March 11, 2025 · 6:04 am

Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) of a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, offences

Tagged as ,

March 8, 2025 · 6:31 am

Can a data subject inspect withheld information in court proceedings?

When a controller, in response to a subject access request, has withheld personal data on the grounds of an exemption or exemptions, the data subject can apply to the court for a compliance order, under section 167 of the Data Protection Act 2018. That application will be determined by a judge who must determine whether the personal data was properly withheld or not. But general rules in adversarial proceedings do not permit one side and the judge to have access to material when the other side does not. So can the claimant and his/her lawyers therefore have access to the withheld information? Of course not – you all say – that would be absurd. However, the picture is not quite as clear as one might think.

Section 15(2) of the Data Protection Act 1998 specifically dealt with this issue: it said that the information should “be made available for [the judge’s] own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives”.

But no such provision is contained in the equivalent sections of the 2018 Act. That appears to have been a drafting error.

The issue came up in X -v- The Transcription Agency LLP [2024] 1 WLR 33, and the court there held that

it would defeat the purpose of the legislation if a person challenging the application of an exemption were to be given sight of the material for the purpose of advancing his or her arguments…It would bring about a situation in which a party seeking personal data “would have obtained the very thing which the hearing was designed to decide”

As a result, I imagine, of the X case, Parliament moved to address the lacuna in the law: the Data Protection and Digital Information Bill contained a clause which would have given the court the express power contained in section 15(2) of the 1998 Act. That Bill was, of course, dropped just before the 2024 General Election, but the Data (Use and Access) Bill, now speeding through the Commons, contains something similar, at clause 103.

And so it was that the issue again arose in recent proceedings – Cole v Marlborough College [2024] EWHC 3575 (KB) – involving a former pupil who is seeking information through subject access regarding an investigation into a disciplinary matter in his former school.

As in X, the judge noted the absence of any express power to inspect the materials without permitting their disclosure to the claimant. But, relying on X, the judge held that there was an implied power (either implied within section 167) and/or in exercise of the court’s inherent jurisdiction.

Given the impending amendment of the statute to make the power express, rather than implied, these cases will probably just become footnotes, rather than landmark judgments. But they’re interesting for illustrating how courts will find implied powers and procedures where justice demands it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, Data Protection Act 2018, judgments, subject access

Tagged as ,

March 1, 2025 · 9:20 am

Concerns over the Public Authorities (Fraud, Error and Recovery) Bill

When it comes to proposed legislation, most data protection commentary has understandably been on the Data (Use and Access) Bill, but it’s important also to note some of the provisions of the Public Authorities (Fraud, Error and Recovery) Bill, introduced in the Commons on 25 January.

The abandoned Tory Data Protection and Digital Information Bill would have conferred powers on the DWP to inspect bank accounts for evidence of fraud. To his credit, the Information Commissioner John Edwards, in evidence given on that earlier Bill, had warned about the “significant intrusion” those powers would have created, and that he had not seen evidence to assure him that they were proportionate. This may be a key reason why they didn’t reappear in the DUA Bill.

The Public Authorities (Fraud, Error and Recovery) Bill does, however, at clause 74 and schedule 3, propose that the DWP will be able to require banks to search their own data to identify whether recipients of Universal Credit, ESA and Pension Credit meet criteria for investigation for potential fraud.

But such investigative powers are only as good as the data, and the data governance, in place. And as the redoubtable John Pring of Disability News Service reports, many disabled activists are rightly concerned about the potential for damaging errors. In evidence to the Bill Committee one activist noted that “even if there was an error rate of just 0.1 per cent during this process, that would still mean thousands of people showing up as ‘false positives’, even if it just examined those on means-tested benefits”.

The Bill does not appear to confer any specific role on the Information Commissioner in this regard, although there will be an independent reviewer, and – again, creditably – the Commissioner has said that although he could not be the reviewer himself, he would expect to be involved.

It is worth also reading the concerns of the Public Law Project, contained in written evidence to the Bill committee.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, data sharing, Information Commissioner

Tagged as ,

February 19, 2025 · 1:03 pm

FOI doesn’t need a “purpose”

[reposted from my LinkedIn account]

At the close of an otherwise unobjectionable and unsurprising refusal of a Freedom of Information Act 2000 appeal (on the issue of a vexatious request), the Information Tribunal judge says this:

“FOIA exists to safeguard freedom of information. It was not enacted to serve as a tool for furthering personal campaigns and causes, however heartfelt they may be.”

When Parliament enacted FOIA it expressly declined to insert a “purpose clause”. As its explanatory notes say “A request for information can be made by any individual or body, regardless of the purpose of the application.” So if someone wants to use FOIA as a tool for furthering personal campaigns and causes, then (as long as their requests are not, as they were here, vexatious) they jolly well can. And judges should respect this.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Information Tribunal, judgments, Uncategorized

Tagged as

February 19, 2025 · 9:41 am

The state of central government transparency

[reposted from my LinkedIn account]

This is one of the most extraordinary FOIA judgments I’ve ever seen, and it says an awful lot about the approach to transparency at the centre of the civil service.

