Tag Archives: data protection

Why does the UK stop students accessing their mock exam and assignments data?

UPDATE: 23.08.20 In this piece Chris Pounder identifies what the government sees as a justification for the exam scripts exemption. In a document prepared to assist adequacy discussions with the European Commission, it is said that the exemption “aims to protect the integrity of exams by ensuring that exam scripts cannot be accessed outside established processes” (on the basis that exam boards often re-use or re-purpose exam questions). However, and as Chris implies, this simply isn’t sufficient to justify the blanket exemption, not the breadth of its scope. Moreover the ICO’s meek acceptance that it permits an interpretation which even covers assignments and, presumably, other coursework, is deeply disappointing. END UPDATE.

Domestic data protection law says that students can’t later access data recorded by themselves during an exam or assessment. Why is that? And is it compatible with the UK’s obligations under GDPR and more general human rights law?

As is well known, the General Data Protection Regulation (GDPR) has direct effect on member states of the EU. This is, however, subject to certain provisions which allow member states to legislate for specific exemptions or restrictions. An example is Article 23 of GDPR, which allows member states to restrict by way of a legislative measure the scope of certain data subject rights, including the right of access at Article 15. Such restrictions must, though, respect “the essence of the fundamental rights and freedoms” and be a “necessary and proportionate measure in a democratic society” to safeguard, among a list of things, important objectives of general public interest.

The specific UK restrictions made in respect of Article 23 lie primarily in Schedule 2 of the Data Protection Act 2018. Of particular interest at the current time is the Schedule 2, paragraph 25(1) exemption to the Article 15 right of subject access which says that the right does “not apply to personal data consisting of information recorded by candidates during an exam” (and paragraph 25(4) says that “‘exam’ means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity”).

Thus it is that guidance from the Information Commissioner’s Office (ICO) says, in relation to this year’s exam awards

The exam script exemption applies to information that has been recorded by the students themselves during an exam or assessment. Therefore students do not have a right to get copies of their answers from mock exams or assignments used to assess their performance

But why does this exemption exist? Search me. Why did it also exist in the 1998 Data Protection Act? Also, search me. Also search Hansard, like I have done, and you may struggle to find out. (Please let me know if I’ve missed something).

So in what way can the exam script exemption be said to respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society? Is this a case where Parliament merely nodded through a provision which it also merely nodded through 22 years ago?

Note that this is not a question as to whether information recorded by candidates during an exam is their personal data. It most certainly is, as the CJEU found in 2017 in Nowak. But note also that the court, in that case, observed that “the use of [such] information, one consequence of [the use of the information] being the candidate’s success or failure at the examination concerned, is liable to have an effect on his or her rights and interests, in that it may determine or influence, for example, the chance of entering the profession aspired to or of obtaining the post sought”. The court also noted, in holding that such information was personal data, the importance of the data subject’s rights of access, rectification and objection.

And let us remember recital 63 GDPR, which reminds us that one purpose of the right of subject access is to be able to “verify the lawfulness of the processing”. In the absence of any indication as to why the UK decided to restrict the right of access in such a way as to prevent students, especially this year’s students, accessing their own assignment and mock exam data, one must query how those students can adequately verify the lawfulness of the processing by those who determined their grades.

P.S. there is an argument that the ICO should do something about this, under its Article 57 tasks to monitor and enforce GDPR, to handle complaints from data subjects, and to advise parliament, the government, and other institutions and bodies. It has the power under Article 58 to issue an opinion to those bodies.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, subject access

BA hints at massively reduced size of ICO proposed fine

A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a E22m fine.

 

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Schrems II – what now?

A piece I have written with my Mishcon colleague Adam Rose, looking at the issues for businesses involved in international transfers (esp. to the US).

Make no mistake – the effect of Schrems II is to make bulk/regular transfers of personal data to the US problematic (putting it at its lowest). It arguably has the same effect in respect of transfers to most, if not all, third countries.

Leave a comment

Filed under adequacy, Data Protection, data security, Europe, facebook, GDPR, Information Commissioner, national security, privacy shield

Betting and Gaming GDPR Code of Conduct proposed

A new piece on the Mishcon de Reya website, co-authored by me, on a proposed Article 40 Code (one of the first) prepared by the European Gaming and Betting Association.

Leave a comment

Filed under Code of Conduct, Data Protection, EDPB, GDPR

There’s nothing like consistency

A tale of two Member States, and two supervisory authorities.

