Taking Information Rights Seriously

1
Taking Information Rights Seriously

• Steele Raymond Annual Lecture
• 16 November 2005
• Bournemouth University
• Richard Thomas
• Information Commissioner

2
Information Commissioners Mission

• Promoting public access to official information
  and protecting your personal information

3
Everyone Elses Mission

• "Know where to find the information and how to
  use it - that's the secret of success"
• Albert Einstein

4
Taking rights seriously

• Knowledge is power (Annual Report 2005)
• The key to both Data Protection and Freedom of
  Information
• Freedom of Information brings official
  information into the open (Power to the
  people)
• Data Protection safeguards information about
  individuals (Not too much information about
  people)
• Both focus on good information handling
• Both create important information rights

5
Freedom of Information

• Open Government The Right to Know
• Presumption of disclosure unless good reason for
  secrecy
• Trust in government
• Transparency is crucial to accountability and
  democratic process
• Brings knowledge to the people as the ultimate
  custodians of power
• Serves as a reminder that governments serve the
  people, not vice-versa

6
The Right to Know Jan. 2005

• Any person can make a Request.
• for any information held by any of 115,000
  public authorities
• Duty to respond within 20 working days
• Presumption of disclosure
• 23 exemptions most Qualified
• Greater public interest?
• Information Commissioner rules on complaints and
  promotes good practice

7
Examples of Exemptions

• Accessible by other means s.21(A)
• National security s.24 (Q)
• Prejudicial to Defence s.26 (Q)
• Prejudicial to law enforcement s.31(Q)
• Relates to formulation of government policy
  s.35 (Q)
• Endangering Health and Safety s.38 (Q)
• Personal information (breaching DPA) s.40 (A)
• Information provided in confidence s.41 (A)
• Prejudice to commercial interests s43 (Q)

8
Public interest test

• Public Interest considerations favouring
  disclosure include
• Informing debate on key issues
• Promoting accountability and transparency for
  decisions and spending
• Tackling fraud and corruption
• Promoting probity, competition and VFM
• Helping people understand and challenge decisions
  affecting them
• Clarifying incomplete or misleading information
• Promoting health and safety

9
Freedom of Information - Emerging Impressions

• High media profile
• Making an impact - being taken seriously
• Larger public bodies generally well-prepared
• Significant disclosures achieved
• Refusals largely unchallenged
• Resource intensive in early days
• Boundaries being tested
• Culture changing, but not yet changed

10
Progress report

• Requests to government (June) 21,867
• Requests to all public auths. (June) 60,000
• Complaints Received by ICO (Oct) 2,034
• Cases Closed 709
• Open Cases 1,325
• Decision Notices 70

11
Variety of Disclosures

• Cost and use of official cars
• Restaurant health inspections
• Compensation paid to IRA suspects
• Attempts to stop Zimbabwe cricket tour
• Wounded in Iraq
• Fraudulent expense claims during F M crisis
• Heart surgeons performance rates
• Discrimination by universities
• CJD in school dinners

12
.details disclosed under the FOI Act. (Press
cuttings for one weekend - 24/10/05)

• Govt. thinking on plans for freight railway from
  Liverpool to Channel Tunnel
• E-mails about Tate Gallery decision to buy art
  from Trustee for 700,000
• Vaccinations in 1st Gulf War
• Increases in knife crime
• Declining school standards
• HMT mooting of inflation target in 1990
• 800,000 spent on investigation into death of
  Princess Diana in 1st year
• 50,000 p.a. for armoured car driver for PMs
  wife
• NO details of 46k symposium of West / Islam
  culture clash

13
Taking Rights Seriously Data Protection 3rd
social issue

• Preventing crime 88
• Improving education 84
• Protecting personal information 83
• NHS 83
• Equal rights 81
• Protecting freedom of speech 80
• National security 78
• Environmental issues 74

14
Top concerns include.

• Passing details to unknown organisations 85
• Not keeping information securely 85
• Using information for unintended purposes 84
• Requesting too much info. 74
• Holding info. for too long 69

