National insecurity

In all the furore over the announcement of the Government’s draft Investigatory Powers Bill, one detail caught my eye. The Daily Telegraph published an article by Peter Wanless, Chief Executive of the NSPCC. Mr Wanless was keen that whatever else, we did not forget about the children:

We have heard plenty from groups extolling privacy principles and spies unveiling foiled terrorist threats, but let’s also hear the voices of thousands of children placed in jeopardy while the trade in abusive images continues to flourish

I don’t doubt Mr Wanless’ sincerity in combating the menace of child abuse and exploitation, but I found this a bit odd. How exactly does an article like this come into being? Did Wanless contact the Telegraph, keen to offer his support for the proposed legislation? Was it the other way around, with the Telegraph searching for an appropriately unimpeachable source to back up Theresa May’s plans? Or was it box number three: is it the Home Office who brought the article about, contacting Wanless and asking him to contribute?

You may disagree, but I find the idea of the Home Office persuading charity bosses to back Government policy in the press – especially without acknowledging it in the article – a deeply unattractive proposition. To find out whether this was the explanation, I made an FOI request four weeks ago to the Home Office, asking for correspondence between the Home Office and Wanless on the subject of the new bill.

A day before the deadline, I received an interesting email from the Home Office’s FOI team:

“Although the Act carries a presumption in favour of disclosure, it provides exemptions which may be used to withhold information in specified circumstances. Some of these exemptions, referred to as ‘qualified exemptions’, are subject to a public interest test. This test is used to balance the public interest in disclosure against the public interest in favour of withholding the information. The Act allows us to exceed the 20 working day response target where we need to consider the public interest test fully.”

So far, so not much of a problem: this is an entirely legal move. The deadline can be extended for this reason. The one mistake that organisations often make at this point is not quoting an exemption, as if the public interest test floats free. But this is not what they did:

The information which you have requested is being considered under the exemption in section 23 (1) of the Act, which relates to information supplied by, or relating to, the bodies dealing with security matters.

The first thing to say is that this response appears to confirm that the Home Office has been in correspondence with Mr Wanless about the bill, which is interesting enough in itself (no correspondence, no need for an exemption). However, there are two more interesting elements. On the one hand, the response suggests that the correspondence contains information provided by the security services. Given that Wanless’ article is effectively a PR exercise, this is remarkable, if not scandalous and appalling. On the other hand, Section 23 is not a qualified exemption; it is an absolute exemption and has no public interest test. Either the Home Office don’t understand FOI properly, or they are just spouting legally inaccurate bollocks to avoid responding to my request on time.

Ever keen to help, I emailed the Home Office to point out that Section 23 is an absolute exemption and to enquire whether they in fact meant Section 24 (which applies to national security issues more widely, and does have a public interest test). With remarkable speed, the Home Office replied. I was invited to disregard the original email, and provided with the following explanation:

We apologise for the delay in sending you a substantive response. We always aim to respond to requests within the statutory period under the Freedom of Information Act (FOIA). Unfortunately, due to pressing business and other Ministerial priorities, it is not always possible to do so, and in this instance, we regret that we have not been able to respond within the statutory period.

What to make of it? Is it still reasonable to assume that the Home Office did put Mr Wanless up to it? Am I the first person to receive the phoney Section 23 letter? If they are going to delay replying, doesn’t the Home Office care enough to at least pick an exemption with a PI test, or just go for the old Dransfield Vexatious routine? At the very least, I think it is reasonable to assume that the Home Office is not really considering the use of an exemption, and is merely stalling on what might be an embarrassing answer. If there was a genuine exemption at play, they would have corrected their mistake in the follow-up. If they really did think Section 23 applied, I would have got a refusal.

Whatever happens next, reader, I have a feeling it will be worth looking out for.

The Bad Samaritan

The Samaritans have launched a new tool for the persecution of the vulnerable… Sorry, a nannyish attempt to spy on your friends. No, I mean, they’re trying to use technology to do what real friends would be doing anyway… I’ll try this again. There’s this app they have. You’ve probably heard of it; it runs in the background monitoring the tweets of those you follow on Twitter, and analyses them to look for indications that a person may be in need of support. The Samaritans are convinced it’s marvellous and has no Data Protection or privacy implications.

The Data Protection Act 1998 applies to the processing of any personal data, anywhere by any person. Certain areas are carved out – the use of personal data for national security purposes is inevitably and depressingly exempt, as is the use of data for purely personal, domestic reasons, and to an extent, the use of data for journalism. Beyond that, although the Data Protection principles are flexible, they apply to all uses of personal data.

At no point in the text of the Data Protection Act does it say that personal data that is public or published is exempt from the Act’s provisions. There is no section that says that, and no section that can be interpreted as meaning that. Moreover, I can use the same quote from the Information Commissioner’s Code of Practice on online data that I used in my last blog about the monitoring of blogs:

“If you collect information from the internet and use it in a way that’s unfair or breaches the other data protection principles, you could still be subject to enforcement action under the DPA even though the information was obtained from a publicly available source.”

And “You should only use their information in a way they are likely to expect and to be comfortable with.”

As the Samaritans have claimed that their app is entirely legal and has no Data Protection implications, I am certain that they will have no problem answering the following questions:

Principle 1:

  • No consent is being obtained; which data protection conditions allow the Samaritans to monitor and – crucially – to analyse and interpret the state of mind of Twitter users without consent?
  • How are data subjects to be informed that their tweets are being monitored and – crucially – analysed with a notification to any third party who chooses to register?
  • The first principle requires the processing of data to be ‘fair’: what steps have the Samaritans taken to ensure that those registering to receive notifications via the app have no malicious intentions towards the subject and will not use the notification for malicious purposes?

Principle 2:

  • What assessment has been carried out to ensure that the processing (i.e. attempting to identify the subject’s state of mind in order to notify secretly a third party of that) is compatible with the subject’s original purpose in publication? How is that original purpose identified?

Principle 3:

  • How have the Samaritans established that their gathering of data and analysis of Twitter users’ state of mind is relevant and not excessive?

Principle 4:

  • Principle 4 states that personal data ‘shall’ be accurate for the purpose – there is no qualification to this. How have the Samaritans ensured that the analysis of a Twitter user’s state of mind is accurate when alerting a third party to it?

Principle 6:

  • What provisions have the Samaritans in place to provide the following:
    • Subject Access: data subjects are entitled to know what data is held about them, and who has received it. Will data subjects be told who has received alerts about them if they ask? If not, which exemption applies?
    • Section 10 Right to object to damaging / distressing processing: data subjects have a right to object to damaging processing – will such requests be honoured? If not, why not?
    • Section 12: data subjects have a right to request that any automated processing will be carried out by a human being. Will Section 12 requests be honoured and, if not, why not? How many members of Samaritans staff are available to carry out the analysis?

Principle 7:

  • What technological and organisational security measures are in place to protect the analysis of Twitter users’ state of mind (potentially sensitive personal health data as defined by the Act)?

Principle 8:

  • How have the Samaritans ensured that the sharing of personal data about Twitter users’ state of mind is restricted to the European Economic Area? If it has not been, how is the sharing of information about Twitter users’ state of mind outside the EEA justified under Principle 8?

For the record, I think the 30 day retention period of data (principle 5) may be OK.