I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.
Category Archives: Data Protection
Might there have been a breach of data protection law in the recording, apparently by neighbours, of incidents at Boris Johnson’s home, and the passing of the recording to the media and the police? Almost certainly not.
(In this post I would like to avoid, as far as possible, broader ethical questions, and I will restrict any political observations to this: if Johnson becomes leader of the Conservative Party, and therefore prime minister, the two main UK political parties will be being led by people less fit to hold the role than at any time in my lifetime.)
In general, processing of personal data done for one’s own domestic purposes avoids the need for compliance with data protection law: Article 2(2)(c) of the General Data Protection Regulation (GDPR) – which of course provides the overarching statutory framework for most processing of personal data – says that the GDPR itself “does not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity”. This is understandable: were there not such a carve-out, one’s children might, say, try to sue one for unlawful processing of their pocket-money data.
However, that word “purely” is key in Article 2. Processing which is not in the course of a “purely” domestic activity, such as, say, passing a recording of an altercation involving one’s neighbours to the media and the police, will be within GDPR’s scope.
So if GDPR is likely to apply, what are the considerations?
Firstly, passing information to the police about an altercation involving one’s neighbours is straightforward: GDPR permits processing which is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)) and where the processing is necessary for the purposes of someone’s legitimate interests (provided that such interests are not overridden by the rights of the data subject) (Article 6(1)(f)).
But what of passing such information to the media? Well, here, the very broad exemption for the purposes of journalism will apply (even though the neighbours who are reported to have passed the information to the media are not, one assumes, journalists as such). GDPR requires members states to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes, and this obligation is given effect in UK law by paragraph 26 of Schedule 2 to the Data Protection Act 2018. This provides that the GDPR provisions (for the most part) do not apply to processing of personal data where it
is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and…the controller reasonably believes that the publication of the material would be in the public interest [and] the controller reasonably believes that the application of [the GDPR provisions] would be incompatible with the… purposes [of journalism].
Here, the controller is not just going to be the journalist or media outlet to whom the information was passed, but it is also likely to be the non-journalist person who actually passes the information (provides that the latter passes it with a view to its publication and does so under a reasonable belief that such publication would be in the public interest).
The equivalent exemption in the prior law (the Data Protection Act 1998) was similar, but, notably, applied to processing which was only carried for the purposes of journalism (or its statutory bedfellows – literature and art). The absence of the word “only” in the 2018 Act arguably greatly extends the exemption, or at least removes ambiguity (there was never any notable example of action being taken under the prior law against the media for processing which was alleged to be unlawful and which was for more than one purposes (i.e. not solely for the purposes of journalism)).
It seems almost certain, then, that Johnson’s non-journalist neighbours could avail themselves of the “journalism” exemption in data protection law. As could anyone who processes personal data with a view to its publication and who reasonably believes such publication is in the public interest: we should prepare to see this defence aired frequently over the coming years. Whether the exemption is too broad is another question.
Because of the breadth of the journalism exemption in data protection law, actions are sometimes more likely to be brought in the tort of misuse of private information (see, for example, Cliff Richard v BBC, and Ali v Channel 5). Whether such a claim might be available in this case is also another question, and not one for this blog.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.
I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.
The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).
As the Information Commissioner’s Office (ICO) says
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]
Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage
If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.
So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.
With that in mind, I was
interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice
I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.
As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?
The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.
FOI request reveals ICO has served no “notices of intent” to serve fines under GDPR. A new piece by me on the Mishcon de Reya website.
As I have previously discussed on the Mishcon de Reya website, the General Data Protection Regulation (“GDPR”) removed the requirement at European law for data controllers to “register” with their supervisory authority. However, in the UK, the need to provide a funding stream for the data protection work of the Information Commissioner’s Office (ICO) led parliament to pass laws (The Data Protection (Charges and Information) Regulations 2018) (“the Fee Regulations”), made under sections 137 and 138 of the Data Protection Act 2018 (“DPA”)) requiring controllers to pay a fee to the ICO, unless an exemption applied.
New amendment regulations (The Data Protection (Charges and Information) (Amendment) Regulations 2019) have now been passed, following a consultation run by DCMS last year. These mean that new categories of exempt processing are introduced. In short, processing of personal data by members of the House of Lords, elected representatives and prospective representatives is also now “exempt processing” for the purposes of the Fee Regulations. “Elected representative” means (adopting the definition at paragraph 23(3)(a) to (d) and (f) to (m) of Schedule 1 to the DPA)
a member of the House of Commons;
a member of the National Assembly for Wales;
a member of the Scottish Parliament;
a member of the Northern Ireland Assembly;
an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972
an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;
a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
the Mayor of London or an elected member of the London Assembly;
an elected member of the Common Council of the City of London, or the Council of the Isles of Scilly;
an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972;
a police and crime commissioner.
But, it should be noted, MEPs’ processing is not exempt, and, for the time being at least, they must still pay a fee.
…and this is nothing like transparency
Those of us with long memories will remember that, back in 2007, in those innocent days when no one quite knew what the Freedom of Information Act 2000 (FOIA) really meant, the Information Commissioner’s Office (ICO), disclosed some of its internal advice (“Lines to Take” or “LTTs”) to its own staff about how to respond to questions and enquiries from members of the public about FOIA. My memory (I hope others might confirm) is that ICO resisted this disclosure for some time. Now, the advice documents reside on the “FOIWiki” pages (where they need, in my opinion, a disclaimer to the effect that some of the them at least are old, and perhaps out-of-date).
Since 2007 a number of further FOIA requests have been made for more recent LTTs – for instance, in 2013, I made a request, and had disclosed to me, a number of LTTs on data protection matters.
It is, therefore, with some astonishment, that I note that a recent FOIA request to ICO for up-to-date LTTs – encompassing recent changes to data protection law – has been refused, on the basis that, apparently, disclosure would, or would be likely to, inhibit the free and frank exchange of views for the purposes of deliberation, and would otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs. This is problematic, and concerning, for a number of reasons.
Firstly, the exemptions claimed, which are at section 36 of FOIA, are the statute’s howitzers – they get brought into play when all else fails, and have the effect of flattening everything around them. For this reason, the public authority invoking them must have the “reasonable opinion” of its “qualified person” that disclosure would, or would be likely to, cause the harm claimed. For the ICO, the “qualified person” is the Information Commissioner (Elizabeth Denham) herself. Yet there is no evidence that she has indeed provided this opinion. For that reason, the refusal notice falls – as a matter of law – at the first hurdle.
Secondly, even if Ms Denham had provided her reasonable opinion, the response fails to say why the exemptions are engaged – it merely asserts that they are, in breach of section 17(1)(c) of FOIA.
Thirdly, it posits frankly bizarre public interest points purportedly militating against disclosure, such as that the LTTs “exist as part of the process by which we create guidance, not as guidance by themselves”, and “that ICO staff should have a safe space to provide colleagues with advice for them to respond to challenges posed to us in a changing data protection landscape”, and – most bizarre of all – “following a disclosure of such notes in the past, attempts have been made to utilise similar documents to undermine our regulatory procedures” (heaven forfend someone might cite a regulator’s own documents to advance their case).
There has been such an enormous amount of nonsense spoken about the new data protection regime, and I have praised ICO for confronting some of the myths which have been propagated by the ignorant or the venal. There continues to be great uncertainty and ignorance, and disclosing these LTTs could go a long way towards combatting these. In ICO’s defence, it does identify this as a public interest factor militating in favour of disclosure:
disclosure may help improve knowledge regarding the EIR, FOIA or the new data protection legislation on which the public desire information as evidenced by our increase in calls and enquiry handling
And as far as I’m concerned, that should be the end of the matter. Whether the requester (a certain “Alan Shearer”) chooses to challenge the refusal is another question.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
…do they turn so slowly that they’ll lead to the Lord Chancellor committing a criminal offence?
On 21 December last year, as we were all sweeping up the mince piece crumbs, removing our party hats and switching off the office lights for another year, the Information Commissioner’s Office (ICO) published, with no accompanying publicity whatsoever, an enforcement notice served on the Secretary of State for Justice. The notice drew attention to the fact that in July 2017 the Ministry of Justice (MoJ) had had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. And by November 2017 that had barely improved – to 793 cases dating back to 2014.
I intended to blog about this at the time, but it’s taken me around nine months to retrieve my chin from the floor, such was the force with which it dropped.
Because we should remember that the exercise of the right of subject access is a fundamental aspect of the fundamental right to protection of personal data. Requesting access to one’s data enables one to be aware of, and verify the lawfulness of, the processing. Don’t take my word for it – look at recital 41 of the-then applicable European data protection directive, and recital 63 of the now-applicable General Data Protection Regulation (GDPR).
And bear in mind that the nature of the MoJ’s work means it often receives subject access requests from prisoners, or others who are going through or have been through the criminal justice system. I imagine that a good many of these horrendously delayed requests were from people with a genuinely-held concern, or grievance, and not just from irritants like me who are interested in data controllers’ compliance.
The notice required MoJ to comply with all the outstanding requests by 31 October 2018. Now, you might raise an eyebrow at the fact that this gave the MoJ an extra eight months to respond to requests which were already incredibly late and which should have been responded to within forty days, but what’s an extra 284 days when things have slipped a little? (*Pseuds’ corner alert* It reminds me of Larkin’s line in The Whitsun Weddings about being so late that he feels: “all sense of being in a hurry gone”).
Maybe one reason the ICO gave MoJ so long to sort things out is that enforcement notices are serious things – a failure to comply is, after all, a criminal offence punishable on indictment by an unlimited fine. So one notes with interest a recent response to a freedom of information request for the regular updates which the notice also required MoJ to provide.
This reveals that by July this year MoJ had whittled down those 793 delayed cases to 285, with none dating back further than 2016. But I’m not going to start hanging out the bunting just yet, because a) more recent cases might well be more complex (because the issues behind them will be likely to be more current, and therefore potentially more complex, and b) because they don’t flaming well deserve any bunting because this was, and remains one of the most egregious and serious compliance failures it’s been my displeasure to have seen.
And what if they don’t clear them all by 31 October? The notice gives no leeway, no get-out – if any of those requests extant at November last year remains unanswered by November this year, the Right Honourable David Gauke MP (the current incumbent of the position of Secretary of State for Justice) will, it appears, have committed a criminal offence.
Will he be prosecuted?