Leveson: What future for Data Protection?

LevesonThe Leveson Report has finally been published.

The Report recommends that a tougher form of self-regulation backed by legislation should be introduced to uphold press standards. Much has already been written (http://www.bbc.co.uk/news/uk-20543936) and will continue to be written about this central recommendation and whether it is good or bad for democracy and a free press. But amid the furore about whether the Prime Minister should or should not accept the central recommendation, it is easy to forget that the report will also have implications for Data Protection Act and the Information Commissioner.

One of the areas that Lord Justice Leveson was required to consider was ‘the extent to which the current policy and regulatory framework has failed, including in relation to data protection’.

I started writing a blog post on the way back from London, and got as far as the above, when an e mail from the good people at 11KBW  (Panopticon Blog) landed in my inbox.

On well if you can’t beat them, read them! Here is their excellent analysis of the DP recommendations of Leveson:

http://www.panopticonblog.com/2012/11/29/leveson-inquiry-report-spotlight-on-proposed-data-protection-reforms/

I was only training round the corner and passed the QE2 centre where LJ Leveson was giving his press conference. Perhaps, I should have camped out overnight to beat the Panopticon Team?

FOI and Datasets: Draft Code of Practice

The Protection of Freedoms Act will amend the Freedom of Information Act 2000 so that in the future public authorities will have greater obligations in relation to the release and publication of datasets. The key points of Section 102 of the Act (which amend section 11 of FOI) are:

  • There will be a new duty on public authorities, when releasing datasets, to adhere to any request to do so in electronic form which allows their re-use where reasonably practicable.
  • Any dataset containing copyright material (where the authority holds the copyright) must be made available for re-use under a specified licence.
  • Publication schemes will in future contain a requirement to publish datasets, which have been requested, as well as any updated versions.
  • Such datasets will also have to be published in an electronic form capable of re use and any copyright material must be available for re use in accordance with the terms of a specified licence.
  • Public authorities will be able to charge a fee for allowing re use of any datasets containing copyright material.

These provisions are likely to come into force in April 2013.  If you want to know more read Ibrahim Hasan’s detailed article

A recently launched mobile phone application provides a useful insight into what could be possible if public authority datasets are fully exploited. (Read about Fearsquare).

New Draft Code and Licenses

The Government recently began an online consultation about a new set of guidance to accompany the new dataset provisions. This includes a new Code of Practice (datasets), which will sit alongside the existing Section 45 Code of Practice under FOI. The new draft code also outlines the licensing framework which public authorities must use when making copyright material within datasets available for re-use.

The new draft Code of Practice (datasets) aims to make it clear as to what is meant by the terms set out in the new provisions in the FOI Act. For example, what is meant by “an electronic form which is capable of re-use” or a “re-usable format” for the purposes of the Act.

The consultation is the first I have seen where the Government is using a “crowdsourcing” method. Responders can see, in real time, what other peoples’ views on the draft code are as opposed to submitting their views to an email address and then waiting for the summary of responses to be published after the consultation is over. The aim is to enable responders to have a conversation with each other as to whether a particular paragraph, sentence or word in the new code could be improved upon.

The new code contains three standard licences available to public authorities when allowing re use of copyright material contained in a dataset which is disclosed under FOI. The first two are the Open Government Licence and the Non-Commercial Government Licence. Both allow re use of the information without charge including copying, publishing, distributing and adapting the information as well as combining it with other information. The new code encourages authorities to use the Open Government License wherever possible. The Non-Commercial Government licence is slightly more restrictive because it contains a clause preventing the use of the information “in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation.” It will be interesting to see if public authorities routinely offer this licence (even though it would be against the spirit of the Act and the new code) just to prevent the private sector from profiting from the dataset.

The third type of licence is the Charged Licence. This has been published by The National Archives in beta form . It can be used by public authorities that have reason to charge for the re-use of the dataset information they hold or produce. As I have said before, this provides an opportunity for public authorities to raise some much needed revenue. However it will be interesting to see if the Secretary of State exercises his power (under new Section 11B of FOI) to make regulations prescribing “the amount of any fee payable or providing for any such amount to be determined in such manner as may be prescribed, provide for a reasonable return on investment.

The consultation ends on 10th January 2013. Public authorities need to think now what datasets they may receive requests for and what their approach to licensing their re use will be.

FOI Update webinar – This and other FOI developments and cases will be discussed in our forthcoming FOI Update web seminar: http://www.actnow.org.uk/content/93

Privacy Conference – Call for Papers

The Fifth Northumbria Information Rights Conference will take place on Wednesday 1 May 2013 at the Centre for Life, Newcastle Upon Tyne, UK.   The theme of the conference will be “Changing notions of privacy”.

The aim of the conference is both to explore developing understandings of privacy, and the tensions that exist between privacy, openness and freedom of expression. The following topics will be explored within the overall theme, and papers will be grouped for presentation accordingly:

  • What is privacy?
  • Privacy v freedom of expression
  • Technology and the challenges of protecting privacy
  • Privacy in a commercial context
  • Privacy and the Freedom of Information Act 2000
  • Privacy or openness
  • Privacy and the Data Protection Act 1998

The university will also consider abstracts which do not fall within these themes but which are nonetheless relevant to the overall theme.

This call is open to academics, postgraduate students and practitioners from all disciplines, but particularly law, politics, information science and records management. Ibrahim Hasan presented a paper to this conference last year examining the Government’s proposals to change RIPA and whether they were a sledgehammer to crack a nut. We would urge our readers to get involved.

Those interested in presenting a paper are invited to submit abstracts to the conference administrator Maureen Cooke: email maureen.cooke@northumbria.ac.uk. Abstracts should be submitted by 7th December 2012. They should not exceed 300 words. Submission must be by Word document e-mail attachment at the email address shown above and should include, in addition to the abstract, your title, name and organisation/institutional affiliation and your email address for correspondence.

All proposals will be reviewed, and successful applicants will be notified at the latest by 21st December 2012. Please contact maureen.cooke@northumbria.ac.uk for any general enquiries about the conference or telephone 0191 243 7597.

RIPA, CHIS and the IPT

A recent legal case about undercover police officers’ activities whilst investigating protest groups, has raised the importance of RIPA forms being completed correctly and care being taken when authorising them.

Ten women have launched  a legal action claiming they were tricked into forming “deeply personal” relationships with undercover police officers acting as a Covert Human Intelligence Source (CHIS) under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). The case is the first civil action to be brought before a court.

Three of the women referred to in court had intimate relationships with Mark Kennedy, who spent seven years living as an environmental campaigner. Kennedy’s deployment was made public last year after activists worked out he was a police spy.

Lawyers for the police are currently applying to have the case moved from the High Court to “a secret Tribunal”. Normally cases involving a breach of RIPA are heard by the Investigatory Powers Tribunal (IPT). Most cases heard by the Tribunal are in private and not open to the media. Very few judgements are published. Most cases are about conduct by, or on behalf of, the Intelligence Services (MI5, MI6and GCHQ). The Tribunal has the power to award damages to complainants and to quash or cancel any authorisation to do the surveillance.

Not surprisingly, the IPT is the forum of choice for the police in this case. According to a report in The Guardian:

“Monica Carrs Frisk QC, representing the police, said their argument was not about denying the women remedy, but determining the correct forum for determining their claims.The police argue the case should be heard in the investigatory powers tribunal, as it was set up specifically to consider allegations of unjustifiable surveillance by the state.They also argue they may be unable defend the case because they have a long-established policy of neither confirming nor denying the identity of undercover police officers.”

When the Kennedy case came to light, Her Majesty’s Inspectorate of Constabulary (HMIC) conducted a report into the circumstances. It concluded that, whilst undercover officers deployed into protest communities gathered intelligence which enabled the police to prevent acts of serious violence, there was serious intrusion into the lives of others, and this risk needs to be better managed in the future.

More will come about these cases especially if (as is likely) the civil case remains in the High Court. The circumstances shows the importance of all public authorities, not just the police, considering the applicability of Part 2 of RIPA , especially the CHIS provisions, very carefully when engaging staff to “go undercover”. In addition to the usual considerations of necessity and proportionality, the CHIS authorisation form  requires a risk assessment to be done, together with a need to have a separate CHIS Handler and a Controller. Detailed records also need to be kept in accordance with the RIPA (Source Records) Regulations 2000 (SI 2000/2725). If these roles were carried out correctly then abuses of RIPA, as in this case, would be very rare.

Of course local authorities are very infrequent users of the CHIS process (and they certainly do not authorise CHIS operations involving sleeping with the targets!). Any potential for abuse has been minimised even further by the Protection of Freedoms Act 2012 (sections 37 and 38) which came into force on 1st November 2012. This changes the procedure for the authorisation of local authority surveillance under RIPA. From 1st November, local authorities have been required to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source and accessing communications data. On 5th November, Gateshead Council received (what could be) the first Magistrates’ approval.

The case of Mark Kennedy (and others) does beg the question; Is it time the police were required to seek judicial approval for surveillance under RIPA? Should we even stop there? What about surveillance abuses by the press which have come to light as a result of the Leveson Inquiry? Is it time to RIPA it up and start again?

Act Now can help you prepare for the new RIPA process. We have an update  course in December in London. If you would like advice on what needs to be done or customised in house training, please get in touch.

