
Operations Directorate: Overview April to September 2011

Authors: Director of Operations; Heads of Operations Directorate

Status and version: Final Version

Date last updated and reason: 18 October 2011, First 6 month overview

Distribution: ODDH Heads/ICON page

Related documents:


Operations Directorate: Overview April 2011 to September 2011

Introduction

This was a period of consolidation for the Directorate. There were changes, but I would characterise these as part of our general drive to improve and be more efficient.

People

Staff in the Cardiff and Belfast offices dealing with FOI cases moved into the complaints resolution department and the new system is working well. Both the Cardiff and Edinburgh offices moved to new premises. Neither move was without its problems, but disruption to output was kept to a minimum.

The Head of Enforcement retired and a replacement was recruited. He starts in December and additional support was transferred into the Department to support the Acting Head.

The relative inexperience of staff in the Customer Contact Department was an issue. In April the First Contact Group had approximately 35% of staff with less than 12 months' experience, with this figure rising to 45% by the end of September. Good systems for training and supporting new staff are in place, but the high turnover continues to be a challenge.

We began recruitment of a new group of auditors in the Good Practice area. These should be in place early in the New Year and will receive comprehensive training.

Processes

Changes made to the decision notice sign off process continue to deliver efficiencies. We have also seen benefits from a different approach to DP casework. Further changes to FOI processes were introduced which we expect to show benefits in the second half of the year. We developed a process for self-assessment in the Good Practice team and we continue to drive down the volume of cases that become “complaints” by using the telephone to provide early advice.

Output

The general picture shows FOI complaints continuing to rise, but the rate of increase is now 6%, which is lower than last year. We have increased our output to match this and closed a record number of FOI cases during the first half of the year. Current predictions suggest 4,600 closures and 4,500 receipts for the year as a whole.

Version 1.0 final 18 October 2011


There was an increase in our PECR complaints and a reduction in DP complaints. The overall total is up by 2%. Overall closures also increased. Our strategy to reduce the number of these DP complaints is working, but particular issues (such as unsolicited text messages) generated an increase in complaints under the PECR. We have taken steps to enable us to collect general information on these text messages without being required to respond to every individual referral.

The good practice department is on track to complete 40 audits during the year. There will be more audits finished in the second half. The final sign off of audits by the organisation audited still causes some delay at the end of the process.

We have issued more undertakings than last year. We finalised 2 civil monetary penalties, and have around 14 currently under investigation that are likely to result in a penalty.

Future

The FOI process changes we have implemented mean that only a very small proportion of FOI cases require input from outside the directorate. There was also a significant increase in the number of decision notices signed by staff in the directorate. We expect even more cases to be completed in the second half of the year. We remain focused on keeping on top of an increasing caseload with static resources.

On DP, we have begun to concentrate on adding value and using our caseload to help us target areas where there are problems. We continue to produce case studies and look to provide other themes related to the cases. This work will be linked to the ICO’s priority areas and we will work closely with the communications team to publish this information.

Simon Entwisle
Director of Operations


1. Customer Contact

Performance - responding to demand

Helpline Service

Demand for our Helpline service increased in the first half of the year by 6% with 102,000 customers seeking our help by telephone. This is something we have been trying to encourage as part of our initiative to see more customers having their enquiries and complaints resolved by telephone. We more than met this increase in demand with the percentage of calls answered increasing from 93% in 2010/11 to 95% this year compared with our target of 90%. Customers waited, on average, for 49 seconds before their call was answered. This compares favourably with our 60 second target.

Complaints Service

Data Protection

We continue to work hard to resolve complaints online and by telephone. It is encouraging to see a decrease in the number of data protection complaints referred to the ICO. The number of ineligible complaints submitted to the ICO in this area remains relatively high at approximately 30%. However, this is a slight reduction on last year as more of these issues are now dealt with by telephone and on the website.

Customer Contact is responsible for dealing with approximately two thirds of all the DP complaints made to the ICO. In the first half of the year we fell just short of closing all the complaints we received in this area. However, progress was made on the age of our caseload with the number of cases over 30 days old falling from 503 to 396, a reduction of 21%. Our aim is for our DP caseload to have no cases over 30 days old by the end of quarter 3.

Freedom of Information

Customer Contact is responsible for resolving approximately 50% of all FOI/EIR complaints. Despite the increase in referrals to the ICO mentioned in the introduction to this report we have been able to increase our output to keep pace with this work and maintain our healthy caseload position from the start of the year. The vast majority of cases have been resolved within 30 calendar days.


Privacy & Electronic Communications Regulations (PECR)

We introduced a revised PECR complaints process to take account of the new Regulations introduced in May. At the same time there was a huge increase in complaints under PECR caused by the media profile of unsolicited (SPAM) texts. Customer Contact is responsible for dealing with over 95% of PECR complaints and referrals to the ICO increased by 29% compared to the same period last year.

We maintained our caseload below 30 calendar days throughout the year which enabled us to feed the most up to date information into our Enforcement department, to the press office and to the ‘SPAM text Hot Issues Group’ being led by Customer Contact. This group helped to co-ordinate the ICO’s efforts in this area.

Thanks to the work of the hot issues group we were able to identify the point at which we had gathered sufficient evidence from our complaints to enable us to conduct our investigation. At this point our website and helpline advice changed to giving customers the information they needed to reassure them and take steps to resolve the problem for themselves. This proved successful in reducing the number of complaint referrals.

We launched an online survey to help track the type of SPAM texts the public are receiving, how they feel about the issue and the impact on them. 67% of responses to our survey said they were concerned at receiving the texts, particularly because they thought their mobile phone number had been disclosed to the company sending them. 5% of responses said they found the texts distressing. 5% also said they were not in the least bit troubled by receiving the texts and 20% said they found them inconvenient. To ensure we took a balanced approach we also asked if customers found the texts helpful and 3% said they did. We will continue to build this profile which will hopefully help us at the conclusion of our formal investigation.

Maintaining the public register of notified data controllers

Notification is the highest volume service in the ICO in terms of the number of customer transactions. Whether it be renewing and maintaining the 320,000 plus entries on the public register, adding or removing those who need to join or leave the register or providing written advice to approximately 25,000 organisations a year, all services are targeted to be complete within 7 calendar days. This has been achieved in 96% of cases in the first half of the year.


Influencing Demand

A major part of our plans for 2011/12 is to develop greater insight into the needs and demands of our customers and to develop our services to maximise self service opportunities. We also want those customers who do contact us to do so through the most efficient and convenient channel possible.

We’ve had some initial successes during the first half of the year. Most notably, we have reduced demand for our notification related written advice service by approximately 17%. We have achieved this by improving the self service opportunities on our website after analysing trends and demands for the service. As mentioned earlier we have also had some initial success encouraging customers to ring our helpline for advice when they might otherwise submit a complaint to us in writing.

Our work in these areas will continue for the rest of the year based on the analysis we’ve been able to conduct during the first half of 2011/12. At the heart of this analysis is our commitment to deal with as many as possible of the customers who can’t legitimately self serve online, in a single transaction with the first person the customer speaks to / picks up their case. We achieve this by focussing our training and support on the point of delivery to the customer. Knowledge management resources and one to one support are available to staff as they are dealing with a customer’s complaint or enquiry to minimize the need for calls or cases to be transferred from one member of staff to another.

We measure our success in this area through a quarterly survey of 10% of our customer transactions. So far this year we have resolved 97% of calls to our helpline within the Customer Contact department with 90% being resolved by the first person the customer spoke to. For customers who write to us for advice we resolve 95% with 2 or fewer responses and 85% in just a single response.

Given the range of enquiries we deal with and the relatively inexperienced profile of our staff at the moment we are very proud of what these figures tell us about the service we are providing to our customers.

What our customers tell us

We did some work at the start of the year to launch a rolling customer satisfaction survey to ask customers to provide feedback against five core indicators of customer satisfaction. So far we have struggled to get a sufficiently high response rate to this survey to allow us to extrapolate meaningful results. However, many of our customers have taken the trouble to tell us what they think of our service. Although not practical to list them all in this mid year report the following is an entirely random selection:


Comments from organisations

An organisation calling our Helpline for advice described the service as ‘clear and refreshingly straightforward’. Another apologised for the number of times he called our Helpline but described the service as invaluable support for small organisations looking to comply with the law. A large NHS trust called us to tell us that our advice is always very clear and helpful. A member of the tax payer’s alliance complimented us on the competence and quality of our advice. A large data controller commented that our helpline service was the best they’d dealt with across many regulators and commended us on the knowledge and professionalism of our staff. The general theme from organisations is that they are impressed with the clarity, simplicity and general helpfulness of our service.

