ICO secures court-awarded compensation

ICO often say they can’t award compensation, but what they can do is – in criminal cases – make an application for the court to make an award (separate to any fines or costs). But as far as I know, until this case last week, they’d never done so:

https://www.mishcon.com/news/ico-recommends-compensation-awards-in-criminal-prosecution-case

Leave a comment

Filed under crime, damages, Data Protection, Data Protection Act 2018, Information Commissioner

A day to remember

I’ve written about this oddity before, but thought it was worth saying it again, because it can catch the *cough cough* best of us out. The oddity being that a bank holiday falling in any part of the United Kingdom counts as a non-working-day for the purposes of FOIA. So, as January 2nd (or the nearest substitute day) is a bank holiday in Scotland, it is not a working day for the purposes of calculating the maximum timescale for compliance with a request made under FOIA, despite the fact that Scotland has its own Freedom of Information (Scotland) Act 2002.

What “bank holiday” means, according to section 10(6) of FOIA, is 

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says 

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of The Banking and Financial Dealings Act 1971 also provide that the Queen can effectively remove or add a bank holiday “by proclamation”.

As the London Gazette records, on 23 July 2021 a proclamation was made by Her Majesty, providing that

We in pursuance of section 1(3) of the Banking and Financial Dealings Act 1971, do hereby appoint …Tuesday the twelfth day of July in the year 2022 to be a bank holiday in Northern Ireland

So those calculating when FOI responses to requests made in recent weeks are due, will need to factor in this extra day.

Leave a comment

Filed under Freedom of Information, access to information

High Court muddle over data protection regime

A relatively common error by those unaccustomed to the rather odd structure of the data protection statutory regime in the UK, is to look first to the Data Protection Act 2018 (“DPA”) for the applicable law, instead of the UK GDPR. This is despite the fact that the very first section of the DPA instructs us in how the regime works. Section 1(2) provides that “most processing of personal data is subject to the UK GDPR”, and then sections 1(4) and (5) explain that Parts 3 and 4 of the DPA deal with those parts of the regime (law enforcement processing and intelligence services processing) which are out of the scope of UK GDPR.

“Put me to one side” – says the DPA tactfully – “you should have picked up your copy of the UK GDPR first, and not me”.

Accordingly, the key provisions, and the basic principles, applying to most processing, are to be found in the UK GDPR.

The result of this relatively common error, is that people will sometimes cite, say, section 45 of the DPA in relation to a generic subject access request, when in fact, the applicable provision is Article 15 of the UK GDPR (section 45 applies to subject access requests to competent authorities for the purposes of law enforcement).

Occasionally, I have seen non-specialist lawyers make this mistake.

And now, I have seen a high court judge do the same. In a judicial review case in the High Court of Northern Ireland, challenging the accuracy of a child’s social care records, part of the claim (which was primarily an Article 8 human rights claim) was pleaded as also a breach of Article 5(1) and (6) of the “GDPR” (the correct pleading should have been, and maybe was, by reference to the UK GDPR) and Part 1 of the DPA. Article 5(1) of the UK GDPR contains the data protection principles.

The judge, however, stated that

It seems to the court that in fact the relevant part of the 2018 Act are sections 86 to 91 which set out the six data protection principles in relation to data processing.

This is simply wrong. Sections 86 to 91 of the DPA lay out the data protection principles only in relation to intelligence services processing (i.e. processing of personal data by the Security Service, the Secret Intelligence Service or by the Government Communications Headquarters).

It isn’t clear whether there was any discussion about this in the court (quite possibly not), but it appears not to have been picked up when the judgment was circulated in draft or published to the parties. As it is, it seems very likely that nothing turns on it. This is because the Part 4 DPA principles, like the Part 3 DPA principles, effectively mirror the principles in Article 5(1) UK GDPR, and so the analysis, for the purposes of the substantive matter, was sound.

So this was an error of form, more than substance.

However, there are some differences between the UK GDPR regime, the Part 3 DPA regime and the Part 4 DPA regime, and in different circumstances an error like this could result in an outcome which is wrong, and harmful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Data Protection Act 2018, GDPR, human rights, Ireland, judiciary, UK GDPR

Data Protection reform bill – all that? or not all that?

I’ve written an “initial thoughts” analysis on the Mishcon de Reya website of the some of the key provisions of the Data Protection and Digital Information Bill:

The Data Protection and Digital Information Bill – an (mishcon.com)

Leave a comment

Filed under adequacy, Data Protection, Data Protection Act 2018, Data Protection Bill, DPO, GDPR, Information Commissioner, PECR, UK GDPR

Data protection nonsense on gov.uk

It feels like a while since I randomly picked on some wild online disinformation about data protection, but when you get an itch, you gotta scratch, and this page of government guidance for businesses – “Get your business ready to employ staff: step by step” – specifically on “Personal data an employer can keep about an employee” certainly got me itching. It starts off sensibly enough by saying that

Employers must keep their employees’ personal data safe, secure and up to date.

This is true (Article 5(1)(f) and part of 5(1)(c) UK GDPR). And the page goes on to list some information can be “kept” (for which I charitably read “processed”) without employees’ permission, such as: name, address, date of birth, sex, education and qualifications, work experience, National Insurance number, tax code, emergency contact details, employment history with the organisation, employment terms and conditions, any accidents connected with work, any training taken, any disciplinary action. All pretty inoffensive, although I’m not sure what it’s trying to achieve. But then…oh my. Then, it says

Employers need their employees’ permission to keep certain types of ’sensitive’ data

We could stop there really, and snigger cruelly, Consent (aka “permission”) as a condition for processing personal data is complicated and quite frankly to be avoided if possible. It comes laden with quite strict requirements. The Information Commissioner puts it quite well

Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair…employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given

And let’s consider the categories of personal data the government page thinks employers should get “permission” to “keep”: race and ethnicity, religion, political membership or opinions, trade union membership, genetics [sic], biometrics, , health and medical conditions, sexual history or orientation.

But how quickly would an employer’s wheels grind to a halt if it couldn’t process personal data on an employee’s health “without her permission”? It would be unable to refer her to occupational health if she didn’t “permit” it. It would be unable to keep a record of her sickness absence if she withdrew her consent (consent should be as easy to withdraw as it is to give (see Article 7(3)). During the COVID pandemic, it would have been unable to keep a record of whether she had tested positive or not, if she said she didn’t want a record kept.

It’s nonsense, of course. There’s a whole range of gateways, plus a whole Schedule of the Data Protection Act 2018), which provide conditions for processing special categories of data without having to get someone’s consent. They include pressing social imperatives, like compliance with public health law, and promotion of equality of treatment and safeguarding of children or other vulnerable people. The conditions don’t apply across the board, but the point is that employees’ permission – their consent – is rarely, if ever, required when there is another compelling reason for processing their data.

I don’t really understand what need, what gap, the government page is trying to fill, but the guidance is pretty calamitous. And it is only likely to lead to confusion for business owners and employers, and runs the risk of pitting themselves against each other – with disputes arising – amidst the confusion.

BAH!

Now, that felt better. Like I say, sometimes it’s good to scratch that itch.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, Data Protection Act 2018, Let's Blame Data Protection, UK GDPR

Podcast on UK data protection reforms

My Mishcon de Reya colleague Adam Rose and I have recorded a short (25 minute) podcast on the government’s recent announcement of proposed data protection reforms.

UK Data Reform – what’s being proposed? (mishcon.com)

Leave a comment

Filed under adequacy, Data Protection, Data Protection Act 2018, GDPR, UK GDPR

Data reform – hot news or hot air?

I’ve written a piece for the Mishcon de Reya website on the some of the key proposals (for our client-base) in today’s data protection reform announcement.

Data protection law reform – major changes, but the (mishcon.com)

Leave a comment

Filed under adequacy, consent, cookies, Data Protection, Data Protection Act 2018, DPO, GDPR, Information Commissioner, international transfers, nuisance calls, PECR, UK GDPR

ICO to keep income from UK GDPR fines

This is a significant development – the Information Commissioner will now be able to keep up to £7.5m a year from penalties, to cover their litigation and debt recovery costs:

https://www.mishcon.com/news/ico-to-keep-money-from-uk-gdpr-fines

Leave a comment

Filed under Data Protection, DCMS, GDPR, Information Commissioner, monetary penalty notice, UK GDPR

GDPR reprimands for Cabinet Office, UKIP, CPS & ors

A piece by me just uploaded to the Mishcon de Reya website, on an FOI disclosure to me of the most recent reprimands under GDPR/ UK GDPR issued by the Information Commissioner

ICO reprimands Cabinet Office, UKIP, CPS and others for (mishcon.com)

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner, Cabinet Office, GDPR, UK GDPR

Commons Committee report on Cabinet Office FOI “Clearing House”

I’ve written on the Mishcon website about the PACAC report on the Clearing House.

Leave a comment

Filed under Freedom of Information, Information Commissioner