Working with our public sector partners towards informed compliance

Welcome to the December issue of the Information Agenda from P-PACT

Well, we said back in January that 2010 should be a critical year for IG - and that's exactly the way it's turned out.

The size and scope of fines for breaches of the Data Protection Act were finally clarified, making it into law just before Parliament was dissolved. A few months later the first six-figure penalty hit and (as discussed below) a public authority was the recipient.

A new government arrived in May with a renewed focus on openness and accountability. A powerful new office within the Cabinet Office is directing activities, and disclosures across central and local government are coming thick and fast. The focus is very much on expenditure and value for money, a key theme in 2010 to say the least!

Colleagues in the health service have seen the arrival of the most detailed and prescriptive IG Toolkit to date. While the precise future of the Toolkit remains uncertain, we have seen a very considerable increase in the uptake of our courses for SIROs and Information Asset Administrators, the most popular being those we hold in house for all those involved from a single organisation. Information risk has a very high profile at the moment and this is bound to continue to be the case in 2011.

More information about all our training courses including the new programme for the spring of 2011 can be found at www.publicpartners.org/learning

Those in higher education have seen the fallout from the University of East Anglia's leaked climate research emails raise the profile of FOI. We've all seen the perils of inadequate data security. A steady stream of press releases from the ICO has criticised one institution after another for data failings. Meanwhile many thousands of classified US diplomatic documents have found their way onto the Web via the Wikileaks Website - all thanks to one disgruntled government employee. Unsurprisingly IT security and access rights are being reviewed across Whitehall!

It's been a landmark year, then, though there's barely time to reflect as we approach 2011. As always, the information agenda moves on relentlessly.

Case law and media watch

The first six-figure DPA fine arrives...

In 2008 framework legislation was put in place to empower the Information Commissioner to levy substantial fines for 'serious' breaches of the DPA.

Statutory guidelines on the application of these fines were drawn up by the ICO and became law in April this year. In November the first tranche of fines was issued for offences committed after April 6th.

Just to recap – fines may be levied where:

  • There has been a serious contravention of the DPA. That means losing or misusing personal data. The ICO says that seriousness may be measured by 'the nature of the personal data concerned (or) the number of individuals ... affected'.
  • The contravention would be likely to cause substantial damage or distress to the individuals affected. This includes worry and anxiety.
  • The data controller knew or ought to have known that there was a risk that the contravention might occur and failed to take reasonable steps to prevent it.

Fines may be up to £500,000, with the quantum influenced by aggravating or mitigating factors.

Unquestionably the most significant of the November fines was a penalty of £100,000 levied against Hertfordshire County Council (HCC) for sending two faxes containing sensitive personal data to the wrong numbers. Frankly, it's sent shockwaves through the public sector.

HCC's first offence was to send documents related to a child sex abuse case to a member of the public rather than their barristers. It seems that the phone number was input manually (digit by digit) and the wrong STD code was used. In addition the responsible staff member failed to use a fax-header sheet which would have explained to the recipient what to do on receipt of a misdirected fax.

HCC took immediate action to correct its processes, but this was inadequate and, incredibly, just two weeks later another member of staff sent a fax related to care proceedings to another wrong number. Yet again the number was manually input, though a fax-header sheet was used this time and the data was destroyed by the recipient before it was read.

The ICO justified a six-figure fine by confirming that:

  • The data concerned was highly confidential
  • The disclosure was certain to cause distress to vulnerable individuals
  • Remedial actions taken after the first incident were inadequate

A very direct message, then, that the penalties for carelessness in handling personal data may be severe. Organisational processes must be robust and clearly communicated. Messages to staff on security must be frequent and unambiguous.

Implications for faxing personal data

One part of the ICO's Monetary Penalty Notice to HCC that should become required reading for all IG practitioners is clear advice on best practice in sending sensitive faxes. The following points are all worth repeating:

  • Preset (autodial) numbers should be used in preference to manual dialling. Numbers should be audited for accuracy.
  • Fax-header sheets must always be used explaining to recipients what to do if a message is received in error.
  • With especially sensitive material staff should phone ahead (to indicate a fax will be sent) and make sure that they get confirmation of receipt.
  • A log of secure faxes in and out should be kept.

If these safeguards don't form the basis of your fax policy it's time to review it. The ICO's clarity leaves little room for debate.

FOI s40 (2)

The Information Tribunal has just wrapped up a case considering (yet again) the disclosure of third party personal data and the application of s40 (2) of the Freedom of Information Act.

The case concerned a request to disclose the names of police officers who had attended meetings with organisers of fox hunts on the Isle of Wight. The officers had apparently attended in a professional capacity in order to discuss supervision of the hunts. The Tribunal considered where the boundary between legitimate disclosure of professional activity and infringement of privacy lay. As always in s40 (2) considerations of this kind, Data Protection Principle One was key. The Tribunal found that disclosure would not be 'fair and lawful' as it would expose officers to the 'substantial risk' of harassment from anti-hunt campaigners. It was credible evidence of harassment that swung the Tribunal here, convincing them that officers would genuinely see their home lives impacted by disclosure. As we always say when dealing with the Regulator - evidence is the most persuasive tool.

FOI s12 – Clarity from the Information Tribunal

Another Tribunal case on FOI concluded in late November. This one raised a couple of points to note for those considering engaging s12 of the Act - that's the exemption that applies when compliance with a request exceeds the statutory cost ceiling (£450 for most of us).

In this case documents from a police investigation were requested. As it turned out the documents were stored chaotically across 26 unnumbered boxes, with no index. It was estimated that manually searching all the containers would take over 18 hours and s12 was applied. The Tribunal agreed with this, noting along the way that:

  • Any estimate of costs must be 'sensible, realistic and supported by cogent evidence'.
  • Once s12 is engaged there is no reason to search up to the limit. If responding to the whole request would cost more than £450 then there is no duty to complete any part of it.

So does this mean that keeping old records in disarray excuses a public authority from FOI compliance? The Tribunal was critical of the chaotic filing arrangements, saying it was 'astonished'. Interestingly, the judgment also offered advice to the appellant on how she could apply for the information under the Data Protection Act and secured a commitment that none of the boxes would be destroyed for at least two years to allow her to seek access again. The public authority won the argument, then, but may well end up having to release the data anyway.

Compliance update

FOI 2.0?

The ICO has coined a phrase to welcome the government's new transparency initiative in publishing central government spending over £25,000. He's called it FOI version 2.0.

It's a catchy tagline that was widely picked up by the media. Web 2.0 of course is about a user-centred experience that supports collaboration, dialogue and interaction. The ICO clearly sees proactive mass data release of this kind as having the potential to achieve a similar impact. Who will use the data and what value will they get from it though? We're unlikely to know for some time, but for now the Government and the regulator seem to be on the same page about FOI 2.0.

BSI Web accessibility standard

There's news from the BSI on the publication of a new standard. BS 8878 is a Web accessibility code of practice. It is a non-technical standard that instructs organisations on the policies and processes they should follow when seeking to make their websites fully accessible to disabled users.

It supports compliance with the Equality Act 2010 and should enable public web communications to reach the widest possible audience. A welcome development then.

Information security news

Still not got the message on encryption?

Organisations and individuals still seem to take excessive risks with sensitive personal data and continue to fall foul of the ICO. The message with digital data in transit is very clear though – encryption is the only way.

Stoke-on-Trent City Council is the latest public authority to sign an undertaking with the Information Commissioner. A Council employee lost a memory stick containing information on 40 looked-after children including court reports and care proceedings documents. It was unencrypted and not even password protected.

Following up the ICO's censure, the Council has taken rapid action to implement encryption and train staff.

If you're wondering how the Council escaped a fine, the incident occurred just before the ICO's new powers became law. It seems certain that a day or two later and Stoke-on-Trent City Council would have been facing a hefty payout.

What's next?

Disclosure rules and the private sector

Extending the reach of public sector disclosure rules to private and voluntary sector bodies providing services of a public nature has been a topic of debate for some time. Two recent developments take the debate forward a little bit...

In late November the Information Tribunal confirmed that water companies are not subject to the EIR. It was argued that, although private (and shareholder owned), water companies 'exercise environmental responsibilities under the control of a public body' under the terms of the EIR.

The judgement is long and technical but rules clearly that water companies (and by implication other privatised utilities) do not meet the criteria to be covered by the Regulations.

On another front, the Scottish CBI has lashed out powerfully at a proposal to extend the Scottish FOI Act directly to private businesses providing public services, arguing that 'At a time when public finances are so tight, and efficiency and innovation in the delivery of our public services ought to be at a premium, private sector provision ought to be supported and extended, not made more difficult'.

The Scottish ICO made a sensible counter argument though saying "Billions of pounds are being spent from the public purse to pay contractors to provide health, education and prison services. It is reasonable to expect them to respond to requests for information about what they are delivering". Both views have merit and the Scottish Parliament will ultimately decide.

Happy Christmas from the ICO!

Don't let anyone accuse the ICO of not entering into the spirit of the season. A recent press release reminded us all that 'The Data Protection Act does not prevent family and friends from taking photographs at school concerts or plays this Christmas'. Thank goodness for that!

On a serious note though, the press release was accompanied by a short, but useful guidance note on taking photographs in schools - which is not just relevant at Christmas.

Best wishes for the festive season and the coming year from all of us at P-PACT. The next Information Agenda will reach you early in February 2011.

With very best wishes

Christine

Christine Gifford and the team at P-PACT