Comments from consumers

These comments tend to be more personal as individual consumers will tend to deal with us only once. Comments include describing our staff as ‘extraordinarily wonderful’, ‘legendary’, ‘wonderfully helpful’, ‘the best person I’ve ever spoken to on a government helpline’ and a lot of general appreciation for the patience and approach we take when assisting members of the public.

Of course this feedback is only a very small proportion of all the customers we deal with, but we never underestimate the effort needed for a customer to take the time to provide positive feedback. In many of the above cases, the customer called us or wrote to us just to provide the feedback.

In an attempt to set this in context, 0.6% of all the work completed by the Customer Contact department leads to a request for a case review or a service complaint from the customer. We’re again very pleased with what this says about the service we offer and the commitment to providing high quality service it demonstrates amongst all our staff.

It is also a strong endorsement of our commitment to train and support our staff to not only ‘know what the law means’ but also how to use that knowledge to deliver a series of customer focussed services.

Looking ahead

In general our mid year position is strong. Our performance targets, when set against a back drop of our resource profile, are challenging. We are at least keeping pace with demand and having good success influencing and reducing avoidable customer transactions.


In addition to our commitments to continue to improve and deliver service in line with our performance targets we are also responsible for implementing a new customer relationship management system. Much of the work to achieve the first phase of this implementation will be carried out during the next six months. To deliver this project in the most efficient way possible and for the lowest cost we are bringing a number of activities ‘in house’ which might in the past have been outsourced to our external IT contractors. This project is being led by Customer Contact, in conjunction with the IT department, through the Operations Support Team and the schedule of work for the remainder of the year is extremely challenging.

The new CRM system will initially replace our existing Notification system (DUIS) and provide the basis to improve our online notification services considerably. Once this is complete we plan to consider the possible benefits of migrating our existing CMEH based casework services to our new system. In time this CRM system will hopefully provide the ICO with a full 360 degree view of our dealings with stakeholders. This is an ambitious project but the foundations are being well and truly laid during the second half of 2011/12 through the ICE (ICO Customer engagement) project.

The evolving role for the Operations Support Team and the new systems and services being introduced in the Notification area will also present us with an opportunity to look at the way all our customer facing services are delivered and drive ever more efficient customer transactions and services. This review will pick up pace during the second half of the year.

2. Complaints Resolution

Performance commentary

The last six months has seen more improvement activity across both data protection and freedom of information casework within Complaints Resolution. At the end of September the teams had dealt with 2604 data protection related complaints, which compares favourably with the 2265 cases we had closed at the same point last year (an increase in productivity of 14%).

For freedom of information we also dealt with more cases than at this point in 2010. Including those cases handled in the regional offices, we resolved 1007 section 50 complaints, an increase in productivity of around 17%. We had closed 859 at this time last year.

What has been important to us, more than simply counting case closures, has been the service that we are able to provide to those that have requested our help. As well as increasing output in the department, the time taken to resolve individual concerns has continued to fall. We are confident that we have addressed the historical backlog of casework. At the end of this half year we had only 1 open case that had been with us for over 12 months.

Our aim however is to deliver further improvements and to ensure that 90% of all of our complainants receive their decisions within 6 months of approaching the ICO, regardless of whether they have an FOI or DP concern. We have made some significant progress toward this aim with only 154 cases over 6 months old on the books. Again, to put this into context, at the end of September 2010 we had a total of 1231 cases of the same age, open and unresolved.

We are now comparing well against the performance of others who carry out similar regulatory functions. The Parliamentary and Health Service Ombudsman for example, or the Financial Services Ombudsman all aim to deliver similar standards of service for their complex casework. We intend to do some more benchmarking against those organisations as we move toward year end.

Significant activities

We have been able to deliver improvements because of some of the efficiency work that we began last year and some further activity that was concluded in the last few months.

The work commissioned from the Freedom of Information Project Board has effectively come to an end. All FOI facing staff have had a briefing on a revised approach to our casework. The new and more streamlined approach is based on asking Public Authorities to revisit decisions made, making more use of our available guidance and lines to take, to satisfy themselves and then us at the regulator, that they are right to withhold requested information.
Just as we have done with our data protection casework, we are placing more emphasis on asking organisations to convince us of their ability to deliver against their obligations, and stepping in where we have concerns, taking a balanced and proportionate approach. The decision notice process has been simplified, and we are encouraging a more straightforward, and less legalistic, style in our communications, in an attempt to make our outcomes more accessible to a wider audience.

We have shared more resources to help public authorities. Publishing our internal lines to take, and FOI knowledge base has been well received and we have a new guide to how we handle FOI complaints (aimed at public authorities) to complement our approach.

We have changed our approach to decision making with case officers and signatories working closely, and more collaboratively than before. There is less emphasis on critical checking and more on working together to deliver efficiently. Group managers have consolidated training and as a result only a small proportion of FOI cases require input from outside the directorate. 69% of decision notices issued so far this year were signed by group managers compared with 49% in the last 6 months of 2010/11.

We anticipate that decision notice numbers will increase in the latter half of the year because of the internal changes we have introduced. It is still worth noting that at the mid year point in 2010 we had issued 305 formal decisions; to date we have signed off on 522.

Whilst the majority of the effort in this half of the year has been to get us into a steady and maintainable state, there has been a conscious effort to do more work with the outcomes of our casework. Group Managers are working with case officers to highlight trends, either on a thematic, or organisational basis. Each group has a liaison project underway to identify where we can focus some of our attention to improve practices more generally than we can in individual cases.

By way of examples we have identified issues with the Ministry of Justice in terms of the timeliness of responses and on some of the policies on access to judges’ notes.
Likewise the UK Borders Agency is struggling with the timeliness of responses in data protection casework and across various religious organisations there is a poor general understanding of data protection and subject access rights. With freedom of information there are significant issues with the Cabinet Office. We arranged a meeting with their Head of Information Governance and Knowledge management to understand the issues and find ways to work better together. We have work to do with the Office of the First Minister and Deputy First Minister in Northern Ireland as well as the Foreign and Commonwealth Office to improve response times to our enquiries.

All of this activity takes place in conjunction with our Strategic Liaison, or Enforcement colleagues and it is part of an ongoing strategy to feed complaints outcomes into the work being carried out elsewhere, when appropriate to do so.

Looking ahead

Looking forward, our plan is to encourage better practice in specific areas, through the use of improvement action plans that we will expect organisations to sign up to (these will be useful where concerns fall short of the need for a formal undertaking).

We are also working on developing a suite of case stories that explain how we have helped the public in a number of common areas of concern. The aim is to share how we deal with complaints raised with us, as well as highlighting what we can, and in some cases cannot, do to help. We anticipate these will be available to the public before the end of quarter 3.

We are feeding in to the work of the Information Rights committee priority groups and working with the Audit team to see how some of the common recommendations or findings from that department can feed into action plans that we might suggest. We are also highlighting those organisations that could benefit from either a self-audit questionnaire, a focussed visit or even a full audit to promote better compliance with the legislation.

We have a programme of collaborative working, with DP and FOI integration being encouraged. We have completed a program of training to allow all lead case officers to be able to work on both areas of legislation. This helps personal development and builds some more flexibility across the groups.
We are also offering all level C case officers the opportunity to work with cases in both areas with lead case officer support. We are confident that the culture of ongoing improvement that we have fostered will help deliver against business plan objectives and add value for those that use our service. The aim for the rest of the year is to continue to promote information rights obligations, and ensure that organisations work with us to demonstrate compliance.


At year we intend to highlight how the department’s activities have and will continue to contribute to mission and vision for 2012.

3. Enforcement Department

Performance commentary

DP enforcement activity

Our target for the investigation of self reported breaches for the year is 500; in the first half of the year we closed 282 cases. These closures resulted in 42 undertakings, 1 preliminary enforcement notice and 2 civil monetary penalty notices. A further 4 notices of intent have been issued and are awaiting response from the data controller. With a number of other cases under consideration for civil monetary penalty we expect to issue 20 penalty notices during the year.

Investigation activity

This year has seen an increase in the number of section 55 cases investigated. To date we have closed 25 cases which have resulted in 2 cautions administered and 4 prosecutions as follows:

Campbell: The offender obtained patient information from their partner who worked in an NHS Walk in Centre. The information was then used to approach individuals in an attempt to sign them up to accident claims. The outcome was a £1,050 fine + £1,160 towards costs.

