Feeds

What is wrong with the Data Protection Act?

FOI infraction saga hits the buffers

High performance access to file storage

Bad news guys! I have just received my Tribunal Decision which throws out my attempt to find out what is wrong with the UK’s Data Protection Act. The decision means that 60 million data subjects and one-third of a million data controllers will not fully understand why the European Commission thinks that the UK’s implementation of Data Protection Act has been deficient since 2004. I think this is a shocking state of affairs.

The result of this decision is important for another reason. The jungle drums are increasingly beating out the message that the European Commission is thinking of enacting a new data protection regime by regulations. Will such regulations address the identified problems with the UK Act? Well, if the public doesn’t know what these problems are, then it won’t be able to judge.

I asked the Ministry of Justice (MoJ) for a summary of the information held about the infraction proceedings, because an earlier FOI request for the full detail had failed. I was hoping that (a) the summary might exist or (b) the summary information might be scattered around in emails and documents already held, and that finally, this summary would not be exempt. And thirdly, because of the House of Lords decision in CSA v SIC, I also argued a new point: even if the summary information did not exist, CSA v SIC implied that this step did not need the creation of new information*.

By contrast, the Commissioner, in his Decision Notice which has been upheld by the Tribunal, said that the summary information is only relevant to the form in which existing information is presented to the requestor. It followed that this meant that any exemption had to be applied to the full existing information as the summary was only relevant when information is to be given to the applicant. And because in my case (ie, my previous failed FOI request), the full information was still exempt, the question of providing a summary was irrelevant.

It is this view which has prevailed. However, I am disappointed that the tribunal decision did not document any rebuttal of any of the arguments I had presented. To redress this omission why I have attached the relevant arguments so that blog readers can take a look if interested (download at end). I am still of the opinion that asking for "summary information" is a valid FOI request!

FOI practitioners should read the following

What is interesting for FOI specialists is the Tribunal Decision in relation to the “time of the request”. My request was made on 1 October 2009. The MoJ did not respond till 3 February 2010 – hardly 20 working days! I immediately asked for a review which was completed on 25 August 2010 – hardly 20 working days as recommended by the ICO for the internal review period. (These are delays which the Tribunal Decision categorises as “some delay” and “less serious delay” – hardly a problem then!).

At the end of June 2010, the MoJ received a substantive response from the European Commission about the deficiencies in the Data Protection Act 1988 (and responded to them).

My question to readers with a FOI interest is as follows: if my request was made in October 2009, can the information received by the MoJ in June 2010 form part of the request, because clearly this information was not held at the time of the request?

The answer is “yes” because the internal review process had not been completed.

The Tribunal Decision relies on the Commissioner’s argument for this, but this in turn relies on just one Tribunal Decision. However, I have placed in the public domain*, a fully referenced justification of why the Tribunal came to this position which mentions several such Decisions. The Tribunal decided not to refer to this document.

The message for FOI practitioners is this: if the FOI Internal Review process gets stretched out, subsequent information relating to the request received after the time of the request might need to be included in the review and possibly disclosed to the applicant.

Concluding comment

It is interesting to note that the Tribunal, at the end of its Decision, records the fact that I am entitled to a heavily redacted summary of information held by the MoJ in June 2009.

This is, of course, was one of the arguments that I was running: namely, non-exempt, summary information exists, and can be extracted from the full, existing exempt information.

It’s a funny old inconsistent world!

References*

  • The arguments in relation to my request is here (PDF).
  • The Tribunal Decisions relating to the “time of the request” is here (PDF).
  • The Tribunal Decision Notice can be downloaded here (PDF).
  • CSA v SIC reference is: Common Services Agency v Scottish Information Commissioner ([2008] UKHL 47 [2008] 1 WLR 1550.

Note: Some details of the deficiencies in the UK Act have been published under FOI. See “Privacy: New government revelations amplify concerns surrounding deficiencies in UK’s Data Protection Act.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Combat fraud and increase customer satisfaction

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.