UK GDPR Resource

My firm Mishcon de Reya have created a version of the UK’s post-Brexit version of GDPR as there isn’t yet an official version. What’s more, we’ve added in links to the Recitals, and made it freely available.

The announcement is here. The actual UK GDPR is here.

Ain’t we kind?

Leave a comment

Filed under Data Protection, GDPR, UK GDPR

Search and (don’t) destroy

Martin Lewis’s Money Saving Expert (MSE) site reports that over £1m is apparently held by Highways England (HE) in respect of Dartford Crossing pre-paid online accounts (Freedom of Information requests were apparently used to establish the amount). It is of course by no means uncommon for money to lie dormant in money accounts – for instance, banks across the world hold fantastic sums which never get claimed. MSE itself suggests elsewhere that the total amount in the UK alone might be around £15bn – but what these FOI requests to HE also revealed is an approach to retention of personal data which may not comply with HE’s legal obligations.

People appear to have received penalty charges after assuming that their pre-paid accounts – in credit when they were last used – would still cover the crossing charge (even where the drivers had been informed that their accounts had been closed for lack of use). MSE reports the case of Richard Riley, who

had been notified by email that his account would be closed, but he’d wrongly assumed it would be reactivated when he next made the crossing (this is only the case if you cross again within 90 days of being notified). On looking into it further, Richard also realised he had £16 in his closed account

However, HE apparently explained to MSE that

…it’s unable to reopen automatically closed accounts or automatically refund account-holders because it has to delete personal data to comply with data protection rules.

This cannot be right. Firstly, as the MSE article goes on to explain, if someone suspects or discovers that they have credit in a closed Dartford Crossing account, they can telephone HE and “any money will be paid back to the debit or credit card which was linked to the account. If this isn’t possible, a refund will be issued by cheque.”

So HE must retain some personal data which enables them to confirm whose money it is that they hold. But if it is true that HE feels that data protection law requires them to delete personal data which would otherwise enable them to refund account-holders when accounts are closed, then I fear that they are misreading two of the key principles of that law.

Article 5(1)(e) of the UK GDPR (the “storage limitation principle”) requires that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (emphasis added), and Article 5(1)(c) ( the “data minimisation principle”) requires that personal data be “limited to what is necessary in relation to the purposes for which they are processed” (emphasis added). Both of these make clear that where personal data is still needed for the purposes for which it is processed, then it can (and should) be retained. And when one adds the point, under Article 5(1)(c), that personal data should also be “adequate” for the purposes for which it is processed, it becomes evident that unnecessary deletion of personal data which causes a detriment or damage to the data subject can in itself be an infringement.

This matter is, of course, on a much lower level of seriousness than, for instance, the unnecessary destruction of landing cards of members of the Windrush Generation, or recordings of witnesses in the Ireland Mother and Baby Homes enquiry, but it strikes me that it is – in general – a subject that is crying out for guidance (and where necessary enforcement) by the Information Commissioner. Too many people feel, it seems, that “data protection” means they have to delete, or erase or destroy personal data.

Sometimes, that is the worst thing to do.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, adequacy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

You don’t “register” with the ICO

“Data protection public register…find organisations and people registered with the ICO under the Data Protection Act”, says the Information Commissioner’s Office (ICO) website. Which is funny, because you can’t register with the ICO under the Data Protection Act.

Under the now-repealed 1995 European Data Protection Directive, given domestic effect in the UK by the now-repealed Data Protection Act 1998 (DPA98), all data controllers had to notify with their version of the ICO (unless they were exempt from doing so). And under section 19 of the now-repealed DPA98, the ICO had to keep a register and make it publicly available. The obvious way of doing that was to put it online.

It was a criminal offence to process personal data and not be notified (registered) with the ICO.

But, the General Data Protection Regulation (aka GDPR, and now to be known as the “EU GDPR”), did away with statutory notification as a matter of European law (on the grounds that it achieved nothing, and was an administrative headache). In the UK, where (as part of the notification scheme) controllers had to pay a fee to the ICO, this risked a major budget shortfall for the ICO. So, cleverly, we passed law that requires controllers to pay a fee purely to fund the ICO’s data protection work (the explanatory memo to that law even says it is “to make provision to ensure that the [Information Commissioner] has the financial resources necessary for the performance of her tasks and exercise of her powers”. Failure to pay this fee is a civil wrong, punishable by the imposition of a civil monetary penalty (of up to £4350). There is no requirement for the ICO to maintain a register, no requirement for it to be made public, and it is certainly not the case that what they do publish is a register of people “registered with the ICO under the Data Protection Act”.