Hames and Turley: Case involved an employee obtaining and selling customer information for use in the mobile phone reseller industry. Hames was charged with 2 section 55 offences, Turley with 18 section 55 offences (6 obtaining, 6 disclosing and 6 selling). Both received an 18 month conditional discharge. In a Proceeds of Crime Act application, the first brought by the ICO, they were ordered to pay the following retrospectively – Hames £28,700 within 6 months or 15 months imprisonment and Turley £45,000 or 18 months.

Langridge: A bank employee accessed the account of a customer for personal reasons and without authorisation. Langridge was charged with 8 section 55 offences and received an £800 fine with £400 costs. We were disappointed with the level of this fine.


We have also successfully prosecuted one section 17 non notification offence and closed 7 section 77 FOIA investigations.

Non notification activity

The headline notification figures show a continuing rise in the number of data controllers being registered, with the biggest figures being a 15% increase in notifications relating to local councillors (1525 up over the last 6 months), 6.5% in private doctors, 6.4% in letting agents, 3% in dentists and 2.5% in accountants.

FOIA monitoring

1 April 2011 saw the beginning of the 2nd tranche of section 10 FOIA monitoring; a report which will draw together the outcomes of this exercise is currently being prepared. Early indications suggest that regulatory action or a strong warning on future compliance may be required in a number of cases. Satisfactory compliance was achieved by the following 8 cases leading to case closures:

- Barnsley Metropolitan Council
- Equality and Human Rights Commission
- Highways Agency
- Kirklees Council
- North East Lincolnshire Council
- Surrey County Council
- Surrey Police
- Waveney District Council

We continue to monitor the Cabinet Office and the Ministry of Defence from the initial monitoring phase but have been able to conclude the Birmingham City Council case, as the authority has demonstrated that it has met the requirements of the time-bound steps of the undertaking we issued. For tranche three, we have identified 5 more Central Government Departments for potential inclusion

Significant activities

Un-scrubbed drives initiative

Following a reported security breach in 2009 involving the sale of un-scrubbed hard drives on the internet containing personal data, the Enforcement Department undertook a repeat exercise to establish whether this remains an issue. A forensic organisation was engaged to purchase and analyse approximately 200 hard disk drives (HDD), 20 memory sticks and 10 mobile telephones. These were bought from a variety of sources with most coming from online auction sites.

Analysis of the hardware has revealed that although relatively low amounts of personal data were found, the decommissioning of equipment still poses a risk to organisations if appropriate measures are not in place to ensure the integrity of personal data held within them. However, the research did conclude that there was an improvement from the previous position.

The exercise also highlighted that individuals disposing of hard drives also need to take care. We found that personal data relating to owners of the equipment purchased remained on the devices. Identity theft could be the result of this personal information getting into the wrong hands.

New PECR

Significant progress has been made with the introduction of the New Privacy and Electronic Communications Regulations in April 2010. We have worked closely with the Good Practice Team, Strategic Liaison and the telecommunications industry in developing a process for breach reporting and monitoring compliance with the Regulations in this area.

SPAM text investigation

Further to a complaint from Jack Straw about the rise in insurance premiums and the link to referral fees and personal injury claims, an investigation began to try and discover the source of the texts which invited individuals to make claims for compensation following an accident.

Working closely with the Hot Issues Group and external telecommunication providers the enforcement department have made significant progress with the investigation. An information notice, the first of its kind following the introduction of the new Privacy and Electronic Communications Regulations in April 2011, has been issued to a service provider. In addition, a search warrant has been executed at an identified address and work continues pursuing lines of enquiry generated by this activity.

Looking ahead

We continue to raise the issue of the inadequate sentencing powers for DPA Section 55 offences and call for an effective deterrent.

We will continue to investigate breaches of section 55 of the DPA. To assist in raising awareness of the potential for organisations to be targeted by ‘blaggers’ committing section 55 offences, we will be producing a training DVD with the help of the Communications Department. The target audience will be large public authorities and private companies who operate call centre operations such as the DWP, HMRC, NHS and the Telecommunication industry. Following the introduction of the civil monetary penalty powers in April 2010, a review of processes in this area is underway. Work continues in further developing internal processes and procedures and communication of our enforcement decisions. This is in conjunction with the ongoing development of the use of the new PECR which came into force in April 2011.

For some time, the vast majority of our work has centred on responding to security breach reports and while this is recognised as a priority area it is important that we take a proactive approach to the identification of other significant breaches of The Act through our complaint handling process, and the identification of issues that are of public importance. We will continue to develop this area of work using management information and close liaison with other departments. We will continue to tackle the issue of SPAM texts. This is clearly a cause for concern for many members of the public.

4. Good Practice Department

Performance commentary

Of our target of 40 audits, we have completed 19, with the fieldwork completed on a further 8. We have also completed six follow up audits.

Last year, all our audits were completed with public sector organisations. The audits we have completed this year so far have been across a diverse range of data controllers:

| Sector | YTD | Target |
|---|---|---|
| Private | 26% | 25% |
| Government Departments | 21% | 20% |
| Public Authorities/Charities | 53% | 55% |

As improvements have been made in the audit process, the time taken for the ICO to deliver audits has reduced, with a noticeable impact in improving the time it takes organisations to return reports to us and agree findings and recommendations.

[Figure: ICO Days and Organisation Days per quarter, Q1 2010/11 to Q1 2011/12]

| Measure | YTD | Target |
|---|---|---|
| Audits completed in agreed timescales | 89% | 90% |
| %age of recommendations in high risk areas complete on follow up | 72% | 90% |
| %age of recommendations in medium and low risk areas complete on follow up | 92% | 80% |
| %age of recommendations in high risk areas agreed | 91% | 90% |
| %age of recommendations in medium and low risk areas agreed | 93% | 80% |

Of the organisations audited who responded to our feedback questionnaire 100% (target 80%) agreed that the audit has added value for them.

Comments have included:

“It has raised [our] awareness of the importance of data protection.”
“Managers are now more fully aware of their responsibilities.”
“…it has raised the profile of Data Protection generally and provided some focus on areas that have been of concern for some time….”
“It has … highlighted some areas where we still need to improve and given us reassurance that we are on the right track in other areas.”
“The audit provided a useful independent assessment and assurance on how we were meeting our data protection obligations …”
“Staff are more aware of the consequences of action they take in relation to data protection …”

Significant activities

The executive summaries of the first private sector audits (Nationwide, Google, GE Money) have been published. We also issued our first green or high assurance audit reports to Nationwide and GE Money.

In May, we started to publish the outcomes of our follow up audits on our website. We also published a ‘guide to data protection audits’ on our website, with the aim of explaining the ICO audit process to organisations, and to help to encourage them to agree to an audit.

In July, the Annual Report launch was used as a platform to use the statistics collected by the team to demonstrate the difficulties in getting private sector organisations to consent to audits. This press release and the publication of the Google audit report have resulted in a higher media profile for audit work.

We have conducted a very successful pilot of a self assessment questionnaire for schools in conjunction with Merthyr Tydfil council. The report has been very well received and is being presented to all Heads of ICT in Wales in November.

We have been working to utilise the new audit powers under the amended PECR regulations, and a process has been developed in conjunction with Enforcement to audit the requirement for breach notification by the relevant sectors.

On FOI, publication scheme monitoring of the higher education sector has been followed up with letters to those universities found to be non compliant with their section 19 obligations.

Looking ahead

Audits are now in the audit programme through the rest of the financial year, with 19 more audits scheduled in across a range of public and private sector organisations.

Work will continue to further diversify the types of audits the ICO offers. This will include rolling out the self assessment work to English schools as well as developing and delivering a new ‘short audit’ process to enable smaller organisations to benefit from an ICO audit. We are also developing self audit tools to provide further assistance to organisations and working with Enforcement to follow up on the actions of organisations who sign undertakings to ensure they have met their commitments.

The Assessment Notice Code of Practice is due to be reviewed in the Spring/Summer of 2012 and work will commence in the second half of the year to identify possible amendments and revisions to reflect current working practices as well as to develop a case for extending our powers to new sectors.

With regard to FOI, a scope area for inclusion in appropriate audits has been developed. This is being used for the first time at a local authority in October.

We are also recruiting a new audit team and will be writing to data controllers in the autumn to ask them to participate in our 2012/13 audit programme. We will also use this exercise to continue to collect information to support the extension of our audit powers.

