Welcome to the November 2008 edition of the Information Commissioner's e-newsletter.

This newsletter provides a round up of freedom of information and data protection developments and outlines information and guidance available from the Information Commissioner's Office (ICO).

Data breaches

The ICO has received 277 reports of data breaches since the HMRC loss last November and is investigating the most serious 30.

In a speech at the RSA on 29 October, Richard Thomas highlighted the risks associated with large databases and the need for tougher sanctions to deter data breaches, and called on chief executives to take responsibility for the personal information their organisations hold.

He said: "It is alarming that despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues. We have already seen examples where data loss or abuse has led to fake credit card transactions, witnesses at risk of physical harm or intimidation, offenders at risk from vigilantes, fake applications for tax credits, falsified Land Registry records and mortgage fraud. Addresses of service personnel, police and prison officers and battered women have also been exposed. Sometimes lives may be at risk."

He continued: "The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total. How many PCs and laptops are junked with live data? How many staff do not tell their managers when they have lost a memory stick, laptop or disc? Many losses are probably simply undetected."

Organisations that process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to it.

The ICO has produced guidance for organisations about some of the things that need to be considered in the event of a data security breach, for example the loss of a hard drive, memory stick or disk containing personal details.

ICO guidance on data security breach management
ICO guidance on reporting a data breach to the ICO

ICO vacancy: Assistant Commissioner - Head of Casework

£43,350 - £58,650 pa + benefits + pension • Wilmslow
As the UK's independent authority, our challenge is to promote access to official information, while protecting your personal information from prying eyes. In this vital, high profile role, it will be the target you focus on achieving too as you lead our Data Protection Casework and Freedom of Information Casework Divisions. From investigating complaints to analysing trends and identifying future developments, you'll drive the performance of both teams and promote continuous improvement across all areas. If you've senior level operational management experience, discover how you could help to protect the nation, advance your career and play an integral part in our future. For further details and an application form, please visit www.icocareers.co.uk or call 01625 545 735. Closing date: 14 November 2008.

The ICO is committed to Equal Opportunities in employment and welcomes applications from all sections of the community.

MOJ begins to recruit a new Information Commissioner

Richard Thomas retires from the ICO in June 2009. The Ministry of Justice has started the recruitment process for a new Information Commissioner.

In the meantime it's business as usual at the ICO where we'll continue to deliver our commitments as promised in our corporate and business plans. ICO Corporate plan.

The ICO's Student Brand Ambassador Programme

Richard Thomas meets the ICO's Student Brand Ambassadors

The ICO has launched a Student Brand Ambassador programme in partnership with the Campus Group (a company dedicated to student and youth marketing campaigns). The campaign will run from October 2008 to December 2008.

15 students from universities throughout the UK have been recruited to promote key ICO messages on and off campus. The campaign primarily targets students and is aimed at alerting them to the risks associated with their personal information and the importance of protecting it.

Under the campaign the students will work with local and university media, letting agents, and other student support groups to promote the campaign's key messages.

Data protection and PECR

 

Manchester conference: Privacy by design, 26 November 2008

On Wednesday 26 November 2008 the Information Commissioner's Office will be hosting the 'Privacy by Design' conference at the Lowry Hotel in Manchester. The centrepiece of this free conference will be the publication of a report commissioned by the ICO, promoting the concept of privacy by design.

The conference is now full, and the report will be available online from 26 November.

To read more about the conference, click here.

Dundee conference - Managing data, managing risk, 6 November

The ICO's Scottish Office is hosting its first conference, at Discovery Point, Dundee, on 6 November 2008. Titled 'Data Protection: Managing Data, Managing Risk', the conference brings together data protection practitioners from the public and private sectors to identify and share best practice in security.

The event is now full and a conference report will be available in the next e-newsletter.

As well as David Smith and Ken Macdonald from the ICO, speakers include David Buchanan-Cook from KPMG, Alan Dobie from the Scottish Business Crime Centre and Robert Forman from the Scottish Government. Workshops will be led by Dr Alison McCallum (NHS Lothian), Dougie Smith (Inverclyde Council) and Mick Gorrill and Stephen McCartney (both ICO).

Data protection duckout

To mark the launch of Stupid aid week (1-5 September) the ICO urged organisations not to hide behind the Data Protection Act unnecessarily when dealing with individuals' requests for help or information. The week highlighted common misunderstandings such as the belief held by some organisations that data protection stops them giving out any personal information or prevents them from dealing with certain types of enquiries.

A good 'duckout' example was the story of a Marks & Spencer employee who told the mother of a seven-year-old that they could not talk to her about the delivery of her son's Superman suit because it would infringe his data protection rights.

If you have any of your own examples of 'data protection duckouts' we'd love to hear them: please email robert.parker@ico.gsi.gov.uk.

ICO project to review EU data protection directive

The ICO has hired RAND Europe to conduct research into the EU Data Protection Directive.

The project team has begun its research work and selected stakeholders are being invited to a workshop in November.

The research has been commissioned amid growing fears that the current European Directive is no longer fit for purpose, and because European data protection law needs to be modernised to meet the technological and social challenges of the 21st century. The research will consider how individuals' rights can be enhanced in a rapidly evolving information society and will provide EU bodies, national governments and the data protection community with proposals for improving regulatory approaches to protecting privacy and personal information.

The study will be published in Spring 2009.

Ensuring Consent and Revocation project (ENCORE)

The ICO has been invited to become a member of the EnCoRe project's user advisory group.

EnCoRe is a collaborative project being undertaken by UK industry and academia. Their vision is to make giving consent [to share personal information] as reliable and easy as turning on a tap, and revoking that consent as reliable and easy as turning it off again.

www.encore-project.info

Funding is being provided by the Technology Strategy Board, Engineering and Physical Sciences Research Council, and Economic and Social Research Council.

Get Safe Online awareness week - 17 to 21 November 2008

The Get Safe Online internet safety and security initiative is now in its fourth year. A summit meeting at Somerset House in London on 17 November will start this year's awareness week. Organised by GetSafeOnline.org the meeting will:

To register your interest please reply to admin@getsafeonline.org.

GetSafeOnline.org is a joint initiative between the Government, the Serious Organised Crime Agency (SOCA) and private sector sponsors from the worlds of technology, retail and finance.

ICO offers personal information 'health check'

To mark National Identity Fraud Prevention Week in September, the ICO invited individuals to test how well they look after their personal information by completing the Personal information healthcheck quiz, which is still available on the ICO's website.

The online quiz provides advice to individuals on how to protect personal details and reduce the risk of identity fraud.

International network of data protection communicators

The ICO is leading the international network of data protection communicators, an idea conceived at the 28th International Data Protection and Privacy Commissioners conference in 2006. The aim of the group is to provide a network of contacts for those in data protection authorities working on data protection and privacy communications, offering support, information and advice. It also hopes to provide a means of benchmarking data protection and privacy communications activities, and to carry out specific international projects or liaison on international communications issues, as required by the Commissioners.

For more information please contact susan.fox@ico.gsi.gov.uk.

New guidance

The ICO issues guidance in the form of good practice notes, 'It's your information' notices and technical guidance. Since the last newsletter in July the ICO has published the following:

Enforcement action

25 September 2008: The ICO issued the Department for Communities and Local Government with an enforcement notice after it failed to supply an individual with information it held about that person.

Press release
Enforcement notice

30 September 2008: The ICO found Virgin Media Limited in breach of the Data Protection Act following the loss of an unencrypted CD containing the personal details of more than 3000 customers.

Press release
Formal undertaking

Prosecutions for failing to notify

30 July 2008: The ICO successfully prosecuted London accountant, Mr Aziz Arian of Arian and Co Accountants. Mr Arian was fined £400 and ordered to pay costs of £518.40, plus a victims' surcharge of £15.

Press release

21 August 2008: The ICO successfully prosecuted Middlesex accountant, Mr Satish Lakhani of Lake and Co Accountants. Mr Lakhani was fined £300 and ordered to pay costs of £483.40, plus a victims' surcharge of £15.

Press release

18 September 2008: The ICO successfully prosecuted Waltham Forest accountant, David Wenham of David J Wenham and Co. Mr Wenham was fined £450 and ordered to pay costs of £587.40, plus a victims' surcharge of £15.

Press release

Privacy and Electronic Communication Regulations (PECR) enforcement action

Unsolicited direct marketing faxes

Liberal Democrats breach PECR

25 Sep 08: The ICO took enforcement action against the Liberal Democrats after finding the party in breach of the Privacy and Electronic Communications Regulations. This follows complaints from the public and an investigation by the ICO into the party's use of automated phone calls.

