News

Police Roadside Checks

The Metropolitan Police Service (MPS) has announced it will no longer carry out roadside checks involving bailiff firms after a review took into account issues relating to “the legal position” and “trust and confidence in the police”. The checks had been suspended since May when campaign group NoToMob raised concerns about the operations.


It emerged that the MPS had not been following its own standard operating procedure, which states that roadside checks should only be carried out to pursue criminal warrants. NoToMob said it found that roadside checks in more than half of London boroughs mostly involved pursuing civil warrants such as unpaid parking debt.


The MPS ANPR Programme Board decided to review roadside stops after acknowledging there was a “risk in the potential for ill-planned operations, inadequate briefings and some civil enforcement agents inadvertently pushing the boundaries”. It said that vehicles could be stopped at the request of the bailiff with the “reasons not being made clear to drivers”. There was also the danger of vehicles being stopped for a policing purpose and then being “handed over” to the bailiff without an “explanation to the driver”. This, said the board, would lead to a loss of trust and confidence in the MPS.


As part of the review of roadside stops, the MPS carried out workshops, which were attended by NoToMob. In a letter to “interested parties involved in the review process” dated 16 December, MPS Commander Richard Martin said: “Having taken into account the legal position, stakeholder input, trust and confidence in the police and frontline policing practices, the Met will no longer undertake roadside operations with bailiffs. We trust this brings the matter to a conclusion for all involved.”


In a letter to Met Commissioner Bernard Hogan-Howe in April, NoToMob’s Graeme Jones stated: “I am given to understand that the cost of the Met side of these operations is borne by local tax payers through the local authority whilst the bailiff side of the operation is done free to the local authority. I think the public would be most concerned to know that their taxes are being used in connection with the Met for the recovery of civil parking and traffic debt.”

EU toughens data protection regime

Things were different in 1995. Netscape was the world’s most popular browser, an online bookseller in Seattle, Amazon, had just gone live on the net and Facebook founder Mark Zuckerberg was 11. It was also the year that the EU introduced its current data protection rules.

 

A lot has changed since then — Netscape is no more, Amazon has revenues of $89bn and Facebook has 1.4bn users a month. The Data Protection Directive, however, still provides the backbone of the EU’s regulations.

 

Now, after three years of wrangling among member states, MEPs and the European Commission, we are close to the introduction of new regulations that will update data protection laws. But how will this affect companies?

 

1. Things will be the same across all 28 member states.


At the moment, all countries in the EU technically follow the same rules, but they interpret them differently. This has led to what some critics say is a “privacy patchwork”. The current EU rules on data protection take the form of a directive, which gives national governments significant leeway in how they are interpreted and enforced.

 

“All the 28 states have loopholes,” says Jan Philipp Albrecht, the MEP tasked with steering the legislation through the European parliament. “There are so many provisions that you can always find a way out.”

But the new rules on data protection will be binding in all member states and must be applied in the same way, whether in Ljubljana, Lisbon or London. Companies should expect the same treatment wherever they operate.

 

2. If you step out of line, expect a fine.


The new rules will have teeth. Sanctions, which are currently being debated by governments, will be much higher than the numbers normally imposed by regulators currently.

Fines of up to €100m — or 5 per cent of global revenue — are being debated. This will be a big change to the status quo in many member states, where fines are often token amounts. Britain’s data protection regulator, for instance, can bill only £500,000 for any breaches.

“This will put data protection on the same level as antitrust in terms of sanctions,” says Ian Birdsey, a privacy expert at law firm Pinsent Masons.

 

Before, a data protection breach was a reputational problem. But under the new rules, any missteps could swiftly qualify for a hefty financial penalty, too.

 

3. You may have to deal with more than one data protection agency, as well as a European one.


The original proposal had plans for a so-called “one-stop shop”. This would have meant that a data protection authority in one country would deal with complaints related to a company based there. So, Facebook users in, say, Finland, would have to complain to the Irish data protection commissioner if they felt aggrieved by the social network, which has its European head office in Dublin.

 

But this idea has been diluted, after some governments complained about the difficulty and expense of complaining in a foreign country, sometimes in a foreign language.


 

Instead, one data protection agency will take the lead — but other agencies will be able to be involved and express an opinion. Disputes will be settled by a new supranational regulator.

 

Florence Raynal, head of the department of European and international affairs at CNIL, France’s data protection authority, says: “Multinational companies are doing business across 28 territories. It’s about having a balanced collaboration, with of course a main contact point for the business.”

 

But how this will work in practice is still to be decided.

 

4. All businesses will have to consider data protection in all their services.


Now that everything from bank details to baby pictures exists online, regulators and consumers are far more concerned about data protection.

Companies need to be aware of this and implement privacy by design, according to William Long, a partner at Sidley Austin, a law firm. “We want to move away from notional data privacy compliance,” says Mr Long. In many cases, a data protection officer will become mandatory for some companies above a certain size, although this is still being debated.

 

5. But there is still some waiting to do.


There will be plenty of legislative twists and turns before companies will see the new rules. Most governments — particularly that of Germany, where data protection is a key political concern — want the regulation finalised as quickly as possible.

 

Before the end of the year, the text will be hammered out behind closed doors between the European Parliament, the Commission and member governments. While the text will not be ripped up and started again, significant tweaks are still likely to occur before it is due to come into force.

 

Your tech is spying on you

Your tech is spying on you – and how to turn it off

Thanks to Alex Hern of The Guardian


So, your TV might be spying on you. It probably just wanted to join in with the rest of the technology in your life, because let’s face it: if you live in the 21st century you’re probably monitored by half a dozen companies from the moment you wake up to the moment you go to sleep. (And if you wear a sleep tracker, it doesn’t even stop then.)

Compared with some of the technology that keeps a beady eye fixed on you, the news that Samsung’s privacy policy warns customers not to discuss sensitive information in front of their smart TVs is actually fairly tame. The warning relates to a voice-recognition feature that has to be explicitly invoked, and which only begins transmitting data when you say the activation phrase “hi, TV”.

But other tech that spies on you might not be so genteel. The uncomfortable fact is that your personal data is just another way to pay for products and services these days.

The adage “if you are not paying for it, you’re not the customer; you’re the product being sold” was coined in 2010, a lifetime ago in web terms, but it’s as true today as it always has been. What’s changed now, though, is the number of ways companies are discovering to make sharing our data with them not something we grudgingly accept, but enthusiastically embrace. Sure, they tell us, you can turn it off. But do you really want to?

1. Facebook’s ‘like’ button

Even if you don’t use Facebook, you will have seen the company’s “like” button springing up in more and more places around the internet, like a nasty case of chicken pox. If you click on it, you can like the page of a company, person or brand, all without leaving the website you’re on.


And then there’s Facebook share buttons and Facebook comments, both of which hook in to the company’s servers to provide their own features. But it’s a two-way relationship: the price you pay for being able to interact with Facebook even without going to their website is that they can see the other websites you’re on, following you around the internet and using that information to better target ads and content to you back on the mother ship.

How to stop it: if you log out of Facebook when you’re done, the site’s ability to track your browsing is severely hampered. Of course, equally hampered is your ability to like things and comment on posts. Are you happy making that trade-off?

2. Smartphone location services

If you have an iPhone, try this: click on settings, then privacy, then location services, system services and frequent locations. You’ll notice a list of all the cities you’re in regularly. Click on any specific city, and you’ll find that your phone knows all the locations you frequently visit. For me, that includes my home, local tube station and office, but also the pub I play Netrunner in, the house of one of my best friends and the comics shop I frequent.

Don’t feel smug if you use Android instead: Google keeps just as copious notes on your location and, unlike Apple, it is stored in the cloud, where it can theoretically be subpoenaed by law enforcement or accessed by a suspicious partner who happens to know your password.

How to turn it off: both companies let you turn off location histories from the same pages you can look at yours. But if you do that, they’ll get a lot worse at giving you accurate and useful location suggestions. There’s that pesky trade-off again. (We can manage quite well without these data; we did before smart phones were invented – DPS)

3. Uber

Perhaps it’s no surprise that a company that sells you cheap cabs through a slick app keeps data on your journeys. And that data is well-used by Uber to reassure customers that their journey is safe: the company will show you your ride history as well as information about your driver which can be crucial for solving disputes or, if the worst happens, ensuring justice.

But Uber hasn’t got the best history of using that data well. The company has had to apologise before for accessing a journalist’s journey details in order to make rhetorical points, as well as remove a piece of “data journalism” looking at ride histories in aggregate to find out how many of their customers were using the service for one-night stands. They titled the post “rides of glory”.

How to turn it off: the best way would be not to use Uber. But there’s that trade-off again: old-school taxis, whether hailed from the street or called from a dispatch office, are going to end up charging you a lot more for your newly anonymous journey. (Few people outside London use taxis frequently so this wouldn’t be a problem. For Londoners, if you must, use Uber sparingly – DPS)

4. Mobile phone networks

Your mobile phone works by sending encrypted communications to and from masts, known as “cells”. Of course, especially in a built-up area, there’s likely to be more than one cell in range of your phone at any given time, and things would get confusing if they were all trying to run the call at the same time. So your phone pairs with one particular cell, and “hands off” to a new one when you move around (the annoying clicks you get if you leave a phone next to an unshielded speaker are your phone checking in with a cell, to confirm it’s still alive).

If you’ve been paying attention, you’ll realise what this means: your mobile phone network has a record of where you’ve been, accurate to at least the range of the closest phone tower. In practice, it’s probably quite a bit more accurate than that, as they can triangulate in using information from other towers in your area.

How to turn it off: stop using a mobile phone. Seriously, this one isn’t going away. If you’ve got a removable battery, you can try taking that out when you don’t want to be tracked, but whenever you turn your phone back on, your mobile phone network is going to know where you are. (Maybe you need rehab to cure your mobile addiction. You could use multiple phones which would screw up the pattern – DPS)

5. Exif data in your pictures

Did you know that digital photographs contain information about the picture? Known as Exif data, the standard was created to hold stuff that photographers might find useful to know alongside the image, such as the focal length and aperture they used while taking it. It’s used by professionals to embed contact information and copyright details, as well.

Of course, as with most standards, there’s been a bit of feature-creep, and these days, Exif data can contain a whole lot more information. In fact, if you’ve taken a picture with a smartphone, or even a modern digital camera, there’s a good chance that the picture records where it was taken using the built-in GPS. That’s great for building maps of your holidays, but not so good if you’re trading snaps with strangers.

How to turn it off: most cameras let you disable embedding location data in the files, but the good news is that social networks are one step ahead of you – and this time, they’re on your side. Facebook and Twitter both strip the metadata from images uploaded to the site, causing a headache for users who need the extra information but protecting those who don’t know that they’re uploading potentially sensitive data. (Uploading pictures of yourself taken at home to your own or a benign website means anyone can find out where you live. OK if you have no enemies but maybe you forgot to return a borrowed lawnmower from your old neighbour – and then there’s all those ex-girlfriends/boyfriends.... DPS)
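As an added illustration (not part of the original article), the Python sketch below checks whether a JPEG carries the Exif GPS directory described above and removes the Exif segment before the file is shared. The sample image is constructed inside the code, and the function names are this example's own.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory


def segments(jpeg):
    """Yield (marker, start, end) per segment; the last one runs from the
    SOS marker (start of compressed image data) to the end of the file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated or corrupt segment")
        yield marker, pos, end
        pos = end


def is_exif(jpeg, marker, start):
    """True for an APP1 segment whose payload starts with the Exif header."""
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_MAGIC


def exif_tiff(jpeg):
    """Return the TIFF structure inside the Exif segment, or None."""
    for marker, start, end in segments(jpeg):
        if is_exif(jpeg, marker, start):
            return jpeg[start + 10:end]
    return None


def read_ifd(tiff, order, offset):
    """Map tag -> raw 4-byte value/offset field for one image file directory."""
    if offset + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        raw = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        if len(raw) < 12:
            break  # directory runs past the end of the data
        tag, _type, _count, value = struct.unpack(order + "HHII", raw)
        entries[tag] = value
    return entries


def gps_tags(jpeg):
    """Return the sorted GPS tag numbers present, or [] if there are none."""
    tiff = exif_tiff(jpeg)
    if tiff is None or len(tiff) < 8:
        return []
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # little / big endian
    if order is None:
        return []
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        return []
    pointer = read_ifd(tiff, order, ifd0).get(GPS_IFD_TAG)
    return sorted(read_ifd(tiff, order, pointer)) if pointer else []


def strip_exif(jpeg):
    """Copy the file without its Exif segment; image data is untouched."""
    out = bytearray(b"\xff\xd8")
    last = 2
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        last = end
    out += jpeg[last:]  # anything after the last parsed segment
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: Exif with a two-entry GPS directory, a comment
    segment, and a few placeholder bytes standing in for image data."""
    gps_ifd = struct.pack("<H", 2)
    gps_ifd += struct.pack("<HHI4s", 1, 2, 2, b"N\x00")  # GPSLatitudeRef
    gps_ifd += struct.pack("<HHI4s", 3, 2, 2, b"W\x00")  # GPSLongitudeRef
    gps_ifd += struct.pack("<I", 0)
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    payload = EXIF_MAGIC + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    text = b"constructed sample"
    com = b"\xff\xfe" + struct.pack(">H", len(text) + 2) + text
    return b"\xff\xd8" + app1 + com + b"\xff\xda\x00\x02\x11\x22\x33\xff\xd9"


SAMPLE = build_sample_jpeg()

if __name__ == "__main__":
    print("GPS tags before:", gps_tags(SAMPLE))
    print("GPS tags after: ", gps_tags(strip_exif(SAMPLE)))
```

Removing the whole Exif segment also discards camera settings and the orientation flag, and it does not touch other metadata blocks a file may carry, such as XMP.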

6. Facial recognition

Have you ever used Facebook’s tag suggest feature? The social network can scan through your uploaded pictures to find ones with friends in who haven’t been tagged, and offer you suggestions for who to add. It’s a wonderful time-saver over doing it the manual way, even if careless use can lead to some social faux pas (try to avoid tagging someone you don’t like just because they’re in the background of another picture).

But Facebook, and Google – which offers a similar feature – can only do that because it’s been running facial-recognition software on photos uploaded to the site for years. In September 2012, Facebook was even forced to disable the feature after the Irish data protection commissioner scolded it for doing so without permission.

How to turn it off: try to avoid being in photos or having friends. Easy!

DPS: Karl Marx said that religion is the opium of the people (masses). Now it is electronic gadgets. People are so addicted to their technology that they fail to notice how their lives are being changed by those in power and how their social skills are evaporating. Our advice? Switch off, de-tech, wake up, smell the coffee! You don’t have to bin all tech, just get (and keep) a sense of proportion.

 

Outcry as police order newsagents to name customers who bought Charlie Hebdo

Samsung warns viewers: Our TVs could be snooping on your private conversations

Parking update

Update

We are currently working on an interesting aspect of data protection concerning parking. DVLA discloses personal data of the registered keeper of vehicles who may have overstayed and incurred a penalty charge - often £120 or £60 if the charge is paid within 28 days - to members of the British Parking Association. We have good reason to believe that it is unlawful for someone who does not have an interest in the land to make a charge and that huge excess charges are unlawful in any case. We think that any excess charge for staying longer than you have paid for must be of a similar amount to the standard rate per hour charge at best. It is certain that parking companies cannot offer what amounts to a discount for early payment because this amounts to a penalty and parking companies are not allowed to charge a penalty. In any case, the registered keeper may or may not be the driver.

If parking companies do not have the right to make excess charges or even charges at all then DVLA has no right to disclose the personal data of registered keepers. DVLA claim that they can disclose personal data to anyone who has a reasonable cause but we say that it cannot be reasonable for a parking company to demand the personal data of the registered keeper if they have no legal right to pursue the registered keeper in court. If the registered keeper refuses to pay an excess charge and the parking company can do nothing, then disclosure of personal data cannot be reasonable.

Once we have tied up a few loose ends, we hope to put together a D-I-Y guide to recovering any money drivers may have paid which they didn’t have to. Incidentally, the Protection of Freedoms Act makes no difference to this position even though it makes the registered keeper liable for the parking charges of a driver (who may not be the registered keeper of course). Under this Act, the registered keeper may escape the charge if he tells the parking company who the driver was or if the car was reported stolen. We think that it is morally wrong to make someone pay for the actions of others over whom they may have no control, no matter what.

We have written to Norman Baker, the Minister for Transport, and Mike Penning who used to look after DVLA and the DfT though he has subsequently been moved to Northern Ireland. We have also written to the DfT so none of them can say they weren’t warned about what is likely to befall them.

The Protection of Freedoms Act required parking companies which are members of the British Parking Association to set up an independent appeals organisation (POPLA) in exchange for having the legal right to obtain the name and address of the registered keeper. They also had to give up clamping which is now illegal. It appears that the adjudicators who hear appeals are mindful of the Law. As we say above, the parking companies must show that they have an interest in the land which means that they must disclose their contract with the landowner. So far, no motorist who has used this defence has lost an appeal because no parking company has disclosed their contract with the landowner. We suspect that they have no interest in the land and cannot ask for damages which are effectively to someone else’s property. How could you claim compensation from a vandal who damaged your neighbour’s car? It’s the same principle.

Google evades English Law

Google Evades English Law

A group of Apple device users are in the process of suing Google in England for disabling the safeguards on the Safari software enabling Google to track users’ behaviour on line. Google are claiming that they are not subject to English Law because they are based in California and the Republic of Ireland. If the corporate entity is not in England, they do have a good point. Look at it the other way round. If you sold some widgets by mail order to Botswana and some users didn’t like them for some reason, you wouldn’t be happy if you were sued in a Botswana court. How could a Botswana court impose any sanction on you? They couldn’t because they don’t have any power in England and you are based in England (if you are, of course!).

Google may generate lots of revenue in England but it is a company based overseas and that is where it must be sued.

Of course if you don’t own one of Apple’s devices and don’t use Safari, then Google can’t track you – well not using that method anyway.

Off the record

New body for CRB checks launches.

The Disclosure and Barring Service, a new organisation formed from the merger of the Criminal Records Bureau and the Independent Safeguarding Authority, has launched. The Home Office says the new Disclosure and Barring Service will make it clearer and simpler for those requiring criminal records disclosures (CRB) and barring checks for employment purposes.

The Disclosure and Barring Service will oversee a number of government reforms including the introduction of portable CRB checks which will eliminate the need for multiple checking and an online update service which will make it easier for employers to assess individuals.

Volunteering England and a group of charities have called on the Government to confirm whether the online system will be free for volunteers. The group has written to the Home Secretary, Theresa May MP, arguing that charging volunteers to use the new online service runs counter to efforts to make the system less of a barrier to people wanting to give their time.

Other upcoming changes to the current system of criminal record checks and barring include introducing a single criminal records certificate which will be sent only to the applicant; an independent right of review to allow individuals to challenge information disclosed about them before it is given to their employer; and reducing the number of positions requiring barring checks from 9.3m to around 5m.

Portable CRB checks were launched in Spring 2013.

Clamping banned

Clamping Banned

Clamping may have been banned but this makes no difference to the legal position. All a registered keeper has to do is name a driver, which could be himself of course. The new Law is then satisfied. The parking company will no doubt issue a charge to the named driver. However, the parking company still needs to show that it has an interest in the land and that it is Dunlop compliant, that is, that the charge it is making is not subject to a discount for early payment and that the charge is proportionate to the standard parking charge. If it fails any of these three tests, the ticket can safely be popped into the round filing cabinet known as the waste bin.

Medical opt out

Dissent from secondary use of patient identifiable data

Dear Doctor,

I am writing to give notice that I refuse consent for my identifiable information to be transferred from your practice systems for any purpose other than my medical care.

As you are probably aware, on the direction of NHS England you can now be required to transfer patient-identifiable data from the electronic medical records that you hold to the Health and Social Care Information Centre (HSCIC), via the General Practice Extraction Service (GPES) or other means. This is to be done without seeking my explicit consent and for purposes other than my medical care.

There are substantial concerns about the privacy and confidentiality of any information transferred to HSCIC, not least because NHS England has been given legal exemptions to pass identifiable data gathered by HSCIC between itself and a range of regional processing centres, local area teams and commissioning bodies that came into force on April 1st 2013. I am also disturbed to note that HSCIC provides access to patient data, some in identifiable form, to a range of ‘customers’ including private companies.

I do not believe that these widely distributed systems with so many potential users and such a wide range of uses, some as yet undefined, can be regarded as secure. And no guarantees can be given as to the future re-identification of pseudonymised or de-identified data; indeed HSCIC admits this is a risk.

I cannot know what specific information my medical records might come to hold but I regard the entirety of my medical records, existing and future, as private and personal.

Please take whatever steps necessary to ensure my confidential personal information is not uploaded and record my dissent by whatever means possible.

This includes adding the ‘Dissent from secondary use of GP patient identifiable data’ code (Read v2: 9Nu0 or CTV3: XaZ89) to my record as well as the ‘Dissent from disclosure of personal confidential data by Health and Social Care Information Centre’ code (Read v2: 9Nu4 or CTV3: XaaVL).

I am aware of the implications of this request, understand that it will not affect the care I receive and will notify you should I change my mind.

I recognise the need for health care providers to be paid for services provided to me. I believe the limited information required for such purposes can be wholly anonymised by the provider, before it is released to the relevant commissioning authority. Please ensure that any of my information used for these purposes is treated in this way, and that any other providers are made aware of this mandate, e.g. by forwarding a copy of this letter along with my information when it is passed to them.

Further information for GPs can be found on the BMA website at:

http://bma.org.uk/practical-support-at-work/ethics/confidentiality-and-health-records/care-data

Yours sincerely,

 

Signature _________________________________________      Date ________________

Information to help identify my records (please complete in BLOCK CAPITALS)

Title   _______      Surname / Family name   ____________________________________

Forename(s)  _____________________________________________________________

Address           _____________________________________________________________

                        _____________________________________________________________

Postcode         ________________________

Date of birth   ________________________

 

NHS number (if known)   ___________________________________

 

Thought for the data

There is nothing in the Data Protection Act to prevent Ian Greenwood, the former Labour leader of Bradford council, from informing anyone about his knowledge of the former Co-op Bank chairman Paul Flowers's misdemeanors, because he is unlikely to be a data controller ("Sleazy rider", Focus, last week). Even if he did tell Ed Miliband, he could be sued only for monetary loss. If people are not sure about what they can and cannot say, they should contact the information commissioner and not make assumptions. Sadly people hide behind data protection.

 

Article written by our CEO, published in the Sunday Times 1 December 2013

How Sissons beat store's parking police

Jail social workers who fail to tell parents why they are taking their children

Legal Action against the UK Government

The European Commission has confirmed to us in a letter that infringement proceedings against the UK are being considered and that a meeting recently took place with the UK authorities. The matters put to the Commission on that occasion are under consideration. We placed a number of issues before the Commission which demonstrated that the Directive has not been properly implemented. The Commission consolidated our contribution with others to create the basis for formal proceedings.

For example, section 14 allows judges to order rectification or not as they please; they have total freedom. This is in conflict with the Directive which is clear that data subjects have a guarantee that inaccurate personal data will be rectified.

The Children and Family Court Advisory and Support Service (CAFCASS) are able to write reports which cannot be challenged in an English Court using data protection legislation. They cannot be challenged in the Family Court where CAFCASS reports are lodged because Family Courts cannot consider data protection matters which, in our view, is quite right. There is no duty on CAFCASS to allow reports to be subject to data protection legislation before they are presented to the Family Court and the county courts and High Court will not hear data protection actions because they deem that the matter has been considered in the Family Court (where you cannot use the guarantee granted by the Directive).

Clearly, this is an unsustainable position. Effectively CAFCASS has been able to exempt itself from the Data Protection Act 1998.

The Office of the Information Commissioner says that CAFCASS are not exempt, which is correct in theory. However, as it is impossible to bring an action for rectification in an English Court, in practice they are exempt, and it’s practice that matters.

Note: The Information Commissioner has no interest in whether the Directive has been properly implemented or not.
 

DVLA and the disclosure of Personal Data

The Data Protection Society has placed a formal complaint with the European Commission that ‘Regulation 27’ is incompatible with the European Directive on Data Protection (95/46/EC). The response from DVLA was an extensive Legal Opinion which attempted to show that DVLA complies with the Directive. In fact, for the most part, the Opinion showed what DVLA should do but not, of course, what it actually does in practice. However, DVLA did manage to hoodwink the European Commission into thinking that this somehow resolved the issue. It didn’t. The issue we placed before the Commission was to ask them to rule on whether ‘Regulation 27’ was compatible with the Directive, NOT whether DVLA complied with the Directive. Whether DVLA complies is completely irrelevant because no UK data controller has to comply with the Directive. The Directive gave life to the Data Protection Act and data controllers have to comply with that. If the Act is not compatible with the Directive, then this is a matter for the Commission to consider.

We have asked the Commission to address the issue we placed before it (that Regulation 27 is incompatible with the Directive) and the Commission has accepted that the Complaint is valid – in other words that it has merit and is worthy of consideration.

Furthermore, we have asked the Commission if all member States disclose personal data for the same reasons, as the Directive must apply equally across the EU. So far, the Commission has failed to respond. If most or all member States refuse to disclose personal data for the reasons given by DVLA, then there is no harmony and the Commission has a duty to ensure all Member States act in the same way.

The Office of the Information Commissioner holds that ‘Regulation 27’ is law and that DVLA can disclose personal data for any cause which DVLA considers to be reasonable. In practice, this means that personal data will be disclosed for almost any reason such as DVLA generating revenue.

 

Phone hacking

Phone Hacking

The phone hacking scandal will run and run but readers may be interested to know that the issue was highlighted five years ago by the Information Commissioner in his Report, ‘What Price Privacy?’ Note that in ONE investigation alone, the ICO uncovered 305 NAMED journalists who had obtained personal data unlawfully. The House of Commons Select Committee has known about this issue since 2003. The Committee has had the ICO’s Report since 2006. The Police were given a dossier.

So why was nothing done?

Could it be that there were just too many people with too much to lose? Who now will investigate this Committee for failing to deal with the issue? The Metropolitan Commissioner and his Assistant have resigned and failed to investigate. Will there be a proper investigation now? Who in the Labour Government, which was in power at the time, will take responsibility?

We know that the media, politicians and police have all been keen to ‘kick this into the long grass’, but could there be other institutions involved such as the Judiciary? Just how many people were involved? We suggest that nothing was done because nobody wanted to blow the whistle on this web of lies, deceit and illegal activity.


Extract from the Information Commissioner’s Report, ‘What Price Privacy?’

(The full Report appears on the Web Site of the Information Commissioner)

“Much more illegal activity lies hidden under the surface. Investigations by the ICO and the police have uncovered evidence of a widespread and organised undercover market in confidential personal information. Such evidence forms the core of this report, providing details about how the unlawful trade in personal information operates: who the buyers are, what information they are seeking, how that information is obtained for them, and how much it costs. Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers. Other cases have involved finance companies and local authorities wishing to trace debtors; estranged couples seeking details of their partner’s whereabouts or finances; and criminals intent on fraud or witness or juror intimidation.


The personal information they are seeking may include someone’s current address, details of car ownership, an ex-directory telephone number or records of calls made, bank account details or intimate health records. Disclosure of even apparently innocuous personal information – such as an address – can be highly damaging in some circumstances, and in virtually all cases individuals experience distress when their privacy is breached without their consent. The ‘suppliers’ almost invariably work within the private investigation industry: private investigators, tracing agents, and their operatives, often working loosely in chains that may include several intermediaries between ultimate customer and the person who actually obtains the information.

The ICO is not the only body to keep a watching eye on the encroachment of individual privacy. Early in 2003, the House of Commons Select Committee on Culture, Media and Sport conducted an investigation into privacy and media intrusion. Like the Information Commissioner in this report, the Committee was particularly concerned to focus on people who are ‘not generally in public life’.

Among those giving evidence was Sun editor, Rebekah Wade (now Brooks - DPS), who claimed that self-regulation under the guidance of the Press Complaints Commission (PCC) had changed the culture in Fleet Street and ‘in every single newsroom in the land’. When asked whether she or her newspaper ever used private detectives, bugged people, paid the police or others for information they should not legally have, she said that subterfuge was only ever used in the public interest.

Pressed again by Committee member, Chris Bryant MP, on whether she ever paid the police for information, she replied, ‘We have paid the police for information in the past.’ Further probing about whether she would continue to pay the police in future was answered in her stead by her colleague, Andrew Coulson, who declared that ‘We operate within the [PCC’s] code and within the law and if there is a clear public interest then we will’.”

So, there we have it, phone hacking and paying the police for information has been known about and admitted to for five years. We wonder what Andy Coulson meant by, “in the public interest”. Given that he is a journalist, then we suspect that he means if the public might be interested in it, not whether it is in the public interest - in other words – if it sells papers.

2m drivers with invalid driving licences

Privacy concerns over DNA database plan

150 councils barred from DVLA database for breaching privacy

Google

This is yet more proof that the ICO has too cosy a relationship with data controllers. Note how the equivalents in other countries take their jobs seriously. Our ICO prefers to have an easy life. After all, if you come down hard on a big organisation like Google, they are never going to give you a juicy job in a couple of years’ time. And, of course, it’s much easier to have a nice jolly on the train from Wilmslow to London, have a nice lunch at some fancy restaurant in Soho, have a leisurely chat with Google, look at a few bits of paper you don’t understand and travel back to Wilmslow and report what good chaps they are at Google – definitely a company to work for when you leave the ICO.

It appears that the ICO is really just a training camp for big companies. Any problems can then be solved by having a quiet word with your old mates back in Wilmslow or even take them to one of the fancy restaurants in Wilmslow or nearby Alderley Edge. Problem solved! For full article see Archive under general/RIPA.

Your card details 'stolen out of thin air'.

Yet another reason not to use credit cards.

You may be carrying a contactless credit card right now even if you haven't asked for one and to protect it, you are advised to wrap it in foil. After use, you must remember to wrap it up carefully, hoping the foil doesn't tear. Of course, your card is still vulnerable when you unwrap it. You won't find out if your personal details have been stolen (unless the thieves are greedy by attempting to buy a large ticket item) until you get your credit card statement - and then there is all that hassle.....

 

We say: use lovely, untraceable CASH!  For full article see archive under Financial Institutes and Insurance.

The Weekly News article dated 18/2/12

"Two million drivers are at risk of a £1000 fine because the photograph on their driving license is out of date. The law demands that you update your photograph every five years, even if you no longer drive a car.

Around 3 million drivers need to update their license this year - so CHECK that photo.

We say don't have a photo license in the first place. And this is despite the fact the license is valid for 10 years so who remembers to check that the photo needs changing only half way through the validity of their license." ANOTHER SCAM.

The Department for Work and Pensions (aka The Department for Wallies and Pratts)

 

Government organisations compete fiercely to be the most incompetent. With so many departments with decades of experience, it is a hotly contested title.

In the dim and distant past, if you wanted, ‘sick pay’, you signed and dated the back of the note the doctor gave you which was the size of a prescription form. It took ten seconds at most. However, the DWP decided that this was not creating many pointless jobs so they introduced a 40 page form with 16 pages of guidance notes in very small type which had to be completed for your ‘sick pay’. As the form was incomprehensible to the average member of Mensa, it did cause the DWP some hassle as people rang in with dozens of questions such as, ‘why is the form written in gibberish?’. It did, of course, cause hassle for the claimant as they had to take an extra three days off work to read the form and the accompanying notes and another three days to lie down in a dark room with a cold compress to recover, not that this concerned the DWP of course.

So, the whizz kids at the DWP came up with another hare-brained scheme. All claims would have to be completed by telephone. Bear in mind that the Government wishes to reduce public expenditure and so makes it as difficult as possible to claim money to which you are entitled in the hope that you will give up or die.

After 40 minutes on the telephone answering pointless questions, our correspondent was sent a letter telling him that he could not make a claim for, ‘sick pay’, because he hadn’t paid any national insurance contributions, but still demanding all sorts of information so that they could continue to build their mountain of pointless paperwork and keep their employees busy doing pointless tasks. Of course, our correspondent had paid by way of credits but facts are not welcome at the DWP as they get confused by them.

We have selected two from the deluge of forms and paperwork which may amuse our readers.

The questions to be answered on the DWP form include the ward number, telephone number and postcode of any hospital you have been in in the past 12 months even if your claim is for a completely different and unrelated illness. The DWP also want to know when you will be disposing of business assets and why there is a delay if you are not going to dispose of them immediately. So, if you are off work with ‘flu’ for a couple of weeks, be prepared to take on a new hobby called – “obtaining your, ‘sick pay’, from the wallies and prats and the DWP”.

DWP letter

DWP letter page 2

Letter of reply  page 1

Letter of reply page 2

Another letter from the DWP time machine

DVLA reprimanded by the Information Commissioner.

Robert Toft, Head of Data Sharing at DVLA, was reprimanded by the Information Commissioner for failing to comply with the Freedom of Information Act 2000 and the official procedures for dealing with such requests. The full decision dated 20 October 2011 is available on the Information Commissioner's Web Site (reference FS50326639).

The 12 paragraphs of criticism which are reproduced below, detail the extent of the incompetence of DVLA. One perhaps could understand if the errors were committed by a junior employee or someone recently employed by DVLA, but the incompetence was displayed by the Head of Data Sharing. If the person in charge is unable to do the job he is paid to do properly, then what hope is there that DVLA complies with any freedom of information or data protection legislation?

We have not heard of any disciplinary action being taken against Mr Toft for his incompetence. The extracts are as follows:

However, the Commissioner has also decided that the following elements of the request were not dealt with in accordance with the Act:

  • The DVLA's failure to recognise the correct nature of the complainant's first request and to provide information falling within the scope of the request within the required timescales represents a breach of sections 1 (1) and 10 (1) of the Act. The Commissioner requires no steps to be taken.

Although they do not form part of this Decision Notice the Commissioner wishes to highlight the following matters of concern:

  • The Commissioner notes that there were a number of procedural issues regarding the DVLA's handling of this request for information which, although they did not result in breaches additional to those outlined in paragraphs 82 to 84 of this notice, nevertheless resulted in an unsatisfactory response to this request from the outset.
  • For example, the failure to understand the nature of the original request does not represent good practice on the part of the DVLA and falls short of adherence to the Section 45 Code of Practice. In the Commissioner's opinion, the complainant's letter of 16 June 2010 quite clearly requested information in respect of the 'application' of 'Regulation 27' as opposed to its 'compatibility' with the directive.
  • This was further compounded when the DVLA interpreted the complainant's letter of 23 July 2010 as a new request for information, and in the process completely discounted the complainant's requests numbered 3, 4 and 5.

  • The Commissioner would have anticipated that a large public authority like the DVLA, accustomed to high volumes of requests for information under the Act, would have handled this request in a manner more closely aligned to the recommended standards in the Section 45 Code of Practice and he expects that all future requests should demonstrate closer adherence to a procedural efficiency.

The internal review.

  • Whilst there are no timescales specified in the Act for the communication of the internal review, the Section 45 Code of Practice recommends that the internal review should be considered promptly.
  • The Commissioner has also produced guidance in relation to this matter and considers 20 working days from the date of the request for a review to be a reasonable time in most cases. He does nevertheless recognise that there may be a small number of cases where it may be reasonable to take longer. The Commissioner's view is that no review should exceed 40 working days and, as a matter of good practice, the Commissioner expects the public authorities to notify the applicants in cases where more time is needed and to provide an explanation of why that is the case.

  • The Commissioner notes that the complainant requested an internal review of the original decision on 23 July 2010. However, as stated in paragraph 20 of the notice, the DVLA did not communicate the outcome of its internal review until 17 November 2010.
  • The Commissioner also notes that even if the DVLA had correctly treated the complainant's letter of 23 July 2010 as a new request for information, his letter dated 2 October 2010 requesting an internal review exceeded the 20 working days considered by the Commissioner as a reasonable time in most cases. The Commissioner notes that the complainant was not notified by the DVLA why any more time was needed.

  • The Commissioner considers that this is an unacceptable response to the request for an internal review and does not take account of the Section 45 Code of Practice or his own guidance on the matter. The Commissioner therefore expects the Council to ensure that all future requests for internal reviews are dealt with in accordance with both the Section 45 Code of Practice and his guidance.

Powers needed in the DPA to erase personal data for reasons other than inaccuracy

The Data Protection Act allows data subjects to demand rectification, erasure, deletion or blocking of data which are inaccurate. However, the European Directive, which is the primary legislation, says that data subjects can demand erasure and blocking for any breach of the provisions of the Directive which includes a data controller keeping data for longer than is necessary.

The Data Protection Society has asked the European Commission to consider this discrepancy. We think that data subjects should be able to demand that their personal data is rectified, erased or blocked for any breach of the Directive and not just for inaccuracy. At present, we have to rely on the Information Commissioner taking action against a data controller and this usually means persuading them. We would like to see data subjects having an absolute right in English and Scottish Law.

Judges’ discretion

Under the DPA, judges have total discretion whether to rectify data or not. A data controller could write reports containing extremely damaging information which is completely untrue and judges could refuse to change a single word. This is clearly not what the Directive intends.

The Data Protection Society believes that legislation must be passed to remove this anomaly. We have proposed that where inaccuracies in personal data are non-trivial, judges must be compelled to order rectification. Where inaccuracies are both non-trivial and trivial, judges must also order rectification. Only where all the inaccuracies are trivial should judges be allowed leeway.

The European Commission is currently considering this proposal.

CAFCASS

Those parents who find themselves in court to obtain meaningful contact with their children are very likely to find themselves the subject of a CAFCASS report. CAFCASS is the body which, amongst other activities, writes reports to assist courts in deciding the best way forward in matters of contact and adoption. Courts almost always accept the recommendations of the CAFCASS officer with perhaps a few minor variations to show that they are in charge.

Most CAFCASS officers belong to the Trade Union, NAPO, which has as one of its objectives, the removal of men from the lives of their children. Fathers therefore should consider themselves lucky to have any meaningful contact at all starting from this position.

Once a CAFCASS report is written, CAFCASS officers will not show it to a parent until the court approves which can be a few minutes before a hearing giving parents no time to absorb or object to the contents. This is done to minimise any complaints and protect the CAFCASS officer from rigorous questioning. CAFCASS says that any errors may be revealed in court and so there is no problem.

However, time constraints may not allow the CAFCASS officer to be questioned in full. Judges may declare that CAFCASS officers are being badgered and deny questions. Even so, judges in the Family Court make no decisions on the accuracy of any data in the report because the matter is not before them. Furthermore, they rarely order rectification because the decision on contact will be taken in the court. As far as judges are concerned, the report has done its work and is of no use. Yet this same report, which could be full of lies, half-truths and innuendos, can follow a parent for the rest of his or her life. It can affect future hearings. It can be extremely damaging for decades.

The Directive guarantees data subjects the right to rectification, erasure or blocking of inaccurate personal data as does the Data Protection Act. The problem is that there is no lex forum – or court – where parents can use the power of the Act or Directive. Actions under the DPA cannot be brought in the Family Court. The county court and High Court will say that you are trying to have two bites at the cherry by bringing a data protection action in their courts. In effect, they bounce it back and forward between them to prevent parents from using their guarantee provided under the Directive.

Parents cannot be at the mercy of the whims and caprices of judges in the Family Court, hoping against hope that the judge takes pity on them and orders a few changes, and they cannot be denied the use of the powerful data protection laws, yet this is the position in both England and Scotland.

We believe that children have the right to meaningful contact with both parents unless there is a very good and provable reason why they should not. It is the right of children to see their parents, not the right of parents to see their children that matters most. This is not a sexist issue although fathers are more affected than mothers.

The Data Protection Society has raised this issue with the European Commission who are currently investigating on the basis of a dossier which we provided.

DVLA and the disclosure of Personal Data

The Data Protection Society has placed a formal complaint with the European Commission that, ‘Regulation 27’, is incompatible with the European Directive on Data Protection (95/46/EC). The response from DVLA was an extensive Legal Opinion which attempted to show that DVLA complies with the Directive. In fact, for the most part, the Opinion showed what DVLA should do but not, of course, what it actually does in practice.

However, DVLA did manage to hoodwink the European Commission into thinking that this somehow resolved the issue. It didn’t. The issue we placed before the Commission was to ask them to rule on whether, ‘Regulation 27’, was compatible with the Directive NOT whether DVLA complied with the Directive. This is completely irrelevant and is a completely separate issue. We have asked the Commission to address the issue we placed before it and await a response.

Furthermore, we have asked the Commission if all Member States disclose personal data for the same reasons, as the Directive must apply equally across the EU. Once again, the Commission has failed to respond. If most or all Member States refuse to disclose personal data for the reasons given by DVLA, then there is no harmony and the Commission has a duty to ensure all Member States act in the same way.

The Office of the Information Commissioner holds that, ‘Regulation 27’, is law and that DVLA can disclose personal data for any cause which DVLA considers to be reasonable. In practice, this means that personal data will be disclosed for almost any reason.

Legal Action against the UK Government

The European Commission has confirmed to us in a letter that infringement proceedings against the UK are being considered and that a meeting recently took place with the UK authorities. The matters put to the Commission on that occasion are under consideration. We placed a number of issues before the Commission which demonstrated that the Directive has not been properly implemented. The Commission consolidated our contribution with others to create the basis for formal proceedings.

For example, section 14 allows judges to order rectification or not as they please; they have total freedom. This is in conflict with the Directive which is clear that data subjects have a guarantee that inaccurate personal data will be rectified.

The Children and Family Court Advisory and Support Service (CAFCASS) are able to write reports which cannot be challenged in an English court using data protection legislation. They cannot be challenged in the Family Court where CAFCASS reports are lodged because Family Courts cannot consider data protection matters which, in our view, is quite right. There is no duty on CAFCASS to allow reports to be subject to data protection legislation before they are presented to the Family Court and the county courts and High Court will not hear data protection actions because they deem that the matter has been considered in the Family Court (where you cannot use the guarantee granted by the Directive).

Clearly, this is an unsustainable position. Effectively CAFCASS has been able to exempt itself from the Data Protection Act 1998.

The Office of the Information Commissioner says that CAFCASS are not exempt, which is correct. However, as it is impossible to bring an action for rectification in an English court, they are effectively exempt: in theory they are not, in practice they are, and it’s practice that matters.

Note: The Information Commissioner has no interest in whether the Directive has been properly implemented or not.

Cutting from the Sunday Times dated 22 May 2011