Tag Archives: Elizabeth Denham

September 24, 2021 · 9:41 am

What John Edwards will inherit

The new Information Commissioner will have a lot on his plate. I’m going to focus very briefly on what is, objectively, a very small matter but which, to me, illustrates much about priorities within the ICO.

On 29 July I happened to notice an Information Tribunal decision which I thought was slightly odd, in that apparently both the Tribunal, and the Commissioner beforehand, had dealt with it under the Freedom of Information Act 2000 rather than the Environmental Information Regulations 2004, despite the subject matter (a tree inspection report) appearing to fall squarely under the latter’s ambit.

However, the decision notice appealed (referred to as FS5081345 in the Tribunal judgment), does not appear on the ICO’s searchable online database (in fact, no decisions relating to the public authority – the mighty Great Wyrley Parish Council – are listed). It’s unusual but certainly not unheard of for decision notices not to get uploaded (either by overlook, or – occasionally – for other, legal reasons) but in the past when I’ve asked for one of these, informally, it’s been provided by return.

So I used the ICO’s online Chat function to ask for a copy of the decision notice. However, I was told I had to submit a request in writing (of course I’d already done so – the Chat function is in writing, after all, but let’s not quibble). I said I was concerned that what was a simple request would get sucked up into the ICO’s own FOI processes, but the person on the Chat thought I would get a response within a couple of days.

Those who’ve stayed this far into the blogpost will be unsurprised to hear what happened next – my simple request got sucked into the ICO’s own FOI processes, and more than seven weeks on (more than three weeks beyond the statutory timescale for responding) I have still had no response, and no indication of why not, other than the pressure the FOI team is under.

And that last point is key: if the ICO’s own FOI caseworkers are under such pressure that they cannot deal with a very simple request within the legal timescale, nor update me in any meaningful way as to why, something has surely gone wrong.

At a recent NADPO webinar Dr Neil Bhatia spoke about his own difficulties with getting information out of the ICO through FOI. He (and I) were challenged by one of the other speakers on why we didn’t more regularly take formal action to force the issue. It was a fair point, and prompted me yesterday to ask the ICO for a formal decision under section 50 of the FOI Act (which means the ICO will have to issue an FOI decision notice on whether the ICO handled an FOI request for an FOI request in accordance with the law – and that sentence itself illustrates the ridiculousness of the situation).

This isn’t the only FOI request I have that the ICO is late responding to. I have one going back to May this year and another to June (albeit on rather more complex subjects). And I know that I and Dr Bhatia are not alone.

All the fine talk from the current Commissioner about forging international data protection accords, and encouraging “data driven innovation” can’t prevent a perception that her office seems increasingly to have left FOI regulation (and in some cases its own FOI compliance) behind. The right to access information is (part of) a fundamental right (just as is the right to data protection). If the ICO doesn’t want the role, is it time for a separate FOI Commissioner?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, rule of law

Tagged as , ,

September 12, 2020 · 8:30 am

If ICO won’t regulate the law, it must reboot itself

The exercise of the right of (subject) access under Article 15 of the General Data Protection Regulation (GDPR) is the exercise of a fundamental right to be aware of and verify the lawfulness of the processing of personal data about oneself.

That this is a fundamental right is emphasised by the range of enforcement powers available to the Information Commissioner’s Office (ICO), against those controllers who fail to comply with their obligations in response to an access request. These include the power to serve administrative fines to a maximum amount of €20m, but, more prosaically, the power to order the controller to comply with the data subject’s requests to exercise his or her rights. This, surely, is a basic function of the ICO – the sort of regulatory action which underlines its existence. This, much more than operating regulatory sandboxes, or publishing normative policy papers, is surely what the ICO is fundamentally there to do.

Yet read this, a letter shown to me recently which was sent by ICO to someone complaining about the handling of an access request:

 

Dear [data subject],

Further to my recent correspondence, I write regarding the way in which [a London Borough] (The Council) has handled your subject access request.

I have contacted the Council and from the evidence they have provided to me, as stated before, it appears that they have infringed your right to access under the GDPR by failing to comply with your SAR request. However, it does not appear as though they are willing to provide you with any further information and we have informed them of our dissatisfaction with this situation.

It is a requirement under the Data protection Act 2018 that we investigate cases to the ‘extent appropriate’ and after lengthy correspondence with the Council, it appears they are no longer willing co-operate with us to provide this information. Therefore, you may have better results if you seek independent legal advice regarding the matters raised in this particular case.

Here we have the ICO telling a data subject that it will not take action against a public authority data controller which has infringed her rights by failing to comply with an access request. Instead, the requester must seek her own legal advice (almost inevitably at her own significant cost).

Other controllers might look at this and wonder whether they should bother complying with the law, if no sanction arises for failing to do so. And other data subjects might look at it and wonder what is the point in exercising their rights, if the regulator will not enforce them.

This is the most stark single example in a collection of increasing evidence that the ICO is failing to perform its basic tasks of regulation and enforcement.

It is just one data subject, exercising her right. But it is a right which underpins data protection law: if you don’t know and can’t find out what information an organisation has about you, then your ability to exercise other rights is stopped short.

The ICO should reboot itself. It should, before and above all else, perform its first statutory duty – to monitor and enforce the application of the GDPR.

I don’t understand why it does not want to do so.

