
Welcome to edition 8 of the Information Commissioner's e-newsletter.

This newsletter provides a round up of freedom of information and data protection developments and outlines information and guidance available from the Information Commissioner's Office (ICO).

 

Richard Thomas welcomes the government's commitment to strengthen the powers of the ICO

Richard Thomas, Information Commissioner

Commenting on the recent announcements by the government Richard Thomas said:

"I welcome the government's commitment to strengthen the powers of my Office - the ICO - enabling us to carry out inspections of organisations which collect and use personal information and to put in place new sanctions for the most serious breaches of data protection principles. These new arrangements will not be burdensome or onerous for organisations; they are a vital step to ensure there is proper protection for personal information. It goes without saying that it is essential that the ICO is properly resourced to discharge any new responsibilities effectively."

"Twenty five million records going missing from the HMRC is one of the most significant breaches in the history of data protection. This incident and its aftermath mark a turning point for data protection in the UK. Safeguarding large amounts of personal information - valuable assets for any organisation - has to be taken seriously from the top.

Privacy matters more than ever before, especially as so much of our personal information is now collected and shared. Public trust and confidence must be earned through tighter security and other data protection safeguards. Retaining trust and confidence also relies on organisations not collecting or sharing excessive information in the first place. I will expect government and other organisations to carry out rigorous privacy impact assessments before new large collections of data are stored or shared."

Data sharing review

In December 2007 the Prime Minister asked Richard Thomas and Dr Mark Walport, of the Wellcome Trust, to undertake a review of the sharing of personal information and the protections that. If you have a particular interest in information sharing, please complete the review questionnaire at http://www.justice.gov.uk/publications/data-sharing-review-consultation.htm

The deadline for completion is February 15.

ICO research - information rights

Individuals' awareness of their rights under the Data Protection Act has reached an all time high, according to new research published by the ICO (see our Annual track research here).

Ninety per cent of individuals know that they have a right to see information that an organisation holds about them compared to 74% three years ago. The nationwide survey reveals that 87% of individuals know they have the right to correct inaccurate personal information held about them - a 10% increase from three years ago.

The research highlights how protecting personal information is becoming an increasing concern for many individuals. Nine out of 10 adults worry that organisations are failing to keep their personal information secure while six in 10 believe they have lost control over the way their personal information is collected and processed. The research also shows that 94% of individuals are concerned that organisations are selling their personal details to other organisations without permission. People now consider protecting their personal information as the second most socially important issue above the NHS, national security and environmental issues.

Social networking - ICO web pages for young people


In November the ICO commissioned a survey of young people to help draw attention to its new web pages for young people and its recently published guidance about social networking web sites.

The survey found that 71% would not want a college, university or potential employer to conduct an internet search on them unless they could first remove content from social networking sites. However, almost six in 10 have never considered that what they put online now might be permanent and could be accessed years into the future. Two thirds (eight in 10 girls aged 16-17) accept people they don't know as 'friends' on social networking sites, and over half leave parts of their profile public specifically to attract new people. More than seven in 10 are not concerned that their personal profile can be viewed by strangers and 7% don't think privacy settings are important and actively want everyone to see their full profile.

ICO in Wales: Data sharing conference - 23 April 2008


Announcing the conference which is taking place in Llandrindod Wells, the ICO's assistant commissioner for Wales, Anne Jones said,

"Information sharing initiatives are on the increase all around, and undoubtedly add to public sector working efficiency. Recent high profile losses of personal information have heightened public concern around the issues, and have raised the stakes considerably. Yet organisational understanding of how to comply with data protection legislation and how to ensure adequate protection for personal information remains patchy.

Hosted by the Wales Regional Office, this one-day conference aimed at the public sector in Wales will raise awareness of the issues, provide practical advice on compliance with the Data Protection Act and provide an opportunity to learn about best practice from the experience of those already involved in information sharing. The day will be of value to both strategic managers and data protection practitioners."

For further information please contact wales@ico.gsi.gov.uk by the end of February.

How to complain: Data Protection Act, Freedom of Information Act and PECR

The ICO has published a series of 'When and how to complain' guides for individuals.

When and how to complain: data protection

When and how to complain: freedom of information

When and how to complain: PECR

Disability Equality scheme consultation

The ICO is committed to promoting equality and diversity in all we do. We want to eliminate barriers that prevent people accessing our services or enjoying employment opportunities within the ICO.

We are currently developing a Disability Equality Scheme, and are seeking feedback and views on our draft scheme. If you have any questions about the scheme or would like to comment on the draft, please contact us with the words 'Disability Equality Scheme' in the title of your letter or fax, or email deirdre.rogers@ico.gsi.gov.uk

Data Protection and PECR

 

Privacy impact assessments (PIA)

The ICO's privacy impact assessment (PIA) handbook was launched at the Surveillance society: turning debate into action conference in December.

Privacy Impact Assessments are a process of ensuring that privacy concerns are identified at the early stage of an initiative, so they can be addressed and so that safeguards can be built in rather than bolted on as an expensive afterthought. We have called for the use of these in the past with major public policy developments like ID cards. We have also reinforced the need for privacy impact assessments when we have given evidence to parliamentary enquiries and in our other publications such as the Information Sharing Framework Code of Practice.

Have a look at our Privacy impact assessment handbook here and try it out in your organisation - we are keen for feedback.

The study and handbook were developed for the Information Commissioner by an international team of experts coordinated by the University of Loughborough. This is groundbreaking work and has provoked much interest with some government departments already wanting to use it. We are eager to encourage use of the handbook and to learn the lesson of how well it works in practice.

Over the next year we are keen to work closely with those organisations using it so we can learn about their experiences and consider whether any amendments may be necessary. We want the PIA handbook to stand the test of time, so learning from early experiences and making any necessary revisions will be essential.

stephen.mccartney@ico.gsi.gov.uk

Privacy Impact assessments around the world

Details of a study on the use of PIAs around the world were also presented at the conference.

Privacy impact assessments around the world.

Surveillance society research report

The ICO commissioned a qualitative research study in September 2007 to explore the public's true concerns about surveillance. The research covered views on the gathering, recording, processing, monitoring, analysing, sorting and flow of personal information, and movements, lifestyle habits and behaviours.

Public opinion was sought on the effect of surveillance on privacy, society, levels of choice, power and empowerment, and also on what safeguards are necessary to control any perceived risks.

The results of the study will contribute to the public debate on the surveillance society and were presented at the 'Surveillance Society: Turning Debate into Action' conference on 11 December 2007.

A Surveillance Society: Summary of research
A Surveillance Society: Full research report

ICO launches new CCTV code of practice


Under powers granted by Parliament, the ICO launched its new CCTV code of practice at the House of Commons on 28 January. The code replaces one first issued in 2000.

The code outlines the key issues which organisations and businesses must consider when routinely capturing images of individuals on their CCTV equipment.

In recent research carried out by the ICO seven out of ten individuals said they oppose the idea of CCTV cameras which record their conversations and over half of individuals are not aware that the use of CCTV cameras is covered by the Data Protection Act.

Data protection officer conference: 10 March 2008

The ICO will be holding its Data Protection Officer conference on Monday 10 March 2008 in Manchester's Bridgewater Hall.

The event is targeted specifically at Data Protection Officers who deal with Data Protection Act compliance and practice issues in their organisations on a day-to-day basis. The conference aims to recognise the successes of Data Protection Officers in ensuring compliance with the Data Protection Act and will be an opportunity for individuals operating within these roles to share their experiences and best practice. We will also have speakers discussing key data protection issues on the day.

ICO approach to encryption


There have been a number of reports recently of laptop computers containing personal information being stolen from vehicles or dwellings, or left in inappropriate places, without being protected adequately.

The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action is likely to be pursued.

For more see Encryption - our views

Better data protection law - improved directive

The ICO will shortly be inviting bids to carry out research to establish views on the central features that an improved EU data protection directive should contain. More information about this project, including an invitation to tender, will appear on the ICO website later in February.

Scotland's eCare wins data protection award

Scotland's eCare has been recognised at an international awards ceremony on good practice in data protection. On Tuesday, 11 December, the Data Protection Agency of the Region of Madrid awarded the eCare framework one of two "special mention" awards. The aim of the annual prize is to expand the awareness of best practices in data protection by government bodies across Europe.

eCare is a partnership between the Scottish Government, Health Boards, Local Authorities and other agencies throughout Scotland to take forward electronic information sharing. Its core objective is to streamline information sharing activity between agencies to better improve the lives of those for whom they care.

For more details please visit www.scotland.gov.uk

Data protection - new guidance

The ICO issues guidance in the form of good practice notes, 'It's your information' notices and technical guidance notes. Since the last newsletter in November the ICO has published the following new guidance:

Good practice notes:

The purpose of a good practice note is to present organisations with data protection and freedom of information advice in a simple, easily understood form. The notes are written in plain English with no jargon. They are aimed at people who have limited time to absorb information about their obligations. The focus of the notes is often therefore quite narrow and will aim to address questions that are often asked of our helpline or advice teams.

It's your information.

These are the equivalent of a good practice note but are aimed at the public. They will not only cover individuals' rights but topics where the public may be concerned or want more information, perhaps because of press coverage of a particular issue.

Technical guidance notes.

These are aimed at anyone who may have a special interest or particular problem. They will often provide ICO's interpretation of the legal requirements in the legislation including exemptions and exceptions. They can also cover newly developing technologies.

Data protection enforcement and prosecution

25 January 2008
The Information Commissioner's Office has found Marks & Spencer PLC in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees. The ICO has now issued Marks & Spencer with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008.
Marks & Spencer enforcement notice

16 January 2008
The ICO has found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information.
View PDF of the Carphone Warehouse enforcement notice
TalkTalk Telecom enforcement notice

20 December 2007
Following the issuing of Enforcement Notices against four police forces in November, the Information Commissioner has now issued an Enforcement Notice against Greater Manchester Police requiring it to delete old conviction data.
Greater Manchester Police enforcement notice

11 December 2007
The ICO has required the Department of Health to sign a formal undertaking to comply with the principles of the Data Protection Act following an investigation into a security breach on the Medical Training Application Service (MTAS) website.

The ICO was alerted in May 2007 to the security breach which allowed for the sensitive personal details relating to junior doctors, including religious beliefs and sexual orientation, to be accessible to anyone using the site.

In order to protect against unauthorised access the Department of Health has been required to encrypt any personal data on their website which could cause distress to individuals if disclosed. Regular penetration and vulnerability testing must also be carried out on applications and systems to minimise unauthorised access. The Information Commissioner has also ruled that staff must be trained on compliance with the Data Protection Act.
Department of Health undertaking

13 November 2007
The ICO has required the Foreign and Commonwealth Office to sign a formal undertaking to comply with the principles of the Data Protection Act following an investigation into the online application facility for UK visas.

The ICO was alerted in May to a security breach on the VFS online visa application facility. The ICO immediately launched an investigation into the site. The security breach meant that the personal data of people applying for visas to enter the UK was visible to others visiting the website. The FCO cooperated fully with the ICO during the course of the investigation and provided the ICO with an independent report into the breach.

Foreign and Commonwealth Office undertaking

Data protection - prosecution

Section 55
An assistant bank manager who revealed the earnings of Scottish premier league football team players on a BBC website has been fined £400.

Robbie Hastie pleaded guilty at Edinburgh Sheriff Court to knowingly or recklessly disclosing the information without consent. Hastie was working for HBOS in Loanhead when he posted the information on a fans forum message board.

Privacy and Electronic Communications Regulations (PECR) enforcement

Unsolicited direct marketing faxes

14 November 2007
The ICO served an enforcement notice against Acorn Business Finance Ltd following numerous complaints about unsolicited faxes.

Acorn Business Finance Ltd enforcement notice

Notifications - Northern Irish barristers register with the ICO

A record 536 barristers in Northern Ireland are now registered as data controllers thanks to an initiative between the Information Commissioner's Office (ICO) and the Northern Ireland Bar Council. This initiative is a welcome move and has set a national precedent for organisations to recognise and comply with the Data Protection Act.

