Tales from the Crypt

If you don’t work in local government, you may never have encountered the Local Government Ombudsman, an organisation devoted to giving nutcases somewhere to grind their axes investigating possible maladministration in councils. The scope of the LGO’s work includes everything that councils do, but inevitably many complaints are about the most sensitive areas: child protection, looked after children, adoption, and adult social care. In dealing with complaints from the public, the LGO gets access to genuinely and (in Data Protection terms) legally sensitive information. Inevitably, given that councils have been the target of more ICO civil monetary penalties than any other sector, largely because councils are dumb enough to keep dobbing themselves in to Wilmslow, many are keen to use the most secure way of sending this confidential data to the Ombudsman.

It may seem odd, therefore, that the LGO sent an email to councils last month, containing the following message:

Encrypt or not to encrypt – that is the question …..

We’ve had a number of issues accessing encrypted emails which have been sent to us by councils. Whilst we appreciate that your information security policy may dictate how you send information to us, if there is any discretion please only send encrypted emails when it’s absolutely necessary.

Someone mentioned the gist of it to me, but I made an FOI request to the LGO to be certain that they really were sending out such a daft message. The LGO’s Information and Records Manager rather sweetly explained in their response to me that “our intention in sending this request was to discourage councils encrypting emails that contain no sensitive personal or confidential data. Of course, if councils are sending sensitive personal data we would expect them to encrypt it – as we would do ourselves”. This is a useful piece of context for someone asking for the information under the auspices of FOI. However, this isn’t what they said to the numerous council link officers who received the email, and who were expected to act upon its contents. It’s almost the opposite.

Encrypting devices within an organisation is an easier proposition, as all the devices and connecting software are already part of the same system. The problem with encrypting email is undoubtedly that it involves different systems and protocols butting heads in the attempt to make a connection. The LGO pointed out to me that their case management system contains its own email system which can make receipt of an encrypted email difficult. But this is the LGO’s problem and nobody else’s. Councils have no choice about whether to supply data – one of the ‘key facts’ about the LGO on their website is that “We have the same powers as the High Court to obtain information and documents“. Given the ICO’s historic fondness for fining the sector for data security lapses, if councils opt for encryption by default, they should be applauded, especially by the organisation set up to investigate their conduct.

This will inevitably pose problems for the LGO internally, but the solution to this is not to encourage councils to reverse sensible changes in behaviour that another regulator has been pushing them into. They are a regulator whose job it is to deal with a diverse and multilayered sector with widely disparate cultures and practices, and they have to be capable of swallowing the inconvenient implications of this. However difficult it might be to cope with, especially without the clarification provided to me in my FOI response (and as far as I know, to no-one else), the LGO’s current advice is damaging and unsafe. Councils should ignore it, and the LGO should withdraw it.

Concerns

At the end of July, the Information Commissioner issued a Civil Monetary Penalty on Think W3, an online travel company. Think W3 had flawed security and audit processes, and when a hacker gained access to Think W3’s customer data via a subsidiary company, the ICO (I think reasonably) concluded that the flawed framework was to blame. Think W3 received a Civil Monetary Penalty of £150,000.

When the ICO published the notice on their website, on page 3 of the notice, a sentence or two was tantalisingly redacted. My friend and fellow blogger Jon Baines wrote about the case at the time, noting in particular that Think W3 were not a random small travel company, but a wholly owned subsidiary of Thomas Cook. Thomas Cook bought the company in 2010 and sold it in January this year. The ICO made no mention of Thomas Cook, but Jon made short work of identifying the connection. He suggested to me that perhaps the missing sentence in the CMP was a reference to the parent company, and so I decided to make an FOI request to the Commissioner to find out whether he was right.

The ICO responded (by remarkable coincidence, on the last of the available 20 working days) by providing me with the redacted information:

Both companies were part of the Thomas Cook Group at the time of the below mentioned incident until they were sold on 24 January 2014.

