CIVIL MONETARY PENALTIES FOR SECURITY BREACHES OF PERSONAL DATA

January 13th, 2010 by James Goudie QC

The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, SI 2010/31, and the Draft Data Protection (Monetary Penalties) Order 2010, create a framework for the Information Commissioner to serve a monetary penalty notice on a data controller if he is satisfied both that there has been a serious contravention by the data controller of the data protection principles and that the contravention was of a kind likely to cause substantial damage or substantial distress. The contravention must be either deliberate, or one which the data controller knew (or ought to have known) would occur and would be of a kind likely to cause substantial damage or substantial distress, but which he failed to take reasonable steps to prevent.

The Regulations prescribe the maximum amount of a monetary penalty.  They also set out the minimum details to be contained in a notice of intent, and in a monetary penalty notice.

The Order sets out procedural details of the issue of a monetary penalty notice following a notice of intent.  It also contains details of when enforcement action can be taken, and the power to cancel or vary a monetary penalty notice issued by the Information Commissioner, as well as details of appeal rights of data controllers.    

REDACTION IS NOT PART OF THE COST OF COMPLIANCE

January 6th, 2010 by Robin Hopkins

Public authorities will wish to note the Information Tribunal’s recent confirmation of the Commissioner’s view that the costs of redaction do not count towards the cost of complying with a request, and should thus be ignored for the purposes of s. 12 FOIA.

That section contains an exemption where the estimated cost of compliance with a request under FOIA would exceed the appropriate limit set by the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004. By regulation 4(3)(d), the “allowable tasks” for the purposes of the cost calculation include “extracting the information from a document containing it”. In its recent decision in Chief Constable of South Yorkshire Police v Information Commissioner (EA/2009/0029), the Tribunal held that this did not extend to redaction.

A differently constituted Tribunal had reached the same decision in Jenkins v IC and DEFRA (EA/2006/0067), but had observed that the point was not free from doubt. The more recent decision – which deals with both statutory construction and matters of principle – appears to have dispelled this doubt.

Home Office publishes response to its consultation on communications data

November 16th, 2009 by Robin Hopkins

The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.

The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.

A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.

As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.

Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.

The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.

Abortion statistics: identification of patients and doctors held to be unlikely

November 2nd, 2009 by Robin Hopkins

In 2003, the Department of Health significantly reduced the detail of publicly available statistics on abortion operations: for example, no information was any longer to be released about post-24-week abortions carried out on the grounds of foetal medical defects. The Department relied principally on s. 40 FOIA in refusing the Prolife Alliance’s request for more detailed data. The Information Tribunal has, however, ordered the statistics to be disclosed: see Department of Health v IC (Additional Party: the Pro Life Alliance) (EA/2008/0074). The Tribunal agreed with the Department that the requested abortion statistics, although entirely anonymised, did constitute personal data because they were not anonymous in the hands of the data controller. The Department’s principal concern, namely the inferential identification of doctors or patients, was not, however, considered ‘likely’ in the circumstances. This factual finding meant that, in the Tribunal’s view, the release of the requested personal data was fair and lawful and that (under paragraph 6(1) of Schedule 2 to the DPA) the potential prejudice to patients and doctors was outweighed by legitimate third party interests in (inter alia) monitoring compliance with abortion law, identifying abortion trends, informing public debate and encouraging accountability of medical practitioners. The decision is of note for its detailed analysis of the ways in which individuals might be identified from statistical data, and for the Tribunal’s reliance on the Corporate Officer of the House of Commons litigation (in its various stages) for guidance on the balancing test under paragraph 6(1) of Schedule 2 to the DPA.

The application of FOIA to public service broadcasters

October 7th, 2009 by Ben Hooper

Two High Court judgments were handed down last week on what has become known as the BBC’s “derogation” – its limited entry in Sch. 1 to FOIA, under which FOIA applies to the BBC only “in respect of information held for purposes other than those of journalism, art or literature”. Channel 4 and S4C (the Welsh television channel) have entries in Sch. 1 to the same effect.

The cases were Sugar v. BBC and BBC v. Information Commissioner. The former concerned a request for an internal BBC report into Middle East reporting; the latter concerned four sets of requests for various items of financial information relating to the BBC’s programme output. In both cases, Irwin J rejected the submission advanced by all parties that a test of dominant purpose should be used when applying the derogation (i.e. that where information was held for a variety of purposes, it would be outside FOIA if it was predominantly held for the purposes of “journalism, art or literature”). Instead, Irwin J applied a de minimis approach and held that, on a proper construction of the derogation, “the BBC has no obligation to disclose information which they hold to any significant extent for the purposes of journalism, art or literature, whether or not the information is also held for other purposes.” (See para. 65 of Sugar).

It is as yet unclear whether this aspect of the judgments will be challenged on appeal. Unless and until it is, it would seem that the scope for applying FOIA to information held by the public service broadcasters is more limited than was previously thought to be the case.

The Law Officers’ Convention and the Ministerial Code – High Court Judgment

August 7th, 2009 by Robin Hopkins

The recent judgment in HM Treasury v Information Commissioner and Evan Owen [2009] EWHC 1811 (Admin) saw the High Court quash a decision by the Information Tribunal requiring HM Treasury to disclose whether or not it held advice from the Law Officers on the compatibility of the Financial Services and Markets Bill with the Human Rights Act.

By a long-standing constitutional Convention – recognised in the Ministerial Code – the fact that the Law Officers have been consulted is not disclosed outside government without the consent of the Attorney General. This is specifically accommodated in the qualified exemption under section 35(1)(c) FOIA. The Tribunal, however, had upheld the Commissioner’s decision that the public interest favoured disclosure in this case.

Blake J held that, in so doing, the Tribunal failed to afford due weight to three factors. First, the fact that section 35(1)(c) aimed not to supplant the Convention, but to preserve it subject to a public interest test. Secondly, the views of experienced civil servants on the consequences of departing from the Convention. Thirdly, those factors counting against disclosure that were based on generalised rather than specific harm. The Tribunal had also failed to evaluate for itself the strength of the public interest in disclosure in light of the extensive legal advice that had already been publicised on this issue.

Given that similar factors have been discussed in a number of other High Court judgments referred to by Blake J, this judgment makes a notable contribution to the jurisprudence on the public interest balancing test.

Reforming the Information Tribunal

August 5th, 2009 by Timothy Pitt-Payne QC

A letter was circulated yesterday (4th August) to “stakeholders” of the Information Tribunal, giving information about the implications for the Information Tribunal of the new unified tribunal structure.

The new structure involves a system of First Tier tribunals and Upper Tribunals. The Information Tribunal will be one of a number of tribunals that transfer into the General Regulatory Chamber (GRC), one of the First Tier tribunals.

According to the letter, from January 2010 information rights cases will generally be heard in the GRC, with an appeal to the Administrative Appeals Chamber of the Upper Tribunal on a point of law. However, in some circumstances cases will be heard in the first instance in the Upper Tribunal. This will be where the appeal is complex, unusual, or particularly important. In addition, national security appeals (under section 28 of the Data Protection Act 1998 or section 60 of the Freedom of Information Act 2000) will go straight to the Upper Tribunal.

The procedural rules for those tribunals moving into the GRC in September 2009 have now been finalised and laid before Parliament. This includes the Charity Tribunal, the Estate Agents Appeals Panel and the Consumer Credit Appeals Tribunal. For those jurisdictions moving to the GRC in January 2010 – including the Information Tribunal – any further specific procedural rules will be added by amendment once Parliament has approved the transfer. Approval is expected later this year.

Lock up your data

June 5th, 2009 by Timothy Pitt-Payne QC

The importance of ensuring the security of personal data has been highlighted in a recent press release from the ICO dated 4 June 2009. The ICO has found Salford Royal NHS Foundation Trust in breach of the Data Protection Act, after a desktop computer containing sensitive personal information relating to around 3,500 patients was stolen. Although the computer was password protected, it was not encrypted or secured to a desk.

A formal undertaking has been signed by the Trust. It will ensure that: appropriate security measures are in place to restrict access to areas where personal information is stored; desktop computers are secured to desks to prevent easy removal; any personal data required to be held on a portable device is suitably encrypted; and personal details are not retained on any computer for longer than is required.

Mick Gorrill, Assistant Information Commissioner at the ICO, emphasised that the worrying trend of personal data losses must be rectified. He said:

“I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients do not fall into the wrong hands.”

Many thanks to Andrew Smith, currently a pupil at 11KBW, for preparing a first draft of this post.

Doing it by the book

June 5th, 2009 by Timothy Pitt-Payne QC

The Information Commissioner’s Office has today announced the latest version of the Privacy Impact Assessment Handbook.  As the title indicates, its purpose is to help organisations to identify and address the privacy risks of their activities.

Following the HMRC data breach in November 2007, the Cabinet Office introduced a requirement for all central Government departments and their agencies to conduct Privacy Impact Assessments (PIAs) when developing new systems. The ICO encourages all organisations to incorporate data protection safeguards into any new project involving personal information.

The handbook is in two parts: Part I (the first two chapters) gives an overview of the PIA process, with detailed information about privacy, common risks, and possible solutions; Part II then gives a practical guide to conducting a PIA. There are also four appendices, with examples of screening questions, checklist templates, and privacy strategies.

The handbook should help organisations to make reasoned judgments about the privacy implications of new projects or technological innovations. Some of the recommendations may overlap with privacy work already being done by organisations. A PIA does not have to be conducted as a totally separate exercise; indeed, it may be helpful to look at privacy issues in a broader policy context.

Many thanks to Andrew Smith, currently a pupil at 11KBW, for researching this post and preparing a first draft.

Who blacklists the blacklisters?

May 11th, 2009 by Timothy Pitt-Payne QC

In March this year the Information Commissioner took enforcement action against the Consulting Association, which had been operating a secret blacklist of employees in the construction industry, including details of trade union activity.  Today the Department for Business, Enterprise and Regulatory Reform has announced that new regulations will be introduced to outlaw the use of blacklists in this way.  There is a power to regulate under section 3 of the Employment Relations Act 1999, but so far it has never been used.  A consultation exercise is promised for early summer.  Draft regulations were previously prepared in 2003, and there was full consultation; so this time round the consultation will be shorter than the normal 12 week period.

It is very interesting to see such a direct link between action by the ICO, and new regulations.  The Government line had previously been that there was no evidence that regulations were needed.  The ICO has now provided them with their missing evidence.

Blacklists have a long history.  The Economic League attracted controversy in the 1980s (and was eventually disbanded in 1994); apparently it had a list of 22,000 political subversives, including one Gordon Brown MP.

Employment vetting is much in the news at present and is clearly attracting great interest.  We are currently considering an exciting project in this area:  watch this space!