Category Archives: Information Commissioner

FOI 101 on “held”

I note that the First-tier Tribunal has recently had to school the Information Commissioner’s Office (ICO) on one of the real basics of the Freedom of Information Act (FOIA).

A request had been made to the Parliamentary and Health Service Ombudsman (PHSO) for past versions of a Joint Working Team (JWT) Manual setting out how the PHSO and the Local Government and Social Care Ombudsman (LGSCO) should work together. Rather oddly, the PHSO searched for these, and couldn’t find them. More oddly, the PHSO decided that this meant that it didn’t “hold” the information, for the purposes of FOIA (and directed the requester to LGSCO). Even more oddly, the ICO then upheld the PHSO’s refusal, saying

Copies of the JWT manuals are stored on the LGSCO website and the PHSO argue that it has no control over the production of the manual. The Commissioner is therefore satisfied that the PHSO do not hold copies of the JWT manuals published in March and June 2019

I use the word “oddly”, because one of the first things FOIA practitioners and lawyers learn is that whether information is “held” for the purposes of FOIA turns on two situations – namely, whether

(a) it is held by the authority, otherwise than on behalf of another person, or

(b) it is held by another person on behalf of the authority.

If either of those applies, then information is held.

In this case, as Her Honour Judge Shanks realised very quickly, when the requester appealed the ICO decision to the First-tier Tribunal, surely a joint working manual, setting out “guidance on key processes and on jurisdictional and policy considerations which have been agreed by the two Ombudsmen”, would be held by both offices? And, if copies were not physically held by the PHSO, any copies physically held by the LGSCO would be held on behalf of the PHSO. Furthermore, HH Judge Shanks noted

Indeed, leaving aside any technical arguments I am puzzled as to why the PHSO did not just get hold of the documents from the LGSCO and pass them over to Mr McDougall, thereby saving a great deal of unnecessary time and expense.

The ICO has good guidance for public authorities on this very topic. Let’s hope they refer to it themselves in future similar cases.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Freedom of Information, Information Commissioner, Information Tribunal

ICO SAR guidance – open to challenge?

A new piece by me and a colleague on the Mishcon de Reya website, about the ICO’s new SAR guidance https://www.mishcon.com/news/ico-guidance-on-subject-access-requests

A couple of NB points where this guidance differs from the draft version:

ICO suggests one of the factors to take into account when deciding whether a request is excessive is “Whether refusing to provide the information or even acknowledging it is held may cause substantive damage to the individual”. To me, this is pretty extraordinary, and might have the effect of putting the requester to proof as to damage caused by non-compliance.

ICO has also shifted its position, and suggests that staff time per se (rather than disbursements) might be charged for in the event of excessive or manifestly unfounded requests.

I have my own views on whether these propositions are positive or negative. I suspect though that we will see challenges.


Filed under access to information, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner

ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).


*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.


Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized

One third of personal data breaches reported “late” to ICO

By me, on the Mishcon de Reya website.

…a recent request to the ICO under the Freedom of Information Act 2000 (FOIA) has revealed that, from the available data, of the 21,705 personal data breaches notified to the ICO since May 2018, 14,365 were notified within 72 hours, and 7,340 were not – meaning that approximately one third of personal data breaches are reported later than within 72 hours


Filed under Breach Notification, Data Protection, data security, GDPR, Information Commissioner

Manhattan (and Syrian) Transfer

When data protection law (e.g. Chapter V of the General Data Protection Regulation (GDPR) and Article 25 of the prior Data Protection Directive) talks about a “transfer” of personal data to a third country, no one quite knows what it means: “transfer” is not defined. There’s been a fair bit of legal and academic discussion about this.

But, as far back as 2002 it has been established law that, if I upload personal data onto an internet page, so that that data becomes accessible to people outside the EU, this does not constitute a transfer of data to a third country. The Court of Justice of the European Union held so, in the case of Lindqvist (C-101/01), pointing out that, if that were the case

every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet

with the result that, if even one third country in the world did not ensure adequate protection of personal data, EU Member States – following, as they must, EU data protection law – would be obliged to prevent any personal data being placed on the internet. As a matter of public policy, and indeed of common sense, that could not have been the intention of the legislator.

But notably (and oddly, given its generally relaxed approach to international transfer issues) the Information Commissioner’s Office (ICO), eighteen years on from Lindqvist, appears to take an opposing view, saying

Putting personal data on to a website will often result in a restricted transfer. The restricted transfer takes place when someone outside the EEA accesses that personal data via the website…If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the EEA, you should treat this as a restricted transfer.