As always, the ICO was unable to leave it at a bald answer (hint to FOI officers, less is often more). They explained the redaction as follows:

“The information was redacted following concerns raised by Thomas Cook, about its inclusion. The concerns focused on the fact that Thomas Cook considered it to be irrelevant and potentially prejudicial. They have said that Think W3 Ltd operated independently of other companies in the Thomas Cook Group and the system that was the subject of the security breach was in no way connected to the systems used in any other part of the Thomas Cook Group. Further, that the Essential Travel computer system that was the subject of the security breach was a legacy system that was used by Think W3 Ltd/Essential Travel before those companies became part of the Thomas Cook Group in 2010 and that system has at no time been connected to the systems used by any other part of the Thomas Cook Group.

As these concerns were only raised at a time when the civil monetary penalty notice was final and could not be altered, the information could not be removed, but had to be redacted.”

My request was made on the same day that the notice was published, and the response was provided to me within a calendar month. If disclosure is not prejudicial now, it was not prejudicial then. As I said above, it took Mr Baines minutes to make the connection between Think W3 and Thomas Cook, so any notion of prejudice is fanciful. Moreover, Thomas Cook’s claim that their ownership of the company at the time of the breach is “irrelevant” is twaddle. For one thing, Thomas Cook owned the errant company during the time of the incident and more importantly, during the period when their security was inadequate. They also paid the CMP, which makes their claim of irrelevance an insult to our collective intelligence.

Crucially, no matter how independently Thomas Cook allowed Think W3 to operate, what happened in Think W3 reflects on Thomas Cook. The public – providing their data to the range of companies owned by the group – are entitled to know that Thomas Cook do not check whether proper controls are in place in its members. The ICO should have rejected these wholly spurious claims out of hand, and instead, they meekly complied: the information “had to be redacted“.

There are two important reasons why these redactions run entirely counter to what the ICO should be about. Firstly, there are quite a few of us who believe that the ICO’s enforcement of the Data Protection Act is unfairly skewed against the public sector. Out of dozens of Data Protection CMPs since 2010, only a handful have been against private sector companies. Nevertheless, senior figures in the ICO cling to the idea that ‘market forces’ play a part in deterring organisations from misusing our data. Personally, I don’t believe them, but editing the notice prevents the ICO’s own pet theory from being tested. Market forces cannot be influenced as the ICO wishes if they themselves hide the information.

The other problem is that the ICO is not just the regulator of Data Protection, but also of Freedom of Information. Instead of championing openness and transparency, the ICO cravenly removed the Thomas Cook reference when there was no reason to do so other than Thomas Cook’s (pointless) sensitivities. There was no exemption under FOI (as my request demonstrated), just a regulator all too keen to accommodate big data controllers. Indeed, although they have told me what they removed, the redacted notice is, at the time of writing, still on the website.

This is far from the first time the ICO has issued a redacted CMP notice, and it probably won’t be the last. But this one demonstrates that the reasoning behind such censorship is flawed, and we should be quick to ask questions when they do it again.

I see dead people

Before 2010, the ICO operated a brisk production line of undertakings to tackle the self-reported security breaches that came in the wake of the HMRC lost discs fiasco. Now they have the power to issue civil monetary penalties, the production line keeps humming. The obsession with security is such that even CMPs like the ones aimed at Belfast Health and Social Care Trust (which is as much about retention as security) or St Georges Healthcare Trust and Stoke on Trent Council (both exclusively about accuracy) are branded as security breaches, as if only one DP principle exists. Enforcement shouldn’t be solely about public sector security, and a few CCTV and private sector wildcards do not change the overall picture.

A glance at their annual report explains why: the ICO has a fixation with figures, statistics, numbers, numbers, numbers, all the livelong day. Self-reported security breaches feed the numbers monster much more efficiently than complex decisions about fairness or adequacy, which have to be sought out before they can even be made. All of the principles are breached by all sorts of organisations every day of the week, but because they don’t tell anyone or the ICO doesn’t notice, nothing happens. But wait for people to confess their security SNAFUs, and it’s like shooting fish in a barrel.

