Category Archives: LinkedIn Post

November 1, 2024 · 5:44 am

Dismissed FE teacher’s data protection, MOPI, HRA claims fail

[reposted from LinkedIn]

Claims in misuse of private information, data protection and for breach of the Human Rights Act, by a dismissed further education teacher against Tameside College and three employees are struck out/subject to summary judgment for the defendant.

The claimant was initially suspended after evidence came to light that he had been dismissed from previous roles. The College’s investigation involved the sending of reference requests to two previous employers, and was also informed by disclosures of Facebook and WhatsApp messages which revealed the teacher had, contrary to instruction, communicated with students on social media whilst suspended, and “sent a threatening message to a WhatsApp Group chat comprising members of staff”.

The deputy master found that in relation to the misuse of private information claims, although the claimant had a reasonable expectation of privacy in the social media messages, “those expectations were greatly outweighed by the need to investigate those messages for the purposes of the disciplinary process”. These were subject to summary judgment for the defendant.

The data protection and human rights claims against individual employees were bound to fail, as they were neither data controllers nor public authorities.

As to the data protection claim against the college, a previous determination by the ICO that the sending of the reference requests was not fair and transparent, because it was contrary to the claimant’s expectations, was wrong: it was “plain that it ought to have been well within the Claimant’s reasonable expectation that, in order to investigate whether he had failed to disclose the fact of his dismissal from those two institutions, each would be contacted and asked about it.”

The college’s processing was lawful under Article 6(1)(b) and (c) of the UK GDPR: “The processing was necessary for the purposes of the contract of employment between the [college] and the Claimant and for the performance of the [college’s] obligations to its other staff, and to safeguard and promote the welfare of its students.” The various safeguarding legal duties and obligations on the college established a clear legal basis for the processing.

Similarly, the human rights claims against the college, which included complaints of unlawful monitoring and surveillance, were bound to fail: “There is no real prospect of establishing a breach of Article 8 for the same reasons that there is no real prospect of establishing misuse of private information. The alleged breaches of Articles 10 and 11 appear to relate to the College’s instructions to the Claimant not to communicate with other staff except with permission. The instruction was plainly a reasonable one made for a legitimate purpose.”

Accordingly, the data protection and Human Rights Act claims were struck out.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, employment, Further education, human rights, Information Commissioner, judgments, LinkedIn Post, misuse of private information

Tagged as , ,

August 8, 2024 · 5:09 am

Blistering criticism for Home Office and ICO

[From a LinkedIn post]

A blistering judgment of the Information Tribunal upholding an FOI appeal by Bail for Immigration Detainees (BID) against the decision by the Information Commissioner’s Office (ICO) to uphold the Home Office’s refusal to disclose info about the process for deportation to Eritrea and Somalia (and by extension, the likelihood of deportees being either detained, or bailed, pending removal).

The request, about how many Emergency Travel Documents were requested, how many issued, how many people were then removed and how long this took, was refused by the HO on grounds that disclosure would be likely to harm international relations and would prejudice the operation of immigration controls.

The HO failed to reply to the ICO’s enquiries until served with a formal Information Notice. But the ICO then agreed that the exemptions were engaged.

The Tribunal did not agree.

The judgment notes the HO “made no effort to engage” with the appeals, and its evidence consisted of “thinly reasoned assertions, with no evidential support”, and

…we hope that the reasons were not meant to be comprehensive. It would betray a rather dim view by the Home Office of other countries’ governments to think that “many if not most” only care about money, and whether their citizens commit crimes or migrate unlawfully – as humans from all countries do.

To the extent the FOIA exemptions were engaged, the public interest test fell heavily in favour of disclosure. In the face of evidence from BID about levels of unlawful detention (in the form of the number of cases in which it had successfully appealed refusals of bail for detainees) the Tribunal observed that

For hundreds of years, the common law has demanded that administrative detention must be justified and be capable of proper challenge…The work done by BID, both on behalf of individuals and more broadly, supports that public interest. Disclosure…would help it to achieve those ends and avoid injustice.

There were minimal factors in favour of disclosure. In fact “it is difficult to conceive of a case concerning this exemption where the scales could be less weighted in favour of exemption”.

And, in closing, the Tribunal had a blast at the ICO, noting

our surprise that [he] thought it appropriate to accept the [HO’s] bare assertions, given the way in which it had responded to the previous requests described above and the compulsion required before it then properly engaged with these. In turn the…Decision Notices disclose no consideration of the various public interest factors carefully put forward by BID. A pattern of conduct has been established on the part of the [HO] that is within neither the spirit nor the letter of FOIA, and which can now be seen as having resulted in considerable delay together with expense of resources both on the part of the Tribunal and BID…We hope that future decisions will be reached after considerably more care and scrutiny.

