Category Archives: Data Protection

The most boring blogpost on this blog?

Although GDPR, and the Data Protection Act 2018 (DPA18), took effect from 25 May 2018, it has been notable that the Information Commissioner’s Office (ICO) has continued to exercise its enforcement powers under the prior law. There is no problem with this, and it is only to be expected, given that regulatory investigations can take some time. The DPA18 contains transitional provisions which mean that certain sections of the Data Protection Act 1998 continue to have effect, despite its general repeal. This is the reason, for instance, why the ICO could serve its recent enforcement notice on Hudson Bay Finance Ltd using the powers in section 40 of the 1998 – paragraph 33 of Schedule 20 to the DPA18 provides that section 40 of the 1998 Act continues to apply if the ICO is satisfied that the controller contravened the old data protection principles before the rest of the 1998 Act was repealed.

However, what is noticeable in the Hudson Bay Finance Ltd enforcement notice is that it says that it was prompted by a request for assessment by the complainant, apparently made on 21 September 2018, purportedly made under section 42 of the 1998 Act. I say “purportedly” because the transitional provisions in Schedule 20 of DPA18 require the ICO to consider a request for assessment made before 25 May 2018, but in all other respects, section 42 is repealed. Accordingly, as a matter of law, a data subject can (after 25 May 2018) no longer exercise their right to request an assessment under section 42 of the 1998 Act.

This is all rather academic, because it appears to me that the ICO has discretion – even if it does not have an obligation – to consider a complaint by a data subject relating to compliance with the 1998 Act. And ICO clearly (as described above) has the power still to take enforcement action for contraventions of the 1998 Act. But no one ever told me I can’t use my blog to make arid academic points.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, Information Commissioner

Blagging as academic research

A white paper on GDPR subject access rights, presented at the Blackhat USA 2019 conference, got a lot of UK media coverage recently. Less discussion was had, however, about whether the research raised questions about the ethics and legality of “blagging”.

The paper, by Oxford University DPhil researcher James Pavur and Casey Knerr, talked of “Using Privacy Laws to Steal Identities” and describes Pavur’s attempts to acquire another person’s (Knerr’s) data, by purporting to be that person and pretending to exercise their access rights under Article 15 of the General Data Protection Regulation (GDPR). It should be emphasised that Knerr was fully acquiescent in the exercise.

Pavur and Knerr’s paper has a section entitled “Ethical and legal concerns” but what it notably fails to address is the fact that deliberately obtaining personal data without the consent of the controller is potentially a criminal offence under UK law.

Since 1998 it has been an offence to deliberately obtain personal data by deception, with defences available where the obtaining was, for instance, justified as being in the public interest. The Data Protection Act 2018 introduces, at section 170, a new defence where the obtaining is for academic purposes, with a view to publication and where the person doing the obtaining reasonably believes that it was justified in the public interest. Previously, this defence was only available where the obtaining was for the “special purposes” of journalism, literature or art.

It would certainly appear that Pavur obtained some of the data without the consent of the controller (the controller cannot properly be said to have consented to its disclosure if it was effected by deception – indeed, such is the very nature of “blagging”), but it also appears that the obtaining was done for academic purposes and with a view to publication and (it is likely) in the reasonable belief that the obtaining was justified in the public interest.

However, one would expect that prior to conducting the research, some analysis of the legal framework would have revealed the risk of an offence being committed, and that, if this analysis had been undertaken, it would have made its way into the paper. Its absence makes the publicity given to the paper by Simon McDougall, of the Information Commissioner’s Office (ICO), rather surprising (McDougall initially mistakenly thought the paper was by the BBC’s Leo Kelion). Because although Pavur (and Knell) could almost certainly fall back on the “academic purposes” defence to the section 170 offence, a fear I have is that others might follow their example, and not have the same defence. Another fear is that an exercise like this (which highlights risks and issues with which controllers have wrestled for years, as Tim Turner points out in his excellent blogpost on the subject) might have the effect of controllers becoming even more keen to demand excessive identification credentials for requesters, without considering – as they must – the proportionality of doing so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

ICO change to guidance on Subject Access Request time limits

I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.

ICO change to guidance on Subject Access Request time limits

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Boris Johnson and GDPR

Might there have been a breach of data protection law in the recording, apparently by neighbours, of incidents at Boris Johnson’s home, and the passing of the recording to the media and the police? Almost certainly not.

(In this post I would like to avoid, as far as possible, broader ethical questions, and I will restrict any political observations to this: if Johnson becomes leader of the Conservative Party, and therefore prime minister, the two main UK political parties will be being led by people less fit to hold the role than at any time in my lifetime.)

In general, processing of personal data done for one’s own domestic purposes avoids the need for compliance with data protection law: Article 2(2)(c) of the General Data Protection Regulation (GDPR) – which of course provides the overarching statutory framework for most processing of personal data – says that the GDPR itself “does not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity”. This is understandable: were there not such a carve-out, one’s children might, say, try to sue one for unlawful processing of their pocket-money data.

