Out of control

Heralded by an annoying quiz that seemed to bamboozle everyone who tried it (and which has mysteriously vanished from the website *UPDATE* it can be found here), the ICO has issued new guidance on data processors. It is called, with admirable brevity, ‘Data controllers and data processors: what the difference is and what the governance implications are’. The problem it aims to solve is mentioned early on:

We are producing this guidance because of the increasing difficulty organisations can face in determining whether they or the organisations they are working with have data protection responsibility

I’m not entirely sure the guidance is any help. Let’s take one of the examples from the second part of the guidance: the market research company. Despite the fact that the organisation which contracts the Market Research company “retains overall control of the data in terms of commissioning the research and determining the purpose the data will be used for” (i.e. does what a data controller does), the ICO guidance decides that the research company is the data controller because it decides which customers to select and what questions to ask. The research happens only because the client wants it to, and only to find out what the client wants to know, but somehow, 2 + 2 makes 5 and the research company is a data controller. The same is true – apparently – for third party payment handling companies, for IT services companies (the example used is a third party doing vehicle monitoring on behalf of a car hire company), for accountants, and solicitors. As soon as a data processor does anything beyond the laborious following of technical instructions, the ICO sees them as controllers.

This is wrong, and it is stupid. In all of these examples, the client decides what data will be processed and why, and their contractor does the work on their behalf. The ICO is not skilfully negotiating what it calls the “complexity of modern business relationships”, something that few of the ICO’s staff ever experience unless they leave Wilmslow. It is turning white into black, and with consequences.

Following the ICO’s train of thought, if organisations want to share data with a lawyer, a solicitor, a market research company, an IT services company, they are obliged to tell data subjects that their data is being shared. This is what happens when one data controller shares data with another. They must identity a condition for processing the data – e.g. consent, or a legal obligation. You might think this sounds like it is the data subject’s interests and perhaps a good thing, but there’s more.

A data controller decides who to share data with. It determines the level of security, the retention period and the purposes for which the data will be used. Your market research company may choose to retain your customer data and use it for other projects. Your solicitor or accountant may chose to sell your customer data to claims management companies. A data processor that retains or reuses its client’s data without the client’s consent is likely to commit a criminal offence. A data controller that decides how to use data that it holds – even if received from someone else – is simply doing what a data controller does. The ICO’s view of market research companies is particularly eccentric given that they have previously ordered organisations to retrieve data from market research companies under FOI, on the sound reasoning that the market research company held the data solely for the organisation’s purposes.

But this is not the punchline. I’ve blogged several times about the ICO’s apparent blindness to the existence of the Royal Mail and courier companies. They’ve finally been good enough to publish their position. Couriers are neither controller or processor because “Processing personal data, including holding it, implies a degree of access to or ability to control or use the data itself, not just physical possession of the letters or parcels that contain the data”. I completely disagree with this proposition. The extended definition of processing includes ‘transmission’ and ‘destruction’, both of which can be carried out without access to the data concerned.

However, let us assume that the author is correct. Couriers are in “physical possession of the mail but may not open it to access any personal data or other content”. The same is true of an archiving company, which does not even move data from A to B, but simply takes delivery of a sealed box and returns it or destroys it without access to the data. The same is true of specialist IT firms that destroy hard drives and other data storage by means of physical destruction (for example, using the industrial guillotine promised but not delivered by the data processor in the NHS Surrey case, the identity of which the ICO insists on keeping secret). The Data Protection Act does not put couriers into this state of limbo, so the ICO have to explain why their interpretation applies to couriers but not other types of organisations who are in exactly the same situation.

This is important because the ICO has in the past served civil monetary penalties totalling more than £500,000 on organisations for breaches involving data processors who fit the same bill. In both cases, Brighton and Sussex University NHS Trust and NHS Surrey received their penalty because they did not have proper contracts with data processors who were in “physical possession of the drives but “may not open it to access any personal data or other content”. In both cases, an errant data processor sold hard drives instead of destroying them. Just as the Royal Mail handles sealed envelopes, these processors handled physically sealed drives. Opening the envelope without permission is exactly the same as connecting the hard drive to read its contents. But according to this new guidance, the Royal Mail is not a data processor and failure to have a proper contract is no breach, but hard drive renderers are data processors and failure to have a proper contract is a breach with a price of £200,000 – £325,000.

A wise person pointed out to me recently that it’s important to know what the ICO thinks, even when they’re wrong. That’s true, but only so you can argue with them properly. In the end, this is only guidance, and it doesn’t change the law. I imagine the Tribunal will make mincemeat of it should the ICO ever be foolhardy enough to base any action on its contents, but I doubt it will ever come to that. Should you wish to read advice on data processors, track down the old ICO guidance (called ‘Identifying Data Controllers and Data Processors’, and dated 14/03/2012). It’s a little bit laborious but only because whoever wrote it shows real awareness of the murky territory they were trying to navigate. It’s still good, balanced guidance and for all practical purposes has not been superseded by the new one. Until someone notices and corrects what I can only assume the intern has done, tread carefully.

UPDATE: Thanks to C.Miller in the comments for pointing out where the missing quiz can actually be found.


The British Pregnancy Advisory Service has just received a Civil Monetary Penalty of £200,000 for breaching the seventh principle of the Data Protection Act. A hacker, intent on vandalising the BPAS website, discovered a vulnerability in its coding. The details of thousands of women who had requested a call back about BPAS’ various abortion and contraception services were stored on the site, and the hacker was able to steal them.

The hacker, James Jeffery, threatened to reveal the names of the individuals, and has subsequently been convicted for offences under the Computer Misuse Act. There is no question that Jeffery’s threats to invade the privacy of innocent women were disgraceful, and he has rightly been punished. BPAS has announced that it intends to challenge the ICO’s CMP, and I don’t argue with that. The Information Commissioner’s recent interview with the Independent suggests that he doesn’t properly understand how his powers work, and the loss of the Scottish Borders CMP appeal (a CMP I don’t believe should ever have been issued) suggests he is not alone. The ICO’s use of its CMP powers is disproportionately focused on security and the public sector. The absence of an enforcement strategy for inaccuracy, which can be at least as harmful as poor security, is a disgrace.

However, whatever you think of the narrow issues of the size and nature of the BPAS CMP, the organisation’s approach to the case is a matter of real concern. I’ve written in the past about the annoying habit of data controllers to claim, in the face of some obvious and avoidable cock-up, that they take data protection very seriously when all of the evidence suggests that they don’t. Inevitably, BPAS joined in: “bpas takes any data breach immensely seriously and we were appalled that any information we hold had been compromised“.

Jeffery’s criminal actions are not a shield for BPAS’ failings. I agree with the ICO’s characterisation of them as ‘unforgivable‘. As the ICO CMP notice explains – and BPAS does not dispute – BPAS did not even know that a copy of all requests for a callback was retained on their website, making a series of assumptions about the way their website worked without actually finding out. In retaining callback requests for many years, BPAS breached the fifth data protection principle by keeping information for longer than they needed it. By storing sensitive (in the dictionary sense of the word) personal data insecurely, they breached the seventh principle, which requires organisations to take appropriate technical steps to prevent both ‘unauthorised’ and ‘unlawful’ processing. This means that data controllers have to try to prevent criminal breaches as well as accidents and cock-ups – the greater the risk of a criminal attack, the stronger the security needs to be.

Every organisation is potentially at risk from a hacker and so needs basic steps. BPAS routinely handle medical information, and describe themselves as the UK’s leading abortion provider. The likelihood of BPAS being hacked is much greater than it would be for other organisations, and the consequences for their clients of data being hacked are more damaging. What security is ‘appropriate’ for BPAS is much greater than the norm, and yet their approach had all the competence and planning of a parish council. They deserve to be criticised and perhaps punished, as they have betrayed the trust of every woman who has contacted them. Whatever your view of abortion rights, women should be able to contact an abortion provider in complete confidence. For several years, BPAS has failed to deliver on this. Jeffery was only able to access the data because BPAS left it there.

