A guest post by @foimonkey

The accidental release of a substantial amount of personal data by Newcastle Citizens Advice Bureau has already been quite widely reported in the media, but as the person responsible for spotting that Newcastle CAB had made this mistake and reporting it to the ICO, I feel it is appropriate to comment on the nature of the breach, the aftermath and what wider lessons can be learnt from this incident.

On 17 September 2013, I came across a spreadsheet whilst searching Google that contained sensitive personal information belonging to a sizeable number of individuals. It was apparent from the nature of the document that this was not intended for release and should not have been made available online. What was less clear was who owned the document (no organisation name was mentioned) so I modified my search to see what other files were hosted on the same ftp server to try to establish who was responsible and who to contact about the incident. To my horror, I found literally thousands of documents containing highly sensitive information that had been hosted on a public ftp server that was accessible via two different ip addresses. It didn’t take much detective work to figure out that this data belonged to the Newcastle branch of the Citizens Advice Bureau.

Citizens Advice Bureaux nationwide provide a valuable source of assistance to vulnerable people and great importance is placed on the confidentiality of their advice. It was troubling to discover that something had gone so horribly wrong at this particular branch of the CAB that meant that client files were not only publicly available on the internet to those who knew where to look, but had also been indexed, cached and made fully searchable. The potential for harm and distress to be caused to individuals who have had the most intimate details of their lives made available to all who cared to look for them should not be underestimated.

In total, Google showed that over 12,000 files from 55 directories had been indexed whilst the FTP server was publicly accessible. These appear to date from 2004 up until the first half of 2013. As well as the obvious risks associated with bank details and other financial information being published online, the files contained, amongst other things, information about suicide attempts, domestic violence, criminal activity, drug use, distressing family breakdowns, detailed medical reports from doctors for benefits appeals hearings and a list of sufferers of post-traumatic stress disorder who had been referred from the Royal British Legion – information that couldn’t be more sensitive or more private.

The files themselves show that this was not even the first data loss incident by Newcastle CAB. In 2010 client files that had been taken out of their office were left in a shop. It is unclear whether they notified the ICO about that incident.

After an initial attempt to get in touch with the CAB on 17 September, I finally managed to alert the CAB and the ICO early on 18 September. You would think that the first priority of Newcastle CAB, in conjunction with the ICO, would be to ensure that this information was removed from the internet as soon as possible. In my email to the CAB I included a link to Google’s help pages on how to remove personal data that had been included in the cache. This process is automatic and usually takes 24 hrs to complete. I personally submitted the URLs of several hundred of the most sensitive files for removal from the cache that day and by the next day they were gone, so it is clear that the process works. Astonishingly, cached copies of these files were still accessible as late as yesterday (30 September), close to a fortnight after the breach was initially reported. I cannot understand why there has been such a delay in acting, a delay that I believe may have put the victims of this breach at greater risk. As others have already written, an explanation as to why this information has taken so long to be taken offline has yet to be forthcoming, but I believe that one is certainly owed to those affected by the breach.

Sadly, this breach by Newcastle CAB is not the only breach that has occurred by the means of confidential files being uploaded to an open ftp server. On the same day as this breach came to light, I also contacted the ICO about a small company who had made confidential information available via an open FTP server in the same way. This time, the sensitive personal data of current and former employees was exposed including their bank account details and passport numbers. As yet, neither the company concerned, nor the ICO has acknowledged this incident and the data (contained in over 5000 files) remains online today.

There are other companies/organisations that currently have or have previously had client and employee data exposed online, including a law firm, a haulage firm, a photographer, a firm of lobbyists, a clothing company, an engineering firm, a vet’s, an investment fund, several charities, a medical database provider to the NHS, a recruitment agent, a parish council and even a data protection trainer. It currently takes less than 5 minutes to find copies of bank account information, credit card details, scans of driving licences and passports and other information of use to fraudsters that UK organisations have leaked online. I even found a copy of the unedited electoral roll listing postal and proxy voters in Epsom West that had been uploaded to the public ftp server of a local firm.

The risk doesn’t only come from insecure company servers themselves, but also from automatic file backups to personal cloud servers by individual employees who have taken their work home with them. Whilst there may be benefits to having a copy of all your files backed up online in case of system failure, it may be wise to make sure that you know exactly what data you are putting online and who has access to it. Whilst a lot of the ICO’s enforcement activity has thus far concentrated on hard copy breaches from public sector organisations, online breaches such as this by private sector organisations could, if properly investigated, keep them busy in the years to come.
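Both incidents described above came down to the same misconfiguration: an FTP service that let anyone log in anonymously and browse a directory holding confidential files, which is exactly what a search engine crawler then indexed. As an added illustration that is not from the original post, and assuming the server was running vsftpd (the post does not say which software was in use), here is the setting that creates that exposure beside a corrected configuration. The two sections are alternatives, not meant to be used together in one file.

```ini
# Added example: vsftpd.conf fragments (server software is an assumption).
# vsftpd does not allow comments on the same line as a directive, so every
# comment sits on its own line.

# --- Exposed configuration ---
# Anonymous logins are accepted, so anything placed under anon_root
# (here /srv/ftp, an assumed path) is readable by anyone on the internet,
# including web crawlers that then cache and index the files.
anonymous_enable=YES
anon_root=/srv/ftp
local_enable=YES
write_enable=YES

# --- Corrected configuration ---
# Anonymous access is off; only accounts on the box may log in, each is
# confined to its own home directory, and logins and transfers require TLS
# so credentials and file contents are not sent in the clear.
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
```

Two practical notes: vsftpd refuses to start a chrooted session whose root directory is writable, so either make the home directory read-only and give users a writable subdirectory, or set allow_writeable_chroot=YES (the directive really is spelt that way) and accept the weaker isolation. And the simplest self-check is from outside your own network: `curl --user anonymous: ftp://your-host/` returning a directory listing means the share is public, and anything listed should be assumed to be already crawled.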

  • Current practice recommendations published on ICO website (s48): 0
  • Information notices published on ICO website (s51): 0
  • Current enforcement notices published on the ICO website (s52): 0
  • Certificates of non-compliance with Decision Notices (s54): 0
  • Use of powers of entry and inspection (s55, Sch 3): 0
  • Prosecutions for altering/blocking/concealing/destroying records with intent to prevent disclosure (s77): 0

Important notes

  • The statistics are based on the latest information that I can easily find, sources are indicated below.
  • I am not simply interested in enforcement action taking place; these figures are about enforcement action being seen to be done.
  • Decision notices are excluded because I see these as ruling on whether or not a public authority has complied with the law as opposed to taking firm action to enforce the law. Also the ICO is legally required to issue Decision Notices (subject to certain limited exceptions) – I want to focus on the discretion he is exercising with regard to enforcement.
  • I am happy to accept any additions/corrections/clarifications that the Information Commissioner or any third party sees fit to provide.


  1. Good practice recommendations: The ICO has committed to publishing all practice recommendations. The latest one I found was one relating to Department of Health from March 2009. These recommendations are not binding as such so I am not particularly interested in searching for ones issued more than three years ago that are not listed on the ICO’s enforcement page.
  2. Information Notices: I checked the Enforcement page, ICO website (accessed 1 June 2013) and conducted other searches.
  3. It is known that the ICO has issued at least one (referred to in: FS50436434) but I could not easily find a copy.
  4. Enforcement notices: “There are currently no freedom of information enforcement notices available on the website.” Enforcement Notices page, ICO website, accessed 1 June 2013. The ICO has issued such notices in the past but my point is that none are regarded as current by the ICO.
  5. Certificates of non-compliance: Email from the ICO’s Assistant Internal Compliance Manager, 25 February 2009. I searched for more recent data but could not find any; in particular I checked the Enforcement page, ICO website (accessed 1 June 2013).
  6. Powers of entry/inspection: I checked the Enforcement page, ICO website (accessed 1 June 2013) and conducted other searches.
  7. Prosecutions: I checked the Enforcement page, ICO website (accessed 1 June 2013) and conducted other searches. The ICO is underfunded and has a large backlog of cases, which makes it difficult to catch offenders in time to prosecute.

Further note re practice recommendations
“Although a Practice Recommendation is not directly enforceable, a failure to comply with a Practice Recommendation may lead to a failure to comply with the FOIA or EIR. Further, a failure to take account of a Practice Recommendation may lead to an adverse comment in a report to Parliament by the Commissioner.” Source: ICO guidance on practice recommendations.

OK, let’s back up a bit here to the year 2000 and the reason the Freedom of Information Act 2000 was brought in – the Act was brought in so that the public would have a legal right to access promptly any information held by a public body except where this would be harmful. That includes the right to access information the public body or the people who work for it don’t want you to have because it is embarrassing or would take up a bit of their time to put together. That said, let’s get back to December 2012 and to the UKBA’s reasons for withholding information from the public. UKBA have been asked for information about exclusion orders. I understand why it might not be appropriate to release names of individuals and I understand that it might not be appropriate to release information about ethnic groups where there are only a very small number of individuals, however UKBA’s response is ridiculous:

(my emphasis)

“We have considered whether to withhold only the names of the individuals concerned, but to release the rest of the information requested. However, we have concluded that the data relating to the years 2009-2011, most of the data relating to nationalities and the information on the basis of each individual’s exclusion order, relate to sufficiently small numbers of people that its release would breach the Data Protection Principles. This is because the information released could be linked to particular individuals, or enable individuals to be identified if that information were cross referenced with other data that may be available via other sources. Although not all of the nationalities relate to very small numbers of people, we consider that the release of figures relating to some nationalities but not others, could similarly make it possible for someone, who already knows information relating to any of the other nationalities, to deduce information about individuals who have been excluded because they would know, from the omission of that nationality from our response, that they are from a nationality of which only a small number of people have been excluded.”

I am left wondering under what circumstances UKBA would release any aggregated statistical data whatsoever. Presumably, the UKBA officials would oppose the publication of the 99% literacy rate of the UK population because it would mean that I could be virtually certain that my next door neighbour was literate. To be honest I am surprised they even released the total figure of 32 because had I told my neighbour that I was the 100th person ever to receive an exclusion order and I got a special cake from UKBA he would now know I had lied. Presumably, UKBA cannot admit to not having a holding centre inside the Ritz Hotel in case someone happened to tell a friend they were in a holding centre and putting two and two together she deduces that he wasn’t staying at the Ritz. Seriously, though if you go down the UKBA route where does it end?

If you provide certain information to friends, neighbours and others, it does make it more likely that they can find out more about you using other information in the public domain – that’s obvious, and to a point you have to accept this.

Why can’t UKBA at least address the question: “In each case, what was the basis of the exclusion order?” for the 32 exclusion orders issued on a no names no nationalities basis?

The UK Border Agency’s highly questionable interpretation of FOI law is contrary to the spirit of transparency that is so badly needed in this country today.

The Information Commissioner’s formal ruling that the Royal Household is not legally required to answer requests for environmental information has today been criticised by a number of freedom of information experts and activists after it was found to contain unattributed extracts from three Wikipedia articles.

Environmental information was requested from the Royal Household in March 2012. The Royal Household refused to answer the request on the basis that it was not a public authority despite receiving millions of pounds of public funding and being responsible for the upkeep of the state-owned Occupied Royal Palaces. The requester (@foimonkey on Twitter*) appealed this decision to the ICO in May 2012, who formally responded around nine months later.

Plagiarism from Wikipedia
The ICO’s formal Decision Letter contained unattributed extracts from three Wikipedia articles – the material from Wikipedia was not in quotes and was passed off as though it were the ICO’s original analysis of the legal and constitutional position of the Royal Household. This is particularly embarrassing for the ICO as the Decision Letter was signed off by the Deputy Information Commissioner with responsibility for FOI (Graham Smith) and given the nature of the ruling should have been looked at by the ICO’s high profile case unit.

The ICO may have broken copyright law by reproducing this material without attributing Wikipedia. Questions are now being asked about the use of unattributed sources in the ICO’s formal decisions.

Plagiarism from Royal Household website
The ICO’s Decision Letter also included a number of unattributed extracts from the Royal Household website, again passed off as though it were the ICO’s own analysis. This demonstrates a lack of rigour by the ICO in reaching formal decisions and suggests that it is taking statements made by the bodies it regulates at face value rather than acting as a robust and responsible regulator. The ICO’s conduct in this matter will be taken by many as a sign that it gives too much weight to the views of public bodies and is too quick to dismiss the legitimate concerns of FOI requesters.

Absurd ruling
A number of other deficiencies in the ruling have been identified. One claim made by the ICO is particularly absurd and is likely to anger Monarchists and Republicans alike:

“the Commissioner is satisfied that the Sovereign does not exercise functions that are public in nature.”

(This despite the Queen’s role in the State Opening of Parliament, in awarding Peerages and honours and appointing ministers, as Head of the Armed Forces, I could go on…)

No mention of right to appeal
It has also been noted that the ICO has not notified the requester of their right to appeal the ruling – this failure is already the subject of a separate complaint to the ICO.

The Information Commissioner’s Office has a number of questions to answer about the quality of formal decisions and needs to take urgent action to regain the confidence of FOI requesters.

*well known to me and many who read my blog

The BBC has reported that Rutland Council could be the first local authority to sue for defamation. Lawyers claim the council’s reputation had been damaged and suggested they could sue using the powers the Council now has under the Localism Act 2011.

This threatens a long standing principle of English law that prevents local councils from suing for defamation.

“The Derbyshire county council v Times Newspapers Ltd judgment of 1993 specifically rules out local authorities from suing for libel. As Lord Keith said in the judgment: “It is of the highest public importance that a democratically elected governmental body, or indeed any governmental body, should be open to uninhibited public criticism”.” [This protection is called “the Derbyshire Principle”.] Guardian, 14 February 2012

Where it went wrong
The Localism Act 2011 was intended to reduce red tape for local councils … so where did it all go wrong? Supporters of the bill were eager to reduce legal hurdles that stopped local councils innovating. One of these perceived barriers was a rule which states that a council cannot legally do something unless it is expressly authorised by law (this contrasts with the position for a private person, who is allowed to do anything unless the law says he or she cannot). To eliminate this rule Section 1(1) of the Act says “A local authority has power to do anything that individuals generally may do.” and it is this clause which puts the Derbyshire Principle at risk.

Why you should care
You should care because:

(1) Anyone who supports freedom of speech and/or freedom of the press and/or hates corruption and incompetence should be greatly concerned about this threat to our previously well established right to criticize local councils as corporate bodies without fear of a defamation action being taken against us.

(2) Defamation actions in the UK are incredibly complex and expensive. In the words of the Libel Reform Campaign: “The potential cost of defending a libel action is prohibitive”. When a council loses a defamation case against a local newspaper or blogger its costs will be paid for out of your Council Tax and other taxes. Many bloggers and journalists will be put off by the potential cost and you simply won’t see the story.

(3) The UK’s defamation laws are bad enough already which is why we have attracted ‘libel tourism’.

(4) Do you really want the secretive and influential City of London Corporation being able to sue for damage to the Corporation’s reputation?

(5) It is a dangerous precedent to allow local councils to sue for defamation – the next step could be allowing Central Government bodies the same powers.

How can I help to stop this?
I don’t have all the answers but here are my initial thoughts:

(1) There is a Defamation Bill and a Crime and Courts Bill currently before Parliament so write to your MP and tell them that you are extremely concerned about this threat to a long standing principle of English law.

  • Ask your MP to put forward an amendment to one of the bills already before Parliament to put this important civic right on a solid legal basis.
  • Ask your MP to consider proposing an early day motion on this issue – an early day motion is a bit like a petition that MPs and only MPs can sign – it will help to highlight the issue.
  • Ask your MP to ask a written question to the Government about whether the Localism Act 2011 means that the Derbyshire Principle no longer applies.

(2) Raise awareness – tweet and blog about this issue and encourage others to take action.

(3) Write to one of the Lords interested in defamation law and ask them to help secure this important right.

Thank you to Ganesh Sittampalam for an email which made me sit up and take notice of this issue.

Given the fact that in coalition it is hard to get agreement on big policies, especially as there isn’t a lot of spare cash, I thought I would write a list of pro-transparency ideas that would be fairly small and reasonably easy to implement – though not all are uncontentious. I am an eternal optimist and I hope that lots of political parties will copy these ideas and put them in their manifestoes.

Increase the number of bodies covered by the Freedom of Information Act

  • Make all exam boards subject to FOI in respect of the administration of public examinations.
  • Make the Higher Education Statistics Agency (HESA) subject to FOI.
  • Make all housing associations subject to FOI.
  • Make all trust ports subject to FOI.
  • Make the Panel on Takeovers and Mergers subject to FOI.
  • Make Returning Officers and Electoral Registration Officers in public elections subject to FOI.
  • Make ‘any person providing health, education, social care, criminal justice services under a contract made with a public authority where the provision of the service is function of that authority’ subject to FOI

See also: more ideas and even more ideas.

Make Freedom of Information Act 2000 more effective by making the whole process quicker

  • Introduce fixed time limits for internal reviews.
  • Introduce fixed time limits for public interest extensions.

Reduce the “get out clauses” and “loopholes” … and make transparency laws more robust

  • Toughen up the wording – require public bodies to demonstrate ‘substantial prejudice’ before using an exemption to withhold information, rather than simply demonstrating ‘prejudice’.
  • Close the loophole that means that HMRC does not have to release information about corporate tax payers even when it can be shown that the public interest is harmed by non-disclosure.
  • Scrap the Ministerial Veto – take away right of ministers to overrule the independent Information Commissioner (if appropriate it could be retained for matters of National Security only).
  • Remove the exemption that exists in respect of communications with the Royal Family and Royal Household – this is in line with the idea that everyone should be equal before the law
  • Only allow information to be withheld under the “intended for future publication” exemption if the public body has made a public commitment to publish the information within 90 days.
  • Make the BBC more accountable by replacing the BBC’s “derogation” with a properly drafted exemption.
  • Bodies subject to the FOI should be required to publish a functioning email contact address on their website (with due prominence) – Note companies providing services through websites are already legally required to do this
  • Where the opinion of a “qualified person” is used to block disclosure that person should have to be named in the refusal notice.
  • Make all companies owned 90% or more by one or more public bodies subject to FOI.
  • Make the House of Commons Commission and the Corporate Officers of the Houses of Parliament subject to FOI to avoid the present situation where the senior officials working in the Palace of Westminster will not answer FOI requests while Parliament is dissolved.
  • Make it easier for people to request information about themselves under Data Protection law by only allowing exemptions to be used where it is in the public interest, this already happens for FOI exemptions.

Make publicly owned companies accountable

Say those owned 90% or more by one or more public bodies:

  • give the public the right to attend Board Meetings of public companies, except those parts of the agenda where there was a good reason to go into closed session.
  • require each director’s vote to be minuted on all formal decisions.
  • require (draft) minutes of open meetings to be published online within 15 working days of the day on which the meeting finishes and that final minutes are published online promptly once approved.

Be flexible on format when supplying public sector information

Extend Whistleblower Protection

  • Give students the same whistleblower protection that employees already have.
  • Give non-executive directors the same whistleblower protection that employees already have.

Make it easier for people to reuse public sector information and hold the public sector to account without fear of litigation

Further Acknowledgements

Foiwiki ideas and more ideas.

A quick search of the ICO’s Register of Data Controllers for the word “coroner” reveals just 18 records. This does not compare favourably with the figure of about 110 suggested by the dropdown box on the Coroners’ Society website. Only 32 of these are ‘whole time’ coroners, the remainder being paid for each case. Now let’s consider whether coroners need to be registered as data controllers and other key questions that arise.

(1) Do coroners hold data about living individuals?
Yes. It is accepted that information about the deceased is not ‘personal data’ for the purposes of the Data Protection Act but as noted in the registration of Her Majesty’s Coroner for Greater Manchester (North District) coroners hold data about the “RELATIVES, GUARDIANS, PERSONS ASSOCIATED WITH DECEASED”.

(2) Are coroners covered by the data protection registrations of local authorities?
No. In the ICO FOI Decision notice the Commissioner “determined that the tapes are held by the public authority solely on behalf of the Hertfordshire Coroner and not for its own purposes. Coroners are not designated as public authorities under the Freedom of Information Act 2000 and therefore their records are not subject to the information access regime of this Act.”
It goes on to conclude “It holds the information on behalf of another person and that other person, the Hertfordshire Coroner, is not a public authority as defined in the Act”.

It seems therefore very unlikely that the ICO would take the opposite view for Data Protection purposes, so I think it is safe to say that the coroner as an independent judicial officer is also a Data Processor who is not covered by the local authority registration.

If that isn’t enough, in EA/2008/0010:

“the Tribunal concluded that the Coroner had in this case made the decision what was or was not to happen in relation to this information. This was consistent with the statutory regime under the Coroner’s Rules and indicated that ‘ownership’ of and control over this information lay both in fact and law with the Coroner. That this should be the case was consistent with the fact that the Coroner is an independent judicial office holder, whose decisions are made independently of the Council.”

Clearly, the coroner is a data processor.

(3) Are coroners exempt from registering?
No. If you read the ICO’s guidance and bear in mind that coroners are responsible for the administration of justice you will see that no exemption is available.

(4) Why doesn’t the ICO do something?
You would have to ask the ICO that question really, but the ICO’s general approach is not to pro-actively look for potential instances of non-compliance with notification requirements, far from it. In fact, the ICO often does not act when instances of non-compliance are brought to its attention.

Please see Information Rights and Wrongs’ excellent piece on failure to notify by MPs, in which the ICO response is recorded as “Our non notification activities are targeted at particularly high risk or under represented groups or sectors.”

(5) Why does any of this matter?
Firstly, because non-registration is a criminal offence and hardly fitting conduct for a judicial officer. Secondly, you can choose to buy goods and services from people you trust to process your data lawfully, but when it comes to public authorities you usually don’t get a choice, and this is true for coroners, whom you might come into contact with in the most tragic of circumstances. Finally, because it again calls into question the ICO’s choice of who to target with enforcement action. I am reminded of Tim Turner’s comment:

“Chris Graham’s speeches are impressive and stirring, with an attitude that no stone will be left unturned, no organisation or sector can act with impunity, but the reality is different. Rather than issuing CMPs [civil monetary penalties] to big private sector organisations, they go after councils. Rather than prosecuting MPs for non-notification, they do estate agents. They have to concentrate scant resources, and the targets that they choose could be exemplars – big, powerful institutions and individuals whose fate would serve as a lesson for all”

I have set up a petition to close HMRC’s FOI loophole; it is currently awaiting approval. Please sign this as soon as it is approved and promote it in any way you can. It should appear here once it is approved: Ministry of Justice Petitions (‘Civ’ to ‘Con’)

Close the HMRC freedom of information loophole petition

“While almost all public bodies are required to release information about companies under the Freedom of Information Act 2000 there is a loophole that means HMRC does not have to do so. The loophole is contained in Sections 18 & 23 of the Commissioners for Revenue and Customs Act 2005. This loophole means that HMRC does not have to release information about corporate tax payers even when it can be shown that the public interest is harmed by non-disclosure. In fact HMRC would not even be required to release relevant information it holds in cases where corporations have knowingly misled the public about the amount of tax they pay,

Whilst we accept that private individuals have a right to privacy, we fail to see why this right extends to the tax affairs of major corporations.

We call on the Government to introduce legislation to close this loophole in respect of companies and other organisations as step towards a fairer and more transparent tax system.”

The oldest written law currently in force in England is the Distress Act, part of the Statute of Marlborough, 1267 (sources: [1], [2], [3]) – but a Law Commission document published in April 2012 reveals that after more than seven hundred years on the statute book the Act came very close to being repealed.

“As indicated earlier in this Part we looked at the topics of distress and waste in the context of the Statute of Marlborough 1267 but, as explained, formed the view that it would be premature to pursue repeal of the distress chapters, pending enactment by parliament of amendments to the Tribunals, Courts and Enforcement Act 2007 following the UK government’s consultation on transforming bailiff action, and that it would be inappropriate to repeal the chapter on waste.”

Depending on the outcome of the Government’s consultation on bailiff action the Act could still get repealed. Worryingly, nowhere in the Law Commission’s analysis do they really take into account the historical significance of this Act as the oldest law we have left.

The 13th century Act has the effect of stopping a person recovering damages from someone else except by order of a court which amounts to outlawing private feuds. The Act also protects tenant’s property in certain circumstances.

I am not proud of every aspect of British history but I think everyone in the UK can be proud of the positive contributions the British have made to the development of the rule of law and democracy (Magna Carta being among the most famous). We should try to save Britain’s oldest law from repeal if at all possible.