Tag Archives: data protection

August 29, 2014 · 7:14 am

Some observations on the MoJ £180,000 data protection “fine”

1. It wasn’t a fine: section 55A of the Data Protection Act 1998 (DPA) gives the Information Commissioner’s Office (ICO) the power to impose a monetary penalty notice (MPN) to a maximum of £500,000 on a data controller which has made a serious contravention of its obligation to comply with the data protection principles, and the contravention was of a kind likely to cause substantial damage or substantial distress (and the data controller knew or should have known about the risk). There is often confusion over the civil and criminal sanctions in the DPA, perhaps not helped by the fact that the main criminal sanction is at section 55, and the main civil sanction at section 55A. However, although the incorrect use of the term “fine” is understandable in some circumstances, I don’t think the ICO themselves should use it.

2. The money goes straight back to the government: this is true – monetary penalties do not get paid to the ICO. Rather, they are paid into the Consolidated Fund – the government’s bank account. While this does have an element of absurdity (and similar complaints are sometimes made when the ICO serves MPNs on other public bodies, such as the NHS, or local authorities) recent research (and personal anecdotal experience) suggests that the MPNs are effective in improving data controller compliance. One wonders if alternative methods, like individual liability for data controller failings (which would require major primary legislation), would have similar effects.

3. The Ministry of Justice funds the ICO: in part, at least. The MoJ funds the ICO for its freedom of information work. Its data protection work comes from the fees data controllers pay the ICO to appear on its register. Nonetheless, penalising the MoJ could be seen as biting the hand that feeds – it is commendable that the ICO is not afraid to do so.

4. The MoJ is data controller for prisoner data within prisons: being the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed. That’s a heck of a lot of highly sensitive personal data to be responsible for. And such responsibility carries potential huge liability for errors.

5. This is not the first MPN the MoJ has received: less than 12 months ago the MoJ received an MPN of £140,000 for a remarkably similar set of events to those which prompted the latest MPN. Both MPNs involved insecure processes to safeguard prisoner databases – in the first an unencrypted database file was emailed to a member of the public, and in the second a hard disk containing a prisoner database, which should have been encrypted but wasn’t, has been lost. As MPNs are often served (as these were) for contraventions of the obligation to have appropriate organisational and technical measures in place to safeguard against loss of data, one might argue that a second such serious contravention might have warranted even more severe sanctions. The ICO even notes that the second contravention was because of a botched attempt to put right what happened in the first, and deems the second contravention “very serious” (as opposed to the first’s “serious”). I am not the only person I have spoken to who is surprised this latest MPN was not higher.

and finally

6. Data security is not just about technology: it’s also about people. In this instance the MoJ, after its first MPN (see above), sent hard drives to all relevant prisons which were capable of holding data in encrypted format.

But they forgot to tell the prison staff to switch encryption on.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

Tagged as , ,

August 28, 2014 · 4:20 pm

Data Protection Act non-pecuniary damages in the County Court

The Data Protection Act 1998 (DPA) is, as its regulator the Information Commissioner (IC) concedes, “complex and, in places, hard to understand”. Moreover, it has been observed that 

there is…little case law…most damages claims under the DPA go to the County Court, where unless you were in the case it is hard to know that it happened or get hold of a judgment

To which one would add that, as most damages claims go no further than the County Court those cases we do hear about don’t set precedent anyway.