Freedom of information and Environmental Impact Regulations

 

New and updated guidance

Earlier this year the ICO embarked on an extensive programme to refresh freedom of information guidance for individuals and public authorities.

The list below sets out what has been produced or updated since the last newsletter issued in July 2008.

New guidance:

Updated guidance:

Publication schemes for authorities merging or undergoing boundary changes

The ICO has received enquiries from authorities that are merging or undergoing boundary changes on 1 April 2009, asking whether they need to adopt the new publication scheme. The answer is yes, they do. We expect all existing bodies to comply with legal requirements by adopting and operating in accordance with the approved model publication scheme from 1 January 2009.

Click here for more.

Freedom of information requests: training DVD from the ICO

The ICO is producing a free DVD to help organisations respond to freedom of information requests. The DVD will be available by Christmas and lasts around 15 minutes. Viewers will meet some interesting characters who will take them through the importance of records management, keeping up to date with guidance and adopting approved publication schemes, together with information and comment about relevant exemptions, refusal notices and good customer service.

To receive your copy by Christmas please email a request to: robert.parker@ico.gsi.gov.uk.

Understanding the formulation and development of government policy in the context of FOI

The ICO has invited bids to research and produce a report to gain further understanding of government policy making in the context of freedom of information.

The project will examine policy formulation and development in central government. It will inform the Commissioner's policy framework for casework, on the freedom of information exemption 'information which relates to the formulation or development of government policy'.

Freedom of information case update

During the second quarter of the financial year 2008/2009 we received 758 complaints under the Freedom of Information Act and Environmental Information Regulations.

This diagram outlines FOI cases received and resolved up until the end of September 2008.

ICO decision notices

For details of all decision notices issued by the ICO go to the decision notices page of the ICO website.

Some notable decisions announced since publication of the last e-newsletter include:

1 Aug 2008 - ICO orders names of work-related deaths to be released

The ICO has ordered the Health and Safety Executive to disclose the names of individuals who have died in work-related incidents - but only after the coroner's inquests had opened.

Decision Notice FS50104541

8 Aug 2008 - ICO agrees Nuclear Decommissioning Authority right to withhold draft papers on radioactive waste storage methods

Under the Environmental Information Regulations (EIR), the ICO has ruled that the Nuclear Decommissioning Authority (NDA) was right to refuse a request to see the draft report into potential areas of radioactive waste storage methods in the UK. The ICO agrees that the draft report represents a dated review and that the final report, already in the public domain, provides a more current guide to where the NDA intends to focus its future activities.

Decision Notice FER0178729

21 Aug 2008 - ICO orders Hampshire Constabulary to disclose details of cars provided to chief officers

The ICO has ordered the Chief Constable of Hampshire Constabulary to disclose the make and model of vehicles provided for personal use to two Assistant Chief Constables.

Decision Notice FS50129974

9 Oct 2008 - ICO orders release of Ofsted inspectors' notes

The ICO has ordered Ofsted to release a redacted version of the handwritten evidence forms completed during an inspection of St Patrick's Primary School in Bristol.

Decision Notice FS50123184

13 Oct 2008 - ICO agrees King's College right to withhold drug testing procedures

The ICO has ruled that the standard operating procedures used by King's College London, when testing for the use of performance enhancing substances, should not be disclosed.

Decision Notice FS50125293

14 Oct 2008 - ICO rules against BERR over details of Employment Tribunal cases

The ICO has ordered the Department for Business, Enterprise and Regulatory Reform (BERR) to release the names and addresses of organisations involved in Employment Tribunal cases.

Decision Notice FS50080369

17 Oct 2008 - ICO orders two housing associations in Northern Ireland to respond to EIR requests

In two separate decisions the ICO has ruled that two housing associations in Northern Ireland are public authorities for the purpose of requests under the Environmental Information Regulations (EIR) and is ordering them to release information on property development - or issue a formal notice stating why the information should not be disclosed.

Decision Notice FER0152607 and Decision Notice FER149772

Feedback

We welcome your comments on our e-newsletter. If you have any comments or suggestions please e-mail websitefeedback@ico.gsi.gov.uk.

The ICO is the UK's independent public body set up to promote access to official information and protect personal information.

We enforce the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations, regulating the organisations that come within their remits.

We provide guidance to organisations and individuals to promote awareness of information rights and obligations, ensure compliance with the law and encourage good practice.

We rule on eligible complaints and can take action when the law is broken.