Was the Queen’s Funeral day a FOIA “working day”?

Under the Freedom of Information Act 2000 a public authority must respond to a request for information within 20 working days. For obvious reasons “working day” does not include a bank holiday. Does this mean that for FOIA requests made before Monday 19 September 2022 (the bank holiday in recognition of the late Queen’s funeral) public authorities and requesters must add an extra day when calculating when a response to the request is due? The jury is out.

Section 10(6) of FOIA defines a “working day” as

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule to that 1971 Act therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of the 1971 Act go on to add that the Sovereign can effectively remove or add a bank holiday “by proclamation”, and this was the means by which 19 September was made a bank holiday.

(In passing it’s interesting to note that those sections of the 1971 Act refer to proclamations by “Her Majesty”. Clearly “Her Majesty” could not have made the proclamation. However, by section 10 of the Interpretation Act 1978 “In any Act a reference to the Sovereign reigning at the time of the passing of the Act is to be construed, unless the contrary intention appears, as a reference to the Sovereign for the time being”.)

But the question of whether the 19 September should be classed as a working day or not for the purposes of FOIA requests which were already running, might turn on the extent to which the general presumption at common law applies, whereby legislation is not intended to have retrospective effect. See, in this regard, Lord Kerr in Walker v Innospec Limited and others [2017] UKSC 47:

The general rule, applicable in most modern legal systems, is that legislative changes apply prospectively…The logic behind this principle is explained in Bennion on Statutory Interpretation, 6th ed (2013), Comment on Code section 97:

‘If we do something today, we feel that the law applying to it should be the law in force today, not tomorrow’s backward adjustment of it.’

An exception to the general rule will only apply where a contrary intention appears.

It might be said, though, that the proclamation of a bank holiday, pursuant to a statutory power, is not in itself a legislative change to which the general rule against retrospectivity applies. I’m not sure there’s a clear answer either way.

Whether public authorities should have one extra day for a FOIA request is clearly not a constitutional issue which should trouble the great minds of our generation (although I know plenty of FOI teams and officers who are judged on their performance against indicators such as response times). Nonetheless, I asked the ICO this week what their view was, and the answer that came back was that they didn’t have a settled position on the issue, but that, in the event of a subsequent complaint about whether a deadline had been met, they would take all the circumstances into account (which I take to mean that they are unlikely to criticise a public authority whichever way it decided to approach the question).

Shortly after initially uploading this post, I was contacted by someone who pointed out that the New Zealand parliament has specifically legislated to give retrospective “non-working-day” effect to its own extraordinary bank holiday. This would seem to reinforce the point about the presumption against retrospectivity unless there’s an express intention to the contrary.

So it probably doesn’t matter, and probably no one really cares. But I enjoyed thinking about it.

Leave a comment

Filed under Freedom of Information, Information Commissioner, access to information

Data Protection reform Bill on ice

A piece by me on the Mishcon de Reya website on yesterday’s news that the Data Protection and Digital Information Bill has been paused

https://www.mishcon.com/news/data-protection-reform-progress-paused

Leave a comment

Filed under Data Protection, Data Protection Bill

Breaking the code

Bletchley Park’s use of adtech means you can’t opt out of non-essential cookies and still access the website

I found this ironically sad.

Visit Bletchley Park’s website and one is presented with a cookie banner. If you’re like me you will deselect all but essential cookies – so no “preferences”, “statistics” or “marketing”

Regulation 6 of the Privacy and Electronic Marketing (EC Directive) Regulations 2003 (PECR) is behind this.

As much as one might find cookie banners annoying, they are a result of cookies being inherently intrusive. They are code placed on one’s terminal equipment; sometimes they are essential for a website’s functioning (in which case they can be placed without consent) and sometimes they are merely useful (but not essential) for the user or the operator – perhaps to get analytics, or remember preferences, or deliver targeted advertising (in which case user consent is required).

The problem with the Bletchley site is that if one refuses “non-essential” cookies (I tried on Edge, Chrome and Safari mobile), they turn out to be rather essential, because what one is left is this

I only spent a few minutes trying to work out if it was some clever puzzle you had to crack to gain access before I realised it was just poor configuration.

So, in fact, the non-essential cookies are actually essential.

I’m sure someone with some expertise in code can sort it out. It can’t be beyond the wit of those running Bletchley Park to configure a website so that it functions properly without interfering with visitors’ computers.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adtech, cookies, not-entirely-serious, PECR

ICO investigates collection of barristers’ names

News from the Mishcon de Reya website on data protection concerns arising from criminal barristers’ dispute with the MoJ

https://www.mishcon.com/news/information-commissioner-investigates-collection-of-criminal-barristers-names

Leave a comment

Filed under Data Protection, fairness, Information Commissioner, Ministry of Justice, UK GDPR

OMG – OCG attacks HMRC

ICO declines to take action after 1000 HMRC customer records apparently altered in 2020 by Organised Crime Gang and used to make fraudulent claims

Rather hidden away on the Information Commissioner’s Office (ICO) website is information, disclosed under the Freedom of Information Act 2000 (FOIA), in relation to an ICO investigation of a security incident involving HMRC, and an organised crime gang (OCG).

It appears that, in June 2020, an OCG had used 193 genuine National Insurance Numbers (NINOs) which it had managed to “hijack” (it is not clear how) from external sources, and set up bogus Government Gateway (GG) accounts. This subsequently “enabled the OCG to carry out enrolments on the bogus GG accounts of genuine Self-Assessment customer Unique Tax References”, which in turn enabled the submission of fraudulent tax returns with the aim of the OCG being to make fraudulent expenses claims.

