Back in 2012, the ICO did indeed investigate the ICO, documenting its findings in a security incident report dated 26 April 2012 (“SIR”) that has recently been released under FOI.

Some may argue that no-one should be judge in his own case and others may argue the same in Latin. I don’t hold the the ICO to this standard. Part of the ICO’s job is to investigate possible breaches of the law and there isn’t really anyone else to investigate the incidents which the ICO itself gets caught up in. I do of course expect that when the ICO investigates itself it does so properly, that the ICO staff assigned to such investigations make objective decisions and that there is no attempt at a cover up.

Having reviewed the available evidence, I have reached the conclusion that the ICO’s investigation of the ICO simply wasn’t up to the standard I would expect and I am going to explain exactly why:

(1) In the ICO annual report the incident is described as a self-reported breach. Most people would take that to mean that the ICO identified the matter internally before anyone external complained. That isn’t what happened. The investigation was in fact triggered by an allegation received from a firm of solicitors (Field Fisher Waterhouse) that were not working for the ICO (Source: SIR).

(2) The public security incident update refers to just one disc (“disclosed the disc to the Solicitor”) but in fact two CDs were sent out (Source: SIR). It may seem like a minor point but it suggests that the ICO is seeking to downplay the incident in the public update.

(3) The public security incident update stated that “The hard-drive … had not been forensically examined prior to it being copied and disclosed”. Many readers may interpret this as meaning that there was some examination of the documents disclosed but that this examination was not forensic. In fact “Emails contained within email folders and attachments were not reviewed prior to disclosure” (Source: SIR). This would also support the view that the ICO is seeking to downplay the incident.

(4) The ICO’s public update also says that: “After we had been informed that the disc contained personal data unrelated to the investigation we acted promptly and the disc was recovered from the Solicitor who had stored the disc securely up to the point of recovery.” This would suggest that the disk was recovered fairly quickly but in fact this isn’t what happened: “McCartneys [the solicitors] have been guarded in their engagements with the ICO and have not cooperated and despite repeated efforts the CDs have not yet been returned to the ICO” (Source: SIR). So the Solicitors had the discs for at least five months from October 2011 to April 2012 despite the ICO’s repeated efforts to get the disc back. I view the fact that this is omitted as further evidence of attempts to downplay the incident.

(5) The ICO still doesn’t know the full extent of the personal data released in the breach. The ICO disclosed images of a hard drive but the investigators only appear to have looked at emails and attachments (source: SIR)- it is hard to believe that any hard drive being used would not contain other personal data. In addition, not all emails in the sent folder were read by the ICO (source: SIR). Anyone who uses email will know that sent folders contain very similar types of material to inboxes so it is quite hard to justify why the ICO investigators treated the two folders so differently, perhaps they just ran out of time.

(6) When evaluating the seriousness of the breach the ICO appeared to take no account of the fact that the data was collected and stored by criminals who had together committed “potentially 3,000 criminal offences” all related to data protection (source: SIR). In my view much of this information should never have been obtained in the first place and so data subjects would have a much greater expectation of privacy when the data later came into the hands of a public body than for cases where information was created lawfully in the first instance.

(7) Christopher Graham (the Information Commissioner) said of these criminals: “The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that.” (20 November 2013 ICO news release) The unfortunate irony is that the ICO also committed a breach when sending on the same data that these criminals had collected. I do not wish to compare the ICO to a company that tricked people into revealing personal data but I do question how the Commissioner can credibly call for tougher action when the rules are broken when I look at how the ICO’s investigation of the ICO was handled.

I am writing this blog post in relation to an ICO Decision Notice issued in December 2011, to some of you that may seem like a long time ago but the dedicated few will appreciate that in the context ICO this counts as a quick and witty reply.

Background

The requester asked for copies of any agreements with the Independent Police Complaints Commission under section 26 of the Police Reform Act 2002 in respect of either Hampstead Heath Constabulary or the Epping Forest Keepers. On 6 December 2011, the Information Commissioner (FS50402837) ruled that the Common Council of the City of London was not subject to the Freedom of Information Act 2000 in respect of the Hampstead Heath Constabulary and the Epping Forest Keepers – what I would call parks police. The Common Council is only listed a public authority in Schedule 1 of FOI for information held in local authority, police authority or port health authority (the three specific capacities). The basic rationale for the ICO’s ruling was that “the information would not be held in its capacity as a local authority, police authority or port health authority”.

… surely functions relating to parks police are functions of a local authority

It turns out that the Hampstead Constabulary was specifically transferred to the ‘other part’ of the City of London Corporation which excludes the local authority, police authority and port health authority in 1989 (See regulations 2, 4 & 5 of SI 1989/304) .This other part of the Corporation is sometimes called “city cash”. In effect the constabulary was taken out of the scope of this part of the FOI Act 11 years before the FOI Act was passed. The Common Council argued that its role in relation to the Keepers of Epping Forest was carried out in their capacity as conservators of Epping Forest under the Epping Forest Act 1878.

but it says ‘police authority’ …

Consistent with the above, the ICO accepted the Common Council’s argument that the parks police were paid for from city cash and not part of its functions as a police authority. The term ‘police authority’ here would appear to be limited to functions carried out with respect to the the City of London police force.

… but Parliament specifically wanted private police forces to be covered

The ICO also considered the provisions of schedule 1 of FOI specifically intended to bring bodies managing (so called) private police forces within the scope of FOI. Section 64 of Schedule 1 provides that:

“Any person who—
(a)by virtue of any enactment has the function of nominating individuals who may be appointed as special constables by justices of the peace, and

(b)is not a public authority by virtue of any other provision of this Act,

in respect of information relating to the exercise by any person appointed on his nomination of the functions of a special constable.”

