Here is a letter I wrote to my MP re the Royal Household and Freedom of Information.  If you are inspired to write to your MP please don’t copy the whole letter but feel free to copy small extracts.

I wrote the letter in response to a campaign message from Republic.

---

Dear [MP],
I am writing to express my concern about the limitations of freedom of
information law with respect to the Royal Household. The Royal
Household is not a public authority for the purposes of the Freedom of
Information Act 2000 (‘the Act’) despite the fact that it is a publicly
funded body. This means that information held by the Royal Household
cannot be accessed by the public even in cases where it can be shown
that disclosure is in the public interest. Taxpayers have the right to
have detailed information about how public money is being spent.

There is also a second wall of secrecy surrounding the Royal Household
and the Royal Family, provided by the exemption in Section 37 of the
Act. Section 37 provides an absolute exemption for certain types of
correspondence, meaning that, for example, correspondence between Prince
Charles and a government minister cannot be accessed even in cases
where it can be demonstrated that the public interest is in favour of
disclosure. I simply cannot accept that members of the Royal Family
should have greater rights to privacy of their correspondence than
other citizens of the United Kingdom.

It has been argued by some that the correspondence of the monarch and
heir requires additional protection because of the need for
impartiality in these roles. I note that impartiality is critical to
the work of the Electoral Commission, police forces and the Court
Service yet all are public authorities subject to the provisions of the
Act. Impartiality cannot be used as an excuse for unnecessary secrecy.

It is a concern to me that papers have been transferred from the
National Archives where they are accessible to the public to the Royal
Archives where they are not.

The Government has the power under Section 5 of the Act to designate
the Royal Household as a public authority and this power ought to be
exercised.

I would be grateful if you could pass my remarks on to the Ministry of
Justice. I would also like you to use the power you have as a
legislator to propose amendments and table questions aimed at
highlighting the problems with the present arrangements. Please let me
know what steps, if any, you intend to take as a result of this letter.

Yours sincerely,


A guest post by @foimonkey

The accidental release of a substantial amount of personal data by Newcastle Citizens Advice Bureau has already been quite widely reported in the media, but as the person responsible for spotting that Newcastle CAB had made this mistake and reporting it to the ICO, I feel it is appropriate to comment on the nature of the breach, the aftermath and what wider lessons can be learnt from this incident.

On 17 September 2013, I came across a spreadsheet whilst searching Google that contained sensitive personal information belonging to a sizeable number of individuals. It was apparent from the nature of the document that this was not intended for release and should not have been made available online. What was less clear was who owned the document (no organisation name was mentioned) so I modified my search to see what other files were hosted on the same FTP server to try to establish who was responsible and who to contact about the incident. To my horror, I found literally thousands of documents containing highly sensitive information that had been hosted on a public FTP server that was accessible via two different IP addresses. It didn’t take much detective work to figure out that this data belonged to the Newcastle branch of the Citizens Advice Bureau.

Citizens Advice Bureaux nationwide provide a valuable source of assistance to vulnerable people and great importance is placed on the confidentiality of their advice. It was troubling to discover that something had gone so horribly wrong at this particular branch of the CAB that meant that client files were not only publicly available on the internet to those who knew where to look, but had also been indexed, cached and made fully searchable. The potential for harm and distress to be caused to individuals who have had the most intimate details of their lives made available to all who cared to look for them should not be underestimated.

In total, Google showed that over 12,000 files from 55 directories had been indexed whilst the FTP server was publicly accessible. These appear to date from 2004 up until the first half of 2013. As well as the obvious risks associated with bank details and other financial information being published online, the files contained, amongst other things, information about suicide attempts, domestic violence, criminal activity, drug use, distressing family breakdowns, detailed medical reports from doctors for benefits appeals hearings and a list of sufferers of post-traumatic stress disorder who had been referred from the Royal British Legion – information that couldn’t be more sensitive or more private.

The files themselves show that this was not even the first data loss incident by Newcastle CAB. In 2010 client files that had been taken out of their office were left in a shop. It is unclear whether they notified the ICO about that incident.

After an initial attempt to get in touch with the CAB on 17 September, I finally managed to alert the CAB and the ICO early on 18 September. You would think that the first priority of Newcastle CAB, in conjunction with the ICO, would be to ensure that this information was removed from the internet as soon as possible. In my email to the CAB I included a link to Google’s help pages on how to remove personal data that had been included in the cache. This process is automatic and usually takes 24 hours to complete. I personally submitted the URLs of several hundred of the most sensitive files for removal from the cache that day and by the next day they were gone, so it is clear that the process works. Astonishingly, cached copies of these files were still accessible as late as yesterday (30 September), close to a fortnight after the breach was initially reported. I cannot understand why there has been such a delay in acting, a delay that I believe may have put the victims of this breach at greater risk. As others have already written, an explanation as to why this information has taken so long to be taken offline has yet to be forthcoming, but I believe that one is certainly owed to those affected by the breach.

Sadly, this breach by Newcastle CAB is not the only breach that has occurred by the means of confidential files being uploaded to an open FTP server. On the same day as this breach came to light, I also contacted the ICO about a small company who had made confidential information available via an open FTP server in the same way. This time, the sensitive personal data of current and former employees was exposed, including their bank account details and passport numbers. As yet, neither the company concerned nor the ICO has acknowledged this incident and the data (contained in over 5000 files) remains online today.

There are other companies/organisations that currently have or have previously had client and employee data exposed online, including a law firm, a haulage firm, a photographer, a firm of lobbyists, a clothing company, an engineering firm, a vet’s, an investment fund, several charities, a medical database provider to the NHS, a recruitment agent, a parish council and even a data protection trainer. It currently takes less than 5 minutes to find copies of bank account information, credit card details, scans of driving licences and passports and other information of use to fraudsters that UK organisations have leaked online. I even found a copy of the unedited electoral roll listing postal and proxy voters in Epsom West that had been uploaded to the public FTP server of a local firm.

The risk doesn’t only come from insecure company servers themselves, but also from automatic file backups to personal cloud servers by individual employees who have taken their work home with them. Whilst there may be benefits to having a copy of all your files backed up online in case of system failure, it may be wise to make sure that you know exactly what data you are putting online and who has access to it. Whilst a lot of the ICO’s enforcement activity has thus far concentrated on hard copy breaches from public sector organisations, online breaches such as this by private sector organisations could, if properly investigated, keep them busy in the years to come.