Category Archives: Uncategorized

Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, DHSC, Freedom of Information, Information Commissioner, records management, ROPA, Uncategorized

Cabinet Office “Clearing House” to be dismantled

By me, on the Mishcon de Reya website:

Leave a comment

Filed under Uncategorized

NADPO September webinar

NADPO’s next lunchtime webinar (after a short summer break) will be next month, on Tuesday 27 September at 12.30pm – 2pm, with David Renton, barrister, of Garden Court Chambers, on “Data, policing and equality law” and Rosemary Jay, senior consultant attorney at Hunton Andrews Kurth Chambers, on the ICO’s proposed strategy and how it sits (or doesn’t) with the proposed changes to the ICO role/relationship with others in the Data Protection and Digital Information Bill.

Attendance is free, as always, to NADPO members. If you are not a member but are interested in joining drop me a line at chair at nadpo dot co dot uk and I may be able to offer a free ticket on a trial basis.

Leave a comment

Filed under Uncategorized

An Open Letter to Jacob Rees-Mogg

Dear Mr Rees-Mogg

I suspect you and I wouldn’t agree on many things, but, before I moved into private practice I spent many years in the public sector. I saw many examples of efficient and inefficient working there (as well as countless dedicated officers who rarely had time to be sitting at their desks when senior management deigned to visit).

So, despite our different worldviews, and in the spirit of helping improve the efficiency of the offices of Members of Parliament, may I make a couple of suggestions about data protection compliance?

First, you said recently, before the European Scrutiny Committee, that constituents who come to see you at surgery are asked to sign a two-page disclaimer. Nothing in our data protection law requires this (in fact, expecting them to sign one is likely to be contrary to those laws). You should give anyone whose personal data you collect certain information, generally in the form of a notice, but that’s just a matter of being fair and transparent – there’s no reason at all to require a signature or a disclaimer. You could even just refer them to a notice on your own website (your current one is rather well hidden). That should save you a bit of time and money.

Second, at the same hearing, you were concerned that you needed to delete files on constituents prematurely. Again, this appears to be a misapprehension on your part. Personal data should be kept for as long as is necessary in relation to the purpose for which it was collected: if you still need it, you keep it. There – another efficiency tip!

Third, and more generally, I do find that there is a lot of misunderstanding of data protection law. It has a dual objective – to offer protection to individuals and to allow for free movement of data (both of which are obviously subject to qualifications and provisos). I don’t pretend that the law couldn’t do with some revisions, and I’ve even spoken to some of the people helping with the reform programme to suggest a few. But in general, it’s quite possible to run the public bodies and businesses efficiently and also comply with the data protection law – but I fear that training and awareness of that law have been, and continue to be, handled rather inefficiently at government level.

Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, not-entirely-serious, parliament, Uncategorized

NADPO April webinar

Our next regular NADPO lunchtime webinar is next Tuesday. We have

  • Dr. Ben Collier, Edinburgh University – “Influence government: exploring data issues with digital nudge campaigns in the public sector.
  • Lucas Amin, Open Democracy – “Problems with FOI compliance across UK government and enforcement by the ICO”

Members get free entry. If you are not a member and would like a free place, ask me at chair at nadpo dot co dot uk (nb – repeat askers will instead be nudged down the “become a member” path).

Leave a comment

Filed under Uncategorized

NADPO March webinar

The next NADPO monthly webinar is on 22 March. As usual, we have two great talks:

  • Joe Chapman, Scottish Information Commissioner’s Office – ‘Access to information post-pandemic: learning from the experience of FOI in Scotland’
  • Ashley Winton, Mishcon de Reya LLP – ‘Adtech and Website Analytics – the current state of play’

Attendance is free for all NADPO members (attendance at all NADPO events is always free for members – no “in-game purchases” for them). And Data Protection Forum members are also allowed to attend for no charge.

If anyone else is especially interested in NADPO, or these specific talks, please contact me at chair at NADPO dot co dot uk – I can often be persuaded to offer a free space in those circumstances.

Leave a comment

Filed under Uncategorized

Latest NADPO event

The next of the monthly NADPO lunchtime webinars will be next Tuesday (22 February), with speakers Dr Chris Pounder, of Amberhawk Training, on “Do the proposed changes to the UK’s human rights regime undermine the UK_GDPR?” and Johnny Chagger, of Leeds Teaching Hospitals NHS Trust on “Integrating heath and social care records” (Johnny’s talk has a provisional title for now).

NADPO members can attend for free (as they can at all our events). If you are not a member, but are interested in the talks, and interested in joining NADPO, please feel free to drop me a line at chair at nadpo dot co dot uk. We generally have a couple of free tickets to offer.

Leave a comment

Filed under Uncategorized

NADPO event – some free spaces on request

NADPO, the membership association for information rights professionals, which I’ve chaired for some years now, is holding the latest in its online lunchtime webinars next Tuesday.

We’re delighted to be joined by Professor Kirstie Ball of St Andrews University, who will be talking on the theme of “Worker monitoring and surveillance: Psycho-social risks and organizational justice” and by Dr Ben Worthy, Senior Lecturer in Politics at Birkbeck College, University of London on “Resistance and undermining of FOI”.

Attendance is free for members, but we generally allow a few free tickets for those who are interested in the topics, and who may be interested in joining NADPO. Please contact me (chair at NADPO dot co dot uk) if you would like to request a place.

Leave a comment

Filed under Uncategorized

NADPO events

Just a very quick blogpost to highlight that, since earlier this year NADPO (of whom I am Chair), has been running monthly online webinars for members on the third Tuesday of each month (with a break in August).

The latest event will take place on Tuesday 21 September, with speakers Sophie Van der Zee on “The power of personalised deception detection – Is Trump lying or just wrong?” and Dr Neil Bhatia on “Enforcing the enforcer? – The ICO orders the ICO to respond to an FOI request!”

Further details are available on the NADPO website.

Leave a comment

Filed under Uncategorized

DCMS admits reappointment of Elizabeth Denham was unlawful

A post by me on the Mishcon de Reya website.

Leave a comment

Filed under Uncategorized