Systemic Failures at ICO Exposed

The purpose of ICO – the Information Commissioner’s Office – is stated on their website to be to…

…uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

However, when ICO themselves are subject to a data access request, they are prepared to break the law regarding such.

Given that ICO is charged with upholding the law in relation to data access requests this evasiveness ensures that they have lost the moral authority to be able to enforce data access legislation when things go wrong.

More damning, though, is that a recent investigation revealed ICO’s means of investigating disclosure breaches is so weak and inept as to render it futile to raise issues before them.

Put simply, here’s what happened…

I made a data access request to Wakefield Council. The Council only provided four pages to begin with, then produced more but significantly failed to include the first 53 pages of data from the request, so ICO were informed after the Council had been given ample chance to correct matters.

The original matter put to ICO as a formal complaint was:

The final response is seen attached. Not only has the data requested not been provided but also the Council has directed me to the wrong agency to seek the answers / disclosure wanted. This is clear in the attached PDF. In fact the majority of the questions I am directed to seek answers to elsewhere comprise information from Wakefield Council that only they have access to. The response of the Council is therefore misdirection as well as a breach of the relevant Act in failing to provide the data requested on 12.4.21.

Therefore I refer this matter to you for assessment on if the Council has fulfilled its obligations in respect of provision of data. The attached Word file contains all correspondence from April 2021 onwards.

Wakefield Council is the preferred workplace of people too inept to survive in a commercial environment.

ICO responded after some months and their Case Officer Rachel Webster stated:

In my view I have fully considered the data protection issues you have raised and in light of the Council’s response I do not believe there are any outstanding data protection issues that we would want to pursue further with the Council at this time. As I have explained in correspondence to you our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction.

My reply to this was sent shortly after, on 30.3.22, and stated:

There are 54 pages outstanding that have not been produced from a data access request. This is something I have been clear about across this process and the disclosures remain outstanding.  

What proof have the Council shown to ICO that the relevant data has been produced? 

Further, ICO tried to shuffle off responsibility for adjudicating on the data access failure by the Council. Outrageously, Webster suggested:

I understand you are currently taking legal action against the Council and it may be that these issues are resolved as part of that process.

Now here’s where things get funky.

In my email of 30.3.22 I requested:

It is for ICO to resolve the issues put before it: the Council has failed to produce data as the result of many requests to do so and was in breach of the law in repeated failures to disclose. ICO’s responsibility is to chase such matters and ensure compliance outside of any other process.

And of course I stated:

What proof have the Council shown to ICO that the relevant data has been produced?  

And ICO’s response to this on 7.4.22 was:

We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned. In this case the Council believe they have fully complied with your request however it is clear from your correspondence that you disagree that this is the case and the information is outstanding. We have raised your concerns with the Council and we’re satisfied with the Council’s response and that at this time there is no further action for us to take in relation to your case.

That’s right. You read that correctly.

ICO does not seek out or require proof from organisations that they have complied with their responsibilities. Indeed, in a situation such as this, where a member of the public asserts that they have not, ICO will accept the organisation’s word that they have over and above any evidence that the public has provided.

ICO then attempted to fob me off with some data in response to a request I made. The data was not that which I requested.

I in fact requested all communication between Wakefield Council and ICO. My response to ICO was sent 9.4.22 and stated:

Further that the data supplied does not support comments made in your emails to me about information supplied by the Council to ICO.

ICO claim that the Council’s attempt at a get-out-of-gaol-free card in this matter was to state that they had a particular defence in law as to why the data had not been provided. The data produced by ICO between them and the Council did not contain this claim from the local authority. So where did it come from? A further data access request was made to ICO for proof that the Council had stated to ICO what ICO claimed the Council had stated.

Simple enough you would have thought. Especially in the light of ICO’s failure to produce the relevant data in copies of correspondence with the Council.

ICO failed to produce this data. I wrote back to state:

Given ICO’s stated position as regulator for data access / information rights issues this is simply not good enough. At a minimum I would expect fulfilment of the data access request made and chased 7.4.22. That such disclosure from ICO should show that ICO has interacted with the Council on the matter of IC-134978-B9K1 and that the Council has responded appropriately back to the matters raised in this complaint.  

ICO shot back with:

Thank you for your email below. I note your comments and can provide the following response. I can reassure you I have considered all the information provided by you and the Council in relation to this case.

This amounts to two failures to provide data requested. In the second instance ICO purposefully fail to address the renewed request for specific data from their office.

