As I was looking at the excellent version of the UK GDPR on the Mishcon de Reya website (plaudits, and a salary increase, for the person who created it), I noticed odd wording at Article 23(1)(e)
…including monetary, budgetary and taxation a matters, public health…
“taxation a matters”? Oh dear – salary decrease for whoever typed that?
At that point, my national pride was concerned. Did the UK screw up its retention of the EU GDPR? But no – pride restored! plaudits restored! salary increase merited! The silly old drafters of the original GDPR had done the original typo, which has carried through. The Official Journal of the European Union bears the original sin
I surely can’t be the first person to have noticed this. But a cursory Google search didn’t show anyone else mentioning it. So I’m going to claim it. With all the associated plaudits.
NADPO’s May lunchtime webinar is at 13:30 on 23 May. Speakers and topics are
Prof Mark Elliott, UKAN – “Anonymisation: What is it? And how do I do it?” Karen Levy, Cornell University – “Robotruckers: The double threat of AI for low-waged work”
As usual, there are a couple of free spaces for anyone who wants to test the NADPO waters. Email me on chair at nadpo dot co dot uk if you’re interested.
There’s an interesting Freedom of Information (FOI) response by the Information Commissioner’s Office (ICO) on the website WhatDoTheyKnow. In response to the question
have you examined the use of AI to help you in doing your work as an organisation?
For information, the ICO does not use any artificial intelligence (“AI”) technology.
However, if one uses most of the standard definitions of AI (such as the one from the government’s National AI Strategy: “machines that perform tasks normally requiring human intelligence, especially when the machines learn from data how to do those tasks”) one might find that hard to believe. What about spam filters on the ICO email network? Or the fact they recommend Google Maps for anyone needing directions to their offices? Or their corporate use of social media? All of those technologies use, or constitute, AI.
There is a wider point here: the task of regulating AI, or even of comprehending how it uses personal data, will fall increasingly on some key regulators in coming years (including the ICO). It is going to be crucial that there is understanding within those organisations of these issues, and if they don’t comprehend now how, within their own walls, the technology operates, they will be starting off on the back foot.
(One should also add that, if the ICO has missed some of its own more obvious uses of AI, then it has probably also failed to respond to the FOI request in accordance with the law.)
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The Information Commissioner’s Office (ICO) has announced that it will not be taking action against Lancashire Police in relation to their disclosure of private information during their investigation into the tragic case of Nicola Bulley.
This is unsurprising, and, objectively, reassuring, because if the ICO had brought enforcement proceedings it would almost certainly have been unlawful to do so. In blunt terms, the ICO’s relevant powers are under laws which deal with “personal data” (data relating to a living individual) and when the police disclosed information about Nicola, she was not living.
There is no discretion in these matters, and no grey areas – a dead person (in the UK, at least) does not have data protection rights because information relating to a dead person is, simply, not personal data. Even if the police thought, at the time of the disclosure, that Nicola was alive, it appears that, as a matter of fact, she was not. (I note that the ICO says it will be able to provide further details about its decision following the inquest into Nicola’s death, so it is just possible that there is further information which might elucidate the position.)
Unless the ICO was going to try to take enforcement action in relation to a general policy, or the operation of a general policy, about disclosure of information about missing people (for instance under Article 24 of the UK GDPR), then there was simply no legal power to take action in respect of this specific incident.
That is not to say that the ICO was not entitled to comment on the general issues, or publish the guidance it has published, but it seems to be either an empty statement to say “we don’t consider this case requires enforcement action”, or a statement that reveals a failure to apply core legal principles to the situation.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Have HMRC jumped the gun, and assumed that they can now (in advance of the Data Protection and Digital Information (No.2) Bill being passed) rely on the soft opt-in for email marketing?
In common with many other poor souls, I have in recent years had to submit a self-assessment tax return to HMRC. Let’s just say that, unless they’re going to announce a rebate, I don’t relish hearing from them. So I was rather surprised to receive an email from “HMRC Help and Support” recently, telling me “what’s coming up in May” and inviting me to attend webinars. A snippet of the email is here
This certainly wasn’t solicited. And, at least if you follow the approach of the Information Commissioner’s Office (ICO) was direct marketing by electronic means (“Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations“).
The only lawful way that a person can send unsolicited direct electronic marketing to an individual subscriber like me, is if the recipient has consented to receive it (I hadn’t), or if the person obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient (see regulation 22 of the Privacy and Electronic Marketing (EC Directive) Regulations 2003 (“PECR”)). But HMRC cannot avail themselves of the latter (commonly known as the “soft opt-in”), because they have not sold me (or negotiated with me for the sale) of a product or service. The ICO also deals with this in its guidance: “Not-for-profit organisations should take particular care when communicating by text or email. This is because the ‘soft opt-in’ exception only applies to commercial marketing of products or services“.
