Uni rapped for Data Protection breach

Prof Alan Gilbert

The University of Manchester has landed itself in trouble with the Information Commissioner’s Office (ICO) after a staff member’s blunder resulted in the personal deatils of more than 1,700 students being e-mailed to 469 other students.

The university’s vice-chancellor Prof Alan Gilbert has now had to sign a formal undertaking to improve data security to ensure that a similar incident does not occur in the future.

The formal undertaking (link) reveals that a chain of mistakes within the University led to the e-mail being sent out to students.

It says: “The Information Commissioner was provided with a report from the data controller, regarding the accidental publication of a computerised spreadsheet which contained the personal data of some 1,755 students.

This data included information relating to certain students ‘disabilities’ (“sensitive personal data” as defined by the Act). The information was published when a member of the University staff accidentally sent it as an attachment to an email, forwarded to some 469 students.

The information accidentally published was forwarded to the staff member by a colleague, when they had requested a list of the email addresses of certain students.

An extract of the full student record was provided, despite the fact that the staff member had no business need to acquire the full information, which included “sensitive personal information”. This was due to a fault in the relevant procedure, which has since been addressed.

The data controller did not on this occasion ensure adequate measures were taken, including ensuring compliance with training and procedures, to prevent the inappropriate internal transfer of the information, and its subsequent publication via the email attachment.

The Commissioner has taken into account the fact that the personal data in question related to details of disability, and could therefore potentially result in significant distress being caused to the individuals concerned.”

Mick Gorrill, Assistant Information Commissioner at the ICO, said: “The Data Protection Act clearly states that organisations, including universities, must take appropriate measures to ensure that personal information is kept secure. This case reinforces the importance that only those authorised should have access to sensitive personal information such as a student’s disabilities and other health details. Despite the absence of a justifiable reason, the staff member was able to access the information and send it to students and peers which could cause significant distress to individuals concerned.

“Under the Data Protection Act, organisations must ensure that their policies on the transfer, sharing and publication of personal information are adequate and that staff members are aware and understand those policies. Manchester University recognises the seriousness of this case and has agreed to take immediate remedial action.”

Richard Thomas dodges the dole queue

Memo to new staff: "Don't mention the veto"

For those readers of FoINews who have been e-mailing me concerned at the future job prospects of the outgoing Information Commissioner Richard Thomas, I have good news.

The fall out over the Ministerial Veto has obviously been brushed over as Mr Thomas has been given a new job under the umbrella of the Ministry of Justice - and was appointed by the Jack Straw. No hard feelings there then.

When Mr Thomas leaves the hot seat at the Information Commissioner’s Office at the end of June he will hop into the top seat at the newly formed Administrative Justice and Tribunals Council.

Mr Thomas, who has been given a four-year appointment in the post, said: “The Administrative Justice and Tribunals Council has a key role in improving public justice – promoting confidence in the arrangements for resolving disputes between citizens and the public sector.

‘I am looking forward to taking up this role and carrying forward the excellent start which the Council has made under Lord Newton’s leadership.’

(link)

You’ll have to Imagine what’s in my files

What would John have made of the use of S.23 combined with S.24

The Metropolitan Police Service (MPS) has received a dressing down over the way it dealt with a Freedom of Information request relating to files it holds on John Lennon.

A recent decision notice (link) from the Information Commissioner raps the MPS for failing to deal with the request properly and not coming up with any justification for the exemptions it claimed related to the material.

The saga began in September 2006 when a woman asked for all the information from the John Lennon files which were held by Special Branch. The former Beatle, who was shot by a crazed fan in New York 25 years ago, was known to have been on the radar of the security services in the 1960s because of his left-wing views.

MPS decision makers refused to confirm or deny if it held the information claiming it would be covered by S.23 (information to security bodies), S.24 (national security), S.31 (law enforcement), S.38 (health and safety) and S.40 (personal information).

In a damning verdict of the way the MPS processed the request the Information Commissioner has now ordered the force to state if it holds the information.

The Information Commissioner says: “In the absence of any explanation from the public authority, either at the refusal notice or internal review stage, or in its correspondence with the Commissioner, as to its reasoning for why these exemptions are engaged or, in relation to why the public interest favours the maintenance of these exemptions….. the Commissioner concludes that these exemptions are not engaged.

“The Commissioner also finds that the public authority failed to comply with procedural requirements……… through its inadequate handling of the request. The public authority is required……. to provide a confirmation or denial of whether it holds information falling within the scope of the request.”

The decision notice makes clear that just because the material in question is held by a security force does not necessarily mean that it is covered by S.23 or S.24. The MPS had four opportunities to explain why the information was covered by the exemptions but did not appear to make an attempt to provide a reasoning for its decision, the Information Commissioner said.

