ICO – Legal Babble

April 26, 2022April 26, 2022

Systemic Failures at ICO Exposed

The purpose of ICO – the Information Commissioner’s Office – is to stated on their website to be to…

…uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

However when ICO themselves are subject to a data access request they are prepared to break the law regarding such.

Given that ICO is charged with upholding the law in relation to data access requests this evasiveness ensures that they have lost the moral authority to be able to enforce data access legislation when things go wrong.

More damming though is that a recent investigation revealed ICO’s means of investigating disclosure breaches is so weak and inept as to render it futile to raise issues before them.

Put simply here’s what happened…

I made a data access request to Wakefield Council. The Council only provided four pages to begin with, then produced more but significantly failed to include the first 53 pages of data from the request, so ICO were informed after the Council had been given ample chance to correct matters.

The original matter put to ICO as a formal complaint was:

The final response is seen attached. Not only has the data requested not been provided but also the Council has directed me to the wrong agency to seek the answers / disclosure wanted. This is clear in the attached PDF. In fact the majority of the questions I am directed to seek answers to elsewhere comprise of information from Wakefield Council that only they have access to. The response of the Council is therefore misdirection as well as a breach of the relevant Act in failing to provide the data requested on 12.4.21.

Therefore I refer this matter to you for assessment on if the Council has fulfilled its obligations in respect of provision of data. The attached Word file contains all correspondence from April 2021 onwards.

Wakefield Council is the preferred workplace of people too inept to survive in a commercial environment.

ICO responded after some months and their Case Officer Rachel Webster stated:

In my view I have fully considered the data protection issues you have raised and in light of the Council’s response I do not believe there are any outstanding data protection issues that we would want to pursue further with the Council at this time. As I have explained in correspondence to you our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction.

My reply to this was sent shortly after, on 30.3.22 and stated:

There are 54 pages outstanding that have not been produced from a data access request. This is something I have been clear about across this process and the disclosures remain outstanding.

What proof have the Council shown to ICO that the relevant data has been produced?

Further that ICO tried to shuffle off responsibility for adjudicating on the data access failure by the Council. Outrageously Webster suggested:

I understanding you are currently taking legal action against the Council and it may be that these issues are resolved as part of that process.

Now here’s where things get funky.

In my email of 30.3.22 I requested:

It is for ICO to resolve the issues put before it: the Council has failed to produce data as the result of many requests to do so and was in breach of the law in repeated failures to disclose. ICO’s responsibility is to chase such matters and ensure compliance outside of any other process.

And of course I stated:

What proof have the Council shown to ICO that the relevant data has been produced?

And ICO’s response to this on 7.4.22 was:

We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned. In this case the Council believe they have fully complied with your request however it is clear from your correspondence that you disagree that this is the case and the information is outstanding. We have raised your concerns with the Council and we’re satisfied with the Council’s response and that at this time there is no further action for us to take in relation to your case.

That’s right. You read that correctly.

ICO does not seek out or require proof from organisations that they have complied with their responsibilities. Indeed in a situation such as this where a member of the public asserts that they have not then ICO will accept the comments of the organisation that they have over and above any evidence that the public has provided.

ICO then attempted to fob me off with some data in response to a request I made. The data was not that which I requested.

I in fact requested all communication between Wakefield Council and ICO. My response to ICO was sent 9.4.22 and stated:

Further that the data supplied does not support comments made in your emails to me about information supplied by the Council to ICO.

ICO claim that the Council’s attempt at a get-out-of-gaol-free card in this matter was to state that they had a particular defence in law as to why the data had not been provided. The data produced by ICO between them and the Council did not contain this claim from the local authority. So where did it come from? A further data access request was made to ICO for proof that the Council had stated to ICO what ICO claimed the Council had stated.

Simple enough you would have thought. Especially in the light of ICO’s failure to produce the relevant data in copies of correspondence with the Council.

ICO failed to produce this data. I wrote back to state:

Given ICO’s stated position as regulator for data access / information rights issues this is simply not good enough. At a minimum I would expect fulfilment of the data access request made and chased 7.4.22. That such disclosure from ICO should show that ICO has interacted with the Council on the matter of IC-134978-B9K1 and that the Council has responded appropriately back to the matters raised in this complaint.

ICO shot back with:

Thank you for your email below. I note your comments and can provide the following response. I can reassure you I have considered all the information provided by you and the Council in relation to this case.

This amounts to two failures to provide data requested. In the second instance ICO purposefully fail to address the renewed request for specific data from their office.

Given that the data I provided showed that the Council had clearly withheld disclosure for no legitimate reason it seems odd that ICO should prefer the Council’s response, especially in a situation in which they appear to have provided ICO with no supporting data.

It’s a relief to anyone who brings a data access complaint to ICO to learn that, as stated in theur response to me of 30.3.22:

…our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction. Rather we consider data protection complaints that are brought to us partly in order to identify issues with an organisations information rights policies/procedures.

Which in practical terms means that ICO will ignore issues in complaints brought by the public which it finds irksome to deal with. This may mean that if enquiries with a misconducting organisation are going to be long and drawn-out that ICO will ignore complex aspects of the complaint made. Historically even in matters where there is a significant breach of the law by an organisation ICO also fails to act punitively and instead builds up a file of data on the organisation’s failings.

A case review was requested and completed 22.4.22 by Lead Case Officer Alison Fletcher.

Again this failed to address the issue of the data requested from Wakefield Council to ICO which supported the comments made by ICO, as had all the prior responses from Rachel Webster. A further response from Alison Fletcher also failed to address the issue of the data not being supplied

Does ICO have a specific reason for withholding the data requested? Likely this is a matter of professional reputation. That a full disclosure of the data I requested would show that ICO failed to investigate this matter to a reasonable standard and perhaps that the Council did not provide them with the data ICO claimed they did. This has to be the case since I provided sufficient evidence to show Wakefield Council had breached its responsibility in law to provide all the data I originally requested from them. The sign of a weak investigation is in the reply provided by ICO which stated:

We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned

As I mentioned the practical effect of this is that if an organisation claims not to have breached the law then ICO simply accept what the organisation have said without evidence and contrary to any evidence provided by the public, however strong.

This is indicative of ICO being an organisation that is unfit for purpose. You might of course argue that they are functioning perfectly: that one part of the State has acted to deflect and cover the illegality of another.

However it is ICO’s careful avoidance of producing data requested showing what the Council stated to them which suggests most strongly that they are unable to properly police the wild west of data legislation.

Just to recap in relation to the seriousness of the malfeasance from ICO. When data was produced showing correspondence from the Council to ICO nothing supporting the comments claimed to have been made by the Council had been sent to ICO, who then went on to be unable to produce the info from the Council supporting what they say the Council had said.

When the body charged with taking others to task for failure to observe information rights law believes itself to be exempt from such laws – and likely making up excuses for organisation’s failures – can there be any doubt that ICO cannot remain much longer in its present form?

Service standards from The Information Commissioner’s Office are frankly not very good!

April 11, 2022April 11, 2022

In It Together? Is ICO Incapable of Holding Certain Bodies to Account?

Introduction

This blog entry gives a glimpse into how The Information Commissioner’s Office (ICO) operates. ICO is charged with supervision of information rights in the UK and acting to assist when things go wrong.

Much anecdotal evidence suggests ICO may act to shield certain favoured organisations.

On 5.7.21 I contacted The Information Commissioner’s Office with a complaint. This stated:

For a civil hearing on 9.6.21 a copy of any criminal record regarding me was requested. CPS supplied erroneous data to the Court. The error was a serious and significant one… This is not only offensive but also a matter to cause exceptional damage within the hearing. Such [the retention and supply of incorrect data] being an exceptionally serious offence.

In 2019 I had been made aware that this incorrect offence was recorded against me and had requested a correction. It appears CPS [The Crown Prosecution Service] did not correct the error, as they admitted only after the hearing.

The incorrect data was supplied to The High Court sitting at Leeds County Court for a hearing on 9.6.21. This caused embarrassment, distress and actual loss.

CPS were informed of the error prior to the hearing. They failed to correct the record prior to the hearing and failed to inform the Court prior to the hearing also.

CPS did not correct the error for the hearing as the transcript of the hearing also shows: the matter of them providing incorrect data to the Court became a significant issue within the proceedings and I was left unable to prove that this record of this offence was wrong. Since the record however came from an official source the Court will have been inclined to believe it.

Accordingly I looked to ICO on this matter to enforce my right to be protected from the incompetence clearly shown by CPS on this matter and the effects that this has had on me.

I sought from ICO first a detailed ruling in relation to this matter that CPS has breached the law. I sought also that CPS should be subject of a fine or other action from ICO in relation to the significance of the error made. Especially when they failed to correct a prior record showing the data to be in error and failed to act to correct the record when informed of the error prior to proceedings.

Finally I required assistance from ICO to correct the records of CPS.
CPS have previously stated in 2019 that the error has been corrected only for it to be repeated again in June 2021: this shows that they cannot be trusted to hold correct data or act properly in line with their legal obligations. Spoiler alert: neither can ICO!

One thing in their credit it that CPS admitted to ICO the error in a letter sent to me. However account details a series of errors that should not have been made had CPS been compliant with and following the law.

CPS Legal Services claimed to ICO that the record was corrected with the Court. What they failed to state was that the record was only corrected a substantial time after the hearing had concluded. A data request to the Court showed this and caught CPS out. It might be thought that ICO would look more severely on this matter for this. They failed to even properly consider all of the data put in front of them.

This blog entry therefore details how and why ICO are unwilling or unable to hold CPS to account even in a situation in which there has been a clear and catastrophic data mishandling.

What Went Wrong

CPS failed to correct data held on me in error in 2019. ICO were aware of this matter at the time. Art. 16 of GDPR relates to the right to rectification. Data was held on me in error by CPS showing a supposed offence had been committed when in fact it had not. The nature of this offence was exceptionally serious and so the onus was on CPS to create and maintain correct records even more strongly than normal due to the exceptional damage such incorrect data could create if released to a third party. CPS previously claimed to have corrected the record in January 2019 but it subsequently emerged that this was not done, breaching my relevant rights (Article 16) and CPS’ legal obligations in the process.

In a matter at The High Court sitting at Leeds in June 2021 however a copy of this incorrect data on me was produced. I contacted CPS prior to the hearing to inform that an urgent correction was required. They failed to make this correction prior to the hearing. This amounts to an exceptionally serious data error and is the cause of loss and embarrassment.

On 5.7.21 I wrote to ICO and made the following complaint regarding CPS:

I refer also to the email to CPS in respect of their illegal retention of incorrect data on me and their sharing of this to third parties in June 2021.

A series of questions are asked of CPS in the email from me below of 3.8.21. I also request additional data from them. I exercise my Article 16 GDPR rights also. CPS’s response to this of 11.8.21 is to ignore all these matters and refuse further correspondence. I consider this to be the criminal office of attempting to conceal, destroy or hide data from disclosure.

The consequences of CPS getting an individual’s data wrong are serious, significant and occur more often than expected.

On 23.12.21, some five months after alerting ICO of this matter they wrote back to me to request further information. The Case Officer for ICO was Ian Sangan.

By the end of January 2022 there had been no movement in the complaint made to ICO and so I chased the matter up. This produced a response one day later which stated:

We have considered the information available in this case, and we are of the view that CPS have presently complied with their obligations under data protection law. We will now outline the reasons why we believe this to be the case.

We can see that the last meaningful correspondence received from the CPS was July 2021. Our view is that the CPS addressed the issues surrounding the erroneous data still held on record, and advised this has been rectified and removed. The CPS have also advised that the relevant court appear to have been notified of the rectification, and were made aware of the lack of reliability of this data. The CPS have clarified to you that this was rectified prior to the hearing itself.

We can see that the organisation historically received a rectification request in 2018, and that some of the erroneous data remained on your record. Ultimately this is not something that the ICO can reasonably ignore. As such, we have today contacted the organisation and provided them with some best practice advice going forward.

In other words for a matter of a major data error with that data released to a third party, and data which the Data Controller claimed had been corrected in 2019 ICO chose to take no action bar some advice to CPS. It is difficult to imagine a more serious breach of GDPR and the obligation to retain correct data on a person than the failure to correct information pointed out to be in error in 2018 and yet retained until 2021, then supplied to a civil court in proceedings. This is what has happened here. That this matter is not treated with the seriousness it so clearly merits forms the initial issue in a complaint of poor service to ICO.

It is of course clear that the data provided by the Court showed that CPS only corrected the record with the Court AFTER the hearing had taken place, and this data was provided to CPS which makes their comment that The CPS have also advised that the relevant court appear to have been notified of the rectification, and were made aware of the lack of reliability of this data even more puzzling.

I appealed the decision of ICO on that basis and also that:

The ICO findings admit that you are aware that data was not corrected in 2018 and CPS admit this also. ICO has not concluded that CPS breached GDPR in the retention and supply of data in error. This is the minimum that can be expected in this matter in respect of an adjudication from CPS’ professional regulator for data issues. The original issue is the creation and retention of incorrect data in 2017 – 2018 which ICO ruled on in 2018. The seriousness of the matter is increased by the failure to correct under Article 16 in 2018 following the ICO ruling then.

ICO in effect failed to assess if my Article 16 rights were breached by failure to correct the record acknowledged by CPS to be held in error in 2019.

ICO’s response was to refer the matter to a reviewing officer. The response was:

In this case the CPS acknowledge their mistake in their letter of 02 July 2021 when they stated that they had retained a reference to a conviction… which was incorrect. In their letter of 02 August 2021 they stated; ‘This file has now been rectified and the information removed as soon as the error was noted’.

No interest in the significance of such an error or the consequences of it. The creation and retention of incorrect data is ignored by ICO as is the continued retention of it past 2019 despite CPS being aware of the error from that point. In effect ICO fail to reach the obvious conclusion suggested by the data supplied to them that CPS failed in their key duties and then attempted to cover the error up by lying that the record had been corrected with the suggestion this was done in time for the hearing.

It is my view that historically the CPS retained incorrect personal data about you which they went on to share with Leeds County Court and at that time it appears that this would have infringed data protection legislation. However when Ian Sangan assessed your case he was doing so based upon the knowledge that the CPS had rectified the inaccurate information in 2018. On this basis he reached his view in January 2022 that the CPS were complying with data protection legislation. With regards to the erroneous data that was held on your record prior to 2018; the actions of the CPS in sharing inaccurate information with Leeds County Court appear not to have been compliant with data protection law, at that time.

Clearly CPS failed to correct the data in 2018 / 2019! Apart from the judgment that inaccurate data was shared with the Court no action was taken by ICO. Truly a toothless watchdog!

ICO’s John Turner wrote to me on 16.2.22 to state:
If you would like to complain about the service you have received from us I would remind you that you may be able to complain to the Parliamentary and Health Service Ombudsman via your MP.

He of course failed to mention that the matter could be put to the First Tier Tribunal who deal with matters related to information rights issues and complaints about ICO handling of matters. Possibly this was deliberate to avoid such clear evasions of responsibility by ICO being adjudicated against.

Evidence of an inability or unwillingness on the part of ICO to properly hold organisations to account is growing.

On 12.8.22 I wrote to CPS again to state:

In your response of 11.8.21 you fail to take action in respect of the request at c) to show that the records have been corrected. This is a second breach of my Article 16 rights. I have strong grounds to believe that you continue to retain wrong data on me with the potential to cause significant damage if this is released to third parties.

I believe CPS continue to hold incorrect data and that ICO has failed to take action to assist

Following all this two data access requests made of CPS on 16.2.22 and 2.3.22.

Neither of these requests has received a response or acknowledgment from CPS who are again in breach of the law. The time period given under law has now lapsed and the Data Controller has now broken the law by failure to respond. The matter was referred to ICO.

You will likely not be surprised to hear that the response came from ICO’s master of deflection John Turner who stated:
I can concur that there has been no communication between ICO and CPS since 28 January 2022. The only communications on the case since that date have been between the ICO and you.

Following your request for a case review this was conducted on 14 February 2022 and you were sent a copy. There was no purpose to involve the CPS in the review and they were not contacted.

I re-iterate your case is now closed and the ICO will not be taking further action

…in other words the issue raised of two further breaches of information rights law by CPS has been cuffed off and ignored by ICO.

Conclusions

A significant series of breaches of the law have been committed by CPS and yet ICO’s investigation into these has been weak, evasive and failed to consider key evidence which shows that CPS sought to mislead ICO.

A more recent data access request to CPS has again breached the law by their failure to reply or disclose the data. Again in this matter the response of ICO is exceptionally weak and evasive. They are taking exceptional steps to avoid action to enforce the law.

ICO appears to have a “special relationship” with certain other organisations. For example it is exceptionally unlikely that they will hold such as NHS Digital to account for even very significant errors with patient records. It appears that they hold the same relationship with CPS and there must be some form of agreement for ICO not to take regulatory action equivalent to the errors these organisations commit. Instead ICO performs a series of twists and turns to avoid assessment of relevant data showing significant misconduct has taken place.

This has the effect of weakening trust in ICO’s ability to hold organisations which misconduct their data handling responsibilities to account and will eventually result in ICO being closed down as unfit for purpose. Unless of course the purpose is to assist state-run bodies in evading accountability.

December 1, 2021December 17, 2021

West Yorkshire Police Caught Out Over Serious Misconduct Issue

When caught out the first reaction of many police officers is to lie.

The blog entry below relates to an illegal arrest and breach of PACE by West Yorkshire Police. Even by the low standards of that force this is a shocker.

This blog entry also relates to a effort to hide information by Plod’s Right of Access dept. and a clear effort to deceive by West Yorkshire Police Professional Standards dept.

The last two offences were exposed by the active intervention of The Information Commissioner’s Office (ICO) who have forced police to produce documents Plod has spent the best part of a year trying to hide precisely because they prove misconduct in public office.

The background to the complaint is related to an ultra vires arrest of myself on 22nd of May 2020 without legal justification or reasonable grounds. Here’s a little background:

In May 2020 I was sent in error documents and data intended for the Metropolitan Police. This data concerned Proceeds of Crime Act proceedings against an individual living in Kent and was sent to me accidentally by The Ministry of Justice.

The data amounted to a significant data breach containing as it did many personal and financial details for this man. Given the seriousness of this I informed The Information Commissioner’s Office that a significant data breach had taken place.

Four days later I was arrested by West Yorkshire Police on the request of The Ministry of Justice under allegations that I myself had breached The Data Protection Act.

This is of course not true. Emails obtained from the Data Security Manager at HMCTS Liverpool state that they intend to have me arrested “to give him a shock” following my referral of this matter to ICO. And of course the matter was not pursued beyond the inconvenience of arrest.

This arrest also resulted in the removal of electronic devices from my home containing legally privileged, legally professionally privileged and litigation privileged materials stored electronically on those devices. This is a breach of PACE 19.6. The subsequent examination of the contents of these devices by digital forensics officers at West Yorkshire Police without triage of the privileged contents amounts to a breach of common law, which Plod then tried to hide.

As you might expect from the generally inept nature of this force the efforts to hide the data on this illegal examination resulted in the eventual revelation of misconduct in public office.

A complaint about the illegal arrest was made to West Yorkshire Police Professional Standards (PSD) in June 2020.

Part of the response to this dated 14.8.21 from the reliably evasive PC Vicky Silver at West Yorkshire Police PSD states:

The devices which were seized from your home were booked into property stores under crime reference 13200256161 and itemised to be ‘Nokia Mobile phone’ Exhibit reference DMW1 and a ‘HP Laptop’ Exhibit reference DMW2, seized devices were booked into property with the intention for these to be examined, upon the MoJ being informed of the process and timescales involved they requested no further action be taken and for your devices to be returned. PS Shand confirmed no examination took place on your devices and they were not examined, nor switched on whilst in Police possession. The records held show the devices were only removed from property stores in order to affect their return to yourself.

Much of the above was a lie. The most significant elements of which West Yorkshire Police have now been caught out on.

PS Shand refers to Police Sgt. Anthony (Tony) Shand. The disclosures forced by ICO show that his testimony to PSD regarding the devices not being digitally examined was a lie.

The Information Commissioner’s Office has been involved in a data access request made to Right of Access at West Yorkshire Police from August 2020. This request was originally made 27.8.20.

West Yorkshire Police Right of Access dept. has ever since been attempting to withhold evidence such as radio traffic, CCTV footage and the record of what happened to the electronic devices when in police custody.

The below is an extract from a Right of Access dept. letter to me dated 5.3.21. It can be seen that both the image showing the property record is cropped and they also deny the items were taken out of the property store for digital examination.

Cropped at the point of items being booked in. ICO later compelled the release of the unedited data.

ICO as Right of Access department’s professional regulator has made an active intervention and compelled the release of documents from West Yorkshire Police which were previously withheld.

These documents show the booking out of the electronic devices when in the property store for digital forensic examination, thus breaching common law, as of course legally privileged materials were stored on them. The version seen above was cropped to hide the removal of the devices for examination, breaching common law in so doing.

A copy of the most recent disclosure showing the data which ICO forced police to disclose is below. This shows data wholly contrary to what was stated in the PSD complaint response, seen above, of August 2020 and Right of Access department’s response of March 2021. The devices clearly were removed on the dates shown for digital forensic examination. Below is seen the unedited version of the property record – that shown above was edited by Right of Access dept. to remove incriminating data.

Laptop booked out for forensic examination 26.5.20 and returned to property store 10.6.21.

Likewise phone booked out on same date and later returned when examined.

On this basis PS Tony Shand in his testimony to PSD and PC Vicky Silver both sought to purposefully mislead in the response to the complaint made.

Right of Access dept. also sought to mislead in their response to me of March 2021 and further edited the property record by cropping out the incriminating data.

Both departments and individuals at West Yorkshire Police have stated things that they know to be untrue in an effort to avoid professional embarrassment, an allegation of misconduct in public office and the breaching of Common Law in relation to privileged material on the electronic devices. There is also the breach of PACE 19.6 in the removal of the devices from my home.

Right of Access dept. attempted to withhold the relevant document until instructed by their professional regulator ICO to release the information. Indeed an examination of the images on this page shows that they deliberately cropped the first disclosure sent to me in March 2020 to hide data. This amounts to a breach of S.77 of FOI 2000 by West Yorkshire Police as there has been a purposeful effort to hide relevant data. This is a criminal offence under the relevant Act.

That there existed significant opportunity for WYP to produce the relevant data prior to ICO intervention but they avoided doing so to try to hide misconduct in relation to the electronic devices.

The purpose of withholding the data was to avoid professional embarrassment to West Yorkshire Police over a breach of Common Law in the retention and examination of legally privileged material contrary PACE 19.6 and the seizure and retention of the same without a warrant.

It is now clear from the disclosure made as the result of pressure from ICO that West Yorkshire Police has not only committed purposeful misconduct in public office over the seizure, retention and examination of legally privileged material without a warrant but also that they have attempted to cover this up by wholly misleading statements in the complaint response and the subsequent effort made to hide disclosure requested.

Had ICO not forcibly intervened in this matter then the degree of misconduct and breach of legally privileged material would have remained hidden.

Given that they lie so glibly over such a serious matter none of the other assertions made by West Yorkshire Police Professional Standards dept. in any complaint response can be trusted to be factual and truthful.

As anyone who has ever dealt with that department will be aware!

August 27, 2021August 27, 2021

HMCTS Under Fire From The Information Commissioner’s Office. Again!

Hard to think of two more poorly run institution than HMCTS and it’s parent
organisation The Ministry of Justice.

This is a very simple post detailing a simple but significant error. So no lengthy explanation as to what’s happened on this occasion!

HMCTS shared my personal financial details with a third party.

That’s it. That’s basically all that can be said in the post.

But wait!

Stop and think for a few moments and we can see this is matter is actually considerably more significant and serious than it first looks.

The letter from The Information Commissioner’s Office (ICO) finding against HMCTS can be seen below.

But the operative paragraph from it is simple and plain:

Why should this matter?

Personal data in the care of such as HMCTS and MoJ has the potential to cause significant damage if released inappropriately. Release to a third party with no requirement for or rights to such data can and does cause significant issues.

The simple fact is that the incompetence of County Court staff knows no bounds.

Indeed the vindictiveness of their management towards anyone who has received appalling service from HMCTS also knows no bounds. In this matter an out-of-court settlement was agreed upon to be paid fourteen days from the agreement. Some three months after this agreement I was still awaiting payout.

HMCTS and MoJ are simply two organisations which have ceased to function in any meaningful way and the amount of time spent on damage limitation, denying errors have occurred and attempting to maintain an image of professionalism would be better spent actually running courts efficiently in the first instance.

January 25, 2021January 25, 2021

Daylight Robbery! How Police Evade Accountability on Data Access Requests

In a November 2020 report The Information Commissioner (or ICO) wrote the forward to a report and stated:

“It is my hope that police forces, and other organisations, will read this report, understand their current position and identify actions they can take to improve or maintain good performance. We will continue to work with the police to support their compliance with information rights laws.”

Some hope of that!

When the Commissioner wrote of “their current position” she was using soft-soap language for what would have been more accurately described as clear flouting of the law and institutional efforts to evade disclosure of information.

The full report can be read at https://ico.org.uk/media/action-weve-taken/reports/2618591/timeliness-of-responses-to-information-access-requests.pdf

Let’s take a look at West Yorkshire Police as being a recent example of this failure to comply with both the law on data access requests, ICO guidance and their general obligations to maintain good relations with the public.

The Office of The Police and Crime Commissioner for West Yorkshire has for some months now been aware of suboptimal handling of data access requests by West Yorkshire Police. They have noted an increasing number of complaints from members of the public about poor service and inadequate provision of data by Information Access departments at that force.

A Professional Standards Department investigation into a complaint brought by a member of the public that subject access requests made had been delivered late, were missing data and had been purposefully frustrated by police was mishandled by Professional Standards Department. The Office of The Police and Crime Commissioner for West Yorkshire (the PCC) found that the investigation had been substandard in several areas.

As per usual for a police Professional Standards Department the conclusion to the investigation ran along the lines of “We have investigated ourselves and found nothing wrong”. This outcome is usually achieved by PSD adjusting the frame of reference to the complaint to disregard all that inconvenient evidence that proves the complaint is correct. This indeed appears to have been done in this instance.

Accordingly PCC wrote in their examination of the complaint handled by PSD:

“The decision I have reached is that the outcome of the complaint was not reasonable and proportionate… [that a proper complaint investigation involved] Full consideration of the Information Management Department’s handling of [the complainants] requests over the last year, including all the ones he brought to the complaint handler’s attention and the involvement of the ICO in those requests”

Which is as I stated: police complaints department ignoring evidence which proves the force has misconducted itself.

PCC wants a re-examination of major aspects of the complaint and also wants to see:

“Full consideration of the wider context concerning the timeliness of replies to Subject Access requests by West Yorkshire Police, including the engagement with the ICO. This should take into account the findings and recommendations from the ICO’s report from November 2020 “Timeliness of Responses to Information Access Requests by Police Forces in England, Wales and Northern Ireland”

…in other words the report I referenced above.

This is to say the least mildly inconvenient for police. An examination of the timelines for a dip-sample of data access requests made (but not fulfilled on time) is one of the easiest ways to see that police have broken the law in relation to these requests.

But of course if West Yorkshire Police were to investigate themselves and report to PCC the errors made in supplying data requested by members of the public then it would be impossible to hide the scale of information deliberately hidden.

So the response of Rene Prime, Reviewing Officer at Professional Standards Department to PCC states:

“Unfortunately, I do not agree with the actions you propose should be taken to resolve the complaint. I agree that full consideration should be given to [the complainant’s] contact and requests to Information Management over the last year and the issues that have arisen around those requests, however I do not consider that it is appropriate to consider the wider context of perceived issues within the Information Management Team.”

Which is as slippery a way as can be found to avoid PCC discovering the full extent of West Yorkshire Police’s efforts to evade the production of data requested by members of the public. This reply also in effect “cuffs off” (to use a West Yorkshire Police term) the recommendations of PCC which have been made in the light of the many other individual complaints from members of the public regarding failed data access requests.

The standard approach to data access requests made by police forces is not compatible with legislation allowing the public access to data.

Secretive, evasive and mendacious: police hate requests for information from the public.

Instead they seek to frustrate access requests, deny even the production of non-contentious materials and in most cases seek to delay the production of data beyond time limits in law so that the requester will be liable to forget all about the request and go away. At all stages the intention is to frustrate, vex and delay. This is often because the police operational mindset is focused towards evading any form of insight into their working practices or accountability. Ergo the more the public get to know about police methods and actions by data access requests the less the freedom for police to do more or less as they wish. An informed public is aware of the abuses of power and the bending of the law that the police perform daily.

The above correspondence gives you something of an insight into the attempts police make to avoid production of data which would make them accountable. This time last year the police complaints process was subtly changed to make the local PCC engage more with appeals into poorly handled complaints. It will be interesting in the light of the above to see if West Yorkshire Police’s PCC has the guts to challenge ongoing breaches of the law over data access requests to West Yorkshire Police.

December 31, 2020December 31, 2020

ICO Address Police Breaches of the Law on GDPR

Police forces are notoriously bad at responding to subject access requests (those are requests for your own personal data) as well as requests for data overall from the force, especially if the request for access is made by the public.

The Information Commissioner’s Office has recently published a report (link seen below) outlining just what an absolute catastrophe police responses to these requests are.

Click to access timeliness-of-responses-to-information-access-requests.pdf

As ever with such a report the real eye-opener are the recommendations made by ICO. In this instance these are nine points which show how UK police forces are failing to deal with data access requests in anything like an efficient and professional way. Often this is because the purpose of data access legislation clashes with police’s wish to keep information regarding errors in procedure and process wholly secret.

This report will cause consternation in particular at failing Humberside Police, a force subject to many eye-watering fines from ICO in the past for failures to comply with the law on data access by the public. The recommendations ICO suggest will likely be impossible for the force to implement.

West Yorkshire Police – as expected one of the forces most likely to break the law to try to avoid the production of data – said at a meeting convened by their Police and Crime Commissioner recently that they would be looking at increasing the staffing in the Information Management Department in the next year (budget permitting) to cope with the demands made upon it. “Looking at” and “budget permitting” is another way of saying that nothing will be done to address the problem.

December 23, 2020December 23, 2020

A Christmas Card from Humberside Police!

I’ve written on here many times before about how Humberside Police are particularly useless, even in a hotly contested field of local forces.

However even I fell off my chair at the sheer incompetence of the subject access response provided by their Information Compliance department this week.

A subject access request provided by the force amounts to a nonfeasance as the response:

1. Fails to provide the data requested.

2. Is issued outside the legal time limit for a response to be provided.

3. Repeats back the same information put in the original request.

Here’s the letter in full. I have redacted the header.

The key sentences are in the fourth and fifth paragraphs seen above. These are reproduced from the original request. Data cannot be obtained from the Police National Computer – however data that has been entered into the PNC by a local force can be obtained from the same regional police force. Hence the request to Humberside Police.

The substantive reply is seen below:

Here we focus on the second paragraph. It essentially repeats the data I put to police in the first instance.

Consequently the force has failed to react correctly to the subject access request in every conceivable aspect.

This suggests that the intention is to continue frustrate any further request made for the data using the rights conferred in italics in the letter to do so as the response to any further requests that might be made.

The Information Commissioner’s Office has been informed.

November 13, 2020November 13, 2020

The ICO: Keeping Your Personal Data Safe?

Brief post for today. Well a brief post by the standards of this blog!

In yesterday’s blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject’s rights and potentially quite dangerous to the data subject as MoJ shared the subject’s name, address, date of birth and financial details.

The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.

Elizabeth Denham, UK Information Commissioner

The Information Commissioner’s Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.

So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other people’s data.

Can’t we?

In a delicious piece of timing just after I’d written yesterday’s blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!

I have of course deleted the email address of the intended recipient of this letter.

It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!

The ICO letter states:

I am aware that the council inadvertently provided you with the requested information.

Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.

One might hope the ICO takes appropriate action against itself for this data breach.

In all honesty I wouldn’t hold my breath.

ICO’s present logo. Strange use of lower case letters and an inappropriate full stop.

Like many of the UK’s regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.

Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exists enough “trapdoors” in the relevant legislation that a (often misapplied) exemption will be used to avoid supply of the data.

The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).

In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.

Let’s look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICO’s expenses. The majority of the fines issued in successful judgments are not paid.

One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.

November 12, 2020November 12, 2020

Malfeasance at the Office of West Yorkshire Police and Crime Commissioner

The West Yorkshire Police and Crime Commissioner is Mark Burns-Williamson, a largely gaff-prone failed politician. Heaven knows there’s sufficient data out there in the public domain to show that by any stretch of the imagination the man is unsuited to any role requiring public trust.

My favourite one details how he sent an inadvisable letter in a “love triangle” which would ordinarily have rendered him open to criminal prosecution. This was however covered up by West Yorkshire Police’s (then) DCI Simon Bottomley leading to the eternal gratitude of Burns-Williamson to the force he is supposed to scrutinise.

It also appears his office is prepared to manipulate and ignore facts to protect the very organisation it should be holding to scrutiny.

This blog entry tells the story of one such incident.

Burns-Williamson demonstrates the degree to which he hold the local force to scrutiny.

In May 2020 The Ministry of Justice’s Data Access Office sent data to a person (who we will call the recipient) in error.

This data was information on a third party who lived in the London area. This amounted to a serious data breach as the disclosure included the subjects name, address, date of birth and bank account details etc. as well as other disclosures regarding a series Proceeds of Crime Act proceedings against the data subject.

The recipient of the data informed The Information Commissioner’s Office and The Ministry of Justice as well as the data subject whose information had been disclosed. He also posted regarding this on Twitter but did not reveal any confidential information in so doing.

Data Access at MoJ requested the recipient remove the mocking tweet. The recipient of the data refused citing his freedom of expression under The Human Rights Act and that no offence in civil or criminal law had been committed by the tweet.

Three days later the recipient of the data was arrested at his home by West Yorkshire Police on the basis that he had breached The Data Protection Act. The allegation being that he had shared the confidential data sent to him in error on Twitter.

This was palpably untrue as an examination of the tweet would have confirmed. However police did not examine the tweet for themselves but took it “on trust” from MoJ that a supposed offence had taken place. Of course it hadn’t but MoJ were burning with indignation that a serious data security error had been made public and to their official regulator on data matters the ICO.

Police were aware that no offence had occurred.

The bar for arrest for any offence is set very high as recent cases such as Rachid v. The Chief Constable of West Yorkshire Police (2020) show. Instead police took it on trust from The Ministry of Justice that an offence had occurred in a situation in which the Security Manager for MoJ’s correspondence (seen by this blogger) reveals his desire to give the recipient “a nasty shock”.

