June 16, 2014 · 6:47 pm

A public interest test in the Data Protection Act?

Mr Justice Cranston has suggested that there is a public interest factor when considering whether disclosure of personal data would be “fair” processing. I’m not sure that is right.

The first data protection principle (DPP1) in Schedule 1 of the Data Protection Act 1998 (DPA) says that personal data must be processed “fairly” (and lawfully). But what does “fairly” mean?

In an interesting recent case (AB v A Chief Constable [2014] EWHC 1965 (QB)) the High Court determined that, on the very specific facts, it would not be fair, in terms of DPP1, and common law legitimate expectation, for a Chief Constable to send a second, non-standard, reference to the new employer of a senior police officer who was subject to disciplinary investigation. (The judgment merits close reading – this was by no means a statement of general principle about police references). The reason it would not be fair was because the officer in question had tendered his resignation upon the sending of the initial, anodyne, reference, and the force had terminated misconduct proceedings:

He was thus in the position that for the Force to send the second reference would most likely leave him without employment and without the opportunity to refute the gross misconduct allegations. In these special circumstances it would be a breach of the Data Protection Act 1998 and undermine his legitimate expectations for the second reference to be sent [¶94]

Something in particular struck me about the judge’s analysis of DPP1, although, given the outcome, it was not determinative. He rejected a submission from the claimant officer that the duty of fairness in the DPP1 and the European Data Protection Directive was a duty to be fair primarily to the data subject. Rather, correctly identifying that the privacy rights in the Directive and the DPA are grounded in article 8 of the European Convention on Human Rights and in general principles of EU law, he held that

The rights to private and family life in Article 8 are subject to the countervailing public interests set out in Article 8(2). So it is here: assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure [¶75]

I am not sure this is right. Recital 28 of the Directive says

Whereas any processing of personal data must be lawful and fair to the individuals concerned [emphasis added]

and recital 38 suggests that whether processing is “fair” is in large part dependent on whether the data subject is made aware of the processing and the circumstances under which it takes place. These recitals give way to the descriptions in Articles 10 and 11 which both talk about “fair processing in respect of the data subject” (again, emphasis added). Similarly Part II of Schedule One to the DPA provides interpretation to DPP1, and says that in determining whether personal data are processed fairly

regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed

Admittedly this introduces “any person”, which could be someone other than the data subject, but more general considerations of public interest are absent. It is also notable that the Information Commissioner’s position in guidance seems predicated solely on the belief that it is the data subject’s interests that are engaged in an analysis of “fairness”, although the guidance does conceded that processing might cause some detriment to the individual without it being unfair, but I do not think this is the same as taking into account public interest in disclosure.

To the extent that a public interest test does manifest itself in DPP1, it is normally held to be in the conditions in Schedules 2 and 3. DPPP1 says that, in addition to the obligation to process personal data fairly and lawfully, a condition in Schedule 2 (and, for sensitive personal data, Schedule 3) must be met. Many of these conditions contain tests as to whether the processing is “necessary”, and that “necessity test” constitutes a proportionality test, as described by Latham LJ in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends

To import a public interest test into the word “fairly” in DPP1 seems to me to be a potentially radical step, especially when disclosures of personal data under the Freedom of Information Act 2000 (FOIA) are being considered. As I say – I doubt that this is correct, but I would welcome any contrary (or concurring) opinions.

(By the way, I at first thought there was a more fundamental error in the judgment: the judge found that a rule of law was engaged which ordinarily would have required the Chief Constable to send the second reference:

the public law duty of honesty and integrity would ordinarily have demanded that the Chief Constable send the Regulatory Body something more than the anodyne reference about the claimant [¶93]

If a rule of law necessitates disclosure of personal data, then the exemption at section 35 DPA removes the requirement to process that data fairly and lawfully. However, I think the answer lies in the use of the word “ordinarily”: in this instance the doctrine of legitimate expectation (which the claimant could rely upon) meant that the public law duty to send the second reference didn’t apply. So section 35 DPA wasn’t engaged.)

 

 

 

 

 

7 Comments

Filed under Confidentiality, Data Protection, human rights, police

Tagged as , ,

June 15, 2014 · 9:08 pm

Virgin on the ridiculous

UPDATE 15.12.14: I think the comments on this piece take it further, and I do accept (as I did at the time, in fact) that the “password” in question was not likely to relate to customers’ accounts.
END UPDATE.

I got into a rather odd exchange over the weekend with the people running the Virgin Media twitter account. It began when, as is my wont, I was searching for tweets about “data protection” and noticed an exchange in which someone had asked Virgin Media whether their sales people rang customers and asked them to give their passwords. Virgin Media kindly appeared to confirm they did, and that

it’s for security as we can’t make any changes without data protection being passed

I asked for clarification, and this exchange ensued

[ME] Is it true your sales people call customers and ask for their account passwords? If so, are these unsolicited calls?

[VM] Yes this is true, our sales team would call and before entering your account, would need you to pass account security. I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same. If you give us a call on 150/03454541111 we can get this cleared up. Let me know how you get on

[ME] Thanks. Not a customer. Just interested in what seems like questionable practice being defended under guise of data protection

[VM] We contact our customers if there upgrade is due, or for a heath check on accounts, and a few other instances, but I get where your coming from [sic]

There’s nothing unlawful about this practice, and I assume that the accounts in question are service and not financial ones, but it doesn’t accord with normal industry practice. Moreover, one is warned often enough about the risks of phishing calls asking for account passwords. If a legitimate company requires or encourages its sales staff to do this, it adds to a culture of unnecessary risk. There are better ways of verifying identity, as their social media person seems to accept, when they say “I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same”.

One thing I’m certain about, though, is that isn’t any part of “passing data protection” (unless they mean bypassing) to make outbound calls and ask for customer passwords.

On a final note, and in admiration of bare-faced cheek, I highlight the end of my exchange with Virgin Media

If you want, as your not a customer, you can check out our brill offers here [removed] maybe we could save you a few pounds?

That’s an offer I most certainly can refuse.

(By the way, as it’s an official Virgin Media account, I’ve taken what I was told on Twitter at face value. If I have misunderstood any of their policies on this I’d be happy to correct).

UPDATE:

Virgin Media’s Twitter account appears to have confirmed to me a) that they do ask for customers’ passwords on outbound sales calls, and b) that they see nothing wrong with it. And rather hilariously, they say that “we can discuss further” if I will “pop a few details” on their web form for social media enquiries. No thanks.

12 Comments

Filed under Data Protection, Let's Blame Data Protection, marketing, nuisance calls, PECR, social media

Tagged as ,

June 13, 2014 · 12:23 pm

Ticking off Neelie Kroes (sort of)

In which I take issue with the European Commission V-P about what the Consumer Rights Directive says about pre-ticked boxes

I found myself retweeting what I think was a rather misleading message from the Vice-President of the European Commission, Neelie Kroes. Her tweet said

You know those annoying “pre-ticked boxes” on shopping/travel websites? They’re banned in #EU from today http://europa.eu/rapid/press-release_IP-14-655_en.htm#eCommerce

I thought this was very interesting, particularly in light of my recent post about the implying of consent to electronic marketing if people forget to untick such boxes. The EU press release itself does say at one point

Under the new EU rules…consumers can now rely on…A ban on pre-ticked boxes on the internet, as for example when they buy plane tickets

But, it earlier says

The new rules also ban…pre-ticked boxes on websites for charging additional payments (for example when buying plane tickets online)

The emphasis I’ve added in that last quote is crucial. What DIRECTIVE 2011/83/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 October 2011 on consumer rights actually proscribes is the contractual binding of a consumer to any payment in addition to the original remuneration agreed on if

the trader has not obtained the consumer’s express consent but has inferred it by using default options which the consumer is required to reject in order to avoid the additional payment

 So, as the press release explains,

When shopping online –for example when buying a plane ticket – you may be offered additional options during the purchase process, such as travel insurance or car rental. These additional services may be offered through so-called pre-ticked boxes. Consumers are currently often forced to untick those boxes if they do not want these extra services. With the new Directive, pre-ticked boxes will be banned across the European Union.

I happen to think that that text should more properly say “With the new Directive, pre-ticked boxes of this sort will be banned across the European Union”.

So, no ban on pre-ticked boxes themselves, just on those which purport to bind a consumer to an additional payment under a contract.

