MISCONDUCT IN PUBLIC OFFICE
The Information Commissioner has a word with the MP
This page contains a record of the email exchanges that took place between a constituent and their MP (now escalated to the office of the Information Commissioner).
Reading the 2020 Case Study is not a prerequisite to understanding the content on this page.
In this document the Case Reference Number is replaced by the code PN1985.
[IMPN] is short for insert MP name.
*Everywhere where the MP had originally been addressed by their Title-and/or-Surname now reads ‘Dear Sir
Complaint email of 29 October 2020, 17:52hrs
To: [Information Commissioner]
Subject: Data Breach Report (MP – ■■■■ ■■■■)
Dear Information Commissioner
My name is [Constituent]. I reside at [Home address supplied].
I would like to submit a complaint against the office of Member of Parliament for ■■■■ ■■■■ over their handling of a data breach that involved my personal information.
The MP for ■■■■ ■■■■ is [IMPN]
[MP email address]
Postal address: [IMPN], MP – ■■■■ ■■■■, House of Commons, London, SW1A 0AA
The Office Manager for IMPN is [name and email address supplied].
[The Office Manager’s] phone number is ■■■■ ■■■■.
By way of background: I submitted a Subject Access Request to the MP’s office in email of 7 June 2020 21:39hrs (their Ref: PN1984). Copy of my ID with address was supplied with the information request (Full UK Driver’s Licence + Poll Card).
I got home on the 6th of July to find that an envelope from the MP’s office had been posted through my door, but it had been opened. The envelope contained my [PN1984] SAR supply, under cover of letter of 27th June.
On later examination, I found that the envelope had been addressed to [wrong address]. It appears as if Royal Mail delivered the documents to that address, and the resident at that address opened it before realising that it wasn’t addressed to them. I am guessing that they then later came and posted it through my door in my absence (I’m Number ■■■■).
I do not know on what date the MP’s office themselves posted the documents, all I know is that they were deposited through my door on 06.07.2020, and that the envelope (containing cover letter of 27.06.2020), had been opened.
I sent the MP’s office an email of 6 July 2020, 19:13hrs, asking them to please investigate this data breach and to please also correct your address in your records. The MP’s office did not reply to me regarding this issue.
I sent them further emails to prompt a response:
*16 July 2020, 21:35hrs
*28 July 2020, 16:47hrs
*17 August 2020, 01:35hrs
*28 August 2020, 14:14hrs
but none was forthcoming.
This is really bad information management practice. The MP’s office should have conducted an investigation asap after receiving my 6th July letter, and given me an apology.
Up to this day, as I send you this email ICO, I have not heard any apology of any sort from the MP’s office regarding this issue.
Please take the MP’s office to task over their unacceptably poor information management practice. Those that will not hear must be made to feel (it in their pockets – due to an ICO fine).
Information Commissioner to IMPN
05 March 2021
Our Reference: ■■■■ ■■■■
Dear Chief Executive,
The Information Commissioner’s Office (ICO) has received a complaint about the way your organisation processes personal data. We received the complaint on 23 November 2020 and I have attached the relevant details.
The ICO’s role
Our role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
One way that we do that is to consider complaints from individuals who believe there has been an infringement of the data protection law. Section 165 of the Data Protection Act 2018 requires us to take steps to respond to the complaint including investigating it to the extent that we feel is appropriate and informing the complainant of the outcome.
The outcome of this complaint
Your constituent has complained to the ICO about your handling of their data protection complaint. They believe that you have not complied with your obligations under data protection legislation.
The complainant has informed us that his data was sent to a third party’s address and that this error has not been addressed.
It is our decision that there is more work for you to do and we now expect you to take steps to address any outstanding issues with the complainant.
What you need to do now
One of the ICO’s strategic goals is to increase the public’s trust and confidence in how their personal data is used and made available and this relies on data controllers being accountable for their actions in relation to handling data and responding to information rights requests.
Accountability is one of the data protection principles and makes you responsible for complying with the General Data Protection Regulation (GDPR).
You must be able to demonstrate your compliance to your customer and work hard to promote trust and resolve their concerns without the need for the individual to come to us. The attached document provides more detail about this.
