Category Archives: Data Protection

Dashcams and domestic purposes

What do people use dashcams and cameras on cycle helmets for? I’m sure that some (especially in the latter group) use them to capture footage of interesting journeys they have made. But a considerable proportion of users – surely – use them in the event that the user is involved in a road traffic incident. Indeed the “National Dash Cam Safety Portal”, although provided by a commercial organisation selling cameras, is operated in partnership with, and enables upload of footage to, police forces in England and Wales, and its FAQ clearly inform people of the evidential nature and implications of such footage. And a recent piece on the “Honest John” website suggests that one in four dashcam submissions result in a prosecution. Whatever the intentions were of the people who used those dashcams to record that footage, it is undeniable that the outcome of the processing of personal data involved had a significant effect on the rights of those whose data was processed.

Article 2 of the UK GDPR says that the law’s scope does not extend to processing of personal data “by a natural person in the course of a purely personal or household activity”, and the case law of the Court of Justice of the European Union (at least insofar as such case law decided before 1 January 2021 is retained domestic law – unless departed from by the Court of Appeal or the Supreme Court) makes clear that use of recording cameras which capture footage containing personal data outwith the orbit of one’s property cannot claim this “purely personal or household activity” exemption (see, in particular the Ryneš case).

Yet the position taken by the authorities in the UK (primarily by the Information Commissioner’s Office (ICO)) largely fails to address the difficult issues arising. Because if the use of dashcams and helmet cams, when they result in the processing of personal data which is not exempt under under the “purely personal and household exemption, is subject to data protection law, then those operating them are, in principle at least, obliged to comply with all the relevant provisions of the UK GDPR, including: compliance with the Article 5 principles; providing Article 13 notices to data subjects; complying with data subject request for access, erasure, etc. (under Articles 15, 17).

But the ICO, whose CCTV guidance deals well with the issues to the extent that domestic CCTV is in issue, implies that use of dashcams etc, except in a work context, is not subject to the UK GDPR. For instance, its FAQs on registering as a data protection fee payer say “the use of the dashcam in or on your vehicle for work purposes will not be considered as ‘domestic’ and therefore not exempt from data protection laws”. It is very difficult to reconcile the ICO’s position here with the case law as exemplified in Ryneš.

And what raises interesting questions for me is the evidential status of this dashcam and helmet cam footage, when used in prosecutions. Although English law has traditionally tended to take the approach that evidence should be admitted where it is relevant, rather than excluding it on the grounds that it has been improperly obtained (the latter being a species of the US “fruit of the poisoned tree” doctrine), it is surely better for a court not to be faced with a situation where evidence may have been obtained in circumstances involving illegality.

If this was a passing issue, perhaps there would not need to be too much concern. However, it is clear that use of mobile video recording devices (and use of footage in criminal, and indeed civil, proceedings) is increasing and will continue to do so, at the same time as access to such devices, and the possibility for their covert or surreptitious use, also increases. It is, no doubt, a tremendously tricky area to regulate, or event to contemplate regulating, but that is no reason for the ICO to duck the issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, crime, Data Protection, Information Commissioner, police

Start the DSAR countdown (but how?)

A while ago I wrote a piece on the Mishcon de Reya website pointing out that the Information Commissioner’s Office (ICO) had silently changed its guidance on how to calculate the “one month” timescale for responding to a subject access request under the General Data Protection Regulation (or “GDPR” – which is now domestic law in the form of the amended retained version of the GDPR, aka “UK GDPR”).

The nub of that piece was that the ICO (following the legal precedents) was now saying that “You should calculate the time limit from the day you receive the request“. Which was a change from the previous position that “You should calculate the time limit from the day after you receive the request “.

I have noticed, however, that, although the ICO website, in its UK GDPR guidance, maintains that the clock starts from the date of receipt, the guidance on “Law Enforcement Processing” (which relates to processing of personal data by competent authorities for law enforcement purposes under part 3 of the Data Protection Act 2018 (DPA), which implemented the Law Enforcement Directive) states that the time should be calculated

from the first day after the request was received

It’s not inconceivable (in fact I am given to understand it is relatively common) that a some controllers might receive a subject access request (or other data subject request) which must be dealt with under both the UK GDPR and the Law Enforcement Processing provisions (police forces are a good example of this). The ICO’s position means that the controller must calculate the response time as starting, on the one hand, on the date of receipt, and, on the other hand, on the day after the date of receipt.

And if all of this sounds a bit silly, and inconsequential, I would argue that it is certainly the former, but not necessarily the latter: failure to comply within a statutory timescale is a breach of a statutory duty, and therefore actionable, at least in principle. If the ICO really does believe that the timescale works differently under different legal schemes, then how, for instance can it properly determine (as it must, when required to) under Articles 57(1)(f) and 77(1) of the UK GDPR, or section 51(2) of the DPA, whether there has been a statutory infringement?

Statutory infringements are, after all, potentially actionable (in this instance either with regulatory action or private action by data subjects) – the ICO maintains a database of complaint cases and publishes some of this (albeit almost two years in arrears), and also uses (or may use) it to identify trends. If ICO finds that a controller has made a statutory infringement, that is a finding of potential significance: if that same finding is based on an unclear, and internally contradictory, interpretation of a key aspect of the law, then it is unlikely to be fair, and unlikely to be lawful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, subject access, UK GDPR, Uncategorized

Windrush and data protection

As far as I know the Information Commissioner has never investigated this issue (I’ve made an FOI request to find out more), but this, on the Mishcon site, is an overview of the key issue.

Leave a comment

Filed under accuracy, adequacy, Data Protection, fairness, Home Office, human rights, Information Commissioner

Students challenge International Baccalaureate on data protection grounds

My firm is acting for the students, and there’s a link to the detailed grounds in this explanatory piece.

Leave a comment

Filed under accuracy, Data Protection, fairness, Further education, GDPR, transparency

The ICO Facebook Page – some questions to ICO

(NON-)UPDATE 03.04.21: I’ve still had no response to my complaint on this, after almost four months. I’ve asked the ICO’s Data Protection Officer to escalate it.

(NON-)UPDATE 17.02.21: a couple of people have asked me what the ICO’s response to this was. Good question – and I haven’t had one yet. I had an email at the start of January apologising for the delay in replying, but nothing since then. I’ve chased. END UPDATE

For some time now I’ve wondered how the Information Commissioner’s Office (ICO) complies with data protection law when operating its Facebook page. It’s not a challenge unique to ICO – anyone running a corporate page is likely to be faced with similar challenges. However, as the UK’s supervisory authority under Article 51 of the GDPR (or, from 1 January 2021, under Article 51 of the UK GDPR, the person responsible for monitoring the application of the UK GDPR), the ICO should, understandably, be looked to as an exemplar.

With this in mind, I have raised an enquiry/complaint with the ICO, and will, of course, update this blog when I get a response.

I wish to raise an issue with you regarding your compliance with, at least, Articles 5(1)(a)(b)(c) and (f) of the GDPR.

I note that you operate a Facebook organisation page: https://www.facebook.com/ICOnews (the “ICO Facebook Page”), on which you invite and respond to comments. Following the findings of the Court of Justice of the European Union (CJEU) in Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C‑210/16), you are a joint controller with Facebook for the purposes of the processing of – at least – the personal data of those who comment on the ICO Facebook Page (the “Facebook data”). I am one of those.

I also note that in your “ICO Privacy Notice“, you do not state, in respect of your processing of the Facebook data, that you are a controller, although you do, rather cryptically, say “We see all this information [sent to us via social media] and decide how we manage it”, but you otherwise appear to disavow controller status when you say “When contacting the ICO through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.” This is, I would suggest, an abrogation of your obligations under Article 13 GDPR.

Following the findings of the CJEU in Wirtschaftsakademie it can be said that the creation of an organisation page on Facebook involves the definition of parameters by the administrator which has an influence on the processing of personal data for the purpose of, at least, permitting visitor comments or visitor interactions, such as clicking “like” buttons. Consequently, the administrator of a Facebook organisation page such as the ICO Facebook Page contributes to the processing of the personal data of visitors to its page.

I assert that you process, as a controller, my personal data as a person who has commented on the ICO Facebook Page. I also believe that, as a controller, you are involved in the transfer of the Facebook data, which must be taken to include my personal data, to a third country, namely, the United States (Facebook itself says that information controlled by Facebook Ireland (which it sees as the primary controller for the processing of personal data on UK Facebook pages) will be transferred or transmitted to, or stored and processed in, the United States). Facebook appears to effect such transfers by means of standard data protection clauses approved by the European Commission (https://www.facebook.com/help/566994660333381).

Please could you inform me whether:

1) you agree that you are controller (jointly or severally) with Facebook for the processing of my personal data when I comment on your Facebook page?

2) you take the view more generally that you are controller (jointly or severally) with Facebook for the processing of my personal data when I visit your Facebook page (for instance for the processing involved in the placing of cookies and similar technologies)?

3) as a controller (assuming you accept that you are one) you are transferring my personal data out of the EEA?

4) if the answer to 3) is “yes”, how you are complying with conditions laid down in Chapter 5 of GDPR?

