The Information Commissioner is presently undertaking an investigation into the possible unlawful use of personal data, in particular, data analytics, by political parties and political campaigning organisations. The most high profile activity that the Commissioner has undertaken in respect of that investigation has to be the obtaining and execution of a warrant to search the offices of Cambridge Analytica. As part of that investigation it has been reported that a number of persons and organisations involved in politics have been served with Information Notices by the Information Commissioner, including the United Kingdom Independence Party (UKIP), Leave.EU and Arron Banks.
An Information Notice is a formal investigative tool which the Information Commissioner can use in order to gather information. Her power to issue such notices, in respect of the processing of personal data, is to be found in section 43 of the Data Protection Act 1998. There are two circumstances in which the Commissioner can issue an Information Notice: (1) when conducting an assessment pursuant to section 42 of the Data Protection Act 1998; and (2) where the Commissioner reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles. Broadly speaking this means that the Commissioner can issue an Information Notice either when her office is conducting an investigation at the request of a data subject or an investigation undertaken by her office which has been instigated by the Commissioner herself.
An Information Notice is simply a document which requires the data controller concerned to provide the Commissioner with information specified within the notice relating to the section 42 request or the controller’s compliance with the data protection principles. However, its simplicity obscures its formality. The issuing of an Information Notice is a formal step, and is a serious one for the recipient of the notice. There is an automatic right of appeal against the notice or any part of the notice to the First-Tier Tribunal (Information Rights). The right of appeal exists precisely because of its formality and the consequences for not complying with the notice. It has been reported that UKIP has appealed the Information Notice served on it to the Tribunal.
An Information Notice is more than a polite request for information; it is a formal demand for information which is baked up by the threat of sanctions. It is a criminal offence to fail to comply with an information notice which can result, if convicted, in a fine. Furthermore, it is a criminal offence to (i) make a statement in response to an information notice which is known to be false; or (ii) recklessly make a false statement in response to an information notice.
When serving an Information Notice, the Commissioner can specify or describe the information required by her or can be broader and instead specify or describe categories of information that she requires from the data controller. There are some restrictions though on the information that the Commissioner can require a data controller to provide her with. A data controller is not required to furnish the Commissioner with (a) “any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to the person’s obligations, liabilities or rights under [the Data Protection Act 1998]”, or (b) “any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of [the Data Protection Act 1998] (including proceedings before the Tribunal) and for the purposes of such proceedings.”
A data controller can also refuse to provide information which would reveal evidence of the commission of any offence. However, there are some exceptions to this general exception; if the offence is an offence under the Data Protection Act 1998 or offences under certain statutory provisions concerning the giving of false evidence, then the data controller may still be required to provide the Commissioner with that information.
The serving of an Information Notice on a data controller is a significant step by the Commissioner and it is one that data controllers should not take lightly. The consequences for failing to comply with the notice or for deliberately or recklessly misleading the Commissioner through the provision of false information can see the data controller facing criminal charges. The Notice can be challenged through the First-Tier Tribunal (Information Rights) which could see part or all of the notice reduced/quashed. The Data Protection Bill contains provisions in relation to Information Notices which are for the most part identical to the powers found within the Data Protection Act 1998 and so the Commissioner will continue to possess this potentially powerful took once the GDPR becomes a reality next month (subject, of course, to the Data Protection Bill completing is passage through parliament and receiving Royal Assent in time).
If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter you can contact Alistair Sloan on 0141 229 0880. Alternatively you can contact him directly by E-mail. We also have a dedicated information law twitter account which you can follow.