Tag Archives: ICO

February 9, 2024 · 8:39 am

When is a breach of FOIA not a breach of FOIA?

I posted about this originally on LinkedIn, but I found it so nerdily interesting I wanted to preserve it better by putting it on this blog.

In 4 December 2023 the Information Commissioner’s Office (ICO) issued a decision notice under section 50 of the Freedom of Information Act 2000 (FOIA) finding that its own office did not deal with a FOIA request within the statutory time limit. Subsequently, however, as the ICO website has it, “Following a review of this case it has been noted that the Commissioner erred in citing a breach of section 17(1) of FOIA, having omitted to include the Scottish bank holiday of 7 August 2023 in his calculation of the 20 working day deadline. Therefore, the ICO did not breach section 17(1) of FOIA.”

However, merely staring on its website that “the ICO did not breach FOIA” is not sufficient. As a matter of law, the decision notice itself stands, unless it is substituted by another notice made by the Information Tribunal upon appeal. The ICO cannot withdraw/amend a decision notice, in the absence of an appeal (under the doctrine of “functus officio”, but see also IC v Bell [2014] UKUT 0106)).

So merely saying on its website “we didn’t breach the time limits” cannot cancel or overturn the decision notice.

In some analogous circumstances of “wrong” legal decisions by public authorities bound by functus officio, the authority will consent to judicial review proceedings quashing the decision. But here, the only person with any interest in quashing the decision is the ICO itself, and I don’t believe it could apply for judicial review of its own decision (although there have been cases, I believe, where local authorities have judicially reviewed decisions of their own planning committees).

What the ICO could have done though (and I give a nod to Ganesh Sittampalam here) is appeal the decision itself to the Tribunal. It would seem to be the case that the ICO, as the public authority on whom the decision notice was served, would have had a right of appeal to the Tribunal, even though it would be both the appellant and the respondent. This would, obviously, be rather an odd situation, but it’s one that the ICO already faces when it has to rule (as it did here) on its own compliance with the laws it regulates and enforces (for these purposes it effectively creates a fictional divide between “the ICO” and the “Commissioner” – see for example paragraph four in the decision notice linked above).

However, for whatever reason, the right of appeal was not exercised. But, given that that was the statutory route for challenge, why was the purported correction of the error instead subject to an internal, non-binding and unsatisfactory “review” within the ICO?

One wonders how this will be recorded within the ICO’s datasets: will the ICO accept the point that, as a matter of law, the decision is and remains that it breached the time limits? I doubt it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Tagged as ,

November 17, 2023 · 6:35 am

EIR you sure you got that right?

Someone said they’d read this post if I wrote it. That’s miles more encouragement than I normally need, so here goes.

The other day, Tim Turner’s FOIDaily account pointed out how, after twenty-odd years, some public authorities still fail to identify when a request for information should be dealt with under the Environmental Information Regulations 2004 (EIR), rather than the Freedom of Information Act 2000 (FOIA). An example was given of Information Commissioner’s Office (ICO) identifying where a public authority had got this wrong.

As any fule kno, the two laws operate in parallel to create a regime for access to information held by public authorities, and it’s Regime 101 for a public authority to be able to know, and identify, when each applies. But, in short, if requested information is on, for instance, “measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect…the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape…” then the EIR, and not FOIA, apply.

I pointed out in the comments to the FOIDaily post that I’d seen a case where everyone, from the requester, to the public authority, to the ICO, to the First-tier Tribunal, had failed to deal with a case under the correct scheme.

This was it.

The case was about a request to a district council for information about whether a councillor had (in a private capacity) been required to pay any money to the council in relation to a fly-tipping incident or incidents. The request itself even referred to the Environmental Protection Act 1990, which was a very big hint that environmental information might be at issue.

What appears to have happened is that everyone jumped to the issue of whether disclosure of the requested information would contravene the councillor’s data protection rights. As most similar discussions take place in relation to the provisions of section 40 FOIA, the public authority, the ICO and the Tribunal (and presumably even the requester) all appear to have gravitated towards FOIA, without asking the correct first question: what is the applicable law? The answer to which was, clearly, EIR.

Regulation 13 of the EIR deals with personal data, and is cast in very similar terms to section 40 FOIA. It is, then, strongly arguable that, given that similarity, both the ICO and the Tribunal would have arrived at the same decision whichever regime applied. But Parliament has chosen to have two separate laws, and this is because they have a different genesis (EIR emanate from EU law which in turn emanates from international treaty obligations). Additionally, where all things are otherwise equal, the EIR contain an express presumption in favour of disclosure (something that is not the case in relation to personal data under the FOIA regime – see Lord Hope’s opinion in Common Services Agency v Scottish Information Commissioner).

As Tim implies in his post, the EIR have always been seen as somehow inferior, or subservient, to FOIA. No doubt this is because they are in the form of secondary legislation, rather than statute. This is more an accident of history, rather than of constitutional significance, and is never going to be relevant in most practice. But if the ICO and the courts continue to miss their relevance, it shouldn’t be that surprising that some public authorities will also do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as , , ,

November 16, 2023 · 5:36 pm

I was stupid

I was stupid, I was naive: I thought that recent statements from senior people at the Information Commissioner’s Office (ICO) indicated a willingness to enforce against non-compliance in the use of cookies and cookie banners.

I was wrong. My recent complaint, published as an open letter to John Edwards, the Commissioner, not only took ten weeks to be allocated to a case worker, but, now, that case worker has told me, in terms, that they’re not interested:

we do not respond to cookie complaints individually…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK.

This leaves two things hanging: 1) the site I complained about is one of the most visited in the UK; 2) the website in question arguably “raises awareness” of cookies, but only insofar as it confounds, frustrates and obstructs the user, in a manner which, in my submission, contravenes ePrivacy and Data Protection law, and 3) fails to get users’ consent (as it is defined in those laws).

MLex(£) have now written about this, and have secured a quote from the ICO, which is more than I got, really:

It is an ICO priority to influence changes to online tracking practices to create a more privacy-oriented internet. Where users want personalized adverts they should have the choice to receive them. But where websites don’t give people fair choices over how their data is used we will take action to safeguard their rights.

Try as I might, I can’t square that, and the ICO’s previous public statements about taking firm action, with an approach which fails in any real way to engage with people who take the time and effort to make complaints. But, as I say, I was stupid and naive to think it might have been different.

I’ve now complained, in turn, about the ICO’s handling of my complaint (and made an FOI request), in these terms:

1. I made a complaint under Article 77 UK GDPR. You have not investigated that at all, let alone “to the extent appropriate” as you are required to do under Article 57(1)(f). 

2. My letter was addressed to John Edwards. Has he seen it? 

3. You say, “When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation.” Which have you done here? Please disclose information either in respect of the compliance check you undertook, or of the correspondence you sent to Associated Newspapers Ltd.

4. Frankly, your response is discourteous. I went to some effort to assist the ICO in its stated intention to investigate poor compliance with PECR, but your response gives no indication that you’ve even read the substance of my complaint.

5. Your letter contains no apology or explanation for the extensive delay in handling it, which falls outside your own service standards.

In seriousness, I find this all really disheartening. The gulf between what the ICO says and what it does is sometimes huge, and not necessarily appreciated by those who don’t work in the field.

But I will get back in my stupid box.

+++

For completeness’ sake, the full response from the caseworker was:

Thank you for your correspondence in which you have complained about Associated Newspapers Ltd and its use of cookies.

Complaints regarding cookies can be submitted to us through the following link: Cookies | ICO

In this case, I have forwarded the information you have provided to the appropriate department. Although we do not respond to cookie complaints individually, we use the information you send us to help us identify, investigate and take action against organisations causing you complaint. To do this, we work alongside other organisations and website owners.

Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us,
we either conduct our own compliance check or write to the organisation. Our website provides further information about the action we’re taking on cookies.

Yours sincerely

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under adtech, consent, cookies, Information Commissioner, PECR, UK GDPR

Tagged as , , ,

October 23, 2023 · 1:15 pm

Verging on contempt

Where the Information Commissioner serves a decision notice on a public authority, under section 50(3)(b) of the Freedom of Information Act 2000 (FOIA), it is a legal notice and a failure to comply may be treated by the High Court (or in Scotland, the Court of Session) as if the authority had committed a contempt of court. It is, therefore (and to state the obvious) a serious matter not to comply. The process involves the Commissioner “certifying” to the court that there has been a failure to comply.

Yet, a recent FOIA disclosure by the Information Commissioner’s Office (ICO) reveals that it currently has two such cases where it has referred non-compliance by one particular public authority to its own solicitors to initiate (or at least consider) certification proceedings. The rather remarkable thing is that the public authority in question is the government department with overall responsibility for FOIA policy – namely, the Cabinet Office.

The disclosure reveals no more in the way of detail – we do not know what the cases relate to, or what the current progress is (other than court proceedings have not yet commenced). However, it is very rare for a case actually to proceed to certification (in fact, I can only recall one case relating to a s50(3)(b) decision notice, and that was instead certified to the High Court by the First-tier Tribunal under section 61 of FOIA (as it applied then)).

It is worth pointing out that it doesn’t necessarily follow that, if there were a finding of contempt, sanctions would be imposed. Although a committal application or fines are, in principle, available, the Court could merely make a public finding that the Cabinet Office had breached the obligation to respond to the decision notice, but impose no further punishment.

Over the years the Cabinet Office has been subject to much criticism for its approach to FOIA – some of it, quite frankly, fully justified. However, there have been encouraging signs of improvements more recently, with its response to the “Clearing House” review, and its setting up of an Information Rights User Group (of which I am a member), although the latter has not fully kicked off yet, as far as I can understand.

However, it is a terrible look for the primus inter pares of government departments, and the one which holds the brief for FOIA policy, to be faced with potential contempt proceedings for failure to do what the law, and the regulator, requires it to do. Although the original FOIA request to the ICO was not mine, I’ll be interested to see if any updates are given.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under access to information, Cabinet Office, contempt, Freedom of Information, Information Commissioner

Tagged as ,

September 27, 2023 · 7:23 am

Soft regulation = poorer compliance?

The Information Commissioner’s Office (ICO) has published reprimands against seven separate organisations all of whom committed serious infringements of data protection law by inadvertently disclosing highly sensitive information in the context of cases involving victims of domestic abuse.

The ICO trumpets the announcement, but does not appear to consider the point that, until recently, most, if not all, of these infringements would have resulted in a hefty fine, not a regulatory soft tap on the wrist. Nor does it contemplate the argument that precisely this sort of light-touch regulation might lead to more of these sorts of incidents, if organisations believe they can act (or fail to act) with impunity.

I have written elsewhere about both the lack of any policy or procedure regarding the use of reprimands, and also about the lack of empirical evidence that a “no fines” approach works.

I think it is incumbent on the Information Commissioner, John Edwards, to answer this question: are you confident that your approach is not leading to poorer compliance?

The cases include

  • Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation. 
  • Revealing identities of women seeking information about their partners to those partners. 
  • Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother. 
  • Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners. 

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, monetary penalty notice, reprimand, UK GDPR

Tagged as , , ,

September 12, 2023 · 8:49 am

Arbitrary criminality and data protection

It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.

The majority of infringements of data protection law are not criminal offences, but, rather, contravention of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information

which—

(a)has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,

(b)relates to an identified or identifiable individual or business, and

(c)is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,

However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that

(a)the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,

(b)the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),

(c)the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,

(d)the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,

(e)the disclosure was made for the purposes of criminal or civil proceedings, however arising, or

(f)having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.

Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.

But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44, because of the offence provisions at section 132 DPA.

Whether this is an over-cautious stance is one thing, but it is understandable.

What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data report (albeit with redactions). Here, also.

If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?

One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, crime, Data Protection, Data Protection Act 2018, Freedom of Information, Information Commissioner

Tagged as , , , ,

September 10, 2023 · 2:38 pm

An open complaint to the ICO about MailOnline cookies

***UPDATE at 8 November***

There is no update. Nothing from the ICO at all, other than, at four weeks – after chasing – a message saying it’s taking six to eight weeks to allocate cases.

It’s now more than eight weeks.

***END UPDATE***

Dear Mr Edwards

In June this year Stephen Bonner told MLex that websites which

don’t have “reject all” on your top level [cookie banner]…are breaking the law. ..There is no excuse for that. The ICO is paying attention in this area and will absolutely issue fines if we see organizations are not taking that seriously and taking steps.

Subsequently, your office said to law firm Mishcon de Reya

Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines.

Then, on 9 August, in conjunction with the Competition and Markets Authority, your office stated

One clear example of often harmful design are cookie consent banners. A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them. Users should be able to make an informed choice on whether they want to give consent for their personal information to be used, for example, to profile them for targeted advertising. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.

In view of all of these statements, I wish to complain, under Article 77 UK GDPR, and simultaneously request, under regulation 32 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), that you exercise your enforcement functions, in relation to the use of cookies and similar technology by Associated Newspapers Limited, or alternatively DMG Media (whichever is applicable) as controller of, and person responsible for confidentiality of communications on, the “MailOnline” website at https://www.dailymail.co.uk/home/index.html (the “Website”).

The Website presents a visitor using the Safari browser on an iPhone 11 Pro with a “cookie banner” (see attached screenshot) which does not offer visitors a “reject all” option.

Furthermore, the whole set-up is opaque. If one clicks “Cookie Settings” one is faced with an initially straightforward set of options (one of them set by default to accept cookies for personalised advertising on the basis of “legitimate interest”, which is clearly not compliant with regulation 6 of PECR). However, if one then clicks on the tab for “Vendors”, one is faced with a frankly farcically long list of such “vendors”, and options, many of them set by default to “legitimate interest”. I consider myself reasonably knowledgeable in this area, but it is far from clear what is actually going on, other than to say it plainly appears to be falling short of compliance with regulation 6, and, to the extent my personal data is being processed, the processing plainly appears to be in contravention of the UK GDPR, for want – at least – of fairness, lawful basis and transparency.

It is worth noting that much of MailOnline’s content is likely to be of interest to and accessed by children (particularly its sports and “celebrity news” content), even if the publisher does not actively target children. You state, in your guidance

if children are likely to access your service you will need to ensure that both the information you provide and the consent mechanism you use are appropriate for children.

But the complexity and opacity of the Website’s cookie use means that it is largely incomprehensible to adults, let alone children.

It is, obviously, not for me to specify how you undertake an investigation of my complaint, but you must, of course, by reference to Article 57(1)(f) UK GDPR, investigate to the “extent appropriate”. Given the clear messages your office has delivered about cookie banners and the like, and given the weight of evidence as to non-compliance, I would suggest an investigation to the extent appropriate must – at the very least – result in a clear finding as to legality, with reasons, and recommendations for the investigated party.

I cannot claim to be distressed by the infringements I allege, but I do claim to be irritated, and to have, cumulatively, been put to excess time and effort repeatedly trying to “opt out” of receiving cookies on the Website and understand what sort of processing is being undertaken, and what sort of confidentiality of communications exists on it.

Of course the Website here is not the only example of apparent non-compliance: poor practice is rife. Arguably, it is rife because of a prolonged unwillingness by your office and your predecessors to take firm action. However, if you would like me to refer to other examples, or require any further information, please don’t hesitate to ask.

Yours sincerely

Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adtech, consent, cookies, Data Protection, Information Commissioner, PECR, UK GDPR

Tagged as , , , , ,

September 9, 2023 · 9:56 am

ICO breaching section 45 FOI code which it has a duty to promote

Under section 45 of the Freedom of Information Act 2000 (FOIA), the Minister for the Cabinet Office is required to issue a Code of Practice providing guidance to public authorities as to the practice which it would, in his opinion, be desirable for them to follow. A Code of Good Practice, if you will. The Information Commissioner’s Office (ICO) says, about the most recent version of the section 45 Code, that it

should be used as a handbook which sets out best practice to help you with the day to day handling of requests. Adhering to the Code will result in positive benefits for your authority, and in practical terms, offer good customer service.

And under section 47(1)(b) of FOIA the ICO has a duty to perform his functions so as to promote the observance of the Code.

Paragraph 8.5 of the Code says that

Public authorities with over 100 Full Time Equivalent (FTE) employees should, as a matter of best practice, publish details of their performance on handling requests for information under [FOIA…and] should do so on a quarterly basis…

However, the ICO themselves do not do, indeed never have done, this.

I recently made a FOIA request to the ICO, in which I queried the absence of they published statistics under paragraph 8.5 of the Code, and asked for disclosure of the last two years’ statistics. The response revealed statistics that are not particularly interesting, other than that they show that the ICO has made commendable improvements in its own compliance, following the dip which coincided with the pandemic. But all that was said about the proactive publication point was

We are not presently publishing our quarterly stats

No explanation as to why, and the fact that it appears expressly contrary to the ICO’s duty under section 47 to promote observance of the Code.

The ICO has, in recent months, indicated a willingness to get a bit tougher on public authorities don’t comply with FOIA, but if it does not itself comply, the effect of such tougher enforcement is greatly weakened.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner

Tagged as ,

August 22, 2023 · 8:55 pm

“Text pests” and data protection criminal offences

The modern digital economy allows us to order goods (and have them delivered) with a few taps on our phones. But the infrastructure behind locating, packaging and delivering those goods necessitates that a chain of people have access to the specific of our orders, and, in some cases, our contact details. A consequence of this appears to be an extraordinary prevalence of customers receiving unwanted contact as a result: research commissioned by the Information Commissioner’s Office (ICO) indicates that 29% of 18-34-year-olds have received unwanted contact after giving their personal details to a business.

It is to the ICO’s credit that it is looking at this issue, and calling for evidence of what it correctly calls this “illegal behaviour”. But I found it surprising that the ICO did not explain, in its communications, that if someone obtains a customer’s contact details from a business, and uses it for personal purposes which are different from (and not approved by) the business, they are very likely to be committing the criminal offence of unlawfully obtaining personal data without the consent of the controller, under section 170(1)(a) of the Data Protection Act 2018 (DPA).

The ICO says it will be contacting

some of the major customer-facing employers in the country to emphasise their legal responsibilities as well as to learn more about what safeguards they have in place

Which is all fine, but maybe a quicker and more effective action would be to remind those employers in turn to make their staff aware that using customer data for such purposes may well see them ending up with a criminal record.

Under section 197 of the DPA prosecutions for section 170 offences can only be brought, in England, Wales and Northern Ireland at least, by the ICO itself (or with the permission of the Director of Public Prosecutions or equivalent). One wonders if the sheer numbers of incidents where customer data is being obtained and misused in this way means that the ICO’s criminal prosecution team simply doesn’t have the capacity to deal with it. If so, maybe Parliament needs to look at giving the CPS a role, or even whether private prosecutions could be allowed.

Leave a comment

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner

Tagged as , , ,

August 20, 2023 · 3:38 pm

PSNI data breaches and questions over ICO’s investigations retention policy

I’ve been running this blog for about 15 years now. I’m not a records manager, but I recognise that information has a lifecycle. Maybe I could weed some older posts, but the thing is, I occasionally find some of the old posts useful. For instance when news broke of recent nasty data breaches involving police forces (including the Police Service of Northern Ireland, or “PSNI”) and freedom of Information disclosures, I was able to point to a ten-year-old post on this blog which illustrated that concerns about such disclosures have been around for a long time.

So I was rather surprised to see the Information Commissioner’s Office (ICO) saying – in response to claims from two former anti-terrorist officers that the recent incidents were part of a pattern of serious mistakes, and that their information had previously been compromised (albeit not by PSNI itself) – that

Having checked with relevant teams, we do not appear to have record of an investigation regarding this data controller for the time frame noted. This may be due to our retention policy

The retention policy in question says (at page 28) that information in relation to regulatory investigations will normally be retain for five or six years, but that in civil enforcement cases where no action was taken information will be destroyed after two years.

There is nothing inherently “wrong” about this; unless there is a statutory requirement to retain information it will fall to each public body to determine what is an appropriate retention period. However, the ICO elsewhere emphasises the need to consider patterns in compliance. The regulatory action policy, for instance, says that an organisation’s “prior regulatory history” including the “pattern…of complaints” might be an aggravating factor when it comes to taking enforcement action, and that “as issues or patterns of issues escalate in frequency or severity then we will issue more significant powers in response”. But the retention policy means that, unless formal action has been taken against an organisation, such patterns might only be able to be taken into account when they involve incidents occurring within the previous two years. Is that sufficient or adequate?

I would suggest not. The policy’s version history illustrates that it is regularly reviewed (including an annual review). I would hope that the next review consider whether there is compelling evidence to suggest that retaining investigation information for longer than two years is warranted, especially in light of recent events.

Leave a comment

Filed under access to information, adequacy, Data Protection, Information Commissioner, retention, security

Tagged as , , ,