Category Archives: Uncategorized

NADPO events

Just a very quick blogpost to highlight that, since earlier this year NADPO (of whom I am Chair), has been running monthly online webinars for members on the third Tuesday of each month (with a break in August).

The latest event will take place on Tuesday 21 September, with speakers Sophie Van der Zee on “The power of personalised deception detection – Is Trump lying or just wrong?” and Dr Neil Bhatia on “Enforcing the enforcer? – The ICO orders the ICO to respond to an FOI request!”

Further details are available on the NADPO website.

Leave a comment

Filed under Uncategorized

DCMS admits reappointment of Elizabeth Denham was unlawful

A post by me on the Mishcon de Reya website.

Leave a comment

Filed under Uncategorized

Recital 7 of the new SCCs – it’s a doozy

Post by me on the Mishcon de Reya website.

Everyone needs to understand the new model clauses for international transfers, and recital 7 is a red flag.

Leave a comment

Filed under Uncategorized

Regulatory breach reporting webinar

My firm recently held a webinar on regulatory notification obligations. We had Laura Middleton, head of ICO’S breach reporting team, as well as me and a couple of colleagues.

The highlights of the recording are here: https://www.mishcon.com/news/tv/-self-reporting-regulators-advantages-pitfalls

Leave a comment

Filed under Uncategorized

ICO statutory duty to promote economic growth

From time to time I can be a bit critical of the Information Commissioner’s Office (ICO). Indeed, in the past I may have criticised them for appearing to promote things or exercise their functions in a way that exceeded what their core role is. For instance, I may have queried why they frequently appear to be cheer-leading for innovation and digital economic expansion (not that I think those things are inherently to be avoided).

But it’s important to note that their functions are not limited to regulation of specific laws. Rather, under section 108 of the Deregulation Act 2015, and (made under that Act) The Economic Growth (Regulatory Functions) Order 2017, the ICO, as well as a host of other regulators, has a statutory duty to exercise her regulatory functions (other than those under FOIA, interestingly) with regard to the desirability of promoting economic growth. In particular, she has to consider the importance for the promotion of economic growth of exercising the regulatory function in a way which ensures that regulatory action is taken only when it is needed, and any action taken is proportionate.

Additionally, under section 110 of the Deregulation Act 2015 ICO (and other regulators) must also have regard to this guidance: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/603743/growth-duty-statutory-guidance.pdf

When people (again, I should include myself) question, for instance, the paucity in the UK of low-level GDPR fines for low-level infringements, they should take into account these provisions.

Whether this aspect of the Deregulation Act 2015 is actually reconcilable with the provisions of the GDPR (and, now, the UK GDPR) is a separate question. In principle, there need not be a clash between the promotion of economic growth and the regulation of compliance with the duty to observe the fundamental right to protection of personal data, but in practice, such clashes tend to occur.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, Uncategorized

Start the DSAR countdown (but how?)

A while ago I wrote a piece on the Mishcon de Reya website pointing out that the Information Commissioner’s Office (ICO) had silently changed its guidance on how to calculate the “one month” timescale for responding to a subject access request under the General Data Protection Regulation (or “GDPR” – which is now domestic law in the form of the amended retained version of the GDPR, aka “UK GDPR”).

The nub of that piece was that the ICO (following the legal precedents) was now saying that “You should calculate the time limit from the day you receive the request“. Which was a change from the previous position that “You should calculate the time limit from the day after you receive the request “.

I have noticed, however, that, although the ICO website, in its UK GDPR guidance, maintains that the clock starts from the date of receipt, the guidance on “Law Enforcement Processing” (which relates to processing of personal data by competent authorities for law enforcement purposes under part 3 of the Data Protection Act 2018 (DPA), which implemented the Law Enforcement Directive) states that the time should be calculated

from the first day after the request was received

It’s not inconceivable (in fact I am given to understand it is relatively common) that a some controllers might receive a subject access request (or other data subject request) which must be dealt with under both the UK GDPR and the Law Enforcement Processing provisions (police forces are a good example of this). The ICO’s position means that the controller must calculate the response time as starting, on the one hand, on the date of receipt, and, on the other hand, on the day after the date of receipt.

And if all of this sounds a bit silly, and inconsequential, I would argue that it is certainly the former, but not necessarily the latter: failure to comply within a statutory timescale is a breach of a statutory duty, and therefore actionable, at least in principle. If the ICO really does believe that the timescale works differently under different legal schemes, then how, for instance can it properly determine (as it must, when required to) under Articles 57(1)(f) and 77(1) of the UK GDPR, or section 51(2) of the DPA, whether there has been a statutory infringement?

Statutory infringements are, after all, potentially actionable (in this instance either with regulatory action or private action by data subjects) – the ICO maintains a database of complaint cases and publishes some of this (albeit almost two years in arrears), and also uses (or may use) it to identify trends. If ICO finds that a controller has made a statutory infringement, that is a finding of potential significance: if that same finding is based on an unclear, and internally contradictory, interpretation of a key aspect of the law, then it is unlikely to be fair, and unlikely to be lawful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, subject access, UK GDPR, Uncategorized

ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized

“All right, tell me. What’s the irony?”

“What’s wrong, Oscar? – This system is wrong”

Leave a comment

Filed under Uncategorized

ICO’s reasons for reducing BA’s fine – COVID not significant factor

Some media outlets who should know better have suggested COVID-19’s economic impact led to the ICO reducing its intended £183m fine for British Airways to the final £20m. In this piece on the Mishcon site, I point out that the initial figure was dropped after (and quite probably because of) strong representations from BA’s lawyers about the ICO’s reliance on a draft internal procedure for setting fine amounts.

Leave a comment

Filed under Uncategorized

Something is rotten in the state of FOI

By law, Freedom of Information Act 2000 (FOIA) requests must be responded to within 20 working days.

FOIA is regulated and (should be) enforced by the Information Commissioner’s Office (ICO).

As a public authority the ICO must also respond to FOIA requests.

So the ICO regulates (and should enforce) its own compliance with FOIA.

On 9 March 2020 I made a FOIA request to ICO, asking for the number of, and the recipients of “reprimands” issued by the ICO under Article 58(2)(b) of the General Data Protection Regulation (GDPR).

I didn’t receive a response within 20 working days (I did receive an acknowledgment of receipt on 31 March). However, I understood, and understand, the impact that COVID-19 has had on the ICO, so I realised and accepted that there might be a slight delay.

On 12 June I chased for a response.

On 16 June I was told the ICO was “working on a response”.

On 31 July I chased for a response.

On 12 August I received an apology and on 19 August a further email telling me I should receive a response by 28 August.

On 28 August I received some information: I was told how many Article 58 reprimands have been issued, but not who the recipients were. The latter would follow “shortly” as they were still “considering it”.

Despite chasing again, twice, I have heard nothing more.

So, nearly seven months after I made my FOIA request, and nearly half a year late, I still have no response from the office which is meant to regulate the law.

I really didn’t want to push this request too much. This period of pandemic has been beyond any normality, and I was very aware of the pressures the ICO must be under. But this was not a difficult request to deal with, in terms of finding the information (in fact, I would imagine they could find it in minutes). What presumably was difficult was the decision about whether to name and therefore shame the recipients of reprimands. I cannot see how COVID will have adversely affected the ability to take such a decision.

Ultimately, though, with an approach such as this from the regulator, one is left wondering – what’s the point in making FOIA requests?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Uncategorized