Category Archives: Data Protection Act 2018

July 29, 2025 · 5:44 pm

ICO fines: are you certain?

In his inaugural speech as Information Commissioner, in 2022, John Edwards said

my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator acts

It’s a message he’s sought to convey on many occasions since. No surprise: it’s one of the Commissioner’s tasks under the Regulators’ Code to

improve confidence in compliance for those they regulate, by providing greater certainty

This isn’t the place or the time for a broad analysis of how well the ICO has measured up to those standards, but I want to look at one particular example of where there appears to be some uncertainty.

In March 2024, the ICO fined the Central YMCA £7500 for serious contraventions of the UK GDPR. In announcing the fine, the ICO said that it would have been £300,000 but that “this was subsequently reduced in line with the ICO’s public sector approach” (the policy decision whereby “fines for public sector bodies are reduced where appropriate”). When questioned why a charity benefited from the public sector approach, the ICO stated that

Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities…the fine is in line with the spirit of our public sector approach

So the charity sector might have reasonably drawn from this that, in the event that another charity doing a “lot of good work” seriously contravened the UK GDPR, but engaged in good faith with the ICO and made amends to its processing activities, it would also benefit from the public sector approach, with a similar reduction of around 97.5% in any fine.

However, on 28 July, the Scottish charity Birthlink was fined £18,000 by the ICO for serious contraventions of the UK GDPR but the ICO did not apply the public sector approach. When I questioned why, the answer merely confirmed that it had not been applied, but that they had applied their Fining Guidance. Admittedly, Birthlink did not recognise the seriousness of its contraventions for around two years, but that was not mentioned in the ICO’s answer.

I was also referred to the consultation on continuing the public sector approach, which ran earlier this year. That consultation explained that the proposal was not to apply the public sector approach to charities in the future, because the ICO would have regard to the definition of “public authority” and “public body” at section 7 of the Data Protection Act 2018, which, for obvious reasons, doesn’t include charities.

However, the outcome of that consultation has not been announced yet, and the ICO site says

In the meantime, we will continue to apply the approach outlined by the Commissioner in his June 2022 open letter.

As that current approach is the one under which the ICO applied great leniency to the Central YMCA, the question therefore remains – why did Birthlink not also benefit from it?

And there’s a wider question: the definition of a public body/authority at section 7 of the Data Protection Act 2018 has been in effect since 2018. Why did the ICO think, in 2024, that section 7 was not relevant, and that a (wealthy) charity should qualify for the public sector approach, but then decide that another (much less wealthy) charity shouldn’t, when facing a fine only a few months later?

The answers are far from certain.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consistency, Data Protection Act 2018, fines, Information Commissioner, monetary penalty notice, UK GDPR

Tagged as , ,

July 16, 2025 · 2:39 pm

Data Protection risks to life: Should more be done?

I’ve written up my thoughts for the Mishcon de Reya website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

https://www.mishcon.com/news/data-protection-risks-to-life-should-more-be-done

Leave a comment

Filed under Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, Ministry of Defence, UK GDPR

Tagged as ,

June 6, 2025 · 9:58 am

Good Law Project v Reform

In the run-up to last year’s General Election, the campaigning group The Good Law Project (GLP) actively encouraged people to make subject access requests (under Article 15 of the UK GDPR) to political parties, and they say that they enabled 13,000 people to do so.

The GLP says that the Reform Party “replied to hardly anyone”, and as a result it is bringing the first ever case in the UK under Article 80(1) of the UK GDPR, whereby a data subject (or subjects) mandates an representative organisation to bring an Article 79 claim on their behalf.

Helpfully, the GLP has published both its own particulars of claim, and, now, Reform’s defence to the claim. The latter is particularly interesting, as its initial approach is to threaten to apply to strike out the claim on the grounds that the GLP does not meet the criteria for a representative body, as laid out in section 187 of the Data Protection Act 2018.

Given the nature of the two parties (one a bullish campaign group, the other a bullish political party) it seems quite likely that this will proceed to trial. If so, we should get some helpful clarification on how Article 80(1) should operate.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Article 80, Data Protection Act 2018, political parties, UK GDPR

Tagged as ,

June 4, 2025 · 8:08 am

Covert recordings in family law proceedings – some slightly flawed guidance

The issue of the legality of the making of, and subsequent use of, covert audio and/or visual recordings of individuals is a complex one – even more so when it comes to whether such recordings can be adduced as evidence in court proceedings.

