Annual report 2010/11 - questions and answers

We asked you to submit your annual report questions to the Information Commissioner:

 

Question 1: As Information Commissioner, if you could have three wishes in the year ahead (relating to UK private sector organisations' compliance with privacy legislation, to EU policy - or anything else), what would these be?

Response: My three wishes? Businesses to wake up to the fact that 90% of consumers are fairly or very concerned about the privacy of personal information held about them - and to think through the implications for reputation when mistakes are made. Website operators to take their 'consent' obligations seriously under the Privacy and Electronic Communications Regulations - because I'll be after them if they don't. And more private sector operators to take advantage of the free audit consultancy offered by the ICO to run the ruler over DP compliance. Why wouldn't you?

 

Question 2: Please can you give us an indication of how the Data Protection law is going to be changing in light of the changes being proposed at EC-level? Specifically, will the law change in relation to the use of sensitive personal data for medical research purposes or will it still be permissible to use such data for such purposes on the terms set out in the Directive, as implemented by the DPA?

Response: Until the Commission publish their draft proposal (likely to be November) we won't know what changes there will be at EU level. Even once published, the draft is likely to take years to be negotiated and will inevitably change during the negotiations. Only once the EU-level text is agreed or close to agreement will we know what the UK law might look like.

 

Question 3: The ICO guidance regarding the changes to the rules on using cookies following the publication of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is vague about third party cookies. What should organisations do about third party cookies when preparing for compliance?

Response: We appreciate that there are still unanswered questions on third party cookies. Obviously, the process of getting consent for these cookies is more complex, and our view is that everyone has a part to play in making sure that the user is aware of what is being collected and by whom.

We would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.

We’ve already said that we don’t want to issue generalised instructions to businesses on how to comply – this would only hinder rather than help them to find a solution that works best for them and their customers. We’ve also given businesses a 12-month lead-in period to help give them time to work out ways to gain consent.

 

Question 4: Of the civil penalties issued so far which authorities/organisations paid within the time scale to attract the discount?

Response: All of them apart from ACS Law, who were subject to a bankruptcy order and thus not able to pay within the time scale to attract the discount.

 

Question 5: Does the ICO intend to use webcast more in the future for cascading information?

Response: Probably – we think it’s gone very well but will evaluate properly once we have more feedback.

 

Question 6: I am aware that organisations with which I work transfer data across the Atlantic. Which is the “trump card” – the EU data protection regulations, or the Patriot Act? How can I ensure I know if my data is being released/reviewed in the US when it was provided to a European organisation?

Response: Organisations should firstly say on their notification entry whether they transfer personal information overseas. However, they don’t always need to tell individuals this as part of fair processing, for example, if they outsource an administrative part of their business. The Patriot Act is US legislation applying to US companies; they have a legal obligation to comply with requests, regardless of laws from other parts of the world.

The best way for an individual to know what is happening to their data is to ask the organisation whether they transfer it overseas, who to and for what reason. Individuals are unlikely to be able to find out if a US organisation has had a request for their personal data under the Patriot Act, as if you receive a request under the Act, you are prohibited from revealing its existence.

 

Question 7: I have just watched the webcast with interest and admiration. An excellent example to set in delivering information to a wide audience.

I was particularly interested in the impressive figures given in managing case loads. Resolving more complaints in quicker time with fewer staff and less money is a great achievement and the measurables cannot be disputed. You stated that the quality of decision notices has not deteriorated, something that cannot be measured. I read a lot of decision notices and my professional view is that I completely agree - the quality has not deteriorated at all.

Which leads me to an obvious question - could you share with us how you have achieved this? This is something that would be of great benefit to a huge number of public sector bodies at the moment, all of whom are being asked to do more with less.

Response: Thanks for the comments. We’re pleased, but not complacent.
 
First of all, we do have some quality measures. These aren’t as objective as the closure figures, but the percentage of successful appeals to the Tribunal has not increased, and we take this as a broad indicator of quality. In addition, external commentators have noted that our decisions remain consistently sound. We also acknowledge that quality relates to the overall service provided. It’s not just about the content of our decision, it’s about how long it takes us to reach it.
 
How have we done it? A lot of hard work by staff who are now experts in the field, coupled with some streamlined processes and tight management based on stretching but achievable targets. These targets were driven by clear priorities and we met them following a concerted and co-ordinated effort by everyone involved. The big process change involved reducing the number of stages that a decision notice has to pass through before sign off. Very often, the caseworker and the signatory are now the only two involved in the case.
 
Of course, this only works because we now have better sharing of information and expertise within teams and because we encourage a culture of continuous improvement. All with the aim of providing a better service for those who want to use their information rights.
 
We have more work to do and will continue to work hard to meet the twin challenges of increased referrals and fewer resources.

 

Question 8: Why have we seen just one fine on a private company when there are clearly many breaches happening?

Response: We apply the same published criteria to all cases where we believe that a monetary penalty might be appropriate. In doing this, we do not distinguish between the public and private sectors.

 

Question 9: What does the Commissioner propose to actually do about the NHS outside of just giving warnings? Will the NHS ever be fined?

Response: The ICO is currently investigating cases that involve the NHS. If the situation merits it, we will not hesitate to issue a civil monetary penalty against an organisation within the NHS.

 

Question 10: Section 77 of the Freedom of Information Act, reflecting human nature, recognises that some of those in public authorities will seek to prevent material being released (by altering, defacing, blocking, erasing, destroying or concealing relevant records).

In proceedings before the Information Tribunal in challenging a section 50 Decision Notice the ICO contended that it will assume that the Public Authority will provide all the relevant material which is subject to the request.

Please can you advise on why there has been reluctance and refusal on the part of your office to pursue prosecutions under section 77 which is a valuable weapon in the armoury of protection of information rights?

What steps will be taken to review the policy and approach of the ICO with regard to section 77 (including reviewing requests for prosecutions and the evidence submitted in connection therewith) to ensure that the vision of the ICO can command the confidence of stakeholders by providing relevant and timely outcomes which are responsive to the mischief of obstructing the release of information?

With regard to the ‘blocking’ part of the offence what steps have been and will be taken to address the concern that some dealing with matters on behalf of public authorities can effectively block the release of information (at least until it will not be useful) because of the approach of the ICO including the delays in processing requests?

Response: There is no ICO policy not to pursue prosecutions under section 77 of the FOI Act. If allegations are made or evidence comes to light that a section 77 offence may have been committed, these are investigated. Referrals are made by case officers handling the section 50 complaint to the ICO’s enforcement team, who have skills and experience of criminal investigations.
 
The practical difficulty, which we have raised on many occasions with the Ministry of Justice, is the fact that section 77 offences are summary only and subject to the six month limitation under the Magistrates' Courts Act, i.e. a prosecution must be brought within six months of the offence occurring. Given the timescales for compliance with a request laid down by the Act, the requirement for an internal review and the time taken for a complaint to be made and investigated by the ICO, commencing a prosecution within six months of the destruction of information on receipt of an FOI request is almost impossible. Nevertheless there have been a number of occasions where we have pursued section 77 issues, taking statements and referring to allegations in Decision Notices and, where appropriate, expressing our concerns about actions taken at whichever public authority is concerned.
 
The problem caused by the time limit has been flagged by the ICO and others on a number of occasions. We have voiced our support for amendments to the Act which would allow the time limit to run from the date of detection of a possible offence. Another possibility would be to make section 77 offences triable either way. We understand the issue is likely to be addressed in the post-legislative scrutiny of the FOI Act which the government has said is to be undertaken by the Justice Committee in the autumn. We will continue to press for reform to make section 77 more useful and usable. We agree with the questioner that it is, or at least should be, “a valuable weapon in the armoury of protection of information rights”.
 
The questioner comments on the ICO assuming that all relevant information is submitted by a public authority in response to an ICO request for it in the course of an investigation. Again, if there is reason to believe that not all the relevant information within the scope of a request has been revealed we do pursue that. If necessary we can issue an Information Notice. Where the section 50 complaint follows a “no recorded information held” response to a request, obviously that is the focus of our investigation and we require a full explanation. However, we do not work on the basis of an automatic assumption that public servants are liars or criminals.
 
We often come across situations where complainants find it hard to accept that information about a matter which is of great importance to them has not been retained by the public authority or that notes of, say, a phone call were not made. Standards of public administration vary greatly in practice. The ICO does pursue these issues conscientiously when investigating section 50 complaints, but we have to make reasonable judgements according to what we find in each case, applying the legal test of the balance of probabilities. For a section 77 offence to be made out, a significantly higher probability test has to be satisfied. But if there is evidence that an offence has been committed, or would have been committed but for technical knock-out because of the time limit, we do pursue the matter.
 
Finally, on the issue of delays, the Annual Report highlights the ICO’s work on monitoring compliance with time limits imposed by the FOI Act. This initiative is driving up standards, not only among the monitored public bodies but also among those who want to avoid the ICO’s attention. Coupled with the ICO’s own improved performance in bringing FOI complaints to a conclusion and the government’s drive on proactive transparency, the opportunities for procrastination which may have been around in previous years are no longer there.

 

Question 11: Do private companies also have an obligation to disclose any data breaches they have?

My line of thought is that if they are not obliged to report customer complaints to the ICO, then there may be a significant number of breaches occurring that the ICO is not aware of and subsequently the public is not being made aware of. We seem to be seeing a huge quantity of breaches occurring but mainly in the public sector. Just wondering why that may be?

Response: All data controllers have a responsibility under the Data Protection Act 1998 to ensure appropriate and proportionate security of the personal data they hold. There are also specific requirements in the Privacy and Electronic Communications (EC Directive) Regulations 2003 for public electronic communications service providers to take appropriate technological and organisational measures to safeguard the security of their services.

No organisations have an obligation to report data breaches to the ICO under the Data Protection Act. From 26 May 2011 public electronic communications service providers are required to notify the Commissioner, and in some cases individuals themselves, of personal data security breaches.

However, some organisations choose to put in place their own requirements to notify the ICO of data breaches under the Data Protection Act, and many of those are in the public sector. Although there is no legal obligation in the DPA for data controllers to report breaches of security, the Information Commissioner believes serious breaches should be brought to the attention of his Office and, where appropriate, to the attention of the individuals involved.

We believe that some form of compulsory notification for serious security breaches would be a useful addition to any new legislation.