The Directive has been implemented in the UK by  The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 and associated The Enterprise Act 2002 (Part 8 EU Infringements) Order 2013 the former of which says (at regulation 40)

Under a contract between a trader and a consumer, no payment is payable in addition to the remuneration agreed for the trader’s main obligation unless, before the consumer became bound by the contract, the trader obtained the consumer’s express consent.. There is no express consent (if there would otherwise be) for the purposes of this paragraph if consent is inferred from the consumer not changing a default option (such as a pre-ticked box on a website)

Having said all this, I do think it is interesting that clearly-defined concepts of “express consent” are making their way into European and domestic legislation. And in due course, we may even find that, for instance, electronic marketing will be restrained unless similarly clearly-defined express consent is given. But not just yet.

Update: Ms Kroes kindly replied to me, saying it’s difficult to get a message across in 140 characters. So true.

 

 

 

 

Leave a comment

Filed under Data Protection, Europe, marketing, PECR

Tagged as ,

June 12, 2014 · 1:44 pm

The Ministry of Poor Record Keeping?

If the Ministry of Justice really can’t search the text of emails for information, how can it comply with the FOI Code of Practice on Records Management?

In performing his functions under the Freedom of Information Act 2000 (FOIA) the Information Commissioner (IC) must promote the observance by public authorities of codes of practice issued under section 45 and section 46 of FOIA. Section 46 provides for a code of practice to be issued by the Lord Chancellor as to desirable practice for public authorities for the keeping, management and destruction of their records. A code was duly issued by the then Lord Chancellor Lord Irvine in 2002.

So, when deciding whether, for instance, a public authority has complied with its obligations under part 1 of FOIA (i.e. has it properly responded to a request for information?) the IC should, I submit, take into account where necessary whether the authority is complying with the Records Management Code.

With this in mind, consider the Ministry of Justice’s (MoJ) reported response to an FOI request for any mentions on its systems of the Howard League for Penal Reform. As Ian Dunt reports, the MoJ said that

On this occasion, the cost of determining whether we hold the information would exceed the limit set by the Freedom of Information Act

I have seen the MoJ response in question, and I accept that it is legitimate for a public authority to refuse to disclose information if the costs of determining whether it is held exceeds the limit prescribed by regulations (although authorities have an obligation under section 16 FOIA to advise and assist applicants as to how they might reframe their request to fall within the cost limits, and the MoJ have failed to do this). However, while the response refers to a necessity to search paper records, it also says

A manual search is required as central search functions (for example, those on email systems) would not identify all correspondence  – for example, if the Howard League for Penal Reform was mentioned in the body of the text

This appears to suggest, as Ian says, that “they can only search electronically for the headline of an email, not the body of a message”

If this is true (which seems extraordinary, but one is sure it must be, because intentionally to conceal information which otherwise should be disclosed under FOIA is an offence) it would appear to be contrary to the desirable practice in the Records Management Code, which says that

Records systems should be designed to meet the authority’s operational needs and using them should be an integral part of business operations and processes. Records systems should…enable quick and easy retrieval of information. With digital systems this should include the capacity to search for information requested under [FOIA]

It would be most interesting if the Howard League were to refer this to the IC for a decision. The IC rarely these days mentions the Records Management Code, but as the Code itself says

Records and information are the lifeblood of any organisation. They are the basis on which decisions are made, services provide and policies developed and communicate

Not only does poor records management affect compliance with FOIA (and other legal obligations), but it is not conducive to the reduction of back-office costs, developing new ways of working, and driving economies of scale (all things, of course, which the current Lord Chancellor prays in aid of his potentially devastating changes to legal aid provision).

p.s. As @Unity_MoT points out on twitter, if the MoJ struggles to search its systems to respond to FOIA requests, how does it undertake searches for responding to subject access requests under section 7 of the Data Protection Act 1998? See e.g. page 17 of the IC Code of Practice on Subject Access:

Not only should your systems have the technical capability to search for the information necessary to respond to a SAR, but they should also operate by reference to effective records management policies

 

Leave a comment

Filed under Freedom of Information, Information Commissioner, records management

Tagged as ,

June 12, 2014 · 8:10 am

Nominal damages give rise to distress compensation under the Data Protection Act – AB v Ministry of Justice

An award of nominal DPA damages in the High Court.

