The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.
The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.
The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.
This led to a further follow-up query from me because as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”
I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?
[this post was originally published on my LinkedIn page.]
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
[I tend to do a lot my posting these days on LinkedIn, and less here. But the combination of LinkedIn’s poor search capability and my memory means I forget about some things I’ve written about that I’d quite like to remember. So I’m going to put some of them on this blog to remind me. This one is on a doozy of a Tribunal judgment.]
This Information Tribunal judgment about whether photographs of planning notices should be disclosed begins with a long quote from The Hitchhiker’s Guide to the Galaxy, and gets even more extraordinary as it goes on.
By the end of the judgment the judge has called the Information Commissioner’s Office’s decision a “pitiful failure to understand the scope and significance of material in the public domain and the role of data protection in protecting rights”, uses the term “bankruptcy” to describe the approach to the matter by both the ICO and Shropshire Council, and appears to have declared the Council’s handling of not just the individual planning application, but its planning policy as a whole unlawful (the judgment says, for instance that the council’s implementation of The Town and Country Planning (Development Management Procedure) (England) Order 2015 “failed to accord local residents their rights”).
This last point surely illustrates the Tribunal straying well beyond its jurisdiction, and it is difficult to see how it will escape having its judgment appealed. That’s actually a pity, because the underlying point in it is that the ICO’s approach failed to understand that data protection law has to be considered “in relation to its function in society and be balanced against other fundamental rights” (recital 4 GDPR) and failed to consider the Environmental Information Regulations’ context, whereby access to environmental information is one of the three pillars of the Aarhus Convention – the others being public participation in decision-making, and access to justice in environmental matters.
And even if the judgment gets appealed, I would hope the ICO acknowledges the key point that data protection rights don’t automatically trump all other rights.
On 29 February Lady Elish Angiolini published the first report from her inquiry into how off-duty Metropolitan police officer Wayne Couzens was able to abduct, rape and murder Sarah Everard.
Information Commissioner John Edwards contributed to the inquiry, and his evidence is cited at 4.320 (the paragraph is quoted below). It deals with the profoundly important (and perennially misunderstood) issue of data-sharing within and between police forces.
Although for obvious reasons the identity and content of some witness evidence to the inquiry is being kept anonymous, there should be no obvious reason that Mr Edwards’s is, and I hope that the Information Commissioner’s Office will, in addition to publishing his press statement, also publish any written evidence he submitted. It would also be good to know the details of the work Mr Edwards says his office is doing, and continuing, with the police, in this context.
In discussions with senior leaders of relevant organisations, the Inquiry was told that gaps in information-sharing between human resources, recruitment, professional standards and vetting teams – and, indeed, between forces themselves – were a significant barrier to capturing a clear picture of officers. The Inquiry heard from different sources, including senior leaders, that there are significant barriers to information-sharing. Some cite data privacy and protection laws as a reason not to share information. However, in a discussion with the Information Commissioner, John Edwards, the Inquiry was assured that data protection law recognises that there are legitimate reasons for information-sharing, particularly given the powers attributed to police officers. Indeed, Mr Edwards suggested that data protection law is widely misunderstood and misconstrued, and highlighted a failure of training in this regard.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
As electors went to the polls in the Rochdale by-election on 29 February, a few posts were made on social media showing the disparity between letters sent to different electors by candidate George Galloway. An example is here
On the face of it, Galloway appears to have hoped to persuade Muslim voters to vote for him based on his views on a topic or topics he felt would appeal to them, and others to vote for him based on his views on different topics.
It should be stressed that there is nothing at all wrong that in principle.
What interests me is how Galloway identified which elector to send which letter to.
It is quite possible that a candidate might identify specific roads which were likely to contain properties with Muslim residents. And that, also would not be wrong.
But an alternative possibility is that a candidate with access to the full electoral register, might seek to identify individual electors, and infer their ethnicity and religion from their name. A candidate who did this would be processing special categories of personal data, and (to the extent any form of automated processing was involved) profiling them on that basis.
Article 9(1) of the UK GDPR introduces a general prohibition on the processing of special categories of personal data, which can only be set aside if one of the conditions in Article 9(2) is met. None of these immediately would seem available to a candidate who processes religious and/or ethnic origin data for the purposes of sending targeted electoral post. Article 9(2)(g) provides a condition for processing necessary for reasons of substantial public interest, and Schedule One to the Data Protection Act 2018 gives specific examples, but, again, none of these would seem to be available: paragraph 22 of the Schedule permits such processing by a candidate where it is of “personal data revealing political opinions”, but there is no similar condition dealing with religious or ethnic origin personal data.