Finally all RIPA authorities need to revise their guidance and policy documents. See our RIPA Policy and Procedures Toolkit.

Nobody cares for me. Signed DC.

Dear Mr xxxxxxxx, 

As a registered user of www.tpexpress.co.uk we are legally required under the Data Protection Act 1998 to contact you with the information outlined below.

Please note: This is not a marketing communication and does not affect your opt-in/out preferences for marketing emails.

What is changing?
We will be changing our online booking system during November and we are writing to you to notify you of the change in data controller from thetrainline.com to ourselves as a result of this change.

What does this mean to you?
Your retail contract will be exclusively with:
First/Keolis Transpennine Limited (FTPE),
50 Eastbourne Terrace,
Paddington,
London,
W2 6LG
Company Registration Number 04113923

Can anyone tell me which section of the Act requires a Data Controller to inform a data subject of a change of data controller? Or is it just good business practice? Or just plain “we don’t know what we’re doing”?

Answer on a postcard please to

DPO, Customer Relations, Some Train Operator, Leaves on the line, Adelstrop.

What’s the difference between PCC & BCC

The picture that said a thousand suppliers.

Fresh from being elected with less than 10% of the electorate in favour of him a recently appointed Police Commissioner writes to all the suppliers to tell them the email addresses of all their suppliers (and a few extra organisations – such as rape crisis centres, police officers, probation officers and some personal email addresses).  Still no harm done eh? No law broken, no real personal data involved. No brain cells used in the distribution of this list.

Makes me feel like Phillip Schofield. (When I say this it doesn’t mean I feel like him as in desire him – more like feel I’m in a similar predicament…)

First Magistrates’ Approval of RIPA Surveillance

Gateshead Council MAY HAVE become the first local authority in the country to successfully obtain Magistrates’ approval for covert surveillance under new laws which came into force on 1st November 2012.

Chapter 2 of Part 2 of the Protection of Freedoms Act 2012 (sections 37 and 38) changes the procedure for the authorisation of local authority surveillance under the Regulation for Investigatory Powers Act 2000 (RIPA). From 1st November, local authorities have been required to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source and accessing communications data.

The Home Office has now published its RIPA Magistrates’ Approval Guidance both for local authorities and the Magistrates’ Court. However until recently, no council had reported a successful application to the Magistrates. We believe, Gateshead Council is the first to do so.

Colin Howey, Senior Trading Standards Officer, explains what they did:

“Like most authorities we were a bit anxious about the new RIPA regime. Whilst we wanted to continue to use covert surveillance techniques in a necessary and proportionate manner, we were concerned about the cost and resource implications of the new Magistrates’ approval process.

Following a full day training workshop we were more confident about what was required. But the new process was still untested.

On 5th November though we obtained what may well be the country’s first judicial approval of a RIPA authorisation. Gateshead Magistrates’ Court approved our use of Directed Surveillance to investigate some serious trading standards offences.

We carefully followed the procedure as set out in the Home Office RIPA Magistrates’ Approval Guidance.  We were also careful to ensure the surveillance was necessary on the amended grounds set out in The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  which also came into force on 1 November 2012. This makes Directed subject to a new Serious Crime Test.

Once we obtained the internal authorisation in the usual way we contacted the Gateshead Magistrates’ Court to arrange a hearing.  They asked us to e mail through the original RIPA authorisation form as well as the completed judicial application/order form.

The hearing was attended by the investigating officer and the Council Solicitor. The court was also aware that it was the first RIPA application it had received so a District judge heard the application advised by the Clerk of the Court.  The hearing was in private. The judge considered the RIPA authorisation and the judicial application/order form.  He asked one or two relevant questions to satisfy himself that the surveillance was necessary and proportionate and then signed the judicial order form

The whole thing was relatively straightforward. It only took the judge fifteen minutes to consider and approve the application.

My tips for those who need to make a similar application are:

1. Train your staff – All investigators and authorising officers need to know about the new process.  Those who will be attending court need to be trained in completing the new judicial application/order form.

2. Designate staff who will be attending the Magistrates Court -This is done under section 223 of the Local Government Act 1972.  It is worth giving staff a letter of designation to take to the court when making the application.

3.  Contact your local Magistrates Court now to discuss how they will deal with RIPA applications. Like ours they may want documents e mailed to them beforehand. This will also save time on the day.”

Our thanks to Colin Howey and the Regulatory Services Team at Gateshead Council for this fascinating insight. The training provided to Gateshead Council was conducted by Ibrahim Hasan, of Act Now Training.

Did your council achieve a RIPA approval before Gateshead? Use the comment field to let us know.

Act Now can help you prepare for the new RIPA process. We have an update  course in December in London. If you would like advice on what needs to be done or customised in house training, please get in touch.

