Monthly Archives: September 2017

FOI in Scotland in 2016/17: The Scottish Information Commissioner’s Annual Report

Margaret Keyes, Acting Scottish Information Commissioner, chose yesterday, International Right to Know Day, to launch her office’s annual report [pdf] for the 2016/17 year.  The report finds that public awareness of the right to ask for and obtain information from public bodies is high, at 85%.

The Scottish Information Commissioner is a statutory office holder charged with enforcing the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009.  The Commissioner’s office, amongst other things, investigates complaints made by individuals and organisations who have exercised their rights under these various pieces of legislation, but who are dissatisfied with how the Scottish public authority has handled their request.

In 2016/17 the Commissioner received a total of 425 appeals and issued a total of 252 formal, legally enforceable, decision notices.  Most of the appeals received related to requests made under the Freedom of Information (Scotland) Act 2002 with the remainder relating to requests which fell to be dealt with under the Environmental Information (Scotland) Regulations 2004.  The Commissioner received no appeals under the INSPIRE (Scotland) Regulations 2009 (although these Regulations are much more specialised and are probably only really of interest/relevance to a limited number of people).

There is a right of appeal to the Court of Session against formal notices issued by the Commissioner, including formal decision notices.  According to the Commissioner’s report, a very small number of appeals were made to the Court of Session during the 2016/17 year (some of which Inksters were instructed in by the Appellant).

The Commissioner has a range of enforcement tools which can be deployed.  One of those is to issue an ‘enforcement notice’ which requires a Scottish public authority to take specified steps to comply with the legislation.  In 2016/17, the Commissioner issued four enforcement notices (which represented the first enforcement notices ever issued by the Commissioner).

Where the Commissioner reasonably requires information in order to (a) assess whether a Scottish public authority has complied, or is complying, with the legislation; or (b) assess whether a Scottish public authority has complied, or is complying, with the statutory codes of practice issued by the Scottish Ministers, the Commissioner can issue an Information Notice.  In 2016/17, the Commissioner issued 3 such notices.

The Commissioner’s decision notices are legally enforceable and where the Commissioner considers that a Scottish public authority is failing to comply with a decision notice the Commissioner has the power to certify this to the Court of Session.  The Court can ultimately, after making enquiries, deal with a Scottish public authority which has failed to comply with a decision notice as if they were in contempt of Court.  The Commissioner has never made such a certification, but the 2016/17 annual report reveals that the Commissioner came close to doing so during the course of that year.

On the whole it seems to have been a busy year for the Scottish Information Commissioner’s Office, although the number of appeals received in 2016/17 was lower than in 2015/16.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Subject Access Requests under the GDPR

The right of subject access has been a cornerstone of the Data Protection Act 1998 (“the DPA”).  This is the right that allows individual data subjects to, among other things, receive confirmation from a data controller as to whether or not the controller is processing their personal data and to obtain copies of the personal data which is being processed by the data controller.  Under the DPA, data controllers have 40 calendar days in which to respond to a subject access request and can charge a fee which does not exceed the prescribed limit (which is £10 for most data controllers).

The critical importance of the right of subject access means it is no surprise that the General Data Protection Regulation (“GDPR”), which becomes applicable from 25 May 2018, continues to provide a right of subject access.  The right of subject access is to be found in Article 15 of the GDPR and has been incorporated into Clause 43 of the Data Protection Bill, published by the government earlier this month.  There have been some changes to that right which are designed to make it much more effective for data subjects.  This blog post explores some of the key changes to the right of subject access; however, it is by no means comprehensive.

The first key change to note is the length of time that data controllers will have to comply with a subject access request; this is being reduced from the current 40 calendar days to 30.  Where the data controller has “reasonable doubts as to the identity of an individual making” a subject access request, then they may request the provision of additional information to enable the controller to confirm the identity.  Where such a request is made, Clause 52 of the Data Protection Bill provides that the 30 day period does not begin to run until the day on which that information is provided to the data controller.  It should be noted though that this does not provide a route to delay the fulfilling of a subject access request; the data controller must have doubts as to the identity of the requester and those doubts must be reasonable.

In terms of fees, there is no provision within the GDPR for a data controller to request a fee for making a subject access request; however, Article 15(3) of the GDPR does permit data controllers to charge a reasonable fee based on administrative costs for providing copies of the personal data being processed beyond the first copy (i.e. the first copy is free).  For subsequent copies, what will be considered a “reasonable fee” remains to be seen.  The Data Protection Bill has supplemented this provision and allows the Secretary of State to set a cap on such fees.  There has not yet been any indication as to whether (a) the Secretary of State will set such a cap; and (b) if so, what that cap will be.

