Axe Honesty First: SIC Rosemary Agnew broke Data Protection Act THE high-powered watchdog responsible for promoting and enforcing Scotland’s freedom of information laws has issued an unreserved apology to a retired Borders journalist after admitting three breaches of the Data Protection Act (DPA).
But the Scottish Information Commissioner (SIC) will not be hit with any form of punishment after an investigation by the England-based Information Commissioner (IC) concluded there was no need for further action.
A second complaint against the SIC by former Scotsman reporter Bill Chisholm, from Jedburgh, that the Commissioner - Rosemary Agnew released around 200 pages of personal correspondence to a Freedom of Information (FOI) requester without asking his permission and without even consulting him was not upheld.
Earlier this year Mr Chisholm submitted Petition PE1512 Amendments to the Freedom of Information Scotland Act 2002 to the Scottish Parliament seeking an addition to the Freedom of Information Scotland Act (FOISA) which would force councils and other public authorities to provide “honest and accurate” responses to requests for information.
Holyrood evidence session with Bill Chisholm on reform to Freedom of Information
But the petition met stiff opposition from Ms Agnew’s office and from the Scottish Government. They both claimed there was no need for amended legislation, and in any case Mr Chisholm’s proposals would be “unworkable”.
Last week MSPs on the Public Petitions Committee agreed unanimously to close down Mr Chisholm’s petition which means it will receive no further consideration.
While his petition was still “live” Mr Chisholm decided not to disclose details of the SIC’s triple breach of the Data Protection Act which occurred earlier this year.
Ms Agnew, who gave evidence to the Petitions Committee in May, received a FOI request asking for copies of all documents and email exchanges relating to Mr Chisholm’s petition. The extensive collection of correspondence was released by the SIC, and the contents were subsequently published on an internet website.
But in providing the information to the requester Ms Agnew’s office failed to redact Mr Chisholm’s email address from three separate documents, thereby committing clear breaches of the Data Protection regulations.
Before lodging a complaint with the SIC Mr Chisholm rang the Information Commissioner’s Helpline to ask for their opinion and advice. He said: “At this stage I did not identify the SIC as the offender. I was told several times by the person who took my call that the public authority concerned had no right to release any information without contacting me first. I was advised to seek an explanation before asking for an investigation.”
The SIC subsequently carried out its own internal enquiry which confirmed the three breaches of the Data Protection Act but dismissed the rest of the complaint.
Margaret Keyse, Head of Enforcement at the SIC told Mr Chisholm in a written decision: “I examined the information we disclosed and what we told the requester. It was clear from the response that we intended to withhold your email address, because it was your personal data and because we considered that disclosure would breach the DPA. We redacted it in most places where it appeared but, through a clerical error, we failed to redact it in three places.
“I am very sorry that this has happened and apologise unreservedly for any distress this has caused you. Although the accidental disclosure was the result of a clerical error rather than procedural failure, the Scottish Information Commissioner will also reflect on this and incorporate any lessons learned in the review of our internal procedures for responding to information requests.”
Mr Chisholm was not satisfied with the outcome of the SIC investigation, and referred the case to the ICO for their consideration.
In their decision notice, sent to Mr Chisholm at the weekend, the ICO’s Lead Case Officer Rachel Webster said: “Given that your email address should have been withheld it appears unlikely that the SIC has complied with the Data Protection Act 1998. In particular it appears that the SIC has contravened the First Principle by disclosing your email address.
“The SIC has explained in their response the changes they have made to their procedures to try and prevent any future reoccurrence of this problem. I am satisfied at the changes they have made and do not anticipate taking any further action at this time.”
But Ms Webster went on to say that the SIC had not broken FOI rules by passing the 200 pages of correspondence to the requester.
She wrote: “It appears from the information provided that the personal data released by the SIC was limited. As such it is likely in this case given that some of your personal data was already in the public domain as a result of your petition and that the SIC believed it was in the legitimate interests of the requester to be provided with the information that contained your personal data, in our view, it was reasonable for this to be released.
Commenting on the outcome Mr Chisholm said: “The advice I was given by the ICO in June appears to have been flawed or plain wrong. I maintain that the SIC had no right to issue correspondence I had with them without even having the courtesy to inform me beforehand.
“The decision by the ICO to take no further action simply emphasises the point I was trying to make via my petition. Public authorities can flout FOISA or breach the DPA without fear of punishment. The entire system lacks credibility, but there are too many vested interests to allow any strengthening of the law.”
