Category Archives: accuracy

March 24, 2023 · 7:37 am

SRA, data protection and the solicitors roll

In August 2022 the Solicitors Regulation Authority (SRA) announced plans to change its rules and reinstate the annual “keeping of the roll” exercise. Until 2014, all solicitors without practising certificates were required to complete an application each year and pay an administration fee if they wished to remain on the roll. This requirement was dispensed with in 2014 in part because the annual process was seen as burdensome for solicitors.

One of the justifications now for reintroducing the keeping of the roll is given by the SRA as

There are also requirements under the General Data Protection Regulation (GDPR) 2016 [sic] and the seven principles that govern the holding and retention of data. Under GDPR we have responsibility as a data controller to ensure we maintain accurate data relating to individuals and we are processing it fairly and lawfully.

What is slightly odd is that when, in 2014, the SRA proposed to scrap the keeping of the roll, it was not troubled by the observations of the then Information Commissioner about the importance of accuracy and privacy of information. In its reply to the then Commissioner’s consultation response it said that it had “fully considered the issues” and

We consider that the availability of the SRA’s online system, mySRA, to non- practising solicitors as a means of keeping their details up to date, serves to mitigate the possibility of data become inaccurate…To further mitigate the risk of deterioration of the information held on the roll, the SRA can include reminders to keep contact details up to date in standard communications sent to solicitors.

If that was the position in 2014, it is difficult to understand why it is any different today. The data protection principles – including the “accuracy principle” – in the UK GDPR (not in fact the “GDPR 2016” that the SRA refers to) are effectively identical to those in the prior Data Protection Act 1998.

If the SRA was not concerned by data protection considerations in 2014 but is so now, one might argue that it should explain why. The Information Commissioner does not appear to have responded to the consultation this time around, so there is no indication that his views swayed the SRA.

If the SRA was concerned about the risk of administrative fines (potentially larger under the UK GDPR than under the Data Protection Act 1998) it should have reassured itself that any such fines must be proportionate (Article 83(1) UK GDPR) and by the fact that the Commissioner has repeatedly stressed that he is not in the business of handing out fines for minor infringements to otherwise responsible data controllers.

I should emphasise that data protection considerations were not the only ones taken into account by the SRA, and I don’t wish to discuss whether, in the round, the decision to reintroduce the keeping of the roll was correct or not (Joshua Rozenberg has written on this, and the effect on him). But I do feel that the arguments around data protection show a confused approach to that particular issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

Tagged as , , , ,

July 22, 2022 · 8:53 am

High Court muddle over data protection regime

A relatively common error by those unaccustomed to the rather odd structure of the data protection statutory regime in the UK, is to look first to the Data Protection Act 2018 (“DPA”) for the applicable law, instead of the UK GDPR. This is despite the fact that the very first section of the DPA instructs us in how the regime works. Section 1(2) provides that “most processing of personal data is subject to the UK GDPR”, and then sections 1(4) and (5) explain that Parts 3 and 4 of the DPA deal with those parts of the regime (law enforcement processing and intelligence services processing) which are out of the scope of UK GDPR.

“Put me to one side” – says the DPA tactfully – “you should have picked up your copy of the UK GDPR first, and not me”.

Accordingly, the key provisions, and the basic principles, applying to most processing, are to be found in the UK GDPR.

The result of this relatively common error, is that people will sometimes cite, say, section 45 of the DPA in relation to a generic subject access request, when in fact, the applicable provision is Article 15 of the UK GDPR (section 45 applies to subject access requests to competent authorities for the purposes of law enforcement).

Occasionally, I have seen non-specialist lawyers make this mistake.

And now, I have seen a high court judge do the same. In a judicial review case in the High Court of Northern Ireland, challenging the accuracy of a child’s social care records, part of the claim (which was primarily an Article 8 human rights claim) was pleaded as also a breach of Article 5(1) and (6) of the “GDPR” (the correct pleading should have been, and maybe was, by reference to the UK GDPR) and Part 1 of the DPA. Article 5(1) of the UK GDPR contains the data protection principles.

