Dear Information Commissioner’s Office,

in September 2010, the law firm ACS:Law accidentally revealed a large volume of confidential email correspondence to the internet, following a botched attempt to recover from a denial of service attack.

Contained within those emails (which have now circulated widely on the internet) were several containing large spreadsheets of ISP subscriber details coupled with allegations of pornographic/media file sharing.

This data was acutely sensitive, linking as it did personal identities to sexual life, allegations of copyright offences, and court proceedings.

ACS:Law are clearly at fault for failing to take appropriate measures to store sensitive personal data securely.

You have a topical web page on the ICO web site which you still haven't bothered to update since September 2010 (*).

So please could you disclose to me

- The present state of the investigation into the ACS:Law affair
- The assessment the ICO has made of the adequacy of the encryption and transmission methods used by ACS:Law
- The action the ICO has taken to prosecute ACS:Law
for sending acutely sensitive personal information as an
unencrypted email attachent to business partners in defiance of a Court Order
- Correspondence between the ICO and ACS:Law staff concerning the ACS:Law email affair
- Any Enforcement Notice issued to ACS:Law
- Any financial penalty imposed on ACS:Law
- Any scheduled court hearings involving ACS:Law

I'm particularly keen to understand how you could ever justify any legal action against ACS:Law, given that BT also failed to comply with the same Court Order, and arguably were even more culpable (given they own and sell the expertise, skills, and resources required to comply)... and in that instance you merely dismissed complaints as a "disciplinary matter".

Yours faithfully,

P John

(*) http://www.ico.gov.uk/news/current_topic...

Information Commissioner’s Office

Link: [1]File-List

11th April 2011

Case Reference Number IRQ0385819

Dear Mr John

Thank you for your email of 9 April 2011 in which you have made a request
for information to the Information CommissionerÂ’s Office.

Your request is being dealt with in accordance with the Freedom of
Information Act 2000.  We will respond by 11 May 2011 which is 20
working days from the day after we received your request.

Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the
information is added directly to your case. However, please be aware that
this is an automated process; the information will not be read by a member
of our staff until your case is allocated to a request handler.

Yours sincerely

Joanne Crowley

Lead Internal Compliance Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. file:///tmp/rad76EF5_files/filelist.xml

Dear Information Commissioner’s Office,

While I'm waiting for your response, I thought you might be interested in this report on the ongoing ACS:Law/MediaCAT case (*).

To save you time, I'd recommend you skip to the paragraphs featuring terms like disrepute, impromper, unreasonable, chaotic, lamentable, slipshod, and amateurish. (In the words of a Judge).

The Data Protection Princples 1 (Personal data shall be processed fairly and lawfully) & 7 (Appropriate ... measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data) are applicable.

But then, they were also applicable to BT as well.

Even more so.

Yours faithfully,

P. John

(*) http://www.ralli.co.uk/news/acs-law-medi...

Information Commissioner’s Office

1 Attachment

Link: [1]File-List

4th May 2011

Case Reference Number IRQ0385819

Dear Mr John

Request for Information

Further to our acknowledgement of 11 April 2011 we are now in a position
to provide you with a response to your request for information of 9 April
2011.

As you know we have dealt with your request in accordance with your
‘right to know’ under section 1(1) of the Freedom of Information
Act 2000 (FOIA), which entitles you to be provided with a copy of any
information ‘held’ by a public authority, unless an appropriate
exemption applies.

Request

So please could you disclose to me

1.     The present state of the investigation into the ACS:Law
affair
2.     The assessment the ICO has made of the adequacy of
the      encryption and transmission methods used by
ACS:Law
3.     The action the ICO has taken to prosecute ACS:Law
for sending acutely sensitive personal information as an
unencrypted email attachent to business partners in defiance of a
Court Order
4.     Correspondence between the ICO and ACS:Law staff
concerning the ACS:Law email affair

5.     Any Enforcement Notice issued to ACS:Law
6.     Any financial penalty imposed on ACS:Law
7.     Any scheduled court hearings involving ACS:Law

Information Held

1.     I can confirm that this specific investigation is in
its final stages. 

2.     No recorded information is held as no such assessment
was made.

3.     No recorded information is held as no prosecution
action has been taken.

I can confirm that we do hold recorded information in the way of
correspondence between the Information Commissioners Office (ICO) and ACS
Law concerning this investigation. As you may be aware the Information
CommissionerÂ’s Office is currently investigating the circumstances
surrounding the actions of ACS:Law. As such the matter is still ongoing,
and has yet to be
concluded.

Having considered this matter carefully, we take the view that any
information we do hold which relates directly to the investigation is
exempt from disclosure under section 31(1)(g) of the FOIA. This section
states:

“Information…is exempt information if its disclosure under this
Act
would, or would be likely to, prejudice – (g) the exercise by any
public
authority of its functions for any of the purposes specified in subsection
(2)

The purposes referred to in sections 31(2)(a) and (c) are

(a) the purpose of ascertaining whether any person has failed
to comply with the law

(c) the purpose of ascertaining whether circumstances which
would justify regulatory action in pursuance of any enactment exist or may
arise

The purposes at section 31(2)(a) and (c) apply when the Information
Commissioner is determining whether or not there has been a breach of
legislation, and if so what regulatory action, if any, is appropriate.

The exemption at section 31 is not absolute, and we must therefore
consider the prejudice or harm which may be caused by disclosure of the
information you have sought, as well as applying a public interest test by
weighing up the factors in favour of disclosure against those in favour of
maintaining the exemption.

Given that our investigation into the actions of ACS:Law is still ongoing,
in considering the prejudice and/or harm that disclosure may cause we have
taken into account the factors that would, in our view, impact on the
release of the information at this stage.

Firstly, we take the view that to release the information you have asked
for could prejudice the ICOÂ’s ability to conduct the investigation in
an appropriate manner. For example, it is probable that any disclosure at
this stage would discourage our ongoing discussions between the ICO and
ACS: Law, and may damage our ability to conduct and conclude the
investigation fairly and proportionately. Disclosure could also jeopardise
the ICOÂ’s ability to obtain information either relating to this case
or others in the future. In our view harm could be caused if either party
were reluctant to enter into any further discussions if information had
already been disclosed in response to information requests or even general
enquiries. This is likely to result in other parties being reluctant to
engage with the ICO in the future. In addition, any information released
at this stage could be misinterpreted, which in turn could distract from
the investigation process.

With this in mind, we have then considered the public interest test for
and against disclosure.

In this instance the public interest factors in favour of disclosure are:

o the public interest in the ICO investigation procedure being more
transparent and
o the public interest in the details of the ongoing ACS Law
investigation, which has been widely publicised

The public interest factors in favour of maintaining the exemption are:

o the public interest in the ICO maintaining a position which encourages
data controllers to voluntarily report security breaches for
investigation, and
o the public interest in allowing ICO to conduct an investigation in a
manner that does not prejudice that investigation,
o the public interest in allowing ACS Law and the ICO to engage with
each other and have full and frank communication without these parties
being concerned that their comments will be made public prematurely
or, as appropriate, at all,
o the public interest in enabling the ICO to obtain any information it
requires from ACS Law in order to reach a conclusion,

· the public  interest in maintaining trust and confidence
that when the ICO carries out an investigation, any information provided
to the ICO will be afforded an appropriate level of confidentiality while
the investigation is continuing in this and in any subsequent cases.

Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing it. We therefore regret that we are unable to
provide you with the information you have asked for at this moment in
time.

5.     No recorded information as at today’s date as no
enforcement notice has been issued.

6      No recorded information as at todays date as no
financial penalty has been issued.

7.     No recorded information as at today’s date as no court
hearing has been scheduled by the Information Commissioners Office.

I hope this information is helpful and of assistance.   If however
you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Internal Compliance
Department at the address below or e-mail
[2][email address]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please
write to the First Contact Team, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of
Information Act or Environmental Information Regulations complaint online.

 

A copy of our review procedure is attached.

Yours sincerely

Charlotte Powell

Internal Compliance Manager

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. file:///tmp/rad8E92F_files/filelist.xml
2. mailto:[email address]

Dear Information Commissioner’s Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'ACS:Law'.

In a BBC News article in September 2010, Chris Graham was quoted saying, "The question we will be asking is how secure was this information and how it was so easily accessed from outside. We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing".

And yet you tell me in the response to my FoI that, eight months later, the Information Commissioner has made no assessment of the adequacy of the security measures employed by ACS:Law and is now in the final stages of its investigation.

I assume your response is deficient when you say "No recorded information is held as no such assessment [of the encryption or transmission methods used] was made".

Else Chris Graham has not been telling the truth when he said "We'll be asking about the adequacy of encryption, the firewall".

A full history of my FOI request and all correspondence is available on the Internet at this address:
http://www.whatdotheyknow.com/request/ac...

Yours faithfully,

P. John

Information Commissioner’s Office

Link: [1]File-List

4 May 2011

Case Reference Number RCC0389373

Dear Mr John

Thank you for your correspondence of todayÂ’s date.

This correspondence will now be treated as a request for review of your
recent request for information under the Freedom of Information Act 2000.