Given that the data I provided showed that the Council had clearly withheld disclosure for no legitimate reason it seems odd that ICO should prefer the Council’s response, especially in a situation in which they appear to have provided ICO with no supporting data.

It’s a relief to anyone who brings a data access complaint to ICO to learn that, as stated in their response to me of 30.3.22:

…our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction. Rather we consider data protection complaints that are brought to us partly in order to identify issues with an organisation’s information rights policies/procedures.

Which in practical terms means that ICO will ignore issues in complaints brought by the public which it finds irksome to deal with. This may mean that if enquiries with a misconducting organisation are going to be long and drawn-out, ICO will ignore complex aspects of the complaint made. Historically, even in matters where there is a significant breach of the law by an organisation, ICO also fails to act punitively and instead builds up a file of data on the organisation’s failings.

A case review was requested and completed 22.4.22 by Lead Case Officer Alison Fletcher.

Again this failed to address the issue of the data requested from Wakefield Council to ICO which supported the comments made by ICO, as had all the prior responses from Rachel Webster. A further response from Alison Fletcher also failed to address the issue of the data not being supplied.

Does ICO have a specific reason for withholding the data requested? Likely this is a matter of professional reputation: a full disclosure of the data I requested would show that ICO failed to investigate this matter to a reasonable standard and perhaps that the Council did not provide them with the data ICO claimed they did. This has to be the case since I provided sufficient evidence to show Wakefield Council had breached its responsibility in law to provide all the data I originally requested from them. The sign of a weak investigation is in the reply provided by ICO which stated:

We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned.

As I mentioned the practical effect of this is that if an organisation claims not to have breached the law then ICO simply accept what the organisation have said without evidence and contrary to any evidence provided by the public, however strong.

This is indicative of ICO being an organisation that is unfit for purpose. You might of course argue that they are functioning perfectly: that one part of the State has acted to deflect and cover the illegality of another.

However it is ICO’s careful avoidance of producing data requested showing what the Council stated to them which suggests most strongly that they are unable to properly police the wild west of data legislation.

To recap, in relation to the seriousness of the malfeasance from ICO: when data was produced showing correspondence from the Council to ICO, nothing supporting the comments claimed to have been made by the Council had been sent to ICO, who then went on to be unable to produce the information from the Council supporting what they say the Council had said.

When the body charged with taking others to task for failure to observe information rights law believes itself to be exempt from such laws – and is likely making up excuses for organisations’ failures – can there be any doubt that ICO cannot remain much longer in its present form?

Service standards from The Information Commissioner’s Office are frankly not very good!

In It Together? Is ICO Incapable of Holding Certain Bodies to Account?

Introduction

This blog entry gives a glimpse into how The Information Commissioner’s Office (ICO) operates. ICO is charged with supervision of information rights in the UK and acting to assist when things go wrong.

Much anecdotal evidence suggests ICO may act to shield certain favoured organisations.

On 5.7.21 I contacted The Information Commissioner’s Office with a complaint. This stated:

For a civil hearing on 9.6.21 a copy of any criminal record regarding me was requested. CPS supplied erroneous data to the Court. The error was a serious and significant one… This is not only offensive but also a matter to cause exceptional damage within the hearing. Such [the retention and supply of incorrect data] being an exceptionally serious offence.

In 2019 I had been made aware that this incorrect offence was recorded against me and had requested a correction. It appears CPS [The Crown Prosecution Service] did not correct the error, as they admitted only after the hearing.

The incorrect data was supplied to The High Court sitting at Leeds County Court for a hearing on 9.6.21. This caused embarrassment, distress and actual loss.

CPS were informed of the error prior to the hearing. They failed to correct the record prior to the hearing and failed to inform the Court prior to the hearing also.

CPS did not correct the error for the hearing as the transcript of the hearing also shows: the matter of them providing incorrect data to the Court became a significant issue within the proceedings and I was left unable to prove that this record of this offence was wrong. Since the record however came from an official source the Court will have been inclined to believe it.

Accordingly I looked to ICO on this matter to enforce my right to be protected from the incompetence clearly shown by CPS on this matter and the effects that this has had on me.

I sought from ICO first a detailed ruling in relation to this matter that CPS has breached the law. I sought also that CPS should be subject to a fine or other action from ICO in relation to the significance of the error made. Especially when they failed to correct a prior record showing the data to be in error and failed to act to correct the record when informed of the error prior to proceedings.

Finally I required assistance from ICO to correct the records of CPS.

CPS have previously stated in 2019 that the error has been corrected only for it to be repeated again in June 2021: this shows that they cannot be trusted to hold correct data or act properly in line with their legal obligations. Spoiler alert: neither can ICO!