I’m not going to try to give an answer here, but what I will do is note that the Family Justice Council has recently produced guidance on cover recordings in family law proceedings concerning children, and it contains some rather surprising sections dealing with data protection law.

Firstly, I should say what it gets right: I think it is correct when it indicates that processing consisting of the taking of and use of covert recordings for the purpose of proceedings will not normally be able to avail itself of the carve-out from the statutory scheme under Article 2(2)(a) UK GDPR (for purely personal or household purposes).

However, throughout, when addressing the issue of the processing of children’s data, it refers to the Information Commissioner’s Office’s Children’s Code, but doesn’t note (or notice?) that that Code is drafted specifically to guide online services on the subject of age appropriate design of such services. Although some of its general comments about children’s data protection rights will carry over to other circumstances, the Children’s Code is not directly relevant to the FJC’s topic.

It also goes into some detail about the need for an Article 6(1) UK GDPR lawful basis if footage is shared with another person. Although strictly true, this is hardly the most pressing point (there are a few potential bases available, or exemptions to the need to identify one). But it also goes on to say that a failure to identify a lawful basis will be a “breach of the DPA 2018” (as well as the UK GDPR): I would like its authors to say what specific provisions of the DPA it would breach (hint: none).

It further, and incorrectly, suggests that a person making a covert recording might commit the offence of unlawfully obtaining personal data at section 170 DPA 2018. However, it fails to recognise that the offence only occurs where the obtaining is done without the consent of the controller, and, here, the person making and using the recording will be the controller (as the “lawful basis” stuff above indicates).

Finally, when it deals with developing policies for overt recording, it suggests that consent of all the parties would be the appropriate basis, but gives no analysis of how that might be problematic in the context of contentious and fraught family law proceedings.

The data protection aspects of the guidance are only one small part of it, and it may be that it is otherwise sound and helpful. However, it says that the ICO were consulted during its drafting, and gave “helpful advice”. Did the ICO see the final version?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Covert recording, Data Protection, Data Protection Act 2018, Family law, Information Commissioner, UK GDPR

Tagged as

April 11, 2025 · 5:03 am

Retaining data for journalistic purposes?

This is a quite extraordinary data protection story, by Jamie Roberton and Amelia Jenne of Channel 4 News , involving a mother of a woman who died in suspicious circumstances.

It appears that a “Victims’ Right to Review” exercise was undertaken by Gloucestershire Police, at the request of the family of Danielle Charters-Christie, who was found dead inside the caravan that she shared with her partner – who had been accused of domestic abuse – in Gloucestershire on 26 February 2021.

Officers then physically handed a 74-page document to Danielle’s mother, and the contents of it were subsequently reported by Channel 4 News. But, now, the police say that the Review report was “inadvertently released”, are demanding that Danielle’s mother destroy it, and have referred her apparent refusal to do so to the Information Commissioner’s Office as a potential offence under s170(3) of the Data Protection Act 2018.

That provision creates an offence of “knowingly,…after obtaining personal data, [retaining] it without the consent of the person who was the controller in relation to the personal data when it was obtained”.

But here’s a thing: it is a defence, under s170(3)(c) for a person charged with the offence to show that they acted (and here, the retention of the data would be the “action”) for the purposes of journalism, with a view to the publication by a person of any journalistic material, and in the reasonable belief that in the particular circumstances the retaining was justified as being in the public interest.

The ICO is tasked as a prosecutor for various data protection offences, including the one at s170 DPA. No doubt whoever at the ICO is handed this file will be having close regard to whether this statutory defence would apply, but will also, in line with the ICO’s duty as a prosecutor, to consider evidential factors, but also whether a prosecution would be in the public interest.

At the same time, of course, the ICO has civil enforcement powers, and might well be considering what were the circumstances under which the police, as a controller, wrongly disclosed personal data in such apparently serious circumstances.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Act 2018, Information Commissioner, law enforcement, offences, police

Tagged as , , ,

March 22, 2025 · 5:55 am

O’Carroll v Meta – what now for targeted adverts on Facebook

Following the news that claimant Tanya O’Carroll and defendant Meta have settled ahead of what was likely to be a landmark data protection case, what are the implications?

Ms O’Carroll argued that advertising served to her on Facebook, because it was targeted at her, met the definition of “direct marketing” under section 122(5) of the Data Protection Act 2018 (“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”) and thus the processing of her personal data for the purposes of serving that direct marketing was subject to the absolute right to object under Article 21(2) and (3) UK GDPR.

Meta had disputed that the advertising was direct marketing.

The “mutually agreed statement” from Ms O’Carroll says “In agreeing to conclude the case, Meta Platforms, Inc. has agreed that it will not display any direct marketing ads to me on Facebook, will not process my data for direct marketing purposes and will not undertake such processing (including any profiling) to the extent it is related to such direct marketing”.

One concludes from this that Meta will, at least insofar as the UK GDPR applies to its processing, now comply with any Article 21(2) objection, and, indeed, that is how it is being reported.

But will the upshot of this be that Meta will introduce ad-free services in the UK, but for a charge (because its advertising revenues will be likely to drop if people object to targeted ads)? It is indicating so, with a statement saying “Facebook and Instagram cost a significant amount of money to build and maintain, and these services are free for British consumers because of personalised advertising. Like many internet services, we are exploring the option of offering people based in the UK a subscription and will share further information in due course”.

The ICO intervened in the case, and have uploaded a summary of their arguments, which were supportive of Ms O’Carroll’s case, and her lawyers AWO Agency have also posted an article on the news.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, facebook, Information Commissioner, marketing, Meta, Right to object, UK GDPR

Tagged as , ,

March 11, 2025 · 6:04 am

Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) of a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, offences

Tagged as ,

March 8, 2025 · 6:31 am

Can a data subject inspect withheld information in court proceedings?

When a controller, in response to a subject access request, has withheld personal data on the grounds of an exemption or exemptions, the data subject can apply to the court for a compliance order, under section 167 of the Data Protection Act 2018. That application will be determined by a judge who must determine whether the personal data was properly withheld or not. But general rules in adversarial proceedings do not permit one side and the judge to have access to material when the other side does not. So can the claimant and his/her lawyers therefore have access to the withheld information? Of course not – you all say – that would be absurd. However, the picture is not quite as clear as one might think.

Section 15(2) of the Data Protection Act 1998 specifically dealt with this issue: it said that the information should “be made available for [the judge’s] own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives”.

But no such provision is contained in the equivalent sections of the 2018 Act. That appears to have been a drafting error.

The issue came up in X -v- The Transcription Agency LLP [2024] 1 WLR 33, and the court there held that

it would defeat the purpose of the legislation if a person challenging the application of an exemption were to be given sight of the material for the purpose of advancing his or her arguments…It would bring about a situation in which a party seeking personal data “would have obtained the very thing which the hearing was designed to decide”

As a result, I imagine, of the X case, Parliament moved to address the lacuna in the law: the Data Protection and Digital Information Bill contained a clause which would have given the court the express power contained in section 15(2) of the 1998 Act. That Bill was, of course, dropped just before the 2024 General Election, but the Data (Use and Access) Bill, now speeding through the Commons, contains something similar, at clause 103.

And so it was that the issue again arose in recent proceedings – Cole v Marlborough College [2024] EWHC 3575 (KB) – involving a former pupil who is seeking information through subject access regarding an investigation into a disciplinary matter in his former school.

As in X, the judge noted the absence of any express power to inspect the materials without permitting their disclosure to the claimant. But, relying on X, the judge held that there was an implied power (either implied within section 167) and/or in exercise of the court’s inherent jurisdiction.

Given the impending amendment of the statute to make the power express, rather than implied, these cases will probably just become footnotes, rather than landmark judgments. But they’re interesting for illustrating how courts will find implied powers and procedures where justice demands it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, Data Protection Act 2018, judgments, subject access

Tagged as ,

February 4, 2025 · 6:15 am

NHS England and publication of the Calocane report

[reposted from my LinkedIn account]

[Edited to add: the day following the upload of this post NHS England did an about turn, and published the report in full, saying “The NHS has taken the decision to publish the report in full in line with the wishes of the families and given the level of detail already in the public domain”]

NHS England is reported to be refusing, partly on data protection grounds, to publish the full independent review report into the care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023.

The report is said to be over 200 pages long, and although a summary will be published, families of the victims are calling for the full report (which they only saw after pressure from their lawyers) to be published on public interest grounds, saying “we have grave concerns about the conduct of the NHS”.

So does data protection law prevent disclosure?

The report will clearly contain details of Calocane’s health, and as such it constitutes a special category of personal data, requiring a condition for processing from Article 9 of the UK GDPR. The most likely candidate would be Article 9(2)(g):

processing is necessary for reasons of substantial public interest, on the basis of domestic law….

The domestic law provisions referred to are contained in schedule 1 to the Data Protection Act 2018. And at first glance, it is not straightforward to identify a provision which would permit disclosure.

However, paragraph 11 potentially does. It deals with processing which is necessary for a “protective function”, must be carried without the consent of the data subject so as not to prejudice that protective function and which is necessary for reasons of substantial public interest. A “protective function” includes a function which is intended to protect members of the public against failures in services provided by a body or association.

Reports into homicides by patients in receipt of mental health care are commissioned by NHS England under the Serious Incident Framework “Supporting learning to prevent recurrence”, and this says that “publication of serious incident investigation reports and action plans is considered best practice”, although “reports should not contain confidential personal information unless…there is an overriding public interest”.

I’m not saying it’s a straightforward legal question, as to whether the report can be published, but an argument can be made that there is a substantial, overriding, public interest in disclosure in order that the public can be aware of any failings and understand what actions are being taken to address them. No doubt though that NHS England’s argument would be that this is achieved by publication of the summary report.

I imagine, in any case, that freedom of information requests will be made for the full report, so ultimately we may see the Information Commissioner’s Office, and maybe the courts, rule on this.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Data Protection Act 2018, NHS, UK GDPR

Tagged as ,

January 30, 2025 · 7:54 am

Exceptionally unlikely: ICO and judicial review

[reposted from my LinkedIn account]

Where Parliament has entrusted a specialist body with bringing prosecutions, such as the Serious Fraud Office, or the Information Commissioner’s Office (ICO), it is “only in highly exceptional circumstances” that a court will disturb a decision made by that body (see Lord Bingham in R(Corner House and others) v Director of the Serious Fraud Office [2008] UKHL 60)).

Such was the situation faced by the claimant in an unsuccessful recent application for judicial review of two decisions of the ICO.

The claimant, at the time of the events in question, was a member of the Labour Party and of the Party’s “LGBT+Labour” group, She had been concerned about an apparent disclosure of the identity and trans status of 120 members of a “Trans Forum” of the group, of which she was also a member, and of what she felt was a failure by the LGBT+Labour group to inform members of the Forum of what had happened.

She reported this to the ICO as potential offences under sections 170 and 173 of the Data Protection Act 2018 (it’s not entirely clear what specific offences would have been committed), and she asked whether she was “able to discuss matters relating to potential data breaches with the individuals involved”. The ICO ultimately declined to prosecute, and also informed her that disclosing information to the individuals could in itself “potentially be a section 170 offence”.

The application for judicial review was i) in respect of the “warning” about a potential prosecution in the event she disclosed information to those data subjects, and her subsequent rejected request for a commitment that she would not be prosecuted, and ii) in respect of the decision not to prosecute LGBT+Labour.

Neither application for permission succeeded. In the first case, there was no decision capable of being challenged: it was an uncontroversial statement by the ICO about a hypothetical and fact-sensitive future situation, and in any event she was out of time in bringing the application. In the second case, there were no “highly exceptional circumstances” that would enable the court “to consider there was a realistic prospect of showing that the ICO had acted outside the wide range of its discretion when deciding not to prosecute”.

One often sees suggestions that the ICO should be JRd over its failure to take action (often in a civil context). This case illustrates the deference that the courts will give to its status and expertise both as regulator and prosecutor. Outside the most exceptional of cases, such challenges are highly unlikely to succeed.

Peto v Information Commissioner [2025] EWHC 146 (Admin)

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner, judgments, judicial review

Tagged as ,