Monthly Archives: July 2018

Information Notices: UKIP -v- Information Commissioner

Last week the Information Commissioner published an update on her investigation into the use of personal data in political campaigning; it received much publicity and I wrote about the report on this blog. In the report it was revealed that the First-Tier Tribunal (Information Rights) (hereafter “FTT”) had dismissed an appeal by the United Kingdom Independence Party (“UKIP”) against an Information Notice served upon it by the Commissioner.

I have previously written on Information Notices more generally (which dealt with them under the Data Protection Act 1998 (”DPA98”), rather than the Data Protection Act 2018(“DPA18”)) and so I don’t propose to set out in any detail what an Information Notice is; however, in brief the Commissioner had the power to compel a person (not just a data controller) to provide her with certain information under section 43 of the DPA98; failure to comply with an Information Notice issued under the DPA98 is a criminal offence.

In my blog post last week I said that I would try and blog when the FTT published its decision in respect of UKIP’s appeal against the Information notice. The FTT has now published its decision in United Kingdom Independence Party (UKIP) –v– The Information Commissioner [pdf]. The background to the Information Notice is set out in the decision, but it appears that the Commissioner’s office wrote to UKIP asking it to provide certain information. UKIP responded, but did so in a very unsatisfactory manner. In particular the answers given were lacking in detail and contradicted information obtained by the Commissioner’s office from the Electoral commission website.  As a result, the Commissioner used her power to compel information from UKIP.

UKIP appealed on the grounds that the Information Notice was “unjust, disproportionate and unnecessary because the UKIP has never suggested it would not comply and that a preferable course of action would have been for the Commissioner to write seeking clarification and specific details.“ [para 13] It seems that the Tribunal issued Directions asking the Commissioner whether she could issue a fresh Information notice because the FTT was not clear on certain matters; however, it was pointed out that this was not open to either the FTT or the Commissioner and that the FTT must allow or dismiss the appeal by UKIP.

The matters upon which the FTT was uncertain were clarified by the Commissioner and ultimately the appeal was dismissed by the FTT. The appeal was considered, at the request of both parties, on the papers alone and therefore no hearing took place. The Tribunal concluded that “the expressed intention of UKIP to provide information and co-operate with the Commissioner is at odds with the information provided by UKIP.” [para 19] UKIP was not arguing that the Notice was not issued “in accordance with the Data Protection Act [1998]” [para 20].

It appears from the FTT’s decision that UKIP later did try to argue that it was not in accordance with the law founding upon the FTT’s own request for clarification; however, the FTT decided that the “notice, of itself, is clear”  and that the reasoning advanced by UKIP did “not provide grounds for allowing this appeal.” [para 25]

The Tribunal also concluded that the appeal had no merit [para 26] before unanimously dismissing the appeal [para 27].

Information Notices are not a common feature of the data protection enforcement landscape. UKIP could seek to appeal the FTT’s decision to dismiss its appeal and whether UKIP seek permission to appeal the decision to the Upper Tribunal remains to be seen. My own view, from the information available in the FTT’s judgment, is that the ultimate conclusion of the FTT was correct; however, the route by which the FTT arrived at that conclusion is unhelpful and may be enough to persuade either the FTT or the Upper Tribunal to grant permission to appeal.

From reading the FTT’s decision it appears that there might have been some confusion on the part of the FTT concerning what its functions were in respect of Information Notices and what the statutory scheme for such a notice was. Whether this was down to the way in which the Commissioner had presented the case on the papers or down to a genuine lack of understanding by the FTT is something that we might never know (especially if there is no appeal by UKIP to the Upper Tribunal)

In terms of the actual decision; it is not at all surprising that the FTT did not take UKIP’s assertion that it would co-operate with the Commissioner at face value when presented with its response to the Commissioner’s more informal request for information from them. It underlines the importance of genuinely engaging with the Commissioner when they are undertaking investigations – they do have certain powers to assist them with their investigation and they do seem willing to use those powers where they feel as though they need to do so.

The framework for Information Notices has changed slightly under the GDPR/DPA18 – it’s no longer a criminal offence to fail to comply with an Information Notice; however, the Commissioner could go to court and obtain an Information Order from the Court where an Information Notice is not complied with. A right of appeal to the FTT continues to exist against Information Notices issued under the DPA18.

Alistair Sloan

If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter you can contact Alistair Sloan on 0141 229 0880.  Alternatively you can contact him directly by E-mail.  We also have a dedicated information law twitter account which you can follow.

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Data Protection/Privacy Enforcement: June 2018

June was exceptionally good weather wise with lots of bright and sunny weather, but the outlook for some data controllers was not so bright or sunny as the Information Commissioner took action againt them for data protection and privacy breaches. Many of the key points arising out of last month’s enforcement action make a regular appearance on this blog. In relation to enforcement of (the now repealed) Data Protection Act 1998, the focus remains heavily on breaches of the seventh data protection principle relating to technical and organisational measures.

Key Points

  • Train, train, train – training is a key aspect of a data controllers ability to reduce the risk of suffering a data breach. Ensuring that all staff receive appropriate training on data protection relevant to their job role upon induction; and regular refresher training thereafter, is a core aspect of ensuring that the organisation has in place adequate organisational measures. It’s also important to ensure that people actually undertake induction and referesher training on offer. It is all very well having lots of well designed and worked-out policies, procedures and training material, but if nobody is being trained on the policies and procedures, then the controller might as well have not made the investment in the first place.
  • Sending bulk E-mails is a high risk activity and extreme care should be taken to ensure that personal data is not inappropriately revealed. The manual entry of E-mail addresses can pose a significant risk; even if there is a well documented procedure to use the Bcc field (and everyone has undergone their induction and refresher training setting out this procedure).
  • The right of subject access is a core right of data subjects and it is therefore important that data controllers have in place adequate procedures to identify, record, track and respond to subject access requests. A failure to comply with a subject access request can result in a data subject making a complaint to the Information Commissioner (who may take enforcement action) or applying to the court for an order forcing the data controller to comply.
  • When conducting direct marketing campaigns by electronic means, make sure that you really do have in place the appropriate consents. Further, if you’re sending something as a service message make sure it really is a service message and not a marketing message dressed up as a service message.
  • If you are making live telephone calls for the purposes of direct marketing you must ensure that you do not make calls to telephone numbers listed with the Telephone Preference Service unless you have clear consent to do so.

Enforcement action published in June 2018

 The British and Foreign Bible Society
The British and Foreign Bible Society was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after suffering a ransomware attack. This had been possible after a brute-force attack had exploited a vulnerability of a weak password. This gave them access to the Remote Desk Server (which allowed home working). The attackers were therefore able to access personal data. The Commissioner considered that the British and Foreign Bible Society did not have in place adequate organisational and technical measures and as such was in breach of the seventh data protection principle.

Chief Constable of Humberside Police
The Chief Constable of Humberside Police gave an undertaking to the Information Commissioner after loosing interview disks and written notes concerning n allegation of rape [pdf]. Humberside Police had conducted the interviews on behalf of another force. During the course of the Commissioner’s investigation into the data breach, it transpired that training compliance within the force on data protection was only 16.8%. Of the three officers involved in the initial incident, two had received training some years ago and the third had received no training at all.

Chief Constable of Gloucestershire Police
The Chief Constable of Gloucestershire Police was served with a Monetary Penalty Notice in the amount of £80,000 [pdf] after sending a bulk E-mail which identified victims of historic child abuse. In December 2016 an officer sent an update about investigations into allegations of child abuse relating to multiple victims. The officer did not make use of the ‘Bcc’ function and instead entered all of the E-mail addresses into the “to” field thus revealing the E-mail addresses of every recipient to every other.

Ainsworth Lord Estates Limited
Ainsworth Lord Estates Limited was served with an Enforcement Notice after it failed to respond to a Subject Access Request made by a data subject [pdf]. The data subject made a subject access request to the controller and got an out of office response; when they received no response they attempted to engage with the controller, but got no response. When the Commissioner became involved her office attempted to contact the controller, but had no success in receiving a response.

British Telecommunications Plc
British Telecommunications Plc (BT) was served with a Monetary Penalty Notice in the amount of £77,000 [pdf] for breaching the provisions of the Privacy and Electronic Communications (EC Directive) regulations 2003. A complaint was made to the ICO by an individual who had opted out of receiving marketing communications from BT when they received a message from BT promoting its ‘My Donate’ platform. The Commissioner opened an investigation as it appeared the message had been sent to  the whole of BT’s marketing database. BT advised the Commissioner that it considered that the message re ‘My Donate’ was a service message, rather than a marketing message. Two other marketing campaigns took place, which BT accepted were marketing campaigns and argued that they had complied with the requirements of PECR by only sending it to those who had opted-in; BT purported to also reply upon the ‘soft opt-in’. The Commissioner found that in relation to all three campaigns, BT had failed to comply with Regulation 22 of PECR.

Our Vault Limited
Our Vault Limited was served with an Enforcement Notice [pdf] and also with a Monetary Penalty Notice in the amount of £70,000 [pdf] after it failed to comply with the provisions of PECR. The company made live telephone calls for the purposes of marketing the products of a third party company (under the guise of conducting lifestyle research); including to numbers that were listed with the Telephone Preference Service where they did not have the consent of the subscriber to do so, contrary to Regulation 21 of PECR.

Horizon Windows Limited
Horizon Windows Limited was served with an Enforcement Notice after it failed to comply with the provisions of Regulation 21 of PECR [pdf]. In this case complaints continued to be received by the Commissioner during the course of her offices’ investigation.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.