5. Wales Regional Office

Performance commentary

The Wales Office keeps separate statistical data relating to Welsh public authorities and stakeholders. During the period, 37 FOI cases were received against Welsh public authorities, and 42 were closed. We also answered around 140 significant email and telephone enquiries, all well within ICO service delivery target times.

During the period, staff from the office have attended 13 meetings with stakeholders, and have spoken at several events, including the conference referred to below.

Significant activities

At the National Assembly elections in May several new Assembly Members were elected and we have recently provided information rights awareness training for them and their support staff, in liaison with the Assembly Commission.

In June, the office hosted a very successful conference on information sharing in Cardiff. This marked the Welsh launch of the Code of Practice on Data Sharing and was attended by over 140 public and third sector stakeholders. Several members of ICO staff were involved and Christopher Graham gave the keynote address. Feedback received was overwhelmingly positive, with 97% of delegates agreeing that the conference was useful, and 94% rating it overall as either 4/5 or 5/5. This was particularly encouraging as we knew we would be targeting two distinct groups: DP practitioners, and those who regularly share information as part of their work but who have no particular DP expertise.

In June, we also submitted our first annual report to the Welsh Language Board on the operation of our revised Welsh Language Scheme. This received entirely positive feedback from the Board, with no critical comment.

The Welsh Government’s Sharing Personal Information (SPI) programme is being rolled out across (primarily) health, social care and education sectors in Wales, and we have been involved not only with the programme itself but also in attendance at meetings of the Government’s new SPI Programme Board. The aim of the programme is to establish a standardised quality framework for sharing personal information across Wales, by providing support for, and strongly encouraging use of, the WASPI information sharing accord.

In July we attended the first meeting of the Wales Information Governance Board, the NHS Wales’ new high level body providing advice on direction and standards, at which the Minister was also present. The board will also consider specific uses and sharing of information in health and social care across Wales.

Internally, the period has been a busy one for Cardiff staff, with a move to new premises and a changeover to home-working arrangements for FOI case workers. Neither event went entirely without hitch but all accommodation issues have now been resolved and FOI staff have adapted well to their different working pattern. We are however still awaiting confirmation from the former landlord at Cambrian Buildings of successfully exercising the lease break on 7 September.

Looking ahead

The office now has a full staffing complement again after an extended period of reduced resource, and as a consequence the next period should show increased levels of output, with a resumption of some activities that had earlier been put on hold.

Further awareness raising sessions are being arranged with new AMs and their support staff for November, and the next period will also see involvement with the SPI programme and the housing sector in Wales. We also plan to arrange a meeting with the First Minister and Assembly Commissioner with responsibility for information governance, at which Christopher Graham will be present.

The March referendum on further law-making powers for Wales received a resounding ‘yes’ vote. As the legislative machinery of the Fourth Assembly gains momentum, we anticipate a much bigger scrutiny role for this office and are already seeing some signs of this. Progress by the MoJ’s Estate Transformation Programme in the South Wales area is likely to involve more change for the office in the next few months, as another MoJ arm’s length body relocates to the same building.

6. Scotland Regional Office

Performance commentary

Over the period, the Scotland Office dealt with almost 900 enquiries from members of the public and other stakeholders, the more complex of which led to further involvement by local staff through more formal engagement with data controllers. A total of 31 meetings were held with stakeholder organisations. Staff also delivered presentations at 32 speaking engagements.

The first two quarters of 2011/12 have been relatively quiet in relation to legislative work, largely because of the Scottish Parliament elections held in May. These were preceded by a period of purdah and were closely followed by the summer recess. Nevertheless, a number of responses were made to ongoing public sector consultations covering issues as diverse as proposed taxi licence regulations, an e-health competency framework and CCTV in schools.

Significant activities

The Scottish launch of the Data Sharing Code of Practice was held in Glasgow on 15 June, with some 100 delegates attending the event. The keynote address was given by Christopher Graham, while other staff, including colleagues from Wilmslow, led both plenary and workshop sessions.

Following enforcement action taken against a Bristol-based barrister in late 2010, the office was approached by the Faculty of Advocates and asked to deliver an awareness raising session with member Advocates. This was held in April and has since been followed by similar seminars with all Faculty staff.

