Author Archives: Jon Baines

Subject access, Leeds United, and ****

[reposted from my LinkedIn account]

You’d have thought most football fans would be keen to prove they’d not attended a Leeds United match [#bantz], but when Melvyn Flower was told by the club he couldn’t renew his season ticket for next season, because he’d not used his current one often enough, he resorted to data protection law to vindicate his support for the club.

The information disclosed to him showed that he attended matches on all the occasions the club had said he hadn’t.

I don’t quite understand how the club searched for and disclosed his personal data, without (when doing so) realising its mistake (maybe he asked for footage from a specific camera near his reserved seat). But in any case, it’s a nice little story, and topped off with an excellent point from Mr Flower:

Why would I buy a season ticket and not go this season, of all seasons, given the **** I’ve sat through since 1978?


Retaining data for journalistic purposes?

This is a quite extraordinary data protection story, by Jamie Roberton and Amelia Jenne of Channel 4 News, involving a mother of a woman who died in suspicious circumstances.

It appears that a “Victims’ Right to Review” exercise was undertaken by Gloucestershire Police, at the request of the family of Danielle Charters-Christie, who was found dead inside the caravan that she shared with her partner – who had been accused of domestic abuse – in Gloucestershire on 26 February 2021.

Officers then physically handed a 74-page document to Danielle’s mother, and the contents of it were subsequently reported by Channel 4 News. But, now, the police say that the Review report was “inadvertently released”, are demanding that Danielle’s mother destroy it, and have referred her apparent refusal to do so to the Information Commissioner’s Office as a potential offence under s170(3) of the Data Protection Act 2018.

That provision creates an offence of “knowingly,…after obtaining personal data, [retaining] it without the consent of the person who was the controller in relation to the personal data when it was obtained”.

But here’s a thing: it is a defence, under s170(3)(c) for a person charged with the offence to show that they acted (and here, the retention of the data would be the “action”) for the purposes of journalism, with a view to the publication by a person of any journalistic material, and in the reasonable belief that in the particular circumstances the retaining was justified as being in the public interest.

The ICO is tasked as a prosecutor for various data protection offences, including the one at s170 DPA. No doubt whoever at the ICO is handed this file will be having close regard to whether this statutory defence would apply, but will also, in line with the ICO’s duty as a prosecutor, have to consider evidential factors, and also whether a prosecution would be in the public interest.

At the same time, of course, the ICO has civil enforcement powers, and might well be considering what were the circumstances under which the police, as a controller, wrongly disclosed personal data in such apparently serious circumstances.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Machine learning lawful basis on a case-by-case approach – really?

The Information Commissioner’s Office has published its response to the government’s consultation on Copyright and AI. There’s an interesting example in it of an “oh really?!” statement.

The government proposes that, when it comes to text and data-mining (TDM) of datasets that contain copyright works, a broad exception to copyright protection should apply, under which “AI developers would be able to train on material to which they have lawful access, but only to the extent that right holders had not expressly reserved their rights”. Effectively, rights holders would have to opt out of “allowing” their works to be mined.

This is highly controversial, and may be the reason that the Data (Use and Access) Bill has stalled slightly in its passage through Parliament. When the Bill was in the Lords, Baroness Kidron successfully introduced a number of amendments in relation to use of copyright info for training AI models, saying that she feared that the government’s proposals in its consultation “would transfer [rights holders’] hard-earned property from them to another sector without compensation, and with it their possibility of a creative life, or a creative life for the next generation”. Although the government managed to get the Baroness’s amendments removed in Commons’ committee stage, the debate rumbles on.

The ICO’s response to the consultation notes the government’s preferred option of a broad TDM exception, with opt-out, but says that, where personal data is contained in the training data, such an exception would not “in and of itself constitute a determination of the lawful basis for any personal data processing that may be involved under data protection law”. This must be correct: an Article 6(1) UK GDPR lawful basis will still be required. But it goes on to say “the lawfulness of processing would need to be evaluated on a case-by-case basis”. A straightforward reading of this is that for each instance of personal data processing when training a model on a dataset, a developer would have to identify a lawful basis. But this, inevitably, would negate the whole purpose of using machine learning on the data. What I imagine the ICO intended to mean was that a developer should identify a broad, general lawful basis for each dataset. But a) I don’t think that’s what the words used mean, and b) I struggle to reconcile that approach with the fact that a developer is very unlikely to know exactly what personal data is in a training dataset, before undertaking TDM – so how can they properly identify a lawful basis?