[P.S. I think the situation described here is different, although of the same species, to situations where ICO finds likely non-compliance but declines to take punitive action – such as a monetary penalty. Here, there is a simple corrective regulatory power available – an enforcement notice (essentially a “steps order”) under section 148 Data Protection Act 2018.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, GDPR, human rights, Information Commissioner

Tagged as , , , , ,

August 15, 2020 · 7:07 pm

Elizabeth Denham and international transfers

One question prompted by the news (original source: 2040training) that Elizabeth Denham, the Information Commissioner, is currently working from her home in Canada, is whether the files and matters she is working on, to the extent they contain or constitute personal data, are being transferred to her in accordance with Chapter 5 of the General Data Protection Regulation (GDPR).

Chapter 5’s provisions mean that personal data can only be transferred to a country outside the European Economic Area in certain circumstances. In general, these boil down to: 1) if the European Commission has made an adequacy determination in respect of the country, 2) if Commission-approved standard contractual clauses are in place, 3) if binding corporate rules are in place, 4) if Article 49 derogations for specific situations are in place.

So, can one play a distracting little parlour game looking at what international transfer mechanism Ms Denham and the Information Commissioner’s Office (ICO) in the UK have adopted? No need, says the ICO. What is going on is not an international transfer of the type envisaged by GDPR.

The ICO’s guidance on the subject introduces the not-unhelpful term “restricted transfers”, to describe those transfers of personal data to which Chapter 5 of GDPR applies. However, it includes in its category of transfers which are not restricted, the following example

if you are sending personal data to someone employed by you or by your company, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your organisation

So (at least to the extent that she, as Commissioner, is employed by, or embodies, the ICO) transfers of personal data to Ms Denham in Canada are not restricted transfers to which Chapter 5 of GDPR applies. There is, as it were, a corner of a foreign field that is forever Wilmslow.

The basis for the ICO’s position here, though, is not entirely easy to discern, and the position does not appear to be one that is obviously  shared by other data protection authorities, or the European Data Protection Board (unless the latter’s impending guidance on international transfers proves me wrong).

And it does strike me that the ICO’s position is potentially open to abuse. What if, for instance, someone decided to set up a medical data analytics company in the UK, with no UK employees, but a branch office in, say, Syria, employing hundreds of people there, and to where all of medical data it gathered was sent for storage and further processing, would the ICO still take the view that this was not a restricted transfer? Given the intense scrutiny which the CJEU applied to the US surveillance regime in the Schrems litigation, is it really likely that it would agree with a legal approach which resulted in data manifestly being in a state whose laws were deficient, but such data was not protected by the Chapter 5 provisions?

A similar issue might arise with another aspect of the ICO’s guidance, which implies that a transfer to a country outside the EEA, but which is a transfer to a controller to which the GDPR extra-territorial provisions apply, is also not a restricted transfer. If that controller was in, say South Sudan, would the ICO hold its position?

None of this is to say, of course, that the fact that a transfer may not be a restricted one means that all the other GDPR obligations are set aside. They continue to apply, and, no doubt, Ms Denham and the ICO are doing all they can to comply with them.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Tagged as , , , ,

May 22, 2019 · 8:49 am

ICO breaching the law it’s meant to oversee

This may be complete coincidence, but on the WhatDoTheyKnow website, there are two Freedom of Information (FOI) requests, on similar themes, which requesters have made to the Information Commissioner’s Office (ICO), to which – at the time of writing – the ICO appears simply to be failing to respond, way beyond the statutory timescale of 20 working days.

Both requests are about procurement of external consultants. In the first, the requester asked

Please disclose all current agreements for provision of legal services by outside bodies such as barristers chambers, law firms etc. This should include the rates of pay agreed.

The request was made on the 19th February and more than three months on, has simply had no response (other than an automated acknowledgment).

In the second the (different) requester asked

how many times the Information Commissioner’s Office has engaged consultants, companies or other specialists to deliver services to the ICO without putting the work out to tender or otherwise advertising the opportunity externally

That request was made on the 26th February and, barring some holding responses, which seem to have dried up, it has had no substantive response.

The failure to respond is concerning, and the failure to communicate inexplicable. One wonders where the reluctance comes from.

My own recent experience of making FOI requests to them indicates a less-than-ideal level of compliance with the laws the ICO is meant to regulate. However, when, some time ago, I asked the ICO for compliance figures, they refused to disclose them, saying they would be published soon. Yet approximately six months on they still haven’t done so (which is not in compliance with the best-practice requirements of the section 45 FOI Code of Practice).

I offered the ICO an invitation to comment on this blogpost, and in response a spokesperson said: “We aim to resolve 95% of information requests within the statutory deadline, unless we have sought an extension. We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon.” No comment was made on the wider point about compliance, and publication of compliance statistics. (I would also make the observation that it’s rather surprising ICO only aims to respond to 95% of requests within the statutory deadline – surely they would (and should) aim to respond to 100% within the timeframe mandated by the law?)

I’ve previously expressed concern about the ICO’s unwillingness to take enforcement action against recalcitrant, if not contemptuous, public authorities for poor FOI compliance. Elizabeth Denham has recently (and unsuccessfully) called for an extension of FOI law, saying

Part of my job is to make sure that the legislation my office regulates fulfils its objectives and remains relevant. When it does not, I will speak out

Will she also speak out about the fact that her office is not itself complying with the legislation it regulates?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

Tagged as , , ,