The administrative fines provisions of the GDPR apply to the right of subject access and a failure to comply with the requirements of Article 15 can attract a maximum administrative fine of the greater of €20m or 4% of global turnover.

Data Controllers have sometimes interpreted the right of subject access under Section 7 of the DPA as only providing a right to receive copies of the personal data processed, but that is not the case, and the right remains wider than that under the GDPR.  Data Controllers should therefore familiarise themselves with the full suite of rights that a data subject has under the heading of subject access; these can be found in Clause 43(2) of the Data Protection Bill or in Article 15 of the GDPR.

There are a number of circumstances in which a data controller can restrict a data subject’s right of subject access.  These are set out in Clause 43(4) of the Data Protection Bill and are:

  • to avoid obstructing an official or legal inquiry, investigation or procedure;
  • to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • to protect public security; and
  • to protect national security.

However, where a data controller has restricted the data subject’s right of subject access, the data controller is required to provide certain information to the data subject in writing and without undue delay.  That information is:

  • that the rights of the data subject have been restricted;
  • the reasons for the restriction;
  • the data subject’s right to make a request to the Information Commissioner to check that the processing is compliant;
  • the data subject’s right to make a complaint to the Information Commissioner; and
  • the data subject’s rights to make an application to the court (in Scotland, the Court of Session or the Sheriff Court).

One additional point of note about subject access requests is that the GDPR, in recital 63 and unlike the Data Protection Directive, upon which the Data Protection Act 1998 is based, states that the purpose of the right to subject access is to enable the data subject “to be aware of, and verify, the lawfulness of the processing.”  This may mean that Subject Access Requests may be rejected where they are submitted for other reasons.  Whether the courts will consider Recital 63 as exhaustive as to the purposes for which an individual may exercise their rights of subject access or not remains to be seen.

There is a lot to the right of subject access and there are some key changes which will come into effect on 25 May 2018.  This is a cornerstone of data protection law and data controllers should be attaching substantial weight to compliance as a consequence.

Alistair Sloan

If you would like any advice and assistance on subject access requests, either under the GDPR or the Data Protection Act 1998, or on any other Information Law matter, then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

The GDPR and Personal Data Breaches

Under the current data protection framework in the UK only some data controllers are placed under an obligation to notify the Information Commissioner’s Office of data breaches.  That will change on 25 May 2018 when the General Data Protection Regulation (“GDPR”) becomes applicable.  Under the GDPR all data controllers will be required to report certain types of data breaches to the Supervisory Authority (the Information Commissioner in the UK); it will also place data controllers under an obligation to report some breaches to the affected data subjects.

What breaches need to be reported to the ICO?

It should be stressed that the provisions in the GDPR regarding notification of breaches apply to all data controllers.  If you’re a data controller that isn’t presently under an obligation to report data breaches then it is important that you prepare for having to comply with this requirement.  The timescales for reporting a breach to the ICO are tight.

A personal data breach is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

All personal data breaches will require to be reported to the ICO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.   Therefore, only the most minor of personal data breaches will not require to be reported.  The obligation is on the data controller to decide whether or not the breach meets the threshold to be reported and equally, the obligation on being able to justify why a personal data breach did not need to be reported falls on the data controller.

When do I need to report the breach to the ICO?

The GDPR requires that personal data breaches which require to be brought to the attention of the ICO need to be reported without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of it.  Where the ICO is notified of the breach more than 72 hours after the data controller became aware of it, the data controller must explain the delay when making the report.

It is likely that only the most exceptional of justifications will be accepted when reporting a data breach outside of the maximum window of 72 hours.  This is because the data controller does not need to supply all of the required information to the ICO at the same time; the data controller can pass on information as they become aware of it.  This means that data controllers should not delay the notification of the breach until after the conclusion of internal investigations.

When do affected data subjects require to be notified of a data breach?

The GDPR requires that affected data subjects be notified of a breach in certain circumstances; although it will likely be considered good practice to notify affected data subjects about most breaches, even when there is no legal obligation to do so.  The threshold for telling affected data subjects is higher than the threshold for reporting personal data breaches to the ICO; not all breaches reported to the ICO will need to be reported to the affected data subjects.

Affected data subjects require to be told of the data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.  Affected data subjects should be told without undue delay.

Are there any Exceptions?

The Data Protection Bill, which has now started its journey through the parliamentary process, proposes that the obligations under Articles 33 (requirement to notify the Information Commissioner of a personal data breach) and 34 (requirement to notify data subjects of a personal data breach) will not apply where exemption is required for either (a) the purpose of safeguarding national security; or (b) defence purposes.