In the light of this, BPAS’ public approach to the CMP causes me great concern. Most of the statement on their website is about Jeffery’s actions, trying to create the impression that the fault is largely with him. A quote from the Chief Executive, Ann Furedi, makes this explicit. She says: “bpas was a victim of a serious crime by someone opposed to what we do“. BPAS is not the victim here; the victims of Jeffery’s actions were the people who contacted the organisation. BPAS is at pains to play down the significance of the information that was stolen: “These were not personal medical records of women who had undergone treatment at bpas and such records were never at risk“. Given that the BPAS website makes it clear that their main activity is abortion, were the records to be revealed (something made possible because of BPAS’ poor security), they would have been data about women who were likely to be seeking an abortion. No amount of sophistry can reduce the sensitivity of this information. As the ICO points out: “Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker“. It isn’t good enough for BPAS to claim that the risk to these women was entirely down to Jeffery; they put their clients in this position, especially given that hacking and criminal attack is regrettably but obviously part of the landscape in which they work. A statement made in 2012 at the time of the incident was even worse, as it claimed “the confidentiality of women receiving treatment was never in danger“, neglecting to say that the confidentiality of many women who contacted them possibly seeking treatment was unprotected.

Behind the scenes, BPAS may well be putting their house in order diligently and enthusiastically. Their public statements paint the organisation as a victim, but they are also guilty of significant failings and it may be that they realise that and simply don’t want to admit it publicly. It doesn’t give me confidence that they’re going to improve security and a more transparent admission of what went wrong would be better. The worst thing about their attempt to manage the bad news and spin their way out of the headlines however, has nothing to do with security or their position or the ICO fine. In none of the BPAS’ public statements, or the interviews I have heard Furedi give is there an apology to the women. They see the ICO’s actions as “appalling” and are horrified by what has happened to them, but for the women, there isn’t even regret.

Everyone thinks Data Protection is about computers and policies and dry, tedious sections of the law. It’s not. Data Protection is about people. It is about protecting their data, communicating with them, and it’s about the actions of people who handle data. It’s a uniquely human topic. The important issue here is not BPAS’ reputation. It is the protection of the identities of the people who BPAS exist to serve. BPAS let them down and should apologise to them now.

A poor lookout

I doubt I will ever wholly approve of anyone in the role of Information Commissioner until the Ministry of Justice comes to its senses and gives the job to me. However, I have always much preferred the verve and acerbity of Christopher Graham to the overcautious lawyerly approach of his predecessor, Richard Thomas. I don’t believe that Thomas would have been willing to enforce in the way Graham has managed (albeit that Mr Graham’s approach is fixated on one part of the public sector, and one part of one data protection principle), and he was nowhere near as good on the media stage – important for anyone in the role.

However, Graham’s interview with the Independent – timed presumably to coincide with the extension of his tenure to the legal maximum of 7 years –   was dispiriting.

Some of the flaws in the article are not attributed directly to Graham – the text describes action taken under PECR as an attempt to ‘prosecute’, which is incorrect because it was a civil action. It’s entirely possible that this was the Indie’s mistake but it doesn’t help anyone to understand what the ICO does (presumably one aim of doing the interview) and it should have been corrected. But when the text later describes the Commissioner as having a ‘right to compulsory audit’ local government, this is also wrong. The ICO can do mandatory audits of Government and there was a consultation to give it powers to do the same for the NHS. Compulsory audits for local government aren’t on the table. This is a mistake that Christopher Graham has made before, so I suspect it came from him, but it’s also a sign of the limit on the current Commissioner’s ambitions. Where is the evidence that he wants such powers?

Something that can definitely be attributed to Mr Graham is his crass, discourteous description of local government as ‘hopeless’. Every council delegate at next week’s ICO Data Protection Officer’s Conference should make it their business to challenge him on it, and frankly, councils should stop cowering in front of the ICO, stop reporting incidents to his office and stop cooperating with its entirely voluntary audits unless they actively want one. The weekend’s big data protection story was the theft of data from Aviva and subsequent sale to claims management companies. Graham has done an admirable job of agitating for bigger fines for data theft, but part of the ICO’s beloved seventh principle requires organisations to take steps to prevent ‘unlawful processing’. It’s not just about catching the thieves afterwards, but attempting to thwart them in advance. I am certain that the ICO doesn’t have a clue whether the financial services industry is exemplary or hopeless in this regard. Mr Graham hasn’t even asked for the mandatory audit powers to find out. Councils are an easy target because they constantly move data around and FOI means that, unlike the private sector, they can’t keep their dirty laundry hidden. The ‘hopeless’ remark may have been off-the-cuff, but it suggests knowledge that his office hasn’t put the hours in to possess. Besides, Mr Graham is a journalist and would know that such a remark would make the final edit, so it’s an insulting message he wanted to send. I’d love to know what word he uses to describe the ICO’s non-existent enforcement of the FOI Act, to the extent that some government departments openly thumb their noses at his office, and thus at him.