Click here for YouTube footage of the news reports from the day Lennon was shot.

Police protection from beyond the grave

Police informants will get protection even after they die

Police informants will have their names protected from disclosure even after they have died, an Information Tribunal has ruled.

 

The decision (link) makes clear that police “grasses” need to be guaranteed anonymity beyond the grave or they would never come forward in the first place.

The Tribunal heard evidence from senior officers at the Metropolitan Police Service (MPS) saying that disclosure of the names of informants from the 19^th century still created a knock-on risk to modern-day policing.

The MPS were against releasing the names of the individuals, which were held in old police ledgers, stating the information was exempt from disclosure under S.30 (investigations).

In the original case before the Information Commissioner the MPS had said: “Informants expect their identities to be protected indefinitely. If we are unable to reassure them of total anonymity because of possible release under the Freedom of Information Act, the MPS will not be able to recruit future or sustain current informants.  

“Agreeing to become an agent or informant is a major step of trust often involving the informant taking physical risk, in betrayal of his own country, family, colleagues and sometimes in feelings of shame or guilt.

 “It is difficult to persuade potential agents to take this step and they have to be reassured that no one will ever know what they have done. We believe it is important and that nothing should be done to undermine the confidence of current and potential agents around security and intelligence services keeping identities secret. It would be a major deterrent to some potential agents if they thought their role might be revealed even long after the event.“

The original request for information was made in July 2005 by Mr Alex Butterworth, a historian and author, who was researching European anarchists of the 1880s and 1890s. He knew of the existence of the informants’ ledgers because a Dr L Clutterbuck, a retired Special Branch Officer, had referred to them in his doctoral thesis, completed some years ago, on policing Fenian terrorism.

Roger Pearce, a former Commander of Special Branch, gave evidence to the Tribunal and stated the groups from which informants were drawn were generally subject to an atmosphere of “absolute paranoia”. This strengthened the need to ensure that the necessary element of trust and confidence existed between a handler and the informant.

The Tribunal overturned the Information Commissioner’s original decision that the material should be released stating there was a “overriding if not exceptional public interest” in maintaining the S.30 exemption. It ruled that Mr Butterworth should be able to see the information in the ledgers but that all the names in them should be redacted.

Editor’s note: A strange case here that has taken almost four years to resolve. Much of the MPS’s difficulties in this case were caused by the rather ad-hoc way they had allowed access to documents before the FoI Act came into place. Its arguments were rather undermined in the case before the Commissioner in that they had allowed its former employee access to the documents.

Prof puts MoD data in the spotlight

Professor Alasdair Roberts

An academic who has made a study of all the information requests made to the Ministry of Defence (MoD) has spotted some interesting changes from the birth of FoI in January 2005.

Law and Public Policy professor Alasdair Roberts, of Suffolk University, in Boston, USA, looked at the data relating to 15,627 FoI requests logged with the MoD in the four years since the introduction of the Act.

His analysis uncovered:

• The number of requests has gradually been falling from the initial peak in 2005 and the decline is most marked among private individuals - he says this could be down to “growing awareness of the complexity of the law has discouraged requests”.
• MoD officials had a “Quick Response” category where answers were supposed to be dished out speedily - MPs and Peers had “Quick Response” stamped on 64% of their requests and were top of the table. Bottom of the pile came journalists who had “Quick Response” on just 32% of requests. However, the analysis showed that the allocation of the “Quick Response” tag didn’t count for much as MPs questions took on average 30 days to process while journalists took 32.
• For 2007 and 2008 the data showed the MoD made a full release of information in 60% of cases.
• Questions that resulted in the partial release of data took more time than any other and averaged 42 days. Partial release responses to journalists took 98 days and to lawyers took 63 days.

In the conclusion to the report, which can be downloaded, Professor Roberts says: “This research note is primarily intended to provide an illustration of the kind of analysis that can be undertaken with FOIA processing data extracted from FOIA management systems used by major government departments and released under FOIA.

 “This sort of analysis can contribute to a better public understanding of the ways in which the law works; and cultivate debate by raising interesting questions about the operation of the law.

 “In this note, for example, we have seen evidence of interesting secular trends — such as the suggestion of a change in the volume of requests, changes in processing time, and changes in the mix of requester types.

 “We have also seen some evidence that different applicants may have different experiences of FOIA administration even within one department. Of course, there are many ways in which this analysis might be improved.

 “Statistical tests could be added to determine the significance of some apparent differences and trends in FOIA administration. Data from other ministries might also be added; and the MoD data set could be supplemented with other forms of FOIA processing data.

