    INFORMATION RIGHTS REPORT – Management Board 23 January 2012

    1. Key developments
    2. Cross sectoral work
    3. Government and Society sector
    4. Public Security sector
    5. Public Service sector
    6. Business and Industry sector
    7. National Regions
    8. International

    1. Key Developments

    1.1 The key developments expected in the next quarter are:

    Post-legislative scrutiny of the FOI Act
    Announcement of and reaction to EC proposals for reform of the Data Protection Directive
    Leveson Inquiry continues, with Christopher Graham appearing on 26 January
    Further activity on FOI and use of private emails
    Final stages of Protection of Freedoms Bill

    2. Cross-sectoral work

    2.1 Leveson Inquiry

    Formal evidence hearings started on 14 November 2011. Amongst the Inquiry’s terms of reference is consideration of the extent to which the current regulatory framework has failed, including in relation to data protection; and the extent to which there was a failure to act on previous warnings about media misconduct. In this first phase the Inquiry is considering the relationship between the press and the public, including phone-hacking and other potentially illegal behaviour. We have liaised with and provided submissions and background documentation to the Inquiry Team. We have also provided support to the former Information Commissioner, Richard Thomas, who gave evidence to the Inquiry on 9 December 2012.

    Future work:

    The Information Commissioner has been asked to give evidence to the Inquiry on 26 January 2012. We are coordinating briefing in preparation for his appearance. The Inquiry will then move into the second phase looking at the relationship between the press and the police.

    Outcomes:

    Ensuring that the ICO’s current role in the regulation of the press is fully understood by the Inquiry, including the limitations on our powers and the rationale underpinning our decisions.

    Contributing to the debate on the future regulation of the press.

    Contact: Jenny Childs

    2.2 Good Practice Audit

    In addition to the core activity of delivering data protection audits, the Good Practice department continues to broaden the scope of work undertaken. Work includes:

    At the end of December, 30 audit reports had been completed in the year, as well as 12 follow up audits with a further nine audit visits completed. Recently published reports include the Department for Education, Northern Rock Plc and the Criminal Records Bureau. The first audit visits to cover handling requests for information under FOIA have also been completed this quarter.

    The business case for the extension of compulsory audit powers to the NHS and local government sectors has been presented to the Ministry of Justice, as well as the proposed amendments to the Code of Practice for Assessment Notices.

    The successful pilot of a self assessment questionnaire for schools has been completed, and this is now being extended throughout the UK. As at December, seven local authorities have agreed to sponsor this work with the schools in their area.

    A programme of ‘advisory visits’ consisting of short, one day audits has been developed, with the first two reports resulting from this work being published in December.

    Future action:

    Work is ongoing to develop the 2012/13 audit programme to ensure it covers a range of organisations from both the public and private sector.

    The roll out of the self assessment for schools will continue, with active promotion of the programme. Communication of the new advisory visit service will also be undertaken to encourage small and medium sized organisations to participate.

    Guidance on the delivery of the audit powers under the amended Privacy and Electronic Communications Regulations will continue to be developed.

    Outcomes:

    The audits completed so far have been across a range of

    sectors: central government (23%), local authorities (23%), NHS (18%), private companies (25%) and charities and others (11%)

    In the quarter, all the high risk recommendations made in audit reports had been completed when we went back to check. 83% of medium and low risk recommendations had also been completed.

    Subject access processes, information governance, and security measures continue to be the most common scope areas of the audits undertaken.

    Contact: Louise Webb

    2.3 Enforcement

    Work includes:

    Jack Straw enquiry – Spam texts issue. Investigation continues, significant progress made to identify source. Further search warrant expected.

    Unscrubbed hard drive initiative nearing completion with three DCs likely to be subject to some form of regulatory action.

    Sony breaches – responses received. Enforcement report being prepared.

    Civil Monetary Penalty cases - Approximately 20 cases under consideration for CMP. Six further cases have been issued with a Notice of Intent (total value £875,000) with a further three awaiting signature (total value £300,000).

    FOIA section 10 (timely compliance in responding to requests) monitoring - third tranche is being prepared.

    DPA Section 55 - We continue to raise the issue of the inadequate sentencing powers for offences and call for an effective deterrent.

    Non notification project work shows the trend of a growing number of registrations continues. The total now exceeds 350,000. Slight decreases appear in the Employment Agency and NHS Doctor sectors.

    o Councillors continue to surprise, increasing by another 119 to a total of 8,523 which means we've seen an extra 2,201 councillor registrations in the last 10 months.

    o Estate and Letting Agents increased by a combined total of 54 and the number of dentists again increased to an all time high of 11,516.

    o Solicitors and Accountants both show moderate increases whereas there is a slight drop of seven in the number of employment agencies on the register.

    o There is a slight drop of four in the number of NHS doctors but the number of Private Doctors continues to surge upwards to an all time high of 14,363.

    Future Work:

    To review the effectiveness of the new self-reported security breach form, and to ensure that current public facing guidance is sufficient to meet our expectations on the types of security incidents we should be made aware of. In line with the new Information Rights Strategy, this may include clarifying our position on key priority areas by setting out clear thresholds for reporting and the consequences of not doing so.

    To review the existing Regulatory Action Policies for FOIA and the DPA to ensure that they reflect the aims and desired outcomes of the new Information Rights Strategy.

    To progress the pilot exercise to monitor compliance with section 7 DPA (subject access). Compliance data has been gathered and is being analysed. Target organisations will be identified with a view to further action being taken by the beginning of the new financial year.

