Proving Identity and Privacy – Scottish Consultation Paper

The Scottish government has recently published a consultation paper on certain draft identity management and privacy principles. The draft principles have been developed with a view to ensuring that public services in Scotland are better placed to manage the process of proving identity (e.g. in the case of benefit claims) in a way that protects individual privacy. The deadline for responses is 23 November 2009.

Reforming the Information Tribunal

A letter was circulated yesterday (4th August) to “stakeholders” of the Information Tribunal, giving information about the implications for the Information Tribunal of the new unified tribunal structure.

The new structure involves a system of First Tier tribunals and Upper Tribunals. The Information Tribunal will be one of a number of tribunals that transfer into the General Regulatory Chamber (GRC), one of the First Tier tribunals.

According to the letter, from January 2010 information rights cases will generally be heard in the GRC, with an appeal to the Administrative Appeals Chambers of the Upper Tribunal on a point of law. However, in some circumstances cases will be heard in the first instance in the Upper Tribunal. This will be where the appeal is complex, unusual, or particularly important. In addition, national security appeals (under section 28 of the Data Protection Act 1998 or section 60 of the Freedom of Information Act 2000) will go straight to the Upper Tribunal.

The procedural rules for those tribunals moving into the GRC in September 2009 have now been finalised and laid before Parliament. This includes the Charity Tribunal, the Estate Agents Appeals Panel and the Consumer Credit Appeals Tribunal. For those jurisdictions moving to the GRC in January 2010 – including the Information Tribunal – any further specific procedural rules will be added by amendment once Parliament has approved the transfer. Approval is expected later this year.

Podcast on employment vetting

Thanks to CPDcast, I have recently recorded a podcast on the subject of employment vetting.  It deals with various subjects, including CRB checks and the new ISA barring regime.  If you want to listen, it’s available here.  I hope to be able to post a code here in a few days (with the agreement of CPDcast) which will enable readers of this blog to listen for free.  It’s also worth looking at the rest of the site; they are very strong on information law subjects.

Disclosing Disciplinary Records Under FOIA

The Information Tribunal has recently handed down a decision in which it upheld the Commissioner’s conclusion that information as to judges’ serious misconduct was exempt from disclosure under the personal data exemption provided for under s. 40(2)(c) FOIA – Guardian Newspapers v IC (EA/2008/0084). The decision is interesting not least because it highlights the Tribunal’s continuing reluctance to treat personal data concerning disciplinary matters as being disclosable under FOIA (see further on this point the earlier cases of Waugh v IC & Doncaster College (EA/2007/0060) and Roger Salmon v IC & King’s College (EA/2007/0135)). Notably, the Tribunal also held that the information in question was exempt under s. 31(1)(c) FOIA (administration of justice exemption).

The central issue in the appeal was whether disclosure of the information would contravene the first data protection principle (DPP1) contained in Schedule 1 to the Data Protection Act 1998 (DPA) and, hence, render the information absolutely exempt from disclosure under s. 40(2)(c) FOIA. The Tribunal held that DPP1 would be contravened. In reaching this conclusion, the Tribunal took into account in particular the facts that:

· the DPA contained an exclusion which prevented judicial office holders themselves gaining access to data which revealed assessments of their ‘suitability to hold judicial office’ and it would be an odd result if third parties could access such data under FOIA but the data subjects themselves could not (para. 91);
· some of the information would amount to sensitive personal data which would require that one of the stringent conditions contained in Schedule 3 be met in order for the disclosure to be in accordance with DPP1 (para. 92);
· some information was already in the public domain as to the fact and scope of reprimands or serious actions (para. 93);
· the judges themselves would have a reasonable expectation that their disciplinary record would be kept confidential (para. 96);
· there would be a risk that judges would suffer great distress if the information were to be disclosed and, further, that their future authority and their future employment prospects would be jeopardised (para. 97).

In addition the Tribunal held that s. 31(1)(c) FOIA was engaged in respect of the information and that the public interest weighed in favour of maintaining that exemption. In reaching this conclusion, the Tribunal took into account in particular the fact that, in its view, disclosure of the information would undermine a judge’s authority while carrying out his or her judicial function and would otherwise disrupt the judicial process by encouraging legal representatives to seek adjournments by reason of alleged concerns about the judge’s good standing (para. 106). 11KBW’s Karen Steyn appeared on behalf of the Ministry of Justice.

Lock up your data

The importance of ensuring the security of personal data has been highlighted in a recent press release from the ICO dated 4 June 2009. The ICO has found Salford Royal NHS Foundation Trust in breach of the Data Protection Act, after a desktop computer containing sensitive personal information relating to around 3,500 patients was stolen. Although the computer was password protected, it was not encrypted or secured to a desk.

A formal undertaking has been signed by the Trust. It will ensure that: appropriate security measures are in place to restrict access to areas where personal information is stored; desktop computers are secured to desks to prevent easy removal; any personal data required to be held on a portable device is suitably encrypted; and personal details are not retained on any computer for longer than is required.

Mick Gorrill, Assistant Information Commissioner at the ICO, emphasised that the worrying trend of personal data losses must be rectified. He said:

“I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients do not fall into the wrong hands.”

Many thanks to Andrew Smith, currently a pupil at 11KBW, for preparing a first draft of this post.

Doing it by the book

The Information Commissioner’s Office has today announced the latest version of the Privacy Impact Assessment Handbook.  As the title indicates, its purpose is to help organisations to identify and address the privacy risks of their activities.

Following the HMRC data breach in November 2007, the Cabinet Office introduced a requirement for all central Government departments and their agencies to conduct Privacy Impact Assessments (PIAs) when developing new systems. The ICO encourages all organisations to incorporate data protection safeguards into any new project involving personal information.

The handbook is in two parts: Part I (the first two chapters) gives an overview of the PIA process, with detailed information about privacy, common risks, and possible solutions; Part II then gives a practical guide to conducting a PIA. There are also four appendices, with examples of screening questions, checklist templates, and privacy strategies.

The handbook should help organisations to make reasoned judgments about the privacy implications of new projects or technological innovations. Some of the recommendations may overlap with privacy work already being done by organisations. A PIA does not have to be conducted as a totally separate exercise; indeed, it may be helpful to look at privacy issues in a broader policy context.

Many thanks to Andrew Smith, currently a pupil at 11KBW, for researching this post and preparing a first draft.