Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter“. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH than the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed‘ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets and this probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbin made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

UPDATE (24/8/16): The Information Commissioner has stated that they are “making enquiries” into Virgin’s disclosure of the CCTV images. The two possible enforcement routes available are a monetary penalty or an enforcement notice. The penalty requires the ICO to establish that there has been a serious breach of the Data Protection Act, likely to cause substantial damage or distress, and the data controller (Virgin Trains East Coast) either deliberately set out to breach the DPA, or knew (or ought to have known) that the breach would occur, and that the damage / distress would follow as a consequence. If you think that this incident meets that threshold, would you be interested in buying a used car?

The alternative is an enforcement notice. The enforcement notice can only apply if there is an ongoing breach that the data controller cannot or will not remedy. In other words, if Virgin promised never to disclose CCTV for publicity purposes again, it would be very difficult for the ICO to issue an enforcement notice. It would be disproportionate to take such significant action if it was clear that Virgin would not do the same thing again.

All this may be disappointing to those who wish to see Virgin, and its bearded figurehead, chastised for their assault on the integrity of JC, but this is not a serious breach. The NHS ignored opt-outs from the sharing of medical data for thousands of people over a prolonged period of time, and the worst that happened is that they were asked to sign an undertaking (an unenforceable public promise to behave better) at a time which best suited them in publicity terms. If you think that embarrassing Corbyn is worse than that, you ought to be ashamed of yourself.

The one good thing is that I don’t think the Labour Leader of Stockport Council, who moonlights as a Group Manager at the ICO, will end up dealing with the case. But who knows?

How to succeed in backlogs without really trying

First, two disclaimers.

1) The ICO’s previous FOI backlog was disgraceful, and it developed on Richard Thomas’s watch. Chris Graham and his staff deserve great credit for trying to kill it off. The fact that an organisation can no longer make a decision knowing that they won’t answer for it for two years is a success, and a shorter distance between request and decision is A Good Thing.

2) I am not the first person to complain about the Information Commissioner’s approach to late requests – @FOIMonkey, an applicant called Gordon Spitze and What Do They Know’s Ganesh Sittampalam got there before me.

And now to business. In September 2011, I made an FOI request to a government department. I have not received a response. In November, I requested an internal review on the basis that my original request had not been dealt with. I have not received a response. The department has gone through phases of sending me polite reassurance, promising that they’ll deal with my request soon, but mainly, when I contact them, they ignore me.

If anyone in the department happens to be reading this, can I just pass this on: section 77 of the Freedom of Information Act states that where a record has been requested: “Any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.”

Ahem.

Moving swiftly on, it’s pretty obvious that they are not going to respond to my request. Even a refusal would oblige them to move up to the formal internal review, getting my request closer to the Information Commissioner’s Office on a matter of substance. So eventually, I tired of waiting, and made a complaint to the Information Commissioner’s Office at the end of February about the absence of a response.

And here’s where we get to the problem (well, the other problem). After a short interlude, I received a response telling me that my complaint was not going to be investigated. They promised to write to the Department asking them to respond to my request. They ended by saying “This case has now been closed with the delayed response element showing as ‘withdrawn’ on our records.” Which the more eagle-eyed of my readers will recognise as, to use the technical term, bullshit.

I contacted them to point out that I had not withdrawn my request. The next email came from a manager (always an interesting sign, especially when you haven’t asked for it). In the email, the manager stated that the initial response was incorrect: “we stopped using the phrase ‘withdrawn’ in our correspondence some time ago as we felt it was a term which potentially lacked clarity”. It didn’t lack clarity at all. It was completely clear and totally untrue, and I might add, a potential breach of the Data Protection Act’s fourth data protection principle, which states that personal data should be accurate. It’s inaccurate to say that I have withdrawn my complaint when the ICO has closed it. Those still wanting I-Spy points will notice a subtle distinction in that sentence as well. They stopped using the phrase ‘withdrawn’ in their correspondence, but they didn’t stop marking them as withdrawn. Only when I pressed them did the manager finally confirm that my request was now marked as ‘closed’.

A What Do They Know applicant asked for the withdrawn FOI requests at the end of 2011. Between 2009 and 2011, 2136 requests were ‘Closed – withdrawn informally resolved’ and 2273 were ‘Closed – withdrawn robust’. These internal figures imply that thousands of requests were withdrawn, when my case strongly suggests that they weren’t, possibly across both categories. Was someone trying to create the impression that far more requests are withdrawn than is actually the case? And if so, why? And if I was being paranoid, does the fact that all requests seem to be marked ‘Closed’ affect what I’ve been told?