    To continue with the development of a training aid for organisations to assist in raising awareness of the potential for organisations to be targeted by ‘blaggers’ committing section 55 offences.

    Outcomes:

    In the T Mobile case both defendants have paid in full following a hearing on 10 June 2011 where Hames was ordered to pay confiscation of £28,700, with a period of 15 months custody in default and Turley to pay £45,000 confiscation with a period of 18 months in default. Both were given 6 months to pay.

    A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act. Usha Patwal, of Romford, was given a two year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court on 16 December 2011.

    Proceedings were instigated in Caernarfon Magistrates Court for a prosecution under s17 of the DPA 1998. At the hearing on 1st December 2011 the defendant pleaded guilty to the offence and was given a 6 month conditional discharge and costs of £614 to be paid to the ICO. This was a notification matter in respect of a firm of estate agents in Caernarfon, North Wales.

    Proceedings have been instigated at Highbury Corner Magistrates’ Court and a first hearing date has been listed for Monday 27th February 2012 at 10am in respect of a section 55 offence involving information unlawfully obtained from the DWP.

    A Preliminary Enforcement Notice has been served on a County Council in relation to a failed subject access request. Written representations from the data controller are being considered.

    An enforcement notice was served on Powys County Council in relation to a contravention subject to a Civil Monetary Penalty as detailed below.

    FOIA section 10 monitoring - Satisfactory compliance was achieved in eight cases leading to case closures following the second round of monitoring. Undertakings for six PAs are due to be sent on Wednesday 11 January. For tranche three, we have identified five more Central Government Departments for potential inclusion. Longer term monitoring of the two Government Departments from round one is due to be concluded mid January when a decision on any further regulatory action will be taken.

    Following the introduction of the civil monetary penalty powers in April 2010, a total of nine final civil monetary penalty notices have been issued amounting to a total of £701,000 in fines. All but one has taken advantage of the 20% discount for early payment meaning total payments received amount to £560,000. One payment of £1000 remains outstanding due to the data controller being subject to a bankruptcy order.

    CIVIL MONETARY PENALTIES ISSUED TO DATE

    Data Controller               Date of CMP  Date payment due  CMP levied (£)  CMP paid (£)*   Date paid
    Powys County Council          5.12.11      5.1.12            130,000         104,000         3.1.12
    North Somerset Council        9.11.11      9.12.11           60,000          48,000          18.11.11
    Worcestershire County Council 17.11.11     16.12.11          80,000          64,000          15.12.11
    Surrey County Council         6.6.11       5.7.11            120,000         96,000          30.6.11
    Andrew Jonathan Crossley      9.5.11       7.6.11            1,000           overdue         n/a
    Ealing Council                4.2.11       8.3.11            80,000          64,000          4.3.11
    Hounslow Council              4.2.11       8.3.11            70,000          54,000; 2,000   2.3.11; 10.3.11
    A4e Limited                   22.11.10     22.12.10          60,000          48,000          29.11.10
    Hertfordshire County Council  22.11.10     22.12.10          100,000         80,000          13.12.10

    * 20% off if paid before date payment due

    Contact: Sally Poole

    2.4 ICO Publication Schemes Consultation

    Work includes: In addition to the formal publication schemes consultation launched in September (mentioned in last quarter’s report) the ICO has run a version of the consultation focused on the general public. In November the ICO launched this version of the consultation under the banner of “Tell me more”. The public were invited to answer a series of questions in a web based questionnaire. The ICO also commissioned three focus groups to discuss proactive disclosure and publication schemes.

    Future action: Both aspects of the publication scheme consultation closed on 21 December. The ICO received 59 responses to the main consultation and 150 responses to the “Tell me more” questionnaire. Policy Delivery will analyse the responses during January and then prepare a set of recommendations and plan for publication scheme work in 2012. The analysis will also feed into the ICO’s evidence to the Justice Committee for the Post Legislative Scrutiny of FOI.

    Contact: Ged Tracey

    2.5 New guidance – section 36 – prejudice to the effective conduct of public affairs

    Work includes: In November the ICO published new guidance on section 36 of the FOI Act. This exemption is often difficult to apply and adjudicate on because it is engaged by a qualified person (the only FOI exemption to do so) and the opinion of the qualified person must be reasonable. The guidance has revised the ICO approach, to take a more straightforward interpretation of reasonableness, drawing back from the two part test advocated by the Information Tribunal. The guidance also includes an editable template for public authorities to use to capture the opinion of the qualified person. The guidance has been promoted and explained by Policy Delivery staff at an event for central government FOI practitioners. Internal briefings have also been run.

    Contact: Carl Wiper

    2.6 Key decision of First-Tier Tribunal (Information Rights)

    Issue: Whether the Duchy of Cornwall (not a public authority under the FOI Act) is a public authority under the Environmental Information Regulations (EIR). The Tribunal allowed an appeal by the complainant, finding that the Duchy of Cornwall is a public authority under the EIR, overturning the ICO’s decision. The Duchy has since appealed the decision to the Upper Tribunal and permission has been granted.

    Contact: Mark Thorogood

    2.7 Data Sharing Awareness event

    Work includes: Despite considerable promotional activity surrounding the data sharing code of practice, which launched in May 2011, there is still a surprising lack of awareness of the ICO’s work on data sharing amongst important public sector decision makers. Some public sector bodies are still misunderstanding the role of the DPA in data sharing, sometimes seeing unnecessary barriers in the DPA or not correctly identifying data protection risks. The ICO is working on an event with the Ministry of Justice and the Cabinet Office to raise awareness of the data sharing code and discuss the challenges of data sharing with senior officials. This will include central and local government.

