On the 4th March the Supreme Court handed down judgment in the conjoined cases of Catt and T v Commissioner of Police of the Metropolis ([2015] UKSC 9). Almost unanimously (there was one dissenting opinion in Catt) the appeals by the Met were allowed. In brief, the judgments held that the retention of historical criminal conviction data was proportionate. But what I thought was particularly interesting was the suggestion (at paragraph 45) by Lord Sumption (described to me recently as “by far the cleverest man in England”) that T‘s claim at least had been unnecessary:
[this] was a straightforward dispute about retention which could have been more appropriately resolved by applying to the Information Commissioner. As it is, the parties have gone through three levels of judicial decision, at a cost out of all proportion to the questions at stake
and as this blog post suggests, there was certainly a hint that costs might flow in future towards those who choose to litigate rather than apply to the Information Commissioner’s Office (ICO).
But I think there’s a potential justice gap here. Last year the ICO consulted on changing how it handled concerns from data subjects about handling of their personal data. During the consultation period Dr David Erdos wrote a guest post for this blog, arguing that
The ICO’s suggested approach is hugely problematic from a rule of law point of view. Section 42 of the Data Protection Act [DPA] is crystal clear that “any person who is, or believes himself to be, directly affect by any processing of personal data” may make a request for assessment to the ICO “as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions” of the Act. On receiving such a request the Commissioner “shall make an assessment” (s. 42 (1)) (emphasis added). This duty is an absolute one
but the ICO’s response to the consultation suggested that
We are…planning to make much greater use of the discretion afforded to us under section 42 of the legislation…so long as a data controller has provided an individual with a clear explanation of their processing of personal information, they are unlikely to need to describe their actions again to us if the matter in question does not appear to us to represent a serious issue or we don’t believe there is an opportunity for the data controller to improve their information rights practice
which is problematic, as section 42 confers a discretion on the ICO only as to the manner in which an assessment shall be made. Section 42(3) describes some matters to which he may have regard in determining the manner, and these include (so are not exhaustive) “the extent to which the request appears to him to raise a matter of substance”. I don’t think “a matter of substance” gets close to being the same as “a serious issue”: a matter can surely be non-serious yet still of substance. So if the discretion afforded to the ICO under section 42 as to the manner of the assessment includes a discretion to rely solely on prior correspondence between the data controller and the data subject, this is not specified in (and can only be inferred from) section 42.
Moreover, and interestingly, Article 28(4) of the European Data Protection Directive, which is transposed in section 42 DPA, confers no such discretion as to the manner of assessment, and this may well have been one of the reasons the European Commission began protracted infraction proceedings against the UK (see Chris Pounder blog posts passim).
Nonetheless, the outcome of the ICO consultation was indeed a new procedure for dealing with data subjects’ concerns. Their website now says
Should I raise my concern with the ICO?
If the organisation has been unable, or unwilling, to resolve your information rights concern, you can raise the matter with us. We will use the information you have provided, including the organisation’s response to your concerns, to decide if your concern provides an opportunity to improve information rights practice.
If we think it does provide that opportunity, we will take appropriate action
“Improving information rights practice” refers to the ICO’s general duties under section 51 DPA, but what is notable by its absence there, though, is any statement that the ICO’s general duty, under section 42, to make an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the DPA.
Lord Sumption in Catt (at 34) also said that “Mr Catt could have complained about the retention of his personal data to the Information Commissioner”. This is true, but would the ICO have actually done anything? Would it have represented a “serious issue”? Possibly not – Lord Sumption describes the background to Mrs T’s complaints as a “minor incident” and the retention of her data as a “straightforward dispute”. But if there are hints from the highest court of the land that bringing judicial review proceedings on data protection matters might results in adverse costs, because a complaint to the ICO is available, and if the ICO, however, shows reluctance to consider complaints and concerns from aggrieved data subjects, is there an issue with access to data protection justice? Is there a privacy justice gap?
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 
The Information Commissioner’s approach to assessments is wholly unfair and based solely on their obsession with targets and backlogs. The complainant who stamps their foot and demands an assessment almost always gets one. The complainant who realises the assessment outcome is wrong and stamps their foot gets a case review by a more senior officer.
The complainant who doesn’t know all this gets turned away, all because the ICO doesn’t make quick decisions, and so builds up heaps of casework.
That has certainly been my experience.
Dear Information Rights and Wrongs
I am very interested to read of a potential information justice gap. What will happen in future court cases? Will this have the potential to affect all cases throughout England and Wales?
Thank you very much
Rosemary Cantwell
Hi Rosemary – I only really see it as a potential gap. Lord Sumption’s judgment certainly seemed to imply that judicial review might not be the appropriate means of challenge when there is a right of complaint to the ICO. Whether he would have said the same when it came to statutory claims under the DPA is a different matter. But I do think Tim Turner’s comment here is apposite – I’m not convinced the ICO always investigates data subjects’ complaints with sufficient vigour or robustness.
However, yesterday’s Vidal-Hall judgment might have righted the balance somewhat (see my latest post).
Dear Information Rights and Wrongs
Thank you very much for your speedy response and to look at your next post.
I know that there has been a Triennial Review of the ICO and Commissioner this winter and wonder if you have any knowledge of what happened in it please?
I am most grateful to you for your blog
Rosemary
Many thanks Rosemary. As far as I know the MoJ report of the Triennial Review has not been published yet. I might make some enquiries into what’s happened with it.
Thank you very much – I think we are in limbo at present with the ICO.
The case of Ms T exposes serious issues. To my mind, it is doubtful she was well represented. Oddly S10 of the DPA barely came into the argument. She was under eighteen and on legal aid, otherwise her case would have been too expensive to bring – expect costs c £250K.
What is clear to me is:
* The ICO has long known there are serious issues with Police Forces not complying with Sections 7 & 10 of the DPA concerning providing information when requested and removing if it is damaging.
2. The Metropolitan Police has no credible procedures concerning what information should be provided on request and how long various categories of information should be retained.
I was given a harassment warning based on false allegations which the police will not investigate. The police then unlawfully arrested me due to damaging information they held about me.
I am currently suing for unlawful arrest under the Human Rights Act and wondering how to include my rights und S10 of the Data Protection Act.
Any ideas anyone?
About the ICO and Metropolitan Police(Nudge, Nudge, Wink, Wink):
1. The ICO has long known that the Metropolitan Police has not been complying with S7 & S10 of the DPA. It has done nothing more effective than liaising.
2. When I contacted the ICO, the response was I should refer the matter to the court which a very expensive matter. This is because the referral has to be to the High Court as the plaintiff is essentially complaining about overturning a decision by a public body.
3. The ICO is arguably not adding value and appears to serve no purpose.
The judges comments in the MS T case suggest the ICO should have done more without specifying what they expected. I wonder what they had in mind?