Category Archives: Data Protection

Harassment of terrorism victims

[reposted from LinkedIn]

It is impossible to imagine claimants with whom one has more sympathy than Martin Hibbert and his daughter Eve, who each suffered grave, life-changing injuries in the 2017 Manchester Arena attack, and who then found themselves targeted by the bizarre and ghoulish actions of Richard Hall, a “conspiracy theorist” who has claimed the attack was in fact a hoax.

Martin and Eve brought claims in harassment and data protection against Hall, and, in a typically meticulous judgment, Mrs Justice Steyn DBE yesterday found comprehensively in their favour on liability in the harassment claim. Further submissions are now invited on remedies.

The data protection claim probably adds nothing, but for those pleading and defending such claims it is worth reading Steyn J’s (mild) criticisms of the flaws, on both sides, at paragraphs 246-261. She has also invited further submissions on the data protection claim, although one wonders if it will be pursued.

Other than that, though, one hopes this case consigns Hall to the dustbin of history.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, judgments, UK GDPR

Third party rights under FOIA

[reposted from LinkedIn]

In a Freedom of Information Act (FOIA) matter there are two parties with express rights and obligations – the requester and the public authority (PA) – with the potential for the regulator – the Information Commissioner’s Office – to become involved if there is a dispute.

But there is often a third party involved, and one who has no express rights under FOIA – the person to whom the requested information relates. This can be a corporate body, but sometimes it will be an individual (think, for example, of the MPs whose expense claims were sought from the Commons many years ago).

The code of practice issued by the Cabinet Office under section 45 of FOIA recommends as best practice that, where a PA receives a request for information where a third party’s interests are engaged, the third party should be consulted, and given the opportunity to make representations. But the Code is clear that those representations cannot bind the PA, and that the decision on disclosure is ultimately for the PA to make.

All of this should, of course, run its course within the 20 working days that FOIA allows for responding to a request. So quite how a request from 2019, to the Legal Services Agency (LSA) for Northern Ireland, regarding the grant of legal aid to a self-styled peace campaigner, has only just been determined in the High Court is a pressing question. Nonetheless, the judgment (though slightly odd) is worth reading.

The man in question, Raymond McCord, was invited to make representations on the request (made by a unionist MP), having been informed of the LSA’s intention to disclose. He brought immediate judicial review proceedings to prevent disclosure and the LSA undertook not to disclose until the ICO had given a view on the lawfulness of processing (I pause to note that the LSA’s suggestion that McCord had an alternative remedy by way of a complaint to the ICO after disclosure for a determination as to whether FOIA had been complied with was wrong in law, and flawed in logic).

The ICO gave an opinion in June 2020 that disclosure would likely be both unfair and unlawful, but stressed that the opinion “is in no way legally binding in this case, however, it should be of assistance to the court in making a final decision.”

No explanation is given in the judgment of why it then took over four years for the court to rule on the application. This is simply ridiculous.

Nevertheless, the court conducted a rather eccentric analysis of the authorities on disclosure of personal data under FOIA (and of various non-authoritative prior ICO decision notices) before determining, five whole years (rather than twenty working days) after the FOIA request, that the information should be disclosed, holding that “the applicant cannot complain of any breach of privacy in respect of his pursuit of high‑profile public interest litigation in circumstances where he himself has commented publicly on the issues”.

The judgment, ultimately, is rather unsatisfactory. The interim judgment (in 2020(!)) of Keegan J, which noted the undertaking by the LSA not to disclose pending the ICO’s ruling, discusses alternative remedies, and implies that McCord would have a right to appeal the ICO’s decision to the First-tier Tribunal. However, this predates the Killock and Delo cases, which make clear that there is no substantive data subject right of appeal from an ICO data protection decision through the tribunal system. In Killock the Upper Tribunal made clear that a substantive data subject challenge (rather than a procedural one) to the ICO should, indeed, be by way of judicial review proceedings.

And it remains the case that, if you are a third party who has an interest (maybe a profound interest) in information which a public authority is proposing to disclose, in response to a FOIA request, your rights are unclear and limited.

Filed under Data Protection, FOIA, Information Commissioner, judgments, judicial review

Still no clearer on reprimands

[reposted from LinkedIn]

What is a reprimand, and how does the ICO decide to issue one? This, bizarrely, remains a bit of a mystery – apparently even to the ICO themselves.

Under Article 58(2)(b) of the UK GDPR the Information Commissioner’s Office has the power to issue reprimands to a controller or a processor where processing operations have infringed provisions of the UK GDPR.

Since January 2022 the ICO has issued 84 reprimands that it has made public (it’s possible there are others it hasn’t published – that’s certainly happened in the past). Yet there is still no clearly documented process that the ICO will follow to decide what might trigger the decision to issue a reprimand.

In February 2023 I was informed by the ICO that “there is no specific written policy or procedure covering the issuing of reprimands [but that they were] currently working on putting together a formalised process specifically for reprimands, which will be added to our Investigations Manual once finalised”.

So I followed this up recently (18 months on from the previous request). I’ve had a couple of documents disclosed to me, one a checklist that begins “Once reprimand agreed…” and another on how to apply redactions, but, otherwise, there appears still to be no way for an organisation – or even the ICO themselves(!) – to know what might lead to a reprimand being issued, and how the decision will be made.

So, six years on from the ICO getting the power, those organisations placed on the naughty step appear to be no closer to understanding what exactly they did to deserve it.

Filed under Data Protection, Information Commissioner, reprimand, UK GDPR

Is the purchase of a watch “private information”?

[reposted from LinkedIn]

An interesting (if it gets to trial) Northern Ireland case of Frampton and Van Der Horst [2024] NIMaster 17, in which the plaintiff former boxer (P) has sought damages in, variously, passing off, copyright, breach of confidence, misuse of private information and data protection, as a result of the defendant watch seller’s (D) publication of a YouTube video revealing that P had bought a watch from D.

P had obtained judgment in default and D sought to set this aside. In deciding to do so, the master only had to determine whether D has an arguable defence.

The analyses of whether the MOPI and data protection defences are arguable are interesting (and in the latter case, flawed).

On MOPI, the master noted that the “Murray factors” (“the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant, and the circumstances in which and the purposes for which the information came into the hands of the publisher”) will require consideration at trial, and also noted that the authoritative law books on the topic identify “personal financial and tax related information” as one of the types of information that will normally (but not invariably) be regarded as giving rise to a reasonable expectation of privacy. All these points could only, said the master, be determined by a trial judge, having heard all the evidence.

On the data protection claim, the defence consisted in an argument that D’s processing was based on his legitimate interests. Here, the master seems to have erred, in assessing that “This would appear a particularly weak argument as there was no express consent from the plaintiff and the purported legitimate reason for processing the data was effectively to make money, which is not an exemption under UK General Data Protection Regulations [sic]”. But, of course, reliance on Article 6(1)(f) UK GDPR legitimate interests does not (cannot) require the consent of the data subject; rather, it requires the controller’s legitimate interests to be balanced against the interests, rights and freedoms of the data subject. Nor is there any authority for the proposition that an interest or interests cannot be “legitimate” because they are commercial interests (indeed, the CJEU, in a finding which I am certain would be followed by the domestic courts, only last week ruled that a commercial interest is capable of being a legitimate interest).

This, of course, was not a fully argued case (the master only had affidavits and draft pleadings to go on). If the case goes to trial we may well see all of the claims more properly argued and considered.

Filed under Data Protection, judgments, misuse of private information

Join NADPO, get free Tim Turner training

If I told you that you could secure attendance at two half-day online training sessions on data protection, with one of the UK’s leading experts and trainers, for the meagre sum of £130 and that payment bought you two years’ membership of NADPO, with all the other benefits that brings (regular webinars, a stellar annual conference, regular newsletters, discounts on training), you would snap it up, wouldn’t you?

Well, dear friends, that’s what we’re offering our members. On Wednesday 9 October and Wednesday 16 October the fantastic Tim Turner of 2040 Training will be delivering sessions exclusively for NADPO members. So, if you purchase a membership in the next few days you’ll be entitled to attend both sessions (plus get all those other benefits).

I can’t think how any rational person could turn such an offer down.

Filed under Data Protection, NADPO, Uncategorized

You must be taking the PSNI

[reposted from LinkedIn]

The Information Commissioner’s Office has fined the Police Service of Northern Ireland £750,000 for the failings that led to the public disclosure of the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff, putting countless people’s lives at risk from dissident republicans. The fine would have been £5.6m if the ICO’s “public sector approach” had not been applied.

The disclosure was made in a spreadsheet attached to a Freedom of Information Act response. The spreadsheet was intended to disclose some information, but also contained a hidden tab, where the offending information was situated.

Eleven years ago I was asked to write a piece in The Guardian about the risks of hidden data in spreadsheets. At the time, as many of you will remember, this sort of incident was prevalent in councils and the NHS. I called for the ICO to do more to warn, and, in fairness, they did. But the fact that this sort of incident was allowed to happen is shocking: the ICO notice points out that PSNI would regularly create pivot tables to prepare information for disclosure, a practice where the risk of data being hidden (but easily revealed) is particularly high, because a pivot table carries a cache of its source rows even when the source tab is hidden or deleted.
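The class of failure described above (a hidden tab, or a pivot table still carrying its source rows) can be checked for mechanically before a spreadsheet is attached to a FOIA response. The following scanner is an added example, not code from the post or from the ICO notice: it uses only the Python standard library, relies on the standard .xlsx package layout (a ZIP of XML parts, with sheet visibility recorded as `state="hidden"` or `state="veryHidden"` in `xl/workbook.xml` and pivot source rows stored under `xl/pivotCache/`), and builds its own constructed sample workbook rather than reading any real file.

```python
"""Pre-disclosure check for hidden content in an .xlsx workbook (stdlib only).

Added example, not from the original post. The sample workbook below is
constructed in memory; the names in it are placeholders, not real data.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_RDOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def _part_path(target: str) -> str:
    # Relationship targets are relative to xl/ unless they start with "/".
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def scan_workbook(data: bytes) -> dict:
    """List non-visible sheets (with their row counts) and cached pivot rows."""
    findings = {"hidden_sheets": [], "pivot_cache_rows": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Map each sheet's r:id to the worksheet part that holds its cells.
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): _part_path(r.get("Target"))
                   for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            if state == "visible":
                continue
            part = targets[sheet.get(f"{{{NS_RDOC}}}id")]
            rows = len(list(ET.fromstring(zf.read(part)).iter(f"{{{NS_MAIN}}}row")))
            findings["hidden_sheets"].append(
                {"name": sheet.get("name"), "state": state, "rows": rows})
        # A pivot table keeps a copy of its source rows in pivotCacheRecords*.xml,
        # so those rows survive even if the source tab is hidden or deleted.
        for part in zf.namelist():
            if part.startswith("xl/pivotCache/pivotCacheRecords"):
                recs = ET.fromstring(zf.read(part))
                findings["pivot_cache_rows"] += len(list(recs.iter(f"{{{NS_MAIN}}}r")))
    findings["safe_to_release"] = (not findings["hidden_sheets"]
                                   and findings["pivot_cache_rows"] == 0)
    return findings


def build_sample_workbook(leak: bool = True) -> bytes:
    """Constructed minimal .xlsx: a visible summary tab plus, when leak=True,
    a veryHidden staff tab with three rows and a pivot cache of those rows."""
    def sheet_xml(rows):
        body = "".join(
            f'<row r="{i}"><c r="A{i}" t="inlineStr"><is><t>{v}</t></is></c></row>'
            for i, v in enumerate(rows, 1))
        return f'<worksheet xmlns="{NS_MAIN}"><sheetData>{body}</sheetData></worksheet>'

    sheets = '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
    rels = '<Relationship Id="rId1" Type="" Target="worksheets/sheet1.xml"/>'
    if leak:
        sheets += '<sheet name="Staff" sheetId="2" state="veryHidden" r:id="rId2"/>'
        rels += '<Relationship Id="rId2" Type="" Target="/xl/worksheets/sheet2.xml"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml",
                    f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_RDOC}">'
                    f'<sheets>{sheets}</sheets></workbook>')
        zf.writestr("xl/_rels/workbook.xml.rels",
                    f'<Relationships xmlns="{NS_PKG}">{rels}</Relationships>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml(["Headcount by rank"]))
        if leak:
            staff = ["Surname Initial Rank", "Placeholder A Constable", "Placeholder B Sergeant"]
            zf.writestr("xl/worksheets/sheet2.xml", sheet_xml(staff))
            cache = (f'<pivotCacheRecords xmlns="{NS_MAIN}" count="3">'
                     + "".join(f'<r><s v="{i}"/></r>' for i in range(3))
                     + "</pivotCacheRecords>")
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", cache)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(scan_workbook(build_sample_workbook()), indent=2))
```

The check is deliberately conservative: any non-visible tab or any cached pivot rows mark the file as not safe to release, leaving it to a human to decide whether the content is harmless or the file should be rebuilt from a values-only export.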

The ICO announcement is unusual in that it also allows the Chief Constable of PSNI to comment, and – extraordinarily – to express that he is “extremely disappointed at the level of the fine” (despite the massive reduction over what it would have been had he been in charge of a private sector organisation).

Chief Constable Boutcher – you got off lightly.

Filed under Data Protection, fines, Freedom of Information, Information Commissioner, personal data breach, police, UK GDPR

CCTV and commercial property leases

[reposted from LinkedIn]

There is a minor, but interesting, data protection point in this judgment on a dispute between a landlord and commercial tenant about a lease.

The claimant was a dentist who had become suspended and therefore could not practise as a fully registered dentist in accordance with the terms of the lease. The dispute was about whether she had done so, and, if so, whether the court should grant relief from forfeiture (it did, on the facts).

The claimant also sought and was granted a declaration, in relation to the landlord’s siting of internal CCTV cameras, “that the processing of the claimant’s data by the defendant is unlawful and breached the provisions of the Data Protection Act 2018 and the regulations [sic] relating thereto”. 

The evidence was that “a CCTV camera was installed by the defendant by being affixed to the door frame above the entrance to the toilets in the building, on the same floor as the room let to the claimant, pointing at the stairs and the door to the claimant’s…premises”. Although the defendant landlord claimed that “the CCTV was placed there for the legitimate purpose of monitoring those going to the building’s toilets”(!), the judge did not accept that: “as it was placed, [it] had a distinct view of the entrance to the claimant’s room, and, when it was opened, into the room itself. There is no real reason why it could not have been so positioned to exclude that, or why indeed it could not have been located to point in the opposite direction to monitor those coming out of the toilet area door[!]… it was an attempt to monitor who was attending the claimant’s room and its use.”

Unfortunately, the judge does not appear to have made findings as to what precisely were the infringements of the data protection law (one notes that the declaration was sought only in respect of the claimant’s own data, and not of those attending her premises, but the finding appears to be in respect of both). 

So, as I say, a minor point, but interesting. Landlords, even in commercial property agreements (and disputes arising from them), should not simply assume they have the right to place CCTV on their property in such a way that it infringes the data protection rights of individuals using the property (whether they be tenants, employees of tenants, or the tenant’s visitors).

Filed under CCTV, Data Protection, judgments, property dispute, Uncategorized

JR judgment, and the lack of third party rights under FOIA

[reposted from LinkedIn]

The Freedom of Information Act 2000 (FOIA) confers rights on those requesting information, and obligations on public authorities (it also confers duties and powers on the Information Commissioner). What it does not do is confer any rights on someone whose information is held by a public authority and requested to be disclosed: if someone asks for that third party’s information and the public authority discloses, or is minded to disclose, the third party can do little or nothing to stop it.

That appears to be illustrated by a case in the High Court of Northern Ireland. I say “appears” because there doesn’t seem to be a judgment yet, and so I’ve had to piece together what seems to have been at issue.

FOIA requests were made by three unionist MPs to the Legal Services Agency (LSA) for information about the funding of legal cases brought by victims’ campaigner Raymond McCord. It appears that the LSA proposed to disclose the information, and Mr McCord (because he has no rights as a third party under the FOIA regime itself) brought judicial review proceedings to prevent disclosure.

According to the media reports, those proceedings have failed, with the judge saying

There is a legitimate public interest in the openness and accountability of the LSA as a public authority responsible for the expenditure of substantial public funds…[Mr McCord’s] contention that he is a private individual sits uneasily with his own description as a ‘peace campaigner’ and his various interviews with the media, including when he challenged the public claims made by Mr Allister about the appropriateness of him being granted legal aid…Self-evidently, the applicant has injected himself into the public discourse on a number of high-profile cases which are of obvious and manifest interest to the public. This is particularly so in relation to Brexit litigation.

It also appears that at some stage the ICO was involved, and indicated its view that disclosure would “likely be unfair and unlawful”. I imagine that this was because Mr McCord made a data protection complaint. In any event, the ICO said that its view was not legally binding (an interesting side note: could the ICO have issued an enforcement notice under section 149 of the Data Protection Act 2018 to prevent a public authority releasing personal data under FOIA?)

This issue of “third party rights” (or lack thereof) under FOIA is a very interesting one. The section 45 Code recommends that public authorities consult with third parties where necessary, and have regard to their representations, but this still doesn’t confer a direct right.

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, judgments, judicial review, personal data

Who was the first ever DPO?

Prompted by a rather strange comment on LinkedIn, by someone who claimed they were the UK’s first DPO in 2007, and then claimed they meant “Data Privacy Officer” and not “Data Protection Officer”, I thought I’d do some in-depth research into who the first DPO might actually have been (you can thank Aaron Needham for setting the thought in my mind).

By “in-depth” research, I mean half an hour or so on Google Books Advanced Search, so my findings are as authoritative as that would indicate. I would welcome others’ research.

As I mentioned on LinkedIn, NADPO, of which I am Chair, was founded in 1993, as the “National Association of Data Protection Officers”. The fact that its founder members thought it appropriate to create a national association of DPOs indicates that there were already a fair few of them around. And of course that was the case: the UK had had a Data Protection Act since 1984. Although that Act didn’t create a formal, statutory, role of DPO, it undoubtedly created the statutory scheme that gave rise to widespread adoption of the title, and the role.

And the UK was behind some other countries, in particular Germany, although the person who might appear to be the world’s first DPO (or Datenschutzbeauftragter), Willi Birkelbach, is in fact more correctly characterised as the first data protection supervisory authority.

But who, you ask me, was the UK’s first DPO (and DPO proper)? Well, my friends, the earliest candidate I’ve so far managed to find, from an entry in the Commonwealth Universities Yearbook of 1979, was a certain “Halstead, J” of Lancaster University.

Therefore, unless or until someone comes up with a better candidate, I am going to bestow the title of the UK’s first DPO on J. Halstead.

It would be great to know more about them, as well, so if anyone has any info, I’d love to hear it.

Filed under Data Protection, Data Protection Officer, DPO, NADPO

Crowdstrike and personal data breaches: loss vs unavailability

I ran a poll on LinkedIn in recent days which asked “If a controller temporarily can’t access personal data on its systems because of the Crowdstrike/MSFT incident is it a personal data breach?” 

I worded the question carefully.

50% of the 100-odd people who voted said “no” and 50% said “yes”. The latter group are wrong. I say this with some trepidation because there are people in that group whose opinion I greatly respect. 

But here’s why they, and, indeed, the Information Commissioner’s Office and the European Data Protection Board, are wrong.

Article 4(12) of the GDPR/UK GDPR defines a “personal data breach”. This means that it is a thing in itself. And that is why I try always to use the full term, or abbreviate it, as I will here, to “PDB”. 

This is about the law, and in law, words are important. To refer to a PDB as the single word “breach” is a potential cause of confusion, and both the ICO and the EDPB guidance are infected by and diminished by sloppy conflation of the terms “personal data breach” and “breach”. In English, at least, and in English law, the word “breach” will often be used to refer to a contravention of a legal obligation: a “breach of the law”. (And in information security terminology, a “breach” is generally used to refer to any sort of security breach.) But a “breach” is not coterminous with a “personal data breach”.

And a PDB is not a breach of the law: it is a neutral thing. It is also crucial to note that nowhere do the GDPR/UK GDPR say that there is an obligation on a person (whether controller or processor) not to experience a PDB, and nowhere do GDPR/UK GDPR create liability for failing to prevent one occurring. This does not mean that where a PDB has occurred because of an infringement of other provisions which do create obligations and do confer liability (primarily Article 5(1)(f) and Article 32) there is no potential liability. But not every PDB arises from an infringement of those provisions.

The Article 4(12) definition is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Let us break that down:

  • A breach of security…
  • leading to [one or more of]
  • accidental or unlawful…
  • 1. destruction of…
  • 2. loss of…
  • 3. alteration of…
  • 4. unauthorised disclosure of…
  • 5. unauthorised access to…
  • personal data processed.

If an incident is not a breach of security, then it’s not a PDB. And if it is a breach of security but doesn’t involve personal data, it’s not a PDB. But even if it is a breach of security, and involves personal data, it’s only a PDB if one of the eventualities I’ve numbered 1 to 5 occurs.

Note that nowhere in 1 to 5 is there “unavailability of…” or “loss of access to…”. 

Now, both the ICO, and the EDPB, read into the words “loss of…personal data…” the meaning, or potential meaning “loss of availability of personal data”. But in both cases they appear to do so in the context of saying, in terms, “loss of availability is Article 4(12) ‘loss’ because it can cause harm to data subjects”. I don’t dispute, and nor will many millions of people affected by the Crowdstrike incident, that unavailability of personal data can cause harm. But to me, “loss” means loss: I had something, and I no longer have it. I believe that that is how a judge in the England and Wales courts would read the plain words of Article 4(12), and decide that if the legislator had intended “loss” to mean something more than the plain meaning of “loss” – so that it included a meaning of “temporary lack of access to” – then the legislator would have said so. 

Quite frankly, I believe the ICO and EDPB guidance are reading into the plain wording of the law a meaning which they would like to see, and they are straining that plain wording beyond what is permissible.

The reason, of course, that this has some importance is that Article 33 of the GDPR/UK GDPR provides that “in the case of” (note the neutral, “passive” language) a PDB, a controller must in general make a notification to the supervisory authority (which, in the UK, is the ICO), and Article 34 provides that where a PDB is likely to result in a high risk to the rights and freedoms of natural persons, those persons should be notified. If a PDB has not occurred, no obligation to make such notifications arises. That does not mean of course, that notifications cannot be made, through an exercise of discretion (let’s forget for the time being – because they silently resiled from the point – that the ICO once bizarrely and cruelly suggested that unnecessary Article 33 notifications might be a contravention of the GDPR accountability principle.)

It might well be that the actions or omissions leading to a PDB would constitute an infringement of Articles 5(1)(f) and 32, but if an incident does not meet the definition in Article 4(12), then it’s not a PDB, and no notification obligation arises. (Note that this is an analysis of the position under the GDPR/UK GDPR – I am not dealing with whether notification obligations to any other regulator arise.)

I can’t pretend I’m wholly comfortable saying to 50% of the data protection community, and to the ICO and EDPB, that they’re wrong on this point, but I’m comfortable that I have a good arguable position, and that it’s one that a judge would, on balance, agree with.

If I’m right, maybe the legislator of the GDPR/UK GDPR missed something, and maybe availability issues should be contained within the Article 4(12) definition. If so, there’s nothing to stop both the UK and the EU legislators amending Article 4(12) accordingly. And if I’m wrong, there’s nothing to stop them amending it to make it more clear. In the UK, in particular, with a new, energised government, a new Minister for Data Protection, and a legislative agenda that will include bills dealing with data issues, this would be relatively straightforward. Let’s see.

And I would not criticise any controller which decided it was appropriate to make an Article 33 notification. It might, on balance, be the prudent thing for some affected controllers to do. The 50/50 split on my poll indicates the level of uncertainty on the part of the profession. One also suspects that the ICO and the EU supervisory authorities might get a lot of precautionary notifications.

Heck, I’ll say it – if anyone wants to instruct me and my firm to advise, both on law and on legal strategy – we would of course be delighted to do so.

Filed under Data Protection, EDPB, GDPR, Information Commissioner, Let's Blame Data Protection, LinkedIn Post, personal data breach, UK GDPR