have been. I can also share that the end result (i.e. withholding the names) was not the outcome I instinctively expected when taking this request, before I calibrated those entirely fictional public interest scales. But there is a curiosity here in Jon’s position, on the one hand accepting he still doesn’t have an appreciation as to what the commercial arguments are, but on the other arguing that the refusal notice(s) show improper weighting of competing rights and interests. To put that another way, he doesn’t know why the Councils objected, he doesn’t know why the ICO Enforcement department agreed, or why I withheld the information – but we were all wrong to do so. By all means disagree, but to disagree (and blog) on the basis you don’t understand is a tough one to swallow, particularly whilst simultaneously confessing “it’s not a big enough thing for me” to request the facts about.

With an acknowledgement that I might be being over analytical, I also find it odd that the refusal notices should be characterised as a ‘fuss’. This was an (FOI) demand driven event and the fuss of having to consult with 3 DCs on 2 separate occasions wasn’t of my doing. That was my job, so it’s not a complaint, merely an observation.

Similarly, given the blog was around weighing up competing interests, it’s only fair to highlight the lack of explanation with regard to why it was reasonable to disclose the names of the DCs, or why there was a public interest in releasing simply the identity of the DCs in question. I accept there was some discussion regarding the Communicating Enforcement Activities policy, but I’m not sure this addresses the specific reasons for disclosure under FOI at the time of the request.

By applying Section 22, there was of course a commitment to publish the Undertakings in their entirety. What was the compelling public interest in releasing the names themselves at that time? Where was my incentive to override the aforementioned concerns? Was it reasonable to dismiss the representations and risk a loss of taxpayers’ money, just to provide their names, which in isolation added very little?

Believe it or not, I’m intensely relaxed at the idea I may have got my decision in this request wrong; I’m sure all practitioners have been overturned at some point. But that doesn’t raise questions of trust, it just shows that request handlers will be a mix of the good, the bad and the ugly – or in my case 2 of the 3.

More generally, I think there is a point to be made here that practitioners at the ICO are burdened by the same challenges as practitioners elsewhere – unhelpful busy colleagues, private sector stakeholders who don’t understand FOI and requestors who are often baying for someone’s blood – all of which is conducted in an increasingly public glare and to the soundtrack of a 20-day ticking clock.

Whilst Jon (politely) took issue with the decision not to release these 2 undertakings, another observer somewhat over-excitedly thought the decision not to release the NI one was a sign of “collusion, cover up and corruption”. Everyone is entitled to their opinion – mine is that the latter individual needs to get out more and learn some manners. If I’d withheld News International’s name and released the names of the 2 Councils, I’m pretty sure that the regular critics would be chiming in with their favourite allegation that the ICO is frightened of big business etc. That’s the tightrope a high profile FOI public authority request handler walks. I enjoyed the work, but it’s nice to have the freedom to explain the thinking behind the output.


You cannot be serious (can you)?

The First Tier Tribunal recently upheld the ICO’s Civil Monetary Penalty of CLCH, which I think has generally been taken as an approval of the ICO’s CMP logic and procedures. I’m not convinced, as I think some pretty important questions remain unanswered about the ICO’s handling and thought process in this area. I should share that I previously sat in on CMP meetings so have a little inside knowledge, although my former employers will no doubt be encouraged that I take enough interest in the legislation to know what Section 59 does (and doesn’t) apply to.


In any case, if I was going to share my inside line, I’d rather follow the lead of the former Head of Enforcement, who went to work for FFW who coincidentally have since pocketed a staggering 168k representing a public authority in a single CMP case. Moral of the story – that type of knowledge is to be sold, not to be told (feel free to contact me Sony legal department ahead of your forthcoming appeal).

We know from the recent appeal that the ICO divide CMP’s into 3 categories, Serious, Very Serious and Most Serious, with each category having a financial band. Aside from the slightly inelegant language, that seems a broadly sensible approach.

What has become apparent to me, however, is that 1) there is no consideration of where breaches occur without an associated incident and 2) there are no criteria, explanation or perhaps even logic on how breaches are classified into each band.

In making this analysis, I would accept that I may well be wrong here, because I haven’t made an FOI request for any information held in relation to the above. That’s because I wouldn’t wish to needlessly add to the testing workload of my former colleagues, especially because recent events have shown us how much a team of 12 people can struggle to keep on top of things when the majority are women. Only joking sisters, love you really!

Moving on from the satirical sexism, let’s address my first contention, essentially that the ICO’s CMPs only react to data incidents, not DPA breaches. I’d begin by noting that at no point does the CMP guidance introduce the concept of punishing for a particular incident – it’s for the breach of the DPA itself. The ICO isn’t there to provide punitive redress to those who may have been wronged in some way – but to punish for a serious breach of the DPA. As I’ll expand upon below, it’s quite possible for a concerning incident involving personal data to occur that perhaps doesn’t even equate to a breach of the DPA.

