Print

Print

Tim,

Thanks for the email. Here is the central question.

 

Does the trust need to inform a data subject that they have read their public blog or their public statements?

 

I would suggest that no, they do not. 

 

Issues that emerge if they do are the following. When does the organisation have to provide this FPN? When an officer reads a blog? When the officer reads the blog and sends it, or material from it, to another officer?  The question is when is the *organisation* aware of the information. When it is officially collecting personal data from the web? Is it only when they extract the material from the site or is it when anyone from the organisation visits the site? Does the existing FPN that might exist on the organisation’s website or its notification with the ICO apply to those cases?  What this would suggest is that anytime an officer in an organisation visits a blog they need to issue a FPN. (Does any organisation know regularly what sites its officers visited on a daily or hourly basis and for what purpose? They might be able to find that out after the fact.)

 

I would suggest that in this case an FPN, for reading the blog, is not needed is for the following reasons.

1.    Following Jay’s discussion of FPN on p.263 where she says “The reasoning is not completely clear [the argument that the MPs had not been told about disclosure of expenses so it would be in breach of the FPN requirements to disclose the information] but it appears that they accepted that because the MPs were aware of the disclosure of some information under the Publication Scheme adopted by the Commons the further disclosure was not regarded as another purpose. They also placed reliance on the fact that the obligation on the data controller to provide the information is not absolute but is only to “ensure so far as practicable” that the information is provided or made available.”

 

I would suggest that the nature of writing a public blog and publishing it about a case would indicate that the author would have the reasonable expectation that the other party mentioned in the public statements would read those statements. Thus, it should not be a surprise that the organisation would become aware of and read the blog.  The intent is to make their case in the public domain about the organisation and its behaviour. As a result, the organisation is going to receive attention by the public. It will have to act on the basis of what was written, whether it has read the blog or not.

 

2.    I would suggest that as far as practicable applies in the case we are discussing. I would be surprised if the ICO expected FPN notices each time a blog was read or was forwarded within an organisation as it would not be reasonably practicable to provide that notification each time an officer within an organisation read a blog.

 

3.    I would suggest that the ongoing relationship further reduces the need for a FPN for the blog being read and the response by the organisation, to read it, monitor it, and circulate cuttings from it, fits within the management of the ongoing relationship, which the author was aware of as part of the ongoing relationship. If I understand your logic, it would suggest that an additional FPN is needed even though the organisation is already processing and dealing with the author in an ongoing relationship. I would suggest that a FPN might be needed if the blog that was being read had nothing to do with the organisation as that would be stretching the view that it is within the expectations of the data subject. However, this is still uncertain because the comments are in the public domain. This would suggest that anytime an officer read any blog they would need to issue a FPN to the author of the blog.

 

4.    Following Jay again, p. 265, she does point out that the ICO’s guidance does distinguish between actively communicating a notice and making it readily available. “On the wording of the Act, as long as the data subject has the information made readily available to him and is not misled or deceived, then there is no obligation of active communication. On the other hand the data controller has an overriding obligation to act fairly and there may be cases where fairness requires an active communication.”

I would suggest that in this case, the FPN notice of the organisation would likely cover the fact that they will collect personal data to manage the complaints. I think the organisation has already provided the necessary ingredients for a FPN by their ongoing relationship with the author. I would suggest that the collection and processing has been fair. We may dislike it, but that does not make it unfair.

They know the data controller.

They know their representative.

They know the purpose for which the personal data is collected. Their personal data is collected to manage their ongoing case/ complaint /legal issues.

 

I am not sure what more would be expected.

 

You will recall that the ICO did mention that it read some FOI/ DP blogs and did circulate the cuttings within the ICO. Did they issue a FPN at the time for that particular collection? I do not recall seeing one. (I do not believe that my blog would qualify nor would I expect my comments on this list to reach that status).

 

On the defamation issue, I would not suggest that organisations use their media teams as defamation detectors. I was pointing out that the staff would have a reasonable expectation that the organisation would take steps to protect them, as employees, from defamation as well as potential threats that can emerge on the web. I would think this requirement is heightened now that we have social media. The flip side of the individual holding the organisation to account is that the organisation has to take steps to protect it staff. One would note that the Solicitors from Hell was a harbinger of what was to come. I would image that in the wake of Haringey and Rotherham organisations will need to be aware of the potential that their social workers could be subject to online campaigns of abuse.

 

I would suggest that a public sector organisation is not able to sue for defamation, but its individual officers can. http://www.brodies.com/node/1844 The level of serious harm, this case involving a housing provider, has to be pretty high. http://www.nabarro.com/insight/alerts/2014/august/defamation-act-2013-what-is-serious-harm/

 

As I said previously, all of this is moot until such time as the ICO receives and actions a complaint or the court receives and actions a complaint.

 

If one does occur, I will be interested in the outcome.

 

Best,


Lawrence

 

 

 

From: Tim Turner [mailto:[log in to unmask]]
Sent: 14 October 2014 13:45
To: Lawrence Serewicz; [log in to unmask]
Subject: Re: [data-protection] [MASSMAIL]Re: [MASSMAIL]Monitoring Blog Posts and the Law

 

Hi Lawrence

 

I think you are distracted by the question of whether the organisation is allowed or not allowed to process the data. That is not what I am concerned with. The question is whether the Trust should have informed the data subject and I don’t think you have dealt with this adequately. We don’t know whether anyone subscribed to the blog, but even if they did, that could not possibly meet the requirements of DPA Schedule 1, Part II and I’m surprised you think it might. The Trust should have informed the subject that they were analysing her blog for the purposes of news management and sharing the results with other bodies (i.e. the CCG that disclosed the monitoring to the subject). I don’t believe you have raised anything that might contradict that. I’m sceptical that this activity was either proportionate or a good use of public money, but I am certain that they were obliged to tell the data subject that they were doing it. I find it surprising that you think an organisation is justified in secretly monitoring blogs. The Trust in question did not even admit it when in receipt of requests - this revelation came from CCG with whom the outcome of the monitoring must have been shared.

 

On a separate issue, as I alluded to before, I think your emphasis on defamation is concerning. There is no duty on public bodies to go looking for instances of defamation. Public servants should be allowed to do their work without having to face unfair or untrue accusations, like those of corruption and conspiracy which are sometimes flung around. Equally, they need broad shoulders and should accept robust criticism from justifiably angry people without hiding behind threats of a publicly-funded defamation case. 

 

Best Wishes

 

Tim

 

On 14 October 2014 at 13:13:53, Lawrence Serewicz ([log in to unmask]) wrote:




Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)