We aim to respond by 2 June 2011 which is 20 working days from the date we
received your recent correspondence.  This is in accordance with our
internal review procedures.

Yours sincerely

Helen Ward

Lead Internal Compliance Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. file:///tmp/rad8FAD3_files/filelist.xml

Dear Ms Ward,

If I might add, you also told me in response to an earlier related request concerning communications between BT and ACS:Law;

“- The assessment the ICO has made of the adequacy of the encryption and transmission methods used by British Telecom/Plusnet”

We do not hold any recorded information which would answer this part of your request. This is because the ICO has not made an assessment."

It would appear that Chris Graham's public assurance that the ICO would make a thorough assessment of the encryption and security measures that led to the disclosure of acutely sensitive personal information by BT & ACS:Law was entirely false and completely misleading.

I'd be grateful, if your internal review process confirms that no such assessment was made, to receive an explanation for the reason why there was no detailed assessment of encryption and security measures despite the assurances offered by Chris Graham.

Presumably, for example, there was a clear instruction given by Chris Graham to the staff investigating the BT/ACS:Law case to conduct an assessment of the encryption & security measures, and the staff responded by rejecting his instructions for some reason?

I would be most interested to receive a copy of any such instructions please.

Yours faithfully,

P. John

Dear Information Commissioner’s Office,

now I'm completely confused.

You told me you made no asssessment of the security and encryption measures used by ACS:Law, and yet the Register tells me you have fined ACS:Law on the basis that(*);

"The security measures ... in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details".

Your disclosure to me was apparently dishonest when you stated;

"No recorded information is held as no such assessment
was made".

Clearly an assessment has been made that has lead to Mr. Crossley being fined £1,000.

I'm also somewhat confused by your decision to impose a penalty, and limit the fine to £1,000 on the basis that "Mr Crossley now has limited means".

British Telecom committed precisely the same offences. BT has the expertise, technology, and resources to protect sensitive personal information... And BT has the means to pay a £200,000 fine.

And yet the ICO have taken no action against them.

Yours faithfully,

P. John

(*) ACS:Law fined for data breach
http://www.theregister.co.uk/2011/05/10/...

Information Commissioner’s Office

Link: [1]File-List

31st May 2011

Case Reference Number RCC0389373

Dear Mr John

Your request for an internal review of the handling of your information
request (case reference number IRQ0385819) has been passed to me to
undertake. I have considered the scope of your request, the response sent
to you and the information which you submitted to support your request for
an internal review.

You requested specific information which related to the investigation
undertaken by ICO relating to ACS Law.

Your request was dealt with in accordance with section 1(1) of the Freedom
of Information Act 2000 (FOIA).

Within your request you specifically asked for:

‘the assessment the ICO has made of the adequacy of the encryption and
transmission methods used by ACS:Law.Â’

The response which my colleague Charlotte Powell sent to you on 4 May 2011
informed you that:

‘No recorded information is held as no such assessment was made.’

I understand from your letter of 4 May 2011 and subsequent communication
of 10 May 2011 that this is the element of your request which is of
concern to you, and therefore the scope of my internal review has focused
on this aspect of your request. 

I must stress that the purpose of the internal review is to  consider
whether your information request has been handled correctly in accordance
with the requirements of FOIA and whether there is any information to
which you are entitled which you have not received. The internal review
will not address any wider questions about this investigation.   

Under Section 1(4) (b) of FOIA a person making a request for information
to a public authority is entitled to information held at the time when the
request is received. Account may be taken of any amendment or deletion
made between that time and the time when the information is to be
communicated.

I have made further enquiries and confirmed that at the time of your
request and the time when the response was sent to you no recorded
information was held about any assessment made of the adequacy of the
encryption and transmission methods used by ACS Law. No assessment has
specifically been made of the adequacy of the encryption and transmission
methods.  

I should inform you that if you are unhappy with the outcome of this
internal review then you do have a right to appeal to ICO in our capacity
as the statutory regulator for the FOIA.

How to complain

Information on how to complain is available on the ICO website at:

[2]http://www.ico.gov.uk/complaints/freedom...

By post: If your supporting evidence is in hard copy you can fill in the
online Complaint Form, print it and post it to us with your supporting
evidence. Please send to:

First Contact Team

Information CommissionerÂ’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Sk9 5AF

By email: If all your supporting evidence is available electronically, you
can fill in our online complaint form. Information included in the form
and any supporting evidence will be sent to us by email.

Yours sincerely

Lesley Bett

Head of Internal Compliance

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. file:///tmp/rad0C603_files/filelist.xml
2. http://www.ico.gov.uk/complaints/freedom...

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org