Aug 22 2017

If anybody feels that an organisation may have failed to follow the Data Protection Act whilst dealing with their data, they can ask the ICO for an assessment, under S42 of the Data Protection Act, of whether that processing is likely or unlikely to have been carried out in compliance with the Act. The ICO are obliged to respond unless they need the subject to supply more ID or more explanation as to what processing the subject’s concerned about. Those are the ONLY exemptions the ICO can use to avoid having to undertake a S42 assessment.

S42.2 On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to—
(a) satisfy himself as to the identity of the person making the request, and
(b) enable him to identify the processing in question.

It is usually a good idea for the data subject to complain to the data controller before bothering the ICO. It’s often probably the best way to get the issue resolved speedily and with the least of fuss, to the benefit of both the data controller and the data subject. It also means that the ICO are less likely to be swamped with S42 requests about stuff that could have been sorted a lot easier by a simple email.

However, that isn’t appropriate in all cases.

My reading of the Act is that the ICO are under an obligation to respond to a data subject’s S42 request for assessment irrespective of whether the data subject has complained to the data controller. The ONLY factors they can take into consideration as to whether they must undertake an assessment or not, is whether they have enough ID to be confident the data subject is who (s)he says (s)he is, and whether they’ve been given enough information to identify the processing in question.

S42 lists other factors that the Commissioner can take into account – but these factors are only to be taken into account when considering HOW the Commissioner will go about the assessment, not IF an assessment will be undertaken. The assessment still has to be done, irrespective of these factors. And in any case, these factors do not include whether or not the data subject has made a complaint to the data controller.

S42.3 The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include—
(a) the extent to which the request appears to him to raise a matter of substance,
(b) any undue delay in making the request, and
(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.

So as far as I’m concerned, the law does not give the ICO latitude to insist data subjects complain to the data controller before submitting a S42 request. It doesn’t allow the ICO to refuse to undertake an assessment where the data subject hasn’t submitted a complaint direct to the data controller.

I submitted a S42 request recently, having not complained to the data controller first. The ICO responded:

I note that you also sent us a copy of an email received from ‘Charity Checkout’, which appears to be a trading name of ‘Online Giving Ltd’. There is no other copy correspondence to show that you have raised a concern with ‘Online Giving Ltd’ in writing and allowed time for its response. You would need to do this before the ICO could progress any concern about this third organisation.

I remonstrated:

This approach is not in compliance with obligations under S42 of the Data Protection Act, which states:

I parroted the above in detail, showing that the ICO cannot legitimately insist on subjects complaining to the controller before the ICO is obliged to conduct an assessment.

It always bugs me when the ICO state that they will not make a S42 assessment unless the data subject has raised their concern with the data controller. This is evidently ingrained and standard practice in the ICO, but it has no basis in law. No doubt the ICO would like it to be in the law, acts as if it is the law and doubtless it often achieves a speedier resolution if the data subject complains to the data controller, but the fact is that the Information Commissioner is obliged to undertake an assessment whether or not the data subject has raised their concern with the data controller.

As the ICO expects and requires data controllers to comply with the detail of the Data Protection Act, it should do so itself. S42 does not give the Commissioner the right to reject S42 requests on the basis that the data subject has not raised a concern with the data controller. That’s the letter of the law, and the ICO should comply with it.

Please register a complaint that the ICO’s standard practice in this specific is not in compliance with the Commissioner’s obligation under S42 of the Data Protection Act.

They gave their final response:

You are dissatisfied with this approach and do not consider that section 42 of the Act allows the ICO to require that you contact the organisation prior to requesting an assessment.

My Findings

The requirement for individuals to have raised their concerns with the organisation involved is part of the ICO’s operational policy, rather than being written into the legislation.

You will appreciate that the ICO has limited resources, and we cannot take action in response to every concern reported to us. Ultimately our role is to improve information rights practices, and we put our efforts into taking action in those areas where we can make the biggest improvement to the practice of those we regulate. We are an independent body and do not work on behalf of individuals.

As explained on our website, we believe that the organisation responsible for a data protection matter should deal with it in the first instance. We expect organisations to take concerns seriously and work with the data subject to try to resolve them. Most organisations will want to put things right when they have gone wrong, and learn from complaints that are raised with them – further, it is best practice for them to have an effective complaints procedure.

If the organisation has been unable, or unwilling, to resolve an information rights concern, the data subject can then raise the matter for us to evaluate whether there is an opportunity to improve information rights practice.

For all of these reasons we are committed to giving organisations the opportunity to respond to public concerns before they are raised with us as the regulator.

I trust that this explains our approach.

Well yes, it explains their approach, but it doesn’t explain how their approach complies with the legislation, which was the sole point in my complaint. “We think our approach is better” isn’t a valid response to a complaint that said approach is not in accordance with their legal obligations.

However, they have successfully stonewalled me through their single-stage complaints procedure, so they won’t consider the issue any further. I wouldn’t want to bother the Ombudsman, partly as I haven’t experienced sufficient harm and in any case, as the ICO pointed out – “If your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you.” The only further avenue suggested was, “If you want to challenge our interpretation of the law, you should consider seeking legal advice.” They presumably know that it doesn’t merit that.

I’m therefore reduced to publishing a whiny blog explaining how I’ve been wronged, on an obscure part of the Internet where nobody will read it — similar to the likes of Alan Dransfield.

But I still think I’m right, that the ICO are failing to comply with their legal obligations, and that they have succeeded in their intent of stonewalling me throughout the statutory procedures ostensibly designed to make sure they take on board complainants’ legitimate concerns and change accordingly. (Again, just like Dransfield. Perhaps we’re long-lost relatives or something.)

Feb 15 2017

Section 50 of the Freedom of Information Act gives requesters the right to ask the Information Commissioner to decide if a public authority’s handling of the requester’s Freedom of Information Request is in compliance with the Act.

Application for decision by Commissioner.

(1)Any person (in this section referred to as “the complainant”) may apply to the Commissioner for a decision whether, in any specified respect, a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements of Part I.

Here’s the bit I’m interested in: (my emphasis)

Any person … may apply to the Commissioner for a decision whether, in any specified respect, a request for information made by the complainant to a public authority has been dealt with in accordance…

I don’t think the Commissioner complies with this, and I think she / her office should.

Here’s a current example, in which the ICO is refusing to decide whether an authority’s handling of my request complied with the Act in my specified respect – whether they were correct to use the S43 exemption:

In January 2015, as part of my campaign to make Leonard Cheshire pay carers the living wage, I put in Freedom of Information requests to many councils for details of how much they pay care providers including Leonard Cheshire. Surrey Council (alone, out of the 172 I surveyed) maintained that the S43 exemption (Commercial Interests) applied, partly because they were currently undertaking a review of care home contracts.

In February 2016, on the assumption that the review would be over, I sent a new request for the original data. Their dilatory response of 19 April 2016 cited S43 again. I requested an internal review; their usual dilatory response of 21 July 2016 upheld S43.

On 29th June 2016, I sent the ICO a S50 request. It read, in its entirety,

Hello

Please can you conduct a S50 request:

https://www.whatdotheyknow.com/request/surrey_council_leonard_cheshire

1) failure to respond within 20 working days

2) inappropriate reliance on S43

I have given them every opportunity to respond, including requesting
an internal review, but they have neglected to do so.

Thank you

Doug Paulley

After Surrey had completed their internal review, the ICO contacted me to ask if I was still unhappy. I emailed them on 23rd July to say that I was most definitely still unhappy about their use of the commercial interests exemption and repeated my request for a S50 assessment. The ICO appointed an investigator, who emailed me on 20th September 2016, stating:

The focus of my investigation will be to determine whether the Council is entitled to rely on section 43(2) as a basis for withholding the information described in your requests

I was entirely clear in my initial S50 request, and throughout all following correspondence, that my S50 request was about their use of S43. I initially included their failure to respond within the deadline, but still it was clear throughout, and in both my S50 requests, that my concern was about the authority’s illegitimate use of S43.

On 6th February 2017 (nigh on a year after the request) Surrey Council released info that arguably satisfied the request:

Following on from the email below and subsequent correspondence with the Information Commissioner, given the passage of time, we are now able to confirm…

The Information Commissioner’s Office emailed me to say they would drop their investigation.

Surrey Council has now sent me a copy of an email it sent to you disclosing the range of fees for LCD as at the date of your request. This would appear to satisfy your request and I therefore now propose to close this case as having been informally resolved.

(One wonders if the Act allows them to unilaterally decide not to complete the S50 assessment.)