Finally all RIPA authorities need to revise their guidance and policy documents. See our RIPA Policy and Procedures Toolkit.

How not to write a social media statement.

It’s the coming thing – having a social media policy. Cases such as Wetherspoons vs Preece illustrate the value of having one but there’s good ‘uns and inevitably bad ‘uns.

A family member recently accepted a job in a ski-ing company and they included the following in their T & Cs about Social Media. What do you think of it?

So a young person who’s going out with his mates for a few beers after work needs to seek legal advice before letting alcohol pass his lips in case he says something he wasn’t planning to say about his employer.

You can imagine two young thrusting lawyers sitting in  a bar.

  • “What’s your line then?”
  • “I look after unwittingly defaming people on social media”
  • “Business good?”
  • “Never better”

Do you commit libel? Sounds a bit strong.., Do Drivers commit speed? Do shoplifters commit shoplifting.

How can you tell you’ll unwittingly do something? Or to  really screw it up how can you tell you’ll wittingly do something?

You can’t express your views while you are employed by this company (but it’s only seasonal so by Easter you can say what you want again (Err… no. This contract forbids you from speaking out for the remaining 75 years of your life (my family member is one of those lucky people who will live to be 100)

The final sentence is just plain bizarre. I’d better not sign this contract in case I’m in breach of it…

Who writes this rubbish? I know, of course, but I can’t possibly tell you as I might unwittingly say something I might regret for nearly a century.

Practically Speaking by FOIMan

Recently I was fortunate enough to be asked to take part in a panel discussion at City University about the Justice Select Committee’s post-legislative scrutiny of FOI. After each of us had said our piece, we got to my favourite part of these kind of events – questions from the audience. And one student journalist asked whether it was right that FOI Officers often shared details of requests from journalists with Press Officers in their organisations. Wasn’t it wrong that FOI Officers should feel an obligation to work with the spin doctors?

There is obviously a debate around how closely FOI Officers should work with Press Officers on FOI requests. But the thrust of my response was that FOI Officers DO have an obligation to their organisation. We do a job. Our organisations pay our wages.  Whilst many FOI Officers do take a principled approach to their work, ultimately they have to do what their employer tells them.

One of the principal aims of my blog (http://www.foiman.com/) when I started it was to talk about FOI from the perspective of the practitioner. And FOI from the practitioner’s perspective is very much a practical exercise. Hopefully it is clear from the way I write that I am a supporter of FOI and increasing openness in the public sector and beyond. But fundamentally I have to make FOI work on a day-to-day basis. That isn’t always easy.

And recently I’ve been running a training course for Act Now Training where we’ve explored what it really means to be an FOI Officer. What are the practical skills that an FOI Officer needs?

The obvious thing is knowledge of the legislation, and that technical side of the role gets plenty of attention. What needs to go into a response? How do you refuse vexatious requests? Where do you go for help?

Before we can even begin to answer requests, we need to know how to arm our organisations with the right IT systems, get our websites FOI-friendly, and ensure that records are being well managed. On the course we discuss the pros and cons of disclosure logs. Can they help reduce the volume of FOI requests or do they provoke more?

But the part of the course that gets us most animated is when we look at dealing with scepticism from colleagues. Every FOI Officer has encountered resistance from time to time, and to me, knowing how to deal with that is probably the most important part of the job. Most of the time opposition to FOI within public bodies is not about any strong political opposition to the legislation. It’s about ordinary people who care as much about their job as we FOI Officers do about ours. Or journalists do about theirs. To persuade them to adjust their priorities is a matter of patience and diplomacy. When we’re at our best!

If you’re an FOI Officer and want to go back to basics, or just explore the different aspects of your role with fellow practitioners, I’ll be running Practical FOI once more this year in a couple of weeks’ time on 16 November in London. And there will be more next year if you can’t make that date.

Paul Gibbons runs the very popular FOI Man Blog and tweets as @FoIManUK.

The Cat came back

Halloween and a postcard dropped through the letterbox. It was from the local vet. The one who earlier this year couldn’t make a diagnosis about our Tiddles and refused to hand over his medical records so we could take a second opinion. Tiddles didn’t make it and we told the vet not expecting to hear from them again.

The postcard was addressed to me and said it was time for our pet’s jabs but after the postcode on a line all of its own was the single word – Tiddles. We were clearly upset; how insensitive of the surgery to mail me about a  recent bereavement. If it had been a hospital and a dead child it might have even hit the media. We weren’t even a customer as we were dissatisfied with the service. It still didn’t feel right.

Any breaches of the law here? Principle 4 – Accuracy? Section 10? Right to object to prevent processing likely to cause damage and distress?

Probably not but it’s another entry in the catalogue of errors.

%d bloggers like this: