Blog 1

Personal Data and Disclosure

It never ceases to amaze me how many data controllers (those people or organisations in charge of your personal data) refuse to let you have copies on the grounds they are protecting your data – protecting them from you! The media are full of stories about organisations both public and private which are nevertheless quite happy to give or sell your data to others or even leave it in skips or on the train.

In the Sunday Times (25 August), we heard of yet another example of the police refusing to provide the name and address (personal data) of the registered keeper of a vehicle which had demolished a wall on the grounds that, “it was against data protection rules”. The owner of the wall or perhaps I should say now, pile of rubble, wanted to sue the driver for the cost of repair. Of course the police have no right to refuse such a request if the requestor is considering legal action (which he was). Section 35 of the Data Protection Act refers. It was a, ‘cop out’; the police must, ‘cough’’.

There is a huge misunderstanding about data protection laws. You may wish to make a change on a holiday booking but the call centre won’t talk to you if you didn’t make the booking even though you are one of the party going on holiday and just want to change your own details. It is quite understandable that they don’t want to make amends which are not approved by the ‘lead name’ but they can talk to anyone providing that the lead name has given permission. In addition, they wouldn’t get into trouble if they talked to someone without permission provided that it was reasonable to do so. In reality, they are just using ‘data protection’ as an excuse for implementing their own safeguards which is a bit naughty.

The main two provisions in the Data Protection Act 1998 which are useful for data subjects (ordinary people) are firstly to obtain your personal data – to see what organisations are holding about you – and secondly, to rectify any inaccuracies.

Providing you send proof of who you are (to make sure it’s not someone else trying to take a peek at your data) and you specify what you want, then data controllers have 40 days in which to reply. If you discover something that is inaccurate, you can ask the data controller to rectify it. If you have proof that the data are inaccurate, then data controllers will make the corrections. If they don’t, then you can ask the Information Commissioner to send an enforcement notice or you can even issue legal proceedings. If the inaccuracies are trivial such as spelling errors, then let them go. Only if the inaccuracies are affecting your life should you pursue rectification – a major blot on your credit record for example (that shouldn’t be there).

Bear in mind that responding to a request for personal data is very tedious for the data controller and so the task is usually delegated to a junior member of staff who is given a set of rules to follow such as redacting (putting a black marker pen) through names of other people (because their name is their personal data). This may sound reasonable but it can lead to a moronic response. One of our correspondents asked for his personal data from the Home Office. He was much amused to find that the name, ‘Jack Straw’ had been redacted. How would he know that this name had been redacted? Because the title, ‘Home Secretary’ was next to the redaction! Of course this was when Jack Straw was Home Secretary so most people would have known the name of the Home Secretary. It was hardly a state secret!

Both the Freedom of Information Act 2000 and the Data Protection Act 1998 are very powerful tools for the individual against an ever-encroaching State. The former revealed the scandal of MPs expenses; the latter is used by individuals to discover what information companies and the Government keep about them and to rectify those data if they are inaccurate and damaging.

It is surprising how often organisations assume powers they don’t have. It’s usually worth checking what legislation they rely on - ask them. We have found that often it is a fiction.

 

Blog 2

The Strange Thinking of the Information Commissioner

The Data Protection Act 1998 (DPA) came into being because of a European Directive. Each Member State is allowed to implement the Directive in their own ways because their existing laws will be different. The DPA requires the data controller – the organisation processing your personal data – to rectify, block, erase or destroy any inaccurate personal data. The data subject (you) may have to do this through the court though only state organisations will resist. Commercial organisations are only too happy to set matters right because it is in their commercial interests. State organisation hate to be told what to do so will normally only comply after a court order has been issued and sometimes not even then.

One case in which we were involved had the Judge so frustrated that he told the Data Controller, that the Secretary of State had to appear in person before him if the data were not rectified. Sadly, the matter was resolved at that point. It would have been fun and good publicity to have a government minister appear in a county court or if he didn’t, he would be arrested for contempt of court!

