e-newsletter edition 5

The Information Commissioner's Office (ICO) is the UK's independent public body set up to promote access to official information and to protect personal information. We enforce the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations, regulating the organisations that come within their remits.

We provide guidance to organisations and individuals to promote awareness of information rights and obligations, ensure compliance with the law and encourage good practice.

We rule on eligible complaints and can take action when the law is broken.

It has been confirmed that Richard Thomas will continue in post until June 2009. The Information Commissioner serves for a term of up to five years and, after the first term, is eligible for re-appointment for a further five years. Richard Thomas was appointed the Information Commissioner in November 2002 and he is being re-appointed for a further term but, at his own request, only until his 60th birthday in June 2009.

The Information Commissioner has independent status, reporting directly to Parliament, with responsibility for enforcing the Freedom of Information Act 2000, Data Protection Act 1998 and related legislation. The functions of his office include promoting good practice, ruling on complaints under this legislation, providing information to individuals and organisations and taking appropriate action when the law is broken

Richard Thomas's previous career has encompassed public, private and voluntary sectors:

• Director of Public Policy at Clifford Chance (the international law firm);
• Director of Consumer Affairs at the Office of Fair Trading;
• Head of Public Affairs and Legal Officer at the National Consumer Council;
• Solicitor with the Citizens Advice Bureau Service and Freshfields.

He has also previously held various public appointments, including membership of the Lord Chancellor's Civil Justice Review Advisory Committee and the Boards of the Financial Ombudsman Service and the National Consumer Council.

Our new website has been live for six months, and we'd like to find out what you think of it. We have commissioned an online survey to find out whether it suits your needs and what we can do to improve it.

Please click on the following link to complete the survey, which will be running until 8 June 2007 ICO website survey

May 2007 - The Information Commissioner published a paper that sets out the ICO's general approach to information sharing. It is aimed primarily at public bodies and considers: threats to privacy and integrity; choice and consent; transparency and information; data quality and security, and the impact of public law.

Information sharing

Iain.Bourne@ico.gsi.gov.uk

In his evidence to the Home Affairs Select Committee on 1 May 2007, the Information Commissioner, Richard Thomas, proposed new safeguards - including privacy impact assessments and the use of privacy enhancing approaches - to ensure public confidence in initiatives and technologies which could otherwise accelerate the growth of a surveillance society. He also called for stronger powers to allow the ICO to carry out inspections and audits. The ICO submission in full

Also on 1 May the ICO published a postscript to the Surveillance Studies Network's September 06 report which was originally prepared for the International Conference on 'A Surveillance Society? ' in November 2006.

Banks breach data protection

March 2007 - After an investigation into complaints concerning the disposal of customer information the ICO found 11 banks and other financial institutions in breach of the Data Protection Act. Alliance & Leicester, Barclays Bank, Co-operative Bank, Clydesdale Bank, HFC Bank, HBOS, Nationwide Building Society, Natwest Royal Bank of Scotland, Scarborough Building Society, United National Bank and The Post Office were all found to have discarded personal information in waste bins / receptacles outside their premises.

The ICO has now required these organisations to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the conditions of the undertaking is likely to lead to further enforcement action by the ICO and could result in prosecution.
Media release

Bank and credit card charges

The Office of Fair Trading's announcement that any penalty charge over £12 in a standard credit card contract was likely to be unfair has led to large numbers of people asking their credit card providers for copies of old statements.

Many financial institutions are struggling to supply them within the 40 days allowed by the Data Protection Act. We are monitoring this closely and due to the number of complaints we are receiving about failed subject access requests we are also contacting to the financial institutions concerned on a monthly basis.

We have published advice on our website setting out what individuals need to do before complaining to the ICO. Where an organisation is persistently failing to comply with the Act, the matter will be considered for regulatory action. In such cases, the Commissioner will attempt to resolve the matter by informal regulatory methods but he may use his formal enforcement powers in cases where such informal methods prove unsuccessful.

The ICO provides information about individual's rights to see any information that is held about them: see our Subject access guidance note.

