Category Archives: GDPR

OMG – OCG attacks HMRC

ICO declines to take action after 1000 HMRC customer records apparently altered in 2020 by Organised Crime Gang and used to make fraudulent claims

Rather hidden away on the Information Commissioner’s Office (ICO) website is information, disclosed under the Freedom of Information Act 2000 (FOIA), in relation to an ICO investigation of a security incident involving HMRC, and an organised crime gang (OCG).

It appears that, in June 2020, an OCG had used 193 genuine National Insurance Numbers (NINOs) which it had managed to “hijack” (it is not clear how) from external sources, and set up bogus Government Gateway (GG) accounts. This subsequently “enabled the OCG to carry out enrolments on the bogus GG accounts of genuine Self-Assessment customer Unique Tax References”, which in turn enabled the submission of fraudulent tax returns with the aim of the OCG being to make fraudulent expenses claims.

It was also discovered that details of 130 of the data subjects whose NINOs had been compromised were also used to “utilise” the DWP universal credit service.

HMRC did not become aware of this incident until 2 December 2020, and it notified the ICO (pursuant to its obligations under Article 33 GDPR) on 14 December 2020.

Details of the incident also appear to be contained in HMRC’s Annual Report for the period in question, where (at page 188) it refers to an incident involving 1023 people where “Personal information [was] used to make changes to customer records on HMRC systems without authorisation”.

There are many redactions in the information that the ICO has now published, but the headline point is that it did not view the incident as a serious enough infringement of HMRC’s obligations under GDPR so as to warrant a monetary penalty. The ICO noted that

…there is no indication that any of the originating personal data used to commit the fraud was obtained from HMRC.

However, it does appear that some people might have lost money, although this has since been repaid to them:

…any repayments due to genuine customers have been (or will be) made good…and therefore all the financial losses will be HMRC’s.

Also redacted are what would probably be details of systems changes that HMRC has taken or agreed to undertake as a result of the incident. These would, says the ICO

increase the protection applied to customer records and data and make stacks of this nature more difficult…

This wording suggests that the ICO felt that the level of protection had not been adequate, in line with HMRC’s security obligations under the GDPR. That being the case, the ICO must have decided that, in this instance, despite the infringement, it wasn’t necessary, or appropriate, to issue a fine or take other enforcement action.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, GDPR, HMRC, Information Commissioner, security

No, 43% of retail businesses have NOT been fined for CCTV breaches

A bizarre news story is doing the rounds, although it hasn’t, as far as I can see, hit anything other than specialist media. An example is here, but all the stories contain similar wording, strongly suggesting that they have picked up on and reported on a press release from the company (“Secure Redact”) that undertook the research behind the story.

We are told that

research reveals that 43% of UK retailers reported that they had been fined for a violation of video surveillance GDPR legislation…Of these retailers, 37% reported paying an equivalent of 2% of their annual turnover, 30% said the fine amounted to 3% of annual turnover, and 15% said the fine was 45% [sic] of annual turnover…A staggering 33% of those fined also had to close stores as a result of enforcement action

The research was apparently based on a survey of 500 respondents in retail businesses (50% in businesses with less than 250 employees, 50% in businesses with more than 250).

What is distinctly odd about this is that since GDPR has been in force in the UK, including since it has become – post-Brexit – UK GDPR, there has been a sum total of zero fines imposed by the Information Commissioner in respect of CCTV. 43% of retail businesses have not been fined for CCTV infringements – 0% have.

You can check here (direct link to .csv file) if you doubt me.

It’s difficult to understand what has gone wrong here: maybe the survey questions weren’t clear enough for the respondents or maybe the researchers misinterpreted the data.

Whatever the reasons behind the stories, those in the retail sector – whilst they should certainly ensure they install and operate CCTV in compliance with GDPR/UK GDPR – should not be alarmed that there is a massive wave of enforcement action on the subject which threatens to put some of them out of business.

Because there isn’t.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, GDPR, Information Commissioner, monetary penalty notice, UK GDPR

High Court muddle over data protection regime

A relatively common error by those unaccustomed to the rather odd structure of the data protection statutory regime in the UK, is to look first to the Data Protection Act 2018 (“DPA”) for the applicable law, instead of the UK GDPR. This is despite the fact that the very first section of the DPA instructs us in how the regime works. Section 1(2) provides that “most processing of personal data is subject to the UK GDPR”, and then sections 1(4) and (5) explain that Parts 3 and 4 of the DPA deal with those parts of the regime (law enforcement processing and intelligence services processing) which are out of the scope of UK GDPR.

“Put me to one side” – says the DPA tactfully – “you should have picked up your copy of the UK GDPR first, and not me”.

Accordingly, the key provisions, and the basic principles, applying to most processing, are to be found in the UK GDPR.

The result of this relatively common error, is that people will sometimes cite, say, section 45 of the DPA in relation to a generic subject access request, when in fact, the applicable provision is Article 15 of the UK GDPR (section 45 applies to subject access requests to competent authorities for the purposes of law enforcement).

Occasionally, I have seen non-specialist lawyers make this mistake.

And now, I have seen a high court judge do the same. In a judicial review case in the High Court of Northern Ireland, challenging the accuracy of a child’s social care records, part of the claim (which was primarily an Article 8 human rights claim) was pleaded as also a breach of Article 5(1) and (6) of the “GDPR” (the correct pleading should have been, and maybe was, by reference to the UK GDPR) and Part 1 of the DPA. Article 5(1) of the UK GDPR contains the data protection principles.

The judge, however, stated that

It seems to the court that in fact the relevant part of the 2018 Act are sections 86 to 91 which set out the six data protection principles in relation to data processing.

This is simply wrong. Sections 86 to 91 of the DPA lay out the data protection principles only in relation to intelligence services processing (i.e. processing of personal data by the Security Service, the Secret Intelligence Service or by the Government Communications Headquarters).

It isn’t clear whether there was any discussion about this in the court (quite possibly not), but it appears not to have been picked up when the judgment was circulated in draft or published to the parties. As it is, it seems very likely that nothing turns on it. This is because the Part 4 DPA principles, like the Part 3 DPA principles, effectively mirror the principles in Article 5(1) UK GDPR, and so the analysis, for the purposes of the substantive matter, was sound.

So this was an error of form, more than substance.

However, there are some differences between the UK GDPR regime, the Part 3 DPA regime and the Part 4 DPA regime, and in different circumstances an error like this could result in an outcome which is wrong, and harmful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Data Protection Act 2018, GDPR, human rights, Ireland, judiciary, UK GDPR

Data Protection reform bill – all that? or not all that?

I’ve written an “initial thoughts” analysis on the Mishcon de Reya website of the some of the key provisions of the Data Protection and Digital Information Bill:

The Data Protection and Digital Information Bill – an (mishcon.com)

Leave a comment

Filed under adequacy, Data Protection, Data Protection Act 2018, Data Protection Bill, DPO, GDPR, Information Commissioner, PECR, UK GDPR

Podcast on UK data protection reforms

My Mishcon de Reya colleague Adam Rose and I have recorded a short (25 minute) podcast on the government’s recent announcement of proposed data protection reforms.

UK Data Reform – what’s being proposed? (mishcon.com)

Leave a comment

Filed under adequacy, Data Protection, Data Protection Act 2018, GDPR, UK GDPR

Data reform – hot news or hot air?

I’ve written a piece for the Mishcon de Reya website on the some of the key proposals (for our client-base) in today’s data protection reform announcement.

Data protection law reform – major changes, but the (mishcon.com)

Leave a comment

Filed under adequacy, consent, cookies, Data Protection, Data Protection Act 2018, DPO, GDPR, Information Commissioner, international transfers, nuisance calls, PECR, UK GDPR

ICO to keep income from UK GDPR fines

This is a significant development – the Information Commissioner will now be able to keep up to £7.5m a year from penalties, to cover their litigation and debt recovery costs:

https://www.mishcon.com/news/ico-to-keep-money-from-uk-gdpr-fines

Leave a comment

Filed under Data Protection, DCMS, GDPR, Information Commissioner, monetary penalty notice, UK GDPR

GDPR reprimands for Cabinet Office, UKIP, CPS & ors

A piece by me just uploaded to the Mishcon de Reya website, on an FOI disclosure to me of the most recent reprimands under GDPR/ UK GDPR issued by the Information Commissioner

ICO reprimands Cabinet Office, UKIP, CPS and others for (mishcon.com)

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner, Cabinet Office, GDPR, UK GDPR

An Open Letter to Jacob Rees-Mogg

Dear Mr Rees-Mogg

I suspect you and I wouldn’t agree on many things, but, before I moved into private practice I spent many years in the public sector. I saw many examples of efficient and inefficient working there (as well as countless dedicated officers who rarely had time to be sitting at their desks when senior management deigned to visit).

So, despite our different worldviews, and in the spirit of helping improve the efficiency of the offices of Members of Parliament, may I make a couple of suggestions about data protection compliance?

