Category Archives: Uncategorized

ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized

“All right, tell me. What’s the irony?”

“What’s wrong, Oscar? – This system is wrong”

Leave a comment

Filed under Uncategorized

ICO’s reasons for reducing BA’s fine – COVID not significant factor

Some media outlets who should know better have suggested COVID-19’s economic impact led to the ICO reducing its intended £183m fine for British Airways to the final £20m. In this piece on the Mishcon site, I point out that the initial figure was dropped after (and quite probably because of) strong representations from BA’s lawyers about the ICO’s reliance on a draft internal procedure for setting fine amounts.

Leave a comment

Filed under Uncategorized

Something is rotten in the state of FOI

By law, Freedom of Information Act 2000 (FOIA) requests must be responded to within 20 working days.

FOIA is regulated and (should be) enforced by the Information Commissioner’s Office (ICO).

As a public authority the ICO must also respond to FOIA requests.

So the ICO regulates (and should enforce) its own compliance with FOIA.

On 9 March 2020 I made a FOIA request to ICO, asking for the number of, and the recipients of “reprimands” issued by the ICO under Article 58(2)(b) of the General Data Protection Regulation (GDPR).

I didn’t receive a response within 20 working days (I did receive an acknowledgment of receipt on 31 March). However, I understood, and understand, the impact that COVID-19 has had on the ICO, so I realised and accepted that there might be a slight delay.

On 12 June I chased for a response.

On 16 June I was told the ICO was “working on a response”.

On 31 July I chased for a response.

On 12 August I received an apology and on 19 August a further email telling me I should receive a response by 28 August.

On 28 August I received some information: I was told how many Article 58 reprimands have been issued, but not who the recipients were. The latter would follow “shortly” as they were still “considering it”.

Despite chasing again, twice, I have heard nothing more.

So, nearly seven months after I made my FOIA request, and nearly half a year late, I still have no response from the office which is meant to regulate the law.

I really didn’t want to push this request too much. This period of pandemic has been beyond any normality, and I was very aware of the pressures the ICO must be under. But this was not a difficult request to deal with, in terms of finding the information (in fact, I would imagine they could find it in minutes). What presumably was difficult was the decision about whether to name and therefore shame the recipients of reprimands. I cannot see how COVID will have adversely affected the ability to take such a decision.

Ultimately, though, with an approach such as this from the regulator, one is left wondering – what’s the point in making FOIA requests?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Uncategorized

New posts on EC 2 year review of GDPR and CCPA

A couple of new posts by me on the Mishcon de Reya website.

Commission evaluation report of GDPR: a good start, but areas for improvement
CCPA – California’s new data protection law is now enforceable

I’d note in particular the quote ICO gave us on the Commission’s GDPR review, to the effect that it doesn’t think it needs more resources:

We continually invest in strengthening the ICO in both number and expertise and presently employ nearly 800 staff. We have over 200 case officers working on issues raised by the public and over 100 staff in our enforcement department taking forward our investigations. We also have well resourced departments developing our information rights policies and guidance.


Leave a comment

Filed under Uncategorized

Further delays to ICO proposed fines for BA and Marriott

A post by me on the Mishcon de Reya website.

ICO is clearly not finding it easy to make the intended fines stick.

Leave a comment

Filed under Uncategorized

Event on collective redress for databreaches

Via the Mishcon de Reya website – an event run in association with the British Institute for International and Comparative Law on identifying, building, bringing and defending Group actions for data protection infringements.

Leave a comment

Filed under Uncategorized

Sign-up available for Mishcon Data Matters blog

Just a very quick post to say that it is now possible to subscribe to the Mishcon de Reya Data Matters blog. I often post on there, as do several of my colleagues.

Leave a comment

Filed under Uncategorized

Data protection and legal knowledge – it cuts both ways

In his recent annual COMBAR lecture, the Chancellor of the High Court, Sir Geoffrey Vos, said

an insight into the law relating to data and data protection should be one of the most important specialisms in the armoury of a modern commercial lawyer

To which I say, “spot on, Sir Geoffrey”. As he goes on to add

Whilst many glaze over at the mention of “data protection”, it will become something that every lawyer at all levels will need to understand and advise upon

Ignore the cruel jibe – he is right, or almost so: in fact lawyers at all levels should already be understanding and advising on data protection.

But it cuts both ways – those who are not qualified lawyers, but who practise in the area of data protection, need to understand its basis in law. Too often one sees non-lawyer practitioners failing to ground their advice in the legal definitions and statutory principles, and being unaware of prior court decisions, or the concept of stare decisis itself, or even how to navigate a statute.

I’m not here to recommend any particular provider, or offering, but I will say that all lawyers could benefit from good training in at least data protection, and all data protection practitioners could benefit from good training in the basics of the law.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Uncategorized

Computer says “no”

I have another piece up on the Mishcon de Reya Data Matters site:

Computer says no – data protection and reasonable adjustments

Leave a comment

Filed under Uncategorized