However, that word “purely” is key in Article 2. Processing which is not in the course of a “purely” domestic activity, such as, say, passing a recording of an altercation involving one’s neighbours to the media and the police, will be within GDPR’s scope.

So if GDPR is likely to apply, what are the considerations?

Firstly, passing information to the police about an altercation involving one’s neighbours is straightforward: GDPR permits processing which is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)) and where the processing is necessary for the purposes of someone’s legitimate interests (provided that such interests are not overridden by the rights of the data subject) (Article 6(1)(f)).

But what of passing such information to the media? Well, here, the very broad exemption for the purposes of journalism will apply (even though the neighbours who are reported to have passed the information to the media are not, one assumes, journalists as such). GDPR requires members states to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes, and this obligation is given effect in UK law by paragraph 26 of Schedule 2 to the Data Protection Act 2018. This provides that the GDPR provisions (for the most part) do not apply to processing of personal data where it

is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and…the controller reasonably believes that the publication of the material would be in the public interest [and] the controller reasonably believes that the application of [the GDPR provisions] would be incompatible with the… purposes [of journalism].

Here, the controller is not just going to be the journalist or media outlet to whom the information was passed, but it is also likely to be the non-journalist person who actually passes the information (provides that the latter passes it with a view to its publication and does so under a reasonable belief that such publication would be in the public interest).

The equivalent exemption in the prior law (the Data Protection Act 1998) was similar, but, notably, applied to processing which was only carried for the purposes of journalism (or its statutory bedfellows – literature and art). The absence of the word “only” in the 2018 Act arguably greatly extends the exemption, or at least removes ambiguity (there was never any notable example of action being taken under the prior law against the media for processing which was alleged to be unlawful and which was for more than one purposes (i.e. not solely for the purposes of journalism)).

It seems almost certain, then, that Johnson’s non-journalist neighbours could avail themselves of the “journalism” exemption in data protection law. As could anyone who processes personal data with a view to its publication and who reasonably believes such publication is in the public interest: we should prepare to see this defence aired frequently over the coming years. Whether the exemption is too broad is another question.

Because of the breadth of the journalism exemption in data protection law, actions are sometimes more likely to be brought in the tort of misuse of private information (see, for example, Cliff Richard v BBC, and Ali v Channel 5). Whether such a claim might be available in this case is also another question, and not one for this blog.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, journalism, police

Information Tribunal rejects data subject appeals under new Data Protection Act

The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Information Tribunal

ICO – HMRC must delete 5 million voice records

I have a piece on the Mishcon de Reya website, on news that the ICO has required HMRC to delete 5 million unlawfully gathered Voice ID records.

Leave a comment

Filed under consent, Data Protection, HMRC, Information Commissioner

Farrow & Ball lose appeal for non-payment of data protection fee

I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.

Leave a comment

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency

ICO – no GDPR fines in the immediate pipeline

FOI request reveals ICO has served no “notices of intent” to serve fines under GDPR. A new piece by me on the Mishcon de Reya website.

Leave a comment

Filed under Data Protection, Freedom of Information, GDPR, Information Commissioner, monetary penalty notice

MPs, Lords, councillors exempt from data protection fee

As I have previously discussed on the Mishcon de Reya website, the General Data Protection Regulation (“GDPR”) removed the requirement at European law for data controllers to “register” with their supervisory authority. However, in the UK, the need to provide a funding stream for the data protection work of the Information Commissioner’s Office (ICO) led parliament to pass laws (The Data Protection (Charges and Information) Regulations 2018) (“the Fee Regulations”), made under sections 137 and 138 of the Data Protection Act 2018 (“DPA”)) requiring controllers to pay a fee to the ICO, unless an exemption applied.

New amendment regulations (The Data Protection (Charges and Information) (Amendment) Regulations 2019) have now been passed, following a consultation run by DCMS last year. These mean that new categories of exempt processing are introduced. In short, processing of personal data by members of the House of Lords, elected representatives and prospective representatives is also now “exempt processing” for the purposes of the Fee Regulations. “Elected representative” means (adopting the definition at paragraph 23(3)(a) to (d) and (f) to (m) of Schedule 1 to the DPA)

a member of the House of Commons;
a member of the National Assembly for Wales;
a member of the Scottish Parliament;
a member of the Northern Ireland Assembly;
an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972
an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;
a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
the Mayor of London or an elected member of the London Assembly;
an elected member of the Common Council of the City of London, or the Council of the Isles of Scilly;
an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972;
a police and crime commissioner.

But, it should be noted, MEPs’ processing is not exempt, and, for the time being at least, they must still pay a fee.

6 Comments

Filed under Data Protection, DCMS, GDPR