Category: Data Protection

A New Commissioner, a New Approach?

Earlier this month John Edwards, former Privacy Commissioner and Barrister in New Zealand, replaced Elizabeth Denham as Information Commissioner.  The job of Information Commissioner is a significant one with many challenges. He has begun what he calls a “listening exercise”. I have completed the survey, which didn’t give much room for comment. I thought I would place a more detailed outline of my thoughts here; more as an exercise for expressing my own frustrations with the ICO and to perhaps give others some ideas about what they can include in their own response to the Commissioner’s survey.

Freedom of Information

Under this heading, for the sake of clarity, I’m not simply referring to the Freedom of Information Act 2000, but also to both the Environmental Information Regulations 2004 and the more obscure INSPIRE Regulations 2009 (which are concerned with spatial data).

FOI, especially the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, is, as the Commissioner has himself acknowledged, critical to our democracy. They are a means for individuals to find out what is going on in areas that interest or directly affect them and to obtain information which they can use to help keep public bodies and officials accountable.

There are two main areas of concern, from my perspective, with the ICO in respect of FOI: (1) length of time taken to deal with regulatory complaints; (2) the apparent reluctance of previous commissioners to make full use of their enforcement powers in this area.

Turning first to the issue of delay; currently it is taking around 6 months for complaints, once received, to be allocated for investigation. That means that for up to six months the complaint is just sitting there, with absolutely nothing happening. The last decision notice I received from the Commissioner was issued 11 months and 18 days after the complaint had been made to the ICO. This is unhelpful, and quite frankly, unacceptable. In many cases, these delays at the ICO are compounding already significant delays by some public bodies. There are some public authorities with well-known compliance issues in this area, where requests can take upwards of 6 months to be dealt with by the authority; meaning from request to ICO decision it can be upwards of 18 months.

FOI is a critical tool in helping individuals, community groups, journalists and others hold public bodies and officials to account. In a great many cases the value of the information sought diminishes over time; if information is being sought to help oppose, for example, changes to the provision of services in local communities, the delays at the ICO significantly hamper (and indeed damage) the usefulness of FOI in this area. If information is only, finally, being released several years after it was first requested it has almost certainly come far too late to be of any use to those requesting it.

The length of time that it takes for a FOI request to be dealt with is, in some respects, hampered by the legislation itself, with provisions for open-ended extensions for consideration of the public interest test and no statutory timescales (beyond the statutory Code of Practice) in relation to internal reviews. These have both been highlighted to Parliament on several occasions, but no legislative action has been forthcoming to deal with these issues. However, I will return to this in a moment.

What is completely within the control of the Commissioner is how long it takes his office to deal with matters once complaints have been made. A priority for the Commissioner should be looking to significantly reduce the backlog; and put in place systems that ensure complaints are being dealt with promptly once they end up with his office. The Scottish Commissioner (who, granted, has a much smaller office and a much smaller scope of responsibility in that he only deals with FOI complaints concerning Scottish public authorities) has an average closure time of just 4.37 months (2020-21), with 60% of all complaints to his office being dealt with within 4 months (the Freedom of Information (Scotland) Act 2002 makes provision for the Scottish Commissioner to deal with all such complaints within 4 months, but there is flexibility). It is not a like-for-like comparison due to the significant differences in volumes of work; however, the ICO needs to put more effort and resources into trying to resolve complaints much more quickly.

Turning to the issue of enforcement; some public authorities have a horrendous reputation for compliance with FOI, especially around the timeliness of responses. For some authorities these issues have existed for a decade or more. Previous Commissioners have seemed not just reluctant but almost wholly uninterested in exercising the significant enforcement powers that they possess to tackle problems here. Some public authorities have been having their compliance closely monitored by the ICO for years with no discernible improvement. Yet, no formal enforcement action has been taken to force these public authorities to make significant improvements.

Enforcement must be proportionate; formal enforcement powers should not, in most cases, be a first resort. However, they must be utilised if the ICO is going to be taken seriously as a regulator. Other authorities watch what the ICO is doing; there is currently no real incentive to engage with the ICO over poor FOI performance. The threat of formal enforcement action effectively doesn’t exist because of the apparent reluctance of the ICO to use its enforcement powers. The ICO needs to adopt a much more robust approach to regulation, which can be achieved in a way that is consistent with the relevant provisions of the Legislative and Regulatory Reform Act 2006.

Data Protection

Some of the problems that exist with the ICO’s FOI function also exist in relation to its Data Protection function. When it comes to Data Protection, the ICO is too business friendly and has often acted more like a think-tank than a regulator in this field.

As I have already said, enforcement must be proportionate. However, the ICO needs to remember that it is a regulator first and foremost. It is not a professional adviser for data controllers; there are lawyers and data protection consultants out there who can (and should) be fulfilling the professional adviser role. The balance between the informal methods of encouraging compliance and the formal methods of enforcing compliance has been all wrong. The ICO is obliged to have guidance in place, but it is not its sole purpose to produce and promulgate guidance.

The Regulators’ Code [pdf] (which applies to the ICO) does require regulators to carry out their activities in a way that supports those they regulate to comply and grow. It provides that “[r]egulators should avoid imposing unnecessary regulatory burdens through their regulatory activities and should assess whether similar social, environmental and economic outcomes could be achieved by less burdensome means.” However, it appears that the ICO has historically taken this to a degree that is inappropriate.

The Regulators’ code also provides that “[i]f a regulator concludes, on the basis of material evidence, that a specific provision of the Code is either not applicable or is outweighed by another relevant consideration, the regulator is not bound to follow that provision, but should record that decision and the reasons for it.” The balance is all wrong with the ICO; it appears to focus too much on the provisions of section 1 of the Regulators’ Code and not enough on forcing compliance where other, less burdensome, means have obviously failed.

In short, the ICO needs to re-orientate its relationship with those it regulates so that it is in a much stronger position to deploy its considerable enforcement powers when needed. When it comes to data protection, the most powerful tool at the ICO’s disposal is not the fines that it can levy but rather the power to issue Enforcement Notices; these can be used to force controllers to stop processing personal data altogether, or in certain ways, and they can be used to require data controllers to take certain specified steps to bring them into compliance.

The recent Enforcement Notice [pdf] issued to the Ministry of Justice is an example of formal enforcement action coming far too late; the MoJ has a backlog of many thousands of Subject Access Requests. The ICO records in its Enforcement Notice that it first became aware that the MoJ’s backlog had grown again (following an Enforcement Notice in 2017) in January 2019. It then records a shift in the ICO’s enforcement activities as a result of the COVID-19 pandemic, but that was more than a year after the ICO first became involved with the MoJ, for a second time, over its compliance with the right of subject access. An Enforcement Notice was then issued in January 2022, almost 2 years to the day after it started to get involved with the MoJ for a second time. This is, in my opinion, an example of a failure in regulation. The ICO watched as the MoJ continued to fail in a basic and important aspect of data protection law; much earlier formal intervention ought to have been taken (especially given that this was the second time the ICO had to get involved with the controller over the same issue).

Conclusion

The overriding issue with the ICO, in my opinion, is that it has got the balance wrong between soft and hard regulation. The ICO needs to adopt a much more robust approach to regulation; neither the 2006 Act nor the Regulators’ Code prohibits this. However, the ICO seems to have become paralysed in its regulatory activity in a way that neither the 2006 Act, nor the Code which flows from it, intended.

Litigation, Privilege and Subject Access

The English Court of Appeal has issued a judgment in relation to subject access rights under the Data Protection Act 1998 (“the DPA”).  The Court’s decision centres on three main issues in relation to subject access requests:  (1) the extent of the exemption for legal professional privilege; (2) when the effort to comply with a subject access request is disproportionate; and (3) the discretion of the court when considering an application pursuant to Section 7(9) of the DPA.

The right of subject access is one of the fundamental rights afforded to data subjects.  It allows individuals to discover what information a data controller is processing about them, in what way they are processing it (including who it has been or may be disclosed to) and to check the accuracy of the personal data being processed.  The importance of the data subject’s right is marked by the right of a data subject to apply to the courts in order to secure compliance where a data controller has failed to comply.  It is not an absolute right; there are circumstances in which a data controller does not need to comply with a subject access request.

The Extent of the Legal Professional Privilege Exemption

Paragraph 10 of Schedule 7 to the DPA makes provision for exempting information from the subject access provisions in Section 7 where “the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications could be maintained in legal proceedings.”

In Dawson-Damer there were two interpretations of this exemption put forward, described in the judgment as the “narrow” and “wide” interpretations.  The Court preferred the narrower of the two, holding that the exemption “relieves the data controller from complying with a subject access request (“SAR”) only if there is relevant privilege according to the law of any part of the UK.” [45] The Court also held that “the DPA does not contain an exception for documents not disclosable to a beneficiary under trust law principles.” [54]  The Court held that the Legal Professional Privilege exemption does not extend to such information. [54]

Disproportionate Effort

The Court held that whether complying with the SAR, or taking certain steps as part of the process of complying with the SAR, involves disproportionate effort “will be a question for evaluation in each particular case” [77].  The court noted that “it is clear from the recitals to the Directive that there are substantial public policy reasons for giving people control over data maintained about them through the system of rights and remedies contained in the Directive, which must mean that where and so far as possible, SARS should be enforced.” [79]

Court’s discretion

The discretion afforded to the Court under section 7(9) of the DPA is a “general discretion” [105].  The Court held that Durant v Financial Services Authority did not create a position whereby a data subject cannot exercise DPA rights for purposes outside the DPA.  Durant was concerned with the scope of the term ‘personal data’ and as such the Court’s comments in Durant were in that context.  They did not mean that where individuals had another purpose (for example, with a view to using the material in litigation) they could not exercise their subject access rights.  The Court noted that “it would be odd if the verification of data was always in practice a complete aim in itself which excluded all others…neither the Directive nor the DPA compels that interpretation.  Nor has Parliament expressly required a data subject to show that he has no other purpose.” [108]  The court did note that there might be a different outcome where an application under section 7(9) of the DPA “was an abuse of the court’s process…or if the claimant was a representative party who had some purpose which might give rise to a conflict of interest with that of the group or body he represents.”

Comment

This is an important case concerning the right of subject access under Section 7 of the DPA and is one that all data protection practitioners ought to be familiar with.  Although it is not directly binding on the courts in Scotland (it being a decision of the English Court of Appeal), it is quite likely that a Scottish court faced with similar issues will arrive at the same conclusions as the Court of Appeal has done here.

The exemption for legal professional privilege is a narrow one; it does not cover information that might be the subject of such claims in jurisdictions other than one of the three UK jurisdictions, nor does it extend to claims of confidentiality that fall outside of the scope of legal professional privilege.

When it comes to disproportionate effort in dealing with a SAR, it is a balance between the effort to comply and the data subject’s right.  It is clear from both the statutory provisions themselves and the comments of Arden LJ in this case that the data subject’s right is a fundamental one.  As a consequence the barrier is a high one when trying to argue that complying would involve disproportionate effort.  The Court did not consider that Taylor Wessing LLP had even begun the process, let alone been able to demonstrate that complying would be disproportionate.  It would appear that data controllers will not simply be able to look at a SAR and dismiss it out of hand as resulting in disproportionate effort; the fundamental nature of the right of subject access will trump the effort necessary to comply in most cases.

Finally, if you’ve ever been under the belief that law firms are data processors for client information then this case is clear that this is wrong:  law firms are data controllers.  If a law firm receives a subject access request from a third party then the personal data must be assessed carefully to establish whether privilege exists and where it does, it must be claimed.

Don’t throw stones in glass houses

Today the Scottish National Party (SNP) launched a brand new website with the aim of gauging public support for a second referendum on Scottish independence.  Of course Scotland had a referendum on this issue a little under two years ago where those who voted did so 55% – 45% in favour of Scotland remaining part of the United Kingdom.  In May the Scottish people went to the polls to elect the Scottish Parliament; the Scottish Conservative Party fought that election on a strong pro-union message and had its best electoral success in Scotland in many decades.  They pushed Scottish Labour (to whom the criticisms in this blog equally apply) into third place to become the official opposition in the Scottish Parliament to the SNP Government (which, incidentally, lost its overall majority and is governing, once again, as a minority government).

This afternoon I had a look at the SNP’s new website and immediately spotted some problems with it.  The National Survey website unsurprisingly has a survey for people to complete.  It asks a number of questions such as how people voted in the 2014 independence referendum and in June’s EU referendum.  It also asks for the name and postcode of the person completing the survey as well as whether or not they have children or grandchildren who are under the age of 18 years, all fields which are mandatory.  The website does have a data protection and privacy policy, which is very brief.  The following screenshot was taken from the National Survey website this afternoon:

[Screenshot: data protection and privacy policy from the SNP’s National Survey website]

The policy is extremely short, but the key aspect of the policy for the present purposes is “The SNP may…contact you about issues you may find of interest using any details you have supplied.  You can opt out of some or all contact by writing to us.”  I shall return to why this is the key aspect in a moment, but for now it’s on with the story.

The Scottish Conservative Party has apparently taken legal advice on the SNP’s National Survey website and written to both the Electoral Commission and the Information Commissioner; the former being irrelevant for present purposes.  The Scottish Conservatives state that they considered that the SNP’s website breaches the Data Protection Act 1998 (it does, but more on that in a moment).  However, while they are considering the SNP’s National Survey website they might wish to consider their own website.

Unlike the SNP’s National Survey website, the Scottish Conservatives website has a lengthy data protection and privacy policy, but I have taken a screenshot of the relevant bit:

[Screenshot: relevant section of the Scottish Conservatives’ data protection and privacy policy]

The relevant part for present purposes is the bit that reads “[b]y entering your contact details you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send or using the contact details at the top of this privacy notice.”

There are problems with both the Privacy Notices above, and they are in fact the same problem.  I will come onto the breaches of the Data Protection Act 1998 in a moment; however, I initially want to discuss the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Both the above privacy notices envisage sending information to those who have provided their E-mail address about campaigns that the respective political parties are engaging in.  These E-mails will essentially be promoting the aims of the respective political party, either generally or in respect of a specific area of policy.  These E-mails will be sent directly to an individual; that makes them direct marketing communications.  The law is very strict on when it is legal to send such communications.  The relevant regulation is Regulation 22, which covers direct marketing by electronic mail.  Regulation 22(2) requires (except in a very limited set of circumstances, not relevant here) that individuals must give consent to receive such marketing.

The Scottish Conservatives’ privacy policy certainly seems to suggest that they have consent, but in reality they do not.  This is because consent is actually defined in the 1995 Data Protection Directive and that definition is applicable to the PECR; their privacy policy doesn’t meet that definition.  The definition of consent in the 1995 Data Protection Directive is to be found in Article 2 and is “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”  Consent obtained in the way the SNP and Scottish Conservatives have approached it is not “freely given specific and informed”.  Individuals have not positively expressed a desire to receive general communications about the party or its campaigns; they’ve simply filled in a survey expressing their views on the matters asked about in the survey.  In the case of the specific example of the SNP’s National Survey website the privacy policy isn’t visible at the time the personal data is collected; it cannot therefore be said to be an informed expression of the data subject’s wishes.  The Conservatives (both at a UK and Scottish level) have been guilty of this too.

Essentially what this means is that any E-mail communication sent by either the Scottish Conservatives or the SNP that amounts to direct marketing (which is likely to be every e-mail) in reliance upon the consent obtained through their respective privacy policies is unlawful.

Now, to the Data Protection Act issues.  A data controller (which any political party will be) must only process personal data fairly and lawfully (first data protection principle).  For the processing to be lawful a schedule 2 condition must be satisfied (and in the case of sensitive personal data, a schedule 3 condition as well).  One of the conditions in Schedules 2 and 3 is essentially processing to which the data subject has consented; however, neither the SNP nor the Scottish Conservatives can wholly rely on consent because they simply do not have the data subject’s consent.  They wouldn’t be able to satisfy any of the other schedule 2 or 3 conditions to legitimise their sending of direct marketing e-mail communications; they would therefore also breach the first data protection principle when sending those E-mails.

Collecting personal data is also a processing activity.  In the case of the SNP’s National Survey they are not collecting the personal data fairly.  While they do have their privacy policy (which is quite frankly a sorry excuse for one) it is not prominent on the actual survey itself; people are not told at the time their personal data is collected exactly how the SNP will make use of it.  You can navigate to the privacy policy from the survey page, but the link to the policy is in extremely small text at the very foot of the page (so much so that I initially had difficulty in locating its existence at all).

Turning once again to the Scottish Conservatives, they are currently running a petition on their website against having a second referendum on Scottish independence.  They continue to rely on implied consent for general communications about the Scottish Conservative Party and are arguably collecting personal data unfairly as well.  While the link to their data collection and use policy is clearer, it comes after the “sign up” button and still requires individuals to navigate away from the page that they are on in order to see exactly how their personal data is going to be used by the Scottish Conservatives.

One other issue with the SNP’s National Survey website relates to the third data protection principle which states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”  All of the fields are mandatory and it is unclear as to why information such as the number of children or grandchildren you have under the age of 18 or indeed what your name or E-mail has to do with gauging support for a second independence referendum.  This is simply an exercise in gathering personal data and that should be made clear from the website and the survey (otherwise it will only add to the breaches of the first data protection principle).  Those fields should, as a very minimum, be made optional.

To conclude, while the Scottish Conservatives have raised legitimate and valid criticisms of the SNP’s National Survey website, they would do well to remember that people in glass houses ought not to throw stones.


Procedures, Training and Data Protection

On Thursday last week the Information Commissioner’s Office published a Monetary Penalty Notice that it had served upon a GP Surgery in England for breaches of the Data Protection Act 1998.  The Notice cited the all too familiar seventh data protection principle.  This data protection principle broadly requires a data controller to have in place adequate technical and organisational measures to protect personal data.  It is the data protection principle which features in almost all of the Information Commissioner’s enforcement in relation to the Data Protection Act.

The Monetary Penalty Notice served on the GP Practice arose out of the practice’s handling of a Subject Access Request which it had received.  The request was received in respect of a child patient from one of the patient’s parents (the child’s father).  The child’s parents had separated sometime before and that separation had not been amicable.  The child’s mother had moved and did not want the father knowing where she was currently living.  The mother’s new address was contained within the child’s medical records.

The practice handled the Subject Access request and sent the father everything that was contained within the child’s medical records.  These records were subsequently lodged in court as part of ongoing court proceedings between the parents.  The records were then forwarded onto the mother who discovered that her personal data had been disclosed to the father in response to the subject access request concerning the child as well as personal data relating to another child not related to the father and other personal information that should not have been disclosed to the child’s father.

The Monetary Penalty Notice records that there had been no training given in respect of the handling of Subject Access Requests and that there were no procedures within the practice for the handling of these requests.  In this case the disclosure was not checked before it was sent out to ensure that there was nothing within the records that ought to be excluded.

The handling of Subject Access Requests is not straightforward.  It is not simply a matter of printing out all of the records held and posting them, or downloading them and E-mailing them to the data subject.  The information has to be carefully gone through to identify any third party personal data so that decisions can be taken about whether or not that third party personal data can or should be disclosed.  Furthermore, there are a range of exemptions that can be applied to information that is held – some of which may well apply to medical records – which enable the data controller to refuse to provide that information in response to a Subject Access Request.  That is in addition to the other (often forgotten) rights contained in Section 7 of the Data Protection Act 1998.

Given the complexity of handling such requests it is important that there are proper procedures in place as to how such requests should be handled.  This should cover everything from the recording of the request having come in through to identifying the data subject’s personal data, considering it for disclosure, compiling the disclosure, checking and recording that the response has been sent (and everything else not mentioned in that list).

It’s not just a case of having in place a procedure; everyone who is involved in the process needs to have training appropriate to the functions that they are performing.  Those who are responsible for identifying what should be disclosed should have proper training to enable them to identify third party information as well as the information which could potentially be withheld.  That training must also be regular to ensure that persons involved in the process are kept up-to-date with the procedures and any changes in the relevant law – regular training is especially important for people who rarely handle Subject Access Requests.

Having in place good quality, detailed procedures together with a comprehensive training programme can substantially reduce the risk of experiencing a data breach.  If things do go wrong, having in place good quality, detailed procedures (compliance with which is being regularly monitored) and a comprehensive training programme can substantially mitigate any regulatory action taken by the Information Commissioner.

Data Protection and the #EUref

Data Protection is not an area that people generally get especially excited about, but the rights contained in the Data Protection Act 1998 (“the DPA”) are important.  They enable individuals to find out (mostly) what information companies and organisations hold about them, where they got it from, what they do with it, who they give it to and what it says.  It also enables people to take a degree of control over what companies and organisations do with that information; including the ability to prevent a company from using their information for marketing purposes, forcing them to correct inaccurate information and forcing them to stop “processing” their information where the processing causes substantial damage or distress that is unwarranted.

The DPA implements an EU Directive into domestic law.  Data Protection law in the UK has its roots in European law.  However, it’s not just the DPA that has its roots in European law; the connected Privacy and Electronic Communications Regulations 2003 (the full name of which is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003) also implement European law into domestic law.  These Regulations relate to the use of personal data and are the regulatory regime that governs the use of electronic communications (such as E-mail, phone and text) to market directly to individuals.  These are the regulations which help deal with those annoying and unsolicited PPI and accident claims telephone calls.

In 2018 the Directive that underpins the DPA is being replaced with a new EU Regulation on Data Protection and the Directive underpinning the 2003 Regulations is currently being reviewed in light of the new EU Data Protection Regulation (the European Commission is consulting on this issue until 5 July 2016).

The DPA replaced the Data Protection Act 1984.  The 1984 Act was introduced to give protection to individuals in relation to the automatic processing of their personal data and was based upon the Council of Europe’s (the same Council of Europe behind the European Convention on Human Rights and Fundamental Freedoms) 1981 Convention for the protection of individuals with regard to automatic processing of personal data.

Now that there has been a brief account of the history of Data Protection law in the United Kingdom, it is possible to turn to the main purpose of this article; that is to consider Data Protection in the context of the EU Referendum.

If the UK votes to remain in the European Union then in May 2018 the United Kingdom will have to comply with the General Data Protection Regulation (which, being a Regulation, will have direct effect regardless as to whether the UK Parliament enacts a new Data Protection Act or not) together with the associated Directives; including whatever eventually replaces the 2002 e-Privacy Directive.  The associated Directives, together with some of the fudges in the new Regulation, will likely mean that there will be a new Data Protection Act to replace the current Act (probably towards the end of 2017).

If the UK votes to leave the European Union what happens is a bit more uncertain.  A vote to leave the EU will not mean that there is a complete end to the UK’s relationship with the EU, and that will have an impact on Data Protection.

The first thing to note is that a vote to leave will not mean an instantaneous split.  There currently isn’t really a process for an EU Member State to leave the Union, so some time will be spent working out how that happens, and there will inevitably be time spent negotiating a new relationship with the EU, whether inside or outside the EEA.  It seems quite likely that we will still be in the EU come May 2018, which might mean that the GDPR will automatically apply – but that is entirely dependent upon what happens in terms of negotiations between the vote to leave and May 2018.

If the United Kingdom simply becomes part of the EEA then the result, insofar as Data Protection is concerned, will be identical to a vote to remain; the GDPR applies to the EEA countries (presently being Iceland, Liechtenstein and Norway) as well as to EU Member States.

If the United Kingdom leaves the EU and doesn’t join the EEA there will be a bit more freedom in respect of Data Protection.  However, the requirement for Data Controllers within EU Member States not to transfer personal data to a country outside of the EU/EEA, unless there is an adequate level of protection for personal data, will mean that we will continue to have some form of Data Protection law.

It is possible that the UK could meet the adequate level of protection requirement with rights that are substantially lower than those afforded by the GDPR (when it enters into force), and so the UK’s Data Protection law will not necessarily be all that similar to the GDPR – especially if the government of the day is one that favours light-touch regulation and a lack of “red tape”.  That means that even if the UK is forced to comply with the GDPR initially, Data Protection law in the UK could change dramatically to something that affords much less protection than the GDPR.  What the law will look like, though, will depend not only upon the ideals of the government of the day but upon what they think would be politically acceptable.  Over the last 30 or so years people have become much more wary about what governments, public agencies and businesses do with their personal data; so while the political will might be to substantially lower the level of protection afforded to individuals’ personal data, the public will might not let them go quite as far as they wish!

In short, the future of Data Protection law in the UK will be very much influenced by the result of the Referendum and the eventual relationship with the EU in the event of a vote to leave.

Another day, another DPP7 breach and another Monetary Penalty

Section 2 of the Data Protection Act 1998 stipulates that information concerning a person’s health (mental or physical) is sensitive personal data.  This means that a person’s health information attracts a higher level of protection under the Data Protection Act 1998; the damage and distress that can result from the inappropriate disclosure or processing of a person’s health information can be significant.  People can experience bullying, harassment and/or discrimination as a consequence of mental or physical health conditions.  Some health conditions, mental or physical, can attract far more discrimination than others do.  HIV is, sadly, a health condition that still attracts a certain amount of discrimination and prejudice in the UK today.  With that in mind, an NHS Trust sending out its E-mail newsletter to users of its HIV sexual health services, with all of the recipients’ E-mail addresses visible to every other recipient, is likely to result in the said NHS Trust being in more than a bit of bother with the Information Commissioner’s Office.  That’s exactly what happened to one NHS Trust in London.

The Information Commissioner has served a Monetary Penalty Notice in the amount of £180,000 on Chelsea and Westminster Hospital NHS Foundation Trust after a member of staff E-mailed out a Newsletter to users of 56 Dean Street with all 781 recipients’ E-mail addresses being visible to all of the recipients.

56 Dean Street is a Soho based sexual health clinic which provides sexual health services to patients, including patients who are HIV positive.  The clinic had developed a service whereby patients with HIV were able to receive results and to make appointments and enquiries online.  They, together with a small number of patients who were not HIV positive, received newsletters from the clinic.  Some of the E-mail addresses included the full name of the patient whose E-mail address it was.  In September 2015, a member of staff sending out one of the clinic’s newsletters sent the E-mail with all of the recipients’ E-mail addresses in the “to” field, rather than the “bcc” field.  This meant that each recipient was able to see the E-mail addresses of all other recipients.

This was not the first time that a member of the Trust’s staff had done this in respect of E-mail addresses of HIV Patients.  The Monetary Penalty Notice served on the Trust records a similar incident that occurred in March 2010.  In that incident, a Pharmacist sent out a questionnaire to 17 patients receiving treatment for HIV about their treatment.  The E-mail addresses of all recipients were included in the “to” field, rather than the “bcc” field; meaning that they were visible to all recipients.  The Monetary Penalty Notice records that remedial steps were put into place by the Trust following that breach, although it doesn’t state what they were; however, it does record that there was no training given to staff to remind them to check that group E-mail addresses were being placed in the correct field, nor had they replaced the E-mail account being used with one that would enable separate E-mails to be sent to each address on the mailing list.

The Monetary Penalty Notice records that subscribers were not told that their E-mail addresses would be used to send Newsletters to other patients by way of a bulk E-mail and also notes that one of the subscribers should have been removed from the list following their relocation to Essex.

The Commissioner found that the Trust had breached the seventh Data Protection Principle, which relates to having appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of personal data as well as against the accidental loss or destruction of, or damage to, personal data.  The Commissioner considered that the Trust had failed to comply with the seventh data protection principle by not using an E-mail account that enabled separate E-mails to be sent to each recipient, and also by failing to provide adequate training to staff to ensure that E-mail addresses were being placed in the correct field.

The Commissioner was satisfied that the Trust was responsible for the breach.  The Commissioner was also satisfied that the Trust had not intended to breach the seventh data protection principle.  However, the Commissioner was satisfied that the breach that had occurred was reasonably foreseeable and that the Trust should have therefore taken steps to prevent the breach from occurring.

Once again a breach of the seventh Data Protection Principle has resulted in enforcement action being taken by the Information Commissioner.  The Information Commissioner’s enforcement action in respect of Data Protection breaches has almost exclusively centred on breaches of the seventh Data Protection Principle.  Each time enforcement action is taken it carries with it national publicity.  Therefore, Data Controllers ought to be well aware that failures to have in place adequate internal processes and security measures to protect personal data, especially where that Data Controller is also a public authority, are extremely likely to result in enforcement action being taken by the Information Commissioner – and that is aside from the reputational damage that inevitably comes with security breaches around personal data.

It is important that Data Controllers ensure that they have in place adequate policies and procedures as well as software and other technical measures (such as password protection and encryption) to protect against all reasonably foreseeable data breaches.  That requires organisations to review the personal data that they hold, together with the ways in which they process that personal data, to identify vulnerabilities in respect of the security of personal data that they hold.  The results of getting it wrong can be substantial, both financially and reputationally.
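The two failings the Commissioner identified in the 56 Dean Street case (no check that list addresses were in the right field, and no facility to send a separate E-mail to each subscriber) can both be expressed as a pre-send control. As an added example, not code from this post or from the Trust, the Python below flags a message that exposes addresses in To/Cc and builds one message per subscriber instead; the mailbox names and subscriber addresses are constructed placeholders.

```python
"""Pre-send guard against a mailing-list send that discloses every subscriber's
address to every other subscriber.

Added example; not code from the original post or from the Trust.
All addresses below are constructed placeholders on example.org.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable

MAX_VISIBLE = 1  # a list send may expose at most one address in To/Cc

# Constructed demonstration data: three placeholder subscribers.
SUBSCRIBERS = ["pat.one@example.org", "pat.two@example.org", "pat.three@example.org"]
SENDER = "clinic-news@example.org"  # placeholder mailbox


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: the To and Cc headers.
    Bcc is ignored because a correctly behaving mail server strips it before delivery."""
    raw = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def check_bulk_send(msg: EmailMessage, max_visible: int = MAX_VISIBLE) -> list[str]:
    """Return a list of problems; an empty list means the message may be sent.
    This is the check that was missing: it catches a whole list pasted into To
    (or Cc) instead of Bcc before the message leaves the organisation."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} addresses visible in To/Cc (limit {max_visible}); "
            "they would be disclosed to every recipient"
        )
    return problems


def split_per_recipient(sender: str, subject: str, body: str,
                        recipients: Iterable[str]) -> list[EmailMessage]:
    """Build one message per subscriber, the remedy the Notice says the Trust lacked:
    no recipient can learn who else is on the list."""
    messages = []
    for addr in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = addr          # exactly one visible recipient per message
        m["Subject"] = subject
        m.set_content(body)
        messages.append(m)
    return messages


def build_bad_newsletter() -> EmailMessage:
    """Reproduce the mistake described in the Notice: the whole list in the To field."""
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = ", ".join(SUBSCRIBERS)
    m["Subject"] = "Clinic newsletter (constructed example)"
    m.set_content("Newsletter body (constructed example).")
    return m


if __name__ == "__main__":
    bad = build_bad_newsletter()
    print("problems with list-in-To send:", check_bulk_send(bad))
    for safe in split_per_recipient(SENDER, "Clinic newsletter", "Body", SUBSCRIBERS):
        assert check_bulk_send(safe) == []
        print("ok to send ->", safe["To"])
```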

The current maximum financial penalty available to the Information Commissioner is capped at £500,000; however, when the new Data Protection Regulation enters into force in May 2018 (subject to the results of the EU referendum next month) the maximum financial penalty for such breaches will increase to 4% of net global turnover or €20 million, and so the financial consequences of getting it wrong could be even greater in two years’ time than they currently are.

When a Data Controller processes personal data they are being trusted with that data by the Data Subject.  Some Data Controllers are entrusted with some of the most sensitive personal data about an individual, perhaps things that only a few other trusted people know; that level of trust can be huge.  It’s not the sort of information that should just be left lying around; it needs to be kept safely and securely and be processed in a way that is appropriate for its nature; especially when the information in question is (rightly) defined as sensitive personal data.

Gilroy -v- Scottish Information Commissioner

The Court of Session has issued a rare judgment in respect of an appeal under the Freedom of Information (Scotland) Act 2002 (FOISA).  Yesterday the First Division published its judgment in the case of David Gilroy –v– The Scottish Information Commissioner and the Chief Constable of Police Scotland.

The Appellant, David Gilroy, had been convicted of the murder of Suzanne Pilley at the High Court of Justiciary.  Mr Gilroy sought information from the Police Service of Scotland, as the statutory successor to Lothian and Borders Police (who had conducted the investigation into the murder of which Mr Gilroy had been convicted).  The information he sought related to CCTV that had been seized by the Police as part of the murder investigation.  The Police initially responded by saying that the information sought had been released to Mr Gilroy’s defence team and so he could obtain it that way, but had not complied with the technical requirements imposed by FOISA for a refusal notice.  Mr Gilroy required that the Police conduct a review into their handling of the request.  In response to the requirement for review, the Police refused the request on the grounds that it was exempt under section 38(1)(a) of FOISA – which provides that information of which the applicant is the data subject is exempt.  This is an absolute exemption and therefore it is not subject to the public interest test contained in section 2 of FOISA.  Such information can be sought by way of a ‘subject access request’ pursuant to section 7 of the Data Protection Act 1998.  The Police also cited the exemption at section 34(1)(c) of FOISA.

Mr Gilroy made an application to the Scottish Information Commissioner pursuant to section 47(1) of FOISA.  The Commissioner issued a Decision in respect of that application (Decision 005/2015) finding that the Police were correct to withhold the information under section 38(1)(a).  Section 56 of the FOISA provides a right of appeal to the Court of Session against a decision of the Scottish Information Commissioner on a point of law.  Mr Gilroy appealed the decision of the Scottish Information Commissioner to the Court of Session.

The Court of Session’s decision is a short one.  The relationship between the Data Protection Act 1998 and FOISA has been the subject of previous litigation and nothing new was brought out in this case.  The litigation that has previously occurred in this field has confirmed that the question of whether information is personal data is a factual one.  The Lord President (Carloway), in giving the decision of the Court, considered that there was “no identifiable error of law” in the Commissioner’s decision (para [14]) and that there was no “point of law to be considered” (para [15]).  The Lord President’s judgment states that Mr Gilroy’s appeal was “essentially an application to this court to review an assessment of fact made by the first respondent”.  Mr Gilroy’s appeal was therefore refused by the Court.

The judgment does highlight (once again) the wide scope of the definition of personal data in the Data Protection Act.  The information in question was not stills or footage from the CCTV, but rather a list of images together with details such as location, dates and times.  This was considered by the Court to be clearly within the definition of personal data, with the Appellant being the data subject (para [14]).

The Commissioner did not consider in her decision the question of the application of section 34(1)(c) to the information because it was, in her view, exempt under section 38(1)(a).  The Court of Session therefore did not consider it either.

The Court’s judgment can be read on the Scottish Courts and Tribunals website here.

More cross-border Data Protection

On Thursday the Court of Justice of the European Union issued another decision on the interpretation of Directive 95/46/EC – the Data Protection Directive.  The case was on reference from the Hungarian Supreme Court and asked a number of questions around when a data controller is established in a particular member state for the purposes of the Directive.

Factual Background

Weltimmo s.r.o is a company registered in Slovakia under Slovakian law. It operates one or more property websites which are written in Hungarian and feature Hungarian properties.  The Company offered one month’s free advertising before beginning to charge its customers for the use of its service.  Somewhat unsurprisingly a lot of people took advantage of the one month free offer and then sought to have their adverts and personal data erased at the conclusion of the free month.  Weltimmo did not delete the advertisements or their personal data and instead charged its customers for the use of its services.  Those charges went unpaid and Weltimmo passed details of the ‘debtors’ onto debt collection agencies in Hungary.

Complaints were made to the Hungarian Data Protection Authority who found that Weltimmo had breached Data Protection law.  A fine of approximately €32,000 was imposed on Weltimmo.  Weltimmo appealed and the fine was overturned; however, it was determined that Weltimmo was established in Hungary for the purposes of Hungary’s data protection law.  Weltimmo disagreed and appealed to the Hungarian Supreme Court, who made a reference to the Court of Justice of the European Union.

Other important facts narrated in the Court’s decision are: that the company had a Hungarian bank account; it had a letter box in Hungary that was used for its everyday affairs; and it had a representative in Hungary who sought to negotiate settlements of the unpaid debts.

Court’s decision

The Court made reference to Google Spain and stated that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or subsidiary with a legal personality.” [28] The Court went on to say that there is a “flexible definition of the concept of ‘establishment’, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered.” [29]

Essentially what the Court is stating here is that there may be a difference between where a company is registered and where it is established for the purposes of data protection law.  It is necessary to look at where the exercise of activity is and not just about where it has a physical presence by way of a building or a registered office.  A company registered in Scotland, but which deals exclusively in the Republic of Ireland might find itself subject to the data protection law of the Republic of Ireland as opposed to that of the United Kingdom.

In the present case, the Court noted at paragraph [32] that “the activity exercised by Weltimmo consists, at the very least, of the running of one or several property dealing websites concerning properties situated in Hungary, which are written in Hungarian and whose advertisements are subject to a fee after a period of one month.  It must therefore be held that the company pursues a real and effective activity in Hungary.”

In Google Spain the Court held that the Directive does not require the processing of personal data to be carried out by the establishment, but only that it be carried out “in the context of the activities” of the establishment (Google Spain, [52]).  The Court considered that there was “no doubt” that this was the case in the Weltimmo case. [38] Therefore, unless any of the facts concerning bank accounts, representatives and letter boxes proved to be incorrect (matters which it is for the national court to determine) Weltimmo is established in Hungary for the purposes of data protection law.

The Court did stress that the fact that the owners of the properties being advertised had Hungarian nationality was of no relevance in determining the question of which national law was applicable. [40]

The referring court had also sought guidance from the Court concerning the imposition of sanctions.  The Court emphasised the responsibility of national authorities to take action within their own territory and that they may investigate any complaints made to them where the national law of another member state is applicable. [54] However, the Court was equally clear that a national authority cannot impose a sanction upon a data controller who is not established in their territory. [56] This is fairly obvious and stems from the sovereignty of nations.  In those circumstances the national authority that has investigated the matter should pass on the case to the national authority that has jurisdiction to impose a penalty, seeking that they do so, based where necessary on any information supplied to that national authority by the authority which initially investigated the complaint.  [57]

For example, the Information Commissioner’s Office cannot take action against Facebook because it is not established in the UK; however, it may investigate a complaint from someone in the UK as to how Facebook has processed their personal data before passing it to the Irish Data Protection Commissioner, who does have jurisdiction by virtue of Facebook being established in the Republic of Ireland.  It would then be for the Irish Data Protection Commissioner to establish whether Facebook has broken Irish Law in relation to data protection and to then impose penalties in accordance with Irish Law, making use of the information passed to it by the ICO.

This is an important judgment that gives very good and strong advice on handling cross-border data protection issues where the internet is involved.  It stresses the need for data protection authorities across Europe to work in co-operation to ensure the rights of data subjects are protected whilst personal data is being processed.  The coming reforms (expected to be in force mid to late 2018) will not move away from that; indeed, with the proposed ‘one-stop’ regulation it will only increase that requirement.

Round-Up on DPA and PECR: September 2015

A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.


September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.

General Dental Council

The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle.  This followed an incident in which fitness to practise allegations and a CD containing background information relative to the allegations were sent to the wrong practitioner.  An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.

The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for this information to be sent out.  The GDC’s guidance and processes required that the CD on which the background information was sent was encrypted.  In this particular incident the CD was not encrypted.

The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data.  The GDC had introduced induction training, but this was not rolled out to existing staff.  The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.

The Undertaking records a second incident where a patient’s dental records had gone missing.  The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed.  However, the employee involved in this incident had not received induction data protection training.

Cold Call Elimination Ltd

The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR.  Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.

The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service.  The Company provided an explanation and further explained that it would be putting in additional measures relating to unsolicited marketing calls.  The Commissioner placed the company on a period of monitoring for a period of 3 months, during which a large number of complaints continued to be received.

The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place.  During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.

The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015.  The Telephone Preference Service had received 336 complaints over the same period.

The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.

Martin & Company

Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a DVD containing CCTV footage went missing.  The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’).  Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock.  Martin & Company instructed a third party to collect the DVD from the COPFS.  The DVD went missing having been collected by the third party, but before reaching Martin & Company.

The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures.  In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA.  The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.

FlyBe Limited

FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal E-mail address.  The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.

The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident.  The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.

Home Energy & Lifestyle Management Ltd

The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR.  Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government backed energy saving initiative.

The Commissioner wrote to the company having received a number of complaints about the calls being made.  The Company explained that it had now ceased the marketing campaign and that it had not realised that there were different rules in the Privacy and Electronic Communications Regulations for recorded calls as opposed to “live” calls.  The company also sought to explain the calls by attempting to lay the blame at the door of the third party company it had contracted to make the calls on its behalf.

The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.

The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.

Comment

In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data.  This is a regular feature in enforcement action taken by the Information Commissioner.  Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place.  Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.

The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place the appropriate consents and take sufficient steps to ensure that the calls are not made to individuals who have registered with the Telephone Preference Service.  They also highlight the truth of the Latin maxim ignorantia legis neminem excusat – or ignorance of the law excuses no one.  Following a change in the law, it is now much easier for the Commissioner to issue Monetary Penalty Notices in respect of breaches of PECR; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.

Home Office, Twitter and Immigration

Immigration is never far from the headlines in the UK and this has been true for a number of years.  On 1 August 2013 the Home Office conducted a high profile immigration operation around the UK which caused debate and discussion in the UK.  On that day in August 2013 the Home Office published a series of tweets which provided details of the number of persons that they had arrested during the day accompanied by the hashtag #immigrationoffenders and in some cases photographs.

In the days that followed there was national press coverage online on the BBC News website, the Guardian, the New Statesman and others, as well as internationally, for example on the website of Le Parisien, a newspaper in France.  This operation came around a month or so after the mobile billboard campaign run by the Home Office, which popularly became known as ‘the racist van’ – a campaign that was criticised by the Advertising Standards Authority when it partially upheld a complaint against the Home Office.  Much of the criticism of the 1 August 2013 operation, known as ‘Operation Compliance’, was around the operation itself and centred on concerns about racial profiling.  However, some people considered whether the Home Office was properly complying with the Data Protection Act 1998 and there was even some consideration as to whether the activities might be considered as prejudicing future criminal proceedings (if any).

After some consideration I made a Freedom of Information request to the Home Office in August 2013 concerning the events of 1 August 2013, a request that finally came to a conclusion on 3 September 2015.  The Home Office initially refused the request and largely upheld that position on internal review (which it took over 9 months to complete).  The Information Commissioner found in his decision notice that the Home Office were entitled to withhold some of the information that they had withheld, but not the rest (see the ICO’s decision here – which also sets out my request in full).  The Home Office then appealed this to the First-Tier Tribunal (Information Rights).  The Tribunal dismissed the Home Office’s appeal (the Tribunal’s decision can be read here) after a hearing in late June 2015.  The information that was disclosed can be read here (this document does include some of the information that had been earlier disclosed, but the Home Office included it in the new disclosure for “consistency”).

What the information reveals is nothing sinister; it shows civil servants planning and executing a public relations campaign highlighting the work that the Home Office is undertaking.  My principal interest though was always around what consideration the Home Office had given to data protection implications, as well as concerns around prejudicing future criminal prosecutions and also compliance with civil service guidance (which someone else had written about following a tweet of a similar nature about a month earlier).

The information that has been disclosed reveals quite a lot by what it does not contain.  There appears to be no direct consideration of data protection or of prejudice to future criminal proceedings or civil service guidance.  Of course, these matters could have been considered and there simply exists no record of them having been considered (that, I suggest, would show a lack of proper and effective record keeping).  There is an indirect reference to the data protection and prejudice matters in the email extract dated 31/7/2013 at 16:42.

The information also shows that the Home Office changed the hashtag prior to the operation commencing.  It would appear from the information disclosed that they had initially intended to use #illegalworking.  It seems that they changed their mind because the 1 August 2013 operation was not solely targeting those working without the proper papers and permission and they feared criticism from using the #illegalworking hashtag.

Of course this information is not anywhere near as valuable as it might have been had it been released in August or September 2013; many people will have forgotten all about the 1 August 2013 operation (I suspect it will be etched in my mind for some time to come, having lived it, studied it, discussed it and litigated it for over 2 years).  It has been a long road, but nonetheless the information that has been released is valuable:  it largely shows a measured discussion by civil servants who appear to be trying to demonstrate to the public in relevant and imaginative ways the work of one of the Departments of State; however, it does appear to highlight some weaknesses in the planning for such media operations and, if anything, hopefully these matters will be considered in future operations.