What they publish is a non-statutory register of controllers who’ve paid their fee. Presence on that register says nothing other than that the controller has paid its fee.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

Oil well not personal data shock

In news that should surprise no one, the Information Commissioner’s Office (ICO) has ruled that the locations of two oprhaned oil or gas well bores do not amount to personal data, for the purposes of the Environmental Information Regulations 2004 (EIR).

Perhaps more interestingly, the ICO cites the much-derided-but-probably-still-good-law case of Durant:

The Commissioner accepts that placing the two addresses into the public domain would allow the [owners of the land] to be identified. However, she does not consider that the information that would be revealed via disclosure “relates to” those individuals and it is therefore not their personal data…

And specifically refers to the famous dicta of Mr Justice Auld (as he was) from the Durant case

Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity

So, at least for now, oil wells will stay out of the list of Things Which Have Been Found to be Personal Data.

And as my esteemed colleague Adam Rose notes, oil’s well that ends well. Pun complaints should be addressed here.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner

ICO and Article 27 representative liability

The ever-entertaining (but more importantly, ever-illuminating) Tim Turner has made available a recording of a webinar he did recently on the subject of representatives under Article 27 of the EU GDPR and the UK GDPR. Such representatives are required to be designated by controllers or processors who are outside the relevant jurisdiction, but who are subject to the extra-territorial provisions of Article 3(2) of EU GDPR or UK GDPR (thus, under Article 27 EU GDPR, a company outside the EU but offering goods or service to, or monitoring the behaviour of, data subjects in the EU, must appoint a representative in the EU, and under Article 27 UK GDPR, a company outside the UK but offering goods or service to, or monitoring the behaviour of, data subjects in the UK, must appoint a representative in the UK).

Tim’s webinar deals, in part, with what is expected of representatives, but also touches on their potential liability, and he points to – but doesn’t actually address – a remarkable assertion on the website of the Information Commissioner’s Office (ICO)

The EDPB’s view is that supervisory authorities are able to initiate enforcement action (including fines) against a representative in the same way as they could against the controller or processor that appointed them.

I describe this as remarkable, because it seems to completely misrepresent the guidance (of the European Data Protection Board) to which it refers (and links).

The issue of representative liability is an important one – many companies offer a contracted service under which they will act as a representative, and a commercial evaluation of such a service will inevitably need to consider whether being a representative exposes oneself to the possibility of regulatory action. Recital 80 of the EU GDPR and the UK GDPR says “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor” and much debate is there to be had on what it means. But the EDPB’s view is pretty clear, and it’s nothing like the view attributed to it by the ICO

The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union. It should however be noted that the concept of the representative was introduced precisely with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative… [emphasis added]

(It goes on to say that a representative will be directly liable only to the extent that it is infringing its direct obligations – namely to provide information to a supervisory authority under Article 58(1)(a) of GDPR, and to maintain a record of processing activities under Article 30.)

Whether the ICO’s assertion represents what it thinks a proper reading of the UK GDPR (including recital 80) should be, is an interesting question. The EDPB is, of course, no part of the UK GDPR regulatory and legal scheme, so ICO is free to disregard its views. What it shouldn’t be free to do though, really, is to attribute to the EDPB a position totally at odds with what the EDPB actually says.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, EDPB, EU representative, GDPR, Information Commissioner, UK GDPR

High Court – subject access, breach of confidence and the offence of reidentification (part 2)

In June last year I wrote about an unsuccessful strike-out application by the defendant in the High Court in proceedings arising from a very unfortunate incident, whereby Lambeth Council had imperfectly redacted highly sensitive data when responding to a subject access request.

The requester was the father (“AM”) of a child about whom a referral had been made to Lambeth social services, and the person whose identity was inadvertently revealed (when AM disapplied redactions made using Adobe software) was the person who made the referral – “HJ” – who happened to be AM’s sister.

The substantive proceedings have now come to trial, with a judgment now published (London Borough of Lambeth v AM (Judgment No. 2) [2021] EWHC 186 (QB)). Unsurprisingly, the judge held that AM acted in breach of confidence by removing the redactions, by retaining a copy of the information and refusing to return or destroy it, and by using the information to write a letter before action accusing HJ of malicious defamation, breach of confidence and harassment.

There were no further allusions to an apparent criminal prosecution of AM by the Information Commissioner’s Office. One waits to see if further news about that emerges.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, local government

ICO statutory duty to promote economic growth

From time to time I can be a bit critical of the Information Commissioner’s Office (ICO). Indeed, in the past I may have criticised them for appearing to promote things or exercise their functions in a way that exceeded what their core role is. For instance, I may have queried why they frequently appear to be cheer-leading for innovation and digital economic expansion (not that I think those things are inherently to be avoided).

But it’s important to note that their functions are not limited to regulation of specific laws. Rather, under section 108 of the Deregulation Act 2015, and (made under that Act) The Economic Growth (Regulatory Functions) Order 2017, the ICO, as well as a host of other regulators, has a statutory duty to exercise her regulatory functions (other than those under FOIA, interestingly) with regard to the desirability of promoting economic growth. In particular, she has to consider the importance for the promotion of economic growth of exercising the regulatory function in a way which ensures that regulatory action is taken only when it is needed, and any action taken is proportionate.

Additionally, under section 110 of the Deregulation Act 2015 ICO (and other regulators) must also have regard to this guidance: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/603743/growth-duty-statutory-guidance.pdf

When people (again, I should include myself) question, for instance, the paucity in the UK of low-level GDPR fines for low-level infringements, they should take into account these provisions.

Whether this aspect of the Deregulation Act 2015 is actually reconcilable with the provisions of the GDPR (and, now, the UK GDPR) is a separate question. In principle, there need not be a clash between the promotion of economic growth and the regulation of compliance with the duty to observe the fundamental right to protection of personal data, but in practice, such clashes tend to occur.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, Uncategorized

Dashcams and domestic purposes

What do people use dashcams and cameras on cycle helmets for? I’m sure that some (especially in the latter group) use them to capture footage of interesting journeys they have made. But a considerable proportion of users – surely – use them in the event that the user is involved in a road traffic incident. Indeed the “National Dash Cam Safety Portal”, although provided by a commercial organisation selling cameras, is operated in partnership with, and enables upload of footage to, police forces in England and Wales, and its FAQ clearly inform people of the evidential nature and implications of such footage. And a recent piece on the “Honest John” website suggests that one in four dashcam submissions result in a prosecution. Whatever the intentions were of the people who used those dashcams to record that footage, it is undeniable that the outcome of the processing of personal data involved had a significant effect on the rights of those whose data was processed.

Article 2 of the UK GDPR says that the law’s scope does not extend to processing of personal data “by a natural person in the course of a purely personal or household activity”, and the case law of the Court of Justice of the European Union (at least insofar as such case law decided before 1 January 2021 is retained domestic law – unless departed from by the Court of Appeal or the Supreme Court) makes clear that use of recording cameras which capture footage containing personal data outwith the orbit of one’s property cannot claim this “purely personal or household activity” exemption (see, in particular the Ryneš case).

Yet the position taken by the authorities in the UK (primarily by the Information Commissioner’s Office (ICO)) largely fails to address the difficult issues arising. Because if the use of dashcams and helmet cams, when they result in the processing of personal data which is not exempt under under the “purely personal and household exemption, is subject to data protection law, then those operating them are, in principle at least, obliged to comply with all the relevant provisions of the UK GDPR, including: compliance with the Article 5 principles; providing Article 13 notices to data subjects; complying with data subject request for access, erasure, etc. (under Articles 15, 17).

But the ICO, whose CCTV guidance deals well with the issues to the extent that domestic CCTV is in issue, implies that use of dashcams etc, except in a work context, is not subject to the UK GDPR. For instance, its FAQs on registering as a data protection fee payer say “the use of the dashcam in or on your vehicle for work purposes will not be considered as ‘domestic’ and therefore not exempt from data protection laws”. It is very difficult to reconcile the ICO’s position here with the case law as exemplified in Ryneš.

And what raises interesting questions for me is the evidential status of this dashcam and helmet cam footage, when used in prosecutions. Although English law has traditionally tended to take the approach that evidence should be admitted where it is relevant, rather than excluding it on the grounds that it has been improperly obtained (the latter being a species of the US “fruit of the poisoned tree” doctrine), it is surely better for a court not to be faced with a situation where evidence may have been obtained in circumstances involving illegality.

If this was a passing issue, perhaps there would not need to be too much concern. However, it is clear that use of mobile video recording devices (and use of footage in criminal, and indeed civil, proceedings) is increasing and will continue to do so, at the same time as access to such devices, and the possibility for their covert or surreptitious use, also increases. It is, no doubt, a tremendously tricky area to regulate, or event to contemplate regulating, but that is no reason for the ICO to duck the issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, crime, Data Protection, Information Commissioner, police

FOI – there’s no (jurisdictional) limits

Practitioners tend to have a few mantras about the Freedom of Information Act 2000 (FOIA). Some of those mantras admit of exceptions (“it’s requester and motive blind” may, for instance, fall away where the wider context of the request needs to be considered in “vexatious” cases) but the mantra that “anyone, anywhere can make a request” had never been seriously challenged, until recently.

In conjoined cases, the First tier Tribunal – apparently, one understands, of its own volition – had raised an issue as to whether FOIA did indeed have extra-territorial application – contrary to the standard approach to statutory construction whereby UK legislation applies only to those who are citizens of the UK, or on its territory – such that requests could be made by anyone, anywhere in the world.

If the Tribunal had decided that the standard approach applied, and no extra-territorial effect was in place, there would have been a significant diminution of rights, and a consequent diminution in the accountability of public authorities. More practically, we would have no doubt seen, at least from some public authorities, identity verification measures being directed at requesters.

Thankfully, the Tribunal decided that there was extra-territorial effect, in a decision handed down orally on 27 January (with written reasons to follow).

There are posts about the case(s) on both Cornerstone Barristers’ and Doughty Street’s websites.

Leave a comment

Filed under Freedom of Information, Information Tribunal, transparency

Start the DSAR countdown (but how?)

A while ago I wrote a piece on the Mishcon de Reya website pointing out that the Information Commissioner’s Office (ICO) had silently changed its guidance on how to calculate the “one month” timescale for responding to a subject access request under the General Data Protection Regulation (or “GDPR” – which is now domestic law in the form of the amended retained version of the GDPR, aka “UK GDPR”).

The nub of that piece was that the ICO (following the legal precedents) was now saying that “You should calculate the time limit from the day you receive the request“. Which was a change from the previous position that “You should calculate the time limit from the day after you receive the request “.

I have noticed, however, that, although the ICO website, in its UK GDPR guidance, maintains that the clock starts from the date of receipt, the guidance on “Law Enforcement Processing” (which relates to processing of personal data by competent authorities for law enforcement purposes under part 3 of the Data Protection Act 2018 (DPA), which implemented the Law Enforcement Directive) states that the time should be calculated

from the first day after the request was received

It’s not inconceivable (in fact I am given to understand it is relatively common) that a some controllers might receive a subject access request (or other data subject request) which must be dealt with under both the UK GDPR and the Law Enforcement Processing provisions (police forces are a good example of this). The ICO’s position means that the controller must calculate the response time as starting, on the one hand, on the date of receipt, and, on the other hand, on the day after the date of receipt.

And if all of this sounds a bit silly, and inconsequential, I would argue that it is certainly the former, but not necessarily the latter: failure to comply within a statutory timescale is a breach of a statutory duty, and therefore actionable, at least in principle. If the ICO really does believe that the timescale works differently under different legal schemes, then how, for instance can it properly determine (as it must, when required to) under Articles 57(1)(f) and 77(1) of the UK GDPR, or section 51(2) of the DPA, whether there has been a statutory infringement?

Statutory infringements are, after all, potentially actionable (in this instance either with regulatory action or private action by data subjects) – the ICO maintains a database of complaint cases and publishes some of this (albeit almost two years in arrears), and also uses (or may use) it to identify trends. If ICO finds that a controller has made a statutory infringement, that is a finding of potential significance: if that same finding is based on an unclear, and internally contradictory, interpretation of a key aspect of the law, then it is unlikely to be fair, and unlikely to be lawful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, subject access, UK GDPR, Uncategorized