Tag Archives: Information Commissioner

Commissioner Dispenses GDPR Administrative Fine

On 20th December 2019, the Information Commissioner published a Penalty Notice [pdf] it had issued under the Data Protection Act 2018 to Doorstep Dispensaree Limited in the sum of £275,000. While we have had the Marriot and British Airways Notices of Intent, this is the first penalty notice published by the Information Commissioner exercising her powers under the Data Protection Act 2018 and the General Data Protection Regulation to issue administrative fines (formally known in the UK as “Penalty Notices”).

In this case, the Information Commissioner was acting upon information received from another UK Regulator (the Medicines and Healthcare Products Regulatory Agency, or “MHRA”). The MHRA had executed a search warrant under its own regulatory scheme and discovered in a courtyard approximately 500,000 documents containing personal data, all of which were contained in an insecure manner. The MHRA inspected the documents and discovered that they contained personal data and special category personal data. The documents were dated from January 2016 to June 2018 and the condition of them indicated that they had been stored in the courtyard for some time. The Information Commissioner began an investigation; she wrote to the data controller asking a number of questions. The controller responded, via its solicitor; however, its response didn’t answer any of the Commissioner’s questions, but instead it seemed to the Commissioner (as recorded in the penalty notice) that the controller was denying any knowledge of the documents.

The Commissioner followed-up with more information and repeated the questions initially asked. The controller refused to answer those questions and the Commissioner records that it appears as though the Controller was conflating the separate investigation by the Commissioner with the one being undertaken by the MHRA. The Commissioner thereafter issued it with an information notice, which the controller (unsuccessfully) appealed to the First-Tier Tribunal. The Commissioner’s Penalty Notice then records that after the appeal was disposed of by the Tribunal, the controller did not comply timeously with the notice and the Commissioner had to threaten the controller with obtaining an information order and/or issuing a penalty notice.

The controller finally responded to the Information Notice, refusing to provide some information (under section 143(6) of the Data Protection Act 2018) on the basis that providing that information would open the controller up to prosecution by the MHRA in its separate criminal investigation. The controller provided various documents to the Commissioner, most of which were dated from 2015.

The Commissioner ultimately found that the controller’s infringements of data protection law were systemic in nature; the Commissioner pointed to the inadequate and outdated policies and procedures that it had in place. Furthermore, its privacy notice fell far short of what was enquired by Articles 13 and 14 of the GDPR. Interestingly, there appears to be no reference in the Penalty Notice to the early payment discount that was a feature of monetary penalty notices issued by the ICO under the Data Protection Act 1998.

The controller was also issued with an Enforcement Notice [pdf] by the Commissioner; which requires the controller to, among other things, update its internal policies and procedures, appoint a member of staff as an Information Governance Lead or Data Protection Officer, introduce mandatory training and update its privacy notice in line with Articles 13 and 14.

This Penalty Notice contains much that can be of assistance to controllers when it comes to enforcement action under the GDPR. The first point that is worth mentioning is that it is not recommended that controllers do not co-operate with the ICO during investigations. Indeed, controllers (and processors) and their representatives are under a positive duty to co-operate with the Commissioner (Article 31 of the GDPR). In any event, the Commissioner has a range of powers to ensure that she can properly investigate alleged breaches of data protection law; including, the power to issue an information notice, obtain an information order and obtain (and execute) a search warrant. It’s important that where you’re facing multiple regularly investigations simultaneously that you take each one seriously and understand precisely what each regulator is investigating and what their respective powers are.

It also appears that the Commissioner has dropped the early payment discount that used to be offered to controllers to encourage them to pay the penalty notice (an appeal automatically meant that the controller lost the early payment discount, as it would delay payment of the monetary penalty).

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Penalty Notices and Notices of Intent

Yesterday there was a great deal of excitement as some news outlets reported that British Airways had been fined £183m by the Information Commissioner’s Office. It became apparent fairly quickly that this wasn’t what had happened and that we are still waiting for the Commissioner to issue the first “penalty notice” for a breach of the General Data protection Regulation.

What did come to light yesterday was that the Commissioner had issued a notice of intent to British Airways giving them notice that she intends on issuing a penalty notice in the sum f £183m. This is not the first time where news of a notice of intent has resulted in reporting that the Commissioner had actually issued a financial penalty. The last time was when she issued Facebook with a notice of intent in respect of a pre-GDPR breach (a penalty was subsequently served on Facebook in the sum of £500,000 and that penalty is currently the subject of an appeal to the First-Tier Tribunal).

There is quite a bit of difference between a notice of intent and a penalty notice (formally known as a monetary penalty notice in the Data Protection Act 1998) and they shouldn’t be confused with one another. So, given the confusion, I thought I might write a brief guide to the process adopted in the UK in respect of administrative fines under the GDPR and the Law Enforcement Directive.

The process essentially begins with the Commissioner opening an investigation. This could be as a result of a mandatory breach notification by the controller, a complaint made by a data subject or  it having come to the attention of the Commissioner in some other way (for example, via the media). The Commissioner then enters into an information gathering phase, and she has the power to compel (subject to appeal and some other limited exceptions) data controllers to provide her with information by issuing an information notice should data controllers refuse to engage with her office.

At some stage the Commissioner will decide whether enforcement action is appropriate in the particular case. There will have been a dialogue of sorts going on between the Commissioner’s office and the controller during the information gathering phase. A financial penalty is not the only option available to the Commissioner. If the Commissioner decides that an administrative fine (in GDPR language, or “penalty notice” in the language of the Data Protection Act 2018 (“DPA2018”)) might be the appropriate means to deal with the breach, then she is required by Paragraph 2(1) of Schedule 16 to the DPA2018 to the to give written notice to the controller of her intent to do so; this is known as a “notice of intent”. This notice must contain certain information, which is set out in paragraph 3 of Schedule 16 to the DPA2018.

The notice of intent is an important step because, by virtue of paragraph 3(4) of Schedule 16, the notice of intent must contain details of a period in which the controller can make written representations to the Commissioner; this period must not be less than 21 days. The Commissioner is prohibited from serving a penalty notice until this period has expired (paragraph 4(1) of Schedule 16). Furthermore, before deciding to issue a penalty and before finally deciding upon the amount of any penalty, the Commissioner must consider any written or oral representations made by or on behalf of the controller (paragraph 4(2) of Schedule 16).

Essentially, the notice of intent forms part of the due process of law. The Commissioner sets out in the notice the basis upon which she believes a penalty notice is appropriate and the proposed amount of the penalty notice. The controller then has an opportunity to make its case to the Commissioner and put forward a legal or factual case which:- (a) argues that no penalty notice should or can be given; (b) challenges proposed findings in fact contained within the notice of intent; and/or (c) challenge the proposed amount.

When the commissioner issues a notice of intent, she (and her office) must continue to have an open mind. It is not simply a tick-box exercise; it is an important part of a formal legal process. The Commissioner must be open to being persuaded by the controller that she is wrong in any of the matters set out in the notice of intent; including, being persuaded that the legal tests for issuing a penalty notice has not been met.

A notice of intent is certainly not (or shouldn’t be) a guarantee that a penalty notice will follow, or that it will be in the amount specified in the notice of intent. It is no more than a formal document giving notice to a controller of the Commissioner’s intentions and forms part of the legal process for issuing an administrative fine.

Once a notice of intent has been served by the Commissioner, she is normally required to issue the penalty notice within 6 months (paragraph 2(2) of Schedule 16); this includes the time permitted for written, and where applicable, oral representations. However, this period can be extended where the Commissioner and the controller agree (paragraph 2(3) of Schedule 16)

Appeals
Unlike a notice of intent, a penalty notice is subject of a right of appeal to the First-Tier Tribunal. In such an appeal all of the relevant factual and legal matters are reconsidered by the Tribunal. The Tribunal is empowered to uphold the penalty notice, modify the penalty notice or quash the penalty notice. Thereafter, there are appeals (but not as of right, only with permission) to the Upper Tribunal and the courts on points of law. Failures within the notice of intent procedure would give rise to grounds of appeal in respect the penalty notice. Depending upon the nature of the defects they could ultimately lead to the Tribunal quashing the Penalty Notice.

“One Stop Shop”
One final thing of note is that the Information Commissioner is acting as the “lead supervisory authority” in the British Airways matter; this is a mechanism which exists in the General Data Protection Regulation and applies so long as the United Kingdom remains a member of the European Union. Other supervisory authorities from elsewhere in the EU will also have the opportunity to comment on the Commissioner’s enforcement action in this case. This is an important aspect to note in relation to all enforcement action, not just penalty notices. Before taking a final decision in the British Airways case the Information Commissioner will have to circulate a draft of her decision to those other supervisory authorities, who are then permitted to make comments; the Commissioner must take these comments into account. This mechanism applies where there is cross-border processing taking place (see Article 4(23) of the General Data Protection Regulation for a definition of “cross-border processing”), which was the case in repsect of the British Airways data breach.

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Cart before Horse

E.ON UK Plc v The Information Commissioner and Fish Legal [2019] UKUT 132 (AAC) is an appeal to the Upper Tribunal (Administrative Appeals Chamber) concerning an issue that doesn’t come up very often in information rights litigation: the Information Commissioner’s power to issue an Information Notice under section 51 of the Freedom of Information Act 2000 (“FOIA”).

The background to this appeal is a little convoluted, but of importance to understanding the issues and the decision of the Upper Tribunal. The solicitor of Fish Legal made a request for information to E.ON UK Plc seeking information from it. The information sought was environmental information and so the request fell to be dealt with under the Environmental Information Regulations 2004 (“EIRs”). E.ON UK Plc disputed that it was not a public authority and so did not issue a substantive response to the request. It became clear during the Commissioner’s involvement that the position of E.ON would be that, if it were a public authority, it did not hold the information.

As there was a dispute as to whether E.ON is a public authority, the Commissioner determined that she needed to resolve that issue first. If E.ON is not a public authority, then she had no jurisdiction to determine whether it held the information in question. After some exchange of correspondence between the Commissioner’s case officer and E.ON, an information notice was served on E.ON. The purpose of this Notice, we learn from the decision of the Upper Tribunal, was to assist the Commissioner in determining whether E.ON UK PLC is a public authority for the purposes of the EIRs.

E.ON appealed to the First-Tier Tribunal (Information Rights) against the information notice. It did so on two grounds: firstly, the decision to issue the information notice was unlawful because, as E.ON did not hold the requested information, it was pointless, disproportionate and academic. Secondly, the information requested in the notice was wholly or mainly in the public domain and so it was unlawful to issue an information notice to require E.ON to provide the information.

The First-Tier Tribunal heard argument and issued what it described as a decision on a preliminary issue, inviting written submissions from the parties as to how the remainder of the appeal should progress. E.ON appealed to the Upper Tribunal and its grounds of appeal are set out by the Upper Tribunal in paragraph 4 of its decision.

What is of most interest in this appeal was the position adopted by E.ON as to the Commissioner’s powers to determine whether the information was held or not. E.ON argued that the Commissioner could consider  whether a purported public authority held the information requested, before deciding whether it was reasonable and proportionate to issue an information notice seeking information to assist the Commissioner in deciding whether the purported authority is, in fact, a public authority. E.ON argued, essentially, that where a purported authority did not hold the information it was unlawful, disproportionate and unreasonable for the Commissioner to issue an Information Notice requiring a body to provide her with information to assist her in determining whether the purported authority was, in fact a public authority.

This argument was, ultimately, given short shrift by Upper Tribunal Judge Markus QC. The Upper Tribunal Judge considered that this “position would lead the Commissioner to a dead end” [47] as “[t]here is no statutory provision which could accommodate the outcome for which [Counsel for E.ON] contended, that being a decision by the Commissioner not to address the public authority question because there was no point in doing so.” [47] The outcome of the position advanced by E.ON before the Upper Tribunal would have simultaneously meant that the Commissioner could not have issued a decision notice under section 50 of FOIA that no information was held, because there was no decision that she had jurisdiction; she could not issue a decision on whether she had jurisdiction because it was pointless, and in any event she lacked the information she required to do so and she could not have refused a to make a decision under section 50 because none of the circumstances in section 50(2) of FOIA applied.

Upper Tribunal Markus QC remarks, paragraph 49 of her decision, that what the First-Tier Tribunal decided at paragraph 24 of its own decision was not that it was unable to decide any matter not determined by the Commissioner, but rather that the question whether the information requested by the applicant was held by the authority was irrelevant in an appeal against an information notice which was directed at establishing whether the Commissioner had jurisdiction. The question as to whether the information was held would be decided, if at all, if the Commissioner had jurisdiction to do so.

E.ON also tried to argue that the section 50 application by the applicant should be treated as being frivolous or vexatious by the Commissioner (thus giving her a reason under section 50(2) of FOIA to refuse to issue a decision notice). This, again, was also based upon E.ON’s position that it did not hold the information. E.ON seemed to be suggesting that it was frivolous or vexatious to press for the Commissioner to determine whether she had jurisdiction when the purported authority had demonstrated that it did not hold the information. The Upper Tribunal disagreed stating that “[t]here is nothing in this case which gets close to meeting the high standard set by vexatiousness” [61] (with reference to the principles set out in the Upper Tribunal and Court of Appeal in Dransfield v Information Commissioner and Devon CC).

What appears to have become lost in these appeal proceedings is that this is an appeal against an information notice and not an appeal against a decision notice. The Tribunal was not concerned with the substantive issue (whether or not E.ON had complied with its obligations under the EIRs, if it has any such obligation at all). E.ON, in this appeal, were getting ahead of themselves; or as the Commissioner reportedly put it “they were putting the cart before the horse”. The Commissioner had not made any decision on the issue (that would not stop the Tribunal considering it though if it were an appeal against a decision notice issued under section 50) as she had been unable to determine the preliminary issue of jurisdiction. The purpose of the Information Notice was to enable her to gather sufficient information to determine that issue.

The Commissioner simply does not, and this has been clear for some considerable time, have the power to determine a substantive issue (such as whether information is held) if she does not have jurisdiction. Where there is doubt about her jurisdiction, that matter has to be resolved by the Commissioner first. If the Commissioner is satisfied of her jurisdiction she will go on to consider the substantive issue (and the two matters will be dealt with in one decision notice dealing first with jurisdiction and then the substantive issue); if she determines that she has no jurisdiction she will issue a decision to that effect which can then be appealed in the normal way.

It remains to be seen whether the Commissioner’s Information Notice will survive; the First-Tier Tribunal has yet to consider all of the matters set out in the initial appeal by E.ON. Now that the Upper Tribunal has disposed of this appeal, the First-Tier Tribunal will now need to hear and determine the rest of the appeal.

Alistair Sloan

If you require advice and assistance with a Freedom of Information matter, or any other information law issue, contact our team on 0141 229 0880 or E-mail info@inksters.com.

Openness by design: ICO’s draft access to information strategy

The Information Commissioner’s Office has published a draft access to information strategy [pdf] and is inviting comments on it. The document opens by explaining that over the next three years the ICO has the ambition to be “more proactive and increase the impact of” regulation in respect of the Freedom of Information Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIRs”).

The document is intended to be read in conjunction with the ICO’s ‘Regulatory Action Policy’, which was consulted on last year (and covers all of the legislation that the Commissioner is tasked with enforcing, not just FOIA and the EIRs).

The draft strategy gives the impression that the ICO intends to become more proactive in its enforcement of FOIA and the EIRs – especially in relation to “systematic non-compliance”. This could mean that the ICO intends become more formal in its enforcement action. So we will need to wait and see how it pans out.

The other matter within the draft strategy that is worthy of note (although it really is worthwhile taking the time to read the whole document – it’s not a lengthy one) is the section which discusses the changes that have occurred since FOIA and the EIRs were enacted. In particular the draft strategy indicates that a report to Parliament will be published later this month “making recommendations for change in relation to outsourced public services and some other categories of public service provision that are not within the scope of the current legislation.” Quite what will happen with such a report, given that Parliament is pretty tied up with Brexit related matters, is unclear; however, it should be worth looking at – especially if you’re involved in the provision of public services under contract.

The ICO is inviting comments on the draft strategy document until 8th March 2019 and comments can be submitted via the ICO website.

Non-payment of Data Protection Fees: The ICO announces first steps in enforcement

Under the Data Protection Act 1998 it was an offence to process personal data without notifying with the Information Commissioner (and paying the required notification fee) unless you were exempt from having to notify. The position changed in May when the GDPR and Data Protection Act 2018 entered into force. The requirement to notify, which had its origin in the 1995 Data Protection Directive, was done away with. This left the UK with a particular problem: the Information Commissioner’s work in relation to the enforcement of data protection was funded entirely by the notification fees paid by data controllers. The solution was to introduce a system of fees which data controllers are required to pay to the Information Commissioner unless they are exempt from having to do so.

The law was also changed so that non payment of the data protection fee by a controller required to pay it is no longer a criminal offence. There are duplicate provisions in law which allow the Information Commissioner to charge these fees. The duplicate provisions are section 137 of the Data Protection Act 2018 and section 108 of the Digital Economy Act 2017. The fees payable are current specified within The Data Protection (Charges and Information) Regulations 2018, which were made exercising the powers under section 108 of the Digital Economy Act (the Regulations being made prior to the enactment of the Data Protection Act 2018 in May). There are, however, no provisions within the Digital Economy Act 2017 in respect of penalties for non-payment of these fees; the only provision which provides for non-payment of these fees is section 158 of the Data Protection Act 2018, which applies to fees made under section 137 of the Data Protection Act 2018.

In terms of section 158 of the Data Protection Act 2018, the maximum penalty for non-payment of the fee is 150% of the highest charge payable in accordance with the fees regulations, disregarding any discount available under the fees regulations.

It seems that a number of data controllers, who the Commissioner believes should be paying a fee, have not paid their fee. Earlier this week it was announced that the Information Commissioner’s Office had started to take enforcement action against 34 such organisations. The enforcement regime in section 158 of the Data protection Act 2018 applies to regulations made under section 108 of the Digital Economy Act 2017 by virtue of a provision within Schedule 20 to the Data Protection Act 2018 which provides that Regulations made under section 108 of the Digital Economy Act 2017 are to have effect as if they were Regulations made under section 137 of the Data Protection Act 2018 after the coming into force of section 137 of the Data Protection act 2018 (which happened on 25 May 2018).

The Notices of Intent, according to the ICO press release, have been issued to a range of controllers across the public and private sectors and that there are others in the process of being about to be issued. They act as a final warning by the ICO they if organisations don’t pay then they will be the recipient of a fixed penalty. It seems that the ICO is taking a relatively strong stance against non-payers from the outset and data controllers should therefore ensure that they pay their registration fees (where applicable) as and when their notification under the Data Protection Act 1998 comes to an end; or immediately where they were did not notify under the Data Protection Act 1998.

Alistair Sloan

If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374)  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail.  We have a Twitter account dedicated to information law issues , which you are welcome to follow.

The Information Commissioner’s power to compel information

The Information Commissioner is presently undertaking an investigation into the possible unlawful use of personal data, in particular, data analytics, by political parties and political campaigning organisations.  The most high profile activity that the Commissioner has undertaken in respect of that investigation has to be the obtaining and execution of a warrant to search the offices of Cambridge Analytica.  As part of that investigation it has been reported that a number of persons and organisations involved in politics have been served with Information Notices by the Information Commissioner, including the United Kingdom Independence Party (UKIP), Leave.EU and Arron Banks.

An Information Notice is a formal investigative tool which the Information Commissioner can use in order to gather information.  Her power to issue such notices, in respect of the processing of personal data, is to be found in section 43 of the Data Protection Act 1998.  There are two circumstances in which the Commissioner can issue an Information Notice:  (1) when conducting an assessment pursuant to section 42 of the Data Protection Act 1998; and (2) where the Commissioner reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles.  Broadly speaking this means that the Commissioner can issue an Information Notice either when her office is conducting an investigation at the request of a data subject or an investigation undertaken by her office which has been instigated by the Commissioner herself.

An Information Notice is simply a document which requires the data controller concerned to provide the Commissioner with information specified within the notice relating to the section 42 request or the controller’s compliance with the data protection principles.  However, its simplicity obscures its formality.  The issuing of an Information Notice is a formal step, and is a serious one for the recipient of the notice.  There is an automatic right of appeal against the notice or any part of the notice to the First-Tier Tribunal (Information Rights).  The right of appeal exists precisely because of its formality and the consequences for not complying with the notice.  It has been reported that UKIP has appealed the Information Notice served on it to the Tribunal.

An Information Notice is more than a polite request for information; it is a formal demand for information which is baked up by the threat of sanctions.  It is a criminal offence to fail to comply with an information notice which can result, if convicted, in a fine.  Furthermore, it is a criminal offence  to (i) make a statement in response to an information notice which is known to be false; or (ii) recklessly make a false statement in response to an information notice.

When serving an Information Notice, the Commissioner can specify or describe the information required by her or can be broader and instead specify or describe categories of information that she requires from the data controller.  There are some restrictions though on the information that the Commissioner can require a data controller to provide her with.  A data controller is not required to furnish the Commissioner with (a) “any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to the person’s obligations, liabilities or rights under [the Data Protection Act 1998]”, or (b) “any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of [the Data Protection Act 1998] (including proceedings before the Tribunal) and for the purposes of such proceedings.”

