e-newsletter edition 6

The Information Commissioner's Office (ICO) is the UK's independent public body set up to promote access to official information and to protect personal information. We enforce the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations, regulating the organisations that come within their remits.

We provide guidance to organisations and individuals to promote awareness of information rights and obligations, ensure compliance with the law and encourage good practice.

We rule on eligible complaints and can take action when the law is broken.

In a speech to launch his annual report Richard Thomas called on UK chief executives to take the security of employees' and customers' personal information more seriously. The call follows a number of unacceptable security breaches over the last year, involving leading names such as Orange and several high street banks. He said, 'Over the last year we have seen far too many careless and inexcusable breaches of people's personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying. Organisations that fail to process personal information in line with the principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers.'

The Information Commissioner also called for stronger audit and inspection powers for his Office. Currently the ICO can only audit organisations' information handling practices with their consent. The Commissioner wants the right to inspect and audit practices where poor practice is suspected.

The report highlights that the ICO received almost 24,000 enquiries and complaints concerning personal information in 2006/07. The ICO has prosecuted 16 individuals and organisations in the last 12 months and two Parliamentary inquiries have started, following the Commissioner's call for a debate on the UK's 'surveillance society'.

The ICO has now received almost 6,000 complaints under the Freedom of Information Act and has closed over 75% of those. Following changes within the ICO 82% more decision notices were issued in 2006/07 than in the previous 12 months. The ICO has issued over 339 decision notices in 2006/07 26% of the Commissioner's rulings upheld the initial decision by the public authority while 39% of decision notices issued by the ICO ruled in favour of the complainant. In 35% of cases the Commissioner upheld some elements of the complaint in favour of the complainant and agreed with the public authority on others.

As part of the ICO's corporate planning, we are keen to get your views on how we work. In particular we would welcome your comments on the following questions:

• Where do you think the ICO should be directing more of its limited resources?
• What do you think the ICO does best?
• What do you think is the main weakness of the ICO?

Please forward your responses to: Beth.gibbons@ico.gsi.gov.uk all replies will be analysed and considered during the preparation of our next three year plan. We hope you will be able to take this opportunity to help us improve our services.

The email alert facility on the Information Commissioner's website has been upgraded. After users reported problems with the old system the ICO has made the e-alerts more reliable.

If you want to be the first to know about any changes and updates on our website go to our email alert subscription page and sign up for our e-alerts.

The Information Commissioner's Office is conducting a consultation, running until 28 September, for our new Data protection strategy

The strategy sets out how we go about minimising data protection risk. It is aimed at our major stakeholders and spells out the basis on which we select the issues on which to engage, the outcomes we seek, and the approach taken to engagement.

If you have comments on the strategy we will be happy to receive them by email to mail@ico.gsi.gov.uk. Alternatively please send your response to our Wilmslow office using the Customer Service Team address on page two of the consultation document.

The ICO is about to launch a consultation on a revised code of practice for CCTV. The current code was last updated in 2000.

If you would like to contribute to the consultation look out for it on the CCTV page of the ICO website soon.

The ICO has commissioned research into the use of Privacy Impact Assessments (PIAs). PIAs are a widely-used tool in other parts of the world, and the ICO hopes to learn from examples of good practice to design a methodology for use in the UK. The research team, led by Professor Charles Oppenheim from Loughborough University, will also be producing a user-friendly handbook to put PIAs into practice. The report and handbook will be launched in December.

The Information Commissioner's Office (ICO) has found Orange Personal Communications Services Ltd and Littlewoods Home Shopping in breach of the Data Protection Act.

21 June 2007
Following an investigation into the alleged sharing of user names and passwords by Customer Service Representatives at one of the company's call centres, the Information Commissioner's Office has required Orange Personal Communications Services Ltd to sign a formal undertaking to comply with the principles of the Data Protection Act.
Orange undertaking

20 June 2007
A customer of Littlewoods Shop Direct Home Shopping Ltd had complained to the ICO regarding receipt of unsolicited mailings. The company had, on two previous occasions, given an assurance that the customer's details had been removed from their customer lists, yet despite this the complainant still received unwanted mail from them. The company have signed an undertaking agreeing to suppress the customer's details from all company databases and to review procedures to ensure customer rights under Section 11 of the Data Protection Act 1998 are upheld.
Littlewoods undertaking

3 July 2007
Following an investigation by the ICO, Satellite Direct UK Ltd and Satcover Ltd, both of Hove, East Sussex, were found in breach of the Privacy and Electronic Communications Regulations after making unsolicited marketing calls to individuals using an automated calling system. As a result the Information Commissioner has required the two organisations to sign formal undertakings to stop making unsolicited marketing calls to individuals.
SatCover Ltd undertaking
Satellite Direct UK Ltd undertaking

The Information Commissioner's Office (ICO) is urging recruitment agencies to meet their obligations under the Data Protection Act. Under the Act, most organisations that process individuals' personal information electronically must notify with the ICO. Failure to notify with the ICO can result in prosecution and fines. Recently, the ICO has successfully prosecuted a number of organisations for failing to notify. These included a recruitment company which had to pay a £2,000 fine.

Media release

The Data Protection Act 1998 came into force in March 2000. A number of 'transitional relief' arrangements were included in the legislation. These arrangements provided a set period of time for data controllers to bring their personal information handling practices and records fully in line with the 1998 Act.

There is one remaining transitional relief arrangement, which relates to certain manual (non-digitised) records created before 24 October 1998, including those held in structured manual filing systems. At the moment a data controller who processes such data is not bound by most of the requirements of the first five principles of the 1998 Act and individuals do not have a general right to go to court to correct inaccurate personal information. All other transitional relief periods have already expired.

At midnight on 23 October 2007 the final transitional relief period will expire. Therefore, from 24 October this year the Data Protection Act 1998 will apply in full to all personal information covered by the Act and data controllers will need to ensure that the way they process personal information is compliant with all the provisions of the Act. Individuals will also have full rights to go to court to rectify any inaccurate information about them that pre-dates 24 October 1998 under Section 14 of the Act.

The Act does not require that data controllers digitise or computerise old manual records.

The ICO will shortly be issuing new guidance to reflect the new (Article 29) definition of personal data recently published by the European Commission.

The ICO issues guidance in the form of good practice notes, it's your information notices and technical guidance.

The purpose of a good practice note is to present organisations with data protection and freedom of information advice in a simple, easily understood form. The notes are written in plain English with no jargon. They are aimed at people who have limited time to absorb information about their obligations. The focus of the notes is often therefore quite narrow and will aim to address questions that are often asked of our helpline or advice teams.

• Collecting personal information using websites
  • This note provides guidance to organisations wanting to collect personal information using websites and will help in the design of privacy statements

• Local authorities disclosures to elected members
  • This note aims to advise local authorities on what they need to consider when deciding whether to disclose personal information to elected members of a council.

• Advice on Data Protection Act obligations for local authority elected members
  • This good practice note aims to provide elected and prospective members of local authorities with guidance about how the Data Protection Act 1998 applies to them.

'It's your information' is the equivalent of the good practice note but is aimed at the public. These will not only cover individuals' rights but topics where the public may be concerned or want more information, perhaps because of press coverage of a particular issue.

• Bankruptcy FAQs
  • This note aims to answer questions we receive about bankruptcy and credit reference files from:
    • people who are bankrupt;
    • people who are discharged from bankruptcy; and
    • people whose bankruptcy has been annulled.

• Your personal information and the electoral register
  • This note explains to people how they can restrict the sale of their personal information on the electoral register.

The technical guidance notes are aimed at anyone who may have a special interest or particular problem. They will often provide ICO's interpretation of the legal requirements in the legislation including exemptions and exceptions. They can also cover newly developing technologies.

At the FOI live event in April Richard Thomas said his office would shortly be launching a freedom of information charter aimed at individuals and organisations who propose to make requests under the Freedom of Information Act and the Environmental Information Regulations (EIR). The charter is published today and can be found here. Access to official information

The ICO is confident that most members of the public and other requesters are exercising their rights under the Act sensibly and responsibly. However, it is recognised that some individuals and some organisations may abuse these rights, whether they mean to or not. This charter sets out how the ICO believes these rights can be used responsibly for the benefit of all involved in the freedom of information process: applicants and public authorities. Following this charter will help users to make legitimate requests for information.

Please let Steve Wood have any further comments

The Freedom of Information Act places an obligation on public authorities to adopt a publication scheme agreed by the ICO. In order to help authorities fulfil this obligation the ICO is hard at work producing sector specific model publication schemes to allow public authorities to simply take a model scheme off the shelf, confident that it is acceptable and practical for the sector they operate in.

The first draft of the new model publication scheme for central government departments will be shared with sector representatives at the forth Development and Maintenance Initiative (DMI) workshop held on 24 July.

During the first quarter of the financial year 2007/2008 we received 694 complaints under the Freedom of Information Act and Environmental Information Regulations.

• 677 cases were closed;
• 80 decision notices were issued; and
• 32 appeals were received by the Information Tribunal in this period.

In each newsletter we highlight a number of the most interesting decision notices we issued in the previous quarter. For a more comprehensive service you can set up an RSS link (really simple syndication feed) from the RSS section on the ICO website to your own computer that will alert you each time a new decision notice is put on the ICO site.

In the year 2006/07 the ICO issued 339 decision notices. Of these, 26% were upheld, 39% were not upheld and 35% were partially upheld. When a decision notice is issued, the ICO informs both parties of their right to appeal to the Information Tribunal.

Decisions announced since publication of the last e-newsletter in May include:

Case Ref: FS50093255
Date: 02/07/2007
Public authority: Southampton University Hospitals NHS Trust
Summary: The request was for copies of incident reports completed by staff, about alleged abusive and aggressive behaviour by the complainant and his wife. The reports were provided with the names of the staff removed. The complainant then asked specifically for those names. The public authority refused to disclose the information. The Commissioner decided that the information was exempt from disclosure under section 40(2) of the Act.

Case Ref: FS50100127
Date: 09/07/2007
Public authority: British Waterways Marinas (BWM)Ltd
Summary: The request was for an objection to the complainant operating a sailing school from a BWM marina. The public authority withheld the information, due to "commercial confidentiality", but did not specify an exemption. As a publicly-owned company BWM Ltd was a public authority for the purposes of the Act. Because the complainant was a sole trader the requested information formed part of his personal data. The Commissioner found that the information was exempt under section 40(1) of the Act but that the public authority should have specified an exemption and should have treated the request as a subject access request under section 7 of the Data Protection Act.

Case Ref: FS50153399
Date: 09/07/2007
Public authority: Trafford Metropolitan Borough Council
Summary: The request was for information about bids the council had received when offering a property for sale by informal tender. The information was withheld as it could prejudice the commercial interests of the council. The Commissioner reviewed the council's decision and decided that it had failed to demonstrate how its commercial interests would be prejudiced by disclosing the information therefore ordering disclosure.

Case Ref: FER0131423
Date: 21/06/2007
Public authority: Bath and North East Somerset Council
Summary: The complainant asked for a copy of legal advice given in connection with sewage and drainage issues at Mines Project. The request was declined because of Legal Professional Privilege, under the EIR regulation 12(5)(b). After reviewing the information, the Commissioner concluded that the information was subject to legal professional privilege and that the information was exempt from disclosure as the public interest favoured maintaining the exemption.

Case Ref: FS50078603
Date: 05/06/2007
Public authority: London Borough of Southwark
Summary: The complainant asked for information about criteria used to determine staff grades within the Hay job evaluation scheme. The council refused the request on the grounds that it would prejudice the commercial interests of Hay Group. The Commissioner decided that the council had incorrectly withheld the information and that it should therefore be released. The council also failed to address the public interest when withholding the requested information.

Case Ref: FS50109031
Date: 14/06/2007
Public authority: South Warwickshire NHS Trust
Summary: The complainant requested an audit report for 2004-2005. The Trust refused to provide this information because it would prejudice the effective conduct of public affairs, and would inhibit the free and frank provision of advice and the free and frank exchange of views for the purposes of deliberation. After reviewing the information the Commissioner decided that the public interest lay in disclosing the information.

The above decisions have been summarised for this newsletter, to read a more complete version of these and other decision notices go to the decision notices page of the ICO website.

We welcome your comments on our e-newsletter. If you have any comments or suggestions please e-mail websitefeedback@ico.gsi.gov.uk

Unsubscribe: To stop receiving the ICO e-newsletter please follow the link.