First, you said recently, before the European Scrutiny Committee, that constituents who come to see you at surgery are asked to sign a two-page disclaimer. Nothing in our data protection law requires this (in fact, expecting them to sign one is likely to be contrary to those laws). You should give anyone whose personal data you collect certain information, generally in the form of a notice, but that’s just a matter of being fair and transparent – there’s no reason at all to require a signature or a disclaimer. You could even just refer them to a notice on your own website (your current one is rather well hidden). That should save you a bit of time and money.

Second, at the same hearing, you were concerned that you needed to delete files on constituents prematurely. Again, this appears to be a misapprehension on your part. Personal data should be kept for as long as is necessary in relation to the purpose for which it was collected: if you still need it, you keep it. There – another efficiency tip!

Third, and more generally, I do find that there is a lot of misunderstanding of data protection law. It has a dual objective – to offer protection to individuals and to allow for free movement of data (both of which are obviously subject to qualifications and provisos). I don’t pretend that the law couldn’t do with some revisions, and I’ve even spoken to some of the people helping with the reform programme to suggest a few. But in general, it’s quite possible to run the public bodies and businesses efficiently and also comply with the data protection law – but I fear that training and awareness of that law have been, and continue to be, handled rather inefficiently at government level.

Yours
Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, not-entirely-serious, parliament, Uncategorized

COVID booster messages and the law

GET BOOSTED NOW Every adult needs a COVID-19 booster vaccine to protect against Omicron. Get your COVID-19 vaccine or booster. See NHS website for details

On Boxing Day, this wording appears to have been sent as an SMS in effect to every mobile telephone number in the UK. The relevant government web page explains that the message is part of the national “Get Boosted Now” campaign to protect against the Omicron variant of COVID-19. The web page also thanks the Mobile Network Operators for “their assistance in helping deliver the vitally important Get Boosted Now message”.

It is inevitable that questions may get raised raised about the legality of the SMSs under data protection law. What is important to note is that, although – to the extent that the sending involved the processing of personal data – the GDPR may apply (or, rather, the UK GDPR) the relevant law is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Under the doctrine of lex specialis where two laws govern the same situation, the more specific rules will prevail over more general rules. Put another way, if the more specific PECR can justify the sending of the SMSs, then the sending will also be justified under the more general provisions of UK GDPR.

Regulation 16A of PECR (inserted by a 2015 amendment), provides that where a “relevant communications provider” (in this case a Mobile Network Operator) is notified by a government minister (or certain other persons, such as chief constables) that an “emergency” has occurred, is occurring or is about to occur, and that it is expedient to use an emergency alert service, then the usual restrictions on the processing of traffic and location data can be disregarded. In this instance, given the wording on the government website, one assumes that such a notification was indeed made by a government minister under regulation 16A. (These are different emergency alerts to those proposed to be able to be sent under the National Emergency Alert system from 2022 which will not directly involve the mobile network operators.)

“Emergency” is not defined in PECR, so presumably will take its definition here from section 1(1)(a) of the Civil Contingencies Act 2004 – “an event or situation which threatens serious damage to human welfare in a place in the United Kingdom”.

The effect of this is that, if the SMSs are legal under PECR, they will also be legal under Article 6(1)(c) and 6(1)(e) of the UK GDPR (on the grounds that processing is necessary for compliance with a legal obligation to which the controller is subject, and/or necessary for the performance of a task carried out in the public interest).

There is an interesting side note as to whether, even though the SMSs count as emergency alerts, they might also be seen as direct marketing messages under regulations 22 and 23 of PECR, thus requiring the content of the recipient before they could be sent. Under the current guidance from the Information Commissioner (ICO), one might argue that they would be. “Direct marketing” is defined in the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” and the ICO defines it further by saying that this “covers any advertising or marketing material, not just commercial marketing. All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations”. Following that line of thought, it is possible that the Omicron SMSs were both emergency alerts and direct marketing messages. This would be an odd state of affairs (and one doubts very much that a judge – or the ICO, if challenged on this – would actually agree with its own guidance and say that these SMSs were indeed direct marketing messages). The ICO is in the process of updating its direct marketing guidance, and might be well advised to consider the issue of emergency alerts (which aren’t covered in the current consultation document).

[Edited to add: I don’t think what I say above necessarily covers all the legal issues, and no doubt there are aspects of this that could have been done better, but I doubt very much there is any substantive legal challenge which can be made.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under communications data, consent, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, PECR, UK GDPR