e-newsletter edition 4

The ICO has appointed Steve Wood to the post of Assistant Commissioner. He will be responsible for leading the FoI policy team which develops policy relating to Freedom of Information Act issues and provides advice on the substance, quality and consistency of freedom of information complaints.

Steve is recognised as one the country's leading commentators on the Freedom of Information Act and is a respected member of the FOI community. He currently edits the website http://foia.blogspot.com/ and is founding editor of "Open Government: a journal on freedom of information".

He will join the Information Commissioner's Office from Liverpool John Moores University where he is currently Programme Leader for the BSc E-Business programme. He previously worked for HM Treasury and the Cabinet Office as Intranet and Extranet Manager.

The Lord Chancellor has announced that the Government will amend the Data Protection Act 1998, to introduce custodial penalties of up to two year's imprisonment for people and organisations found guilty of breaching section 55 of the Data Protection Act. Section 55 makes it a criminal offence to obtain personal data from Data Controllers without their consent. It is also an offence to sell personal data that are illegally obtained.

The Government's plan to amend the Data Protection Act is in response to a proposal made by the Information Commissioner. In early 2006 the Commissioner placed a special report before Parliament, 'What price privacy' in which he detailed how a market has been created for illegally obtained personal data. In December 2006 the Commissioner followed up his initial report with 'What price privacy now?'

The Culture, Media and Sport committee has recently announced a new inquiry into self-regulation of the press and the efficacy of the Press Complaints Commission Code of Practice, with particular reference to the recent case of illegal access to voicemail messages, the trade in personal data identified by the ICO and the treatment of public figures by photographers working on behalf of the press.

ICO Richard Thomas has been asked to attend the inquiry which is to address the following questions:

• Whether self-regulation by the press continues to offer sufficient protection against unwarranted invasions of privacy;
• If the public and Parliament are to continue to rely upon self-regulation, whether the Press Complaints Commission Code of Practice needs to be amended;
• Whether existing law on unauthorised disclosure of personal information should be strengthened; and
• What form of regulation, if any, should apply to online news provision by newspapers and others.

The ICO's office in Wales is now well settled in their new permanent home in the historic area of Mount Stuart Square in Cardiff Bay.

To mark the occasion a small launch event was held on 13 December which brought together Freedom of Information and Data Protection practitioners, members of ICO executive team and locally based staff.

Welcoming guests to the new office Anne Jones, Assistant Commissioner (Wales) commented that having a permanent base and better facilities meant that ICO (Wales) was now better placed to both build on work already done and to further engage with stakeholders in Wales.

Tel No. 029 2044 8044
Email wales@ico.gsi.gov.uk

The ICO website is now supported by the Browesaloud screen reader. Browesaloud reads aloud web pages for people who have difficulty reading text online. You can download this free service by clicking on the texthelp logo situated on the ICO's website homepage.

The ICO has conducted research into how individuals currently protect their personal information. The survey was published on European Day Protection day 29 January 2007 and showed that:

• 19% have fallen victim to identity theft
• 32% admit to throwing away bank and credit card statements without shredding them first
• 25% admit to not routinely checking their bank or credit card statements for unfamiliar transactions
• 45% of people use the same PIN or password on more than one account
• 36% have made an online card transaction without checking the security of the site
• 88% click on links to websites from an email instead of typing in the URL
• 81% of people have never requested a copy of their credit file
• 33% say they receive over 50 unwanted sales calls, marketing emails and 'junk mail' each month
• 21% of 16-25s admit to throwing away bank and credit card statements without checking them first
• 16% of 16-25s have entered sensitive personal information on a blog, social networking site or in a chat room

The Personal information toolkit was launched on European data protection day and explains how people can protect, access and correct their personal information. It also advises people how they can reduce unwanted sales call and junk mail.

Another element of this campaign to raise awareness are two public information films: Man in the Mirror and Mistaken Identity. These highlight the problems people can face if they are victims of identity crime or inaccurate information is held about them. They also draw the viewer's attention to the ICO's personal information toolkit.

The films have been produced by COI and will be distributed to over 100 terrestrial and digital TV channels including the BBC. As public information films are not commercials and shown in donated airtime, they will be available for use indefinitely.

14 November 2006 - Husband and wife team convicted of obtaining personal information unlawfully

Stephen and Sharon Anderson of St Ives in Cambridgeshire have been convicted of illegally obtaining and selling personal information. Mrs Anderson was fined a total of £4,200 and Mr Anderson was fined £3,300. Each was ordered to pay a contribution to prosecution costs of £3,694.

