data loss – Legal Babble

April 11, 2022April 11, 2022

In It Together? Is ICO Incapable of Holding Certain Bodies to Account?

Introduction

This blog entry gives a glimpse into how The Information Commissioner’s Office (ICO) operates. ICO is charged with supervision of information rights in the UK and acting to assist when things go wrong.

Much anecdotal evidence suggests ICO may act to shield certain favoured organisations.

On 5.7.21 I contacted The Information Commissioner’s Office with a complaint. This stated:

For a civil hearing on 9.6.21 a copy of any criminal record regarding me was requested. CPS supplied erroneous data to the Court. The error was a serious and significant one… This is not only offensive but also a matter to cause exceptional damage within the hearing. Such [the retention and supply of incorrect data] being an exceptionally serious offence.

In 2019 I had been made aware that this incorrect offence was recorded against me and had requested a correction. It appears CPS [The Crown Prosecution Service] did not correct the error, as they admitted only after the hearing.

The incorrect data was supplied to The High Court sitting at Leeds County Court for a hearing on 9.6.21. This caused embarrassment, distress and actual loss.

CPS were informed of the error prior to the hearing. They failed to correct the record prior to the hearing and failed to inform the Court prior to the hearing also.

CPS did not correct the error for the hearing as the transcript of the hearing also shows: the matter of them providing incorrect data to the Court became a significant issue within the proceedings and I was left unable to prove that this record of this offence was wrong. Since the record however came from an official source the Court will have been inclined to believe it.

Accordingly I looked to ICO on this matter to enforce my right to be protected from the incompetence clearly shown by CPS on this matter and the effects that this has had on me.

I sought from ICO first a detailed ruling in relation to this matter that CPS has breached the law. I sought also that CPS should be subject of a fine or other action from ICO in relation to the significance of the error made. Especially when they failed to correct a prior record showing the data to be in error and failed to act to correct the record when informed of the error prior to proceedings.

Finally I required assistance from ICO to correct the records of CPS.
CPS have previously stated in 2019 that the error has been corrected only for it to be repeated again in June 2021: this shows that they cannot be trusted to hold correct data or act properly in line with their legal obligations. Spoiler alert: neither can ICO!

One thing in their credit it that CPS admitted to ICO the error in a letter sent to me. However account details a series of errors that should not have been made had CPS been compliant with and following the law.

CPS Legal Services claimed to ICO that the record was corrected with the Court. What they failed to state was that the record was only corrected a substantial time after the hearing had concluded. A data request to the Court showed this and caught CPS out. It might be thought that ICO would look more severely on this matter for this. They failed to even properly consider all of the data put in front of them.

This blog entry therefore details how and why ICO are unwilling or unable to hold CPS to account even in a situation in which there has been a clear and catastrophic data mishandling.

What Went Wrong

CPS failed to correct data held on me in error in 2019. ICO were aware of this matter at the time. Art. 16 of GDPR relates to the right to rectification. Data was held on me in error by CPS showing a supposed offence had been committed when in fact it had not. The nature of this offence was exceptionally serious and so the onus was on CPS to create and maintain correct records even more strongly than normal due to the exceptional damage such incorrect data could create if released to a third party. CPS previously claimed to have corrected the record in January 2019 but it subsequently emerged that this was not done, breaching my relevant rights (Article 16) and CPS’ legal obligations in the process.

In a matter at The High Court sitting at Leeds in June 2021 however a copy of this incorrect data on me was produced. I contacted CPS prior to the hearing to inform that an urgent correction was required. They failed to make this correction prior to the hearing. This amounts to an exceptionally serious data error and is the cause of loss and embarrassment.

On 5.7.21 I wrote to ICO and made the following complaint regarding CPS:

I refer also to the email to CPS in respect of their illegal retention of incorrect data on me and their sharing of this to third parties in June 2021.

A series of questions are asked of CPS in the email from me below of 3.8.21. I also request additional data from them. I exercise my Article 16 GDPR rights also. CPS’s response to this of 11.8.21 is to ignore all these matters and refuse further correspondence. I consider this to be the criminal office of attempting to conceal, destroy or hide data from disclosure.

The consequences of CPS getting an individual’s data wrong are serious, significant and occur more often than expected.

On 23.12.21, some five months after alerting ICO of this matter they wrote back to me to request further information. The Case Officer for ICO was Ian Sangan.

By the end of January 2022 there had been no movement in the complaint made to ICO and so I chased the matter up. This produced a response one day later which stated:

We have considered the information available in this case, and we are of the view that CPS have presently complied with their obligations under data protection law. We will now outline the reasons why we believe this to be the case.

We can see that the last meaningful correspondence received from the CPS was July 2021. Our view is that the CPS addressed the issues surrounding the erroneous data still held on record, and advised this has been rectified and removed. The CPS have also advised that the relevant court appear to have been notified of the rectification, and were made aware of the lack of reliability of this data. The CPS have clarified to you that this was rectified prior to the hearing itself.

We can see that the organisation historically received a rectification request in 2018, and that some of the erroneous data remained on your record. Ultimately this is not something that the ICO can reasonably ignore. As such, we have today contacted the organisation and provided them with some best practice advice going forward.

In other words for a matter of a major data error with that data released to a third party, and data which the Data Controller claimed had been corrected in 2019 ICO chose to take no action bar some advice to CPS. It is difficult to imagine a more serious breach of GDPR and the obligation to retain correct data on a person than the failure to correct information pointed out to be in error in 2018 and yet retained until 2021, then supplied to a civil court in proceedings. This is what has happened here. That this matter is not treated with the seriousness it so clearly merits forms the initial issue in a complaint of poor service to ICO.

It is of course clear that the data provided by the Court showed that CPS only corrected the record with the Court AFTER the hearing had taken place, and this data was provided to CPS which makes their comment that The CPS have also advised that the relevant court appear to have been notified of the rectification, and were made aware of the lack of reliability of this data even more puzzling.

I appealed the decision of ICO on that basis and also that:

The ICO findings admit that you are aware that data was not corrected in 2018 and CPS admit this also. ICO has not concluded that CPS breached GDPR in the retention and supply of data in error. This is the minimum that can be expected in this matter in respect of an adjudication from CPS’ professional regulator for data issues. The original issue is the creation and retention of incorrect data in 2017 – 2018 which ICO ruled on in 2018. The seriousness of the matter is increased by the failure to correct under Article 16 in 2018 following the ICO ruling then.

ICO in effect failed to assess if my Article 16 rights were breached by failure to correct the record acknowledged by CPS to be held in error in 2019.

ICO’s response was to refer the matter to a reviewing officer. The response was:

In this case the CPS acknowledge their mistake in their letter of 02 July 2021 when they stated that they had retained a reference to a conviction… which was incorrect. In their letter of 02 August 2021 they stated; ‘This file has now been rectified and the information removed as soon as the error was noted’.

No interest in the significance of such an error or the consequences of it. The creation and retention of incorrect data is ignored by ICO as is the continued retention of it past 2019 despite CPS being aware of the error from that point. In effect ICO fail to reach the obvious conclusion suggested by the data supplied to them that CPS failed in their key duties and then attempted to cover the error up by lying that the record had been corrected with the suggestion this was done in time for the hearing.

It is my view that historically the CPS retained incorrect personal data about you which they went on to share with Leeds County Court and at that time it appears that this would have infringed data protection legislation. However when Ian Sangan assessed your case he was doing so based upon the knowledge that the CPS had rectified the inaccurate information in 2018. On this basis he reached his view in January 2022 that the CPS were complying with data protection legislation. With regards to the erroneous data that was held on your record prior to 2018; the actions of the CPS in sharing inaccurate information with Leeds County Court appear not to have been compliant with data protection law, at that time.

Clearly CPS failed to correct the data in 2018 / 2019! Apart from the judgment that inaccurate data was shared with the Court no action was taken by ICO. Truly a toothless watchdog!

ICO’s John Turner wrote to me on 16.2.22 to state:
If you would like to complain about the service you have received from us I would remind you that you may be able to complain to the Parliamentary and Health Service Ombudsman via your MP.

He of course failed to mention that the matter could be put to the First Tier Tribunal who deal with matters related to information rights issues and complaints about ICO handling of matters. Possibly this was deliberate to avoid such clear evasions of responsibility by ICO being adjudicated against.

Evidence of an inability or unwillingness on the part of ICO to properly hold organisations to account is growing.

On 12.8.22 I wrote to CPS again to state:

In your response of 11.8.21 you fail to take action in respect of the request at c) to show that the records have been corrected. This is a second breach of my Article 16 rights. I have strong grounds to believe that you continue to retain wrong data on me with the potential to cause significant damage if this is released to third parties.

I believe CPS continue to hold incorrect data and that ICO has failed to take action to assist

Following all this two data access requests made of CPS on 16.2.22 and 2.3.22.

Neither of these requests has received a response or acknowledgment from CPS who are again in breach of the law. The time period given under law has now lapsed and the Data Controller has now broken the law by failure to respond. The matter was referred to ICO.

You will likely not be surprised to hear that the response came from ICO’s master of deflection John Turner who stated:
I can concur that there has been no communication between ICO and CPS since 28 January 2022. The only communications on the case since that date have been between the ICO and you.

Following your request for a case review this was conducted on 14 February 2022 and you were sent a copy. There was no purpose to involve the CPS in the review and they were not contacted.

I re-iterate your case is now closed and the ICO will not be taking further action

…in other words the issue raised of two further breaches of information rights law by CPS has been cuffed off and ignored by ICO.

Conclusions

A significant series of breaches of the law have been committed by CPS and yet ICO’s investigation into these has been weak, evasive and failed to consider key evidence which shows that CPS sought to mislead ICO.

A more recent data access request to CPS has again breached the law by their failure to reply or disclose the data. Again in this matter the response of ICO is exceptionally weak and evasive. They are taking exceptional steps to avoid action to enforce the law.

ICO appears to have a “special relationship” with certain other organisations. For example it is exceptionally unlikely that they will hold such as NHS Digital to account for even very significant errors with patient records. It appears that they hold the same relationship with CPS and there must be some form of agreement for ICO not to take regulatory action equivalent to the errors these organisations commit. Instead ICO performs a series of twists and turns to avoid assessment of relevant data showing significant misconduct has taken place.

This has the effect of weakening trust in ICO’s ability to hold organisations which misconduct their data handling responsibilities to account and will eventually result in ICO being closed down as unfit for purpose. Unless of course the purpose is to assist state-run bodies in evading accountability.

February 26, 2021February 26, 2021

“Spaffing” Money Up The Wall

There’s a lot of talk at the moment about public money being wasted. Much of this revolves around issues such as PPE for healthcare workers or the Test and Trace app. It would seem that the Government have used emergency situations created by the coronavirus pandemic as a means to transfer public money into private hands. Often the people enriched appear to be friends and donors to the Conservative Party.

But hold on a moment!

If you wanted an object lesson in “spaffing” public money up the wall there’s few who do this better than The Ministry of Justice.

Take a look at the extract from a Freedom of Information Act request seen below.

So that’s £27K that the public purse isn’t going to get back! Note that this has been spent on defence of a case regarding The Ministry of Justice failing in its obligations to keep service users data safe and private.

It would actually have been easier for all concerned and considerably cheaper for MoJ to have ensured the safety and privacy of service users data to begin with. But this assumes that enough of a damn is given about the privacy of service users data by that department.

December 10, 2020December 14, 2020

The Information Commissioner’s Office: Mark Your Own Homework

The rights of the public in the UK to access data held by state-run organisations are enforced by The Information Commissioner’s Office. I say enforced but effectively unless there’s a very significant series of large-scale errors or deliberate mischief ICO chooses to look the other way.

They’ll more often choose to look the other way in the event that the miscreant organisation is a public body: a large-scale data breach by the NHS in 2017 / 2018 attracted only a note from ICO to NHS Digital gently chiding their error.

Some of the means of looking the other way include ICO issuing a “finding” that the organisation you’ve requested data from has failed to comply with the law, or a “recommendation” that that misconducting organisation complies with the law. Neither of these two results has sufficient force to compel a turnaround from the data controller if they’re determined to dig in their heels. None of these weak regulatory methods described above actually produce the data you’ve requested: if the organisation is sufficiently obstreperous you’ll need to enforce your right of access to the data via civil legal action.

Yes, folks. You’ve guessed it! Another supposed “watchdog” that turns out to be toothless, doddering and tame.

At the beginning of the pandemic hitting the UK in March 2020 ICO issued guidance to organisations over handling data access requests which effectively boiled down to “don’t misuse the fact that there’s a national emergency to get around your statutory obligations”.

Eight months on and the initial finger-wagging approach has been replaced with a new edict from ICO: mark your own homework.

Organisations that infringe the law on data access issues are now routinely in receipt of this standard form letter the first page of which appears below:

Easier than enforcing the law: ICO states the bleeding obvious to data controllers breaching the law.

The “seriously and robustly” in the above extract doesn’t apply to any actions ICO have taken in my experience of the organisation. Even in the face of large scale data breaches for which ample evidence of a data subject’s Section 173 rights being infringed exists ICO still takes the lethargic approaches mentioned above.

Briefly yours and my Section 173 rights are this:

The letter sent out by ICO continues:

…all of which explains the obligations on an organisation that they are already / should already be aware of.

One wonders what the point is of informing an organisation that’s already purposefully screwed up such as a subject access request what their obligations are. If the body is determined to withhold data for the purpose of – for example – preventing revelation of their own misconduct then a weakly worded letter from ICO will not make them correct their ways.

Misconducting organisations must be quaking in their boots regarding the powers and sanctions bit in the second to last paragraph, knowing ICO is notoriously weak on enforcement.

Thus the Merry-Go-Round of the UK’s weak regulatory and enforcement structure rumbles on.

November 13, 2020November 13, 2020

The ICO: Keeping Your Personal Data Safe?

Brief post for today. Well a brief post by the standards of this blog!

In yesterday’s blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject’s rights and potentially quite dangerous to the data subject as MoJ shared the subject’s name, address, date of birth and financial details.

The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.

Elizabeth Denham, UK Information Commissioner

The Information Commissioner’s Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.

So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other people’s data.

Can’t we?

In a delicious piece of timing just after I’d written yesterday’s blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!

I have of course deleted the email address of the intended recipient of this letter.

It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!

The ICO letter states:

I am aware that the council inadvertently provided you with the requested information.

Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.

One might hope the ICO takes appropriate action against itself for this data breach.

In all honesty I wouldn’t hold my breath.

ICO’s present logo. Strange use of lower case letters and an inappropriate full stop.

Like many of the UK’s regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.

Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exists enough “trapdoors” in the relevant legislation that a (often misapplied) exemption will be used to avoid supply of the data.

The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).

In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.

Let’s look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICO’s expenses. The majority of the fines issued in successful judgments are not paid.

One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.