Clause 25 makes provision for a member of the Cabinet, the Attorney General or the Advocate General of Scotland to certify “that exemption from all or any of the provisions listed in section 24(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security” and that such a certificate is “conclusive of that fact”, although there will be a right to appeal such a certificate to the First-Tier Tribunal (Information Rights) who shall be required to apply the same principles as would apply to a claim or petition for judicial review.

Penalties

The GDPR provides for financial penalties for (a) not reporting a personal data breach to the ICO when notification was required; (b) delays in reporting the personal data breach to the ICO; and (c) failure to notify affected data subjects when there was a requirement to do so.  The financial penalties can be significant – potentially up to €10m or 2% of global turnover, whichever is greater.

It is far too early to say anything about the level of penalties that might be imposed by the ICO and in what circumstances they will make use of these powers.  The power exists and data controllers should be aware of the power to impose administrative fines, but it is probably best not to think too much about the maximum penalties.  I have already published a blog post which covers the subject of administrative fines under the GDPR, which you can read here.

What to do?

It’s going to be important for data controllers to have robust policies and procedures in place around personal data breaches.  These will need to cover identifying personal data breaches, what to do when a personal data breach has been identified and the reporting and monitoring of personal data breaches.  It will also be essential to ensure that there are sufficient resources in place to ensure that reports are made to the ICO in time; someone being on holiday or off sick is unlikely to be considered sufficient justification for a delay in reporting a personal data breach (especially in medium sized and large organisations).

Alistair Sloan

If you would like advice on personal data breaches under the GDPR, or on any other information law matter, then you can contact Alistair Sloan on 0345 450 0123 or you can send him an E-mail.

Data Protection Bill 2017: initial observations and comments

Last week the UK Government finally introduced their much anticipated Data Protection Bill [pdf], which is required to deal with certain aspects of the General Data Protection Regulation.  I have spent some time since then reading through the Bill and this blog post is intended as an initial introduction to the new Bill.

The first thing to note is that the Bill is not an easy read, and certainly much of the commentary and discussion has centred on how difficult a Bill it is to read.  This may well create some difficulties for practitioners going forward, and indeed may also cause some difficulties for data subjects who are trying to understand what their data protection rights are.

There are a few things of note which clarify a number of matters.  The GDPR requires public bodies to appoint a Data Protection Officer, but the GDPR does not stipulate what is and what is not a public body; this was left up to member states to deal with.  The proposed answer comes in Clause 6 of the Bill which gives it the same meaning as public authority in the Freedom of Information Act 2000 and Scottish public authority in the Freedom of Information (Scotland) Act 2002.  So, a public authority for the purposes of FOI is also a public authority for the purpose of the GDPR.  The definition does not include those bodies who are subject only to the Environmental Information Regulations 2004 or the Environmental Information (Scotland) Regulations 2004.

It should be noted that it is proposed that the Secretary of State will have the power to provide, in regulations, that a public body, as defined by clause 6, is not in fact a public body for the purposes of the GDPR.  It is also proposed that the Secretary of State shall have the power to provide that a body that is not a public body, as defined by clause 6, is in fact a public body for the purposes of the GDPR.  There has been no indication as yet that the Secretary of State intends to make any Regulations under these powers and so for the time being it would be prudent to work on the basis that every person and organisation who is subject to the provisions of either the UK or Scottish FOI Acts is a public body for the purposes of the GDPR.

Although the Scottish Ministers cannot directly decide that a person or body ought to be (or ought not to be) a public body for the purposes of the GDPR, the exercising of their powers under Sections 4 and 5 of the Freedom of Information (Scotland) Act 2002 can result in persons or bodies becoming, or ceasing to be, public bodies for the purpose of the GDPR.  This effect is something to consider when the Scottish Government is seeking to extend the coverage of the Freedom of Information (Scotland) Act 2002; the obvious example is housing associations in Scotland.  The Scottish Government is currently considering whether they ought to be Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 or not.  If they lay Regulations to make housing associations a Scottish public authority this will have the effect of making housing associations a public body for the purposes of the GDPR as well.  Of course, the Secretary of State would have the power to then make Regulations which would have the effect of not making housing associations in Scotland a public authority for GDPR purposes.

This may well have an effect on how quickly an order under Section 5 of the Freedom of Information (Scotland) Act 2002 can come into force.  The data controller would become a public authority for the purposes of the GDPR immediately upon the coming into force of the “Section 5 Order”; if they do not already have a Data Protection Officer appointed then they will need to recruit and appoint someone in advance of the Section 5 Order entering into force.

The definition of who is a public body also has implications beyond the need to appoint a Data Protection Officer.  Public bodies are not allowed to rely upon the “legitimate interests” condition for processing personal data in the performance of the public body’s tasks.

In relation to consent, the GDPR allows member states to set an age between 13 and 16 for the purposes of when a child can give consent for the processing of their personal data by ‘information society services’ (e.g. Twitter, Facebook, Snapchat); Clause 8 of the Data Protection Bill proposes setting this at 13 in the UK.  It should be stressed that this only applies to consent provided to information society services and not consent more generally.  A child who is younger than 13 may be capable of providing consent more generally under the GDPR (and indeed, the presumption in Scotland will continue to be that a child of 12 can provide consent).

The GDPR allows data controllers to charge fees, in limited circumstances, when dealing with subject access requests.  Clause 11 of the Data Protection Bill provides that the Secretary of State may “by regulations specify limits on the fees that a controller may charge”.   The inclusion of this power within the Bill suggests that it is the Government’s intention to place a cap on what can be charged by data controllers in those circumstances where a fee can be charged.  The general right to charge a fee in order to process a subject access request, that is in place under the current Data Protection Act, will go.  A more detailed blog on the topic of subject access requests under the GDPR shall follow.

The Monetary Penalty Notice is to remain (although it will now just be a penalty notice) and this is the way in which the Information Commissioner will be able to exercise her powers under the GDPR to issue administrative fines.  The procedure adopted under the current monetary penalty regime is retained with the requirement for the Commissioner to issue a “notice of intent” in advance of serving a penalty.  It will also continue to be a requirement that the penalty notice be issued within 6 months of the notice of intent (see Schedule 16 of the Data Protection Bill).  The Commissioner will be able to issue a penalty notice to a data controller who has failed to comply with an enforcement notice.

These are just a few of the notable points from the new Data Protection Bill and there is plenty more to write about, but that will come in future blog posts.  The Bill has only just been introduced to the House of Lords and still has to go through the full process of scrutiny in both the House of Lords and the House of Commons; therefore, it is entirely possible that the Bill’s 194 clauses and 18 schedules will be amended during the passage of the Bill through Parliament.  The Bill is due to have its Second Reading in the House of Lords, at which the House of Lords will agree (or not) to the general principles of the Bill, on 10th October 2017.

Alistair Sloan

If you would like advice on the General Data Protection Regulation or on the new Data Protection Bill then contact our Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection Officers under the GDPR

Many data controllers already have people within their organisation who are referred to as “Data Protection Officers”.  Currently, people with the job title of “Data Protection Officer” can be senior members of staff, or (more often) quite junior members of staff, and their job roles can vary quite considerably from organisation to organisation.  Under the current data protection framework within the UK there is no formal concept of a Data Protection Officer, but that will all change in May 2018 when the General Data Protection Regulation becomes applicable.

The Data Protection Officer

The Data Protection Officer, or DPO, is a specific concept within the GDPR.  All public bodies will be required to appoint a DPO (with one exception, on which see further on) as will many private sector organisations.  The DPO is a key person within the new data protection framework and organisations should avoid giving people who are not a DPO within the context of the GDPR job titles which could be misleading.

The DPO should operate at a senior level and be able to feed into the highest level of the organisation.  The DPO should be a person with expert knowledge of data protection law and practices and should assist the controller or processor to monitor internal compliance with the GDPR.  The DPO can be a full-time or part-time member of staff, but can also be provided by a third party in terms of a service contract.

Where a DPO has been appointed, the data controller is required to publish the name and contact details for their DPO.

When does a Data Protection Officer require to be appointed?

All public authorities, regardless of size, (and with the exception of courts acting in their judicial capacity) will be required to appoint a DPO under the GDPR.  The GDPR does not define what is meant by “public authority or body” and this will largely be left up to national laws to determine.  It would be fair to say that in the UK any organisation that is deemed to be a public authority for the purposes of the Freedom of Information Act 2000 or a Scottish public authority for the purposes of the Freedom of Information (Scotland) Act 2002 will be considered as a public authority or body.

It is also probable that private companies who carry out functions of a public administrative nature will also be considered as a public authority or body and so the definition of public authority for the purposes of the Environmental Information Regulations 2004 and the Environmental Information (Scotland) Regulations 2004 should also be considered.

As already noted, the requirement to appoint a DPO is not simply confined to public authorities; private sector organisations will also be required to appoint a DPO if they meet certain criteria.  Private sector organisations (whether they are a data controller or a data processor – references to data controller in this blog post should be taken to include data processors) will need to appoint a DPO where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.

Finally, any data controller whose core activities consist of processing, on a large scale (which is yet to be properly defined), special categories of data or personal data relating to criminal convictions and offences will also be required to appoint a DPO.  Special categories of personal data broadly correspond with what the Data Protection Act 1998 describes as “sensitive personal data”, which includes personal data such as race, religion, political beliefs, health data etc.

What this means is that there is likely to be a requirement on a large number of private sector organisations to appoint a DPO.

The tasks of the Data Protection Officer

The GDPR sets out various tasks that Data Protection Officers will be required to carry out; these are:

  • to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to the GDPR;
  • to monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to co-operate with the Information Commissioner as the supervisory authority; and
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Data Protection Officers must be able to carry out their functions independently and must also be given sufficient resources to enable them to fulfil their obligations (for larger organisations, this may include, for example, having staff to assist them).  The requirement for them to conduct their responsibilities independently means that they should not be subject to direction on the performance of their responsibilities by anyone in the organisation and should not be treated unfairly for discharging their duties (e.g. they shouldn’t be side-lined or dismissed if they give an opinion that isn’t appreciated).

There is no obligation within the GDPR for an organisation to do what their DPO advises them to do; however, the accountability principle in the GDPR will mean that the ICO will likely want an explanation as to why an organisation has gone against the advice of their DPO if that is what they decide to do.

It is for each data controller and processor to decide whether or not they require to appoint a DPO; however, the accountability principle of the GDPR will mean that organisations who have decided they do not require a DPO should be able to demonstrate how and why they came to that decision. Organisations that are not required to appoint a DPO under the GDPR can still appoint one if they wish, but persons who are “electively” appointed as a DPO will be viewed in exactly the same way as those whose appointment is mandatory.

Core Activities

What constitutes an organisation’s core activities is not specifically defined within the GDPR.  However, Recital 97 of the GDPR states that in the private sector the core activities of a controller “relate to its primary activities and do not relate to the processing of personal data as ancillary activities”.  The Recital is not part of the law, but is a tool which assists with the interpretation of the law.  Organisations will need to be clear as to what their “primary activities” are in order to be able to work out whether processing personal data is one of their “core activities”.

The Article 29 Working Party, in its Guidelines on Data Protection Officers, expresses it in the following way:

“‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.

On the other hand, all organisations carry out certain supporting activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”

Large Scale Processing

As noted above, the GDPR does not define what is meant by large scale processing activities.  In its Guidelines on Data Protection Officers, the Article 29 Working Party has suggested four factors which should be taken into consideration when deciding whether processing is taking place on a large scale.  Those factors are:

  1. the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
  2. the volume of data and/or the range of different data items being processed;
  3. the duration, or permanence, of the data processing activity;
  4. the geographical extent of the processing activity.

As the phrase remains undefined within the GDPR it is a matter that will require a level of judicial interpretation.  No doubt the domestic courts will be asked to grapple with the concept of large-scale processing at some point, as will the Court of Justice of the European Union (although what impact a decision of that court will have in the UK given Brexit is a matter that remains to be seen).

Penalties

A failure to appoint a DPO where one is required is a matter which can attract an administrative fine; in this case the maximum is €10m or 2% of global turnover (whichever is greater).  I have covered administrative fines in more detail in another blog post.  Articles 38 and 39 of the GDPR, which relate to the position of the DPO and their tasks, are also subject to the administrative fine provisions; again with the maximum being €10m or 2% of global turnover (whichever is greater).

Alistair Sloan

If you would like advice on Data Protection Officers under the GDPR, or on any other matter relating to data protection/privacy or Freedom of Information, then you can contact Alistair Sloan on 0345 450 0123, by completing the contact form on this blog, or you can send him an E-mail directly.

Privacy and the Monitoring of Communications in the Employment Setting

On 5th September 2017 the Grand Chamber of the European Court of Human Rights issued its decision in the case of Bărbulescu v. Romania, which considers the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

The background to the case is that an employee was dismissed by his employer for making use of company equipment and services (internet connection and computer) for personal purposes during working hours; in particular, he had been sending personal messages (some of which were of an “intimate nature”) to his brother and fiancée.  The company’s internal policies prohibited this use and after following the disciplinary process required by Romanian domestic law, he was dismissed.  He brought a case in the domestic courts and was unsuccessful in all of those courts.  He then brought a case before the European Court of Human Rights which ultimately ended up with the Grand Chamber issuing its decision on 5th September 2017.  The procedural background to the case is more fully set out in the Court’s judgment.

The Court stated that the relationship between an employee and their employer “is contractual, with particular rights and obligations on either side, and is characterised by legal subordination” (paragraph 117).  The Court went on to state, at paragraph 118, that “labour law leaves room for negotiation between the parties to the contract of employment.  Thus, it is generally for the parties themselves to regulate a significant part of the content of their relations.”