 “Of course it is also possible to complement the quantitative analysis with qualitative analysis, including a review of interpretations put on this data by FOIA requesters and FOIA administrators.”

 Editor’s note: So much for the MoD being blind to who is making the request. ‘Quick Response’, who decides if a question gets that stamped on it? But I don’t want to attack the MoD as my experience is that of all the Government departments they are the fairest and most professional when it comes to FoI requests. Heaven knows what this study would have looked like if it had been using data from the National Offender Management Unit at the Ministry of Justice!

Password blunder blamed for prison data breach

The missing memory card mysteriously vanished in the prison

Another health trust has been blamed for losing the sensitive medical details of its patients - this time the records of 6,360 prisoners and ex-prisoners which were put on to a memory stick.

The health trust in question - NHS Central Lancashire - has blamed the mistake on “human error”. Its report into the matter found that the memory stick was encrypted but the password was written on a note attached to the card.

The USB stick was being used to back up clinical databases at HMP Preston when it was lost on 30 December. Despite a search the stick has not been found.

NHS Central Lancashire said procedures on data security had not been adhered to but that it had now taken action to remind staff of their responsibilities.

Prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times and review dates were all included in the information.

An “immediate and urgent” review of data policies was undertaken to ensure consistency regarding the use of USBs after the incident, the trust said.

All data sticks across the PCT were recalled and staff were reminded how to handle personal and sensitive information of patients and employees.

The Trust’s chief executive Joe Rafferty said: “There was a failure in the system which led to this incident happening and we have taken steps to make sure this doesn’t happen again.

“We are pleased that the Information Commissioner’s Office has recognised the swift action taken by NHS Central Lancashire following the information security breach and that, as a result, at present no formal action will be taken.”

Editor’s note: Yet another example of a health trust managing to lose its patients’ data (see previous post ‘Carers careless…..). I suspect they will not learn until somebody sues them for it, and then they will realise there are financial implications to their incompetence. For an example of how even a relatively small health trust will try to spin the facts have a look at its press release (link). Please post any suggestions that the password might have been. Fletch? Porridge? Doh?

Flight of fancy shot down by ICO

The CAA has responsibility for ensuring air safety in the UK

Two safety audit reports on a cargo airline should be released into the public domain despite pleas from the Civil Aviation Authority (CAA) that the documents should be kept confidential.

 

In a recent decision notice (link) the Information Commissioner’s Office ruled the CAA has incorrectly applied a S.31 (law enforcement) exemption to the information when a request to view the documents had been lodged under the Freedom of Information Act.

The original request, which was made more than two years ago, asked the CAA to hand over a copy of the safety audit report it had compiled on MK Airlines.

The CAA refused claiming the information was covered by the S.31 exemption in that its disclosure would be likely to prejudice its functions.

Basically the CAA said that it has responsibilities and authority under the Civil Aviation Act and the Air Navigation Act. It said that if the information were disclosed then other airlines and organisations it came into contact with would be less likely to co-operate and this erosion of trust would ultimately lead to the CAA being less likely to carry out its responsibilities properly.

However, the ICO rejected these arguments. Once again he reverted back to the Information Tribunal’s assessment of “likely to prejudice” from the decision of John Connor Press Associates v Information Commissioner (link) in which it was stated it should be a “real and significant risk” rather than a “hypothetical possibility”.

It said that the CAA had shown no clear evidence of the prejudice that it might suffer and that it was in the interest of airlines to co-operate with the CAA because they have to if they want to get a licence. The Commissioner also said that the CAA did not need the co-operation of the airlines but could compel them to provide information or risk losing their operators licence.

The Commissioner ruled S.31 was not engaged and did not even then go on to consider the public interest test.

He said: “The ability of the public authority to ascertain the competence of persons purporting to be airline operators or investigate and subsequently confirm the competence of current airline operators is embodied in the regulatory powers……

“It follows therefore that it is in the best interests of persons intending to become, or continue as airline operators to comply with specific requirements, and meet or maintain set standards.

“The trust and openness between the public authority and the aviation industry in this respect is one which is beneficial to both parties, and more so to airline operators or they risk losing their licence.

“In the face of the suggestion that disclosure could result in a lack of openess, the Commissioner is still not persuaded that this would be likely to prejudice the public authority’s ability to exercise its functions………. As noted above, the public authority could compel MK Airlines to provide it with the necessary information to enable it ascertain its suitability as an air operator or risk losing its air operator licence.”

Editor’s note: Once again a public authority found guilty for slapping an exemption on without any real thought of what the prejudice might actually be and how it might occur. The simple fact of the matter is that airlines HAVE to co-operate with the CAA if they want to keep flying. The fact these reports may now become public knowledge has the potential to embarrass both sides but that is not an exemption. This has important consequences for other public authorities, particularly police forces, who must show how they will be prejudiced if they want to apply an exemption.