I should stress that these are complex and pressing issues. I don’t have answers. But opponents of the consultation will be likely to jump on anything they can.


The legality of data processing in the course of litigation

There is very convoluted litigation taking place which has as its focus a witness statement, prepared by a solicitor acting for a number of insurance companies who are defending personal injury claims arising from road traffic accidents (RTAs). And part of the argument (and a satellite claim) has now become about compliance with data protection law.

Five original claims were made for damages arising from RTAs. The defendant insurance companies were represented by law firm DWF, and one of DWF’s solicitors prepared a witness statement which contained an analysis of claims data collected by DWF in relation to a number of claims submitted by claimants represented by the solicitors who acted on behalf of the five claimants. The statement sought to adduce that in an unusually high number of the claims claimants had been referred for further psychological assessment, by a doctor who in 100% of those cases diagnosed a psychiatric condition and in two thirds of those cases said that the recovery period would be over two years. In short, a large number of claimants in the relevant RTAs appeared to develop long-term psychiatric conditions.

The claimant sought unsuccessfully to debar the witness statement, although the judge (on appeal) noted that it would be “for the Judge at trial to make of this evidence what they will [although] there are questions as to the extent to which this evidence assists without more in proving fundamental dishonesty”.

Notwithstanding this, an initial 317 (now reduced to three) claims were then made by people whose personal data was accepted to have been processed by DWF for the purposes of preparing the witness statement above. The claims here are for various breaches of the UK GDPR (such as excessive processing, and lack of fairness, lawful basis and transparency).

In a judgment handed down on 1 April, on an application by the claimants for specific disclosure in the UK GDPR claim (and an application by the defendant to amend its defence and strike out a witness statement of the claimants’ solicitor) Mrs Justice Eady DBE dismissed the disclosure applications (made under various headings), on the basis that much of the information would clearly be privileged material, or not relevant, or that the application was a fishing expedition.

If this gets to trial it will be interesting though. This sort of processing of personal data takes place in the course of (non-data-protection) private litigation routinely. It is generally not assumed that any issues of illegality arise. Any ultimate findings would be notable for litigators, and those who need to advise them on data protection compliance.


A new data protection duty?

I’ve been looking in more detail at the recent subject access judgment in Ashley v HMRC. One key point of general application stands out for me, and that is that it states that in some cases (i.e. where it is necessary for intelligibility purposes) a controller has a duty to provide contextual information in addition to copies of personal data.

As the judge put it

Article 15(1) and 15(3), read with Article 12(1) and (2) of the UK GDPR, did require the Defendant to go beyond providing a copy of the Claimant’s personal data where contextual information was necessary for that personal data to be intelligible in the sense of enabling the data subject to exercise their rights conferred by the UK GDPR effectively. It follows that insofar as the Defendant did not adopt this approach, it was in breach of this duty.

And although she couched the following as “guidance” for the HMRC when reconsidering the request, I feel it has general application:

…it is unlikely that providing an extract that simply comprises the Claimant’s name or his initials or other entirely decontextualised personal data of that sort, will amount to compliance with this obligation.

In arriving at this conclusion the judge drew in part on both pre- and post-Brexit case law of the Court of Justice of the European Union. Most notably she decided to have regard to case C-487/21. Even though this does not bind the domestic courts, the effect of section 6(2) of the European Union (Withdrawal) Act 2018 is that courts may have regard to EU case law where it is relevant to the matter before them.

Of course, there are also times when merely providing a snippet in the form of a name constitutes a failure to provide all of the personal data in scope (omitting the final five words of “Jon Baines works at Mishcon de Reya” would be to omit some of my personal data). But the “context duty” seems to me to go further, and creates, where it is necessary, an obligation to provide information beyond what is in the source documents.

Most of the other points in the judgment, as important as they were to the facts, and as interesting as they are, particularly on the concept of “relating to” in the definition of “personal data”, will not necessarily change things for most data subjects and controllers.

But this “context duty” feels to me to be an advancement of the law. And I suspect controllers can now expect to see data subjects and their lawyers, when making subject access requests (or when challenging responses), begin to argue that the “context duty” applies.


NADPO Webinar – 25 March

On the lunchtime of Tuesday 25 March I’ll be chairing one of the regular NADPO webinars. We have Dr Judith Townend talking about learning from ‘open justice’ and other data/technology contexts, and Dr Lachlan Urquhart on “Clever Computing through Accountable Design: Cybersecurity in Smart Homes”.

Members will already have received the joining instructions.

A reminder that membership is a bargain £130 for two years, and gets you free attendance at all webinars, as well as at our annual conference and other ad hoc events, plus a range of other benefits (for example we’ve recently hosted free training sessions for members run by Tim Turner and a free session on data breaches and cybersecurity from 5 Essex Chambers and CyXcel). Members also get complimentary free attendance at UK Data Protection Forum events.


O’Carroll v Meta – what now for targeted adverts on Facebook

Following the news that claimant Tanya O’Carroll and defendant Meta have settled ahead of what was likely to be a landmark data protection case, what are the implications?

Ms O’Carroll argued that advertising served to her on Facebook, because it was targeted at her, met the definition of “direct marketing” under section 122(5) of the Data Protection Act 2018 (“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”) and thus the processing of her personal data for the purposes of serving that direct marketing was subject to the absolute right to object under Article 21(2) and (3) UK GDPR.

Meta had disputed that the advertising was direct marketing.

The “mutually agreed statement” from Ms O’Carroll says “In agreeing to conclude the case, Meta Platforms, Inc. has agreed that it will not display any direct marketing ads to me on Facebook, will not process my data for direct marketing purposes and will not undertake such processing (including any profiling) to the extent it is related to such direct marketing”.

One concludes from this that Meta will, at least insofar as the UK GDPR applies to its processing, now comply with any Article 21(2) objection, and, indeed, that is how it is being reported.

But will the upshot of this be that Meta will introduce ad-free services in the UK, but for a charge (because its advertising revenues will be likely to drop if people object to targeted ads)? It is indicating so, with a statement saying “Facebook and Instagram cost a significant amount of money to build and maintain, and these services are free for British consumers because of personalised advertising. Like many internet services, we are exploring the option of offering people based in the UK a subscription and will share further information in due course”.

The ICO intervened in the case, and have uploaded a summary of their arguments, which were supportive of Ms O’Carroll’s case, and her lawyers AWO Agency have also posted an article on the news.


Cabinet Office unsuccessfully appeals FOIA information notices

When a public authority relies on an exemption to refuse to disclose information in response to a Freedom of Information Act request, the requester can ask the Information Commissioner’s Office for a decision as to whether the refusal was in accordance with the law. In order to make such a decision, the ICO may often need to see the information withheld by the public authority. Where the public authority is unwilling to provide this, or perhaps drags its heels over it, the ICO may serve, under section 51 of FOIA, an “information notice”, requiring the information to be provided. Failure to comply with an Information Notice can be certified as contempt of court, but there is a right of appeal to the First-tier Tribunal.

And so it was that the Tribunal recently found itself hearing appeals by the Cabinet Office in relation to two Information Notices served on it by the ICO, who is investigating FOIA requests for information relating to Rishi Sunak’s declarations of interest when he was Prime Minister.

The Cabinet Office sought to argue, among other things, that access by the ICO was not necessary, was unfair and damaging to the process of handling ministerial declarations of interest, and would constitute unlawful processing of personal data. All of these arguments got short shrift from the Tribunal – ultimately, it held that it would not be possible to determine whether any of the exemptions prayed in aid by the Cabinet Office were made out without an examination of the material, and the appeals were dismissed.


Cabinet Office wins Covid face masks FOIA appeal

The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.

It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.

The ICO had determined that the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.

The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):

In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.

I do not say the Tribunal has necessarily got this wrong, but I do say that this is a FOIA case of some significance, and that it warranted a clearer judgment.

Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.


An offence of unlawful access to records of the dead?

I’m starting to wonder whether Parliament should consider a new offence of accessing and/or retaining records of the deceased without lawful excuse.

The BBC, and others, are reporting concerns that there may have been unauthorised access to medical records of the victim of killer Valdo Calocane. In the last few years we have also seen similar stories emerging in relation to police files on the murders of Sarah Everard, Bibaa Henry and Nicole Smallman (and I am sure there are many others).

The offence at section 170 of the Data Protection Act 2018 cannot be engaged when the records in question relate to someone who is dead, and although there is the potential for prosecutions for misconduct in a public office, or under the Computer Misuse Act 1990, there will be times when these do not apply.

Such unwarranted access seems to be a serious risk which arises wherever there is a high profile killing, and it must cause immense extra distress for the families and friends of the victims.

I wonder if now is the time for a debate on the topic, with an agenda item of whether there is need for a new criminal offence.