If such processing took place in contravention of the prohibition in Article 9, it would be likely to be a serious infringement of a candidate’s obligations under the data protection law, potentially attracting regulatory enforcement from the Information Commissioner, and exposure to the risk of complaints or legal claims from electors.
To be clear, I am not saying that I know how Galloway came to send different letters to different electors, and I’m not accusing him of contravening data protection law. But it strikes me as an issue the Information Commissioner might want to look into.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Three years ago, at the end of the Brexit Implementation Period, I helped prepare a version of the UK GDPR for the Mishcon de Reya website. At the time, it was difficult to find a consolidated version of the instrument, and the idea was to offer a user-friendly version showing the changes made to the retained version of the GDPR, as modified by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, and the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020.
Since then, the main legislation.gov.uk has offered a version. However, with respect to that site, it’s not always the easiest to use.
The burden now, though, falls to me and Mishcon, of updating our pages as and when the UK GDPR itself gets amended. Major changes are likely to made when the Data Protection and Digital Information Bill gets enacted, but, first, we have the minor amendments (minor in number, of not in significance) effected by The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (which came into force at 23:59:59 on 31.12.23).
The changes have been made to Articles 1, 4, 9, 50, 85 and 86.
The Mishcon pages have been very well used, and we’ve had some great feedback on them. They don’t profess to be an authoritative version (and certainly should not be relied on as such) but we hope they’ll continue to be a useful resource.
The Information Commissioner’s Office (ICO) has published reprimands against seven separate organisations all of whom committed serious infringements of data protection law by inadvertently disclosing highly sensitive information in the context of cases involving victims of domestic abuse.
The ICO trumpets the announcement, but does not appear to consider the point that, until recently, most, if not all, of these infringements would have resulted in a hefty fine, not a regulatory soft tap on the wrist. Nor does it contemplate the argument that precisely this sort of light-touch regulation might lead to more of these sorts of incidents, if organisations believe they can act (or fail to act) with impunity.
I think it is incumbent on the Information Commissioner, John Edwards, to answer this question: are you confident that your approach is not leading to poorer compliance?
The cases include
Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation.
Revealing identities of women seeking information about their partners to those partners.
Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother.
Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.
The majority of infringements of data protection law are not criminal offences, but, rather, contravention of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information
which—
(a)has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,
(b)relates to an identified or identifiable individual or business, and
(c)is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,
However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that
(a)the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,
(b)the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),
(c)the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,
(d)the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,
(e)the disclosure was made for the purposes of criminal or civil proceedings, however arising, or
(f)having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.
This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.
Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.
But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44, because of the offence provisions at section 132 DPA.
Whether this is an over-cautious stance is one thing, but it is understandable.
What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data report (albeit with redactions). Here, also.
If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?
One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Answer – when Parliament approveslegislation to remove it
Rather quietly, the government is introducing secondary legislation which will have the effect of removing the (admittedly odd) situation whereby the UK GDPR describes the right to protection of personal data as a fundamental right.
Currently, Article 1(2) of the UK GDPR says “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. For the purposes of the EU GDPR this makes sense (and made sense when the UK was part of the EU) because the Charter of Fundamental Rights of the European Union (“the Charter”) identifies the right to protection of personal data as a free-standing right.
There is no direct equivalent to the right to the protection of personal data in the UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention of Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by UK GDPR, the Data Protection Act 2018 and will continue to be protected by the Data Protection and Digital Information Bill in our domestic legislation.
None of this addresses the point that the EU specifically decided, in the Charter, to separate the right to protection of personal data from the right to respect for a private and family life. One reason being that sometimes personal data is not notably, or inherently, private, but might, for instance, be a matter of public record, or in the public domain, yet still merit protection.
The explanatory memorandum also says, quite understandably, that the UK GDPR has to be amended so as to ensure that
references to retained EU rights and freedoms which would become redundant at the end of 2023 are replaced with references to rights under the European Convention on Human Rights (ECHR) which has been enshrined in the UK’s domestic law under the Human Rights Act 1998
Nonetheless, it was interesting for a while that the UK had a fundamental right in its domestic legislation that was uncoupled from its source instrument – but that, it seems, will soon be gone.
There is no update. Nothing from the ICO at all, other than, at four weeks – after chasing – a message saying it’s taking six to eight weeks to allocate cases.
don’t have “reject all” on your top level [cookie banner]…are breaking the law. ..There is no excuse for that. The ICO is paying attention in this area and will absolutely issue fines if we see organizations are not taking that seriously and taking steps.
Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines.
