Information Tribunal rejects data subject appeals under new Data Protection Act

The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Information Tribunal

ICO breaching the law it’s meant to oversee

This may be complete coincidence, but on the WhatDoTheyKnow website, there are two Freedom of Information (FOI) requests, on similar themes, which requesters have made to the Information Commissioner’s Office (ICO), to which – at the time of writing – the ICO appears simply to be failing to respond, way beyond the statutory timescale of 20 working days.

Both requests are about procurement of external consultants. In the first, the requester asked:

Please disclose all current agreements for provision of legal services by outside bodies such as barristers chambers, law firms etc. This should include the rates of pay agreed.

The request was made on the 19th February and more than three months on, has simply had no response (other than an automated acknowledgment).

In the second, the (different) requester asked:

how many times the Information Commissioner’s Office has engaged consultants, companies or other specialists to deliver services to the ICO without putting the work out to tender or otherwise advertising the opportunity externally

That request was made on the 26th February and, barring some holding responses, which seem to have dried up, it has had no substantive response.

The failure to respond is concerning, and the failure to communicate inexplicable. One wonders where the reluctance comes from.

My own recent experience of making FOI requests to them indicates a less-than-ideal level of compliance with the laws the ICO is meant to regulate. However, when, some time ago, I asked the ICO for compliance figures, they refused to disclose them, saying they would be published soon. Yet approximately six months on they still haven’t done so (which is not in compliance with the best-practice requirements of the section 45 FOI Code of Practice).

I offered the ICO an invitation to comment on this blogpost, and in response a spokesperson said: “We aim to resolve 95% of information requests within the statutory deadline, unless we have sought an extension. We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon.” No comment was made on the wider point about compliance, and publication of compliance statistics. (I would also make the observation that it’s rather surprising ICO only aims to respond to 95% of requests within the statutory deadline – surely they would (and should) aim to respond to 100% within the timeframe mandated by the law?)

I’ve previously expressed concern about the ICO’s unwillingness to take enforcement action against recalcitrant, if not contemptuous, public authorities for poor FOI compliance. Elizabeth Denham has recently (and unsuccessfully) called for an extension of FOI law, saying

Part of my job is to make sure that the legislation my office regulates fulfils its objectives and remains relevant. When it does not, I will speak out

Will she also speak out about the fact that her office is not itself complying with the legislation it regulates?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Freedom of Information, Information Commissioner, transparency

ICO – HMRC must delete 5 million voice records

I have a piece on the Mishcon de Reya website, on news that the ICO has required HMRC to delete 5 million unlawfully gathered Voice ID records.

Filed under consent, Data Protection, HMRC, Information Commissioner

Farrow & Ball lose appeal for non-payment of data protection fee

I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and, if the data is collected directly from the data subject, that information should be provided at the time it is collected).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested, surprised, astounded, well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice:

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency

ICO – no GDPR fines in the immediate pipeline

FOI request reveals ICO has served no “notices of intent” to serve fines under GDPR. A new piece by me on the Mishcon de Reya website.

Filed under Data Protection, Freedom of Information, GDPR, Information Commissioner, monetary penalty notice

MPs, Lords, councillors exempt from data protection fee

As I have previously discussed on the Mishcon de Reya website, the General Data Protection Regulation (“GDPR”) removed the requirement at European law for data controllers to “register” with their supervisory authority. However, in the UK, the need to provide a funding stream for the data protection work of the Information Commissioner’s Office (ICO) led parliament to pass laws (The Data Protection (Charges and Information) Regulations 2018 (“the Fee Regulations”), made under sections 137 and 138 of the Data Protection Act 2018 (“DPA”)) requiring controllers to pay a fee to the ICO, unless an exemption applied.