One thing to their credit is that CPS admitted the error to ICO in a letter sent to me. However, the account details a series of errors that should not have been made had CPS been compliant with and following the law.

CPS Legal Services claimed to ICO that the record was corrected with the Court. What they failed to state was that the record was only corrected a substantial time after the hearing had concluded. A data request to the Court showed this and caught CPS out. It might be thought that ICO would look more severely on this matter for this. They failed to even properly consider all of the data put in front of them.

This blog entry therefore details how and why ICO are unwilling or unable to hold CPS to account even in a situation in which there has been a clear and catastrophic data mishandling.

What Went Wrong

CPS failed to correct data held on me in error in 2019. ICO were aware of this matter at the time. Art. 16 of GDPR relates to the right to rectification. Data was held on me in error by CPS showing a supposed offence had been committed when in fact it had not. The nature of this offence was exceptionally serious and so the onus was on CPS to create and maintain correct records even more strongly than normal due to the exceptional damage such incorrect data could create if released to a third party. CPS previously claimed to have corrected the record in January 2019 but it subsequently emerged that this was not done, breaching my relevant rights (Article 16) and CPS’ legal obligations in the process.

In a matter at The High Court sitting at Leeds in June 2021 however a copy of this incorrect data on me was produced. I contacted CPS prior to the hearing to inform that an urgent correction was required. They failed to make this correction prior to the hearing. This amounts to an exceptionally serious data error and is the cause of loss and embarrassment.

On 5.7.21 I wrote to ICO and made the following complaint regarding CPS:

I refer also to the email to CPS in respect of their illegal retention of incorrect data on me and their sharing of this to third parties in June 2021.

A series of questions are asked of CPS in the email from me below of 3.8.21. I also request additional data from them. I exercise my Article 16 GDPR rights also. CPS’s response to this of 11.8.21 is to ignore all these matters and refuse further correspondence. I consider this to be the criminal offence of attempting to conceal, destroy or hide data from disclosure.

The consequences of CPS getting an individual’s data wrong are serious, significant and occur more often than expected.

On 23.12.21, some five months after alerting ICO of this matter, they wrote back to me to request further information. The Case Officer for ICO was Ian Sangan.

By the end of January 2022 there had been no movement in the complaint made to ICO and so I chased the matter up. This produced a response one day later which stated:

We have considered the information available in this case, and we are of the view that CPS have presently complied with their obligations under data protection law. We will now outline the reasons why we believe this to be the case.

We can see that the last meaningful correspondence received from the CPS was July 2021. Our view is that the CPS addressed the issues surrounding the erroneous data still held on record, and advised this has been rectified and removed. The CPS have also advised that the relevant court appear to have been notified of the rectification, and were made aware of the lack of reliability of this data. The CPS have clarified to you that this was rectified prior to the hearing itself.

We can see that the organisation historically received a rectification request in 2018, and that some of the erroneous data remained on your record. Ultimately this is not something that the ICO can reasonably ignore. As such, we have today contacted the organisation and provided them with some best practice advice going forward.

In other words, for a matter of a major data error, with that data released to a third party, and data which the Data Controller claimed had been corrected in 2019, ICO chose to take no action bar some advice to CPS. It is difficult to imagine a more serious breach of GDPR and the obligation to retain correct data on a person than the failure to correct information pointed out to be in error in 2018 and yet retained until 2021, then supplied to a civil court in proceedings. This is what has happened here. That this matter is not treated with the seriousness it so clearly merits forms the initial issue in a complaint of poor service to ICO.

It is of course clear that the data provided by the Court showed that CPS only corrected the record with the Court AFTER the hearing had taken place, and this data was provided to CPS, which makes their comment that “The CPS have also advised that the relevant court appear to have been notified of the rectification, and were made aware of the lack of reliability of this data” even more puzzling.

I appealed the decision of ICO on that basis and also that:

The ICO findings admit that you are aware that data was not corrected in 2018 and CPS admit this also. ICO has not concluded that CPS breached GDPR in the retention and supply of data in error. This is the minimum that can be expected in this matter in respect of an adjudication from CPS’ professional regulator for data issues. The original issue is the creation and retention of incorrect data in 2017 – 2018 which ICO ruled on in 2018. The seriousness of the matter is increased by the failure to correct under Article 16 in 2018 following the ICO ruling then.

ICO in effect failed to assess if my Article 16 rights were breached by failure to correct the record acknowledged by CPS to be held in error in 2019.  

ICO’s response was to refer the matter to a reviewing officer. The response was:

In this case the CPS acknowledge their mistake in their letter of 02 July 2021 when they stated that they had retained a reference to a conviction… which was incorrect. In their letter of 02 August 2021 they stated: ‘This file has now been rectified and the information removed as soon as the error was noted’.

No interest in the significance of such an error or the consequences of it. The creation and retention of incorrect data is ignored by ICO as is the continued retention of it past 2019 despite CPS being aware of the error from that point. In effect ICO fail to reach the obvious conclusion suggested by the data supplied to them that CPS failed in their key duties and then attempted to cover the error up by lying that the record had been corrected with the suggestion this was done in time for the hearing.

It is my view that historically the CPS retained incorrect personal data about you which they went on to share with Leeds County Court and at that time it appears that this would have infringed data protection legislation. However when Ian Sangan assessed your case he was doing so based upon the knowledge that the CPS had rectified the inaccurate information in 2018. On this basis he reached his view in January 2022 that the CPS were complying with data protection legislation. With regards to the erroneous data that was held on your record prior to 2018; the actions of the CPS in sharing inaccurate information with Leeds County Court appear not to have been compliant with data protection law, at that time.

Clearly CPS failed to correct the data in 2018 / 2019! Apart from the judgment that inaccurate data was shared with the Court no action was taken by ICO. Truly a toothless watchdog!  

ICO’s John Turner wrote to me on 16.2.22 to state:

If you would like to complain about the service you have received from us I would remind you that you may be able to complain to the Parliamentary and Health Service Ombudsman via your MP.

He of course failed to mention that the matter could be put to the First Tier Tribunal who deal with matters related to information rights issues and complaints about ICO handling of matters. Possibly this was deliberate to avoid such clear evasions of responsibility by ICO being adjudicated against.  

Evidence of an inability or unwillingness on the part of ICO to properly hold organisations to account is growing.

On 12.8.22 I wrote to CPS again to state:

In your response of 11.8.21 you fail to take action in respect of the request at c) to show that the records have been corrected. This is a second breach of my Article 16 rights. I have strong grounds to believe that you continue to retain wrong data on me with the potential to cause significant damage if this is released to third parties.

I believe CPS continue to hold incorrect data and that ICO has failed to take action to assist.

Following all this, two data access requests were made of CPS on 16.2.22 and 2.3.22.

Neither of these requests has received a response or acknowledgment from CPS who are again in breach of the law. The time period given under law has now lapsed and the Data Controller has now broken the law by failure to respond. The matter was referred to ICO.

You will likely not be surprised to hear that the response came from ICO’s master of deflection John Turner who stated:

I can concur that there has been no communication between ICO and CPS since 28 January 2022. The only communications on the case since that date have been between the ICO and you.

Following your request for a case review this was conducted on 14 February 2022 and you were sent a copy. There was no purpose to involve the CPS in the review and they were not contacted. 

I re-iterate your case is now closed and the ICO will not be taking further action  

…in other words, the issue raised of two further breaches of information rights law by CPS has been cuffed off and ignored by ICO.

Conclusions

A significant series of breaches of the law have been committed by CPS and yet ICO’s investigation into these has been weak, evasive and failed to consider key evidence which shows that CPS sought to mislead ICO.

In response to a more recent data access request, CPS has again breached the law by failing to reply or disclose the data. Again in this matter the response of ICO is exceptionally weak and evasive. They are taking exceptional steps to avoid action to enforce the law.

ICO appears to have a “special relationship” with certain other organisations. For example it is exceptionally unlikely that they will hold the likes of NHS Digital to account for even very significant errors with patient records. It appears that they hold the same relationship with CPS and there must be some form of agreement for ICO not to take regulatory action equivalent to the errors these organisations commit. Instead ICO performs a series of twists and turns to avoid assessment of relevant data showing significant misconduct has taken place.

This has the effect of weakening trust in ICO’s ability to hold organisations which misconduct their data handling responsibilities to account and will eventually result in ICO being closed down as unfit for purpose. Unless of course the purpose is to assist state-run bodies in evading accountability.

Active Discrimination by Ministry of Justice?

I have been contacted by the carer of a disabled lady who has detailed a level of misconduct from the likes of The Information Commissioner’s Office (ICO), HMCTS, Judicial Conduct Investigations Office & others that makes for shocking reading.

The lady concerned has learning disabilities and for the purpose of this blog entry and to preserve her anonymity we’ll call her Liz. She required ICO to modify their communications with her in order to assist her disabilities. ICO failed to do this, which of course made communication with them very much more difficult, and so she launched a Judicial Review. This brought her into contact with the civil court system where arguably she suffered worse discrimination than originally from ICO.

