British Telecom/Plusnet & ACS:Law
P. John made this Freedom of Information request to Information Commissioner’s Office
The request was refused by Information Commissioner’s Office.
From: P. John
29 January 2011
Dear Information Commissioner’s Office,
In September 2010, the law firm ACS:Law accidentally revealed a
large volume of confidential email correspondence to the internet,
following a botched attempt to recover from a denial of service
attack.
Contained within those emails (which have now circulated widely on
the internet) were several containing large spreadsheets of ISP
subscriber details coupled with allegations of pornographic/media
file sharing.
It is hard to imagine a more egregious breach of the Data
Protection Act. In particular, the act classifies as sensitive any
personal information linked to "sexual life", "the commission or
alleged commission by him of any offence", "any proceedings for any
offence committed or alleged to have been committed by him, the
disposal of such proceedings or the sentence of any court in such
proceedings".
Consequently this data was acutely sensitive, linking as it did
personal identities to sexual life, allegations of copyright
offences, and court proceedings.
ACS:Law are clearly at fault for failing to take appropriate
measures to store sensitive personal data securely.
However, at least one of the ISPs who provided ACS:Law with
subscriber data was also seriously at fault.
A court order instructed the ISPs involved to *encrypt* all the
data, and provide it on *physical media* to ACS:Law.
Yet Prakash Mistry - a lawyer working for BT/Plusnet - sent
unencrypted email messages to ACS:Law which included spreadsheets
containing data about 130 subscribers associated with unproven
allegations of pornographic file sharing, and 400 subscribers
associated with unproven allegations of music file sharing, and in
defiance of a court order.
This was absolutely inexcusable.
Given the Phorm affair, BT would be well aware that transmitting
unencrypted data across the web is open to abuse by criminals
engaged in covert and illegal communications surveillance.
BT also have the expertise required to encrypt data. In particular
they employ a gentleman called Bruce Schneier, author of books such
as 'Applied Cryptography', 'Practical Cryptography', and rather
ironically 'E-mail Security: How to Keep Your Electronic Messages
Private'.
BT have the technology required to encrypt (supplying products such
as Echoworx). And BT have sufficient resources to comply (a basic
S/MIME email certificate costs less than £10).
Ray Stanton (global head of business continuity, security &
governance at BT Global Services) is quoted on BT's own web site
claiming “It is unacceptable that organisations continue to lose
sensitive data on a USB stick or CD. Managed Secure Email and
Managed Secure Documents will enable the use of simple encryption
and decryption services to guarantee data is not breached by a
hostile third-party.”
Yet BT chose not to use any of their experience, technology, or
vast global resources to encrypt the sensitive personal data they
provided to ACS:Law.
Christopher Graham reportedly said of the matter; "We'll be asking
about the adequacy of encryption, the firewall, the training of
staff and why that information was so public facing. The
Information Commissioner has significant power to take action and I
can levy a fine of up to half a million pounds on companies that
flout the [Data Protection Act]".
According to the BBC; "A spokesperson for the Information
Commissioner Office (ICO) told BBC News that the BT e-mail would be
part of its ongoing investigation into ACS:Law, but they would also
check to see if they had any specific complaints from PlusNet
users".
You have a topical web page on the ICO web site which you haven't
bothered to update since September 2010 (*).
So please could you disclose to me
- Please could you confirm (or deny) a statement from Steve Baldwin
Chairman and Chief Executive's Service Team Manager at BT who said
"I can confirm that we have advised the ICO of this matter", and
indicate when that advice was received
- The initial letter (or fax/email) of advice sent by BT/Plusnet to
ICO
- The number of complaints the ICO has received from British
Telecom/Plusnet subscribers about the disclosure of personal
information
- The assessment the ICO has made of the adequacy of the encryption
and transmission methods used by British Telecom/Plusnet
- The action the ICO has taken to prosecute British Telecom/Plusnet
for sending acutely sensitive personal information as an
unencrypted email attachment to ACS:Law in defiance of a Court Order
- Correspondence between the ICO and British Telecom/Plusnet
concerning the ACS:Law email affair
- Any Enforcement Notice issued to British Telecom/Plusnet
- Any financial penalty imposed on British Telecom/Plusnet
- Any scheduled court hearings involving British Telecom/Plusnet
You could view this moment as another opportunity to demonstrate
your commitment to transparency, accountability, and robust
protection of personal information.
My suspicion is that as usual, you will have done precious little
if anything to justify your role.
Yours faithfully,
Peter John
(*) http://www.ico.gov.uk/news/current_topic...
