What was my reply when Wirral Council’s “Ministry of Truth” asked for 2 invoices on this blog to be erased?
Jenmaleo,
134 Boundary Road
Bidston
CH43 7PH
18th January 2015
by email to surjittour@wirral.gov.uk
CC: joeblott@wirral.gov.uk
Mr. Surjit Tour
Head of Legal and Member Services and Monitoring Officer
Department of Transformation and Resources
Wirral Metropolitan Borough Council
Town Hall
Brighton Street
Wallasey
Wirral
CH44 8ED
Dear Mr. Tour,
Thank you for your email of 15th January 2015 sent at 16:38 with the subject “Blog posting of invoices” which is attached for reference at appendix A. You also attached to your email ICO guidance to s.32 of the Data Protection Act 1998 titled “Social networking and online forums – when does the DPA apply?” which can be read on ICO’s website at https://ico.org.uk/media/for-organisations/documents/1600/social-networking-and-online-forums-dpa-guidance.pdf .
Please class this as a formal response to the issues you have raised in it. I have no problem with you sending a copy of this response to Dr Gareth Vincenti.
You refer in your opening paragraph to section 15 of the Audit Commission Act 1998 (in its amended form as it was later amended by s.160 of the Local Government and Public Involvement in Health Act 2007). This is attached in full for reference at appendix B.
You state “You were provided with copies of certain invoices in compliance with Section 15 (a) of the 1998 Act, which entitles you to make copies of all or any part of the accounts and those other documents.”
The issue of copying of documents (as you can read for yourself in appendix B which is a copy of the legislation) is dealt with by the Audit Commission Act 1998 section 15(1)(b), as section 15(1)(a) deals with a right to inspect documents, not to copy documents. Therefore this sentence in your email should read Section 15(1)(b), not Section 15(a).
You go on to state “In redacting certain parts of those invoices, the Council relied on Section 15 (3A) of the Audit Commission Act 1998, as amended, which relates to personal information.”
If you read s.15(3A) of the Audit Commission Act 1998, as amended (attached as appendix B) you will find the definition of personal information in s.3A is “(3A) Information is personal information if–
(a) it identifies a particular individual or enables a particular individual to be identified; and
(b) the auditor considers that it should not be inspected or disclosed.”
It is important to note that the way the legislation is phrased it is not down to Wirral Council to make the ultimate decision as to whether information that may or may not fall within the definition of personal information as defined by section 3A should or shouldn’t be inspected or disclosed, but that decision is to be made by Wirral Council’s auditor who is for the financial year in question (2013-14) was Grant Thornton UK LLP.
It has not been determined yet whether Wirral Council asked its auditor Grant Thornton UK whether any of the information on the invoice in question should not be inspected or disclosed and if so what Grant Thornton UK LLP’s decision on this matter was.
Appendix C is a communication to Wirral Council’s external auditor in an attempt to clarify whether this took place.
On the 19th January 2015 I received a reply from Wirral Council audit Grant Thornton UK LLP. As you may or may not be aware the current engagement lead at Grant Thornton UK LLP is different to the engagement lead at Grant Thornton UK LLP for the 2013/14 audit. I can confirm that Grant Thornton UK LLP however are making enquiries and will respond as soon as they can.
If there has been an oversight and Wirral Council did not ask its external auditor to make a determination in relation to the many redactions it made to the hundreds of invoices I inspected and received copies of, I would hope that that arrangements could be made to inspect and copy the information I was incorrectly denied access to inspect and receive copies of last year.
You state later in your email:
“The Council considers that it may be necessary to report this matter to the Information Commissioner’s Office and Dr Vincenti may wish to take his own action in connection with your disclosing his personal data “
I will deal with the two interrelated matters raised here in relation to what you refer to as “personal data” of Dr Vincenti’s.
His surname “VINCENTI” is mentioned at the top of the invoice. Not redacted on the copy invoice supplied by Wirral Council is the phrase “Invoicing by Midex Pro for Dr Vincenti”. It is also stated that “cheques are to made payable to Dr. Vincenti”. Two addresses are also used on the invoice to send cheques to, one is a document exchange “DX 720874 Northallerton”, the sort code of 54-10-41 (which relates to a specific branch of a bank) is provided on the invoice for BACS payments and an email address of garethvincenti@btinternet.com is also given.
Dr Gareth Vincenti discloses his own email address, along with other contact details such as the address for correspondence on his website here [drvincenti.co.uk/contact.htm (at the time of writing this link worked however Dr Vincenti’s website is down as of 19th March 2015)]] . The document exchange address is published here http://www.expertsearch.co.uk/cgi-bin/find_expert?4052 and also elsewhere online.
Neither the sort code, nor the document exchange reference fall under s.3A as neither identify a particular individual or enable a particular individual to be identified as both would be used by multiple individuals.
You refer in my email to my right to inspect the invoice. Section 34 of the Data Protection Act 1998 deals with information available to the public under inspection by another enactment (in this case s.15 of the Audit Commission Act 1998).
