Category Archives: Data Protection

November 25, 2016 · 8:40 am

Get rights right, gov.uk

Government page on subject access rights is not accurate

Right of access to data about oneself is recognised as a fundamental right (article 8(2) of the Charter of Fundamental Rights of the European Union*). Section 7 of the UK’s Data Protection Act 1998 (DPA) gives expression to this, and provides that as a general right individuals are entitled to be told whether someone else is processing their data, and why, and furthermore (in terms) to be given a copy of that data. The European General Data Protection Regulation retains and bolsters this right, and recognises its importance by placing it in the category of provisions non-compliance with which could result in an administrative fine for a data controller of up to €20m or 4% of turnover (whichever is higher).

So subject access is important, and this is reflected in the fact that it is almost certainly the most litigated of provisions of the DPA (a surprisingly under-litigated piece of legislation). Many data controllers need to commit significant resources to comply with it, and the Information Commissioner’s Office (ICO) produced a statutory code of practice on the subject in 2014.

But it is not an absolute right. The DPA explains that there are exemptions to the right where, for instance, compliance would be likely to prejudice the course of criminal justice, or national security, or, in the case of health and social care records, would be likely to cause serious harm to the data subject or another person. Additionally the DPA recognises that, where complying with a subject access request would involve disclosing information about another individual, the data controller should not comply unless that other person consents, or unless it “is reasonable in all the circumstances to comply with the request without the consent of the other individual” (section 7(4) DPA).

But this important caveat (the engagement of the parallel rights of third parties) to the right of subject access is something which is almost entirely omitted in the government’s own web guidance regarding access to CCTV footage of oneself. It says

The CCTV owner must provide you with a copy of the footage that you can be seen in. They can edit the footage to protect the identities of other people.

The latter sentence is true, and especially in the case where footage captures third parties it is often appropriate to take measures to mask their identities. But the first sentence is simply not true. And I think it is concerning that “the best place to find government services and information” (as gov.uk describes itself) is wrong in its description of a fundamental right.

A data controller (let’s ignore the point that a “CCTV owner” might not necessarily be the data controller) does not have an unqualified obligation to provide information in response to a subject access request. As anyone working in data protection knows, the obligation is qualified by a number of exemptions. The page does allude to one of these (at section 29 of the DPA):

They can refuse your request if sharing the footage will put a criminal investigation at risk

But there are others – and the ICO has an excellent resource explaining them.

What I don’t understand is why the gov.uk page fails to provide better (accurate) information, and why it doesn’t provide a link to the ICO site. I appreciate that the terms and condition of gov.uk make clear that there is no guarantee that information is accurate, but I think there’s a risk here that data subjects could gather unreasonable expectations of their rights, and that this could lead to unnecessary grievances or disputes with data controllers.

Gov.uk invite comments about content, and I will be taking up this invitation. I hope they will amend.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

 

Leave a comment

Filed under Data Protection, Information Commissioner, subject access

Tagged as ,

June 4, 2016 · 1:04 pm

A Massive Impact for the ICO?

[Edited to add: it is well worth reading the comments to this piece, especially the ones from Chris Pounder and Reuben Binns]

I needed a way to break a blogging drought, and something that was flagged up to me by a data protection colleague (thanks Simon!) provides a good opportunity to do so. It suggests that the drafting of the GDPR could lead to an enormous workload for the ICO.

The General Data Protection Regulation (GDPR) which entered into force on 24 May this year, and which will apply across the European Union from 25 May 2018, mandates the completion of Data Protection Impact Assessments (DPIAs) where indicated. Article 35 of the GDPR explains that

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data

In the UK (and indeed elsewhere) we already have the concept of “Privacy Impact Assessments“, and in many ways all that the GDPR does is embed this area of good practice as a legal obligation. However, it also contains some ancillary obligations, one of which is to consult the supervisory authority, in certain circumstances, prior to processing. And here is where I get a bit confused.

Article 36 provides that

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk
[emphasis added]

A close reading of Article 36 results in this: if the data controller conducts a DPIA, and is of the view that if mitigating factors were not in place the processing would be high risk, it will have to consult supervisory authority (in the UK, the Information Commissioner’s Office (ICO)). This is odd: it effectively renders any mitigating measures irrelevant. And it appears directly to contradict what recital 84 says

Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing [emphasis added]

So, the recital says the obligation to consult will arise where high risk is involved which the controller can’t mitigate, while the Article says the obligation will arise where high risk is involved notwithstanding any mitigation in place.

Clearly, the Article contains the specific legal obligation (the recital purports to set out the reason for the contents of the enacting terms), so the law will require data controllers in the UK to consult the ICO every time a DPIA identifies an inherently high risk processing activity, even if the data controller has measures in place fully to mitigate and contain the risk.

For example, let us imagine the following processing activity – collection of and storage of customer financial data for the purposes of fulfilling a web transaction. The controller might have robust data security measures in place, but Article 36 requires it to consider “what if those robust measures were not in place? would the processing be high risk?” To which the answer would have to be “yes” – because the customer data would be completely unprotected.

In fact, I would submit, if article 36 is given its plain meaning virtually any processing activity involving personal data, where there is an absence of mitigating measures, would be high risk, and create a duty to consult the ICO.

What this will mean in practice remains to be seen, but unless I am missing something (and I’d be delighted to be corrected if so), the GDPR is setting the ICO and other supervisory authorities up for a massive influx of work. With questions already raised about the ICO’s funding going forward, that is the last thing they are likely to need.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Data Protection, GDPR, Information Commissioner

Tagged as , ,

October 30, 2015 · 5:43 pm

Any Safe Harbor in a storm…?

The ICO has contacted me to say that it actually selected SnapSurveys because they offered clients the option of hosting survey response on UK servers, and it has checked with SnapSurveys that this remains the case. I’ve been pointed me to http://www.snapsurveys.com/survey-software/security-accessibility-and-professional-outline/ which confirms this point.

So the answer to my question

Is the ICO making unlawful transfers of personal data to the US?

I’m pleased to confirm, appears to be “no”.

Earlier this week the Information Commissioner’s Office (ICO) published a blogpost by Deputy Commissioner David Smith, entitled The US Safe Harbor – breached but perhaps not destroyed!

“Don’t panic” says David to those data controllers who are currently relying on Safe Harbor as a means of ensuring that personal data transferred by them to the United States has adequate protection (in line with the requirements of Article 25 of the European Data Protection Directive, and the eighth principle of schedule one of the UK’s Data Protection Act 1998 (DPA)). He is referring, of course, to the recent decision of the Court of Justice of the European Union in Schrems. which Data controllers should, he says, “take stock” and “make their own minds up”:

businesses in the UK don’t have to rely on Commission decisions on adequacy. Although you won’t get the same degree of legal certainty, UK law allows you to rely on your own adequacy assessment. Our guidance tells you how to go about doing this.  Much depend [sic] here on the nature of the data that you are transferring and who you are transferring it to but the big question is can you reduce the risks to the personal data, or rather the individuals whose personal data it is, to a level where the data are adequately protected after transfer? The Safe Harbor can still play a role here.

Smith also refers to a recent statement by the Article 29 Working Party – the grouping of representatives of the various European data protection authorities, of which he is a member – and refers to “the substance of the statement being measured, albeit expressed strongly”. What he doesn’t say is how unequivocal it is in saying that

transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful

And this is particularly interesting because, as I discovered today, the ICO itself appears (still) to be making transfers under Safe Harbor. I reported a nuisance call using its online tool (in doing so I included some sensitive personal data about a family member) and noticed that the tool was operated by SnapSurveys. The ICO’s own website privacy notice says

We collect information volunteered by members of the public about nuisance calls and texts using an online reporting tool hosted by Snap Surveys. This company is a data processor for the ICO and only processes personal information in line with our instructions.

while SnapSurveys’ privacy policy explains that

Snap Surveys NH, Inc. complies with the U.S. – E.U. Safe Harbor framework

This does not unambiguously say that SnapSurveys are transferring the personal data of those submitting reports to the ICO to the US under Safe Harbor – it is possible that the ICO has set up some bespoke arrangement with its processor, under which they process that specific ICO data within the European Economic Area – but it strongly suggests it.

It is understandable that a certain amount of regulatory leeway and leniency be offered to data controllers who have relied on Safe Harbor until now – to that extent I agree with the light-touch approach of the ICO. But if it is really the case that peoples’ personal data are actually being transferred by the regulator to the US, three weeks after the European Commission decision of 2000 that Safe Harbor provided adequate protection was struck down, serious issues arise. I will be asking the ICO for confirmation about this, and whether, if it is indeed making these transfers, it has undertaken its own adequacy assessment.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

 

1 Comment

Filed under 8th principle, Data Protection, Directive 95/46/EC, Information Commissioner, safe harbor

Tagged as , ,

October 24, 2015 · 8:05 am

A novel defence by Talk Talk?

Talk Talk, in response to the recent revelations about the compromising of the data of up to four million of its customers, says rather boldly

Has TalkTalk breached the Data Protection Act?
No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months. 

And it got me to wondering how well this rather novel approach could be extended in other legal areas.

The defendant, a Mr Talk Talk, was travelling at a speed of ninety-four miles per hour, and had consumed the equivalent of two bottles of gin. However, as the other driver involved in the collision had failed to renew his motor insurance we find that the defendant was evidently merely the victim of a crime, and my client could not, as a matter of law, have broken speeding and drink driving laws.

Furthermore, although the defendant later viciously kicked an elderly bystander in a motiveless attack, he cannot be guilty of an assault because the pensioner was recently convicted of watching television without a licence.

And finally, although my client picked up a police officer and threw him into a duck pond, the fact that the said officer once forgot to pay for a milky way in the staff canteen provides an absolute defence to the charge of obstructing a police officer in the line of duty.

Let’s see how well Talk Talk’s defence washes with the ICO.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

October 4, 2015 · 11:18 am

Blackpool Displeasure Breach, redux

Over a year ago I blogged about a tweet by a member of the Oyston family connected with Blackpool FC:

a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn

For the reasons in that post I thought this raised interesting, and potentially concerning, data protection issues, and I mentioned that the Information Commissioner’s Office (ICO) had powers to take action. It was one of (perhaps the) most read posts (showing, weirdly, that football is possibly more of interest to most people than data protection itself) and it seemed that some people did intend complaining to the ICO. So, recently, I made an FOI request to the ICO for any information held by them concerning Blackpool FC’s data protection compliance. This was the reply

We have carried out thorough searches of the information we hold and have identified one instance where a member of the public raised concerns with the ICO in September 2014, about the alleged processing of personal data by Blackpool FC.

We concluded that there was insufficient evidence to consider the possibility of a s55 offence under the Data Protection Act 1998 (the DPA), and were unable to make an assessment as the individual had not yet raised their concerns with Blackpool FC direct.  We therefore advised the individual to contact the Club and to come back to us if they were still concerned, however we did not hear from them again.  As such, no investigation took place, nor was any assessment made of the issues raised.

This suggests the ICO appears wrongly to consider itself unable to undertake section 42 assessments under the Data Protection Act 1998 unless the data subject has complained to the data controller – a stance strongly criticised by Dr David Erdos on this blog, and one which has the potential to put the data subject further in dispute with the data controller (as I can imagine could have happened here, with a family some of whose members are ready to sue to protect their reputation). It also suggests though that maybe people weren’t quite as interested as the page views suggested. Nonetheless, I am posting this brief update, because a few people asked about it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

Tagged as , ,

September 27, 2015 · 10:36 am

Complaint about Google’s Innuendo, redux

Some time ago I complained to the Information Commissioner’s Office (ICO) about the innuendo carried in the message that Google serves with search results on most personal names: “Some results may have been removed under data protection law in Europe”. I had already complained to Google UK, and wrote about it here. Google UK denied any responsibility or liability, and referred me to their enormous, distant, parents at 1600 Amphitheatre Parkway. I think they were wrong to do so, in light of the judgment of the Court of Justice of the European Union in the Google Spain case C‑131/12, but I will probably pursue that separately.

However, section 42 of the Data Protection Act 1998 (DPA) allows me to ask the ICO to assess whether a data controller has likely or not complied with its obligations under the DPA. So that’s what I did (pointing out that a search on “Jon Baines” or “Jonathan Baines” threw up the offending message).

In her response the ICO case officer did not address the jurisdiction point which Google had produced, and nor did she actually make a section 42 assessment (in fairness, I had not specifically cited section 42). What she did say was this

As you know, the Court of Justice of the European Union judgement in May 2014 established that Google was a data controller in respect of the processing of personal data to produce search results. It is not in dispute that some of the search results do relate to you. However, it is also clear that some of them will relate to other individuals with the same name. For example, the first result returned on a search on ‘Jonathan Baines’ is ‘LinkedIn’, which says in the snippet that there are 25 professionals named Jonathan Baines, who use LinkedIn.

It is not beyond the realms of possibility that one or more of the other individuals who share your name have had results about them removed. We cannot comment on this. However, we understand that this message appears in an overwhelming majority of cases when searching on any person’s name. This is likely to be regardless of whether any links have actually been removed.

True, I guess. Which is why I’ve reverted with this clarification of my complaint:

If it assists, and to extend my argument and counter your implied question “which Jon Baines are we talking about?”, if you search < “Jon Baines” Information Rights and Wrongs > (where the search term is actually what lies between the < >) you will get a series of results which undoubtedly relate to me, and from which I can be identified. Google is processing my personal data here (that is unavoidable a conclusion, given the ruling by the Court of Justice of the European Union in “Google Spain” (Case C‑131/12)). The message “Some results may have been removed under data protection law in Europe” appears as a result of the processing of my personal data, because it does not appear on every search (for instance < prime minister porcine rumours > or < “has the ICO issued the cabinet office an enforcement notice yet” >). As a product of the processing of my personal data, I argue that the message relates to me, and constitutes my personal data. As it carries an unfair innuendo (unfair because it implies I might have asked for removal of search results) I would ask that you assess whether Google have or have not likely complied with their obligation under section 4(4) to comply with the first and fourth data protection principles. (Should you doubt the innuendo point, please look at the list of results on a Twitter search for “Some results may have been removed”).

Let’s hope this allows the ICO to make the assessment, without my having to consider whether I need to litigate against one of the biggest companies in world history.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

8 Comments

Filed under Data Protection, Information Commissioner

Tagged as ,

September 25, 2015 · 2:46 pm

When data security = national security

One of the options open to the Information Commissioner’s Office (ICO), when considering whether to take enforcement action under the Data Protection Act 1998 (DPA) is – as an alternative to such action – to invite an offending data controller to sign an “undertaking”, which will in effect informally commit it to taking, or desisting from, specified actions. An undertaking is a relatively common event (there have been fifty over the last year) – so much so that the ICO has largely stopped publicising them (other than uploading them to its website) – very rarely is there a press release or even a tweet.

There is a separate story to be explored about both ICO’s approach to enforcement in general, and to its approach to publicity, but I thought it was worth highlighting a rather remarkable undertaking uploaded to the ICO’s site yesterday. It appears that the airline Flybe reported itself to the ICO last November, after a temporary employee managed to scan another individual’s passport, and email it to his (the employee’s) personal email account. The employee in question was in possession of an “air side pass”. Such a pass allows an individual to work unescorted in restricted areas of airports and clearly implies a level of security clearance. The ICO noted, however, that

Flybe did not provide data protection training for all staff members who process personal data. This included the temporary member of staff involved in this particular incident…

This is standard stuff for DPA enforcement: lack of training for staff handling personal data will almost always land the data controller in hot water if something goes wrong. But it’s what follows that strikes me as remarkable

the employee accessed various forms of personal data as part of the process to issue air side passes to Flybe’s permanent staff. This data included copies of passports, banking details and some information needed for criminal record background checks. The Commissioner was concerned that such access had been granted without due consideration to carrying out similar background checks to those afforded to permanent employees. Given the nature of the data to which the temporary employee had access, the Commissioner would have expected the data controller to have had some basic checking controls in place.

Surely this raises concerns beyond the data protection arena? Data protection does not exist in isolation from a broader security context. If it was really the case that basic checking controls were not in place regarding Flybe’s temporary employees and data protection, might it raise concerns about how that impacts on national security?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, national security, undertaking

Tagged as ,

September 25, 2015 · 12:31 pm

Anti-EU campaign database – in contravention of data protection laws?

The politics.co.uk site reports that an anti-EU umbrella campaign called Leave.EU (or is it theknow.eu?) has been written to by the Information Commissioner’s Office (ICO) after allegedly sending unsolicited emails to people who appear to have been “signed up” by friends or family. The campaign’s bank-roller, UKIP donor Aaron Banks, reportedly said

We have 70,000 people registered and people have been asked to supply 10 emails of friends or family to build out (sic) database

Emails sent to those signed up in this way are highly likely to have been sent in breach of the campaign’s obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and the ICO is reported to have to written to the campaign to

inform them of their obligations under the PECR and to ask them to suppress [the recipient’s] email address from their databases

But is this really the main concern here? Or, rather, should we (and the ICO) be asking what on earth is a political campaign doing building a huge database of people, and identifying them as (potential) supporters without their knowledge? Such concerns go to the very heart of modern privacy and data protection law.

Data protection law’s genesis lie, in part, in the desire, post-war, of European nations to ensure “a foundation of justice and peace in the world”, as the preamble to the European Convention on Human Rights states. The first recital to the European Community Data Protection Directive of 1995 makes clear that the importance of those fundamental rights to data protection law.

The Directive is, of course, given domestic effect by the Data Protection Act 1998 (DPA). Section 2 of the same states that information as to someone’s political beliefs is her personal data: I would submit that presence on a database purporting to show that someone supports the UK”s withdrawal from the European Union is also her personal data. Placing someone on that database, without her knowledge or ability to object, will be manifestly “unfair” when it comes to compliance with the first data protection principle. It may also be inaccurate, when it comes to compliance with the fourth principle.

I would urge the ICO to look much more closely at this – the compiling of (query inaccurate) of secret databases of people’s political opinions has very scary antecedents.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Directive 95/46/EC, Europe, human rights, Information Commissioner

Tagged as , ,

September 23, 2015 · 4:55 pm

ICO discloses names of Operation Motorman journalists

In August this year the Upper Tribunal dismissed an appeal by the Information Commissioner’s Office (ICO) of a prior ruling that he must disclose the names of certain journalists who appeared on a list 305 names seized by the ICO during a raid in 2003 on the home of private investigator Steve Whittamore. The raid was part of “Operation Motorman”, an investigation which forms part of the background to the various civil and criminal proceedings generated by the phone-hacking scandals, and to the establishment of the Leveson Inquiry.

The names which have been ordered to be disclosed have now been provided by the ICO to the requester, the clearly indefatigable Chris Colenso-Dunne. Chris has kindly given the list to me, and I make it available in the attachment below. One name stands out in particular: Rebekah Wade (as she then was), now Brooks, who has always denied knowledge of the phone-hacking which took place while she was editor of the now defunct News of the World (and who was, of course, acquitted in 2014 of conspiring to hack phones when editor of that paper and of making corrupt payments to public officials when editor of The Sun, as well as of all other charges).

It is important to be aware, as the Upper Tribunal said, that presence on the list means nothing more than that the journalists in question

had commissioned Mr Whittamore to obtain information… The information did not carry with it any assertion as to the actual or alleged commission of any crime by those journalists [para 38]

No doubt the list will generate further comment, though.

ICO Motorman List

[this post was edited to remove a paragraph where I’d mistakenly taken the list to mean that Wade was working for “Femail” at the time]

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


7 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Upper Tribunal

Tagged as , ,

August 14, 2015 · 7:05 am

Zero rating for fairness

It’s a long time since I took a flight, but when I used to do so, I too would have the experience, when purchasing items in airport shops, of being asked to produce my boarding pass and having it scanned by the retailer. I now know that the reason for this is, contrary to my assumptions, nothing to do with security, and everything to do with the retailer’s VAT pricing structure

I don’t particularly object to the practice itself, but what does concern me, from a privacy and data protection perspective, is the lack of information traditionally given to passengers about the reason for it, and what happens with the information gathered.

The third data protection principle, in Schedule 1 of the Data Protection Act 1998 (DPA) states, in relevant part, that personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Is the processing by retailers compliant with their obligations under this principle?When retailers scan boarding passes they will be at least potentially collecting (“processing”) passengers’ names, flight numbers and travel destination. The last is the purpose of the exercise: if the passenger is travelling outside the European Union the purchase is zero-rates for the purposes of VAT. But is it necessary therefore to collect all the boarding pass data? Well, HMRC guidance suggests that it is:

Information from the boarding cards or travel documents presented by entitled passengers should be retained by retailers as part of their export evidence.

This suggests that, in order to satisfy any HMRC inspector that zero-rated purchases have been made legitimately, proof of the details of the purchase will need to be retained and provided. 

If that is the case then there’s a good argument that retailers could satisfy the requirements of the third DPA principle. But there is a more fundamental requirement, in the first Schedule One principle, to process personal data fairly, and fairness will not be achieved unless

in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him… [inter alia]…the purpose or purposes for which the data are intended to be processed

And there we are back to the start of this post: I didn’t know what the purpose was of scanning my boarding pass, and it’s very clear from the recent media coverage of the issue that many, probably most, passengers didn’t or don’t realise. In my view this, coupled with the retention of the data for HMRC purposes, renders the processing unfair and unlawful. Whether the relevant data controller is the retailer, who does the act, or HMRC, who appear to require it, is another question (it’s probable that they are acting as joint data controllers) but I think the Information Commissioner’s Office should take a look.

(Thanks to Rich Greenhill for pointing out the HMRC guidance).

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, privacy notice