The Information Commissioner

April 26, 2022April 26, 2022

Systemic Failures at ICO Exposed

The purpose of ICO – the Information Commissioner’s Office – is to stated on their website to be to…

…uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

However when ICO themselves are subject to a data access request they are prepared to break the law regarding such.

Given that ICO is charged with upholding the law in relation to data access requests this evasiveness ensures that they have lost the moral authority to be able to enforce data access legislation when things go wrong.

More damming though is that a recent investigation revealed ICO’s means of investigating disclosure breaches is so weak and inept as to render it futile to raise issues before them.

Put simply here’s what happened…

I made a data access request to Wakefield Council. The Council only provided four pages to begin with, then produced more but significantly failed to include the first 53 pages of data from the request, so ICO were informed after the Council had been given ample chance to correct matters.

The original matter put to ICO as a formal complaint was:

The final response is seen attached. Not only has the data requested not been provided but also the Council has directed me to the wrong agency to seek the answers / disclosure wanted. This is clear in the attached PDF. In fact the majority of the questions I am directed to seek answers to elsewhere comprise of information from Wakefield Council that only they have access to. The response of the Council is therefore misdirection as well as a breach of the relevant Act in failing to provide the data requested on 12.4.21.

Therefore I refer this matter to you for assessment on if the Council has fulfilled its obligations in respect of provision of data. The attached Word file contains all correspondence from April 2021 onwards.

Wakefield Council is the preferred workplace of people too inept to survive in a commercial environment.

ICO responded after some months and their Case Officer Rachel Webster stated:

In my view I have fully considered the data protection issues you have raised and in light of the Council’s response I do not believe there are any outstanding data protection issues that we would want to pursue further with the Council at this time. As I have explained in correspondence to you our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction.

My reply to this was sent shortly after, on 30.3.22 and stated:

There are 54 pages outstanding that have not been produced from a data access request. This is something I have been clear about across this process and the disclosures remain outstanding.

What proof have the Council shown to ICO that the relevant data has been produced?

Further that ICO tried to shuffle off responsibility for adjudicating on the data access failure by the Council. Outrageously Webster suggested:

I understanding you are currently taking legal action against the Council and it may be that these issues are resolved as part of that process.

Now here’s where things get funky.

In my email of 30.3.22 I requested:

It is for ICO to resolve the issues put before it: the Council has failed to produce data as the result of many requests to do so and was in breach of the law in repeated failures to disclose. ICO’s responsibility is to chase such matters and ensure compliance outside of any other process.

And of course I stated:

What proof have the Council shown to ICO that the relevant data has been produced?

And ICO’s response to this on 7.4.22 was:

We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned. In this case the Council believe they have fully complied with your request however it is clear from your correspondence that you disagree that this is the case and the information is outstanding. We have raised your concerns with the Council and we’re satisfied with the Council’s response and that at this time there is no further action for us to take in relation to your case.

That’s right. You read that correctly.

ICO does not seek out or require proof from organisations that they have complied with their responsibilities. Indeed in a situation such as this where a member of the public asserts that they have not then ICO will accept the comments of the organisation that they have over and above any evidence that the public has provided.

ICO then attempted to fob me off with some data in response to a request I made. The data was not that which I requested.

I in fact requested all communication between Wakefield Council and ICO. My response to ICO was sent 9.4.22 and stated:

Further that the data supplied does not support comments made in your emails to me about information supplied by the Council to ICO.

ICO claim that the Council’s attempt at a get-out-of-gaol-free card in this matter was to state that they had a particular defence in law as to why the data had not been provided. The data produced by ICO between them and the Council did not contain this claim from the local authority. So where did it come from? A further data access request was made to ICO for proof that the Council had stated to ICO what ICO claimed the Council had stated.

Simple enough you would have thought. Especially in the light of ICO’s failure to produce the relevant data in copies of correspondence with the Council.

ICO failed to produce this data. I wrote back to state:

Given ICO’s stated position as regulator for data access / information rights issues this is simply not good enough. At a minimum I would expect fulfilment of the data access request made and chased 7.4.22. That such disclosure from ICO should show that ICO has interacted with the Council on the matter of IC-134978-B9K1 and that the Council has responded appropriately back to the matters raised in this complaint.

ICO shot back with:

Thank you for your email below. I note your comments and can provide the following response. I can reassure you I have considered all the information provided by you and the Council in relation to this case.

This amounts to two failures to provide data requested. In the second instance ICO purposefully fail to address the renewed request for specific data from their office.

Given that the data I provided showed that the Council had clearly withheld disclosure for no legitimate reason it seems odd that ICO should prefer the Council’s response, especially in a situation in which they appear to have provided ICO with no supporting data.

It’s a relief to anyone who brings a data access complaint to ICO to learn that, as stated in theur response to me of 30.3.22:

…our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction. Rather we consider data protection complaints that are brought to us partly in order to identify issues with an organisations information rights policies/procedures.

Which in practical terms means that ICO will ignore issues in complaints brought by the public which it finds irksome to deal with. This may mean that if enquiries with a misconducting organisation are going to be long and drawn-out that ICO will ignore complex aspects of the complaint made. Historically even in matters where there is a significant breach of the law by an organisation ICO also fails to act punitively and instead builds up a file of data on the organisation’s failings.

A case review was requested and completed 22.4.22 by Lead Case Officer Alison Fletcher.

Again this failed to address the issue of the data requested from Wakefield Council to ICO which supported the comments made by ICO, as had all the prior responses from Rachel Webster. A further response from Alison Fletcher also failed to address the issue of the data not being supplied

Does ICO have a specific reason for withholding the data requested? Likely this is a matter of professional reputation. That a full disclosure of the data I requested would show that ICO failed to investigate this matter to a reasonable standard and perhaps that the Council did not provide them with the data ICO claimed they did. This has to be the case since I provided sufficient evidence to show Wakefield Council had breached its responsibility in law to provide all the data I originally requested from them. The sign of a weak investigation is in the reply provided by ICO which stated:

We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned

As I mentioned the practical effect of this is that if an organisation claims not to have breached the law then ICO simply accept what the organisation have said without evidence and contrary to any evidence provided by the public, however strong.

This is indicative of ICO being an organisation that is unfit for purpose. You might of course argue that they are functioning perfectly: that one part of the State has acted to deflect and cover the illegality of another.

However it is ICO’s careful avoidance of producing data requested showing what the Council stated to them which suggests most strongly that they are unable to properly police the wild west of data legislation.

Just to recap in relation to the seriousness of the malfeasance from ICO. When data was produced showing correspondence from the Council to ICO nothing supporting the comments claimed to have been made by the Council had been sent to ICO, who then went on to be unable to produce the info from the Council supporting what they say the Council had said.

When the body charged with taking others to task for failure to observe information rights law believes itself to be exempt from such laws – and likely making up excuses for organisation’s failures – can there be any doubt that ICO cannot remain much longer in its present form?

Service standards from The Information Commissioner’s Office are frankly not very good!

October 30, 2021October 31, 2021

Active Discrimination by Ministry of Justice?

I have been contacted by the carer of a disabled lady who has detailed a level of misconduct from such as The Information Commissioner’s Office (ICO), HMCTS, Judicial Conduct Investigations Office & others that makes for shocking reading.

The lady concerned has learning disabilities and for the purpose of this blog entry and to preserve her anonymity we’ll call her Liz. She required ICO to modify their communications with her in order to assist her disabilities. ICO failed to do this, which if course made communication with them very much more difficult, and so she launched a Judicial Review. This brought her into contact with the civil court system where arguably she suffered worse discrimination than originally from ICO.

The Equality Act 2010 and the United Nations Convention on disability rights are supposed to help to enforce, protect and promote the rights of disabled people to access public services and promote equality of access to such.

However as is so often the case in modern Britain the aim falls far short of the reality. As I’ve said Liz’s issues began when The Information Commissioner’s Office failed to communicate with her in a format she could read and understand; she has limited reading and comprehension skills.

Things frequently go from bad to worse when an organisation fails to make adaptations to assist the disabled. This is true of ICO but the same issues were experienced in Liz’s dealings with The Ministry of Justice.

I should add at this point that all of the organisations mentioned in this blog entry will also have guidelines in respect of how to treat everyone equally. They have all fallen far short of this leading to mistreatment and injustice.

An email to me from this lady’s carer shows that further injustice happens from HMCTS…

“When she has attempted to request accessibility from HMCTS, regarding Judicial Reviews against The Ombudsman’s refusing to send her written correspondence, refusal to contact her by phone and when she phones their services to request accessibility, complaints responses and S.A.R’s.”

When Liz called HMCTS she was apparently verbally abused by their staff over the phone. Liz has communication difficulties and it is easy for someone to misinterpret these in a phone call. There are recordings of such calls to Manchester Civil Justice Centre.

