Tag Archives: accuracy

March 24, 2023 · 7:37 am

SRA, data protection and the solicitors roll

In August 2022 the Solicitors Regulation Authority (SRA) announced plans to change its rules and reinstate the annual “keeping of the roll” exercise. Until 2014, all solicitors without practising certificates were required to complete an application each year and pay an administration fee if they wished to remain on the roll. This requirement was dispensed with in 2014 in part because the annual process was seen as burdensome for solicitors.

One of the justifications now for reintroducing the keeping of the roll is given by the SRA as

There are also requirements under the General Data Protection Regulation (GDPR) 2016 [sic] and the seven principles that govern the holding and retention of data. Under GDPR we have responsibility as a data controller to ensure we maintain accurate data relating to individuals and we are processing it fairly and lawfully.

What is slightly odd is that when, in 2014, the SRA proposed to scrap the keeping of the roll, it was not troubled by the observations of the then Information Commissioner about the importance of accuracy and privacy of information. In its reply to the then Commissioner’s consultation response it said that it had “fully considered the issues” and

We consider that the availability of the SRA’s online system, mySRA, to non- practising solicitors as a means of keeping their details up to date, serves to mitigate the possibility of data become inaccurate…To further mitigate the risk of deterioration of the information held on the roll, the SRA can include reminders to keep contact details up to date in standard communications sent to solicitors.

If that was the position in 2014, it is difficult to understand why it is any different today. The data protection principles – including the “accuracy principle” – in the UK GDPR (not in fact the “GDPR 2016” that the SRA refers to) are effectively identical to those in the prior Data Protection Act 1998.

If the SRA was not concerned by data protection considerations in 2014 but is so now, one might argue that it should explain why. The Information Commissioner does not appear to have responded to the consultation this time around, so there is no indication that his views swayed the SRA.

If the SRA was concerned about the risk of administrative fines (potentially larger under the UK GDPR than under the Data Protection Act 1998) it should have reassured itself that any such fines must be proportionate (Article 83(1) UK GDPR) and by the fact that the Commissioner has repeatedly stressed that he is not in the business of handing out fines for minor infringements to otherwise responsible data controllers.

I should emphasise that data protection considerations were not the only ones taken into account by the SRA, and I don’t wish to discuss whether, in the round, the decision to reintroduce the keeping of the roll was correct or not (Joshua Rozenberg has written on this, and the effect on him). But I do feel that the arguments around data protection show a confused approach to that particular issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

Tagged as , , , ,

September 4, 2018 · 1:39 pm

GDPR – an unqualified right to rectification?

Can FCA – or any data controller – any longer argue that it’s too expensive to have to rectify inaccurate personal data?

Amidst all the hoo-ha about the General Data Protection Regulation (GDPR) in terms of increased sanctions, accountability requirements and nonsense about email marketing, it’s easy to overlook some changes that it has also (or actually) wrought.

One small, but potentially profound difference, lies in the provisions around accuracy, and data subjects’ rights to rectification.

GDPR – as did its predecessor, the 1995 Data Protection Directive – requires data controllers to take “every reasonable step” to ensure that, having regard to the purposes of the processing, personal data which are inaccurate are erased or rectified without delay. Under the Directive the concomitant data subject right was to obtain from the controller, as appropriate the rectification, erasure or blocking of data. Under Article 16 of GDPR, however, there is no qualification or restriction of the right:

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

I take this to mean that, yes, a controller must in general only take every reasonable step to ensure that inaccurate data is rectified (the “proactive obligation”, let us call it), but, when put on notice by a data subject exercising his or her right to rectification, the controller MUST rectify – and there is no express proportionality get-out (let us call this the “reactive obligation”).

This distinction, this significant strengthening of the data subject’s right, is potentially significant, it seems to me, in the recently-reported case of Alistair Hinton and the Financial Conduct Agency (FCA).

It appears that Mr Hinton has, for a number of years, been pursuing complaints against the FCA over alleged inaccuracies in its register of regulated firms, and in particular over an allegation that

a register entry which gave the impression both him [sic] and his wife were directors of a firm which the regulator had publicly censured

This puts into rather simple terms what appears to be a lengthy and complex complaint, stretching over several years, and which has resulted in three separate determinations by the Financial Regulators Complaints Commissioner (FRCC) (two of which appear to be publicly available). I no doubt continue to over-simplify when I say that the issue largely turns on whether the information on the register is accurate or not. In his February 2017 determination the FRCC reached the following conclusions (among others)

You and your wife have been the unfortunate victims of an unintended consequence of the design of the FSA’s (and now FCA’s) register, coupled with a particular set of personal circumstances;

…Since 2009 the FSA/FCA have accepted that your register entries are misleading, and have committed to reviewing the register design at an appropriate moment;

Although these findings don’t appear to have been directly challenged by the FCA, it is fair to note that the FCA are reported, in the determinations, as having maintained that the register entries are “technically and legally correct”, whilst conceding that they are indeed potentially misleading.

The most recent FRCC determination reports, as does media coverage, that the Information Commissioner’s Office (ICO) is also currently involved. Whilst the FRCC‘s role is not to decide whether the FCA has acted lawfully or not, the ICO can assess whether or not the FCA’s processing of personal data is in accordance with the law.

And it occurs to me that the difference here between the Directive’s “reactive obligation” and GDPR’s “reactive obligation” to rectify inaccurate data (with the latter not having any express proportionality test) might be significant, because, until now, FCA has apparently relied on the fact that correcting the misleading information on its register would require system changes costing an estimated £50,000 to £100,000, and the FRCC has not had the power to challenge FCA’s argument that the cost of “a proper fix” was disproportionate. But if the Article 16 right is in general terms unqualified (subject to the Article 12(5) ability for a controller to charge for, or refuse to comply with, a request that is manifestly unfounded or excessive), can FCA resist a GDPR application for rectification? And could the ICO decide any differently?

Of course, one must acknowledge that there is a general principle of proportionality at European law (enshrined in Article 5 of the Treaty of the European Union) so a regulator, or a court, cannot simply dispense with the concept. But there was clearly an intention by European legislature not to put an express qualification on the right to rectification (and by extension the reactive obligation it places on controllers), and that will need to be the starting point for any assessment by said regulator, or court.

 

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under accuracy, Data Protection, GDPR, Information Commissioner

Tagged as , , , ,