Then, on 9 August, in conjunction with the Competition and Markets Authority, your office stated
One clear example of often harmful design are cookie consent banners. A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them. Users should be able to make an informed choice on whether they want to give consent for their personal information to be used, for example, to profile them for targeted advertising. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.
In view of all of these statements, I wish to complain, under Article 77 UK GDPR, and simultaneously request, under regulation 32 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), that you exercise your enforcement functions, in relation to the use of cookies and similar technology by Associated Newspapers Limited, or alternatively DMG Media (whichever is applicable) as controller of, and person responsible for confidentiality of communications on, the “MailOnline” website at https://www.dailymail.co.uk/home/index.html (the “Website”).
The Website presents a visitor using the Safari browser on an iPhone 11 Pro with a “cookie banner” (see attached screenshot) which does not offer visitors a “reject all” option.
Furthermore, the whole set-up is opaque. If one clicks “Cookie Settings” one is faced with an initially straightforward set of options (one of them set by default to accept cookies for personalised advertising on the basis of “legitimate interest”, which is clearly not compliant with regulation 6 of PECR). However, if one then clicks on the tab for “Vendors”, one is faced with a frankly farcically long list of such “vendors”, and options, many of them set by default to “legitimate interest”. I consider myself reasonably knowledgeable in this area, but it is far from clear what is actually going on, other than to say it plainly appears to be falling short of compliance with regulation 6, and, to the extent my personal data is being processed, the processing plainly appears to be in contravention of the UK GDPR, for want – at least – of fairness, lawful basis and transparency.
It is worth noting that much of MailOnline’s content is likely to be of interest to and accessed by children (particularly its sports and “celebrity news” content), even if the publisher does not actively target children. You state, in your guidance
if children are likely to access your service you will need to ensure that both the information you provide and the consent mechanism you use are appropriate for children.
But the complexity and opacity of the Website’s cookie use means that it is largely incomprehensible to adults, let alone children.
It is, obviously, not for me to specify how you undertake an investigation of my complaint, but you must, of course, by reference to Article 57(1)(f) UK GDPR, investigate to the “extent appropriate”. Given the clear messages your office has delivered about cookie banners and the like, and given the weight of evidence as to non-compliance, I would suggest an investigation to the extent appropriate must – at the very least – result in a clear finding as to legality, with reasons, and recommendations for the investigated party.
I cannot claim to be distressed by the infringements I allege, but I do claim to be irritated, and to have, cumulatively, been put to excess time and effort repeatedly trying to “opt out” of receiving cookies on the Website and understand what sort of processing is being undertaken, and what sort of confidentiality of communications exists on it.
Of course the Website here is not the only example of apparent non-compliance: poor practice is rife. Arguably, it is rife because of a prolonged unwillingness by your office and your predecessors to take firm action. However, if you would like me to refer to other examples, or require any further information, please don’t hesitate to ask.
Yours sincerely
Jon Baines
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The modern digital economy allows us to order goods (and have them delivered) with a few taps on our phones. But the infrastructure behind locating, packaging and delivering those goods necessitates that a chain of people have access to the specific of our orders, and, in some cases, our contact details. A consequence of this appears to be an extraordinary prevalence of customers receiving unwanted contact as a result: research commissioned by the Information Commissioner’s Office (ICO) indicates that 29% of 18-34-year-olds have received unwanted contact after giving their personal details to a business.
It is to the ICO’s credit that it is looking at this issue, and calling for evidence of what it correctly calls this “illegal behaviour”. But I found it surprising that the ICO did not explain, in its communications, that if someone obtains a customer’s contact details from a business, and uses it for personal purposes which are different from (and not approved by) the business, they are very likely to be committing the criminal offence of unlawfully obtaining personal data without the consent of the controller, under section 170(1)(a) of the Data Protection Act 2018 (DPA).
The ICO says it will be contacting
some of the major customer-facing employers in the country to emphasise their legal responsibilities as well as to learn more about what safeguards they have in place
Which is all fine, but maybe a quicker and more effective action would be to remind those employers in turn to make their staff aware that using customer data for such purposes may well see them ending up with a criminal record.
Under section 197 of the DPA prosecutions for section 170 offences can only be brought, in England, Wales and Northern Ireland at least, by the ICO itself (or with the permission of the Director of Public Prosecutions or equivalent). One wonders if the sheer numbers of incidents where customer data is being obtained and misused in this way means that the ICO’s criminal prosecution team simply doesn’t have the capacity to deal with it. If so, maybe Parliament needs to look at giving the CPS a role, or even whether private prosecutions could be allowed.
informationrightsandwrongs 