Don’t Expect ICO to argue your case

When applying to the Information Commissioner under s50 FOIA to overturn a refusal by a public authority it is important to marshal all your arguments and understand what is available to you.

This was illustrated in a decision in September, case number FS50546586, where the requester sought information from the Ministry of Justice relating to the Court Proceedings Database, including the names of offenders found guilty of offences under the Housing Act 2004 held on that database. Disclosure was refused by the MoJ on the basis of the personal data exemption (s40(2) FOIA).

Not surprisingly, ICO overturned this in relation to those convicted who were companies, as information about a company is not personal data, and the applicant was quite pleased with his partial victory. See the decision notice (FS50546586).

But what of the guilty who were private individuals? ICO correctly found that in their case the information requested was sensitive personal data (information about the commission of an offence). Such data cannot be released if to do so would breach the data protection principles, and here we are concerned with Principle 1: “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless— (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”

The ICO carefully considered fairness in relation to the individuals and concluded that disclosure would indeed be fair. He then looked for a Schedule 3 condition and considered the only possible candidates: condition 1 (explicit consent) and condition 5 (information made public as a result of steps deliberately taken by the data subject). He was satisfied that neither applied, and that was the end of the matter.

The Commissioner must uphold the MoJ’s application of the exemption at section 40(2) in respect of the sensitive personal data in this case. He does so not on the basis that disclosure would be unfair but on the basis that there is no applicable Schedule 3 condition. The personal data is therefore exempt from disclosure.

But surely he should have considered paragraph 3 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000 (which adds further Schedule 3 conditions), of which I suspect the applicant was blissfully unaware:

The disclosure of personal data— (a) is in the substantial public interest; (b) is in connection with— (i) the commission by any person of any unlawful act …; (c) is for the special purposes as defined in section 3 of the Act (i.e. journalism); and (d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

Given the basis of ICO’s decision on fairness, it must have been very strongly arguable that this condition (all four limbs of which must be satisfied together) could properly be applied; the applicant was a journalist after all. It has been used successfully in the past: see e.g. the discussion of the Nick Griffin case on the excellent Panopticon blog.

And if a Schedule 3 condition (in the extended sense, i.e. including those added by the 2000 Order) could be found, it is not hard to find a suitable condition in Schedule 2 (condition 6, legitimate interests, being the obvious candidate).

Posted in FOI

Does Alan Duncan MP read his printed emails?

One must assume that Alan Duncan does read his emails, but we have recently learned that he does tend to print them out. This possibly reprehensible exercise has led Mr Duncan to introduce a Private Member’s Bill to outlaw the inclusion of “useless” legal disclaimers at the bottom of emails:

His beef is that when you print out such emails you eventually waste several forests’ worth of paper “as page after page spews out”.

Mr Duncan actually makes a valid point about the limited contractual or legal validity of such disclaimers. However, they can serve a useful purpose in advising unintended recipients what they should do, as good and responsible citizens, if they receive something which was not for them, and in a worst-case scenario might protect them from doing something they later regret. Not as much as the sender will regret it, of course, as anything truly confidential or sensitive should have been encrypted and not accessible to a wrong recipient; a footer is no substitute for a control. Indeed the presence of such a disclaimer may be leading some senders into a false sense of security, and blinding them to the need to take other precautions.

However, it was the printing issue, not the security issue, which really upset Mr Duncan. That small bubble of the Twittersphere which concerns itself with Information Governance matters has had a quiet titter about this. Any self-respecting Records Manager has been advising for many years that emails are (by and large) not for printing, and should be retained, if necessary, in the electronic world, preferably as part of a properly designed records management system, rather than in an ever-bloating Inbox. I do hope Mr Duncan’s departmental information team knows about these printed copies.

But has Mr Duncan actually read these exponentiating (actually an arithmetic progression, but let’s ignore the maths) pages? Whilst I have seen some wordy disclaimers, I do not recall any which would merit the description “page after page”. No. I fear what Mr Duncan is actually experiencing is the endless repetition of material in a lengthy email conversation. With many users including the sender’s text by default (a bad idea in my view) when replying to an email, the last email in a 20-email exchange will include all 20 emails, and yes, if the actual exchanges are short, most of that when printed will consist of headers, footers and disclaimers.

In short, Mr Duncan has focussed on the wrong problems. Why print? Why include prior text?

One solution Mr Duncan proposes is probably not a sensible idea. He suggests that the disclaimer should be a simple link. However, if we accept that the real purpose is as a warning rather than an attempt to create a legal obligation, this may unnecessarily dilute the warning effect. The better solution would be a short bold warning / disclaimer plus a ‘further information’ link to more detail on a website, or simply not to send sensitive material by an open channel.

Of course there could be a relatively simple technological fix to this printing problem, for those cases where printing emails could be justified. All that would be required would be an amendment to the relevant standards (the email message format rather than SMTP, which only carries the message) to require a marker to be embedded in an email at the start of any ‘prior text’, and for printer manufacturers or mail clients to provide a default setting of ‘print nothing after this point’. I fear we are 20 years too late for that.
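No such standard marker exists, but a mail client can approximate the ‘print nothing after this point’ setting today by stopping at the conventions reply chains already use. The following Python example is added here and is not code from the original post or from any mail product; the list of prior-text markers (‘>’-quoted lines, ‘On … wrote:’ attribution lines, Outlook-style ‘-----Original Message-----’ separators and a quoted ‘From:’ header block) is an assumed heuristic, and the sample message is constructed for the example. It uses only the standard library email package.

```python
"""Trim quoted prior text from an e-mail before it is printed.

Added example, not from the original post. Markers and the sample message
below are assumptions; there is no standard 'start of prior text' marker.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed reply-chain markers. The first body line matching any of them is
# treated as the start of the prior text; that line and everything after it
# is dropped from the printable view.
PRIOR_TEXT_MARKERS = [
    re.compile(r"^>"),                                        # quoted lines
    re.compile(r"^On .+ wrote:\s*$"),                         # Gmail/Thunderbird attribution
    re.compile(r"^-{2,}\s*Original Message\s*-{2,}$", re.I),  # Outlook separator
    re.compile(r"^From: .+$"),                                # quoted header block
    re.compile(r"^_{5,}$"),                                   # Exchange rule line
]


def split_prior_text(body: str) -> tuple[str, str]:
    """Return (new_text, prior_text). prior_text is '' when no marker is found."""
    lines = body.splitlines(keepends=True)
    for i, line in enumerate(lines):
        stripped = line.rstrip("\r\n")
        if any(m.search(stripped) for m in PRIOR_TEXT_MARKERS):
            return "".join(lines[:i]).rstrip(), "".join(lines[i:])
    return body.rstrip(), ""


def printable_view(raw: bytes) -> str:
    """Render only what is worth putting on paper: a few headers and the text
    written by this sender, without the quoted chain beneath it."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content() if text_part is not None else ""
    new_text, _prior = split_prior_text(body)
    header = "\n".join(
        f"{h}: {msg[h]}" for h in ("From", "To", "Date", "Subject") if msg[h]
    )
    return f"{header}\n\n{new_text}\n"


# Constructed sample: the third reply in a short chain, where the quoted
# copies (and their repeated disclaimers) outweigh the new sentence.
SAMPLE_MESSAGE = b"""\
From: alice@example.org
To: bob@example.org
Date: Mon, 01 Dec 2014 09:00:00 +0000
Subject: Re: Re: Re: printing
Content-Type: text/plain; charset=utf-8

Agreed, let's stop the chain here.

On Mon, 01 Dec 2014 08:30:00 +0000, bob@example.org wrote:
> Fine by me.
> This e-mail and any attachments are confidential...
>
> > Shall we stop replying-all?
> > This e-mail and any attachments are confidential...
"""

if __name__ == "__main__":
    print(printable_view(SAMPLE_MESSAGE))
```

The heuristics err on the side of cutting: a genuine line that happens to start with ‘From: ’ would also end the printable text, which is the price of not having a marker defined by the message format. The ‘>’ rule alone would already remove most of the repeated disclaimers in a long chain, since each quoted copy is itself prefixed.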

Posted in FOI

Defamation, Data Protection and Journalism

It has for some time been recognised that, with changes to the law of defamation, there might be increasing use of an alternative cause of action under section 13 of the Data Protection Act 1998 (“DPA”). This is not perhaps surprising, as defamation necessarily involves the use of personal data (often sensitive), and data protection law, subject to some important exceptions, prevents any use of personal data which is unfair or inaccurate. For a lawyer’s perspective on these issues see this article on the highly-recommended Panopticon Information Law blog.

That is not to say, however, that aggrieved plaintiffs will be likely to obtain a damages bonanza of the type which has been awarded in some historical defamation cases. In the view of the Court of Appeal in Halliday v Creation Consumer Finance Ltd: “… it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation..” ([2013] EWCA Civ 333, at paragraph 36). In that case damages of only £1 were awarded under s13(1) DPA and an additional £750 for distress under s13(2). In another recent case, CR v Chief Constable PSNI ([2014] NICA 54, at paragraph 24), the total awarded under DPA was simply £1. Similarly, where there is a successful claim for breach of confidence, it is unlikely that anything additional will be awarded for the breach of DPA, which will usually be established, as a breach of confidence makes the use of personal data unlawful and therefore a breach of the first data protection principle. For example in Weller and others v Associated Newspapers Ltd ([2014] EWHC 1163 (QB) at paragraph 23) the court considered that the claim under DPA “did not add anything of significance to the primary claims for damages”.

The situation becomes even more complicated where the alleged defamation is published in the course of “journalism”. Then the exemption under s32 DPA may well come into play. In essence processing personal data for the purposes of journalism may be exempted from key provisions of the DPA if in the reasonable opinion of the data controller compliance with a particular provision would be incompatible with the journalistic purpose. This is potentially a very wide exemption. In theory it could even justify publishing unfair and inaccurate data by dis-applying the first and fourth data protection principles, although it is hard to imagine forming a reasonable opinion to that effect.

This exemption was discussed in a recent PressGazette article: “Victims of media abuse may turn to the Data Protection Act now that it is harder to bring libel actions”. That article, however, rather oversimplifies the effect of the s32 exemption and is in fact inaccurate in suggesting that the PSNI case referred to above resulted in an award of £20,000 under DPA. That sum was awarded for negligence in relation to Post Traumatic Stress Disorder. The DPA award was a miserly £1.

The article suggests that the s32 exemption does not apply to a claim for compensation under s13 DPA. That is not strictly correct. Although s32 does not specifically mention s13, an s13 claim will usually be based on a breach of s4(4) of the Act, i.e. a breach of one or more of the data protection principles, and s32(2) exempts journalistic processing from all of the principles except the seventh (security), so it provides a defence unless the only principle breached is the seventh. That would not usually be the case, as a plaintiff would typically be alleging against a publisher breaches of the first (unfair, or unlawful for breach of confidence), third (irrelevant or excessive) and fourth (inaccurate) principles.

In summary, whilst disgruntled plaintiffs may be pleased to have a DPA claim in their armoury, it is not going to be a panacea for a multitude of new substantial claims. First, damages will often be quite limited, and may not add to other causes of action such as breach of confidence; and in many cases the s32 exemption may well bite. In that context it should be noted that the availability of this defence may not be limited to ‘traditional’ journalistic sources: see e.g. “Are we all journalists”. But that is another story.

Posted in GDPR

The curious case of charging for environmental information

In the ICO’s guidance on “Charging for Environmental Information (Reg 8)”, updated (version 1.3) in June 2014, he concedes at paragraph 14, based on East Sussex County Council v Information Commissioner and Property Search Group (EA/2013/0037) (see paragraph 17 of that decision), that a reasonable charge for supplying environmental information CAN include “The cost of staff time spent locating, retrieving and extracting the information”.

What then are we to make of his Guide to the Environmental Information Regulations, updated (version 2.2) five months later in November 2014, which states at page 32: “Any charge should be ‘reasonable’ … It should NOT include the cost of staff time in identifying, locating or retrieving the information from storage.”

Curiously, ICO seems to be saying you can do this, but I would prefer it if you didn’t.

Even curiouser, in the June guidance ICO says he has had a change of heart on this issue and does not think the previous law on the point, derived from Kirklees Council v Information Commissioner and PALI Ltd [2011] UKUT 104 (AAC), is “now sustainable”. That is rather an odd proposition given that this was an Upper Tribunal case and, as we know, the Upper Tribunal is a superior court of record, which means that its decisions create legally binding precedent, similar to the High Court. So ICO has, it seems, overruled legal precedent by making a concession in a lower tribunal case.

Curiousest of all, I am not actually convinced the Kirklees case decided any such thing, being based on arcane questions relating to charging for information in the public Local Land Charges register, so perhaps that puts us back to square one. If nothing else ICO needs to sort out his guidance; otherwise he may face a rash of disgruntled appellants from both sides of the battlefield who have followed the wrong advice, whichever that is.

Posted in EIR, FOI

Images as Personal data

One of the less obvious consequences of the Ryneš decision, which I discussed in a recent post, is what it says about the nature of images. At paragraphs 21-22 of the judgement:

The term ‘personal data’ …  covers, according to the definition under Article 2(a) of Directive 95/46, ‘any information relating to an identified or identifiable natural person’, an identifiable person being ‘one who can be identified, directly or indirectly, in particular by reference … to one or more factors specific to his physical … identity’. Accordingly, the image of a person recorded by a camera constitutes personal data within the meaning of Article 2(a) of Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Clearly and unequivocally the court considers an identifiable image to be personal data. There is no discussion of the purpose of processing or the potential impact on the subject, and no consideration of whether the person taking or holding the image is using it to learn something about the individual.

Experienced data protection professionals will no doubt be familiar with the ICO guidance on determining “what is personal data”.

The discussion by, and conclusions of, the ICO on pages 15-16 of this guidance, about the same photographs being personal data in the hands of one person but not in the hands of another, based on purpose and impact, are clearly, following Ryneš, now unsupportable*. Just as it is now pretty clear that (given context sufficient to identify) a name is personal data (Edem v ICO & FSA [2014] EWCA Civ 92), so now a photograph of sufficient quality to identify IS personal data. Of course the taking, holding and use of photographs may be permitted or exempt from restrictions for many reasons, but the image must now be regarded as personal data even in those cases where the ICO guidance says it is not.

* To be fair, if you follow the logic of the guidance the ICO conclusions in the examples were always a bit suspect. They come under Q5: “Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?”. In those example photograph cases where the ICO considered the answer to this question was no, the logic of the guidance was that you then ask questions 6, 7 and 8, and a yes answer to any of those, which is likely in the case of photographs (I do not intend here to discuss Durant v FSA), always indicated “personal data”, in contradiction of the purpose-based conclusion under Q5.

Posted in GDPR

Video Surveillance and the domestic purposes exemption

The recent EU case of Ryneš (Case C-212/13) raises some interesting issues for users of CCTV systems on domestic premises.

The decision of the court is quite clear. If the CCTV is set up so as to also record people in public spaces, e.g. the adjoining street or footpath, then the ‘personal or household’ exemption does not apply. See paragraph 33 of the judgement (my emphasis):

To the extent that video surveillance … covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46.

Consequences include, under the current Data Protection Act 1998 and associated regulations:

  • The operator needs to register as a data controller since, without the s36 (domestic purposes) exemption from Part III of the Act, no other exemption from notification seems to apply
  • Running the system without such notification is a criminal offence (ss 17 and 21 of the Act)
  • The system would probably be unlawful (principle 1, fairness) unless the operator could reasonably show that he could not record on-premises without inevitably covering some public space
  • The operator must respond to subject access requests from anyone who may have been recorded in the public space, and may need to be able to remove third-party images if supplying a copy of the data
  • The operator needs to have similar regard to the need for clear and visible signage as would apply to other CCTV surveillance
  • If the operator takes a risk, perhaps rightly surmising that the ICO is unlikely to proactively enforce the strict legal position, and does not register, he must still respond to any request for information about the system within 21 days under s24. Failure to so respond is a criminal offence.

The judgement itself says very little about the rationale. In addition to paragraph 33 it adds at 35:

Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

The combination of these provisions as set out in the judgement, without explanation, would seem to lead to the logical conclusion that activities such as recording video on a mobile phone, cyclists using a helmet camera, or using a car dash camera would be equally outside the s36 exemption. These activities meet the criteria in paragraphs 33-35 of the judgement. That is, however, probably not the intention of the court. We need to look at the Advocate General’s opinion to see that domestic CCTV is in effect a special case which can be distinguished from these other activities. See paragraph 33 of the opinion:

recordings of this kind taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

It is of course much more difficult, and therefore has much less impact on privacy, to draw such conclusions from non-static recording. It is probably safe to assume, for now at least, that this decision only applies to the specific case of a fixed home CCTV system. Indeed the Advocate General effectively says as much at paragraph 30:

the present question … relates to a type of fixed surveillance system which covers a public space as well as the door of the house opposite, thereby enabling the identification of countless individuals without them having been informed of such surveillance beforehand. By contrast, the legal questions associated with recordings made using mobile phones, camcorders or digital cameras are of a different nature, and so will not be addressed in this Opinion.

It will be interesting to see over the coming months whether and to what extent ICO amends his guidance on these issues. One possibility might be a specific exemption from notification for domestic CCTV, but it is at least doubtful whether that could be achieved. S17(3) limits exemption to cases where processing is “unlikely to prejudice the rights and freedoms of data subjects”, and such a conclusion would seem to fly in the face of the judgement, which is strongly based on the need to protect the “fundamental rights and freedoms of natural persons, in particular their right to privacy” (see paragraph 27).

See also the discussion here:


Posted in GDPR

The Local Safeguarding Children Board as Data Controller

What is a Local Safeguarding Children Board (LSCB)? It is a statutory body which local authorities responsible for children’s social services are required to set up under s13 Children Act 2004.

  • Each local authority in England must establish a Local Safeguarding Children Board for their area

The responsibilities of the LSCB are essentially set out in the Act and in The Local Safeguarding Children Boards Regulations 2006. These include:

  • developing policies and procedures for safeguarding and promoting the welfare of children
  • communicating the need to safeguard and promote the welfare of children, monitoring and evaluating the effectiveness of what is done by the authority and their Board partners
  • participating in the planning of services for children in the area of the authority;
  • undertaking reviews of serious cases

Participants in an LSCB are referred to in the legislation as Board partners. Apart from the functions, and reference to statutory guidance, the Act and Regulations are largely silent as to an LSCB’s powers. There is, for example, no granting of powers to employ persons or hold property. Consideration of s15 of the Act suggests that in effect staff, goods, services, accommodation and other resources will be provided by Board partners. LSCBs are required to have lay members (each LSCB must have at least two individual lay members who reside in the area), and it is notable that s13(5B) of the Act gives the authority, but not the LSCB, power to pay the lay members.

There are potentially up to 150 LSCBs in England. The actual number is somewhat less as authorities are able to share functions and create a joint LSCB for more than one Council area.

A perennial problem for those managing data protection issues in local authorities is whether the LSCB is required to register as a data controller with the Information Commissioner’s Office under s18 of the Data Protection Act 1998 (DPA), or whether they can simply rely on the registrations of their constituent ‘partners’ such as the local authority, health board or police.

This is not just a trivial issue as, if registration is required, failure to do so makes it likely that any processing of personal data by the body is a criminal offence (the combined effect of DPA sections 17 and 21). This offence may be committed not only by the LSCB; criminal liability would potentially also attach to individual Board members, including lay members.

So what is the legal status of the LSCB? It is not an incorporated company. Despite the reference to ‘Board partners’ it is not in fact a partnership in the full legal sense as that would require a business being carried out with a view to profit. It is simply an unincorporated association. Nothing in the setting up of LSCBs referred to above requires it to be anything more. It does not need to own property, employ staff, or initiate legal actions.

It is often suggested that an unincorporated association is not a legal entity (see e.g. HMRC guidance) and that it cannot:

  • enter into contracts;
  • sue or be sued;
  • take on a lease or own property; or
  • employ staff

The first two points above are important, as data controllers may need to enter into data processing agreements (contracts) and may need to be sued, e.g. for damages under s13 DPA. Unfortunately it is not that simple. As long ago as 1901 it was decided that some unincorporated associations can indeed be sued (and by implication can sue):

If the Legislature has created a thing which can own property, which can employ servants, and which can inflict injury, it must be taken, I think, to have impliedly given the power to make it suable in a Court of Law for injuries purposely done by its authority and procurement. (The Taff Vale Railway Co – v – The Amalgamated Society of Railway Servants [1901] UKHL 1)

In addition an unincorporated association can be prosecuted. That may not always have been the case but is now clear law (See e.g. HSE prosecution guidance and R v RL and JF [2008] EWCA Crim 1970).

By analogy one must therefore consider whether the DPA creates a thing (the data controller) which has the required responsibilities and powers to give it sufficient legal status to enable it to register as a data controller, even if it is an unincorporated association.

S1(1) DPA tells us:

“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

‘Person’ is not defined in the DPA. The starting point is thus the definition in the Interpretation Act 1978, Schedule 1: “Person” includes a body of persons corporate or unincorporate. This definition is subject to the limitation in s5 of the Interpretation Act: “In any Act, unless the contrary intention appears, words and expressions listed in Schedule 1 to this Act are to be construed according to that Schedule.”

There does not appear to be any contrary intention in the DPA. In fact s65(1)(b) recognises that for the Information Commissioner’s purpose of serving notices person includes a ‘body corporate or unincorporate’. Most, but not all, such notices are required by the Act to be served on the data controller. The Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council) definition of data controller also anticipates that an unincorporated body may be data controller as it refers to “the natural or legal person, public authority, agency or any other body” – Article 2(d). An LSCB is accordingly a person for the purpose of the definition of a data controller. But does it determine the purpose and manner of processing personal data?

The purposes of an LSCB are of course not self-determined. They are laid down by statute. However s1(4) DPA is clear:

Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

Whilst some of the statutory purposes may be fulfilled without processing identifiable personal data, it is clear that others cannot; e.g. conducting a serious case review would be, in practice, impossible without reference to information which would remove any likelihood of anonymity. It is also clear from a consideration of the LSCB functions (above) that it is, at least jointly, responsible for determining the manner of processing.

The courts have clearly recognised the status of a safeguarding board: see [2013] EWHC 1711 (QB), where the Worcestershire SCB was a party to a Public Interest Immunity application.

An LSCB accordingly fulfils all of the requirements of the definition of a data controller and its unincorporated status can be no bar to the consequences of that. It seems therefore that LSCBs should notify the Information Commissioner and register as data controllers in their own right. This will have some significant consequences.

  • Many data controllers use data processors, and this would inevitably be the case for an LSCB. Typically for example the LSCB will use local authority IT and email systems. The seventh data protection principle requires a contract in writing to underpin the data processing agreement between the LSCB and the authority. Despite the ‘normal’ common law rule against contracts by an unincorporated association the legislative intention will have precedence.
  • S13 DPA entitles a data subject to sue a data controller in certain circumstances. It specifically refers to “proceedings against a person”. Given the legislative intention, that ‘person’ must include an unincorporated data controller (principle derived from The Taff Vale Railway Co – v – The Amalgamated Society of Railway Servants). LSCB Board members will have joint and several liability for any damages and they should be aware of this. In particular lay members might reasonably be given an indemnity on appointment.
  • Similarly there would be joint and several liability of LSCB Board members for any penalties imposed under s55A DPA.
  • DPA provides that the data controller is subject to a number of criminal sanctions. As we have seen the LSCB can be prosecuted. For example assume for a moment that Anyplace LSCB is a data controller but fails to notify the Information Commissioner under the registration process. As soon as it processes any personal data an offence is committed under s21 DPA. The LSCB may be prosecuted. Each Board member may be prosecuted. Whilst it is perhaps inconceivable that the ICO / Director of Public Prosecutions would prosecute a lay member of the Board, they should at least be advised of the potential liability as part of the appointment process, so that they can actively ensure compliance.

On the other hand an LSCB is not, as such, a designated public authority for the purpose of Freedom of Information requests. There is no specific designation in the Freedom of Information Act (FOIA) or subsequent statutory instruments, and an LSCB could not fall within the category of a company “wholly owned by the wider public sector” as (a) it has lay members and (b) it is not a “body corporate” as required by FOIA s6(3).

In practice it seems only a minority of LSCBs have registered as a data controller. A search of the register in December 2014 using the term “Safeguarding” produced only 16 matches. Whether or not the LSCB or sponsoring council agrees with the conclusion above, it should certainly make a clear decision for itself, as the requirements of data processing, and the drafting and implementation of data sharing protocols, cannot sensibly be addressed unless the roles and responsibilities of each party are clear.

Posted in GDPR

A consistent line

The Information Commissioner’s Office (ICO) has today published its draft Code of Practice on Subject Access Requests (SAR) for consultation.

There is nothing in the draft code which will cause major surprise. It is largely a rehashing, and minor expansion, of material which already exists in his general data protection guidance and in specialist guidance on matters such as accessing information in complaints files, or dealing with requests involving other people’s information.

On first consideration the following matters appear to stand out.

1. A lack of recognition that for public authorities any SAR falls within s1 Freedom of Information Act 2000 (FOIA) so that e.g. the duty to advise and assist applies.

This occasionally leads to a lapse in distinguishing good from mandatory practice. For example, on page 10 the draft code suggests that you do not need to respond to a request which is not in writing. For a public authority, ignoring the verbal request would be a failure to provide advice and assistance to persons who propose to make a request for information. Similarly, page 41 refers to good practice in providing explanations which should be mandatory for a local authority.

2. In dealing with exemptions the draft code really does not get to grips with the problem, which many find difficult, of dealing with an SAR on those occasions when you simply cannot tell the requester at all about some personal data’s existence or processing, e.g. if there is a note in your file of a police enquiry where, particularly if they have used the ACPO form, the police will have requested non-disclosure. The draft code (top of page 46) refers correctly to denying subject access, but gives no assistance on the right way to do this, and lacks the necessary warning about not giving a misleading answer such as “We enclose all the personal data which we hold…”. I would also have expected here a discussion (for public authorities at least) of when and why there may be a need to use s40(5)(b)(ii) FOIA in such cases.

3. Finally, and again not surprisingly, the ICO continues his warning about misreading the decision in Ezsias v Welsh Ministers [2007] All ER (D) 65 (Dec) which appears in the existing Disproportionate Effort guidance.

In doing so he ignores subsequent cases which have strongly indicated that this guidance is wrong. See Elliot v Lloyds TSB Bank PLC & Anor [2012] EW Misc 7 (CC), discussed on the excellent Panopticon blog. See also there Karim Abadir v Imperial College.

Whilst ICO is entitled to take his own view in these areas, it is hardly satisfactory to have a situation where there are two routes to enforce an SAR, through the courts under s7(9) Data Protection Act 1998 (DPA) or via the ICO using the s42 DPA assessment process, and they apply different tests.

In both the guidance and the draft code (see page 24) ICO stresses that Ezsias is not authority for suggesting that a disproportionate effort test applies to finding the information required to respond to an SAR. However ICO wishes to parse it, that is hard to reconcile with paragraph 93 of the judgement in Ezsias, which simply states “Under the 1998 Act, upon receipt of a request for data, a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose.” Those reasonable and proportionate steps may well in many (or most) cases need to be extensive, but there should be no need to restrict the basic test laid down by the courts.

The ICO is also apparently on a collision course with the courts over the effect of the same authorities on the ability to refuse to deal with an SAR as constituting an abuse. See draft code pages 49-50. This arises from the same line of cases mentioned above. The ICO seems to be saying that the courts may decline to exercise their discretion under s7(9) to enforce, but in identical circumstances he would exercise his discretion to enforce under s42. The underlying problem appears to be the well known ICO dislike of the Durant decision and its clear statement that the purpose of an SAR is “… to check whether the data controller’s processing of the data unlawfully infringes his privacy … to take such steps as the Act provides … to protect it … [it is] not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved … not to obtain discovery of documents that may assist in litigation or complaints”.

So the courts are not so much exercising a discretion as taking the view that the complaint is ill-founded because its purpose has nothing to do with privacy. I have little doubt, however, that ICO will continue this approach, which is unlikely to be resolved, this side of the new directive, unless someone challenges an enforcement notice after taking the Durant / Ezsias approach.


Posted in FOI

E-Crime Wales

E-Crime Wales provides a useful set of resources including a free-to-download “Preventing E-Crime for Dummies” which in around 112 pages covers a number of topics such as:

  • Defending your IT Network
  • A Dozen Best Security Practices
  • Ten Tips to Prevent Data Loss Today

Loads of fact-sheets too, including gems such as:

  • Security Auditing Planning and Review
  • Cloud Computing Security Considerations
  • Managing Risks of Employee Behaviour

Being supported by the Welsh Assembly Government, some sections, not surprisingly, have a Welsh flavour, but for the most part the advice and resources are of general application.

Posted in GDPR, Information Security

ANPR

In a recent Information Tribunal decision, Mathieson v Information Commissioner and Chief Constable of Devon & Cornwall, the First Tier Tribunal upheld an Information Commissioner decision and declined to order disclosure of the locations of ANPR (Automatic Number Plate Recognition) cameras. The Tribunal was satisfied that s24 FOIA (national security) and all limbs of s31(1) (prejudice to the prevention or detection of crime etc.) were engaged, and determined that the public interest lay against disclosure.

However, what is missing from the judgement and the earlier decision notice is any consideration of the duty to advise and assist, in particular consideration of whether a more limited disclosure, e.g. location by postcode district rather than precise location, might have been possible without engaging the exemptions, or with a different public interest conclusion. This is no doubt technically correct: where the terms of a request are clear, as this was, the s45 FOIA Code of Practice does not require any assistance to be provided to the applicant, and accordingly there can be no breach of s16. This illustrates a regrettable limitation of the s45 Code. By contrast, if the request had fallen to be considered under the Environmental Information Regulations (EIR), the equivalent code on the Regulation 9 duty may well have been breached, as that code requires an authority to “be flexible in offering advice and assistance most appropriate to the circumstances of the applicant”, and that can include advice on a more limited disclosure if the actual information requested is exempt. The aim there is to help applicants make good use of the Regulations, not, as in FOI, to ensure accurate but unhelpful refusals.

It was also an interesting example of an FOI refusal being upheld when it was, for the most part, accepted that the information was effectively in the public domain, because the cameras were not covert and the locations could be tracked down easily if sufficient resources were devoted to the exercise.

I wonder if the cameras are sufficiently distinctive to enable a smart programmer to search for them by interrogating Google Street View …

Posted in FOI