More of a concern is Graham’s remark that ““People have been challenging me on the bus about care.data. That’s the talking point but Snowden hasn’t been, which is kind of a surprise.” There are two things that bother me about this. Firstly, it suggests that Graham is out of touch with the public. It is not the ICO’s job to represent the public, it is their job to ensure that data controllers comply with the law (technically, the courts have more of a role in upholding individual rights than the ICO does). But nevertheless, Graham’s expectation that people would be button-holing him about the security services rather than the NHS is a tad elitist. The NSA’s spying on us all is obnoxious, but care.data is much more likely to have a direct effect on the man on the 130 bus to Wilmslow. More crucially, however, Snowden is not really on Graham’s territory. There is a very broad exemption in the DPA that you may not agree with, but which puts any activity ‘necessary’ for national security completely outside the DPA, and off the ICO’s radar. If the Commissioner was more concerned with matters that are more directly covered by his legislation, he might have avoided giving such inaccurate advice on care.data and pseudonymisation when on the BBC Breakfast sofa. It’s interesting that the Commissioner admits that his office failed to persuade NHS England to write to all citizens about care.data, which suggests that the stakeholder engagement approach doesn’t bear fruit.

Most depressing of all, however, is Graham’s complaint about the loss of the Scottish Borders appeal. Borders won their appeal because the ICO failed to establish a crucial part of the test that the law has set for them. The ICO has to show that it is “likely” that the breach – in this case, the failure to have a proper contract in place with a company scanning and disposing of records – would cause damage or distress. The ICO’s approach in Borders (and others) was to assume.  For the ICO, lost records = identity theft. The civil burden of proof is lower than the criminal one, but it should not simply be what a clever man reckons. I made an FOI request for any evidence of the ICO’s claim that a lost passport number leads to identity theft, and they admitted that they don’t have any. If they propose to fine an organisation £250,000, the ICO ought to have more than an assumption and crucially, the law requires that they have more. But Mr Graham doesn’t appear to understand that: he complains: “I couldn’t prove that someone of malicious intent had picked up all this personal information and was going to be doing people down”. This is not why the case was lost (although it’s true that he couldn’t prove that).

The Information Commissioner is a single appointee helped by hundreds of staff, but nevertheless, a single appointee who is given all of the powers and obligations. Mr Graham must understand how his powers work. Papers spilling out of a bin isn’t a breach. It’s an incident. The Commissioner cannot issue a CMP for papers spilling out of a bin, or any other incident in itself. In Borders, he had to establish that there was a breach: there was no contract, so job done. Then he had to show that incidents like the papers in the bin were foreseeable and likely to cause damage or distress. People sometimes don’t have proper contracts with long-standing and trusted suppliers. Is it likely that this will lead to the supplier dumping paper records in a recycling bin? Will this lead to damage and distress? Honestly, I don’t know, but that’s what Mr Graham couldn’t prove to the satisfaction of the Tribunal and frankly, I think the test should be rigorous if the stakes are as high as a quarter of a million pounds. The Deputy Commissioner David Smith was chided by the Tribunal at the time for focussing too much on the incident, and here the Commissioner makes the same fundamental mistake.

Most of the other matters I’ve raised here are presentational and you might say trivial; this final one isn’t. The role of the Commissioner is to be a figurehead, a public face to play up the big picture, but if Mr Graham wants to complain about losing Tribunal cases, he has to know why he lost, and I’m not sure from the evidence that he does. If he, and the office as a whole don’t learn the lessons, the important powers they were given under the tenure of his hesitant predecessor will become worthless. He’s still a more impressive figure than his predecessor, and almost certainly the most successful holder of the office so far. But this interview shows a Commissioner sniping at everyone but unsure of the details: not hopeless, but equally, not inspiring.

Down these mean streets a man must go

Especially given my last blog accused the Information Commissioner’s Office of incompetence, it’s nice to be able to celebrate an aspect of their work. Yesterday, the directors of ICU Investigations (geddit?) and the company itself were convicted of blagging data from a variety of organisations, for a variety of organisations. If you’re expecting me to find some aspect of this story to use a stick to beat the Commissioner with, not today. It’s a triumph. Five employees had already plead guilty, but by successfully prosecuting the Directors, the Commissioner has sent a powerful message to other organisations who might be tempted to blag and specifically, employers who might seek to blame errant staff. The only downside to the prosecution is the paltry punishments available to the court, but again, the ICO cannot be blamed for that. Christopher Graham has run a consistent campaign to transform the fines for data theft into something more effective, and this is no exception. His statement on the case said:

The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that. I spoke with the Home Secretary Theresa May on this matter earlier this week to urge her to introduce more effective sentences for these kinds of offences, and she has agreed to meet me to discuss the matter. That conversation needs to result in action.

So, to the ICO, I say keep up the good work. For everyone else associated with this story, some serious questions need to be answered. GP surgeries, hospitals, British Gas, EON Energy and TV Licensing were among the organisations that volunteered information to the blaggers. Principle 7 of the Data Protection Act requires organisations to have a range of technical and organisation measures in place, but checking that the man who phones up is who he says he is is one of the most basic. Very few of my trainees ever treats this news as a revelation. And yet ICU’s devious methods were to ring up and….. say they were someone they weren’t. BBC News played a number of call recordings, and one of them should be available here

The cheery, breezy manner is very effective, but there is no skill, no special technique. They rely solely on the person on the other end of the phone being too polite or hurried to question them. In case you’re wondering, a simple technique with an external organisation is ring them back via their switchboard number (which you find out yourself), not via any number they give you. All you need to do with a customer is ask them a question only they would know the answer to (a PIN number, a password, the last payment they made). It used to be common practice to ask for mother’s maiden name or first pet, but given the amount of this kind of info willingly disgorged by people onto Facebook, something account-related is probably better.

Everyone who gave information to ICU (and everyone who will today give information to one of ICU’s many competitors) is legally obliged to have in place procedures and training so that every person answering calls and emails is on their guard. And more importantly than the legal obligation, they owe their customers the courtesy of valuing and protecting their information. The BBC reported that one of the most frequent targets was TV Licensing, which is one of the BBC’s functions but which has for many years been outsourced to Capita. The overwhelming majority of us have no choice but to pay for a TV license, and we are owed more than the mealy-mouthed ‘we’ve tightened up procedures’ hogwash that the Corporation has squeaked out so far.

The organisations who gave out the information are not the only ones who should be examining their actions today. The ICO reports that ICU’s clients included Allianz Insurance PLC, Brighton & Hove Council, Leeds Building Society and Dee Valley Water.. A quick trip to ICU’s testimonials page also reveals recommendations from ‘a major gas supplier’ and ‘a rural local authority’. The first thing is that it’s entirely possible that ICU’s client list also included some of its targets. More importantly, there is a word that keeps popping up through the comments: ‘prompt‘. The scrolling news on ICU’s site has unsurprisingly not been updated to include the court case, but it does contain this fascinating product:

NEW Emergency Trace Reports
ICU supply emergency trace reports within 24 Hours for customers with urgent court deadlines or financial targets to meet. These will be offered at the same cost as 48 Hour Express services (for regular customers)

The ICO was quick to exonerate the clients: “The information requested could typically have been obtained legitimately, and there was no evidence clients were aware the data had been obtained by illegal means.” But I’d like to pick at that scab. I don’t think the Commissioner should look any further – there are clear guilty parties in this case and they’ve been dealt with. I’m certain that the clients didn’t know personal data was being stolen. The question is, were they at least naive in not asking whether it might be?

In the same way that organisations who gave out the information have to tighten their procedures (and ought to apologise), the clients should ask themselves where they thought the trace information was coming from. Of course, a Private Investigations firm might have techniques that we can only guess at. However, I have met and trained a lot of people who work in debt recovery which is exactly the kind of tracing that ICU could assist with. In-house debt recovery people spend a lot of time knocking on doors, talking to relatives and neighbours, visiting previous addresses. It’s slow, tedious and laborious work, and the information you get is sometimes useless because it is wrong or out of date. But it’s legal. I’ve helped a lot of organisations in their attempts to get address and other information from third party organisations. It requires patient explanation of the Data Protection Act and carries no guarantee of success. But it’s legal. And then, of course, there is the court order – expensive and time-consuming. But, by definition, it’s legal.

