Category Archives: Data Protection

August 20, 2023 · 3:38 pm

PSNI data breaches and questions over ICO’s investigations retention policy

I’ve been running this blog for about 15 years now. I’m not a records manager, but I recognise that information has a lifecycle. Maybe I could weed some older posts, but the thing is, I occasionally find some of the old posts useful. For instance when news broke of recent nasty data breaches involving police forces (including the Police Service of Northern Ireland, or “PSNI”) and freedom of Information disclosures, I was able to point to a ten-year-old post on this blog which illustrated that concerns about such disclosures have been around for a long time.

So I was rather surprised to see the Information Commissioner’s Office (ICO) saying – in response to claims from two former anti-terrorist officers that the recent incidents were part of a pattern of serious mistakes, and that their information had previously been compromised (albeit not by PSNI itself) – that

Having checked with relevant teams, we do not appear to have record of an investigation regarding this data controller for the time frame noted. This may be due to our retention policy

The retention policy in question says (at page 28) that information in relation to regulatory investigations will normally be retain for five or six years, but that in civil enforcement cases where no action was taken information will be destroyed after two years.

There is nothing inherently “wrong” about this; unless there is a statutory requirement to retain information it will fall to each public body to determine what is an appropriate retention period. However, the ICO elsewhere emphasises the need to consider patterns in compliance. The regulatory action policy, for instance, says that an organisation’s “prior regulatory history” including the “pattern…of complaints” might be an aggravating factor when it comes to taking enforcement action, and that “as issues or patterns of issues escalate in frequency or severity then we will issue more significant powers in response”. But the retention policy means that, unless formal action has been taken against an organisation, such patterns might only be able to be taken into account when they involve incidents occurring within the previous two years. Is that sufficient or adequate?

I would suggest not. The policy’s version history illustrates that it is regularly reviewed (including an annual review). I would hope that the next review consider whether there is compelling evidence to suggest that retaining investigation information for longer than two years is warranted, especially in light of recent events.

Leave a comment

Filed under access to information, adequacy, Data Protection, Information Commissioner, retention, security

Tagged as , , ,

July 31, 2023 · 8:08 pm

ICO failing to inform complainants of investigation outcomes

I’d like you to imagine two people (Person A and Person B). Both receive an unsolicited direct marketing call to their personal mobile phone, in which the caller says the recipient’s name (e.g. “am I speaking to Jon Baines?”) Both are registered with the Telephone Preference Service. Both are aggrieved at receiving the unlawful call.

Person A knows nothing much about electronic marketing laws, and nothing much about data protection law. But, to them, quite reasonably, the call would seem to offend their data protection rights (the caller has their name, and their number). They do know that the Information Commissioner enforces the data protection laws.

Person B knows a lot about electronic marketing and data protection law. They know that the unsolicited direct marketing call was not just an infringement of the Privacy and Electronic Communications (EC Directive) Regulations 2003, but also involved the processing of their personal data, thus engaging the UK GDPR.

Both decide to complain to the Information Commissioner’s Office (ICO). Both see this page on the ICO website

 

They see a page for reporting Nuisance calls and messages, and, so, fill in the form on that page.

And never hear anything more.

Why? Because, as the subsequent page says “We will use the information you provide to help us investigate and take action against those responsible. We don’t respond to complaints individually” (emphasis added).

But isn’t this a problem? If Person A’s and Person B’s complaints are (as they seem to be) “hybrid” PECR and UK GDPR complaints, then Article 57(1)(f) of the latter requires the ICO to

handle complaints lodged by a data subject…and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period (emphasis added)

What Article 57(1)(f) and the words “investigate, to the extent appropriate” mean, has been the subject of quite a bit of litigation in recent years (the basic summary of which is that the ICO has broad discretion as to how to investigate, and even a mere decision to cease handling a complaint will be likely to suffice (see Killock & Veale & others v Information Commissioner (GI/113/2021 & others)).

But nowhere has anyone suggested that ICO can simply decide not to “inform the complainant of the progress and the outcome of the investigation”, in hybrid complaints like the Person A’s and Person B’s would be.

