Hard to think of two more poorly run institutions than HMCTS and its parent organisation The Ministry of Justice.
This is a very simple post detailing a simple but significant error. So no lengthy explanation as to what’s happened on this occasion!
HMCTS shared my personal financial details with a third party.
That’s it. That’s basically all that can be said in the post.
But wait!
Stop and think for a few moments and we can see this matter is actually considerably more significant and serious than it first looks.
The letter from The Information Commissioner’s Office (ICO) finding against HMCTS can be seen below.
But the operative paragraph from it is simple and plain:
The nub of the issue.
Why should this matter?
Personal data in the care of bodies such as HMCTS and MoJ has the potential to cause significant damage if released inappropriately. Release to a third party with no requirement for or rights to such data can and does cause significant issues.
The simple fact is that the incompetence of County Court staff knows no bounds.
Indeed the vindictiveness of their management towards anyone who has received appalling service from HMCTS also knows no bounds. In this matter an out-of-court settlement was agreed upon to be paid fourteen days from the agreement. Some three months after this agreement I was still awaiting payout.
HMCTS and MoJ are simply two organisations which have ceased to function in any meaningful way and the amount of time spent on damage limitation, denying errors have occurred and attempting to maintain an image of professionalism would be better spent actually running courts efficiently in the first instance.
BEING the story of how a data access request led to a breach of the law by West Yorkshire Police.
Few people would argue against the notion that West Yorkshire Police has an international reputation for corruption and incompetence. One of the less enviable roles to have at the force is in the Data Management departments dubbed, rather imaginatively, as Information Compliance and Right of Access. Those pesky members of the public requesting data they’re perfectly entitled to must grate! Thus in those departments you stand as gatekeeper for great swathes of your information that must not be released as it could show your brother officers out to be inept, lazy or actually corrupt.
Consequently the job of anyone in a data access role at West Yorkshire Police is more akin to a doorman at the gates of Hell stopping Desmond from escaping than the role suggested in legislation as a facilitator of access to information.
Consider Section 77 of the Freedom of Information Act which states that a person…
“is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled”.
…at West Yorkshire Police data access employees certainly consider this. Particularly the blocking and concealing aspects. And it probably keeps them awake at night.
A data access request was made to Right of Access department at West Yorkshire Police in early October 2020.
Eventually the data was provided (in February 2021) and as is par for the course this was considerably outside of the time limits allowed in law for the production of it and is thus a breach of the law.
Additionally the mishandling of the original requests suggests misconduct in public office and willingness to commit a Section 77 offence on the part of a person or persons at Right of Access dept. It is for you, dear reader, to decide if this also constitutes a criminal offence of misconduct in public office.
A complaint was made to the (equally imaginatively named) Professional Standards Department (PSD) which they fudged. They were then instructed to re-investigate the complaint by The Office of the Police and Crime Commissioner (OPCC) for West Yorkshire.
Part of the re-investigation instructions relate to data that was clearly withheld by Right of Access Dept. from PSD in contravention of their duty of care and candour. This withholding of data skewed the result of the PSD investigation, resulting in the matter being referred to OPCC.
I’m willing to take a pretty safe bet that Right of Access did not inform PSD of the matters below in the original complaint investigation…
Eland Road Police Station, Leeds.
The original request for data made in October 2020 resulted in a letter of 4.11.20 from Right of Access dept. which stated that the request was rejected for 60 days as ROA had decided to impose an arbitrary and illegal ban on my making data access requests. The illegality of the ban was pointed out to ROA.
The pointing out that the ban was illegal appears to have generated a change of heart. A few days later (16.11.20) this ban was lifted and a further letter of 16.11.20 assigns the request a reference number. Great! It’s finally moving forwards! The letter of 16.11.20 claims the request is being processed.
However illogically the following day the request was then again refused in a letter from Right of Access dept. of 17.11.20.
This attracted an internal review request from me. The response from ROA to this was:
“internal reviews [has been set up]… an independent member of the team who was not involved in this decision will assess your requests and whether they should be processed.”
The matter was also referred to the independent watchdog for data access rights, The Information Commissioner’s Office (ICO) as a formal complaint.
ICO considers that 40 days is sufficient for the production of an internal review. The internal review was of course not concluded after this time and so the reviews were both chased with ROA after 40 days on 12.1.21.
West Yorkshire Police staff hard at work.
The results of the internal reviews were inconclusive and weak in that they upheld the original failure to produce the data without giving sustainable grounds in law.
Now here’s a hot tip next time a police force refuses your data access rights:
In order to act as a check on Right of Access dept. at West Yorkshire Police (experience leads me to not believe a word they say) I occasionally request the same data as has been requested from ROA from another police force to check matters such as the right of access in law to the data and entitlement to the same. This is something I specifically do as in the case discussed here where there is an outright refusal to supply the data. Having an uninvolved second party check what you’ve been told is truthful is frequently invaluable.
A letter in response from Humberside Police confirmed the rights to the same type of data requested from West Yorkshire Police.
So I wrote back to ROA on 20.1.21:
I refer to the attached correspondence with Humberside Police in relation to [reference number given]. In this correspondence I requested from that force the same documentation that has been requested from West Yorkshire Police…
Following the usual game of silly bastards that police forces like to play in their initial response letter the data was provided in accordance with the obligation on Humberside Police in law.
The same legal obligation that has compelled Humberside Police to provide a copy of the data also obliges West Yorkshire Police to provide the same to me. Your internal review of the matter and the provision of the same from a local force must mean that the law compelling disclosure of this data from Humberside also compels the disclosure from your force.
I await a copy of the data requested…
A copy of the covering letter from Humberside Police confirming the right of access to the data requested was also sent to ROA on 19.1.21.
ROA wrote back on 21.1.21 saying the matter is with the ICO but that I am not prevented from making further requests.
I request again on this date a copy of all the data originally requested in October 2020. This request is acknowledged on 22.1.21. The data was finally provided in February 2021.
After the original refusals and messing around by ROA it must have galled them that they’d been backed into a corner with no further escape route. If the data is obtainable from one force it must logically be obtainable from all.
The point of the lengthy backstory above is this: ROA habitually seek to retain data that the production of would prove embarrassing to West Yorkshire Police. This purposeful retention of data breaches the law as it activates both yours and my Section 77 rights under data access legislation and the illegal retention of it is an example of misconduct in public office as the law is habitually flouted to avoid the production of data access requests.
In the above matter once the entitlement to data had been established from another force ROA had no option than to provide the data requested, but of course prior to this the data had been subject to so much hand-wringing and wrangling to avoid its disclosure, including the illegal imposition of a ban on requests being made and the arbitrary refusal of a legal and legitimate data access request.
Conclusion
I should not have to fact-check the legal position with requests to other police forces when a request for data has been refused by West Yorkshire Police. But it does help! Equally I should not have to do this for the purpose of getting ROA department backed into a corner from which they cannot continue to refuse access to data. Again though this does help! This is wasting my time and public money simply because ROA sees its position as a gatekeeper for information rather than accepting its actual position in law as a facilitator.
Section 77 cited above is clear: it is an offence to attempt to block access to data that the public has a right to.
Recently The Office of the Police and Crime Commissioner for West Yorkshire Police has had a number of members of the public complain about the police’s Right of Access dept. Will this lead to a broader investigation of systemic and purposeful effort to block public access to data by delay, dithering and denial? Watch this space.
Currently the scandal around COVID-19 and the supply of contracts for PPE to friends of Conservative Party MPs and Tory party donors hangs over Britain like an unpleasant smell.
But there’s a similar NHS procurement scandal with a somewhat longer history. This shows that – if anything – lessons are never learned when it comes to NHS outsourcing. The fast and cheap route is often the chosen path and this leads to incalculable consequences for individual patients.
TPP – or The Phoenix Partnership as they are otherwise styled – are a company based in Horsforth, Leeds and provide computer systems and software for GP’s surgeries in the British NHS.
Their website claims that their systems assist in:
increasing efficiency, driving innovation and empowering patients.
…all of which is the usual marketing hot air.
The standard package sold to surgeries is an error-riddled piece of software called SystmOne. This is used by about a third of GP practices in England and holds the records of millions of patients.
The present incarnation of this software was introduced in 2012. The Information Commissioner’s Office, the public body concerned with protection of individuals’ data, has long had concerns about the quality of the software and its ability to protect the sensitive personal data of patients.