If the ICO was indeed issuing CMPs for serious DPA breaches, as opposed to punishing incidents, then if I self reported that my organisation didn’t encrypt laptops containing sensitive personal data (we do), would that not be a serious 7th principle breach and one likely to cause damage and distress in the event they were lost/stolen? It would fit each of the criteria required to impose a fine. Yet the ICO hasn’t fined one organisation for a breach where there wasn’t an incident. Why wait for the incident to occur before taking action against a breach? Furthermore, most of the published discussion around CMPs focuses on the incident, such as the numbers affected and the type of information lost in that particular case. Admittedly it could be argued that where there is not an incident, it is much harder to demonstrate that the breach would be of a kind likely to cause damage/distress, but from my anecdotal experience, I don’t think that is how things are looked at.

Similarly, with reference to the second strand of my perspective, the breach appears to be determined to be serious by the ICO almost entirely because of the specifics of the incident. There is minimal consideration of what the Data Controller did wrong in DPA terms.

Over 90% of the ICO CMPs have been for breaches of the 7th Principle, so I will focus my analysis around that principle. The gist of the principle is basically that the greater the amount of information and the sensitivity of that information, the more measures should be put into place to protect it – a proportionate approach.

To breach that principle, you would have failed to have put ‘appropriate’ measures in place. So for it to be a ‘serious breach’, the ICO should probably establish the deficit between the measures actually in place and the measures that should have been in place. If the gap is significant, one could then move on to looking at whether the breach was of a sort likely to cause substantial damage/distress.

The CMP for Sony typically sidesteps this issue of ‘seriousness’, instead concluding

“The contravention is serious because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing and the nature of the data to be protected”.

I find that analysis exceptionally weak. Firstly, where the measures don’t match the risk, it is by definition a breach – where does the increased severity to a serious breach derive from? The ICO’s summary here appears to be saying that because it is a breach, it is a serious breach. I’m not saying it’s not serious, simply highlighting that there is no explanation offered by the ICO. Further, given we know that this case has ended up with a £250k fine, the ICO have in fact held this to be a very serious breach. Shouldn’t the language used be comparable to the conclusion formed?

When considering the aggravating factors, it does mention that the “contravention was particularly serious because of the nature and amount of personal data”, but that again is weak because of the implication that any breach involving large amounts of data is a serious one. Again, the incident might be serious, but I’m not convinced it makes the breach itself serious, not least because there might be a case where the data controller just made one small mistake and that led to an incident that would be likely to cause damage and distress for a large number of people. Is that more, or less of a serious breach than a data controller being completely reckless with 1 person’s data thus causing huge damage?

The FTT commented in the CLCH appeal that they thought the ICO could have classified that case as “very serious” on the basis of the number of organisational failings – essentially judging the seriousness of the breach against the failings against the 7th principle. The ICO has not stated in its written guidance that such factors will be considered at all and it’s missing from the CMPs, again suggesting they are focussing more on the incident and working backwards from there.

For example, information could be lost or accidentally disclosed as a result of an error by a data processor. Where the data controller is considered to have followed all the appropriate steps for selecting and monitoring the data processor, it might be the case that technically there was no breach of the DPA at all – or perhaps more accurately not of the 7th principle. If you select a specialist data processor, ensure you have a watertight contract and audit them regularly, would you not be well placed to argue you had taken appropriate measures to keep information secure, even where an incident then occurred? Or likewise if you train staff regularly and have the best policies in the country but an employee decides to leave sensitive papers stuffed in a hedge?

Had the data controller followed all of the correct steps but not carried out regular audits of the Data Processor, then in my mind that would be a breach of the 7th principle – but not a serious one in the sense the gap between what they should have done and what they did do was relatively small. A serious breach would be just flinging out the outsourcing to the cheapest provider, with no contract and no checks. The reality is that incidents usually occur as a result of a breach, but the extent to which the incident has been caused by technical and organisational failings will of course differ and that’s where I feel the ICO is somewhat blinkered.

To again take the example of Sony, they had online security, it just wasn’t sufficient to withstand a targeted and sophisticated criminal attack. It strikes me that the breach itself was at the lower end of the spectrum, in terms of assessing the difference between what they should have done, and what they actually did. What would the fine have been if they had no security at all?

I’m not suggesting that the numbers affected and the level of (potential) damage/distress should be ignored, as that would be a bit perverse. Indeed, I would like to see those factors considered in conjunction with the severity of the DPA breach by the data controller (e.g. severity of breach x numbers affected x potential damage/distress). But above all, I’d like to see those handing out the fines being clear about their reasoning.

On a slightly different note, something also caught my attention about the recent CMP to the Nursing and Midwifery Council. Incidentally, whilst it might be a bit of a pipedream to think I might catch the eye of the Sony Appeal lawyers, it’s more of a lifelong dream to catch the eye of a gaggle of Nurses. They were essentially subject to a CMP because they didn’t have a policy to encrypt DVDs containing evidence sent to a fitness to practise hearing. The guidance in such matters is very clear, so in some ways there is no debate, but it did cross my mind that had they sent the very same information (apparently witness interviews) in paper form, then would they have faced similar action? Sending personal information on a disk shouldn’t really be considered more insecure than sending the same information in paper form. If a bundle of papers had vanished having used a courier, would that have seen a 6 figure fine?

