Following recent revelations made by The Mirror, Oliver Letwin has undoubtedly been forced to adopt a more conventional filing system. On approximately five separate occasions throughout September and early October the Prime Minister’s policy advisor (and MP for West Dorset) was seen discarding handfuls of paper work into public bins close to Downing Street. Whilst the various correspondences and documents were clearly considered to be redundant or unimportant by the MP, for The Mirror they were journalistic gold, and were therefore retrieved from amidst empty Coke cans and used train tickets. Totalling in excess of 100 sheets, the papers allegedly relate to a diverse array of individuals (including the Dalai Lama, Philip Green, Tony Blair and Letwin’s own constituents) and topics (from “The Big society” to al-Qaeda and British security).
There is no doubting that Oliver Letwin’s actions went against protocol, eliciting an apology from the MP and described as “not a sensible way to dispose of documents” by a No.10 spokeswoman. Indeed whilst the Cabinet Secretary, Gus O’Donnell, has stated he is satisfied that none of the papers in question were of a classified or sensitive nature, the Information Commissioner’s Office is, nonetheless, investigating the case to deduce whether or not Letwin’s actions were in breach of Data Protection Laws.
“Bin-gate” was not however the only (potential) breach of data protection to have been discovered in the past few weeks, though it certainly received the most national media attention. A housing group based in Dorset (Letwin’s neck of the woods) was found to have emailed the personal details of 200 employees to the wrong external email address clearly breaching data protection. Furthermore in Scotland, the Dumfries and Galloway council accidentally published the names, salaries and dates of birth of almost 900 employees (past and present) in response to an FOI request. The information could be viewed on the council’s website for over two months and was only removed following complaints from a trade union and numerous individuals mentioned in the data. This accident broke the fundamental principles of data protection, intruding on the privacy of affected individuals and exposing them to identity fraudsters. It is telling (yet by no means surprising) that Oliver Letwin’s blunder has received so much more media attention, despite the fact that the severity of his actions is as yet unknown and potentially minimal.
Whilst the nature and consequences of these three cases differ, one common variable is present in all: human error. Through misjudgement and mistakes the most basic principles of data protection fail to be upheld. All too often we see politicians carrying confidential papers in transparent folders or hear of memory sticks holding volumes of important information being left on trains. Incidents like these would not look out of place in an episode of “The Thick Of It”. Fundamentally, Data Protection Laws are only as robust as the integrity of those entrusted to maintain and abide by them.
The Information Commissioner has recently called for the ICO to be given more powers to carry out compulsory data protection audits on local government, the NHS and the private sector, all of which have breached data protection repeatedly. Speaking at the 10th annual data protection compliance conference, Christopher Graham stressed how important it is to ensure that those handling data concerning members of the general public are acting within the rules. It will be interesting to see both whether his appeal is acted upon but also whether increased auditing can help identify or even minimize human errors which, given its nature, are particularly damaging to data protection.