The Register® — Biting the hand that feeds IT

Feeds

Been smacked by the ICO? Reveal your internal probes

Template FOI: Right, who left the laptop in the pub?

By Amberhawk Training, 2nd March 2012
  • print
  • alert

Agentless Backup is Not a Myth

If public authorities are subject to enforcement action by the Information Commissioner (eg, monetary penalty notice, undertaking, audit, enforcement notice etc), they should be prepared for internal reports into why the action was taken to become the target for Freedom of Information (FOI) requests.

This is the outcome of a recent Decision Notice involving the London Borough of Ealing. Implicitly, the comissioner is signalling that he thinks such reports and investigations should be published where practicable.

In February 2011, Ealing Council reported a theft of two laptops containing the details of around 1,700 individuals were stolen from an employee’s home (including sensitive personal data). Almost 1,000 of the individuals were clients of Ealing Council and both laptops were password protected but unencrypted – despite this being of Council policy. The ICO served Ealing Council with a Monetary Penalty Notice of £80,000.

On 30 May 2011, the Council received a FOI request for “... a copy of the report into the loss of the unencrypted laptop which resulted in an £80,000 fine from the ICO”. The council directed the applicant to the Monetary Penalty Notice published on the ICO’s website.

The requester wrote back explaining that it was the council’s own internal report into the matter that was being sought. The council refused to provide the requested information stating that the information was being withheld under the ‘prejudice to effective conduct of public affairs’ exemption (namely section 36(2)(b) of the FOIA) and that the public interest was in favour of non-disclosure. This position was upheld on internal review.

The ICO decided that the council had correctly applied the ‘prejudice to effective conduct of public affairs’ exemption but that it wrongly concluded that the public interest in maintaining the exemption outweighed the public interest in disclosure. The two main reasons for this decision were as follows:

  • Disclosure “would also contribute to public understanding of the issues documented in the publically available Monetary Penalty Notice”.
  • “Disclosure would demonstrate to the public that the council has taken robust steps to address the security implications of the incident and that measures have been put in place to ensure that there is not a recurrence. This would improve public confidence in the workings of the council”.

Now I am suggesting to you that these two arguments employed by the ICO could apply to almost any enforcement action by his office. So if your employer is a public authority and subject to enforcement action under the Data Protection Act, then expect FOI requests which will probably lead to the publication of your internal investigations into the problem.

Download the Decision Notice (PDF).

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Cloud storage: Lower cost and increase uptime

COMMENTS

House Rules Send Corrections
All Reader Comments (5)
Highly Rated
matthewtrump

This is part of my PhD

This request was submitted as part of the preliminary research I am conducting for my PhD looking at the drivers, methods, and outcomes of information security incident investigations.

If anyone would like to know more aobut my research, please drop me a line on m.t.trump@edu.salford.ac.uk

Matthew

P.S. Ealing Council still haven't released the document...

3
0
Anonymous Coward
Anonymous Coward

Being smacked by the ICO

is rather like being hit in the face with a small fish (a la Monty Python sketech).

3
0
Hayden Clark

Internal review? What review?

"The council refused to provide the requested information stating that the information was being withheld under the ‘prejudice to effective conduct of public affairs’ exemption"

In other words, they had not actually done any kind of review at all, as they did not consider that anything was wrong.

This is predicated on the idea that the "information security" policies the council has are purely for "compliance" purposes, and nobody can be expected to follow them.

1
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
Jailed LulzSec hacker Cleary coughs to child porn images, will be freed soon
Some images of infants as young as six months
68
NSA whistleblower to tech firms, Obama: 'Grow a pair!'
Ed Snowden: Email tracking grabs 'IPs, raw data, content, headers, attachments, everything'
66
NSA: We COULD track you by your phone ... if we WANTED to
Honestly, too much work, can't be bothered
54
Google flings another £1m at online child sex abuse vid CRACKDOWN
See, see, we're trying, ad giant tells Daily Mail UK.gov
41
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
119
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Not just telcos, THOUSANDS of companies share data with US spies
It's all perfectly legal, trust us
68