    Future action: The event is planned for February. Francis Maude (Minister for the Cabinet Office) has pledged his support for the event.

    Contact: Iain Bourne

    3. Government and Society Sector

    3.1 Post Legislative Scrutiny of the Freedom of Information Act

    Having been announced in January 2011, the post-legislative scrutiny is now underway. The MoJ Memorandum was issued on 19 December and the House of Commons Justice Committee issued a call for evidence the following day. Written evidence has to be submitted by 3 February. Oral evidence sessions will follow and we expect the Commissioner to be called. However, the programme will be directed by the Committee, chaired by Sir Alan Beith and as yet there is no timetable. Areas which the ICO expects to be covered include:

    the extension of the Act to a wider range of public bodies
    how transparency will be secured for newly created or private sector bodies delivering public services (eg under NHS reforms)
    the resource burden of FOI in straitened times
    the charging regime
    vexatious or nuisance requests
    access to cabinet papers and other information on government policy-making (see separate item below)
    timely delivery of outcomes
    open data and the role of publication schemes in proactive disclosure

    We will take the opportunity to raise the issue of ICO funding, including the impact of cuts in grant-in-aid on our FOI and EIR work. We will also tell the story of significant progress and continuous improvement in our complaint handling activity, including the Tribunal appeals process.

    Contact: Graham Smith

    3.2 Government Policy and Cabinet Information

    Comments by Sir Gus O’Donnell as outgoing Cabinet Secretary about the impact of FOI on the policy-making process in government including access to Cabinet material revived the profile of this issue. Our decision to order disclosure of some 1997/98 Cabinet committee papers on devolution (previously vetoed) has been appealed to the Tribunal with a hearing scheduled in March. The possibility of a second veto, either before or after the Tribunal appeal (subject obviously to the outcome of the appeal) remains a live issue. The current profile of the debate over a referendum on independence for Scotland adds an interesting twist. However, the issues raised go far beyond access to Cabinet material. There are powerful advocates for restricting access to information on live, often contentious policy formulation. The ICO’s decision last year to order the release of the Department of Health risk register on NHS reforms is seen as a landmark decision prompting a range of comment. That decision too has been appealed by the DoH to the Tribunal. All this serves to guarantee that the nature of the relevant exemptions, and whether they should remain subject to the public interest test or become absolute, will be a major topic of discussion in the post-legislative scrutiny.

    Contact: Graham Smith

    3.3 Protection of Freedoms Bill

    The Bill has just completed the Committee Stage in the House of Lords. We provided a detailed paper on the revised Bill when it entered the Lords, and a number of peers picked up on the issues we raised and tabled amendments. This prompted a more thorough debate of topics of interest to the ICO, for example on enforced subject access (section 56). Areas of relevance to the ICO included the destruction of fingerprints and DNA profiles; processing of biometric information of children in schools; regulation of CCTV and other surveillance camera technologies; safeguarding vulnerable groups and criminal records; FOIA amendments and the appointment and tenure of the Information Commissioner.

    Future work: We shall continue to engage with the relevant government departments and other stakeholders to influence and clarify areas of concern arising from the Bill, as it reaches its implementation phase.

    Outcomes:

    Our briefing on enforced subject access influenced an amendment on the issue. Although not accepted, the government gave a commitment to take action on the issue. Lord Goodhart will reintroduce the amendment at Report Stage if there is no progress.

    The Information Commissioner’s term is to be extended to seven years.

    The Home Office’s response to the consultation on the Surveillance Camera Code does not call for a single code but stresses the importance of having a coherent regulatory framework; and the need to avoid confusion and to reduce bureaucracy.

    Contact: Judith Jones

    3.4 Department for Education – special advisers and private email accounts

    Work includes: On 15 December the ICO issued guidance on the use of private emails and information held under the Freedom of Information Act. The guidance was issued to all public authorities following a number of allegations that special advisers at the Department of Education were using private email accounts to avoid freedom of information obligations. Allegations have also been made that the practice is prevalent in other public authorities. There was considerable media coverage of the ICO’s press release. The ICO also published a report about a good practice visit to the Department, following the allegations. The report made recommendations about changes to the department’s policies and procedures.

    Future action: The ICO still has a number of section 50 FOI complaints to consider, related to specific FOI requests. The focus of the complaints is whether any official information within the scope of the requests is held in private email accounts. There is also a further case related to text messages. The ICO has also started a preliminary investigation into allegations that individuals at the DfE may have deleted or blocked access to requested information. This could amount to a criminal offence under section 77 of the Act. The ICO has also approached the Ministry of Justice for its assistance in coordinating further good practice visits with other government departments.

    Contact: Steve Wood

    3.5 Stakeholder event for the central government sector

    We held our first central government workshop in liaison with The National Archives. The aim was to deliver key ICO messages and to receive intelligence of any significant emerging issues in this sector of relevance to the ICO. A significant number of our key stakeholders in the sector attended the event, which focussed on freedom of information issues including complaint handling and new guidance.

    Future action: An evaluation of feedback and suggested future topics will feed into the organisation of a future event.

    Outcome: A well attended workshop which received positive feedback from an informed and influential group of stakeholders.

    Contact: Sue Markey

    3.6 Memorandum of Understanding with The National Archives

    We have been working with The National Archives (TNA) to update the Memorandum of Understanding to reflect operational and organisational developments at the ICO and TNA. The MOU establishes a framework for co-operation, describes the respective roles of both organisations and how we will work together to achieve our separate and common goals. It aims to facilitate contact and discussion on matters of common interest, particularly by sharing knowledge, information, expertise and best practice; set out the basis on which we will co-operate in respect of complaints relating to the re-use of information held by public sector bodies and also provide a framework for co-ordination of audit and assessment work.

