Tag Archives: ICO

The most boring blogpost on this blog?

Although GDPR, and the Data Protection Act 2018 (DPA18), took effect from 25 May 2018, it has been notable that the Information Commissioner’s Office (ICO) has continued to exercise its enforcement powers under the prior law. There is no problem with this, and it is only to be expected, given that regulatory investigations can take some time. The DPA18 contains transitional provisions which mean that certain sections of the Data Protection Act 1998 continue to have effect, despite its general repeal. This is the reason, for instance, why the ICO could serve its recent enforcement notice on Hudson Bay Finance Ltd using the powers in section 40 of the 1998 – paragraph 33 of Schedule 20 to the DPA18 provides that section 40 of the 1998 Act continues to apply if the ICO is satisfied that the controller contravened the old data protection principles before the rest of the 1998 Act was repealed.

However, what is noticeable in the Hudson Bay Finance Ltd enforcement notice is that it says that it was prompted by a request for assessment by the complainant, apparently made on 21 September 2018, purportedly made under section 42 of the 1998 Act. I say “purportedly” because the transitional provisions in Schedule 20 of DPA18 require the ICO to consider a request for assessment made before 25 May 2018, but in all other respects, section 42 is repealed. Accordingly, as a matter of law, a data subject can (after 25 May 2018) no longer exercise their right to request an assessment under section 42 of the 1998 Act.

This is all rather academic, because it appears to me that the ICO has discretion – even if it does not have an obligation – to consider a complaint by a data subject relating to compliance with the 1998 Act. And ICO clearly (as described above) has the power still to take enforcement action for contraventions of the 1998 Act. But no one ever told me I can’t use my blog to make arid academic points.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, Information Commissioner

Blagging as academic research

A white paper on GDPR subject access rights, presented at the Blackhat USA 2019 conference, got a lot of UK media coverage recently. Less discussion was had, however, about whether the research raised questions about the ethics and legality of “blagging”.

The paper, by Oxford University DPhil researcher James Pavur and Casey Knerr, talked of “Using Privacy Laws to Steal Identities” and describes Pavur’s attempts to acquire another person’s (Knerr’s) data, by purporting to be that person and pretending to exercise their access rights under Article 15 of the General Data Protection Regulation (GDPR). It should be emphasised that Knerr was fully acquiescent in the exercise.

Pavur and Knerr’s paper has a section entitled “Ethical and legal concerns” but what it notably fails to address is the fact that deliberately obtaining personal data without the consent of the controller is potentially a criminal offence under UK law.

Since 1998 it has been an offence to deliberately obtain personal data by deception, with defences available where the obtaining was, for instance, justified as being in the public interest. The Data Protection Act 2018 introduces, at section 170, a new defence where the obtaining is for academic purposes, with a view to publication and where the person doing the obtaining reasonably believes that it was justified in the public interest. Previously, this defence was only available where the obtaining was for the “special purposes” of journalism, literature or art.

It would certainly appear that Pavur obtained some of the data without the consent of the controller (the controller cannot properly be said to have consented to its disclosure if it was effected by deception – indeed, such is the very nature of “blagging”), but it also appears that the obtaining was done for academic purposes and with a view to publication and (it is likely) in the reasonable belief that the obtaining was justified in the public interest.

However, one would expect that prior to conducting the research, some analysis of the legal framework would have revealed the risk of an offence being committed, and that, if this analysis had been undertaken, it would have made its way into the paper. Its absence makes the publicity given to the paper by Simon McDougall, of the Information Commissioner’s Office (ICO), rather surprising (McDougall initially mistakenly thought the paper was by the BBC’s Leo Kelion). Because although Pavur (and Knell) could almost certainly fall back on the “academic purposes” defence to the section 170 offence, a fear I have is that others might follow their example, and not have the same defence. Another fear is that an exercise like this (which highlights risks and issues with which controllers have wrestled for years, as Tim Turner points out in his excellent blogpost on the subject) might have the effect of controllers becoming even more keen to demand excessive identification credentials for requesters, without considering – as they must – the proportionality of doing so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

ICO change to guidance on Subject Access Request time limits

I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.

ICO change to guidance on Subject Access Request time limits

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Open by Design, Closed by Default?