The recipient’s home was entered by police on his arrest. In the middle of the Spring 2020 pandemic a vulnerable family member who was shielding was subject to interaction with police who did not wear PPE or take any form of precautions regarding introducing COVID-19 infection into the home. Electronic devices were removed and the home was ransacked in the search. The officer leading this was PC Alan Jackson. Police actions amount to trespass to property (since there were no reasonable grounds for arrest) alongside trespass to goods and wrongful arrest.

The home of the recipient of data was raided by police without PPE in the middle of the spring pandemic.

Predictably no charges were brought. Emails seen between the Officer in Charge (OIC) and The Ministry of Justice reveal MoJ immediately loose interest when the recipient was arrested which fits in with the prior email claiming MoJ wanted to give him a nasty shock. No further action resulted to the recipient from either Police or MoJ.

A complaint was duly made by the recipient to West Yorkshire Police Professional Standards Department (PSD). Their internal investigation under The Police Reform Act 2002 confirmed – but only internally to the police – that the arrest was wrongful on the basis that WYP had not seen or been provided by MoJ with any indication that a criminal offence had taken place. Other aspects of the complaint made were ignored by PSD and not investigated.

An organisation such as West Yorkshire Police which has an international reputation for both corruption and incompetence needs to be able to head off complaints and minimise them early on. The investigation concluded in a document called an Assessment and Progress Log that there had indeed been no reasonable grounds for arrest, therefore logically the arrest was unlawful. This document was an internal document not for public or complainant’s consumption.

Police of course cannot admit that they have erred to the complainant. It opens the door for civil action for wrongful arrest and payment of compensation. It also amount to loss of professional reputation.

Thus the results of the PSD investigation which were presented to the complainant in August 2020 were totally at odds with the actual true findings of the investigation. The official line was that nothing untoward had occurred and that the arrest was legitimate: the unseen internal report stated quite the opposite. A copy of this report has since been obtained from WYP and examined.

If you find that the above shocks you then I would respectfully point out you may have little experience of the police complaints process and the extent to which it seeks to hide the conduct of misconducting and underperforming officers.

The complainant found some 21 issues with the PSD investigation response which were either suboptimal or evaded examination of the facts. Of course if you’re prepared to commit mendacity on such a scale as a police complaints office then it’s best to keep any communication simple. The response provided by PSD’s Vicky Silver was clearly exceptionally evasive and the errors in it were manifest.

Police Professional Standards Departments go to any length to dismiss valid complaints.

The complaint was progressed as an appeal to The Office of The Police and Crime Commissioner for West Yorkshire, this being a body with supposed oversight of the local force. Karen Gray at PCC was tasked with the examination of the appeal.

It is a basic element of any investigation that the investigator should have access to all of the data available to be able to reach a reasoned conclusion. This is common sense. In the course of the PCC’s investigation they either failed to obtain copies of documents such as the PSD Assessment and Progress Log or else were provided with a copy of the relevant data but chose to ignore it in favour of a rubber-stamped approval of the earlier PSD investigation.

Thus the office of West Yorkshire Police and Crime Commissioner have shown themselves to be either as throughly dishonest or professionally incompetent as the police force they are supposed to supervise. Further they are prepared to support the local force in their dishonesty.

A further complaint was made regarding the failure of the PCC to obtain all relevant data meaning that the Karen Gray investigation was fundamentally flawed. This was responded to more recently by PCC’s Jane Owen who has stated that Karen Gray could not have been aware of the Assessment and Progress Log on the basis that it was produced after the conclusion of the original PCC review.

However the document in question from PSD is dated 5.6.20.

Therefore it was produced BEFORE the complaint was referred to PCC by around two months. The response that it was not available in the original PSD investigation is therefore an outright lie.

It is of course inconceivable that an investigation properly conducted would not have requested a copy of, assessed and examined the PSD Assessment and Progress Log which was in existence by this point and therefore PSD’s position that Karen Gray had access to all of the required documentation to enable correct conclusions is not only incorrect but also deliberately misleading.

The essence of the complaint to PSD regarding wrongful arrest etc. was proven – as that office was well aware – by 5.6.20.

All subsequent efforts of PSD and the office of the PCC for West Yorkshire have sought to bury the facts under an increasing mound of guff and nonsense.

PSD chose to issue a response completely opposite to the facts they had themselves established and The Office of The Police and Crime Commissioner has assisted them in this cover-up and continues to do so.

In a desperate final attempt to avoid further scrutiny Jane Owen writes:

I have concluded that you have used the Office of the Police and Crime Commissioner’s complaints process to try and change the outcome of your complaint… and the subsequent review undertaken by this office but – in line with the statutory guidance that has been issued that sets out how reviews have to be handled – you do not have a further right of review

Is it any wonder that both West Yorkshire Police and The Office of the Police and Crime Commissioner have such a poor reputation both locally and nationally?

Certainly both are prepared to bend the truth into impossible angles to avoid any admission of error or loss of professional reputation. Perversely this ends up in a situation as described above in which loss of face and reputation end up occurring both from the original issue and the labyrinthine efforts made to conceal it.