If any organisation can quickly provide you with accurate information about a person’s location, in my opinion, there are only two possibilities and I would welcome any suggestion about any other. Either the information is available publicly (via an official source, or Facebook similar social media site) or it is obtained by questionable, if not downright illegal means. If information is available publicly, then why are organisations hiring private detectives to find it? In my second plug for Act Now this week, you can even go on courses that teach you how to do it yourselves. If information cannot be obtained from a public source, then unless you believe in magic, it’s very hard to understand how it can be sourced quickly and yet also legally. The ICO rightly went after the private investigators here, but nobody should be complacent.

There is a black market in stolen information in the UK, and even the ICO’s admirable efforts here probably only scratch the surface. The problem will not be solved unless organisations stop leaking information, and ask themselves searching questions about how the information they use was obtained.


I see dead people

Before 2010, the ICO operated a brisk production line of undertakings to tackle the self-reported security breaches that came in the wake of the HMRC lost discs fiasco. Now they have the power to issue civil monetary penalties, the production line keeps humming. The obsession with security is such that even CMPs like the ones aimed at Belfast Health and Social Care Trust (which is as much about retention as security or St Georges Healthcare Trust and Stoke on Trent Council (both exclusively about accuracy) are branded as security breaches, as if only one DP principle exists. Enforcement shouldn’t be solely about public sector security, and a few CCTV and private sector wildcards do not change the overall picture.

A glance at their annual report explains why: the ICO has a fixation with figures, statistics, numbers, numbers, numbers, all the livelong day. Self-reported security breaches feed the numbers monster much more efficiently than complex decisions about fairness or adequacy, which have to be sought out before they even are made. All of the principles are breached by all sorts of organisations every day of the week, but because they don’t tell anyone or the ICO doesn’t notice, nothing happens. But wait for people to confess their security SNAFUs, and it’s like shooting fish in a barrel.

This tactic has now tipped into self-parody, with the ICO ensuring that the fish are dead first. In June 2013, Stockport Primary Care Trust was fined £100000 (£80000 if paid on time) for leaving patient records in a vacated building, and NHS Surrey were fined £200000 (£160000 if paid on time) for not controlling their IT contractor. Both organisations were wound up in April 2013, which means that the CMPs were served on successor bodies.

I don’t know why different organisations have inherited responsibility for PCTs, and the ICO doesn’t appear certain, claiming to have fined NHS England for NHS Surrey’s breach in the press release, and the Department of Health in the notice itself. NHS England told me in an FOI response that they asked the ICO to change this, but there is no evidence the ICO wanted to correct their mistake. The confusion is nevertheless irrelevant – neither DoH nor NHS England played any part in the breaches. They are not even real local successors like the Clinical Commissioning Groups where the PCT managers might now be plying their trade. They’re bystanders.

I’d have more respect for the ICO if they enforced the first or sixth DP principles, or didn’t rely almost entirely on the confessional / masochistic tendency in public sector Data Controllers to identify DPA breaches. Nevertheless, if the two former PCTs were open for business, I could not fault the ICO for taking action. But I can only see two main reasons to issue a CMP. The first reason is to educate everyone else. However, the ICO has already issued bigger CMPs for the same issues (£325,000 for Brighton NHS Trust for non-recycled hard drives, £225,000 for Belfast Health and Social Care Trust’s documents in an abandoned building).

The key reason for a CMP is to punish the organisation and in particular, the senior managers who allowed the breach to happen. The CMP recipient in NHS Surrey’s case is the ‘Department of Health Regional Legacy Management Team’ who presumably hold a budget to clean up after the dissolution of the PCTs. But the chief effect of the ICO’s intervention is to recycle some money back to the Treasury – that’s all. No awkward decisions for the PCT board, no hand-wringing in front of the local media – outcomes that concentrate the mind of even the most recalcitrant of managers. NHS Surrey is gone. DoH can legitimately say it’s nothing to do with them, so beyond a few headlines and extra figures for the 2013-14 annual report, what’s the point? It’s probably frustrating to have done the work only to drop the case, but as soon as you know you’re flogging a dead horse, is the effort of finishing the job really worth it? Wouldn’t the ICO staff be better employed going after organisations that are still processing personal data?