The judge, however, stated that

It seems to the court that in fact the relevant part of the 2018 Act are sections 86 to 91 which set out the six data protection principles in relation to data processing.

This is simply wrong. Sections 86 to 91 of the DPA lay out the data protection principles only in relation to intelligence services processing (i.e. processing of personal data by the Security Service, the Secret Intelligence Service or by the Government Communications Headquarters).

It isn’t clear whether there was any discussion about this in the court (quite possibly not), but it appears not to have been picked up when the judgment was circulated in draft or published to the parties. As it is, it seems very likely that nothing turns on it. This is because the Part 4 DPA principles, like the Part 3 DPA principles, effectively mirror the principles in Article 5(1) UK GDPR, and so the analysis, for the purposes of the substantive matter, was sound.

So this was an error of form, more than substance.

However, there are some differences between the UK GDPR regime, the Part 3 DPA regime and the Part 4 DPA regime, and in different circumstances an error like this could result in an outcome which is wrong, and harmful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Data Protection Act 2018, GDPR, human rights, Ireland, judiciary, UK GDPR

Tagged as , ,

February 19, 2021 · 9:21 pm

Search and (don’t) destroy

Martin Lewis’s Money Saving Expert (MSE) site reports that over £1m is apparently held by Highways England (HE) in respect of Dartford Crossing pre-paid online accounts (Freedom of Information requests were apparently used to establish the amount). It is of course by no means uncommon for money to lie dormant in money accounts – for instance, banks across the world hold fantastic sums which never get claimed. MSE itself suggests elsewhere that the total amount in the UK alone might be around £15bn – but what these FOI requests to HE also revealed is an approach to retention of personal data which may not comply with HE’s legal obligations.

People appear to have received penalty charges after assuming that their pre-paid accounts – in credit when they were last used – would still cover the crossing charge (even where the drivers had been informed that their accounts had been closed for lack of use). MSE reports the case of Richard Riley, who

had been notified by email that his account would be closed, but he’d wrongly assumed it would be reactivated when he next made the crossing (this is only the case if you cross again within 90 days of being notified). On looking into it further, Richard also realised he had £16 in his closed account

However, HE apparently explained to MSE that

…it’s unable to reopen automatically closed accounts or automatically refund account-holders because it has to delete personal data to comply with data protection rules.

This cannot be right. Firstly, as the MSE article goes on to explain, if someone suspects or discovers that they have credit in a closed Dartford Crossing account, they can telephone HE and “any money will be paid back to the debit or credit card which was linked to the account. If this isn’t possible, a refund will be issued by cheque.”

So HE must retain some personal data which enables them to confirm whose money it is that they hold. But if it is true that HE feels that data protection law requires them to delete personal data which would otherwise enable them to refund account-holders when accounts are closed, then I fear that they are misreading two of the key principles of that law.

Article 5(1)(e) of the UK GDPR (the “storage limitation principle”) requires that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (emphasis added), and Article 5(1)(c) ( the “data minimisation principle”) requires that personal data be “limited to what is necessary in relation to the purposes for which they are processed” (emphasis added). Both of these make clear that where personal data is still needed for the purposes for which it is processed, then it can (and should) be retained. And when one adds the point, under Article 5(1)(c), that personal data should also be “adequate” for the purposes for which it is processed, it becomes evident that unnecessary deletion of personal data which causes a detriment or damage to the data subject can in itself be an infringement.

This matter is, of course, on a much lower level of seriousness than, for instance, the unnecessary destruction of landing cards of members of the Windrush Generation, or recordings of witnesses in the Ireland Mother and Baby Homes enquiry, but it strikes me that it is – in general – a subject that is crying out for guidance (and where necessary enforcement) by the Information Commissioner. Too many people feel, it seems, that “data protection” means they have to delete, or erase or destroy personal data.

Sometimes, that is the worst thing to do.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, adequacy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

December 15, 2020 · 3:14 pm

Windrush and data protection

As far as I know the Information Commissioner has never investigated this issue (I’ve made an FOI request to find out more), but this, on the Mishcon site, is an overview of the key issue.

