e-newsletter edition 7

The Information Commissioner's Office (ICO) is the UK's independent public body. We promote access to official information and protect personal information.

We enforce the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations, regulating the organisations that come within their remits.

We provide guidance to organisations and individuals to promote awareness of information rights and obligations, ensure compliance with the law and encourage good practice.

We rule on eligible complaints and can take action when the law is broken.

The Information Commissioner's Office will be hosting a conference entitled "Surveillance society: turning debate into action" at the Bridgewater Hall in central Manchester.

The conference aims to build on our previous work on "A Surveillance Society" and will be looking forward to actions that can be taken to deal with the consequences of a surveillance society. We intend to launch the Privacy Impact Assessment Handbook, a new tool for the UK, at the conference and will also present the results of research we have commissioned into public attitudes to surveillance.

The conference will run from 10.15 until 16.30 followed by a drinks reception until 18.30 in the evening. There is no charge for attendance but places are limited and will be allocated strictly on a first come, first served basis. Please visit our dedicated web page http://www.ico.gov.uk/Home/Global/surveillance_society_conference_details.aspx for more details.

The ICO is currently reviewing our communications strategy for the next three years. The review comes at a time when awareness of data protection and information rights and of the ICO is the highest ever, revealed by our annual tracking market research. The ICO is now looking to the future to ensure that our communications will continue to be effective. Do you have views on our communications, such as our website and publications? Comments and suggestions are welcome. Please send them to Stuart Bodsworth, External Relations Officer, at stuart.bodsworth@ico.gsi.gov.uk by 24 December 2007.

On 2 October 2007 the Information Commissioner's Office in Northern Ireland organised a high level data sharing conference at the Culloden Hotel in Belfast. The event brought together over 120 data protection professionals from across the devolved administrations of the United Kingdom and partners in the Republic of Ireland. The ICO team included both Deputy Information Commissioners and the Assistant Information Commissioners from Northern Ireland, Scotland and Wales. The event's host, Assistant Information Commissioner (Northern Ireland) Marie Anderson, said: "Public sector organisations in Northern Ireland currently face unique challenges when sharing personal information because of differences in law as well as the far-reaching review of public administration. The Data Protection Act is a valuable framework for sharing information between or within organisations and should not be seen as a barrier. Our framework code of practice for sharing personal information will provide organisations with the means to establish good practice in this area."

The Information Commissioner's Welsh office held a series of free breakfast seminars on data protection and identity theft in North Wales at the end of September. These were aimed at small and medium enterprises to inform them about their responsibilities under data protection legislation.

Anne Jones, Assistant Information Commissioner (Wales), said, "There's a great deal of confusion and misunderstanding around what the Data Protection Act does and does not allow businesses to do. We wanted to get rid of some of that confusion and show that compliance makes good business sense. Wales has a high proportion of small businesses, and we were aware of the need to provide clear advice to the sector"

The seminars covered issues such as the retention and secure disposal of personal information, identity theft, marketing, notification, the privacy implications of using CCTV and monitoring employees. It highlighted the importance of protecting personal information as a matter of business reputation.

Michael Learmond, Regional Organiser for the Federation of Small Businesses, said: "Not only were they informative and educational, but entertaining too! The feedback has been excellent, with attendees feeling they now have a much clearer understanding of their responsibilities under the Act as well as gaining invaluable tips on how to avoid identity theft".

The Information Commissioner's Office (ICO) has issued a Framework Code of Practice for Sharing Personal Information. The new document explains in plain English how public and private sector organisations that need to share people's personal information can set up their own arrangements to ensure that, where personal information is shared, good practice is adopted.

The framework helps organisations decide when to share information, what information to share, highlights the consequences of sharing and deals with the issue of consent. The framework outlines factors such as security, accuracy of information and retention periods that organisations need to consider when sharing personal information with another organisation or within their own organisation. It is designed to be flexible, enabling organisations to adopt it wholesale or to extract some of its content and integrate this into existing policies and systems.

The ICO will be able to endorse organisations' own codes of practice subject to the right to audit arrangements on the ground.

The Framework Code of Practice for Sharing Personal Information is available at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/pinfo-framework.pdf

The ICO issues guidance in the form of good practice notes, it's your information notices and technical guidance.

The purpose of a good practice note is to present organisations with data protection and freedom of information advice in a simple, easily understood form. The notes are written in plain English with no jargon. They are aimed at people who have limited time to absorb information about their obligations. The focus of the notes is often therefore quite narrow and will aim to address questions that are often asked of our helpline or advice teams.

• Training checklist for small and medium sized organisations
  • This note outlines some of the practical implications of the Data Protection Act 1998 (the Act) and is intended as a basic training framework for general office staff in small and medium sized organisations.
• The exemption from notification for 'not-for-profit' organisations
  • This note answers a number of questions regularly raised by charities and voluntary organisations about the exemption from the requirement to notify under the Act for 'not-for-profit' organisations.
• Publication of examination results by schools
  • This note explains to boards of governors, head teachers and school data protection officers how the Act affects the publishing of examination results.

'It's your information' is the equivalent of the good practice note but is aimed at the public. These will not only cover individuals' rights but topics where the public may be concerned or want more information, perhaps because of press coverage of a particular issue.

• Use and disclosure of Vehicle information
  • There are occasions when the DVLA gives out information about the keeper of a vehicle to the police, local authorities, private companies or individuals. This note will help you understand when these disclosures can take place and what to do if you think information about you has been used inappropriately.
• Sharing information about you
  • This note explains what information sharing is and why it happens. It also tells people what to expect from organisations that are sharing information and what to do about any concerns.
• How to access your information
  • This note aims to tell you what rights you have under the Act to get a copy of the information that is held about you. These rights are known as subject access rights.

The technical guidance notes are aimed at anyone who may have a special interest or particular problem. They will often provide ICO's interpretation of the legal requirements in the legislation including exemptions and exceptions. They can also cover newly developing technologies.

• Privacy and Electronic Communications (EC Directive) Regulations 2003
  • This note has been amended following discussions with Department of Business, Enterprise and Regulatory Reform and others. PECR Regulations only apply to messages sent over a public electronic communications network. It has now been concluded that Bluetooth messages are not in fact sent using such a network. We have amended our guidance accordingly. It is for government to decide whether the law should be changed to cover such marketing. We would like to stress that regardless of whether a particular technology is covered by PECR, consumers are increasingly aware of, and concerned about, the sophisticated methods of sending marketing to them and it is good practice to take their concerns into account when devising a responsible marketing strategy.
• Determining what is personal data
  • This note explains and illustrates the ICO's view of what is personal data for the purposes of the Act. Phil Jones, Assistant Information Commissioner, said: "We have recognised for some time the need to provide more help to those who have to make difficult decisions on whether data is subject to the Data Protection Act. The guidance relies heavily on examples to illustrate circumstances when data relates to an identifiable, living individual."
• Frequently asked questions and answers about relevant filing systems
  • This note will help data controllers decide whether the personal information they have is held in a 'relevant filing sytem' as defined by the Act.
• Filing defaults with credit reference agencies
  • This note provides advice to credit grantors on the conditions under which information about defaults is filed with the credit reference agencies. Only if credit grantors file defaults information in broadly comparable circumstances to each other will credit reference agency records provide meaningful information about the financial standing of individuals, and be processed in a way that is fair to those individuals. The guidance sets common standards for filing defaults while recognising that some differences exist with the wide range of credit products available.

The ICO has ordered the Police services in Humberside, Northumbria, Staffordshire and the West Midlands to delete old and no longer relevant criminal convictions from the Police National Computer (PNC).

Following complaints from four individuals the ICO found that information held by the four forces was excessive and not relevant to policing purposes.

The Information related to people who had, in their youth, committed a single offence resulting in a caution or a small fine. Retention of the information is causing distress and harm to the individuals and providing no benefits to policing.

The police services involved have appealed to the Information tribunal.

http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

The Information Commissioner's Office (ICO) is urging local authorities to protect residents from identity theft by restricting the amount of personal information, such as phone numbers and signatures, published on their websites.

The ICO has recently upheld a complaint by a member of the public against Perth and Kinross Council, which had published his signature on the Internet. Ken Macdonald, Assistant Commissioner for Scotland at the ICO, has written to all Scottish local authorities to remind them of their obligations under the Data Protection Act. Ken Macdonald said: "In an age where the threat of identity theft is increasingly real, individuals must be able to trust organisations to look after their personal information. Public authorities have a legal obligation to keep residents' personal information secure. In addition, individuals should be informed which elements of their personal information will be published on the Internet."

Local authorities have an obligation to publish certain information, such as details of planning applications or applications for various trading licences, some of which will include individuals' personal information. However, it is important that they do not publish other personal information unnecessarily as this may breach the Data Protection Act.

This time of year is one of the busiest for the Information Commissioner's Office Notification department, with renewals coming in thick and fast. Meanwhile new notifications from solicitors, accountants and employment agencies are still arriving in response to the recent targeting exercises in those sectors.

As part of a follow-up exercise the ICO will soon be focusing in more closely again on solicitors and accountants who have not got round to meeting their obligations under the Data Protection Act yet. Most organisations that process individuals' personal information electronically must notify as Data Controllers with the ICO. Failure to notify with the ICO can result in prosecution and fines.

Date: 14 September 2007
Northern Ireland Office found in breach of data protection
The ICO has found the Northern Ireland Office (NIO) in breach of the Data Protection Act after it failed to supply an individual with information it held on him.

The ICO investigated the NIO following a complaint from an individual that the authority had not responded to a subject access request. Under the Data Protection Act individuals have the right to find out what information an organisation holds on them.

The ICO has now required the NIO to sign a formal undertaking to ensure that all personal information is processed in accordance with the Data Protection Act. The NIO must also provide training to all employees who deal with subject access requests under the Act.

Date: Wednesday 25 July 2007
Chester man sentenced for defrauding businesses
A 37 year old man from Chester has been sentenced to 20 months in prison after pleading guilty to deceiving businesses into believing he was working on behalf of the Information Commissioner's Office and demanding businesses pay him a fee of between £95 and £135 to register under the Data Protection Act.

Simon Entwisle, Chief Operating Officer at the ICO, said: "We are very pleased with the outcome of this investigation. The ICO will continue to work with other authorities to bring people to justice who try to extort money from businesses in this way."

Date: 11 September 2007
The ICO has ordered two debt recovery companies to stop sending unwanted faxes to individuals and businesses. This action has been taken following hundreds of complaints to the ICO and the Fax Preference Service.

The ICO has issued Enforcement Notices against Clear Debt Solutions and ADC Organisation Ltd.

Failure to comply with the Enforcement Notices is a criminal offence.

Date: 30 August 2007
An ICO investigation found Weatherseal to be in breach of the Privacy & Electronic Communications Regulations after numerous complaints were received at both the ICO and the Telephone Preference Service. The Information Commissioner required the company to sign a formal undertaking to cease making unsolicited marketing calls in breach of the Regulations.

Weatherseal undertaking

Date: 15 August 2007
Following numerous complaints, an ICO investigation found Space Kitchens & Bedrooms to be in breach of the Regulations. The company agreed to sign an undertaking to cease breaching the Regulations.

Space Kitchens & Bedrooms undertaking

Date: 14 August 2007
A Letter of Understanding exists between the ICO and OFCOM. The purpose of this is to enable both organisations to use resources most effectively, strengthen mutual cooperation and adopt recognised good regulatory practice in PECR enforcement and related activity.

Letter of Understanding between the Office of Communications and the Information Commissioner's Office

When the Data Protection Act 1998 came into force in March 2000 a number of transitional relief arrangements were included in the legislation. These arrangements provided period of time for data controllers to bring their personal information handling practices and records fully in line with the 1998 Act.

The last of those transitional relief arrangement, which relates to certain manual (non-digitised) records created before 24 October 1998, including those held in structured manual filing systems expired at midnight on Tuesday 23 October.

The transitional relief meant that data controllers who processes data in that form were not bound by most of the requirements of the first five principles of the Act and individuals do not have a general right to go to court to correct inaccurate personal information.

The Data Protection Act 1998 now applies in full to all personal information covered by the Act and data controllers will need to ensure that the way they process personal information is compliant with all the provisions of the Act. Individuals will also have full rights to go to court to rectify any inaccurate information about them that pre-dates 24 October 1998 under Section 14 of the Act.

The Act does not require that data controllers digitise or computerise old manual records.

The ICO is preparing to launch its new approach to improving the dissemination of public information.

The results of a series of sector-specific workshops held over the past year in England, Wales and Northern Ireland have been collated and used to develop proposals for the revised ICO policy on proactive disclosure through publication schemes.

The policy will outline the three elements necessary for public disclosure;

• A model publication scheme developed and approved by the ICO. The model can be adopted wholesale and provides a simple means by which public authorities can proactively disclose information.
• A manual which will be sector-specific on the type of information that should be proactively disclosed.
• A commitment by public authorities to provide a means by which the information covered by the scheme can be easily identified and accessed

The new draft schemes will be released to public authorities for comment in mid November.

