Still no clearer on reprimands

[reposted from LinkedIn]

What is a reprimand, and how does the ICO decide to issue one? This, bizarrely, remains a bit of a mystery – apparently even to the ICO themselves.

Under Article 58(2)(b) of the UK GDPR the Information Commissioner’s Office has the power to issue reprimands to a controller or a processor where processing operations have infringed provisions of the UK GDPR.

Since January 2022 the ICO has issued 84 reprimands that it has made public (it’s possible there are others it hasn’t published – that’s certainly happened in the past). Yet there is still no clearly documented process that the ICO will follow to decide what might trigger the decision to issue a reprimand.

In February 2023 I was informed by the ICO that “there is no specific written policy or procedure covering the issuing of reprimands [but that they were] currently working on putting together a formalised process specifically for reprimands, which will be added to our Investigations Manual once finalised”.

So I followed this up recently (18 months on from the previous request). And I’ve had a couple of documents disclosed to me, one a checklist that begins “Once reprimand agreed…” and another on how to apply redactions, but, otherwise, there appears still to be no way of an organisation – or even the ICO themselves(!) – knowing what might lead to a reprimand being issued, and how the decision will be made.

So, six years on from the ICO getting the power, those organisations placed on the naughty step appear to be no closer to understanding what exactly they did to deserve it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Is the purchase of a watch “private information”?

[reposted from LinkedIn]

An interesting (if it gets to trial) Northern Ireland case of Frampton and Van Der Horst [2024] NIMaster 17, in which the plaintiff former boxer (P) has sought damages in, variously, passing off, copyright, breach of confidence, misuse of private information and data protection, as a result of the defendant watch seller’s (D) publication of a YouTube video revealing that P had bought a watch from D.

P had obtained judgment in default and D sought to set this aside. In deciding to do so the master only had to determine whether D has an arguable defence.

The analyses of whether the MOPI and data protection defences are arguable are interesting (and in the latter case, flawed).

On MOPI, the master noted that the “Murray factors” (“the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant, and the circumstances in which and the purposes for which the information came into the hands of the publisher”) will require consideration at trial, and also noted that the authoritative law books on the topic identify “personal financial and tax related information” as one of the types of information that will normally (but not invariably) be regarded as giving rise to a reasonable expectation of privacy. All these points could only, said the master, be determined by a trial judge, having heard all the evidence.

On the data protection claim, the defence consisted in an argument that D’s processing was based on his legitimate interests. Here, the master seems to have erred, in assessing that “This would appear a particularly weak argument as there was no express consent from the plaintiff and the purported legitimate reason for processing the data was effectively to make money, which is not an exemption under UK General Data Protection Regulations [sic]”. But, of course, reliance on Article 6(1)(f) UK GDPR legitimate interests does not (cannot) require the consent of the data subject; rather, it requires the controller’s legitimate interests to be balanced against the interests, rights and freedoms of the data subject. Nor is there any authority for the proposition that an interest or interests cannot be “legitimate” because they are commercial interests (indeed, the CJEU, in a finding which I am certain would be followed by the domestic courts, only last week ruled that a commercial interest is capable of being a legitimate interest).

This, of course, was not a fully argued case (the master only had affidavits and draft pleadings to go on). If the case goes to trial we may well see all of the claims more properly argued and considered.


Join NADPO, get free Tim Turner training

If I told you that you could secure attendance at two half-day online training sessions on data protection, with one of the UK’s leading experts and trainers, for the meagre sum of £130 and that payment bought you two years’ membership of NADPO, with all the other benefits that brings (regular webinars, a stellar annual conference, regular newsletters, discounts on training), you would snap it up, wouldn’t you?

Well, dear friends, that’s what we’re offering our members. On Wednesday 9 October and Wednesday 16 October the fantastic Tim Turner of 2040 Training will be delivering sessions exclusively for NADPO members. So, if you purchase a membership in the next few days you’ll be entitled to attend both sessions (plus get all those other benefits).

I can’t think how any rational person could turn such an offer down.


You must be taking the PSNI

[Reposted from LinkedIn]

The Information Commissioner’s Office has fined the Police Service of Northern Ireland £750,000 for the failings that led to the public disclosure of the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff, putting countless people’s lives at risk from dissident republicans. The fine would have been £5.6m if the ICO’s “public sector approach” had not been applied.

The disclosure was made in a spreadsheet attached to a Freedom of Information Act response. The spreadsheet was intended to disclose some information, but also contained a hidden tab, where the offending information was situated.

Eleven years ago I was asked to write a piece in The Guardian about the risks of hidden data in spreadsheets. At the time, as many of you will remember, these sorts of incidents were prevalent in councils and the NHS. I called for the ICO to do more to warn, and, in fairness, they did. But the fact that this sort of incident was allowed to happen is shocking: the ICO notice points out that the PSNI would regularly create pivot tables to prepare information for disclosure, where the risk of data being hidden (but easily revealed) is particularly high.
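A pre-release check for the failure described above, as an added example that is not part of the original post: it reads an .xlsx package with Python's standard library and reports hidden or very hidden sheets, pivot cache parts (which can hold a copy of the source records) and individually hidden rows or columns. The sample workbook is constructed and holds only the parts the audit reads; the function names are this example's own.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}
ROW_COL = {f"{{{MAIN}}}row", f"{{{MAIN}}}col"}


def audit_xlsx(data: bytes) -> dict:
    """Report content a reader of the visible sheets would not see."""
    findings = {"hidden_sheets": [], "pivot_cache_parts": [], "hidden_rows_cols": {}}
    # Stdlib XML parsing suits in-house drafts; use a hardened parser for untrusted files.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Sheet visibility lives in xl/workbook.xml: state is "hidden" or
        # "veryHidden"; an absent attribute means visible.
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        # A pivot cache can keep a copy of the source records even when the
        # source sheet itself has been hidden or deleted.
        findings["pivot_cache_parts"] = sorted(
            n for n in names if n.startswith("xl/pivotCache/"))
        # Rows and columns can also be hidden individually inside a visible sheet.
        for name in names:
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                hidden = sum(1 for el in root.iter()
                             if el.tag in ROW_COL and el.get("hidden") in ("1", "true"))
                if hidden:
                    findings["hidden_rows_cols"][name] = hidden
    return findings


def safe_to_release(findings: dict) -> bool:
    """True only when the audit found nothing hidden."""
    return not any(findings.values())


def build_sample() -> bytes:
    """Constructed sample: a package holding only the parts the audit reads."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{MAIN}"><sheets>'
                           '<sheet name="Summary" sheetId="1"/>'
                           '<sheet name="Source data" sheetId="2" state="hidden"/>'
                           '</sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{MAIN}"><sheetData>'
                                    '<row r="1"/><row r="2" hidden="1"/>'
                                    '</sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{MAIN}"><sheetData/></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml":
            f'<pivotCacheRecords xmlns="{MAIN}" count="0"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_xlsx(build_sample())
    print(report, "release:", safe_to_release(report))
```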

The ICO announcement is unusual in that it also allows the Chief Constable of PSNI to comment, and – extraordinarily – to express that he is “extremely disappointed at the level of the fine” (despite the massive reduction over what it would have been if he was in charge of a private sector organisation).

Chief Constable Boucher – you got off lightly.


Can a nullity be deemed a legal notice?

[reposted from LinkedIn]

I wrote recently about the fact that the Information Commissioner’s Office appeared to have served countless decision notices under section 50 of the Freedom of Information Act 2000 on the wrong legal person:

Someone recently made an FOI request to ask why the Commissioner had changed… terminology, because some decision notices are addressed to, say, the “University of Exeter”, while others are addressed to the “Governing Body of the University of Exeter”. The answer given by the Information Commissioner’s Office is that it was not a change of approach, but, rather, that the examples of the former were “due to an error.”

Obviously I’ve not had any response to that from the ICO, and didn’t really expect one. But I do note a recent Information Tribunal case where the ICO argued that the Tribunal did not have jurisdiction to hear an appeal from a decision notice, because the ICO had discovered it had been served on the wrong body, and it was therefore a “nullity” – it wasn’t, and never had been, a proper legal notice:

the IC submitted the DN was served upon [Harrogate Integrated Facilities Ltd] a trading name of [Harrogate Healthcare Facilities Management Ltd] and that [the latter] was the correct legal entity upon which the DN should have been served. As the DN was not served upon the correct public authority it should be deemed a nullity. An application was made to strike out the appeal under 8(2)(a) of the Rules due to lack of jurisdiction in relation to the proceedings.

Interestingly, although the Tribunal did not dispute the fact that the notice had been served on the wrong person, it skirted over (or, rather, avoided totally) the “nullity” submission. Instead, the Tribunal decided that it would itself “deem” the notice to have been served on Harrogate Healthcare Facilities Management Ltd (rather than on the wrong entity).

The Tribunal’s reasoning is sound on a common sense approach (they noted that if the proceedings were struck out the ICO would then just serve an identical notice on the correct body, and the whole process would need to restart, which would involve a disproportionate use of resources). However, it seems to me very dubious from a legal point of view, and there may be strong grounds to argue that its decision to treat what was argued to be a nullity as a decision notice for reasons of expediency (and not dealing with the nullity point) was ultra vires.

It will be interesting to see if the ICO appeal. Especially as if they do, it may open up a floodgate of other cases which – on their submission – might also be nullities.


Exempt from FOI? Hoyle say it is

[reposted from LinkedIn]

Although the Information Commissioner’s Office is tasked with enforcing the Freedom of Information Act 2000, the Act contains some provisions which have the effect of ousting the ICO’s jurisdiction. A little-seen one appears in a recent decision notice about a request to the House of Commons for information and correspondence in relation to events at the controversial Opposition Day Debate on 21 February 2024. Much of the controversy turned on the actions of the Speaker of the House, Sir Lindsay Hoyle, who later apologised.

Section 34 of FOIA creates an absolute exemption (i.e. not subject to a public interest test) if the exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament. But section 34(3) goes further, and says that

A certificate signed by the appropriate authority certifying that exemption…is, or at any time was, required for the purpose of avoiding an infringement of the privileges of either House of Parliament shall be conclusive evidence of that fact.

Such a certificate closes things down: it is not open to the ICO (or a court) to say “we disagree – the exemption is not required to avoid infringing the privileges of either House”.

All very interesting, and the decision notice is still worth reading, to see how it all works.

But, who, you might ask, is the “appropriate authority” who signed this certificate?

Well, dear friends, section 34(4) FOIA says that, when the privilege of the Commons is at issue, the appropriate authority is the Speaker of the House – a certain Sir Lindsay Hoyle MP.


Gender critical beliefs not relevant in determining whether FOI request was vexatious

[reposted from LinkedIn]

The holding and expression of gender critical beliefs was not valid evidence for LNER to take into account in determining that an FOI request was vexatious.

Can a public authority take into account a requester’s public comments elsewhere, when considering whether a request is vexatious under s14 of the Freedom of Information Act 2000, in circumstances where the comments are expressions of a belief, the holding of which is a protected characteristic under the Equality Act 2010? The answer, says the Information Commissioner’s Office, in a well-argued decision notice, is “no” – however much the authority might disagree with the expressions.

The request was to London North Eastern Railway (a company wholly owned by the Department for Transport, and therefore a public authority for the purposes of FOIA), and was for information about the process and costs of decorating a train in Pride colours, the processes for selecting train designs more generally and about plans for future designs.

LNER refused the request as vexatious, and justified this to the ICO on grounds including that the content of social media posts by the requester

have demonstrated views that indicate a bias against transgender individuals, [that complying could lead to] harmful discourse and cause distress to our transgender employees and the people that the Pride train represents [and that the requester’s] focused questions on binary sex divisions and the specific targeting of a Pride-themed train…indicates a shift toward a disruptive agenda rather than an informational one.

In response, the requester

accepted that she had a binary view of sex, but…that this was a protected belief [citing Forstater v CGD]

LNER had therefore, in her view,

unlawfully discriminated against her because it had refused to provide information, that she would otherwise have been entitled to receive, due to her beliefs.

The ICO ruled that LNER had been entitled to take “a holistic view of the request” and nothing in principle had prevented it taking account of social media posts. However

the question of vexatiousness does not turn on what the complainant’s beliefs are, or are not. Nor whether she is, or is not, entitled to those beliefs

The question was “whether the request had a serious purpose and value” – here, it did – and whether that was outweighed by factors pointing towards vexatiousness. The ICO found that it was not:

the complainant’s motivation may well have a grounding in her beliefs, but the public authority has not demonstrated that she has made the request just to be disruptive, or just to target individual. Nor has it demonstrated that it would be subject to an unjustified burden if it were to respond to the present request

The right to information under FOIA is a species of the Article 10 ECHR right to receive and impart information. This is an important decision by the ICO on the extent of the right.


CCTV and commercial property leases

[reposted from LinkedIn]

There is a minor, but interesting, data protection point in this judgment on a dispute between a landlord and commercial tenant about a lease.

The claimant was a dentist who had become suspended and therefore could not practise as a fully registered dentist in accordance with the terms of the lease. The dispute was about whether she had done so, and, if so, whether the court should grant relief from forfeiture (it did, on the facts).

The claimant also sought and was granted a declaration, in relation to the landlord’s siting of internal CCTV cameras, “that the processing of the claimant’s data by the defendant is unlawful and breached the provisions of the Data Protection Act 2018 and the regulations [sic] relating thereto”. 

The evidence was that “a CCTV camera was installed by the defendant by being affixed to the door frame above the entrance to the toilets in the building, on the same floor as the room let to the claimant, pointing at the stairs and the door to the claimant’s…premises”. Although the defendant landlord claimed that “the CCTV was placed there for the legitimate purpose of monitoring those going to the building’s toilets”(!), the judge did not accept that: “as it was placed, [it] had a distinct view of the entrance to the claimant’s room, and, when it was opened, into the room itself. There is no real reason why it could not have been so positioned to exclude that, or why indeed it could not have been located to point in the opposite direction to monitor those coming out of the toilet area door[!]… it was an attempt to monitor who was attending the claimant’s room and its use.”

Unfortunately, the judge does not appear to have made findings as to what precisely were the infringements of the data protection law (one notes that the declaration was sought only in respect of the claimant’s own data, and not of those attending her premises, but the finding appears to be in respect of both). 

So, as I say, a minor point, but interesting. Landlords, even in commercial property agreements (and disputes arising), should not simply assume they have the right to place CCTV on their property in such a way as it infringes the data protection rights of individuals using the property (whether they be tenants, employees of tenants, or the tenant’s visitors).


Department for the Economy (Northern Ireland) v Information Commissioner and White (GIA/85/2021)

I wrote recently about the fact that a judgment in the Upper Tribunal, which the Information Commissioner cites in guidance, was not publicly available anywhere. The ICO had refused to disclose it in response to a Freedom of Information Act request and suggested the requester ask for a copy directly from the Tribunal.

I don’t know if the requester did, but I thought it would be helpful to do so, and upload it here. (Kudos to the Tribunal for the swift, helpful reply.)

I’m also going to contact Bailii, and see if they might host a copy as well.


JR judgment, and the lack of third party rights under FOIA

[reposted from LinkedIn]

The Freedom of Information Act 2000 (FOIA) confers rights on those requesting information, and obligations on public authorities (it also confers duties and powers on the Information Commissioner). What it does not do is confer any rights on someone whose information is held by a public authority and requested to be disclosed: if someone asks for that third party’s information and the public authority discloses, or is minded to disclose, the third party can do little or nothing to stop it.

That appears to be illustrated by a case in the High Court of Northern Ireland. I say “appears” because there doesn’t seem to be a judgment yet, and so I’ve had to piece together what seems to have been at issue.

FOIA requests were made by three unionist MPs to the Legal Services Agency (LSA) for funding for legal cases brought by victims’ campaigner Raymond McCord. It appears that the LSA proposed to disclose the information, and Mr McCord (because he has no rights as a third party under the FOIA regime itself) brought judicial review proceedings to prevent disclosure.

According to the media reports, those proceedings have failed, with the judge saying

There is a legitimate public interest in the openness and accountability of the LSA as a public authority responsible for the expenditure of substantial public funds…[Mr McCord’s] contention that he is a private individual sits uneasily with his own description as a ‘peace campaigner’ and his various interviews with the media, including when he challenged the public claims made by Mr Allister about the appropriateness of him being granted legal aid…Self-evidently, the applicant has injected himself into the public discourse on a number of high-profile cases which are of obvious and manifest interest to the public. This is particularly so in relation to Brexit litigation.

It also appears that at some stage the ICO was involved, and indicated its view that disclosure would “likely be unfair and unlawful”. I imagine that this was because Mr McCord made a data protection complaint. In any event, the ICO said that its view was not legally binding (an interesting side note: could the ICO have issued an enforcement notice under section 149 of the Data Protection Act 2018 to prevent a public authority releasing personal data under FOIA?)

This issue of “third party rights” (or lack thereof) under FOIA is a very interesting one. The section 45 Code recommends that public authorities consult with third parties where necessary, and have regard to their representations, but this still doesn’t confer a direct right.