The Information Commissioner’s Office (ICO) have published their new access to information strategy. Something strikes me about their “Goal #2”:

Goal #2: Providing excellent customer service to individuals making requests to us and lead by example in fulfilling our own statutory functions

The thing strikes me is that, bizarrely, they seem to have misunderstood the goal they’ve set themselves (I nearly referred to it as their “own goal”, which has a bit of a ring about it). They say

We have a varied range of individuals who request an independent review from us and a diverse range of public authorities within our jurisdiction from large central government departments to very small parish councils.

What they don’t say is “we are a public authority, subject to the Freedom of Information Act, and have to comply with its timescales, and promote observance of it by example”.

And, unfortunately, there is much evidence recently of a failure to do this.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

ICO still breaching law it’s meant to oversee

A month ago I pointed out some rather concerning  failings by the Information Commissioner’s Office (ICO) in its own compliance with Freedom of Information (FOI) law. At the time, the ICO press office told me

We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon

It’s with some incredulity, therefore, that I see that one of the requests has still not been responded to, despite a further twenty working days having elapsed, and despite the (even greater) incredulity of the requester:

You have missed your own deadline, months after you should have answered this request. Your inability to answer a simple FOI promptly would be a disgrace if you were a local council. The fact that you are the FOI regulator makes your handling of my request a scandal.

I am utterly powerless here – I cannot complain to the regulator about your contempt for FOI because you are supposed to be the organisation I would complain to. Do you have no shame at all? No self respect?

What am I supposed to do now?

The other request I highlighted at the time has had a response, albeit one that was cursory, to say the best, and which is now the subject of a request for internal review.

My own request for the ICO’s compliance figures is now the subject of a formal complaint (with a request for a decision notice under section 50 of the FOI Act), although I am told that there will be, er, a delay in getting to it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

Information Tribunal rejects data subject appeals under new Data Protection Act

The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Information Tribunal

ICO breaching the law it’s meant to oversee

This may be complete coincidence, but on the WhatDoTheyKnow website, there are two Freedom of Information (FOI) requests, on similar themes, which requesters have made to the Information Commissioner’s Office (ICO), to which – at the time of writing – the ICO appears simply to be failing to respond, way beyond the statutory timescale of 20 working days.

Both requests are about procurement of external consultants. In the first, the requester asked

Please disclose all current agreements for provision of legal services by outside bodies such as barristers chambers, law firms etc. This should include the rates of pay agreed.

The request was made on the 19th February and more than three months on, has simply had no response (other than an automated acknowledgment).

In the second the (different) requester asked

how many times the Information Commissioner’s Office has engaged consultants, companies or other specialists to deliver services to the ICO without putting the work out to tender or otherwise advertising the opportunity externally

That request was made on the 26th February and, barring some holding responses, which seem to have dried up, it has had no substantive response.

The failure to respond is concerning, and the failure to communicate inexplicable. One wonders where the reluctance comes from.

My own recent experience of making FOI requests to them indicates a less-than-ideal level of compliance with the laws the ICO is meant to regulate. However, when, some time ago, I asked the ICO for compliance figures, they refused to disclose them, saying they would be published soon. Yet approximately six months on they still haven’t done so (which is not in compliance with the best-practice requirements of the section 45 FOI Code of Practice).

I offered the ICO an invitation to comment on this blogpost, and in response a spokesperson said: “We aim to resolve 95% of information requests within the statutory deadline, unless we have sought an extension. We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon.” No comment was made on the wider point about compliance, and publication of compliance statistics. (I would also make the observation that it’s rather surprising ICO only aims to respond to 95% of requests within the statutory deadline – surely they would (and should) aim to respond to 100% within the timeframe mandated by the law?)

I’ve previously expressed concern about the ICO’s unwillingness to take enforcement action against recalcitrant, if not contemptuous, public authorities for poor FOI compliance. Elizabeth Denham has recently (and unsuccessfully) called for an extension of FOI law, saying

Part of my job is to make sure that the legislation my office regulates fulfils its objectives and remains relevant. When it does not, I will speak out

Will she also speak out about the fact that her office is not itself complying with the legislation it regulates?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

ICO – HMRC must delete 5 million voice records

I have a piece on the Mishcon de Reya website, on news that the ICO has required HMRC to delete 5 million unlawfully gathered Voice ID records.

Leave a comment

Filed under consent, Data Protection, HMRC, Information Commissioner

Farrow & Ball lose appeal for non-payment of data protection fee

I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.

Leave a comment

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency