Tag Archives: ICO

March 12, 2023 · 12:49 pm

Where’s the Tories’ privacy notice? (just don’t mention the footballer)

The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:

Further down the page visitors are invited to “send Labour a message”

Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)

One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”

There are two things to note.

First, the form appears to submit whether one ticks the “I agree” box or not.

Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.

So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.

I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.

Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.

It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.

And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, marketing, PECR, privacy notice, social media, spam, UK GDPR

Tagged as , , , ,

February 28, 2023 · 8:29 pm

FOI embarrassment

At a recent awards event, recognising high-performing Freedom of Information officers and teams (fantastic idea by the organisers/sponsors, by the way*) I gave a brief talk where I stressed that it was important to recognise how much FOI has achieved in its 23 (or 18**) years, and to remember that every day thousands of disclosures are made by thousands of public authorities. It’s very easy to snipe at bad practice, and I often do, but if we don’t acknowledge the benefits, the real opponents of FOI might start arguing for its repeal.

So. Celebrate success. Accentuate the positive. Eliminate the negative.

However.

Then you see a decision notice from the Information Commissioner (ICO), in which a large London council had refused to disclose, under FOI, information on how many enquiries (MEQs) each of its councillors*** had submitted to the council on behalf of constituents. The reason for refusal was that this was the personal data of the councillors (well, yes) and that disclosure would infringe those councillors’ rights under the data protection law (hell, no).

This isn’t time for legal analysis. It really is as extraordinary as it sounds.

Thankfully, the ICO had no truck with it (and the notice does have legal analysis).

Frankly, though, the council should be ashamed.

______________________

*I have no personal or professional interest

**The Act commenced in 2000, but the main provisions didn’t commence until 2005

***At the end of the notice there is a big hint as to the role of the person who made the request – see if you can guess

.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Freedom of Information, Information Commissioner, local government

Tagged as , ,

February 22, 2023 · 8:24 am

Monitoring of lawyers by the state

In the Commons on Monday Robert Jenrick, minister for immigration, said, in the context of a debate on the implications of the violent disorder outside a hotel providing refuge for asylum seekers, in Knowsley on 10 February, and in answer to a question about why no “small boats bill” has been introduced into Parliament

this is one of the most litigious areas of public life. It is an area where, I am afraid, human rights lawyers abuse and exploit our laws at times, and where the courts have taken an expansive approach in the past. That is why we must get this right, but we will be bringing forward that legislation very soon

When pressed on his reference to abuse of the law by lawyers, and asked “how many solicitors, advocates and barristers have been reported by the Home Office in the last 12 months to the regulatory authorities”, Mr Jenrick replied

We are monitoring the activities, as it so happens, of a small number of legal practitioners, but it is not appropriate for me to discuss that here.

This is a remarkable statement, both in its lack of detail and in its potential effect. The prospect of the monitoring of lawyers by the state carries chilling implications. It may well be that Mr Jenrick had no intention of making what could be interpreted as an oppressive statement, but words are important, and words said in Parliament carry particular weight.

It may also be that the “monitoring” in question consists of legitimate investigation into potential criminality by that “small number” of lawyers, but if that was the case, why not say so?

But “monitoring”, in itself, must be done in accordance with the law. If it is in the context of a criminal investigation, or surveillance, there are specific laws which may apply.

And to the extent that it involves the processing of personal data of the lawyers in question (which, inevitably, it surely must, when one considers that “processing” means, among other things “collection, recording, organisation, structuring or storage” performed on personal data) the monitoring must comply with applicable data protection laws).

As a fundamental general principle, processing of personal data must be transparent (see Articles 5(1)(a), 13 and 14 UK GDPR, or, for law enforcement processing, section 44 of the Data Protection Act 2018 (DPA), or, for Intelligence Services Processing, section 93 of the DPA.

There are qualifications to and exemptions from this general principle, but, in the absence of circumstances providing such an exemption, a data subject (here, the lawyers who are apparently being monitored) should be made aware of the processing. The information they should receive includes, among other things: the identity and the contact details of the person directing the processing; the legal basis and the purposes of the processing, and; the recipients or categories of recipients of the personal data.

We tend to call the notices we receive under these provisions “privacy notices”. Those of us who have practised data protection law for a long time will remember the term “fair processing notice” which is arguably a better term. Whatever one calls them, though, such notices are a bedrock of the law – without being aware of the processing, and the risks, rules, safeguards and rights in relation to it, data subjects cannot properly exercise their rights.

With all that in mind, has the Home Office – or whoever it is who is directing the monitoring of the “small number of lawyers” – informed them that they are being monitored? If not, why not?

Returning to my earlier comments about the oppressiveness of comments to the effect that, or the giving of a perception that, the coercive powers of the state are being deployed against lawyers by monitoring them, one wonders if the Information Commissioner should take steps to investigate the background to Mr Jenrick’s comments.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, transparency, surveillance, human rights, Home Office, privacy notice, Data Protection Act 2018, law enforcement, monitoring

Tagged as , , , ,

February 11, 2023 · 12:07 pm

SNP MP private email hack

UPDATE 13.02.23: it’s been drawn to my attention that Mr McDonald says that his private account is “not used for constituency or parliamentary business” END UPDATE

It was reported last week that the email account of Stewart McDonald, an SNP MP, had been compromised in what he described as a “sophisticated and targeted spear phishing hack”. The BBC appeared to agree with him, describing it as a “highly targeted and sophisticated attack”.

Maybe it was, although surely MPs are told to be wary of unexpected email attachments, and not to put enter system passwords when asked to in palpably suspicious circumstances (McDonald had attempted to open a document apparently sent by a member of his staff, with a military update on Ukraine, and clicking on it brought up a login page for the email account he was using).

But what I haven’t seen raised much in the media is the fact that the account which was compromised appears to have been McDonald’s private email account, and that the offending attachment was sent (or was spoofed to make it look like it was sent) from his staffer’s private email account. The reporting has referred to “personal” email account, from which it is reasonable to infer that these are not official accounts (such as McDonald’s one given on his parliamentary page).

Only last year the Information Commissioner presented a report to Parliament on the use of private communications channels in government. Although the report was prompted by concerns about the use of such private channels within the Department for Health and Social Care, it made clear that it had general application in relation to the “adopting [of] new ways of working without sufficient consideration of the risks and issues they may present for information management”. The report stresses throughout the importance of “maintaining the security of personal and official information” and the risks that private channels present to such security.

Did Mr McDonald and his staff read it? If not, this tweet he made only a couple of years ago is ironic, to say the least.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under data security, Information Commissioner, national security, parliament, security

Tagged as , ,

February 4, 2023 · 9:56 am

Facial recognition in the school canteen

A piece I wrote for the Mishcon de Reya website on the ICO’s recent letter to North Ayrshire Council on the use of facial recognition technology in schools:

https://www.mishcon.com/news/ico-takes-action-on-facial-recognition-in-schools

Leave a comment

Filed under Biometrics, consent, Facial recognition, Information Commissioner

Tagged as , ,

December 18, 2022 · 10:48 am

ICO investigated potential FOI criminal offences by government departments

Under section 77 of the Freedom of Information Act 2000 (FOIA) a person commits a criminal offence if – after someone has made a request for information to a public authority, and would have been entitled to disclosure of that information – he or she

alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled

This is the only section of FOIA which carries a criminal penalty. It is very rarely invoked: since FOIA commenced in January 2005, there has been just one successful prosecution brought by the Information Commissioner’s Office (ICO) (and, as far as I know, only one other, unsuccessful, prosecution).

One reason for the lack of cases is that the ICO can only bring a prosecution within six months of the offence occurring. This has been identified for many years as an issue which should be addressed (but successive governments have declined to do so).

Nonetheless, a recent FOIA disclosure by the ICO reveals that in the last few years potential section 77 offences by government departments have been investigated. The request, made via the public WhatDoTheyKnow platform, was for information on “all Section 77 investigations carried out regardless of outcome for all Government departments”. In response, the ICO disclosed that

we have opened the following cases with regard to allegations of s77 allegations against Government Departments:
PCB/0013/2018 – MoJ IC/506/2020 – DWP IC/0549/2020 – Cabinet Office INV/0950/2021 – Cabinet Office.

This appears to suggest the existence of four separate investigations. In response to a request for further comment the ICO press office stated to me that none of the cases was still open, but declined to say any more. This seems to confirm that no proceedings were brought as a result of the investigations, but it is not possible to speculate on the reasons why. Nor are details available as to the circumstances under which the investigations were made.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Cabinet Office, DWP, Freedom of Information, Information Commissioner, Ministry of Justice, section 77

Tagged as ,

November 26, 2022 · 10:59 am

Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, DHSC, Freedom of Information, Information Commissioner, records management, ROPA, Uncategorized

Tagged as , , ,

November 2, 2022 · 5:11 pm

ICO threatened Matt Hancock with £17.5m fine (sort of)

It’s well known that, under the UK GDPR, and the Data Protection Act 2018 (DPA), the Information Commissioner can fine a controller or a processor a maximum of £17.5m (or 4% of global annual turnover). Less well known (to me at least) is that he can fine any person, including you, or me, or Matt Hancock, the same, even if they are not a controller or processor.

Section 142 of the DPA empowers the Commissioner to serve “Information Notices”. These fall broadly into two types: those served on a controller or processor requiring them to provide information which the Commissioner reasonably requires for the purposes of carrying out his functions under the data protection legislation; and those requiring

any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of—

(i)investigating a suspected failure of a type described in section 149(2) or a suspected offence under this Act, or

(ii)determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.

And by section 155(1) of the DPA, the Commissioner may serve a monetary penalty notice (aka “fine”) on any “person” who fails to comply with an Information Notice. That includes you, or me, or Matt Hancock. (Section 157(4) provides that the maximum amount is £17.5m, or 4% of global annual turnover – although I doubt that you, I, or Matt Hancock has an annual global turnover.)

All very interesting and theoretical, you might think. Well, so might Matt Hancock have thought, until an Information Notice (which the Commissioner has recently uploaded to the ICO website) dropped onto his figurative doormat last year. The Notice was in relation to the Commissioner’s investigation of the leaking of CCTV images showing the former Secretary of State for Health and Social Care and his former aide enjoying each other’s company. The investigation – which was into the circumstances of the leak, and not Matt Hancock’s conduct – concluded in April of this year, with the ICO deciding that there was insufficient evidence to justify further action. But the Notice states clearly at paragraph 7 that failure to comply is, indeed, punishable with a fine of up to £17.5m (etc.).

The Matt Hancock Notice admittedly addresses him as if he were a controller (it says the ICO is looking at his compliance with the UK GDPR) although I am not sure that is correct – Matt Hancock will indeed be a controller in respect of his constituency work, and his work as an MP outside ministerial duties, but the normal approach is that a ministerial department will be the relevant controller for personal data processed in the context of that department (thus, the Department for Health and Social Care shows as a controller on the ICO register of fee payers).

Nonetheless, the ICO also issued an Information Notice to Matt Hancock’s former aide (as well as to Helen Whateley MP, the Minister of State), and that one makes no mention of UK GDPR compliance or a suggestion she was a controller, but does also “threaten” a potential £17.5m fine.

Of course, realistically, no one, not even Matt Hancock, was really ever at risk of a huge fine (section 155(3) of the DPA requires the Commissioner to have regard to various factors, including proportionality), but it strikes me as a remarkable state of affairs that you, I or any member of the public caught up in a matter that leads to ICO investigation, and who might have relevant information, is as a matter of law vulnerable to a penalty of £17.5m if they don’t comply with an Information Notice.

Even Matt Hancock.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, information notice, monetary penalty notice, UK GDPR

Tagged as , ,

October 18, 2022 · 7:34 am

NADPO conference on 22 Nov, with keynote from John Edwards, Information Commissioner

NADPO’s 2022 annual conference will see a return to in-person events. And we are delighted that the keynote speaker is UK Information Commissioner John Edwards. John will be joined by a stellar line up including

  • Maurice Frankel, from the Campaign for Freedom of Information
  • Professor Victoria Nash, from the Oxford Internet Institute
  • Professor Lilian Edwards, from Newcastle University, and also the Ada Lovelace Institute
  • Sarah Houghton, Head of Competition Law at Mishcon de Reya LLP
  • Stewart Room, of DWF and also President of NADPO

The conference will take place on 22 November, at the Mishcon de Reya offices at Africa House, Kingsway (right next to Holborn tube station).

Attendance is free (as ever) for all NADPO members, and it is not too late to purchase a membership, for the price of £130, which guarantees free attendance at all NADPO events, as well as at some partners’ events, as well as discounted rates on commercial training services from respected providers. Members also receive a monthly newsletter.

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner, NADPO

Tagged as , , ,

September 23, 2022 · 8:00 am

Was the Queen’s Funeral day a FOIA “working day”?

Under the Freedom of Information Act 2000 a public authority must respond to a request for information within 20 working days. For obvious reasons “working day” does not include a bank holiday. Does this mean that for FOIA requests made before Monday 19 September 2022 (the bank holiday in recognition of the late Queen’s funeral) public authorities and requesters must add an extra day when calculating when a response to the request is due? The jury is out.

Section 10(6) of FOIA defines a “working day” as

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule to that 1971 Act therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of the 1971 Act go on to add that the Sovereign can effectively remove or add a bank holiday “by proclamation”, and this was the means by which 19 September was made a bank holiday.

(In passing it’s interesting to note that those sections of the 1971 Act refer to proclamations by “Her Majesty”. Clearly “Her Majesty” could not have made the proclamation. However, by section 10 of the Interpretation Act 1978 “In any Act a reference to the Sovereign reigning at the time of the passing of the Act is to be construed, unless the contrary intention appears, as a reference to the Sovereign for the time being”.)

But the question of whether the 19 September should be classed as a working day or not for the purposes of FOIA requests which were already running, might turn on the extent to which the general presumption at common law applies, whereby legislation is not intended to have retrospective effect. See, in this regard, Lord Kerr in Walker v Innospec Limited and others [2017] UKSC 47:

The general rule, applicable in most modern legal systems, is that legislative changes apply prospectively…The logic behind this principle is explained in Bennion on Statutory Interpretation, 6th ed (2013), Comment on Code section 97:

‘If we do something today, we feel that the law applying to it should be the law in force today, not tomorrow’s backward adjustment of it.’

An exception to the general rule will only apply where a contrary intention appears.

It might be said, though, that the proclamation of a bank holiday, pursuant to a statutory power, is not in itself a legislative change to which the general rule against retrospectivity applies. I’m not sure there’s a clear answer either way.

Whether public authorities should have one extra day for a FOIA request is clearly not a constitutional issue which should trouble the great minds of our generation (although I know plenty of FOI teams and officers who are judged on their performance against indicators such as response times). Nonetheless, I asked the ICO this week what their view was, and the answer that came back was that they didn’t have a settled position on the issue, but that, in the event of a subsequent complaint about whether a deadline had been met, they would take all the circumstances into account (which I take to mean that they are unlikely to criticise a public authority whichever way it decided to approach the question).

Shortly after initially uploading this post, I was contacted by someone who pointed out that the New Zealand parliament has specifically legislated to give retrospective “non-working-day” effect to its own extraordinary bank holiday. This would seem to reinforce the point about the presumption against retrospectivity unless there’s an express intention to the contrary.

So it probably doesn’t matter, and probably no one really cares. But I enjoyed thinking about it.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner

Tagged as ,