The couple used 'blagging' techniques to obtain personal information about individuals from a number of organisations including Her Majesty's Revenue and Customs, British Telecom and banks. On a number of occasions the 'blaggers' purported to be employees of these organisations and deceived the true members of staff into disclosing personal information about individuals.

12 December 2006 - 'Blagger' sentenced for unlawfully obtaining personal information

Anthony Gerald Clifford has been sentenced to an 18 month community penalty incorporating 150 hours community service after pleading guilty to 16 counts of illegally obtaining and selling personal information.

14 December 2006 - Liverpool City Council prosecuted for data protection offences

In the first prosecution brought by the Information Commissioner for failure to comply with an information notice, Liverpool City Council pleaded guilty to the offence and agreed to the Information Commissioner's Office auditing the authority's data protection procedures. The council was fined £300 and no application for costs was made. In his summing up, the District Judge at Liverpool Magistrates' Court said the council had shown an 'appalling breakdown of communication' and 'a clear lack of compliance' with the Data Protection Act 1998.

5 January 2007 - Accountancy firm fined for data protection offence

The Information Commissioner's Office (ICO) has successfully prosecuted an accountant for offences under the Data Protection Act. Abdul Ghafoor of Yorkshire Business Management was convicted following a trial and fined £350 and ordered to pay £500 costs by Bingley Magistrates' Court in West Yorkshire.

Under the Data Protection Act organisations that process individuals' personal information may be required to notify with the Information Commissioner at a cost of £35 per year. Yorkshire Business Management processes personal information but had failed to notify the Commissioner. The firm's own website contains a 'contact us' facility enabling members of the public to email the company - clear evidence that it processes personal information.

Privacy and Electronic Communications Regulations (PECR)

6 December 2006 - Unsolicited direct marketing calls

The Information Commissioner's Office served Enforcement Notices against five companies for making unsolicited direct marketing calls to individuals without their consent. Failure to comply with the Notices is a criminal offence and the ICO is likely to take further action to uphold people's privacy rights, including prosecution, unless the companies comply with the Notices. The action has been brought under the Privacy and Electronic Communications Regulations 2003 (PECR).

The ICO has ordered IDT Direct Limited, often known as Toucan, Staybrite Windows Limited, Zenith Windows Limited, Bowater Windows Limited and Bowater Home Improvement Limited to stop telephoning individuals for direct marketing purposes who have already expressly told the companies that they do not wish to be contacted, or who have registered with the Telephone Preference Service.

IDT Direct Limited has also been ordered to stop making automated calls unless it has individuals' prior consent.

29 Jan 2007. Liverpool Crown Court sentenced four men to prison for their part in fake data protection agencies. Francis Boyd pleaded guilty to dishonestly obtaining £401,545 from businesses demanding a payment to register under the Data Protection Act between 1 December 2002 and 2 April 2004. Between 1 March 2004 and 17 March 2005 Michael Boyd, Paul Barton and Mark Deary worked together obtaining £206,596 in a similar fashion.

Francis Boyd was sentenced to two and half years in prison, Michael Boyd was sentenced to eight months, Paul Barton 12 months and Mark Deary 18 months.

Passing sentence, the judge said this was 'a well planned and sophisticated enterprise.' It was a 'scam cloaked with the appearance of officialdom'.

If a business receives a letter out of the blue demanding more than £35 to register under the DPA this will be a scam. Our simple message to businesses is to throw the letter in the bin and not to pay the fee demanded.

Data controllers may notice a change in the design of ICO letter heads in the next few months. From the end of February we will stop using the old data protection logo and all documents will use the newer ICO logo.

The British Security Industry Association (BSIA) has written to the ICO with information about the new British Standard for the secure destruction of confidential material - BS 8470:2006.

BSI British Standards is the National Standards Body of the UK. It develops standards and standardization solutions to meet the needs of business and society. They work with government, businesses and consumers to represent UK interests and facilitate the production of British, European and international standards

Here is BSIA's letter to the ICO

Data controllers should be aware of the new British Standard for the secure destruction of confidential material - BS 8470:2006. The standard outlines the key requirements of a professional information destruction company, with security and compliance with the Data Protection Act being integral to this.

Professional information destruction involves the secure destruction of confidential material in all its forms by shredding or disintegration. Such material includes paper records, computer hard drives, CDs/DVDs and even company uniforms. Information destruction companies that comply with, and are inspected to, BS 8470 have committed to transporting, storing and destroying their clients' confidential waste to the requirements of the Data Protection Act.

The new standard covers the following areas: material specific shred sizes; requirements regarding the installation of a monitored intruder alarm and a monitored CCTV system; a prerequisite for the security vetting of all staff; and obligations with regard to the security of collection vehicles and on-site destruction vehicles.

The British Security Industry Association led the way in the development of the standard, which will provide customers with further confidence that their information destruction company works to the highest of standards. All BSIA information destruction section members must be inspected to ISO 9001:2000 by a UKAS accredited certification body, and are vetted to the new BS8470 standard as part of their ISO audit procedure.

For more details on information destruction and the new standard, visit www.bsia.co.uk/shredding

Never before has so much personal information been collected about children. And the volume is set to increase dramatically. Information about children, and those associated with them, is collected for the best of motives. We all wish to protect children from abuse and other forms of harm. We all wish to see every child fulfil their potential with the best possible education, healthcare and social and emotional development. We all wish to stop children drifting into crime and anti-social behaviour. There are - and always will be - fierce, and often emotional, controversies about how such lofty aspirations are to be achieved in practice.

The ICO issues paper - Protecting children's personal information highlights the importance of safeguarding children's personal information and the issues that should be considered when designing and using such databases.

The ICO issues paper was published at the same time as the research report by the Foundation for Information Policy Research (FIPR)Children's Databases - Safety and Privacy, which outlines what information is currently held on children.

FIPR report - Children's Databases - Safety and Privacy

In recent months the ICO's data protection audit team have undertaken an extensive programme of audits. With the consent of an organisation the ICO's audit team will assess the processing of personal data by reviewing data protection related polices and guidance, interview staff responsible for the handling of personal data and inspect records.

Organisations may be audited:

• because there are systemic problems but where an audit would be a more appropriate remedy than regulatory action;
   
• where they are selected as part of a 'sector' programme and findings may assist not only the individual organisation but also provide an insight into sectoral practice.

For more details please contact Chris.Turner@ico.gsi.gov.uk
Tel: 01625 545795

In the last edition of the newsletter we talked about an Information Sharing Framework Code of Practice, and asked for public sector volunteers to help us with our work. We have now assembled a group of 13 whose work involves information-sharing. Their help will be invaluable in terms of producing a practical piece of work that will help information and data protection practitioners in their day to day work.

As a first stage the group has been sent a questionnaire asking them to identify the potentially confusing areas of data protection law. The responses will help us to get a better idea of what the framework code should look like and what areas it should cover.

We will keep you informed of the progress in this important work

Iain.Bourne@ico.gsi.gov.uk

The ICO issues guidance in the form of Good Practice Notes, Technical guidance and it's your information notices.

The purpose of a good practice note is to present organisations with data protection and freedom of information advice in a simple, easily understood form. The notes are written in plain English with no jargon. Typically they are aimed at people who have limited time to absorb information about their obligations. The focus of the notes is often therefore quite narrow and will aim to address questions that are often asked of our helpline or advice teams.

It's your information. This is the equivalent of the good practice note but is aimed at the general public. These will not only cover individuals' rights but topics where the public may be concerned or want more information, perhaps because of press coverage of a particular issue.

The purpose of technical guidance notes is to provide guidance to organisations on ICO's policy and approach to the specific technical requirements of the Data Protection and Freedom of Information Acts. They will often provide ICO's interpretation of the legal requirements in the legislation including exemptions and exceptions. They can also cover newly developing technologies.

Since the last e newsletter in November the following guidance has been issued:

It's your Information:

1 - Your rights to police information

This guidance is for individuals to:

find out whether the police hold information about them;
get a copy of their police record; or
get a statement from the police saying that they have no information to give.

Technical guidance

2 - Council tax

We have now replaced our technical guidance note on the use of personal information held for collecting and administering Council Tax.

The guidance contains a series of questions that local authorities should ask themselves in order to decide whether the Data Protection Act allows them to use Council Tax information for other purposes. It also explains our approach to enforcement, saying that we will not use our enforcement powers unless there is evidence of genuine unfairness or unwarranted detriment being caused to individuals. Local authorities, in particular, should find the guidance useful in terms of allowing them to make the best use of the information they hold whilst protecting the people the information is about.