In terms of the margin of appreciation afforded to States under the European Convention on Human Rights, the Court decided, at paragraph 119, that States “must be granted a wide margin of appreciation in assessing the need to establish a legal framework governing the conditions in which an employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace.”  However, the Court went on to state, in paragraph 120 of its judgment, that “the discretion enjoyed by States in this field cannot be unlimited.  The domestic authorities should ensure that the introduction by an employer of measures to monitor correspondence and other communications, irrespective of the extent and duration of such measures, is accompanied by adequate and sufficient safeguards against abuse.”  These adequate and sufficient safeguards, the Court stated at paragraph 121, “are essential.”

The Court sets out five factors which it considers domestic authorities should treat as being relevant:

  1. What notification has been given to the employee regarding the possibility that the employer might take measures to monitor their correspondence and other communications, and what notification the employee has been given regarding the implementation of these measures;
  2. The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy (a distinction should be drawn between simply monitoring the flow of communications and the monitoring of the content of the communications);
  3. The reasons the employer has provided to justify the monitoring of their communications and their actual content – greater justification will be required for monitoring the content as opposed to just the flow;
  4. Whether it would have been possible for the employer to have in place a monitoring system that was based on less intrusive methods and measures than simply directly accessing the content of the employee’s communications;
  5. The consequences of the monitoring for the employee subjected to it, and the use made by the employer of the results of the monitoring operation, in particular whether the results were used to achieve the declared aim of the measure;
  6. Whether there were adequate safeguards in place; especially when the employer’s monitoring operations are of an intrusive nature.

This case makes it clear that it can be legitimate for an employer to monitor, not only the flow of private communications made by an employee on company systems, but also the actual content of the correspondence.  However, employers do not have an unlimited right.

Employers will have to think carefully about what aims they are trying to achieve by the monitoring of communications by employees on company systems and whether their proposed method of monitoring is proportionate with that aim.  Furthermore, employees should be given clear and fair notice of what monitoring is taking place and the purpose for the monitoring.

Employers will also need to give careful consideration to the safeguards that accompany their monitoring procedures, and ensure that those safeguards are adequate.  With regards to safeguards, the Court specifically stated that employers should not have access to the actual content of the correspondence concerned unless the employee has been notified in advance.

The court has also said that domestic authorities should ensure that any employee whose communications have been monitored has access to a remedy before a judicial body and that judicial body should have jurisdiction to determine, at least in substance, how the six criteria set out in its judgment have been observed and whether the impugned measures were in fact lawful.

This decision doesn’t really change the law as it already operated.  The decision does not prevent employers from undertaking the monitoring of communications by their employees on the employer’s systems.  However, the decision does act as a useful reminder that the ability to conduct such monitoring activities is not wholly unrestrained.  The decision, coupled with the forthcoming applicability of the General Data Protection Regulation, may well provide a good opportunity for employers to review their policies in this area to ensure that they are compliant with the law.

Alistair Sloan

If you would like advice on a matter concerning data protection or privacy, then you can contact our Alistair Sloan on 0345 450 0123 or by completing the contact page on this blog.  Alternatively, you can send him an E-mail directly.

GDPR and Accountability

The Data Protection Act 1998 (“the DPA”) provides a legislative framework that is principle-based, rather than one which is centred around lots of prescriptive rules.  This approach is continued under the GDPR, and Article 5(1) of the GDPR sets out 6 principles that are broadly similar to the 8 principles currently found in Schedule 1 to the DPA.  The idea of accountability has been implicit in the field of data protection and privacy for some time now; however, the GDPR introduces explicit requirements around accountability, which can be found in Article 5(2).

The accountability principle means that data controllers will not only be responsible for ensuring compliance with the principles in Article 5(1) of the GDPR, but will also be responsible for being able to demonstrate compliance with those principles.  The GDPR also ends the current position whereby the statutory obligations all fall upon the data controller; data processors have certain statutory obligations under the GDPR and they will also have to demonstrate compliance with their obligations.

The accountability principle essentially means that there is an expectation that organisations will have in place comprehensive, but proportionate, governance measures. Many aspects of good practice that the ICO has recommended for a long time, such as privacy impact assessments (known as “Data Protection Impact Assessments” under the GDPR) and privacy by design, will be required in certain circumstances under the GDPR.  They, of course, remain good practice where there is no legal obligation.

Under the DPA, data controllers are subject to a notification requirement, which means that they must register with the ICO every year and pay a fee.  As part of the notification procedure, data controllers give the ICO certain information about what personal data they are processing and how they are using it.  The GDPR does away with the requirement to notify the ICO (it should be noted that the UK Parliament has already passed legislation which, if formally commenced, would re-introduce the registration requirement), but part of the accountability requirements under the GDPR is that certain data controllers must keep internal records of their processing activities.  It is likely that the ICO will want to see these records when carrying out any of its responsibilities as the supervisory authority.  It would probably be considered good practice for all data controllers to keep such records, even if the GDPR does not require it.

All organisations with 250 or more employees are required to keep records of their processing activities.  Furthermore, organisations with fewer than 250 employees are required to maintain records of activities related to higher risk processing, such as processing personal data that could result in a risk to the rights and freedoms of individuals, or processing of special categories of personal data or criminal convictions and offences.

Accountability under the GDPR is all about being able to demonstrate compliance with the law.  This will require organisations to have in place good policies and procedures and also a strong culture around record keeping.

Alistair Sloan

If you would like advice on the accountability principle of the General Data Protection Regulation, or any other information law matter, then you can contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Administrative Fines and the GDPR

Since 2010 the Information Commissioner has had the power to impose a Monetary Penalty Notice in respect of certain breaches of the Data Protection Act 1998 (“the DPA”), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  In 2015 I undertook a Master of Laws degree and my dissertation looked at how the Commissioner had used the power to serve these penalties, but only in relation to breaches of the DPA.  What became clear from my research was that the Commissioner tended to focus on breaches of the seventh data protection principle (which relates to having in place sufficient technical and organisational measures).  However, the Commissioner’s enforcement team have been even more active in issuing monetary penalties for breaches of PECR.  You can see examples of the types of DPA and PECR breaches that can result in the Commissioner serving a Monetary Penalty Notice in my blog post on Data Protection/Privacy Enforcement from August 2017.

The GDPR also includes provisions for financial penalties, which it terms “administrative fines”, for certain breaches of the Regulation.  For some breaches the maximum penalty is €10m or 2% of global turnover (whichever is the greater); while for others the maximum penalty is €20m or 4% of global turnover (whichever is the greater).  These penalties are far greater than the maximum penalty currently available to the Commissioner, which is fixed at £500,000.  Of course, while the maximum penalties prescribed in the GDPR are in Euros, the UK does not use the Euro as its currency.  The recent Statement of Intent [pdf] from the UK Government (published in August 2017) suggests that the equivalent will be £17m where the GDPR sets a maximum of €20m.  The Government is expected to publish a Data Protection Bill later this month; once it does, we may become more enlightened about how the UK Government intends to convert the maximum penalties from Euros to Pounds Sterling.

Over the last year or so, there have been numerous articles published which focus on the high level of the administrative fines which will be available to the Commissioner.  At this stage it is far too early to tell exactly how the Commissioner will make use of her greatly extended powers; however, looking at how the current powers have been used may well cast some light onto the future.  It is probably fairly unlikely that the ICO will radically change how it has been enforcing data protection law upon the GDPR becoming effective (at least not immediately anyway).  Indeed, the Commissioner herself has published a blog post on the ICO’s blog seeking to squash the idea that her office will be rushing to issue crippling financial penalties to errant data controllers.

The consistency mechanism within the GDPR, read with Recital 150, may be used to ensure that there is a consistent approach taken across Member States in the application of administrative fines.  This may well mean that, over time, a more consistent approach to financial penalties develops across supervisory authorities.  What impact this will have in the UK remains to be seen, given that developing a consistent approach, if indeed that is what happens, will take time; the UK is on course to leave the European Union a little under 12 months after the GDPR becomes applicable.

As I noted above, insofar as the DPA is concerned, much of the Commissioner’s use of monetary penalties has been in relation to breaches of the seventh data protection principle.  Where monetary penalties have been issued, common features have been a failure to have in place adequate policies and procedures; a failure to ensure the staff have been adequately trained in the organisation’s policies and procedures; and a failure to have in place adequate security (especially encryption).

The seventh data protection principle has survived, and is now to be found in Article 5(1)(f) of the GDPR.  Article 5(1)(f) reads: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.  In GDPR language it is the ‘integrity and confidentiality’ principle; a failure to comply with this basic principle of processing is one of the breaches that can result in a maximum administrative fine of €20m or 4% of global turnover (whichever is the greater).

Given that the Commissioner (and her predecessor) has historically taken action for breaches of the seventh data protection principle (including, but not limited to, the imposition of financial penalties), a reasonable assumption to make is that she will enforce against breaches of the integrity and confidentiality principle.  Therefore, if an organisation is found to have breached the integrity and confidentiality principle, and one of the common contributory factors mentioned above is present, it should consider that an administrative fine is a real possibility (but not necessarily an inevitability).

What is impossible to tell at the moment is the level of the administrative fines that the ICO will issue; although, it is unlikely that there will be a tectonic shift in the size of penalties issued by the Commissioner.  The ICO has traditionally taken into account the organisation’s financial resources when fixing the financial penalty and it is likely that this will continue; indeed Recital 150 of the GDPR states that the supervisory authority should take into account the “economic situation of the person in considering the appropriate amount of the fine.” However, the GDPR does require the ICO to ensure that the imposition of administrative fines in respect of infringements of the Regulation shall, in each individual case, be effective, proportionate and dissuasive.

Recital 148 of the GDPR does state that “in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.”  The Recital continues by stating that:

“due regard should be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.”

There will therefore need to be a balancing exercise undertaken by the ICO to find the right level of fine in each case (in the same way as is done today).

There may be some small increase in the level of penalties being issued by the ICO from May 2018, but it is unlikely that we will begin to see financial penalties much larger than those that we are seeing today (not immediately anyway).  The Article 29 Working Party and the ICO will no doubt issue guidance on administrative fines in due course and once we see that guidance we might have a better idea as to how the administrative fines will operate in practice.

Alistair Sloan

If you have a data protection/privacy matter which you would like to discuss, then you can contact Alistair Sloan on 0345 450 0123; or you can complete the contact form on this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement – August 2017

In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017.  It is hoped that this will become a regular monthly feature on this blog.

Key Points

The key points from the enforcement action publicised by the ICO during the course of August are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
  • Ensure that you have appropriate technical and organisational measures in place to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
  • Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and ensure that regular refresher training is undertaken.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.

Enforcement Action published by ICO in August 2017

H.P.A.S Limited (trading as Safestyle UK)

H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Laura Anderson Limited t/a Virgo Home Improvements

Laura Anderson Limited were served with a Monetary Penalty Notice [pdf] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Home Logic UK Limited

Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Talk Talk Telecom Group Plc

Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000.  The Commissioner found that they had failed to have in place adequate technical and organisational measures to protect against the unauthorised or unlawful processing of personal data.  Talk Talk Telecom Group Plc had in place unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.

London Borough of Islington

The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.

Nottinghamshire County Council

Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.

Cheshire West and Chester Council

Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998.  In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.

Prosecution

A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in The Colchester Magistrates’ Court.  The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998.  She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained.  She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data.  She was also required to pay prosecution costs and a victim surcharge.

I can provide advice and assistance on a wide range of information law matters.  If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Alistair Sloan

Welcome to the Information Law Blog by Inksters Solicitors

Welcome to the Information Law Blog from Inksters Solicitors.  On this blog we will be covering the latest issues in the areas of Data Protection/Privacy and also Freedom of Information.  Most of the contributions to this blog will be by Alistair Sloan, although there may be contributions from other members of the Inksters team from time to time.

Alistair is one of our solicitors based in our Glasgow HQ; he offers legal services throughout Scotland in the field of information law, among others.  Alistair regularly travels around Scotland and in particular visits our Caithness base in Wick on a frequent basis.  Alistair has been involved in the fields of freedom of information and data protection for a number of years, including prior to qualifying as a solicitor, and has built up a knowledge base on both areas throughout that time.  While studying for his Master of Laws degree, he researched the Information Commissioner’s use of Monetary Penalty Notices for breaches of the Data Protection Act 1998.

The area of information law is constantly developing.  The biggest change on the horizon is the General Data Protection Regulation, which will be applicable in the UK (and across the rest of the European Union) from 25 May 2018.  This new Regulation from the European Union represents the single biggest change to the laws relating to data protection and privacy in the UK in more than 20 years.

Much of the field of Information law is governed by EU law in one way or another, whether it be data protection or access to environmental information held by public authorities; therefore, the hot political subject of Brexit will feature heavily in the information law field over the coming years.

We’re not new to the world of information law; in 2016 our Sylvia MacLennan acted for the successful Petitioner in WF v Scottish Ministers.  This case challenged the position in Scotland where an accused person could seek access to the medical records of a complainer in a criminal case, but that the complainer was said not to have any standing to make representations directly to the court (including through their own solicitor) on the question of whether their medical records should be disclosed to the accused.  It also challenged the lack of availability of legal aid in Scotland to complainers concerning such issues.

We hope that this blog will become a useful resource for individuals to find out about the latest developments in the field of information law.  To keep up to date with this blog and what we are doing you can follow Alistair on twitter here; we also have a dedicated information law twitter account, which you can follow as well.

If you want to discuss an information law matter with Alistair you can contact him on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.