A series of coding errors on SystmOne caused – from 2017 onwards – an incredibly significant and serious data loss.
Pictured is TPP founder Frank Hester with former PM David Cameron. Hester has been a part of trade missions led by Cameron and former MP Kenneth Clarke. Hester himself was awarded an OBE – tellingly at about the same time his company was managing to lose the sensitive personal data of some 140,000 people. Tellingly following the revelation of the scandal he has not seen fit to hand this OBE back.
TPP’s parent company made £9.1m operating profit on £48.5m sales in 2015-16. This was concurrent with the data error discussed in this article and the company has more than £56.2m net assets making it easily worth £100m. That the company cannot summon the resources to then produce software which enables GP’s surgeries to keep patient data confidential is quite astonishing.
There have been concerns with the security of data from TPP software even before the knowledge of 140,000 patients’ records being shared became public.
“…it comes as the BMA wades into the increasingly murky debate over who controls access to the GP records of millions of patients.”
“The doctor’s trade union is now calling on the thousands of GPs using TPP’s SystmOne electronic record to ‘urgently consider any action they need to take’, including switching off the system’s ‘enhanced data sharing function’. ‘It has become clear that if patient records are being shared through TPP… GPs are unable to specify which other organisations can have access to their patients’ records’”
“Some media have reported [www.telegraph.co.uk/news/2017/03/17/security-breach-fears-26-million-nhs-patients/] that it allowed patient records to be viewed by ‘thousands of strangers’ not involved in their care. TPP has disputed these claims, stating that patients records cannot be accessed without their permission, except in emergencies.”
Around 12 months later the errors caused by TPP failing to construct their software correctly led to some 140,000 persons having their personal medical data shared without their consent. This amounted to the biggest data loss in NHS history.
Not that it takes a coding error alone for SystmOne to share your data. If you do not explicitly opt out of having your data shared then the software will enable potentially thousands of third parties to be able to access your patient records.
Often this means that such data is shared with American organisations who pay the NHS for bulk healthcare data. In short then unless you explicitly tell your surgery not to share your data then SystmOne will automatically monetise your data to share with third parties for which the NHS will be paid. It takes an enquiry with NHS Digital to discover exactly who has had access to your data. No doubt your surgery and the NHS overall would rather you didn’t know about the monetisation of your sensitive personal data.
No wonder that in the 2017 article in Digital Health we can see Hester fighting tooth and nail to prevent any restrictions on TPP products being able to share patient data with third parties!
Now to focus back on the issue of the major data loss.
In respect of the 140,000 persons whose data was shared against their express wishes the following was said in The House of Commons on 2 July 2018 by the Parliamentary Under-Secretary of State for Health who issued a statement to Parliament in which she said:
“NHS Digital recently identified a supplier defect in the processing of historical patient objections to the sharing of their confidential health data. An error occurred when 150,000 Type 2 objections set between March 2015 and June 2018 in GP practices running TPP’s system were not sent to NHS Digital. As a result, these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients.”
“Since being informed of the error by TPP, NHS Digital acted swiftly and it has now been rectified. NHS Digital made the Department of Health and Social Care aware of the error on 28 June. NHS Digital manages the contract for GP Systems of Choice on behalf of the Department of Health and Social Care.”
She went on to say…
“TPP has apologised unreservedly for its role in this matter and has committed to work with NHS Digital so that errors of this nature do not occur again. This will ensure that patients’ wishes on how their data is used are always respected and acted upon.”
“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld.”
“There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner’s Office and the National Data Guardian for Health and Care aware.”
On discovery of this – the largest data loss in NHS history – The Information Commissioner’s Office immediately sprang into action. And as expected did nothing. This is par for the course for ICO.
At present it is not known what the commercial relationship between TPP and NHS Digital may comprise. Therefore it cannot be said if one has indemnified the other from the consequences of data losses. This may be why ICO fails to act.
Look at the extracts below from a letter sent from ICO to NHS Digital. As far as I’m aware this is the first publication of this document in any media:
All of this tale of failure is par for the course in modern Britain.
Shoddy companies such as TPP gain contracts for services to the public sector but produce shoddy work. When errors happen it’s a “learning experience” for all concerned rather than one in which heads roll. Supervisory organisations such as ICO fail to act as appropriate. And the gravy train keeps on running!
Police forces are notoriously bad at responding to subject access requests (those are requests for your own personal data) as well as requests for data overall from the force, especially if the request for access is made by the public.
The Information Commissioner’s Office has recently published a report (link seen below) outlining just what an absolute catastrophe police responses to these requests are.
As ever with such a report the real eye-openers are the recommendations made by ICO. In this instance these are nine points which show how UK police forces are failing to deal with data access requests in anything like an efficient and professional way. Often this is because the purpose of data access legislation clashes with the police’s wish to keep information regarding errors in procedure and process wholly secret.
Title page of ICO’s report.
This report will cause consternation in particular at failing Humberside Police, a force subject to many eye-watering fines from ICO in the past for failures to comply with the law on data access by the public. The recommendations ICO suggest will likely be impossible for the force to implement.
West Yorkshire Police – as expected one of the forces most likely to break the law to try to avoid the production of data – said at a meeting convened by their Police and Crime Commissioner recently that they would be looking at increasing the staffing in the Information Management Department in the next year (budget permitting) to cope with the demands made upon it. “Looking at” and “budget permitting” is another way of saying that nothing will be done to address the problem.
The rights of the public in the UK to access data held by state-run organisations are enforced by The Information Commissioner’s Office. I say enforced but effectively unless there’s a very significant series of large-scale errors or deliberate mischief ICO chooses to look the other way.
They’ll more often choose to look the other way in the event that the miscreant organisation is a public body: a large-scale data breach by the NHS in 2017 / 2018 attracted only a note from ICO to NHS Digital gently chiding their error.
Some of the means of looking the other way include ICO issuing a “finding” that the organisation you’ve requested data from has failed to comply with the law, or a “recommendation” that that misconducting organisation complies with the law. Neither of these two results has sufficient force to compel a turnaround from the data controller if they’re determined to dig in their heels. None of these weak regulatory methods described above actually produce the data you’ve requested: if the organisation is sufficiently obstreperous you’ll need to enforce your right of access to the data via civil legal action.
Yes, folks. You’ve guessed it! Another supposed “watchdog” that turns out to be toothless, doddering and tame.
At the beginning of the pandemic hitting the UK in March 2020 ICO issued guidance to organisations over handling data access requests which effectively boiled down to “don’t misuse the fact that there’s a national emergency to get around your statutory obligations”.
Eight months on and the initial finger-wagging approach has been replaced with a new edict from ICO: mark your own homework.
Organisations that infringe the law on data access issues are now routinely in receipt of this standard form letter the first page of which appears below:
Easier than enforcing the law: ICO states the bleeding obvious to data controllers breaching the law.
The “seriously and robustly” in the above extract doesn’t apply to any actions ICO have taken in my experience of the organisation. Even in the face of large scale data breaches for which ample evidence of a data subject’s Section 173 rights being infringed exists ICO still takes the lethargic approaches mentioned above.
Briefly yours and my Section 173 rights are this:
Extract from CPS website.
The letter sent out by ICO continues:
…all of which explains the obligations on an organisation that they are already / should already be aware of.
One wonders what the point is of informing an organisation that’s already purposefully screwed up something such as a subject access request what their obligations are. If the body is determined to withhold data for the purpose of – for example – preventing revelation of their own misconduct then a weakly worded letter from ICO will not make them correct their ways.
Misconducting organisations must be quaking in their boots regarding the powers and sanctions bit in the second to last paragraph, knowing ICO is notoriously weak on enforcement.
Thus the Merry-Go-Round of the UK’s weak regulatory and enforcement structure rumbles on.
Brief post for today. Well a brief post by the standards of this blog!
In yesterday’s blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject’s rights and potentially quite dangerous to the data subject as MoJ shared the subject’s name, address, date of birth and financial details.
The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.
Elizabeth Denham, UK Information Commissioner
The Information Commissioner’s Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.
So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other people’s data.
Can’t we?
In a delicious piece of timing just after I’d written yesterday’s blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!
I have of course deleted the email address of the intended recipient of this letter.
It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!
The ICO letter states:
I am aware that the council inadvertently provided you with the requested information.
Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.
One might hope the ICO takes appropriate action against itself for this data breach.
In all honesty I wouldn’t hold my breath.
ICO’s present logo. Strange use of lower case letters and an inappropriate full stop.
Like many of the UK’s regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.
Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exist enough “trapdoors” in the relevant legislation that an (often misapplied) exemption will be used to avoid supply of the data.
The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).
In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.
Let’s look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to defuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICO’s expenses. The majority of the fines issued in successful judgments are not paid.
One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients’ medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.
In Doncaster in early January 2020 a child died. His name was Keigan O’Brien.
Doncaster overall has an appalling reputation as a place in which children can grow up safely and free from fear of harm. Several incidents in recent years have put the city’s child protection measures into the national spotlight. At one point the relevant responsibilities would have rested with the local authority.
Doncaster Council offices, Waterdale
However Doncaster Children’s Services Trust (DCST) is an offshoot organisation set up by Doncaster Council. This follows a series of disastrous child protection failures from Doncaster Council (itself a noticeably underperforming local authority) and the establishment of DCST was clearly to place some element of distance between the Council and child protection services in the city. A useful tactic for the senior organisation avoiding blame and bad publicity. But the service provided by DCST is still the same appallingly poor standard as when matters were under the Council’s jurisdiction.
Tellingly the most recent OFSTED reports that DCST show on their own site end in 2018.
The head of DCST is Jim Foy, the improbably titled LADO or Local Authority Designated Officer. The title is of course a hangover from the days when the service was an in-house Council run operation.
On the occasions this correspondent has encountered him Jim Foy seems a man hopelessly disengaged with the job he has to do and the overall impression is of a man who is the cause of chaos in his employment which others then run around correcting. This is bad enough in any post but in one with the responsibilities of LADO the consequences of failure are catastrophic to service users, their families and the local community.
And so it proved when Jim Foy – in the course of his duties – recorded data on a person who had engaged in a new relationship with a clerical support worker in a Doncaster area school. Not only did he record the data wrongly but he also recorded a matter which was not an offence in British criminal law. He failed to spot either of these errors. He then used this incorrect data to confront the clerical support worker and used it to try to force her out of her employment. When later faced with clear evidence that he had recorded the data incorrectly Jim Foy refused to amend or correct the error. Instead only after matters were investigated by the UK’s data regulator, The Information Commissioner’s Office, which found against DCST was the data reluctantly corrected.
The DPA 1998 states at 10(1) that a data controller is required to cease processing of personal data on the ground that processing of that data is likely to cause damage / distress and is unwarranted.
Principle 4 also states that data held on an individual should be both accurate and kept up to date.
The error caused by DCST is twofold then: the recording of incorrect data in the first instance and the failure to correct it in the second. It is assumed that Jim Foy is sufficiently aware of these regulations and how they impact on his responsibilities although the persistent failure to correct the error when notified suggests otherwise.
In a civil case at Doncaster Civil Justice Centre North this week the defence of DCST to the claim of breach of the relevant legislation was not accepted by the judge who saw through the (admittedly very weak) set of arguments defence barrister presented.
The wider issue in this matter is that if DCST is recording data on people wrongly then how can they hope to build a genuine picture of the potential threats to children in their area? The consistent failure of DCST to protect children in the Doncaster region is evidence of where these kinds of systemic failure lead.
There is a cost to the public purse of this. So far there have been five hearings in this claim settled this week at a figure of around £1,000.00 costs to DCST each time they have sent counsel and instructed solicitor. Conservative estimates therefore put the costs to the local taxpayer of defence of a matter which was doomed to fail in any event (including pre-trial preparation etc) at around £9,000.00. This is over the matter of a simple piece of data recorded wrongly from one telephone call.
Nor is this the worst part of this matter.
In a December 2019 hearing and – presumably desperate to gain some form of hold on the Claimant and tactical advantage in the case via obtaining information on him – Jim Foy overheard a conversation at court in the case which resulted in him making enquiries regarding the Claimant’s children which by any examination breach the Claimant’s Article 8 right to privacy. These enquiries were made not only to the databases that DCST would use as a matter of course but also to local police forces.
Jim Foy was running around gathering this data with questionable legality and no operational remit to do so at the same time Keigan O’Brien was being placed in peril by the actions of his parents.
All this of course could only happen in DCST where actual child protection concerns come second to maintaining underperforming staff in post and ensuring the continuation of the organisation.