ICO e-newsletter - 10th Edition

This newsletter provides a round up of freedom of information and data protection developments and outlines information and guidance available from the Information Commissioner's Office (ICO).

The ICO's annual report was presented to Parliament on 14 July and launched a day later to stakeholder audiences in central London. The presentation of the report coincided with enforcement notices against HMRC and the Ministry of Defence. The presentation also included comments by Richard Thomas on speculation that the Home Office is planning a database to hold details of the telephone and internet communications of the entire British population.

View annual report and summary

Read accompanying press release

Read extracts from Richard's speech

The government is seeking views on proposed changes to the inspection powers and funding arrangements of the Information Commissioner's Office. Specifically, there are proposals to:

• promote good practice;
• ensure compliance by enhancing the Commissioner's inspection powers under the Data Protection Act 1998; and
• amend the structure for funding the Information Commissioner's data protection duties.

MOJ consultation - ICO inspection and fees

The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the ICO. This new legislation will, when it comes into force, give the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

View ICO press release

In June the ICO appointed a new Assistant Commissioner for Northern Ireland. Aubrey McCrory will lead the Belfast office, developing links with central and local government as well as representative groups. He will have responsibility for engaging regularly with organisations and public authorities across Northern Ireland to raise awareness of the role and functions of the ICO in Northern Ireland, resolving freedom of information complaints and advising on data protection issues in the private, public and community and voluntary sectors.

In July three new senior case officers will join the Belfast Office to undertake a range of complaints and advice work.

The ICO is pleased to present two major developments to the website www.ico.gov.uk - a refreshed homepage and a much-improved search facility.

Both are designed to improve the service we give to our customers through our website, and are the result of detailed user testing conducted last year. Regular users will notice that the homepage is now much more 'newsy' and dynamic. It includes a scrolling news feed and clearer links to get you to where you want to go, while the left-hand menu, 'quick links' drop-down list and other familiar features remain. The new search employs the ease of use and functional benefits of Google into our site. For more information about our use of Google, read our privacy statement.

The ICO's Disability Equality Scheme has now been finalised. It has changed considerably from the draft, as a result of valuable feedback from staff and stakeholders.

Disability equality scheme.

If you have a disability and require any assistance when accessing ICO services, please contact the helpline on 08456 306060 or 01625 545745 where a member of the Customer Services Team will be happy to help.

Despite more than 20 years of data protection legislation in the UK and efforts to encourage the adoption of privacy friendly technologies, adoption of these technologies is still low, and rather than building in data protection and privacy safeguards, they are bolted on at a later date. The ICO is about to start work on a project aimed at exploring privacy by design. It will explore the barriers to uptaking privacy-enhancing technologies as well as to the culture of designing in privacy protection. It will look at, some of the solutions available and what needs to be done to improve the level of engagement in this area.

With the current drive for increased information sharing, large centralised databases and increasing use of biometrics, the ICO sees the concept of privacy by design as being an essential safeguard against potential threats to individuals' information and privacy. The ICO wants to bridge the gap between what is possible and what is being implemented in both the public and private sectors.

As part of this project, the ICO will publish a report which will form the basis for a conference to be held in December of this year. Anyone wishing to get involved should email Judith Jones at judith.jones@ico.gsi.gov.uk.

The ICO is about to start work on a code of practice dealing with all aspects of collecting information about people. This is one of the most important areas of data protection, but also one where levels of compliance are extremely variable. The code will address issues such as drafting privacy notices, standards of explanation for individuals and the issues that arise when collecting information about groups such as children.

We are very keen to illustrate our work with examples drawn from real life. So, if you have any examples of innovative, genuinely informative or otherwise appealing ways of explaining the collection of personal information, please send them to us. We are also keen on seeing examples of bad practice - the overly legalistic, the counter-intuitive or the downright deceptive.

If you would like to be part of a small critical reader and consultation group or if you have any examples please contact shona.ritchie@ico.gsi.gov.uk

The ICO is currently investigating a large number of complaints about automated telephone calls referring to 'debt reduction schemes' or 'government debt initiatives'. The messages usually ask the recipient to press '5' for more information.

Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 organisations should not make automated marketing calls unless they have prior consent. The ICO's enforcement team is currently investigating to establish who is responsible for making these calls and advising people who have received an automated call referring to a debt reduction scheme or initiative to complete a Privacy and Electronic Communications Regulations complaint form.

RAND Europe has been asked by the ICO to carry out a comprehensive assessment of the strengths and weaknesses of European data protection law and to identify promising avenues for reform.

We have commissioned the research amid growing fears that the current European Directive is no longer fit for purpose and because European data protection law needs to be modernised to meet the technological and social challenges of the 21st century. The research will consider how individuals' rights can be enhanced in a rapidly evolving information society and will provide EU bodies, national governments and the data protection community with proposals for improving regulatory approaches to protecting privacy and personal information.

The study will be published in Spring 2009.

Anyone wishing to help with this work, for example by participating in workshops or interview sessions, or by putting forward your own thoughts about the directive, should contact the research team at dataprotectionstudy@rand.org

The RAND Europe team, which also involved time.lex and GNKS-Consult, won the ICO's competitive tender against 19 other bids.

The ICO is pleased that the European Commission has recently announced its own study of the Directive. This is different to the ICO's work, but we see the two projects as being complementary and can see great advantages in the two studies being carried out together. The ICO will be encouraging the development of a mutually supportive relationship between the project teams.

Linked to its study on the Directive the European Commission is inviting applications with a view to setting up a group of experts to reflect on the data protection legal framework in the European Union

Click here for more information.

The ICO has published the findings of its Data Protection Officers' Conference. The conference took place in March this year and was attended by data protection officers working in the public, private and third sectors all over the country. The event was oversubscribed, with almost 400 individuals applying for the 120 places available.

Delegates took part in sector-specific workshop sessions focusing on data security and transparency. The outcomes of these workshops have been published on the ICO website along with the slides of speaker presentations and a summary of speaker topics. View outcomes

Speakers at the event included Amanda Chandler from Vodafone and Kathy Ford from Avon and Somerset Constabulary, who shared their experiences of the challenges facing data protection officers in the private and public sectors.

The ICO issues guidance in the form of good practice notes, 'It's your information' notices and technical guidance. Since the last newsletter in April the ICO has published the following new and updated guidance:

Updated guidance:

• Getting it right - A guide for small businesses
   
  
• Small business checklist
   
  
• It's your information - Unwanted marketing
   
  
• Data sharing between different local authority departments
   
  
• How does the Data Protection Act apply to recording and retaining professional opinions?

New guidance:

• Disclosure of employee information under TUPE

On 15 July 2008 the ICO served enforcement notices against HM Revenue and Customs and the Ministry of Defence. These followed the loss by HMRC of two compact discs holding the personal data of up to 25 million individuals and the theft of a Royal Navy recruiter's laptop computer holding personal data of up to approximately 600,000 recruits or potential recruits.

HMRC enforcement notice

MoD enforcement notice

On 30 June 2008 the ICO ordered Weatherseal Holdings Ltd, a double glazing company, to stop making cold calls to members of the public. The action has been brought following thousands of complaints from individuals to the ICO and the Telephone Preference Service

Weatherseal Holdings Ltd enforcement notice

The ICO is encouraging organisations in the public sector to seek recognition for good data protection practices by applying for a prestigious European award which aims to increase awareness of best practice in data protection around Europe. For further information see the awards website.

The main goal of the award is to raise awareness and promote sound data protection practice in the public sector throughout Europe. In previous years the prize has been awarded to the City Council of Vitoria-Gasteiz, the Government and Data Protection Commission of Austria, to the UK National Health Service and the City Council of Madrid.

The deadline for presenting applications to the Prize this year is 27 August.

On 20 June 2008 two private investigators pleaded guilty to obtaining and selling personal information after illegally 'blagging' the personal details of a customer from BT, in the course of a successful prosecution by the ICO.

Christopher Hackett, trading as Swift Investigations, and Darren Whalley of Managed Credit Services Ltd (MCS Ltd) were convicted of unlawfully obtaining and selling personal information at Wimbledon Magistrates' Court and fined £400 and £500 respectively. Both were also ordered to pay £400 towards prosecution costs.

The ICO's freedom of information Good Practice Team has been expanded and reorganised to produce and promote a programme of good practice among public authorities.

This will be done by providing targeted advice and developing new guidance for sectors and individuals, drawing on ICO knowledge, casework and Information Tribunal decisions. As part of this we will be revising the ICO's core set of freedom of information awareness guidance (approximately 30 items).

The team is organised on a sectoral basis and an important priority is to develop and maintain key stakeholder relationships with individual public bodies and forums in each of the sectors. Our new contacts are:

For local government, education and the police please contact:
david.evans@ico.gsi.gov.uk

For central government, health and other public bodies please contact:
sue.markey@ico.gsi.gov.uk

The ICO wrote to all public authority chief executives in May to urge them to release more official information. All public bodies have an obligation under the Freedom of Information Act to adopt a publication scheme which commits them to routinely publish certain sorts of information.

Present schemes expire on 31 December 2008 and a new model publication scheme, with definition notes for each sector, has been developed and approved by the Information Commissioner. Model publication scheme 2009

New schemes should be adopted by 1 January 2009 and the ICO will begin conducting spot checks shortly afterwards.

Following a decision notice served on the Police Service Northern Ireland (PSNI) in October 2007, the public authority instigated a review of its freedom of information procedures and policies. PSNI actively sought the involvement of the ICO throughout and we have contributed to and monitored the review and subsequent improvement plan. As part of this plan, PSNI organised an information management seminar in order to raise the profile of FOI and ensure that the relevant lessons were learnt and communicated throughout the service.

On 19 June 2008, over 100 senior managers from PSNI attended the seminar to hear presentations from the ICO's Deputy Commissioner Graham Smith and FOI Enforcement Manager John Pierre Lamb. For more details or receive a copy of the presentations please contact: JP.lamb@ico.gsi.gov.uk

The ICO welcomes the positive engagement and initiatives of the PSNI and will continue to work with the authority as they seek to improve their FOI request handling

During the first quarter of the financial year 2008/09 we received 707 complaints under the Freedom of Information Act and Environmental Information Regulations.

• 705 cases were closed;
• 58 decision notices were issued; and
• 21 appeals were received by the Information Tribunal in this period.

This diagram outlines FOI cases received and resolved up until the end of June 2008.

For details of all decision notices issued by the ICO go to the decision notices page of the ICO website.

Some decisions announced since publication of the last e-newsletter include:

ICO orders BBC to disclose annual staff costs for Eastenders.

The ICO's decision follows a request to the BBC for the total annual staff costs for the programme and the annual value of performers' contracts.

FS50115188 decision notice

ICO agrees that Commission for Local Administration in England (CLAE) were right not to disclose publicly available information

The ICO's ruling follows a request for copies of legal guidance provided to CLAE by its external auditors, the Department for Communities and Local Government and the Information Commissioner's Office.

FS50102256 decision notice

The ICO orders Mid Suffolk District council to release a commercial contract

The ICO ordered Mid Suffolk District council to release a contract with a commercial partner, including the financial details, concerning the work to carry out repairs and maintenance at Mid Suffolk Leisure Centre. The ICO has dismissed the possibility that releasing the contract would be likely to prejudice the commercial interests of the council or the contractor.

FS50131138 decision notice

The ICO orders the Department for Transport to release information

The ICO ordered the Department for Transport to release information relating to the proposal for a second runway at Stansted airport, under the Environmental Information Regulations.

FER0088851 decision notice

We welcome your comments on our e-newsletter. If you have any comments or suggestions please e-mail websitefeedback@ico.gsi.gov.uk

Unsubscribe: To stop receiving the ICO e-newsletter please follow the link.

The ICO is the UK's independent public body set up to promote access to official information and protect personal information.

We enforce the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations, regulating the organisations that come within their remits.

We provide guidance to organisations and individuals to promote awareness of information rights and obligations, ensure compliance with the law and encourage good practice.

We rule on eligible complaints and can take action when the law is broken.