Leave a comment

Filed under accuracy, adequacy, Data Protection, fairness, Home Office, human rights, Information Commissioner

December 15, 2020 · 3:10 pm

Students challenge International Baccalaureate on data protection grounds

My firm is acting for the students, and there’s a link to the detailed grounds in this explanatory piece.

Leave a comment

Filed under accuracy, Data Protection, fairness, Further education, GDPR, transparency

August 16, 2020 · 2:11 pm

Ofqual and the International Baccalaureate – more woes?

UPDATE: 23.08.20 One week on from this original post below, and it is clear (and unsurprising, when one reads the details) that many IB students are still deeply unhappy about the process, and now, with the u-turn on the A-Level awards, are arguably feeling even further aggrieved that their results are still tied to the outcome of what they see as a flawed an unfair algorithmic process. Also one week on, there seems to have been no word from the ICO about the decision of the Norwegian DPA, and what it means for UK IB students. END UPDATE.

UPDATE: 17.08.20 It appears that the IBO has responded to concerns (and possibly to the Norwegian DPA’s investigation, by reviewing the results, and making an adjustment to awarded results, with the emphasis that “no student will receive a lower grade than what was received previously”) END UPDATE.

In a piece for the Mishcon de Reya website last week, I noted, in the context of the recent A-Level awards fiasco, that the Norwegian Data Protection Authority had sent the International Baccalaureate Association (IBO) an advance notification that it was going to order the latter to rectify grades it had awarded based on “so-called ‘school context’ and ‘historical data'”. The IBO has until 21 August to “contradict” the Norwegian DPA’s draft decision.

What I had not fully appreciated were two things:

  1. The effect of the Norwegian DPA’s draft decision, should it be formalised, may be that all IBO grades based on such data would have to be re-done, not just those of Norwegian children.
  2. In a move now saturated with irony, the IBO’s grading process is, apparently, already being scrutinised by…erm…Ofqual, to whom the IBO’s awarding model was submitted , both prior to its actual use and to the issue of results.

The second point raises the rather remarkable possibility that Ofqual was a controller, in GDPR terms, for the International Baccalaureate model, as well as for the English A-Levels. This will only add to its already significant woes.

The first point turns on this: the IBO is based in Switzerland. Although Norway is not in the EU, it is in the European Economic Area (EEA), and by a joint agreement of July 2018 GDPR was incorporated into the EEA Agreement. To the extent that the IBO is offering (which it clearly is) goods or services to data subjects in the  European Union, it is subject to GDPR’s extra-territorial provisions at Article 3(2). So, although in theory, the Norwegian DPA’s decision would only apply in respect of the processing of personal data in respect of Norwegian data subjects, in practice it is very difficult to see how the IBO could comply with an order only applying to Norwegians, when the effect of the order would be that IB candidates across everywhere would have had their data impermissibly processed in the same way. If it decided not to redo all awards, and just Norwegian ones, then presumably supervisory authorities across Europe, including the Information Commissioner in the UK, would need to investigate.

[This post was edited to reflect the blindingly obvious point that Norway is not in the EU, but is in the EEA. I’m embarrassed to admit that I’m only human]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, EDPB, Europe, GDPR, Information Commissioner

Tagged as , , ,

August 13, 2020 · 1:02 pm

A-levels and data protection – potential challenges?

A new post by me on the Mishcon de Reya website, looking at whether GDPR and the DPA offer the potential for challenges to A-level results.

UPDATE: 14.08.20

A rather odd statement has just been put out by the ICO which suggests that Ofqual have told the former that automated decision making didn’t take place. I’ve updated the Mishcon piece to say this:

The ICO has now issued a statement saying that “Ofqual has stated that automated decision making does not take place when the standardisation model is applied, and that teachers and exam board officers are involved in decisions on calculated grades”. This appears at odds with the statement in Ofqual’s “Privacy Impact Assessment“, which states that the process does involve “automated elements as well as human elements”. Whether this means that the Ofqual standardisation model did not involve “solely” automated decision making will no doubt be determined in the various legal challenges which are apparently currently being mounted.

Oddly, the ICO also says that concerns should be raised with exam boards first, before the ICO will get involved. This does not immediately appear to be in line with the ICO’s obligation to handle complaints, under Article 57 of GDPR (which doesn’t say anything about data subjects having to raise concerns with someone else first).

Leave a comment

Filed under accuracy, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner

September 4, 2018 · 1:39 pm

GDPR – an unqualified right to rectification?

Can FCA – or any data controller – any longer argue that it’s too expensive to have to rectify inaccurate personal data?

Amidst all the hoo-ha about the General Data Protection Regulation (GDPR) in terms of increased sanctions, accountability requirements and nonsense about email marketing, it’s easy to overlook some changes that it has also (or actually) wrought.

One small, but potentially profound difference, lies in the provisions around accuracy, and data subjects’ rights to rectification.

GDPR – as did its predecessor, the 1995 Data Protection Directive – requires data controllers to take “every reasonable step” to ensure that, having regard to the purposes of the processing, personal data which are inaccurate are erased or rectified without delay. Under the Directive the concomitant data subject right was to obtain from the controller, as appropriate the rectification, erasure or blocking of data. Under Article 16 of GDPR, however, there is no qualification or restriction of the right:

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

I take this to mean that, yes, a controller must in general only take every reasonable step to ensure that inaccurate data is rectified (the “proactive obligation”, let us call it), but, when put on notice by a data subject exercising his or her right to rectification, the controller MUST rectify – and there is no express proportionality get-out (let us call this the “reactive obligation”).

This distinction, this significant strengthening of the data subject’s right, is potentially significant, it seems to me, in the recently-reported case of Alistair Hinton and the Financial Conduct Agency (FCA).

It appears that Mr Hinton has, for a number of years, been pursuing complaints against the FCA over alleged inaccuracies in its register of regulated firms, and in particular over an allegation that

a register entry which gave the impression both him [sic] and his wife were directors of a firm which the regulator had publicly censured

This puts into rather simple terms what appears to be a lengthy and complex complaint, stretching over several years, and which has resulted in three separate determinations by the Financial Regulators Complaints Commissioner (FRCC) (two of which appear to be publicly available). I no doubt continue to over-simplify when I say that the issue largely turns on whether the information on the register is accurate or not. In his February 2017 determination the FRCC reached the following conclusions (among others)

You and your wife have been the unfortunate victims of an unintended consequence of the design of the FSA’s (and now FCA’s) register, coupled with a particular set of personal circumstances;

…Since 2009 the FSA/FCA have accepted that your register entries are misleading, and have committed to reviewing the register design at an appropriate moment;

Although these findings don’t appear to have been directly challenged by the FCA, it is fair to note that the FCA are reported, in the determinations, as having maintained that the register entries are “technically and legally correct”, whilst conceding that they are indeed potentially misleading.

The most recent FRCC determination reports, as does media coverage, that the Information Commissioner’s Office (ICO) is also currently involved. Whilst the FRCC‘s role is not to decide whether the FCA has acted lawfully or not, the ICO can assess whether or not the FCA’s processing of personal data is in accordance with the law.

And it occurs to me that the difference here between the Directive’s “reactive obligation” and GDPR’s “reactive obligation” to rectify inaccurate data (with the latter not having any express proportionality test) might be significant, because, until now, FCA has apparently relied on the fact that correcting the misleading information on its register would require system changes costing an estimated £50,000 to £100,000, and the FRCC has not had the power to challenge FCA’s argument that the cost of “a proper fix” was disproportionate. But if the Article 16 right is in general terms unqualified (subject to the Article 12(5) ability for a controller to charge for, or refuse to comply with, a request that is manifestly unfounded or excessive), can FCA resist a GDPR application for rectification? And could the ICO decide any differently?

Of course, one must acknowledge that there is a general principle of proportionality at European law (enshrined in Article 5 of the Treaty of the European Union) so a regulator, or a court, cannot simply dispense with the concept. But there was clearly an intention by European legislature not to put an express qualification on the right to rectification (and by extension the reactive obligation it places on controllers), and that will need to be the starting point for any assessment by said regulator, or court.

 

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under accuracy, Data Protection, GDPR, Information Commissioner

Tagged as , , , ,

June 29, 2017 · 8:39 pm

Data Protection (and other) compensation awarded against Ombudsman

I’ve been helpfully referred to a rather remarkable judgment of the Leeds County Court, in a claim for damages against the Local Government Ombudsman for, variously, declaratory relief and damages arising from discrimination under the Equality Act 2010, and breach of the Data Protection Act 1998 (DPA). The claim was resoundingly successful, and led to a total award of £12,500, £2,500 of which were aggravated damages because of the conduct of the trial by the respondent.

The judgment has been uploaded to Dropbox here.

I will leave readers to draw their own conclusions about the actions of the Ombudsman, but it’s worth noting, when one reads the trenchant criticism by District Judge Geddes, that one of the office’s strategic objectives is to

deliver effective redress through impartial, rigorous and proportionate investigations

One can only conclude that, in this case at least, this objective was very far from met.

Of particular relevance for this blog, though, was the award of £2500 for distress arising from failure to prepare and keep an accurate case file recording the disability of the claimant and her daughter. This, held the District Judge, was a contravention of the Ombudsman’s obligations under the DPA. As is now relatively well known, the DPA’s original drafting precluded compensation for distress alone (in the absence of tangible – e.g. financial – damage), but the Court of Appeal, in Vidal Hall & ors v Google ([2015] EWCA Civ 311), held that this was contrary to the provisions of the Charter of Fundamental Rights of the European Union and that, accordingly, there was a right under the DPA to claim compensation for “pure” distress. The award in question here was of “Vidal Hall” compensation, with the judge saying there was

no doubt in my mind that the data breaches have caused distress to the claimant in their own rights as well as as a result of the consequences that flowed.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, accuracy, Data Protection, human rights, local government

September 25, 2015 · 12:31 pm

Anti-EU campaign database – in contravention of data protection laws?

The politics.co.uk site reports that an anti-EU umbrella campaign called Leave.EU (or is it theknow.eu?) has been written to by the Information Commissioner’s Office (ICO) after allegedly sending unsolicited emails to people who appear to have been “signed up” by friends or family. The campaign’s bank-roller, UKIP donor Aaron Banks, reportedly said

We have 70,000 people registered and people have been asked to supply 10 emails of friends or family to build out (sic) database

Emails sent to those signed up in this way are highly likely to have been sent in breach of the campaign’s obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and the ICO is reported to have to written to the campaign to

inform them of their obligations under the PECR and to ask them to suppress [the recipient’s] email address from their databases

But is this really the main concern here? Or, rather, should we (and the ICO) be asking what on earth is a political campaign doing building a huge database of people, and identifying them as (potential) supporters without their knowledge? Such concerns go to the very heart of modern privacy and data protection law.

Data protection law’s genesis lie, in part, in the desire, post-war, of European nations to ensure “a foundation of justice and peace in the world”, as the preamble to the European Convention on Human Rights states. The first recital to the European Community Data Protection Directive of 1995 makes clear that the importance of those fundamental rights to data protection law.

The Directive is, of course, given domestic effect by the Data Protection Act 1998 (DPA). Section 2 of the same states that information as to someone’s political beliefs is her personal data: I would submit that presence on a database purporting to show that someone supports the UK”s withdrawal from the European Union is also her personal data. Placing someone on that database, without her knowledge or ability to object, will be manifestly “unfair” when it comes to compliance with the first data protection principle. It may also be inaccurate, when it comes to compliance with the fourth principle.

I would urge the ICO to look much more closely at this – the compiling of (query inaccurate) of secret databases of people’s political opinions has very scary antecedents.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Directive 95/46/EC, Europe, human rights, Information Commissioner

Tagged as , ,