Yours faithfully,
P. John
Information Commissioner’s Office
31 January 2011
31st January 2011
Case Reference Number IRQ0371765
Dear Mr John
Thank you for your email of 29 January 2011 in which you have made a
request for information to the Information Commissioner’s Office.
Your request is being dealt with in accordance with the Freedom of
Information Act 2000. We will respond by 25 February 2011 which is 20
working days from the day after we received your request.
Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the
information is added directly to your case. However, please be aware that
this is an automated process; the information will not be read by a member
of our staff until your case is allocated to a request handler.
Yours sincerely
Joanne Crowley
Lead Internal Compliance Officer
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk
Information Commissioner’s Office
24 February 2011
24th February 2011
Case Reference Number IRQ0371765
Dear Mr John
I am writing further to our email dated 31 January 2011 in which we
acknowledged your request for information to the Information
Commissioner’s Office (ICO).
As previously explained we are treating your request as a request for
information under the Freedom of Information Act 2000 (the FOIA).
Firstly it would appear helpful if I clarify that the ICO was in contact
with BT separately from the ACS Law investigation. We did not contact BT
during the course of the ACS Law investigation. We apologise if this was
not clear from our previous responses on this topic.
Specifically your request referred to information sent to ACS Law by BT
and you asked a number of questions. For your ease of reference we will
deal with each of your questions in turn.
“- Please could you confirm (or deny) a statement from Steve Baldwin
Chairman and Chief Executive's Service Team Manager at BT who said "I can
confirm that we have advised the ICO of this matter", and indicate when
that advice was received”
In answer to this part of your request please be advised that the ICO
received a telephone call from BT during the week commencing 27 September
2011 in regard to this issue. The ICO does not operate an automatic call
recording system and we do not hold any record of exactly what was said in
the call and the ICO employee who took the call is unable to recall the
exact date. However the ICO employee who took the call recalls being
asked which ICO department would be likely to investigate such a matter.
“- The initial letter (or fax/email) of advice sent by BT/Plusnet to
ICO”
We do not hold any recorded information which would answer this part of
your request. This is because the ICO received a telephone call from BT
as outlined above.
“- The number of complaints the ICO has received from British
Telecom/Plusnet subscribers about the disclosure of personal
information”
As you may be aware the ICO uses an electronic case management system.
The correspondence is scanned onto the system and an electronic record is
created for every case, every complainant and every ‘complained about’
organisation.
The system allows us to search for the cases we have dealt with in a
number of different ways, such as by the unique reference number the case
was given, the name and address of the person who contacted us and the
name of any organisation that has been complained about. We can also
search for cases on the basis of the broad nature of the complaint, but we
can only search on a limited number of fixed criteria which are structured
around the main sections of the Data Protection Act 1998. However our
reporting software is only able to conduct searches for information held
on our system since April 2007.
As you have not specified a time period we have conducted a search of our
system for data protection complaints received since April 2007 where BT
has been entered as the complained about party which have the “nature”
of the complaint filled in as “disclosure of data”. The results are
below and show the financial year, the number of complaints with the
“disclosure of data” nature and the number of those complaints which
have the outcome as “compliance unlikely” (i.e. the ICO’s view was
that BT was unlikely to have complied with the DPA);
Year | Complaints with nature “disclosure of data” | Closed as “compliance unlikely”
-----+---------------------------------------------+---------------------------------
2007 | 14                                          | 5
2008 | 26                                          | 8
2009 | 20                                          | 8
2010 | 22                                          | 16
For your information we have received two complaints which have the nature
as “disclosure of data” in which Plusnet has been entered as the
complained about party. One was received in 2007 and closed as “advice
given” and the other received in 2009 which was closed as “compliance
likely”.
“- The assessment the ICO has made of the adequacy of the encryption and
transmission methods used by British Telecom/Plusnet”
We do not hold any recorded information which would answer this part of
your request. This is because the ICO has not made an assessment.
“- The action the ICO has taken to prosecute British Telecom/Plusnet for
sending acutely sensitive personal information as an unencrypted email
attachment to ACS:Law in defiance of a Court Order”
We do not hold any recorded information which would answer this part of
your request.
“- Correspondence between the ICO and British Telecom/Plusnet
concerning the ACS:Law email affair”
In answer to this part of your request we have attached a copy of four
emails from the ICO to BT dated 4 October 2010 (two emails), 11 January
2011 and 18 January 2011 and a copy of BT/Plusnet template emails to
customers. You will note however that we have redacted the personal data
relating to BT/Plusnet employees. This information is exempt under Section
40(2) of the Freedom of Information Act 2000 (FOIA) by virtue of Section
40(3)(a)(i).
Section 40(2) of the FOIA allows a public authority to withhold
information from a response to a request when the information requested is
personal data relating to someone other than the requestor and either the
first or second condition in Section 40(3) is satisfied. In this
instance the disclosure would satisfy Section 40(3)(a)(i) as to disclose
such information would contravene one of the Data Protection principles.
We consider that such a disclosure would be unfair and in breach of the
first Data Protection principle which states that – “Personal data
shall be processed fairly and lawfully”.
With regard to the remainder of the correspondence between the ICO and
BT/Plusnet which the ICO holds in regard to this matter this information
has been withheld under the provisions of Section 44 of the FOIA which
places prohibitions on disclosure.
Section 44(1)(a) of the FOIA states;
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment”
The enactment in question is the Data Protection Act 1998 (DPA) and
specifically Section 59 of the DPA. Section 59 (as amended by the FOIA)
states that neither the Commissioner nor his staff shall disclose;
“any information which:
(a) has been obtained by, or furnished to, the Commissioner under or
for the purposes of the information Acts.
(b) relates to an identified or identifiable individual business, and
(c) is not at the time of disclosure, and has not been available to
the public from other sources,
unless the disclosure is made with lawful authority.”
This prevents us from disclosing the information which has been collected
in the course of our investigations unless we have lawful authority to do
so.
We do not have lawful authority on the basis that this information was
provided to us in confidence.
“- Any Enforcement Notice issued to British Telecom/Plusnet”
We do not hold any recorded information which would answer this part of
your request.
“- Any financial penalty imposed on British Telecom/Plusnet”
We do not hold any recorded information which would answer this part of
your request.
“- Any scheduled court hearings involving British Telecom/Plusnet”
The ICO is not involved in any court hearings involving BT/Plusnet
therefore we do not hold any recorded information which would answer this
part of your request.
I trust that this information is of use to you however if you are
dissatisfied with the response you have received and wish to request a
review of our decision or make a complaint about how your request has been
handled you should write to the Internal Compliance Department at the
address below or e-mail [email address]
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to the First Contact Team, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information
Act or Environmental Information Regulations complaint online.
A copy of our review procedure is attached.
Yours sincerely
Joanne Crowley
Lead Internal Compliance Officer
From: P. John
25 February 2011
Dear Information Commissioner’s Office,
Please pass this on to the person who conducts Freedom of
Information reviews.
I am writing to request an internal review of Information
Commissioner’s Office's handling of my FOI request 'British
Telecom/Plusnet & ACS:Law'.
Please can I ask that you reconsider disclosing the following
documents in the public interest?
- the draft NPO that BT claim they will use in future
- the assurances given by BT to the ICO that the failure to protect
personal information will never be repeated
The public interest grounds for disclosing these documents are as
follows.
The draft NPO will be used to govern BT's future handling of
sensitive personal information relating to members of the public
(which may include information revealing sexuality, and include
allegations of unlawful conduct). Given BT have already
comprehensively failed to comply with the security measures
required by the existing court order, it is impossible to believe
that merely changing the words will bring about adequate
compliance. BT were ordered to encrypt data and use physical media;
they simply ignored that order.
It is therefore in the public interest to give the data subjects
(BT customers) full visibility of the remedial security measures
that BT propose to adopt in future NPOs to protect their privacy.
Secondly it is also in the public interest to disclose the
assurances given by BT to the ICO. I can list many instances where
BT's contempt for the security of personal information has been
exposed;
- the death of John and Joan Stirland (murdered after BT disclosed
their home address to criminals)
- the BT/Phorm affair
- the disclosure of ex directory information, and friends & family
contacts, to Steve Whittamore in the operation Motorman case
- the present BT/Plusnet email debacle
Given BT seem systematically incapable of complying with the Data
Protection Act, and the ICO seem oddly incapable of ever holding
them to account for any such failure... it is in the public
interest that any assurances provided by BT are made public so that
BT customers can hold the ICO and BT to account for future failures
in spite of those assurances.
Future failures will no doubt proliferate until the ICO finds the
independence and integrity required to investigate BT's contempt
for personal information. Use of enforcement powers to bring about
compliance is long overdue.
BT have the expertise, technology, and resources necessary. That BT
routinely choose not to employ those capabilities is not simply the
result of one careless idiot in their legal department.
BT's contempt for data protection is clearly the result of board
level management incompetence.
A full history of my FOI request and all correspondence is
available on the Internet at this address:
http://www.whatdotheyknow.com/request/br...
Yours faithfully,
P. John
Information Commissioner’s Office
26 February 2011
26th February 2011
Case Reference Number RCC0377543
Dear Mr John
Thank you for your email of 25 February 2011 to the Information
Commissioner’s Office.
