It is hard to think of two more poorly run institutions than HMCTS and its parent organisation, the Ministry of Justice.
This is a very simple post detailing a simple but significant error, so no lengthy explanation of what has happened on this occasion!
HMCTS shared my personal financial details with a third party.
That's it. That's basically all that can be said in the post.
But wait!
Stop and think for a few moments and we can see this matter is actually considerably more significant and serious than it first looks.
The letter from the Information Commissioner's Office (ICO) finding against HMCTS can be seen below.
The operative paragraph from it is simple and plain:
The nub of the issue.
Why should this matter?
Personal data in the care of organisations such as HMCTS and the MoJ has the potential to cause significant damage if released inappropriately. Release to a third party with no need for, or right to, such data can and does cause significant harm.
The simple fact is that the incompetence of County Court staff knows no bounds.
Indeed the vindictiveness of their management towards anyone who has received appalling service from HMCTS also knows no bounds. In this matter an out-of-court settlement was agreed, to be paid fourteen days from the date of agreement. Some three months later I was still awaiting payout.
HMCTS and the MoJ are simply two organisations which have ceased to function in any meaningful way, and the time spent on damage limitation, denying that errors have occurred and attempting to maintain an image of professionalism would be better spent actually running the courts efficiently in the first instance.
The Information Commissioner wrote the foreword to a November 2020 ICO report on police handling of information access requests, stating:
"It is my hope that police forces, and other organisations, will read this report, understand their current position and identify actions they can take to improve or maintain good performance. We will continue to work with the police to support their compliance with information rights laws."
Some hope of that!
When the Commissioner wrote of "their current position" she was using soft-soap language for what would more accurately be described as clear flouting of the law and institutional efforts to evade disclosure of information.
Let's take West Yorkshire Police as a recent example of this failure to comply with the law on data access requests, with ICO guidance, and with the force's general obligation to maintain good relations with the public.
The Office of the Police and Crime Commissioner for West Yorkshire has for some months been aware of suboptimal handling of data access requests by West Yorkshire Police. It has noted an increasing number of complaints from members of the public about poor service and inadequate provision of data by the force's Information Access department.
A member of the public complained that subject access requests he had made were delivered late, were missing data and had been purposefully frustrated by the force. The Professional Standards Department (PSD) investigation into that complaint was itself mishandled: the Office of the Police and Crime Commissioner for West Yorkshire (the PCC) found the investigation substandard in several areas.
As is usual for a police Professional Standards Department, the conclusion of the investigation ran along the lines of "We have investigated ourselves and found nothing wrong". This outcome is usually achieved by PSD adjusting the frame of reference of the complaint so as to disregard all the inconvenient evidence that proves the complaint is correct. That indeed appears to have been done in this instance.
Accordingly the PCC wrote in its examination of the complaint as handled by PSD:
"The decision I have reached is that the outcome of the complaint was not reasonable and proportionate… [that a proper complaint investigation involved] Full consideration of the Information Management Department's handling of [the complainant's] requests over the last year, including all the ones he brought to the complaint handler's attention and the involvement of the ICO in those requests"
Which is as I stated: the police complaints department ignoring evidence which proves the force has misconducted itself.
The PCC wants a re-examination of major aspects of the complaint and also wants to see:
"Full consideration of the wider context concerning the timeliness of replies to Subject Access requests by West Yorkshire Police, including the engagement with the ICO. This should take into account the findings and recommendations from the ICO's report from November 2020 'Timeliness of Responses to Information Access Requests by Police Forces in England, Wales and Northern Ireland'"
…in other words the report I referenced above.
This is, to say the least, mildly inconvenient for the police. Examining the timelines of a dip-sample of data access requests made (but not fulfilled on time) is one of the easiest ways to see that the police have broken the law in relation to these requests.
But of course if West Yorkshire Police were to investigate themselves and report to the PCC the errors made in supplying data requested by members of the public, it would be impossible to hide the scale of the information deliberately withheld.
So the response of Rene Prime, Reviewing Officer at the Professional Standards Department, to the PCC states:
"Unfortunately, I do not agree with the actions you propose should be taken to resolve the complaint. I agree that full consideration should be given to [the complainant's] contact and requests to Information Management over the last year and the issues that have arisen around those requests, however I do not consider that it is appropriate to consider the wider context of perceived issues within the Information Management Team."
Which is as slippery a way as can be found to avoid the PCC discovering the full extent of West Yorkshire Police's efforts to evade the production of data requested by members of the public. This reply also in effect "cuffs off" (to use a West Yorkshire Police term) the PCC's recommendations, which were made in the light of the many other individual complaints from members of the public regarding failed data access requests.
The standard approach police forces take to data access requests is not compatible with the legislation that gives the public access to their data.
Secretive, evasive and mendacious: police hate requests for information from the public.
Instead they seek to frustrate access requests, deny even the production of non-contentious material and in most cases delay the production of data beyond the statutory time limits, so that the requester is likely to forget all about the request and go away. At every stage the intention is to frustrate, vex and delay. This is because the police operational mindset is geared towards evading any insight into their working practices, and any accountability. Ergo, the more the public learns about police methods and actions through data access requests, the less freedom the police have to do more or less as they wish. An informed public is aware of the abuses of power and the bending of the law that the police perform daily.
The above correspondence gives something of an insight into the lengths police go to in order to avoid producing data that would make them accountable. This time last year the police complaints process was subtly changed to make the local PCC engage more closely with appeals against poorly handled complaints. It will be interesting, in the light of the above, to see whether West Yorkshire Police's PCC has the guts to challenge the ongoing breaches of the law over data access requests made to West Yorkshire Police.
Currently the scandal around COVID-19 and the award of PPE supply contracts to friends of Conservative MPs and Tory party donors hangs over Britain like an unpleasant smell.
But there is a similar NHS procurement scandal with a somewhat longer history. It shows that, if anything, lessons are never learned when it comes to NHS outsourcing. The fast and cheap route is often the chosen path, and this leads to incalculable consequences for individual patients.
TPP (or The Phoenix Partnership, as they are otherwise styled) is a company based in Horsforth, Leeds, which provides computer systems and software for GP surgeries in the British NHS.
Their website claims that their systems assist in:
increasing efficiency, driving innovation and empowering patients.
…all of which is the usual marketing hot air.
The standard package sold to surgeries is an error-riddled piece of software called SystmOne. It is used by about a third of GP practices in England and holds the records of millions of patients.
The present incarnation of this software was introduced in 2012. The Information Commissioner's Office, the public body responsible for protecting individuals' data, has long had concerns about the quality of the software and its ability to protect the sensitive personal data of patients.
A series of coding errors in SystmOne caused, from 2017 onwards, an incredibly significant and serious data loss.
Pictured is TPP founder Frank Hester with former PM David Cameron. Hester has been part of trade missions led by Cameron and by former MP Kenneth Clarke. Hester himself was awarded an OBE, tellingly at about the same time his company was managing to lose the sensitive personal data of some 140,000 people. Following the revelation of the scandal he has not seen fit to hand this OBE back.
TPP's parent company made £9.1m operating profit on £48.5m sales in 2015-16. This was concurrent with the data error discussed in this article, and the company has more than £56.2m in net assets, making it easily worth £100m. That the company cannot summon the resources to produce software which enables GP surgeries to keep patient data confidential is quite astonishing.
There were concerns about the security of data in TPP software even before the sharing of 140,000 patients' records became public knowledge.
"…it comes as the BMA wades into the increasingly murky debate over who controls access to the GP records of millions of patients."
"The doctors' trade union is now calling on the thousands of GPs using TPP's SystmOne electronic record to 'urgently consider any action they need to take', including switching off the system's 'enhanced data sharing function'." "It has become clear that if patient records are being shared through TPP… GPs are unable to specify which other organisations can have access to their patients' records."
"Some media have reported [www.telegraph.co.uk/news/2017/03/17/security-breach-fears-26-million-nhs-patients/] that it allowed patient records to be viewed by 'thousands of strangers' not involved in their care. TPP has disputed these claims, stating that patients' records cannot be accessed without their permission, except in emergencies."
Around 12 months later, errors caused by TPP failing to build its software correctly led to some 140,000 people having their personal medical data shared without their consent. This was the biggest data loss in NHS history.
Not that it takes a coding error for SystmOne to share your data. If you do not explicitly opt out of having your data shared, the software will enable potentially thousands of third parties to access your patient record.
Often this means that such data is shared with American organisations who pay the NHS for bulk healthcare data. In short, unless you explicitly tell your surgery not to share your data, SystmOne will automatically make it available to third parties, for which the NHS is paid. It takes an enquiry to NHS Digital to discover exactly who has had access to your data. No doubt your surgery and the NHS overall would rather you didn't know about the monetisation of your sensitive personal data.
