Tag Archives: ICO

ICO still breaching law it’s meant to oversee

A month ago I pointed out some rather concerning  failings by the Information Commissioner’s Office (ICO) in its own compliance with Freedom of Information (FOI) law. At the time, the ICO press office told me

We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon

It’s with some incredulity, therefore, that I see that one of the requests has still not been responded to, despite a further twenty working days having elapsed, and despite the (even greater) incredulity of the requester:

You have missed your own deadline, months after you should have answered this request. Your inability to answer a simple FOI promptly would be a disgrace if you were a local council. The fact that you are the FOI regulator makes your handling of my request a scandal.

I am utterly powerless here – I cannot complain to the regulator about your contempt for FOI because you are supposed to be the organisation I would complain to. Do you have no shame at all? No self respect?

What am I supposed to do now?

The other request I highlighted at the time has had a response, albeit one that was cursory, to say the best, and which is now the subject of a request for internal review.

My own request for the ICO’s compliance figures is now the subject of a formal complaint (with a request for a decision notice under section 50 of the FOI Act), although I am told that there will be, er, a delay in getting to it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

Information Tribunal rejects data subject appeals under new Data Protection Act

The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Information Tribunal

ICO breaching the law it’s meant to oversee

This may be complete coincidence, but on the WhatDoTheyKnow website, there are two Freedom of Information (FOI) requests, on similar themes, which requesters have made to the Information Commissioner’s Office (ICO), to which – at the time of writing – the ICO appears simply to be failing to respond, way beyond the statutory timescale of 20 working days.

Both requests are about procurement of external consultants. In the first, the requester asked

Please disclose all current agreements for provision of legal services by outside bodies such as barristers chambers, law firms etc. This should include the rates of pay agreed.

The request was made on the 19th February and more than three months on, has simply had no response (other than an automated acknowledgment).

In the second the (different) requester asked

how many times the Information Commissioner’s Office has engaged consultants, companies or other specialists to deliver services to the ICO without putting the work out to tender or otherwise advertising the opportunity externally

That request was made on the 26th February and, barring some holding responses, which seem to have dried up, it has had no substantive response.

The failure to respond is concerning, and the failure to communicate inexplicable. One wonders where the reluctance comes from.

My own recent experience of making FOI requests to them indicates a less-than-ideal level of compliance with the laws the ICO is meant to regulate. However, when, some time ago, I asked the ICO for compliance figures, they refused to disclose them, saying they would be published soon. Yet approximately six months on they still haven’t done so (which is not in compliance with the best-practice requirements of the section 45 FOI Code of Practice).

I offered the ICO an invitation to comment on this blogpost, and in response a spokesperson said: “We aim to resolve 95% of information requests within the statutory deadline, unless we have sought an extension. We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon.” No comment was made on the wider point about compliance, and publication of compliance statistics. (I would also make the observation that it’s rather surprising ICO only aims to respond to 95% of requests within the statutory deadline – surely they would (and should) aim to respond to 100% within the timeframe mandated by the law?)

I’ve previously expressed concern about the ICO’s unwillingness to take enforcement action against recalcitrant, if not contemptuous, public authorities for poor FOI compliance. Elizabeth Denham has recently (and unsuccessfully) called for an extension of FOI law, saying

Part of my job is to make sure that the legislation my office regulates fulfils its objectives and remains relevant. When it does not, I will speak out

Will she also speak out about the fact that her office is not itself complying with the legislation it regulates?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

ICO – HMRC must delete 5 million voice records

I have a piece on the Mishcon de Reya website, on news that the ICO has required HMRC to delete 5 million unlawfully gathered Voice ID records.

Leave a comment

Filed under consent, Data Protection, HMRC, Information Commissioner

Farrow & Ball lose appeal for non-payment of data protection fee

I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.

Leave a comment

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency

ICO – no GDPR fines in the immediate pipeline

FOI request reveals ICO has served no “notices of intent” to serve fines under GDPR. A new piece by me on the Mishcon de Reya website.

Leave a comment

Filed under Data Protection, Freedom of Information, GDPR, Information Commissioner, monetary penalty notice

There’s nothing like transparency…

…and this is nothing like transparency

Those of us with long memories will remember that, back in 2007, in those innocent days when no one quite knew what the Freedom of Information Act 2000 (FOIA) really meant, the Information Commissioner’s Office (ICO), disclosed some of its internal advice (“Lines to Take” or “LTTs”) to its own staff about how to respond to questions and enquiries from members of the public about FOIA. My memory (I hope others might confirm) is that ICO resisted this disclosure for some time. Now, the advice documents reside on the “FOIWiki” pages (where they need, in my opinion, a disclaimer to the effect that some of the them at least are old, and perhaps out-of-date).

Since 2007 a number of further FOIA requests have been made for more recent LTTs – for instance, in 2013, I made a request, and had disclosed to me, a number of LTTs on data protection matters.

It is, therefore, with some astonishment, that I note that a recent FOIA request to ICO for up-to-date LTTs – encompassing recent changes to data protection law – has been refused, on the basis that, apparently, disclosure would, or would be likely to, inhibit the free and frank exchange of views for the purposes of  deliberation, and would otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs. This is problematic, and concerning, for a number of reasons.

Firstly, the exemptions claimed, which are at section 36 of FOIA, are the statute’s howitzers – they get brought into play when all else fails, and have the effect of flattening everything around them. For this reason, the public authority invoking them must have the “reasonable opinion” of its “qualified person” that disclosure would, or would be likely to, cause the harm claimed. For the ICO, the “qualified person” is the Information Commissioner (Elizabeth Denham) herself. Yet there is no evidence that she has indeed provided this opinion. For that reason, the refusal notice falls – as a matter of law – at the first hurdle.

Secondly, even if Ms Denham had provided her reasonable opinion, the response fails to say why the exemptions are engaged – it merely asserts that they are, in breach of section 17(1)(c) of FOIA.

Thirdly, it posits frankly bizarre public interest points purportedly militating against disclosure, such as that the LTTs “exist as part of the process by which we create guidance, not as guidance by themselves”, and “that ICO  staff should have a safe space to provide colleagues with advice for them to respond to challenges posed to us in a changing data protection landscape”, and – most bizarre of all – “following a disclosure of  such notes in the past, attempts have been made to utilise similar documents to undermine our regulatory procedures” (heaven forfend someone might cite a regulator’s own documents to advance their case).

There has been such an enormous amount of nonsense spoken about the new data protection regime, and I have praised ICO for confronting some of the myths which have been propagated by the ignorant or the venal. There continues to be great uncertainty and ignorance, and disclosing these LTTs could go a long way towards combatting these. In ICO’s defence, it does identify this as a public interest factor militating in favour of disclosure:

disclosure may help improve knowledge regarding the EIR, FOIA or  the new data protection legislation on which the public desire information as evidenced by our increase in calls and enquiry handling

And as far as I’m concerned, that should be the end of the matter. Whether the requester (a certain “Alan Shearer”) chooses to challenge the refusal is another question.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Freedom of Information, GDPR, Information Commissioner, transparency

ICO – “we’re very sorry we fined you”

***Update, 3 September. ICO have now published their apology – although scant on details it does state that “there were significantly fewer complaints than previously evidenced” and that this information led to the withdrawal of the MPN.***

It’s not unusual for the recipient of a monetary penalty notice (MPN) to appeal to the Information Tribunal. It’s not entirely unusual for such appeals to be settled by consent of the parties (normally when one of them concedes that its case is not tenable).

It’s much rarer, however, for a consent order to have attached to it a requirement that the Information Commissioner’s Office should apologise for serving the MPN in the first place. But that’s exactly what has recently happened. A consent order dated 25 September 2018 states that, by consent, the appeal by STS Commercial Limited is allowed, and that

The Commissioner will publish [for four weeks] on the Information Commissioner’s Office website in the section “News, blogs and speeches”, the following statement:

On 6 July 2018 the ICO announced that the Information Commissioner had imposed a fine of £60,000 on STS Commercial Ltd for allowing its lines to be used to send spam texts. STS Commercial Ltd appealed that penalty and upon considering the grounds of appeal, the ICO accepts that the appeal should be allowed and no monetary penalty should be imposed. The ICO apologises to STS Commercial Ltd.

Already, most of the traces of the MPN have been removed from the ICO’s website (and Google returns broken links), although the apology itself does not appear to have yet been uploaded.

Section 55B(5) of the Data Protection 1998 provides for the right of appeal, in respect of MPNs served by the ICO under section 55A for contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003. And paragraph 37 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 provides that the Tribunal may

make a consent order disposing of the proceedings and making such other appropriate provision as the parties have agreed

One wonders what on earth occurred that has led not just to the appeal being disposed of, but such contrition from the ICO!

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under Information Commissioner, Information Tribunal, monetary penalty notice, PECR

The wheels of the Ministry of Justice

do they turn so slowly that they’ll lead to the Lord Chancellor committing a criminal offence?

On 21 December last year, as we were all sweeping up the mince piece crumbs, removing our party hats and switching off the office lights for another year, the Information Commissioner’s Office (ICO) published, with no accompanying publicity whatsoever, an enforcement notice served on the Secretary of State for Justice. The notice drew attention to the fact that in July 2017 the Ministry of Justice (MoJ) had had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. And by November 2017 that had barely improved – to 793 cases dating back to 2014.

I intended to blog about this at the time, but it’s taken me around nine months to retrieve my chin from the floor, such was the force with which it dropped.

Because we should remember that the exercise of the right of subject access is a fundamental aspect of the fundamental right to protection of personal data. Requesting access to one’s data enables one to be aware of, and verify the lawfulness of, the processing. Don’t take my word for it – look at recital 41 of the-then applicable European data protection directive, and recital 63 of the now-applicable General Data Protection Regulation (GDPR).

And bear in mind that the nature of the MoJ’s work means it often receives subject access requests from prisoners, or others who are going through or have been through the criminal justice system. I imagine that a good many of these horrendously delayed requests were from people with a genuinely-held concern, or grievance, and not just from irritants like me who are interested in data controllers’ compliance.

The notice required MoJ to comply with all the outstanding requests by 31 October 2018. Now, you might raise an eyebrow at the fact that this gave the MoJ an extra eight months to respond to requests which were already incredibly late and which should have been responded to within forty days, but what’s an extra 284 days when things have slipped a little? (*Pseuds’ corner alert* It reminds me of Larkin’s line in The Whitsun Weddings about being so late that he feels: “all sense of being in a hurry gone”).

Maybe one reason the ICO gave MoJ so long to sort things out is that enforcement notices are serious things – a failure to comply is, after all, a criminal offence punishable on indictment by an unlimited fine. So one notes with interest a recent response to a freedom of information request for the regular updates which the notice also required MoJ to provide.

This reveals that by July this year MoJ had whittled down those 793 delayed cases to 285, with none dating back further than 2016. But I’m not going to start hanging out the bunting just yet, because a) more recent cases might well be more complex (because the issues behind them will be likely to be more current, and therefore potentially more complex, and b) because they don’t flaming well deserve any bunting because this was, and remains one of the most egregious and serious compliance failures it’s been my displeasure to have seen.

And what if they don’t clear them all by 31 October? The notice gives no leeway, no get-out – if any of those requests extant at November last year remains unanswered by November this year, the Right Honourable David Gauke MP (the current incumbent of the position of Secretary of State for Justice) will, it appears, have committed a criminal offence.

Will he be prosecuted?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Data Protection, Directive 95/46/EC, GDPR, human rights, Information Commissioner, Ministry of Justice, Uncategorized