As it is short I will quote it here:
34 Information available to the public by or under enactment.
Personal data are exempt from—
(a) the subject information provisions,
(b) the fourth data protection principle and section 14(1) to (3), and
(c) the non-disclosure provisions, if the data consist of information which the data controller is obliged by or under any enactment other than an enactment contained in the Freedom of Information Act 2000 to make available to the public, whether by publishing it, by making it available for inspection, or otherwise and whether gratuitously or on payment of a fee.
As to the invoice in question, the “personal data” of Dr Vincenti as you put it was available for inspection because of s.15 of the Audit Commission Act 1998, therefore s.34(c) of the Data Protection Act 1998 applies. It has not been established whether the auditor made a determination that any of it fell within the meaning of “personal information” in section 3A. Therefore at this stage, as you have not provided any evidence that the auditor made such a determination it means such “personal data” is exempt from the non-disclosure provisions that you refer to in your email.
You also state in your email that “which additions include the address of an employee/or former employee of the Council which is capable of amounting to personal data and in the context of the invoice capable of amounting to the processing of sensitive personal data.”
The address you refer to was a partial address. Had it been a complete address including house number, it could be argued that it would fall under the definition of personal information (as defined by s.15(4) of the Audit Commission Act 1998 see appendix B) which states that in order to qualify as personal information, the information “relates specifically to a particular individual”.
There are 60 different addresses in Forwood Road and 22 addresses that match that particular postcode. Wirral has a average household population of 2.17 per a household. Therefore the partial address could potentially relate to one of an estimated 48 individuals.
A partial address, without a house number does not therefore “relate specifically to a particular individual” nor does it enable a particular individual who may live at one of these addresses to be identified. It relates to a large group of individuals. Therefore it falls outside the definition of “personal information” as defined by s.4(1)(a) as it is not information that relates specifically to a particular individual.
Section 32 of the Data Protection Act 1998 on journalism, literature and art also applies here. I state my belief as data controller that I believe that having regard in particular to the special importance of the public interest in freedom of expression, publication of both the original invoice, a copy of the invoice with some of the text from the original invoice highlighted in green and this response including appendices to the response is in the public interest.
A very similar complaint to ICO was made in 2011 about a blogger called Derek Dishman who blogs under the nom de plume of “Mr Mustard” by Barnet Council. The exchange between Barnet Council and ICO can be read here https://www.whatdotheyknow.com/request/94886/response/237295/attach/2/R%20IRQ0426076%20ICO%20Barnet%20correspondence%20re%20ENQ0391446.pdf . To summarise ICO disagreed with Barnet Council’s incorrect assertions about this blogger (which seem broadly similar to those made by Wirral Council).
Finally you state “I do not consider that your right to inspect and the right to have copies made of relevant documents, then entitles you to disclose such documents to the public”.
I hope I have outlined (in much detail above) as to why you are incorrect in that assertion. This issue of the purposes to which information obtained by third parties using their rights to inspect and have copies of information held by local councils during the audit has already been dealt with at a previous judicial review case.
I refer you to R (HTV Ltd) v Bristol City Council [2004] 1 WLR 2717 which I have recently read. I quote from Elias J, the High Court Judge in that matter:
“55. The premise here is that the provision requires the information to be used for a limited purpose or purposes. As I have indicated, I accept that Parliament probably did envisage that the information would be primarily in order to enable electors to raise questions with the auditor and ultimately raise objections. But the fact that those who have access to this information extend beyond those who can make such a request, or raise such an objection, shows that it cannot be the only purpose.
56. In any event, there is no express limitation in the statute as to the use to which this information can be put. I see significant practical difficulties as to confining the use of the material once it has been acquired.”
Finally, my last two points are as Wirral Council is the data controller for the complaint made to it by Dr Gareth Vincenti which refers to me, please class this response as a request exercising my right under s.7 of the Data Protection Act 1998 for a copy of Dr Gareth Vincenti’s complaint.
I further point out that due to what is referred to above I am exercising my right under s.10 of the Data Protection Act 1998 and request that Wirral Council confirm it will immediately cease to process further any personal data about myself in relation to the complaint made by Dr Gareth Vincenti or your email for the reasons outlined above as raising this issue in the way it has been is causing distress.
Yours sincerely,
John Brace
Appendix A (email from Surjit Tour to John Brace dated 15th January 2015)
from:
|
Tour, Surjit <surjittour@wirral.gov.uk>
|
to:
|
john.brace@gmail.com
|
date:
|
15 January 2015 at 16:38
|
subject:
|
Blog Posting of Invoices
|
mailed-by:
|
wirral.gov.uk
|
Dear Mr Brace,
I refer to your inspection of documents under Section 15 of the Audit Commission Act 1998, in connection with the audit of the Council’s accounts for the financial year ending March 2014. You were provided with copies of certain invoices in compliance with Section 15 (a) of the 1998 Act, which entitles you to make copies of all or any part of the accounts and those other documents. In redacting certain parts of those invoices, the Council relied on Section 15 (3A) of the Audit Commission Act 1998, as amended, which relates to personal information.
