Author Archives: Alistair Sloan

Data Protection/Privacy Enforcement: June 2018

June was exceptionally good weather-wise, with lots of bright and sunny days, but the outlook for some data controllers was not so bright or sunny as the Information Commissioner took action against them for data protection and privacy breaches. Many of the key points arising out of last month’s enforcement action make a regular appearance on this blog. In relation to enforcement of (the now repealed) Data Protection Act 1998, the focus remains heavily on breaches of the seventh data protection principle relating to technical and organisational measures.

Key Points

  • Train, train, train – training is a key aspect of a data controller’s ability to reduce the risk of suffering a data breach. Ensuring that all staff receive appropriate training on data protection relevant to their job role upon induction, and regular refresher training thereafter, is a core aspect of ensuring that the organisation has in place adequate organisational measures. It’s also important to ensure that people actually undertake the induction and refresher training on offer. It is all very well having lots of well designed and worked-out policies, procedures and training material, but if nobody is being trained on the policies and procedures, then the controller might as well not have made the investment in the first place.
  • Sending bulk E-mails is a high risk activity and extreme care should be taken to ensure that personal data is not inappropriately revealed. The manual entry of E-mail addresses can pose a significant risk, even if there is a well documented procedure to use the Bcc field (and everyone has undergone their induction and refresher training setting out this procedure).
  • The right of subject access is a core right of data subjects and it is therefore important that data controllers have in place adequate procedures to identify, record, track and respond to subject access requests. A failure to comply with a subject access request can result in a data subject making a complaint to the Information Commissioner (who may take enforcement action) or applying to the court for an order forcing the data controller to comply.
  • When conducting direct marketing campaigns by electronic means, make sure that you really do have in place the appropriate consents. Further, if you’re sending something as a service message make sure it really is a service message and not a marketing message dressed up as a service message.
  • If you are making live telephone calls for the purposes of direct marketing you must ensure that you do not make calls to telephone numbers listed with the Telephone Preference Service unless you have clear consent to do so.
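As an added illustration of the bulk E-mail point above (this is example code, not from the original post or any of the controllers discussed), a small Python pre-send guard that flags a message exposing several addresses in To/Cc, and a sender that issues one copy per recipient so that a mistyped field can never leak the list. The mail transport is a stub callback so the code runs offline; the recipient addresses are constructed samples.

```python
"""Bulk E-mail guard: flag exposed recipient lists and send one copy per address.

Added example, not part of the original post. The transport is a callback
(a hypothetical stand-in for an SMTP send) so everything runs offline.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, List


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Return every address that would be shown to all recipients (To and Cc)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def check_outgoing(msg: EmailMessage, max_visible: int = 1) -> List[str]:
    """Pre-send control for the Gloucestershire-style mistake.

    Returns a list of findings; an empty list means the message passes.
    By default more than one address in To/Cc is treated as a disclosure risk.
    """
    findings = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        findings.append(
            f"{len(visible)} addresses visible in To/Cc (limit {max_visible})"
        )
    if not visible and not msg.get_all("Bcc"):
        findings.append("no recipients")
    return findings


def send_individually(
    subject: str,
    body: str,
    sender: str,
    recipients: List[str],
    send: Callable[[EmailMessage], None],
) -> int:
    """Send a separate copy to each recipient and return the number sent.

    Each message carries exactly one To address, so no recipient ever sees
    another. Addresses are trimmed and de-duplicated, preserving order.
    """
    count = 0
    for rcpt in dict.fromkeys(r.strip() for r in recipients if r.strip()):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        findings = check_outgoing(msg)  # belt and braces: re-check every copy
        if findings:
            raise ValueError(f"refusing to send: {findings}")
        send(msg)
        count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: the risky draft (everyone in To) versus safe sending.
    draft = EmailMessage()
    draft["To"] = "one@example.org, two@example.org, three@example.org"
    print("draft findings:", check_outgoing(draft))

    outbox: List[EmailMessage] = []
    sent = send_individually(
        "Investigation update", "Update text.", "officer@example.org",
        ["one@example.org", "two@example.org", " one@example.org "], outbox.append,
    )
    print("sent", sent, "copies;", [str(m["To"]) for m in outbox])
```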

Enforcement action published in June 2018

The British and Foreign Bible Society
The British and Foreign Bible Society was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after suffering a ransomware attack. This had been possible because a brute-force attack had exploited a weak password, giving the attackers access to the Remote Desktop Server (which allowed home working). The attackers were therefore able to access personal data. The Commissioner considered that the British and Foreign Bible Society did not have in place adequate organisational and technical measures and as such was in breach of the seventh data protection principle.

Chief Constable of Humberside Police
The Chief Constable of Humberside Police gave an undertaking to the Information Commissioner after losing interview disks and written notes concerning an allegation of rape [pdf]. Humberside Police had conducted the interviews on behalf of another force. During the course of the Commissioner’s investigation into the data breach, it transpired that training compliance within the force on data protection was only 16.8%. Of the three officers involved in the initial incident, two had received training some years ago and the third had received no training at all.

Chief Constable of Gloucestershire Police
The Chief Constable of Gloucestershire Police was served with a Monetary Penalty Notice in the amount of £80,000 [pdf] after sending a bulk E-mail which identified victims of historic child abuse. In December 2016 an officer sent an update about investigations into allegations of child abuse relating to multiple victims. The officer did not make use of the ‘Bcc’ function and instead entered all of the E-mail addresses into the “to” field thus revealing the E-mail addresses of every recipient to every other.

Ainsworth Lord Estates Limited
Ainsworth Lord Estates Limited was served with an Enforcement Notice after it failed to respond to a Subject Access Request made by a data subject [pdf]. The data subject made a subject access request to the controller and got an out of office response; when they received no response they attempted to engage with the controller, but got no response. When the Commissioner became involved her office attempted to contact the controller, but had no success in receiving a response.

British Telecommunications Plc
British Telecommunications Plc (BT) was served with a Monetary Penalty Notice in the amount of £77,000 [pdf] for breaching the provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003. A complaint was made to the ICO by an individual who had opted out of receiving marketing communications from BT when they received a message from BT promoting its ‘My Donate’ platform. The Commissioner opened an investigation as it appeared the message had been sent to the whole of BT’s marketing database. BT advised the Commissioner that it considered that the message re ‘My Donate’ was a service message, rather than a marketing message. Two other marketing campaigns took place, which BT accepted were marketing campaigns; BT argued that it had complied with the requirements of PECR by only sending them to those who had opted in, and purported also to rely upon the ‘soft opt-in’. The Commissioner found that in relation to all three campaigns, BT had failed to comply with Regulation 22 of PECR.

Our Vault Limited
Our Vault Limited was served with an Enforcement Notice [pdf] and also with a Monetary Penalty Notice in the amount of £70,000 [pdf] after it failed to comply with the provisions of PECR. The company made live telephone calls for the purposes of marketing the products of a third party company (under the guise of conducting lifestyle research); including to numbers that were listed with the Telephone Preference Service where they did not have the consent of the subscriber to do so, contrary to Regulation 21 of PECR.

Horizon Windows Limited
Horizon Windows Limited was served with an Enforcement Notice after it failed to comply with the provisions of Regulation 21 of PECR [pdf]. In this case complaints continued to be received by the Commissioner during the course of her office’s investigation.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Compensation for identifiable third parties following a data breach

The subject of data protection has, once again, been visited by the England and Wales Court of Appeal. At the end of last week the Court (Gross LJ, McFarlane LJ and Coulson LJ) gave its judgment in an appeal brought by the Secretary of State for the Home Department and the Home Office against a decision of the England and Wales High Court in which it was found liable to three members of a family following a data breach.

The Factual Background
The facts as found proved by the court at first instance are more fully set out in the judgment of Mitting J ([2016] EWHC 2217 (QB)), but they can be summarised for the purposes of this blog post in the following way. The case concerns three members of a family: TLT, TLU and TLV. TLT and TLU are married (but have different surnames) and TLV is the teenage son of TLT (sharing the same surname). In 2010 the family lawfully arrived in the United Kingdom. They claimed asylum. They were also joined by an older child who was, in 2010, 17 years of age. Upon turning 18, he applied for asylum in his own right. His application for asylum was rejected and he was returned to Iran in 2012. TLT and TLU heard from relatives in Iran that upon his return to Iran their son had been detained and tortured and subsequently released after paying a bribe.

On 15th October 2013 the Home Office suffered a data breach when it accidentally published more information than it had intended to concerning the family return process. It had intended to publish the statistics contained in the first sheet of a spreadsheet, but not the underlying data that was contained in a second sheet. The error was discovered on 28th October 2013 and the spreadsheet was immediately removed from the internet. It was discovered that by the time the spreadsheet was removed at least one unknown individual had downloaded and saved the spreadsheet.

In November 2014 a person who had downloaded the page and the spreadsheet from the UK Border Agency’s website uploaded the spreadsheet onto a US website; this was later removed on 18 December 2013.

The personal data of TLT was included within the spreadsheet; in particular it included both his forename and surname, his nationality (Iranian), his date of birth and age. It also noted that “assisted return” was being pursued and stated that the removal case type was “Family with Children – Voluntary”. It further acknowledged that asylum had been claimed.

In March 2014, TLU received some communications from a family member in Iran. These communications advised that the Iranian authorities had detained another member of TLU’s family and questioned them about “you”. It was said that the authorities in Iran claimed to have documentation showing that TLT and his family had claimed asylum.

The issues on appeal
There were three issues on appeal:

  • Did the spreadsheet in question contain private and/or confidential information?
  • Did the spreadsheet contain personal data of which TLU and TLV were the data subjects?
  • Even if the information in the spreadsheet did not contain the personal data of TLU and TLV, are they entitled to damages for the distress they have suffered under section 13 of the Data Protection Act 1998 in any event?

The first issue
This issue amounts to a common law tort in English law. At para 28 of the judgment of the Court of Appeal Gross LJ said that “this issue is short, straightforward and essentially one of fact.” Gross LJ had “no hesitation in concluding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information.” [31] TLT was the lead family claimant and the detailed nature of the information concerning TLT as such meant that TLU and TLV “could readily be identified by third parties” and that they “had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.” [31]

The second Issue
In terms of section 1 of the Data Protection Act 1998, personal data was defined as meaning “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” The Data Protection Act 1998 was the domestic vehicle through which the United Kingdom implemented its obligations under Directive 95/46/EC (which has, of course, now been replaced by the General Data Protection Regulation, but is still relevant for the purpose of this case as that was the law in force at the time). Recital 26 of the Directive noted that the “principles of protection” should take account “of all the means likely reasonably to be used either by the controller or by any other person to identify the” data subject.

In the present case, limb (b) of the definition of personal data was met in relation to TLU and TLV. The Home Office had argued that the information contained in row 1101 of the spreadsheet (which concerned TLT) did not “relate to” TLU and TLV. This was rejected by the court with reference to the statutory language. [39]

The Home Office had also sought to rely on Durant v Financial Services Authority as a means of trying to limit the scope of personal data (and therefore its liability) in this case. However, Gross LJ held that Durant, when properly applied, “powerfully reinforces the case for TLU and TLV” [44] and that Auld LJ was simply stating “a broad, practical working assumption.” [42] There was nothing within Durant that enabled the Court to depart from the conclusions that it must reach in light of the decision of the Court of Appeal in Vidal-Hall v Google and of the Supreme Court in Common Services Agency v Scottish Information Commissioner.

Third Issue
In the circumstances, this issue did not arise and the court felt it best to leave resolution of it “to a case where a decision is required” on it. [48]

Comment
The appeal was therefore dismissed by Gross LJ on all three issues that were raised and McFarlane LJ and Coulson LJ simply agreed adding no further comments of their own.

This is an interesting, but not unexpected, decision from the Court of Appeal which will be binding on all lower courts in England and Wales and will be persuasive in Scotland. It is difficult to find fault with the approach taken by the Court of Appeal or the judge at first instance; indeed, this is very much the view of the Court of Appeal. It does make it clear though that it will be possible for data subjects not directly referred to within the compromised data arising out of a data breach to sue for damages in certain circumstances. The first instance case had become an important case when such situations arose and now that the Court of Appeal has confirmed the approach adopted by the first instance judge it is likely that we will see more claims of this nature being made.

The circumstances in the present case are fairly clear-cut, but not all situations where liability might arise will be as clear-cut. The GDPR is not going to have any real impact upon this position; the definition of personal data essentially adopts the same two-stage test as was to be found within section 1 of the Data Protection Act 1998. Therefore this pre-GDPR case will continue to be instructive in the post-GDPR world we now inhabit.

Alistair Sloan

If you require further information in relation any data protection or privacy law matter then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Data Protection/Privacy Enforcement: May 2018

May saw the long awaited General Data Protection Regulation coming into force, but it will be a while yet before we begin to see regulatory enforcement action taken under the GDPR and the associated Data Protection Act 2018. In May there was, as is normal, a steady stream of enforcement action against data controllers published by the Information Commissioner’s Office. It is once again time to take our monthly look at what breaches the Commissioner has taken enforcement action in relation to and what data controllers and their staff can learn from it.

Key Points

  • This is a frequent message of these monthly reviews, but it is important to ensure that you screen telephone numbers you are intending to call as part of a marketing campaign against the list maintained by the Telephone Preference Service. If you have, and can demonstrate that you have, consent to do so; you can call a number that is listed with the Telephone Preference Service.
  • When undertaking direct marketing by telephone you must identify the caller; if you are making the call on behalf of a third party then you must also identify the third party. It is not permissible to hide, obscure or refuse to provide the identity of the caller or their principal.
  • If you are obtaining personal data from a third party organisation for the purposes of direct marketing, you should ensure that you conduct your own due diligence checks to ensure that the appropriate consents are in fact in place.
  • When drafting privacy notices, when setting out to whom you will be passing personal data on for the purposes of direct marketing you need to be fairly specific. It is not sufficient to simply put “selected partners” or phrases that are similarly generic.
  • When sending personal data or sensitive personal data, even to other sites within your own company, it is important to ensure that you have in place adequate technical and organisational measures. Encrypting CDs and memory sticks is easy and cheap to do and therefore should be done whenever sending personal data outside the organisation on such media.
  • You should ensure that when updating the security of your websites and servers you look at all aspects of your websites and servers, including microsites and sub-domains, to ensure that you are taking appropriate precautions to secure them.
  • When storing personal data offsite you should ensure that you take steps to keep that personal data safe and secure; off-site storage may not be visited as regularly by staff as your on-site storage and so this should be taken into consideration. When vacating a premises it is important to ensure that you systematically check the premises to ensure that all personal data has been removed from the site – you should be able to evidence your plan and that it was followed.
  • If you’re processing personal data within the European Union which concerns a data subject resident outside of the European Union then you may be required to comply with a subject access request received from the data subject.

Enforcement action published in May 2018

IAG Nationwide Limited
IAG Nationwide Limited was served with both an Enforcement Notice [pdf] and a Monetary Penalty Notice in the amount of £100,000 [pdf]. IAG Nationwide Limited is an advertising/marketing agency. IAG Nationwide Limited made telephone calls to numbers which were listed with the Telephone Preference Service (TPS) and continued to make such calls even after complaints had been raised with the TPS. This was a contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). IAG Nationwide Limited also failed to properly identify itself to those who it called, which was a contravention of Regulation 24 of PECR. Indeed, when the Commissioner’s staff contacted the company by telephone it refused to provide its address and only provided an E-mail address which was unregistered and available for sale.

Costelloe and Kelly Limited
Costelloe and Kelly Limited was served with a Monetary Penalty Notice in the amount of £19,000 [pdf] after it undertook a direct marketing campaign by text message in a way that contravened Regulation 22 of PECR. The company instigated the transmission of approximately 283,500 text messages promoting products without having in place proper consent to do so. The company had relied upon a list supplied to it by a data provider which said that it had obtained consent for the purposes of direct marketing by text messages. Costelloe and Kelly Limited conducted little or no due diligence itself to ensure appropriate consent. The consent obtained by its data provider was insufficient as it referred only to providing details to its “partners” and other generic descriptions when getting people to “opt-in”.

SCL Elections Limited
SCL Elections Limited was served with an Enforcement Notice requiring it to comply with a Subject Access Request made to it by a data subject [pdf]. SCL Elections Limited provided some information, for and on behalf of Cambridge Analytica. The data subject was not satisfied with the response and made a request for assessment to the Commissioner. In response, SCL Elections Limited asserted that the data subject had no right to make a subject access request nor a request for assessment to the commissioner as the data subject was a US rather than a UK citizen. The Commissioner disagreed and found that SCL Elections had not fully complied with its obligations.

Crown Prosecution Service
The Crown Prosecution Service (CPS) was served with its second Monetary Penalty Notice for a failure to comply with the seventh data protection principle [pdf]. In November 2016 the CPS received 15 unencrypted DVDs from Surrey Police. The DVDs contained interviews with alleged victims of child sexual abuse. The DVDs received by the CPS were copies; the originals being maintained by Surrey Police. The DVDs were sent by tracked DX delivery to another CPS office to be examined by specialists and were noted to have been delivered before 7 in the morning. The DVDs were likely to have been left in a reception area where individuals not employed by the CPS could have had access to the package. The CPS could not locate the package. It therefore did not have in place adequate technical and organisational measures.

The University of Greenwich
The University of Greenwich was served a monetary penalty notice in the amount of £120,000 [pdf] after a breach of security resulted in the personal data of approximately 19,500 individuals being extracted by an unauthorised attacker. The personal data included sensitive personal data in relation to 3,500 individuals. The attacker posted the personal data on a third party website. The Commissioner found that the university had failed to have in place adequate technical and organisational measures to ensure that, so far as was possible, the security breach which occurred did not happen and thus contravened the seventh data protection principle.

Bayswater Medical Centre
Bayswater Medical Centre was served a monetary penalty notice in the amount of £35,000 [pdf] after it left sensitive personal data in an empty premises. The practice had operated from two sites, but merged down to one, retaining the second as a storage facility. Another GP practice sought to take over the lease and Bayswater Medical Centre provided the second GP practice with a set of keys. On numerous occasions the second practice notified Bayswater Medical Centre of the presence of the medical centre’s patient records, which were unsecured. Bayswater Medical Centre did nothing to rectify the situation, including failing to remove the records from the premises when the new practice requested that it uplift the records. The Commissioner found that the Medical Centre had failed to comply with the requirements of the seventh data protection principle.

Prosecutions
A limited company and its director have been prosecuted by the Information Commissioner’s Office for failing to comply with an Information Notice. The Information notices were issued in October 2017 and both failed to respond to the notices. The company was fined £1,000 and ordered to pay a £100 victim surcharge while the director was fined £325 and ordered to pay a victim surcharge of £32. The director was also ordered to pay £364.08 in prosecution costs.

A former recruitment consultant was successfully prosecuted by the Information Commissioner’s Office after he illegally obtained personal data. The defendant set up his own recruitment consultancy and left his former employer’s employment. When he left, the defendant took 272 CVs from his former employer’s database without consent. He admitted an offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998. He was fined £355 and ordered to pay a £35 victim surcharge and £700 prosecution costs by Exeter Magistrates’ Court.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.


Personal Data and FOI: to anonymise or not to anonymise

I recently wrote a blog post covering the release of third party personal data under freedom of information laws in both Scotland and the rest of the UK. Requests which seek the release of third party personal data, or where information within the scope of a FOI request constitutes the personal data of a third party, are the most common examples of where freedom of information and data protection overlap; however, they are not the only examples.

On Friday of last week, the Herald contained a piece covering calls which had been made to anonymise FOI requests which are sent to government advisers. These calls follow on from some high profile disagreements between the Scottish Government and journalists. The allegation levelled against the Scottish Government is that ministers and their advisers are having undue influence over what information is and is not released under the Freedom of Information (Scotland) Act 2002, in particular where the request comes from a journalist. The Scottish Information Commissioner is currently carrying out an “intervention” which is looking at this matter alongside one which has a wider remit in relation to the Scottish Government’s handling of FOI requests. It is understood that the Commissioner’s Office will report its findings of these interventions in the next month or so.

These wider issues are not, however, the focus of this blog post. Rather, the focus of this blog post relates to the call to anonymise FOI requests in this way and whether this is a practice that public authorities ought to be following in any event.

The General Data Protection Regulation and the Data protection Act 2018 now govern how organisations, such as public authorities, process personal data. Reducing the data protection framework down to its most basic requirement, data controllers should not be processing the personal data of a data subject unless they have a lawful basis to do so.

When a public authority circulates a request for information, or a proposed response to a request for information, that is not stripped of the personal data of the requester then that would amount to the processing of personal data of which the requester is the data subject. What is the lawful basis of processing in Article 6 of the GDPR which enables the public authority to process the requester’s personal data in that way?  Clearly there is a need for the requester’s personal data to be processed in order to enable the response to be issued to the requester and there will no doubt be some central record which records who has made FOI requests, what the request was for and what the outcome of the request was – if only to enable the authority to respond to an internal review, appeal to the Commissioner or appeal to the tribunal/courts.

The Authority cannot possibly have the consent of the data subject to process their personal data by circulating it around the authority. Consent cannot be inferred in the way that would be necessary in order to rely upon consent. There’s no contract with the data subject which would require the processing of their personal data in this way.

Answering a FOI request is a legal obligation on the part of the public authority, but is it necessary to provide the name of the requester to the department(s) who need to search for the information or to an official or adviser who is having input into the response? Probably not, especially when set against the ‘applicant blind’ way in which FOI requests are supposed to be dealt with. Is it necessary in order to protect the vital interests of the data subject or of another natural person? I’d have thought it unlikely. Again, it’s unlikely to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Finally, it’s unlikely that it would be necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In short, it’s unlikely that it is necessary for those searching for the information or considering the proposed response to know who the requester is. There are, of course, situations where a different course might be required. For example, if considering refusing the request on the grounds that it is vexatious under section 14 of the Freedom of Information (Scotland) Act 2002 or section 14 of the Freedom of Information Act 2000; it will often be necessary to speak with other areas of the organisation, especially persons responsible for handling complaints. In such circumstances it would be necessary for those being consulted to know the identity of the requester, otherwise the evidence required in order to justify reliance upon the vexatious provisions could not be gathered.

In normal circumstances, public authorities should probably be removing personal data such as a requester’s name, place of work and job title (where included) from a request before sending it out to those who need to perform searches for information or those who, in accordance with the authority’s internal procedures, need to approve responses before they’re issued. Only where the identity of the requester is directly relevant to the response, such as where consideration is being given to refusing the request on the grounds that it is vexatious, should the identity of the requester be disclosed; otherwise it may amount to a breach of data protection law.

It may be relevant at this juncture to look, briefly, at the applicant blind requirement of freedom of information law. The applicant blind requirement is not specifically provided for within the relevant legislation; however, it has been understood for some considerable time that requests ought to be dealt with in a way that means that they are applicant blind. The applicant blind requirement is often largely over-stated. There are clearly situations where the applicant’s identity will be relevant: for example, is it a request for that person’s own personal data, is it a vexatious/repeated request, or are you aware of any disability which may mean that you need to make reasonable adjustments in terms of the Equality Act 2010? If public authorities applied the applicant blind requirement absolutely and slavishly, it would cause difficulties in those situations and also in others.

The purpose of the applicant blind test is to ensure that, other than where the exemption necessitates it, the requester’s identity does not form part of the decision in whether to apply an exemption or in the application of the public interest balancing test. Anonymising FOI requests when they go out to the wider organisation or to selected individuals for comment/approval assists to ensure that the applicant blind aspect of the FOI regime is also complied with.

Alistair Sloan

If you require advice and assistance in connection with a freedom of information or data protection matter then contact Alistair Sloan on 0141 229 0880. Alternatively you can send Alistair an E-mail.

Data Protection Act 2018

Earlier this week the House of Lords and the House of Commons completed their game of ping pong with the Data Protection Bill and it completed its journey through the Parliamentary procedure; a journey which began when the Bill was introduced to the House of Lords by the Department for Culture, Media and Sport (DCMS) in September 2017. Almost eight months later, and after quite a bit of amendment, the Bill has now received Royal Assent to become the Data Protection Act 2018.

It is expected that the various pieces of secondary legislation which are required to bring the Act into force and make transitional provisions will be signed by a Minister in the DCMS later today or tomorrow to ensure that the Act comes into force on Friday.

The new Data Protection Act 2018 does a number of things: (1) it deals with those areas within the GDPR, such as exemptions, which have been left to Member States to deal with individually; (2) applies the GDPR (with appropriate modifications) to areas which are not within the competence of the European Union; and (3) gives effect to the Law Enforcement Directive (which should have been in place by the 6th May 2018, but better late than never).

Data Protection law has become much more complex than was the case under the Data Protection Act 1998; it requires individuals to look in many more places to get a proper handle upon what the law requires (and that’s before we start to get decisions from the European and domestic courts).

There has been an indication by some campaign groups that there might be an early challenge to the immigration exemption within the Bill which will have an impact upon the information that data subjects can obtain from the Home Office under the subject access provisions within the GDPR.  It will certainly be interesting to see whether such a challenge is in fact made and what the outcome of it is – and of course, we will cover any decision on that point should one be made by a court.

Alistair Sloan

If you require further information in relation to any data protection or privacy law concern then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Data Protection Impact Assessments under the GDPR

Accountability is an important aspect of the General Data Protection Regulation (GDPR).  The accountability principle in Article 5(2) of the GDPR obliges data controllers to be able to demonstrate that they are complying with the data protection principles in Article 5(1) of the GDPR.  Some of the technical requirements placed upon data controllers within the GDPR can be traced back, at least in part, to the accountability principle.  One of the requirements of the GDPR which will assist data controllers to demonstrate compliance with the data protection principles is the requirement to complete, in certain circumstances, a Data Protection Impact Assessment (DPIA).

For a number of years supervisory authorities around the EU, including the UK Information Commissioner, have encouraged organisations to conduct a Privacy Impact Assessment (PIA) as part of their promotion of good data protection practice. DPIAs are simply PIAs by another name. The requirements for DPIAs are set out in Articles 35 and 36 of the GDPR.

When do I need to perform a DPIA?

Article 35(1) of the GDPR requires data controllers to conduct an assessment of the impact of envisaged processing operations on the protection of personal data where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.  The DPIA must be conducted prior to undertaking the processing envisaged.

Article 35(3) sets out specific circumstances where a DPIA should be carried out by a data controller and those are:-

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

When deciding whether a DPIA is required it will be important for data controllers to check the ICO’s website. The Information Commissioner is required to publish a list of the kind of processing operations which are subject to the requirement for a DPIA.  If the processing operations envisaged by a controller appear on this list, then they will be required to carry out a DPIA.  Article 35(5) also empowers the Information Commissioner (but does not require her) to establish and publish a list of the kind of processing operations for which no data protection impact assessment is required.

What does a DPIA require?

Article 35(7) sets out what the DPIA must include as a minimum; these are:-

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects (the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage – see recital 75 of the GDPR for more detail)
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data; and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

It should be noted that the requirements set out in Article 35(7) for the content of a DPIA are a minimum; there may be situations in which a DPIA requires to go beyond what is set out above.

The role of the Data Protection Officer

If you have appointed a Data Protection Officer, then Article 35(2) of the GDPR requires that you seek advice from them when carrying out a DPIA. It should be remembered that a DPIA might change a number of times during the process; you should therefore keep your DPO involved throughout and be seeking advice from them regularly at appropriate junctures. Seeking advice from the DPO is not simply a box-ticking exercise and should therefore not be treated as such. If you treat it as a simple box-ticking exercise you could find yourself not complying properly with the requirements of the GDPR and could potentially be missing out on valuable advice. Remember that controllers are not obliged to follow the advice of their DPO, but if they elect to act contrary to that advice then they should document this and could be required to defend that decision.

The Role of The Information Commissioner

I have already indicated that the Information Commissioner has a role in the DPIA process, but her role is more extensive than has already been covered above. There are circumstances, set out in Article 36 of the GDPR, in which controllers will be required to consult with the ICO.  This applies where, in the absence of any mitigating measures by the controller, the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects.

Within a period of 8 weeks following receipt of the request for consultation (but this may be extended by a further 6 weeks in appropriate cases) the Information Commissioner is required to provide written advice to the controller where she is of the opinion that the intended processing would infringe the Regulation.  It is therefore important that you consult the Commissioner well in advance of undertaking the envisaged processing to ensure that you have enough time to receive any written advice from the Commissioner and to consider and apply it.

The Information Commissioner’s role does not end there; she is not simply limited to giving written advice to the controller.  She can also become much more involved by conducting a data protection audit, issuing a formal warning that the intended processing is likely to infringe the provisions of the GDPR, and even limiting or prohibiting (temporarily or indefinitely) a data controller from undertaking the proposed processing.

Penalties

A failure by a controller to comply with its obligations to conduct a DPIA where one is required can attract an administrative fine of up to €10,000,000 or 2% of global turnover (whichever is greater); as can a failure to consult with the Information Commissioner where consultation is required under Article 36 of the GDPR.  Failure to comply with an order limiting or prohibiting the processing (whether temporary or indefinite) can attract an administrative fine of up to €20,000,000 or 4% of global turnover (whichever is greater).

Can I undertake a DPIA when one is not required by the GDPR?

Yes you can; a properly completed DPIA will be of assistance to you in demonstrating that you are complying with the data protection principles. A DPIA on its own will usually be insufficient to completely comply with the Article 5(2) obligations (even where it is required by Article 35), but a properly completed DPIA is certainly something that you can produce to the Information Commissioner to help evidence that you are taking your data protection obligations seriously.

Alistair Sloan

If you require advice or assistance with Data Protection Impact Assessments or any other data protection matter then contact Alistair Sloan on 0141 229 0880 or by E-mail. Alistair can also assist with other aspects of information law.

The Tension Continues: GDPR, FOI and EIRs

An exemption that is frequently deployed by Scottish public authorities is the exemption in section 38 of Freedom of Information (Scotland) Act 2002 (along with its corresponding exception in the Environmental Information (Scotland) Regulations 2004, regulation 11) which relates to personal data; both the personal data of the requester themselves as well as the personal data of third parties.  Data protection law is changing later this month and as a consequence section 38 (as well as Regulation 11 of the Environmental Information Regulations) will also see some amendment.

The Data Protection Bill proposes amendments to both the Freedom of Information (Scotland) Act 2002 (“FOISA”) as well as the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”).  The Bill is still making its way through the UK Parliamentary procedure and is due to have its third reading later today (9 May 2018) and, subject to completing its passage through Parliament in time, will come into force on 25 May 2018.  There are currently no amendments tabled in the Commons ahead of the Bill’s third reading that would affect the relevant provisions in the Bill, but it is important to bear in mind that until the Bill completes its journey through the various stages of the legislative process it can be amended – even if it passes the Commons today, it still has to go back to the House of Lords and could become locked in a game of ping-pong between the Commons and the Lords during which time it could be further amended.  However, it seems unlikely that there will be any changes to the relevant provisions within the Bill.

Schedule 18 to the Bill proposes the amendments that should be made to a wide range of primary and secondary legislation, both reserved and devolved.  Paragraphs 88-90 of Schedule 18 (as it stands at the time of writing) contain the amendments that will be made to section 38 of FOISA; meanwhile paragraphs 292-294 of Schedule 18 contain the amendments that will be made to the Scottish EIRs.

The Office of the Scottish Information Commissioner has published, in draft form, updated guidance on the application of section 38 to take account of the GDPR and the expected amendments to the relevant parts of FOISA and the Scottish EIRs. As it is still in draft form, anybody relying upon it (requester or public authority) should continue to monitor it to ensure that it has not been updated.

The proposed amendments to FOISA and the Scottish EIRs look, on the face of it, quite significant.  However, the addition of a lot of text to section 38 and regulation 11 does not necessarily mean that there will be a drastic change in practice on the ground.  One thing that public authorities should be aware of is the proposed subsection (5A) to section 38 and the proposed paragraph (7) of regulation 11.  These proposals will have the effect of re-instating the ‘legitimate interests’ condition for lawful processing where public authorities are considering the release of third party personal data under FOISA or the Scottish EIRs.

In short, what this will mean is that public authorities will be able to consider legitimate interests in the same way as they do now under condition 6 of schedule 2 when dealing with FOI requests under either regime.  Had it not been for these proposed provisions then the GDPR might well have had a significant impact upon the release of third party personal data under FOISA and the Scottish EIRs; it would have had the effect of removing the processing condition mostly relied upon when releasing third party personal data in response to FOI requests.  It should be noted that Schedule 18 to the Data Protection Bill proposes re-instating the legitimate interests condition in respect of the release of third party personal data under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (see, as at the time of writing, paragraphs 58 and 289 of Schedule 18 respectively).

There is very little difference between condition 6 of Schedule 2 to the Data Protection Act 1998 and the legitimate interests condition in Article 6 of the GDPR and in practical terms there is almost no difference at all.  The only real area where there may be some difference is where the third party personal data is that of a child where Article 6(1)(f) of the GDPR instructs data controllers to have particular regard to the interests and fundamental rights and freedoms of data subjects who are children.  In reality, the fact that a data subject is a child is likely to always have been a factor that has been taken into consideration when undertaking the balancing exercise required by Condition 6 of Schedule 2 and so even to this extent there is unlikely to be much in the way of change.

Of course, the provisions are untested and the Commissioner and courts could take a different view, but in my view we are likely to see the release of the same sorts of third party personal data under FOISA and the Scottish EIRs after the GDPR as we do now.  Furthermore, there is the question as to whether the re-introduction of legitimate interests for FOI purposes is lawful in terms of EU law.  Article 85 of the GDPR does require Member States to reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information.  Whether the UK Government’s method of reconciling the two, by effectively disapplying the prohibition on public authorities relying upon legitimate interests in respect of the performance of their tasks, is permitted by EU law is something we might need to wait to discover (then again, the UK might not be in the EU long enough for that matter to be determined – but that’s a whole different issue).

In conclusion both requesters and public authorities should familiarise themselves with the amended section 38 and regulation 11.  In practice not much, if anything, is likely to change when it comes to the releasing of third party personal data under FOI laws (both Scottish and UK regimes). However, public authorities and requesters should keep a close eye on the decisions of both the Scottish and UK Information Commissioners as well as the First-Tier Tribunal, Upper Tribunal, English and Welsh Court of Appeal, the Court of Session and the UK Supreme Court.

Alistair Sloan

If you require any assistance with any Freedom of Information or Data Protection/Privacy law matter you can contact Alistair Sloan on 0141 229 0880 or by E-mail.  We also have a twitter account dedicated to information law matters from across the UK.

Data Protection/Privacy Enforcement: April 2018

In April the Information Commissioner’s Office published a number of enforcement measures taken against public and private organisations under both the Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  The key points to draw from the enforcement action this month should be familiar to anyone who has been reading this series of blog posts since it began in September.

Key Points

  • It is important to keep track of personal data, especially when it is sensitive personal data; if it is to be sent out of the organisation ensure that it is properly secured and that a record of it being sent and received is kept.
  • Before sending out information to your customers it is important to consider whether the information you are sending is properly business information (or information you’re required to give by law), or whether it is actually promotional or marketing material. If it’s promotional or marketing material ensure that you only send it to the E-mail addresses of people who have consented to receive promotional or marketing material from you.
  • Make sure that before you conduct a marketing campaign by telephone that you do not include numbers listed with the TPS unless you have the consent of the subscriber to contact them by phone for the purposes of direct marketing.
  • When disclosing information to someone, whether under FOI laws or not, ensure that you do not accidentally disclose personal or sensitive personal data of third parties where you do not have legal grounds to do so. Be especially careful with pivot tables; a number of public authorities have found themselves in regulatory hot water over the use of pivot tables. The ICO produced a helpful blog post in 2013 on the issue of pivot tables.
  • If you are an employee it is important that you remember that you should only be accessing personal data where you have a proper business need to do so and should only be disclosing personal data where you need to do so in order to properly perform your role. You can be held personally liable and find yourself being prosecuted in the criminal courts.

Enforcement action published by the ICO in April 2018

Humberside Police
The Information Commissioner, exercising her powers under section 55A of the DPA, served a Monetary Penalty Notice in the amount of £130,000 [pdf] for breaches of the DPA.  The force conducted an interview of a person alleging that they had been the victim of rape, on behalf of Cleveland Police. The interview was filmed and three copies of it existed: the master and two copies. The discs were unencrypted. They were to be sent to Cleveland Police, but were never received by Cleveland Police. Humberside Police were unable to locate the discs or to confirm whether they had ever been posted to Cleveland Police.  The Commissioner found that Humberside Police had failed to comply with the seventh data protection principle and also paragraph 9 of Schedule 1 to the DPA.

Royal Mail Group Limited
The Information Commissioner served a Monetary Penalty Notice on Royal Mail Group Limited for contravening Regulation 22 of PECR.  The Monetary Penalty Notice was in the amount of £12,000 [pdf]. Royal Mail Group is the designated Universal Postal Service Provider in the UK and as such, it has certain statutory responsibilities to disseminate certain information. Royal Mail Group Limited sent E-mails to all of its customers, including those who had opted not to receive electronic marketing, to notify them of a change in price for second class parcels purchased online.  The price change was described as being a “promotional” one. The Commissioner found that this amounted to direct marketing rather than information that Royal Mail was obliged to provide under the Postal Services Act 2011 and was therefore in contravention of Regulation 22 of PECR.

The Royal Borough of Kensington and Chelsea
The Information Commissioner served a monetary penalty notice on the Royal Borough of Kensington and Chelsea in the amount of £130,000 [pdf] for breaches of the DPA. The breach arose out of a request for information made to the council pursuant to the Freedom of Information Act 2000. The Council answered the request for information by providing a pivot table to the requesters. The council did not properly redact the underlying information which was then accessible to the requesters without too much difficulty; the underlying information included personal data.

The Energy Saving Centre Limited
The Information Commissioner has served the Energy Saving Centre Limited with a Monetary Penalty Notice in the amount of £250,000 [pdf] and also with an Enforcement Notice [pdf] for contraventions of PECR.  The Commissioner had found that the Energy Saving Centre Limited had made tens of thousands of marketing calls to numbers which were listed with the Telephone Preference Service and where the individual subscribers to those numbers had not given consent to the Energy Saving Centre Limited to be contacted by phone for marketing purposes.  The Enforcement Notice requires the company to stop making unlawful calls – failure to comply with an Enforcement Notice is a criminal offence.

Approved Green Energy Solutions
The Information Commissioner has served a Monetary Penalty Notice [pdf] on an individual who traded as a sole trader under the name Approved Green Energy Solutions.  The amount of the penalty was £150,000. Approved Green Energy Solutions used a public telecommunications service to make in excess of 330,000 unsolicited telephone calls for the purpose of direct marketing where the line subscriber had listed their number with the Telephone Preference Service (“TPS”). The Commissioner and the TPS received 107 complaints directly from individuals affected.

Prosecutions
A former receptionist/general assistant at Milton Keynes University Hospital NHS Foundation Trust has been prosecuted by the Information Commissioner after she inappropriately accessed the records of 12 patients when not required to do so in the course of her employment. The defendant entered a plea of guilty to offences of unlawfully accessing personal data and unlawfully disclosing personal data in breach of section 55 of the DPA. The Defendant was fined a total of £300 and ordered to pay a £30 victim surcharge.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relates to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likely to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374).  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that a legitimate interest is being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released are specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific.

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and enacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very much in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly by E-mail.  We have a Twitter account dedicated to information law issues, which you are welcome to follow.

The Information Commissioner’s power to compel information

The Information Commissioner is presently undertaking an investigation into the possible unlawful use of personal data, in particular, data analytics, by political parties and political campaigning organisations.  The most high profile activity that the Commissioner has undertaken in respect of that investigation has to be the obtaining and execution of a warrant to search the offices of Cambridge Analytica.  As part of that investigation it has been reported that a number of persons and organisations involved in politics have been served with Information Notices by the Information Commissioner, including the United Kingdom Independence Party (UKIP), Leave.EU and Arron Banks.

An Information Notice is a formal investigative tool which the Information Commissioner can use in order to gather information. Her power to issue such notices, in respect of the processing of personal data, is to be found in section 43 of the Data Protection Act 1998. There are two circumstances in which the Commissioner can issue an Information Notice: (1) when conducting an assessment pursuant to section 42 of the Data Protection Act 1998; and (2) where the Commissioner reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles. Broadly speaking, this means that the Commissioner can issue an Information Notice either when her office is conducting an assessment at the request of a data subject, or during an investigation which the Commissioner has instigated herself.

An Information Notice is simply a document which requires the data controller concerned to provide the Commissioner with the information specified within the notice, relating either to the section 42 request or to the controller's compliance with the data protection principles. However, its simplicity obscures its formality. The issuing of an Information Notice is a formal step, and a serious one for the recipient of the notice. There is an automatic right of appeal against the notice, or any part of the notice, to the First-Tier Tribunal (Information Rights). The right of appeal exists precisely because of the notice's formality and the consequences of not complying with it. It has been reported that UKIP has appealed the Information Notice served on it to the Tribunal.

An Information Notice is more than a polite request for information; it is a formal demand for information which is backed up by the threat of sanctions. It is a criminal offence to fail to comply with an Information Notice, which can result, on conviction, in a fine. Furthermore, it is a criminal offence to (i) make a statement in response to an Information Notice which is known to be false; or (ii) recklessly make a false statement in response to an Information Notice.

When serving an Information Notice, the Commissioner can specify or describe the particular information she requires, or can be broader and instead specify or describe categories of information that she requires from the data controller. There are, however, some restrictions on the information that the Commissioner can require a data controller to provide. A data controller is not required to furnish the Commissioner with (a) "any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to the person's obligations, liabilities or rights under [the Data Protection Act 1998]", or (b) "any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of [the Data Protection Act 1998] (including proceedings before the Tribunal) and for the purposes of such proceedings."

A data controller can also refuse to provide information which would reveal evidence of the commission of any offence. There are, however, exceptions to this general exception: if the offence is an offence under the Data Protection Act 1998, or an offence under certain statutory provisions concerning the giving of false evidence, then the data controller may still be required to provide the Commissioner with that information.

The serving of an Information Notice on a data controller is a significant step by the Commissioner and one that the recipient should not take lightly. The consequences of failing to comply with the notice, or of deliberately or recklessly misleading the Commissioner through the provision of false information, can see the data controller facing criminal charges. The notice can be challenged through the First-Tier Tribunal (Information Rights), which could see part or all of the notice reduced or quashed. The Data Protection Bill contains provisions in relation to Information Notices which are for the most part identical to the powers found within the Data Protection Act 1998, and so the Commissioner will continue to possess this potentially powerful tool once the GDPR becomes a reality next month (subject, of course, to the Data Protection Bill completing its passage through Parliament and receiving Royal Assent in time).

Alistair Sloan

If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter, you can contact Alistair Sloan on 0141 229 0880. Alternatively you can contact him directly by E-mail. We also have a dedicated information law Twitter account which you can follow.