Category Archives: Information Commissioner

Complaining

When A-Levels results were announced last week, the Information Commissioner’s Office (ICO) advised those unhappy with the processing of their personal data to

raise those concerns with the exam boards first, then report to us if they are not satisfied

And in its “service standards” the ICO even says

we expect you to give the organisation the opportunity to consider it first. In order for us to look at their information rights practices we need you to provide us with their reply [emphasis added]

and

Our role is not to investigate or adjudicate on every individual complaint. We are not an ombudsman.

(This last bit is, I would submit, correct – the ICO is not an ombudsman according to my understanding of such a role (under which an ombudsman has powers to investigate complaints, but only to make recommendations as a result, rather than legally enforceable orders). How this squares with Elizabeth Denham’s confident pronouncement in the foreword to the ICO’s Regulatory Action Policy that she is “both an educator and an ombudsman”, I’ve never quite grasped, but, in her support, the ICO is a member of the Ombudsman Association. What a muddle.)

As I mentioned a few days ago, the ICO does not have the power simply to refuse to investigate a complaint by a data subject – it must, under Article 77 of GDPR, handle complaints and investigate them “to the extent appropriate”. I can see that in normal cases, it might be beneficial, and provide a complete picture, for there to have been correspondence between the data subject and the controller, but in some other cases, it hardly seems helpful, let alone a legal requirement, to raise a complaint with a controller first. So data subjects do not have to complain to exam boards first. (Please note – I’m not encouraging, or wishing for, a flood of complaints to be made to ICO, but, equally, if data subjects have specific complaint rights under GDPR, we (and I include the ICO in “we”) can’t just pretend they don’t exist.)

So, if data subjects were to complain to (and hold their ground with) ICO, what would happen next? How long does an investigation take?

As to the last question, oddly, it is difficult to know. In recent months, I have asked ICO on a few occasions through their chat service how long data protection complaints are taking merely to be allocated to a caseworker. I have regularly been told that cases are taking around three months to be allocated (a Freedom of Information request by someone else from June last year got the same figure). However, the ICO’s annual report, published only a few weeks ago says, at page 50, “we unfortunately have not been able to meet our target of 80% of [data protection] cases being resolved within 12 weeks” but they have achieved 74% being resolved within 12 weeks. I may be missing something, but how can 74% of data protection cases have been resolved within 12 weeks, when 100% of them are not allocated to a caseworker until 12 weeks have passed? The only way I can square these figures is if caseworkers “resolve” 74% of cases effectively on the day they get them. If that is the case, it might raise questions of the amount of rigour in the investigation process.

In any case, it seems clear that if an aggrieved student wished to complain about the processing of her personal data during the awarding of A-Levels this year, she would a) (probably wrongly) be expected by ICO first to complain to the exam body, then wait to receive a response, before b) then complaining to the ICO, and waiting three months for her complaint to be allocated to a caseworker. At that point, she might have her complaint investigated in line with Article 77 of GDPR. If the best a student this year might expect would be that her complaint might get allocated to a caseworker by December, more than three months after the distressing debacle which was the awards process, would the ICO realistically be said to be complying with its Article 57(1)(f) task to investigate complaints “within a reasonable period”?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Cometh the hour…

One thing in particular struck me about the statement from the Information Commissioner’s Office (ICO) in response to the huge distress and uncertainty facing thousands of students and their families, following the announcement of A-level grades:

Anyone with any concerns about how their data has been handled should raise those concerns with the exam boards first, then report to us if they are not satisfied

In some ways, this is standard. Even the ICO’s “contact us” page leads a potential complainant through various stages before telling people who haven’t raised their concerns by “contacting the [offending] organisation in writing” to “Raise your concern with the organisation handling your information”.

Whilst I can understand the reason for this general approach (ICO’s resources are limited, and many complaints can no doubt be resolved at source), it is difficult to reconcile it with what the law requires the ICO to do. Article 77 GDPR says that a supervisory authority must handle complaints lodged by a data subject, and investigate, to the extent appropriate, the subject matter of the complaint. There is no caveat, no exemption. It does leave the option open for the ICO to handle a complaint, and choose not to investigate it all, but that is not what the ICO is doing here (and in its general approach).