It was also discovered that details of 130 of the data subjects whose NINOs had been compromised were also used to “utilise” the DWP universal credit service.

HMRC did not become aware of this incident until 2 December 2020, and it notified the ICO (pursuant to its obligations under Article 33 GDPR) on 14 December 2020.

Details of the incident also appear to be contained in HMRC’s Annual Report for the period in question, where (at page 188) it refers to an incident involving 1023 people where “Personal information [was] used to make changes to customer records on HMRC systems without authorisation”.

There are many redactions in the information that the ICO has now published, but the headline point is that it did not view the incident as a serious enough infringement of HMRC’s obligations under GDPR so as to warrant a monetary penalty. The ICO noted that

…there is no indication that any of the originating personal data used to commit the fraud was obtained from HMRC.

However, it does appear that some people might have lost money, although this has since been repaid to them:

…any repayments due to genuine customers have been (or will be) made good…and therefore all the financial losses will be HMRC’s.

Also redacted are what would probably be details of systems changes that HMRC has taken or agreed to undertake as a result of the incident. These would, says the ICO

increase the protection applied to customer records and data and make stacks of this nature more difficult…

This wording suggests that the ICO felt that the level of protection had not been adequate, in line with HMRC’s security obligations under the GDPR. That being the case, the ICO must have decided that, in this instance, despite the infringement, it wasn’t necessary, or appropriate, to issue a fine or take other enforcement action.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, GDPR, HMRC, Information Commissioner, security

Cabinet Office “Clearing House” to be dismantled

By me, on the Mishcon de Reya website:

https://www.mishcon.com/news/cabinet-office-foi-clearing-house-to-be-dismantled

Leave a comment

Filed under Uncategorized

NADPO September webinar

NADPO’s next lunchtime webinar (after a short summer break) will be next month, on Tuesday 27 September at 12.30pm – 2pm, with David Renton, barrister, of Garden Court Chambers, on “Data, policing and equality law” and Rosemary Jay, senior consultant attorney at Hunton Andrews Kurth Chambers, on the ICO’s proposed strategy and how it sits (or doesn’t) with the proposed changes to the ICO role/relationship with others in the Data Protection and Digital Information Bill.

Attendance is free, as always, to NADPO members. If you are not a member but are interested in joining drop me a line at chair at nadpo dot co dot uk and I may be able to offer a free ticket on a trial basis.

Leave a comment

Filed under Uncategorized

No, 43% of retail businesses have NOT been fined for CCTV breaches

A bizarre news story is doing the rounds, although it hasn’t, as far as I can see, hit anything other than specialist media. An example is here, but all the stories contain similar wording, strongly suggesting that they have picked up on and reported on a press release from the company (“Secure Redact”) that undertook the research behind the story.

We are told that

research reveals that 43% of UK retailers reported that they had been fined for a violation of video surveillance GDPR legislation…Of these retailers, 37% reported paying an equivalent of 2% of their annual turnover, 30% said the fine amounted to 3% of annual turnover, and 15% said the fine was 45% [sic] of annual turnover…A staggering 33% of those fined also had to close stores as a result of enforcement action

The research was apparently based on a survey of 500 respondents in retail businesses (50% in businesses with less than 250 employees, 50% in businesses with more than 250).

What is distinctly odd about this is that since GDPR has been in force in the UK, including since it has become – post-Brexit – UK GDPR, there has been a sum total of zero fines imposed by the Information Commissioner in respect of CCTV. 43% of retail businesses have not been fined for CCTV infringements – 0% have.

You can check here (direct link to .csv file) if you doubt me.

It’s difficult to understand what has gone wrong here: maybe the survey questions weren’t clear enough for the respondents or maybe the researchers misinterpreted the data.

Whatever the reasons behind the stories, those in the retail sector – whilst they should certainly ensure they install and operate CCTV in compliance with GDPR/UK GDPR – should not be alarmed that there is a massive wave of enforcement action on the subject which threatens to put some of them out of business.

Because there isn’t.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, GDPR, Information Commissioner, monetary penalty notice, UK GDPR

ICO secures court-awarded compensation

ICO often say they can’t award compensation, but what they can do is – in criminal cases – make an application for the court to make an award (separate to any fines or costs). But as far as I know, until this case last week, they’d never done so:

https://www.mishcon.com/news/ico-recommends-compensation-awards-in-criminal-prosecution-case

Leave a comment

Filed under crime, damages, Data Protection, Data Protection Act 2018, Information Commissioner

A day to remember

I’ve written about this oddity before, but thought it was worth saying it again, because it can catch the *cough cough* best of us out. The oddity being that a bank holiday falling in any part of the United Kingdom counts as a non-working-day for the purposes of FOIA. So, as January 2nd (or the nearest substitute day) is a bank holiday in Scotland, it is not a working day for the purposes of calculating the maximum timescale for compliance with a request made under FOIA, despite the fact that Scotland has its own Freedom of Information (Scotland) Act 2002.

What “bank holiday” means, according to section 10(6) of FOIA, is 

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says 

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of The Banking and Financial Dealings Act 1971 also provide that the Queen can effectively remove or add a bank holiday “by proclamation”.

As the London Gazette records, on 23 July 2021 a proclamation was made by Her Majesty, providing that

We in pursuance of section 1(3) of the Banking and Financial Dealings Act 1971, do hereby appoint …Tuesday the twelfth day of July in the year 2022 to be a bank holiday in Northern Ireland

So those calculating when FOI responses to requests made in recent weeks are due, will need to factor in this extra day.

Leave a comment

Filed under Freedom of Information, access to information