The Common Council argued that the Hampstead Heath Constables and the Epping Forest Keepers were not special constables and therefore part (a) was not met. The Common Council also argued that in any event the Common Council was a public authority by virtue of another provision of Schedule 1 (para 9) and so part (b) was not satisfied. The ICO agreed with the Common Council that as it was listed in paragraph 9 of Schedule 1 it was a public authority by virtue of another provision. The ICO were not concerned by the fact that paragraph 9 only applied to the Common Council in three specific capacities because of the ruling in Sugar v BBC [2009]. The ICO summarises the implications of the ruling in Sugar as follows: “it was established by a majority agreement that where bodies are listed in Schedule 1 of the FOIA in respect of a certain type of information only, they remain public authorities under the FOIA regardless of the type of information at issue.” Having found that part (b) was not satisfied the ICO did not consider part (a).

This leads to the counterintuitive conclusion that the City of London Corporation’s would would be “foiable” in respect of the parks police if it were not for the fact that the Corporation had so many other public functions.

Where I disagree with the ICO

(1) The intention of Parliament was clearly that special constables be ‘foiable’, 64(b) is simply intended to prevent duplication in the schedule 1 list. This in itself doesn’t mean the ICO are wrong in all its conclusions but the intention behind the legislation should drive interpretation. I do not think the ICO gave the intention behind the Act sufficient weight.

(2) The ICO said that “The complainant’s belief that this was an unintended “loophole” is not supported by evidence.” The ICO should not expect complainants to have all the evidence at their disposal. The ICO has more resources (and expertise?) than the average requester and should try to investigate and gather evidence to support or refute claims requesters make. The mere inclusion of references to special constables in Schedule 1 might well be evidence enough. The ICO researchers might have found a copy of the report of the Stephen Lawrence inquiry published in 1999 not all that long before the Freedom of Information Act was passed: “Similarly we consider it an important matter of principle that the Police Services should be open to the full provisions of a Freedom of Information Act. We see no logical grounds for a class exemption for the police in any area (Recommendations 9-11).” and the related recommendation “That a Freedom of Information Act should apply to all areas of policing, both operational and administrative, subject only to the “substantial harm” test for withholding disclosure.” The government’s response was to accept this recommendation: “The Freedom of information Act to be applied to all areas of policing.”

(3) The ICO did not consider the implications of paragraph 59 of Schedule 1: which includes within the scope of FOI: “A chief officer of police of a police force in England or Wales.” I do not see why this could not apply to police forces maintained otherwise than by police authorities – see for example the language used in Section 26 of the Police Reform Act 2002 (ironically this section was what the requester was asking about). It is no secret that I am an FOI inclusionist but I think this would apply to the head of a parks police force. The Common Council should have passed the request on to that person if they felt they themselves were not covered by FOI for the information in question. The point could be argued both ways but the ICO don’t even mention it in their Decision Notice. In 2010, the ICO acknowledged that the interpretation of paragraph 59 was a matter that had still to be settled.

(4) The City of London Corporation is a body corporate (as a result of prescription) and therefore legal person. It is a person that is not a public authority by virtue of paragraph 9 of the Act. Note in particular that paragraph 9 of the Act only makes the Common Council of the Corporation a public authority which does not make the Corporation a public authority. The ICO failed to make this distinction. The Corporation is not just the Common Council, it also consists of the Lord Mayor and the Court of Aldermen for example. The Corporation would satisfy paragraph 64(b) of Schedule 1. Even in the case where powers are exercised by the Conservators the legal person is still the City of London Corporation (CIR v Corporation of London (as Conservators of Epping Forest) is referred to in HMRC’s SAIM8030). The question then is whether part (a) is also satisfied – something that the ICO never looked at. Does the City of London Corporation “by virtue of any enactment has the function of nominating individuals who may be appointed as special constables by justices of the peace”?

Section 43 of the Epping Forest Act 1878:

“The Conservators may from time to time, for securing the better execution of this Act and their byelaws, procure all or any of the reeves or assistant reeves, and of the bailiffs, and other officers appointed by them, to be sworn in as constables before a justice of the peace for the county of Essex, who shall have power to swear them in accordingly.”

The general power to appoint the Hampstead Heath Constables was conferred upon the City of London Corporation by paragraph 18 of the Greater London and Parks and Open Spaces Order 1967: “A local authority may procure officers … to be sworn in as constables”.

The argument would then be as to whether the constables were “special” or not, certainly, these are not regular territorial police forces. My view is that the definition would be met. It is worth noting that the ‘volunteer police’ in the Special Constabulary are referred to as Special Constables but so are the members of certain non-territorial police forces e.g. port police so the terminology is hard to interpret. It is disappointing that the ICO overlooked some of the key issues in this case.

(5) In general, I have observed that in borderline and/or novel cases the ICO often rules in a way that is consistent with minimising its own workload, often shying away from difficult and expensive legal fights with public bodies. The Decision Notice issued in this case is not inconsistent with that pattern.

(6) Territorial police forces and the police authorities (or Police and Crime Commissioners) which oversea are separately subject to FOI. My view is that parks police and the bodies which appoint them (and in almost all if not all cases oversee their work) are also separately subject to FOI. Yes, even when the police force in question is controlled by a powerful institution that can afford to take on the ICO.