ICO News. Have you ever seen a fire station on fire? Or a snow plough stuck in the snow? Read on…

ICO about us1

3rd September 2014

For those who don’t know me, I am, amongst other things, a freedom of information campaigner.  My reason for doing this is simple: well-justified disgust at what seems to be a growing number of power abusing, wayward public bodies, stuffed to the gills with senior level wasters and chancers.

They do exist by the way.  Take it from me.  I’ve met, mingled and worked with these weird, strangely motivated people, until my luck eventually ran out one day in 2003 – and then again in 2009.

My ‘problem’, from their point of view, was I was ‘not marching in step with the rest of the team’.

Which is completely true.  And how unusually perceptive of both employers to arrive separately at this conclusion.

I have what’s regarded as a burden: an unusually strong sense of injustice.  This, coupled with a tendency to open my mouth and make my feelings known, caused me to receive the wrong kind of attention, and ultimately to lose my job at two local councils.

I’m not saying I’m without fault and completely above criticism.  I was a salary / perks / annual holidays slave for 7 years at Wirral Council, and spent 5 long years prostituting myself at Cheshire West and Chester Council – before I finally saw the light.  Unlike most workers though, who plough on regardless without blinking an eye, or who quickly adjust their stride and make a career out of ‘marching in step with the rest of the team’ i.e. abusing, I am not capable of remaining silent or joining in.

Sorry about that.

I’m not condemning all public bodies globally; by no means, but when crooked public servants start flexing their muscles, thieving, lying, abusing their power, empire building, or going the whole hog and making their employees’ or service users’ lives an absolute misery, and then when the heat rises, denying  it all and covering up, I will speak up and expose them.

So, because I’m no longer working full time (I’m completely unemployable now), I write very boring emails to the perpetrators.  It’s what a lot of British people do these days in this ultra-restrained society of ours.  Instead of screaming, “TO HELL WITH IT !!!”, uprooting our lives, arming our families with pitchforks, stripping off, painting our bodies with warpaint and taking to the streets in search of blood and vengeance… we sit for long periods in front of a keyboard, tapping away.

I wrote and sent one of my tedious emails to Wirral Borough Council on 17th April 2013:

https://www.whatdotheyknow.com/request/with_compromise_agreements_not_b

The upshot was the council branded my request ‘vexatious’, and said I’d accused them of lying – ha!

Prior to this, they’d accused me of being ‘obsessive’.  A request can’t be obsessive, but a person can, at least in the minds of WBC’s “team” of highly-qualified solicitors.  So they again smeared me publicly, shut up shop and held on grimly to the public’s information…

bad faith and lying

They’d done this twice before on earlier requests, and as it turned out, I overturned them both times.  They quickly scuttled away, licking their wounds, hoping against hope that this final one would come good and they could finally land a blow against snitches, busybodies and do-gooders (like me) with our mendacious meddling, our vile vexatiousness and our ‘orrible obsessions.

But the council’s monitoring officer let the side down, flattered to deceive once again, and his carefully choreographed campaign of vexation fell to pieces all around him, including the ‘I’d branded them liars’ nonsense.

I had my public victory to enjoy and savour – my hat-trick in the bag.

The ICO loses the plot

A few months back, I’d asked a caseworker at the ICO to draw up a Decision Notice on this long-running “vexatious” case, which would hopefully set out the detail and chart the progress made during its 17 month existence.  I’d been waiting for some time, and at long last, something arrived from them today.

An A4 white envelope dropped onto the doormat.  It was addressed to me.

An A4 cover page summarised the contents of the envelope.  It too was addressed to me.

7 x A4 pages then nestled in my hand (the Decision Notice itself).  This was not addressed to me.  

 data breach definition - 4th September 2014So, there we have it.  Would readers agree that an ICO Decision Notice (a legal document) that contained somebody else’s full address would be ‘confidential data’, and that because I was now viewing it, I would not be authorised to do so?

Would readers also agree that it was an unknown ICO employee who had unintentionally sent me another requester’s address, and had breached the very rules that the ICO is there to enforce?

Perhaps readers will conclude that the regulator of the nation’s data had committed its very own data breach?

Statutory Law applies to all, and even when the offending organisation is the ICO, certain procedures have to be followed in the event of any data breach.

So I’ve now taken steps (within 24 hours, as required) to put the situation right.  I’ve filled in and submitted the following form, attached it to an email and sent it to the ICO:

From: Paul C Sent: 04 September 2014 12:14 To: ‘casework@ico.org.uk’ Subject: FS50516384

FAO [caseworker name redacted]

Dear [caseworker name redacted],

There has been what looks like an unintentional security / data breach, which I discovered yesterday afternoon (3rd September 2014).

