Monthly Archives: December 2019

Commissioner Dispenses GDPR Administrative Fine

On 20th December 2019, the Information Commissioner published a Penalty Notice [pdf] it had issued under the Data Protection Act 2018 to Doorstep Dispensaree Limited in the sum of £275,000. While we have had the Marriott and British Airways Notices of Intent, this is the first penalty notice published by the Information Commissioner exercising her powers under the Data Protection Act 2018 and the General Data Protection Regulation to issue administrative fines (formally known in the UK as “Penalty Notices”).

In this case, the Information Commissioner was acting upon information received from another UK Regulator (the Medicines and Healthcare Products Regulatory Agency, or “MHRA”). The MHRA had executed a search warrant under its own regulatory scheme and discovered in a courtyard approximately 500,000 documents containing personal data, all of which were contained in an insecure manner. The MHRA inspected the documents and discovered that they contained personal data and special category personal data. The documents were dated from January 2016 to June 2018 and the condition of them indicated that they had been stored in the courtyard for some time. The Information Commissioner began an investigation; she wrote to the data controller asking a number of questions. The controller responded, via its solicitor; however, its response didn’t answer any of the Commissioner’s questions, but instead it seemed to the Commissioner (as recorded in the penalty notice) that the controller was denying any knowledge of the documents.

The Commissioner followed up with more information and repeated the questions initially asked. The controller refused to answer those questions and the Commissioner records that it appears as though the controller was conflating the separate investigation by the Commissioner with the one being undertaken by the MHRA. The Commissioner thereafter issued it with an information notice, which the controller (unsuccessfully) appealed to the First-Tier Tribunal. The Commissioner’s Penalty Notice then records that after the appeal was disposed of by the Tribunal, the controller did not comply timeously with the notice and the Commissioner had to threaten the controller with obtaining an information order and/or issuing a penalty notice.

The controller finally responded to the Information Notice, refusing to provide some information (under section 143(6) of the Data Protection Act 2018) on the basis that providing that information would open the controller up to prosecution by the MHRA in its separate criminal investigation. The controller provided various documents to the Commissioner, most of which were dated from 2015.

The Commissioner ultimately found that the controller’s infringements of data protection law were systemic in nature; the Commissioner pointed to the inadequate and outdated policies and procedures that it had in place. Furthermore, its privacy notice fell far short of what was required by Articles 13 and 14 of the GDPR. Interestingly, there appears to be no reference in the Penalty Notice to the early payment discount that was a feature of monetary penalty notices issued by the ICO under the Data Protection Act 1998.

The controller was also issued with an Enforcement Notice [pdf] by the Commissioner, which requires the controller to, among other things, update its internal policies and procedures, appoint a member of staff as an Information Governance Lead or Data Protection Officer, introduce mandatory training and update its privacy notice in line with Articles 13 and 14.

This Penalty Notice contains much that can be of assistance to controllers when it comes to enforcement action under the GDPR. The first point worth mentioning is that failing to co-operate with the ICO during investigations is not recommended. Indeed, controllers (and processors) and their representatives are under a positive duty to co-operate with the Commissioner (Article 31 of the GDPR). In any event, the Commissioner has a range of powers to ensure that she can properly investigate alleged breaches of data protection law, including the power to issue an information notice, obtain an information order and obtain (and execute) a search warrant. It’s important that, where you’re facing multiple regulatory investigations simultaneously, you take each one seriously and understand precisely what each regulator is investigating and what their respective powers are.

It also appears that the Commissioner has dropped the early payment discount that used to be offered to controllers to encourage them to pay the penalty notice (an appeal automatically meant that the controller lost the early payment discount, as it would delay payment of the monetary penalty).

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

We don’t hold it…oh yes you do!

Dr Ian Graham v The Scottish Information Commissioner [2019] CSIH 57 is a rare decision of the Court of Session in an appeal against a decision of the Scottish Information Commissioner, the last one coming almost 12 months ago. The case was considered by the Second Division (with the bench comprising the Lord Justice Clerk, Lord Malcolm and Lord Glennie) with Lord Glennie delivering the Opinion of the Court.

Before a Scottish public authority is required to release information, it actually has to hold it and information will not be held, according to the law, if it is held by the Scottish public authority on behalf of a third party. The question that was considered in the appeal by Dr Graham was on this fundamental point: whether the Scottish public authority held the information or not; and in particular whether information was held by a Council on behalf of a third party (in this case, the Returning Officer).

In January 2018, Dr Graham requested the following information from Aberdeenshire Council: (1) a list of the contracts called off by the council from the framework agreement, (2) invoice and order copies for each contract, (3) payment confirmation from the council of the invoices and (4) whether the council reclaimed the input VAT on the invoice. The framework agreement in question was for the provision of electoral services to the returning officer. In terms of the contract (and of importance for this appeal), the Council assumed obligations and liabilities under the contract and also had responsibilities and liabilities in respect of the procurement process.

Whilst the Council ultimately released information in relation to parts (3) and (4) of his request, initially the Council also claimed that it did not hold this information for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”). The Council’s argument was that because a returning officer, although an official from within the council, was legally a separate entity from the rest of the council when acting in their capacity as returning officer, they only held the information on behalf of the returning officer and not in their own right. Dr Graham was dissatisfied with this and applied to the Scottish Information Commissioner for a decision on whether the Council had complied with its disclosure obligations under FOISA. The Commissioner upheld the Council’s decision, determining that the Council did not hold the information for the purposes of FOISA, but rather held it on behalf of the returning officer.

Counsel for the Appellant argued that the word ‘held’ was being submitted to too much scrutiny, as well as drawing attention to the spirit in which the FOISA had been made; that being to make information available to the public. Counsel contended that a liberal approach should be taken to the interpretation of this provision. Reference was made by the Appellant’s Counsel to University and Colleges Admission Service v Information Commissioner [2014] UKUT 0557 (AAC) and Common Services Agency v Scottish Information Commissioner 2008 SC (HL) 184. Counsel for the Appellant further drew upon University of Newcastle v Information Commissioner [2011] UKUT 185 (AAC) to demonstrate how a more common-sense approach was preferable. The broader interpretation of ‘held’ was further supported by the decision of the Upper Tribunal in Department of Health v Information Commissioner where it was held that a ministerial diary was ‘held’ by a department purely as a historical record for reference purposes. With reference to the current case, he ultimately claimed that the differentiation between the council holding the information for itself or on behalf of the returning officer was immaterial and indeed that both conditions could be fulfilled simultaneously in the present circumstances; with the fine-tooth investigation of the council election laws amounting to little more than prevaricating.

The Court allowed Dr Graham’s appeal, emphasising “that the relevant provisions of FOISA should, so far as possible, be interpreted in a manner consistent with the policy of the Act, namely the desirability of making information available to the public, all in the interests of promoting open, transparent and accountable government.” [15] The court also held “that the words and expressions used in the Act should, so far as possible, be given their ordinary and natural meaning” and that “[t]here should be no scope for the introduction of technicalities, unnecessary legal concepts calculated to over-complicate matters and, by so doing, to restrict the disclosure of relevant information.” [15].

The Court approved of and agreed with the reasoning given by the Upper Tribunal at paragraphs 21-22 of its decision in University of Newcastle. In essence, a Scottish public authority will hold information if it has more than a de minimis interest in the information. That is to say, it will only fall outside of the scope of FOISA if it has “no (or no material) interest of its own” in the information. [18] As a result of the Court’s decision, it reduced the Commissioner’s decision and remitted the matter back to him so that he could reconsider Dr. Graham’s application in light of its opinion.

The effect of this decision should be to widen the scope of information that is available to the public under FOISA. Scottish public authorities and the Commissioner will be required to take a more holistic approach in future to deciding whether information is only held by the Scottish public authority on behalf of a third party. A more practical approach requires to be taken than simply looking at whether the Scottish public authority and the third party are separate entities from one another; consideration must be given to the underlying factual matrix. The opinion of the Court also reiterates previous comments by the courts that the Act should be interpreted in a way that isn’t too complex or technical.

Our Alistair Sloan acted for the successful appellant in this case, instructing John MacGregor, Advocate.

Danny Cummins (Trainee Solicitor)

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact us on 0141 229 0880 or you can send us an E-mail.