The Equality Act 2010 and the United Nations Convention on disability rights are supposed to help to enforce, protect and promote the rights of disabled people to access public services and promote equality of access to such.

However as is so often the case in modern Britain the aim falls far short of the reality. As I’ve said Liz’s issues began when The Information Commissioner’s Office failed to communicate with her in a format she could read and understand; she has limited reading and comprehension skills.

Things frequently go from bad to worse when an organisation fails to make adaptations to assist the disabled. This is true of ICO but the same issues were experienced in Liz’s dealings with The Ministry of Justice.

I should add at this point that all of the organisations mentioned in this blog entry will also have guidelines in respect of how to treat everyone equally. They have all fallen far short of this leading to mistreatment and injustice.

An email to me from this lady’s carer shows that further injustice happens from HMCTS…

“When she has attempted to request accessibility from HMCTS, regarding Judicial Reviews against The Ombudsman’s refusing to send her written correspondence, refusal to contact her by phone and when she phones their services to request accessibility, complaints responses and S.A.R’s.”

When Liz called HMCTS she was apparently verbally abused by their staff over the phone. Liz has communication difficulties and it is easy for someone to misinterpret these in a phone call. There are recordings of such calls to Manchester Civil Justice Centre.

When Liz asks for responses to her complaints due to her communication difficulties staff fail to respond appropriately or make proper allowances for her disabilities. This is of course the nub of her original complaint to the Courts in the first place! She has also been supplied the personal data of another HMCTS service user, although this is not unusual given that organisation’s haphazard approach to data protection & privacy.

Most damning of all is the response of Customer Investigations at the MoJ’s head office.

This is the final port of call to get a complaint response outside of referring a complaint against HMCTS to civil action. There are also apparently call recordings retained where Richard Redgrave, the head of Customer Investigations, starts laughing and finds it funny that his original land line is inactive and has been inactive for the 18 months this lady has attempted to phone him on it. There have been similar inappropriate responses from The Parliamentary and Health Service Ombudsman.

The courts have failed to provide the lady with any adaptation and assistance with access to their services with the seeming result that her civil claim failed and there are presently costs against her. Any correspondence from the Court is problematic as this lady cannot read. Again a required adaptation has not been made. Rather more cruelly a Civil Restraint Order was made against her and this of course results in further disadvantage.

I have a list of several named Court staff who have apparently treated this lady appallingly on the account given by her carer.

The adaptations that are needed for her to be able to deal with the Court effectively and understand the process are not extensive but are clear and evident. The level of learning difficulties experienced means that the Court has a higher level of duty of care towards someone who has such restrictions in their everyday life. Indeed there is a simple moral duty here also.

I don’t know why the Courts have failed Liz so badly.

I suspect that it would be more time-consuming and awkward to make the adaptations she needs and that because of speech issues phone calls from her would be very difficult to understand. This requires time and patience. It is not beyond the ability of any organisation however! It is equally not beyond the ability of MoJ to ensure that all service users are treated equally and fairly.

What looks like deliberate cruelty from several members of HMCTS staff takes considerably more explaining though.

That they have not treated Liz kindly, made appropriate adaptations to accommodate her disabilities and even at times shown outright cruelty is an indication of how they would treat the rest of us if they thought they could get away with it.

The Biggest Sensitive Personal Data Loss in NHS History.

Currently the scandal around COVID-19 and the supply of contracts for PPE to friends of Conservative Party MPs and Tory party donors hangs over Britain like an unpleasant smell.

But there’s a similar NHS procurement scandal with a somewhat longer history. This shows that – if anything – lessons are never learned when it comes to NHS outsourcing. The fast and cheap route is often the chosen path and this leads to incalculable consequences for individual patients.

TPP – or The Phoenix Partnership as they are otherwise styled – are a company based in Horsforth, Leeds and provide computer systems and software for GP surgeries in the British NHS.

Their website claims that their systems assist in:

increasing efficiency, driving innovation and empowering patients.

…all of which is the usual marketing hot air.

The standard package sold to surgeries is an error-riddled piece of software called SystmOne. This is used by about a third of GP practices in England and holds the records of millions of patients.

The present incarnation of this software was introduced in 2012. The Information Commissioner’s Office, the public body concerned with protection of individuals’ data, has long had concerns about the quality of the software and its ability to protect the sensitive personal data of patients.

A series of coding errors on SystmOne caused – from 2017 onwards – an incredibly significant and serious data loss.

Pictured is TPP founder Frank Hester with former PM David Cameron. Hester has been a part of trade missions led by Cameron and former MP Kenneth Clarke. Hester himself was awarded an OBE – tellingly at about the same time his company was managing to lose the sensitive personal data of some 140,000 people. Following the revelation of the scandal he has not seen fit to hand this OBE back.

TPP’s parent company made £9.1m operating profit on £48.5m sales in 2015-16. This was concurrent with the data error discussed in this article and the company has more than £56.2m net assets making it easily worth £100m. That the company cannot summon the resources to then produce software which enables GP surgeries to keep patient data confidential is quite astonishing.

There have been concerns with the security of data from TPP software even before the knowledge of 140,000 patients’ records being shared became public.

Here’s an extract from an article from Digital Health, dated May 2017. This is around a year before TPP saw fit to inform NHS Digital of the poor quality of its product and the consequences of this. The full article can be seen at www.digitalhealth.net/2017/03/hester-hits-back-over-tpp-data-security-concerns

It states:

“…it comes as the BMA wades into the increasingly murky debate over who controls access to the GP records of millions of patients.”

“The doctors’ trade union is now calling on the thousands of GPs using TPP’s SystmOne electronic record to “urgently consider any action they need to take”, including switching off the system’s “enhanced data sharing function”.

“It has become clear that if patient records are being shared through TPP… GPs are unable to specify which other organisations can have access to their patients’ records.”

“Some media have reported [www.telegraph.co.uk/news/2017/03/17/security-breach-fears-26-million-nhs-patients/] that it allowed patient records to be viewed by “thousands of strangers” not involved in their care. TPP has disputed these claims, stating that patients’ records cannot be accessed without their permission, except in emergencies.”

Around 12 months later the errors caused by TPP failing to construct their software correctly led to some 140,000 persons having their personal medical data shared without their consent. This amounted to the biggest data loss in NHS history.

Not that it takes a coding error alone for SystmOne to share your data. If you do not explicitly opt out of having your data shared then the software will enable potentially thousands of third parties to be able to access your patient records.

Often this means that such data is shared with American organisations who pay the NHS for bulk healthcare data. In short then unless you explicitly tell your surgery not to share your data then SystmOne will automatically monetise your data to share with third parties for which the NHS will be paid. It takes an enquiry with NHS Digital to discover exactly who has had access to your data. No doubt your surgery and the NHS overall would rather you didn’t know about the monetisation of your sensitive personal data.

No wonder that in the 2017 article in Digital Health we can see Hester fighting tooth and nail to prevent any restrictions on TPP products being able to share patient data with third parties!


Now to focus back on the issue of the major data loss.

In respect of the 140,000 persons whose data was shared against their express wishes, the Parliamentary Under-Secretary of State for Health issued a written statement to the House of Commons on 2 July 2018 in which she said:

“NHS Digital recently identified a supplier defect in the processing of historical patient objections to the sharing of their confidential health data. An error occurred when 150,000 Type 2 objections set between March 2015 and June 2018 in GP practices running TPP’s system were not sent to NHS Digital. As a result, these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients.”

“Since being informed of the error by TPP, NHS Digital acted swiftly and it has now been rectified. NHS Digital made the Department of Health and Social Care aware of the error on 28 June. NHS Digital manages the contract for GP Systems of Choice on behalf of the Department of Health and Social Care.”

She went on to say…

“TPP has apologised unreservedly for its role in this matter and has committed to work with NHS Digital so that errors of this nature do not occur again. This will ensure that patients’ wishes on how their data is used are always respected and acted upon.”

“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld.”

“There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner’s Office and the National Data Guardian for Health and Care aware.”

The full text of the statement can be found at:

www.parliament.uk/business/publications/written-questions-answers-statements/written-statement/Commons/2018-07-02/HCWS813

On discovery of this – the largest data loss in NHS history – The Information Commissioner’s Office immediately sprang into action. And, as expected, did nothing. This is par for the course for ICO.

At present it is not known what the commercial relationship between TPP and NHS Digital may comprise. Therefore it cannot be said if one has indemnified the other from the consequences of data losses. This may be why ICO fails to act.

Look at the extracts below from a letter sent from ICO to NHS Digital. As far as I’m aware this is the first publication of this document in any media:

All of this tale of failure is par for the course in modern Britain.

Shoddy companies such as TPP gain contracts for services to the public sector but produce shoddy work. When errors happen it’s a “learning experience” for all concerned rather than one in which heads roll. Supervisory organisations such as ICO fail to act as appropriate. And the gravy train keeps on running!