Which is all well and good, but, if that is indeed the case, then how does ICO find a basis in Chapter V of GDPR for its transfer of my personal data (and others’) to, say, Syria, or South Sudan, or Cambodia, or anywhere else in the world? There is no adequacy decision in place, (presumably) no standard contractual clauses or other appropriate safeguards, and no apparent Article 49 derogation. Is this, then, an unlawful transfer?

I’m just mightily relieved we haven’t got some bizarre constitutional crisis on the immediate horizon, under which these issues are going to get even more complex.


Filed under Data Protection, GDPR, Information Commissioner

ICO tells ICO off for terrible FOI compliance

As any fule kno, a public authority has to comply with a Freedom of Information Act 2000 (FOIA) request within 20 working days. Where the authority fails to do so, the requester can ask the Information Commissioner’s Office (ICO) to issue a decision notice.

And so, here we have a newly published decision where the ICO is telling itself that it has overshot the twenty working day limit by almost seven months:

“it is clear that, in failing to issue a full response to this request within 20 working days, the ICO has breached section 10 of the FOIA.”

Unsurprisingly, the ICO doesn’t appear to be taking enforcement action against itself. Surprisingly, though, there seems to be no indication in the notice itself that this is an extraordinary, and extraordinarily poor, state of affairs.

I’d like to imagine this is a single aberration, but it isn’t. On 12 March this year I also made a FOIA request to ICO, and I am still to get a (complete) answer. And only a couple of months ago ICO again had to rule against itself, after it took six months to respond to a request.


Filed under Freedom of Information, Information Commissioner

GDPR’s scope – does it extend to China?

The answer to the question in the title is, of course, “yes”, if the processing in question is of personal data of data subjects in the EU, by a controller outside the EU, and related to the monitoring of data subjects’ behaviour as far as their behaviour takes place within the Union.

So, the activities of Zhenhua Data, in compiling its Overseas Key Individual Database, as described in The Mail, will be squarely within the scope of Article 3(2) of the General Data Protection Regulation (GDPR):

Boris Johnson and the Queen are among 40,000 Britons listed on a database compiled by a Chinese tech firm with reported links to Beijing’s military and intelligence networks, it can be disclosed.

Files on senior British politicians including the Prime Minister, members of the Royal Family, UK military officers and their families, and religious leaders are currently being stored by Zhenhua Data, a technology company based in Shenzhen, China as part of a ‘global mass surveillance system on an unprecedented scale’.

It seems difficult to imagine that the processing can possibly comply with GDPR. Where is the Article 14 notice? What is the Article 6 legal basis? Or the Article 9 exception to the general prohibition on processing special categories of data? Or the Article 30 record of processing activities? Or…or…or…?

But here’s the problem with any legislative attempt to extend the scope of laws beyond geographical and jurisdictional borders, to the activities of those who are not consulted, nor assigned rights, nor (in all likelihood) bothered: how does one enforce those laws? In 2018 (oh those heady early GDPR days!) the Information Commissioner’s Office (ICO) was reported to have told the Washington Post that its practice of only allowing those who paid for its premium subscription to refuse tracking cookies was unlawful. How many figs the WaPo gave is evidenced by a glance at its current subscription model:

(i.e. it appears to have changed nothing.)

Indeed, as the ICO said at the time

We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter

If there was nothing ICO could do against a newspaper outside the jurisdiction, consider how unrealistic is the idea that it might enforce against a Chinese company rumoured to work for the Chinese military, and which is said to view its mission as ‘using big data for the “great rejuvenation of the Chinese nation”’.

The logical question, though, which arises is this – in the absence of an effective regulatory scheme to enforce them, what exactly is the point of GDPR’s (or even more trenchantly, the UK GDPR’s) extra-territorial scope provisions?


Filed under Data Protection, enforcement, Europe, GDPR, Information Commissioner

If ICO won’t regulate the law, it must reboot itself

The exercise of the right of (subject) access under Article 15 of the General Data Protection Regulation (GDPR) is the exercise of a fundamental right to be aware of and verify the lawfulness of the processing of personal data about oneself.

That this is a fundamental right is emphasised by the range of enforcement powers available to the Information Commissioner’s Office (ICO), against those controllers who fail to comply with their obligations in response to an access request. These include the power to serve administrative fines to a maximum amount of €20m, but, more prosaically, the power to order the controller to comply with the data subject’s requests to exercise his or her rights. This, surely, is a basic function of the ICO – the sort of regulatory action which underlines its existence. This, much more than operating regulatory sandboxes, or publishing normative policy papers, is surely what the ICO is fundamentally there to do.

Yet read this, a letter shown to me recently which was sent by ICO to someone complaining about the handling of an access request:

 

Dear [data subject],

Further to my recent correspondence, I write regarding the way in which [a London Borough] (The Council) has handled your subject access request.

I have contacted the Council and from the evidence they have provided to me, as stated before, it appears that they have infringed your right to access under the GDPR by failing to comply with your SAR request. However, it does not appear as though they are willing to provide you with any further information and we have informed them of our dissatisfaction with this situation.

It is a requirement under the Data Protection Act 2018 that we investigate cases to the ‘extent appropriate’ and after lengthy correspondence with the Council, it appears they are no longer willing to co-operate with us to provide this information. Therefore, you may have better results if you seek independent legal advice regarding the matters raised in this particular case.

Here we have the ICO telling a data subject that it will not take action against a public authority data controller which has infringed her rights by failing to comply with an access request. Instead, the requester must seek her own legal advice (almost inevitably at her own significant cost).

Other controllers might look at this and wonder whether they should bother complying with the law, if no sanction arises for failing to do so. And other data subjects might look at it and wonder what is the point in exercising their rights, if the regulator will not enforce them.

This is the most stark single example in a collection of increasing evidence that the ICO is failing to perform its basic tasks of regulation and enforcement.

It is just one data subject, exercising her right. But it is a right which underpins data protection law: if you don’t know and can’t find out what information an organisation has about you, then your ability to exercise other rights is stopped short.

The ICO should reboot itself. It should, before and above all else, perform its first statutory duty – to monitor and enforce the application of the GDPR.

I don’t understand why it does not want to do so.

[P.S. I think the situation described here is different, although of the same species, to situations where ICO finds likely non-compliance but declines to take punitive action – such as a monetary penalty. Here, there is a simple corrective regulatory power available – an enforcement notice (essentially a “steps order”) under section 148 Data Protection Act 2018.]


Filed under access to information, Data Protection, GDPR, human rights, Information Commissioner

ICO – fines, what fines?

No surprise…but ICO has only issued four notices of intent to serve a fine since GDPR came into application (and one fine)

I made a quick Freedom of Information Act (FOIA) request a few weeks ago to the Information Commissioner’s Office (ICO), asking

since 25 May 2018
1) how many notices of intent have been given under paragraph 2(1) of schedule 16 to the Data Protection Act 2018?
2) How many notices of intent given under 1) have not resulted in a monetary penalty notice being given (after the period of 6 months specified in paragraph 2(2) of the same schedule to same Act)?

I have now (4 September) received a response, which says that four notices of intent only have been issued in that time. Three of those are well known: one was in respect of Doorstep Dispensaree (who have since received an actual fine – the only one issued under GDPR – of £275,000); two are in respect of British Airways and of Marriott Inc., which have become long-running, uncompleted sagas; the identity of the recipient of the final one is not known at the time of writing.

The contrast with some other European data protection authorities is stark: in Spain, around 120 fines have been issued in the same time; in Italy, 26; in Germany (which has separate authorities for its individual regions), 26 also.

Once again, questions must be asked about whether the aim of the legislator, in passing GDPR, to homogenise data protection law across the EU, has been anywhere near achieved.


Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Met – FOI requester’s focus on police misconduct was a “vexatiousness” factor

I regularly criticise the Information Commissioner’s Office on this blog. But credit where it’s due. They have upheld a complaint about the Met Police’s handling of a Freedom of Information Act 2000 (FOIA) request, in which the Met, remarkably, had argued that the request for information about police officers stopping people without cause and asking for their ID was vexatious (per section 14(1) of FOIA).

Clearly, there was some history to the request and the requester, and in line with authority, the Met were entitled to take this into account in arriving at their (now overturned) decision. But, as the decision notice points out, one of the factors which they said pointed towards vexatiousness was this:

Complainant’s focus upon police misconduct and/or related issues

I’ll say that again

Complainant’s focus upon police misconduct and/or related issues

Yes, the Met did indeed argue that a focus by a FOIA requester on police misconduct was a factor which led them to believe there was a pattern of behaviour which made this request (about stopping people without cause and asking for their ID) vexatious.

So well done ICO for dismissing that argument.


Filed under Freedom of Information, Information Commissioner, police