During the second quarter of the financial year 2007/2008 we received 659 complaints under the Freedom of Information Act and Environmental Information Regulations.

• 662 cases were closed;
• 99 decision notices were issued; and
• 39 appeals were received by the Information Tribunal in this period.

Decisions announced since publication of the summer edition of the e-newsletter include:

Case Ref: FS50082569
Public Authority: National Institute for Health and Clinical Excellence (NICE)
Summary: The complainant requested an executable version of the economic model used by NICE in its assessment of Donepezil, Rivastigmine, Galantamine and Memantine, drugs used to treat Alzheimer's. NICE refused to provide the information citing the exemptions in sections 36 and 41 of the Act. The Commissioner has decided that NICE appropriately relied upon section 41 when refusing to supply the information.

Case Ref: FS500143838
Public Authority: Dr IM Gilmour
The request was for a copy of the complete medical records of a deceased patient. The request was refused because the family of the deceased had expressly refused consent to disclose the information. In refusing the request the public authority failed to consider the request as a request for information under the Act and in doing so breached section 17 of the Act. However the Commissioner has concluded the information was exempt by virtue of section 41 of the Act.

Case Ref: FS50156208
Public Authority: Independent Police Complaints Commission ('the public authority')
The complainant asked for information from three complaint files relating complaints he had made about another public authority. The Commissioner concluded that the information would constitute the complainant's personal data if it were held and would therefore be exempt from the Freedom of Information Act.

Case Ref: FS50086299
Public Authority: Cabinet Office
The complainant asked the Cabinet Office for minutes, correspondence and any other information about meetings between the Multinational Chairman's Group and the Prime Minister and his officials. The Cabinet Office provided some of the information but withheld the rest as exempt under sections 35(1)(a) and 36 of the Freedom of Information Act 2000 ('the Act'). The Commissioner decided that the Cabinet Office failed to explain adequately which exemption applied. It also failed to assess the public interest test properly. The Commissioner decided that some of the information is exempt but that the Cabinet Office failed to disclose other information to which the public interest in disclosure outweighs the public interest in maintaining the exemptions. The Commissioner requires that the Cabinet Office disclose this information.

Case Ref: FS50075781
Public Authority: Financial Services Authority (FSA)
The complainant requested that the FSA provide him with the names of any companies it had identified as using inappropriate charges in setting premiums when selling endowment mortgages. The request was refused on the grounds that exemptions under section 31 (law enforcement), section 43 (commercial interests) and section 44 (statutory prohibition) applied. The Commissioner's decision is that the exemptions under sections 31 and 44 of the Act do not apply and that while the exemption under section 43 is applicable, the public interest in disclosing the information outweighs that of maintaining the exemption.

Case Ref: FS50123921
Public Authority: City of York Council
The complainant requested information from City of York Council relating to the early retirement of the Director of Commercial Services. The Council withheld this information on the grounds the information requested constituted the Director's personal data and to release it would be unfair to him. The Commissioner is satisfied that the Council was correct to apply the exemption in this case; he does not therefore require the Council to take any further steps in respect of this request.

Case Ref: FS50118873
Public Authority: Royal Mail
The complainant requested information from Royal Mail including statistics on the number of thefts of mail from private vehicles being used to deliver mail. Royal Mail disclosed some of the information requested but withheld the statistics of thefts under section 30 and found that the public interest lay in maintaining the exemption. The Commissioner found that section 30 was not engaged. The Commissioner requires Royal Mail to disclose the requested information within 35 calendar days from date of this notice.

The above decisions have been summarised for this newsletter, to read a more complete version of these and other decision notices go to the decision notices page of the ICO website.

Nottingham City Council receives recommendations regarding its records management practice.

At the request of the Information Commissioner's Office (ICO) and with the agreement of the council, the National Archives (TNA) conducted a review of records management practice at Nottingham City Council.

The subsequent practice recommendation issued by the ICO highlights a lack of records management strategy, policies, procedures and most significantly resources.

The ICO is aware that the council has begun to address some of the problems with TNA and has made a number of suggestions which should help improve performance.

In May 2007, the ICO issued Nottingham City Council with a practice recommendation in relation to its handling of FOI requests. The ICO will continue to monitor the council's request handling and records management functions and will assess its progress against the recommendations in six months.

We welcome your comments on our e-newsletter. If you have any comments or suggestions please e-mail websitefeedback@ico.gsi.gov.uk

Unsubscribe: To stop receiving the ICO e-newsletter please follow the link.