    Future work: We expect the document to be formally signed by Oliver Morley, Chief Executive of TNA and Chris Graham this spring.

    Outcome: We have agreed a draft with TNA which now needs to be circulated and signed off at senior level in both organisations.

    Contact: Sue Markey

    3.7 Bill of Rights Consultation

    Work includes: The ICO submitted a response to the consultation run by the Commission on a Bill of Rights – “Discussion paper - Do we need a Bill of Rights?” The ICO response highlighted the relevance of data protection and freedom of information to a possible Bill of Rights, noting the benefit in recognising both as UK constitutional rights. The response also highlighted the risk that a new Bill of Rights covering DP and FOI could introduce further jurisdictional complexity to the legal landscape for the existing legislation.

    Future action: No work yet scheduled as it now depends on the next stages of the Commission’s work following the consultation.

    Contact: Jonathan Holbrook

    4. Public Security Sector

    4.1 Surveillance

    Following the Information Commissioner’s meeting with the Chief Surveillance Commissioner, the Interception of Communications Commissioner and the Interim CCTV Regulator, we circulated a draft “road map” to explain the functions of each Commissioner and to highlight areas where there is overlap.

    Future work: The latest draft will now be circulated to the President of the Investigatory Powers Tribunal (IPT) and the Intelligence Services Commissioner. We shall develop a strategy for a more joined up approach to the regulation of surveillance which impacts on personal privacy.

    Outcome: Common agreement has been reached on the need for a more joined up approach to the discharge of separate regulatory functions in the area of surveillance that touch on personal privacy.

    Contact: Meagan Mirza

    4.2 ELMER Suspect Financial Transactions Database

    Following the inspection of the database at the request of the House of Lords European Union Committee (‘the Committee’) and the recommendations we made, we engaged with SOCA to assist them in formulating a retention policy for the records on the database which were effectively being retained indefinitely at the time of our report. The Commissioner and Head of Strategic Liaison gave evidence to the Committee in November 2011 about SOCA’s progress against our recommendations and we also followed this up with SOCA in a meeting in December to discuss progress.

    Future work: We will continue to engage with SOCA to monitor progress and to consider whether the retention period can be refined further based on evidence of use/access to older records.

    Outcome: As at 19 December 584,351 records had been deleted from the database. Lord Hannay of the Committee praised the work of the ICO stating ‘the hundreds of thousands of people who do not know that their financial transactions are listed on this database have reason to be grateful to the Information Commissioner for his review and his proposals’.

    Contact: Jonathan Bamford/Meagan Mirza

    4.3 Firearms/Shotgun Licences and Medical Records

    We provided written evidence to the Home Affairs Select Committee in 2011 as they were considering the issue of Firearms Control. One of the proposals considered by the Committee was to ‘tag’ the medical records of every individual who held a firearms or shotgun licence. This was to enable GPs to contact police if they were concerned about the health of a patient and the potential for harm (to others or to themselves). The view of the ICO is that it would be disproportionate (and therefore unfair) to flag the medical records of every patient and this was taken on board by the Committee. We have been working with the BASC (British Association of Sports and Conservation), BSSC (British Shooting Sports Council), ACPO (Association of Chief Police Officers), BMA (British Medical Association) and the GMC (General Medical Council) to resolve this and have now agreed a way forward.

    Future work: ICO to work with all parties to agree the wording of the correspondence and with ACPO and the BMA on the forms sent to applicants for licences.

    Outcome: Resolved what was a very contentious issue and all parties agreed that letters would be sent by the police to GPs. These would be filed on the patient’s record but do not constitute a ‘tag’ and all parties were agreeable to this course of action.

    Contact: Meagan Mirza

    4.4 Police Reform

    We continue to monitor changes across the policing landscape. We also continue to sit on the Police National Databases Board which is addressing the issue of governance of national systems; however, it is unclear where some functions currently managed by the NPIA will be transferred to. It has already been announced that some functions, such as crime mapping, will be passing across to the Home Office; however, we need to understand where other functions may be transferred. We are also aware of the legacy issues with the demise of Police Authorities and we are already being contacted by Police Authorities to advise in this regard. There are also legacy issues which we are advising on in relation to the closure of the Forensic Science Service and we provide advice on this through the National DNA Strategy Board which we sit on.

    Future work: Criminal Justice is a priority issues area for the ICO and we will be monitoring developments in this area closely. We will be meeting with the Home Office and other key stakeholders throughout the transition to provide advice and to ensure that any data protection and FOI concerns are fully considered.

    Contact: Meagan Mirza

    4.5 Criminal record disclosures

    Criminal justice is one of the information rights priority issues and we have been trying to influence government policy to address some of our concerns about criminal records. The Independent Advisor for Criminality Information Management (Mrs Sunita Mason) published phase two of her review of the criminal records regime. Strategic Liaison was a member of her advisory panel and was interviewed separately as part of the review process.

    Future work: We will be pressing for the implementation of recommendations and include this in our work on the Protection of Freedoms Bill, particularly on enforced subject access.

