Tag Archives: ICO

Initially maybe – a subtle but important change to PECR enforcement?

Direct electronic marketing law (the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)) provides limited exceptions to the duty only to send unsolicited direct marketing to individual subscribers when those recipients have consented. Those exceptions are in regulation 22(3), and since February this year they are available both to those who offer products or services for sale and to charities furthering their charitable purposes. The effect of the exceptions (referred to colloquially as the “soft opt-in”) is that marketing can be sent without consent provided certain requirements are met.

However, the exceptions only apply where the sender of the marketing offered a simple means of refusing marketing at the time the recipient’s details were “initially collected”. The orthodox view is you can’t invite people to update their contact details, and then ask them about and send marketing, when you didn’t offer them an opt-out when you “initially” collected their details. In 2017, Honda were fined £13000 by the Information Commissioner’s Office (ICO), for sending emails asking about marketing preferences to customers whose preferences had not been recorded when their details were “initially collected”.

As Adrian Beney has pointed out, the Fundraising Regulator’s new guidance on the charitable purposes soft opt-in appears to have ignored the word “initially” in reg 22(3A)(c), when it gives, as an example of lawful use of the soft opt-in, a charity which has “long-standing volunteers” whom it has not previously asked for consent to receive fundraising marketing relating to the charity, but to whom “at the next annual update of volunteer contact details” it offers an opt-out. This is described as “the right approach”.

I was about to reply to Adrian to say this is clearly at odds with the ICO’s own guidance, but I thought I should check first. To my surprise, I see that the ICO has not made this point clear in its own guidance on the charitable purposes soft opt-in. True, in its generic guide to PECR as a whole (not yet updated to reflect the introduction of the charitable purposes soft opt-in) it says that to use the soft opt-in the sender must have offered a simple way to opt out when the recipient’s details were “first collected”. But the (updated) specific “Guidance on direct marketing using electronic mail” does not make this clear, and, notably, has dropped the crucial word “first”. Thus, where it used to say “You must give people a clear opportunity to opt-out of your direct marketing when you first collect their details” (emphasis mine) it now says “You must give people a simple way to opt out of your electronic mail marketing when you collect their contact details”.

Dropping a word in this way has the hallmarks of a deliberate decision. It certainly appears that it might have led the Fundraising Regulator to give guidance that, if followed, would arguably result in marketing behaviour that the ICO would have held to unlawful until recently.

I think it’s incumbent on the ICO to clarify this point. On the face of it, this subtle change could lead some to assume they can now contact existing customers and supporters, for whom they don’t have current marketing preferences on record, ask them to confirm their contact details and ask them if they want to opt out of future marketing. If it transpires that the ICO is now of the view that the word “initially” in regulation 22 can be ignored, that would not be an unreasonable understanding of what might be permitted. But if that is the ICO’s view it will also be incumbent on them to justify what would be a remarkable position for a regulator to take.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under charities, Information Commissioner, marketing, PECR

Something rotten in the state of Wilmslow

I realise that I’ve written reams on LinkedIn, but nothing here, to reflect the ignominious departure of Information Commissioner, John Edwards. This is cobbled together from those posts.

Very early on the morning of 19 June, Information Commissioner John Edwards announced on LinkedIn an intention to resign, citing “poor judgement and…attempts at humour that were inappropriate and caused offence”.

This was in reference to the “independent workplace investigation” into his conduct, which had led to his stepping aside from his duties at the end of February: a fact which the ICO kept from the public, and from most of its own staff, for several weeks (might others have come forward in that time, had they known more?), and which they only publicly acknowledged after Edwards posted about the investigation on LinkedIn.

Edwards’ comments appear to have had the effect of stealing a march on the ICO’s and the government’s own communications. They were picked up by a lot media and commentators and run as “resignation over inappropriate humour”.

But, by the end of the day, the Secretary of State for his sponsor department, Science, Innovation and Technology, Liz Kendall, had revealed that, much more than that, she had

seen evidence of the vulgar and highly sexualised language that was used in his interactions with his staff and am extremely concerned that he continues to describe these incidents as misplaced humour. Multiple women shared testimony to the investigator on feeling offended, shocked and uncomfortable following interactions with Mr Edwards.

The ICO then put out a statement on 20 June, saying that

Mr Edwards’ actions were completely at odds with our values. We do not accept sexual harassment, bullying or discrimination in any form and have clear policies in place to deal with issues such as these.

And then, on 22 June, MLex reported (£) that

Despite the ICO’s relative silence, comments about the workplace culture at Britain’s privacy regulator have been increasingly common since the investigation started, even if most remarks were made privately…MLex understands Edwards was often described as “a bully” by current and former ICO employees. Beyond complaints of harassment and dismissive treatment of staff, a disproportionate growth in the numbers of staff at director and executive director levels while lower-grade staff were under extreme stress was also pointed out as a key factor contributing to a poor workplace environment.

Quite frankly this is a disgrace. My sympathy is with those who had to work with him in what appears to have been a toxic environment.

And questions still hang over this: how long has this behaviour been known about? and by whom?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Information Commissioner, John Edwards

Information Commissioner John Edwards resigns

Many will be aware that there has been a recent “independent workplace investigation” into the conduct of John Edwards, Information Commissioner.

A few days after news was announced that the initial investigation had revealed he had a “case to answer” Mr Edwards has announced on LinkedIn that he has resigned, both as current Commissioner and as incoming Chair of the new Information Commission.

Details as to what the impugned conduct was are sparse, but he refers to “poor judgement” and “attempts at humour that were inappropriate and caused offence”.

As a matter of law, the Commissioner doesn’t simply resign: paragraph 3(1) of schedule 12 of the Data Protection Act 2018 requires him to request to the King that he be relieved of his office. One wonders if this has already been done: if not, although the ultimate outcome is of course inevitable, is it maybe a bit presumptuous?

Needless to say, this is all unprecedented. And it presents the government with a headache: they will have been hoping for a smooth and largely unnoticed transition from the old model of Commissioner as Crown appointee and corporation sole to a modern regulatory Information Commission, with Edwards as Chair. Now, those transition arrangements have no doubt been made much more complicated (at the least), and there will need to be an exercise to recruit and appoint a new Chair.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Information Commissioner, John Edwards, Uncategorized

Data protection complaints – a missed opportunity

Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers?

Section 103 of the Data (Use and Access) Act 2025, which will come into effect on 19 June this year, inserts a new section 164A into the Data Protection Act 2018. It confers a right on data subjects to make a complaint to a data controller, and imposes a duty on controllers to facilitate this, and take appropriate steps to respond to any such complaint.

Perhaps surprisingly, Parliament chose to say that controllers must acknowledge receipt of complaints within 30 days (!), but chose not to specify a time frame for actually responding to them. Instead, controllers must simply “inform the complainant of the outcome…without undue delay”.

Last year the ICO ran a consultation on draft guidance for handling data subject complaints. In their now-published summary of responses to the consultation, the ICO explained that some people who responded questioned whether the ICO should lay down some guidance for how long a controller should take to respond to a complaint. In declining to do so, the ICO says

We recognise that organisations would like us to set out a specific time period within which we expect they should investigate the complaint. The legislation says “without undue delay”, which is context dependent. We’ve therefore provided advice around how to complete the investigation “without undue delay”./This will vary from one complaint to another, and from one organisation to another. A timeframe that is justifiable for one complaint may be unjustifiable for another.

All this is true, but I don’t really buy it. Legislation will quite often provide a broad framework for a procedure, with regulators or other overseers then producing good practice guidance.

It strikes me that it would have been straightforward for the ICO to say “Complaints must be responded to without undue delay. In most cases we would expect controllers to do so within [say] 40 days. Where this timeframe is exceeded we will expect controllers to explain why this did not constitute an undue delay”.

As it is, I can readily foresee some controllers taking many months to respond. As the ICO generally won’t accept complaints themselves until the data subject has received a response from the controller, this has the potential to build in even greater delay for data subjects.

(And all that is before we get to the issue of delays at the ICO’s end, and their new approach to complaints where, in effect, they will peremptorily dismiss some.)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data (Use and Access) Act, Data Protection, Data Protection Act 2018, Information Commissioner

NCND for personal data – a qualified exemption?

[reposted from my LinkedIn Account]

I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb.

In it, the FTT dismantle the argument (and the decision notice) of the Information Commissioner’s Office that Bolton NHS Foundation Trust were entitled to “neither confirm nor deny” (NCND) holding reviews, including a review by PWC, into the Trust’s governance and management. The PWC review was the subject of an article in the Health Service Journal, and the requester was the journalist, Lawrence Dunhill.

Firstly, the FTT noted that the ICO “case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing” (the Trust had only applied NCND in respect of the request for a PWC report, but had confirmed it held other reviews). Oddly, the Trust, in its submissions for the appeal, simply ignored this error (the FTT chose not to speculate on “whether that omission was accidental or tactical”).

Secondly, and notably, the FTT found a fundamental error of law in the ICO’s approach (and, by implication, in its guidance) to NCND in the context of personal data. Section 2(3)(fa) of FOIA provides that section 40(2) is an absolute exemption (therefore not subject to a public interest test). But section 2(3) does not include section 40(5B) (the personal data NCND provision) in the list of absolute exemptions. As far as I know, the ICO has always taken the view, however, that it is an absolute exemption – certainly its current guidance says this).

That approach, held the FTT, is “simply wrong…the exemption under FOIA, s40(5B)(a)(i) is qualified and the public interest balancing test applies”. And but for that error, they said, the ICO might have reached a different conclusion.

As it was, the FTT held that the legitimate interests balancing test under Article 6(1)(f) of the UK GDPR was sufficient to determine the issue: merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when balanced against the requester’s legitimate interests.

It will be interesting to see if the ICO appeal this. Given the strength of the criticism it would perhaps be bold to do so, but it might be that the only alternative will be to have to rewrite their guidance on s40(5), and rethink their long-held view on it.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, NCND, UK GDPR

Chief Constable in contempt over body-worn-video footage disclosure failures

The Court of Appeal has handed down an extraordinary judgment (Buzzard-Quashie v Chief Constable of Northamptonshire Police [2025] EWCA Civ 1397) in which the Chief Constable of Northamptonshire was forced to admit civil contempt of court, after camera footage, which the police force had repeatedly insisted, including before the lower courts, and also in response to an express order of the county court, did not exist, was found to exist just before the appeal hearing.

The appellant/applicant, Ms Buzzard-Quashie, had been arrested and initially charged with an offence in 2021. The arrest had involved three officers, all of whom had deployed body-worn-video cameras. Ms Buzzard-Quashie had complained about the arrest very shortly afterwards, and had sought copies of the footage. Although the charge was dropped, the force made only “piecemeal” disclosure, before determining that there was no further footage, or what there had been, had been destroyed.

At that point, she complained to the Information Commissioner’s Office, who told her that it had told the force “to revisit the way it handled your request and provide you with a comprehensive disclosure of the personal data to which you would be entitled as soon as possible”. (Here, the court – I believe – slightly misrepresents this as an “order” by the ICO. The ICO has the power to make an order, by way of an enforcement notice, but it does not appear to have issued a notice (and it would be highly unusual for it to do so in a case like this).)

The force did not do what the ICO had told it to do, so Ms Buzzard-Quashie issued proceedings in the Brentford County Court and obtained an order requiring the force to deliver up to her any footage in its possession or, if none was available or disclosable, to provide a statement from an officer “of a rank no lower than Inspector” explaining why it could not. It also required the force to pay her costs.

Remarkably, the force did not comply with any element of this order. This failure led to Ms Buzzard-Quashie initiating contempt proceedings in the High Court. At that hearing the Chief Constable, in evidence, maintained that that a full search had already been performed; all the footage had been produced; no other footage existed; and he was not in contempt. The judge found that Ms Buzzard-Quashie had not succeeded in establishing to the criminal standard that the Chief Constable was in contempt.

Upon appeal, and just before the hearing, primarily through the efforts of Ms Buzzard-Quashie and her lawyers (acting pro bono), the force was compelled to admit that footage did still exist: its searches had been manifestly inadequate.

The CoA found that eight pieces of information and evidence (and this was “only a selection”) had not been true, and that “the Chief Constable had not only failed to comply with the [County Court] Order in both substance and form, but had advanced a wholly erroneous factual case before that court, and before this court as well”. Ms Buzzard-Quashie clearly succeeded in her appeal.

The judgment records that the issue of sanction for the contempt found “must wait until the next round of the process”, which presumably will be a further (or perhaps remitted) hearing.

There are any number of issues arising from this. It is, for example, notable that the data protection officer for the force was involved in the searches (and, indeed, she gave the initial statement that the County Court had ordered be given by an Inspector or above).

But a standout point for me is how incredibly difficult it was for Ms Buzzard-Quashie to vindicate her rights: the police force, for whatever reason, felt able to disregard both the statutory regulator and an order of a court. She and her pro bono lawyers showed admirable tenacity and skill, but those features (and that pro bono support) are not available to everyone. One welcomes the fact that all three judges noted her efforts and those of the lawyers.

The force has referred itself to the Independent Office of Police Conduct, and the Court of Appeal has reinforced that by making the referral part of its own order.

In this post I’ve tried to summarise the judgment, but I would strongly encourage its reading. The screenshot here is merely part of the damning findings.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Body worn video, Data Protection, Information Commissioner, judgments, police, subject access

MoD: “too costly” to find out if there have been further spreadsheet data breaches

Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt?

Anyone who’s ever had been responsible for compiling or overseeing a data breach log will know that one of the commonest incidents is the inadvertent disclosure of personal data. And since the time spreadsheets could first be sent via, or uploaded to, the internet people have mistakenly left personal data in them which should have been removed or otherwise masked. It’s not a new phenomenon: as long ago as 2013 I wrote for the Guardian about the risks, and what I perceived then as a lack of urgency by the Information Commissioner’s Office in addressing, and educating about, those risks.

So it might be found surprising that, two years after the most catastrophic data breach in UK history, in which the information of thousands of Afghan citizens was mistakenly disclosed, putting many lives directly at risk, the Ministry of Defence appears to have no process for identifying when or whether there have been recurrences of the issue.

Section 12 of the Freedom of Information Act 2000 permits a government department not to comply with a request where locating and retrieving any information held would take more than 24 hours. It’s not uncommon for it to be invoked where requests are formulated in too general a manner.

But when I made a request to the MoD for

the number of personal data breaches recorded between April 2023 to date which involved: a) disclosure of personal data to the wrong recipient; b) inadvertent disclosure of personal data contained in a spreadsheet

I imagined that this would be relatively easily located and extracted. Most data breach logs I’ve seen would be categorised in such a way as to enable this. However, the MoD instead informed me that it would take over 237 hours to do so.

Helpfully, the MoD said that if I restricted my request just to the first part (“disclosure of personal data to the wrong recipient”) they might be able to comply. But what this appears to indicate is that no, or no clear, record is being taken of whether there have been repeats of the spreadsheet error involving Afghan citizens.

The Information Commissioner’s Office (ICO) has come under some criticism – including from the leading academics, the Science, Innovation and Technology Committee, and me – for failing even to conduct a formal investigation into the Afghan spreadsheet data breach. Justifying that decision, the Commissioner himself said that

MoD has briefed us on the measures it has adopted since the breach, which seek to mitigate risk of such an incident occurring in future

But if the MoD cannot say (without it taking more than 237 hours) whether there have been further such incidents, how can they reassure themselves that the risk has been indicated?

And perhaps more pertinently, how can the ICO be satisfied of this?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under Data Protection, data security, Freedom of Information, Information Commissioner, Ministry of Defence, personal data breach

Tribunal: unincorporated associations are not companies for the purposes of FOIA

The question of whether a body is a public authority for the purposes of the Freedom of Information Act 2000 (FOIA) is determined by asking (up to) three questions:

1: is it listed in Schedule 1 to FOIA?
2: has it been designated as a public authority by order by the Secretary of State or Minister for the Cabinet Office?
3: is it a company wholly owned by the wider public sector, or by the Crown (or by both of those)?

If the answer to all of those is “no”, then the body is not a public authority, and it is not obliged to comply with FOIA, no matter how much it might seem or look like a public authority.

These issues arose in a recent case in the First-tier Tribunal, following a decision by the Information Commissioner’s Office that the Conference of Colleges of the University of Oxford (the “Conference”) – an unincorporated association – was not a FOIA public authority.

It is accepted that the University of Oxford is a public authority, as is each of the colleges of the University (see paragraph 53 of Schedule 1 FOIA). The appeal to the Tribunal was based on argument by the appellant (“The Association Of Precarious Postdoctoral Researchers Ltd”) that the Conference, being a body created by the constituent colleges, met the definition of a “company” wholly owned by those colleges. Although FOIA does not define “company”, certain other legislative provisions do, including section 1121 of the Corporation Tax Act 2010, pursuant to which it is defined as meaning “any body corporate or unincorporated association…”.

That argument, however – held the Tribunal – actually counted against the appellant, because in the absence of clear legislative intent to broaden the term for the purposes of FOIA, it should take its ordinary English use: “unincorporated associations are not considered to be caught by the normal definition of a ‘company’ and…Parliament will make express provision to include them where it intends to do”.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal

ICO fines: are you certain?

In his inaugural speech as Information Commissioner, in 2022, John Edwards said

my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator acts

It’s a message he’s sought to convey on many occasions since. No surprise: it’s one of the Commissioner’s tasks under the Regulators’ Code to

improve confidence in compliance for those they regulate, by providing greater certainty

This isn’t the place or the time for a broad analysis of how well the ICO has measured up to those standards, but I want to look at one particular example of where there appears to be some uncertainty.

In March 2024, the ICO fined the Central YMCA £7500 for serious contraventions of the UK GDPR. In announcing the fine, the ICO said that it would have been £300,000 but that “this was subsequently reduced in line with the ICO’s public sector approach” (the policy decision whereby “fines for public sector bodies are reduced where appropriate”). When questioned why a charity benefited from the public sector approach, the ICO stated that

Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities…the fine is in line with the spirit of our public sector approach

So the charity sector might have reasonably drawn from this that, in the event that another charity doing a “lot of good work” seriously contravened the UK GDPR, but engaged in good faith with the ICO and made amends to its processing activities, it would also benefit from the public sector approach, with a similar reduction of around 97.5% in any fine.

However, on 28 July, the Scottish charity Birthlink was fined £18,000 by the ICO for serious contraventions of the UK GDPR but the ICO did not apply the public sector approach. When I questioned why, the answer merely confirmed that it had not been applied, but that they had applied their Fining Guidance. Admittedly, Birthlink did not recognise the seriousness of its contraventions for around two years, but that was not mentioned in the ICO’s answer.

I was also referred to the consultation on continuing the public sector approach, which ran earlier this year. That consultation explained that the proposal was not to apply the public sector approach to charities in the future, because the ICO would have regard to the definition of “public authority” and “public body” at section 7 of the Data Protection Act 2018, which, for obvious reasons, doesn’t include charities.

However, the outcome of that consultation has not been announced yet, and the ICO site says

In the meantime, we will continue to apply the approach outlined by the Commissioner in his June 2022 open letter.

As that current approach is the one under which the ICO applied great leniency to the Central YMCA, the question therefore remains – why did Birthlink not also benefit from it?

And there’s a wider question: the definition of a public body/authority at section 7 of the Data Protection Act 2018 has been in effect since 2018. Why did the ICO think, in 2024, that section 7 was not relevant, and that a (wealthy) charity should qualify for the public sector approach, but then decide that another (much less wealthy) charity shouldn’t, when facing a fine only a few months later?

The answers are far from certain.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consistency, Data Protection Act 2018, fines, Information Commissioner, monetary penalty notice, UK GDPR

Data Protection risks to life: Should more be done?

I’ve written up my thoughts for the Mishcon de Reya website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

https://www.mishcon.com/news/data-protection-risks-to-life-should-more-be-done

Leave a comment

Filed under Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, Ministry of Defence, UK GDPR