Whether, or in what circumstances, compensation may be awarded to a claimant who shows a contravention by a data controller of any of the requirements of the Data Protection Act 1998 (DPA), is a much-debated issue. It is also, occasionally, litigated. One key aspect is when compensation for distress might be awarded.

Section 13 of the DPA provides, so far as is relevant here, that

(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)the individual also suffers damage by reason of the contravention

The general interpretation of this has been that compensation for distress, in the absence of pecuniary damage, is not available. The leading case on this is Johnson v The Medical Defence Union Ltd (2) [2006] EWHC 321 and on appeal Johnson v Medical Defence Union [2007] EWCA Civ 262, with Buxton LJ saying in the latter

section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered

However in allowing an appeal in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446, and directing that the case go to trial, the Court of Appeal was prepared to consider a different view

It seems to us to be at least arguable that the judge [in the first instance] has construed ‘damage’ too narrowly, having regard to the fact that the purpose of the Act was to enact the provisions of the relevant Directive

But that case was ultimately settled before trial, and the issue left undecided.

Clearly, the decision in Johnson is potentially controversial, especially in cases (of which Johnson was not one) where the UK’s obligations under the European Data Protection Directive, and data subjects’ associated rights under the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union, are taken into account. This much was recognised by Tugendhat J, in giving permisssion to the applicants in Vidal -Hall & Ors v Google Inc [2014] EWHC 13 (QB) to serve on Google Inc out of jurisdiction. He noted (¶83-104) academic statements on the issue, as well as the European Commission’s view that the UK DPA wrongly restricts “[t]he right to compensation for moral damage when personal information is used inappropriately”, and said

This is a controversial question of law in a developing area, and it is desirable that the facts should be found. It would therefore be the better course in the present case that I should not decide this question on this application.

I shall therefore not decide it. However, in case it is of any assistance in the future, my preliminary view of the question is that Mr Tomlinson’s submissions are to be preferred, and so that damage in s.13 does include non-pecuniary damage

This is a fascinating point, and detailed judicial consideration of it would be welcomed (it may also be at issue in the impending case of Steinmetz v Global Witness Ltd) but, in the meantime, a question exists as to whether nominal pecuniary damage opens the door to awards for distress. In Johnson, the cost of a £10.50 breakfast had opened the door, but this was actual (if minor) damage. Last year, the Court of Appeal avoided having to decide the issue when the defendant conceded the point in Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 (about which I blogged last year). However, in a very recent judgment, AB v Ministry of Justice [2014] EWHC 1847 (QB), which takes some wading through, Mr Justice Baker does appear to have proceeded on the basis that nominal damages do give rise to distress compensation.

The case involves an (anonymous) partner in a firm of solicitors who, as a result of events involving the coroner following his wife’s tragic death, made a series of subject access requests (under the provisions of section 7 DPA). The Ministry of Justice (MoJ) did not, it seems, necessarily handle these well, nor in accordance with their obligations under the DPA, and when it came to remedying these contraventions (which consisted of delayed responses) the judge awarded nominal damages of £1.00, before moving on to award £2250 for distress caused by the delays.

What is not clear from the judgment is to what extent the judge considered the MoJ’s submission that compensation for distress was only available if an individual has also suffered damage. The answer may lie in the fact that, although he awarded nominal damages, the judge accepted that AB had suffered (actual) damage but had “not sought to quantify his time or expense”. Query, therefore, whether this is a case of purely nominal damage.

One hopes that Vidal-Hall and Global Witness give the occasions to determine these matters. One notes, however, the vigour with which both cases are being litigated by the parties: it may be some time before the issue is settled once and for all.

 

Leave a comment

Filed under damages, Data Protection, Directive 95/46/EC, human rights

Tagged as ,

June 9, 2014 · 3:08 pm

ICO’s power to refuse to decide cases is rarely used

The “filter” of section 50(2)(c) of the FOI Act allows the Information Commissioner to refuse to make a decision on frivolous or vexatious applications. It is rarely used. What an exciting intro to a blog post eh?

The First-tier Tribunal (Information Rights) (FTT), recently refused an application by Leeds City Council for an award of costs against a requester whose requests had been held by the Information Commissioner (IC), and the FTT itself, as vexatious under section 14(1) of the Freedom of Information Act 2000 (FOIA). Alistair Sloan has blogged about the decision itself, and I would commend his piece to readers, but an observation by the judge led me make an FOI request of my own.

After noting that

it must be possible, depending on the circumstances, for the maker of a request regarded by everyone else as vexatious, to defend his or her position on that point without automatically being treated under the costs Rules as behaving unreasonably

the judge adverted to section 50(2)(c) of FOIA. This permits to IC to not make a decision whether a public authority has complied with its FOIA obligations if the application for the decision is itself “frivolous or vexatious”. (This must be distinguished from a decision as to whether the original FOI request to the public authority was, pursuant to section 14(1), vexatious). It gives the IC an exception to the general requirement to make a formal decision on all cases where the applicant asks for one. The judge said

it is right to remember the protections which already exist for public authorities in the context of vexatious requests or hopeless appeals. Before a right of appeal is even a gleam in the Tribunal’s eye, there must be a complaint to the Information Commissioner (ICO). If the complaint to the ICO appears to be “frivolous or vexatious,” then there is no need for him even to make any decision appealable to the Tribunal. See Section 50(2) FIA

but then went on to note that he was

not aware of any published information about the extent to which the ICO makes use of this important provision.

 Ever keen to help our judiciary, I asked the IC, via What Do They Know. With admirable promptness they disclosed to me that, in the years for which records are retained (2007 onwards), the IC has declined to serve a decision notice because he considers the application vexatious or frivolous only 18 times (which breaks down into 16 frivolous and 2 vexatious).

Clearly, the IC considers this exceptional power to be just that – one that should be used only in exceptional cases, and maybe its use in 0.3% of cases accords with that. But in my research for this piece I did dig up again the IC’s submission to the Justice Committee for the latter’s 2012 post-legislative scrutiny of FOIA, and I noticed that there was this comment

For some reason Parliament made a distinction between this provision [section 50(2)(c)] and that in section 14(1) applying to requests to public authorities.

This strikes me as odd. It is quite clear that there is an important distinction between a vexatious request to a public authority and a frivolous or vexatious application for a decision. A requester could make a request to a public authority which was not in any way vexatious, yet choose to pursue the matter by applying for a decision in a way that made that application frivolous or vexatious. And it seems to me that this was what Judge Warren in the FTT was alluding to, and why it would be highly unusual – and potentially oppressive – to award costs against someone appealing a refusal of a vexatious request. Rule 10(1)(b) of the relevant tribunal rules does allow for the award of costs for unreasonably bringing (as opposed to conducting) the proceedings, but the availability of the filter of section 50(2)(c) FOIA should mean that it would be extraordinarily unusual for such an award ever to be made.

A final observation from me. The wording of section 50(2)(c) seems to make it clear that, as the IC would make no decision in a case where the application is frivolous or vexatious, then no possible right of appeal to the FTT could exist (and, therefore, judicial review would be the only legal remedy available). This would be in contrast to cases such as Sugar and (currently at case management stage in the Upper Tribunal) Cross v IC  where what is at issue is whether a decision by the IC that an organisation is not a public authority for the purposes of FOIA constitutes an appealable “decision”.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, judiciary, vexatiousness

Tagged as ,

June 6, 2014 · 12:11 pm

Piles of cash for claiming against spammers? I’m not so sure

I am not a lawyer, but I’m pretty certain that most commercial litigation strategies will be along the lines of “don’t waste lots of money fighting a low-value case which sets no precedent”. And I know it is a feature of such litigation that some companies will not even bother defending such cases, calculating that doing so will cost the company much more, with no other gain.

With this in mind, one notes the recent case of Sky News producer Roddy Mansfield. His employer itself reported (in a piece with a sub-heading  “John Lewis is prosecuted…”, which is manifestly not the case – this was a civil matter) that

John Lewis has been ordered to pay damages for sending “spam” emails in a privacy ruling that could open the floodgates for harassed consumers.

