National insecurity

In all the furore over the announcement of the Government’s draft Investigatory Powers Bill, one detail caught my eye. The Daily Telegraph published an article by Peter Wanless, Chief Executive of the NSPCC. Mr Wanless was keen that whatever else, we did not forget about the children:

We have heard plenty from groups extolling privacy principles and spies unveiling foiled terrorist threats, but let’s also hear the voices of thousands of children placed in jeopardy while the trade in abusive images continues to flourish

I don’t doubt Mr Wanless’ sincerity in combating the menace of child abuse and exploitation, but I found this a bit odd. How exactly does an article like this come into being? Did Wanless contact the Telegraph, keen to offer his support for the proposed legislation? Was it the other way around, with the Telegraph searching for an appropriately unimpeachable source to back up Theresa May’s plans? Or was it box number three: is it the Home Office who brought the article about, contacting Wanless and asking him to contribute?

You may disagree, but I find the idea of the Home Office persuading charity bosses to back Government policy in the press – especially without acknowledging it in the article – a deeply unattractive proposition. To find out whether this was the explanation, I made an FOI request four weeks ago to the Home Office, asking for correspondence between the Home Office and Wanless on the subject of the new bill.

A day before the deadline, I received an interesting email from the Home Office’s FOI team:

Although the Act carries a presumption in favour of disclosure, it provides exemptions which may be used to withhold information in specified circumstances. Some of these exemptions, referred to as ‘qualified exemptions’, are subject to a public interest test. This test is used to balance the public interest in disclosure against the public interest in favour of withholding the information. The Act allows us to exceed the 20 working day response target where we need to consider the public interest test fully.”

So far, so not much of a problem: this is an entirely legal move. The deadline can be extended for this reason. The one mistake that organisations often make at this point is not quoting an exemption, as if the public interest test floats free. But this is not what they did:

The information which you have requested is being considered under the exemption in section 23 (1) of the Act, which relate to information supplied by, or relating to, the bodies dealing with security matters.

The first thing to say is that this response appears to confirm that the Home Office has been in correspondence with Mr Wanless about the bill, which is interesting enough in itself (no correspondence, no need for an exemption). However, there are two more interesting elements. On the one hand, the response suggests that the correspondence contains information provided by the security services. Given that Wanless’ article is effectively a PR exercise, this is remarkable, if not scandalous and appalling. On the other hand, Section 23 is not a qualified exemption; it is an absolute exemption and has no public interest test. Either the Home Office don’t understand FOI properly, or they are just spouting legally inaccurate bollocks to avoid responding to my request on time.

Ever keen to help, I emailed the Home Office to point out that Section 23 is an absolute exemption and to enquire whether they in fact meant Section 24 (which applies to national security issues more widely, and does have a public interest test). With remarkable speed, the Home Office replied. I was invited to disregard the original email, and provided with the following explanation:

We apologise for the delay in sending you a substantive response. We always aim to respond to requests within the statutory period under the Freedom of Information Act (FOIA). Unfortunately, due to pressing business and other Ministerial priorities, it is not always possible to do so, and in this instance, we regret that we have not been able to respond within the statutory period.

What to make of it? Is it still reasonable to assume that the Home Office did put Mr Wanless up to it? Am I the first person to receive the phoney Section 23 letter? If they are going to delay replying, doesn’t the Home Office care enough to at least pick an exemption with a PI test, or just go for the old Dransfield Vexatious routine? At the very least, I think it is reasonable to assume that the Home Office is not really considering the use of an exemption, and is merely stalling on what might be an embarrassing answer. If there was a genuine exemption at play, they would have corrected their mistake in the follow-up. If they really did think Section 23 applied, I would have got a refusal.

Whatever happens next, reader, I have a feeling it will be worth looking out for.

Eye in the sky

There’s nothing that says ‘Silly Season’ more than a Twitterstorm about a photograph of the top of a comedian’s head. After the National Police Air Service (NPAS) tweeted an image of the comedian Michael McIntyre, inviting their followers to guess who it was (it was Michael McIntyre), a variety of human rights lawyers, legal commentators, data protection experts and morons weighed in to give their view. In itself, the incident was not significant and seemingly no harm was done to Mr McIntyre. However, there are serious questions to be answered here. While I could forgive the Information Commissioner for brushing it off as a lot of fuss about nothing, they shouldn’t.

