Feeds

What is wrong with the Data Protection Act?

FOI infraction saga hits the buffers

Secure remote control for conventional and virtual desktops

Bad news guys! I have just received my Tribunal Decision which throws out my attempt to find out what is wrong with the UK’s Data Protection Act. The decision means that 60 million data subjects and one-third of a million data controllers will not fully understand why the European Commission thinks that the UK’s implementation of Data Protection Act has been deficient since 2004. I think this is a shocking state of affairs.

The result of this decision is important for another reason. The jungle drums are increasingly beating out the message that the European Commission is thinking of enacting a new data protection regime by regulations. Will such regulations address the identified problems with the UK Act? Well, if the public doesn’t know what these problems are, then it won’t be able to judge.

I asked the Ministry of Justice (MoJ) for a summary of the information held about the infraction proceedings, because an earlier FOI request for the full detail had failed. I was hoping that (a) the summary might exist or (b) the summary information might be scattered around in emails and documents already held, and that finally, this summary would not be exempt. And thirdly, because of the House of Lords decision in CSA v SIC, I also argued a new point: even if the summary information did not exist, CSA v SIC implied that this step did not need the creation of new information*.

By contrast, the Commissioner, in his Decision Notice which has been upheld by the Tribunal, said that the summary information is only relevant to the form in which existing information is presented to the requestor. It followed that this meant that any exemption had to be applied to the full existing information as the summary was only relevant when information is to be given to the applicant. And because in my case (ie, my previous failed FOI request), the full information was still exempt, the question of providing a summary was irrelevant.

It is this view which has prevailed. However, I am disappointed that the tribunal decision did not document any rebuttal of any of the arguments I had presented. To redress this omission why I have attached the relevant arguments so that blog readers can take a look if interested (download at end). I am still of the opinion that asking for "summary information" is a valid FOI request!

FOI practitioners should read the following

What is interesting for FOI specialists is the Tribunal Decision in relation to the “time of the request”. My request was made on 1 October 2009. The MoJ did not respond till 3 February 2010 – hardly 20 working days! I immediately asked for a review which was completed on 25 August 2010 – hardly 20 working days as recommended by the ICO for the internal review period. (These are delays which the Tribunal Decision categorises as “some delay” and “less serious delay” – hardly a problem then!).

At the end of June 2010, the MoJ received a substantive response from the European Commission about the deficiencies in the Data Protection Act 1988 (and responded to them).

My question to readers with a FOI interest is as follows: if my request was made in October 2009, can the information received by the MoJ in June 2010 form part of the request, because clearly this information was not held at the time of the request?

The answer is “yes” because the internal review process had not been completed.

The Tribunal Decision relies on the Commissioner’s argument for this, but this in turn relies on just one Tribunal Decision. However, I have placed in the public domain*, a fully referenced justification of why the Tribunal came to this position which mentions several such Decisions. The Tribunal decided not to refer to this document.

The message for FOI practitioners is this: if the FOI Internal Review process gets stretched out, subsequent information relating to the request received after the time of the request might need to be included in the review and possibly disclosed to the applicant.

Concluding comment

It is interesting to note that the Tribunal, at the end of its Decision, records the fact that I am entitled to a heavily redacted summary of information held by the MoJ in June 2009.

This is, of course, was one of the arguments that I was running: namely, non-exempt, summary information exists, and can be extracted from the full, existing exempt information.

It’s a funny old inconsistent world!

References*

  • The arguments in relation to my request is here (PDF).
  • The Tribunal Decisions relating to the “time of the request” is here (PDF).
  • The Tribunal Decision Notice can be downloaded here (PDF).
  • CSA v SIC reference is: Common Services Agency v Scottish Information Commissioner ([2008] UKHL 47 [2008] 1 WLR 1550.

Note: Some details of the deficiencies in the UK Act have been published under FOI. See “Privacy: New government revelations amplify concerns surrounding deficiencies in UK’s Data Protection Act.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Security for virtualized datacentres

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Verizon bankrolls tech news site, bans tech's biggest stories
No agenda here. Just don't ever mention Net neutrality or spying, ok?
Inside the EYE of the TORnado: From Navy spooks to Silk Road
It's hard enough to peel the onion, are you hard enough to eat the core?
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.