ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized

One third of personal data breaches reported “late” to ICO

By me, on the Mishcon de Reya website.

…a recent request to the ICO under the Freedom of Information Act 2000 (FOIA) has revealed that, from the available data, of the 21705 personal data breaches notified to the ICO since May 2018, 14,365 were notified within 72 hours, and 7340 were not – meaning that approximately one third of personal data breaches are reported later than within 72 hours

Leave a comment

Filed under Breach Notification, Data Protection, data security, GDPR, Information Commissioner

Manhattan (and Syrian) Transfer

When data protection law (e.g. Chapter V of the General Data Protection Regulation (GDPR) and Article 25 of the prior Data Protection Directive) talks about a “transfer” of personal data to a third country, no one quite knows what it means: “transfer” is not defined. There’s been a fair bit of legal and academic discussion about this.

But, as far back as 2002 it has been established law that, if I upload personal data onto an internet page, so that that data becomes accessible to people outside the EU, this does not constitute a transfer of data to a third country. The Court of Justice of the European Union held so, in the case of Lindqvist (C-101/01), pointing out that, if that were the case

every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet

with the result that, if even one third country in the world did not ensure adequate protection of personal data, EU Member States – following, as they must, EU data protection law – would be obliged to prevent any personal data being placed on the internet. As a matter of public policy, and indeed of common sense, that could not have been the intention of the legislator.

But notably (and oddly, given its generally relaxed approach to international transfer issues) the Information Commissioner’s Office (ICO), eighteen years on from Lindqvist appears to take an opposing view, saying

Putting personal data on to a website will often result in a restricted transfer. The restricted transfer takes place when someone outside the EEA accesses that personal data via the website…If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the EEA, you should treat this as a restricted transfer.

Which is all well and good, but, if that is indeed the case, then how does ICO find a basis in Chapter V of GDPR for its transfer of my personal data (and others’) to, say, Syria, or South Sudan, or Cambodia, or anywhere else in the world? There is no adequacy decision in place, (presumably) no standard contractual clauses or other appropriate safeguards, and no apparent Article 49 derogation. Is this, then, an unlawful transfer?

I’m just mightily relieved we haven’t got some bizarre constitutional crisis on the immediate horizon, under which these issue are going to get even more complex.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner


A guest post by Danny Budzak.

Danny is the Senior Information Manager at the London Legacy Development Corporation and is involved in data protection and information security. He regularly delivers training and learns as much, if  not more, than he might teach. He has also worked with Silver Surfers, helping older people to get online. What he has learned makes him amazed and concerned in equal measure at the whole issue of ‘password management’.

In days gone by, confessions could be described as the aural equivalent of click-bait. Everyone wants to listen. I will start with mine. On a recent holiday, I found that space where work and the office and projects and PowerPoint presentations seemed far away. And at that point I realised I had forgotten my network password. I was convinced such a thing could never happen. I used it at least ten times a day to log on, unlock the screen, to log on, to unlock the screen. During lock-down I was probably using it more than in the office. But it had gone. Where that password should have been in my brain was nothing but a blank space. Being in the office would have mitigated the problem. It can be reset remotely. But it doesn’t work like that for many people when working remotely.

I do a lot of information security training and password training is a key part of this. I was used to watching people counting on their fingers how many characters their password had (usually eight), or counting on one hand the number of “different” passwords they use. Some could this with one finger. One password to rule them all.

Then I introduced a new exercise by asking people how many online accounts they had. Some said “about twenty…or maybe thirty”, others admitted, “I don’t have a clue”, two people with password managers knew exactly; 189, 233. Research shows that most people think they have around 20 – 30 online accounts, but they are more likely to have 120 – 130 accounts. Sit down and make a list. And that will just be the ones you can remember. What about that website where you bought tickets for an event ten years ago? It’s still there, even if you have forgotten. Just remember, the internet has a much better and far more comprehensive memory than you do.

And then the story goes like this. So if you have 120 – 130 accounts, how do you manage the passwords? “One key password with variations”, “the browser remembers them”, “I just re-set them each time”, “a small number which I swop and vary”. Why not write them down with invisible ink on a sheet of A4 and store the paper in the third book of the fourth shelf in the kitchen?

After a couple of  years I was puzzled why no-one ever asked me how I managed passwords. So I started telling them.

For my most important accounts – bank, email, social media, consumer sites – I write them down. In a book. These are long passwords – 25-30 characters long. But I write them down in such a way as they don’t look like passwords. Paradoxically, if you have a password of 1*EKLP&!!mm…!()??.< and write it down, it’s obvious it’s a password. But if you do have a password like that, you will never remember it.

For what I consider low-risk work applications (appraisal system, annual leave, bike shed booking) all the passwords are in a spreadsheet, that’s in a part of the network drive that only I can access, that is among 10,000 other files. That spreadsheet has a password on it. What could possibly go wrong?