Yet that is what undoubtedly happens in many cases. And – it strikes me – it has happened to me countless times (I have complained about many, many unsolicited calls over the years, but never heard anything of the progress and outcome). Maybe you might say that I (who, after all, have found time to think about and write this post) can’t play the innocent. But I strongly believe that there are lots of Person As (and a fair few Person Bs) who would, if they knew that – to the extent theirs is a UK GDPR complaint –  the law obliges the ICO to investigate and inform them of the progress and the outcome of that investigation, rightly feel aggrieved to have heard nothing.

This isn’t just academic: unsolicited direct marketing is the one area that the ICO still sees as worthy of fines (all but two of the twenty-three fines in the last year have been under that regime). So a complaint about such a practice is potentially a serious matter. Sometimes, a single complaint about such marketing has resulted in a large fine for the miscreant, yet – to the extent that the issue is also a UK GDPR one – the complainant themselves often never hears directly about the complaint.

In addition to the Killock & Veale case, there have been a number of cases looking at the limits to (and discretion regarding) ICO’s investigation of complaints. As far as I know no one has actually yet raised what seems to be a plain failure to investigate and inform in these “hybrid” PECR and UK GDPR cases.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, PECR, UK GDPR

Tagged as , ,

July 30, 2023 · 11:05 am

Has the Information Commissioner’s Office lost its FOI purposes?

When Parliament passed the Data Protection Act 1984 it created a role of a regulator for that new data protection law. Section 3(1)(a) said that

For the purposes of this Act there shall be…an officer known as the Data Protection Registrar

The office remained in this form until the passing of the Data Protection Act 1998, section 6(1) of which provided that

The office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner

The advent of the Freedom of Information Act 2000 necessitated a change, so as to create a role of regulator for that Act. Paragraph 13(2) of Schedule 2 to the Freedom of Information Act 2000 amended section 6(1) of the Data Protection Act 1998 so it read

For the purposes of this Act and of the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner

So, at this point, and indeed, until 25 May 2018, there was an Information Commissioner “for the purposes of” the Data Protection Act 1998, and “for the purposes of” the Freedom of Information Act 2000.

25 May 2018 marked, of course the date from which (by effect of its Article 99) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, or “GDPR“, applied.

Also on 25 May 2018, by effect of the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018, section 114 of the Data Protection Act 2018 commenced. This provided (and provides)

There is to continue to be an Information Commissioner.

However, paragraph 44 of schedule 19 to the Data Protection Act 2018 (commenced also by effect of the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018) repealed the “FOIA purpose” provisions of section 6(1) of the Data Protection Act 1998 (which, to recall, said that “for the purposes of…the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner“). At the same time, paragraph 59 of schedule 19 to the Data Protection Act 2018 repealed section 18(1) (which had provided that “The Data Protection Commissioner shall be known instead as the Information Commissioner“).

So, the Information Commissioner is no longer described, in statute, as an officer which shall be for the purposes of the Freedom of Information Act 2000.

Probably nothing turns on this. Elsewhere in the Freedom of Information Act 2000 it is clear that the Information Commissioner has various functions, powers and duties, which are not removed by the repeal (and subsequent absence of) the “FOIA purpose” provisions. However, the repeal (and absence) do raise some interesting questions. If Parliament thought it right previously to say that, for the purposes of the Freedom of Information Act 2000 there should have been an Information Commissioner, why does it now think it right not to? No such questions arise when it comes to the data protection laws, because section 114 and schedule 12 of the Data Protection Act 2018, and Articles 57 and 58 of the UK GDPR, clearly define the purposes (for those laws) of the Information Commissioner.

Maybe all of this rather painful crashing through the thickets of the information rights laws is just an excuse for me to build up to a punchline of “what’s the purpose of the Information Commissioner?” But I don’t think that is solely what I’m getting at: the implied uncoupling of the office from its purposes seems odd, and something that could easily have been avoided (or could easily be remedied). If I’m wrong, or am missing something – and I very much invite comment and correction – then I’ll happily withdraw/update this post.

Please note that links to statutes here on the legislation.gov.uk website are generally to versions as they were originally enacted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Freedom of Information, GDPR, Information Commissioner

Tagged as , , , ,

July 28, 2023 · 9:32 am

Has ICO “no fines” policy been introduced without proper debate?

At the NADPO annual conference last year Information Commissioner John Edwards discussed his policy of reserving fines under UK GDPR to public bodies only for the most egregious cases. The policy had been announced a few months earlier in an open letter (interestingly addressed to “public sector colleagues”).

