Tag Archives: ICO

August 31, 2014 · 10:03 am

Data protection implications of MPs crossing the floor

Douglas Carswell MP is a data controller.

It says so on the Information Commissioner’s register:

carswell

(I hope he remembers to renew the registration when it expires next week  it’s a criminal offence to process personal data as a data controller without a registration, unless you have an exemption).

But, more directly, he is a data controller because as an MP he is a person who determines the purposes for which and the manner in which the personal data of his constituents is processed.  Sensible guidance for MPs is provided by Parliament itself

A Member is the data controller for all personal data that is handled by their office and they have overall responsibility for ensuring that this is done in accordance with the DPA.

I have already written recently raising some concerns about Carswell’s alleged handling of constituents’ personal data. But this week he decided to leave the Conservative Party, resign his seat, and seek re-election as a member of the UKIP party. James Forsyth, in the Daily Mail, talks about the constituency knowledge Carswell will bring to UKIP, and reports that “one senior Ukip figure purrs: ‘The quality of Douglas’s data is amazing'”.

As a data controller an MP must process constituents’ personal data in accordance with the eight data protection principles of the Data Protection Act 1998 (DPA). Failure to do so is a contravention of the data controller’s obligation under section 4(4). Data subjects can bring legal claims for compensation for contravention of that obligation, and for serious contraventions the ICO can take enforcement action, including the serving of monetary penalty notices to a maximum of £500,000.

The second data protection principle requires that

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

A person’s political opinions are “sensitive personal data”, afforded even greater protection under the DPA. It is not difficult to understand the historical basis for this, nor, indeed, the current basis for its still being so. Data protection law is in part an expression of and development of rights which were recognised by the drafters of the Universal Declaration of Human Rights and European Convention on Human Rights. Oppression of people on the basis of their politics was and remains distressingly common.

If constituents have given Carswell their details on the basis that it would be processed as part of his constituency work as a Conservative MP they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate. As Paul Bernal tweeted

If I gave my data to help the Tories and found it was being used to help UKIP I’d be livid
Such use would also potentially be in breach of the first data protection principle, which requires that personal data be processed fairly and lawfully. It would not be fair to share data with a political party or for the purposes of furthering its aim in circumstances where the data subject was not aware of this, and might very reasonably object. And it would not be lawful if the data were, for instance, disclosed to UKIP in breach of confidence.

An interesting twitter discussion took place this morning about whether this apparent use of constituents’ data might even engage the criminal law provisions of the DPA. As well as Carswell, there may be other data controllers involved: if some of the data he was in possession of was for instance, being processed by him on behalf of, say, the Conservative Party itself, then the latter would be data controller. Section 55 of the DPA creates, in terms, an offence of unlawfully disclosing personal data without the consent of the data controller. However, as was agreed on twitter, this would be a complex knot to unpick, and it is unlikely, to say the least, that either the ICO or the CPS would want to pursue the matter.
Notwithstanding this, there are serious questions to be asked about the DPA implications of any MP crossing the floor. The use of personal data is likely to be a key battleground in the forthcoming general election, and throw even sharper focus on European data protection reform. I would argue that this is a subject which the ICO needs to get a grip on, and quickly.

 

UPDATE: Paul Bernal has written a superb piece on the broader ethical issues engaged here.

4 Comments

Filed under Confidentiality, Data Protection, human rights, Information Commissioner

Tagged as , , ,

August 29, 2014 · 7:14 am

Some observations on the MoJ £180,000 data protection “fine”

1. It wasn’t a fine: section 55A of the Data Protection Act 1998 (DPA) gives the Information Commissioner’s Office (ICO) the power to impose a monetary penalty notice (MPN) to a maximum of £500,000 on a data controller which has made a serious contravention of its obligation to comply with the data protection principles, and the contravention was of a kind likely to cause substantial damage or substantial distress (and the data controller knew or should have known about the risk). There is often confusion over the civil and criminal sanctions in the DPA, perhaps not helped by the fact that the main criminal sanction is at section 55, and the main civil sanction at section 55A. However, although the incorrect use of the term “fine” is understandable in some circumstances, I don’t think the ICO themselves should use it.

2. The money goes straight back to the government: this is true – monetary penalties do not get paid to the ICO. Rather, they are paid into the Consolidated Fund – the government’s bank account. While this does have an element of absurdity (and similar complaints are sometimes made when the ICO serves MPNs on other public bodies, such as the NHS, or local authorities) recent research (and personal anecdotal experience) suggests that the MPNs are effective in improving data controller compliance. One wonders if alternative methods, like individual liability for data controller failings (which would require major primary legislation), would have similar effects.

3. The Ministry of Justice funds the ICO: in part, at least. The MoJ funds the ICO for its freedom of information work. Its data protection work comes from the fees data controllers pay the ICO to appear on its register. Nonetheless, penalising the MoJ could be seen as biting the hand that feeds – it is commendable that the ICO is not afraid to do so.

4. The MoJ is data controller for prisoner data within prisons: being the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed. That’s a heck of a lot of highly sensitive personal data to be responsible for. And such responsibility carries potential huge liability for errors.

5. This is not the first MPN the MoJ has received: less than 12 months ago the MoJ received an MPN of £140,000 for a remarkably similar set of events to those which prompted the latest MPN. Both MPNs involved insecure processes to safeguard prisoner databases – in the first an unencrypted database file was emailed to a member of the public, and in the second a hard disk containing a prisoner database, which should have been encrypted but wasn’t, has been lost. As MPNs are often served (as these were) for contraventions of the obligation to have appropriate organisational and technical measures in place to safeguard against loss of data, one might argue that a second such serious contravention might have warranted even more severe sanctions. The ICO even notes that the second contravention was because of a botched attempt to put right what happened in the first, and deems the second contravention “very serious” (as opposed to the first’s “serious”). I am not the only person I have spoken to who is surprised this latest MPN was not higher.

and finally

6. Data security is not just about technology: it’s also about people. In this instance the MoJ, after its first MPN (see above), sent hard drives to all relevant prisons which were capable of holding data in encrypted format.

But they forgot to tell the prison staff to switch encryption on.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

Tagged as , ,

August 28, 2014 · 4:20 pm

Data Protection Act non-pecuniary damages in the County Court

The Data Protection Act 1998 (DPA) is, as its regulator the Information Commissioner (IC) concedes, “complex and, in places, hard to understand”. Moreover, it has been observed that 

there is…little case law…most damages claims under the DPA go to the County Court, where unless you were in the case it is hard to know that it happened or get hold of a judgment

To which one would add that, as most damages claims go no further than the County Court those cases we do hear about don’t set precedent anyway.

However, thanks to the website LegalBeagles we do now have another judgment which deals with the DPA, and which was handed down in June this year in the County Court at Taunton. In the judgment (.pdf, 12MB), in rather dense prose, Deputy District Judge Stockdale ruled on a money claim against Lloyds Bank for unfair bank charges (the primary claim) and a claim for damages under section 13 of the DPA. Holding that the specific bank charges between 2007 and 2009, for unauthorised overdraft facilities, were indeed unfair (for reasons I am rather ill-equipped to explore), the Judge went on to hold that the referral of a default to credit reference agencies was in breach of the first data protection principle (Schedule One, DPA) which obliged the bank to process the claimant’s personal data fairly (and lawfully). This was because, by reference to the then IC Guidance “Filing of defaults with credit reference agencies”, the relationship between the lender and the individual had not broken down. The guidance said

The term ‘default’, when recorded on a credit reference file should be used to refer to a situation when the lender in a standard business relationship with the individual decides that the relationship has broken down

In this case, as the claimant and the bank, at the time the latter registered the default, had entered into a repayment arrangement (which the claimant was keeping to), it could not be said that the relationship had broken down.

An interesting point about this judgment is that the claimant’s case was bolstered by the fact he could point to a prior assessment opinion by the IC. He had complained about the bank’s actions to the IC, who had determined (in line – although this is unsaid in the judgment – with his duties under section 42 DPA to assess processing) that it was unlikely that the bank had complied with its DPA obligation. This clearly carried weight for the judge (as did the Guidance).

Another interesting point is that, in assessing the remedy for the contravention, the judge followed the (compelling) dicta of Tugendhat J in Vidal -Hall & Ors v Google Inc [2014] EWHC 13 (QB) and awarded compensation  for what was non-pecuniary damage of £1000, in recognition of the trouble to which the claimant had been put in pursuing the matter and bringing the claim. The claimant was also successful in an application under section 14(1) DPA for erasure/destruction of the default on his credit reference files.