And then the passwords for my social life – art galleries, books, music, exploring. These generally require accounts because it helps them sell to advertisers and they can do more fancy analysis of what you look at. Somewhere in the universe a database exists which shows I like the art of the Northern Renaissance, German electronic music and Italian food. It’s all a bit creepy that companies want to know this but I don’t care two hoots where that “web page usage” data goes and what Facebook or anyone else does with it. Good luck with anyone who manages to sell me anything based on that. An original Jan Van Eyck perhaps? But where there is a problem is if you use the same password for everything; because you are then at the mercy of the weakest system in which you have data. Does it matter if your password is the same for an obscure fan site of CAN as your social media account? Well yes, actually it does.

But there are already three systems here. Four if you include “saving passwords in the browser”. Five, if I have to accept that I get in a muddle with passwords sometimes and need to re-set them, or log in from a different machine. And yet the password is the key security element which we all hold and control.

I still had a vague sense that I was doing something wrong so I thought it might be worth asking my peers. I sent a very short questionnaire to two online communities which I thought might be interested. The Data Protection forum and Records Management forum on JISCmail. Nothing could have prepared me for what happened next.

This is not a scientific study, it was almost a bit of light-hearted fun. Some of the responses certainly made me laugh out loud, but for all the wrong reasons. There are no percentages or totals here, but I got the feeling that the 50 or so people who responded were a fairly representative sample. The responses very much reflected the sort of responses I have been getting in training for the past five years. “I have one password and no one will ever guess it.” Actually, it doesn’t really work like that. “I use 3 instead of E”. Wow! Don’t tell the hackers they would never think of such things. “All my passwords are in French.” That’s great. No hacking problems in France. “I use the same one but change the number at the end.” “I have a few which I interchange.” One person’s reply was so baroque that one felt like asking if they had taken part in the Napoleonic wars where cyphers and skull-duggery became ever more elaborate: “I use the names of the first team squad of  my favourite football team but I remove all the letters a and e”. This is fantastic, but it only provides 25 passwords. What about the 100 others?

Other responses made me gasp and some were so shocking that if I revealed the methods it would only help the bad people. I suspect the people who use Password1, TopCat2, OpenSesame and others kept their guilty heads down. So the problem is almost certainly worse than the responses received.

The other thing I noticed was that very few people displayed much confidence in their “methods” (although in many instances that is stretching the meaning of the word). The small minority who did display a certainty about what they did were those who were convinced that one password is enough, and those who use a password manager. And that got me thinking.

At a recent training session I started to go through password management. The different types of passwords for different types of systems; using reminders such as salsa sauce recipes (1 handful of basil, 2 tbsp lemon juice, a lot of parsley – they are actually good passwords); writing them down but also having a couple of characters which only you know; using the third page of a book. And half way through I stopped.

“This is madness”, I said, “get a password manager”.

I don’t know if they are the best way to do it, but it has got to be better than the Heath Robinson approach which so many people have.

As well as managing passwords, it will also help you understand how many accounts you have online. And if you don’t know that – which most people don’t – then how can you be in control of your own personal data?

Leave a comment

Filed under Data Protection, data security

“All right, tell me. What’s the irony?”

“What’s wrong, Oscar? – This system is wrong”

Leave a comment

Filed under Uncategorized

ICO tells ICO off for terrible FOI compliance

As any fule kno, a public authority has to comply with a Freedom of Information Act 2000 (FOIA) request within 20 working days. Where the authority fails to do so, the requester can ask the Information Commissioner’s Office (ICO) to issue a decision notice.

And so, here we have a newly published decision where the ICO is telling itself that it has overshot the twenty working day limit by almost seven months:

“it is clear that, in failing to issue a full response to this request within 20 working days, the ICO has breached section 10 of the FOIA.”

Unsurprisingly, the ICO doesn’t appear to be taking enforcement action against itself. Surprisingly, though, there seems to be no indication in the notice itself that this is an extraordinary, and extraordinarily poor, state of affairs.

I’d like to imagine this is single aberration, but it isn’t. On 12 March this year I also made a FOIA request to ICO, and I am still to get a (complete) answer. And only a couple of months ago ICO again had to rule against itself, after it took six months to respond to a request.

Leave a comment

Filed under Freedom of Information, Information Commissioner

ICO’s reasons for reducing BA’s fine – COVID not significant factor

Some media outlets who should know better have suggested COVID-19’s economic impact led to the ICO reducing its intended £183m fine for British Airways to the final £20m. In this piece on the Mishcon site, I point out that the initial figure was dropped after (and quite probably because of) strong representations from BA’s lawyers about the ICO’s reliance on a draft internal procedure for setting fine amounts.

Leave a comment

Filed under Uncategorized

Something is rotten in the state of FOI

By law, Freedom of Information Act 2000 (FOIA) requests must be responded to within 20 working days.

FOIA is regulated and (should be) enforced by the Information Commissioner’s Office (ICO).

As a public authority the ICO must also respond to FOIA requests.

So the ICO regulates (and should enforce) its own compliance with FOIA.