I’m not setting out to be a vocal critic of the ICO, as aside from anything else I think that market is saturated, so I should perhaps balance my criticism of the ICO by acknowledging that on the whole the CMPs seem to be broadly consistent, reflective of a logical precedent based approach. I just feel that it would also be good to take a step back and think about the basis behind some of the fines – admittedly easier said than done when faced with a constant stream of breaches (sorry, incidents) to investigate. Hopefully my analysis will therefore help. If so I seek no plaudits – although I wouldn’t mind one of those generous free dinners (page 7) the Commissioner manages to get through the expenses policy (page 14), disproving the old adage that there’s no such thing as a free lunch (page 1).


What Price Frivolity and Freedom?

The blogosphere is full of well written and impressively articulated arguments in support – or perhaps more accurately in defence – of FOIA, but I’ve always found it surprising that those who have spent time at the coalface don’t feel greater frustration with the legislation and its wider cost. I write this as someone who spent 2 and a half years dealing with information requests, many of which were frivolous by any reasonable interpretation of the word. I’m a fan of FOI but feel that misuse of the Act weakens its reputation and subsequently its wider effectiveness – whilst also diverting valuable resources in tough times.

The current legislation makes no allowance for the use of frivolous requests; the bar is instead set considerably higher at ‘Vexatious’, meaning that sarcastic requests about Zombies are afforded a level of respect and attention that most sensible observers would find a matter of regret. OK, not all silly questions take long to deal with, but the fact remains that such requests have to be formally responded to, can then be subject of an internal review, complaint to the ICO and referral to the Information Tribunal – all at no cost to individuals who often appear to use the Act as simply a continuation of a complaint.

On a similar basis, the cost of FOI is something that usually attracts huge criticism by those who defend it. Ironically, those who seek transparency of public spending recoil in horror when the costs of FOI are openly examined or discussed. Let me be clear, and let us all be honest, Freedom of Information does not come cheaply – so whilst it might be free at the point of sale, we are collectively still paying for it.

Those who make a disproportionate number of requests clearly have the most to lose from a proposed charging regime. So we should perhaps consider very carefully the motives of an individual who admits to making around 700 requests a year whilst aligning himself to the campaign to resist charging. He may well be a principled campaigner raising issues of great importance and identifying significant cost savings – but clearly self-interest is also engaged.

By way of example I was expected to do circa 180 requests a year, with my modest salary hovering around £25,000. Sure, I had some ad hoc Governance project work to carry out as well, but a crude starting calculation takes it to around £140 a request. The cost of employing me was probably more like well over £40k+ when you factor in pension and NI contributions etc. My calculation also doesn’t consider the cost of colleagues’ time in providing input to a response (think how much time alone is spent on Section 36 considerations by senior/expensive staff?). I don’t know how one would ever arrive at a calculation, as the Justice Committee have just suggested, but the ballpark figures are interesting nonetheless. So Mr Benson’s 700 requests a year are probably costing considerably over £100,000 – that’s before any costs of his Internal Reviews and other stages of complaint are factored in.

I was one of 6 dedicated request handlers in an organisation employing around 350 people. Some may argue that being transparent in times of recession saves money, but even if others believe that, I don’t. Let me put it this way, if you ran a private company with 350 employees, would you really shell out for 6 full time staff (plus managers) to allow people to scrutinise you in the belief it would save you money and identify cost savings? I wouldn’t. Loyalists argue that there is a cost limit (essentially implying a £450 limit on the cost of a request) but the time spent considering, redacting and preparing a response is not considered, hence a position where requests can take 5 months to process.

A Nottingham City Councillor claimed FOI was costing his Council £500,000 a year and came under strong attack for his statement. He may or may not have been over-egging the pudding, but to suggest that the true figure was just £64,000 is equally wide of the mark, given it takes no account of printing costs, preparing and attending ICO Complaints and Tribunal hearings, the management of a disclosure log etc. For the record, my money is firmly on the £500,000 being a lot more accurate than the £64,000, but in both cases it appears the authors are letting their respective opinions on FOI dictate the figures.

Meanwhile, Nottingham’s rivals down the Brian Clough way, Derby City Council, somehow managed to spend just £31,500 apparently responding to 939 requests, which suggests that either a) they were a damn sight more hardworking than me, b) that figure is bollocks or my own vote c) both of the above.

A more sensible argument would surely be that whilst it costs, FOI is a necessary cost of democracy. That’s certainly my take on it. But the point I have been clumsily fumbling around with here is that if you have confidence in your position, you shouldn’t be afraid of facts and nor should you avoid any criticism of the current legislation. Those with such an interest in FOI should be amongst the first to want to know what it costs and find ways to cut the crap. Nor should they attack those who wish to prioritise caring for the elderly (councils), dealing with more crime (the police) or rising pupil numbers over providing information about student wanking pranks.