Vidal-Hall has not yet come to trial. If, when it does, Tugendhat J’s “preliminary view” that “damage in s.13 does include non-pecuniary damage” is upheld, it could lead to a rush of similar claims being made.

1 Comment

Filed under damages, Data Protection, Information Commissioner

Tagged as , ,

August 28, 2014 · 1:30 pm

A fishy way of boosting party membership?

A tweet today referred me to a New Statesman article from October last year which contains what I think are actually quite serious allegations against Tory MP Douglas Carswell (who has today announced his intention to resign his seat and re-stand for UKIP) or, perhaps, against his local party machine. The magazine alleges that

A snout rang with the tale of an Essex man who went along to a Clacton fish-and-chip supper organised by the local MP, Douglas Carswell. The chap paid his £10, enjoyed his cod and then listened to the debate before going home unconvinced by the Tory case on Europe. So imagine his perturbation at a letter from Carswell’s office informing him that his tenner would be converted into membership of the constituency association unless he wrote back renouncing the party. The chap couldn’t be bothered to reply and – hey presto! – an unwanted Tory membership card duly popped through his letter box.

I do not know if if this is true*. I’ve asked Mr Carswell via his twitter account whether it is, but, understandably, he may have more pressing priorities today. He was certainly in the habit of hosting such events, as his personal blog shows.

But if it is true, it raises concerns about the handling of constituents’ personal data. The second principle of the Data Protection Act 1998 (DPA) provides that

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

and by section 4(4) of the DPA a data controller (the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed) must comply with the eight data protection principles. Failure to do so renders the data controller liable to private legal action by aggrieved data subjects, as well as regulatory enforcement action by the Information Commissioner (which can consist of monetary penalties to a maximum of £500,000 for especially serious contraventions). Mr Carswell’s entry on the Commissioner’s register confirms he accepts his status as data controller, as does the entry for his local Conservative Constituency Association. Any personal data of a constituent attending fish-and-chip suppers had to processed in accordance with eight principles, and wrongly recording someone as a member of a political party would involve the processing of sensitive personal data (a category which includes information about political allegiance, and which is afforded even higher protection).

And, as well as being in contravention of the second principle, such processing would be in breach of the first, which requires that personal data be processed fairly and lawfully. I’m not going to make a party political point, but as of today, even Mr Carswell might feel that, in broader terms, it would be particularly unfair to wrongly categorise someone as a member of the Tory party.

*If Mr Carswell refutes the allegations in the story I will be very happy to amend this blog post accordingly

1 Comment

Filed under Data Protection, Information Commissioner

Tagged as , ,

August 22, 2014 · 4:05 pm

The Savile Tapes – ICO says request for audio was vexatious

There is no index of character so sure as the voice – Benjamin Disraeli, Tancred

In October 2013 Surrey Police disclosed, in response to a request made under the Freedom of Information Act 2000 (FOIA) the transcripts of police interviews (under caution) of Jimmy Savile. The Information Commissioner’s Office ICO) has now ruled on a related request, which was for the actual audio recordings of the same interview, and, rather surprisingly, the ICO has agreed with the Police that they did not have to comply with the request, on the grounds that it was vexatious.

Until relatively recently it was difficult to rely on section 14(1) of FOIA (“a public authority [need not] comply with a request for information if the request is vexatious”) simply because the costs burden of dealing with it was too great. The ICO’s guidance did advise that one of the factors to bear in mind when considering whether a request was vexatious was “Would complying with the request impose a significant burden in terms of expense and distraction?”, but in general, for a public authority to refuse to comply with a FOIA request because of the costs, it had to be able to claim that the cost of compliance exceeded the appropriate limit (section 12 FOIA). However, a decision of the First-tier Tribunal (FTT) in 2012 appeared to shift the ground somewhat. Although FTTs’ decisions are not precedent, it was notable that a public authority (the IPCC in this case) was said to be entitled to rely on section 14(1) on the basis that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12

As the always-excellent Pantopticon blog said at the time

This will be welcomed by those who find themselves unable to rely on section 12 due to the restricted list of activities which can be taken into account for cost purposes

but the context in that particular case meant that, in fact, the intentions and bona fides of the requester were relevant

The present requests were, in our opinion, not just burdensome and harassing but furthermore wholly unreasonable and of very uncertain purpose and dubious value…We are by no means convinced of [the requester’s] good faith in making it

In the leading case on section 14(1) – IC v Dransfield [2012] UKUT 440 (AAC) – Wikeley J said that it was helpful, when considering whether a FOIA request is vexatious, to consider four “broad issues or themes”

(1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

but that ultimately, the test amounts to

is the request vexatious in the sense of being a manifestly unjustified, inappropriate or improper use of FOIA?