As a regulator we look to organisations to effectively manage and resolve the data protection complaints they receive. When an individual comes to us to complain, they are in effect telling the regulator that they believe you are breaking the law. Reports of this kind are something that we will treat seriously and robustly.
We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to them, or to put things right when they have gone wrong.
We therefore require you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.
If you believe that you have complied with the data protection law, you need to explain this in detail to your customer. You also need to be confident that you have done all you can to find an appropriate resolution. If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.
I have included a checklist in the attached document to help you with this; you should be able to tick off all the points on this non-exhaustive list.
We expect you to contact your customer within the next 28 days with this further detail. If you are unable to meet this timeframe we expect you to contact your customer to let them know and to advise them when to expect it. You do not need to provide a response to us at this stage.
However, if we receive a further complaint about this processing, we will carefully review and assess the response you have provided. If we consider that you are infringing data protection law then we will consider using our formal powers and any sanctions available.
Although individuals do have the right to raise complaints with the ICO, we should not be viewed as a routine second stage in a resolution process. As indicated above, we expect organisations to take their personal data obligations seriously and this should reduce the need for individuals to approach the regulator directly.
Advice and assistance
Our website contains advice and guidance about the processing of personal data and an organisation’s obligations under the Data Protection law. I recommend that you review the information on our website to fully understand your obligations and in particular our accountability framework. We also have specific information about how you should respond to data protection complaints.
Information Commissioner’s Office
You should be aware that the Information Commissioner often receives requests for copies of the letters we send and receive when dealing with casework. Not only are we obliged to deal with these in accordance with the access provisions of the data protection framework and the Freedom of Information Act 2000, it is in the public interest that we are open and transparent and accountable for the work that we do.
HOUSE OF COMMONS
LONDON SW1A 0AA
23 March 2021
Our Case Ref: [PN1985]
Dear [Mr Constituent]
RE: ICO Data Handling Complaint Final Response ICO Reference: ■■■■ ■■■■
I am writing in response to your complaint to the Information Commissioner’s Office (ICO) concerning the processing of your personal data by my office.
You complained to the ICO on 23 November 2020 (ICO Ref: ■■■■ ■■■■) that a response sent to you by my office dated 27 June 2020 was mistakenly sent to [wrong address] instead of your correct address of ■■■■ ■■■■ and resultingly it had been opened prior to your receipt by your neighbour. In addition, that upon raising this matter with my office your complaint was not acknowledged.
The ICO wrote to me on 5 March 2021 detailing your complaint and asked me to investigate and respond to you within 28 days in the form of a final response letter. Please accept this letter as the final response to my investigation and remedy of your complaint.
I have investigated, and it is the case that the letter of 27 June 2020 was sent to [wrong address] as a result of human error. Your address held on file was typed incorrectly. I apologise to you and have ensured that your address details kept on file have been amended in accordance with your right of rectification under the Data Protection Act 2018 (DPA 2018).
25th March 2021
Re: Data Breach Concern (Your Ref – PN1985)
Reference is made to the Information Management concern raised in the PN1984 emails of 6th July, 16 July 2020, 21:35hrs, 28 July 2020, 16:47hrs, 17 August 2020, 01:35hrs and 28 August 2020, 14:14hrs that I sent to <■■■■■■■■>
Due to your failure to engage with me on this matter, I raised 29.10.2020 complaint with the Information Commissioner, resulting in the ICO’s office sending you letter of 5th March 2021 (Their Ref: ■■■■■■■■). Your [PN1985] letter of 23.03.2021 comes as a result of that complaint. As Data Controller you have failed to reassure me that you have high standards for keeping constituent personal details securely.
[NC1] Non-conformity 1: You disclosed my sensitive private information to a Third Party.
[NC2] Non-conformity 2: You failed to engage with me regarding the Data Handling complaint that I raised as a result of the Data Breach.
In your letter of 23.03.2021 you have attributed to human error the fact that you sent my private and confidential documents to [wrong address]. This is incorrect. While it is (very likely) true that the human being who input my address into your electronic system made a genuine mistake, that mistake should not have translated to having my sensitive personal information disclosed to a third party member of the public. Amending the address details that you hold on file is just “correction”; we need also to look at “corrective action” and “preventive action”. Before we can do that, we need to get at the root cause of the problem.
