A request was made in August 2020 for data from a subdivision of The Ministry of Justice. The response (issued outside the time limits for such in law) stated:
This is actually a two-headed matter. A complaint of poor service thrown in with a data access request for the data which proves the grounds of the complaint are correct and that multiple errors occurred. Needless to say the subdivision ignored the complaint and requested I make the data access request to London, as seen above.
You will see how this letter refers me to Data Access office as being the correct source of the data required. So Data Access were contacted in late September 2020 and the data again requested from them.
Some five months later and several chase-ups by email and Data Access deny they are the source of the data. The data is apparently best obtained from the office I originally wrote to.
There is little that can be said for this game of piggy-in-the-middle except to say that I will not play it.
The source of the apparent information that they cannot fulfil this data access request are unnamed โsenior managers” whose details I have requested. Odd how itโs always some unnamed person as the source of an instruction that sends the public on a wild goose chase.
The disclosure team for MoJ are ultimately responsible for the production of data access requests made to sub departments within MoJ. The requests made in mid-2020 are indeed data access requests. They seek specific data and this is clear from the requests themselves. It is the job of Disclosure Team to work with the sub department of MoJ I first communicated with to obtain the data from them and then relay it to me.
It looks very much like both offices are attempting to evade the production of data via a game of piggy-in-the-middle and delay. Unsurprisingly the subsidiary office originally contacted has failed to respond to the initial complaint linked to this data request.
This request has been before Data Access office since September 2020 and has only just received the response of “go back to the start”. Taking this delay in response alone as a single issue would render the handling of the request wholly unacceptable and a breach of the relevant law.
By seeking to frustrate the request in this way The Ministry of Justice has earned itself a referral to The Information Commissionerโs Office.
I write in relation to the Julian Assange extradition attempt by the US government. This has received a ruling today which has stated that Assange cannot be extradited to America on the basis of mental health concerns.
It is widely considered that the case against Assange has been cooked up as revenge against Wikileaks publication of atrocities by the US military in the Middle East. That such was designed to frighten any journalist in the future from exposure of similar state backed horrors.
As this post will detail The Ministry of Justice in the UK is quite prepared to commit abuse of process to also persecute those who publish material which exposes its wrongdoing and incompetence.
Assange in transit in a prison van from Belmarsh high security prison where he has been held.
The ruling in the case is that extradition cannot take place as America cannot guarantee the safety of Assange in a US prison in the light of his apparent suicidal ideations. These thoughts probably stem from his continued persecution for many years over Wikileaks publication of video footage of atrocities committed by the US military against civilians.
The points made regarding the safety of the US prison system of course apply equally – if not more so – to British prisons. Belmarsh was the choice of prison for Assange on the basis of the additional security given to inmates there.
The other thing that struck me about the judgment is that the extradition to America was refused not on grounds which assert and re-enforce the freedom of the press or the ability of such as Wikileaks to publish material which challenges authority but on the grounds of safety for the defendant.
The decision was made by a District Judge. Anyone familiar enough with the British legal system will likely be aware that the judge has chosen an anaemic third way in order to dismiss the case for extradition. No wonder the decision is likely to be appealed! Rather than outright confrontation of the prosecution case which was designed both as an act of revenge against Assange and a threat to any future journalists exposing official misconduct the judge chose a way which avoids these prosecution arguments being confronted and carefully debunked.
If a decision was made to extradite on the basis of the case put on behalf of the prosecution then the risk to press freedom in future would have been grave. As it is the case has been a warning shot to anyone thinking of publishing contentious material regarding state backed misconduct.
The judge has accepted the proposition advanced by Assangeโs legal team that an American prison is not sufficiently safe for someone with suicidal thoughts.
Were he still alive Jeffrey Epstein would also likely agree that an American prison is an insufficiently safe environment for people who have – like Assange – embarrassed or risk embarrassing those who hold the levers of power in America.
We donโt have to look to a high-profile case such as this to see official misuse of power in an act of revenge against those who publish material which would embarrass authority, as our own Minisry of Justice in Britain are quite prepared to carry out misconduct in public office in this way.
In May this year I was sent material in error by MoJ. This was a letter intended for the Metropolitan Police in relation to Proceeds of Crime Act proceedings against an individual in the Kent area.
The data sent to me in error constituted a considerable Data Protection Act breach and covered the name, address, date of birth and bank details of the individual and other compromising data. Such data in the wrong hands could have resulted in considerable fraud committed against the data subject by the misuse of his personal details. I informed both The Information Commissionerโs Office and the data subject about this.
I also posted – with no small amount of schadenfreude – the tweet seen below. No aspect of the content of this tweet breached revealed data on the data subject and thus was not actionable. It simply and quite rightly embarrassed MoJ as an organisation which is incompetent in the handling of personal data.
Despite the fact that MoJ were wholly in the wrong over this entire matter they decided to go on the offensive and instructed West Yorkshire Police to arrest me in relation to offences under The Data Protection Act.
Police, having seen no evidence of any offence committed in civil or criminal law, nevertheless took the word of MoJ as gospel and in so doing broke the law themselves not least by committing a wrongful arrest.
I was arrested and held in custody at the police station. It was relegated much later in an email chain from the Head of Security at MoJ that the purpose of this was โto give him a shockโ. Iโd embarrassed MoJ in public with the tweet and reported the data breech to ICO. Consequently MoJ wished to revenge itself and were prepared to commit misconduct in public office to do so.
Of course the other thing the emails between MoJ and West Yorkshire Police also reveal is the sudden loss of interest in the matter when I was arrested – the arrest being the short, sharp shock MoJ was aiming for. An internal investigation by police also admits there were no grounds for arrest and no offence had been committed.
The point of my explaining all this shabby behaviour and breach of duty of care from two shifty little organisations is clear. Just as Assange has been intimidated and subject to abuse of process because of what he published so have I.
Such actions from organisations such as MoJ and West Yorkshire Police serve to wholly undermine public confidence in the organisations themselves and damage their own reputation. Further it exposes the organisations as being comprised of the inept, the incompetent and the petty-minded.
If MoJ or West Yorkshire Police would like a right of reply to the content of this article then I am happy to publish any point of view they may give. I may equally produce further evidence in response which confirms the facts already stated above!
The rights of the public in the UK to access data held by state-run organisations are enforced by The Information Commissionerโs Office. I say enforced but effectively unless thereโs a very significant series of large-scale errors or deliberate mischief ICO chooses to look the other way.
Theyโll more often choose to look the other way in the event that the miscreant organisation is a public body: a large-scale data breach by the NHS in 2017 / 2018 attracted only a note from ICO to NHS Digital gently chiding their error.
Some of the means of looking the other way include ICO issuing a โfindingโ that the organisation youโve requested data from has failed to comply with the law, or a โrecommendationโ that that misconducting organisation complies with the law. Neither of these two results has sufficient force to compel a turnaround from the data controller if theyโre determined to dig in their heels. None of these weak regulatory methods described above actually produce the data youโve requested: if the organisation is sufficiently obstreperous youโll need to enforce your right of access to the data via civil legal action.
Yes, folks. Youโve guessed it! Another supposed โwatchdogโ that turns out to be toothless, doddering and tame.
At the beginning of the pandemic hitting the UK in March 2020 ICO issued guidance to organisations over handling data access requests which effectively boiled down to โdonโt misuse the fact that thereโs a national emergency to get around your statutory obligationsโ.
Eight months on and the initial finger-wagging approach has been replaced with a new edict from ICO: mark your own homework.
Organisations that infringe the law on data access issues are now routinely in receipt of this standard form letter the first page of which appears below:
Easier than enforcing the law: ICO states the bleeding obvious to data controllers breaching the law.
The โseriously and robustlyโ in the above extract doesnโt apply to any actions ICO have taken in my experience of the organisation. Even in the face of large scale data breaches for which ample evidence of a data subjectโs Section 173 rights being infringed exists ICO still takes the lethargic approaches mentioned above.
Briefly yours and my Section 173 rights are this:
Extract from CPS website.
The letter sent out by ICO continues:
…all of which explains the obligations on an organisation that they are already / should already be aware of.
One wonders what the point is of informing an organisation thatโs already purposefully screwed up such as a subject access request what their obligations are. If the body is determined to withhold data for the purpose of – for example – preventing revelation of their own misconduct then a weakly worded letter from ICO will not make them correct their ways.
Misconducting organisations must be quaking in their boots regarding the powers and sanctions bit in the second to last paragraph, knowing ICO is notoriously weak on enforcement.
Thus the Merry-Go-Round of the UKโs weak regulatory and enforcement structure rumbles on.
Brief post for today. Well a brief post by the standards of this blog!
In yesterdayโs blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subjectโs rights and potentially quite dangerous to the data subject as MoJ shared the subjectโs name, address, date of birth and financial details.
The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.
Elizabeth Denham, UK Information Commissioner
The Information Commissionerโs Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.
So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other peopleโs data.
Canโt we?
In a delicious piece of timing just after Iโd written yesterdayโs blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!
I have of course deleted the email address of the intended recipient of this letter.
It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!
The ICO letter states:
I am aware that the council inadvertently provided you with the requested information.
Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.
One might hope the ICO takes appropriate action against itself for this data breach.
In all honesty I wouldnโt hold my breath.
ICOโs present logo. Strange use of lower case letters and an inappropriate full stop.
Like many of the UKโs regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.
Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exists enough โtrapdoorsโ in the relevant legislation that a (often misapplied) exemption will be used to avoid supply of the data.
The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).
In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.
Letโs look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICOโs expenses. The majority of the fines issued in successful judgments are not paid.
One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.
Legal Babble 