First, the Belgium Data Protection Authority is reported to have fined a controller €50,000 for, among other infringements, appointing its director of audit, risk and compliance as its Data Protection Officer (DPO). This was – the DPA appears to have said – a conflict of  interest, and therefore an infringement of Article 38(6) of the General Data Protection Regulation (GDPR).

Second (and bearing in mind that all cases turn on their specific facts), one notes that, in the UK, the Data Protection Officer for the Information Commissioner’s Office (ICO), is its Head of Risk and Governance.

Let’s speculate –

Are the tasks of a Head of Risk and Governance likely to be similar to those of a director of audit, risk and compliance?

Would the Belgium DPA take the view that its UK equivalent is infringing GDPR, by appointing as DPO someone in circumstances which create a conflict of interest? (ICO notably says “[In respect of the combined roles of] DPO and Head of Risk and Governance, the tasks and focus of each role complement each other, and do not conflict. Neither responsibility is focused on determining the purposes and means of processing personal data but are both focused on providing advice about the risks, mitigations, safeguards and solutions required to ensure our processing is compliant and supported by our business decisions“).

What view would the European Data Protection Board take, if asked to consider the matter under the GDPR consistency mechanism (for instance on receipt of a request for an Opinion, under Article 64(2))?

Does it matter, given Brexit?

And if doesn’t matter immediately, might the status and position of the ICO’s DPO be one of the factors the European Commission might subsequently take into account, when deciding whether post-Brexit UK has an adequate level of protection, as a third country?

No answers folks, just questions.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, Brexit, consistency, Data Protection, Europe, GDPR, Information Commissioner

High Court – subject access, breach of confidence and the offence of reidentification

An interesting case is being heard in the High Court, arising from an apparent error whereby, in responding to a subject access request (SAR), the London Borough of Lambeth allowed the recipient (and now defendant) data subject to electronically manipulate the information sent to him. This in turn enabled him to remove redactions, and identify someone who had made allegations against him and his wife (about the care they were providing to their child).

This is nightmare scenario for a controller – to inadvertently disclose extremely sensitive information, while responding to a SAR. In this instance, Lambeth have now brought a claim in breach of confidence against the defendant data subject, on the grounds that: the data was provided to the data subject in circumstances where he knew it was confidential; that he breached that confidentiality by unredacting the data, retaining an unredacted copy of the file, using the evidence to write a pre-action letter to the person who made allegations against him and his wife and threatening to bring court proceedings against them based on the information; and that it is integral to the work of Children’s Services that people who bring to its attention instances of perceived inadequate care or neglect of children are able to do so under conditions of confidentiality and can be assured that their confidentiality will be respected.

The instant proceedings were primarily concerned with a strike-out application by the defendant data subject, on the grounds of non-compliance by Lambeth with its (litigation) disclosure obligations. This application was roundly dismissed, and the matter will proceed to trial.

But of particular note is that, notwithstanding that the original error was Lambeth’s, it was revealed in the proceedings that the Information Commissioner’s Office (ICO) is also prosecuting the defendant data subject on charges of committing the offences of knowingly or recklessly re-identifying de-identified personal data, without the consent of the data controller, and knowingly or recklessly processing re-identified personal data, without the consent of the data controller. These are new offences created by sections 171(1) and 171(5) of the Data Protection Act 2018, and, when that Act was passed, it appeared that the mischief the provisions sought to address was the risk of hackers and fraudsters attempting to identify data subjects from large datasets (see the debates at Bill stage). It will be interesting to see if the ICO’s prosecution here results in a conviction. But it will also be interesting to see if ICO considers similar prosecutions in other circumstances. Although there is a public interest defence (among others) to section 171 charges, it is not an uncommon occurrence for public authorities (particularly) to inadvertently disclose or publish information with imperfect redactions. It certainly appears, on a plain reading of section 171, that someone re-identifying de-identified personal data (even if, say, for idle reasons of curiosity) might not always be able to avail themselves of the public interest defence.

And what is unsaid in the judgment, is whether Lambeth are facing any sort of civil, regulatory action from the ICO, arising from their error in sending the imperfectly redacted information in the first place.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under anonymisation, Data Protection, Data Protection Act 2018, Information Commissioner, local government, subject access

ICO – report a databreach to us, and we might take action against you

[EDITED TO ADD: since I wrote this piece, it appears that ICO has silently amended its guidance, so it no longers threatens regulatory action for over-reporting. For posterity’s sake, (and to show I wasn’t making it up) I provide this link to the archived page.] 