Well, funny I should mention that. Perhaps the only valid reason to inject Frankensteinian life into these cadavers can be found when you look at NHS Surrey’s case. According to the ICO,

the Head of the data controller’s IT team was contacted by the Director of a company (the “company”) who was looking for new business


The IT team explained that the hard drives would have to be physically destroyed because they may store confidential medical information. The company’s Director provided an assurance to the IT team that the hard drives would be crushed by an industrial guillotine.”

I want one of those. Having guillotined the hard drives, “the company” would then sell off the other components. On this basis, they did the work for NHS Surrey for free. The Trust’s Information Governance Head was – you’ll be surprised to learn – not involved in the decision. “The company” then received as many as 1500 PCs between 2010 and 2012 before third parties buying hard drives on auction sites revealed that the hard drives were in fact being sold on. Those of you with good memories will remember another hard-drives-on-auction-sites case involved a contractor who was also not paid.

If NHS Surrey still existed, the clowns who agreed to this without a formal contract would deserve a hard time. Even now, the ICO presumably knows who they are, and could name them. Given Christopher Graham’s determination that the CQC three should be outed, one can only wonder that his views on transparency are not more widely understood within Wycliffe House.

Of course, the recycling company would be an appropriate target itself, but as a data processor it is out of the ICO’s enforcement reach. However, if this outfit is still trading and actively touting for business, every actual and potential customer needs to know about their role in this sorry business. Whether the failure to protect the hard drives was a mistake or a deliberate act, the company’s customers need to know whom they are dealing with. If the ICO had picked the NHS Surrey case as a vehicle to name and shame the errant processor, I would have cheered them on. Instead, they go after a dead organisation and give “the company” anonymity.

I asked both the Department of Health and ICO for the names of the company and the director and both refused. The Department of Health refused, citing (perhaps satirically) concerns about the data protection rights of the Director. The ICO relied on Section 44 of the FOI Act, which prevents organisations from breaching existing legal barriers on disclosure. If the law says you can’t disclose, Section 44 kicks in. But the ICO has a problem. The specific legal barrier in their case – Section 59 of the Data Protection Act – does indeed prevent the disclosure of information about any organisation or business obtained as part of an investigation but not if the ICO has ‘lawful authority’ to give it out. So is it all over? Quite simply, no, and I’m challenging both decisions.

Section 59(2)(e) states that, having regard to the right and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest. Without the information being in the public domain, it is impossible for data controllers to comply with the Seventh Data Protection principle, in that they need to find data processors that can give sufficient guarantees of security. It is absolutely necessary and the ICO’s hands are not tied.

In my experience, the ICO treats Section 59 as a no-questions-asked absolute exemption, ignoring the public interest element. Of course, they exercise their own judgement about what to disclose all the time – if Section 59 was an absolute ban, they couldn’t have published much of what was into the CMP notice that kicked this blog off in the first place. But the ICO cannot hide behind Section 59. The Supreme Court has recently had the opportunity to consider the meaning of the word ‘necessary’ in the DPA. In the case of South Lanarkshire Council v Scottish IC [2013] UKSC 55, the Court confirmed that ‘necessary’ need only mean ‘reasonably necessary’ and does not have to be ‘absolutely or strictly necessary’. On this basis, how can anyone say that having regard to the legitimate interests of Data Controllers in the South East and beyond, there is not an overwhelming public interest in making public who the data processor is?

Admittedly, there will be consequences for the company if they are known. Without a credible explanation of what went on, their business would suffer. Even with one, they would be at a great disadvantage when compared to all the disposal companies who had not sold hundreds of their customer’s hard drives on the internet without permission. But the ICO should not tiptoe around this. The company probably could not offer its attractive “free” service if it properly disposed of the drives. But even if disclosure puts them out of business, that’s nobody’s problem but theirs. If processors know that they act with total impunity, what is to stop this organisation or another from making the same mistake again?

The ICO should not lightly divulge information it receives from the organisations it is investigating. There is much that they find out in the course of their enquiries that should legitimately remain secret. But Section 59 is not intended to prevent legitimate disclosures. It does not stop the dissemination of important information that needs airing in the public interest – it is specifically written to allow this. It is, therefore, remarkable that the ICO believes that it is more important for it to issue penalties to phantoms.