To complicate matters further, despite the internal figures released under FOI suggesting that 554 were ‘withdrawn robust’, and 652 were ‘withdrawn informally resolved’ in 2011, the Information Commissioner’s Annual Report for 2011 states that of the 4000+ FOI complaints received in 2011, only 2% were ‘withdrawn’. The Annual Report has to be correct as it is submitted to Parliament, and yet when it’s hard to square with the figures released figures under FOI. So what’s going on?

The recipient of my request is not going to answer my request unless someone makes them – it’s obvious that they’re sitting on my request until other matters are resolved. In 2006, when the ICO’s backlog was as long as your arm and contacting them was pointless, I had to write to the Permanent Secretary of the Home Office in similar circumstances to get an endlessly delayed FOI response on ID Cards (full credit to him – he wrote back to me to apologise and I got my response in days, albeit in the negative). Those days are supposed to be gone.

One purpose of killing the backlog is surely to give the Commissioner the ability to intervene quickly and effectively when things are going wrong. But polite letters are useless when dealing with a recalcitrant body and the ICO should stop acting like a shy maiden aunt in such situations. Given that the facts are not in dispute – my antagonists don’t say that my request is invalid, or that they have responded – a decision notice is the only step. To any readers in Wilmslow (some have already outed themselves) – with DP and FOI being the law, you don’t have to ask people to comply with it, you can tell them to. With your powers. Which is what they’re for. Which makes it easier for all the people who are complying already to justify keeping up the good work. Which benefits everyone.

A certain amount of triage is necessary – for example, a complainant might go to the ICO when they haven’t made a valid request, or when they’ve been refused and don’t want to bother with an internal review. The ICO has the power to refuse to deal with FOI complaints if they are frivolous or vexatious. Rather than refusing to deal with entirely legitimate and fundamental complaints about non-response – which flouts the very basis of the Act – maybe they can strike down some of the daft complaints (I’ll write them a list, pro bono, based on the last year’s decisions).

The ICO’s annual report proudly states that 31% of the FOI casework was closed in 30 days or less – but it’s legitimate to wonder how they achieve this. The polite, effectively unofficial letter they sent to my public authority didn’t work and I effectively had to make a second complaint. This is actually a good sign – they didn’t mess me about and because my case was reopened. I know a lot of other applicants who have struggled to get a case reopened so quickly, if at all.

The majority of public authorities don’t need attention from the Commissioner in the first place and it is massively unfair to them for the ICO to molly-coddle the minority. I refer you to the ICO’s feeble strategy towards the Cabinet Office in a huge number of decisions outlined here if you want evidence. Chris Graham talks a good game – he sounds much more convincing than his predecessor when he talks about taking strong action. But recent decision notices show that the hand wringing hasn’t stopped, even with the Cabinet Office (see last paragraph).

It’s obvious that decisions get made must faster than before, and I don’t detect any issue of the quality of decisions getting worse. If anything, it’s the opposite. But nevertheless, the ICO cannot ultimately say that it has slayed the backlog if it doesn’t tackle the most fundamental FOI issue properly, or if there is any suspicion of books being cooked. Preventing big and small public authorities from simply ignoring requests is important. Many of the organisations I train have superb FOI response rates that would shame most Government departments – a more courageous and effective response to the heavy FOI complaints workload would be to dish out some Enforcement Notices to the worst offenders. No Minister or Permanent Secretary wants their department to labour under the discipline of knowing that FOI failures might end in prosecution. As the Commissioner’s own introduction to the ICO Plan says “when we need to enforce, enforce we shall” (his emphasis). Rather than outsourcing bits of their complaints-handling process to complainants, some action to match the rhetoric would be reassuring. An enforcement power is not a toy.

In the absence of a blog post, here’s my spam

I get a lot of 419 spam-hawking people emailing my various accounts, and in the absence of three blog posts I can’t seem to get right (one about Network Rail, a second about the ICO which I really want to make worthy of the title ‘How to Succeed in Backlogs Without Really Trying’, and a third about David Cameron & FOI), I thought I would share this one. In terms of sheer detail and immediacy, I think it’s unsurpassable. If you get better ones, tweet me.

McCARRAN INTERNATIONAL AIRPORT
Las Vegas, Nevada
Airport Shuttle Keeper

Good Day,

Sorry for the delay in this message, On Friday we were checking over some files and packages in the office and we discover an ATM CARD which was addressed to your name, Home address and email (I think it is a winning funds) I believe you can remember a dealing that has to do with some cooperate body or individual about this said funds to be delivered to you through an (ATM CARD) but I do not have idea why it was on hold at our Airport up-to-date.

So we contacted the Authorities and they asked us to get in contact with Senator David Mark, to get an approval to figure out what was in the package, After checking over the ATM CARD, we discovered a total sum of $10,000,000.00 ($10 Million USD) through the router figurative machine who check on balance through the number on the ATM CARD, so we reported back to the Senator David Mark and we were asked to deliver the package to you from this office. (Senator David Mark, Senate President of Federal Republic of Nigeria)

We need you to reconfirm your full name and  Home address if shown as it is on the package we have here.

If you want it to be delivered to you immediately, it will cost you just $225 which is the charges for the insurance certificate and delivery of the ATM CARD meanwhile your funds is safe with our securities service so please have that in mind.

Below is the payment information, payment should be made via money gram or western union and also send us your address as well for the delivery so that it won’t be delivered to the wrong address and someone else will receive a miracle he or she never worked so hard for to get.

NAME: DANIEL OKAH
CITY:  GARKI
STATE:  ABUJA
COUNTRY:  NIGERIA
Amount:  $225

The information above is where the ATM CARD was stopped at McCARRAN INTERNATIONAL AIRPORT in Las Vegas, Nevada.

THIS MAIL IS NOT A SPAM OR SCAM MESSAGE, WE CAN DELIVER YOUR FUNDS TOMORROW IF WE RECEIVED REPLY FROM YOU, I HAVE INCLUDED MY NAME AND MY SSN FOR YOU TO KNOW I AM FOR REAL AND NOT A SCAM IF YOU NEED TO VERIFY ME, SO STOP DEALING WITH ANY BODY IF YOU HAVE SOME SCAMMERS YOU ARE DEALING WITH AND FOCUS ON GETTING YOUR FUNDS HERE IN THE STATES, YOU HAVE BEEN WARNED NOT TO DISCLOSE THIS DEAL TO NO ONE OR ELSE TERMINATION FROM THE HOUSE OF SENATE WILL PENETRATE ON YOUR FUNDS DUE TO THE FACT THAT YOU WERE TRYING TO CONTACT ANOTHER PERSON TO FIND OUT WHAT THIS IS, SO NO MISTAKE OF SUCH WILL BE TOLERATED.

CHARLES SWIDER
Supervisor Manager
MY SSN NUMBER: 016-38-1497
Email: officeoffice272@inteligweb.com.br
For:  Airport Shuttle Keeper

Goodbye Blogger

I have three inflammatory blog posts on the go at the moment and for various reasons I either cannot finish them or cannot post them (if you know me, you will be able to guess why not). So in the meantime, I have decided to jump on the bandwagon leaving Blogger in droves because of Google’s privacy policy.

I’m still not entirely sure how I feel about the Google policy itself, but I don’t want to alienate those who read my blog, and who do feel strongly about it.

I should also apologise for the fact that I am using the same blog theme as Paul Bernal, another fine blogger who made the same journey before I did (http://paulbernal.wordpress.com/). I didn’t know that when I switched to WordPress there would be so few themes I like, and it was either this one, the Chunk one being used by Save FOI (www.savefoi2012.wordpress.com) or the fantastic Saul Bass-inflected ‘Vertigo’ one, which really would go with a movie blog, but is irrelevant to this one. I can’t get the Chunk one to do what I want it to, and this one seems easier. I doubt anyone will think I am passing off, but if you think you’re in the wrong place and wanted to read about privacy, human rights and internet issues written with a sense of humour, you’re in the wrong place. Click on the link for Paul’s blog above. Round here, we take the piss out of the Information Commissioner even when it isn’t called for (it usually is), mouth off without much evidence when privacy and transparency are threatened, and occasionally launch quixotic broadsides against innocent parties like www.whatdotheyknow.com which turn out to be a lot less fun than was expected. Generally it’s an outlet for those days when I am working from home and putting something off.

So while I resolve my fact-checking / defamation issues, why not enjoy some old gold from the 2040 info law blog annals…