However, thanks to the website LegalBeagles we do now have another judgment which deals with the DPA, and which was handed down in June this year in the County Court at Taunton. In the judgment (.pdf, 12MB), in rather dense prose, Deputy District Judge Stockdale ruled on a money claim against Lloyds Bank for unfair bank charges (the primary claim) and a claim for damages under section 13 of the DPA. Holding that the specific bank charges between 2007 and 2009, for unauthorised overdraft facilities, were indeed unfair (for reasons I am rather ill-equipped to explore), the Judge went on to hold that the referral of a default to credit reference agencies was in breach of the first data protection principle (Schedule One, DPA) which obliged the bank to process the claimant’s personal data fairly (and lawfully). This was because, by reference to the then IC Guidance “Filing of defaults with credit reference agencies”, the relationship between the lender and the individual had not broken down. The guidance said

The term ‘default’, when recorded on a credit reference file should be used to refer to a situation when the lender in a standard business relationship with the individual decides that the relationship has broken down

In this case, as the claimant and the bank, at the time the latter registered the default, had entered into a repayment arrangement (which the claimant was keeping to), it could not be said that the relationship had broken down.

An interesting point about this judgment is that the claimant’s case was bolstered by the fact he could point to a prior assessment opinion by the IC. He had complained about the bank’s actions to the IC, who had determined (in line – although this is unsaid in the judgment – with his duties under section 42 DPA to assess processing) that it was unlikely that the bank had complied with its DPA obligation. This clearly carried weight for the judge (as did the Guidance).

Another interesting point is that, in assessing the remedy for the contravention, the judge followed the (compelling) dicta of Tugendhat J in Vidal -Hall & Ors v Google Inc [2014] EWHC 13 (QB) and awarded compensation  for what was non-pecuniary damage of £1000, in recognition of the trouble to which the claimant had been put in pursuing the matter and bringing the claim. The claimant was also successful in an application under section 14(1) DPA for erasure/destruction of the default on his credit reference files.

Vidal-Hall has not yet come to trial. If, when it does, Tugendhat J’s “preliminary view” that “damage in s.13 does include non-pecuniary damage” is upheld, it could lead to a rush of similar claims being made.

1 Comment

Filed under damages, Data Protection, Information Commissioner

Tagged as , ,

August 28, 2014 · 1:30 pm

A fishy way of boosting party membership?

A tweet today referred me to a New Statesman article from October last year which contains what I think are actually quite serious allegations against Tory MP Douglas Carswell (who has today announced his intention to resign his seat and re-stand for UKIP) or, perhaps, against his local party machine. The magazine alleges that

A snout rang with the tale of an Essex man who went along to a Clacton fish-and-chip supper organised by the local MP, Douglas Carswell. The chap paid his £10, enjoyed his cod and then listened to the debate before going home unconvinced by the Tory case on Europe. So imagine his perturbation at a letter from Carswell’s office informing him that his tenner would be converted into membership of the constituency association unless he wrote back renouncing the party. The chap couldn’t be bothered to reply and – hey presto! – an unwanted Tory membership card duly popped through his letter box.

I do not know if if this is true*. I’ve asked Mr Carswell via his twitter account whether it is, but, understandably, he may have more pressing priorities today. He was certainly in the habit of hosting such events, as his personal blog shows.

But if it is true, it raises concerns about the handling of constituents’ personal data. The second principle of the Data Protection Act 1998 (DPA) provides that

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

and by section 4(4) of the DPA a data controller (the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed) must comply with the eight data protection principles. Failure to do so renders the data controller liable to private legal action by aggrieved data subjects, as well as regulatory enforcement action by the Information Commissioner (which can consist of monetary penalties to a maximum of £500,000 for especially serious contraventions). Mr Carswell’s entry on the Commissioner’s register confirms he accepts his status as data controller, as does the entry for his local Conservative Constituency Association. Any personal data of a constituent attending fish-and-chip suppers had to processed in accordance with eight principles, and wrongly recording someone as a member of a political party would involve the processing of sensitive personal data (a category which includes information about political allegiance, and which is afforded even higher protection).

And, as well as being in contravention of the second principle, such processing would be in breach of the first, which requires that personal data be processed fairly and lawfully. I’m not going to make a party political point, but as of today, even Mr Carswell might feel that, in broader terms, it would be particularly unfair to wrongly categorise someone as a member of the Tory party.

*If Mr Carswell refutes the allegations in the story I will be very happy to amend this blog post accordingly

1 Comment

Filed under Data Protection, Information Commissioner

Tagged as , ,

August 19, 2014 · 6:39 pm

One for the Environmental Information Regulations + Data Protection nerds

In 2010 the Court of Justice of the European Union (CJEU) held that, insofar as they required the automatic publication of the name and other particulars of natural persons (as opposed to legal persons) of beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural Fund for Rural Development (EAFRD), certain articles of European Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy were invalid. This was because they imposed an obligation to publish personal data relating to these beneficiaries (who might be private individuals or sole traders) without permitting criteria such as the periods, frequency and amounts involved to be considered.

Rip-roaring start to a blog post eh?

In the words of the First-tier Tribunal (Information Rights) (FTT) which has recently had to consider the impact of those CJEU cases on an Environmental Information Regulations 2004 (EIR) case

[the CJEU] ruled that such a requirement for publication was incompatible with an individual’s right for privacy where the agreement holder concerned was a private individual or sole trade

The relevance of the European judgments was that Natural England, which had until 2010 published information about beneficiaries of funds granted to farmers and landowners under the European Stewardship Agreement (ESA), even when it consisted of personal data of private individual or sole trader beneficiaries, ceased such automatic publication and removed previously published information from its website. This was despite the fact applicants for an ESA had, until 2010, been given a privacy notice in a handbook which explained that the information would be published, and had signed a declaration accepting the requirements.

Notwithstanding this, when it received a request for agreements reached with farmers and landowners in the River Avon flood plains area, Natural England decided that the personal data of the beneficiary (there appears to have just been one) was exempt from disclosure under regulations 12(3) and 13 of the EIR (which broadly provide an exception to the general obligation under the EIR to disclose information if the information in question is personal data disclosure of which would be in breach of the public authority’s obligations under the Data Protection Act 1998 (DPA)).

The Information Commissioner’s Office had agreed, saying

although consent for disclosure has been obtained [by virtue of the applicant’s declaration of acceptance of the handbook’s privacy notice], circumstances have changed since that consent was obtained. As Natural England’s current practice is not to publish the names of those who have received grants with the amounts received, the Commissioner is satisfied that the expectation of the individuals concerned will be that their names and payments will not be made public.

However, the FTT was not convinced by this. Although it accepted that it was possible “that the applicant no longer expected the relevant personal data to be disclosed” it considered whether this would nevertheless be a reasonable expectation, and it also took into account that the effect of the CJEU’s decision had not been expressly to prohibit disclosure (but rather that the validity of automatic publication had been struck down):

When one combined the facts that an express consent had been given, that there had been no publicity by NE or mention on its website of the ECJ decision and finally, that the effect of that decision had not, in the event been to prohibit disclosure, [the FTT] concluded that such an expectation would not be reasonable

Furthermore, given that there was no real evidence that disclosure would cause prejudice or distress to the applicant, given that some identifying information had already been disclosed into the public domain and given that there was a legitimate interest – namely “accountability in the spending of public monies” – in the information being made public (and disclosure was necessary to meet this legitimate interest) the disclosure was both fair and supported by a permitting condition in Schedule 2 of the DPA. For these reasons, disclosure would not, said the FTT, breach Natural England’s obligation to process personal data fairly under the first data protection principle.

So maybe not the most ground-breaking of cases, but it is relatively rare that an FTT disagrees with the ICO and orders disclosure of personal data under the EIR (or FOI). The latter is, after all, the statutory regulator of the DPA, and its views on such matters will normally be afforded considerable weight by any subsequent appellate body.

Leave a comment

Filed under Data Protection, Environmental Information Regulations, Europe, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as , , ,

August 17, 2014 · 10:14 am

ICO indicates that (non-recreational) bloggers must register with them

I think I am liable to register with the ICO, and so are countless others. But I also think this means there needs to be a debate about what this, and future plans for levying a fee on data controllers, mean for freedom of expression

Recently I wrote about whether I, as a blogger, had a legal obligation to register with the Information Commissioner’s Office (ICO) the fact that I was processing personal data (and the purposes for which it was processed). As I said at the time, I asked the ICO whether I had such an obligation, and they said

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets

However, I asked them for clarification on this point. I noted that I couldn’t see any exemption from the obligation to register, unless it was the general exemption (at section 36) from the Data Protection Act 1998 (DPA) where the processing is only for “domestic purposes”, which include “recreational purposes”. I noted that, as someone writing a semi-professional blog, I could hardly rely on the fact I do this only for recreational purposes. The ICO’s reply is illuminating

if you were blogging only for your own recreational purposes, it would be unlikely that you would need to register as a data controller. However, you have explained that your blogging is not just for recreational purposes. If you are sharing your views in order to further some other purpose, and this is likely to impact on third parties, then you should consider registering.

I know this is couched in rather vague terms – “if”…”likely”…”consider” – but it certainly suggests that merely being a non-professional blogger does not exempt me from having to register with a statutory regulator.

Those paying careful attention might understand the implications of this: millions of people every day share their views online, in order to further some purpose, in a way that “is likely to impact on third parties”. When poor Bodil Lindqvist got convicted in the Swedish courts in 2003 that is just what she was doing, and the Court of Justice of the European Union held that, under the European Data Protection Directive, she was processing personal data as a data controller, and consequently had legal obligations under data protection law to process data fairly, i.e. by not writing about a fellow churchgoer’s broken leg etc. without informing them/giving them an opportunity to object.

And there, in my last paragraph, you have an example of me processing personal data – I have published (i.e. processed) sensitive (i.e. criminal conviction) personal data (i.e. of an identifiable individual). I am a data controller. Surely I have to register with the ICO? Section 17 of the DPA says that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the ICO, unless an exemption applies. The “domestic purposes” exemption doesn’t wash – the ICO has confirmed that1, and none of the exemptions apply. I have to register.

But if I have to register (and I will, because if I continue to process personal data without a registration I am potentially committing a criminal offence) then so, surely, do the millions of other people throughout the country, and throughout the jurisdiction of the data protection directive, who publish personal data on the internet not solely for recreational purposes – all the citizen bloggers, campaigning tweeters, community facebookers and many, many others…

To single people out would be unfair, so I’m not going to identify individuals who I think potentially fall into these categories, with the following exception. In 2011 Barnet Council was roundly ridiculed for complaining to the ICO about the activities of a blogger who regularly criticised the council and its staff on his blog2. The Council asked the ICO to determine whether the blogger in question had failed in his legal obligation to register with the ICO in order to legitimise his processing of personal data. The ICO’s response was

If the ICO were to take the approach of requiring all individuals running a blog to notify as a data controller … it would lead to a situation where the ICO is expected to rule on what is acceptable for one individual to say about another. Requiring all bloggers to register with this office and comply with the parts of the DPA exempted under Section 36 (of the Act) would, in our view, have a hugely disproportionate impact on freedom of expression.

But subsequently, the ICO was taken to task in the High Court on this general stance (but in unrelated proceedings) about being “expected to rule on what is acceptable for one individual to say about another”, with the judge saying

I do not find it possible to reconcile the views on the law expressed [by the ICO] with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully

And if now the ICO accepts that, at least those bloggers (like the one in the Camden case) who are not solely blogging for recreational purposes, might be required to register, it possibly indicates a fundamental change.

In response to my last blog post on this subject someone asked “why ruffle feathers?”. But I think this should lead to a societal debate: is it an unacceptable infringement of the principles of freedom of expression for the law to require registration with a state regulator before one can share one’s (non-recreational) views about individuals online? Or is it necessary for this legal restraint to be in place, to seek to protect individuals’ privacy rights?European data protection reforms propose the removal of the general obligation for a data controller to register with a data protection authority, but in the UK proposals are being made (because of the loss of ICO fee income that would come with this removal) that there be a levy on data controllers.

If such proposals come into effect it is profoundly important that there is indeed a debate about the terms on which the levy is made – or else we could all end up being liable to pay a tax to allow us to talk online.

1On a strict reading of the law, and the CJEU judgment in Lindqvist, the distinction between recreational and non-recreational expressions online does not exist, and any online expression about an identifiable individual would constitute processing of personal data. The “recreational” distinction does not exist in the data protection directive, and is solely a domestic provision

2A confession: I joined in the ridicule, but was disabused of my error by the much better-informed Tim Turner. Not that I don’t think the Council’s actions were ill-judged.

 

10 Comments

Filed under Data Protection, Directive 95/46/EC, Information Commissioner, social media

Tagged as , , , ,

August 13, 2014 · 10:52 am

Green light for spam texters – for now

The ICO has effectively conceded he has no current powers to issue monetary penalties on spam texters.

In June this year the Upper Tribunal dismissed the appeal by the Information Commissioner’s Office (ICO) against the quashing of a £300,000 monetary penalty notice (the MPN) served on spam texter Christopher Niebel. The MPN had been issued pursuant to the ICO’s powers under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Upper Tribunal held that the First-tier Tribunal had not erred in law in finding that the ICO’s relevant interpretation of “distress” was unsustainable:

the tribunal took issue with the Commissioner’s guidance as to the meaning of “distress” and, in my opinion rightly so. According to that guidance, “Distress is any injury to feelings, harm or anxiety suffered by an individual” (at paragraph [12], emphasis added). The tribunal’s conclusion was that if this “involves the proposition that it is not possible to have ‘any injury to feelings’ which falls short of ‘distress’ then, it seems to us, that the definition is at odds with common experience and with the ordinary use of English [¶60]

As the law required evidence that Niebel’s company’s sending of spam texts had been of a kind likely to cause substantial distress, and as the ICO’s evidence did not match up to this, the MPN had been rightly quashed. Implicitly, the Upper Tribunal was suggesting that further MPNs of this kind would also not be sustainable, and, explicitly, it questioned whether, if Parliament wanted to give the ICO powers to financially punish spam texters, it would require a change in the law

[a] more profitable course of action, is for the statutory test to be revisited…a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome.

To no real surprise, since the ICO lost this appeal, no further MPNs have been issued for spam texting (some have been served for spam telephone calls). Now the ICO, in a blog post by their Head of Enforcement Steve Eckersley has effectively conceded that the result of the Niebel litigation has been to remove their powers to serve MPNs for spam texts, saying it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”. And Eckersley picks up the call for a law change, confirming that there will be a consultation later this year (whether any of this will see results this side of the general election, however, is another question).  This call echoes one made by the Information Commissioner himself, who said in February

We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.
There are, of course, other strings to the ICO bow, and Eckersley refers to some of them
we are using our existing powers to hold companies to account and to disrupt their unlawful activities….and we are obtaining undertakings from and issuing enforcement notices, effectively cease-and-desist orders, to companies that breach PECR.
This sounds good, but leaves me rather puzzled: as the ICO has confirmed to me, no enforcement notices have been served and only one undertaking obtained, against companies or individuals who have sent spam texts in breach of PECR. Enforcement notices are a strong power – breach of one is a criminal offence – and only require the ICO to consider whether the PECR contravention has caused or is likely to cause any person damage or distress, not “substantial damage or substantial distress”. This lower threshold should make it much more difficult for enforcement to be resisted. Maybe some enforcement notices are on their way? One rather hopes so, because, for the moment, it looks like spam texters have received a green light.
EDITED TO ADD:
Tim Turner points out to me that a conviction for breach of an enforcement notice is not a recordable offence it will not make its way on to the Police National Computer, and will not therefore generally result in disclosure for, e.g. employment purposes. Tim’s view, and it is a compelling one, is that for a lot of spammers the threat of a minor conviction for breach of a legal notice is not one which is likely to dissuade them from their practice.

7 Comments

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR, Upper Tribunal

Tagged as , ,

August 12, 2014 · 8:12 am

Does your QR code hide personal data?

I remember the first time I saw a demo of a QR code, and being wowed by the potential uses of encoding much larger amounts of information than a conventional barcode. The audience was impressed when the presenter hovered his reader over a code, and was taken to the company website. The mood was rather ruined when someone pointed out that clicking a hyperlink did much the same, and more quickly and consistently (of course, that doesn’t really tell the whole story, but it was a good bubble-pricker). And that, really, is the story of QR codes – they seemed to have a lot of potential, but ultimately they don’t seem to have fulfilled it: their usage outside the advertising industry is low, and they have numerous competing rivals.

But they do potentially hold a lot of information, and they hold it in an encoded format, which means that the information is not immediately apparent to the human eye (that’s the whole idea, I suppose). This was nicely illustrated today to me, when I was alerted to a submission to a government consultation (since – to their credit, suitably edited), by a utilities company, who had included in their response some letters to customers, redacted – for obvious reasons – of obvious identifying features (names, addresses, etc). What had not been redacted though was a QR code, next to the name and address on the letter (one presumes that the company uses this as part of a CRM system) and, sure enough, when I scanned the code with my nifty QR code reader (which I haven’t used since I downloaded it for that first demo a few years ago) it revealed precise address coordinates, with postcode. This is personal data of the customer, and it was needlessly disclosed by the company, in contravention of their obligations under the Data Protection Act 1998.

No doubt the person tasked with redacting the letters didn’t know what the QR code contained. And thereby hangs a old and broader issue: as more and more information has been compressed and encoded, human capacity to read and understand – without technological assistance – what that information is has inevitably reduced. I suppose, in some ways, this is really the story of computing.

Leave a comment

Filed under Data Protection

Tagged as ,

August 10, 2014 · 4:45 pm

Do bloggers need to register with the ICO?

A strict reading of data protection law suggests many (if not all) bloggers should register with the ICO, even though the latter disagrees. And, I argue, the proposal for an Information Rights Levy runs the risk of being notification under a different name

Part III of the Data Protection Act 1998 (DPA) gives domestic effect to Article 18 of the European Data Protection Directive (the Directive). It describes the requirement that data controllers notify the fact that they are processing personal data, and the details of that processing, to the Information Commissioner’s Office (ICO). It is, on one view, a rather quaint throwback to the days when processing of personal data was seen as an activity undertaken by computer bureaux (a term found in the predecessor Data Protection Act 1984). However, it is law which is very much in force, and processing personal data without a valid notification, in circumstances where the data controller had an obligation to notify, is a criminal offence (section 21(1) DPA). Moreover, it is an offence which is regularly prosecuted by the ICO (eleven such prosecutions so far this year).

These days, it is remarkably easy to find oneself in the position of being a data controller (“a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”). There are, according to the ICO, more than 370,000 data controllers registered. Certainly, if you are a commercial enterprise which in any way electronically handles personal data of customers or clients it is almost inevitable that you will be a data controller with an obligation to register. The exemptions to registering are laid out in regulations, and are quite restrictive – they are in the main, the following (wording taken from the ICO Notification Handbook)

Data controllers who only process personal information for: staff administration (including payroll); advertising, marketing and public relations (in connection with their own business activity); and accounts and records.
Some not-for-profit organisations.
Maintenance of a public register.
Processing personal information for judicial functions.
Processing personal information without an automated system such
as a computer.
But there is one other, key exemption. This is not within the notification regulations, but at section 36 of the DPA itself, and it exempts personal data from the whole of the Act if it is
processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)
Thus, if you, for instance, keep a record of your children’s medical histories on your home computer, you are not caught by any of the DPA (and not required to notify with the ICO).Where this becomes interesting (it does become interesting, honestly) is when the very expansive interpretation the ICO gives to this “domestic purposes exemption” is considered in view of the extent to which people’s domestic affairs – including recreational purposes – now take place in a more public sphere, whereby large amounts of information are happily published by individuals on social media. As I have written elsewhere, the Court of Justice of the European Union (CJEU) held in 2003, in the Lindqvist case, that the publishing of information on the internet could not be covered by the relevant domestic purposes exemption in the Directive. The ICO and the UK has, ever since, been in conflict with this CJEU authority, a point illustrated by the trenchant criticism delivered in the High Court in the judgment by Tugendhat J in The Law Society v Kordowski.

But I think there is a even more stark illustration of the implications of an expansive interpretation of the section 36 exemption, and I provide it. On this blog I habitually name and discuss identifiable individuals – this is processing of personal data, and I determine the purposes for which, and the manner in which, this personal data is processed. Accordingly, I become a data controller, according to the definitions at section 1(1) of the DPA. So, do I need to notify my processing with the ICO? The answer, according to the ICO, is “no”. They tell me

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets
But I don’t understand this. I cannot see any exemption which applies to my processing – unless it is section 36. But in what way can I seriously claim that I am processing personal data only for my domestic (including recreational) purposes. Yes, blogging about information rights is partly a recreation to me (some might say that makes me odd) but I cannot pretend that I have no professional aims and purposes in doing so. Accordingly, the processing cannot only be for domestic purposes.I have asked the ICO to confirm what, in their view, exempts me from notification. I hope they can point me to something I have overlooked, because, firstly, anything that avoids my having to pay an annual notification fee of £35 would be welcome, and secondly, I find it rather uncomfortable to be on the receiving end of my own personal analysis that I’m potentially committing a criminal offence, even if the lead prosecutor assures me I’m not.

The point about the notification fee leads to me on to a further issue. As I say above, notification is in some ways rather quaint – it harks back to days when processing of personal data was a specific, discrete activity, and looks odd in a world where, with modern technology, millions of activities every day meet the definition of “processing personal data”. No doubt for these reasons, the concept of notification with a data protection authority is missing from the draft General Data Protection Regulation (GDPR) currently slouching its way through the European legislative process. However, a proposal by the ICO suggests that, at least in the domestic sphere, notification (in another guise), might remain under new law.The ICO, faced with the fact that its main funding stream (the annual notification fees from those 370,000-plus data controllers) would disappear if the GDPR is passed in its proposed form, is lobbying for an “information rights levy”. Christopher Graham said earlier this year

I would have thought  an information rights levy, paid for by public authorities and data controllers [is needed]. We would be fully accountable to Parliament for our spending.

and the fact that this proposal made its way into the ICO’s Annual Report  with Graham saying that Parliament needs to “get on with the task” of establishing the levy, suggests that it might well be something the Ministry of Justice agrees with. As the MoJ would be first in line to have make up the funding shortfall if a levy wasn’t introduced, it is not difficult to imagine it becoming a reality.

On one view, a levy makes perfect sense – a “tax” on those who process personal data. But looked at another way, it will potentially become another outmoded means of defining what a data controller is. One cannot imagine that, for instance, bloggers and other social media users will be expected to pay it, so it is likely that, in effect, those data controllers whom the ICO currently expects to notify will be those who are required to pay the levy. One imagines, also, that pour encorager les autres, it might be made a criminal offence not to pay the levy in circumstances where a data controller should pay it but fails to do so. In reality, will it just be a mirror-image of the current notification regime?

And will I still be analysing my own blogging as being processing that belongs to that regime, but with the ICO, for pragmatic, if not legally sound, reasons, deciding the opposite?

1 Comment

Filed under Data Protection, Directive 95/46/EC, Europe, GDPR, parliament

Tagged as , , , ,

August 5, 2014 · 11:18 am

Watch out lawyers – the ICO has you in his sights

The Information Commissioner’s Office (ICO) has “sounded the alarm” to the legal profession regarding breaches of the Data Protection Act 1998 (DPA). In a press release today it says it is

warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession

Fifteen incidents (which, of course, are not in themselves, breaches of the DPA)  involving members of the legal profession have been reported to the ICO in the last three months, and the release goes on to point out that

The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach

This of course is shorthand for what enforcement of the DPA really entails. Solicitors and barristers will often be data controllers pursuant to section 1(1) of the DPA (but not always – in-house lawyers are employees, and their employer will generally be the relevant data controller) and as such they will have an obligation under section 4(4) DPA to comply with the data protection principles of Schedule One. The seventh principle requires a data controller to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

and this is what the ICO refers to (or should refer to) when it talks about a “data breach”: a data security incident (such as loss of files) might occur as a result of a seventh principle breach, but, equally, it might not (I blogged at length on this distinction previously).

Nonetheless, the ICO will often give a shot across the bows of a particular group or industry, prior to taking formal enforcement action, such as the serving of monetary penalty notices, to a maximum of £500,000. The likelihood of any individual barrister or solicitor or any but the very largest firms getting such a large penalty is very very low (the ICO’s own rules state that he must take into account the impact on a data controller of a penalty). That said, all lawyers would do well to check their compliance with the DPA, and with their information security obligations.

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner, monetary penalty notice

Tagged as , ,

August 5, 2014 · 10:07 am

Lib Dems in breach of ePrivacy laws?

As I’ve written on several occasions recently, the sending of direct marketing emails without the consent of the recipient is, as a general principle, unlawful under European and domestic law.

The Information Commissioner’s Office (ICO) guidance makes clear that promotion of a political party, campaign or candidate is “direct marketing” for the purposes of the Privacy and Electronic Communication (EC Directive) Regulations 2003 (PECR):

We take a broad view of what constitutes marketing and are satisfied that it is not only the offer for sale of goods or services but also includes the promotion of the aims and ideals of any organisation including political campaigns.
On 20 July I noted this on the Liberal Democrats’ home page
 
libdem
A campaign to end Female Genital Mutilation is a worthy one (and not a party political issue) and one I’m happy to put my name to. However, I did have my suspicions, so set up a new email address, entered that into the box, and clicked “I agree”. There was no indication of what would happen with my email address once I had done this, although there was, at the very foot of the page, a small unobtrusive link to a “privacy policy” (of which more later).
 
What did happen was, firstly, and straight away, I received the following email
receipt1
 which was fair enough. At the foot of that email was this message
receipt
again, fair enough, and that should be the end of my engagement with the Lib Dems.
  
But, you will perhaps be unsurprised to hear, it wasn’t. Two days later I received this, from Lynn Featherstone MP
featherstone
which at least was on the subject of FGM, but I was surprised she considered herself my “friend”. And two days after that I found I’d made another friend:
nick
So, a few days after I’d expressed my support for a non-party-political campaign, I was on first name terms with a political party leader, who was sending me an unsolicited marketing email. Which takes us back to PECR, and consent, and my myriad previous blog posts.
 
I thought I’d check exactly what the Lib Dems website privacy policy says. Of course there’s the usual guff about taking privacy seriously, but it goes on to say
If you provide your email address…we may use the email address to send you further information in the future. You may at any point request not to receive such information any more.
And there it is, in clear terms – a statement of non-compliance with the law. They cannot, under regulation 22(2) of PECR, infer consent to receive marketing emails merely because someone has provided an email address. I will be complaining to the Lib Dems, and, if necessary, the Information Commissioner’s Office.

2 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR, privacy notice

Tagged as , , , ,