I do not consider that your right to inspect and the right to have copies made of relevant documents, then entitles you to disclose such documents to the public nor does it entitle you to alter the Council’s redacted documents, which alteration constitutes processing of data. The Council has received a complaint from Dr Gareth Vincenti concerning a posting made on your blog on 1 December 2014 entitled:
“Do you want to know what 6 redacted legal invoices paid by Wirral Council on employment matters (including one from a consultant psychiatrist) state?
This posting included the copy of an invoice from Dr Vincenti which had been redacted by the Council. You had posted a second copy of the invoice, having altered part of the redactions to include information in green. You state on the blog posting:
“I’ve supplied both the original and a partly redacted copy of this as the original is heavily redacted. My additions are in green”.
I have had regard to the guidance of the Information Commissioner’s Office,“Social networking and online forums – when does the DPA apply?”
I consider that by altering the Council’s redactions to include additions in green, you have potentially processed personal data in breach of the Data Protection Act 1998, which additions include the address of an employee/or former employee of the Council which is capable of amounting to personal data and in the context of the invoice capable of amounting to the processing of sensitive personal data. I do not believe that you are entitled to rely on the exemption contained in section 36 of the Data Protection Act 1998, in that I consider you are using social media for non-domestic purposes. Section 36 contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. I am therefore requesting that you remove from your blog both copies of the invoice from Dr Vincenti immediately.
The Council considers that it may be necessary to report this matter to the Information Commissioner’s Office and Dr Vincenti may wish to take his own action in connection with your disclosing his personal data and the address referred to above.
Yours sincerely
Surjit Tour
Head of Legal & Member Services
and Monitoring Officer
Department of Transformation and Resources
Wirral Metropolitan Borough Council
Town Hall
Brighton Street
Wallasey
Wirral
CH44 8ED
Tel: 0151 691 8569
Fax: 0151 691 8482
Email:surjittour@wirral.gov.uk
Visit our website: www.wirral.gov.uk
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.clearswift.com
Appendix B
Section 15 of the Audit Commission Act 1998 (as amended by s.160 of the Local Government and Public Involvement in Health Act 2007)
15 Inspection of documents and questions at audit
(1)At each audit under this Act, other than an audit of accounts of a health service body, any persons interested may—
(a)inspect the accounts to be audited and all books, deeds, contracts, bills, vouchers and receipts relating to them, and
(b)make copies of all or any part of the accounts and those other documents.
(2)At the request of a local government elector for any area to which the accounts relate, the auditor shall give the elector, or any representative of his, an opportunity to question the auditor about the accounts.
(3)Nothing in this section entitles a person—
(a)to inspect so much of any accounts or other document as contains personal information within the meaning of subsection (3A) or (4); or
(b)to require any such information to be disclosed in answer to any question.
(3A) Information is personal information if–
(a) it identifies a particular individual or enables a particular individual to be identified; and
(b) the auditor considers that it should not be inspected or disclosed.
(4) Information is personal information if it is information about a member of the staff of the body whose accounts are being audited which relates specifically to a particular individual and is available to the body for reasons connected with the fact—
(a)that that individual holds or has held an office or employment under that body; or
(b)that payments or other benefits in respect of an office or employment under any other person are or have been made or provided to that individual by that body.
(5)For the purposes of subsection (4)(b), payments made or benefits provided to an individual in respect of an office or employment include any payment made or benefit provided to him in respect of his ceasing to hold the office or employment.
Appendix C – Email to external auditor Grant Thornton
from:
|
John Brace<john.brace@gmail.com>
|
reply-to:
|
john.brace@gmail.com
|
to:
|
Robin Baker <robin.j.baker@gt.com>
|
cc:
|
“Chris Whittingham (Grant Thornton)” <c.whittingham@uk.gt.com>
|
date:
|
18 January 2015 at 18:48
|
subject:
|
query about whether Grant Thornton gave permission to Wirral Council during the 2013/14 audit for personal information on invoices should not be inspected/disclosed
|
Dear Robin Baker & Chris Whittingham,
During the 2013/14 audit I exercised my inspection rights to inspect various invoices and receive copies of them for the 2013/14 financial year under s.15 of the Audit Commission Act 1998.
Last Thursday I received an email from Wirral Council that stated “In redacting certain parts of those invoices, the Council relied on Section 15 (3A) of the Audit Commission Act 1998, as amended, which relates to personal information.”
S.15 (3A) of the Audit Commission Act 1998 was amended in 2008 to state:
“(3A)Information is personal information if—
(a) it identifies a particular individual or enables a particular individual to be identified; and
(b) the auditor considers that it should not be inspected or disclosed.”
Could you confirm that as Wirral Council’s auditor at the time whether a determination was made by the auditor that personal information on an invoice for £3,060 from a Dr Gareth Vincenti dated 31st December
2013 was made and if so which elements on the invoice the auditor considered should not be inspected or disclosed?
Could you also confirm as Wirral Council’s auditor at the time whether any determination was made by the auditor about personal information on any of the invoices I requested for the 2013/14 year was made and
if so the particular invoices and particular information that the auditor considered should not be inspected or disclosed?
If the auditor was not asked to make any such a determination could you state this too?
Thanks,
John Brace
If you click on any of these buttons below, you’ll be doing me a favour by sharing this article with other people. Thanks: