Tag Archives: data protection

June 29, 2024 · 10:16 am

An EIR judgment as long as a novel

Those who think the data protection statutory regime is complex might want to consider how it compares to that under the Environmental Information Regulations 2004 (EIR).

So if you fancy spending the day reading a judgment that is (by my calculations) longer than George Orwell’s 1984, now’s your chance.

A number of personal search companies, who undertake different types of searches for use in real property sale and purchase transactions, are bringing a claim in restitution regarding the charges they’ve paid to defendant water companies for reports under the CON29DW Drainage and Water Enquiry process. Their argument is that information responsive to a CON29DW is “environmental information” (EI) within the meaning of the EIR and that the water companies in question were obliged to make EI available for free or for no more than a reasonable charge. Accordingly, the charges levied by the water companies were unlawful and/ or paid under a mistake of law and that the water companies have been unjustly enriched to the extent of those charges.

The water companies, in turn, say that information responsive to a CON29DW was not EI, and/or that the information was not ‘held’ by them at the time the relevant request was made and/or that they were otherwise entitled under the EIR to refuse its disclosure.

Mr Justice Richard Smith’s magnum opus of a judgment bears close reading (closer than I’ve yet been able to give it), but it contains some notable findings, such as: not all of the information responsive to a CON29DW is EI; not all of the information was held for the purposes of the EIR and not by all of the defendants; information responsive to a CON29DW about internal flooding to a property is personal data (there’s an interesting discussion on the definition of personal data, touching on Durant, Edem, Ittihadieh and Aven v Orbis – but I think this part of the judgment is flawed – just because information about internal flooding could be personal data doesn’t mean it always is (which is what the judge appears to hold) – what about where a residential property is unoccupied and owned by a company?)

It seems to me that the effect of the judgment is to fracture the claim into small bits – some of the info is EI, some is held, by some defendants, some is exempt, etc. – and may well have the effect of damaging the chances of the claim progressing.

The judge ends by imploring the parties to try to resolve the issue other than through the court process. So let’s see if there’s an appeal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Environmental Information Regulations, judgments

Tagged as ,

June 7, 2024 · 4:52 pm

Subject access: recipients, and motive

A very significant subject access judgment has been handed down in the High Court. Key rulings have been made to the effect that 1) requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient), and 2) the subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides.

The underlying details of the case are interesting and alarming in themselves. A director of a gardening company (Mr Cameron) had covertly recorded threatening calls made by a wealthy homeowner working in the property investment industry (Mr Harrison) with whom the company was coming into dispute, and subsequently circulated the recordings to a limited number of unnamed family members and others.

The recordings found their way to a wider circle of people, including some of Mr Harrison’s peers and competitors in the property investment sector. Mr Harrison contended that the circulation of the recordings had caused his own company to lose out on a significant property acquisition. Accordingly, he made subject access requests, under Article 15 of the UK GDPR both to and Cameron and to Mr Cameron’s company (“ACL”). Those requests were rejected on the grounds that i) Mr Cameron, when circulating the recordings, was processing Mr Harrison’s personal data in a “purely personal and household” context, and so the processing was out of scope of the UK GDPR, ii) Mr Cameron was not personally a controller under the UK GDPR, iii) ACL could rely on the exemption to disclosure where it would involve disclosing information relating to another individual who did not consent to disclosure, and where – in the absence of such consent – it was not reasonable in the circumstances to disclose (see Article 15(4) UK GDPR and paragraph 16 of Schedule 2 to the Data Protection Act 2018).

In a lengthy judgment (dealing mostly with the facts and evidence) Mrs Justice Steyn held that Mr Cameron’s processing was not for purely personal and household reasons: he was clearly acting as a director of ACL in making the recordings and circulating them. However, she agreed that he was not a controller – he was acting in his capacity as a director, and – following Ittihadieh and In re Southern Pacific Loans – a director processing data in the course of their duties for their company is not a controller; the company is.

A crucial part of the judgment, in terms of wider relevance, is on the interpretation of Article 15(1)(c) of the UK GDPR. This provides that a data subject should be given information on “the recipients or categories of recipient” to whom personal data have been or will be disclosed. Many practitioners, and lawyers, have taken this be an option available to the controller (i.e. the controller can decide whether to provide information on the specific recipient or just on categories thereof). Not so, said Steyn J, agreeing with the CJEU in the Austrian Post case (which, as a post-Brexit case, wasn’t binding on her, but to which she could have regard, so far as it was relevant to the issues (see section 6(2) of the EU (Withdrawal) Act 2018)): the choice lies with the data subject, and, if the data subject chooses to receive information on individual recipients, he or she is entitled, in principle, to that information (unless it would be impossible or manifestly excessive to do so).

Notwithstanding this, Mr Harrison was not entitled in this case to have the identities. Mr Harrison had previously sent subject access requests individually to at least 23 employees of ACL and ACL, and he had an intention to pursue further legal options other than under the UK GDPR, if he was to identify potential claimants. ACL believed that disclosing identities of recipients of the recordings would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. The judge agreed that it was “not unreasonable for the Defendants to give significant weight to [Mr Harrison’s] sustained and menacing behaviour in considering whether to protect or disclose the identities of friends, colleagues and family members”. The fact that “hostile litigation”, against the third parties to whom the recordings were disclosed, was being contemplated was a relevant factor to take into account when balancing their interests with Mr Harrison’s access rights, under paragraph 16 of Schedule 2. The judge held that

[Although there] is no general principle that the interests of the request should be treated as devalued by reason of a motive to obtain information to assist the requester in litigation…as Farbey J observed in X v Transcription Agency…the SAR regime “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides“…[and so] it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018

So, the perennial question of the extent to which a requester’s motive is relevant when responding to a subject access request rears its head again. Steyn J’s analysis is compelling, and so it certainly appears that – at the very least when it comes to the balancing test implied by paragraph 16 of Schedule 2 – the motive is capable of being taken into account.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Data Protection Act 2018, judgments, subject access, UK GDPR

Tagged as , , ,

June 6, 2024 · 7:45 am

The demise of portmanteau data breach claims

Many defendants in data protection proceedings will have experienced claims which also plead a misuse of private information (MPI). Often, on the face of things, the latter appears to add nothing to the data protection claim, but there can be procedural and costs/other financial implications. Importantly, where claimants have secured after-the-event (ATE) insurance, premiums can be recovered from losing defendants (as there is an exception for certain claims, including MPI ones, to the general rule introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012, by which ATE premiums became generally irrecoverable between parties). This can be perceived as a factor which might impel defendants to settle otherwise weak claims.

The practice of bundling data protection and MPI claims (sometimes with a bonus breach of confidence claim) in “data breach” proceedings was struck a blow in 2021, when Mr Justice Saini, in Warren v DSG, held that, as both MPI and breach of confidence require there to have been a “use”, a “positive action”, they do not impose a data security obligation on a defendant, or create liability where the defendant was, instead, alleged to have failed to do something.

This inevitably led to a drop in claims pleading MPI (and breach of confidence) in data security cases, but not a complete stop: after all – I imagine some claimant lawyers thought, a claim can still be pleaded as a MPI claim – even if it might not look like one (following Warren v DSG).

However, in a costs judgment from September last year, but only recently published, Deputy Costs Judge Roy held that a “spurious” (as opposed to a “genuine”) MPI claim (in Saini J’s characterisation “an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”) can’t avail itself of the ATE premium irrecoverability exception. (The claim was against Equiniti, but seems to be separate to the recent attempted group litigation against the same defendant.)

I suspect the story is not entirely over. Claimants will quite possibly say “yes, spurious MPI claims can’t be shoehorned into data protection claims, but this one – Judge – is not spurious on the facts”. Nonetheless, the days of portmanteau data breach claims seem to disappearing into the past.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, data security, judgments, litigation

Tagged as ,

June 1, 2024 · 8:36 am

Disastrous data protection advice in child protection proceedings

I am only going to link at the foot of this post to the recent judgment in the Family Court, as it is long, contains distressing and graphic references to alleged sexual offences and how a school and a local authority dealt with the allegations and only deals in passing with the issue I raise in this post. Please be aware of that.

However, the issue is of real importance.

The reason for referring to it is the extraordinary, and extraordinarily worrying, references in the judgment to a discussion a deputy head teacher had with the nine year old child in question. The judgment records the teacher’s evidence that, although

she took notes of the discussion she destroyed any notes that she had made. This appeared to be in accordance with a school-wide misunderstanding of data protection guidance. She fairly admitted that after a year she could only guess at those notes now

The judge stresses that she

“[does] not criticise GG – she was a caring and conscientious teacher who was doing her best and believed she was following advice and good practice. She lacked specialist training and some of the advice was unhelpful. I have carefully considered the problems with her record of this discussion, and I am mindful that these challenges add to the difficulty of appraising the reliability of what she recorded.”

[nb, this was said not solely in the context of the destruction of the notes]

The London Borough involved recognised, during the course of the proceedings, “the importance of addressing a wide range of gaps and concerns that emerged during the course of this hearing”, and the judge invited the parties to draw up an agreed list of issues for the Council to consider and provide a response to as a positive problem-solving exercise. Among these agreed issues was this

“Contemporaneous notes need to be taken when a child makes any allegation of physical, sexual or emotional abuse against a third party…. It needs to be made clear within the policy that contemporaneous notes ought to be kept and stored securely (electronically if possible). This includes any handwritten notes even if, only key words are noted down and later entered onto any electronic system. THIS DOES NOT INFRINGE GDPR.”

Those final words resound, even if they shouldn’t need saying.

Prior to GDPR, there were certainly a multitude of misunderstandings about data protection, but the idea that personal data should not be recorded, or should be quickly destroyed, is one of the most pernicious of misunderstandings that seems to have emerged since GDPR – in part from terrible advice and training given by people who shouldn’t have ever been engaged to train the public sector. I implore those involved in training and advising in these complex areas of social care and education to consider the import and impact of the advice they give.

Finally, the importance and meaning of the first word of the third data protection principle is often overlooked. Yes, it’s the “data minimisation” principle, but personal data must still be adequate.

This is the judgment.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, GDPR, local government, retention, UK GDPR

Tagged as , ,

April 30, 2024 · 5:58 am

ICO applies public sector fine approach to charity

The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.

The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.

The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.

This led to a further follow-up query from me because as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”

I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?

[this post was originally published on my LinkedIn page.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fines, Information Commissioner, LinkedIn Post, monetary penalty notice, Uncategorized

Tagged as ,

March 1, 2024 · 7:02 am

John Edwards evidence to the Angiolini inquiry

On 29 February Lady Elish Angiolini published the first report from her inquiry into how off-duty Metropolitan police officer Wayne Couzens was able to abduct, rape and murder Sarah Everard.

Information Commissioner John Edwards contributed to the inquiry, and his evidence is cited at 4.320 (the paragraph is quoted below). It deals with the profoundly important (and perennially misunderstood) issue of data-sharing within and between police forces.

Although for obvious reasons the identity and content of some witness evidence to the inquiry is being kept anonymous, there should be no obvious reason that Mr Edwards’s is, and I hope that the Information Commissioner’s Office will, in addition to publishing his press statement, also publish any written evidence he submitted. It would also be good to know the details of the work Mr Edwards says his office is doing, and continuing, with the police, in this context.

In discussions with senior leaders of relevant organisations, the Inquiry was told that gaps in information-sharing between human resources, recruitment, professional
standards and vetting teams – and, indeed, between forces themselves – were a
significant barrier to capturing a clear picture of officers. The Inquiry heard from different sources, including senior leaders, that there are significant barriers to
information-sharing. Some cite data privacy and protection laws as a reason not to
share information. However, in a discussion with the Information Commissioner, John Edwards, the Inquiry was assured that data protection law recognises that there are legitimate reasons for information-sharing, particularly given the powers attributed to police officers. Indeed, Mr Edwards suggested that data protection law is widely misunderstood and misconstrued, and highlighted a failure of training in this regard.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, data sharing, Information Commissioner, police

Tagged as , , ,

March 1, 2024 · 6:48 am

How did George Galloway come to send different canvassing info to different electors?

As electors went to the polls in the Rochdale by-election on 29 February, a few posts were made on social media showing the disparity between letters sent to different electors by candidate George Galloway. An example is here

On the face of it, Galloway appears to have hoped to persuade Muslim voters to vote for him based on his views on a topic or topics he felt would appeal to them, and others to vote for him based on his views on different topics.

It should be stressed that there is nothing at all wrong that in principle.

What interests me is how Galloway identified which elector to send which letter to.

It is quite possible that a candidate might identify specific roads which were likely to contain properties with Muslim residents. And that, also would not be wrong.

But an alternative possibility is that a candidate with access to the full electoral register, might seek to identify individual electors, and infer their ethnicity and religion from their name. A candidate who did this would be processing special categories of personal data, and (to the extent any form of automated processing was involved) profiling them on that basis.

Article 9(1) of the UK GDPR introduces a general prohibition on the processing of special categories of personal data, which can only be set aside if one of the conditions in Article 9(2) is met. None of these immediately would seem available to a candidate who processes religious and/or ethnic origin data for the purposes of sending targeted electoral post. Article 9(2)(g) provides a condition for processing necessary for reasons of substantial public interest, and Schedule One to the Data Protection Act 2018 gives specific examples, but, again, none of these would seem to be available: paragraph 22 of the Schedule permits such processing by a candidate where it is of “personal data revealing political opinions”, but there is no similar condition dealing with religious or ethnic origin personal data.

If such processing took place in contravention of the prohibition in Article 9, it would be likely to be a serious infringement of a candidate’s obligations under the data protection law, potentially attracting regulatory enforcement from the Information Commissioner, and exposure to the risk of complaints or legal claims from electors.

To be clear, I am not saying that I know how Galloway came to send different letters to different electors, and I’m not accusing him of contravening data protection law. But it strikes me as an issue the Information Commissioner might want to look into.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under access to information, Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, political parties, UK GDPR

Tagged as , , ,

January 2, 2024 · 6:20 pm

UK GDPR amended

Three years ago, at the end of the Brexit Implementation Period, I helped prepare a version of the UK GDPR for the Mishcon de Reya website. At the time, it was difficult to find a consolidated version of the instrument, and the idea was to offer a user-friendly version showing the changes made to the retained version of the GDPR, as modified by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, and the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020.

Since then, the main legislation.gov.uk has offered a version. However, with respect to that site, it’s not always the easiest to use.

The burden now, though, falls to me and Mishcon, of updating our pages as and when the UK GDPR itself gets amended. Major changes are likely to made when the Data Protection and Digital Information Bill gets enacted, but, first, we have the minor amendments (minor in number, of not in significance) effected by The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (which came into force at 23:59:59 on 31.12.23).

The changes have been made to Articles 1, 4, 9, 50, 85 and 86.

The Mishcon pages have been very well used, and we’ve had some great feedback on them. They don’t profess to be an authoritative version (and certainly should not be relied on as such) but we hope they’ll continue to be a useful resource.

Leave a comment

Filed under Data Protection, GDPR, UK GDPR

Tagged as , ,

November 16, 2023 · 5:36 pm

I was stupid

I was stupid, I was naive: I thought that recent statements from senior people at the Information Commissioner’s Office (ICO) indicated a willingness to enforce against non-compliance in the use of cookies and cookie banners.

I was wrong. My recent complaint, published as an open letter to John Edwards, the Commissioner, not only took ten weeks to be allocated to a case worker, but, now, that case worker has told me, in terms, that they’re not interested:

we do not respond to cookie complaints individually…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK.

This leaves two things hanging: 1) the site I complained about is one of the most visited in the UK; 2) the website in question arguably “raises awareness” of cookies, but only insofar as it confounds, frustrates and obstructs the user, in a manner which, in my submission, contravenes ePrivacy and Data Protection law, and 3) fails to get users’ consent (as it is defined in those laws).

MLex(£) have now written about this, and have secured a quote from the ICO, which is more than I got, really:

It is an ICO priority to influence changes to online tracking practices to create a more privacy-oriented internet. Where users want personalized adverts they should have the choice to receive them. But where websites don’t give people fair choices over how their data is used we will take action to safeguard their rights.

Try as I might, I can’t square that, and the ICO’s previous public statements about taking firm action, with an approach which fails in any real way to engage with people who take the time and effort to make complaints. But, as I say, I was stupid and naive to think it might have been different.

I’ve now complained, in turn, about the ICO’s handling of my complaint (and made an FOI request), in these terms:

1. I made a complaint under Article 77 UK GDPR. You have not investigated that at all, let alone “to the extent appropriate” as you are required to do under Article 57(1)(f). 

2. My letter was addressed to John Edwards. Has he seen it? 

3. You say, “When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation.” Which have you done here? Please disclose information either in respect of the compliance check you undertook, or of the correspondence you sent to Associated Newspapers Ltd.

4. Frankly, your response is discourteous. I went to some effort to assist the ICO in its stated intention to investigate poor compliance with PECR, but your response gives no indication that you’ve even read the substance of my complaint.

5. Your letter contains no apology or explanation for the extensive delay in handling it, which falls outside your own service standards.

In seriousness, I find this all really disheartening. The gulf between what the ICO says and what it does is sometimes huge, and not necessarily appreciated by those who don’t work in the field.

But I will get back in my stupid box.

+++

For completeness’ sake, the full response from the caseworker was:

Thank you for your correspondence in which you have complained about Associated Newspapers Ltd and its use of cookies.

Complaints regarding cookies can be submitted to us through the following link: Cookies | ICO

In this case, I have forwarded the information you have provided to the appropriate department. Although we do not respond to cookie complaints individually, we use the information you send us to help us identify, investigate and take action against organisations causing you complaint. To do this, we work alongside other organisations and website owners.

Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us,
we either conduct our own compliance check or write to the organisation. Our website provides further information about the action we’re taking on cookies.

Yours sincerely

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under adtech, consent, cookies, Information Commissioner, PECR, UK GDPR

Tagged as , , ,

September 12, 2023 · 8:49 am

Arbitrary criminality and data protection

It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.

The majority of infringements of data protection law are not criminal offences, but, rather, contravention of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information

which—

(a)has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,

(b)relates to an identified or identifiable individual or business, and

(c)is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,

However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that

(a)the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,

(b)the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),

(c)the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,

(d)the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,

(e)the disclosure was made for the purposes of criminal or civil proceedings, however arising, or

(f)having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.

Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.

But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44, because of the offence provisions at section 132 DPA.

Whether this is an over-cautious stance is one thing, but it is understandable.

What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data report (albeit with redactions). Here, also.

If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?

One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, crime, Data Protection, Data Protection Act 2018, Freedom of Information, Information Commissioner

Tagged as , , , ,