What is meant by inaccurate personal data? Well, if the data are trivial, you may get a court to order rectification but have costs awarded against you for being petty. It’s the court’s way of punishing the innocent. If the data are affecting your life in a non-trivial way, then courts will usually order rectification etc. and you will not have to pay costs and may even get your own costs.

This week, we have discovered a very odd anomaly. We asked the Information Commissioner for a view on allegations, originally involving the Disclosure and Barring Service but applying in principle to all personal data. We believe that if an allegation is inaccurate, then it should be erased. For example, if a person is accused of sexual abuse of children by an ex-partner or is accused of serving time in prison for drug dealing and both these allegations are completely false, then one would have thought that they could be erased. Clearly they would affect the life of the data subject in a very serious way. How could he or she get a job let alone one working with children?

The official view of the Information Commissioner is, ‘“an allegation has been recorded in relation to... and the court has recorded a not guilty verdict” would not be in breach of the DPA’ (Jenny Manock, Advice Services Manager at the Information Commissioner – 01625 545788). As far as the Information Commissioner is concerned, once an allegation has been made, it cannot be erased even if totally inaccurate because it has been made and that is a fact. This is clearly a charter for mischief making. In other words, according to the Information Commissioner, you can only counter an allegation whether it be in a court of law or other source which can prove the allegation is wrong. If the allegation has not been proven wrong, all you can do is offer your side of things even if that is proof positive.

It is difficult to understand the logic (if any) behind this reasoning. If the allegation says that you have committed crimes, then you are allowed to have this inaccurate datum erased but not the allegation itself! Surely, you would have thought that the two were one and the same, but not in the eyes of the Information Commissioner. How can you separate an allegation from its content? Maybe one could say an allegation has been made but with no detail! Only the Red Queen from Alice in Wonderland would understand this logic.

It is a common expression that there is no smoke without fire and any allegation even if refuted, can raise questions in people’s minds. Why was this person accused of something? Just because he has been found not guilty, doesn’t mean he didn’t do it. The Information Commissioner is quite happy to allow this position to continue.

We think it is a disgrace. Even convicted criminals are allowed to wipe their slates clean after a period for many crimes but not innocent people. It is an odd world that the people in Wilmslow (the Information Commissioner) inhabit.

 

Blog 3

Her Majesty’s Court Service Has Only A Vague Idea About The Law

You would have thought that the one organisation which had a good grasp of the Law would be her Majesty’s Courts and Tribunals Service (HMCTS) which is part of the Ministry of Justice (MOJ). Sadly,that is not the case.

When taking proceedings against another person (civil law), in the past, each party had to send three copies of their submissions to the Court Service who stamped them as received and sent one copy to each party and kept one for the court. This made sense because both parties and the court would then have identical copies of all the material, so all would be singing from the same hymn sheet as they say. It is also a requirement of Administrative Law that this is done.

The MOJ decided as a cost cutting measure that each party would serve a copy of their material directly on the other party and send a copy to the court. Of course, anyone with above room temperature IQ would realise that it would be perfectly possible to send a full copy to the court and to keep a full copy themselves whilst sending a selection to the other party. This would put the other party at a serious disadvantage. That has to be tempting. After all, how would the other party know they hadn’t got everything? The Judge wouldn’t know either. It was a recipe for disaster and sure enough, it is a disaster.

One of our members spotted that the Judge in her case appeared to have material she did not and subsequently asked the Court for a copy of the file or at least to see the file so she could compare it with her own and check which documents she hadn’t got. What should have happened is that the Court Service should have invited her in to their offices or because no one is now allowed to see them in their natural habitat, they could have emerged and gone through the file page by page. It might have taken ten minutes. Instead they wrote to the Judge who wrote to the other party and asked if they had supplied the same material to the court as to the member. What is he likely to say for heaven’s sake? Is then our member supposed to meekly accept the word of her opponent? Once again she explained what the Court Service had to do to comply with her section 7 request under the Data Protection Act 1998 (supply a copy of her personal data which was to be found in the court file). You would have thought that by now, the Court Service would have grasped the situation and even possibly read the DPA, but no. Astonishingly, they did exactly the same thing again, asked the Judge to write another letter to the other side who replied by saying the same thing. What a waste of time!