This tactic has now tipped into self-parody, with the ICO ensuring that the fish are dead first. In June 2013, Stockport Primary Care Trust was fined £100000 (£80000 if paid on time) for leaving patient records in a vacated building, and NHS Surrey were fined £200000 (£160000 if paid on time) for not controlling their IT contractor. Both organisations were wound up in April 2013, which means that the CMPs were served on successor bodies.

I don’t know why different organisations have inherited responsibility for PCTs, and the ICO doesn’t appear certain, claiming to have fined NHS England for NHS Surrey’s breach in the press release, and the Department of Health in the notice itself. NHS England told me in an FOI response that they asked the ICO to change this, but there is no evidence the ICO wanted to correct their mistake. The confusion is nevertheless irrelevant – neither DoH nor NHS England played any part in the breaches. They are not even real local successors like the Clinical Commissioning Groups where the PCT managers might now be plying their trade. They’re bystanders.

I’d have more respect for the ICO if they enforced the first or sixth DP principles, or didn’t rely almost entirely on the confessional / masochistic tendency in public sector Data Controllers to identify DPA breaches. Nevertheless, if the two former PCTs were open for business, I could not fault the ICO for taking action. But I can only see two main reasons to issue a CMP. The first reason is to educate everyone else. However, the ICO has already issued bigger CMPs for the same issues (£325,000 for Brighton NHS Trust for non-recycled hard drives, £225,000 for Belfast Health and Social Care Trust’s documents in an abandoned building).

The key reason for a CMP is to punish the organisation and in particular, the senior managers who allowed the breach to happen. The CMP recipient in NHS Surrey’s case is the ‘Department of Health Regional Legacy Management Team’ who presumably hold a budget to clean up after the dissolution of the PCTs. But the chief effect of the ICO’s intervention is to recycle some money back to the Treasury – that’s all. No awkward decisions for the PCT board, no hand-wringing in front of the local media – outcomes that concentrate the mind of even the most recalcitrant of managers. NHS Surrey is gone. DoH can legitimately say it’s nothing to do with them, so beyond a few headlines and extra figures for the 2013-14 annual report, what’s the point? It’s probably frustrating to have done the work only to drop the case, but as soon as you know you’re flogging a dead horse, is the effort of finishing the job really worth it? Wouldn’t the ICO staff be better employed going after organisations that are still processing personal data?

Well, funny I should mention that. Perhaps the only valid reason to inject Frankensteinian life into these cadavers can be found when you look at NHS Surrey’s case. According to the ICO,

“the Head of the data controller’s IT team was contacted by the Director of a company (the “company”) who was looking for new business”

and

“The IT team explained that the hard drives would have to be physically destroyed because they may store confidential medical information. The company’s Director provided an assurance to the IT team that the hard drives would be crushed by an industrial guillotine.”

I want one of those. Having guillotined the hard drives, “the company” would then sell off the other components. On this basis, they did the work for NHS Surrey for free. The Trust’s Information Governance Head was – you’ll be surprised to learn – not involved in the decision. “The company” then received as many as 1500 PCs between 2010 and 2012 before third parties buying hard drives on auction sites revealed that the hard drives were in fact being sold on. Those of you with good memories will remember that another hard-drives-on-auction-sites case involved a contractor who was also not paid.

If NHS Surrey still existed, the clowns who agreed to this without a formal contract would deserve a hard time. Even now, the ICO presumably knows who they are, and could name them. Given Christopher Graham’s determination that the CQC three should be outed, one can only wonder that his views on transparency are not more widely understood within Wycliffe House.

Of course, the recycling company would be an appropriate target itself, but as a data processor it is out of the ICO’s enforcement reach. However, if this outfit is still trading and actively touting for business, every actual and potential customer needs to know about their role in this sorry business. Whether the failure to protect the hard drives was a mistake or a deliberate act, the company’s customers need to know whom they are dealing with. If the ICO had picked the NHS Surrey case as a vehicle to name and shame the errant processor, I would have cheered them on. Instead, they go after a dead organisation and give “the company” anonymity.

I asked both the Department of Health and ICO for the names of the company and the director and both refused. The Department of Health refused, citing (perhaps satirically) concerns about the data protection rights of the Director. The ICO relied on Section 44 of the FOI Act, which prevents organisations from breaching existing legal barriers on disclosure. If the law says you can’t disclose, Section 44 kicks in. But the ICO has a problem. The specific legal barrier in their case – Section 59 of the Data Protection Act – does indeed prevent the disclosure of information about any organisation or business obtained as part of an investigation but not if the ICO has ‘lawful authority’ to give it out. So is it all over? Quite simply, no, and I’m challenging both decisions.

Section 59(2)(e) states that, having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest. Without the information being in the public domain, it is impossible for data controllers to comply with the Seventh Data Protection principle, in that they need to find data processors that can give sufficient guarantees of security. It is absolutely necessary and the ICO’s hands are not tied.

In my experience, the ICO treats Section 59 as a no-questions-asked absolute exemption, ignoring the public interest element. Of course, they exercise their own judgement about what to disclose all the time – if Section 59 was an absolute ban, they couldn’t have published much of what went into the CMP notice that kicked this blog off in the first place. But the ICO cannot hide behind Section 59. The Supreme Court has recently had the opportunity to consider the meaning of the word ‘necessary’ in the DPA. In the case of South Lanarkshire Council v Scottish IC [2013] UKSC 55, the Court confirmed that ‘necessary’ need only mean ‘reasonably necessary’ and does not have to be ‘absolutely or strictly necessary’. On this basis, how can anyone say that, having regard to the legitimate interests of Data Controllers in the South East and beyond, there is not an overwhelming public interest in making public who the data processor is?

Admittedly, there will be consequences for the company if they are known. Without a credible explanation of what went on, their business would suffer. Even with one, they would be at a great disadvantage when compared to all the disposal companies who had not sold hundreds of their customers’ hard drives on the internet without permission. But the ICO should not tiptoe around this. The company probably could not offer its attractive “free” service if it properly disposed of the drives. But even if disclosure puts them out of business, that’s nobody’s problem but theirs. If processors know that they act with total impunity, what is to stop this organisation or another from making the same mistake again?

The ICO should not lightly divulge information it receives from the organisations it is investigating. There is much that they find out in the course of their enquiries that should legitimately remain secret. But Section 59 is not intended to prevent legitimate disclosures. It does not stop the dissemination of important information that needs airing in the public interest – it is specifically written to allow this. It is, therefore, remarkable that the ICO believes that it is more important for it to issue penalties to phantoms.

We Take Public Relations Very Seriously

This week, the Information Commissioner’s Office issued its latest Data Protection civil monetary penalty, a £150,000 fine on Greater Manchester Police following the theft of an unencrypted pen-drive. The police perspective was available via the Manchester Evening News, in a comment from Assistant Chief Officer Lynne Potts:

This was very much an isolated incident. We take all matters relating to the storage of data very seriously and have stringent measures in place to ensure the safe storage of data.

I was the Data Protection officer in an organisation that suffered a DP breach. These were not the days of hundred thousand pound CMPs, but we were still under a lot of pressure and the local media circled around the story with thinly disguised glee. You couldn’t blame them – a stolen laptop is a lot more newsworthy than the usual fodder of shed fires and pub fights. Throughout, our PR department’s aim was to put forward the corporate perspective and try to see that what was reported was accurate. The only disagreement I had with them during the whole process was when the first press statement was issued about the incident. It was entirely unobjectionable, apart from one thing. They wanted to say at the end: “We take Data Protection very seriously”.