But it must be said that sometimes, as it is permitted to, under Articles 57 and 58, the ICO does conduct investigations of its volition. It also has a range of powers, including the power to give an opinion to parliament and/or the government. Given that its Norwegian counterpart has indicated it will take strong action against the International Baccalaureate Organisation, I am hopeful that, as a new week of uncertainty for students approaches, the ICO will take this particular bit between its teeth, and properly investigate such a pressing issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fairness, GDPR, Information Commissioner, parliament

Ofqual and the International Baccalaureate – more woes?

UPDATE: 23.08.20 One week on from this original post below, and it is clear (and unsurprising, when one reads the details) that many IB students are still deeply unhappy about the process, and now, with the u-turn on the A-Level awards, are arguably feeling even further aggrieved that their results are still tied to the outcome of what they see as a flawed an unfair algorithmic process. Also one week on, there seems to have been no word from the ICO about the decision of the Norwegian DPA, and what it means for UK IB students. END UPDATE.

UPDATE: 17.08.20 It appears that the IBO has responded to concerns (and possibly to the Norwegian DPA’s investigation, by reviewing the results, and making an adjustment to awarded results, with the emphasis that “no student will receive a lower grade than what was received previously”) END UPDATE.

In a piece for the Mishcon de Reya website last week, I noted, in the context of the recent A-Level awards fiasco, that the Norwegian Data Protection Authority had sent the International Baccalaureate Association (IBO) an advance notification that it was going to order the latter to rectify grades it had awarded based on “so-called ‘school context’ and ‘historical data'”. The IBO has until 21 August to “contradict” the Norwegian DPA’s draft decision.

What I had not fully appreciated were two things:

  1. The effect of the Norwegian DPA’s draft decision, should it be formalised, may be that all IBO grades based on such data would have to be re-done, not just those of Norwegian children.
  2. In a move now saturated with irony, the IBO’s grading process is, apparently, already being scrutinised by…erm…Ofqual, to whom the IBO’s awarding model was submitted , both prior to its actual use and to the issue of results.

The second point raises the rather remarkable possibility that Ofqual was a controller, in GDPR terms, for the International Baccalaureate model, as well as for the English A-Levels. This will only add to its already significant woes.

The first point turns on this: the IBO is based in Switzerland. Although Norway is not in the EU, it is in the European Economic Area (EEA), and by a joint agreement of July 2018 GDPR was incorporated into the EEA Agreement. To the extent that the IBO is offering (which it clearly is) goods or services to data subjects in the  European Union, it is subject to GDPR’s extra-territorial provisions at Article 3(2). So, although in theory, the Norwegian DPA’s decision would only apply in respect of the processing of personal data in respect of Norwegian data subjects, in practice it is very difficult to see how the IBO could comply with an order only applying to Norwegians, when the effect of the order would be that IB candidates across everywhere would have had their data impermissibly processed in the same way. If it decided not to redo all awards, and just Norwegian ones, then presumably supervisory authorities across Europe, including the Information Commissioner in the UK, would need to investigate.

[This post was edited to reflect the blindingly obvious point that Norway is not in the EU, but is in the EEA. I’m embarrassed to admit that I’m only human]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, EDPB, Europe, GDPR, Information Commissioner

Elizabeth Denham and international transfers

One question prompted by the news (original source: 2040training) that Elizabeth Denham, the Information Commissioner, is currently working from her home in Canada, is whether the files and matters she is working on, to the extent they contain or constitute personal data, are being transferred to her in accordance with Chapter 5 of the General Data Protection Regulation (GDPR).

Chapter 5’s provisions mean that personal data can only be transferred to a country outside the European Economic Area in certain circumstances. In general, these boil down to: 1) if the European Commission has made an adequacy determination in respect of the country, 2) if Commission-approved standard contractual clauses are in place, 3) if binding corporate rules are in place, 4) if Article 49 derogations for specific situations are in place.

So, can one play a distracting little parlour game looking at what international transfer mechanism Ms Denham and the Information Commissioner’s Office (ICO) in the UK have adopted? No need, says the ICO. What is going on is not an international transfer of the type envisaged by GDPR.