    Outcome: Many of our longstanding concerns have been reflected in the recommendations in her report. These include restricting disclosure of PNC information, examining the possibility of an independent body looking after criminal records rather than the police and including offences like s.55 of the DPA as offences recorded on the PNC. There is also a recommendation that basic criminal record checks should be introduced in England and Wales with comments that Section 56 DPA making enforced subject access unlawful should be commenced as soon as possible. The government has responded positively to nearly all recommendations and particularly good news is that they will commit to looking at Disclosure Scotland providing the basic disclosure for England and Wales. This would mean enforced subject access is made unlawful at long last.

    Contact: Jonathan Bamford

    5. Public Service Sector

    5.1 Medical Research

    The topic of the sharing of medical research data, the restrictions in doing so and the view from the ICO is heightening.

    Future work:

    Developing our ‘key messages’ in regard to research data in a bullet point list to ensure that all areas of the office understand the ICO stance with regard to anonymisation, the balance between privacy and openness

    Working with colleagues to gain a better understanding of the broader European approach to the issues.

    Including the issue in a draft letter from the Commissioner to Sir David Nicholson which will update the Chief Exec. NHS in regard to present ‘hot topics’

    Capitalise upon opportunities to communicate the ICO view

    Outcomes:

    We met with Peter Knight, Director of Dept. of Health’s Research Capability Programme to discuss the programme’s pilot work on medical research.

    Continue to be involved on the ‘Honest Brokers Project’. The NHS Information Centre is likely to be the first Honest Broker however there is still some work to be completed in relation to the detail of the proposals.

    We met with the new Health Research Authority who will have responsibility in the new structures for authorising research.

    Contact: Dawn Monaghan

    5.2 NHS De-identification standard

    Work includes: Policy Delivery have been attending meetings of the project board for the NHS de-identification standard for health records. The NHS standard will define the methods NHS bodies should use to anonymise health records.

    Future action: The ICO will provide comments on the draft standard and will ensure that this work joins up with the ongoing work on the code of practice on anonymisation, which is due to be published for consultation at the end of March 2012.

    Contact: Iain Bourne

    5.3 Identification of problem/priority areas in the Health sector

    Health is a priority area and current work includes conducting quarterly analysis on complaints/enquiry/enforcement/audit trends and then trying to ascertain the causes. One cause identified is the lack of training and engagement of the medical profession in information governance.

    Future Work:

    Follow through on the processes and vehicles we can use in conjunction with key stakeholders in communicating clear, consistent and memorable messages to the medical profession.

    Draft a business plan detailing the scope and advantages of using Y Touring Company to tour universities and perform to undergraduates.

    Meeting with the Royal College of General Practitioners to explore ways in which to engage this sector.

    Outcomes:

    Discussed with Stephen Powis, Medical Director at the Royal Free Hospital in Hampstead who agreed that this topic is becoming increasingly important. He has offered support in helping us get this message across to the relevant bodies responsible for the overarching provision of post-graduate medical training in the UK.


    Discussion with Paul Buckley, Director of Training at the GMC who has agreed to work with us to improve the awareness and quality of IG training in the undergraduate, post graduate and refresher training courses.

    Met with Nigel Townsend Y Touring Company, who has developed a theatre play/debate dealing with the importance of information governance in the medical arena.

    Contact: Dawn Monaghan

    5.4 Misuse of FAX

    This issue is prevalent in the Health sector and Local Government. Statistics from our complaints work and reported breaches show little slowdown in the use of the tool to communicate sensitive personal data even though Civil Monetary Penalties have been served in relation to the topic.

    Future Work:

    Draft ‘key messages’ regarding the use of FAX for use when in contact with stakeholders, for inclusion in the E newsletter.

    Work with DoH, DCLG and LGA to reiterate the policies and guidance in relation to the use of FAX, ensuring that the ‘message’ is DON’T use FAX for the transfer of personal data when more secure means are available.

    Include the misuse of FAX in an ‘update’ letter to Sir David Nicholson

    Outcomes:

    Contacted key stakeholders in Health and Local Gov. to reiterate the problems we have identified with the use of FAX

    Provided Enforcement with the DoH policies and guidance in relation to the use of FAX.

    Contact: Dawn Monaghan

    5.5 Trend detected in Local Government DPA Breaches/information relating to vulnerable individuals

    An increased number of breaches and complaints are being received relating to activities in local authorities. In working with internal departments trends have been identified:


    Lack of DP awareness and in particular around security and training in connection with the transportation and off-site use of paper records, especially in the social care field:

    Local authority social care professionals are treated differently from other local authority staff eg they are regarded as professionals and so less training is provided:

    Seven out of the nine Civil Monetary Penalties served have centred on social care.

    Contact: David Evans

    5.6 Notification of Councillors

    The requirement for councillors to notify remains a live issue politically (but note elsewhere in this report the high number of new councillor notifications).

    Future work:

    Discussions with MoJ and DCLG to clarify positions

    Developed ‘line’ to be communicated through key stakeholders and appropriate channels.

    Outcomes:

    Discussions with National Association of Local Councils about the work being undertaken by the MoJ and the DCLG and confirmation communicated that until discussions were completed the ICO would not be actively pursuing councillors for non-notification.

    Contact: David Evans

    5.7 CCTV including audio in taxis

    We have been considering the use of CCTV with sound recording in taxi cabs in Oxford and Southampton. We have concerns that the policies and practices in these locations are contrary to our CCTV code, and that if we do not follow through other local authorities throughout the country may adopt a similar stance.

    Future work:

    Await response from Oxford required by end of Jan 2012

    Ensure that the authorities change their policies and procedures to follow the guidance in the CCTV code of practice.

    Issue communication to reiterate our stance on the issue

    If refusal to change pass to enforcement team.


    Outcomes:

    Considerations of the present policies and justifications put forward by Oxford council.