Please find a copy of your ‘raising a concern’ form attached,

Best regards,

Paul Cardin

ICO “Raising a Concern” form

ICO security breach notification1

ICO security breach notification2

5th September 2014

The ICO were quick to respond.  Here’s an email, received today:

From: casework@ico.org.uk [mailto:casework@ico.org.uk] Sent: 05 September 2014 14:07 To: Paul C Subject: Acknowledgement (ICO Case FS50516384)[Ref. FS50516384]

5 September 2014

Case Reference Number FS50516384

Dear Mr Cardin Thank you for raising this issue with me. I have referred your letter to the relevant team for investigation, and have advised them that you have requested a response within 28 calendar days.  

Yours sincerely (Case officer name redacted) Case Officer, Information Commissioner’s Office Direct Dial: 01625- etc.

____________________________________________________________________

To which I replied:

From: Paul C Sent: 05 September 2014 15:02 To: ‘casework@ico.org.uk’ Subject: RE: Acknowledgement (ICO Case FS50516384)[Ref. FS50516384]

Dear [Case officer name redacted],

You’re being a little vague here.  Who are ‘the relevant team’ please?

Many thanks,

Paul Cardin

____________________________________________________________________

And he came back with:

From: casework@ico.org.uk [mailto:casework@ico.org.uk] Sent: 05 September 2014 16:30 To: Paul C Subject: ICO FS50516384[Ref. FS50516384]

5 September 2014

Case Reference Number FS50516384

Dear Mr Cardin

I’ve referred it to my Group Manager, Mr White in the first instance, but there is a team that prepare and dispatch the Decision Notices, and I understand it is that team that will be investigating what has happened. Hope that makes more sense, I’m away next week on leave – but you should hear shortly from that team.

Yours sincerely [Case officer name redacted] Case Officer, Information Commissioner’s Office Direct Dial: 01625- etc. 

____________________________________________________________________

Ah, so the people who cocked-up appear to be the “team” to do the investigating.  That’s reassuring.

Good to see that the ICO also employ “teams”, just like Wirral Council – they’re absolutely slewing with the bastards.

Hopefully, they’re all ‘marching in step with each other’.  This has not been easy, so I’m pretty sure they will be…

And finally…

Here’s how the ICO respond when one of their regulated data controllers messes up

ICO assistant commissioner data breach statement

I’ve decided to print a copy of my fellow FoI requester, [name redacted]’s 7 page decision notice.

Here’s a plain language version of it.  But I’ve been forced to redact it, Wirral Council style:

7 pages redacted

 

About Wirral In It Together

Campaigner for open government. Wants senior public servants to be honest and courageous. It IS possible!
This entry was posted in FoI Requests, General. Bookmark the permalink.

12 Responses to ICO News. Have you ever seen a fire station on fire? Or a snow plough stuck in the snow? Read on…

  1. There are two classes of people in the world. Those that are allowed to make “mistakes” and get away with it, and everybody else who are never allowed to makes mistakes ever, are held responsible for every mistake they make, and are held responsible even for the mistakes they didn’t make. The former group are feudal overlords who view everybody else as serfs. The latter are citizens who would prefer to live in a democracy where everyone is held responsible for their actions and the greater the power the greater the responsibility expected.

  2. John Brace says:

    Decision notices are made public. However the name and address of FOI requesters is not.

    The breach is one of data protection in sending you the wrong information. Easily done when you have lots of envelopes to stuff though… I’m puzzled as to why they use post though and not email!

  3. Tim Turner says:

    It’s only a breach if the ICO does not have proper procedures in place, and fail to train their staff to minimise the likelihood of mistakes. If this is simple human error by a single member of staff, and the ICO has done all that it reasonably could to prevent the incident from occurring, then it’s not a breach of the Data Protection Act, it’s an incident. I’m not saying that the ICO has all such necessary measures in place, but flinging the word ‘breach’ around is to prejudge the matter.

    • “If…”

      I’ll fling the word ‘breach’ around as and when I see fit – and if it fits into the majority of available definitions of a data breach, then a data breach it is, in my eyes. This is the ICO, and somebody at the ICO didn’t do their job properly; they failed. Despite any measures that may have been put in place to prevent this person transgressing, transgress they did…. at the ICO of all places. A regulator should be pounced upon if they breach their OWN guidelines. Even if it is, as you generously suggest, human error, or an ‘incident’, it makes them look pathetic.

      I ended up being placed into the position of reading somebody else’s address, when I was not authorised. I now know where this person lives. This third party now knows where I live, and THEY are not authorised. So it’s a double data breach.

      And let’s face it, the ICO are not exactly the most honest bunch of souls that ever graced the halls of a government office are they? So we can assume that if we endeavoured to discover whether they HAD put measures in place to train their staff, we’d get the message back that yes, of course they did. And who’s going to question them? The regulator, oh, silly me, that’s THEM.

