Feeds

What is wrong with the Data Protection Act?

FOI infraction saga hits the buffers

Top 5 reasons to deploy VMware with Tegile

Bad news guys! I have just received my Tribunal Decision which throws out my attempt to find out what is wrong with the UK’s Data Protection Act. The decision means that 60 million data subjects and one-third of a million data controllers will not fully understand why the European Commission thinks that the UK’s implementation of Data Protection Act has been deficient since 2004. I think this is a shocking state of affairs.

The result of this decision is important for another reason. The jungle drums are increasingly beating out the message that the European Commission is thinking of enacting a new data protection regime by regulations. Will such regulations address the identified problems with the UK Act? Well, if the public doesn’t know what these problems are, then it won’t be able to judge.

I asked the Ministry of Justice (MoJ) for a summary of the information held about the infraction proceedings, because an earlier FOI request for the full detail had failed. I was hoping that (a) the summary might exist or (b) the summary information might be scattered around in emails and documents already held, and that finally, this summary would not be exempt. And thirdly, because of the House of Lords decision in CSA v SIC, I also argued a new point: even if the summary information did not exist, CSA v SIC implied that this step did not need the creation of new information*.

By contrast, the Commissioner, in his Decision Notice which has been upheld by the Tribunal, said that the summary information is only relevant to the form in which existing information is presented to the requestor. It followed that this meant that any exemption had to be applied to the full existing information as the summary was only relevant when information is to be given to the applicant. And because in my case (ie, my previous failed FOI request), the full information was still exempt, the question of providing a summary was irrelevant.

It is this view which has prevailed. However, I am disappointed that the tribunal decision did not document any rebuttal of any of the arguments I had presented. To redress this omission why I have attached the relevant arguments so that blog readers can take a look if interested (download at end). I am still of the opinion that asking for "summary information" is a valid FOI request!

FOI practitioners should read the following

What is interesting for FOI specialists is the Tribunal Decision in relation to the “time of the request”. My request was made on 1 October 2009. The MoJ did not respond till 3 February 2010 – hardly 20 working days! I immediately asked for a review which was completed on 25 August 2010 – hardly 20 working days as recommended by the ICO for the internal review period. (These are delays which the Tribunal Decision categorises as “some delay” and “less serious delay” – hardly a problem then!).

At the end of June 2010, the MoJ received a substantive response from the European Commission about the deficiencies in the Data Protection Act 1988 (and responded to them).

My question to readers with a FOI interest is as follows: if my request was made in October 2009, can the information received by the MoJ in June 2010 form part of the request, because clearly this information was not held at the time of the request?

The answer is “yes” because the internal review process had not been completed.

The Tribunal Decision relies on the Commissioner’s argument for this, but this in turn relies on just one Tribunal Decision. However, I have placed in the public domain*, a fully referenced justification of why the Tribunal came to this position which mentions several such Decisions. The Tribunal decided not to refer to this document.

The message for FOI practitioners is this: if the FOI Internal Review process gets stretched out, subsequent information relating to the request received after the time of the request might need to be included in the review and possibly disclosed to the applicant.

Concluding comment

It is interesting to note that the Tribunal, at the end of its Decision, records the fact that I am entitled to a heavily redacted summary of information held by the MoJ in June 2009.

This is, of course, was one of the arguments that I was running: namely, non-exempt, summary information exists, and can be extracted from the full, existing exempt information.

It’s a funny old inconsistent world!

References*

  • The arguments in relation to my request is here (PDF).
  • The Tribunal Decisions relating to the “time of the request” is here (PDF).
  • The Tribunal Decision Notice can be downloaded here (PDF).
  • CSA v SIC reference is: Common Services Agency v Scottish Information Commissioner ([2008] UKHL 47 [2008] 1 WLR 1550.

Note: Some details of the deficiencies in the UK Act have been published under FOI. See “Privacy: New government revelations amplify concerns surrounding deficiencies in UK’s Data Protection Act.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Intelligent flash storage arrays

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.