A guest post by Dr David Erdos, University Lecturer in Law and the Open Society, University of Cambridge
In the run up to Christmas, the Information Commissioner’s Office (ICO) published a document entitled “Our new approach to data protection concerns”, which set out on a consultation basis how from 1 April 2014 it intends to deal with the concerns/complaints it receives vis-à-vis the Data Protection Act 1998.
It has been clear for some time that, rather in contrast to how it deals with complaints under the Freedom of Information Act 2000, the ICO’s approach to many of the approximately 40,000 Data Protection complaints it receives has been cursory. The proposals forwarded in the Consultation Document are nevertheless (to my mind at least) rather startling. In sum (and without any April Foolery intended!), the document states that from 1 April, the Office proposes to decide on its own account whether or not to assess the merits of a concern validly sent to it for assessment under the Data Protection framework. A quote on page 6 of the document is particularly enlightening. This states that in the future the ICO will respond to such concerns in the following fashion:
We may make an assessment under section 42 of the DPA where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client’s concern. We will decide how we can best tackle each concern on a case by case basis. (emphasis added)
(Relatedly, it also seems to be no accident that the consultation is squarely aimed at those who are regulated by the ICO i.e. Data Controllers (indeed all the discrete questions asked could only be answered by them!) even though such a radical proposal obviously has serious implications for Data Subjects as well).
The ICO’s suggested approach is hugely problematic from a rule of law point of view. Section 42 of the Data Protection Act is crystal clear that “any person who is, or believes himself to be, directly affected by any processing of personal data” may make a request for assessment to the ICO “as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions” of the Act. On receiving such a request the Commissioner “shall make an assessment” (s. 42 (1)) (emphasis added). This duty is an absolute one and whether it has been carried out must also be communicated to the person who made the request (s. 42 (4)). All this is a transposition of Article 28(4) of the Directive which states that:
Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.
The Directive particularly emphasises that the authority must hear claims for checks on the lawfulness of any restriction on Data Protection rights adopted by Member States under Article 13 of the Directive and that the person who made the claim shall “be informed that a check has taken place”. It is true that the UK legislation includes some language granting a degree of discretion to the Commissioner as to how he goes about making assessments. However, the obligation to carry out a legal assessment of processing vis-à-vis the Data Protection framework is mandatory. In contrast the ICO’s Consultation Document sees responding to concerns/complaints from the public with such an assessment as discretionary. From now on, it is suggested, a very large number of concerns/complaints will only be treated as a “source of intelligence” (p. 8) for the Office.
It is, of course, possible to have some sympathy for the ICO’s fear of being over-burdened by complaints, especially those which appear to be frivolous or vexatious. Even if this was accepted, however, one might reasonably worry about giving a regulatory agency, particularly one concerned with human rights, the sort of carte blanche discretion the ICO are envisaging in this Consultation. This discretion sits particularly uneasily with the pan-European commitment in the EU’s Charter of Fundamental Rights to recognise Data Protection as a discrete fundamental individual right, the duties arising from which are to be “subject to control” by the data protection agencies (Article 8). In any case, what is far more relevant from a rule of law perspective is that such a wide discretion is not part of the current legislative framework at either the national or the pan-EU level. To the contrary, the ICO has a statutory duty to consider all bona fide requests for assessment. This is a key right given to data subjects under the current Data Protection scheme. The ICO should not be seeking to unilaterally resile from it.
The ICO’s Consultation Document can be accessed here (http://www.ico.org.uk/about_us/consultations/our_consultations) and responses should be sent to firstname.lastname@example.org by 31 January 2014.
7 responses to “ICO’s Consultation on Responding to Data Protection Concerns: An April Fool or Worrying Implications for the Rule of Law?”
S.42(3) gives a lot of flexibility (see below for text of section) with the form of the assessment. Note the word “include” in S.42(3); it is a “flexible friend”.
The ICO is not saying he WON’T make an assessment; he can reasonably say something like (i.e. “include”): “Before making a formal assessment, I think it is appropriate in most cases for the data subject to make an effort to resolve the issue with the data controller because there is no matter of substance, if the issue is resolved”.
I think the ICO’s document is a reflection of the inadequate resources that the ICO has; he risks a policy that cuts the protection afforded to data subjects.
S.42(3) The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include—
(a) the extent to which the request appears to him to raise a matter of substance,
(b) any undue delay in making the request, and
(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.
Chris, I completely agree with you that s. 42 (3) grants some discretion to the ICO as to how it goes about making assessments – it is quite right that in carrying out an assessment it can and should take account of whether a matter of substance is involved or whether it seems frivolous, vexatious etc. However, it remains the case that, according to the current statutory scheme, such an assessment must in ALL cases satisfy s. 42 (1). In other words the ICO must still properly determine “whether it is likely or unlikely that the processing has been or is being carried out” in compliance with the Data Protection Act. Especially given the DPA’s unwelcome but well-deserved reputation for complexity, such a right to an expert opinion on legality is in principle a valuable one. (How it may have worked in practice is obviously another matter). The phrasing in the document that “[w]e MAY [as opposed to we WILL] make an assessment under section 42 of the DPA… where the customer has asked us to do so” (emphasis added) pretty clearly indicates that from 1 April the ICO intends to treat it as discretionary whether to carry out such an assessment at all (even in cases when an explicit, let alone implicit, request for this is made). That outcome would clearly undermine a key right given to data subjects under the DPA.