    Discussions with Oxford and Southampton Councils.

    Letters written to the authorities to reiterate our stance and to ask for their response.

    Contact: David Evans

    5.8 Embedding Information Rights into the education systems of the United Kingdom

    The University of Edinburgh has completed phase one of its research study. It has concluded that it is feasible for the ICO to take work forward to meet this objective and suggested various options. The report and a decision on whether to commission phase two of the work will be taken at the next meeting of the Information Rights Committee (IRC).

    Future work:

    IRC to take decision as to whether to proceed to phase two practical detailed proposals and if so commissioning of Phase Two

    Outcome:

    Phase one report received on time, considered by cross office group and recommendations made to IRC.

    Contact: Jonathan Bamford / Victoria Cetinkaya

    6. Business and Industry Sector

    6.1 Motor Insurance Bureau Database

    We have been working to assess the data protection and privacy risks associated with the ‘askMID’ roadside insurance checking service. A driver who has been involved in an accident can use that service to access the MIB database at the scene of the accident by using a mobile device. In doing so, the driver can ascertain if other drivers involved in the accident are covered by a valid insurance policy.


    Future work:

    MIB are to remain in contact with BIG in order to discuss the askMID service and future proposals regarding use of MID.

    Outcome:

    The information returned to the searcher is not detailed enough to represent a significant privacy risk and this service could be presented as providing a new and convenient way of accessing data via a smart phone. However, BIG arranged a meeting with MID to remind them of the need to ensure that security is adequate and take into account perception issues – how third parties might react if someone looks up their details at the scene of an accident. MIB also told not to proceed with plans to use a database search to initiate a claim with the requestor’s insurer. Issues surrounding referral fees and the transfer of data in the insurance industry make this a contentious issue and we felt this could be a step too far in terms of the purposes for which the service has been established.

    Contact: Alastair Barter

    6.2 Privacy and Electronic Communications

    We have been working on guidance and our enforcement approach relating to revised cookie rule.

    Future work:

    Publication of the guidance and associated activity has led to meetings arranged with British Retail Consortium, Google and Pharma industry on their compliance efforts. Further work will be undertaken to support the International Chambers of Commerce efforts with regard to provision of better information to individuals. Discussions with Consumer Focus and Which about basic information aimed at users.

    Outcome:

    We have undertaken numerous meetings and speaking engagements involving marketing industry, government, internet companies. Along with Policy Delivery, we prepared and disseminated the updated guidance. This guidance and IC’s report was published in early December, supported by press activity and speaking engagements.

    Contact: David J Evans


    6.3 CCTV-Internet Eyes

    We are concerned to protect the public from unwarranted risks arising from irresponsible use of CCTV technology.

    Future work:

    Scrutiny of their activity, liaison with colleagues in Enforcement

    Outcome:

    Internet Eyes have been the subject of a great deal of regulatory attention. Their controversial scheme raises a number of significant privacy concerns. Short of formal enforcement action we have to make sure that the risks we have identified do not arise in practice. The company were determined to introduce a new element to the service which involved sending personal data overseas. Strategic Liaison made them aware of the compliance risks but the company remained set on a course of action ICO could not live with particularly in light of the fact that the company had already signed formal undertakings. Strategic Liaison arranged to meet a representative of the company and explain that the risks were real and significant and that the consequences of them going ahead with the plan were far from trivial. The company agreed not to implement the plan even though it severely impacts on the potential for growing the business.

    Contact: David J Evans

    7. National Regions

    Wales

    7.1 National Assembly for Wales: Information Rights Awareness

    Work includes:

    We have built on the work of the previous quarter by providing information rights awareness training for Labour and Plaid Cymru Assembly Members, in liaison with the Assembly Commission. The session with Plaid was particularly constructive, with almost 100% turnout and positive engagement with the agenda, evidenced by the discussion and issues raised.


    Future action:

    Follow-up training for AMs’ support staff is planned for the next quarter, again on a party political basis. We also have meetings arranged in January with the First Minister and the Presiding Officer (Wales equivalent of the Speaker), with Christopher Graham. This is primarily ‘meet and greet’, although the meeting’s agenda will also cover the Welsh Government’s FOI compliance record.

    Outcomes:

    In addition to raised levels of awareness, the sessions have led to subsequent discussions on specific IR issues with individual AMs, and also with the Minister with specific responsibility for Freedom of Information.

    Contact: Anne Jones

    7.2 Welsh health sector: NHS Wales Informatics Service (NWIS)

    Work includes:

    We have continued our involvement with NWIS this quarter on several levels. Firstly, at the quarterly meeting of the NHS Wales Information Governance Board (WIGB). This is the Welsh equivalent of England’s NIGB. Officially, we only have observer status at the Board, however in practice, we have significant input and our opinions are actively sought. The purchase of ‘Fair Warning’, a system to audit staff access to electronic records, and issues around email security formed a large part of the discussions. Secondly, we have advised on the collection of data for equality monitoring of NHS staff across Wales. Regulations created for Wales as a result of the Equality Act 2010 are considerably more prescriptive than in other parts of the UK, and adequate levels of security and access control around this sensitive data are already causing significant problems. Thirdly, we are now regular attendees at WHIGNET meetings, a network specifically set up for information governance staff in NHS Wales.

    Future action:

    Participation in future NWIS and WIGB meetings, contributing in terms of advice and sharing our experience as regulator. Implementation of the Equality Act Regulations will require further discussions, not only in relation to NHS staff but also to patients.