I thought it was a stupid time to say this. The current evidence was that we didn’t and the public would be entitled to point this out. The sentence would be more accurate if it read “We usually take Data Protection very seriously” or “We take Data Protection very seriously, but not seriously enough on this occasion”. I felt that a simple statement about what had happened and what we were doing about it was the right approach. Anything else was like the PR Department of Chernobyl shooting out a press release one day after the isolated incident about how seriously they take nuclear safety. But I was told that it is vital in PR terms to include what was described as the “reassurance statement”.

I don’t know if this term is widely in use, but the technique is evident everywhere. Every time some Data Protection or Privacy SNAFU comes sliding into view, it will be followed by the reassurance statement. We may have sent your private information to someone else, stored it on an unencrypted device, published it on the internet, or left it down the side of your house. We may have put it on hard drives that we asked a sub-contractor who we don’t know to dispose of for free. We may have loaded data about nearly half of the population onto CDs and lost them somewhere. We may have driven, uninvited, around streets slurping up your emails via Wi-Fi in every country that has roads. But We Take Data Protection Very Seriously.

I’ve rarely been to an organisation that didn’t give a toss about Data Protection. The quality of compliance varies wildly, the understanding of its implications even more so. In my experience, DP is not the same as FOI, where the reassurance statement of “I’m a big supporter of FOI / transparency” is sometimes just a barefaced lie – a bit of Pinocchio magic could have turned some of the Justice Select Committee’s post-legislative scrutiny into a jousting match. Organisations generally do take DP seriously, but when things go wrong, they find it very difficult to admit that a serious mistake has been made and to say that they’ll do their best to put things right.

If the statement said “We’re really sorry about this cock-up, and we’re going to do lots of practical things to see if we can stop it from happening again, or at the very least, make it less bad if it does”, I would not be writing this blog, and I would be much more reassured that GMP takes all matters relating to the storage of data very seriously.

If the “isolated incident” is the one where the officer left his back door open, a man walked into his house and stole his car keys, his wallet and then his car, and the wallet contained an unencrypted pen-drive containing the names and other identifiers of members of the public who had reported concerns about drug-dealing to the police, then yes, I’ll buy that. I bet that doesn’t happen every day. But if the isolated incident is the unsafe storage of data, which GMP takes “very seriously”, then Potts’ statement (which I assume was written by someone in PR) is anything but reassuring. The Information Commissioner’s monetary penalty notice makes clear that an amnesty that took place in the force after the incident recovered more than a thousand unencrypted devices, and a previous similar incident in 2010 had not led to improvements in data security. The unencrypted drive wasn’t an isolated incident; it was evidence of a systemic problem with data security that affected the entire force.

Most of the time, the ‘Very Seriously’ press statement is harmless bullshit. It’s just a sentence on the end of a press release, something to fill the space between the adverts. But combined with the nonsense about an ‘isolated incident’, GMP’s words ring hollow. Either they don’t understand what they’ve been fined for or they’re trying to massage the truth to avoid an embarrassing headline, which turns out to be a complete waste of time and insults the intelligence of readers. A glance at the comments on the MEN news story suggests that no one was convinced, although one contributor perhaps left logic behind in the midst of their outrage: “Someone high up in the force is ultimately responsible. They should be dealt with. Hung, drawn and quartered, then put before a court.”

Compared to the delusional hubris of the most reckless CMP recipients, GMP’s PR waffle could have been a lot worse. I would bet that there are people in the force who, behind this smokescreen, are diligently putting things right if they haven’t done so already. But in every organisation I have ever worked, there have been far more PR officers than Data Protection or IG staff and I bet that GMP is the same. Perhaps some of those people could be more usefully employed taking action to prevent problems, rather than reassuring us about how seriously those problems are taken.

UPDATE: in the same week, an unfortunate incident is reported to have afflicted a housing organisation (to be fair to them, it’s as likely to be human error as anything else). But what do we find in their statement?