The ICO’s guidance on the subject introduces the not-unhelpful term “restricted transfers”, to describe those transfers of personal data to which Chapter 5 of GDPR applies. However, it includes in its category of transfers which are not restricted, the following example

if you are sending personal data to someone employed by you or by your company, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your organisation

So (at least to the extent that she, as Commissioner, is employed by, or embodies, the ICO) transfers of personal data to Ms Denham in Canada are not restricted transfers to which Chapter 5 of GDPR applies. There is, as it were, a corner of a foreign field that is forever Wilmslow.

The basis for the ICO’s position here, though, is not entirely easy to discern, and the position does not appear to be one that is obviously  shared by other data protection authorities, or the European Data Protection Board (unless the latter’s impending guidance on international transfers proves me wrong).

And it does strike me that the ICO’s position is potentially open to abuse. What if, for instance, someone decided to set up a medical data analytics company in the UK, with no UK employees, but a branch office in, say, Syria, employing hundreds of people there, and to where all of medical data it gathered was sent for storage and further processing, would the ICO still take the view that this was not a restricted transfer? Given the intense scrutiny which the CJEU applied to the US surveillance regime in the Schrems litigation, is it really likely that it would agree with a legal approach which resulted in data manifestly being in a state whose laws were deficient, but such data was not protected by the Chapter 5 provisions?

A similar issue might arise with another aspect of the ICO’s guidance, which implies that a transfer to a country outside the EEA, but which is a transfer to a controller to which the GDPR extra-territorial provisions apply, is also not a restricted transfer. If that controller was in, say South Sudan, would the ICO hold its position?

None of this is to say, of course, that the fact that a transfer may not be a restricted one means that all the other GDPR obligations are set aside. They continue to apply, and, no doubt, Ms Denham and the ICO are doing all they can to comply with them.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Why does the UK stop students accessing their mock exam and assignments data?

UPDATE: 23.08.20 In this piece Chris Pounder identifies what the government sees as a justification for the exam scripts exemption. In a document prepared to assist adequacy discussions with the European Commission, it is said that the exemption “aims to protect the integrity of exams by ensuring that exam scripts cannot be accessed outside established processes” (on the basis that exam boards often re-use or re-purpose exam questions). However, and as Chris implies, this simply isn’t sufficient to justify the blanket exemption, not the breadth of its scope. Moreover the ICO’s meek acceptance that it permits an interpretation which even covers assignments and, presumably, other coursework, is deeply disappointing. END UPDATE.

Domestic data protection law says that students can’t later access data recorded by themselves during an exam or assessment. Why is that? And is it compatible with the UK’s obligations under GDPR and more general human rights law?

As is well known, the General Data Protection Regulation (GDPR) has direct effect on member states of the EU. This is, however, subject to certain provisions which allow member states to legislate for specific exemptions or restrictions. An example is Article 23 of GDPR, which allows member states to restrict by way of a legislative measure the scope of certain data subject rights, including the right of access at Article 15. Such restrictions must, though, respect “the essence of the fundamental rights and freedoms” and be a “necessary and proportionate measure in a democratic society” to safeguard, among a list of things, important objectives of general public interest.

The specific UK restrictions made in respect of Article 23 lie primarily in Schedule 2 of the Data Protection Act 2018. Of particular interest at the current time is the Schedule 2, paragraph 25(1) exemption to the Article 15 right of subject access which says that the right does “not apply to personal data consisting of information recorded by candidates during an exam” (and paragraph 25(4) says that “‘exam’ means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity”).

Thus it is that guidance from the Information Commissioner’s Office (ICO) says, in relation to this year’s exam awards

The exam script exemption applies to information that has been recorded by the students themselves during an exam or assessment. Therefore students do not have a right to get copies of their answers from mock exams or assignments used to assess their performance

But why does this exemption exist? Search me. Why did it also exist in the 1998 Data Protection Act? Also, search me. Also search Hansard, like I have done, and you may struggle to find out. (Please let me know if I’ve missed something).

So in what way can the exam script exemption be said to respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society? Is this a case where Parliament merely nodded through a provision which it also merely nodded through 22 years ago?

Note that this is not a question as to whether information recorded by candidates during an exam is their personal data. It most certainly is, as the CJEU found in 2017 in Nowak. But note also that the court, in that case, observed that “the use of [such] information, one consequence of [the use of the information] being the candidate’s success or failure at the examination concerned, is liable to have an effect on his or her rights and interests, in that it may determine or influence, for example, the chance of entering the profession aspired to or of obtaining the post sought”. The court also noted, in holding that such information was personal data, the importance of the data subject’s rights of access, rectification and objection.

And let us remember recital 63 GDPR, which reminds us that one purpose of the right of subject access is to be able to “verify the lawfulness of the processing”. In the absence of any indication as to why the UK decided to restrict the right of access in such a way as to prevent students, especially this year’s students, accessing their own assignment and mock exam data, one must query how those students can adequately verify the lawfulness of the processing by those who determined their grades.

P.S. there is an argument that the ICO should do something about this, under its Article 57 tasks to monitor and enforce GDPR, to handle complaints from data subjects, and to advise parliament, the government, and other institutions and bodies. It has the power under Article 58 to issue an opinion to those bodies.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, subject access

A-levels and data protection – potential challenges?

A new post by me on the Mishcon de Reya website, looking at whether GDPR and the DPA offer the potential for challenges to A-level results.

UPDATE: 14.08.20

A rather odd statement has just been put out by the ICO which suggests that Ofqual have told the former that automated decision making didn’t take place. I’ve updated the Mishcon piece to say this:

The ICO has now issued a statement saying that “Ofqual has stated that automated decision making does not take place when the standardisation model is applied, and that teachers and exam board officers are involved in decisions on calculated grades”. This appears at odds with the statement in Ofqual’s “Privacy Impact Assessment“, which states that the process does involve “automated elements as well as human elements”. Whether this means that the Ofqual standardisation model did not involve “solely” automated decision making will no doubt be determined in the various legal challenges which are apparently currently being mounted.

Oddly, the ICO also says that concerns should be raised with exam boards first, before the ICO will get involved. This does not immediately appear to be in line with the ICO’s obligation to handle complaints, under Article 57 of GDPR (which doesn’t say anything about data subjects having to raise concerns with someone else first).

Leave a comment

Filed under accuracy, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner

Some PECR figures in light of a new monetary penalty notice

Presented without comment.

21,166,574 unsolicited direct marketing messages

£100,000 monetary penalty

Only £1k in the bank at the last filings

Zero chance of recovery?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, marketing, monetary penalty notice, PECR

BA hints at massively reduced size of ICO proposed fine

A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a E22m fine.

 

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Schrems II – what now?

A piece I have written with my Mishcon colleague Adam Rose, looking at the issues for businesses involved in international transfers (esp. to the US).

Make no mistake – the effect of Schrems II is to make bulk/regular transfers of personal data to the US problematic (putting it at its lowest). It arguably has the same effect in respect of transfers to most, if not all, third countries.

Leave a comment

Filed under adequacy, Data Protection, data security, Europe, facebook, GDPR, Information Commissioner, national security, privacy shield

Schrems II – this time it’s serious

As soon as judgment came out, my Mishcon de Reya colleague Adam Rose and I recorded our initial reactions to the CJEU’s decision in Schrems II. Here’s the link to the recording. Excuse my lockdown locks.

Some takeaways

  • The EU-US Privacy Shield arrangement for transferring personal data to the US is declared invalid.
  • Parties using Standard Contractual Clauses to transfer personal data from the EEA to countries outside must not do so if, in their assessment, the recipient country doesn’t provide an adequate level of protection. There must now be serious questions as to whether any transfers to the US can be valid.
  • The Binding Corporate Rules regime used by some of the world’s biggest international groups must now also be open to challenge.
  • Data Protection Authorities (such as the ICO) must intervene to stop transfers under SCCs which are made to countries without an adequate level of protection.
  • Post-Brexit UK may be seen as an attractive place for US companies to base operations, but there may well be further legal challenges to such arrangements.

Leave a comment

Filed under adequacy, Data Protection, Directive 95/46/EC, Europe, facebook, GDPR, Information Commissioner, Ireland, national security, privacy shield, surveillance