When Liz asks for responses to her complaints due to her communication difficulties staff fail to respond appropriately or make proper allowances for her disabilities. This is of course the nub of her original complaint to the Courts in the first place! She has also been supplied the personal data of another HMCTS service user, although this is not unusual given that organisation’s haphazard approach to data protection & privacy.

Most damming of all is the response of Customer Investigations at the MoJ’s head office.

This is the final port of call to get a complaint response outside of referring a complaint against HMCTS to civil action. There are also apparently call recordings retained where Richard Redgrave, the head of Customer Investigations starts laughing and finds it funny that his original land line is inactive and been inactive for the 18 months this lady has attempted to phone him on it. There has been a similar inappropriate responses from The Parliamentary and Health Service Ombudsman.

The courts have failed to provide the lady with any adaptation and assistance with access to their services with the seeming result that her civil claim failed and there are presently costs against her. Any correspondence from the Court is problematic as this lady cannot read. Again a required adaptation has not been made. Rather more cruelly a Civil Restraint Order was made against her and this of course results in further disadvantage.

I have a list of several named Court staff who have apparently treated this lady appallingly on the account given by her carer.

The adaptations that are needed for her to be able to deal with the Court effectively and understand the process are not extensive but are clear and evident. The level of learning difficulties experienced means that the Court has a higher level of duty of care towards someone who has such restrictions in their everyday life. Indeed there is a simple moral duty here also.

I don’t know why the Courts have failed Liz so badly.

I suspect that it would be more time-consuming and awkward to make the adaptations she needs and that because of speech issues phone calls from her would be very difficult to understand. This requires time and patience. It is not beyond the ability of any organisation however! It is equally not beyond the ability of MoJ to ensure that all service users are treated equally and fairly.

What looks like deliberate cruelty from several members of HMCTS staff takes considerably more explaining though.

That they have not treated Liz kindly, made appropriate adaptations to accommodate her disabilities and even at times shown outright cruelty is an indication of how they would treat the rest of us if they thought they could get away with it.

August 27, 2021August 27, 2021

HMCTS Under Fire From The Information Commissioner’s Office. Again!

Hard to think of two more poorly run institution than HMCTS and it’s parent
organisation The Ministry of Justice.

This is a very simple post detailing a simple but significant error. So no lengthy explanation as to what’s happened on this occasion!

HMCTS shared my personal financial details with a third party.

That’s it. That’s basically all that can be said in the post.

But wait!

Stop and think for a few moments and we can see this is matter is actually considerably more significant and serious than it first looks.

The letter from The Information Commissioner’s Office (ICO) finding against HMCTS can be seen below.

But the operative paragraph from it is simple and plain:

Why should this matter?

Personal data in the care of such as HMCTS and MoJ has the potential to cause significant damage if released inappropriately. Release to a third party with no requirement for or rights to such data can and does cause significant issues.

The simple fact is that the incompetence of County Court staff knows no bounds.

Indeed the vindictiveness of their management towards anyone who has received appalling service from HMCTS also knows no bounds. In this matter an out-of-court settlement was agreed upon to be paid fourteen days from the agreement. Some three months after this agreement I was still awaiting payout.

HMCTS and MoJ are simply two organisations which have ceased to function in any meaningful way and the amount of time spent on damage limitation, denying errors have occurred and attempting to maintain an image of professionalism would be better spent actually running courts efficiently in the first instance.

November 13, 2020November 13, 2020

The ICO: Keeping Your Personal Data Safe?

Brief post for today. Well a brief post by the standards of this blog!

In yesterday’s blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject’s rights and potentially quite dangerous to the data subject as MoJ shared the subject’s name, address, date of birth and financial details.

The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.

Elizabeth Denham, UK Information Commissioner

The Information Commissioner’s Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.

So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other people’s data.

Can’t we?

In a delicious piece of timing just after I’d written yesterday’s blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!

I have of course deleted the email address of the intended recipient of this letter.

It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!

The ICO letter states:

I am aware that the council inadvertently provided you with the requested information.

Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.

One might hope the ICO takes appropriate action against itself for this data breach.

In all honesty I wouldn’t hold my breath.

ICO’s present logo. Strange use of lower case letters and an inappropriate full stop.

Like many of the UK’s regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.

Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exists enough “trapdoors” in the relevant legislation that a (often misapplied) exemption will be used to avoid supply of the data.

The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).

In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.

Let’s look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICO’s expenses. The majority of the fines issued in successful judgments are not paid.

One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.