Information Commissioner – ICO

Those not familiar with the ICO’s machinations should perhaps read this.

It will become evident  that what should have happened, is very different from what had actually happened.

It is clear that the ICO exerted utmost of effort to avoid mentioning CONFIDENTIALITY, CONSENT, STATUTORY RESTRICTIONS ON DATA HANDLING AND ARTICLE 8 OF THE  HUMAN RIGHTS ACT.   Perhaps he assumed that as these finer intellectual and ethical considerations are OUTSIDE OF HIS REMIT, he was in no way obliged to take them into consideration.

Moreover, the ICO chose NOT to refer to his own Statutory Code, the ‘Data Sharing Code of Practice’, where section 4 – Data Sharing and the Law, puts the onus on legality of disclosure on RBKC and the possibility that some data processing may be  governed by, for example  Statutory Restrictions, which are OUTSIDE OF THE DPA, or subject to CONFIDENTIALITY,  to avoid  F from taking his concerns to a new, unwelcome and perhaps embarrassing level.

Unhappy with RBKC’s obvious failure to comply with F’s May 2010  Amendment  to his Information Sharing Agreement and  their justification of  disclosure of F’s information to the LGO,  on 5th  January 2012 F submitted a request to the ICO for his opinion in the matter of disclosure of his information without his consent or even knowledge.

At the time of his request, F was NOT aware what was actually disclosed by RBKC, that came to light on 11th  February 2012.  He was not even told by RBKC that any documents were sent to the LGO, let alone asked to provide his CONSENT,  as required by his Information Sharing Agreement.

In his request F quoted portion of his  May 2010 amendment to his ‘Information Sharing Agreement‘, clearly  stating that his HIV+ status may have been disclosed without his CONSENT and/or knowledge.

F did not deem it necessary to tell the ICO about the instructions relating to the deletion of his information, as he thought that this was already taken care of. But perhaps some may have still remained on RBKC files.

In his ‘assessment’  dated  23rd January 2012, without asking any questions, or obtaining  details of the actual  information disclosed to the LGO,  ICO’s Ms Sacha Powell  merely  endorsed RBKC’s justification and swiftly closed the case, wholeheartedly hoping that F would swallow the ‘assessment’, hook, line and sinker, shut up and go away. 

Therefore, Ms Powell did not deem it necessary to offer F the opportunity to challenge the assessment, as she  should have done.

Even if the ICO offered F the opportunity to challenge the ‘assessment’, there is NOTHING that the ICO could have done to provide  REMEDY to F, whatever the outcome, as this is also outside of the ICO’s remit. 

The DPA  can only provides resolution in respect of the data controller, RBKC in F’s case.   The ICO cannot compel RBKC to even offer an apology, let alone any equitable compensation for the distress and concern the matter may have caused him.

In this respect, F must avail himself of paragraph 13  of the DPA and go to court.  Where,  the Judge is in NO way obliged to consider the ICO’s ‘assessment’, as it has NO legal value.  He would consider the matter anew, from a legal point of view, discarding anything stated by the ICO.   It is after all, a mere ‘assessment’, stating whether RBKC   had ‘likely’ or ‘unlikely’ complied with the DPA.

Considering the subject article, it is no surprise that Ms Powell chose to ignore the provisions of ICO’s  ‘Data Sharing Code of Practice – section 14- Data Sharing Agreements,  which states that ‘The  ICO will  take this  into account should it receive a complaint about  data sharing”., when considering F’s  statement about his May 2010 Amendment to his Information Sharing Agreement.

Considering the fact that ALL information in service user’s file held by his Social Worker is deemed ‘CONFIDENTIAL‘, very much like GP’s file on his patients, it must be treated as such.

In F’s case some of his information is  of NOT ONLY SENSITIVE, but ALSO of CONFIDENTIAL MEDICAL nature.

On seeing that F’s not only medical but also more seriously, his  status  HIV may have been disclosed, Ms Powell should have realised that  a disclosure of  a highly CONFIDENTIAL medical information may have occurred, as  referred to ICO’s DPA complaints casework,  page 5 – operational priorities – evidence of unauthorised disclosure of medical information and take further action.  He should have perhaps asked RBKC for details of the information disclosed to the LGO, which were at that time unknown.

The extent of the disclosure came to light only on  11th February 2012almost a month  after the ICO’s ‘assessment’, when F received  from RBKC the requested documents sent to the LGO.

It  became clear that the 146 CONFIDENTIAL documents, were culled  from F’s file, indiscriminately, without reason or purpose.   This is confirmed by the ABSENCE of a document which should have listed all the documents, the authority for their disclosure without consent and the reason/purpose for their disclosure.  This is required by the legislation,  paragraph 6.22 of the Department of Health Guidelines – ‘Data Protection Act 1998 – Guidance to Social Services, and  the Caldicott Principles‘.

On 9th July 2012  ICO responded with his Case Review.  Mr Gray merely reiterated Ms Powell’s  earlier  decision.  He stated that the disclosure of his  HIV status was  in order, should    RBKC merely believe, on a whim,  acquired during a momentary loss of sanity, that the disclosure was NECESSARY, without any reference to governing legislation, guidelines and codes of practice. How very convenient for all of them.

On 11th May 2013,  F asked Ms Powell to confirm that the ‘decision’ would have been same had she were to consider that the disclosed information was of ‘CONFIDENTIAL MEDICAL’ nature.  Ms Powell chose NOT to reply.  

The ICO certainly reacted swiftly and properly in September 2015 when  an ‘accidental’ disclosure of  email addressed of patients  by a Soho HIV Clinic had occurred.

 However, in F’s case, the ICO tried his hardest NOT to admit that  at least  breach of CONFIDENTIALITY  had occurred; in addition a breach of the NHS Statutory Restrictions on data handling and Article 8 of the Human Rights Act.

ICO should have also realised that  F’s Amendment was in fact  a NOTICE in accordance with paragraph 10 of the Data Protection Act.  ICO’s own ‘Paragraph 10 procedures‘ are clear what action should be taken. 

It states that F was not obliged to refer to  paragraph 10 in his Notice,  nor provide it in a specific format, as it is undefined.  It may be as simple or as convoluted as he might have felt fit.  The onus to recognise the NOTICE was on RBKC and react accordingly.

In respect of the Notice, the ICO should have asked RBKC to provide a copy of its reply to F,  which RBKC was legally obliged to provide, in accordance with paragraph 10-(3) of the DPA.

Had the above happened, he would have realised that RBKC breached  their obligation and therefore committed an offence and subject to further  action.

CONCLUSION: The true events described above endorse  the comments made it the article referred to above.

 Ms Powell should have informed F that if HIV relevant information was disclosed, he must address his concerns to the NHS, as this specific information is protected by NHS Statutory Restrictions on data handling, which are OUTSIDE OF THE ICO’s REMIT, as confirmed  by ICO  at a much later date.

It is clear that Ms Powell  intentionally chose NOT to tell F that RBKC must follow the ICO’s ‘Data Sharing Code of Practice’,  a Statutory Code, which in section 4 clearly address the responsibilities relating to disclosure.   Had she done so, the matter may have taken an unexpected turn and create an embarrassing  situation to RBKC, which the ICO  tried so hard to avoid.

In this context it may be alleged that ICO may have been influenced by some unsavoury,  unethical and amoral dark forces, to ensure that F’s concerns were stifled, and he ended up in a legal cul-de-sac and give up.. Hence the lack of opportunity to challenge the ‘assessment’.

In respect of the ‘case review’, taking the lead article  into consideration, it would be utterly absurd to even think that Mr Gray, Ms Powell’s work colleague, would  overturn or negatively comment on her ‘assessment’.

This effort, was utter waste of time, taking into consideration the nonsense cited by Mr Gray.  Maybe, as result of his abysmal incompetence and a lapse of sanity, or just in order not to upset the apple cart and Ms Powell.  Fortunately, Mr Gray’s ‘case review’ is as WORTHLESS as the original ‘assessment’.  In fact, not worth the paper it is printed on.

Of interest is ICO’s reaction in 2015, when  email addresses of Soho HIV clinic were compromised.  The ICO took a dim view of  the event, merely because the subscribers to  the Clinic’s Newsletters were made aware of other subscribers’ email addresses.  THAT’S ALL.  IN NO WAY these addresses positively identified the individuals.   It was merely because of the implied association between the the recipients and the HIV Clinic that the ICO  thought that this ONLY may cause unnecessary anxiety and distress to the recipients. 

Had the emails  were sent by say, TESCO, the event would have passed by, unnoticed. There would not have been the frenetic media/public  frenzy about the event.

Whereas, in F’s case, he could not care less that F’s  identity, full details of his HIV diagnosis and clinical details of his condition were disclosed without F’s consent/knowledge and most importantly, without any legal obligation on RBKC to do so.

It is distressing to see that the ICO failed to take account of F’s Information Sharing Agreement, which not only requires that RBKC seek his CONSENT, but also that they should have removed any HIV related information.

Information, RBKC were NOT entitled to have in the first place.

Bottom line: The ICO must NOT be trusted to provide  credible ‘assessments’.  Thank God that they  are worthless, having NO legal gravitas whatsoever.  Sad, but true.





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.