ICO condemns partial release of Operation Motorman files
The ICO has said that it was an irresponsible act to publish details of more than 1,000 alleged requests by News International journalists to the private investigator Steve Whittamore. The requests for information were for ex-directory telephone numbers, criminal record checks and vehicle registration details, and were published on 10 April by the Guido Fawkes website, run by blogger Paul Staines. The personal data of the victims had been redacted.
Staines understands that there have been two applications to the Leveson Inquiry on press standards to release the Operation Motorman files.
The ICO said it "strongly condemns" the partial publication of the Operation Motorman files, which include some 17,000 entries in total. The ICO recovered the Motorman files during its investigation into Whittamore in 2005. The ICO now says that many people have already made a subject access request to the ICO for their personal information contained in the notebooks, and that the ICO has established a fast-track service to speed up the process.
ICO outlines its position on US Patriot Act
Following a recent ICO seminar on cloud computing, the ICO says that ‘under normal circumstances a cloud provider is the data processor on behalf of the cloud client who is the data controller’. However, cloud providers that are asked to release personal data under the US Patriot Act, and do so, will be regarded as the data controller in respect of that disclosure.
‘This is because it is making the decision to disclose based on a legal obligation it is under regardless of the client’s wishes. Regulatory action against the client is unnecessary because the client has not acted wrongly simply because it has chosen a provider which is subject to foreign law enforcement agency requests. Regulatory action against a provider, in its role as a data controller, is unlikely because it is responding to a request it is legally obliged to comply with. However if the request comes from a country which has questionable rule of law – then we would have to consider the issue on the facts of the matter’, the ICO says.
The ICO is planning to issue guidance on the cloud, and will seek stakeholders’ input once the first draft is ready.
FOI covers information held on private email accounts
The ICO has decided that information held on a private email account, rather than an organisation’s email account, is information held on behalf of the organisation. This has implications for any organisation that allows personal IT use at work, as such emails are covered by FOIA. This case relates to the Department for Education, which may appeal within 28 days of the decision to the First-tier Tribunal (Information Rights).
The ICO issued a statement on 2 March:
“The Information Commissioner has issued his decision in the case involving a request for information in an email sent by the Secretary of State for Education on a private email account. The Commissioner’s decision is that the information amounted to departmental business and so was subject to freedom of information laws, being held on behalf of the Department for Education. The Department is now required either to disclose the requested information (the subject line of the email and the date and time it was sent) or issue a refusal notice in accordance with the FOI Act giving reasons for withholding it.”
The decision notice of 1 March is at www.ico.gov.uk/news/latest_news/2012/statement-department-for-education-decision-notice-02032012.aspx
Toshiba signs ICO undertaking after a security breach
The ICO has said that Toshiba Information Systems (UK) breached the Data Protection Act after the personal details of 20 competition entrants were compromised by a security flaw on their website.
Toshiba had accidentally posted entrants’ personal details, including names, addresses and dates of birth, as well as contact information, on their website. The web design error had been made by a third party developer, the ICO says.
Stephen Eckersley, the ICO’s Head of Enforcement, said:
“We are pleased that Toshiba Information Systems (UK) have committed to ensuring that any changes to applications on their website are thoroughly tested by both the developer and themselves, in order to keep the personal information they are collecting secure. We would urge other UK organisations with interactive websites to make sure they have suitable checks in place before collecting people’s details online.”
The commitment by Toshiba Information Systems (UK) to take action to keep the personal data they handle secure includes the introduction of appropriate and proportionate data security testing on relevant Web applications before they are launched.
The Undertaking can be seen at www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx
The programme for Privacy Laws & Business’s 25th Anniversary International Conference, Overcoming Privacy Hurdles, 2-4 July at Fitzwilliam College, Cambridge is now available at www.privacylaws.com/Documents/Annual%20Conference/ac25/AC25_programme.pdf