Category Archives: Data Protection

MPs have rights too

The Guardian reports on MPs’ concerns that IPSA’s proactive commitment to transparency is putting them at risk. Could those MPs use the Data Protection Act to stop IPSA publishing?

Anyone who has worked in the fields of Freedom of Information (FOI) and transparency will have come across colleagues or third parties who fear that one will simply disclose information, including personal information, into the public domain, without any thought. The reality is very different: FOI and transparency  professionals need to be expert not only in FOI law, but also other laws, such as breach of confidence, and, especially, the law of data protection: the FOI Act’s most cited exemption is at section 40(2), which provides an absolute exemption to disclosure where to do so would contravene someone’s rights under the Data Protection Act 1998 (DPA).

With this in mind, and at least on the face of things, I have some sympathies with MPs concerned at proactive disclosure of details of mileage claims by IPSA (the Independent Parliamentary Standards Authority). (Although the law requires candidates for parliamentary seats to declare their home address, as UKIP’s Paul Nuttall has recently been reminded, candidates can ask that the addresses not be made public.) The Guardian reports that the SNP’s Angus Robertson has ordered colleagues to stop submitting claims, because

data now required to make a claim for mileage, including the locations of journeys travelled to and from on a daily basis, was now being publicised [by IPSA]

Robertson says

Ipsa have been aware for some time that they are inadvertently confirming the home locations of parliamentarians, which runs contrary to basic security advice

Although IPSA appear to dispute that what is being published could locate specific properties, it is important to note that the expenses information being published is the personal data of the MPs involved. Therefore, any processing of it by IPSA must be in accordance with their obligations under the Data Protection Act 1998 (DPA). The first data protection principle (in Schedule One of the DPA) requires that processing must be fair and lawful: if Robertson and others are right that there is a risk of disclosure of their home addresses (maybe by combining the IPSA data with other publicly available data), there is a strong argument that the processing is not fair.

So what can MPs do? Well, in addition to refusing to submit claims (which is rather cutting off one’s nose to spite one’s face), the DPA offers a possible option. Section 10 allows a data subject to serve a notice in writing requiring a data controller to cease a specified act of processing, on the grounds that the processing is causing unwarranted substantial distress. Upon receipt of such a notice the data controller has twenty one days to respond, either by ceasing the processing, or stating why it considers the notice unjustified. At that point the data subject can ask a court to rule on whether the notice was justified, and order such steps as are appropriate.

Were an MP or MPs to serve such a notice, it might be difficult for IPSA to dispute the potential for substantial distress to be caused – if MPs reasonably fear that disclosure of their home addresses could occur (and it seems to me to be quite possible that they could – a location frequently travelled from at the start of a day, and to at the end of the day is quite likely to be a place of residence) then, given the horrendous murder of Jo Cox last year, and general ongoing security threats, I don’t think it would be surprising for such distress to be caused. And if the distress caused is real and substantial, could IPSA say it was warranted? I very much doubt it – the publication of this information is not necessary for the performance of IPSA’s core functions.

IPSA say that they have “consulted police” and feel that there is not a risk, although the Guardian suggests that both the Met and “senior security sources” have expressed concerns.

MPs’ expenses of course play an important part in the history of FOI in the UK, and some of the abuses of the system which were revealed when the requested information was leaked to the Telegraph were egregious (although it’s always worth remembering that were it not for the leak, a lot of the more gory details would probably not have emerged). But threats to MPs are real and serious, and one wonders why IPSA, even if it thinks the risk of identification of home addresses is low or even non-existent would not want to review the practice. A section 10 notice would, though, force the issue.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Freedom of Information, parliament

Why what Which did wears my patience thin

Pre-ticked consent boxes and unsolicited emails from the Consumers’ Association

Which?, the brand name of the Consumers’ Association, publishes a monthly magazine. In an era of social media, and online reviews, its mix of consumer news and product ratings might seem rather old-fashioned, but it is still (according to its own figures1) Britain’s best-selling monthly magazine. Its rigidly paywalled website means that one must generally subscribe to get at the magazine’s contents. That’s fair enough (although after my grandmother died several years ago, we found piles of unread, unopened even, copies of Which? She had apparently signed up to a regular Direct Debit payment, probably to receive a “free gift”, and had never cancelled it: so one might draw one’s own conclusion about how many of Which?’s readers are regular subscribers for similar reasons).

In line with its general “locked-down” approach, Which?’s recent report into the sale of personal data was, except for snippets, not easy to access, but it got a fair bit of media coverage. Intrigued, I bit: I subscribed to the magazine. This post is not about the report, however, although the contents of the report drive the irony of what happened next.

As I went through the online sign-up process, I arrived at that familiar type of page where the subject of future marketing is broached. Which? had headlined their report “How your data could end up in the hands of scammers” so it struck me as amusing, but also irritating, that the marketing options section of the sign-in process came with a pre-ticked box:

img_0770

As guidance from the Information Commissioner’s Office makes clear, pre-ticked boxes are not a good way to get consent from someone to future marketing:

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user.

The Article 29 Working Party goes further, saying in its opinion on unsolicited communications for marketing purposes that inferring consent to marketing from the use of pre-ticked boxes is not compatible with the data protection directive. By extension, therefore, any marketing subsequently sent on the basis of a pre-ticked box will be a contravention of the data protection directive (and, in the UK, the Data Protection Act 1998) and the ePrivacy directive (in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)).

Nothwithstanding this, I certainly did not want to consent to receive subsequent marketing, so, as well as making a smart-arse tweet, I unticked the box. However, to my consternation, if not my huge surprise, I have subsequently received several marketing emails from Which? They do not have my consent to send these, so they are manifestly in contravention of regulation 22 of PECR.

It’s not clear how this has happened. Could it be a deliberate tactic by Which?  to ignore subscribers’ wishes? One presumes not: Which? says it “exists to make individuals as powerful as the organisations they deal with in their daily live” – deliberately ignoring clear expressions regarding consent would hardly sit well with that mission statement. So is it a general website glitch – which means that those expressions are lost in the sign-up process? If so, how many individuals are affected? Or is it just a one-off glitch, affecting only me?

Let’s hope it’s the last. Because the ignoring or overriding of expressions of consent, and the use of pre-ticked boxes for gathering consent, are some of the key things which fuel trade in and disrespect for personal data. The fact that I’ve experience this issue with a charity which exists to represent consumers, as a result of my wish to read their report into misuse of personal data, is shoddy, to say the least.

I approached Which? for a comment, and a spokesman said:

We have noted all of your comments relating to new Which? members signing up, including correspondence received after sign-up, and we are considering these in relation to our process.

I appreciate the response, although I’m not sure it really addresses my concerns.

1Which? Annual Report 2015/2016

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, Directive 95/46/EC, Information Commissioner, marketing, PECR, spam, subject access

Data Protection distress compensation for CCTV intrusion

The Information Commissioner’s Office (ICO) recently (2 February) successfully prosecuted a business owner for operating CCTV without an appropriate notification under section 18 of the Data Protection Act 1998 (DPA), announcing:

Businesses could face fines for ignoring CCTV data protection law

But a recent case in the Scottish Sheriff Court shows that CCTV and data protection can also have relevance in private law civil proceedings. In Woolley against Akbar [2017] ScotsSC 7 the husband and wife pursuers (equivalent to claimants in England and Wales) successfully brought a claim for compensation for distress caused by the defender’s (defendant in England and Wales) use of CCTV cameras which were continuously recording video and audio, and which were deliberately set to cover the pursuers’ private property (their garden area and the front of their home). Compensation was assessed at £8634 for each of the pursuers (so £17268 in total) with costs to be assessed at a later date.

Two things are of particular interest to data protection fans: firstly, the willingness of the court to rule unequivocally that CCTV operated in non-compliance with the DPA Schedule One principles was unlawful; and secondly, the award of compensation despite the absence of physical damage.

The facts were that Mr and Mrs Woolley own and occupy the upper storey of a dwelling place, while Mrs Akbar owns and operates the lower storey as a guest house, managed by her husband Mr Akram. In 2013 the relationship between the parties broke down. Although both parties have installed CCTV systems, the pursuers’ system only monitors their own property, but this was not the case with the defender’s:

any precautions to ensure that coverage of the pursuers’ property was minimised or avoided. The cameras to the front of the house record every person approaching the pursuers’ home. The cameras to the rear were set deliberately to record footage of the pursuers’ private garden area. There was no legitimate reason for the nature and extent of such video coverage. The nature and extent of the camera coverage were obvious to the pursuers, as they could see where the cameras were pointed. The coverage was highly intrusive…the defender also made audio recordings of the area around the pursuers’ property…they demonstrated an ability to pick up conversations well beyond the pursuers’ premises. There are four audio boxes. The rear audio boxes are capable of picking up private conversations in the pursuers’ rear garden. Mr Akram, on one occasion, taunted the pursuers about his ability to listen to them as the pursuers conversed in their garden. The defender and Mr Akram were aware of this at all times, and made no effort to minimise or avoid the said audio recording. The nature of the coverage was obvious to the pursuers. Two audio boxes were installed immediately below front bedroom windows. The pursuers feared that conversations inside their home could also be monitored. The said coverage was highly intrusive.

Although, after the intervention of the ICO, the defender realigned the camera at the rear of the property, Sheriff Ross held that the coverage “remains intrusive”. Fundamentally, the sheriff held that the CCTV use was: unfair (in breach of the first data protection principle); excessive in terms of the amount of data captured (in breach of the third data protection principle); and retained for too long (in breach of the fifth data protection principle).

The sheriff noted that, by section 13(2) of the DPA, compensation for distress can only be awarded if the pursuer has suffered “damage”, which was not the case here. However, the sheriff further correctly noted, and was no doubt taken to, the decision of the Court of Appeal in Vidal-Hall & Ors v Google [2015] EWCA Civ 311 in which the court struck down section 13(2) as being incompatible with the UK’s obligations under the European data protection directive and the Charter of Fundamental Rights (my take on Vidal Hall is here). Accordingly, “pure” distress compensation was available.

Although the facts here show a pretty egregious breach of DPA, it is good to see a court understanding and assessing the issues so well, no doubt assisted in doing so by Paul Motion, of BTO Solicitors, who appeared for the pursuers.

One niggle I do have is about the role of the ICO in all this: they were clearly apprised of the situation, and could surely have taken enforcement action to require the stopping of the CCTV (although admittedly ICO cannot make an award of compensation). It’s not clear to me why they didn’t.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under damages, Data Protection, Information Commissioner

Get rights right, gov.uk

Government page on subject access rights is not accurate

Right of access to data about oneself is recognised as a fundamental right (article 8(2) of the Charter of Fundamental Rights of the European Union*). Section 7 of the UK’s Data Protection Act 1998 (DPA) gives expression to this, and provides that as a general right individuals are entitled to be told whether someone else is processing their data, and why, and furthermore (in terms) to be given a copy of that data. The European General Data Protection Regulation retains and bolsters this right, and recognises its importance by placing it in the category of provisions non-compliance with which could result in an administrative fine for a data controller of up to €20m or 4% of turnover (whichever is higher).

So subject access is important, and this is reflected in the fact that it is almost certainly the most litigated of provisions of the DPA (a surprisingly under-litigated piece of legislation). Many data controllers need to commit significant resources to comply with it, and the Information Commissioner’s Office (ICO) produced a statutory code of practice on the subject in 2014.

But it is not an absolute right. The DPA explains that there are exemptions to the right where, for instance, compliance would be likely to prejudice the course of criminal justice, or national security, or, in the case of health and social care records, would be likely to cause serious harm to the data subject or another person. Additionally the DPA recognises that, where complying with a subject access request would involve disclosing information about another individual, the data controller should not comply unless that other person consents, or unless it “is reasonable in all the circumstances to comply with the request without the consent of the other individual” (section 7(4) DPA).

But this important caveat (the engagement of the parallel rights of third parties) to the right of subject access is something which is almost entirely omitted in the government’s own web guidance regarding access to CCTV footage of oneself. It says

The CCTV owner must provide you with a copy of the footage that you can be seen in. They can edit the footage to protect the identities of other people.

The latter sentence is true, and especially in the case where footage captures third parties it is often appropriate to take measures to mask their identities. But the first sentence is simply not true. And I think it is concerning that “the best place to find government services and information” (as gov.uk describes itself) is wrong in its description of a fundamental right.

A data controller (let’s ignore the point that a “CCTV owner” might not necessarily be the data controller) does not have an unqualified obligation to provide information in response to a subject access request. As anyone working in data protection knows, the obligation is qualified by a number of exemptions. The page does allude to one of these (at section 29 of the DPA):

They can refuse your request if sharing the footage will put a criminal investigation at risk

But there are others – and the ICO has an excellent resource explaining them.

What I don’t understand is why the gov.uk page fails to provide better (accurate) information, and why it doesn’t provide a link to the ICO site. I appreciate that the terms and condition of gov.uk make clear that there is no guarantee that information is accurate, but I think there’s a risk here that data subjects could gather unreasonable expectations of their rights, and that this could lead to unnecessary grievances or disputes with data controllers.

Gov.uk invite comments about content, and I will be taking up this invitation. I hope they will amend.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

 

Leave a comment

Filed under Data Protection, Information Commissioner, subject access

A Massive Impact for the ICO?

[Edited to add: it is well worth reading the comments to this piece, especially the ones from Chris Pounder and Reuben Binns]

I needed a way to break a blogging drought, and something that was flagged up to me by a data protection colleague (thanks Simon!) provides a good opportunity to do so. It suggests that the drafting of the GDPR could lead to an enormous workload for the ICO.

The General Data Protection Regulation (GDPR) which entered into force on 24 May this year, and which will apply across the European Union from 25 May 2018, mandates the completion of Data Protection Impact Assessments (DPIAs) where indicated. Article 35 of the GDPR explains that

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data

In the UK (and indeed elsewhere) we already have the concept of “Privacy Impact Assessments“, and in many ways all that the GDPR does is embed this area of good practice as a legal obligation. However, it also contains some ancillary obligations, one of which is to consult the supervisory authority, in certain circumstances, prior to processing. And here is where I get a bit confused.

Article 36 provides that

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk
[emphasis added]

A close reading of Article 36 results in this: if the data controller conducts a DPIA, and is of the view that if mitigating factors were not in place the processing would be high risk, it will have to consult supervisory authority (in the UK, the Information Commissioner’s Office (ICO)). This is odd: it effectively renders any mitigating measures irrelevant. And it appears directly to contradict what recital 84 says

Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing [emphasis added]

So, the recital says the obligation to consult will arise where high risk is involved which the controller can’t mitigate, while the Article says the obligation will arise where high risk is involved notwithstanding any mitigation in place.

Clearly, the Article contains the specific legal obligation (the recital purports to set out the reason for the contents of the enacting terms), so the law will require data controllers in the UK to consult the ICO every time a DPIA identifies an inherently high risk processing activity, even if the data controller has measures in place fully to mitigate and contain the risk.

For example, let us imagine the following processing activity – collection of and storage of customer financial data for the purposes of fulfilling a web transaction. The controller might have robust data security measures in place, but Article 36 requires it to consider “what if those robust measures were not in place? would the processing be high risk?” To which the answer would have to be “yes” – because the customer data would be completely unprotected.

In fact, I would submit, if article 36 is given its plain meaning virtually any processing activity involving personal data, where there is an absence of mitigating measures, would be high risk, and create a duty to consult the ICO.

What this will mean in practice remains to be seen, but unless I am missing something (and I’d be delighted to be corrected if so), the GDPR is setting the ICO and other supervisory authorities up for a massive influx of work. With questions already raised about the ICO’s funding going forward, that is the last thing they are likely to need.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Data Protection, GDPR, Information Commissioner

Any Safe Harbor in a storm…?

The ICO has contacted me to say that it actually selected SnapSurveys because they offered clients the option of hosting survey response on UK servers, and it has checked with SnapSurveys that this remains the case. I’ve been pointed me to http://www.snapsurveys.com/survey-software/security-accessibility-and-professional-outline/ which confirms this point.

So the answer to my question

Is the ICO making unlawful transfers of personal data to the US?

I’m pleased to confirm, appears to be “no”.

Earlier this week the Information Commissioner’s Office (ICO) published a blogpost by Deputy Commissioner David Smith, entitled The US Safe Harbor – breached but perhaps not destroyed!

“Don’t panic” says David to those data controllers who are currently relying on Safe Harbor as a means of ensuring that personal data transferred by them to the United States has adequate protection (in line with the requirements of Article 25 of the European Data Protection Directive, and the eighth principle of schedule one of the UK’s Data Protection Act 1998 (DPA)). He is referring, of course, to the recent decision of the Court of Justice of the European Union in Schrems. which Data controllers should, he says, “take stock” and “make their own minds up”:

businesses in the UK don’t have to rely on Commission decisions on adequacy. Although you won’t get the same degree of legal certainty, UK law allows you to rely on your own adequacy assessment. Our guidance tells you how to go about doing this.  Much depend [sic] here on the nature of the data that you are transferring and who you are transferring it to but the big question is can you reduce the risks to the personal data, or rather the individuals whose personal data it is, to a level where the data are adequately protected after transfer? The Safe Harbor can still play a role here.

Smith also refers to a recent statement by the Article 29 Working Party – the grouping of representatives of the various European data protection authorities, of which he is a member – and refers to “the substance of the statement being measured, albeit expressed strongly”. What he doesn’t say is how unequivocal it is in saying that

transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful

And this is particularly interesting because, as I discovered today, the ICO itself appears (still) to be making transfers under Safe Harbor. I reported a nuisance call using its online tool (in doing so I included some sensitive personal data about a family member) and noticed that the tool was operated by SnapSurveys. The ICO’s own website privacy notice says

We collect information volunteered by members of the public about nuisance calls and texts using an online reporting tool hosted by Snap Surveys. This company is a data processor for the ICO and only processes personal information in line with our instructions.

while SnapSurveys’ privacy policy explains that

Snap Surveys NH, Inc. complies with the U.S. – E.U. Safe Harbor framework

This does not unambiguously say that SnapSurveys are transferring the personal data of those submitting reports to the ICO to the US under Safe Harbor – it is possible that the ICO has set up some bespoke arrangement with its processor, under which they process that specific ICO data within the European Economic Area – but it strongly suggests it.

It is understandable that a certain amount of regulatory leeway and leniency be offered to data controllers who have relied on Safe Harbor until now – to that extent I agree with the light-touch approach of the ICO. But if it is really the case that peoples’ personal data are actually being transferred by the regulator to the US, three weeks after the European Commission decision of 2000 that Safe Harbor provided adequate protection was struck down, serious issues arise. I will be asking the ICO for confirmation about this, and whether, if it is indeed making these transfers, it has undertaken its own adequacy assessment.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

 

1 Comment

Filed under 8th principle, Data Protection, Directive 95/46/EC, Information Commissioner, safe harbor

A novel defence by Talk Talk?

Talk Talk, in response to the recent revelations about the compromising of the data of up to four million of its customers, says rather boldly

Has TalkTalk breached the Data Protection Act?
No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months. 

And it got me to wondering how well this rather novel approach could be extended in other legal areas.

The defendant, a Mr Talk Talk, was travelling at a speed of ninety-four miles per hour, and had consumed the equivalent of two bottles of gin. However, as the other driver involved in the collision had failed to renew his motor insurance we find that the defendant was evidently merely the victim of a crime, and my client could not, as a matter of law, have broken speeding and drink driving laws.

Furthermore, although the defendant later viciously kicked an elderly bystander in a motiveless attack, he cannot be guilty of an assault because the pensioner was recently convicted of watching television without a licence.

And finally, although my client picked up a police officer and threw him into a duck pond, the fact that the said officer once forgot to pay for a milky way in the staff canteen provides an absolute defence to the charge of obstructing a police officer in the line of duty.

Let’s see how well Talk Talk’s defence washes with the ICO.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Blackpool Displeasure Breach, redux

Over a year ago I blogged about a tweet by a member of the Oyston family connected with Blackpool FC:

a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn

For the reasons in that post I thought this raised interesting, and potentially concerning, data protection issues, and I mentioned that the Information Commissioner’s Office (ICO) had powers to take action. It was one of (perhaps the) most read posts (showing, weirdly, that football is possibly more of interest to most people than data protection itself) and it seemed that some people did intend complaining to the ICO. So, recently, I made an FOI request to the ICO for any information held by them concerning Blackpool FC’s data protection compliance. This was the reply

We have carried out thorough searches of the information we hold and have identified one instance where a member of the public raised concerns with the ICO in September 2014, about the alleged processing of personal data by Blackpool FC.

We concluded that there was insufficient evidence to consider the possibility of a s55 offence under the Data Protection Act 1998 (the DPA), and were unable to make an assessment as the individual had not yet raised their concerns with Blackpool FC direct.  We therefore advised the individual to contact the Club and to come back to us if they were still concerned, however we did not hear from them again.  As such, no investigation took place, nor was any assessment made of the issues raised.

This suggests the ICO appears wrongly to consider itself unable to undertake section 42 assessments under the Data Protection Act 1998 unless the data subject has complained to the data controller – a stance strongly criticised by Dr David Erdos on this blog, and one which has the potential to put the data subject further in dispute with the data controller (as I can imagine could have happened here, with a family some of whose members are ready to sue to protect their reputation). It also suggests though that maybe people weren’t quite as interested as the page views suggested. Nonetheless, I am posting this brief update, because a few people asked about it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

Complaint about Google’s Innuendo, redux

Some time ago I complained to the Information Commissioner’s Office (ICO) about the innuendo carried in the message that Google serves with search results on most personal names: “Some results may have been removed under data protection law in Europe”. I had already complained to Google UK, and wrote about it here. Google UK denied any responsibility or liability, and referred me to their enormous, distant, parents at 1600 Amphitheatre Parkway. I think they were wrong to do so, in light of the judgment of the Court of Justice of the European Union in the Google Spain case C‑131/12, but I will probably pursue that separately.

