November 2, 2022 · 5:11 pm

ICO threatened Matt Hancock with £17.5m fine (sort of)

It’s well known that, under the UK GDPR, and the Data Protection Act 2018 (DPA), the Information Commissioner can fine a controller or a processor a maximum of £17.5m (or 4% of global annual turnover). Less well known (to me at least) is that he can fine any person, including you, or me, or Matt Hancock, the same, even if they are not a controller or processor.

Section 142 of the DPA empowers the Commissioner to serve “Information Notices”. These fall broadly into two types: those served on a controller or processor requiring them to provide information which the Commissioner reasonably requires for the purposes of carrying out his functions under the data protection legislation; and those requiring

any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of—

(i)investigating a suspected failure of a type described in section 149(2) or a suspected offence under this Act, or

(ii)determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.

And by section 155(1) of the DPA, the Commissioner may serve a monetary penalty notice (aka “fine”) on any “person” who fails to comply with an Information Notice. That includes you, or me, or Matt Hancock. (Section 157(4) provides that the maximum amount is £17.5m, or 4% of global annual turnover – although I doubt that you, I, or Matt Hancock has an annual global turnover.)

All very interesting and theoretical, you might think. Well, so might Matt Hancock have thought, until an Information Notice (which the Commissioner has recently uploaded to the ICO website) dropped onto his figurative doormat last year. The Notice was in relation to the Commissioner’s investigation of the leaking of CCTV images showing the former Secretary of State for Health and Social Care and his former aide enjoying each other’s company. The investigation – which was into the circumstances of the leak, and not Matt Hancock’s conduct – concluded in April of this year, with the ICO deciding that there was insufficient evidence to justify further action. But the Notice states clearly at paragraph 7 that failure to comply is, indeed, punishable with a fine of up to £17.5m (etc.).

The Matt Hancock Notice admittedly addresses him as if he were a controller (it says the ICO is looking at his compliance with the UK GDPR) although I am not sure that is correct – Matt Hancock will indeed be a controller in respect of his constituency work, and his work as an MP outside ministerial duties, but the normal approach is that a ministerial department will be the relevant controller for personal data processed in the context of that department (thus, the Department for Health and Social Care shows as a controller on the ICO register of fee payers).

Nonetheless, the ICO also issued an Information Notice to Matt Hancock’s former aide (as well as to Helen Whateley MP, the Minister of State), and that one makes no mention of UK GDPR compliance or a suggestion she was a controller, but does also “threaten” a potential £17.5m fine.

Of course, realistically, no one, not even Matt Hancock, was really ever at risk of a huge fine (section 155(3) of the DPA requires the Commissioner to have regard to various factors, including proportionality), but it strikes me as a remarkable state of affairs that you, I or any member of the public caught up in a matter that leads to ICO investigation, and who might have relevant information, is as a matter of law vulnerable to a penalty of £17.5m if they don’t comply with an Information Notice.

Even Matt Hancock.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, information notice, monetary penalty notice, UK GDPR

Tagged as , ,

October 18, 2022 · 7:34 am

NADPO conference on 22 Nov, with keynote from John Edwards, Information Commissioner

NADPO’s 2022 annual conference will see a return to in-person events. And we are delighted that the keynote speaker is UK Information Commissioner John Edwards. John will be joined by a stellar line up including

  • Maurice Frankel, from the Campaign for Freedom of Information
  • Professor Victoria Nash, from the Oxford Internet Institute
  • Professor Lilian Edwards, from Newcastle University, and also the Ada Lovelace Institute
  • Sarah Houghton, Head of Competition Law at Mishcon de Reya LLP
  • Stewart Room, of DWF and also President of NADPO

The conference will take place on 22 November, at the Mishcon de Reya offices at Africa House, Kingsway (right next to Holborn tube station).

Attendance is free (as ever) for all NADPO members, and it is not too late to purchase a membership, for the price of £130, which guarantees free attendance at all NADPO events, as well as at some partners’ events, as well as discounted rates on commercial training services from respected providers. Members also receive a monthly newsletter.

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner, NADPO

Tagged as , , ,

October 7, 2022 · 7:42 am

GDPR is rubbish

I was challenged recently along the lines that “you don’t like change – you think that GDPR is great and any amendments are negative”.

After I’d spluttered in rage that this wasn’t true, I checked my thoughts. I don’t think the challenge was fair – I don’t mind the idea of repeal or reform of the UK GDPR model – but I do still think that any change needs to be planned and drafted very carefully, so as not to interfere with the core data protection concepts, and checks and balances, that have – broadly – carried through and developed over a series of legal instruments, starting with the Council of Europe Convention 108 of 1981 and the OECD Guidelines of 1980.

But, also, I’m happy to point out that, at times, GDPR is simply rubbish. And I don’t mean in broad legal terms – see for instance David Erdos’s interesting criticisms – I mean that it sometimes doesn’t make sense.

There’s an example in recital 63

A data subject should have the right of access to personal data…in order to be aware of, and verify, the lawfulness of the processing.

I think this is meant to mean “a data subject should have the right of access in order to be aware of the processing and verify its lawfulness”. But, as drafted, it suggests the data subject should be able to be aware of the lawfulness of the processing, and verify that lawfulness, which lacks logic.

But that’s in the recitals, and no one reads the recitals do they?

But consider one of the substantive provisions. Article 5(2), which describes the “accountability principle” says

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Think about what that says: “the controller shall be responsible for…paragraph 1” (paragraph 1 containing the core data protection principles). What it is surely intended to mean is “the controller shall be responsible for compliance with paragraph 1”, but it doesn’t say that. In literal terms it says that the controller has responsibility for the legislative words.

And it’s worth noting that in the French text (French being the only other language this lumbering English person has really even vague familiarity with), the wording does say that: “…est responsable du respect du paragraphe 1…”.

I’m not suggesting this is a big problem: a regulator and a court would almost certainly read the wording so as to give effect to the legislator’s intention.

It just irritates me.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, not-entirely-serious, UK GDPR

Tagged as ,

October 3, 2022 · 8:21 pm

Certainly uncertain – data protection reform developments

In recent weeks the future of data protection law in the UK has been not just hard to predict, but also hard to keep up with.

Since Brexit, the UK has had its own version of the EU’s GDPR, called, obviously enough, the “UK GDPR“. Then, on 18 July, a Data Protection and Digital Information Bill was presented in Parliament – it proposed some significant (but possibly not hugely so) changes to the current regime, but it retained the UK GDPR. It was scheduled to have its second reading in the House of Commons on 5 September, but this was postponed “to allow Ministers to consider the legislation further”.  

Following this, on 22 September, the Retained EU Law (Revocation and Reform) Bill was introduced. This appeared to propose the “sunsetting” (i.e. the repeal) of multiple data and information laws, including the UK GDPR, by the end of 2023.

The next development, on the first day of the Conservative Party conference, is the announcement by the Culture Secretary, Michelle Donelan, that

we will be replacing GDPR with our own business and consumer-friendly data protection system… Many…smaller organisations and businesses only in fact employ a few people. They don’t have the resources or money to negotiate the regulatory minefield that is GDPR. Yet right now, in the main, they’re forced to follow this one-size-fits-all approach.

She also suggested that businesses had suffered from an 8% reduction in profit from GDPR. It is not immediately clear where this figure comes from, although some have suggested that an Oxford Martin School paper is the source. This paper contains some remarkably complex equations. I have no competence in assessing, and no reason to doubt, the authors’ economic and statistical prowess, but I can say (with a nod to the ageless concept of “garbage in, garbage out”) that their understanding of data protection law is so flawed as to compromise the whole paper. They say, for instance

websites are prohibited from sharing user data with third parties, without the consent from each user

and

companies that target EU residents are required to encrypt and anonymise any personal data it [sic] stores

and (probably most bizarrely)

as users incur a cost when prompted to give consent to using their data, they might reduce online purchases, leading to lower sales

To be quite clear (as politicians are fond of saying): websites are not prohibited from sharing data without the consent from “users” (if they were, most ecommerce would grind to a halt, and the internet economy would collapse); companies subject to GDPR are not required to anonymise personal data they store (if they did, they would no longer be able to operate, leading to the collapse of the economy in general); and “users” do not have to consent to the use of their data, and I am still scratching my head at why even if they did they would incur a cost.

If the authors base their findings on the economic cost of GDPR on these bases, then there are some very big questions for them to answer from anyone reviewing their paper.

I may have the wrong paper: I actually really hope the government will back up its 8% figure with something more sensible.