While you now have a new Head Office, I do not gather from my reading of your 23rd March letter that you have stopped employing human beings in your offices.1 Human beings, by nature, are prone to error. Your system needs to have checks and balances in place to ensure that when an understandable human error occurs, it is early detected; thereby enabling the prevention/minimisation of the repercussions of the error.
The hard copy letters of 7th July and 16th July that I sent to your office both had my address written on them correctly. So too did the soft copy letter of 6th July, and the Driver’s licence copy that was attached to my email of 7th June. On what date was my home address logged onto your information database please? Do your operational procedures explicitly require the person who inputs an address into your system to check themselves? [Mistakes happen, even when one checks themselves, I know that]. Do your operational procedures explicitly require a second individual to check after the person who inputs an address into your system? Final checkpoint: Point of dispatch (i.e. once the information requested in the SAR has been put together and is ready to send). Do your operational procedures require that you check the address on the envelope against the ID document that was supplied by the Data Subject (and also against the address on your Database)? Can you see how having and implementing sufficient checks can help prevent data breaches like the one that happened in my case?
There’s another issue (and more important): The method that you used to send the data to myself. You sent the data using Royal Mail’s second class post. Using Recorded Delivery would have provided you with another checkpoint; you didn’t even use Recorded Delivery. Just to be clear, I am not recommending that ‘Recorded Delivery’ service, all I am saying is that had you used it, there would have been a buffer that may have helped prevent the Data Breach.
On why I do not recommend the Royal Mail Signed For® service:
Royal Mail Group Ltd provides the inland letters services to customers under a scheme made under s.89 of the Postal Services Act 2000. The terms and conditions relating to the company’s services, compensation policy and packaging guidelines are published in the public domain and customers have reasonable access to this information.
The Royal Mail United Kingdom Post Scheme 27 April 2020 is available at https://www.royalmail.com/sites/royalmail.com/files/2020-04/UK-Post-Scheme-27-April-2020.pdf
According to Royal Mail’s explanation of how ‘the Scheme’ works; Royal Mail do not enter into a contractual agreement with their retail customers for the collection and delivery of mail items, neither do they owe their customers a duty of care. Royal Mail’s Senior Information Rights and Governance Manager tells me that ICO guidance states that Royal Mail are not considered to be Data Controllers for the information that is inside any mail item (all the liability not borne by Royal Mail remains with the mail sender).
When Royal Mail leave a Recorded Signed For item with a neighbour (any neighbour of their choosing), they consider the item delivered; and they have limited liability.
As for normal post:
Royal Mail deliver ‘normal post’ to the address and not the addressee. Their postpersons are instructed to deliver the mail through the door of the address specified on the envelope even though the postperson knows full well that the person named on that envelope does not live at that address.2 If you want reassurance that the mail will get delivered to the addressee, Royal Mail recommend using their Special Delivery Guaranteed service.
Please investigate some more. We have a long way to go before I get reassured:
[Q1] Please look into the systematic and systemic issues surrounding how the wrong address came to be put on the envelope that contained the letter of 27.06.2020.
You may want to look at such questions as: On what date was my address input into your electronic database? Did the staff member check themselves? Do staff members who perform such tasks routinely check after themselves? Did a different staff member check after the staff member who did the original entry? Was the address-on-envelope checked against the supplied ID documents before sending?
[Q2] Why did you choose to use Royal Mail’s standard post for sending sensitive information?
[Q3] As the Information Commissioner rightly points out: “[The Information Commissioner] should not be viewed as a routine second stage in a resolution process. [They] expect organisations to take their personal data obligations seriously and this should reduce the need for individuals to approach the regulator directly.”
You are a registered Data Controller who is well aware of your personal data obligations. Why did you ignore the Data Breach concerns that I raised in emails of 6th July, 16th July, 28th July, 17th August and 28th August 2020?
A robust information investigation of these concerns will go a long way towards ensuring that the constituent data held and processed by your offices is kept secure.
I look forward to hearing back from you in the near future.