Let’s see.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Home Office, Information Commissioner, Information Tribunal, LinkedIn Post

Tagged as , ,

July 30, 2024 · 7:19 am

Immunity from suit in data protection (and other) claims

[reposted from LinkedIn]

All too often, in my experience, public authorities might inadvertently disclose confidential information about one person to someone with whom that person is in dispute, or from whom that person is in danger. Typical examples are when a council discloses information about one resident to a neighbour, or when the police disclose information about a vulnerable person to their abusive partner.

This can also happen during the process of court proceedings.

There is a long-standing – and complex – common law concept of “immunity from suit”, which, in the very simplest and most general of terms, will prevent someone from being sued for something they say in court.

This judgment involves a fascinating, but headache-inducing, analysis of the different types of immunity from suit – witness immunity at court, advocate’s immunity at court, witness immunity before court, advocate’s immunity before court and legal proceedings immunity before court (which may apply to lawyers, police officers or administrative staff preparing a case for trial).

The background facts are grim: a woman fleeing from domestic violence was forced to flee from safe homes because twice her addresses were inadvertently disclosed (or at least indicated) to the perpetrator, against whom criminal proceedings were being brought – once by the police and once by the CPS.

The woman brought claims against both public authorities under the Human Rights Act 1998, the Data Protection Act 2018 and in misuse of private information. However, the defendants initially succeeded in striking the claims out/getting summary judgment (one part of the claim against the police was permitted to continue).

Mr Justice Richie upheld the appeal against the strike out/summary judgment, with rather a tour de force run through of the history and authorities on immunity (para 66 begins with the words “I start 439 years ago”).

In very short summary, he held that strike out/summary judgment had been inappropriate, because “the movement in the last 25 years in the appellate case law has been away from absolutism, towards careful consideration of whether the facts of each case actually do fit with the claimed ‘immunity’ by reference to whether the long-established justifications for the immunity apply” (at 106). In the examples here, it was at least arguable that immunity was being claimed not over evidence in the case, but “extraneous or peripheral or administrative matters”. The judge should have applied a balancing exercise to the facts to decide whether immunity applied: she had failed to do so, and had not been entitled to determine that there was no arguable claim

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under compensation, damages, Data Protection Act 2018, human rights, judgments, LinkedIn Post, litigation, misuse of private information, police

Tagged as , , , ,

July 20, 2024 · 9:11 pm

Crowdstrike and personal data breaches: loss vs unavailability

I ran a poll on LinkedIn in recent days which asked “If a controller temporarily can’t access personal data on its systems because of the Crowdstrike/MSFT incident is it a personal data breach?” 

I worded the question carefully.

50% of the 100-odd people who voted said “no” and 50% said “yes”. The latter group are wrong. I say this with some trepidation because there are people in that group whose opinion I greatly respect. 

But here’s why they, and, indeed, the Information Commissioner’s Office and the European Data Protection Board, are wrong.

Article 4(12) of the GDPR/UK GDPR defines a “personal data breach”. This means that it is a thing in itself. And that is why I try always to use the full term, or abbreviate it, as I will here, to “PDB”. 

This is about the law, and in law, words are important. To refer to a PDB as the single word “breach” is a potential cause of confusion, and both the ICO and the EDPB guidance are infected by and diminished by sloppy conflation of the terms “personal data breach” and “breach”. In English, at least, and in English law, the word “breach” will often be used to refer to a contravention of a legal obligation: a “breach of the law”. (And in information security terminology, a “breach” is generally used to refer to any sort of security breach.) But a “breach” is not coterminous with a “personal data breach”.

And a PDB is not a breach of the law: it is a neutral thing. It is also crucial to note that nowhere do the GDPR/UK GDPR say that there is an obligation on a person (whether controller or processor) not to experience a PDB, and nowhere do GDPR/UK GDPR create liability for failing to prevent one occurring. This does not mean that where a PDB has occurred because of an infringement of other provisions which do create obligations and do confer liability (primarily Article 5(1)(f) and Article 32) there is no potential liability. But not every PDB arises from an infringement of those provisions.

The Article 4(12) definition is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Let us break that down:

  • A breach of security…
  • leading to [one or more of]
  • accidental or unlawful…
  • 1. destruction of…
  • 2. loss of…
  • 3. alteration of…
  • 4. unauthorised disclosure of…
  • 5. unauthorised access to…
  • personal data processed.

If an incident is not a breach of security, then it’s not a PDB. And if it is a breach of security but doesn’t involve personal data, it’s not a PDB. But even if it is a breach of security, and involves personal data, it’s only a PDB if one of the eventualities I’ve numbered 1 to 5 occurs.

Note that nowhere in 1 to 5 is there “unavailability of…” or “loss of access to…”. 

Now, both the ICO, and the EDPB, read into the words “loss of…personal data…” the meaning, or potential meaning “loss of availability of personal data”. But in both cases they appear to do so in the context of saying, in terms, “loss of availability is Article 4(12) ‘loss’ because it can cause harm to data subjects”. I don’t dispute, and nor will many millions of people affected by the Crowdstrike incident, that unavailability of personal data can cause harm. But to me, “loss” means loss: I had something, and I no longer have it. I believe that that is how a judge in the England and Wales courts would read the plain words of Article 4(12), and decide that if the legislator had intended “loss” to mean something more than the plain meaning of “loss” – so that it included a meaning of “temporary lack of access to” – then the legislator would have said so. 

Quite frankly, I believe the ICO and EDPB guidance are reading into the plain wording of the law a meaning which they would like to see, and they are straining that plain wording beyond what is permissible.

The reason, of course, that this has some importance is that Article 33 of the GDPR/UK GDPR provides that “in the case of” (note the neutral, “passive” language) a PDB, a controller must in general make a notification to the supervisory authority (which, in the UK, is the ICO), and Article 34 provides that where a PDB is likely to result in a high risk to the rights and freedoms of natural persons, those persons should be notified. If a PDB has not occurred, no obligation to make such notifications arises. That does not mean of course, that notifications cannot be made, through an exercise of discretion (let’s forget for the time being – because they silently resiled from the point – that the ICO once bizarrely and cruelly suggested that unnecessary Article 33 notifications might be a contravention of the GDPR accountability principle.)

It might well be that the actions or omissions leading to a PDB would constitute an infringement of Articles 5(1)(f) and 32, but if an incident does not meet the definition in Article 4(12), then it’s not a PDB, and no notification obligation arises. (Note that this is an analysis of the position under the GDPR/UK GDPR – I am not dealing with whether notification obligations to any other regulator arise.)

I can’t pretend I’m wholly comfortable saying to 50% of the data protection community, and to the ICO and EDPB, that they’re wrong on this point, but I’m comfortable that I have a good arguable position, and that it’s one that a judge would, on balance agree with. 

If I’m right, maybe the legislator of the GDPR/UK GDPR missed something, and maybe availability issues should be contained within the Article 4(12) definition. If so, there’s nothing to stop both the UK and the EU legislators amending Article 4(12) accordingly. And if I’m wrong, there’s nothing to stop them amending it to make it more clear. In the UK, in particular, with a new, energised government, a new Minister for Data Protection, and a legislative agenda that will include bills dealing with data issues, this would be relatively straightforward. Let’s see.

And I would not criticise any controller which decided it was appropriate to make an Article 33 notification. It might, on balance, be the prudent thing for some affected controllers to do so. The 50/50 split on my poll indicates the level of uncertainty on the part of the profession. One also suspects that the ICO and the EU supervisory authorities might get a lot of precautionary notifications.

Heck, I’ll say it – if anyone wants to instruct me and my firm to advise, both on law and on legal strategy – we would of course be delighted to do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, EDPB, GDPR, Information Commissioner, Let's Blame Data Protection, LinkedIn Post, personal data breach, UK GDPR

Tagged as , ,

April 30, 2024 · 5:58 am

ICO applies public sector fine approach to charity

The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.

The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.

The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.

This led to a further follow-up query from me because as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”

I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?

[this post was originally published on my LinkedIn page.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fines, Information Commissioner, LinkedIn Post, monetary penalty notice, Uncategorized

Tagged as ,

April 27, 2024 · 6:41 am

Douglas Adams and the EIR

[I tend to do a lot my posting these days on LinkedIn, and less here. But the combination of LinkedIn’s poor search capability and my memory means I forget about some things I’ve written about that I’d quite like to remember. So I’m going to put some of them on this blog to remind me. This one is on a doozy of a Tribunal judgment.]

This Information Tribunal judgment about whether photographs of planning notices should be disclosed begins with a long quote from The Hitchhiker’s Guide to the Galaxy, and gets even more extraordinary as it goes on.

By the end of the judgment the judge has called the Information Commissioner’s Office’s decision a “pitiful failure to understand the scope and significance of material in the public domain and the role of data protection in protecting rights”, uses the term “bankruptcy” to describe the approach to the matter by both the ICO and Shropshire Council, and appears to have declared the Council’s handling of not just the individual planning application, but its planning policy as a whole unlawful (the judgment says, for instance that the council’s implementation of The Town and Country Planning (Development Management Procedure) (England) Order 2015 “failed to accord local residents their rights”).

This last point surely illustrates the Tribunal straying well beyond its jurisdiction, and it is difficult to see how it will escape having its judgment appealed. That’s actually a pity, because the underlying point in it is that the ICO’s approach failed to understand that data protection law has to be considered “in relation to its function in society and be balanced against other fundamental rights” (recital 4 GDPR) and failed to consider the Environmental Information Regulations’ context, whereby access to environmental information is one of the three pillars of the Aarhus Convention – the others being public participation in decision-making, and access to justice in environmental matters.

And even if the judgment gets appealed, I would hope the ICO acknowledges the key point that data protection rights don’t automatically trump all other rights.

https://www.bailii.org/uk/cases/UKFTT/GRC/2024/330.html

Leave a comment

Filed under Data Protection, Environmental Information Regulations, LinkedIn Post

Tagged as