But regardless of the economic thinking this paper, or underpinning the developments in the statutory regime, it is possible that all the developments cohere: that the Data Protection and Digital Information Bill, when it re-emerges, will have been amended so as to have the effect of removing references to “GDPR” or the “UK GDPR”, and that this will mean that, in substance, if not in name, the principles of the UK GDPR are assimilated into a new piece of domestic legislation.

But (given that the government’s focus is on it) business, just as nature, abhors a vacuum – many business owners (and indeed many data protection practitioners) must be hoping that there is a clear route forward so that the UK’s data protection regime can be considered, and applied, with at least a degree of certainty.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, consent, Data Protection, Data Protection Act 2018, Data Protection Bill, GDPR, parliament, UK GDPR

Tagged as ,

September 26, 2022 · 4:20 pm

Government urged to take action to protect UK citizens’ information rights

The Retained EU Law (Revocation and Reform) Bill was introduced to Parliament on 22 September 2022. The Bill sets a “sunset date” of 31 December 2023 by which all remaining retained EU Law will either be repealed, unless expressly assimilated into UK domestic law. The sunset may be extended for specified pieces of retained EU Law until 2026. A large number of UK laws which cover “information rights” appear to be caught by the Bill.

Mishcon de Reya has written an open letter to the Minister of State at the Department for Digital, Culture, Media & Sport, Julia Lopez, to highlight the risk to these laws.

Government urged to take action to protect UK citizens’ (mishcon.com)

Leave a comment

Filed under access to information, Data Protection, DCMS, Environmental Information Regulations, Freedom of Information, UK GDPR

Tagged as ,

September 23, 2022 · 8:00 am

Was the Queen’s Funeral day a FOIA “working day”?

Under the Freedom of Information Act 2000 a public authority must respond to a request for information within 20 working days. For obvious reasons “working day” does not include a bank holiday. Does this mean that for FOIA requests made before Monday 19 September 2022 (the bank holiday in recognition of the late Queen’s funeral) public authorities and requesters must add an extra day when calculating when a response to the request is due? The jury is out.

Section 10(6) of FOIA defines a “working day” as

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule to that 1971 Act therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of the 1971 Act go on to add that the Sovereign can effectively remove or add a bank holiday “by proclamation”, and this was the means by which 19 September was made a bank holiday.

(In passing it’s interesting to note that those sections of the 1971 Act refer to proclamations by “Her Majesty”. Clearly “Her Majesty” could not have made the proclamation. However, by section 10 of the Interpretation Act 1978 “In any Act a reference to the Sovereign reigning at the time of the passing of the Act is to be construed, unless the contrary intention appears, as a reference to the Sovereign for the time being”.)

But the question of whether the 19 September should be classed as a working day or not for the purposes of FOIA requests which were already running, might turn on the extent to which the general presumption at common law applies, whereby legislation is not intended to have retrospective effect. See, in this regard, Lord Kerr in Walker v Innospec Limited and others [2017] UKSC 47:

The general rule, applicable in most modern legal systems, is that legislative changes apply prospectively…The logic behind this principle is explained in Bennion on Statutory Interpretation, 6th ed (2013), Comment on Code section 97:

‘If we do something today, we feel that the law applying to it should be the law in force today, not tomorrow’s backward adjustment of it.’

An exception to the general rule will only apply where a contrary intention appears.

It might be said, though, that the proclamation of a bank holiday, pursuant to a statutory power, is not in itself a legislative change to which the general rule against retrospectivity applies. I’m not sure there’s a clear answer either way.

Whether public authorities should have one extra day for a FOIA request is clearly not a constitutional issue which should trouble the great minds of our generation (although I know plenty of FOI teams and officers who are judged on their performance against indicators such as response times). Nonetheless, I asked the ICO this week what their view was, and the answer that came back was that they didn’t have a settled position on the issue, but that, in the event of a subsequent complaint about whether a deadline had been met, they would take all the circumstances into account (which I take to mean that they are unlikely to criticise a public authority whichever way it decided to approach the question).

Shortly after initially uploading this post, I was contacted by someone who pointed out that the New Zealand parliament has specifically legislated to give retrospective “non-working-day” effect to its own extraordinary bank holiday. This would seem to reinforce the point about the presumption against retrospectivity unless there’s an express intention to the contrary.