No wonder that in the 2017 Digital Health article we can see Hester fighting tooth and nail to prevent any restrictions on TPP products sharing patient data with third parties!
Now to focus back on the issue of the major data loss.
In respect of the 140,000 people whose data was shared against their express wishes, the Parliamentary Under-Secretary of State for Health made a statement to the House of Commons on 2 July 2018 in which she said:
"NHS Digital recently identified a supplier defect in the processing of historical patient objections to the sharing of their confidential health data. An error occurred when 150,000 Type 2 objections set between March 2015 and June 2018 in GP practices running TPP's system were not sent to NHS Digital. As a result, these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients."
โSince being informed of the error by TPP, NHS Digital acted swiftly and it has now been rectified. NHS Digital made the Department of Health and Social Care aware of the error on 28 June. NHS Digital manages the contract for GP Systems of Choice on behalf of the Department of Health and Social Care.โ
She went on to say…
"TPP has apologised unreservedly for its role in this matter and has committed to work with NHS Digital so that errors of this nature do not occur again. This will ensure that patients' wishes on how their data is used are always respected and acted upon."
โNHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld.โ
"There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner's Office and the National Data Guardian for Health and Care aware."
On discovery of this, the largest data loss in NHS history, the Information Commissioner's Office immediately sprang into action. And, as expected, did nothing. This is par for the course for the ICO.
At present it is not known what the commercial relationship between TPP and NHS Digital comprises, so it cannot be said whether one has indemnified the other against the consequences of data losses. This may be why the ICO fails to act.
Look at the extracts below from a letter sent from the ICO to NHS Digital. As far as I'm aware this is the first publication of this document in any media:
All of this tale of failure is par for the course in modern Britain.
Shoddy companies such as TPP gain contracts to provide services to the public sector and produce shoddy work. When errors happen it is a "learning experience" for all concerned rather than an occasion on which heads roll. Supervisory organisations such as the ICO fail to act appropriately. And the gravy train keeps on running!
I've written here many times before about how Humberside Police are particularly useless, even in a hotly contested field of local forces.
However even I fell off my chair at the sheer incompetence of the subject access response provided by their Information Compliance department this week.
The subject access response provided by the force amounts to nonfeasance, as it:
1. Fails to provide the data requested.
2. Is issued outside the legal time limit for a response to be provided.
3. Repeats back the same information put in the original request.
Here's the letter in full. I have redacted the header.
The key sentences are in the fourth and fifth paragraphs seen above; they are reproduced from the original request. Data cannot be obtained directly from the Police National Computer, but data that has been entered into the PNC by a local force can be obtained from that force. Hence the request to Humberside Police.
The substantive reply is seen below:
Here we focus on the second paragraph. It essentially repeats the data I put to the police in the first instance.
Consequently the force has failed to respond correctly to the subject access request in every conceivable respect.
This suggests that the intention is to continue to frustrate any further request for the data, using the rights set out in italics in the letter as the stock response to any further requests that might be made.
The Information Commissionerโs Office has been informed.
The rights of the public in the UK to access data held by state-run organisations are enforced by the Information Commissioner's Office. I say enforced, but effectively, unless there is a very significant series of large-scale errors or deliberate mischief, the ICO chooses to look the other way.
They will more often choose to look the other way when the miscreant organisation is a public body: a large-scale data breach by the NHS in 2017 / 2018 attracted only a note from the ICO to NHS Digital gently chiding their error.
Some of the means of looking the other way include the ICO issuing a "finding" that the organisation you have requested data from has failed to comply with the law, or a "recommendation" that the misconducting organisation complies with the law. Neither of these results has sufficient force to compel a turnaround from a data controller determined to dig in its heels. None of these weak regulatory methods actually produces the data you have requested: if the organisation is sufficiently obstreperous you will need to enforce your right of access via civil legal action.
Yes, folks. You've guessed it! Another supposed "watchdog" that turns out to be toothless, doddering and tame.
At the beginning of the pandemic hitting the UK in March 2020 the ICO issued guidance to organisations on handling data access requests which effectively boiled down to "don't misuse the fact that there's a national emergency to get around your statutory obligations".
Eight months on, the initial finger-wagging approach has been replaced with a new edict from the ICO: mark your own homework.
Organisations that infringe the law on data access are now routinely in receipt of this standard form letter, the first page of which appears below:
Easier than enforcing the law: the ICO states the bleeding obvious to data controllers breaching the law.
The "seriously and robustly" in the above extract does not apply to any action the ICO has taken in my experience of the organisation. Even in the face of large-scale data breaches, for which ample evidence exists of a data subject's Section 173 rights being infringed, the ICO still takes the lethargic approaches mentioned above.
Briefly, your and my Section 173 rights are these:
Extract from CPS website.
The letter sent out by ICO continues:
…all of which explains obligations of which the organisation is already, or should already be, aware.
One wonders what the point is of informing an organisation that has already purposefully screwed up, for example on a subject access request, what its obligations are. If the body is determined to withhold data in order, for example, to prevent revelation of its own misconduct, a weakly worded letter from the ICO will not make it mend its ways.
Misconducting organisations must be quaking in their boots at the "powers and sanctions" bit in the second-to-last paragraph, knowing the ICO is notoriously weak on enforcement.
Thus the merry-go-round of the UK's weak regulatory and enforcement structure rumbles on.
Brief post for today. Well, a brief post by the standards of this blog!
In yesterday's blog post one of the themes touched upon was how the Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject's rights and potentially quite dangerous to the data subject, as the MoJ shared the subject's name, address, date of birth and financial details.
The post discussed the attempts the Ministry of Justice made to get back at the accidental recipient of this data, which included a false complaint to the police to ensure he was arrested, although fully aware the police would not be able to bring charges as no offence had taken place.
Elizabeth Denham, UK Information Commissioner
The Information Commissioner's Office (ICO) is a quasi-governmental organisation reliant on public funding. Its stated aim is to enforce the data access rights of people in the UK and to adjudicate on data protection issues: in other words, to ensure that your personal data held by companies and government organisations is kept safe.
So we can naturally expect the ICO to fully comply with data protection legislation and to be especially careful in its own handling of other people's data.
Can't we?
In a delicious piece of timing, just after I'd written yesterday's blog post about the Ministry of Justice emailing data to the wrong person, the ICO went and did the same by sending me a letter intended for a third party, just like the error the MoJ made!
I have of course deleted the email address of the intended recipient of this letter.
It seems that Dacorum Borough Council also suffers from email incontinence, as they appear to have sent the intended recipient of the ICO letter some information despite claiming an exemption over the data sent!
The ICO letter states:
I am aware that the council inadvertently provided you with the requested information.
Significantly, the letter also states that the grounds on which the council attempted to withhold this data (but clearly failed to) were under section 31, that is, a claimed exemption from disclosure because the data relates to law enforcement.
One might hope the ICO takes appropriate action against itself for this data breach.
In all honesty I wouldn't hold my breath.
ICO's present logo. Strange use of lower-case letters and an inappropriate full stop.
Like many of the UK's regulatory bodies, such as the Parliamentary and Health Service Ombudsman or the Local Government Ombudsman, the ICO has selective blindness in relation to even large-scale and ongoing breaches of the GDPR and the Data Protection Act.
Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that the ICO will keep a record of the data protection concerns logged against the data controller complained of. This does not, of course, produce the data that has been requested! Occasionally the ICO will assist by instructing the data controller to supply data that is clearly being withheld. However, if the data controller is sufficiently obstreperous, there are enough "trapdoors" in the relevant legislation that an (often misapplied) exemption will be used to avoid supplying the data.
The methods organisations use to evade production of data include mishandling the application, for example by treating a subject access request for personal data as if it were a Data Protection Act request and rejecting it without giving the requester sufficient grounds. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large parts of any data disclosed can be redacted (blanked out).
In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.
Let's look at the wider picture. A key thing to remember about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation, or as a way to defuse complaints safely and without litigation. Having said this, the ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to pressure of time and resources they habitually pursue only those organisations which have committed a blatant breach of the law that has been made public, or which would be less likely to defend themselves in court and thus drive up the ICO's costs. The majority of the fines issued in successful judgments are not paid.
One example of this willingness to turn a blind eye on the part of the ICO: a significant 2017 data breach by the NHS involving some 150,000 patients' medical records (the figure given in the ministerial statement quoted above), the largest loss of data in NHS history, was not prosecuted by the ICO. This is a matter I will comment on in detail in a blog post another day.