(Data)setting an example

Is the ICO failing to comply with its own obligations under FOI law?

Some UK regulators are subject to the laws or rules they themselves oversee and enforce. Thus, for example, the Advertising Standards Authority should avoid advertising its services in contravention of its own code of advertising practice, the Environment Agency should avoid using a waste carrier who is not authorised to carry waste, and the Information Commissioner (ICO) – as a public authority under Schedule 1 of the same – should not breach the Freedom of Information Act 2000 (FOIA). However, I think I can point to numerous examples (I estimate there are 57 on its own website at the time of writing this) where the last has done precisely this, possibly unknowingly, or – if knowingly – with no contrition whatsoever.

In 2012 sections 11 and 19 of FOIA were amended by the Protection of Freedoms Act 2012 (POFA). POFA inserted into FOIA what are colloquially known as the “dataset provisions”. For our purposes here, what these say is that

Under its publication scheme a public authority should publish datasets that have been requested [under FOIA], and any updated versions it holds, unless it is satisfied that it is not appropriate to do so.

In short – and I take the wording above from ICO’s own guidance – if someone asks ICO for a dataset under FOIA, ICO must disclose it, put it on its website, and regularly update it (unless it is “not appropriate” to do so).

“Dataset” has a specific, and rather complex, meaning under POFA, and FOIA. However, the ICO’s own guidance nicely summarises the definition:

A dataset is a collection of factual information in electronic form to do with the services and functions of the authority that is neither the product of analysis or interpretation, nor an official statistic and has not been materially altered.

So, raw or basic data in a spreadsheet, relating to an authority’s functions, would constitute a dataset, and, if disclosed under FOIA, would trigger the authority’s general obligation to publish it on its website and regularly update it.

Yet, if one consults the ICO’s own disclosure log (its website page listing FOI responses it has made “that might be of wider public interest”), one sees multiple examples of disclosures of datasets under FOI (in fact, one can even filter the results to separate dataset disclosures from others – which is how I got my figure of 57 mentioned above) yet it appears that none of these has ever been updated, in line with section 19(2A)(a)(ii) of FOIA.

Some of the disclosures on there are of datasets which are indeed of public interest. Examples are: information on how many FOI etc requests ICO itself receives, and how timeously it handles them; information on the numbers and types of databreach reports ICO receives, and from which sectors; information on how many monetary penalties have been paid/recovered.

It’s important to note that these 57 disclosures are only those which ICO has chosen, because they are “of wider public interest”, to publish on its website. There may well be – no doubt are – others.

But if these dataset disclosures are, as declared, of wider public interest, I cannot see that ICO could readily claim that its reason for not updating them is because it is “not appropriate” to do so.

It may be that ICO feels, as some people have suggested, that the changes to FOIA wrought by POFA might not have met any pressing public demand for amended dataset-access provisions, and, therefore, compliance with the law is all a bit pointless. But there would be two problems with this, were it the case. Firstly, ICO is uniquely placed to comment on and lobby for changes to the law – if it thinks the dataset provisions are not worth being law, then why does it not say so? Secondly, as the statutory regulator for FOIA, and a public authority itself subject to FOIA, it is simply not open to it to disregard the law, even were it to think the law was not worth regarding.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, datasets, Freedom of Information, Information Commissioner

What’s in a name?

For reasons which will become obvious I have replaced the names of two people referred to in this post to “John Doe” and “Jane Doe”: I’ve no wish to perpetuate a possible wrong.

Last night I was reading a recent judgment of the High Court in the matter of an appeal by a barrister from a decision of sanction by the Bar Tribunals and Adjudication Service. The judge, Mr Justice Warby, is one of the most senior media law judges in the country. Indeed, as judge in charge of the Media and Communications List, he is arguably the most senior such judge.

Mr Justice Warby knows a lot, then, about privacy, and data protection, and harm to reputation. As the judge who decided the landmark NT1 and NT2 cases, he also knows a lot about the concept of the “right to be forgotten” and how historic, outdated or inaccurate information on the internet has the potential to cause unwarranted harm in the future.

Yet in the case I will discuss here, I think he adopts a course of action in writing his judgment (one which he implies he may well repeat in future) which has the potential to cause great harm to wholly innocent individuals.

The facts of the case are not particularly relevant. Suffice to say that the barrister in question (named Khan) was suspended because it was found that he had engaged in serious misconduct in inter alia discussing in a robing room serious allegations of sexual offences made by a former client of his against another practising barrister.

In reading the description of the agreed facts I was perturbed, to say the least, to note that the names of the former client and the alleged offender were apparently given in full:

What Mr Khan did, in summary, was this. On two occasions, in the robing rooms of two Courts in the Midlands, he spoke words that suggested to those who were present and heard him that a fellow barrister, [John Doe], had (a) stalked and then (b) raped another, female, lawyer who had been Mr Khan’s client and, (c) when she complained of this, caused serious threats to her life to be made, in an attempt to cover up what had taken place. All the information that Mr Khan had about these matters came from his former client, [Jane Doe], who was the complainant.

