Keeping Mum

Dec 31, 2013 | Data Protection, DPA, ICO

I am not a great admirer of Mr John Hemming MP. I don’t know if it’s his show-off turns in the House of Commons to defend a woman who falsely accused her husband of being a paedophile or to breach super-injunctions involving other people’s personal lives. It could be his hysterical depiction of the recent case where a health authority applied for an emergency caesarean on an Italian woman. The fact that he once nominated himself for the News of the World’s ‘Love Rat of the Year’ award doesn’t help. If you really want to get the measure of him, use the search term ‘Hemming’ on Carl Gardner’s excellent website and lose several depressing hours.

So far, so what? Well, there is a Data Protection angle to Hemming’s antics that is worth a moment’s consideration. In the past few days, he has been banned from commenting on the website Mumsnet. A detailed account of the background can be found in the very entertaining Deepest Darkest Lomellina blog. He condescendingly described the ban as being put on the ‘naughty step’, but I think that rather plays it down. Commenting on a website while pissed is hardly conduct becoming of an MP (his comment “I may not be sober, but I am right” is a puny pretender to Tom Butler’s epic statement of inebriated entitlement “I am the Bishop of Southwark, it’s what I do”). Worse are crass attempts to reveal the real-life identities of Mumsnetters (people who may have very good reason to contribute without being identified). But the most worrying aspect is allegedly releasing a document that put him in contempt of court and revealed the names of children involved in a court case.

Hemming’s own account says blandly: “There has been an additional debate about the content of an Italian court order”, but the translation he provides makes no reference to the children’s names. When pressed on the issue of naming the children in the comments section of his blog, Hemming’s reply was opaque: “As Essex County Council implied it is not clear that the Italian court order that I posted in error (my emphasis) did contravene any particular law or English court order. There is a complex jurisdictional question that applies here.”

Principle 7 of the Data Protection Act 1998 states that a Data Controller must take appropriate organisational and technical measures to prevent loss, theft, or damage to personal data, and crucially, “unauthorised or unlawful processing of personal data”. Hemming’s version confirms that he accidentally posted some of the Italian Court Order, but he appears to be unwilling to comment on the naming of the children despite being pressed to do so. If he was able to say ‘I didn’t name them’ or ‘their names are all over the internet’, I imagine he would have leapt on that defence and as far as I can see, he hasn’t.

** UPDATE: The first comment below is very compelling. I very much doubt that Mr Hemming can claim that he did not reveal any personal data, or that the data was widely known in Italy. **

Whether he chose the wrong document or – as the Deepest Darkest Lomellina blog implies – didn’t understand enough Italian to know what he was posting, there is an incident involving the publication of a court document. Whether this means Mr Hemming has breached the Seventh Principle depends on whether it contained personal data, and on what measures he has taken to prevent documents containing personal data from being published inadvertently on Mumsnet. Human error is not a breach of the Seventh Principle, but poor training, a lack of checks before publication or an inadequate grasp of Italian when handling documents in that language could well be.

I cannot pretend to be an expert in contempt of court – as Mr Hemming himself said, it’s a complex jurisdictional question. But if there is a possibility that publication of the document was in contempt, then it is likely that the incident involves a breach of the first Data Protection principle. It would be neither fair nor lawful to publish the data in these circumstances – which condition could Mr Hemming meet for putting personal data on Mumsnet? The publication might even engage the third principle, which demands that the processing of personal data should not be excessive. None of this should be taken to imply that Hemming *has* breached the DPA, but I do not believe that the question should lie unanswered.

The Information Commissioner certainly regards MPs as individual data controllers for the purposes of the DPA – a few years ago, he obtained an undertaking from Oliver Letwin MP following his eccentric use of bins in St James Park to dispose of sensitive letters from constituents. Moreover, following the fines levied against both Islington and Aberdeen City Councils, it is clear that the ICO is willing to take serious enforcement action against Data Controllers who publish data on the internet without proper protections.

Regular readers of this blog will know that I am sceptical about whether Data Controllers should submit themselves to the pain of an enforcement investigation just because of a random cock-up. But Mr Hemming is an MP, and should ensure that laws are upheld as well as made. He is also a devotee of transparency – in the Family Courts, in Ryan Giggs’ marriage – and so I am certain that he would want this incident to be openly and properly investigated.

Therefore, unless Mr Hemming can categorically state that he did not reveal any personal data on Mumsnet, he should report himself to the Information Commissioner immediately. And if he doesn’t, someone else should.