15
DP The legal framework

• ECHR Article 8
• Right to respect for private life subject to
  what is necessary in a democratic society in the
  interests of national security, public safety or
  the prevention of disorder or crime etc.
• DPA 1984
• EU DP Directive 1995
• Data Protection Act 1998
• Privacy Electronic Communications Regulations
  2003

16
Rationales for Data Protection

• Ensures transparency, access, accuracy and
  security of personal information
• Prevents too much information about the
  individual being held by government, commercial
  and voluntary organisations
• Restrain the power which would come from others
  having too much knowledge about our private lives
• A barrier to a Surveillance Society

17
Data Protection Principles

• Personal information (mainly) on computer..
• Fairly and lawfully processed
• Processed for specified purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept longer than necessary
• Processed in accordance with individual's rights
• Kept secure
• Restrictions on transfers outside EEA

18
Data Protection Rights

• Information about how your personal information
  will be used
• Opt-in, opt-out and other choices
• Restrictions on disclosures
• Subject Access right to a hard copy
• Prevention of harmful processing and direct
  marketing
• Rectification, blocking, erasure and destruction

19
ICO Strategic approach to DP

• Practical, down to earth approach to simplify
  for the majority who try to handle personal
  information well, and tougher for the minority
  who do not
• Enlightened self-interest, not red tape
• More effective for individuals
• Regulatory reform agenda

20
ICO Strategic Approach for DP

• Plain, straightforward guidance
• Demystify and simplify
• Address Data Protection myths
• Influence political agenda
• Helpline service
• Deal with individuals complaints - if legitimate
  grievance with substance and effective solution
• Selective to be Effective Regulatory Strategy

21
ICO Regulatory Strategy

• Purposeful action where obligations are
  deliberately or persistently ignored, examples
  need to be set or issues need to be clarified
• Targeted approach
• Initial drivers public concern, complaints,
  intelligence
• Choice of instrument - remedies, inspection,
  audit, enforcement, prosecution
• Criteria illustrative examples

22
Criteria

• Serious detriment to an individual
• Number of adversely affected individuals
• Need to clarify law or principle
• Risks of recurrence
• Need to set an example
• Remedial costs to organisation proportional to
  issue
• Deliberate, wilful or cavalier approach
• Responsibilities to those who are compliant
• No other means suitable
• Level of public interest
• Credibility of law and/or ICO

23
Illustrative examples

• Likely (especially after warning)
• Repeated security failures
• Just in case approach to holding detailed /
  sensitive data
• Adverse impact on career prospects
• Seriously intrusive marketing
• Professional breaches
• Denial of subject access to significant
  information

24
Illustrative examples

• Unlikely
• Accidental non-compliance
• Genuine small business ignorance
• Non-compliance which is not seriously intrusive
  or detrimental
• Other pressures may be more effective (e.g.
  reputational damage)
• Business vs. business dispute with no real
  detriment to customers
• Domestic breaches without abuse of trust

25
Current Data Protection issues

• Employment Code and Quick Guide
• Section 55 issues
• Identity Cards
• Childrens Indexes
• Connecting for Health
• IT infrastructure, CCTV etc
• Sleep-walking into a Surveillance Society?

26
Self-interest? Confidence in info-handling by
organisations

• Internet sites 16
• Retailers 20
• Telecoms companies 20
• Credit reference agencies 24
• Tax / benefits offices 30
• Govt. departments 42
• NHS 64
• Schools colleges 16

27
ChoicePoint

• Unauthorised access to personal data of 145,000
  citizens
• 750 frauds
• Share price dropped substantially 9 in one day
• Discontinued processing sensitive data
• Lost revenues 15 - 20 million
• Class action suits
• 11.5 million legal fees
• Requirements to notify all customers
• Citizens access to files

28
Taking Information Rights Seriously
29
Contact us...

• Information Commissioners Office
• Wycliffe House
• Water Lane
• Wilmslow
• SK9 5AF
• Switchboard 01625 545700
• Helpline 01625 545745
• e-mail mail_at_ico.gsi.gov.uk
• w/s www.ico.gov.uk