Finally after waiting for more than the 40 day maximum that HMCTS had to respond, she threatened them with asking the Information Commissioner to issue an Enforcement Notice. Finally, they passed the matter to the MOJ who asked for ID and £10 to be paid by cheque or credit card. The MOJ has been told twice that they must accept cash but obviously they need to be told repeatedly before they get the message. They must accept legal tender – note the word ‘legal’ which you would have thought might spark something. They just don’t like handling cash but they cannot refuse it.

So HMCTS and the MOJ don’t understand the law even though it was explained to them and they broke it. Aren’t the MOJ and HMCTS suppose to uphold the Law? It’s no wonder this Country has problems when such people can’t do the job they are paid to do.

 

Blog 4

The Information Commissioner

In discussions with the Information Commissioner over the past few months, an interesting issue has arisen. Allegations can never be erased or deleted under the Data Protection Act 1998 simply because it is a fact that they have been made. The content of the allegation may not be erased either, even though it may be entirely false and even if proved to be entirely false in court.

So, if someone says that you are a drug-dealing, child abusing mass murderer, all you can do is add a statement to say that you are not. The Information Commissioner has created a mischief-makers charter. The whole point of the Data Protection Act and the Directive which gave it life is that data subjects can erase inaccurate personal data (Article 12).

There is no smoke without fire. If allegations cannot be erased even if entirely fictitious, then readers of the allegations will be left wondering if there was perhaps a little truth in the allegations or why would they have been made? Readers may also wonder if the person who has made the decision that the allegations are nonsense got it right. Maybe there just wasn’t enough evidence to say that they were true but in fact they were wholly or partially true. We all know of innocent people who have been sent to jail or guilty people who have not.

We think that the view of the Information Commissioner is completely wrong and that the European Directive intended to remove all references to such allegations.

 

Blog 5

Talk about a Big Brother move.

Facebook says the feature will be used for harmless things, like identifying the song or TV show playing in the background, but it actually has the ability to listen to everything -- including your private conservations -- and store it indefinitely.

 Not only is this move just downright creepy, it’s also a massive threat to our privacy. This isn’t the first time Facebook has been criticized for breaching our right to privacy, and it’s hoping this feature will fly under the radar. No such luck for Facebook. If we act now, we can stop Facebook in its tracks before it has a chance to release the feature.

Facebook says it'll be responsible with this feature, but we know we can't trust it. After all, just a few months ago Facebook came under fire for receiving millions of dollars for working with the National Security Agency’s PRISM, a wide-scale and highly controversial public electronic data surveillance program -- something its CEO Mark Zuckerberg initially denied. 

This is also the company that lied about its now-scuttled Beacon program -- an advertisement system that sent our “private” data from external websites to Facebook.

It seems like every few months, there's another big Facebook privacy scandal and yet the social media giant is pushing this new app anyway. Why? The information it gathers by listening to its 1.2 billion users worldwide can be sold for huge profits to advertisers and corporations looking for better information on consumer tastes and preferences.

Facebook is acting in the best interests of its bank account, not its users. This has gone too far -- we have to stop it now. Our advice? Quit Facebook and delete whatever you can.

 

Blog 6

HMRC Plans to Sell our Personal Data to Private Companies

Government plans to share taxpayers' data with private firms were condemned as "borderline insane" by a senior Tory MP.

Under the proposals, HM Revenue and Customs would be allowed to release anonymised information to third parties including companies, researchers and public bodies where there is a public benefit.

The Guardian reported that HMRC documents said "charging options" were being examined by officials, indicating that firms could pay to access the data.