This correspondence will now be treated as a request for review of your
recent request for information under the Freedom of Information Act 2000.
We will respond by 25 March 2011 which is 20 working days from the date we
received your recent correspondence. This is in accordance with our
internal review procedures.
Yours sincerely
Joanne Crowley
Lead Internal Compliance Officer
Information Commissioner’s Office
25 March 2011
25th March 2011
Case Reference Number RCC0377543
Dear Mr John
In your e-mail sent to the ICO on 25 February 2011 you asked that we
conduct an internal review of the handling of your request for information
relating to BT/Plusnet and ACS:Law. I have undertaken that review.
In your e-mail you asked that the ICO reconsiders releasing specific
documents in the public interest. You listed these as:
o The draft NPO that BT claim they will use in future
o The assurances given by BT to the ICO that the failure to protect
personal information will never be repeated.
I have carefully considered all the relevant information, including your
original request, your request for review and the information withheld
from you. I have reached the following findings.
The information requested by you but withheld engages whether section 44
of the Freedom of Information Act 2000 (FOIA) prohibits disclosure and
which amongst other things states:
“(1) Information is exempt information if its disclosure (otherwise
than under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment….”
This exemption needs to be considered as section 59 of the Data Protection
Act 1998 prohibits the disclosure by the Commissioner or his staff or
agents of:
“any information which:
(a) has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts.
(b) relates to an identified or identifiable individual or business, and
(c) is not at the time of disclosure, and has not previously been,
available to the public from other sources,
unless that disclosure is made with lawful authority”
The information that you requested and that was withheld was obtained by
the Commissioner for his statutory functions, does relate to identifiable
businesses and has not been made available to the public from other
sources. Indeed the information requested was provided to the Commissioner
in confidence.
I am satisfied that at the time of handling your request this exemption
was engaged and applied correctly.
Given the passage of time since your original requests I have initiated
enquiries with the organisation concerned to ascertain whether the
position has changed during the intervening period. They have confirmed
that it has not and the information you request is still entrusted to the
ICO on a confidential basis.
This means that the section 44 FOIA 2000 exemption is still applicable as
a result of the Commissioner still being prohibited from disclosing the
information requested by virtue of S.59 of the DPA 1998. The exemption at
section 44 FOIA 2000 is an absolute exemption and there is no applicable
public interest test to that exemption.
In conclusion I am satisfied that your request for information was handled
in accordance with the legal requirements and that these still preclude
the disclosure of the information you have requested.
If you are not content that the request for a review has been handled
correctly, you have a further right of appeal to this office in our
capacity as the statutory complaints handler under FOIA 2000. If you wish
to pursue this, please write to the First Contact team at our address or
visit the ‘Complaints’ section of our website to make a complaint
online.
Yours sincerely,
Jonathan Bamford
Head of Strategic Liaison
From: P. John
25 March 2011
Dear Mr Bamford,
So to summarise, BT can ignore a court order, send highly sensitive
personal information in bulk as an unencrypted email attachment,
despite a court order instructing them to do otherwise, that data
can leak to the internet at large as a consequence, and yet the ICO
will take no action to enforce the Data Protection Act?
Not even an enforcement notice.
And the ICO do not believe that it is appropriate to provide a
proper public account for the decision?
You might recall your boss said the following; "Everyone in receipt
of public funds has got to wake up and smell the coffee and realise
that we have had five years of freedom of information now and
that's the deal - you get the money and you're accountable."
That standard of accountability you demand from other public sector
organisations is something that should also apply equally to the
Information Commissioner's Office, and the seemingly corrupt
decision making process within it.
Yours faithfully,
P. John
From: new casework
Information Commissioner’s Office
25 March 2011
Thank you for emailing the Information Commissioners Office (ICO). This is
an automated acknowledgement; please do not reply to this email.
If your email was a reply to an email we sent you it has now been attached
to your case and will be read when your correspondence is allocated to a
case officer.
If your case has already been allocated, the case officer will be in
contact when they have considered your email.
If your email was not a reply to an email from us it will be considered by
our Customer Contact Department and we will respond to you as soon as
possible.
If you need more help, please contact our Helpline on 08456 30 60 60 or
01625 545745 if you prefer to use a national rate number or visit the
Contact us page of our website.
Yours sincerely
Customer Contact Department
The Information Commissioner's Office
P. John left an annotation ( 1 February 2011)
Information Commissioner's Office under fire for dropping BT investigation
Watchdog ruled BT was not liable for emailing unencrypted customer details to controversial solicitors ACS:Law
http://www.guardian.co.uk/technology/201...