The Cabinet Office have been trying to resist disclosure under FOIA of copies of blank ministerial declaration of interest forms, on grounds that to do so would be prejudicial to the conduct of public affairs, because among other things [checks notes] “Disclosure may lead to speculative scrutiny regarding why certain elements are included in the forms, potentially leading to amendments to the form which undermines its effectiveness”.

But there’s also an extraordinary citation of a piece of evidence given by a Cabinet Office witness – the “Director of Propriety and Ethics” – to the effect that the system for Minister declaring interests relies heavily on the trust and candour of Ministers, and the effect of disclosure would be that they “may be reluctant to provide the same level of detail” than they do currently.

Let’s just think about that. Ministers have a constitutional and ethical duty to declare interests, but this relies on trust and candour, and disclosure of a blank declaration form might mean that those we trust to be candid in their ethical duty to declare those interests might decide to be less trustworthy and candid as a result? What a sorry state of affairs.

Fortunately, the Information Tribunal, like the Information Commissioner’s Office before, had no truck with these arguments, and refused the Cabinet Office’s appeal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as ,

February 12, 2025 · 9:45 am

RIP ePrivacy Regulation

[reposted from my LinkedIn account]

The ePrivacy Regulation is dead (as is – also very notably – the AI Liability Directive). The former has been a long time dying: it was first proposed in 2017, and then was subject to almost unprecedented lobbying by tech interests, which lobbying seems to have finally prevailed.

For the time being at least, then, the EU will continue to operate under a crucial law dealing with privacy of online (and telephonic) behaviour and communications which emanates from 2002 (Directive 2002/58/EC), an era when the internet as we now know it was unimaginable.

And in the UK, still effectively tied legislatively for reasons of trade and security to the EU, we will similarly (unless there’s a major jolt to our laws) still be working under the PEC Regulations of 2003 (which implemented Directive 2002/58/EC).

A slight irony is that the Data (Use and Access) Bill will almost certainly pass into UK law one of the key planned provisions of the now-shelved ePrivacy Regulation: to bring financial penalties for ePrivacy infringements onto the same level as those for GDPR/UK GDPR infringements.

So, in that regard at least, the UK will be able to say we have a stricter regime than the EU.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under DUAB, Europe, PECR

Tagged as ,

February 7, 2025 · 4:17 am

Clarity needed on NHS publication of reports into homicides

[reposted from my LinkedIn account]

Does the law need clarifying on the publication of reviews into homicides by those receiving mental health services from the NHS?

The Times led recently on stories that NHS England was refusing to publish the full independent report into the health care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023. NHSE apparently argued that data protection and patient confidentiality concerns prevented them publishing anything but a summary. Under pressure from victims’ families, and the media, NHSE about-turned, and the full report is reported to contain damning details of failings in Calocane’s treatment which were not in the summary version.

Now The Times reports that this is part of a pattern, since last year, of failure to publish full reviews of homicides by mental health patients, contrary to previous practice. It says that NHSE received legal advice that the practice “could breach data protection rules and the killers’ right to patient confidentiality”. The charity Hundred Families talks of cases where the names of victims are not published, or even the identity of the NHS Trust involved.

Of course, without seeing the advice, it is difficult to comment with any conviction, but I did write in recent days about how the law can justify publication where it is “necessary for a protective function” such as exposing malpractice, or failures in services. And it’s important to note that, in many cases, such reports show failings that mean that killers themselves have been let down by the adequacy of treatment: publication can surely, in some cases, cast light on this so that similar failings don’t happen in the future. In any case, guidance says that those preparing reports should do so with a view to their being published, and so confidentiality concerns should be taken into account in the drafting.

However, if NHSE remains concerned about the legality of publication, and if its legal advice continues to say that data protection and medical confidentiality law militated against disclosure, it strikes me that this might call for Parliament to legislate. I also believe that it would be welcomed if the Information Commissioner’s Office issued a statement on the legal issues arising.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Confidentiality, Data Protection, Information Commissioner, NHS

Tagged as , ,

February 6, 2025 · 7:47 am

Is the legal sector really suffering a flood of databreaches?

[reposted from my LinkedIn account]

There have been various articles in the media recently, reporting a significant rise in personal data breaches reported by the legal sector to the Information Commissioner’s Office. I have some real doubts about the figures.

An example article says

A new analysis of data from the Information Commissioner’s Office (ICO) by NetDocuments has revealed a sharp increase in data breaches across the UK legal sector. In the period between Q3 2023 and Q2 2024, the number of identified data breaches in the UK legal sector rose by 39% (2,284 cases were reported to the ICO, compared to 1,633 the previous year)

But something didn’t seem right about those numbers. The ICO say that they have received 60,607 personal data breach reports since their current reporting methods began in Q2 2019 (see their business intelligence visualised database), so it seemed remarkable to suggest that the legal sector was scoring so highly. And, indeed, when I look at the ICO BI data for self-reported personal data breaches, filtered for the legal sector, I see only 197 reported in Q3 2023, and, coincidentally, 197 in Q2 2024 (see attached visuals) – an increase from one relatively low number to another relatively low number of precisely 0%.

A serious question to those more proficient with data than I am – am I missing something?

If I’m not, I really think the ICO should issue some sort of corrective statement.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, data security, Information Commissioner, personal data breach

Tagged as , ,

February 5, 2025 · 8:04 am

Is information held by external solicitors “held” for the purposes of FOIA?

[reposted from my LinkedIn account]

Where an external solicitor’s firm holds information in relation to advice given by the solicitor on instructions by a public authority client, is the information held by the solicitor “on behalf of” the public authority, for the purposes of section 3(2)(b) of the Freedom of Information Act 2000?

While the matter is live, the answer is probably “yes”, but what if the public authority client has long since destroyed its own records, but the solicitor’s firm has retained its records for its own regulatory or risk purposes? Here, the answer is probably “no”.

And that is the situation which came before the Information Tribunal recently. The requester was seeking information from Sheffield City Council about a development scheme from 2007/2008. The Council had said that it would have destroyed its own records, and said that to determine whether the information was held would necessitate the inspection of 28 box files held by law firm Herbert Smith Freehills, who had been instructed by the Council at the relevant time. To even determine whether the information was held or not would exceed the costs limits in section 12 of FOIA. The ICO, in the decision notice being appealed, had agreed.

As I was reading the first few paragraphs of the Tribunal judgment, I said to myself “hang on – is this info being held by HSF on behalf of the Council, or is it being held for HSF’s purposes?” I was limbering up my fingers to write a post criticising everyone for not spotting this, so I was then pleased to see that the Tribunal, of its own volition, identified it as an issue and sought submissions from the ICO and the Council on it.

After some back and fro (it is not entirely clear from the judgment who said what in their submissions, and there was a side issue as to whether in fact the Environmental Information Regulations applied) the evidence was pretty clear that the Council had had no intention to retain the information, nor to entrust it to HSF. Accordingly, the information was not “held” for the purposes of FOIA.

I’m not sure I understand why the Tribunal did not substitute a different decision notice to reflect this (it simply dismissed the requester’s appeal), but ultimately nothing really turns on that.

What one can take from this is that solicitors and their clients (especially public authority clients) should, jointly and separately, make clear in agreements and policies what the status is of information retained by solicitors after an instruction has ceased, and how requests for such information should be dealt with.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as , ,

February 4, 2025 · 6:15 am

NHS England and publication of the Calocane report

[reposted from my LinkedIn account]

[Edited to add: the day following the upload of this post NHS England did an about turn, and published the report in full, saying “The NHS has taken the decision to publish the report in full in line with the wishes of the families and given the level of detail already in the public domain”]

NHS England is reported to be refusing, partly on data protection grounds, to publish the full independent review report into the care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023.

The report is said to be over 200 pages long, and although a summary will be published, families of the victims are calling for the full report (which they only saw after pressure from their lawyers) to be published on public interest grounds, saying “we have grave concerns about the conduct of the NHS”.

So does data protection law prevent disclosure?

The report will clearly contain details of Calocane’s health, and as such it constitutes a special category of personal data, requiring a condition for processing from Article 9 of the UK GDPR. The most likely candidate would be Article 9(2)(g):

processing is necessary for reasons of substantial public interest, on the basis of domestic law….

The domestic law provisions referred to are contained in schedule 1 to the Data Protection Act 2018. And at first glance, it is not straightforward to identify a provision which would permit disclosure.

However, paragraph 11 potentially does. It deals with processing which is necessary for a “protective function”, must be carried without the consent of the data subject so as not to prejudice that protective function and which is necessary for reasons of substantial public interest. A “protective function” includes a function which is intended to protect members of the public against failures in services provided by a body or association.

Reports into homicides by patients in receipt of mental health care are commissioned by NHS England under the Serious Incident Framework “Supporting learning to prevent recurrence”, and this says that “publication of serious incident investigation reports and action plans is considered best practice”, although “reports should not contain confidential personal information unless…there is an overriding public interest”.

I’m not saying it’s a straightforward legal question, as to whether the report can be published, but an argument can be made that there is a substantial, overriding, public interest in disclosure in order that the public can be aware of any failings and understand what actions are being taken to address them. No doubt though that NHS England’s argument would be that this is achieved by publication of the summary report.

I imagine, in any case, that freedom of information requests will be made for the full report, so ultimately we may see the Information Commissioner’s Office, and maybe the courts, rule on this.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Data Protection Act 2018, NHS, UK GDPR

Tagged as ,