Data Protection and Freedom of Information Update - January 2012
Monday 16th January 2012
Out with the old, in with the new.
The start of 2012 brought to an end a busy year for the Information Commissioner. High-profile businesses and the public sector alike felt the full force of the Data Protection Act in a number of high-profile breaches that hit the news in 2011.
'Openness, transparency, education and awareness' - just some of the buzz words for 2012 published by the ICO in its pre-Christmas strategy document. Let us not then dwell on the past, but look ahead to 2012.
The highly anticipated European Union draft legal framework for the protection of personal data was published in November last year. The EU's objective, "to establish a harmonised and coherent framework allowing for a smooth transfer of personal data across borders within the EU", recognises that building trust in online technology is critical to sustained growth between Member States.
There is no word yet on when the new framework will be implemented, but it is expected to introduce, amongst other things, the compulsory notification of all data protection breaches within strict time limits and a penalty structure calculated on a percentage of global annual turnover, rumoured to be as high as 5%.
The increasing use of mobile technology is likely to create another buzz word for 2012 - 'encryption'. A number of breaches by public sector health care providers in 2011 highlighted the risk of personal data getting into the wrong hands - lost and stolen laptops, USB sticks - whilst often innocent mistakes lead to serious data protection breaches. Losing client trust and brand equity, together with the risk of losing corporate IP and possible ICO-imposed penalties, means losing control of personal data is an expensive mistake.
26 May 2012 should already be a date on the organisational calendar. This key date ushers in the Privacy and Electronic Regulations 2003, which are fully implemented after a 12-month grace period. The regulations require businesses and organisations in the UK to obtain consent from website visitors before storing non-essential cookies on users' computers. Following this grace period, the ICO will take action against non-compliance. Website operators should ensure that they are fully aware of their obligations and must be able to show that they are taking positive steps toward compliance before the 26 May 2012 cut-off date.
It is clear that 2012 brings a number of challenges and additional compliance costs to businesses. The ICO has already identified the risk of businesses cutting 'data protection corners' in a persistently difficult economic climate. The ICO emphasis, however, remains one of deterrence through education and the encouragement of the private and public sector to take a responsible approach to data protection. Ultimately the risk of losing brand reputation and having to destroy non-compliant data may prove to be a greater deterrent than statutory fines.
Arguably the public are set to benefit from increased regulation at a time of rapid advancement in global technology. The economic and social landscape is changing and personal data, identity and virtual identities are increasingly recognised as a commodity - to be valued and protected.
Decision Notices
Case Ref: FS50369264
Public Authority: Rickmansworth School
Summary: The complainant requested information relating to the tendering of a cleaning contract in 2010. The school failed to provide the information within the statutory timescales. On the intervention of the Commissioner the complainant was provided with the required information. The complaint was upheld but no further action was required by the School.
Case Ref: FS50412611
Public Authority: University of Warwick
Summary: The university's failure to provide an electronic copy of a document held in its Modern Records Centre prompted a complaint to the Commissioner. The university justified its decision by reference to section 21 of the Freedom of Information Act - that the material was already available in another form. The Information Commissioner upheld the university's decision and no further action need be taken.
Case Ref: FER4014857
Public Authority: HM Treasury
Summary: A complex and lengthy request for information was made to HM Treasury which centred on the Government initiative to encourage the production of green energy through the installation of wind turbines.
The complainant, making the observation that currently all wind turbines were manufactured overseas and imported into the UK, asked for information that would allow a comparison of various tax calculations. The Commissioner found that HM Treasury had failed to issue a valid refusal notice within the specified period and in addition had relied on the incorrect regime. The Commissioner held that the request should have been dealt with under Environment Information Regulations and not the Freedom of Information Act. HM Treasury subsequently provided the requested information under the EIR and whilst the complaint was upheld no further action by the public authority was required.
Case Ref: FS50422187
Public Authority: Walberswick Parish Council
Summary: The complainant requested a copy of a speech made by a chairman at a local parish meeting. The Council refused to provide the information, as a result of which the complainant investigated the Council's internal complaints procedure. The Council had initially refused the complainant's request on the basis that the information was protected by legal professional privilege. Subsequently the Council refused the information on the basis that repeated and vexatious requests had been made under the authority granted to them by section 14 of the Freedom of Information Act. Following the Commissioner's involvement, the Council advised that they were not able to provide the information because it could not be located. The Commissioner held that on the balance of probability, the Council were not able to trace the required information, but recorded a breach of Section 10 of FOIA which requires that a formal response to a request for information be made within 20 days.
Ashfords LLP is Authorised and Regulated by the Solicitors Regulation Authority. The information in this note is intended to be general information about English law only and not comprehensive. It is not to be relied on as legal advice nor as an alternative to taking professional advice relating to specific circumstances. Links to other sites and resources provided by third parties are included for your information only. We have no control over the content and accept no responsibility for them.