The explanation for using apparent full names was given by Warby J in the following paragraph:

I have…changed the name of the complainant because, as someone who has alleged rape, she is entitled to lifetime anonymity (Sexual Offences (Amendment) Act 1992, s 1). To make anonymity effective in her case, I have also changed the name of the barrister she accused. [John Doe] is not his real name. I have used this method of anonymisation, in preference to the use of initials, as it is at least as effective, less artificial, and reduces the potential for confusion

This strikes me as, with respect to the learned judge, profoundly misguided. The use of initials (obviously not the person’s actual initials) does not just anonymise the person to whom they relate, but also avoids the risk of someone else inadvertently being associated.

Because – here’s the rub – there does appear (unsurprisingly) to be a former barrister (now solicitor) called “[John Doe]”. He is clearly not the [John Doe] Warby J refers to (not least because [John Doe] in the judgment is of course a pseudonym. But, as is all too obvious in the modern world, snippets of information can sometimes become separated from their context, and used, inadvertently, or even maliciously, to harmful effect.

It is by no means unlikely that the first paragraph I quote above could be later quoted, or extracted, and read in isolation, and that the practising barrister who is really called [John Doe], but who has no connection whatsoever to the events in the judgment, could be defamed or otherwise harmed as a result.

Put it this way – if I were the practising barrister who is really called [John Doe] I would be horrified, and greatly aggrieved, by paragraph 5 of Warby J’s judgment.

A while ago, my enjoyment of a silly internet game, whereby one Googles the phrase “X was convicted of” (where X is one’s own name), was swiftly replaced by abject dismay, when I found that someone sharing my name had been convicted of a horrific offence. This was pure, if unfortunate, coincidence. What Mr Justice Warby appears to have done in this judgment, and is – I fear – proposing to do in future judgments, is deliberately try to develop (for the best of reasons) a judicial naming convention which risks great harm to wholly innocent and unwitting individuals. I hope he rethinks.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under anonymisation, defamation, Open Justice, sexual offences amendment act

GDPR doesn’t always mean “opt in”

TL;DR – the law says that when you’re buying something from them companies only have to offer you an opt out from marketing. GDPR hasn’t changed this.

I see a lot of criticism of companies on social media by people who accuse the former of not complying with the General Data Protection Regulation (GDPR). Here’s an example:

But the criticism is generally misguided. GDPR does not itself deal directly with direct marketing (other than to provide for an unqualified right to opt out of it (at Article 21(3)) and a statement in one of the recitals to the effect that the processing of personal data for the purposes of direct marketing may be regarded as carried out for a legitimate interest).

The operative law in the UK regarding electronic direct marketing is, and remains, The Privacy and Electronic Communications (EC Directive) Regulations 2003 (which implement a 2002 European Directive).

These provide that one cannot send direct marketing to an individual subscriber* by unsolicited “electronic mail” (which these days largely boils down to email and SMS) unless the recipient has consented or unless the sender

has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient…the direct marketing is in respect of that person’s similar products and services only…and the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

In plain language, this means that when you buy, or enter into negotiations to buy, a product or service from someone, the seller only has to offer an “opt out” option for subsequent electronic marketing. Nothing in GDPR changes this.

*”individual subscriber” means the person who is a party to a contract with a provider of public electronic communications services for the supply of such services- in effect, this is likely to be someone using their personal email address, and not a work one).

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, GDPR, marketing, PECR

FOI needs a strong regulator

Slightly more than twenty working days ago I made a request to a government department under the Freedom of Information Act 2000. Following the structure of section 1(1) of the same, I asked

Please confirm whether you hold [X information] regarding [Y]

If you hold this information, please disclose it.

There are relatively mundane reasons why I am keen to know the first point, and, following on from that, to have the information if it exists.

On the twentieth working day (give or take a bank holiday or two) I received a reply to the first point, but total silence on the second:

I can confirm that [government department] does hold [X information] regarding the [Y].

Although this is rather a bizarre approach to an FOI request (FOIA is after all, primarily about access to information, not just knowledge that it exists) I have no reason to think that the failure to note the second point of my very short request was anything other than an innocent mistake.

Accordingly, I pointed the mistake out to the government department, asking them to send the information by return. (I had to do this by email, because no phone number is given on the correspondence or on the relevant (sparse) website (query whether the service is accessible, therefore, to people who may have difficulties in communicating in writing.)) However, not only did I not get the information by return, I got a template reply, and a new reference number, indicating that my follow-up email is being treated as a wholly new request. I would not be surprised for it to take another twenty working days to get a substantive reply (if I’m wrong, I will update this post accordingly).

So what to do? Well, I could complain to the government department, or ask for an internal review, but that would likely take at least another twenty working days to get a response. I could complain to the Information Commissioner’s Office, but, anecdotally, I understand they are taking some months to allocate and deal with complaint, and the only likely outcome would be a declaration that the government department had failed to comply with its section 10 and section 17 FOIA obligations, and giving them another period of days to comply. I can’t make an application for judicial review because a) the idea is completely ridiculous (have you seen my bank balance?) and b) in March the High Court rather peremptorily dismissed an argument that JR should be available for FOIA cases of urgency (on the grounds that the right of appeal under the statutory scheme was sufficient.

And FOIA delays are not isolated incidents; the BBC’s Martin Rosenbaum has written recently, following up his and others’ research, about the apparent contempt with which some public authorities treat FOIA and the Information Commissioner. Yet the latter appears unwilling, despite having the powers to do so, to act. As the Campaign for Freedom of Information recently noted, her recent draft regulatory action policy effectively ignored the fact that she is responsible for FOIA regulation, as well as for data protection and eprivacy.

Data protection and privacy are certainly hot topics (try counting the number of arriviste consultants who’ve sprung up over the last year to get an idea of how hot) but freedom of information laws are a legislative expression of another fundamental human right. I don’t think it’s the case that as a society we just don’t care about FOI (look back to the MPs’ expenses scandal to see how important and high-profile it can be) so why is it that there appears to be no effective mechanism to enforce our rights in a timely way against a recalcitrant public authority?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

5 Comments

Filed under access to information, Article 10, Freedom of Information, Information Commissioner, Uncategorized

It’s not fine

I’m seeing regular discussions on social media about notification of personal data breaches under Article 33 and liability for administrative fines under Article 83 of the General Data Protection Regulation (GDPR). For instance

because Carphone Warehouse had their breach start before GDPR the ICO fines will be tiny…

…Is it breach start or reported date that makes a difference?…

…So all we need to do if you have a breach is say it started in the 24th may…

These sort of discussions overlook two points.

Firstly, the Information Commissioner’s Office has repeatedly given indications that big penalty notices (to adopt the wording of the Data Protection Act 2018, which notably avoids using the word “fine”*) will not be regularly imposed under the new regime, and nor will there be a “scaling up” of penalties.

Secondly, and crucially, penalties cannot be imposed on controllers merely because they have had, and become aware of, a personal data breach. Under Article 83, penalties can be imposed by a supervisory authority for infringements of the GDPR. The fact that a personal data breach has occurred is not proof that an infringement has also occurred. Article 4 explains that a personal data breach is

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Such personal data breaches might occur even where the controller has complied with its obligations under Article 5(1)(f) to ensure that personal data are

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

“Protection” does not impose a counsel of perfection. A personal data breach might occur but a supervisory authority might determine that the controller had done all it reasonably could, and not impose a penalty. In fact, I predict that in the vast majority of cases where controllers notify the ICO of personal data breaches, this is exactly what will happen.

So, returning to those social media discussions – what will actually determine whether GDPR applies, when it comes to the imposition of a penalty, is when the infringement took place, not when the personal data breach did.

This is not new. Some of us have been (largely vainly) arguing for years that a data security incident is not equivalent to a statutory breach, but the elision still happens.

* the word “fine” in domestic law is nearly always reserved for penalties as a sentence under criminal law.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Uncategorized

STOP THE NONSENSE PLEASE

5 Comments

Filed under Uncategorized

ICO newsletter: direct marketing, but no need to “reconsent”

I suspect everyone is now fed up to the back teeth of emails from long-forgotten and sometimes never-known businesses and organisations claiming they need us to renew our consent to receive electronic marketing from them. In many cases we never wanted the marketing in the first place and therefore almost certainly never consented to receive it, according to how “consent” has been construed in the operative law (the Data Protection Act 1998 (DPA), and, specifically, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)). Everyone is probably equally fed up with similar emails from businesses and organisations we do have a relationship with, and from whom we do want to hear. I’m not going to rehash the law on this – I’ve written and commented multiple times elsewhere (search “Jon Baines +banging head against a brick wall”), as have other, more sage people (try Tim Turner, Adam Rose or Matt Burgess).

But I did notice that the Information Commissioner’s Office (ICO) recently issued a broadly helpful corrective to some of the misinformation out there. I say “broadly helpful” because it is necessarily, and probably correctly, cautious about giving advice which could be potentially interpreted as “do nothing”. Nonetheless, it makes clear that in some cases, doing nothing may be precisely the right thing to do: although the definition of “consent” from the General Data Protection Regulation (GDPR) will drop into PECR, replacing the definition which currently applies (the one at section 11 (3) of the DPA), this does not represent a significant reconfiguring. In general, if you had proper consent before GDPR, you’ll have proper consent under GDPR, and if you didn’t, well, you probably don’t have consent to send an email asking for consent.

Even though the ICO corrective was welcome, I’d actually already begun some slightly mischievous digging.

For a number of years, through various email addresses, I have subscribed to the ICO’s email newsletter (I invite thoughts, through the “comments” function on this blog, about the adequacy of the privacy notice given when one signs up to it, but this post is not directly about that). All the nonsense emails flying round got me to thinking – the ICO newsletter is probably “direct marketing” according to the law and the ICO’s own guidance, and when it is sent to an “individual subscriber” the PECR consent requirements kick in. So, I wondered, had the ICO reviewed whether it needed to get “GDPR-standard consent”, at least from those individual subscribers?

The answer, in response to my request for information under the Freedom of Information Act 2000, is yes – the ICO have reviewed, and no, they don’t think they need to “reconsent”.

They’ve told me that

We have reviewed our e-newsletter and consent as part of our preparations for the requirements of GDPR…we do think our newsletter constitutes direct marketing [but we] don’t think we need to seek re-consent from individuals who have already consented to receive the newsletter.  The newsletter is only sent to people who asked to receive it, this was done on an opt in basis on the back of a clear question asked separately from other information. We have a record of the date they asked to receive the newsletter. There is an unsubscribe option at the end of each newsletter and we log when people tell us they don’t want to receive it anymore – we’ve reviewed that process to make sure it is robust.

Pretty clear, I think.

I post their response here in the hope it might assist those who are in a similar position are struggling to understand whether they need to send another of those stupid “reconsent” emails flying around.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Uncategorized

When will it all stop?

I saw two iterations of the same erroneous statement about the General Data Protection Regulation (GDPR) this morning, and it’s instructive to compare them.

One was in a Times article by journalist Danny Fortson. This said:

[Under GDPR] organisations large and small will have to ask for new permission to keep personal details on file

The other was contained in a brief twitter exchange which I barged into, in which a personal trainer revealed that a “GDPR consultant” had told her that she

had to regain all [client] details and destroy all the previously held info

I haven’t got anything profound to say here – just three observations: 1) GDPR absolutely does not expressly require businesses to do anything about client or customer data already held, let alone contact those people to get their consent 2) there is some shockingly bad advice about GDPR apparently being promulgated by people purporting to be competent to give it 3) there is a rather toxic feedback loop by which this shockingly bad advice is repeated in the media, and then picked up by others.

I hope it will all calm down after 25 May. And I also hope that decent people running decent businesses don’t get permanently harmed by this situation.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Uncategorized

Perennial message about GDPR

Leave a comment

Filed under Uncategorized

It’s all about the fineszzzzz

It can be unwise to make too much of reported and/or throwaway remarks, but I’m going to look at a recent reported, and possibly throwaway, remark by a senior manager from the Information Commissioner’s Office (ICO) at a recent Law Society conference on the General Data Protection Regulation (GDPR).

Giving “A perspective from the ICO” Richard Nevinson, Group Manager for Policy and Engagement, was reported by the Law Society Gazette to have said, on the subject of potential administrative fines under GDPR

If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR

This perhaps doesn’t at first blush sound that notable: the Commissioner herself – Elizabeth Denham – has been at pains, over the months leading up to GDPR coming into direct effect, to stress that, although the maximum fine will increase from £500,000 to €20m or 4% of annual global turnover (whichever is larger), such fines are not her focus:

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense

(despite this, somecommentators have continued to employ such “nonsense”).

What Nevinson said though, goes further than anything I’ve seen so far from the ICO. Because, if what he is reported to have said is correct, it would mean that we should see no change in frequency or amount of fines, unless there is a contravention on an unprecedented scale. The highest fine levied under the existing Data Protection Act 1998 (DPA) has been £400,000 (twice – once to Talk Talk and once to Carphone Warehouse) – only 80% of the current maximum. This means that the ICO cannot feel that the current maximum sets a cap which frustrates them by preventing them from issuing higher fines. One would assume, therefore, that the ICO would (must?) see GDPR’s legislative intent as being to “scale up” fines in some way. But no – says Nevinson – £X under DPA will equate to £X under GDPR.

Following that line of argument, as we have never seen a fine of £500,000 under DPA we will not see one of that size (or higher) under GDPR, unless a contravention emerges that is worse than anything seen before.

I may be wildly over-analysing what he was reported to have said, but I thought it noteworthy enough to blog about it at 06:00 in the morning, so I thought you might too.

Oh, and Nevinson might not be right or might not have been accurately reported, and I definitely might not be right. So you’d be silly to pay too much attention, and you certainly shouldn’t forget about the risks that fines may represent under GDPR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under 7th principle, Data Protection, GDPR, Information Commissioner, monetary penalty notice