Since then, it seems that fines (other than for Privacy and Electronic Communications Regulations (PECR) matters) are – in general – almost off the Information Commissioner’s agenda. Just this week a reprimand – only – was issued to a video sharing platform (the contents of which tend towards the conspiratorial, and the users of which might have particular concerns about exposure) which suffered an exfiltration attack involving 345000 user names, email addresses and passwords.

Earlier this year I made a Freedom of Information request for the evidential basis for Edwards’ policy. The response placed primary focus on a paper entitled “An Introduction to Outcome Based Cooperative Regulation (OBCR)” by Christopher Hodges, from the Centre for Socio-Legal Studies at Oxford. Hodges is also Chair of the government’s Regulatory Horizons Council.

The paper does not present empirical evidence of the effects of fines (or the effects of not-fining) but proposes a staged model (OBCR) of cooperation between businesses (not, one notes, public bodies) and regulators to achieve common purposes and outcomes. OBCR, it says, enables organisations to “opt for basing their activities around demonstrating they can be trusted”. The stages proposed involve agreement amongst all stakeholders of purposes, objectives and desired outcomes, as well as evidence and metrics to identify those outcomes.

But what was notable about Edwards’ policy, was that it arrived without fanfare, and – apparently – without consultation or indeed any involvement of stakeholders. If the aim of OBCR is cooperation, one might reasonably question whether such a failure to consult vitiates, or at least hobbles, the policy from the start.

And, to the extent that the judiciary is one of those stakeholders, it would appear from the judgment of Upper Tribunal Judge Mitchell, in the first GDPR/UK GDPR fining case (concerning the very first GDPR fine in the UK) to reach the appellate courts, that there is not a consensus on the lack of utility of fines. At paragraph 178, when discussing the fact that fines (which are, by section 155 Data Protection Act 2018, “penalty” notices) the judge says

There is clearly also a dissuasive aspect to [monetary penalty notices]. I do not think it can be sensibly disputed that, in general, the prospect of significant financial penalties for breach of data protection requirements makes a controller or processor more likely to eschew a lackadaisical approach to data protection compliance and less likely to take deliberate action in breach of data protection requirements.

This is a statement which should carry some weight, and, to the extent that it is an expression on regulatory theory (which I think it is) it illustrates why a policy such as John Edwards has adopted requires (indeed, required) more of a public debate that it appears to have had.

As the issuing of fines inevitably involves an exercise of discretion, it is essentially impossible to say how many fines have not been issued which would have been, but for the Edwards policy (although it might be possible to look at whether there has – which I suspect there has – been a corresponding increase in “reprimands”, and draw conclusions from that). Nonetheless, some recipients of fines from before the policy was introduced might well reasonably ask themselves whether, had Edwards’ policy been in place at the time, they would have escaped the penalty, and why, through an accident of timing, they were financially punished when others are not. Similarly, those companies which may still receive fines, including under the PECR regime, yet which can convincingly argue that they wish to, and can, demonstrate they can be trusted, might also reasonably asked why they are not being given the opportunity to do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, fines, GDPR, Information Commissioner, monetary penalty notice, PECR, rule of law, UK GDPR

Tagged as , , , ,

June 20, 2023 · 9:50 am

Typo in the GDPR

A small thing, to please small minds.

As I was looking at the excellent version of the UK GDPR on the Mishcon de Reya website (plaudits, and a salary increase, for the person who created it), I noticed odd wording at Article 23(1)(e)

…including monetary, budgetary and taxation a matters, public health…

“taxation a matters”? Oh dear – salary decrease for whoever typed that?

However, I then saw that the version of the UK GDPR on the legislation.gov.uk pages has the same odd wording.

At that point, my national pride was concerned. Did the UK screw up its retention of the EU GDPR? But no – pride restored! plaudits restored! salary increase merited! The silly old drafters of the original GDPR had done the original typo, which has carried through. The Official Journal of the European Union bears the original sin

I surely can’t be the first person to have noticed this. But a cursory Google search didn’t show anyone else mentioning it. So I’m going to claim it. With all the associated plaudits.

Leave a comment

Filed under accuracy, Data Protection, GDPR, UK GDPR

Tagged as , ,

May 9, 2023 · 2:30 pm

ICO: powers to enforce over dead people’s information?

The Information Commissioner’s Office (ICO) has announced that it will not be taking action against Lancashire Police in relation to their disclosure of private information during their investigation into the tragic case of Nicola Bulley.

This is unsurprising, and, objectively, reassuring, because if the ICO had brought enforcement proceedings it would almost certainly have been unlawful to do so. In blunt terms, the ICO’s relevant powers are under laws which deal with “personal data” (data relating to a living individual) and when the police disclosed information about Nicola, she was not living.

There is no discretion in these matters, and no grey areas – a dead person (in the UK, at least) does not have data protection rights because information relating to a dead person is, simply, not personal data. Even if the police thought, at the time of the disclosure, that Nicola was alive, it appears that, as a matter of fact, she was not. (I note that the ICO says it will be able to provide further details about its decision following the inquest into Nicola’s death, so it is just possible that there is further information which might elucidate the position.)

Unless the ICO was going to try to take enforcement action in relation to a general policy, or the operation of a general policy, about disclosure of information about missing people (for instance under Article 24 of the UK GDPR), then there was simply no legal power to take action in respect of this specific incident.

That is not to say that the ICO was not entitled to comment on the general issues, or publish the guidance it has published, but it seems to be either an empty statement to say “we don’t consider this case requires enforcement action”, or a statement that reveals a failure to apply core legal principles to the situation.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, personal data, police

Tagged as , ,

March 24, 2023 · 7:37 am

SRA, data protection and the solicitors roll

In August 2022 the Solicitors Regulation Authority (SRA) announced plans to change its rules and reinstate the annual “keeping of the roll” exercise. Until 2014, all solicitors without practising certificates were required to complete an application each year and pay an administration fee if they wished to remain on the roll. This requirement was dispensed with in 2014 in part because the annual process was seen as burdensome for solicitors.

One of the justifications now for reintroducing the keeping of the roll is given by the SRA as

There are also requirements under the General Data Protection Regulation (GDPR) 2016 [sic] and the seven principles that govern the holding and retention of data. Under GDPR we have responsibility as a data controller to ensure we maintain accurate data relating to individuals and we are processing it fairly and lawfully.

What is slightly odd is that when, in 2014, the SRA proposed to scrap the keeping of the roll, it was not troubled by the observations of the then Information Commissioner about the importance of accuracy and privacy of information. In its reply to the then Commissioner’s consultation response it said that it had “fully considered the issues” and

We consider that the availability of the SRA’s online system, mySRA, to non- practising solicitors as a means of keeping their details up to date, serves to mitigate the possibility of data become inaccurate…To further mitigate the risk of deterioration of the information held on the roll, the SRA can include reminders to keep contact details up to date in standard communications sent to solicitors.

If that was the position in 2014, it is difficult to understand why it is any different today. The data protection principles – including the “accuracy principle” – in the UK GDPR (not in fact the “GDPR 2016” that the SRA refers to) are effectively identical to those in the prior Data Protection Act 1998.

If the SRA was not concerned by data protection considerations in 2014 but is so now, one might argue that it should explain why. The Information Commissioner does not appear to have responded to the consultation this time around, so there is no indication that his views swayed the SRA.

If the SRA was concerned about the risk of administrative fines (potentially larger under the UK GDPR than under the Data Protection Act 1998) it should have reassured itself that any such fines must be proportionate (Article 83(1) UK GDPR) and by the fact that the Commissioner has repeatedly stressed that he is not in the business of handing out fines for minor infringements to otherwise responsible data controllers.

I should emphasise that data protection considerations were not the only ones taken into account by the SRA, and I don’t wish to discuss whether, in the round, the decision to reintroduce the keeping of the roll was correct or not (Joshua Rozenberg has written on this, and the effect on him). But I do feel that the arguments around data protection show a confused approach to that particular issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

Tagged as , , , ,

March 12, 2023 · 12:49 pm

Where’s the Tories’ privacy notice? (just don’t mention the footballer)

The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:

Further down the page visitors are invited to “send Labour a message”

Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)

One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”

There are two things to note.

First, the form appears to submit whether one ticks the “I agree” box or not.

Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.

So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.

I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.

Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.

It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.

And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, marketing, PECR, privacy notice, social media, spam, UK GDPR

Tagged as , , , ,

February 28, 2023 · 8:29 pm

FOI embarrassment

At a recent awards event, recognising high-performing Freedom of Information officers and teams (fantastic idea by the organisers/sponsors, by the way*) I gave a brief talk where I stressed that it was important to recognise how much FOI has achieved in its 23 (or 18**) years, and to remember that every day thousands of disclosures are made by thousands of public authorities. It’s very easy to snipe at bad practice, and I often do, but if we don’t acknowledge the benefits, the real opponents of FOI might start arguing for its repeal.

So. Celebrate success. Accentuate the positive. Eliminate the negative.

However.

Then you see a decision notice from the Information Commissioner (ICO), in which a large London council had refused to disclose, under FOI, information on how many enquiries (MEQs) each of its councillors*** had submitted to the council on behalf of constituents. The reason for refusal was that this was the personal data of the councillors (well, yes) and that disclosure would infringe those councillors’ rights under the data protection law (hell, no).

This isn’t time for legal analysis. It really is as extraordinary as it sounds.

Thankfully, the ICO had no truck with it (and the notice does have legal analysis).

Frankly, though, the council should be ashamed.

______________________

*I have no personal or professional interest

**The Act commenced in 2000, but the main provisions didn’t commence until 2005

***At the end of the notice there is a big hint as to the role of the person who made the request – see if you can guess

.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Freedom of Information, Information Commissioner, local government

Tagged as , ,

February 22, 2023 · 8:24 am

Monitoring of lawyers by the state

In the Commons on Monday Robert Jenrick, minister for immigration, said, in the context of a debate on the implications of the violent disorder outside a hotel providing refuge for asylum seekers, in Knowsley on 10 February, and in answer to a question about why no “small boats bill” has been introduced into Parliament

this is one of the most litigious areas of public life. It is an area where, I am afraid, human rights lawyers abuse and exploit our laws at times, and where the courts have taken an expansive approach in the past. That is why we must get this right, but we will be bringing forward that legislation very soon

When pressed on his reference to abuse of the law by lawyers, and asked “how many solicitors, advocates and barristers have been reported by the Home Office in the last 12 months to the regulatory authorities”, Mr Jenrick replied

We are monitoring the activities, as it so happens, of a small number of legal practitioners, but it is not appropriate for me to discuss that here.

This is a remarkable statement, both in its lack of detail and in its potential effect. The prospect of the monitoring of lawyers by the state carries chilling implications. It may well be that Mr Jenrick had no intention of making what could be interpreted as an oppressive statement, but words are important, and words said in Parliament carry particular weight.

It may also be that the “monitoring” in question consists of legitimate investigation into potential criminality by that “small number” of lawyers, but if that was the case, why not say so?

But “monitoring”, in itself, must be done in accordance with the law. If it is in the context of a criminal investigation, or surveillance, there are specific laws which may apply.

And to the extent that it involves the processing of personal data of the lawyers in question (which, inevitably, it surely must, when one considers that “processing” means, among other things “collection, recording, organisation, structuring or storage” performed on personal data) the monitoring must comply with applicable data protection laws).

As a fundamental general principle, processing of personal data must be transparent (see Articles 5(1)(a), 13 and 14 UK GDPR, or, for law enforcement processing, section 44 of the Data Protection Act 2018 (DPA), or, for Intelligence Services Processing, section 93 of the DPA.

There are qualifications to and exemptions from this general principle, but, in the absence of circumstances providing such an exemption, a data subject (here, the lawyers who are apparently being monitored) should be made aware of the processing. The information they should receive includes, among other things: the identity and the contact details of the person directing the processing; the legal basis and the purposes of the processing, and; the recipients or categories of recipients of the personal data.

We tend to call the notices we receive under these provisions “privacy notices”. Those of us who have practised data protection law for a long time will remember the term “fair processing notice” which is arguably a better term. Whatever one calls them, though, such notices are a bedrock of the law – without being aware of the processing, and the risks, rules, safeguards and rights in relation to it, data subjects cannot properly exercise their rights.

With all that in mind, has the Home Office – or whoever it is who is directing the monitoring of the “small number of lawyers” – informed them that they are being monitored? If not, why not?

Returning to my earlier comments about the oppressiveness of comments to the effect that, or the giving of a perception that, the coercive powers of the state are being deployed against lawyers by monitoring them, one wonders if the Information Commissioner should take steps to investigate the background to Mr Jenrick’s comments.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Home Office, human rights, Information Commissioner, law enforcement, monitoring, privacy notice, surveillance, transparency

Tagged as , , , ,