Uni database to be opened to public scrutiny

The student accommodation didn't quite look like the brochure pictures

A database which holds details on the state of repair of every university building and the cost of upgrading them will be opened up to public inspection following a decision by the Information Commissioner.

The Higher Education Funding Council for England (HEFCE) has failed in a bid to keep the database secret on the basis it was exempt from disclosure under S.41 (breach of confidence) of the Freedom of Information Act.

Following an appeal to the Information Commissioner’s Office (ICO) a decision notice (link) has been issued stating release of the information would not be an actionable breach of confidence.

The appeal was linked to a complex request for information about statistics held on a database by the HEFCE that were provided to it by all Higher Education Institutions in England.

In the database property such as halls of residences, lecture theatres and libraries have been categorised on a sliding scale from Condition A to Condition D. These results are then fed from the institutions to the HEFCE which maintains the database.

The HEFCE said that it could not give the information to the applicant as to do so would be a breach of confidence.

Following a protracted exchange between the ICO and HEFCE the Information Commissioner decided the data had the quality and obligation of confidence but refused to accept that release would result in a detriment to the bodies that supply the statistics.

The HEFCE successfully argued there was an obligation of confidence as its documents sent out to universities and colleges stated: “The Funding Council treat all information they receive from individual institutions as confidential unless it is collected specifically for publication.”

But the HEFCE’s arguments on detriment met with less favour. It claimed release of the data would:

• Undermine its own database as institutions would no longer submit statistics - The ICO said this argument was “tenuous” and he “was not convinced”.
• Individual institutions might find it harder to recruit staff and students if their reputation was damaged by the publication of the data  - The ICO said the information was “high level statistical data” which in his opinion was too high for an inference to be drawn which would impact on a university’s ability to recruit staff and students.
• Institutions could end up besieged by approaches from suppliers offering their services to upgrade and repair their buildings - the ICO refused to accept this argument and even noted that the HEFCE agreed some universities might even benefit from this process.

In conclusion the Information Commissioner said: “Therefore after considering the arguments and evidence presented by the HEFCE the Commissioner does not believe that the disclosure of the information requested in this case would have a detrimental impact on the interests of the confiders. As such he is not persuaded that the disclosure of this information would result in an actionable breach of confidence. For that reason he does not believe that section 41 is engaged.”

Editor’s Note: This decision notice brings up some interesting points, particularly when viewed alongside the other recent S.41 exemption ruling in the case of the Department of Business, Enterprise and Regulatory Reform (BERR). See my post on the subject ‘The answer to the question…’ In this case the Commissioner accepts that an obligation of confidence is created by the wording associated with the documentation that is part of the disclosure process. However, he sees above this and rules that there is no real detriment to the institutions so no actionable breach of confidence exists. This is important because it means any organisation that holds third party data cannot rely on S.41 any more without looking into the specifics of what the data is. My own experience of this is that organisations often employ S.41 on the basis they know the third party would rather they didn’t reveal the information but without examining if a genuine detriment would occur and then failing to establish if there was a public interest, under breach of confidence, for that bond to be broken.

Court battle looms over sex offenders’ addresses

Child sex killer Stuart Leggate: Would you want to know if he moved into your road?

An important test case looks set to be heading to the Court of Session in Scotland in relation to the disclosure of where paedophiles are housed.

Three Scottish Housing Associations have been trying to use the Act to establish if they have become “dumping grounds” for sex offenders when they are released from prison.

Requests to Strathclyde Police and then the Scottish Information Commissioner have been refused on the basis that disclosure would be a breach under the Data Protection Act of the individuals’ personal data.

The Housing Associations argue that they do not want exact addresses but postcodes so it can be seen if such individuals are being foisted on to them.

The Associations say accurate data on the subject would allow a more informed debate about the topic of how and where paedophiles are housed.

It is believed the Associations have been attempting to get hold of the statistical data since the 2004 murder of schoolboy Mark Cummings in Royston, Glasgow, by Stuart Leggate, who had previous convictions for sexually assaulting children and was on the sex offenders’ register (link).

For more details on the case see the following article from The Herald (link).

Editor’s note: In the early days of FoI in England my successful appeal ended with police forces in England increasing the geographical data they gave out about sex offenders (link). However, it is still very wide and nowhere near as specific as the Housing Associations in this case are requesting. I understand the concerns about vigilante attacks but if you were a parent living in this accommodation or an official tasked with housing families wouldn’t you like to know who the neighbours are?

Police ticked off for “catalogue of failings”

When was it that I lodged that appeal with GMP?

 

Read the rest of this entry »