New amendment regulations (The Data Protection (Charges and Information) (Amendment) Regulations 2019) have now been passed, following a consultation run by DCMS last year. These mean that new categories of exempt processing are introduced. In short, processing of personal data by members of the House of Lords, elected representatives and prospective representatives is also now “exempt processing” for the purposes of the Fee Regulations. “Elected representative” means (adopting the definition at paragraph 23(3)(a) to (d) and (f) to (m) of Schedule 1 to the DPA)

a member of the House of Commons;
a member of the National Assembly for Wales;
a member of the Scottish Parliament;
a member of the Northern Ireland Assembly;
an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972;
an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;
a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
the Mayor of London or an elected member of the London Assembly;
an elected member of the Common Council of the City of London, or the Council of the Isles of Scilly;
an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972;
a police and crime commissioner.

But, it should be noted, MEPs’ processing is not exempt, and, for the time being at least, they must still pay a fee.

Filed under Data Protection, DCMS, GDPR

Computer says “no”

I have another piece up on the Mishcon de Reya Data Matters site:

Computer says no – data protection and reasonable adjustments

Filed under Uncategorized

Regulatory cooperation and information sharing

I have a new piece up on the Mishcon de Reya Data Matters pages. You can read it here.

Filed under Uncategorized

There’s nothing like transparency…

…and this is nothing like transparency

Those of us with long memories will remember that, back in 2007, in those innocent days when no one quite knew what the Freedom of Information Act 2000 (FOIA) really meant, the Information Commissioner’s Office (ICO) disclosed some of its internal advice (“Lines to Take” or “LTTs”) to its own staff about how to respond to questions and enquiries from members of the public about FOIA. My memory (I hope others might confirm) is that ICO resisted this disclosure for some time. Now, the advice documents reside on the “FOIWiki” pages (where they need, in my opinion, a disclaimer to the effect that some of them at least are old, and perhaps out-of-date).

Since 2007 a number of further FOIA requests have been made for more recent LTTs – for instance, in 2013, I made a request, and had disclosed to me, a number of LTTs on data protection matters.

It is, therefore, with some astonishment, that I note that a recent FOIA request to ICO for up-to-date LTTs – encompassing recent changes to data protection law – has been refused, on the basis that, apparently, disclosure would, or would be likely to, inhibit the free and frank exchange of views for the purposes of deliberation, and would otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs. This is problematic, and concerning, for a number of reasons.

Firstly, the exemptions claimed, which are at section 36 of FOIA, are the statute’s howitzers – they get brought into play when all else fails, and have the effect of flattening everything around them. For this reason, the public authority invoking them must have the “reasonable opinion” of its “qualified person” that disclosure would, or would be likely to, cause the harm claimed. For the ICO, the “qualified person” is the Information Commissioner (Elizabeth Denham) herself. Yet there is no evidence that she has indeed provided this opinion. For that reason, the refusal notice falls – as a matter of law – at the first hurdle.

Secondly, even if Ms Denham had provided her reasonable opinion, the response fails to say why the exemptions are engaged – it merely asserts that they are, in breach of section 17(1)(c) of FOIA.

Thirdly, it posits frankly bizarre public interest points purportedly militating against disclosure, such as that the LTTs “exist as part of the process by which we create guidance, not as guidance by themselves”, and “that ICO staff should have a safe space to provide colleagues with advice for them to respond to challenges posed to us in a changing data protection landscape”, and – most bizarre of all – “following a disclosure of such notes in the past, attempts have been made to utilise similar documents to undermine our regulatory procedures” (heaven forfend someone might cite a regulator’s own documents to advance their case).

There has been such an enormous amount of nonsense spoken about the new data protection regime, and I have praised ICO for confronting some of the myths which have been propagated by the ignorant or the venal. There continues to be great uncertainty and ignorance, and disclosing these LTTs could go a long way towards combatting these. In ICO’s defence, it does identify this as a public interest factor militating in favour of disclosure:

disclosure may help improve knowledge regarding the EIR, FOIA or the new data protection legislation on which the public desire information as evidenced by our increase in calls and enquiry handling

And as far as I’m concerned, that should be the end of the matter. Whether the requester (a certain “Alan Shearer”) chooses to challenge the refusal is another question.

Filed under Data Protection, Freedom of Information, GDPR, Information Commissioner, transparency