3 - Access to pupils' information held by schools

England
Wales
Northern Ireland

This guidance is aimed at state primary and secondary schools and Boards of Governors to help them understand their responsibilities under the Data Protection Act 1998 regarding requests for access to pupils' information. Special schools including those that are not maintained by the local education authority are covered by this guidance. Local education authorities may also find it useful. The note also covers the separate right of access that parents have to access the official educational records of their child.

Good Practice Notes:

4 - The use of violent warning markers

This guidance explains to those working with the public how best to manage violent warning markers.

Violent warning markers are a means of identifying and recording individuals who pose, or could possibly pose, a risk to the members of staff who come into contact with them.

5- Disclosures of personal information under the Taxes Management Act 1970

This guidance aims to clarify the data protection implications of disclosures of information requested under the Taxes Management Act 1970. It is aimed at those organisations who do not routinely receive requests under this legislation.

6 - Checklist for handling requests for personal information (subject access requests)

This guidance sets out clear advice for small and medium sized businesses to help them deal with requests from individuals for access to information an SME might keep about them.

7 - Electronic mail marketing

The Privacy and Electronic Communications Regulations 2003 place restrictions on how companies can carry out unsolicited direct marketing by electronic mail. This guidance explains how the Regulations apply to electronic mail, which activities they cover and gives some good practice recommendations.

The Information Commissioner has received a number of enquiries from people who have seen articles in the media relating to the introduction of electronic care records across England. Many of these individuals have expressed concern at the plans and are worried that their health records will be available to everyone across the NHS. In addition many of those who have raised concerns with the Commissioner have also asked what the ICO's view of the electronic records programme is and whether or not he has been consulted by the Department of Health.

The ICO statement provides the answers to these questions and also information about the changes to the way health records are maintained and the way these will be introduced.

The information in the note relating to the implementation and operation of the new systems is based on details provided to the ICO by NHS Connecting for Health, the Department of Health agency responsible for the electronic health records programme.

In each quarter's newsletter we select and highlight a number of decision notices issued in the previous quarter. For a more comprehensive service you can set up an RSS link (really simple syndication feed) from the RSS section on the ICO website to your own computer that will alert you each time a new decision notice is placed on the ICO site.

In September 2006 the Information Commissioner’s Office announced details of the Publication Scheme Development and Maintenance Initiative. The intention, through consultation, is to develop a ‘model approach’ to the development of publication schemes.

So far we have undertaken:

• To develop a list of core classes for all public sector bodies.
• To produce a comprehensive guide specific to each public authority sector.
• To progress all sectors towards a culture of maximum release and a form of model scheme to enable a consistency of core classes across public authorities.
• To identify and disseminate good practice, in relation maintaining publication schemes.
• To direct and support public authorities to creatively consider how to promote and publish the information they make readily available.

We have also completed a number of the sector workshops: the central government workshop took place on 9 January with that for Non departmental public bodies the following day; we also ran the first workshops for all sectors in Wales during the week beginning 15 January 2007. This month we have held the first of the local government days and will also hold the first health sector workshop. The local government services and education and also the first in Northern Ireland will commence in March.

We are very pleased to have had many volunteers, from all sectors, coming forward to take part in the workshops and their contributions thus far have been invaluable.

We are delighted to announce that we have also enrolled an Advisory Panel made up of experts and interested parties who will provide a ‘sounding board’ for ideas and bring a user perspective to the work as it develops, providing feedback when appropriate.

If you have any questions or would like more information please contact:

sue.markey@ico.gsi.gov.uk

During the third quarter of the financial year 2006/2007 we received 526 complaints under the Freedom of Information Act and Environmental Information Regulations.

• 469 cases were resolved;
• 59 Decision Notices were issued; and
• 20 appeals were received by the Information Tribunal in this period.

When a Decision Notice is issued, the ICO informs both parties of their right to appeal to the Information Tribunal.

Decisions announced since publication of the last e newsletter in November include:

21 November 2006 - Robin Hood airport, Doncaster

The Commissioner required Doncaster council to disclose the relevant sections of a detailed noise report.

Full transcript of decision notice FS50102786

27 November 2006 - National Health Service University

The Commissioner ordered the Department of Health to release the Wells Report on the National Health Service University within 35 days. The commissioner also notes the department failed to respond to the request within the 20 working day time limit.

Full transcript of decision notice FS50070878

29 November 2006 - Thames Gateway Bridge public consultation

The Commissioner is of the view that Transport for London should reconsider the request for copies of the consultation questionnaires under the Environmental Information Regulations 2004 and not the Freedom of information act.