ICO to investigate Barclays Bank

On 25 April the Information Commissioner's Office (ICO) launched an investigation into Barclays Bank following the recent BBC Whistleblower programme which exposed alleged breaches of customer privacy at the high street bank.
Media release

Private investigator guilty of trading personal information

On 23 April a private investigation firm, Infofind Ltd, pleaded guilty to obtaining and selling personal information after illegally 'blagging' the personal details of over 250 individuals from the Department for Work and Pensions. The firm and its Managing Director, Nick Munroe, were both convicted of 44 counts of unlawfully obtaining and selling personal information at Kingston Magistrates' Court and fined £3,200, following a successful prosecution by the Information Commissioner's Office.
Media release

Personal data found in public waste bins

The ICO recently received a complaint that personal data had been recovered from unsecured waste bins outside the premises of Cash Generators in Bridge Street, Nuneaton. Items recovered included paperwork showing the names and addresses and other information linked to purchases made at the premises. Following an investigation into the matter, the director of the company agreed to sign an undertaking to ensure the company's future compliance with the Data Protection Act
Signed undertaking

Unsolicited direct marketing faxes

Following an investigation into unsolicited direct marketing faxes, a director of the company involved - ADC organisation Ltd - has agreed to sign an undertaking to ensure the company's future compliance with the regulations.

Philips (electronics) is authorised by the ICO to transfer personal information overseas

The ICO has authorised Philips to transfer employees' and clients' personal information outside the European Economic Area using strict procedures known as binding corporate rules. This process enables Philips to share information on its employees and clients within the multi-national company. The authorisation applies to information that falls under the Information Commissioner's jurisdiction, primarily personal data held in the UK.
Media release

The ICO and the Bar Council for Northern Ireland have been working together to ensure that all NI barristers notify as data controllers under the Data Protection Act 1998. Any individual or business who enters details about identifiable individuals onto a computer must notify the ICO. Failure to do so is a criminal offence. Media release

In March Richard Thomas delivered a keynote speech to the International Association of Privacy Professionals' Summit in Washington DC. He outlined the benefits of a more harmonised and consistent world-wide approach to protecting people's personal information and regulating privacy breaches. As the United States considers the possibility of wider Federal privacy laws, Richard suggested that European laws may need some revision to achieve a closer consensus.

Keynote speech - Richard Thomas

The Data Protection Act 1998 came into force in March 2000. A number of 'transitional relief' arrangements were included in the legislation. These arrangements provided a set period of time for data controllers to bring their personal information handling practices and records fully in line with the 1998 Act.

There is one remaining transitional relief arrangement, which relates to certain manual (non-digitised) records created before 24 October 1998, including those held in structured manual filing systems. At the moment a data controller who processes such data is not bound by most of the requirements of the first five principles of the 1998 Act and individuals do not have a general right to go to court to correct inaccurate personal information. All other transitional relief periods have already expired.

At midnight on 23 October 2007 the final transitional relief period will expire. Therefore, from 24 October this year the Data Protection Act 1998 will apply in full to all personal information covered by the Act and data controllers will need to ensure that the way personal information is processed is compliant with all the provisions of the Act. Individuals will also have full rights to go to court to rectify any inaccurate information about them that pre-dates 24 October 1998 under Section 14 of the Act.

The Act does not require that data controllers digitise or computerise old manual records.

Change to our logo

Data controllers may have recently noticed a change in the design of our letterhead. This has come about as we update our stationery to ensure a consistent corporate look across all areas of our work.

The ICO issues guidance in the form of good practice notes, it's your information notices and technical guidance.

The purpose of a good practice note is to present organisations with data protection and freedom of information advice in a simple, easily understood form. The notes are written in plain English with no jargon. Typically they are aimed at people who have limited time to absorb information about their obligations. The focus of the notes is often therefore quite narrow and will aim to address questions that are often asked of our helpline or advice teams.

'It's your information' is the equivalent of the good practice note but is aimed at the public. These will not only cover individuals' rights but topics where the public may be concerned or want more information, perhaps because of press coverage of a particular issue.

The technical guidance notes are aimed at anyone who may have a special interest or particular problem. They will often provide ICO's interpretation of the legal requirements in the legislation including exemptions and exceptions. They can also cover newly developing technologies.

Since the last e-newsletter in February the following guidance has been issued:

• February 07 - Police information - 'It's your information'
   
  The Data Protection Act gives individuals the right to have a copy of the personal information the police hold about them. The ICO issued 'It's your information' guidance to help individuals find out whether the police hold information about them - and if they do, how to get a copy - or if they don't, get a statement from the police saying that they don't.
   
  It does not cover criminal records checks for employment purposes. If a criminal records check is required for your work, then your employer should explain how to apply for this.
   
• March 07 - Calling Telephone Preference Service registered customers - Good practice note
   
  This guidance explains the position regarding calling existing customers for marketing purposes when they are currently registered on the Telephone Preference Service (TPS) or who subsequently register.
   