Roddy Mansfield, who is a producer for Sky News, brought the case under EU legislation that prohibits businesses from sending marketing emails without consent

The case appears to have been brought under regulation 30 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Those regulations, as the title suggests, give effect to the UK’s obligations under the snappily titled Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Regulation 30(1) of PECR provides that

A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage

It appears that Mr Mansfield created an account on the John Lewis website, and omitted to “untick” a box which purported to convey his consent to John Lewis sending him marketing emails. It further appears that in the County Court Mr Mansfield successfully argued that the subsequent sending of such emails was in breach of regulation 22(2), which provides in relevant part that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent…

Assuming that this accurately reflects what happened, I think Mr Mansfield was probably correct to argue that John Lewis had breached the regulations: the Information Commissioner’s Office (ICO) guidance states that

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user

For a detailed exposition of the PECR provisions in play, see Tim Turner’s excellent recent blog post on this same story.

I’ve used the word “appears” quite a bit in this post, because there are various unknowns in this story. One of the main missing pieces of information is the actual amount of damages awarded to Mr Mansfield. Unless (and it is not the case here) exemplary or aggravated damages are available, an award will only act as compensation. It has been said that

The central purpose of a civil law award of damages is to compensate the claimant for the damage, loss or injury he or she has suffered as a result of another’s acts or omissions, and to put the claimant in the same position as he or she would have been but for the injury, loss or damage, so far as this is possible

So I doubt very much whether the award to Mr Mansfield was anything other than a small sum (so the albeit tongue-in-cheek Register reference to a PILE OF CASH is very probably way off the mark) . I have asked him via his twitter account for details, but have had no reply as yet.

Perhaps the most important aspect of this story, though, is the extent to which it indicates the way the courts might interpret the relevant consent provisions of PECR. As this was a case in the County Court it sets no precedent, and, unless someone decides to pay for a transcript of the hearing we’re very unlikely to get any written judgment or law report, but the principles at stake are profound ones, concerning how electronic marketing communications can be lawfully sent, and about what “consent” means in this context.

The issue will not go away, and, although I suspect (referring back to my opening paragraph) that John Lewis chose not to appeal because the costs of doing so would have vastly outweighed the costs of settling the matter by paying the required damages, it would greatly benefit from some proper consideration by a higher court.

And another important aspect of the story is whether behaviours might change as a result. Maybe they have: I see that John Lewis, no doubt aware that others might take up the baton passed on by Mr Mansfield, have quietly amended their “create an account” page, so that the opt-in box is no longer pre-ticked.

jl

UPDATE: 7 June

In a comment below a pseudonymed person suggests that the damages award was indeed tiny – £10 plus £25 costs. It also suggests that John Lewis tried to argue that they were permitted to send the emails by virtue of the “soft opt-in” provisions of regulation 22(3) PECR, perhaps spuriously arguing that Mr Mansfield and they were in negotiations for a sale.

9 Comments

Filed under damages, Data Protection, Information Commissioner, marketing, PECR

Tagged as

June 5, 2014 · 4:24 pm

Right now, you are being monitored

This morning, as I was leaving the house for work, I wanted to check the weather forecast so started tapping and swiping away at my newish iPhone to find the weather screen. I was startled to see some text appear which said

Right now, it would take you about 11 minutes to drive to [workplace address]

(It looked a bit like this (not my phone I stress)).

It was correct, it would indeed take me about that long to drive to work at that time, but I was genuinely taken aback. After a bit of research I see that this was a new feature in iOS7, (and, indeed, the weather widget was lost at the same time). Sure enough, I find that my new phone has been logging frequently visited locations, but must have also been logging the fact that I travel between A (home) and B (work) frequently. It is described by Apple as being a way to

Allow your iPhone to learn places you frequently visit in order to provide useful location-related information

I’m not going to argue whether this is a useful service or not, or even whether on general principles it is concerning or not. What I am going to say is that, because I’ve not had much time recently to sit down and learn about my new phone, to customise it in the most privacy-friendly way, I’ve been saddled with a default setting which has captured an extraordinarily accurate dataset about my travel habits without my knowledge. And yes, I know that tracking is a prerequisite of mobile phone functionality, but I would just rather it was, as default, limited to the bare minimum. 

p.s. to turn off this default setting, navigate to Settings/Privacy/Location Services [scroll to very bottom]/System Services/Frequent Locations and set to “off”

 

Leave a comment

Filed under Data Protection, interception, Privacy, surveillance, tracking

Tagged as

May 30, 2014 · 8:46 am

Data Protection in the Court System

The Lord Chief Justice’s welcome call for a modern ICT system for the courts of England and Wales does, at the same time, raise concerns about the data protection compliance of the current systems

If a representative of a public sector data controller, responsible for processing huge amounts of manual and electronic sensitive data (of all categories), were to concede that their systems for handling this data “were recognised as outdated more than 15 years ago” it would – one imagines – raise a few eyebrows in Wilmslow. Outdated systems are, by default, systems which are unlikely to indicate compliance by the relevant data controller with the seventh data protection principle:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A serious contravention of the obligation to comply with that principle can lead to monetary penalty notices to a maximum sum of £500,000, as many data controllers know to their cost.

But such a concession is just what the Lord Chief Justice of England and Wales appeared to make at the Annual Lecture of the Society of Computers and Law on 20 May in London. In his lecture he referred to

 re-entering information on different systems, using and holding paper files, diaries that are manual and unreliable telephonic and video communications

He spoke of how

Once papers are misfiled they are lost. In a number of parts of the country it is difficult to find people to do the filing at a wage which HMG is prepared to pay

and that

Save for using Outlook, judges have no electronic filing system for their administration. Outside the most senior Judiciary, very little clerical support is available for the judges

 All of this is enough to make most data security and data protection officers have sleepless (and screamful) nights.

In fairness to Lord Thomas, a) he was reflecting his own personal views, and b) his lecture, which laid out the history of how things had got to this state, was admirably aimed at seizing an opportunity to modernise. However, it did make me wonder how the judicial system appears to have largely avoided the steely enforcement glare of the Information Commissioner. I think this is probably, in part, because it is highly complicated when looked at through the lens of the Data Protection Act 1998 (DPA). The DPA distinguishes between data controllers and data processors, with former attracting all the legal obligations and liabilities under the Act. A data controller is, by section 1(1) of the DPA

a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

Applying this to the situations which obtain in the court system is not an easy task (although it isn’t uniquely difficult – the distinction between data controller and processor is a notoriously complex, and perhaps increasingly artificial, one to establish). It seems to me that, with the sorts of personal data being processed as part of a legal claim or trial before a court, there may be multiple data controllers doing different things with the same or similar data – the parties, their legal representatives, the court staff, and the judiciary are those which immediately come to mind. In such circumstances we are probably talking about data controllers in common (“where data controllers share a pool of personal data, each processing independently of the other”*).

What is certain is that the Judicial Office for England and Wales considers the judiciary to be data controllers at least for some personal data and some acts of processing which take place within the court system. In a document entitled “Judicial Responsibilities and the Data Protection Act 1998” it says that

It is now acknowledged that individual judicial office-holders are data controllers in circumstances in which they determine the purpose for which and the manner in which any personal data is processed. This is so in relation to data processed in the exercise of any judicial functions

And another document “IT and Information Security Guidance for the Judiciary” contains generally sensible advice to judiciary on ICT security, but fine words butter no parsnips, and if the reality, as suggested by the Lord Chief Justice’s lecture (and, indeed, anecdotal evidence I have seen and heard) does not match up to the intentions of that document, then it would point to potentially serious contraventions of the DPA.

In April 2013 the Information Commissioner’s Office published the summary outcome of a data protection audit it had performed – by consent – on HM Courts and Tribunals Service. The audit gave the ICO “reasonable assurance” but one notes that it focused on data protection governance, training, and subject access requests, and did not appear to encompass security. And, for the reasons discussed earlier in this post, HMCTS are only one of the data controllers in play in the court system. In the rather unlikely event that the ICO decided to seek to audit them, would judges pass so easily?

*ICO Data Protection Legal Guidance, page 16

Leave a comment

Filed under Data Protection, Information Commissioner, judiciary, monetary penalty notice

Tagged as ,

May 29, 2014 · 4:31 pm

Articles on care.data

I thought I was rather flogging the care.data horse on this blog, so, in the spirit of persistence, I thought why not go and do it somewhere else? The Society of Computers and Law kindly asked me to write a broadly “anti” piece, while asking Martin Hoskins to do a broadly “pro” one. They are here:

Care.data the Cons
Care.data the Pros

I am pleased to announce that Martin and I are still on speaking terms.

Leave a comment

Filed under care.data, Data Protection, data sharing, NHS

Tagged as , ,