
Welcome to the January 2010 edition of the Information Commissioner's e-newsletter.

This newsletter provides a round up of freedom of information and data protection developments and outlines information and guidance available from the Information Commissioner's Office (ICO).


Top stories

New penalties for data breaches


Monetary penalties of up to £500,000 could be levied on businesses and other organisations that breach the Data Protection Act. The new powers granted to the ICO are expected to come into force on 6 April 2010.

Information Commissioner Christopher Graham said: "These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act, but I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."

Statutory guidance about how the ICO proposes to use this new power has been produced by the ICO, approved by the Secretary of State for Justice and laid before Parliament.


Call for deterrent custodial sentences


Christopher Graham has called for custodial sentences as a deterrent to stop the trade in unlawful personal information. The Information Commissioner said the 'existing paltry fines for Section 55 offences' were not enough to stop people from engaging in such lucrative criminal activity. He added: "The threat of jail, not fines, will prove a stronger deterrent."

Mr Graham was responding to the Government's proposal to introduce a custodial sentence for breaches of Section 55 of the Data Protection Act from April 2010. He said the ICO was preparing a prosecution file following an investigation into employees at a mobile telephone company who were selling details of customers' mobile phone contracts to competitors. Customers were then cold called prior to contract expiry dates to offer them new contracts.

A further investigation is continuing into how blaggers used forged identity documents to gain unlawful access to credit files held by a credit reference agency.

ICO submission to Ministry of Justice consultation

Government bodies to be audited without consent


The ICO will have the power to audit government departments without their consent from April 2010. The move follows the passage of the Coroners and Justice Act on 12 November 2009.

This new power can also be extended to other public and private sector organisations, but only following a 'designation' process. The ICO must first serve an assessment notice. An 'assessment notices' code of practice, covering areas such as the circumstances in which a notice can be served, the nature of the assessment process and the publication of assessment reports, will follow shortly.

Royal Mail in data protection duck out


Royal Mail has apologised after a parcel was initially not delivered to a nine-day-old baby, as the baby was unable to sign for it. The ICO issued a statement on what it described as 'a data protection duck out.'


Firms pay for failure to notify


Failing to pay a £35 fee has led two recruitment firms to incur fines and costs of more than £2,500. Time Recruitment Ltd and Aston Baird Solutions Ltd, trading as Hilliards Associates, have been successfully prosecuted by the ICO for offences under the Data Protection Act.

Despite repeated warnings from the ICO the firms failed to notify as data controllers under the Data Protection Act.

Mick Gorrill, Assistant Information Commissioner, said: "These two prosecutions demonstrate that we stand ready to use our powers to prosecute the small minority of organisations that flout the Data Protection Act. The Act clearly states that organisations must be open about how they process personal information and in most cases those processing personal information must register with the ICO."

An accountancy firm from Newcastle-under-Lyme was also prosecuted and had to pay a fine and costs of more than £1,700.


Latest data breach figures


Over 100 data breaches were reported to the Information Commissioner's Office in the final quarter of 2009. That brings the total number to 818 data breaches since November 2006.

Key concerns are the extent to which portable media containing unencrypted personal information are still being lost or stolen and the number of data breaches in the NHS. From April those who continue to be reckless or negligent about the encryption of portable media will run the risk of financial penalties. Concerns about the NHS have been raised with the Department of Health.

Latest breach report

 

Freedom of information

Government issues ministerial veto


Jack Straw, the Secretary of State for Justice, has exercised the ministerial veto blocking the disclosure of cabinet minutes on devolution.

Disclosure of the 1997 cabinet minutes had been ordered by the Information Commissioner in June 2009. He argued that the sensitivity of the material was reduced by the passage of time and its release would be in the public interest.

The Cabinet Office had appealed the decision to the Information Tribunal and a full hearing was expected in January 2010.

The Information Commissioner will now consider the reasons given by Jack Straw for exercising the veto. He remains concerned that the government may routinely use the veto whenever disclosure of the minutes of Cabinet proceedings is ordered, irrespective of the subject matter or age of the information.

This is the second time the veto has been exercised. It was first used in February 2009 to stop the publication of cabinet minutes relating to the war in Iraq.

Report to Parliament

Public bodies should say how money is spent


Some of the UK's largest public bodies are making it harder than necessary for citizens to gain access to information about how public money is spent.

The ICO's Central Government Sector Monitoring Report shows that few of the authorities reviewed proactively released any detailed information about senior staff allowances and expenses.

Christopher Graham said: "Public bodies need to be more open about how they spend public money. This report highlights that too many of the biggest public authorities could easily be more transparent. There is a real appetite to know how our taxes are spent and what is done in our name - especially in the current environment.

"Public bodies can help themselves by publishing more information up front before they are asked. I will be visiting public bodies to press home the advantages of openness and the importance of complying with the Act."


Inspiring regulations


The ICO has new enforcement powers relating to the proactive provision of geographical or location based information by public authorities.

The powers are a result of the INSPIRE (Infrastructure for Spatial Information in the European Community) Regulations 2009 which came into force on 31 December 2009.

Although the regulations have already come into effect, they have a staged implementation. This year will see the creation and submission by public authorities of relevant "metadata" which will be handled by the 'UK Spatial Data Infrastructure Co-ordination Unit' at Defra. The ICO is not expected to have any eligible complaints to consider until 2011.

Guardian correction


The Guardian newspaper has corrected an inaccurate story which claimed the ICO had accidentally released documents to a reporter. The article 'Campbell had Iraq dossier changed to fit US claims', 11 January 2010, was incorrect and the Guardian's correction appeared in the paper and online on Wednesday 13 January.

Christopher Graham said: "Organisations can have confidence that when they share confidential information with the ICO it stays confidential. I am glad that The Guardian has corrected their inaccurate story."

 

Helping you...

Demystifying data protection


A new plain-English guide to data protection has been produced by the ICO. The guide uses practical business-based examples to help businesses and organisations to safeguard personal data and comply with the law.

Stephen Alambritis, Head of Public Affairs at the Federation of Small Businesses, welcomed the guide. He said: "Data protection lapses cost reputations and can affect the bottom line. But, many organisations tell us that data protection law is difficult to understand. This new no-nonsense guide will help the business community to understand and comply with the law."

Information Commissioner Christopher Graham added: "There are still too many organisations playing fast and loose with personal data. Security breaches, inaccurate records and instances of data being held for too long are too common. This new guide will help organisations comply with the law and demystify data protection."

To view the guide on the website go to: http://www.ico.gov.uk/for_organisations/data_protection_guide.aspx

To order a hard copy go to: https://www.ico.gov.uk/tools_and_resources/request_publications.aspx

Online privacy code consultation


An online consultation has been launched by the ICO on a new draft code of practice. The Code will provide organisations with a practical and common sense approach to protecting individuals' privacy online.

The 12 week consultation gives organisations and the public the opportunity to read and comment on the draft guidance. The draft explains how the law applies and calls on organisations to give people the right degree of choice and control over their personal information, for instance by giving them clear privacy options or making it easier for people to erase their personal information at the end of a browsing session.

Ian Bourne, Head of Data Protection Projects at the Information Commissioner's Office, said: "The draft code of practice explains a difficult area of the law and provides practical advice on a range of online privacy issues. It urges organisations to do more to explain what they do with the information they collect about people and to make sure they use it in line with individuals' wishes."

The consultation ends on 5 March 2010.


New FOI guidance


Two new FOI guides have been published recently. The first explains when a company is publicly owned and therefore subject to the Freedom of Information Act.

The second guide provides practical help in the application of section 36 of the Freedom of Information Act, where releasing information would prejudice the effective conduct of public affairs.

The guidance indicates what the ICO will look for when a public authority has refused to provide information on these grounds. It explains how a complaint will be investigated and what the ICO will need to see to be satisfied that the exemption has been considered properly.

Tweet tweet - ICO now on Twitter


Keep up to date with the work of the ICO by following it on Twitter @ICOnews.

There is advice about using social networking sites and more on the ICO's young people's pages. In addition, a Facebook student group about data protection has been set up and public information videos can be viewed on YouTube.


 

Conferences and workshops

Data Protection Officer conference


Christopher Graham is the keynote speaker at the Data Protection Officers conference which takes place on 3 March 2010 at the Lowry Hotel, Manchester.

The event provides an opportunity to share ideas and experiences and hear from expert speakers. This year speakers include Deputy Information Commissioner David Smith; Christine Goodfellow, the Director for the Improving Information Sharing and Management Programme at the Department for Children, Schools and Families; and Robin Wilton from Future Identity, who will be discussing digital security and privacy.

There will also be a series of interactive workshops.


FOI workshops for practitioners


The Information Commissioner's Office has arranged two workshops for FOI practitioners. The first is on 9 March 2010 in Mansfield and is for NHS staff. The second is on 26 March in Haringey and is for Local Authority practitioners.

The sessions will provide opportunities for practitioners to meet ICO staff and each other, to ask questions and talk about current issues.

Further details can be obtained by emailing gpe@ico.gsi.gov.uk.

The ICO is grateful to the Nottinghamshire PCT and Haringey Council for making accommodation available for this purpose.

 

Taking enforcement action

Freedom of Information Act


The ICO usually publicises the enforcement action it takes. Copies of press releases can be found by clicking here.

The Information Commissioner has issued practice recommendations to the UK Border Agency (UKBA) and Cardiff County Council. Both authorities have repeatedly failed to comply with the timescales for responding to requests for internal reviews set out in the Code of Practice and the Commissioner's guidance.

Gerrard Tracey, Assistant Information Commissioner, said: "Responses to internal reviews need to be prompt. The right to request an internal review is an important information right for members of the public. Authorities must understand that, although we will work with them to improve their practice, the informal resolution of compliance or conformity issues will not be pursued indefinitely. We will take action against those who show a lack of progress, commitment and engagement with regards to their responsibilities under the Act."

The ICO has issued a Practice Recommendation to the Ministry of Defence (MOD). The MOD has been ordered to improve its handling of internal reviews and ensure its standard completion target for internal reviews conforms to guidance issued under the Freedom of Information Act.


Data Protection Act


The ICO has found Bellgrange Mortgages and Insurance Services Ltd in breach of the Data Protection Act after clients' details were found in two large waste bins intended for the use of local residents. The organisation, based in Stanmore, has signed an official Undertaking to improve data security.
View PDF of the Bellgrange Mortgages and Insurance Services Ltd Undertaking

The ICO has found Northern Ireland's Department of Finance and Personnel in breach of the Data Protection Act after approximately 37,000 people's personal details were stolen.
View PDF of the Department of Finance and Personnel Undertaking

The ICO has found Shropshire Council in breach of the Data Protection Act following the loss of an unencrypted memory stick containing sensitive information relating to a large number of adult social care clients and members of staff.
View PDF of the Shropshire Council Undertaking

A formal Undertaking has been signed by Waseley Hills High School and Sixth Form Centre committing it to take a number of steps to ensure that personal data is processed in compliance with the Data Protection Act. The ICO found it in breach of the Data Protection Act after the theft of personal data of over 1,000 pupils and staff.
View PDF of the Waseley Hills High School and Sixth Form Centre Undertaking

A formal Undertaking has been signed by the Orbit Heart of England Housing Association after the ICO found them to be in breach of the Data Protection Act. Fifty-seven paper files containing personal data went missing during an office move. Forty-two of the files were recovered in full, but 15, which contain a significant amount of personal data relating to each tenant and, in some cases, members of his or her family, are still missing.
View PDF of the Orbit Heart of England Housing Association Undertaking

A formal Undertaking has been signed by Verity Trustees Ltd after the ICO found them to be in breach of the Data Protection Act. The Trustees reported the theft of a laptop computer containing the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 individuals.
View PDF of the Verity Trustees Ltd Undertaking

Formal Undertakings have been signed by Great Yarmouth and Waveney Primary Care Trust and Gloucestershire Primary Care Trust after the ICO found them in breach of the Data Protection Act.
View PDF of the Great Yarmouth and Waveney PCT Undertaking
View PDF of the Gloucestershire PCT Undertaking

Maidstone and Tunbridge Wells NHS Trust has pledged to improve the security of patients' personal information after the ICO found it in breach of the Data Protection Act. The Trust has signed an Undertaking declaring that any personal data held on a laptop computer or other removable media by the data controller will be identified and encrypted within six months.
View PDF of the Maidstone and Tunbridge Wells NHS Trust Undertaking

Ashford and St Peter's Hospitals NHS Trust has signed an Undertaking and agreed to improve data security after it informed the ICO of a data breach involving the loss or theft of three unencrypted USB sticks containing sensitive patient information. Each of the devices contained the full treatment and full diagnosis history relating to a number of cancer patients. The information on the USB sticks was in Word format - leaving the material easily accessible to anyone with a computer.
View PDF of the Ashford and St Peter's Hospitals NHS Trust Undertaking

ICO Decision notices


The Information Commissioner has ordered the Department of Health to release a letter from a former Treasury minister concerning the NHS consultant contract. The Department of Health received a request under the Freedom of Information Act for the business case on the consultants' contract which it provided to HM Treasury in 2002. The requester also asked for a copy of HM Treasury's response.


For details of all decision notices issued by the ICO please visit the decision notices page of the ICO website.

Freedom of Information case update


We have already closed more cases in 2009/10 than we did during the whole of last year and reduced our caseload by 30%. This has meant we have halved the number over one year old and reduced those over two years old by 70%.

During the third quarter of the financial year 2009/2010 we received 858 complaints under the Freedom of Information Act and Environmental Information Regulations.

This diagram outlines FOI cases received and resolved up until the end of September 2009

* Some cases can be prepared for handling but are later identified as cases to be removed from our casework handling system. Therefore these figures may be subject to change over time.

Data protection case update


During the third quarter of the financial year 2009/10 we received 7,170 complaints under the Data Protection Act and 7,321 cases were closed. Comparing 2009/10 so far to the full year 2008/09, we have received 42% more complaints and closed 45% more.

This diagram outlines DP cases received and resolved up until the end of September 2009

* Some cases can be prepared for handling but are later identified as cases to be removed from our casework handling system. Therefore these figures may be subject to change over time.

Feedback


We welcome your comments on our e-newsletter. If you have any comments or suggestions please email websitefeedback@ico.gsi.gov.uk.


The ICO's mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

We enforce the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations, regulating the organisations that come within their remits.

We provide guidance to organisations and individuals to promote awareness of information rights and obligations, ensure compliance with the law and encourage good practice. We rule on eligible complaints and can take action when the law is broken.