A data controller can also refuse to provide information which would reveal evidence of the commission of any offence.  However, there are some exceptions to this general exception; if the offence is an offence under the Data Protection Act 1998 or offences under certain statutory provisions concerning the giving of false evidence, then the data controller may still be required to provide the Commissioner with that information.

The serving of an Information Notice on a data controller is a significant step by the Commissioner and it is one that data controllers should not take lightly.  The consequences for failing to comply with the notice or for deliberately or recklessly misleading the Commissioner through the provision of false information can see the data controller facing criminal charges.  The Notice can be challenged through the First-Tier Tribunal (Information Rights) which could see part or all of the notice reduced/quashed.  The Data Protection Bill contains provisions in relation to Information Notices which are for the most part identical to the powers found within the Data Protection Act 1998 and so the Commissioner will continue to possess this potentially powerful took once the GDPR becomes a reality next month (subject, of course, to the Data Protection Bill completing is passage through parliament and receiving Royal Assent in time).

Alistair Sloan

If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter you can contact Alistair Sloan on 0141 229 0880.  Alternatively you can contact him directly by E-mail.  We also have a dedicated information law twitter account which you can follow.

The Information Commissioner’s Powers of Entry and Inspection

Yesterday I wrote a blog post looking at data subject’s rights and lessons for controllers arising out of the Cambridge Analytica and Facebook privacy matter.  In that blog post I mentioned briefly about the Information Commissioner’s powers of entry and search after the Commissioner announced that she was seeking a warrant to enter and search Cambridge Analytica’s premises.   In this blog post I will look at the Commissioner’s powers of entry and search in a bit more detail.

As noted yesterday, the Commissioner’s powers of entry and search are contained in Schedule 9 to the Data Protection Act 1998.  Schedule 9 sets out the circumstances in which a judge can grant a warrant to the Information Commissioner.  The judge considering the application must be satisfied, based on statements made on oath, that the there are reasonable grounds of suspecting that (a) a data controller has contravened or is contravening any of the data protection principles, or (b) that an offence under the Data Protection Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information supplied by the Commissioner.

The Commissioner is generally required, by the terms of Schedule 9 to the Data Protection Act 1998, to jump through some hoops before the judge considering the warrant application can grant the warrant to the Commissioner.  Paragraph 2 of Schedule 9 requires that the judge considering the application be satisfied of a number of other things:

  1. that the Commissioner has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises, and
  2. that either (i) access was demanded at a reasonable hour and was unreasonably refused, or (ii) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Commissioner or any of the Commissioner’s officers or staff to permit the Commissioner or the officer or member of staff to do any of the things she would be entitled to do if she had a warrant (see below); and
  3. that the occupier, has, after the refusal, been notified by the Commissioner of the application for the warrant and has had an opportunity of being heard by the judge on the question whether or not it should be issued.

Where the judge is satisfied that the case is one of urgency or that compliance with those provisions would defeat the object of the entry, the judge does not need to be satisfied of the three things listed above.  In this case, given that the Commissioner announced her intention to apply for a warrant on national television, it is likely that a judge will require to be satisfied of the three conditions listed above.

Who considers an application by the Commissioner for a warrant depends upon the jurisdiction in which the warrant is being applied for.  In England and Wales a District Judge (Magistrates’ Court) or a Circuit Judge has the power to grant the warrant; in Scotland it is the Sheriff and in Northern Ireland it is a Country Court Judge.

A warrant granted under Schedule 9 of the Data Protection Act 1998 gives the Commissioner the power to do a number of things; these things can be found in paragraph 1(3) of the Schedule and are:

  1. to enter the premises
  2. to search the premises
  3. to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data;
  4. to inspect and seize any relevant documents or other material found on the premises;
  5. to require any person on the premises to provide an explanation of any document or other material found on the premises;
  6. to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the data controller has contravened, or is contravening, the data protection principles.

The warrant must be executed at a reasonable hour, unless it appears to the person executing it that there are grounds for suspecting that the object of the warrant would be defeated if it were so executed, and within 7 days of the date of issue.  It allows the Commissioner, her officers and staff to use reasonable force to execute the warrant.

There are lots of other, really boring and technical requirements, which I won’t go into; the last thing I will mention is the terms of paragraph 12 of Schedule 9 which makes it an offence to: (i) intentionally obstruct a person in the execution of a warrant issued under Schedule 9; (ii) fail, without reasonable excuse, to give any person executing such a warrant such assistance as he may reasonably require for the execution of the warrant; (iii) makes a statement in response to a requirement  to provide information (see 5 and 6 in the list of powers the warrant gives the Commissioner) which that person knows to be false in a material respect; and (iv) recklessly makes a statement in response to such a requirement which is false in a material respect.

The Commissioner does get warrants from time to time; for example, earlier this month the ICO executed search warrants in relation to two properties in Greater Manchester as part of an investigation into companies suspected of sending text messages in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  The provisions of Schedule 9 to the Data Protection Act 1998 apply to PECR by virtue of Regulation 31 of PECR.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 0880.  Alternatively, you can send him an E-mail.

Data Protection, Facebook and Cambridge Analytica

We know that the Information Commissioner is investigating the circumstances surrounding the obtaining of personal data of a considerable number of individuals by Cambridge Analytica.  Cambridge Analytica is a data analytics company that is in the midst of what can only be described as a data protection and privacy scandal.

There are a number of significant allegations being made against Cambridge Analytica about how it obtains and processes personal data.  The Information Commissioner has also revealed that Cambridge Analytica is not cooperating with her investigation to the extent that she is going to apply for a warrant to enter and search their premises.  This means that, in all probability, the Commissioner has already sought access and it has been refused.  Schedule 9 to Data Protection Act 1998 sets out the Information Commissioner’s powers of entry and inspection; it permits the Commissioner to obtain a warrant from the court where the court is satisfied that a data controller has contravened or is contravening any of the data protection principles, or that an offence under this Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified.

This story is moving at quite a pace and is constantly changing with new revelations coming to light; it’s also the subject of an investigation by the Information Commissioner and there is the possibility that the company might face prosecution for offences under Section 55 of the Data Protection Act 1998 depending upon what the Commissioner finds during the course of her investigation.  I am therefore going to try and keep this blog post broad and theoretical rather than trample upon the toes of a live regulatory investigation.

A data controller has a duty to comply with the data protection principles in relation to all of the personal data for which they are the controller, subject to certain specified exemptions set out in statute.  The First data protection principle requires that personal data be “processed fairly and lawfully”; this requires the data controller to meet one or more of the conditions set out in Schedule 2 to the Data Protection Act 1998 (and, in respect of sensitive personal data, a condition in Schedule 3 also requires to be satisfied).

What can individuals do if they are concerned about whether Cambridge Analytica has any personal data concerning them and what they’ve been doing with it?  Data Subjects have a number of rights under the Data Protection Act 1998 and the cornerstone of those rights is the right of subject access.  This is currently given effect to in section 7 of the Data Protection Act 1998 and is not simply about getting copies of the personal data being processed by a data controller:  it consists of a whole suite or rights, of which getting a copy of the personal data is only one aspect.  Under the current law, data controllers are entitled to charge a fee up to a prescribed maximum for dealing with such requests; a request of this nature would attract a fee of £10, but many individuals might well think that this is a price worth paying to know if and how they have been affected by this issue.  Data Controllers have up to 40 days in which to comply with a subject access request.  Some key changes to the right of subject access will come into effect on 25th May 2018, but for now the law contained within the Data Protection Act 1998 is still applicable.

Once you have the response to your subject access request your rights do not end there; once you’ve established what a data controller is processing about you, what they’re doing with it and where they got it from there are a number of other steps that you might be able to take, such as requiring them to cease processing your personal data, complaining to the Information Commissioner or making a claim for compensation.

For data controllers, what is currently unfolding should be seen as an important lesson.  Data can be a useful tool to a business; whether it is being used for targeted marketing campaigns or to work out what consumers want from products and services in your market.  However, there are laws governing data protection and privacy and at the heart of those laws are the principles of fairness and transparency.  Controllers need to be careful as to how they obtain personal data, where they obtain it from, what they do with it and be certain that they have a lawful basis for processing that personal data in the ways that they want to do so; that may be because you have the consent of the data subject, because you have a legitimate interest in the processing or some other lawful ground for processing.  Don’t forget the Privacy and Electronic Communications (EC Directive) Regulations 2003 when conducting direct marketing by electronic means.

Simply because a person has made their personal data available, for example through social media, does not mean that is free to be used by whomever and for whatever they want.  The principles of the Data Protection Act 1998 still apply and the reputational damage that can be suffered may well vastly outweigh any regulatory action taken by the Information Commissioner or by data subjects themselves.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 08800.  Alternatively, you can send him an E-mail.