      But would we put our house on the chance that they were telling the truth? Of course not… they fib, they dodge, they smear, they hide below the parapet, they lay supine. All the cowards’ attributes are there in spades in corporate form at such institutions. You’d know. You worked there didn’t you once?

      I suspect you’ve been teaching this subject rather too long and it may have warped your grasp on what’s real – real world experiences. There’s a very real world out here. Come and join us, eh!

    • Alan M Dransfield says:

      Human error my ass and when are you going to wake up and exit the ICO bed?

  4. Tim Turner says:

    Making a mistake isn’t a breach of the legislation. The Data Protection Act is legislation and not ‘guidelines’. The ICO’s guidance doesn’t say that staff can’t make a mistake. The ICO isn’t a Government office (Yeah, cheers for nit-picking this crucial technicality…Ed). Most importantly, an incident isn’t a breach: in the real world, it’s just an incident. Stuff happens. (In the real world, someone who knows my address can now come round to ours and threaten me, or I can go round to his and abuse him – consequences dear boy, consequences – a situation stupidly enabled by “The protector of the nation’s data and information”…Ed)

    • John Brace says:

      I took a politician and his party to court over an alleged breach of s.7 . The Deputy Judge agreed with me and granted me a court order.

      At that stage would you say it’s a breach as the “incident” has been ruled on by a court?

      A lot of the data protection provisions are civil, not criminal matters, therefore it’s balance of probabilities proof and not criminal standards of proof, the latter of which includes intent.

  5. Tim Turner says:

    Breaches of S7 are easy to identify as S7 is fairly concrete. You’re entitled to information subject to a few specific elements / exemptions. One wouldn’t need a court to work out that an organisation that failed to disclose a person’s personal data without a legitimate reason had breached S7. However, Mr Cardin’s ‘breach’ is evidenced solely by a document being in the wrong envelope (Two documents in two wrong envelopes – Ed). From the outside, it’s impossible to say whether that is an incident or a breach because what the Data Controller (i.e. the Commissioner) is required to do in this context is less concrete. If (important word “if” – Ed) they have appropriate measures in place, they haven’t breached the Act. Mr Cardin may be right to guess that the ICO doesn’t such measures in place and he may be right that they wouldn’t admit it if they didn’t. His strong opinion, however, isn’t the same as fact. We know there has been an incident. We don’t know there has been a breach.

    Mr Cardin may luxuriate in the happy position of never making mistakes himself, but the rest of us are mere mortals, and it’s an incredibly high standard by which he judges us all.

    • John Brace says:

      I disagree with you over s.7 being simple. This case involved financial loss that was incurred to the person as a result of the s.7 breach.

      Essentially three elements had been requested in the subject access request, the answer given by the defendants were:

      a) one element related to an unrecorded telephone call between two defendants
      b) one element related to an email where a claim of legal professional privilege (an email)
      c) one element related to an email to two of the defendants which had been deliberately deleted.

      Although a court order was granted, the information supplied in response to it related to a different time period to the s.7 request, which is technically contempt of court.

      In the case of (b) and (c) the defendants wouldn’t show the Deputy Judge the information requested.

      It took 2 hearings over eight months.

      Hearing 1 (half an hour) (an undefended application to change the defendants back to the original two) as one of the two defendants wanted to change the two defendants in the case to a former employee (who’s since been made a Lord)

      Hearing 2 (two hours) as one of the two defendants (a politician) actually turned up with someone else too.

      Documents had been served by the defendants on the court (a defence and an email) but not on the Claimant in a breach of court rules. These things (as well as the 22 or so pages in the bundle) are why things take so long and make them complex.

      If it had been undefended and not involved a financial loss I agree with you that proving a “strict liability” case should be a simple matter lasting 4 months at most with minimal court time. However attempts were made to derail things by one of the two defendants…

  6. It’s tough never making mistakes and being right all the time, but I get by, haha.

    e.g. I think I’m right in saying, “It’s wrong, morally wrong, to accept large sums in public money from a council you know has been deliberately and repeatedly abusive towards learning disabled people over a period of several years.”

    My elevated status above mere mortals means I know that I would never seek or accept work from, or work for someone else who has “taken the abusers’ coin” (repeatedly).

    But… Tim Turner knows better! Sod the learning disabled abuse; the promise of cash-a-plenty; the perks; the inducements; the security; the networking; the annual leave… they all have a certain draw – a certain magnetic quality. Here is your link:

    https://wirralinittogether.wordpress.com/2014/03/05/it-pays-well-to-train-councils-in-information-governance-dp-foi-ripa/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s