    Outcome:

    Advice on common causes of NHS security breaches has been noted and is likely to result in a renewed focus on staff training and awareness around the issue of email security, and our powers to issue monetary penalties have added considerable leverage to the argument in favour of the purchase of the auditing software.

    Contact: Anne Jones / Alex Mathias

    7.3 Wales Audit Office

    Work includes:

    We have renewed contact with the Wales Audit Office, exchanged updates on relevant areas of work and identified areas where an element of working together might be to mutual advantage. The WAO is currently undertaking data quality audits in the Welsh health sector, and also has plans to review the effectiveness of the Caldicott self-assessment arrangements within Wales. We also discussed the possibility of closer working between WAO and ICO through a shadowing/secondment opportunity in both directions.

    Future action:

    An awareness session will be run for WAO staff in the new year, the secondment issue will be investigated further on both sides, and the WAO will keep us informed on the Caldicott audit, with a view to our involvement, if appropriate and feasible.

    Contact: Anne Jones / Alex Mathias

    7.4 Powys County Council CMP and Big Brother Watch report

    Work includes:

    As expected, the issuing of the largest CMP to date to Powys CC caused ripples across the whole of the public sector in Wales, and led directly to contact from several organisations, for example the Children’s Commissioner for Wales. BBC Wales linked the issuing of the CMP to the Big Brother Watch report on UK local government security breaches, which resulted in TV and radio interviews, and the ICO being widely quoted in the local Welsh media.

    Outcome:

    We plan to work more closely with the Children’s Commissioner in the future, and have identified areas where our agendas coincide, for example in the initiative to embed information rights into the curriculum within Wales.

    Contact: Anne Jones / Alex Mathias

    7.5 Schools self-assessment audit (Good Practice)

    Work includes:

    Good Practice’s recent pilot for self-assessment audit in schools in the Merthyr Tydfil area has generated significant amounts of interest in the education sector in Wales, and although the project itself will now be rolled out across the rest of the UK, within Wales we intend to capitalise on the local appetite for the pilot, and have begun promoting it beyond the Merthyr area.

    Outcomes:

    Awareness of the pilot has generated requests for ICO representation at meetings, and for awareness sessions. We now have upcoming meetings with the North Wales Information Governance Group in Anglesey, and with the Association of Directors of Education in Wales (ADEW).

    Contact: Alex Mathias

    Northern Ireland

    7.6 Steps to Work Programme

    Work includes:

    Advising on good practice regarding the registration of participants in the Steps to Work Programme with the NI Dept of Employment and Learning (DEL) following our discovery that DEL was advocating immediate faxing of registration forms from participating voluntary organisations for auditing purposes. These forms included name, d.o.b. and NI nos. After our intervention, DEL undertook to revise their procedures in relation to this programme.

    Future Action:

    Revised procedures will be submitted to the NI office for comment prior to their adoption.

    Outcomes:

    Improved practice in transmission of personal information.

    Contact: Nigel Treanor

    7.7 Department of Health, Social Services and Public Safety (DHSSPSNI)

    Work includes:

    Provision of advice to the DHSSPSNI surrounding the handling and use of patient information including the data protection implications for the administration of a scheme identifying cancer patients eligible for a one-off fuel allowance payment. This scheme was being funded by the Office of the First and Deputy First Minister and the ICO was contacted following its announcement by the First Minister. Recommendations in relation to good information handling were made to DHSSPSNI as a part of this advice.

    Future action:

    Continued support where necessary relating to operational aspects of the scheme.

    Outcomes:

    The work will help to build data protection safeguards into the running of this scheme and help to strengthen working relations between the ICO and DHSSPSNI.

    Contact: Catherine Vint

    7.8 NI DNA Database

    Work includes:

    Acting as an observer on the newly-established Governance Board of the NI DNA database to advise on compliance with the DPA (and FoIA) as required.

    Future action:

    Consideration of the draft terms of reference of the Board and, in particular, the implications for the control of the Board.


    Outcomes:

    Ongoing advice regarding good practice in data handling of sensitive personal data.

    Contact: Ken Macdonald

    Scotland

    7.9 Data Linkage Operations Group

    Work includes:

    Membership of a multi-disciplinary working group to explore the feasibility of establishing a Scotland-wide Data Linkage Framework for Statistics and Research. Established by the Scottish Government, the Group is working with a wide range of partners to establish a collaborative framework that will facilitate data linkages for research and statistical purposes, to be conducted safely, securely, legally, ethically and efficiently.

    Future action:

    Continued participation in the Group to provide advice and support to ensure privacy risk is identified and addressed.

    Outcomes:

    Increased awareness and credibility of the ICO as Regulator and source of advice and support.

    Contact: Maureen Falconer

    7.10 The Scottish Justice System

    Work includes:

    Promotion of good practice in various agencies involved in the justice system. This draws in part upon previous work with the Scottish Children’s Reporters Administration (SCRA) but also includes the Scottish Government Justice Directorate, the Scottish Prison Service, Children’s Hearings Scotland, the Parole Board Scotland and Rape Crisis Scotland.

    Future action:

    As well as providing guidance on the development of policies and procedures, it is expected that the Justice Directorate will be included in the forthcoming audit of the Scottish Government, while smaller scale compliance reviews will be undertaken locally.


    Outcomes:

    Improved handling of information within and between organisations in the Justice System.

    Contact: Sheila Logan

    7.11 Data Sharing in the “Tell Us Once” Programme

    Work includes:

    The provision of advice to the Registrar-General of Scotland regarding the disclosure of registration details by Local Registration Officers to the Dept of Work & Pensions in relation to the “Tell Us Once” programme

    Future Action:

    Further discussions with the Registrar General and local authorities.

    Outcome:

    A consistent approach to the disclosures being made by the Registrar General and the LROs

    Contact: Ken Macdonald

    8. International Activities

    8.1 Review of EU Data Protection Directive

    We are continuing to work with our European colleagues to provide a collective response to future proposals to amend the Directive and align this with our work at national level on possible changes to UK law.

    Future action:

    We expect the publication date of the legislative proposal to be 25 or 26 January.

    Once published the cross-office group will carry out detailed analysis of both legislative proposals to develop the ICO view.

    We will publish initial views using the blog and intend to hold Q&A sessions with staff to answer any questions such as on ICO policy views and the legislative process.


    We will take part in the Art 29 future of privacy subgroup meeting in January to prepare an initial Art 29 response.

    Outcomes:

    We have organised a stakeholder event for MEPs at the European Parliament, hosted by Sarah Ludford, for 28 February 2012.

    Contact: Emma Butler

    8.2 Article 29 Working Party

    We take part in the Working Party and try to ensure that its work takes account of our own information rights approach. The meetings and our involvement in the work fulfil our legal obligation to co-operate with other DPAs under the Directive and national law.

    Current work includes:

    Opinions on biometrics; cloud computing; facial recognition

    European Commission questions relating to the Foreign Account Tax Compliance Act (US legislation)

    Future action:

    Subgroup meeting in January to prepare final work programme 2012-2013 to be adopted at the February plenary.

    Health data subgroup to submit opinion for adoption at February plenary on EpSoS pilot project (exchange of medical records within the EU)

    Outcomes:

    A29 opinion in response to on-line behavioural advertising code of practice adopted

    Borders, Travel and Law Enforcement (BTLE) subgroup: letter to European Parliament (following their request for input) setting out views on EU-US PNR agreement adopted and sent.

    Letters adopted relating to PCAOB (US tax authority); internal market information system; and IATA (air travel).

    Contact: Emma Butler


    8.3 European Open Strategy – review of the European Public Sector Information Directive

    Work includes:

    On 12 December the European Commission announced a series of proposals to amend the Directive on the re-use of Public Sector Information and to promote Open Data. The Commission proposes to update the 2003 Directive on the re-use of public sector information by:

    Massive expansion of the reach of the Directive to include libraries, museums and archives for the first time; the existing 2003 rules will apply to data from such institutions

    Making it a general rule that all documents made accessible by public sector bodies can be re-used for any purpose, commercial or non-commercial, unless protected by third party copyright;

    Establishing the principle that public bodies should not be allowed to charge more than costs triggered by the individual request for data (marginal costs); in practice this means most data will be offered free or virtually free of charge, except where charges are properly justified

    Making it compulsory to provide data in commonly-used, machine-readable formats, to ensure data can be effectively re-used

    Introducing regulatory oversight to enforce these principles

    The National Archives and the Cabinet Office will have the joint policy lead on negotiating the Directive and the ICO have been in contact with them about the implications of the proposals. The proposals are of interest to the ICO as access to information and re-use are increasingly converging as part of the open data agenda. Amendments to the FOI Act in the Protection of Freedoms Bill put regulation of re-use on the face of the Act for the first time.

    By invitation, Graham Smith attended a board meeting of the Advisory Panel for Public Sector Information (APPSI) in December. APPSI has a regulatory role under the Re-use of Public Sector Information Regulations. The purpose of the meeting was to discuss the future of FOI and re-use regulation, and touched on the prospective future roles of the ICO and APPSI in this area.

    Future work:

    The ICO will discuss the implications of the Directive with the Cabinet Office and the National Archives. The ICO has been invited to speak at a European Conference on the re-use of public sector information on 23/24 January.

    Contact: Steve Wood


    8.4 EU-level supervisory bodies

    This work covers the Europol Joint Supervisory Body, the Schengen Joint Supervisory Authority, the Customs Joint Supervisory Authority, Customs co-ordinated supervision with EDPS, and Eurodac supervision. The UK is only an observer at the Schengen JSA. We have a legal obligation to attend these meetings and be involved in the work, in particular as regards supervision at national level.

    Current work includes:

    Written report of second TFTP inspection (Europol’s role in providing data to US Treasury on bank transactions)

    Europol new way of working with analysis work files.

    Future action:

    Draft activity report 2008-2011 being produced

    Europol JSB annual March inspection: UK expected to be part of inspection team

    Customs JSA working document on list of authorities having access to CIS and FIDE: DPAs to check whether national authorities fulfil requirements via a checklist by 15 March 2012.

    Customs JSA working document on data subject access rights: DPAs to send questionnaire to national bodies and get replies by the end of May 2012.

    Outcomes:

    UK participation in Europol JSB inspection team.

    Contact: Emma Butler

    Other international co-operation

    Work includes:

    Overseas visits to ICO

    Co-operation with other DPAs – queries and cases; information sharing and enforcement

    Reviews of data protection legislation / frameworks


    Future action:

    International conference working group developing practical tools for DPA information sharing and enforcement co-operation: developing work programme / tasks.

    Enforcement co-operation meeting hosted by Canada in May to look at key issues of concern as well as to report back on working group progress.

    Input into developing GPEN (Global Privacy Enforcement Network).

    Next phase of accountability project: February meeting.

    Outcomes:

    Enforcement co-operation resolution co-drafted by UK adopted at international conference.

    UK to co-chair with Canada the working group developing practical tools for DPA co-operation.

    Contact: Emma Butler
