Category: Information Rights

Appropriate steps and section 166

Last month I highlighted an interesting decision from the First-Tier Tribunal on the much-litigated section 166 of the Data Protection Act 2018 (a section which often results in data subjects being disappointed as to its scope). Yesterday, the Tribunal gave another interesting decision in relation to section 166.

In August 2021, the applicant made a subject access request to a company called Contactout Limited. In November 2021, the applicant complained to the Information Commissioner as the company had not responded to their subject access request. In February 2022, the Commissioner responded to the applicant essentially telling the applicant that there was nothing that the Commissioner could do as the controller was based in the USA. Another fact of key importance is that the applicant was based in the Netherlands and that nothing had been put forward to connect either the applicant or the controller to the UK.

As the Commissioner had provided a response to the applicant, he asked the tribunal to strike out the application as having no reasonable prospect of success. The Tribunal declined to do this (but ultimately dismissed the application). The applicant argued that no adequate explanation had been provided as to why the Commissioner was not the relevant supervisory authority. The Tribunal considered that such an argument had, at least, the potential to fall within the scope of a section 166 application [para 14]. The Tribunal was somewhat critical of the Commissioner’s submission which “failed to engage with the applicant’s actual pleaded case.” [para 14] The Tribunal went on to state that it was not going “so far as holding that a sufficiency of reasoning is required in a public law sense, but the applicant must at least know what the outcome is.” [para 14]

The Tribunal found that the wording of the Commissioner’s response letter to the applicant (quoted in its decision), when taken in isolation, risked misleading the reader of the letter into thinking that the Commissioner was unable to take regulatory action against a controller based in a third country; Article 3 of the UK GDPR and section 207 of the Data Protection Act 2018 create, at least, some scope for such regulatory action. However, the Tribunal decided that the phrase “In relation to your case” within the decision letter from the Commissioner was sufficient to clear up any misunderstanding. The complaint disclosed that there was nothing linking the applicant, their personal data or the controller to the United Kingdom and it was for that reason that the Commissioner had no jurisdiction. So, with that misunderstanding cleared up, there was nothing left that the Commissioner could do that could form the basis for the Tribunal issuing an order under section 166.

The application was dismissed.

Section 166 continues to be a disappointment to data subjects; the limited scope of its terms has been affirmed repeatedly by both the FtT and the Upper Tribunal. It does not afford a mechanism of appeal for a data subject who is unhappy with the outcome of their complaint to the Commissioner. It is clear, however, that where there remains scope for the Commissioner to take reasonable steps to address the complaint, then there may be some scope for orders under section 166. There is a fine line between considering whether appropriate steps have been taken to respond and whether the response itself was appropriate. The Tribunal is tasked with casting “a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.” (Killock and ors v Information Commissioner [2021] UKUT 299 (AAC) at [87]).

ColourCoat Ltd v Information Commissioner

Last week, the First-Tier Tribunal issued its decision in an appeal by ColourCoat Limited (“CCL”) against a Monetary Penalty Notice (“MPN”) issued by the Information Commissioner in respect of contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

Since 2016, CCL has been installing, as a subcontractor, hydrophobic thermal coatings to combat damp and heat loss in residential properties. In 2019, CCL decided that it would start marketing directly to potential customers and bought lists of names and phone numbers for this purpose.

When calls from CCL were answered, the call operator introduced themselves as being from “Homes Advice Bureau”; the script that they followed had the call operators inform the recipient that they were following up on a Government initiative about loft or cavity wall insulation. The call recipient was informed that they qualified for a free “heat loss and moisture check” which would be carried out by “EcoSolve UK”. If the recipient expressed interest, CCL would thereafter inspect the property and attempt to sell installation services. By the end of October 2019, CCL’s turnover had increased seven-fold.

In February 2020, the Information Commissioner noted that their office had received a number of complaints about unsolicited direct marketing calls from a company calling themselves “Homes Advice Bureau”. CCL was identified by the Commissioner, using statutory powers, as the source of these calls. The Commissioner discovered that CCL had made almost 970,000 calls for the purpose of direct marketing between August 2019 and March 2020. Of these calls over 450,000 were made to numbers registered with either the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) and had been so registered for more than 28 days.

The Commissioner issued a Notice of Intent and a Preliminary Enforcement Notice in February 2021. After CCL had made representations through its solicitors, the Commissioner served an MPN (in the sum of £130,000) and an Enforcement Notice on CCL on 16 June 2021. The Commissioner had found CCL in breach of Regulations 21(1)(a), 21(1)(b), 21(A1) and 24(1)(b) of PECR.

CCL did not dispute that it had breached Regs 21(1)(a) and (b); however, it did dispute the breaches of Regs 21(A1) and 24(1)(b) of PECR; it also appealed the amount of the MPN. However, the FTT held that CCL was in contravention of Regs 21(A1) and 24(1)(b).

In relation to Reg 21(A1), the FTT held that CCL had used mobile numbers from which it could not be identified and that at least one of the numbers used was registered to a pseudonym (“John Smith”).

In relation to Reg 24(1)(b), the FTT found that CCL had failed to provide call recipients with its name. The FTT said, at para 36, that “[w]hile a company can trade under a trading name, PECR requires anyone making unsolicited direct marketing calls to provide their name – in this case, the registered company name.” The FTT noted that the Commissioner had experienced difficulty in identifying CCL as the source of the calls and had only been able to do so by making use of their statutory powers; something that would have been “impossible for the call recipients” [para 36].

CCL had sought to argue that its contravention of Reg 21(1)(a) had been negligent; however, the FTT held that it was deliberate. Names would only go on CCL’s “Do Not Call” list if an individual was particularly forceful or insistent. CCL’s sole director confirmed in oral evidence to the FTT that a call recipient who had told CCL to “go away” would be called again in case they were just in a bad mood or in a rush. [para 39]

In relation to the contravention of Reg 21(1)(b), the FTT held that this was negligent. At paragraph 41 of its decision it states that CCL “knew or ought to have known that there was a risk that calls would be made to” TPS and CTPS registered numbers. The data list invoices received by CCL contained references to TPS and GDPR, so although the company lacked actual knowledge of these matters, CCL “could have easily researched the relevant rules and put screening software in place.” [para 41]

In relation to the amount of the MPN, the FTT held, at para 44, “that the Commissioner had taken a careful, detailed and reasonable approach to determining the amount of the penalty” and that it had done so in line with the principles that penalties should be effective, proportionate and dissuasive and that a fair balance should be struck between means and ends. Furthermore, the decision was in line with the Commissioner’s Regulatory Action Policy and published guidance.

The FTT noted that CCL “had targeted older, and potentially more vulnerable, people and by using a “neutral” trading name and referring to a Government initiative, created the false impression that [CCL] was providing an official or Government authorised service.” [para 48] The FTT also held that during the period of the contraventions that CCL’s turnover had been high and that a “substantial proportion” was likely to have been derived from the marketing campaign. [para 50]

The appeal was dismissed.

The FTT makes some interesting comments in its decision in this appeal that ought to be kept in mind by people undertaking direct marketing and those advising them on the lawfulness and/or privacy aspects of direct marketing. If you’re using a trading name and it is not immediately obvious from that trading name who the actual caller (or instigator, if different) is then that is information that requires to be provided as part of the call.

The FTT also noted what was said by the Upper Tribunal in the Leave.EU appeals: that comparisons with other penalties issued by the Commissioner are not helpful in assessing whether another penalty is appropriate. While there are principles that underpin how the Commissioner (and the FTT) will assess what is an appropriate level of penalty, what that is will vary depending on the facts of each case (although being wildly out of step with other penalties may be an indication that something has gone wrong, consideration would also need to be given to what material differences exist between each case).

ECJ: Advocate General on Damages under the GDPR

Last week the opinion of Advocate General Campos Sánchez-Bordona was published in UI v Österreichische Post AG (Case C-300/21), which is a request for a preliminary ruling from the Oberster Gerichtshof (the Supreme Court of Justice, Austria) in connection with the provisions in the GDPR on damages.

The GDPR (and, in the UK, the UK GDPR) provides for any person who has suffered material or non-material damage as a result of an infringement to be compensated from the controller or processor for the damage suffered.

In the case that has been the impetus for the reference from the Austrian courts, Österreichische Post AG (the company responsible for postal services in Austria) had, from 2017 onwards, collected information on the political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features. UI has claimed €1,000 in damages in respect of inner discomfort. He claims that the political affinity that Österreichische Post AG attributed to him is both insulting and shameful. He also claims that it is extremely damaging to his reputation. Furthermore, he says that the conduct complained of has caused him great upset and a loss of confidence as well as a feeling of public exposure.

At first instance, UI’s claim for compensation was refused. The appellate court upheld the decision to refuse him compensation, holding that breaches of the GDPR do not automatically result in compensation. The appellate court also held that the principle in Austrian law that, in life, everyone must bear mere discomfort and feelings of unpleasantness without any consequence in terms of compensation applied.

This decision was again appealed, and the referring court has referred three questions for a preliminary ruling:

1. Does the award of compensation under Article 82 also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

In relation to the first question, the Advocate General comes down very firmly against an interpretation which allows automatic compensation for every infringement. At para 28 of his Opinion, he states that “there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement”. He states, at para 29, that “an interpretation which automatically associates the notion of ‘infringement’ with that of ‘compensation’, without the existence of any damage, is not compatible with the wording of Article 82 of the GDPR.”

On the second question, the Advocate General takes the view, at para 89, that it “cannot be ruled out that reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction.” However, it is important to consider how the provisions on an effective judicial remedy and the right to compensation interact with one another; a difficulty in proving damage where a data subject is alleging financial damage must not result in nominal damages (para 92).

On the third question, which is concerned with whether the GDPR permits member states to refuse damages where the damage does not exceed a particular level of seriousness, the Advocate General concludes that this question could be answered in the affirmative. At paragraph 105 of his opinion, the Advocate General states that he does “not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.” He continues, at para 112, by stating that “the right to compensation under Article 82(1) of the GDPR does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset.” However, he goes on to propose an answer to the third question which essentially leaves it to national courts to determine whether, on the facts before them in each case, the damage goes beyond “mere upset”. So, while the Advocate General is clearly of the view that there is some form of de minimis threshold, he does not assist that much with where the line is.

The AG’s opinion is, of course, not a judgment of the court; it remains to be seen whether the court adopts the opinion of the Advocate General and, if so, to what extent. Of course, decisions of the European Court are no longer binding in the UK. That is not to say that they are no longer of any relevance when it comes to UK law that derives from EU law (such as the UK GDPR); section 6(2) of the European Union (Withdrawal) Act 2018 provides that a court or tribunal may have regard to case law of the European Court which has come about after the UK left the European Union.

In the UK, the most recent authoritative case to grapple with the question of damages for data protection breaches was the Supreme Court’s judgment in Lloyd v Google. That was concerned with damages under the Data Protection Act 1998 and Lord Leggatt, giving the sole judgment of the court, confined his decision to the 1998 Act. However, it would be prudent to note that the reasoning in Lloyd is essentially the same as the reasoning in the Advocate General’s opinion in UI.

When the European Court’s judgment comes in this case, it will likely be a decision of some importance to data protection litigation in the UK, if only to confirm that the reasoning in Lloyd is equally applicable to Article 82 of the UK GDPR.

When no complaint is found

Section 166 of the Data Protection Act 2018 has produced a reasonable amount of litigation arising out of what appear to be repeated fundamental misunderstandings by data subjects as to what section 166 provides them with. The Upper Tribunal has authoritatively, on more than one occasion, stated that the right afforded by section 166 of the 2018 Act is limited and does not provide a route for an unhappy data subject to appeal the outcome of their complaint to the Information Commissioner.

A recent FTT decision on section 166 took a slightly different approach, striking out the appeal on the grounds that the applicant had not even made a complaint to the Commissioner and so the Commissioner’s obligation to provide information as to the progress of the complaint was not even engaged.

On 25 May 2021, the applicant copied the Information Commissioner’s Office into an E-mail that had been sent to various other organisations. In that E-mail, the applicant raised a number of issues, none of which seem to have engaged the data protection legislation. There was, attached to the E-mail, an annotated copy of an E-mail that she had received days earlier from the Home Office.

On 8 June 2021, a case officer at the ICO wrote to the applicant to inform her that none of the issues she had raised fell within the jurisdiction of the Commissioner and advised her to complete one of the ICO’s complaint forms if she wished to raise a complaint under the data protection legislation.

The Commissioner argued that as no valid complaint had been made to his office there was no complaint to progress and therefore the application under section 166 of the Data Protection Act 2018 had no reasonable prospect of success.

Judge O’Connor agreed with the Commissioner and concluded that there was no reasonable prospect that the applicant could establish the contrary. Therefore, the application was dismissed. Judge O’Connor did go on to state that even if he was wrong on this, the Commissioner’s letter dated 8 June 2021 was a response and so the Tribunal would have had no jurisdiction under section 166 of the Act in any event.

This case is rather different to the usual section 166 cases that have been seen until now. It suggests that the Information Commissioner is taking a robust approach to what is and what is not a complaint. It has been the case for many years that the ICO would not typically respond to E-mails where they have simply been copied in. The Tribunal appears to be willing, at least in this case, to conclude that no complaint in terms of Article 77 of the UK GDPR or section 165 of the Data Protection Act 2018 has been made to the Commissioner where that is appropriate, and strike out section 166 applications which follow on the back of correspondence not amounting to a proper complaint.

A New Commissioner, a New Approach?

Earlier this month John Edwards, former Privacy Commissioner and barrister in New Zealand, replaced Elizabeth Denham as Information Commissioner. The job of Information Commissioner is a significant one with many challenges. He has begun what he calls a “listening exercise”. I have completed the survey, which didn’t give much room for comment. I thought I would place a more detailed outline of my thoughts here; more as an exercise for expressing my own frustrations with the ICO and to perhaps give others some ideas about what they can include in their own response to the Commissioner’s survey.

Freedom of Information

Under this heading, for the sake of clarity, I’m not simply referring to the Freedom of Information Act 2000, but also to both the Environmental Information Regulations 2004 and the more obscure INSPIRE Regulations 2009 (which are concerned with spatial data).

FOI, especially the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, is, as the Commissioner has himself acknowledged, critical to our democracy. They are a means for individuals to find out what is going on in areas that interest or directly affect them and to obtain information which they can use to help keep public bodies and officials accountable.

There are two main areas of concern, from my perspective, with the ICO in respect of FOI: (1) length of time taken to deal with regulatory complaints; (2) the apparent reluctance of previous commissioners to make full use of their enforcement powers in this area.

Turning first to the issue of delay: currently it is taking around 6 months for complaints, once received, to be allocated for investigation. That means that for up to six months the complaint is just sitting there, with absolutely nothing happening. The last decision notice I received from the Commissioner was issued 11 months and 18 days after the complaint had been made to the ICO. This is unhelpful and, quite frankly, unacceptable. In many cases, these delays at the ICO are compounding already significant delays by some public bodies. There are some public authorities with well-known compliance issues in this area, where requests can take upwards of 6 months to be dealt with by the authority; meaning from request to ICO decision it can be upwards of 18 months.

FOI is a critical tool in helping individuals, community groups, journalists and others hold public bodies and officials to account. In a great many cases the value of the information sought diminishes over time; if information is being sought to help oppose, for example, changes to the provision of services in local communities, the delays at the ICO significantly hamper (and indeed damage) the usefulness of FOI in this area. If information is only, finally, being released several years after it was first requested it has almost certainly come far too late to be of any use to those requesting it.

The length of time that it takes for a FOI request to be dealt with is, in some respects, hampered by the legislation itself, with provisions for open-ended extensions for consideration of the public interest test and no statutory timescales (beyond the statutory Code of Practice) in relation to internal reviews. These have both been highlighted to Parliament on several occasions, but no legislative action has been forthcoming to deal with these issues. However, I will return to this in a moment.