During 2008, with seed-funding from the Research Committee and with the intention of passing responsibility to participants in due course, the Scotland office established the Scottish Privacy Forum, an informal network of data protection representatives from key sectors. This has now become a well-established discussion group which meets twice yearly. In spring 2011, it was agreed that the administrative responsibility for the Forum would pass to Dr William Webster, Senior Lecturer in Public Management at the University of Stirling. Dr Webster has a specific research interest in CCTV and is currently Chair of an international multi-disciplinary social science research programme, Living in Surveillance Societies, which explores the everyday implications of living in societies where technologically mediated surveillance practices are pervasive.

The team have been involved in a number of initiatives raising awareness of DP issues in Scotland-wide organisations. We have been working closely with Skills Development Scotland on data-sharing and have recently undertaken a “compliance review” of the Scottish Children's Reporter Administration. We are represented on the Scottish Government's Data Linkage Working Group and have also completed a series of awareness raising sessions with MSP research staff at the Scottish Parliament. We also continue to be represented at various sectoral forums such as those for the police, for local authorities and for health.

Finally, in August, we moved into Melville St, Edinburgh and are now co-located with The Scotland Office, part of the Ministry of Justice.

Looking ahead

In the next few months, we will be represented at a number of speaking engagements covering CCTV, direct marketing and business security while continuing to raise awareness with individual stakeholders. Prison Governors and their Corporate Management Teams will be addressed in sessions arranged by the Scottish Prison Service following enforcement action taken against it. The SPS wish us to carry out a compliance review in due course.

7. Northern Ireland Regional Office

Performance commentary

In common with the Wales office, the team in Northern Ireland was reorganised with effect from 1 April 2011, with all case workers reporting to Wilmslow. At the same time, a post of Senior Policy Officer was established, confirming a role which had been in place informally for some months. The transition to the new arrangements went smoothly and, despite some initial concerns over home-working for case workers, those who have begun working from home on an occasional basis are very positive about the practice. Between April and September, the policy team in Northern Ireland dealt with over 900 enquiries from members of the public and other stakeholders. Meetings were held with 17 stakeholder organisations and we delivered 19 speaking engagements.

Significant activities

On 28 June, we held the launch of our Data Sharing Code of Practice in the Linen Hall Library, Belfast. It was formally launched by Christopher Graham to 100 delegates at a half-day conference chaired by Simon Entwisle. This was followed by a more informal introduction to the Code to senior officials in public authorities later that evening. All feedback received following the launch has been extremely positive.

During the launch event, we were approached by a delegate who sought advice from us on aspects of data sharing in the health service. As a direct result of this, we met with officials of the Department of Health, Social Services and Public Safety (DHSSPS) to discuss compliance issues in relation to the proposed Electronic Care Record under development by the department. Latterly, we were approached by the DHSSPS to deliver a broader presentation to its senior managers (up to and including the Permanent Secretary) in the second half of the year. This will indirectly complement a completed series of focused DP and FOI awareness raising sessions which were delivered to over 100 middle managers from all departments of the NI Civil Service during the first quarter.

We have responded to a wide range of consultations covering proposals on subjects as diverse as the retention of DNA and other biometric information, the extension of access to the NI driver licensing database and the protection of the confidentiality of service user information. We have subsequently been invited to attend the new NI DNA Database Governance Board as Observers. The Board will meet for the first time in November.

In April, we were advised of a serious incident involving patient records at derelict premises under the ownership and control of the Belfast Health & Social Care Trust. We have worked alongside our colleagues in Enforcement during the on-going investigation of the breach. More recently, we have assisted Enforcement in the investigation of a separate breach involving a small number of NI patient records lost by a data processor in the Isle of Man and have liaised with the Manx Data Protection Supervisor during the resolution of this case.

The NI office has developed good working relationships with other locally based regulators. We have signed an MoU about the sharing of information with the NI Ombudsman’s office and, along with the Public Records Office NI (PRONI), we have issued instructions to public authorities in relation to compliance with NI legislation on retention and destruction schedules.

Looking ahead

The lease of our premises in Belfast comes to a break-point in December 2012. We will take advantage of this to relocate to smaller and less costly offices, preferably within the Crown Estate. The search for new accommodation will take place throughout the second half of the year.

Our work raising awareness of information rights will continue throughout the year. A conference on the business case for data protection, with a focus on the private and voluntary sectors, is being held in L’Derry in October. We will continue to promote good practice in information handling throughout all sectors and expect to assist the NICS in developing new internal information governance procedures in the first quarter of 2012.