Treasury minister David Gauke is overseeing the plan, with legislation being drawn up by HMRC, the newspaper reported.

In its response to a consultation on the proposals last year, HMRC insisted the principle of "taxpayer confidentiality" would be protected under the reforms.

The document states that the Government has "decided to proceed with the proposal to remove the legal restrictions that currently limit HMRC's ability to share anonymised individual level data for the purpose of research and analysis and deliver public benefits wider than HMRC's own functions".

HMRC accepts that "this must be done only where there are sufficient safeguards in place to protect taxpayer confidentiality".

But Tory former minister David Davis described the proposal as "borderline insane", telling The Guardian: "The officials who drew this up clearly have no idea of the risks to data in an electronic age.

"Our forefathers put these checks and balances in place when the information was kept in cardboard files, and data was therefore difficult to appropriate and misuse.

"It defies logic that we would remove those restraints at a time when data can be collected by the gigabyte, processed in milliseconds and transported around the world almost instantaneously."

Emma Carr, deputy director of Big Brother Watch, said: "There is a massive difference between aggregate data and information that is published at an individual level. The two carry vastly different privacy risks.

"The ongoing claims about anonymous data overlook the serious risks to privacy of individual level data being vulnerable to re-identification.

"Given the huge uproar about similar plans for medical records, you would have hoped HRMC would have learned that trying to sneak plans like this under the radar is not the way to build trust or develop good policy.

"Given those who abuse personal information cannot be sent to jail this is yet another instance where Government should be putting proper protections in place before any more data is shared, rather than just hoping nothing goes wrong. Given the sensitivity of people's financial records that is clearly an inadequate and dangerous approach to take."

An HMRC spokesman said: "No final decisions have been taken, but HMRC remains committed to safeguarding taxpayer confidentiality. "HMRC would only share data where this would generate clear public benefits, and where there are robust safeguards in place.

"Last year's consultation made it very clear that there would be a rigorous accreditation process for anyone wanting access to the data and that any access would take place in a secure environment. Those accessing data would be subject to the same confidentiality provisions as HMRC staff, including a criminal sanction for unlawful disclosure of taxpayer information.

"HMRC will be consulting further and will ask for views on whether to charge to cover the costs of processing and providing anonymised data. This would not be charging for the data itself, purely covering the costs of providing it."

We say that there is no reason why HMRC cannot anonymise the data before they sell it and only release data by a large area such as a postcode sector with thousands of people in it. Where there are fewer than say 500 people in a sector, then the data could be aggregated with adjacent sectors. But if HMRC do not plan to make a profit, then why do it anyway?

It shows once again that we do not live in a democracy. How many people would agree to this? Point proven.

 

Blog 7

Are We in Danger of Forgetting the Data Subject?

By The Data Protection Society

The purpose of data protection legislation is to protect the data subject. This is blindingly obvious and yet in all the complexities of preparing legislation, this simple objective can be forgotten. It is said that when you are up to your waist in alligators, it is difficult to remember that your original objective was to clear the swamp.

Current legislation may work well for multiple breaches of the Law by large organisations but provides little or no help to an individual data subject who has been damaged by inaccurate personal data or who simply wants to see his data.

If data controllers fail to respond to requests from data subjects, then in theory, the data subject may seek redress but in practice, it is almost impossible. We receive lots of examples of powerful data controllers simply ignoring the legitimate demands of the data subject. Here are just a few examples:

DVLA

A Member requested his personal data from DVLA as he was concerned that because he had a personalised number plate, his personal data may have been unlawfully accessed by one of the many thousands of people who have direct access to the DVLA Database. DVLA failed to comply with his section 7, Subject Access Notice. He then threatened DVLA with legal action. DVLA’s Legal Department accepted that they had no chance of winning such an action and, amazingly at that point, engaged the services of a barrister – to defend what they accepted was indefensible! After nine hearings and two and a quarter years, he won his case – and yes there had been unlawful disclosure which DVLA said were mere clerical errors. It cost the public purse £14,000.

 

Blog 8

Telephone Preference Service

Nuisance calls really are a nuisance! It’s rare that we would receive a call from someone we don’t know which is of value to us. If you are a business, it could be a new customer of course so we don’t all want to stop all of them.

 Many of us know that the Telephone Preference Service will add our name to a list which is checked by UK companies wishing to make unsolicited calls (doesn’t apply to calls from overseas). However, although once a person is on the list they stay, this does not apply to businesses which are removed after 12 months. This means that if you are running a business from home, for example, and have a business line, you need to renew your registration every year.

Your service provider such as BT, can also block all calls where you hear an automated voice reading out a text message. You can’t be selective though – it’s all text calls or none.

We wonder what the inventor of the telephone, Alexander Graham Bell would make of the way his fine idea is being misused by some. We also wonder what he would think of smart phones!

 

Blog 9

Right to be Forgotten is ‘Unworkable, Unreasonable and Wrong in Principle,' Say Lords

An influential House of Lords Committee has said that the so-called right to be forgotten stemming from a recent ruling by Court of Justice of the European Union is “wrong in principle” and has created “an unworkable and unreasonable situation.”

The House of Lords Home Affairs, Health and Education EU Sub-Committee said in its report that it had heard evidence from data protection experts, the Information Commissioner’s Office, the Minister for Justice and Civil Liberties, Simon Hughes, and Google.

The report says: “The Committee applauds the UK Government’s stance on the issue, and agrees that it must continue to fight to ensure that the updated Regulation no longer includes any provision on the lines of the Commission’s ‘right to be forgotten’ or the European Parliament’s ‘right to erasure.'"

Last week, the Society of Editors wrote to Prime Minister David Cameron over the issue describing the ruling as “deeply problematic for journalism” and called for greater transparency about the actions of search engines to comply with the ruling.  

Some local and regional newspapers such as the Oxford Mail, Surrey Comet and Bolton News have responded to the developments by prominently reporting on attempts to have their stories removed from search engine lists.

Chairman of the sub-committee Baroness Prashar said: “Although this was a short inquiry, it is crystal clear that the neither the 1995 Directive, nor the CJEU’s interpretation of it reflects the incredible advancement in technology that we see today, over 20 years since the Directive was drafted.

“Anyone anywhere in the world now has information at the touch of a button, and that includes detailed personal information about people in all countries of the globe.

“We believe that the judgment of the Court is unworkable for two main reasons. Firstly, it does not take into account the effect the ruling will have on smaller search engines which, unlike Google, are unlikely to have the resources to process the thousands of removal requests they are likely to receive.

“Secondly, we also believe that it is wrong in principle to leave search engines themselves the task of deciding whether to delete information or not, based on vague, ambiguous and unhelpful criteria, and we heard from witnesses how uncomfortable they are with the idea of a commercial company sitting in judgement on issues like that.

“We think there is a very strong argument that, in the new Regulation, search engines should not be classed as data controllers, and therefore not liable as ‘owners’ of the information they are linking to. We also do not believe that individuals should have a right to have links to accurate and lawfully available information about them removed, simply because they do not like what is said.

“Technology advances at ever increasing speeds and it is incredibly difficult for legislation to keep up - never mind ‘future proof’ - the unforeseen leaps that technology is bound to make. However, what we can do is ensure that the Regulations and Directives that we do draft are sensible, taking into account the current situation and the likelihood of ever-increasing amounts of available data, and decide not to try and enforce the impossible.”

We think the solution is comparatively simple. Data subjects should be able to delete data they have created such as on social media or, for example, addresses and credit card details they have entered on to websites. This can be done at present. If other people have created personal data about them, say a report of their bankruptcy, they should not as it is a fact and you cannot change history though you might like to rewrite it.

In any case, as has been pointed out, the Court of Justice required only that the index be removed; the original piece remains but is just difficult to find. If a personal datum is inaccurate, then there are already mechanisms in place to have it deleted or rectified. Surely it is the original piece that should have concerned the Court not the index to it.

Of course, the whole issue becomes absurd because the index on search engines based outside the EU are unaffected so all a user has to do is point his browser to another site to have full access.

The Court’s Ruling just makes it look foolish and out of touch.

Ministry of Justice

A Member requested her personal data under section 7 of the Data Protection Act which were contained in the court file relating to a minor civil case. The Court Service ignored the request. She then sent the same request directly to the Ministry of Justice (MOJ) which required identification and payment as they are entitled to. These were sent. The MOJ refused to accept cash. She reminded them that they cannot refuse legal tender and we told our Member that the Information Commissioner had instructed the MOJ over a year ago to implement a system to accept cash. The MOJ ignored the Information Commissioner who has decided to do nothing. The MOJ can therefore continue to refuse to comply with the Law and the only other option available to our Member is to issue legal proceedings on the MOJ – something not to be done lightly.

Information Commissioner

If an allegation is made against a person, even if false and even if the allegation itself says that it is false, it can never be erased. The Information Commissioner takes the view that under section 70(2) of the Data Protection Act, it is accurate and not misleading that an allegation has been made and therefore, it cannot be erased. This, to our mind, is a mischief-maker’s charter. A few weeks ago, the national media carried a story about a father who was falsely accused of sexual abuse by an Officer from the Children and Family Court Advisory and Support Service (CAFCASS). Even when the Officer was dismissed, he found other parents shunned him and wouldn’t allow their children to play with his daughter. That false allegation will remain as a stain on his character and the Data Protection Act is no help. People think there is no smoke without fire. It is therefore perfectly acceptable in the eyes of the Information Commissioner to allow untrue, unverified and malicious personal data to remain indefinitely as long as it is prefaced by, “an allegation was made that....”.

The European Commission

Each year, we hold a wake to commemorate the anniversary of a Submission to the Commission alleging that the Directive has not been properly implemented by the Government preventing a data subject from using the guarantee given to him by the Directive to use the power of the Directive to bring proceedings against a data controller in certain circumstances. Essentially, the English legal system has failed to provide a lex forum, a court, which will hear cases. The European Commission agreed and on the basis of the information provided, issued Infringement Proceedings against the UK Government. On 26 May, we mourn another year’s passing without a resolution. This is number eleven as it is eleven years since the Complaint was filed.

The Information Commissioner, the European Data Protection Supervisor, the European Ombudsman and the European Commissioner who oversees data protection, can or will do nothing. The European Commission has a free hand to do as they please.

What links all these cases is that the individual data subject is given no help save a possible ‘assessment’ from the Information Commissioner which may say that the data controller is likely to have breached the Act – something which the data controller may safely ignore. The Information Commissioner has the power to issue enforcement notices on data controllers on behalf of individual data subjects, but has a policy of not doing so. Not a single enforcement notice has been issued in the past three years on behalf of an individual data subject.

A data subject is advised by the Information Commissioner to seek legal; advice. Unless the breach of the Act is particularly damaging, this is a very expensive route. In one case, one of our members was asked to put down a deposit of £5,000 before a solicitor would even consider the case. This, of course, would not be the final sum. The alternative is for a data subject to represent himself which is extremely daunting and the cost implications if he were to lose could be significant.

One Member took this route for a simple action under section 7 and the costs amounted to £30,000. Costs are used by data controllers to prevent cases coming to court. Of course, It would frighten off all but the very brave or foolhardy.

Conclusion

We hear many stories such as these. A determined data controller can easily ignore all grievances of a data subject. In other words, the purpose of data protection legislation – to protect the data subject - is thwarted by the inability of individual data subjects to take action. They are on their own.

In spite of the excellent work of the Article 29 Committee and the good intentions of all involved in the drafting of legislation, unless the individual data subject can take swift action easily and cheaply, we are merely discussing how many angels can dance on the head of a pin.

www.dataprotectionsociety.co.uk