A Christmas Card from Humberside Police!

I’ve written on here many times before about how Humberside Police are particularly useless, even in a hotly contested field of local forces.

However even I fell off my chair at the sheer incompetence of the subject access response provided by their Information Compliance department this week.

The response to a subject access request provided by the force amounts to nonfeasance, as the response:

1. Fails to provide the data requested.

2. Is issued outside the legal time limit for a response to be provided.

3. Repeats back the same information put in the original request.

Here’s the letter in full. I have redacted the header.

The key sentences are in the fourth and fifth paragraphs seen above. These are reproduced from the original request. Data cannot be obtained from the Police National Computer – however data that has been entered into the PNC by a local force can be obtained from the same regional police force. Hence the request to Humberside Police.

The substantive reply is seen below:

Here we focus on the second paragraph. It essentially repeats the data I put to police in the first instance.

Consequently the force has failed to react correctly to the subject access request in every conceivable aspect.

This suggests that the intention is to continue to frustrate any further request for the data, using the rights referred to in italics in the letter as the stock response to any further requests that might be made.

The Information Commissioner’s Office has been informed.


The Information Commissioner’s Office: Mark Your Own Homework

The rights of the public in the UK to access data held by state-run organisations are enforced by The Information Commissioner’s Office. I say enforced but effectively, unless there’s a very significant series of large-scale errors or deliberate mischief, ICO chooses to look the other way.

They’ll more often choose to look the other way in the event that the miscreant organisation is a public body: a large-scale data breach by the NHS in 2017 / 2018 attracted only a note from ICO to NHS Digital gently chiding their error.

Some of the means of looking the other way include ICO issuing a “finding” that the organisation you’ve requested data from has failed to comply with the law, or a “recommendation” that the misconducting organisation complies with the law. Neither of these two results has sufficient force to compel a turnaround from the data controller if they’re determined to dig in their heels. None of these weak regulatory methods actually produces the data you’ve requested: if the organisation is sufficiently obstreperous you’ll need to enforce your right of access to the data via civil legal action.

Yes, folks. You’ve guessed it! Another supposed “watchdog” that turns out to be toothless, doddering and tame.

At the beginning of the pandemic hitting the UK in March 2020 ICO issued guidance to organisations over handling data access requests which effectively boiled down to “don’t misuse the fact that there’s a national emergency to get around your statutory obligations”.

Eight months on and the initial finger-wagging approach has been replaced with a new edict from ICO: mark your own homework.

Organisations that infringe the law on data access issues are now routinely in receipt of this standard form letter the first page of which appears below:

Easier than enforcing the law: ICO states the bleeding obvious to data controllers breaching the law.

The “seriously and robustly” in the above extract doesn’t apply to any actions ICO have taken in my experience of the organisation. Even in the face of large scale data breaches for which ample evidence of a data subject’s Section 173 rights being infringed exists, ICO still takes the lethargic approaches mentioned above.

Briefly, your and my Section 173 rights are these:

Extract from CPS website.

The letter sent out by ICO continues:

…all of which explains the obligations on an organisation that they are already / should already be aware of.

One wonders what the point is of informing an organisation that’s already purposefully screwed up something such as a subject access request what their obligations are. If the body is determined to withhold data for the purpose of – for example – preventing revelation of their own misconduct then a weakly worded letter from ICO will not make them correct their ways.

Misconducting organisations must be quaking in their boots regarding the powers and sanctions bit in the second to last paragraph, knowing ICO is notoriously weak on enforcement.

Thus the Merry-Go-Round of the UK’s weak regulatory and enforcement structure rumbles on.

The ICO: Keeping Your Personal Data Safe?

Brief post for today. Well a brief post by the standards of this blog!

In yesterday’s blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject’s rights and potentially quite dangerous to the data subject, as MoJ shared the subject’s name, address, date of birth and financial details.

The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.


Elizabeth Denham, UK Information Commissioner

The Information Commissioner’s Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.

So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other people’s data.

Can’t we?


In a delicious piece of timing, just after I’d written yesterday’s blog post about The Ministry of Justice emailing data to the wrong person, ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!

I have of course deleted the email address of the intended recipient of this letter.

It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!

The ICO letter states:

I am aware that the council inadvertently provided you with the requested information.

Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.

One might hope the ICO takes appropriate action against itself for this data breach.

In all honesty I wouldn’t hold my breath.

ICO’s present logo. Strange use of lower case letters and an inappropriate full stop.

Like many of the UK’s regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman, the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.

Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exist enough “trapdoors” in the relevant legislation that an (often misapplied) exemption will be used to avoid supply of the data.

The methods organisations use to evade production of data include the mishandling of applications, such as treating a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large parts of any data disclosed can be redacted (meaning blanked out).

In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.

Let’s look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this, ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICO’s expenses. The majority of the fines issued in successful judgments are not paid.

One example of this willingness to turn a blind eye on the part of ICO: a significant 2017 data breach by the NHS involving some 50,000 patients’ medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.

Anatomy of Child Protection Failures in Doncaster.

In Doncaster in early January 2020 a child died. His name was Keigan O’Brien.

Doncaster overall has an appalling reputation as a place in which children can grow up safely and free from fear of harm. Several incidents in recent years have put the city’s child protection measures into the national spotlight. At one point the relevant responsibilities would have rested with the local authority.

Doncaster Council offices, Waterdale

However Doncaster Children’s Services Trust (DCST) is an offshoot organisation set up by Doncaster Council. This follows a series of disastrous child protection failures from Doncaster Council (itself a noticeably underperforming local authority), and the establishment of DCST was clearly to place some element of distance between the Council and child protection services in the city. A useful tactic for the senior organisation to avoid blame and bad publicity. But the service provided by DCST is still of the same appallingly poor standard as when matters were under the Council’s jurisdiction.

Tellingly the most recent OFSTED reports that DCST show on their own site end in 2018.

The head of DCST is Jim Foy, the improbably titled LADO or Local Authority Designated Officer. The title is of course a hangover from the days when the service was an in-house Council run operation. 

On the occasions this correspondent has encountered him Jim Foy seems a man hopelessly disengaged from the job he has to do, and the overall impression is of a man who is the cause of chaos in his employment which others then run around correcting. This is bad enough in any post but in one with the responsibilities of LADO the consequences of failure are catastrophic to service users, their families and the local community.

And so it proved when Jim Foy – in the course of his duties – recorded data on a person who had engaged in a new relationship with a clerical support worker in a Doncaster area school. Not only did he record the data wrongly but he also recorded a matter which was not an offence in British criminal law. He failed to spot either of these errors. He then used this incorrect data to confront the clerical support worker and used it to try to force her out of her employment.
When later faced with clear evidence that he had recorded the data incorrectly Jim Foy refused to amend or correct the error. Instead only after matters were investigated by the UK’s data regulator, The Information Commissioner’s Office, which found against DCST was the data reluctantly corrected.

The DPA 1998 states at section 10(1) that a data controller is required to cease processing of personal data on the ground that processing of that data is likely to cause damage or distress and is unwarranted.

Principle 4 also states that data held on an individual should be both accurate and kept up to date.

The error caused by DCST is twofold then: the recording of incorrect data in the first instance and the failure to correct it in the second. It is assumed that Jim Foy is sufficiently aware of these regulations and how they impact on his responsibilities although the persistent failure to correct the error when notified suggests otherwise.

In a civil case at Doncaster Civil Justice Centre North this week the defence of DCST to the claim of breach of the relevant legislation was not accepted by the judge, who saw through the (admittedly very weak) set of arguments the defence barrister presented.


The wider issue in this matter is that if DCST is recording data on people wrongly then how can they hope to build a genuine picture of the potential threats to children in their area? The consistent failure of DCST to protect children in the Doncaster region is evidence of where these kinds of systemic failure lead.


There is a cost to the public purse of this. So far there have been five hearings in this claim, settled this week, at a figure of around £1,000.00 costs to DCST each time they have sent counsel and instructed solicitor. Conservative estimates therefore put the costs to the local taxpayer of defence of a matter which was doomed to fail in any event (including pre-trial preparation etc) at around £9,000.00. This is over the matter of a simple piece of data recorded wrongly from one telephone call.


Nor is this the worst part of this matter.

In a December 2019 hearing – presumably desperate to gain some form of hold on the Claimant and a tactical advantage in the case via obtaining information on him – Jim Foy overheard a conversation at court in the case which resulted in him making enquiries regarding the Claimant’s children which by any examination breached the Claimant’s Article 8 right to privacy. These enquiries were made not only to the databases that DCST would use as a matter of course but also to local police forces.

Jim Foy was running around gathering this data with questionable legality and no operational remit to do so at the same time Keigan O’Brien was being placed in peril by the actions of his parents.

Also at the same time Jim Foy was giving training sessions (https://buy.doncaster.gov.uk/Event/102055) on safeguarding children in the local area.

All this of course could only happen in DCST where actual child protection concerns come second to maintaining underperforming staff in post and ensuring the continuation of the organisation.
