Hard to think of two more poorly run institution than HMCTS and itโs parent organisation The Ministry of Justice.
This is a very simple post detailing a simple but significant error. So no lengthy explanation as to whatโs happened on this occasion!
HMCTS shared my personal financial details with a third party.
Thatโs it. Thatโs basically all that can be said in the post.
But wait!
Stop and think for a few moments and we can see this is matter is actually considerably more significant and serious than it first looks.
The letter from The Information Commissionerโs Office (ICO) finding against HMCTS can be seen below.
But the operative paragraph from it is simple and plain:
The nub of the issue.
Why should this matter?
Personal data in the care of such as HMCTS and MoJ has the potential to cause significant damage if released inappropriately. Release to a third party with no requirement for or rights to such data can and does cause significant issues.
The simple fact is that the incompetence of County Court staff knows no bounds.
Indeed the vindictiveness of their management towards anyone who has received appalling service from HMCTS also knows no bounds. In this matter an out-of-court settlement was agreed upon to be paid fourteen days from the agreement. Some three months after this agreement I was still awaiting payout.
HMCTS and MoJ are simply two organisations which have ceased to function in any meaningful way and the amount of time spent on damage limitation, denying errors have occurred and attempting to maintain an image of professionalism would be better spent actually running courts efficiently in the first instance.
Brief post for today. Well a brief post by the standards of this blog!
In yesterdayโs blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subjectโs rights and potentially quite dangerous to the data subject as MoJ shared the subjectโs name, address, date of birth and financial details.
The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.
Elizabeth Denham, UK Information Commissioner
The Information Commissionerโs Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.
So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other peopleโs data.
Canโt we?
In a delicious piece of timing just after Iโd written yesterdayโs blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!
I have of course deleted the email address of the intended recipient of this letter.
It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!
The ICO letter states:
I am aware that the council inadvertently provided you with the requested information.
Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.
One might hope the ICO takes appropriate action against itself for this data breach.
In all honesty I wouldnโt hold my breath.
ICOโs present logo. Strange use of lower case letters and an inappropriate full stop.
Like many of the UKโs regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.
Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exists enough โtrapdoorsโ in the relevant legislation that a (often misapplied) exemption will be used to avoid supply of the data.
The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).
In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.
Letโs look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICOโs expenses. The majority of the fines issued in successful judgments are not paid.
One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.
Severe concerns exist regarding the safety of those being compelled to attend HMCTS civil courts
The official line from HMCTS is clear. That courts in the UK are COVID-19 secure.
The facts tell a different story altogether.
Outbreaks at half a dozen courts in the North East and North West circuits such as Leeds and Liverpool in the last few weeks show that HMCTSโ position is at best ill-informed and hopelessly optimistic. There have been further instances of the virus spreading at other courts across the UK. The PCS union has expressed severe concerns to its members regarding the safety of their workplaces, as has The Bar Council.
PCS members are encouraged to walk out of an unsafe working environment. Given the level of workplace bullying known to go on at civil courts such as York County Court itโs highly unlikely any member of court staff would do this.
Civil court users are not so lucky.
I have a hearing in case at Doncaster next week. The Defendant in the claim has already expressed surprise that the hearing is still set to go ahead despite a second national lockdown.
I have also expressed my own surprise to court staff who simply directed me to a webpage with the usual platitudes and informed that the hearing was still set for next week. The attitude towards safety concerns raised was dismissive and lethargic. This is simply not good enough in a pandemic.
None of the valid concerns I have expressed in communication with the court have received a response.
The simple fact is that a public building cannot be made COVID-19 secure any more than HMCTS can claim to have ensured a building is totally free of dust, oxygen or carbon atoms. Thus everyone attending a hearing at any court will be exposed to a potential risk of a severe illness, as will any of their family members when the attendee returns home.
If HMCTS were an organisation which is able to get the basics of running the civil system right then there would be more confidence in the claim that courts are COVID-19 secure. But the hopelessly inept, slapdash approach that characterises HMCTS pre-pandemic does not inspire confidence.
When people are being compelled to attend civil hearings in circumstances where there have been severe outbreaks in court buildings and staff appear dismissive of safety concerns one has to consider what the priorities of HMCTS are. Public health isnโt one of them.
Legal Babble 