Feeds

What is wrong with the Data Protection Act?

FOI infraction saga hits the buffers

Providing a secure and efficient Helpdesk

Bad news guys! I have just received my Tribunal Decision which throws out my attempt to find out what is wrong with the UK’s Data Protection Act. The decision means that 60 million data subjects and one-third of a million data controllers will not fully understand why the European Commission thinks that the UK’s implementation of Data Protection Act has been deficient since 2004. I think this is a shocking state of affairs.

The result of this decision is important for another reason. The jungle drums are increasingly beating out the message that the European Commission is thinking of enacting a new data protection regime by regulations. Will such regulations address the identified problems with the UK Act? Well, if the public doesn’t know what these problems are, then it won’t be able to judge.

I asked the Ministry of Justice (MoJ) for a summary of the information held about the infraction proceedings, because an earlier FOI request for the full detail had failed. I was hoping that (a) the summary might exist or (b) the summary information might be scattered around in emails and documents already held, and that finally, this summary would not be exempt. And thirdly, because of the House of Lords decision in CSA v SIC, I also argued a new point: even if the summary information did not exist, CSA v SIC implied that this step did not need the creation of new information*.

By contrast, the Commissioner, in his Decision Notice which has been upheld by the Tribunal, said that the summary information is only relevant to the form in which existing information is presented to the requestor. It followed that this meant that any exemption had to be applied to the full existing information as the summary was only relevant when information is to be given to the applicant. And because in my case (ie, my previous failed FOI request), the full information was still exempt, the question of providing a summary was irrelevant.

It is this view which has prevailed. However, I am disappointed that the tribunal decision did not document any rebuttal of any of the arguments I had presented. To redress this omission why I have attached the relevant arguments so that blog readers can take a look if interested (download at end). I am still of the opinion that asking for "summary information" is a valid FOI request!

FOI practitioners should read the following

What is interesting for FOI specialists is the Tribunal Decision in relation to the “time of the request”. My request was made on 1 October 2009. The MoJ did not respond till 3 February 2010 – hardly 20 working days! I immediately asked for a review which was completed on 25 August 2010 – hardly 20 working days as recommended by the ICO for the internal review period. (These are delays which the Tribunal Decision categorises as “some delay” and “less serious delay” – hardly a problem then!).

At the end of June 2010, the MoJ received a substantive response from the European Commission about the deficiencies in the Data Protection Act 1988 (and responded to them).

My question to readers with a FOI interest is as follows: if my request was made in October 2009, can the information received by the MoJ in June 2010 form part of the request, because clearly this information was not held at the time of the request?

The answer is “yes” because the internal review process had not been completed.

The Tribunal Decision relies on the Commissioner’s argument for this, but this in turn relies on just one Tribunal Decision. However, I have placed in the public domain*, a fully referenced justification of why the Tribunal came to this position which mentions several such Decisions. The Tribunal decided not to refer to this document.

The message for FOI practitioners is this: if the FOI Internal Review process gets stretched out, subsequent information relating to the request received after the time of the request might need to be included in the review and possibly disclosed to the applicant.

Concluding comment

It is interesting to note that the Tribunal, at the end of its Decision, records the fact that I am entitled to a heavily redacted summary of information held by the MoJ in June 2009.

This is, of course, was one of the arguments that I was running: namely, non-exempt, summary information exists, and can be extracted from the full, existing exempt information.

It’s a funny old inconsistent world!

References*

  • The arguments in relation to my request is here (PDF).
  • The Tribunal Decisions relating to the “time of the request” is here (PDF).
  • The Tribunal Decision Notice can be downloaded here (PDF).
  • CSA v SIC reference is: Common Services Agency v Scottish Information Commissioner ([2008] UKHL 47 [2008] 1 WLR 1550.

Note: Some details of the deficiencies in the UK Act have been published under FOI. See “Privacy: New government revelations amplify concerns surrounding deficiencies in UK’s Data Protection Act.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Heavy VPN users are probably pirates, says BBC
And ISPs should nab 'em on our behalf
Former Bitcoin Foundation chair pleads guilty to money-laundering charge
Charlie Shrem plea deal could still get him five YEARS in chokey
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.