The ICO’s guidance, amended in light of Dransfield reframes this slightly and says that the

the key question a public authority must ask itself is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress

The ICO draws on this guidance in the Savile decision, but, notably, appears to give considerable credence to the police’s evidence regarding the disruption – the burden – that redacting the audio of the interviews would cause, but does not appear to have interrogated this assertion in any depth. Moreover, the ICO notes its lack of expert knowledge on the subject of redaction, but nothing (other than, presumably, limited resources) prevented it from consulting an expert. Given that this appears to have been the primary evidence for the finding of vexatiousness (the ICO accepted that the requester’s motives were not intended to cause disruption or harassment) and given that the ICO accepted that there was a “qualitative difference” between the written transcripts and the audio (“The speed, volume, expressiveness and intonation of the actual speech may be considered to shed more light on how Savile responded to what was put to him in the interview”) it is difficult to see how the ICO decided that request could have been vexatious, rather than just of a level of annyoance and disruption it accepts a public authority must absorb. The request, using Wikeley J’s formulation, was not improper, it was not inappropriate – and was it really, therefore, a “manifestly unjustified use of FOIA”?

One hopes the bar of vexatiousness has not been lowered too far.

 

31 Comments

Filed under Freedom of Information, Information Commissioner, police, vexatiousness

Tagged as , , ,

August 21, 2014 · 4:34 pm

Jackals among the tombs*

The Information Commissioner has ordered disclosure by the Metropolitan Police of the ages of the deceased children whose identities were used by the ‘Special Demonstration Squad’

UPDATE 23.09.14: The latest listings from the Information Tribunal reveal that the Met are appealing the ICO decision :END UPDATE

UPDATE 07.01.15: The Met clearly decided to withdraw their appeal, and disclosed the information :END UPDATE

In Frederick Forsyth’s novel The Day of the Jackal the protagonist uses a heartless, but, at the time of the novel’s writing, well-known, method of assuming a false identity. He visits graveyards until he finds the gravestone of a dead child who would have been born about the same time as him, then purchases the child’s birth certificate, which he uses to obtain a fake passport. In 2003 Forsyth said

I asked a forger how to get hold of a passport. He told me there were three ways. Steal one and substitute a photograph. Bribe an official for one ‘en blanc’ in which you can fill in your details. Or apply for one under a false name

In February 2013 the Home Secretary, Theresa May, announced that the existing investigation into undercover policing in the Metropolitan Police Service would now be headed by the Chief Constable of Derbyshire Police. This was in part because of serious allegations aired in the Guardian about a covert police officer apparently adopting the identity of a baby named Rod Richardson, who had died at the age of two days old, in 1973.

The ensuing first report into what had become Operation Herne found that there was

 both documentary proof and witness accounts to confirm that the genuine details of deceased children were extensively used by members of the SDS until around 1995 so as to create cover identities and thereby enable the officers to infiltrate a range of violent protest groups

It described the practice as “morally repugnant”, effectively excused it as being necessary within the constraints of the time, but did acknowledge that

There is understandable public, political and media concern about the use of the identities of deceased children, irrespective of the context, of the operational rationale, of any perceived necessity and of any legal considerations

 Although it said that the issue should not detract from the importance of the tactic of undercover policing.

Perhaps the Met had this in mind when they refused to disclose, in response to a request made under the Freedom of Information Act 2000 (FOIA), the mere ages of the 42 dead children whose identities the report either confirmed were or were considered as highly likely to have been (ab)used. The Met placed perhaps most weight on the fact that disclosing this information would allow officers to be identified (thus engaging the FOIA exemption at section 40(2)), but the Information Commissioner’s Office (ICO) was distinctly unimpressed with this argument

 the Commissioner does not consider the age of a child who dies at some point over a forty year period meets the criteria of being the ‘personal data’ of an undercover officer as the age alone is simply too far removed to make any such link

Nor, for a similar reason, were the exemptions at section 38 (prejudice to health and safety) and section 24 (safeguarding national security) engaged: if officers could not be identified from this information then their health and safety could not be prejudiced and there was no compromise to the need to safeguard national security.

The ICO did concede that exemptions at section 30 was engaged. This exemption deals – broadly – with investigations conducted by relevant public authorities into potential criminal offences, and information which relates to the obtaining of information from confidential sources. However, and ultimately, the public interest favoured disclosure. The ICO found particularly compelling, as will many, the following submission from the requester

There is…a clear public interest with regards to the hundreds of thousands of families who lost a child during the relevant period. Any of these families may fear that their relative’s details were used by police officers without consent. The question of whether the 42 families should be told is complex. By confirming which ages were used, the MPS would also be confirming which ages were not used. This information could help answer the questions of tens of thousands of families for each any [sic] age that is identified as not having been used

Perhaps, if it transpires (the Met can, of course, appeal) this FOIA disclosure will, even more than most, serve a public interest.

*Faith, like a jackal, feeds among the tombs, and even from these dead doubts she gathers her most vital hope – Herman Melville

1 Comment

Filed under Freedom of Information, Information Commissioner, police

Tagged as , ,

August 19, 2014 · 6:39 pm

One for the Environmental Information Regulations + Data Protection nerds

In 2010 the Court of Justice of the European Union (CJEU) held that, insofar as they required the automatic publication of the name and other particulars of natural persons (as opposed to legal persons) of beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural Fund for Rural Development (EAFRD), certain articles of European Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy were invalid. This was because they imposed an obligation to publish personal data relating to these beneficiaries (who might be private individuals or sole traders) without permitting criteria such as the periods, frequency and amounts involved to be considered.

Rip-roaring start to a blog post eh?

In the words of the First-tier Tribunal (Information Rights) (FTT) which has recently had to consider the impact of those CJEU cases on an Environmental Information Regulations 2004 (EIR) case

[the CJEU] ruled that such a requirement for publication was incompatible with an individual’s right for privacy where the agreement holder concerned was a private individual or sole trade

The relevance of the European judgments was that Natural England, which had until 2010 published information about beneficiaries of funds granted to farmers and landowners under the European Stewardship Agreement (ESA), even when it consisted of personal data of private individual or sole trader beneficiaries, ceased such automatic publication and removed previously published information from its website. This was despite the fact applicants for an ESA had, until 2010, been given a privacy notice in a handbook which explained that the information would be published, and had signed a declaration accepting the requirements.

Notwithstanding this, when it received a request for agreements reached with farmers and landowners in the River Avon flood plains area, Natural England decided that the personal data of the beneficiary (there appears to have just been one) was exempt from disclosure under regulations 12(3) and 13 of the EIR (which broadly provide an exception to the general obligation under the EIR to disclose information if the information in question is personal data disclosure of which would be in breach of the public authority’s obligations under the Data Protection Act 1998 (DPA)).

The Information Commissioner’s Office had agreed, saying

although consent for disclosure has been obtained [by virtue of the applicant’s declaration of acceptance of the handbook’s privacy notice], circumstances have changed since that consent was obtained. As Natural England’s current practice is not to publish the names of those who have received grants with the amounts received, the Commissioner is satisfied that the expectation of the individuals concerned will be that their names and payments will not be made public.

However, the FTT was not convinced by this. Although it accepted that it was possible “that the applicant no longer expected the relevant personal data to be disclosed” it considered whether this would nevertheless be a reasonable expectation, and it also took into account that the effect of the CJEU’s decision had not been expressly to prohibit disclosure (but rather that the validity of automatic publication had been struck down):

When one combined the facts that an express consent had been given, that there had been no publicity by NE or mention on its website of the ECJ decision and finally, that the effect of that decision had not, in the event been to prohibit disclosure, [the FTT] concluded that such an expectation would not be reasonable

Furthermore, given that there was no real evidence that disclosure would cause prejudice or distress to the applicant, given that some identifying information had already been disclosed into the public domain and given that there was a legitimate interest – namely “accountability in the spending of public monies” – in the information being made public (and disclosure was necessary to meet this legitimate interest) the disclosure was both fair and supported by a permitting condition in Schedule 2 of the DPA. For these reasons, disclosure would not, said the FTT, breach Natural England’s obligation to process personal data fairly under the first data protection principle.

