Category Archives: Uncategorized

An enforcement gap?

ICO wants 200 more staff for GDPR , but its Board think there’s a risk it will instead be losing them

The General Data Protection Regulation (GDPR) is, without doubt, a major reconfiguring of European data protection law. And quite rightly, in the lead-up to its becoming fully applicable on 25 May next year, most organisations are considering how best they can comply with its obligations, and, where necessary, effecting changes to achieve that compliance. As altruistic as some organisations are, a major driver for most is the fear that, under GDPR, regulatory sanctions can be severe. Regulators (in the UK this is the Information Commissioner’s Office (ICO)) will retain powers to force organisations to do, or to stop, something (equivalent to an enforcement notice under our current Data Protection Act 1998 (DPA)), but they will also have the power to levy civil administrative fines of up to €20 million, or 4% of annual global turnover. Much media coverage has, understandably, if misleadingly, focused on these increased “fining” powers (the maximum monetary under the DPA is £500,000). I use the word “misleadingly”, because it is by no means clear that regulators will use the full fining powers available to them: GDPR provides regulators with many other options (see Article 58) and recital 129 in particular states that measures taken should be

appropriate, necessary and proportionate in view of ensuring compliance with this Regulation [emphasis added]

Commentators stressing the existence of these potentially huge administrative fines should be referred to these provisions of GDPR. 

But in the UK, at least, another factor has to be born in mind, and that is the regulator’s capacity to effectively enforce the law. In March this year, the Information Commissioner herself, Elizabeth Denham, told the House of Lords EU Home Affairs Sub-Committee that with the advent of GDPR she was going to need more resource

With the coming of the General Data Protection Regulation we will have more responsibilities, we will have new enforcement powers. So we are putting in new measures to be able to address our new regulatory powers…We have given the government an estimate that we will need a further 200 people in order to be able to do the job.

Those who rather breathlessly reported this with headlines such as “watchdog to hire hundreds more staff” seem to have forgotten the old parental adage of “I want doesn’t always get”. For instance, I want a case of ’47 Cheval Blanc delivered to my door by January Jones, but I’m not planning a domestic change programme around the possibility.

In fact, the statement by Denham might fall into a category best described as “aspirational”, or even “pie in the sky”, when one notes that the ICO Management Board recently received an item on corporate risk, the minutes from which state that

Concern was expressed about the risk of losing staff as GDPR implementation came closer. There remained a risk that the ICO might lose staff in large numbers, but to-date the greater risk was felt to be that the ICO could lose people in particular roles who, because of their experience, were especially hard to replace.

The ICO has long been based in the rather upmarket North West town of Wilmslow (the detailed and parochial walking directions from the railway station to the office have always rather amused me). There is going to be a limited pool of quality candidates there, and ICO pays poorly: current vacancies show case officers being recruited at starting salary of £19,527, and I strongly suspect case officers are the sort of extra staff Denham is looking at.

If ICO is worried about GDPR being a risk to staff retention (no doubt on the basis that better staff will get poached by higher paying employers, keen to have people on board with relevant regulatory experience), and apparently can’t pay a competitive wage, how on earth is it going to retain (or replace) them, and then recruit 200 more, from those sleepy Wilmslow recruitment fairs?

I write this blogpost, I should stress, not in order to mock or criticise Denham’s aspirations – she is absolutely right to want more staff, and to highlight the fact to Westminster. Rather, I write it because I agree with her, and because, unless someone stumps up some significant funding, I fear that the major privacy benefits that GDPR should bring for individuals (and the major sanctions against organisations for serious non-compliance) will not be realised.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Uncategorized

Making even more criminals

Norfolk Police want your dashcam footage. Do you feel lucky, punk?

I wrote recently about the change to the Information Commissioner’s Office (ICO) registration process, which enables domestic users of CCTV to notify the ICO of that fact, and pay the requisite fee of £35. I noted that this meant that

it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

I didn’t take issue with the correctness of the legal position, but I went on to say that

The logical conclusion…here is that anyone who takes video footage anywhere outside their home must register

I even asked the ICO, via Twitter, whether users of dashcams should also register, to which I got the reply

If using dashcam to process personal data for purposes not covered by domestic exemption then would need to comply with [the Data Protection Act 1998]

This subject was moved from the theoretical to the real today, with news that Norfolk Constabulary are encouraging drivers using dashcams to send them footage of “driving offences witnessed by members of the public”.

Following the analyses of the courts, and the ICO, as laid out here and in my previous post, such usage cannot avail itself of the exemption from notification for processing of personal data “only” for domestic purposes, so one must conclude that drivers targeted by Norfolk Constabulary should notify, and pay a £35 fee.

At this rate, the whole of the nation would eventually notify. Fortunately (or not) the General Data Protection Regulation becomes directly applicable from May next year. It will remove the requirement to give notification of processing. Those wishing, then, to avoid the opprobrium of being a common criminal have ten months to send their fee to the ICO. Others might question how likely it is that the full force of the law will discover their criminality, and prosecute, in that short time period.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, police, Uncategorized

Making criminals of us all

The Information Commissioner thinks that countless households operating CCTV systems need to register this, and pay a £35 fee for doing so. If they don’t, they might be committing a crime. The Commissioner is probably mostly correct, but it’s a bit more complex than that, for reasons I’ll explain in this post.

Back in 2014, to the surprise of no one who had thought about the issues, the Court of Justice of the European Union (CJEU) held that use of domestic CCTV to capture footage of identifiable individuals in public areas could not attract the exemption at Article 3(2) of the European data protection directive for processing of personal data

by a natural person in the course of a purely personal or household activity

Any use of CCTV, said the CJEU, for the protection of a house or its occupiers but which also captures people in a public space is thus subject to the remaining provisions of the directive:

the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision

As some commentators pointed out at the time, the effect of this ruling was potentially to place not just users of domestic CCTV systems under the ambit of data protection law, but also, say, car drivers using dashcams, cyclists using helmetcams, and many other people using image recording devices in public for anything but their own domestic purposes.

Under the directive, and the UK Data Protection Act 1998, any data controller processing personal data without an exemption (such as the one for purely personal or household activity) must register the fact with the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO). Failure to register in circumstances under which a data controller should register is a criminal offence punishable by a fine. There is a two-tier fee for making an entry in the ICO’s register, set at £35 for most data controllers, and £500 for larger ones.

For some time the ICO has advised corporate data controllers that if they use CCTV on their premises they will need to register:


But I recently noticed that the registration page itself had changed, and that there is now a separate button to register “household CCTV”


If one clicks that button one is taken to a page which informs that, indeed, a £35 fee is payable, and that the information provided will be published online 


There is a link to the ICO’s overarching privacy notice [ed. you’re going to have to tighten that up for GDPR, guys] but the only part of that notice which talks about the registration process relates only to “businesses”


Continuing the household CCTV registration process, one then gets to the main screen, which requires that the responsible person in the household identify themselves as data controller, and give either their household or email address for publication


What this all means is that it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

(In passing, there is a problem here: the pages and the process miss the point that for the registration to be required, the footage needs to be capturing images of identifiable individuals, otherwise no personal data is being processed, and data protection law is simply not engaged. What if someone has installed a “nest cam” in a nearby wooded area? Is ICO saying they are committing a criminal offence if they fail to register this? Also, what if the footage does capture identifiable individuals outside the boundaries of a household, but the footage is only taken for household, rather than crime reduction purposes? The logical conclusion of the ICO pages here is that anyone who takes video footage anywhere outside their home must register, which contradicts their guidance elsewhere.)

What I find particularly surprising about all this is that, although fundamentally it is correct as a matter of law (following the Ryneš decision by the CJEU), I have seen no publicity from the ICO about this pretty enormous policy change. Imagine how many households potentially *should* register, and how many won’t? And, therefore, how many the ICO is implying are committing a criminal offence?

And one thing that is really puzzling me is why this change, now? The CJEU ruling was thirty months ago, and in another eleven months, European data protection law will change, removing – in the UK also – the requirement to register in these circumstances. If it was so important for the ICO to effect these changes before then, why keep it quiet?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Data Protection, Directive 95/46/EC, GDPR, Information Commissioner, Uncategorized

The first time Parliament heard the term “Freedom of Information”

…if there is one matter on which I feel more strongly than another it is that in a democratic community the foundation of good government lies in freedom of information, freedom of thought, and freedom of speech: You can not have a country, which is governed by its people, wisely and well governed, unless those people are permitted access to accurate information, and are permitted the free exchange of their views and their opinions: That is essential to good government: It is quite true that if you grant that freedom there will be abuses: It is quite true that foolish people advocate foolish views: That is one of the many unfortunate corollaries

Although the past is a foreign country, some of its citizens can seem familiar: the quotation above is from Liberal politician Sir Richard Durning Holt, and was made in a parliamentary debate seven months short of a hundred years ago. It contains the first recorded parliamentary use of the term “freedom of information”. It was said as part of a debate about conscientious objectors to the “Great War” (Holt was drawing attention to what he saw as the unfair and counter-productive prosecutions of objectors). He may not have meant “freedom of information” in quite the way we mean it now, but his words resonate, and – at a time when our own Freedom of Information Act 2000 is under threat – remain, as a matter of principle, remarkably relevant.

I found the quotation using Glasgow University’s extraordinary corpus of “nearly every speech given in the British Parliament from 1803-2005”. I commend it to you, and, a century on, commend Sir Richard’s words to Jack Straw and his fellow members on the Independent Commission on Freedom of Information.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Freedom of Information, Uncategorized

A novel defence by Talk Talk?

Talk Talk, in response to the recent revelations about the compromising of the data of up to four million of its customers, says rather boldly

Has TalkTalk breached the Data Protection Act?
No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months. 

And it got me to wondering how well this rather novel approach could be extended in other legal areas.

The defendant, a Mr Talk Talk, was travelling at a speed of ninety-four miles per hour, and had consumed the equivalent of two bottles of gin. However, as the other driver involved in the collision had failed to renew his motor insurance we find that the defendant was evidently merely the victim of a crime, and my client could not, as a matter of law, have broken speeding and drink driving laws.

Furthermore, although the defendant later viciously kicked an elderly bystander in a motiveless attack, he cannot be guilty of an assault because the pensioner was recently convicted of watching television without a licence.

And finally, although my client picked up a police officer and threw him into a duck pond, the fact that the said officer once forgot to pay for a milky way in the staff canteen provides an absolute defence to the charge of obstructing a police officer in the line of duty.

Let’s see how well Talk Talk’s defence washes with the ICO.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Easy as 1-2-3…?

Has the ICO got its FOI sums wrong?

I wrote recently about a decision of the Information Tribunal where the Tribunal held that the Information Commissioner’s Office (ICO) had wrongly calculated the time for compliance with a request made under the Freedom of Information Act 2000 (FOIA) and consequently had said that the public authority in question had contravened its obligations under section 10(1) of FOIA, when in fact it had complied on time. 

One might have thought the ICO would have made sure that it didn’t make this counting mistake again, particularly in cases where an error can make the difference between requests being either compliant or not compliant with FOIA. I was rather surprised, therefore, to notice  a recently published decision notice by the ICO in which (if my calculations are correct) they have again wrongly calculated the time for compliance and consequently issued a decision against a public authority when in fact the public authority had complied with its obligations under section 10(1). As I have noted before, the 20 working day time for compliance with a FOIA request does not include bank holidays even where the bank holiday in question applies only in one part of the UK. So, for instance, a bank holiday in Scotland (say, St Andrew’s Day), but not in the rest of the UK, is still classed as a non-working day for the purposes of FOIA. In this instance one of the requests for information was made on March 16, 2014 and responded to on April 14 2014. The ICO said this meant that the public authority in question – the Student Loans Company – had taken 21 working days to respond. However this seems to overlook the fact that March 17 is a bank holiday in Northern Ireland, where it marks St Patrick’s Day. Accordingly it should not have been counted as a working day by the ICO for the purposes of FOIA. 

By my calculations the public authority responded on the 20th working day, they complied with their obligations under FOIA, and the ICO has issued a defective decision notice. I wonder if an appeal has been lodged.

There are a surprising number of bank holidays throughout the year, when one takes into account those in all parts of the UK, and it is worth bearing in mind that if one of those days falls within any of the putative 20 working days for compliance with a FOIA request then it will push the time for compliance back that one extra day. I reckon (and as nerdy as I am I’m not so nerdy as to have (yet) worked it out) that there’s probably something like a 50% chance that a FOIA request will actually contain a day that is a bank holiday, and maybe one that is not one that applies uniformly throughout the UK. All FOIA requesters, practitioners and, indeed, regulators, should bear this in mind.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

28 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Uncategorized

No Information Rights Levy for ICO – where now for funding?

The ICO’s plan for an “information rights levy” appears to have been scuppered by the government. But is retaining data protection notification fees the way to solve the funding problem?

Back in the heady days of January 2012, when a naive but optimistic European Commission proposed a General Data Protection Regulation (GDPR), to replace the existing 1995 Directive, one of the less-commented-on proposals was to remove the requirement for data controllers to notify their processing activities to the national data protection authority. However, the UK Information Commissioner’s Office (ICO) certainly noticed it, because the implications were that, at a stroke, a large amount of ICO funding would disappear. Currently, section 18(5) of the Data Protection Act 1998 (DPA), and accompanying secondary legislation, mean that data controllers (unless they have an exemption) must pay an annual fee to the ICO of either £35 or £500 (depending upon the size of the organisation). In 2012-2013 this equated to an estimated income of £17.4m, and this income effectively funds all of the ICO’s data protection regulatory actions (its FOI functions are funded by grant-in-aid from the Ministry of Justice).

Three years later, and the GDPR is still not with us. However, it will eventually be passed, and when it is, it seems certain that the requirement under European law to notify will be gone. Because of this, as the Justice Committee recognised in 2013, alternative ICO funding means need to be identified as soon as possible. The ICO’s preferred choice, and one which Christopher Graham has certainly been pushing for, was an “Information Rights Levy”, the details of which were not specified, but which it appears was proposed to be paid by data controllers and public authorities (subject to FOI) alike. In the 2013/14 ICO Annual Report Graham was bullish in calling for action:

Parliament needs to get on with the task of establishing a single, graduated information rights levy to fund the important work of the ICO as the effective upholder of our vital right to privacy and right to know

But this robust approach doesn’t seem to have worked. At a recent meeting of the ICO Management Board a much more pessimistic view emerges. In a report entitled “Registration Fee Strategy” it is said that

The ICO has previously highlighted the need for an ‘information rights fee’ or one fee, paid by organisations directly to the ICO, to fund all information rights activities. Given concerns across government that this would result in private sector cross subsidising public sector work, the ICO recognises that this is unlikely in the short term

The report goes on, therefore, to talk about proposed changes to the current fee/notification process, and about ways of identifying who needs to pay. 

But, oddly, it seems to assume that although the GDPR will remove the requirement for a data controller  to notify processing to the ICO, the UK will retain the discretion to continue with such arrangements (and to charge a fee). I’m not sure this is right. As I’ve written previously, under data protection law at least some recreational bloggers have a requirement to notify (and pay a fee), and the legal authorities are clear that the law’s ambit extends to, for instance, individuals operating domestic CCTV, if that CCTV covers public places where identifiable individuals are. Indeed, as the 2004 Lindqvist case found 

The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number…constitutes ‘the processing of personal data…[and] is not covered by any of the exceptionsin Article 3(2) of Directive 95/46 [section 36 of the DPA transposes Article 3(2) into domestic law]

It is arguable that, to varying extents, we are all data controllers now (and ones who will struggle to avail ourselves of the data protection exemption for domestic purposes). Levying a fee on all of us, in order that we can lawfully express ourselves, has the potential to be a serious infringement of our right to freedom of expression under Article 10 of the European Convention on Human Rights, and even more directly, Article 11 of the Charter of Fundamental Rights of the European Union.

The problem of how to effectively fund the ICO in a time of austerity is a challenging one, and I don’t envy those at the ICO and in government who are trying to solve it, but levying a tax on freedom of expression (which notification arguably already is, and would almost certainly be if the GDPR doesn’t actually require notification) is not the way to do so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

1 Comment

Filed under Data Protection, Directive 95/46/EC, GDPR, Information Commissioner, Uncategorized

Internal review request of case IRQ 0576154

Thanks for your reply. However, I would like to request an internal review of case IRQ0576154.

Specifically, I would like you to review the decision not to release the executive summary of your audit of Talk Talk’s compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

I can understand and accept the application, in your initial response, of s31(1)(g) of the Freedom of Information Act 2000 (FOIA) in regard to most of the held (and withheld) information you have identified, but you say the disclosing the executive summary itself would or would be likely to prejudice the relevant exercise of your functions, and that the public interest favours the maintaining of the exemption. But neither in your consideration of the application of the exemption nor in your consideration of the public interest have you taken into account the fact that the executive summaries of your audits are prepared on the presumption that they will be published. As your document “Communicating Audits” says:

The ICO will expect to publish the Executive Summary on our website and will encourage the data controller to allow us to do so

And certainly in the case of some PECR audits you do (last year you published the summaries of audits into EE and Telefonica UK).

I appreciate that the document goes on to say that a data controller (and by inference a person, for PECR purposes) can “prevent” publication, but surely allowing, or purporting to allow, a person to prevent publication (without any other reason) is an impermissible restraint on your public law discretion to disclose information.

Furthermore, I would submit that you have failed to take into account, both when considering whether the exemption was engaged and when considering the public interest, the fact that publishing (or disclosing) the executive summary allows consumers to make a more informed choice about which telecoms provider to choose to do business with. If some providers’ PECR compliance is better, or worse, than others, then consumers have an interest in knowing this.

For these reasons I hope you can reconsider your decision and disclose the executive summary at least.

Best wishes,

Jon Baines

2 Comments

Filed under Uncategorized

ICO finds Lib Dems in breach of ePrivacy law

A few months ago, when I entered my email address on the Liberal Democrats’ website to say that I agreed with the statement 

Girls should never be cut. We must end FGM

I hoped I wouldn’t subsequently receive spam emails promoting the party. However I had no way of knowing because there was no obvious statement explaining what would happen. But, furthermore, I had clearly not given specific consent to receive such emails.

Nonetheless, I did get them, and continue to do so – emails purportedly from Nick Clegg, from Paddy Ashdown and from others, promoting their party and sometimes soliciting donations.

I happen to think the compiling of a marketing database by use of serious and emotive subjects such as female genital mutilation is extraordinarily tasteless. It’s also manifestly unlawful in terms of Lib Dems’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which require specific consent to have been given before marketing emails can be sent to individuals.

On the lawfulness point I am pleased to say the Information Commissioner’s Office (ICO) agrees with me. Having considered my complaint they have said:

I have reviewed your correspondence and the organisations website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals.

Great. I’m glad they agree – casual disregard of PECR seems to be rife throughout politics. As I’ve written recently, the Labour Party, UKIP and Plaid Cymru have also spammed my dedicated email account. But I also asked the ICO to consider taking enforcement action (as is my right under regulation 32 of PECR). Disappointingly, they have declined to do so, saying:

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

It’s also disappointing that they don’t say why this is their decision. I know they cannot take enforcement action in every case reported to them, which is why I requested it in this specific case.

However, I will be interested to see whether the outcome of this case changes the Lib Dems’ approach. Maybe it will, but, as I say, they are by no means the only offenders, and enforcement action by the ICO might just have helped to address this wider problem.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

8 Comments

Filed under consent, enforcement, Information Commissioner, marketing, PECR, spam, Uncategorized

Up a gum tree

Data protection law doesn’t prevent disclosure of personal data where not doing would be likely to prejudice criminal justice purposes

Theft of a bicycle may not be the most serious crime ever. However, crime it is, and any omission by a person which is likely to prejudice the detection of that crime or the apprehension or prosecution of the thief is, in societal terms, to be deplored. This is why, when the omission in question would be a failure by a data controller to disclose personal data to the police which would be likely to assist in the detection of the crime or the apprehension or prosecution of the thief, the Data Protection Act 1998 (DPA) provides an exemption to the general presumption in the Act against disclosure, which authorises such disclosure.

Section 29 of the DPA is often misunderstood. It is quite common, particularly in certain sectors (social services, housing etc.) for data controllers to be contacted by the police, or other bodies with powers to investigate crime, asking for disclosure of information about people whose personal data the data controller holds. Data protection officers will often talk of a “section 29 request”, but this is really just shorthand for saying “the police etc. have requested disclosure of personal data from this data controller and the section of the DPA which is engaged and under whose provisions we would be authorised to disclose would be section 29”.

With this in mind it is surprising to read in The Daily Record that police are unable to trace a person who had the gall to post an advert on the classified ad site Gumtree purporting to offer for sale a bike stolen from outside a gym in Edinburgh. According to the article police have told the owner of the bike, who spotted the advert, that

…officers could not act because of data protection laws…Due to data protection laws, a warrant must be applied for before police can access personal information held by the site.

The reference to a warrant, however, is surely excessive. The article also refers to the police “waiting to hear back” from Gumtree. Section 29(3) of the DPA allows Gumtree to disclose the details of the person who placed the advert, by exempting them from the general obligation to comply with the first five data protection principles and sections 10 and 14(1) to (3) (collectively referred to as the non-disclosure principles). Failure to exercise this power by a data controller, or a delay in doing so, in circumstances where such a failure would be likely to prejudice the police’s duties is detrimental to the public interest. One hopes that, if the article is correct, Gumtree will now act in that public interest and disclose the details without delay.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, data sharing, police, Uncategorized