What is completely within the control of the Commissioner is how long it takes his office to deal with matters once complaints have been made. A priority for the Commissioner should be looking to significantly reduce the backlog; and put in place systems that ensure complaints are being dealt with promptly once they end up with his office. The Scottish Commissioner (who, granted, has a much smaller office and a much smaller scope of responsibility in that he only deals with FOI complaints concerning Scottish public authorities) has an average closure time of just 4.37 months (2020-21), with 60% of all complaints to his office being dealt with within 4 months (the Freedom of Information (Scotland) Act 2002 makes provision for the Scottish Commissioner to deal with all such complaints within 4 months, but there is flexibility). It is not a like-for-like comparison due to the significant differences in volumes of work; however, the ICO needs to put more effort and resources into trying to resolve complaints much more quickly.

Turning to the issue of enforcement: some public authorities have a horrendous reputation for compliance with FOI, especially around the timeliness of responses. For some authorities these issues have existed for a decade or more. Previous Commissioners have seemed not just reluctant but almost wholly uninterested in exercising the significant enforcement powers that they possess to tackle problems here. Some public authorities have had their compliance closely monitored by the ICO for years with no discernible improvement. Yet, no formal enforcement action has been taken to force these public authorities to make significant improvements.

Enforcement must be proportionate; formal enforcement powers should not, in most cases, be a first resort. However, they must be utilised if the ICO is going to be taken seriously as a regulator. Other authorities watch what the ICO is doing; there is currently no real incentive to engage with the ICO over poor FOI performance. The threat of formal enforcement action effectively doesn’t exist because of the apparent reluctance of the ICO to use its enforcement powers. The ICO needs to adopt a much more robust approach to regulation, which can be achieved in a way that is consistent with the relevant provisions of the Legislative and Regulatory Reform Act 2006.

Data Protection

Some of the problems that exist with the ICO’s FOI function also exist in relation to its Data Protection function. When it comes to Data Protection, the ICO is too business friendly and has often acted more like a think-tank than a regulator in this field.

As I have already said, enforcement must be proportionate. However, the ICO needs to remember that it is a regulator first and foremost. It is not a professional adviser for data controllers; there are lawyers and data protection consultants out there who can (and should) be fulfilling the professional adviser role. The balance between the informal methods of encouraging compliance and the formal methods of enforcing compliance has been all wrong. The ICO is obliged to have guidance in place, but it is not its sole purpose to produce and promulgate guidance.

The Regulators’ Code [pdf] (which applies to the ICO) does require regulators to carry out their activities in a way that supports those they regulate to comply and grow. It provides that “[r]egulators should avoid imposing unnecessary regulatory burdens through their regulatory activities and should assess whether similar social, environmental and economic outcomes could be achieved by less burdensome means.” However, it appears that the ICO has historically taken this to a degree that is inappropriate.

The Regulators’ code also provides that “[i]f a regulator concludes, on the basis of material evidence, that a specific provision of the Code is either not applicable or is outweighed by another relevant consideration, the regulator is not bound to follow that provision, but should record that decision and the reasons for it.” The balance is all wrong with the ICO; it appears to focus too much on the provisions of section 1 of the Regulators’ Code and not enough on forcing compliance where other, less burdensome, means have obviously failed.

In short, the ICO needs to re-orientate its relationship with those it regulates so that it is in a much stronger position to deploy its considerable enforcement powers when needed. When it comes to data protection, the most powerful tool at the ICO’s disposal is not the fines that it can levy but rather the power to issue Enforcement Notices; these can be used to force controllers to stop processing personal data altogether, or in certain ways, and they can be used to require data controllers to take certain specified steps to bring them into compliance.

The recent Enforcement Notice [pdf] issued to the Ministry of Justice is an example of formal enforcement action coming far too late; the MoJ has a backlog of many thousands of Subject Access Requests. The ICO records in its Enforcement Notice that it first became aware that the MoJ’s backlog had grown again (following an Enforcement Notice in 2017) in January 2019. It then records a shift in the ICO’s enforcement activities as a result of the COVID-19 pandemic, but that was more than a year after the ICO first became involved with the MoJ, for a second time, over its compliance with the right of subject access. An Enforcement Notice was then issued in January 2022, almost 2 years to the day after it started to get involved with the MoJ for a second time. This is, in my opinion, an example of a failure in regulation. The ICO watched as the MoJ continued to fail in a basic and important aspect of data protection law; much earlier formal intervention ought to have been taken (especially given that this was the second time the ICO had to get involved with the controller over the same issue).

Conclusion

The overriding issue with the ICO, in my opinion, is that it has got the balance wrong between soft and hard regulation. The ICO needs to adopt a much more robust approach to regulation; neither the 2006 Act nor the Regulators’ Code prohibits this. However, the ICO seems to have become paralysed in its regulatory activity in a way that neither the 2006 Act, nor the Code which flows from it, intended.

Litigation, Privilege and Subject Access

The English Court of Appeal has issued a judgment in relation to subject access rights under the Data Protection Act 1998 (“the DPA”). The Court’s decision centres on three main issues in relation to subject access requests: (1) the extent of the exemption for legal professional privilege; (2) when the effort to comply with a subject access request is disproportionate; and (3) the discretion of the court when considering an application pursuant to Section 7(9) of the DPA.

The right of subject access is one of the fundamental rights afforded to data subjects. It allows individuals to discover what information a data controller is processing about them, in what way they are processing it (including who it has been or may be disclosed to) and to check the accuracy of the personal data being processed. The importance of the data subject’s right is marked by the right of a data subject to apply to the courts in order to secure compliance where a data controller has failed to comply. It is not an absolute right; there are circumstances in which a data controller does not need to comply with a subject access request.

The Extent of the Legal Professional Privilege Exemption

Paragraph 10 of Schedule 7 to the DPA makes provision for exempting information from the subject access provisions in Section 7 where “the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications could be maintained in legal proceedings.”

In Dawson-Damer there were two interpretations of this exemption put forward, described in the judgment as the “narrow” and “wide” interpretations. The Court preferred the narrower of the two, holding that the exemption “relieves the data controller from complying with a subject access request (“SAR”) only if there is relevant privilege according to the law of any part of the UK.” [45] The Court also held that “the DPA does not contain an exception for documents not disclosable to a beneficiary under trust law principles.” [54] The Court held that the Legal Professional Privilege exemption does not extend to such information. [54]

Disproportionate Effort

The Court held that whether complying with the SAR, or taking certain steps as part of the process of complying with the SAR, would involve disproportionate effort “will be a question for evaluation in each particular case” [77]. The court noted that “it is clear from the recitals to the Directive that there are substantial public policy reasons for giving people control over data maintained about them through the system of rights and remedies contained in the Directive, which must mean that where and so far as possible, SARS should be enforced.” [79]

Court’s discretion

The discretion afforded to the Court under section 7(9) of the DPA is a “general discretion” [105]. The Court held that Durant v Financial Services Authority did not create a position whereby a data subject cannot exercise DPA rights for purposes outside the DPA. Durant was concerned with the scope of the term ‘personal data’ and as such the Court’s comments in Durant were in that context. They did not mean that where individuals had another purpose (for example, with a view to using the material in litigation) they could not exercise their subject access rights. The Court noted that “it would be odd if the verification of data was always in practice a complete aim in itself which excluded all others…neither the Directive nor the DPA compels that interpretation. Nor has Parliament expressly required a data subject to show that he has no other purpose.” [108] The court did note that there might be a different outcome where an application under section 7(9) of the DPA “was an abuse of the court’s process…or if the claimant was a representative party who had some purpose which might give rise to a conflict of interest with that of the group or body he represents.”

Comment

This is an important case concerning the right of subject access under Section 7 of the DPA and is one that all data protection practitioners ought to be familiar with.  Although it is not directly binding on the courts in Scotland (it being a decision of the English Court of Appeal), it is quite likely that a Scottish court faced with similar issues will arrive at the same conclusions as the Court of Appeal has done here.

The exemption for legal professional privilege is a narrow one; it does not cover information that might be the subject of such claims in jurisdictions other than one of the three UK jurisdictions, nor does it extend to claims of confidentiality that fall outside of the scope of legal professional privilege.

When it comes to disproportionate effort in dealing with a SAR, it is a balance between the effort to comply and the data subject’s right.  It is clear from both the statutory provisions themselves and the comments of Arden LJ in this case that the data subject’s right is a fundamental one.  As a consequence, the barrier is a high one when trying to argue that complying would involve disproportionate effort.  The Court did not consider that Taylor Wessing LLP had even begun the process, let alone been able to demonstrate that complying would be disproportionate.  It would appear that data controllers will not simply be able to look at a SAR and dismiss it out of hand as resulting in disproportionate effort; the fundamental nature of the right of subject access will trump the effort necessary to comply in most cases.

Finally, if you’ve ever been under the belief that law firms are data processors for client information then this case is clear that this is wrong:  law firms are data controllers.  If a law firm receives a subject access request from a third party then the personal data must be assessed carefully to establish whether privilege exists and where it does, it must be claimed.

Court Fees, Access to Justice and Freedom of Information

On Monday new tables of fees enter into force for the Sheriff Courts and Court of Session in Scotland.  The new table of fees is necessary because of the new Simple Procedure that is coming into force next week to replace the Small Claim procedure and to partially replace the Summary Cause procedure in the Sheriff Court.  It would appear that the Scottish Government has used this opportunity to increase some other fees as well.

The other increases are part of the Scottish Government’s aim to get “full cost recovery” in the civil courts; that is, that so far as is possible those who litigate in Scotland’s civil courts fully fund the cost of running those civil courts.  I have grave misgivings about such a policy for access to justice (and I am not alone in that view).  This blog has, in recent times, moved more towards the field of Information Law and to that extent, I am going to look at these latest court fee rises in the context of Freedom of Information appeals.

In Scotland, under the Freedom of Information (Scotland) Act 2002, if a person is dissatisfied with how a public authority has handled a FOI request they can make an application to the Scottish Information Commissioner (SIC).  The SIC has the power under the 2002 Act to make a decision as to whether the public authority has complied with the Act, and if not, she has the power to state what steps the public authority must take in order to comply with the Act (including to order that the public authority release information to the requester).  If a requester or public authority is unhappy with the Commissioner’s decision there lies a right of appeal (on a point of law) to the Court of Session.

The Scottish appeals procedure differs vastly from the appeals procedure under the UK Freedom of Information Act, where a right of appeal (on both fact and law) exists to a specialist First-Tier Tribunal and then on to the Upper Tribunal and the Courts (on a point of law only).  There is currently no charge for lodging an appeal with the First-Tier Tribunal, nor for any step of process or a hearing.  That is not the case in Scotland.

Unless the party bringing the appeal is in receipt of Civil Legal Aid, there are court fees to be paid.  The appeals are also dealt with under Chapter 41 of the Rules of the Court of Session and go straight to the Inner House.  For those who are unfamiliar with the Scottish court structure, the Court of Session is split into two “houses”.  The Outer House hears cases at first instance and is usually presided over by a single Senator of the College of Justice; while the Inner House is the appellate court and hears appeals from the Outer House as well as other courts, tribunals and regulators (such as the Sheriff Appeal Court and the Scottish Information Commissioner).  Appeals from the Inner House are (with permission) to the UK Supreme Court; the Inner House is therefore Scotland’s supreme Civil Appellate court.  In the Inner House, at least three of Scotland’s most senior judges will sit to hear the appeal.

On 28 November, the Court Fees (Miscellaneous Amendment) (Scotland) Order 2016 shall enter into force.  Schedule 1 to that Order sets out a new table of fees in the Court of Session.  Paragraph 1 in Section B of the Table sets a new fee for lodging an “Appeal, application for leave or permission to appeal, summons, or other writ or step by which any cause or proceeding, other than a family action, is originated in either the Inner or Outer House (to include signeting in normal office hours)”.  The new fee is set at £300, up from £214.  So, in order to lodge your appeal against a decision of the SIC the Appellant (whether an individual or public authority) needs to stump up £300.  The Respondent (who is the SIC) will also have to pay £300 (again, up from £214) to lodge their Answers to the Appeal.

There may be other fees to pay along the way, depending on the procedure that ends up taking place; however, when it gets to the hearing of the appeal, the costs start to mount up significantly.  Each party (appellant and respondent) will be required to pay £500 (up from £239) per 30 minutes (or part thereof).  Therefore, a hearing that lasts a full court day (roughly 5-6 hours) will result in a court fee of between £5,000 and £6,000; and that is before solicitors’ fees and the fees of Counsel are added.  This is an astronomical figure.  It is not paid by anyone in receipt of legal aid (and legal aid is available for FOI matters in Scotland), but you do not have to be very well off not to qualify for legal aid.

This represents a significant barrier to accessing justice.  These are sums of money that most middle earners will struggle to get their hands on, even if they attempt the appeal as a party litigant (which given the complexity and sometimes archaic nature of the Court of Session Rules is no easy task).  When it comes to the question of FOI, it only strengthens my belief that appeals against decisions of the SIC should be to a lower court or tribunal in the first instance.

There is a much more fundamental point, however: the civil courts should be accessible to everyone.  The level that court fees are rising to (and they are going to continue to rise over the next few years as the Government moves towards “full cost recovery”) presents a very real barrier to justice.  The Scottish Government accepted that fees represent a barrier to justice in respect of the Employment Tribunal fees set by the UK Government (and has pledged to abolish them when the power to do so comes to the Scottish Parliament in the near future).  However, the Government seems happy to continue with a policy of full cost recovery (that was, admittedly, started under the Labour/Liberal Democrat Administration that left office in May 2007).  It is a flawed policy that will place a very real barrier to the courts for very many people.  That is a tragedy for justice and for democracy.

Don’t throw stones in glass houses

Today the Scottish National Party (SNP) launched a brand new website with the aim of gauging public support for a second referendum on Scottish independence.  Of course Scotland had a referendum on this issue a little under two years ago, where those who voted did so 55% – 45% in favour of Scotland remaining part of the United Kingdom.  In May the Scottish people went to the polls to elect the Scottish Parliament; the Scottish Conservative Party fought that election on a strong pro-union message and had its best electoral success in Scotland in many decades.  They pushed Scottish Labour (to whom the criticisms in this blog equally apply) into third place to become the official opposition in the Scottish Parliament to the SNP Government (which, incidentally, lost its overall majority and is governing, once again, as a minority government).

This afternoon I had a look at the SNP’s new website and immediately spotted some problems with it.  The National Survey website unsurprisingly has a survey for people to complete.  It asks a number of questions such as how people voted in the 2014 independence referendum and in June’s EU referendum.  It also asks for the name and postcode of the person completing the survey as well as whether or not they have children or grandchildren who are under the age of 18 years, all fields which are mandatory.  The website does have a data protection and privacy policy, which is very brief.  The following screenshot was taken from the National Survey website this afternoon:

[Screenshot: the data protection and privacy policy on the SNP’s National Survey website]

The policy is extremely short, but the key aspect of the policy for the present purposes is “The SNP may…contact you about issues you may find of interest using any details you have supplied.  You can opt out of some or all contact by writing to us.”  I shall return to why this is the key aspect in a moment, but for now it’s on with the story.

The Scottish Conservative Party has apparently taken legal advice on the SNP’s National Survey website and written to both the Electoral Commission and the Information Commissioner; the former being irrelevant for present purposes.  The Scottish Conservatives state that they considered that the SNP’s website breaches the Data Protection Act 1998 (it does, but more on that in a moment).  However, while they are considering the SNP’s National Survey website they might wish to consider their own website.

Unlike the SNP’s National Survey website, the Scottish Conservatives website has a lengthy data protection and privacy policy, but I have taken a screenshot of the relevant bit:

[Screenshot: the relevant part of the Scottish Conservatives’ privacy policy]

The relevant part for present purposes is the bit that reads “[b]y entering your contact details you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send or using the contact details at the top of this privacy notice.”

There are problems with both the Privacy Notices above, and they are in fact the same problem.  I will come onto the breaches of the Data Protection Act 1998 in a moment; however, I initially want to discuss the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Both the above privacy notices envisage sending information to those who have provided their E-mail address about campaigns that the respective political parties are engaging in.  These E-mails will essentially be promoting the aims of the respective political party, either generally or in respect of a specific area of policy.  These E-mails will be sent directly to an individual; that makes them direct marketing communications.  The law is very strict on when it is legal to send such communications.  The relevant regulation is Regulation 22, which covers direct marketing by electronic mail.  Regulation 22(2) requires (except in a very limited set of circumstances, not relevant here) that individuals must give consent to receive such marketing.

The Scottish Conservatives’ privacy policy certainly seems to suggest that they have consent, but in reality they do not.  This is because consent is actually defined in the 1995 Data Protection Directive and that definition is applicable to the PECR; their privacy policy doesn’t meet that definition.  The definition of consent in the 1995 Data Protection Directive is to be found in Article 2 and is “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”  Consent obtained in the way the SNP and Scottish Conservatives have gone about it is not “freely given specific and informed”.  Individuals have not positively expressed a desire to receive general communications about the party or its campaigns; they’ve simply filled in a survey expressing their views on the matters asked about in the survey.  In the case of the specific example of the SNP’s National Survey website the privacy policy isn’t visible at the time the personal data is collected; it cannot therefore be said to be an informed expression of the data subject’s wishes.  The Conservatives (both at a UK and Scottish level) have been guilty of this too.

Essentially what this means is that any E-mail communication sent by either the Scottish Conservatives or the SNP that amounts to direct marketing (which is likely to be every e-mail) in reliance upon the consent obtained through their respective privacy policies is unlawful.

Now, to the Data Protection Act issues.  A data controller (which any political party will be) must only process personal data fairly and lawfully (first data protection principle).  For the processing to be lawful a schedule 2 condition must be satisfied (and in the case of sensitive personal data, a schedule 3 condition as well).  One of the conditions in Schedules 2 and 3 is essentially processing to which the data subject has consented; however, neither the SNP nor the Scottish Conservatives can wholly rely on consent because they simply do not have the data subject’s consent.  They wouldn’t be able to satisfy any of the other schedule 2 or 3 conditions to legitimise their sending of direct marketing e-mail communications; they would therefore also breach the first data protection principle when sending those E-mails.

Collecting personal data is also a processing activity.  In the case of the SNP’s National Survey they are not collecting the personal data fairly.  While they do have their privacy policy (which is quite frankly a sorry excuse for one) it is not prominent on the actual survey itself; people are not told at the time their personal data is collected exactly how the SNP will make use of it.  You can navigate to the privacy policy from the survey page, but the link to the policy is in extremely small text at the very foot of the page (so much so that I initially had difficulty in locating its existence at all).

Turning once again to the Scottish Conservatives, they are currently running a petition on their website against having a second referendum on Scottish independence.  They continue to rely on implied consent for general communications about the Scottish Conservative Party and are arguably collecting personal data unfairly as well.  While the link to their data collection and use policy is clearer, it comes after the “sign up” button and still requires individuals to navigate away from the page that they are on in order to see exactly how their personal data is going to be used by the Scottish Conservatives.

One other issue with the SNP’s National Survey website relates to the third data protection principle, which states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”  All of the fields are mandatory and it is unclear why information such as the number of children or grandchildren you have under the age of 18, or indeed your name or E-mail address, has anything to do with gauging support for a second independence referendum.  This is simply an exercise in gathering personal data and that should be made clear from the website and the survey (otherwise it will only add to the breaches of the first data protection principle).  Those fields should, as a very minimum, be made optional.

To conclude, while the Scottish Conservatives have raised legitimate and valid criticisms of the SNP’s National Survey website, they would do well to remember that people in glass houses ought not to throw stones.


Procedures, Training and Data Protection

On Thursday last week the Information Commissioner’s Office published a Monetary Penalty Notice that it had served upon a GP Surgery in England for breaches of the Data Protection Act 1998.  The Notice cited the all too familiar seventh data protection principle.  This data protection principle broadly requires a data controller to have in place adequate technical and organisational measures to protect personal data.  It is the data protection principle which features in almost all of the Information Commissioner’s enforcement in relation to the Data Protection Act.

The Monetary Penalty Notice served on the GP Practice arose out of the practice’s handling of a Subject Access Request which it had received.  The request was received in respect of a child patient from one of the patient’s parents (the child’s father).  The child’s parents had separated sometime before and that separation had not been amicable.  The child’s mother had moved and did not want the father knowing where she was currently living.  The mother’s new address was contained within the child’s medical records.

The practice handled the Subject Access request and sent the father everything that was contained within the child’s medical records.  These records were subsequently lodged in court as part of ongoing court proceedings between the parents.  The records were then forwarded onto the mother who discovered that her personal data had been disclosed to the father in response to the subject access request concerning the child as well as personal data relating to another child not related to the father and other personal information that should not have been disclosed to the child’s father.

The Monetary Penalty Notice records that there had been no training given in respect of the handling of Subject Access Requests and that there were no procedures within the practice for the handling of these requests.  In this case the disclosure was not checked before it was sent out to ensure that there was nothing within the records that ought to be excluded.

The handling of Subject Access Requests is not straightforward.  It is not simply a matter of printing out all of the records held and posting them, or downloading them and E-mailing them to the data subject.  The information has to be carefully gone through to identify any third party personal data so that decisions can be taken about whether or not that third party personal data can or should be disclosed.  Furthermore, there are a range of exemptions that can be applied to information that is held – some of which may well apply to medical records – which enable the data controller to refuse to provide that information in response to a Subject Access Request.  That is in addition to the other (often forgotten) rights contained in Section 7 of the Data Protection Act 1998.

Given the complexity of handling such requests it is important that there are proper procedures in place as to how such requests should be handled.  This should cover everything from the recording of the request having come in through to identifying the data subject’s personal data, considering it for disclosure, compiling the disclosure, checking and recording that the response has been sent (and everything else not mentioned in that list).

It’s not just a case of having in place a procedure; everyone who is involved in the process needs to have training appropriate to the functions that they are performing.  Those who are responsible for identifying what should be disclosed should have proper training to enable them to identify third party information as well as the information which could potentially be withheld.  That training must also be regular to ensure that persons involved in the process are kept up-to-date with the procedures and any changes in the relevant law – regular training is especially important for people who rarely handle Subject Access Requests.

Having in place good quality, detailed procedures together with a comprehensive training programme can substantially reduce the risk of experiencing a data breach.  If things do go wrong, having in place good quality, detailed procedures (compliance with which is being regularly monitored) and a comprehensive training programme can substantially mitigate any regulatory action taken by the Information Commissioner.

Data Protection and the #EUref

Data Protection is not an area that people generally get especially excited about, but the rights contained in the Data Protection Act 1998 (“the DPA”) are important.  They enable individuals to find out (mostly) what information companies and organisations hold about them, where they got it from, what they do with it, who they give it to and what it says.  It also enables people to take a degree of control over what companies and organisations do with that information; including the ability to prevent a company from using their information for marketing purposes, forcing them to correct inaccurate information and forcing them to stop “processing” their information where the processing causes substantial damage or distress that is unwarranted.

The DPA implements an EU Directive into domestic law.  Data Protection law in the UK has its roots in European law.  However, it’s not just the DPA that has its roots in European law; the connected Privacy and Electronic Communications Regulations 2003 (the full name of which is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003) also implement European law into domestic law.  These Regulations relate to the use of personal data and are the regulatory regime that governs the use of electronic communications (such as E-mail, phone and text) to market directly to individuals.  These are the regulations which help deal with those annoying and unsolicited PPI and accident claims telephone calls.

In 2018 the Directive that underpins the DPA is being replaced with a new EU Regulation on Data Protection and the Directive underpinning the 2003 Regulations is currently being reviewed in light of the new EU Data Protection Regulation (the European Commission is consulting on this issue until 5 July 2016).

The DPA replaced the Data Protection Act 1984.  The 1984 Act was introduced to give protection to individuals in relation to the automatic processing of their personal data and was based upon the Council of Europe’s (the same Council of Europe behind the European Convention on Human Rights and Fundamental Freedoms) 1981 Convention for the protection of individuals with regard to automatic processing of personal data.

Now that there has been a brief account in respect of the history of Data Protection law in the United Kingdom, it is possible to thrust into the main purpose of this article; that is to consider Data Protection in the context of the EU Referendum.

If the UK votes to remain in the European Union then in May 2018 the United Kingdom will have to comply with the General Data Protection Regulation (which, being a Regulation, will have direct effect regardless as to whether the UK Parliament enacts a new Data Protection Act or not) together with the associated Directives; including whatever eventually replaces the 2002 e-Privacy Directive.  The associated Directives, together with some of the fudges in the new Regulation, will likely mean that there will be a new Data Protection Act to replace the current Act (probably towards the end of 2017).

If the UK votes to leave the European Union what happens is a bit more uncertain.  A vote to leave the EU will not mean that there is a complete end to the UK’s relationship with the EU, and that will have an impact on Data Protection.

The first thing to note is that a vote to leave will not mean an instantaneous split.  There currently isn’t really a process for an EU Member State to leave the Union so some time will be spent working out how that happens and there will inevitably be a time spent negotiating a new relationship with the EU; whether that is inside of or outside of the EEA.  It seems quite likely that we will still be in the EU come May 2018, which might mean that the GDPR will automatically apply – but that is entirely dependent upon what happens in terms of negotiations between the vote to leave and May 2018.

If the United Kingdom simply becomes part of the EEA then the result, insofar as Data Protection is concerned, will be identical to a vote to remain; the GDPR applies to the EEA countries (presently being Iceland, Liechtenstein and Norway) as well as to EU Member States.

If the United Kingdom leaves the EU and doesn’t join the EEA there will be bit more freedom in respect of Data Protection.  However, the requirement for Data Controllers within EU Member States not to transfer personal data to a country outside of the EU/EEA, unless there is an adequate level of protection for personal data, will mean that we will continue to have some form of Data Protection law.

It is possible that the UK could meet the adequate level of protection requirement with rights that are substantially lower than those afforded by the GDPR (when it enters into force), and so the UK’s Data Protection law will not necessarily be all that similar to the GDPR – especially if the government of the day is one that favours light-touch regulation and a lack of “red tape”.  That means that even if the UK is forced to comply with the GDPR initially, Data Protection law in the UK could change dramatically to something that affords much less protection than the GDPR.  What the law will look like, though, will not only depend upon the ideals of the government of the day, but on what they think would be politically acceptable; over the last 30 or so years people have become much more wary about what governments, public agencies and businesses do with their personal data, so while the political will might be to substantially lower the level of protection afforded to individuals’ personal data, the public will might not let them go quite as far as they wish!

In short, the future of Data Protection law in the UK will be very much influenced by the result of the Referendum and the eventual relationship with the EU in the event of a vote to leave.