Internal ICO correspondence reveals that the Information Commissioner was asked by the Ministry of Justice to justify Graham Smith’s (the Deputy Information Commissioner) pay rise. The ICO’s response was that Mr Smith had additional responsibilities, in particular it was claimed that:

“Graham Smith is increasingly consulted by the Cabinet Office and others on specific FOI cases”

Mr Smith is the Deputy Commissioner and Director of Freedom of Information for the ICO and “has lead responsibility for promoting and enforcing Freedom of Information.” In simple terms, he is the top boss of FOI regulation. If Mr Smith is giving advice to the public authorities on specific FOI cases which later come before the ICO as the regulator then it isn’t difficult to see that a potential conflict of interest could arise. Of course if Mr Smith kept detailed records of the cases he had advised upon and the advice he had given then conceivably it would be possible to put in place adequate safeguards to ensure he was not involved in signing off the relevant Decision Notices. In view of his wider responsibilities for FOI enforcement the situation would remain problematic.

No records were kept
We now know that Graham Smith keeps no records at all of the advice he gives:

ICO: “We have conducted searches of the ICO’s records and no information is held.”

Graham Smith: “My meetings and discussions with the Cabinet Office occur only on an “as and when” basis. We do not have regular scheduled meetings. We never have a formal written agenda or minutes. When we do meet or talk on the phone the discussions are not always about specific cases. When they are, it could be one or any number of cases. Those cases may or may not be with the ICO. They might be Tribunal appeals or requests which have not and may never reach the ICO.” [Insert your own sarcasm here]

As no records at all are kept we can conclude that there are no adequate safeguards in place to manage the conflict of interest that arises from Graham Smith’s acting as both adviser and regulator to the Cabinet Office on specific FOI cases. Mr Smith should not be giving secret advice on live cases whilst working for the regulator.

Principles of public life
As a public official Graham Smith is subject to the 7 principles of public life. In particular, he is required to “… declare and resolve any interests and relationships” and to act “in an open and transparent manner.” He has done neither with respect to his advice. He is also subject to the following requirement:

“Holders of public office are accountable to the public for their decisions and actions and must submit themselves to the scrutiny necessary to ensure this.”

By not keeping any records whatsoever of his actions in advising the Cabinet Office Graham Smith has made it impossible for the public to scrutinise his actions or to hold him accountable for his advice.

Duty of Candour

The ICO is a party in all FOI Tribunal cases and Mr Smith has acknowledged that the cases on which he gives advice “might be Tribunal appeals”. The Hearing Bundles – Good Practice Guide 2014 for FOI/EIR cases (not available online!) states that:

“The ICO is of course aware of their duty to put before the Tribunal all relevant evidence regardless of whether it is favourable to their own case or not – CIS/0473/2007 paras 36-37, a decision of Judge Jacobs, when a Social Security Commissioner”

If Graham Smith is discussing Tribunal appeals with the Cabinet Office and the Cabinet Office happen to reveal facts unfavourable to the Cabinet Office’s case then Christopher Graham would appear to have a duty to ensure the Tribunal is made aware of those facts. Keeping no records whatsoever when discussing active Tribunal cases does not sit at all well with the ICO’s duty of candour.

Independence from Government

The ICO used to have a “” domain name but moved to a “” domain to ensure it is perceived by the public as being independent of government. The ICO indeed works in mysterious ways. On the one hand the ICO is spending our money to create a public veneer of independence online whilst at the same time spending more of our money on Mr Smith’s pay rise for giving secret advice to the Cabinet Office.

The Freedom of Information Act 2000 gives requesters a general right of access to official information subject to (lots of) specific exceptions. The Act also gives requesters a right to apply for a decision from the Information Commissioner (see Section 50). The word used in Section 50 is “apply” rather than complain or report a concern. The words used in Acts of Parliament matter. The word “apply” means that it is perfectly fine for a requester to ask the ICO to review a decision even if the requester is 90% certain that the public authority has acted within the law. A requester does not need to have a cause for complaint or a concern.

Section 50 requires the requester to provide very little information to the Information Commissioner. The requester has to apply for a decision as to “whether, in any specified respect, a request […] has been dealt with in accordance with the requirements of Part I.” Clearly, it would make sense to give the ICO your name and some means of contacting you and if you don’t you could be deemed to have abandoned the application. It will also be helpful to provide the ICO with access to a copy of your request and any subsequent correspondence. I would suggest, firstly that there is no need to complete any kind of form and secondly that the ICO’s ‘Report a Concern’ form is particularly inappropriate.

The form is not particularly easy to find – when I go on the ICO’s website I find I have to complete a short survey just to get to it.

What don’t I like about the ICO’s form?

The title of the form makes no reference to applying for a decision or even making a complaint. Nowhere in the whole form does it refer to seeking a decision. For that reason the Information Commissioner’s obligations under Section 50(2)-(3) are not triggered and the ICO can safely ignore your ‘concerns’.

A lot of the information the ICO asks for simply isn’t needed. Sections 1, 4, 5 and 6 contain text fields but would actually be better addressed by forwarding all correspondence, or where applicable, simply sending the ICO a link to the request page on WhatDoTheyKnow.

Section 2 asks for your relationship with the organisation – the whole of Section 2 will always or almost always be irrelevant for FOI requests.

Section 3 will be relevant but again uses the “your concern” wording rather than applying for a decision.

Section 7 asks for your contact details and contains about 15 fields – in most cases a name and email address would suffice.

Section 8 – where do I start? The ICO asks for a four point declaration from the requester that the requester is under no obligation to provide when seeking a decision under Section 50. When it says “I have included all the necessary supporting evidence” – what does that even mean in the context of reporting a concern? In fairness, the declaration does not read like it is meant to be a formal legal declaration but in my mind that makes it even less suitable for making Section 50 applications. Version 1.0 of the ICO’s form did not contain a declaration.

Section 9 is instructions on submitting the form which appears to be steering people towards submission by email and suggests requesters use “Concern about accessing information” in the subject line.

Can the ICO really ignore a ‘concern’?

Some readers may think that the ICO couldn’t ignore a valid concern or that the choice of words in the ICO’s form is accidental but note the ICO’s Service Standards “It is up to us to decide whether or not we should take further action.” – this wording is clearly inconsistent with Section 50(2) of the Act. Even on the ICO’s own analysis reporting a concern does not engage the Commissioner’s obligations under Section 50.

It wasn’t always like this – back in 2006, the ICO explicitly acknowledged the Commissioner’s obligation to rule on complaints. “Your complaint will be allocated to a caseworker and if we cannot resolve your complaint informally, the Information Commissioner will issue a Decision Notice.”

The Scottish Information Commissioner gets it

The Scottish Information Commissioner’s form is called an application form and there is a clear link between application and decision – see for example paragraphs 2 and 16 of A guide for applicants.

Suggested alternative

I would suggest sending an email to the ICO. The wording will depend on what you want the ICO to make a decision on but the wording below could be adapted in most cases where the requester would like the ICO to rule on whether more information should have been released.

Dear Information Commissioner,

I am writing to apply for a decision under Section 50 of the Freedom of Information Act 2000 with respect to a request I made under the Act. I seek a decision as to whether or not the [name of public authority] complied with Section 1(1) of the Act when it withheld information I had requested. In particular, I would like the Commissioner to rule on whether the [list out the exemptions the public authority cited] can apply to all of the information withheld.

My request and all related correspondence are attached.

[Or: My request and all related correspondence can be accessed here: WhatDoTheyKnow URL]

Please acknowledge receipt.

many thanks,

[your full name]

The Freedom of Information Act 2000 gives requesters the right to request recorded information and receive it except where an exemption applies. The Act does not give you a right to make a public authority justify or explain decisions they have taken. The upshot of all this is that some questions are FOI requests and some are not. Starting your question with “Why” is the equivalent of giving public authorities a “Get out of FOI free card”.

Unfortunately, part of being a skilled FOI requester is jumping through procedural hoops. It helps to include clear requests for recorded information rather than questions that may or may not be considered to be valid requests. I have given some hints below on how best to do this.

Question form | Example | Request for recorded information
--- | --- | ---
Who? | Who is the HR Director? | Please provide me with the name of the current Director of Human Resources.
What? | What does the Strategic Director do? | Please provide me with a copy of the job description of the Strategic Director. Please also provide me with a copy of the Strategic Director’s performance objectives for 2015.
When? | When did the Executive Committee meet? | Please provide me with the dates and times of the last five meetings of the Executive Committee.
Where? | Where are you planning to hold the consultation meetings? | Please provide me with the addresses of the venues where the consultation meetings are planned to be held.
Why? | Why did you close the library? | Please provide me with any recorded information held relating to the decision to close the library.
How much? | How much do you spend on debt collection? | Please provide me with the total amount spent on debt collection during the last three calendar years.
How many? | How many staff work in marketing? | Please provide me with the number of employees currently working in marketing on a full time equivalent basis.

FOI requesters may occasionally want to know when their FOI request was received. The reason it matters is that it is (sometimes) used in calculating when the response is due. I have managed to get into a bit of a Twitter debate about this with FOIman. FOIman is a former FOI officer, FOI trainer and expert in all things FOI. His website is a really useful resource and so where I disagree it is worth explaining why, and I thought a blog post on this might explain my position more clearly.

What does the law say?
Section 10 of the Freedom of Information Act 2000 says: “Subject to [certain rules], a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.”

I get two key points from this:

(1) public bodies must respond promptly and sometimes that might mean responding within 15 working days – they don’t always get the full twenty.

(2) the twenty working day period never starts on the date your request is received.

So what’s the debate
FOIman’s Christmas 2014/15 UK FOI Deadlines blog post says that whether a request is made on 1 or 2 December 2014 the 20th working day is still 5 January 2015. FOIman’s reasoning is that “… the reason they’re the same is that Dec 1 is not technically a working day – so request is actually received on 2nd.” That is where I disagree with FOIman: Dec 1 may not be a working day but it is a date, so there is no reason why it cannot be the date of receipt.

I know that some employees of public authorities don’t work on Saturdays for example, but some do, and some public buildings such as libraries are open on Saturdays and there is no reason why they cannot receive an FOI request in their hands. A more common scenario is that a public authority email server receives an email on a Saturday, Sunday or bank holiday. I make most of my requests by email or via so the date of receipt is the date I send/make the request, and the 20 working days do not start that day but on the 1st working day after that day.

The ICO’s guidance on date of receipt is as follows:

“Section 10(6) states that the “date of receipt” is “the day on which the public authority receives the request for information”.

There is no requirement for this to be a working day. Indeed the “date of receipt” could be at a weekend, on a bank holiday or any other day on which an office is closed.

We acknowledge that the actual date of receipt when an office is closed may not be entirely certain, particularly with requests submitted in hard copy form.”
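To make the counting rule concrete, here is a small deadline calculator (an added example, not code from the original post or from the ICO) that applies Section 10(6) as quoted above: the date of receipt is whatever day the request actually arrives, working day or not, and the twenty working days are counted from the next working day. The bank-holiday set is a constructed sample covering only Christmas Day, Boxing Day and New Year’s Day 2014/15; a real calculator would load the full official list.

```python
from datetime import date, timedelta

# Constructed sample of England and Wales bank holidays over Christmas 2014/15.
# Only Christmas Day, Boxing Day and New Year's Day are included here; load the
# complete official list for real use.
BANK_HOLIDAYS = {
    date(2014, 12, 25),
    date(2014, 12, 26),
    date(2015, 1, 1),
}


def is_working_day(day: date, bank_holidays=BANK_HOLIDAYS) -> bool:
    """A working day is a Monday to Friday that is not a bank holiday."""
    return day.weekday() < 5 and day not in bank_holidays


def foi_deadline(date_of_receipt: date, bank_holidays=BANK_HOLIDAYS) -> date:
    """Return the twentieth working day following the date of receipt.

    The date of receipt itself is never counted, so the count begins on the
    first working day after it.  Because non-working days are skipped, a
    request received on a Friday, the following Saturday or the following
    Sunday all produce the same deadline.
    """
    day = date_of_receipt
    counted = 0
    while counted < 20:
        day += timedelta(days=1)
        if is_working_day(day, bank_holidays):
            counted += 1
    return day


def response_is_late(date_of_receipt: date, response_date: date) -> bool:
    """True if the response was sent after the statutory twentieth working day."""
    return response_date > foi_deadline(date_of_receipt)


if __name__ == "__main__":
    # Constructed scenario: the same request arriving on Friday 19 December,
    # Saturday 20 December and Sunday 21 December 2014.
    for received in (date(2014, 12, 19), date(2014, 12, 20), date(2014, 12, 21)):
        print(received.strftime("%a %d %b %Y"), "->", foi_deadline(received))
    # A request received on Christmas Day is still "received" that day.
    print("Christmas Day ->", foi_deadline(date(2014, 12, 25)))
```

The three December weekend scenarios all resolve to 21 January 2015, which is the point of the argument: the arrival date can be a non-working day without changing when the clock starts.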

I hope that clears up one of the trickier aspects of FOI compliance.

This is simply two lists rather than a proper blog post and it has sat in my ‘drafts’ for a long time. First a list of special tax dispensations granted to MPs by HMRC, followed by a (shorter) list of dispensations refused. All information was obtained under FOI in May 2012. The same FOI request was the source for the Guardian article: Tax inspectors clash with MPs over expenses.

Dispensations granted:

Dispensations refused:

Back in 2012, the ICO did indeed investigate the ICO, documenting its findings in a security incident report dated 26 April 2012 (“SIR”) that has recently been released under FOI.

Some may argue that no-one should be judge in his own case and others may argue the same in Latin. I don’t hold the ICO to this standard. Part of the ICO’s job is to investigate possible breaches of the law and there isn’t really anyone else to investigate the incidents which the ICO itself gets caught up in. I do of course expect that when the ICO investigates itself it does so properly, that the ICO staff assigned to such investigations make objective decisions and that there is no attempt at a cover up.

Having reviewed the available evidence, I have reached the conclusion that the ICO’s investigation of the ICO simply wasn’t up to the standard I would expect and I am going to explain exactly why:

(1) In the ICO annual report the incident is described as a self-reported breach. Most people would take that to mean that the ICO identified the matter internally before anyone external complained. That isn’t what happened. The investigation was in fact triggered by an allegation received from a firm of solicitors (Field Fisher Waterhouse) that were not working for the ICO (Source: SIR).

(2) The public security incident update refers to just one disc (“disclosed the disc to the Solicitor”) but in fact two CDs were sent out (Source: SIR). It may seem like a minor point but it suggests that the ICO is seeking to downplay the incident in the public update.

(3) The public security incident update stated that “The hard-drive … had not been forensically examined prior to it being copied and disclosed”. Many readers may interpret this as meaning that there was some examination of the documents disclosed but that this examination was not forensic. In fact “Emails contained within email folders and attachments were not reviewed prior to disclosure” (Source: SIR). This would also support the view that the ICO is seeking to downplay the incident.

(4) The ICO’s public update also says that: “After we had been informed that the disc contained personal data unrelated to the investigation we acted promptly and the disc was recovered from the Solicitor who had stored the disc securely up to the point of recovery.” This would suggest that the disk was recovered fairly quickly but in fact this isn’t what happened: “McCartneys [the solicitors] have been guarded in their engagements with the ICO and have not cooperated and despite repeated efforts the CDs have not yet been returned to the ICO” (Source: SIR). So the Solicitors had the discs for at least five months from October 2011 to April 2012 despite the ICO’s repeated efforts to get the disc back. I view the fact that this is omitted as further evidence of attempts to downplay the incident.

(5) The ICO still doesn’t know the full extent of the personal data released in the breach. The ICO disclosed images of a hard drive but the investigators only appear to have looked at emails and attachments (source: SIR) – it is hard to believe that any hard drive in use would not contain other personal data. In addition, not all emails in the sent folder were read by the ICO (source: SIR). Anyone who uses email will know that sent folders contain very similar types of material to inboxes, so it is quite hard to justify why the ICO investigators treated the two folders so differently; perhaps they just ran out of time.

(6) When evaluating the seriousness of the breach the ICO appeared to take no account of the fact that the data was collected and stored by criminals who had together committed “potentially 3,000 criminal offences” all related to data protection (source: SIR). In my view much of this information should never have been obtained in the first place and so data subjects would have a much greater expectation of privacy when the data later came into the hands of a public body than for cases where information was created lawfully in the first instance.

(7) Christopher Graham (the Information Commissioner) said of these criminals: “The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that.” (20 November 2013 ICO news release) The unfortunate irony is that the ICO also committed a breach when sending on the same data that these criminals had collected. I do not wish to compare the ICO to a company that tricked people into revealing personal data but I do question how the Commissioner can credibly call for tougher action when the rules are broken when I look at how the ICO’s investigation of the ICO was handled.

I am writing this blog post in relation to an ICO Decision Notice issued in December 2011. To some of you that may seem like a long time ago, but the dedicated few will appreciate that in the context of the ICO this counts as a quick and witty reply.

The requester asked for copies of any agreements with the Independent Police Complaints Commission under section 26 of the Police Reform Act 2002 in respect of either Hampstead Heath Constabulary or the Epping Forest Keepers. On 6 December 2011, the Information Commissioner (FS50402837) ruled that the Common Council of the City of London was not subject to the Freedom of Information Act 2000 in respect of the Hampstead Heath Constabulary and the Epping Forest Keepers – what I would call parks police. The Common Council is only listed as a public authority in Schedule 1 of FOI for information held in its capacity as a local authority, police authority or port health authority (the three specific capacities). The basic rationale for the ICO’s ruling was that “the information would not be held in its capacity as a local authority, police authority or port health authority”.

… surely functions relating to parks police are functions of a local authority

It turns out that the Hampstead Constabulary was specifically transferred in 1989 to the ‘other part’ of the City of London Corporation, which excludes the local authority, police authority and port health authority (see regulations 2, 4 & 5 of SI 1989/304). This other part of the Corporation is sometimes called “city cash”. In effect the constabulary was taken out of the scope of this part of the FOI Act 11 years before the FOI Act was passed. The Common Council argued that its role in relation to the Keepers of Epping Forest was carried out in its capacity as conservators of Epping Forest under the Epping Forest Act 1878.

but it says ‘police authority’ …

Consistent with the above, the ICO accepted the Common Council’s argument that the parks police were paid for from city cash and were not part of its functions as a police authority. The term ‘police authority’ here would appear to be limited to functions carried out with respect to the City of London police force.

… but Parliament specifically wanted private police forces to be covered

The ICO also considered the provisions of schedule 1 of FOI specifically intended to bring bodies managing (so called) private police forces within the scope of FOI. Section 64 of Schedule 1 provides that:

“Any person who—

(a) by virtue of any enactment has the function of nominating individuals who may be appointed as special constables by justices of the peace, and

(b) is not a public authority by virtue of any other provision of this Act,

in respect of information relating to the exercise by any person appointed on his nomination of the functions of a special constable.”

The Common Council argued that the Hampstead Heath Constables and the Epping Forest Keepers were not special constables and therefore part (a) was not met. The Common Council also argued that in any event the Common Council was a public authority by virtue of another provision of Schedule 1 (para 9) and so part (b) was not satisfied. The ICO agreed with the Common Council that as it was listed in paragraph 9 of Schedule 1 it was a public authority by virtue of another provision. The ICO were not concerned by the fact that paragraph 9 only applied to the Common Council in three specific capacities because of the ruling in Sugar v BBC [2009]. The ICO summarises the implications of the ruling in Sugar as follows: “it was established by a majority agreement that where bodies are listed in Schedule 1 of the FOIA in respect of a certain type of information only, they remain public authorities under the FOIA regardless of the type of information at issue.” Having found that part (b) was not satisfied the ICO did not consider part (a).

This leads to the counterintuitive conclusion that the City of London Corporation would be “foiable” in respect of the parks police if it were not for the fact that the Corporation had so many other public functions.

Where I disagree with the ICO

(1) The intention of Parliament was clearly that special constables be ‘foiable’, 64(b) is simply intended to prevent duplication in the schedule 1 list. This in itself doesn’t mean the ICO are wrong in all its conclusions but the intention behind the legislation should drive interpretation. I do not think the ICO gave the intention behind the Act sufficient weight.

(2) The ICO said that “The complainant’s belief that this was an unintended “loophole” is not supported by evidence.” The ICO should not expect complainants to have all the evidence at their disposal. The ICO has more resources (and expertise?) than the average requester and should try to investigate and gather evidence to support or refute claims requesters make. The mere inclusion of references to special constables in Schedule 1 might well be evidence enough. The ICO researchers might have found a copy of the report of the Stephen Lawrence inquiry published in 1999 not all that long before the Freedom of Information Act was passed: “Similarly we consider it an important matter of principle that the Police Services should be open to the full provisions of a Freedom of Information Act. We see no logical grounds for a class exemption for the police in any area (Recommendations 9-11).” and the related recommendation “That a Freedom of Information Act should apply to all areas of policing, both operational and administrative, subject only to the “substantial harm” test for withholding disclosure.” The government’s response was to accept this recommendation: “The Freedom of information Act to be applied to all areas of policing.”

(3) The ICO did not consider the implications of paragraph 59 of Schedule 1: which includes within the scope of FOI: “A chief officer of police of a police force in England or Wales.” I do not see why this could not apply to police forces maintained otherwise than by police authorities – see for example the language used in Section 26 of the Police Reform Act 2002 (ironically this section was what the requester was asking about). It is no secret that I am an FOI inclusionist but I think this would apply to the head of a parks police force. The Common Council should have passed the request on to that person if they felt they themselves were not covered by FOI for the information in question. The point could be argued both ways but the ICO don’t even mention it in their Decision Notice. In 2010, the ICO acknowledged that the interpretation of paragraph 59 was a matter that had still to be settled.

(4) The City of London Corporation is a body corporate (as a result of prescription) and therefore a legal person. It is a person that is not a public authority by virtue of paragraph 9 of the Act. Note in particular that paragraph 9 of the Act only makes the Common Council of the Corporation a public authority, which does not make the Corporation a public authority. The ICO failed to make this distinction. The Corporation is not just the Common Council; it also consists of the Lord Mayor and the Court of Aldermen, for example. The Corporation would satisfy paragraph 64(b) of Schedule 1. Even in the case where powers are exercised by the Conservators the legal person is still the City of London Corporation (CIR v Corporation of London (as Conservators of Epping Forest) is referred to in HMRC’s SAIM8030). The question then is whether part (a) is also satisfied – something that the ICO never looked at. Does the City of London Corporation “by virtue of any enactment [have] the function of nominating individuals who may be appointed as special constables by justices of the peace”?

Section 43 of the Epping Forest Act 1878:

“The Conservators may from time to time, for securing the better execution of this Act and their byelaws, procure all or any of the reeves or assistant reeves, and of the bailiffs, and other officers appointed by them, to be sworn in as constables before a justice of the peace for the county of Essex, who shall have power to swear them in accordingly.”

The general power to appoint the Hampstead Heath Constables was conferred upon the City of London Corporation by paragraph 18 of the Greater London and Parks and Open Spaces Order 1967: “A local authority may procure officers … to be sworn in as constables”.

The argument would then be as to whether the constables were “special” or not, certainly, these are not regular territorial police forces. My view is that the definition would be met. It is worth noting that the ‘volunteer police’ in the Special Constabulary are referred to as Special Constables but so are the members of certain non-territorial police forces e.g. port police so the terminology is hard to interpret. It is disappointing that the ICO overlooked some of the key issues in this case.

(5) In general, I have observed that in borderline and/or novel cases the ICO often rules in a way that is consistent with minimising its own workload, often shying away from difficult and expensive legal fights with public bodies. The Decision Notice issued in this case is not inconsistent with that pattern.

(6) Territorial police forces and the police authorities (or Police and Crime Commissioners) which oversee them are separately subject to FOI. My view is that parks police and the bodies which appoint them (and in almost all if not all cases oversee their work) are also separately subject to FOI. Yes, even when the police force in question is controlled by a powerful institution that can afford to take on the ICO.

Here is a letter I wrote to my MP re the Royal Household and Freedom of Information. If you are inspired to write to your MP please don’t copy the whole letter but feel free to copy small extracts.

I wrote the letter in response to a campaign message from Republic.

Dear [MP],
I am writing to express my concern about the limitations of freedom of
information law with respect to the Royal Household. The Royal
Household is not a public authority for the purposes of the Freedom of
Information Act 2000 (‘the Act’) despite the fact that it is a publicly
funded body. This means that information held by the Royal Household
cannot be accessed by the public even in cases where it can be shown
that disclosure is in the public interest. Taxpayers have the right to
have detailed information about how public money is being spent.

There is also a second wall of secrecy surrounding the Royal Household
and the Royal Family, provided by the exemption in Section 37 of the
Act. Section 37 provides an absolute exemption for certain types of
correspondence meaning that for example correspondence between Prince
Charles and a government minister cannot be accessed even in cases
where it can be demonstrated that the public interest is in favour of
disclosure. I simply cannot accept that members of the Royal Family
should have greater rights to privacy of their correspondence than
other citizens of the United Kingdom.

It has been argued by some that the correspondence of the monarch and
heir requires additional protection because of the need for
impartiality in these roles. I note that impartiality is critical to
the work of the Electoral Commission, police forces and the Court
Service yet all are public authorities subject to the provisions of the
Act. Impartiality cannot be used as an excuse for unnecessary secrecy.

It is a concern to me that papers have been transferred from the
National Archives where they are accessible to the public to the Royal
Archives where they are not.

The Government has the power under Section 5 of the Act to designate
the Royal Household as a public authority and this power ought to be

I would be grateful if you could pass my remarks on to the Ministry of
Justice. I would also like you to use the power you have as a
legislator to propose amendments and table questions aimed at
highlighting the problems with the present arrangements. Please let me
know what steps if any you intend to take as a result of this letter.

Yours sincerely,

A guest post by @foimonkey

The accidental release of a substantial amount of personal data by Newcastle Citizens Advice Bureau has already been quite widely reported in the media, but as the person responsible for spotting that Newcastle CAB had made this mistake and reporting it to the ICO, I feel it is appropriate to comment on the nature of the breach, the aftermath and what wider lessons can be learnt from this incident.

On 17 September 2013, I came across a spreadsheet whilst searching Google that contained sensitive personal information belonging to a sizeable number of individuals. It was apparent from the nature of the document that this was not intended for release and should not have been made available online. What was less clear was who owned the document (no organisation name was mentioned), so I modified my search to see what other files were hosted on the same FTP server to try to establish who was responsible and who to contact about the incident. To my horror, I found literally thousands of documents containing highly sensitive information that had been hosted on a public FTP server that was accessible via two different IP addresses. It didn’t take much detective work to figure out that this data belonged to the Newcastle branch of the Citizens Advice Bureau.

Citizens Advice Bureaux nationwide provide a valuable source of assistance to vulnerable people and great importance is placed on the confidentiality of their advice. It was troubling to discover that something had gone so horribly wrong at this particular branch of the CAB that meant that client files were not only publicly available on the internet to those who knew where to look, but had also been indexed, cached and made fully searchable. The potential for harm and distress to be caused to individuals who have had the most intimate details of their lives made available to all who cared to look for them should not be underestimated.

In total, Google showed that over 12,000 files from 55 directories had been indexed whilst the FTP server was publicly accessible. These appear to date from 2004 up until the first half of 2013. As well as the obvious risks associated with bank details and other financial information being published online, the files contained, amongst other things, information about suicide attempts, domestic violence, criminal activity, drug use, distressing family breakdowns, detailed medical reports from doctors for benefits appeals hearings and a list of sufferers of post-traumatic stress disorder who had been referred from the Royal British Legion – information that couldn’t be more sensitive or more private.

The files themselves show that this was not even the first data loss incident by Newcastle CAB. In 2010 client files that had been taken out of their office were left in a shop. It is unclear whether they notified the ICO about that incident.

After an initial attempt to get in touch with the CAB on 17 September, I finally managed to alert the CAB and the ICO early on 18 September. You would think that the first priority of Newcastle CAB, in conjunction with the ICO, would be to ensure that this information was removed from the internet as soon as possible. In my email to the CAB I included a link to Google’s help pages on how to remove personal data that had been included in the cache. This process is automatic and usually takes 24 hours to complete. I personally submitted the URLs of several hundred of the most sensitive files for removal from the cache that day and by the next day they were gone, so it is clear that the process works. Astonishingly, cached copies of these files were still accessible as late as yesterday (30 September), close to a fortnight after the breach was initially reported. I cannot understand why there has been such a delay in acting, a delay that I believe may have put the victims of this breach at greater risk. As others have already written, an explanation as to why this information has taken so long to be taken offline has yet to be forthcoming, but I believe that one is certainly owed to those affected by the breach.

Sadly, this breach by Newcastle CAB is not the only breach that has occurred by means of confidential files being uploaded to an open FTP server. On the same day as this breach came to light, I also contacted the ICO about a small company who had made confidential information available via an open FTP server in the same way. This time, the sensitive personal data of current and former employees was exposed including their bank account details and passport numbers. As yet, neither the company concerned, nor the ICO has acknowledged this incident and the data (contained in over 5000 files) remains online today.

There are other companies/organisations that currently have or have previously had client and employee data exposed online, including a law firm, a haulage firm, a photographer, a firm of lobbyists, a clothing company, an engineering firm, a vet’s, an investment fund, several charities, a medical database provider to the NHS, a recruitment agent, a parish council and even a data protection trainer. It currently takes less than 5 minutes to find copies of bank account information, credit card details, scans of driving licences and passports and other information of use to fraudsters that UK organisations have leaked online. I even found a copy of the unedited electoral roll listing postal and proxy voters in Epsom West that had been uploaded to the public FTP server of a local firm.

The risk doesn’t only come from insecure company servers themselves, but also from automatic file backups to personal cloud servers by individual employees who have taken their work home with them. Whilst there may be benefits to having a copy of all your files backed up online in case of system failure, it may be wise to make sure that you know exactly what data you are putting online and who has access to it. Whilst a lot of the ICO’s enforcement activity has thus far concentrated on hard copy breaches from public sector organisations, online breaches such as this by private sector organisations could, if properly investigated, keep them busy in the years to come.