Full transcript of decision notice FS50079628

04 December 2006 - Salmon fishing

The Commissioner requires DEFRA to release the advice given to a minister about salmon fishing on the River Teign within 35 working days.

Full transcript of decision notice FS50103099

11 December 2006 - National Archives, 1911 census

The Commissioner requires the National Archives to disclose the requested information about the 1911 census.

However, the Commissioner stressed that that this Decision must be confined to the circumstances relating to the information requested in this case. This is not - and cannot be - a decision that the entirety of the 1911 census must now be disclosed. Nor does it create any precedent in the sense that all other requests for specific information within the 1911 or other census schedules must succeed.

Full transcript of decision notice FS50101391

11 December 2006 - Location and success rate of speed cameras

The Commissioner has upheld the decision of the Cheshire Constabulary to withhold this information.

Full transcript of decision notice FS50099068

11 December 2006 - Children In Need presenter fees

The commissioner has ordered the BBC to disclose how much its staging of the Children In Need charity appeal programme cost in 2005; how much of the money raised was spent on televising the appeal and how much individual presenters and other personalities including Terry Wogan, Eamon Holmes and Natasha Kaplinsky were paid.

Full transcript of decision notice FS50102474

15 December 2006 - General Medical Council

The information commissioner ruled that the General Medical Council had been right to withhold the complaints histories of six named doctors.

Full transcript of decision notice FS50064698

3 January 2007 - Council property addresses

The Information Commissioner, Richard Thomas, has ordered Braintree District Council to release the addresses of council properties owned by the authority.

He did not accept that the health and safety of Council tenants would be put at risk by publishing the list, although he did agree to the withholding of specific addresses if their disclosure might put particular vulnerable individuals at risk.

Full transcript of decision notice FS50066606

10 January 2007 - Liverpool City Council

The Commissioner decided that notes, minutes, correspondence and reports etc regarding prostitution in the West Everton area were not exempt from disclosure.

Full transcript of decision notice FS50079486

22 January 2007 - Pension fund investments.

The Commissioner's decision is that the information relating to private equity investments made by Tameside Metropolitan Borough Council on behalf of the Greater Manchester Pension Fund (GMPF) should be disclosed. In this instance he concluded that the public interest in knowing that public funds are being invested wisely overrides the public interest in protecting confidentiality. The Commissioner also believes that a disclosure would not prejudice the commercial interests of any party.

The same decision has been reached in cases involving Wolverhampton and Hertfordshire councils.

Full transcript of decision notice FS50083667

29 January 2007 - Councillor expense claims

The Information Commissioner ordered Doncaster Metropolitan Borough Council to reveal the names of some of the councillors and officials who repaid money to the council after making excessive expenses claims. The council had refused to release the information suggesting that it would contravene the Data Protection Act

Full transcript of decision notice FS50074871

The Constitutional Affairs Committee will hold a one-off evidence session to look at the draft new FOI fees legislation on 6 March 2007. Chairman of the Committee Rt Hon Alan Beith said:

"We are extremely concerned that the Government might go ahead with these changes, which are very widely opposed. That's why we are taking further evidence at this stage."

ICO Richard Thomas has been asked to give evidence.

The Department for Constitutional affairs (DCA) has published new FOI Fees Regulations in draft, which it states 'will allow public authorities to take into account more comprehensively the work involved in dealing with an FOI request'. The DCA's review indicated that these changes would lead to 'a substantial increase in the number of FOI requests which would exceed the (cost) threshold' and could therefore be refused

In its June 2006 report, Freedom of Information: one year on, the Committee heard that the existing fees regime was working well. And since authorities could already include time spent finding information in their calculations, the argument that officials were spending weeks finding information would not "justify a review of the fees regulations, but it would demonstrate a serious shortcoming in some public authorities' records management systems".

The committee expressed the view that it saw no reason to review the fees and felt that "frivolous" requests could be dealt with in the existing provisions.

The Information Commissioner has issued Nottingham City Council with a practice recommendation following an investigation into its handling of an information request.

In addition, the ICO has asked The National Archives to conduct an assessment of the records management capabilities of the Council.

FOI enforcement

We welcome your comments on our e-newsletter. If you have any comments or suggestions please e-mail websitefeedback@ico.gsi.gov.uk

Unsubscribe: To stop receiving the ICO e-newsletter please follow the link.