I raised a complaint (twice) directly with HMRC’s Data Protection Officer who (in responses that seemed oddly, let’s say, robotic) told me how to unsubscribe, and pointed me to HMRC’s privacy notice.
It seems to me that HMRC might be taking a calculated risk though: the Data Protection and Digital Information (No.2) Bill, currently making its way through Parliament, proposes (at clause 82) to extend the soft opt-in to “non-commercial objectives”. If it passes, then we must expect much more of This Type Of Thing from government.
If I’m correct in this, though, I wonder if, when calculating that calculated risk, HMRC calculated the risk of some calculated individual (me, perhaps) complaining to the ICO?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
In August 2022 the Solicitors Regulation Authority (SRA) announced plans to change its rules and reinstate the annual “keeping of the roll” exercise. Until 2014, all solicitors without practising certificates were required to complete an application each year and pay an administration fee if they wished to remain on the roll. This requirement was dispensed with in 2014 in part because the annual process was seen as burdensome for solicitors.
One of the justifications now for reintroducing the keeping of the roll is given by the SRA as
There are also requirements under the General Data Protection Regulation (GDPR) 2016 [sic] and the seven principles that govern the holding and retention of data. Under GDPR we have responsibility as a data controller to ensure we maintain accurate data relating to individuals and we are processing it fairly and lawfully.
What is slightly odd is that when, in 2014, the SRA proposed to scrap the keeping of the roll, it was not troubled by the observations of the then Information Commissioner about the importance of accuracy and privacy of information. In its reply to the then Commissioner’s consultation response it said that it had “fully considered the issues” and
We consider that the availability of the SRA’s online system, mySRA, to non- practising solicitors as a means of keeping their details up to date, serves to mitigate the possibility of data become inaccurate…To further mitigate the risk of deterioration of the information held on the roll, the SRA can include reminders to keep contact details up to date in standard communications sent to solicitors.
If that was the position in 2014, it is difficult to understand why it is any different today. The data protection principles – including the “accuracy principle” – in the UK GDPR (not in fact the “GDPR 2016” that the SRA refers to) are effectively identical to those in the prior Data Protection Act 1998.
If the SRA was not concerned by data protection considerations in 2014 but is so now, one might argue that it should explain why. The Information Commissioner does not appear to have responded to the consultation this time around, so there is no indication that his views swayed the SRA.
If the SRA was concerned about the risk of administrative fines (potentially larger under the UK GDPR than under the Data Protection Act 1998) it should have reassured itself that any such fines must be proportionate (Article 83(1) UK GDPR) and by the fact that the Commissioner has repeatedly stressed that he is not in the business of handing out fines for minor infringements to otherwise responsible data controllers.
I should emphasise that data protection considerations were not the only ones taken into account by the SRA, and I don’t wish to discuss whether, in the round, the decision to reintroduce the keeping of the roll was correct or not (Joshua Rozenberg has written on this, and the effect on him). But I do feel that the arguments around data protection show a confused approach to that particular issue.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:
Further down the page visitors are invited to “send Labour a message”
Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)
One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”
There are two things to note.
First, the form appears to submit whether one ticks the “I agree” box or not.
Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.
So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.
I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.
Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.
It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.
And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
At a recent awards event, recognising high-performing Freedom of Information officers and teams (fantastic idea by the organisers/sponsors, by the way*) I gave a brief talk where I stressed that it was important to recognise how much FOI has achieved in its 23 (or 18**) years, and to remember that every day thousands of disclosures are made by thousands of public authorities. It’s very easy to snipe at bad practice, and I often do, but if we don’t acknowledge the benefits, the real opponents of FOI might start arguing for its repeal.
So. Celebrate success. Accentuate the positive. Eliminate the negative.
However.
Then you see a decision notice from the Information Commissioner (ICO), in which a large London council had refused to disclose, under FOI, information on how many enquiries (MEQs) each of its councillors*** had submitted to the council on behalf of constituents. The reason for refusal was that this was the personal data of the councillors (well, yes) and that disclosure would infringe those councillors’ rights under the data protection law (hell, no).
This isn’t time for legal analysis. It really is as extraordinary as it sounds.
Thankfully, the ICO had no truck with it (and the notice does have legal analysis).
Frankly, though, the council should be ashamed.
______________________
*I have no personal or professional interest
**The Act commenced in 2000, but the main provisions didn’t commence until 2005
***At the end of the notice there is a big hint as to the role of the person who made the request – see if you can guess
.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 