On 9 March 2020 I made a FOIA request to ICO, asking for the number of, and the recipients of “reprimands” issued by the ICO under Article 58(2)(b) of the General Data Protection Regulation (GDPR).

I didn’t receive a response within 20 working days (I did receive an acknowledgment of receipt on 31 March). However, I understood, and understand, the impact that COVID-19 has had on the ICO, so I realised and accepted that there might be a slight delay.

On 12 June I chased for a response.

On 16 June I was told the ICO was “working on a response”.

On 31 July I chased for a response.

On 12 August I received an apology and on 19 August a further email telling me I should receive a response by 28 August.

On 28 August I received some information: I was told how many Article 58 reprimands have been issued, but not who the recipients were. The latter would follow “shortly” as they were still “considering it”.

Despite chasing again, twice, I have heard nothing more.

So, nearly seven months after I made my FOIA request, and nearly half a year late, I still have no response from the office which is meant to regulate the law.

I really didn’t want to push this request too much. This period of pandemic has been beyond any normality, and I was very aware of the pressures the ICO must be under. But this was not a difficult request to deal with, in terms of finding the information (in fact, I would imagine they could find it in minutes). What presumably was difficult was the decision about whether to name and therefore shame the recipients of reprimands. I cannot see how COVID will have adversely affected the ability to take such a decision.

Ultimately, though, with an approach such as this from the regulator, one is left wondering – what’s the point in making FOIA requests?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Uncategorized

Tony Abbott hacking and data protection offences

The story about the hacking of Tony Abbott’s travel and other personal details, after he foolishly posted a picture of a flight boarding pass on social media, is both amusing and salutary (salutary for Abbott, and, I would suggest, Qantas and any other airline which prints boarding passes with similar details). What is also interesting to consider, is whether, if this hacking had occurred in the UK, it might have constituted an offence under data protection law.

Under section 170(1)(a) and 170(1)(c) of the Data Protection Act 2018 it is an offence for a person knowingly or recklessly…to obtain or disclose personal data without the consent of the controller, and also an offence for a person knowingly or recklessly…after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

There is at least an argument that this would have been a knowing obtaining of personal data without the consent of the controller (whether that controller was Qantas, or Abbott himself).

There are defences to both of these where the person can prove that the obtaining, disclosure, retaining etc. was in the particular circumstances, justified as being in the public interest.

Also, and this may be engaged here, it is a defence if the person acted for journalistic purposes, with a view to the publication by a person of any journalistic, academic, artistic or literary material, and in the reasonable belief that in the particular circumstances the obtaining, disclosing, retaining etc. was justified as being in the public interest. One does not have to be a paid journalist, or journalist by trade, to rely on this defence.

Prosecution in both cases may only be brought by the Information Commissioner, or with the consent of the Director of Public Prosecutions. The offences are triable either way, and punishable by an unlimited fine.

I write all this not to condemn the “hacker”, nor to condone Abbott. However, it is worth remembering that similar hacking, in the UK at least, is not without its risks.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, offences

An Uber-reaction in The Times

“Uber gives police private data on drivers and passengers” announces The Times(£) this morning.

In this post, much to my surprise (I have never taken an Uber, and don’t intend to – I don’t like their business model), I come to the defence of Uber.

A closer read of the Times piece reveals that what is being referred to, in documents filed with the High Court, in proceedings regarding TfL’s refusal to renew Uber’s licence, is requests to Uber from the police to disclose personal data for the purposes of the prevention and detection of crime or the apprehension or prosecution of offenders.

Such requests are commonly made to thousands of public authorities and private companies. They used to be known in data protection and police circles as “section 29 requests”, after the relevant section of the now-repealed Data Protection Act 1998. The term was a bit misleading: section 29, now replaced effectively by paragraph 2 of Schedule 2 to the Data Protection Act 2018, has the effect of disapplying the provisions of data protection law which would otherwise prevent the disclosure of personal data to the police (or others), and where not disclosing would be likely to prejudice the purposes of the prevention and detection of crime or the apprehension or prosecution of offenders. This is a necessary provision of data protection law, and provided that (as with all provisions) it is applied correctly and proportionately, it works very well: it gives controller the power to disclose personal data to the police where it is necessary for criminal justice.

If Uber are dealing with police requests appropriately, it is for the public good that personal data which assists the police to investigate drug transporting and human trafficking is made available to them.

In fact, I strongly suspect that The Times will receive such requests from the police. When the requests are related to the paper’s journalistic activities they are probably, and probably rightfully, refused, but they may well get requests in respect of their employees’ data, and I would be very surprised if they don’t sometimes – as a responsible company – comply with these.

Transport for London certainly receives such requests. Indeed, as a public authority, under its transparency measures, it has habitually made statistics on this public. The most recent publication I can find shows that 2012 to 2017 TfL received an average of approximately 10,000 requests each year.

Will The Times now report that TfL is handing over to the police thousands of pieces of intelligence on members of the public each year?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, data sharing, police