Under the Data Protection Act, organisations that process personal information about individuals must notify with the ICO, and if they fail to do so they can be prosecuted. To ensure every member of the Northern Irish Bar notifies, barristers can no longer obtain a practising certificate unless they notify with the Information Commissioner. As part of the initiative with the Bar Council the ICO produced registration packs which were completed by the Bar on behalf of its members.

Failure to notify: prosecution

A solicitor has been successfully prosecuted by the Information Commissioner's Office (ICO) for failing to notify under the Data Protection Act 1998.

Peter D Greenhalgh of Glossop was ordered to pay costs of £804 and given a six-month conditional discharge by Manchester City Magistrates Court.

Under the Data Protection Act, organisations and businesses across the country are required to notify with the Information Commissioner if they process information electronically which relates to individuals. The cost for notifying is £35 per year.

Freedom of Information and EIR

 

Freedom of Information publication schemes


The proposed new model scheme and definitions documents are available to view here: New model scheme and definitions document

The deadline for comments has been extended to 29 February.

Thank you to those who have already submitted comments. The overall response has been very positive and we have received invaluable input regarding class definitions.

It is not possible for us to reply to every submission; however, we will produce a report containing all of the comments we received and our response to them later in the year.

Every public authority subject to the Freedom of Information Act 2000 (FOIA) is required to adopt and maintain a publication scheme. A publication scheme is a commitment to routinely and proactively provide information to the public.

During 2007, the ICO held a series of workshops around the country with freedom of information practitioners in order to develop the new model publication scheme.

Freedom of information conference: 22 to 23 April 2008

Now in its fourth year, the London Conference presents sessions by leading experts on all aspects of compliance with the Freedom of Information Act and other related information legislation. There is a special panel discussion regarding managing the disclosure risk, which addresses risks associated with various confidential and commercially sensitive information held by organisations. On the second day, delegates attend individual workshops on specific aspects of freedom of information practice, allowing participants to focus on the areas that are most important for them and their organisations. Workshops at the 2008 Conference cover public sector data sharing, commercial contracts, confidentiality, handling complex requests for information, issues in the NHS, and information law issues in higher education.

Graham Smith, Deputy Information Commissioner, will deliver the keynote address: Freedom of information in practice: breaking bad habits and rising to new challenges

For more information on the conference, visit www.foiconference.co.uk

Freedom of information three years on - research

The Information Commissioner's Office is currently conducting the survey, Freedom of Information: Three Years On. The aim of the research is to understand how the Freedom of Information Act is working in practice, what public authorities' perceptions of the Act are and how they see it working in the future. The results will be published in March and the study will be compared with the findings from Freedom of Information: one year on and two years on.

Freedom of information case update

During the third quarter of the financial year 2007/2008 we received 556 complaints under the Freedom of Information Act and Environmental Information Regulations.

This diagram outlines FOI cases received and resolved up until the end of December 2007

ICO decision notices

For more details of all decision notices issued by the ICO go to the decision notices page of the ICO website. Some decisions announced since publication of the last e-newsletter include:

Date: 14 November 2007
Public Authority: Brighton and Hove Council
Summary: The complainant requested a copy of a waste management contract Brighton & Hove City Council has agreed with an independent waste management contractor. The BHCC withheld some sections of the contract on the basis that Regulation 12(5)(e) (commercial confidentiality of information) applied. The Commissioner's decision in this matter is that the BHCC has not dealt with the complainant's request in accordance with the Regulations in that some sections of the redacted information should have been supplied to the complainant.

View PDF of Decision Notice FER0073984

Date: 8 November 2007
Public Authority: London Borough of Camden
Summary: The complainant asked London Borough of Camden for a copy of all Community Housing Group properties under the local authority. In a further request the complainant asked various questions in relation to evictions. The Commissioner agrees with the Council's decision not to supply the information under section 40(2) of the Act and the reasoning applied by the Council.

View PDF of Decision Notice FS50115331

Date: 3 December 2007
Public Authority: Department for Culture Media and Sport
Summary: The complainant made a request for documents held in relation to the takeover of Manchester United. DCMS confirmed it held information relevant to the request but refused to disclose this as it related to the formulation of government policy and was legal advice and therefore exempt under sections 35 and 42 of the Act. The Commissioner investigated and found that section 35 was engaged but that the public interest in maintaining the exemption did not outweigh the public interest in disclosure of the information. The Commissioner also found that section 42 was not engaged as the information did not attract legal advice privilege. The Commissioner requires the public authority to disclose the information within 35 calendar days of this notice.

View PDF of Decision Notice FS50121684

Date: 19 December 2007
Public Authority: Her Majesty's Revenue and Customs (HMRC)
Summary: The complainant requested a copy of information provided by named personal representatives of the estate of an individual who died on 2 May 1991. In particular, the complainant requested a copy of the HMRC Account for the estate, and copies of corrective accounts that had been filed by the personal representatives. The public authority refused to disclose the requested information.

The Commissioner's decision is that the exemption provided in section 40 of the Act applied to prohibit disclosure of the requested information.

View PDF of Decision Notice FS50081722

Date: 8 January 2008
Public Authority: Home Office
Summary: The complainant made successive requests to the public authority for information relating to the Identity Cards Bill: the memorandum (and drafts) advising on European Convention of Human Rights obligations which were submitted to the Legislative Programme Committee of the Cabinet; background briefing papers for Ministers in response to amendments tabled by opposition parties at the Committee Stage; and similar information at the Report Stage. The public authority withheld the information, citing section 35(1)(a) of the Freedom of Information Act 2000 ('the Act') for all of the requests; section 42 for the first and second requests; and section 36(2)(b)(i) for part of the second request. The Commissioner concluded that all of the information in the second request fell within section 35 so that section 36(2)(b)(i) was not engaged. He decided that the information in all three requests had been properly withheld under section 35(1)(a) because the public interest in maintaining the exemption outweighed the public interest in disclosure.

View PDF of Decision Notice FS50097518

Date: 8 January 2008
Public Authority: Information Commissioner's Office
Summary: The complainant made a request to the Information Commissioner's Office for the postcodes of all employees at the ICO. The ICO disclosed to the complainant the first half of the postcode but refused to disclose the second half under section 40(2) of the Act, 'personal data'. The Commissioner has investigated and found that the information withheld is personal data, that disclosure would breach the first data protection principle, and that it was therefore exempt under section 40(2) of the Act.

View PDF of Decision Notice FS50169424

Date: 14 January 2008
Public Authority: Mersey Care NHS Trust
Summary: The complainant requested copies of five critical incident reports from the Trust. Each of the reports referred to is the final report of an internal inquiry carried out by the Trust following a murder involving one of its patients. The public authority declined to provide the information on the basis of the exemptions contained in sections 40(3)(a), 41 and 36(2)(c) of the Freedom of Information Act 2000 (FOIA). After considering the case the Commissioner upheld the Public Authority's decision to withhold the information under section 40(3)(a) of the FOIA.

View PDF of Decision Notice FS50130130

Date: 16 January 2008
Public Authority: House of Commons
Summary: The complainant asked for full details, including receipts and invoices, of spending by Tony Blair, John Prescott, Gordon Brown, Michael Howard, Charles Kennedy and Jonathan Sayeed during the year 2003 - 2004. The House of Commons refused the request on the grounds that it is the personal data of the MPs concerned and that disclosure would be unfair and present a security risk. The Commissioner decided that although the information is the personal data of the named MPs and a number of other third parties, disclosure of some of the information would not be unfair and therefore would not breach section 40(2) of the Act.

View PDF of Decision Notice FS50083202 and FS50134623

Feedback

We welcome your comments on our e-newsletter. If you have any comments or suggestions please e-mail websitefeedback@ico.gsi.gov.uk


The ICO is the UK's independent public body. We promote access to official information and protect personal information.

We enforce the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations, regulating the organisations that come within their remits.

We provide guidance to organisations and individuals to promote awareness of information rights and obligations, ensure compliance with the law and encourage good practice.

We rule on eligible complaints and can take action when the law is broken.