However, section 42 of the Data Protection Act 1998 (DPA) allows me to ask the ICO to assess whether a data controller has likely or not complied with its obligations under the DPA. So that’s what I did (pointing out that a search on “Jon Baines” or “Jonathan Baines” threw up the offending message).

In her response the ICO case officer did not address the jurisdiction point which Google had produced, and nor did she actually make a section 42 assessment (in fairness, I had not specifically cited section 42). What she did say was this

As you know, the Court of Justice of the European Union judgement in May 2014 established that Google was a data controller in respect of the processing of personal data to produce search results. It is not in dispute that some of the search results do relate to you. However, it is also clear that some of them will relate to other individuals with the same name. For example, the first result returned on a search on ‘Jonathan Baines’ is ‘LinkedIn’, which says in the snippet that there are 25 professionals named Jonathan Baines, who use LinkedIn.

It is not beyond the realms of possibility that one or more of the other individuals who share your name have had results about them removed. We cannot comment on this. However, we understand that this message appears in an overwhelming majority of cases when searching on any person’s name. This is likely to be regardless of whether any links have actually been removed.

True, I guess. Which is why I’ve reverted with this clarification of my complaint:

If it assists, and to extend my argument and counter your implied question “which Jon Baines are we talking about?”, if you search < “Jon Baines” Information Rights and Wrongs > (where the search term is actually what lies between the < >) you will get a series of results which undoubtedly relate to me, and from which I can be identified. Google is processing my personal data here (that is unavoidable a conclusion, given the ruling by the Court of Justice of the European Union in “Google Spain” (Case C‑131/12)). The message “Some results may have been removed under data protection law in Europe” appears as a result of the processing of my personal data, because it does not appear on every search (for instance < prime minister porcine rumours > or < “has the ICO issued the cabinet office an enforcement notice yet” >). As a product of the processing of my personal data, I argue that the message relates to me, and constitutes my personal data. As it carries an unfair innuendo (unfair because it implies I might have asked for removal of search results) I would ask that you assess whether Google have or have not likely complied with their obligation under section 4(4) to comply with the first and fourth data protection principles. (Should you doubt the innuendo point, please look at the list of results on a Twitter search for “Some results may have been removed”).

Let’s hope this allows the ICO to make the assessment, without my having to consider whether I need to litigate against one of the biggest companies in world history.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

8 Comments

Filed under Data Protection, Information Commissioner

When data security = national security

One of the options open to the Information Commissioner’s Office (ICO), when considering whether to take enforcement action under the Data Protection Act 1998 (DPA) is – as an alternative to such action – to invite an offending data controller to sign an “undertaking”, which will in effect informally commit it to taking, or desisting from, specified actions. An undertaking is a relatively common event (there have been fifty over the last year) – so much so that the ICO has largely stopped publicising them (other than uploading them to its website) – very rarely is there a press release or even a tweet.

There is a separate story to be explored about both ICO’s approach to enforcement in general, and to its approach to publicity, but I thought it was worth highlighting a rather remarkable undertaking uploaded to the ICO’s site yesterday. It appears that the airline Flybe reported itself to the ICO last November, after a temporary employee managed to scan another individual’s passport, and email it to his (the employee’s) personal email account. The employee in question was in possession of an “air side pass”. Such a pass allows an individual to work unescorted in restricted areas of airports and clearly implies a level of security clearance. The ICO noted, however, that

Flybe did not provide data protection training for all staff members who process personal data. This included the temporary member of staff involved in this particular incident…

This is standard stuff for DPA enforcement: lack of training for staff handling personal data will almost always land the data controller in hot water if something goes wrong. But it’s what follows that strikes me as remarkable

the employee accessed various forms of personal data as part of the process to issue air side passes to Flybe’s permanent staff. This data included copies of passports, banking details and some information needed for criminal record background checks. The Commissioner was concerned that such access had been granted without due consideration to carrying out similar background checks to those afforded to permanent employees. Given the nature of the data to which the temporary employee had access, the Commissioner would have expected the data controller to have had some basic checking controls in place.

Surely this raises concerns beyond the data protection arena? Data protection does not exist in isolation from a broader security context. If it was really the case that basic checking controls were not in place regarding Flybe’s temporary employees and data protection, might it raise concerns about how that impacts on national security?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, national security, undertaking