Firstly, it is a Data Protection breach to tweet a photograph of an individual in such circumstances. If you are new to this blog (Hi, how are you, that’s a lovely item of clothing you have on), then you might not understand my impatience with the argument that McIntyre was in public and therefore DP does not apply, McIntyre has no expectations of privacy, blah, blah, stupid blah. I’ve dealt with it many times before. Data Protection applies whenever personal data is gathered: filming someone in the street is less intrusive and therefore less likely to breach the DPA fairness and excessive provisions than filming someone in the shower, but the law still applies.Data Protection always requires the person gathering the data to meet a data protection condition. Nothing in the Act removes this requirement if the data is gathered from a public place, which is why the Information Commissioner has published detailed codes of practice on public space CCTV since the current DPA’s inception, and has had to revise it significantly twice because of CCTV’s complexity. If you don’t agree, tell me in the comments which section of the Act says that I am wrong.

While I am writing this, Radio 4’s Today programme is covering the story, and John Humphrys has just asked the crucial question: “what on earth does this have to do with policing?“. That’s what makes it a breach, because the answer is ‘nothing’. Policing organisations have wider scope to process personal data than other bodies, but only for national security and crime prevention & detection. Celeb-spotting comes under neither heading. NPAS would need to demonstrate that tweeting a picture of McIntyre was fair, lawful, and was necessary for a legitimate interest causing no unwarranted harm to McIntyre’s interests (the only data protection condition for processing that would apply here. They would have to show that the use of personal data outside the original policing purpose (which is what they’re up there for) was not incompatible. They would need to demonstrate that the use of McIntyre’s image was relevant to the policing purpose and not excessive. If you’re wondering, what I’m doing here is simply running through the Data Protection principles, and I’ve got multiple breaches just from the first three.

Even this innocuous image could have caused harm. The woman standing next to McIntyre in the picture is his publicist and they were leaving Global Radio’s studios after an interview. But what if NPAS inadvertently tweeted a picture of a celebrity and the person they were having an affair with? In 1995, CCTV operators in Brentwood Council once saw a man walking down the street carrying a knife and contacted the police. After the incident was resolved, Brentwood proudly shared images of the man to show how their CCTV system had tackled a dangerous individual, and his identity was subsequently revealed in the media. Except that Mr Peck wasn’t a danger to anyone but himself, and the Council obliged Mr Peck to reveal the details of his suicide attempt to family and friends who may not otherwise have known, as well as effectively libelling him. After eight years, Mr Peck rightly won a privacy case at the European Court of Human Rights. Bodies with the power to watch and record us should not casually toss images of us around without a proper justification.

I have wider concerns. If NPAS are merrily spotting celebrities and tweeting the results to thousands of people, what else are they doing? What do they do if they spot someone that they know? Will we get down-top shots of young women? Fat-shaming tweets if they see someone who is massively obese? The ICO’s CCTV Code of Practice places a strong emphasis on the requirement for CCTV operators to receive detailed training, but this casually intrusive incident doesn’t suggest that it’s working. In fact, I suspect that this incident is the tip of an iceberg that goes very deep. We’ve already seen police CCTV operators jailed for voyeurism; if the police don’t treat their surveillance with single-minded professionalism, that’s where this will end up. The tweet has been deleted, but if someone somewhere isn’t investigating what else has gone wrong, they should be.

The question of who should be doing that is a good one. NPAS describes itself as “a truly national (England and Wales) policing service“. It is hosted by West Yorkshire Police, but provides air support to all police forces in England and Wales. When scouring the skies of London for stand-up comedians, it is clearly providing a service to the Metropolitan Police. There are therefore a range of possibilities as to who is responsible, in Data Protection parlance, who is the Data Controller? Is NPAS a data processor for each force, in which case Met Police should answer for what happened here (and more importantly for the other more serious breaches of DP that I suspect have occurred). Is NPAS a data controller jointly with the Met Police, so they are both responsible? This is my guess, but my esteemed colleague Jon Baines has already noted that NPAS hasn’t completed a Data Protection notification, which if they are a Data Controller would be a criminal offence. If NPAS is a processor for the forces, each one of them would need to subject NPAS to a legally binding contract meeting all of the requirements of the 7th Data Protection principle. It’s a mess, but not one that the forces and Information Commissioner should be allowed to ignore.

I have already met a few people on Twitter whose knee-jerk understanding of Data Protection convinces them that this is nonsense. It’s not a breach, it’s not even personal data. It’s all in the public domain, and there’s nothing to see here but Michael McIntyre’s head. If those people are happy with this, they’re saying that the next time they furtively pick their nose, adjust their balls or their boobs while nobody is looking, or just walk down the street minding their own business, the police can record it and broadcast it to the world, and that’s just fine. I don’t think they should be allowed to make that decision for everyone else.