Tag Archives: UK GDPR

Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, DHSC, Freedom of Information, Information Commissioner, records management, ROPA, Uncategorized

GDPR is rubbish

I was challenged recently along the lines that “you don’t like change – you think that GDPR is great and any amendments are negative”.

After I’d spluttered in rage that this wasn’t true, I checked my thoughts. I don’t think the challenge was fair – I don’t mind the idea of repeal or reform of the UK GDPR model – but I do still think that any change needs to be planned and drafted very carefully, so as not to interfere with the core data protection concepts, and checks and balances, that have – broadly – carried through and developed over a series of legal instruments, starting with the Council of Europe Convention 108 of 1981 and the OECD Guidelines of 1980.

But, also, I’m happy to point out that, at times, GDPR is simply rubbish. And I don’t mean in broad legal terms – see for instance David Erdos’s interesting criticisms – I mean that it sometimes doesn’t make sense.

There’s an example in recital 63

A data subject should have the right of access to personal data…in order to be aware of, and verify, the lawfulness of the processing.

I think this is meant to mean “a data subject should have the right of access in order to be aware of the processing and verify its lawfulness”. But, as drafted, it suggests the data subject should be able to be aware of the lawfulness of the processing, and verify that lawfulness, which lacks logic.

But that’s in the recitals, and no one reads the recitals do they?

But consider one of the substantive provisions. Article 5(2), which describes the “accountability principle” says

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Think about what that says: “the controller shall be responsible for…paragraph 1” (paragraph 1 containing the core data protection principles). What it is surely intended to mean is “the controller shall be responsible for compliance with paragraph 1”, but it doesn’t say that. In literal terms it says that the controller has responsibility for the legislative words.

And it’s worth noting that in the French text (French being the only other language this lumbering English person has really even vague familiarity with), the wording does say that: “…est responsable du respect du paragraphe 1…”.

I’m not suggesting this is a big problem: a regulator and a court would almost certainly read the wording so as to give effect to the legislator’s intention.

It just irritates me.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, not-entirely-serious, UK GDPR

ICO investigates collection of barristers’ names

News from the Mishcon de Reya website on data protection concerns arising from criminal barristers’ dispute with the MoJ

https://www.mishcon.com/news/information-commissioner-investigates-collection-of-criminal-barristers-names

Leave a comment

Filed under Data Protection, fairness, Information Commissioner, Ministry of Justice, UK GDPR

No, 43% of retail businesses have NOT been fined for CCTV breaches

A bizarre news story is doing the rounds, although it hasn’t, as far as I can see, hit anything other than specialist media. An example is here, but all the stories contain similar wording, strongly suggesting that they have picked up on and reported on a press release from the company (“Secure Redact”) that undertook the research behind the story.

We are told that

research reveals that 43% of UK retailers reported that they had been fined for a violation of video surveillance GDPR legislation…Of these retailers, 37% reported paying an equivalent of 2% of their annual turnover, 30% said the fine amounted to 3% of annual turnover, and 15% said the fine was 45% [sic] of annual turnover…A staggering 33% of those fined also had to close stores as a result of enforcement action

The research was apparently based on a survey of 500 respondents in retail businesses (50% in businesses with less than 250 employees, 50% in businesses with more than 250).

What is distinctly odd about this is that since GDPR has been in force in the UK, including since it has become – post-Brexit – UK GDPR, there has been a sum total of zero fines imposed by the Information Commissioner in respect of CCTV. 43% of retail businesses have not been fined for CCTV infringements – 0% have.

You can check here (direct link to .csv file) if you doubt me.

It’s difficult to understand what has gone wrong here: maybe the survey questions weren’t clear enough for the respondents or maybe the researchers misinterpreted the data.

Whatever the reasons behind the stories, those in the retail sector – whilst they should certainly ensure they install and operate CCTV in compliance with GDPR/UK GDPR – should not be alarmed that there is a massive wave of enforcement action on the subject which threatens to put some of them out of business.

Because there isn’t.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, GDPR, Information Commissioner, monetary penalty notice, UK GDPR