Category Archives: Data Protection Act 2018

A-levels and data protection – potential challenges?

A new post by me on the Mishcon de Reya website, looking at whether GDPR and the DPA offer the potential for challenges to A-level results.

UPDATE: 14.08.20

A rather odd statement has just been put out by the ICO which suggests that Ofqual have told the former that automated decision making didn’t take place. I’ve updated the Mishcon piece to say this:

The ICO has now issued a statement saying that “Ofqual has stated that automated decision making does not take place when the standardisation model is applied, and that teachers and exam board officers are involved in decisions on calculated grades”. This appears at odds with the statement in Ofqual’s “Privacy Impact Assessment“, which states that the process does involve “automated elements as well as human elements”. Whether this means that the Ofqual standardisation model did not involve “solely” automated decision making will no doubt be determined in the various legal challenges which are apparently currently being mounted.

Oddly, the ICO also says that concerns should be raised with exam boards first, before the ICO will get involved. This does not immediately appear to be in line with the ICO’s obligation to handle complaints, under Article 57 of GDPR (which doesn’t say anything about data subjects having to raise concerns with someone else first).

Leave a comment

Filed under Data Protection, Information Commissioner, GDPR, accuracy, Data Protection Act 2018

BA hints at massively reduced size of ICO proposed fine

A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a E22m fine.

 

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

High Court – subject access, breach of confidence and the offence of reidentification

An interesting case is being heard in the High Court, arising from an apparent error whereby, in responding to a subject access request (SAR), the London Borough of Lambeth allowed the recipient (and now defendant) data subject to electronically manipulate the information sent to him. This in turn enabled him to remove redactions, and identify someone who had made allegations against him and his wife (about the care they were providing to their child).

This is nightmare scenario for a controller – to inadvertently disclose extremely sensitive information, while responding to a SAR. In this instance, Lambeth have now brought a claim in breach of confidence against the defendant data subject, on the grounds that: the data was provided to the data subject in circumstances where he knew it was confidential; that he breached that confidentiality by unredacting the data, retaining an unredacted copy of the file, using the evidence to write a pre-action letter to the person who made allegations against him and his wife and threatening to bring court proceedings against them based on the information; and that it is integral to the work of Children’s Services that people who bring to its attention instances of perceived inadequate care or neglect of children are able to do so under conditions of confidentiality and can be assured that their confidentiality will be respected.

The instant proceedings were primarily concerned with a strike-out application by the defendant data subject, on the grounds of non-compliance by Lambeth with its (litigation) disclosure obligations. This application was roundly dismissed, and the matter will proceed to trial.

But of particular note is that, notwithstanding that the original error was Lambeth’s, it was revealed in the proceedings that the Information Commissioner’s Office (ICO) is also prosecuting the defendant data subject on charges of committing the offences of knowingly or recklessly re-identifying de-identified personal data, without the consent of the data controller, and knowingly or recklessly processing re-identified personal data, without the consent of the data controller. These are new offences created by sections 171(1) and 171(5) of the Data Protection Act 2018, and, when that Act was passed, it appeared that the mischief the provisions sought to address was the risk of hackers and fraudsters attempting to identify data subjects from large datasets (see the debates at Bill stage). It will be interesting to see if the ICO’s prosecution here results in a conviction. But it will also be interesting to see if ICO considers similar prosecutions in other circumstances. Although there is a public interest defence (among others) to section 171 charges, it is not an uncommon occurrence for public authorities (particularly) to inadvertently disclose or publish information with imperfect redactions. It certainly appears, on a plain reading of section 171, that someone re-identifying de-identified personal data (even if, say, for idle reasons of curiosity) might not always be able to avail themselves of the public interest defence.

And what is unsaid in the judgment, is whether Lambeth are facing any sort of civil, regulatory action from the ICO, arising from their error in sending the imperfectly redacted information in the first place.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under anonymisation, Data Protection, Data Protection Act 2018, Information Commissioner, local government, subject access

Podcast – GDPR two years on

Here’s a podcast I recently recorded with my Mishcon de Reya colleague Adam Rose, looking at some of the issues we think are salient two years after GDPR became directly applicable in the U.K.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR

Yet more delays to proposed ICO BA and Marriott fines

I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

COVID-19 and ICO’s proposed fines for BA and Marriott

I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Why the big pause? ICO delay agreed re GDPR fines

On the Mishcon website: ICO agrees delay over GDPR fines with both BA and Marriott

 

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, GDPR, Information Commissioner, monetary penalty notice

First prosecution under DPA 2018?

The Information Commissioner has successfully prosecuted a former Social Services Support Officer at Dorset County Council for an offence under section 170 of the Data Protection Act 2018 – I think that this is the first such prosecution under the 2018 Act. Section 170 is in broadly similar terms to section 55 of the Data Protection Act 1998, under which any number of prosecutions were brought for unlawfully obtaining (etc) personal data without the consent of the controller.

Just as the 1998 Act did, the 2018 Act reserves such prosecutions to the Commissioner (except that they may also be brought by or with the consent of the Director of Public Prosecutions – see s197 of the 2018 Act).

What we have not yet seen is a prosecution of the “new” offence at section 170(1)(c) of retaining personal data (after obtaining it) without the consent of the person who was the controller when it was obtained. This is a most interesting provision – I have wondered whether the mischief it aims to address is that which arises when someone inadvertently obtains personal data (perhaps as a result of a mistake by the controller) but then refuses to hand it back. This is not an infrequent occurrence, and powers at civil law to address the issue are potentially complex and expensive to exercise. It will be interesting to see whether prosecutions in this regard emerge in due course.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner

The most boring blogpost on this blog?

Although GDPR, and the Data Protection Act 2018 (DPA18), took effect from 25 May 2018, it has been notable that the Information Commissioner’s Office (ICO) has continued to exercise its enforcement powers under the prior law. There is no problem with this, and it is only to be expected, given that regulatory investigations can take some time. The DPA18 contains transitional provisions which mean that certain sections of the Data Protection Act 1998 continue to have effect, despite its general repeal. This is the reason, for instance, why the ICO could serve its recent enforcement notice on Hudson Bay Finance Ltd using the powers in section 40 of the 1998 – paragraph 33 of Schedule 20 to the DPA18 provides that section 40 of the 1998 Act continues to apply if the ICO is satisfied that the controller contravened the old data protection principles before the rest of the 1998 Act was repealed.

However, what is noticeable in the Hudson Bay Finance Ltd enforcement notice is that it says that it was prompted by a request for assessment by the complainant, apparently made on 21 September 2018, purportedly made under section 42 of the 1998 Act. I say “purportedly” because the transitional provisions in Schedule 20 of DPA18 require the ICO to consider a request for assessment made before 25 May 2018, but in all other respects, section 42 is repealed. Accordingly, as a matter of law, a data subject can (after 25 May 2018) no longer exercise their right to request an assessment under section 42 of the 1998 Act.

This is all rather academic, because it appears to me that the ICO has discretion – even if it does not have an obligation – to consider a complaint by a data subject relating to compliance with the 1998 Act. And ICO clearly (as described above) has the power still to take enforcement action for contraventions of the 1998 Act. But no one ever told me I can’t use my blog to make arid academic points.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, Information Commissioner