I appreciate this might appear to be a flippant or mischievous matter, but I assure you of my good faith and keen interest. I appreciate that ICO has a general task to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. It would be helpful, when answering this enquiry, if you could say whether you take the view that you cannot adequately perform this task without using Facebook to do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, facebook

The problems with GDP are GDP are GDP are…

No one sensible professes that data protection practice is always easy, and discussions around whether the UK will, come 1 January 2021, have or be close to having, an adequacy decision from the European Commission are complex and highly political. However, I hadn’t, until today, encountered the argument that GDPR itself was a barrier to, er, attaining adequacy status.

But that is the remarkable assertion in this recent Diginomica piece:

GDPR Is a European data protection success story, yes? Well, yes…but it could also be a complicating factor in trying to secure a post-Brexit data adequacy deal between the UK and the EU.

It is a complicating factor, I suppose, in the same way that, say, a speed limit is for those who drive too fast.

The reason that an “adequacy deal” is being sought is because GDPR itself says, in Article 45, that the Commission may decide, after taking into account a number of factors, that a third country (such as the UK will become) offers an adequate level of protection for personal data. In the absence of an adequacy decision, GDPR imposes restrictions on the transfer of data to third countries.

GDPR is the reason we are seeking an adequacy deal, not the barrier to it.

Leave a comment

Filed under adequacy, Data Protection, GDPR, international transfers

Litigation disclosure != subject access disclosure

I’m not a lawyer, yet alone a Scottish lawyer, but a recent judgment, on data protection matters, from Sheriff A Cubie in the Glasgow and Strathkelvin Sheriffdom has significance beyond Scotland (and, of course, data protection law – by which we mean the General Data Protection Regulation (GDPR), or from 1 January 2021, the UK GDPR, and the Data Protection Act 2018 (DPA) – apply across the UK).

The issue before the court was whether data protection obligations, which might in general militate against disclosure of personal data, override disclosure obligations in general court proceedings. The basic answer, and one that most data protection practitioners and lawyers understand, is that they don’t. Article 6(1)(c) of the GDPR makes clear that processing is lawful if it is necessary for compliance with a legal obligation to which a controller is subject. More specifically, paragraph 5 of Schedule Two to the DPA says that the bulk of the GDPR provisions conferring rights on data subjects and obligations on controllers simply “do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.”

The Sheriff was faced with a situation [which sounds like a line from a Western] of possible contempt of court by an unnamed Scottish Council in social work referral proceedings concerning children. Upon receipt of an application (in Scottish law, a “motion for specification of documents”), which it had not opposed, the Council had disclosed social work records to solicitors for the mother in the proceedings, but subjected the records (apparently having received internal legal advice) to substantial redaction of personal data, of the sort which would have taken place if the records had been required to be disclosed under an Article 15 subject access request.

The Sheriff “invited” a senior Council officer and someone from its legal department to answer his enquiries as to how the redactions came to be made. At that hearing, it transpired that the disclosure exercise had been passed to the Council’s Data Protection Officer to deal with – that officer had sought advice from the Council’s legal department, which advised that the exercise should be treated as if it was redaction for the purposes of a subject access request. Before the court, the Council apologised unreservedly, and announced that it had begun an internal investigation into how it had happened.

Nothing earth-shattering, and this post is not to suggest that sometimes it might be necessary to redact personal data during litigation disclosure, but an interesting observation about the risks of confusing or conflating disclosure regimes.

And I end by noting that the Sheriff himself fell into error: he cites at several points, subject access provisions from part 3 of the DPA. Part 3 deals with law enforcement processing under Directive 2016/680, and has no relevance here. The subject access right emanates from, and is full described in, Article 15 GDPR.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, law enforcement

HMG FOI “Clearing House” – infringing GDPR?

I’ve written a piece for OpenDemocracy questioning the legality of the government’s practice of circulating some FOI requesters’ names across all departments.

Leave a comment

Filed under Cabinet Office, Data Protection, Freedom of Information, transparency

ICO SAR guidance – open to challenge?

A new piece by me and a colleague on the Mishcon de Reya website, about the ICO’s new SAR guidance https://www.mishcon.com/news/ico-guidance-on-subject-access-requests

A couple of NB points where this guidance differs from the draft version:

ICO suggests one of the factors to take into account when deciding whether a request is excessive is “Whether refusing to provide the information or even acknowledging it is held may cause substantive damage to the individual”. To me, this is pretty extraordinary, and might have the effect of putting the requester to proof as to damage caused by non-compliance.

ICO also has shifted its position, and suggest that staff time perse (rather than disbursements) might be charged for in the event of excessive or manifestly unfounded requests. 

I have my own views on whether these propositions are positive or negative. I suspect though that we will see challenges.

Leave a comment

Filed under access to information, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner

ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized