Tag Archives: Privacy News

The Information Commissioner’s Powers of Entry and Inspection

Yesterday I wrote a blog post looking at data subject’s rights and lessons for controllers arising out of the Cambridge Analytica and Facebook privacy matter.  In that blog post I mentioned briefly about the Information Commissioner’s powers of entry and search after the Commissioner announced that she was seeking a warrant to enter and search Cambridge Analytica’s premises.   In this blog post I will look at the Commissioner’s powers of entry and search in a bit more detail.

As noted yesterday, the Commissioner’s powers of entry and search are contained in Schedule 9 to the Data Protection Act 1998.  Schedule 9 sets out the circumstances in which a judge can grant a warrant to the Information Commissioner.  The judge considering the application must be satisfied, based on statements made on oath, that the there are reasonable grounds of suspecting that (a) a data controller has contravened or is contravening any of the data protection principles, or (b) that an offence under the Data Protection Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information supplied by the Commissioner.

The Commissioner is generally required, by the terms of Schedule 9 to the Data Protection Act 1998, to jump through some hoops before the judge considering the warrant application can grant the warrant to the Commissioner.  Paragraph 2 of Schedule 9 requires that the judge considering the application be satisfied of a number of other things:

  1. that the Commissioner has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises, and
  2. that either (i) access was demanded at a reasonable hour and was unreasonably refused, or (ii) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Commissioner or any of the Commissioner’s officers or staff to permit the Commissioner or the officer or member of staff to do any of the things she would be entitled to do if she had a warrant (see below); and
  3. that the occupier, has, after the refusal, been notified by the Commissioner of the application for the warrant and has had an opportunity of being heard by the judge on the question whether or not it should be issued.

Where the judge is satisfied that the case is one of urgency or that compliance with those provisions would defeat the object of the entry, the judge does not need to be satisfied of the three things listed above.  In this case, given that the Commissioner announced her intention to apply for a warrant on national television, it is likely that a judge will require to be satisfied of the three conditions listed above.

Who considers an application by the Commissioner for a warrant depends upon the jurisdiction in which the warrant is being applied for.  In England and Wales a District Judge (Magistrates’ Court) or a Circuit Judge has the power to grant the warrant; in Scotland it is the Sheriff and in Northern Ireland it is a Country Court Judge.

A warrant granted under Schedule 9 of the Data Protection Act 1998 gives the Commissioner the power to do a number of things; these things can be found in paragraph 1(3) of the Schedule and are:

  1. to enter the premises
  2. to search the premises
  3. to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data;
  4. to inspect and seize any relevant documents or other material found on the premises;
  5. to require any person on the premises to provide an explanation of any document or other material found on the premises;
  6. to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the data controller has contravened, or is contravening, the data protection principles.

The warrant must be executed at a reasonable hour, unless it appears to the person executing it that there are grounds for suspecting that the object of the warrant would be defeated if it were so executed, and within 7 days of the date of issue.  It allows the Commissioner, her officers and staff to use reasonable force to execute the warrant.

There are lots of other, really boring and technical requirements, which I won’t go into; the last thing I will mention is the terms of paragraph 12 of Schedule 9 which makes it an offence to: (i) intentionally obstruct a person in the execution of a warrant issued under Schedule 9; (ii) fail, without reasonable excuse, to give any person executing such a warrant such assistance as he may reasonably require for the execution of the warrant; (iii) makes a statement in response to a requirement  to provide information (see 5 and 6 in the list of powers the warrant gives the Commissioner) which that person knows to be false in a material respect; and (iv) recklessly makes a statement in response to such a requirement which is false in a material respect.

The Commissioner does get warrants from time to time; for example, earlier this month the ICO executed search warrants in relation to two properties in Greater Manchester as part of an investigation into companies suspected of sending text messages in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  The provisions of Schedule 9 to the Data Protection Act 1998 apply to PECR by virtue of Regulation 31 of PECR.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 0880.  Alternatively, you can send him an E-mail.

Data Protection, Facebook and Cambridge Analytica

We know that the Information Commissioner is investigating the circumstances surrounding the obtaining of personal data of a considerable number of individuals by Cambridge Analytica.  Cambridge Analytica is a data analytics company that is in the midst of what can only be described as a data protection and privacy scandal.

There are a number of significant allegations being made against Cambridge Analytica about how it obtains and processes personal data.  The Information Commissioner has also revealed that Cambridge Analytica is not cooperating with her investigation to the extent that she is going to apply for a warrant to enter and search their premises.  This means that, in all probability, the Commissioner has already sought access and it has been refused.  Schedule 9 to Data Protection Act 1998 sets out the Information Commissioner’s powers of entry and inspection; it permits the Commissioner to obtain a warrant from the court where the court is satisfied that a data controller has contravened or is contravening any of the data protection principles, or that an offence under this Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified.

This story is moving at quite a pace and is constantly changing with new revelations coming to light; it’s also the subject of an investigation by the Information Commissioner and there is the possibility that the company might face prosecution for offences under Section 55 of the Data Protection Act 1998 depending upon what the Commissioner finds during the course of her investigation.  I am therefore going to try and keep this blog post broad and theoretical rather than trample upon the toes of a live regulatory investigation.

A data controller has a duty to comply with the data protection principles in relation to all of the personal data for which they are the controller, subject to certain specified exemptions set out in statute.  The First data protection principle requires that personal data be “processed fairly and lawfully”; this requires the data controller to meet one or more of the conditions set out in Schedule 2 to the Data Protection Act 1998 (and, in respect of sensitive personal data, a condition in Schedule 3 also requires to be satisfied).

What can individuals do if they are concerned about whether Cambridge Analytica has any personal data concerning them and what they’ve been doing with it?  Data Subjects have a number of rights under the Data Protection Act 1998 and the cornerstone of those rights is the right of subject access.  This is currently given effect to in section 7 of the Data Protection Act 1998 and is not simply about getting copies of the personal data being processed by a data controller:  it consists of a whole suite or rights, of which getting a copy of the personal data is only one aspect.  Under the current law, data controllers are entitled to charge a fee up to a prescribed maximum for dealing with such requests; a request of this nature would attract a fee of £10, but many individuals might well think that this is a price worth paying to know if and how they have been affected by this issue.  Data Controllers have up to 40 days in which to comply with a subject access request.  Some key changes to the right of subject access will come into effect on 25th May 2018, but for now the law contained within the Data Protection Act 1998 is still applicable.

Once you have the response to your subject access request your rights do not end there; once you’ve established what a data controller is processing about you, what they’re doing with it and where they got it from there are a number of other steps that you might be able to take, such as requiring them to cease processing your personal data, complaining to the Information Commissioner or making a claim for compensation.

For data controllers, what is currently unfolding should be seen as an important lesson.  Data can be a useful tool to a business; whether it is being used for targeted marketing campaigns or to work out what consumers want from products and services in your market.  However, there are laws governing data protection and privacy and at the heart of those laws are the principles of fairness and transparency.  Controllers need to be careful as to how they obtain personal data, where they obtain it from, what they do with it and be certain that they have a lawful basis for processing that personal data in the ways that they want to do so; that may be because you have the consent of the data subject, because you have a legitimate interest in the processing or some other lawful ground for processing.  Don’t forget the Privacy and Electronic Communications (EC Directive) Regulations 2003 when conducting direct marketing by electronic means.

Simply because a person has made their personal data available, for example through social media, does not mean that is free to be used by whomever and for whatever they want.  The principles of the Data Protection Act 1998 still apply and the reputational damage that can be suffered may well vastly outweigh any regulatory action taken by the Information Commissioner or by data subjects themselves.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 08800.  Alternatively, you can send him an E-mail.