So maybe not the most ground-breaking of cases, but it is relatively rare that an FTT disagrees with the ICO and orders disclosure of personal data under the EIR (or FOI). The latter is, after all, the statutory regulator of the DPA, and its views on such matters will normally be afforded considerable weight by any subsequent appellate body.

Leave a comment

Filed under Data Protection, Environmental Information Regulations, Europe, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as , , ,

August 17, 2014 · 10:14 am

ICO indicates that (non-recreational) bloggers must register with them

I think I am liable to register with the ICO, and so are countless others. But I also think this means there needs to be a debate about what this, and future plans for levying a fee on data controllers, mean for freedom of expression

Recently I wrote about whether I, as a blogger, had a legal obligation to register with the Information Commissioner’s Office (ICO) the fact that I was processing personal data (and the purposes for which it was processed). As I said at the time, I asked the ICO whether I had such an obligation, and they said

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets

However, I asked them for clarification on this point. I noted that I couldn’t see any exemption from the obligation to register, unless it was the general exemption (at section 36) from the Data Protection Act 1998 (DPA) where the processing is only for “domestic purposes”, which include “recreational purposes”. I noted that, as someone writing a semi-professional blog, I could hardly rely on the fact I do this only for recreational purposes. The ICO’s reply is illuminating

if you were blogging only for your own recreational purposes, it would be unlikely that you would need to register as a data controller. However, you have explained that your blogging is not just for recreational purposes. If you are sharing your views in order to further some other purpose, and this is likely to impact on third parties, then you should consider registering.

I know this is couched in rather vague terms – “if”…”likely”…”consider” – but it certainly suggests that merely being a non-professional blogger does not exempt me from having to register with a statutory regulator.

Those paying careful attention might understand the implications of this: millions of people every day share their views online, in order to further some purpose, in a way that “is likely to impact on third parties”. When poor Bodil Lindqvist got convicted in the Swedish courts in 2003 that is just what she was doing, and the Court of Justice of the European Union held that, under the European Data Protection Directive, she was processing personal data as a data controller, and consequently had legal obligations under data protection law to process data fairly, i.e. by not writing about a fellow churchgoer’s broken leg etc. without informing them/giving them an opportunity to object.

And there, in my last paragraph, you have an example of me processing personal data – I have published (i.e. processed) sensitive (i.e. criminal conviction) personal data (i.e. of an identifiable individual). I am a data controller. Surely I have to register with the ICO? Section 17 of the DPA says that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the ICO, unless an exemption applies. The “domestic purposes” exemption doesn’t wash – the ICO has confirmed that1, and none of the exemptions apply. I have to register.

But if I have to register (and I will, because if I continue to process personal data without a registration I am potentially committing a criminal offence) then so, surely, do the millions of other people throughout the country, and throughout the jurisdiction of the data protection directive, who publish personal data on the internet not solely for recreational purposes – all the citizen bloggers, campaigning tweeters, community facebookers and many, many others…

To single people out would be unfair, so I’m not going to identify individuals who I think potentially fall into these categories, with the following exception. In 2011 Barnet Council was roundly ridiculed for complaining to the ICO about the activities of a blogger who regularly criticised the council and its staff on his blog2. The Council asked the ICO to determine whether the blogger in question had failed in his legal obligation to register with the ICO in order to legitimise his processing of personal data. The ICO’s response was

If the ICO were to take the approach of requiring all individuals running a blog to notify as a data controller … it would lead to a situation where the ICO is expected to rule on what is acceptable for one individual to say about another. Requiring all bloggers to register with this office and comply with the parts of the DPA exempted under Section 36 (of the Act) would, in our view, have a hugely disproportionate impact on freedom of expression.

But subsequently, the ICO was taken to task in the High Court on this general stance (but in unrelated proceedings) about being “expected to rule on what is acceptable for one individual to say about another”, with the judge saying

I do not find it possible to reconcile the views on the law expressed [by the ICO] with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully

And if now the ICO accepts that, at least those bloggers (like the one in the Camden case) who are not solely blogging for recreational purposes, might be required to register, it possibly indicates a fundamental change.

In response to my last blog post on this subject someone asked “why ruffle feathers?”. But I think this should lead to a societal debate: is it an unacceptable infringement of the principles of freedom of expression for the law to require registration with a state regulator before one can share one’s (non-recreational) views about individuals online? Or is it necessary for this legal restraint to be in place, to seek to protect individuals’ privacy rights?European data protection reforms propose the removal of the general obligation for a data controller to register with a data protection authority, but in the UK proposals are being made (because of the loss of ICO fee income that would come with this removal) that there be a levy on data controllers.

If such proposals come into effect it is profoundly important that there is indeed a debate about the terms on which the levy is made – or else we could all end up being liable to pay a tax to allow us to talk online.

1On a strict reading of the law, and the CJEU judgment in Lindqvist, the distinction between recreational and non-recreational expressions online does not exist, and any online expression about an identifiable individual would constitute processing of personal data. The “recreational” distinction does not exist in the data protection directive, and is solely a domestic provision

2A confession: I joined in the ridicule, but was disabused of my error by the much better-informed Tim Turner. Not that I don’t think the Council’s actions were ill-judged.

 

10 Comments

Filed under Data Protection, Directive 95/46/EC, Information Commissioner, social media

Tagged as , , , ,

August 14, 2014 · 8:55 am

ICO refuses to disclose information about “non-trivial data security incident”

In July this year the Information Commissioner’s Office (ICO) disclosed within their annual report that they had themselves experienced

one non-trivial data security incident. The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation. It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted.
This got a fair amount of attention, (even I, who rarely have anything to say on such matters, blogged about it) in a way which hadn’t happened when the ICO had reported a similar-sounding incident two years previously. I understand that there were several freedom of information (FOI) requests made to the ICO, and, I notice, they have now published their response, in their disclosure log.
I wasn’t hugely surprised to find that they are totally refusing disclosure. In their statement to me (and others) in July they had said
We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation
and this remains the position. Some information is exempt because it is the personal data of staff involved, and they do not have a reasonable expectation of disclosure. But primarily they invoke the exemption at section 30 of the FOI Act, which provides in terms an exemption to disclosure if the information is held for the purposes of an investigation to establish whether someone has committed an offence, or which may lead to a decision to bring criminal proceedings. As this is a qualified exemption, the ICO has considered whether the public interest in disclosure outweighs the public interest in maintaining the exemption, and finds that it doesn’t:
It is of the utmost importance that ICO is able to carry out its statutory duty and conduct investigations into potential criminal offences confident that information will not be inappropriately disclosed
However, the ICO have indicated that when the criminal investigation is completed “the ICO will make a clear public statement about what occurred and the action taken”.
As I say, none of this is particularly surprising: when one heard in July that there was an ongoing criminal investigation it was apparent that little further information would emerge until that was complete. We will have to be patient.

Leave a comment

Filed under Freedom of Information, Information Commissioner

Tagged as ,

August 10, 2014 · 4:45 pm

Do bloggers need to register with the ICO?

A strict reading of data protection law suggests many (if not all) bloggers should register with the ICO, even though the latter disagrees. And, I argue, the proposal for an Information Rights Levy runs the risk of being notification under a different name

Part III of the Data Protection Act 1998 (DPA) gives domestic effect to Article 18 of the European Data Protection Directive (the Directive). It describes the requirement that data controllers notify the fact that they are processing personal data, and the details of that processing, to the Information Commissioner’s Office (ICO). It is, on one view, a rather quaint throwback to the days when processing of personal data was seen as an activity undertaken by computer bureaux (a term found in the predecessor Data Protection Act 1984). However, it is law which is very much in force, and processing personal data without a valid notification, in circumstances where the data controller had an obligation to notify, is a criminal offence (section 21(1) DPA). Moreover, it is an offence which is regularly prosecuted by the ICO (eleven such prosecutions so far this year).

These days, it is remarkably easy to find oneself in the position of being a data controller (“a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”). There are, according to the ICO, more than 370,000 data controllers registered. Certainly, if you are a commercial enterprise which in any way electronically handles personal data of customers or clients it is almost inevitable that you will be a data controller with an obligation to register. The exemptions to registering are laid out in regulations, and are quite restrictive – they are in the main, the following (wording taken from the ICO Notification Handbook)

Data controllers who only process personal information for: staff administration (including payroll); advertising, marketing and public relations (in connection with their own business activity); and accounts and records.
Some not-for-profit organisations.
Maintenance of a public register.
Processing personal information for judicial functions.
Processing personal information without an automated system such
as a computer.
But there is one other, key exemption. This is not within the notification regulations, but at section 36 of the DPA itself, and it exempts personal data from the whole of the Act if it is
processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)
Thus, if you, for instance, keep a record of your children’s medical histories on your home computer, you are not caught by any of the DPA (and not required to notify with the ICO).Where this becomes interesting (it does become interesting, honestly) is when the very expansive interpretation the ICO gives to this “domestic purposes exemption” is considered in view of the extent to which people’s domestic affairs – including recreational purposes – now take place in a more public sphere, whereby large amounts of information are happily published by individuals on social media. As I have written elsewhere, the Court of Justice of the European Union (CJEU) held in 2003, in the Lindqvist case, that the publishing of information on the internet could not be covered by the relevant domestic purposes exemption in the Directive. The ICO and the UK has, ever since, been in conflict with this CJEU authority, a point illustrated by the trenchant criticism delivered in the High Court in the judgment by Tugendhat J in The Law Society v Kordowski.

But I think there is a even more stark illustration of the implications of an expansive interpretation of the section 36 exemption, and I provide it. On this blog I habitually name and discuss identifiable individuals – this is processing of personal data, and I determine the purposes for which, and the manner in which, this personal data is processed. Accordingly, I become a data controller, according to the definitions at section 1(1) of the DPA. So, do I need to notify my processing with the ICO? The answer, according to the ICO, is “no”. They tell me

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets
But I don’t understand this. I cannot see any exemption which applies to my processing – unless it is section 36. But in what way can I seriously claim that I am processing personal data only for my domestic (including recreational) purposes. Yes, blogging about information rights is partly a recreation to me (some might say that makes me odd) but I cannot pretend that I have no professional aims and purposes in doing so. Accordingly, the processing cannot only be for domestic purposes.I have asked the ICO to confirm what, in their view, exempts me from notification. I hope they can point me to something I have overlooked, because, firstly, anything that avoids my having to pay an annual notification fee of £35 would be welcome, and secondly, I find it rather uncomfortable to be on the receiving end of my own personal analysis that I’m potentially committing a criminal offence, even if the lead prosecutor assures me I’m not.

The point about the notification fee leads to me on to a further issue. As I say above, notification is in some ways rather quaint – it harks back to days when processing of personal data was a specific, discrete activity, and looks odd in a world where, with modern technology, millions of activities every day meet the definition of “processing personal data”. No doubt for these reasons, the concept of notification with a data protection authority is missing from the draft General Data Protection Regulation (GDPR) currently slouching its way through the European legislative process. However, a proposal by the ICO suggests that, at least in the domestic sphere, notification (in another guise), might remain under new law.The ICO, faced with the fact that its main funding stream (the annual notification fees from those 370,000-plus data controllers) would disappear if the GDPR is passed in its proposed form, is lobbying for an “information rights levy”. Christopher Graham said earlier this year

I would have thought  an information rights levy, paid for by public authorities and data controllers [is needed]. We would be fully accountable to Parliament for our spending.

and the fact that this proposal made its way into the ICO’s Annual Report  with Graham saying that Parliament needs to “get on with the task” of establishing the levy, suggests that it might well be something the Ministry of Justice agrees with. As the MoJ would be first in line to have make up the funding shortfall if a levy wasn’t introduced, it is not difficult to imagine it becoming a reality.

On one view, a levy makes perfect sense – a “tax” on those who process personal data. But looked at another way, it will potentially become another outmoded means of defining what a data controller is. One cannot imagine that, for instance, bloggers and other social media users will be expected to pay it, so it is likely that, in effect, those data controllers whom the ICO currently expects to notify will be those who are required to pay the levy. One imagines, also, that pour encorager les autres, it might be made a criminal offence not to pay the levy in circumstances where a data controller should pay it but fails to do so. In reality, will it just be a mirror-image of the current notification regime?

And will I still be analysing my own blogging as being processing that belongs to that regime, but with the ICO, for pragmatic, if not legally sound, reasons, deciding the opposite?

1 Comment

Filed under Data Protection, Directive 95/46/EC, Europe, GDPR, parliament

Tagged as , , , ,