So it probably doesn’t matter, and probably no one really cares. But I enjoyed thinking about it.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner

Tagged as ,

September 6, 2022 · 11:18 am

Data Protection reform Bill on ice

A piece by me on the Mishcon de Reya website on yesterday’s news that the Data Protection and Digital Information Bill has been paused

https://www.mishcon.com/news/data-protection-reform-progress-paused

Leave a comment

Filed under Data Protection, Data Protection Bill

Tagged as ,

September 4, 2022 · 11:21 am

Breaking the code

Bletchley Park’s use of adtech means you can’t opt out of non-essential cookies and still access the website

I found this ironically sad.

Visit Bletchley Park’s website and one is presented with a cookie banner. If you’re like me you will deselect all but essential cookies – so no “preferences”, “statistics” or “marketing”

Regulation 6 of the Privacy and Electronic Marketing (EC Directive) Regulations 2003 (PECR) is behind this.

As much as one might find cookie banners annoying, they are a result of cookies being inherently intrusive. They are code placed on one’s terminal equipment; sometimes they are essential for a website’s functioning (in which case they can be placed without consent) and sometimes they are merely useful (but not essential) for the user or the operator – perhaps to get analytics, or remember preferences, or deliver targeted advertising (in which case user consent is required).

The problem with the Bletchley site is that if one refuses “non-essential” cookies (I tried on Edge, Chrome and Safari mobile), they turn out to be rather essential, because what one is left is this

I only spent a few minutes trying to work out if it was some clever puzzle you had to crack to gain access before I realised it was just poor configuration.

So, in fact, the non-essential cookies are actually essential.

I’m sure someone with some expertise in code can sort it out. It can’t be beyond the wit of those running Bletchley Park to configure a website so that it functions properly without interfering with visitors’ computers.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adtech, cookies, not-entirely-serious, PECR

Tagged as ,

September 1, 2022 · 7:12 pm

ICO investigates collection of barristers’ names

News from the Mishcon de Reya website on data protection concerns arising from criminal barristers’ dispute with the MoJ

https://www.mishcon.com/news/information-commissioner-investigates-collection-of-criminal-barristers-names

Leave a comment

Filed under Data Protection, fairness, Information Commissioner, Ministry of Justice, UK GDPR

Tagged as , ,

August 27, 2022 · 9:16 am

OMG – OCG attacks HMRC

ICO declines to take action after 1000 HMRC customer records apparently altered in 2020 by Organised Crime Gang and used to make fraudulent claims

Rather hidden away on the Information Commissioner’s Office (ICO) website is information, disclosed under the Freedom of Information Act 2000 (FOIA), in relation to an ICO investigation of a security incident involving HMRC, and an organised crime gang (OCG).

It appears that, in June 2020, an OCG had used 193 genuine National Insurance Numbers (NINOs) which it had managed to “hijack” (it is not clear how) from external sources, and set up bogus Government Gateway (GG) accounts. This subsequently “enabled the OCG to carry out enrolments on the bogus GG accounts of genuine Self-Assessment customer Unique Tax References”, which in turn enabled the submission of fraudulent tax returns with the aim of the OCG being to make fraudulent expenses claims.

It was also discovered that details of 130 of the data subjects whose NINOs had been compromised were also used to “utilise” the DWP universal credit service.

HMRC did not become aware of this incident until 2 December 2020, and it notified the ICO (pursuant to its obligations under Article 33 GDPR) on 14 December 2020.

Details of the incident also appear to be contained in HMRC’s Annual Report for the period in question, where (at page 188) it refers to an incident involving 1023 people where “Personal information [was] used to make changes to customer records on HMRC systems without authorisation”.

There are many redactions in the information that the ICO has now published, but the headline point is that it did not view the incident as a serious enough infringement of HMRC’s obligations under GDPR so as to warrant a monetary penalty. The ICO noted that

…there is no indication that any of the originating personal data used to commit the fraud was obtained from HMRC.

However, it does appear that some people might have lost money, although this has since been repaid to them:

…any repayments due to genuine customers have been (or will be) made good…and therefore all the financial losses will be HMRC’s.

Also redacted are what would probably be details of systems changes that HMRC has taken or agreed to undertake as a result of the incident. These would, says the ICO

increase the protection applied to customer records and data and make stacks of this nature more difficult…

This wording suggests that the ICO felt that the level of protection had not been adequate, in line with HMRC’s security obligations under the GDPR. That being the case, the ICO must have decided that, in this instance, despite the infringement, it wasn’t necessary, or appropriate, to issue a fine or take other enforcement action.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, GDPR, HMRC, Information Commissioner, security

Tagged as , , ,