• April 07 - Advice for elected and prospective members of Local authorities
   
  This good practice note aims to provide elected and prospective members of local authorities with guidance about how the Data Protection Act 1998 applies to them.
   
• April 07 - Advice to local authorities on disclosing personal information to Elected members
   
  This good practice note aims to advise local authorities on what they need to consider when deciding whether to disclose personal information to elected members of a council. Elected members can find guidance specifically for them on our website

The ICO's last e newsletter announced details of the Publication Scheme Development and Maintenance Initiative. The intention, through consultation, is to develop a 'model approach' to the development of publication schemes, and to encourage proactive release of information as a matter of course.

We are providing four full day workshops for each of the following sectors:

• Central government departments
• Non-departmental public bodies
• Local government (councils)
• Local government (services)
• Health
• Education
• Police

To date we have held workshops in Salford, London, Belfast and Llandrindod Wells and are ensuring representatives from each of the sectors have the opportunity to feed into the development of future publication schemes. This feedback and collaborative approach will enable the development of model schemes. Some information resources have been produced as a result of the initiative, including a newsletter and sector specific circulars. These can be accessed through the publication scheme section of our website.

If you have any questions or would like more information please contact:

sue.markey@ico.gsi.gov.uk

During the fourth quarter of the financial year 2006/2007 we received 718 complaints under the Freedom of Information Act and Environmental Information Regulations.

• 664 cases were closed;
• 98 decision notices were issued; and
• 20 appeals were received by the Information Tribunal in this period.

Practice recommendations

Where the Information Commissioner considers that the practice of a public authority does not conform with that proposed in the codes of practice he may give that authority a practice recommendation.

A practice recommendation will specify the steps the Commissioner considers should be taken to bring about the conformity. It will be in writing and will refer to the particular provisions of the code of practice with which the Commissioner considers the public authority's practice does not conform.

11 May 2007

Following a recent decision notice and an audit of complaints received regarding freedom of information requests, the Information Commissioner has issued Liverpool City Council with a practice recommendation under the section 45 Code of Practice. For details, see Liverpool City Council practice recommendation.

Media release

In each newsletter we highlight a number of the most interesting decision notices we issued in the previous quarter. For a more comprehensive service you can set up an RSS link (really simple syndication feed) from the RSS section on the ICO website to your own computer that will alert you each time a new decision notice is put on the ICO site.

Since the beginning of 2005 the ICO has issued over 550 decision notices. Of these, 35% have been upheld, 37% have not been upheld and 28% have been partially upheld. When a decision notice is issued, the ICO informs both parties of their right to appeal to the Information Tribunal.

Decisions announced since publication of the last e-newsletter in February include:

13 February 2007 - ICO rules on the ICO

The Information Commissioner ruled that Information Commisioner was right to not to disclose documents held by the Information Commissioner's Office in connection with its investigation of two Freedom of Information complaints.

Decision notice

20 February 2007 - Vexatious FOI request placed unreasonable burden on a public authority

The Information Commissioner concluded that West Midlands Passenger Transport Executive was entitled to refuse to answer a request for information on the grounds that it was vexatious. Between January and November 2005 the same person made 15 requests concerning the authority's financial relationship with four bus companies.

Decision notice

22 February 2007- Caught on camera

South Yorkshire Police have been ordered to release a photograph of a police crew bus caught speeding. In upholding the complaint the Commissioner said the public interest would be best served by releasing the photograph.

Decision notice

28 February 2007 - Office of Government Commerce - gateway reviews

The OGC has been ordered to disclose copies of eight letters sent by the OGC to the relevant Permanent Secretaries following their department's projects receiving a double red warning in Gateway reports and also any replies from the Permanent Secretaries.

Decision notice

9 March 2007 - More information released on ASBOs

The London Borough of Camden has been ordered to release details of the identities of some residents who have been made the subject of Anti-Social Behavioural Orders (ASBOs)

Decision notice

26 March 2007 - Foreign and Commonwealth Office

The complainant asked the Foreign and Commonwealth Office for any information that it held relating to the Rhodesian Army's raid on Joshua Nkomo's headquarters in Lusaka in April 1979. Having viewed the information, the Commissioner accepted that some of the information had been correctly withheld but considered that some of it could be released.

Decision notice

26 March 2007 - Tony Blair's Christmas card list

The Information commissioner ruled the majority of names on the Prime Minister's Christmas card list should not be published but that the names of foreign leaders and heads of state on the list should be released, together with the names of headings used in the list and the number of recipients listed under each heading.

Decision notice

27 March 2007 - Information held by the BBC for the purpose of journalism, art or literature - schedule one

The information commissioner has decided the BBC correctly relied upon the Schedule 1 derogation - information held for the purposes of journalism, art or literature - and is not obliged to supply a copy of a programme broadcast Radio 4 in July 2005 called "The Moon Trees''.

Decision notice

27 March 2007- BBC ordered to release details of payments made to insurers

The Commissioner does not believe that releasing details of insurance payments will prejudice the BBC or the insurers' commercial interests and therefore has ordered the BBC to disclose the amounts paid.

Decision notice

4 April 2007 - Information Commissioner backs BBC in refusing to answer vexatious requests

The Information Commissioner ruled that the BBC was justified in refusing requests on the grounds they were vexatious. The BBC received approximately 90 requests relating to its hospitality expenditure and employee expenses claims.

Decision notice

04 April 2007 The Information Commissioner agrees with the Ministry of Defence

that copies of memoranda of understanding dating from 1973 for the supply of armaments and support to the Saudi Arabian armed forces should not be disclosed.

Decision notice

17 April 2007. The information commissioner ruled the Commission for Patient and Public Involvement in Health should release

a copy of an internal report prepared by the Commission for Patient and Public Involvement in Health following an investigation into the relationship between some NHS Patients' Forum members and their support organisation

Decision notice

23 April 2007 - General Medical Council right to withhold complaint numbers

The information commissioner has agreed the General Medical Council were right to withhold the number of complaints against a particular doctor and also the dates of those complaints.

Decision notice

9 May 2007 - Leeds City Council to release residents' questionnaire responses

The Information Commissioner, Richard Thomas, has ordered Leeds City Council to release residents' responses to a public consultation questionnaire which were held on the council's behalf by the market research company, Swift Research Ltd, in such a way that individual respondents may not be identified.

Decision notice

The ICO published research in March 2007 that shows that four out of five public authorities have a positive attitude towards the Freedom of Information Act, two years after its introduction. Eighty three per cent of public authorities believe the Act has helped create a culture of greater openness in the public sector and 59% of respondents agreed that freedom of information had reduced unnecessary secrecy. Over half of public authorities questioned said that since the Act was introduced they now publish more information as a matter of course. However, a third of respondents felt their organisation would release less information under the Act if permitted to charge for consideration time.

Three quarters of respondents said they had received requests for information under the Act. Information regarding decisions made by public authorities and statistics about organisations were the most requested pieces of information. According to the research requests for personal information about staff was the most common reason for refusing disclosure under the Act. One-third of public authorities turned down requests for commercially sensitive information.

The research in full

Since the last e-newsletter in February the following guidance has been issued:

• Time limits on considering the public interest - Good practice guidance 4
   
  The Freedom of Information Act requires public authorities to comply with requests for information within 20 working days following receipt of the request. In cases where a public authority is considering the application of an exemption that is subject to a public interest test (known as a qualified exemption), the Act requires the authority to reach its decision "within such time as is reasonable in the circumstances." The Act does not define the word "reasonable", but in our view it is not acceptable for a public authority to take, as a matter of course, several weeks to assess the public interest considerations. The ICO is therefore providing this good practice guidance on what the Commissioner considers to be a reasonable length of time. This should help public authorities to give an estimate to applicants, when they need to consider the public interest of when a decision is likely to be made and communicated.
• Time limits on carrying out internal reviews following requests for information under the Freedom of Information - Good practice guidance 5
   
  The Information Commissioner considers it important that internal reviews are completed as promptly as possible and so is introducing this guidance setting out what he considers to be a reasonable timescale for public authorities to undertake an internal review following a request by an applicant.
• Parish, town and community councils
   
  This guide to the Freedom of Information Act and the Environmental Information Regulations provides an outline for parish, town and community councils of their responsibilities for these laws.
  Basic guide on compliance for first tier councils
• Freedom of information and access to information about the deceased
   
  This new technical guidance aims to help public authorities understand and resolve those areas that are the subject of frequent enquiries relating to freedom of information and access to information about the deceased. It sets out the Information Commissioner's approach to dealing with requests of this type.
  Freedom of information: Access to information about the deceased

We welcome your comments on our e-newsletter. If you have any comments or suggestions please e-mail websitefeedback@ico.gsi.gov.uk

Unsubscribe: To stop receiving the ICO e-newsletter please follow the link.

Robert Parker
Communications Planning Manager

01625 545847

www.ico.gov.uk

Promoting public access to official information and protecting your personal information