Data protection practitioners (and many others) are well aware that a failure to comply with the general obligation on a controller to notify the Information Commissioner’s Office (ICO), in the event of a personal data breach, is an infringement of the General Data Protection Regulation (GDPR). What may be less known, however, is that making a notification, in circumstances where it wasn’t required, might also be an infringement, and might result in sanctions from the ICO. That, at least, appears to be the ICO’s own view of the law, when it says

Over reporting breaches which have not been appropriately risk assessed in terms of their impact on the data subject may be seen as evidence of failing to comply with the GDPR accountability principle. This can also result in regulatory action.

I don’t know about you, but I think that’s a pretty extraordinary statement.

Of course, controllers should assess whether, as an exception to the general obligation, they are not required to make a notification, on the grounds that the personal data breach (defined at Article 4(12) of GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) is unlikely to result in a risk to the rights and freedoms of natural persons. Such a risk assessment (because that’s what it is) will be, though, a nuanced challenge. What, after all, constitutes a likely “risk to the rights and freedoms of natural persons”? Although recital 85 to GDPR gives some clues, it still leaves much to be determined on the facts:

 

…physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

Article 83 makes a failure to notify, in circumstances where one should notify, an infringement with a maximum administrative fine attached of €10m or 2% of global annual turnover (whichever is higher). Is it any surprise then, that some controllers might have taken what they thought to be a cautious, or precautionary, approach, and notified ICO of personal data breaches even when they weren’t sure it was necessary to do so?

Although the ICO has been suggesting for some time that controllers have been too keen to make personal data breach notifications, the web page in question appears to have only very recently been amended to say this (an archived version only from 31 May 2020 lacks the wording).  And it seems to me a little bit mean-spirited (and potentially confusing to some controllers) to start threatening the use of  sanctions against those who are making a regulatory notification in good faith.

In fact, I’m not at all sure that – as ICO suggests – it is potentially an infringement of the Article 5(2) obligation (by which a controller shall be responsible for, and be able to demonstrate compliance with, the Article 5(1) principles) to make a notification without properly assessing risk. And to say that it is such an infringement, is – I submit – stretching the accountability principle further than, in other circumstances, ICO would expect it to be stretched.

And don’t start thinking about whether an excessive notification of a personal data breach is a personal data breach which requires notification. That way madness (or is it Wilmslow?) lies.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, GDPR, Information Commissioner

Yet more delays to proposed ICO BA and Marriott fines

I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

COVID-19 and ICO’s proposed fines for BA and Marriott

I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

DSARs – the clock doesn’t stop for clarification of a request

A thread on Twitter by solicitor Martin Sloan has drawn attention to a change to official guidance on the question of when a subject access request (pursuant to Article 15 of the General Data Protection Regulation (GDPR)) “starts”, in circumstances where a controller processes large amounts of data and asks the data subject to specify what information is sought.

Recital 63 of GDPR says that where a controller processes “a large quantity of information concerning the data subject [it] should be able to request that, before the information is delivered, the data subject specify the information or the processing activities to which the request relates”. This certainly seems to suggest that it is only when the controller is ready to “deliver” the information (i.e. when it has already searched for and retrieved it) that it can ask for the request to be, in effect, narrowed down.

However, guidance from the Information Commissioner’s Office (ICO) used to say* “If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request. You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information” (emphasis added). This was similar to the position which obtained under the prior Data Protection Act 1998, which provided that a controller was not obliged to comply with a request unless it was supplied with such information as was reasonably required to locate the information which the data subject sought.

But the ICO now says: “If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month” (emphasis also added).

The change appears to be correct as a matter of law (by reference to recital 63), but it is possible that it may lead to an increase in reliance by controllers on Article 12(3), which potentially allows an extension to the one month period for compliance if a request is complex.

The new wording is contained in the ICO’s draft detailed guidance on subject access requests, which is currently out for consultation. One presumes the ICO thought this particular change was sufficiently important to introduce it in advance, but it is rather surprising that no announcement was made.

[UPDATE: Martin has now got a piece on Brodies’ own website about this].

[*the link here is to an archived page].

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, subject access