I wasn’t happy with this. I stuck to my guns on the S50 assessment. However the ICO then refused to look at the use of S43:

I will do a decision notice. It will be on the narrow issue of Surrey Council’s delay in providing the information to you.

I said: hang on, my S50 request was about their use of S43:

I appreciate your position, but it is clear that the substantial delay was caused by the authority’s inappropriate and prolonged reliance on the exemption. If you hadn’t intervened they wouldn’t have responded at all because they would have maintained that exemption. Writing a decision notice solely on a time limit issue is disingenuous.

When I sent you my S50 request, back on June 29 2016, I asked you to conduct a S50 assessment into “1) failure to respond within 20 working days 2) inappropriate reliance on S43.”

I didn’t ask you to take 7.5 months to persuade the authority to release the information, then to count the case as closed; then on my remonstration to write a decision notice solely about their delay in response. I asked you to do a DN about their delay, and the fact that they inappropriately used S43.

I appreciate you always prefer an informal resolution to requests as being better all round, but in this case it’s not acceptable. They are dodging the issue by saying that the time since the request has meant they can release the information. This gives me no confidence whatsoever that when I ask for updated information they will supply the information.

Don’t just do a DN about delay. Do it on their S43 refusal also.

Once again the ICO flat refused:

I consulted with senior colleagues regarding your concern about the position I set out for you: namely, that we will do a decision notice addressing the delay in response. They have agreed with my position and I do not intend to change my approach.

If you wish to challenge the scope of our decision notice in that regards, you will be able to appeal the decision notice to the First-tier Tribunal (Information Rights).

I quoted S50 again, and in no uncertain terms set out what I believe is the Information Commissioner’s obligation in the Act:

I require the Information Commissioner to make a decision as to whether the authority’s reliance on the S43 exemption was legitimate. As the complainant, I specify that specific: that is my “specified respect”.

I appreciate that you have asked your seniors, but frankly they are not infallible and in this instance they are wrong. The Information Commissioner does not have the ability to pick and choose whether to respond to the “respect” specified by the complainant.

Please register and investigate a complaint under your complaint procedures that the Commissioner is refusing to comply with her legal obligation set out in the Act to make a determination as to whether the authority was legitimate in refusing to provide the information for 11 months because they believed S43 was engaged.

Should the Commissioner either not respond to this complaint, or respond but not rescind the decision to ignore the respect I specified, I will apply for a judicial review, in order to ensure that the decision notice addresses the specific point I raised and to ensure that the Commission re-evaluates their obligations set by the Act.

But the Commissioner’s office still refused.

Thank you for your further comments. I will ensure that your comments are passed on to my line manager, [name redacted], who is a Group Manager at the ICO. However, I should be grateful if you would complete our complaints form…

I will, in the meantime, continue to draft a decision notice in the terms previously explained. I acknowledge that you disagree with the scope I have outlined.

I shall send the complaint; and, given that she is continuing to draft the decision notice, I will apply for judicial review; and when they issue the decision notice, I will go to the FTT if need be. But I must say I do think this is ridiculous.

I was perfectly clear all along that my S50 application was for an IC determination as to whether the authority’s use of the S43 exemption was engaged. S50 states that the ICO must decide whether the authority’s actions were compliant with the Act “in any specified respect”. To my mind, the IC is not legitimate in deciding for themselves what they will and will not decide.

I don’t know the Tribunal and Appeal Court decisions in this area – but to me the law is clear, and the IC are wasting their ever-dwindling resources fighting my request for no good reason…

…Or am I barking up the wrong tree?!

Data controllers’ compliance with Section 10 notices: the ICO now assess.

Sep 20 2016

I’ve written previously about the Information Commissioner’s assessment of organisations’ compliance with S10 notices. S10 is a mechanism by which a data subject can force a data controller to stop processing his/her personal data, or stop it from processing in a certain way, where such processing is causing substantial, unwarranted damage or distress.

Previously the ICO has always insisted that they can only assess organisations’ technical compliance with S10(3), i.e. whether the organisation has responded to the notice and whether such response was within the 21 day timescale. The ICO would not consider whether the organisation had broken the law by failing to comply with a valid notice.

The ICO have now changed their policy. The attached Lines to Take document now states:

an individual may make a request for an assessment under s.42 of the DPA where:

  • A data controller has not responded to a notice at all.
  • A data controller has not responded within the 21 day timeframe.
  • A data controller has not provided its reasons for refusing to comply with a notice.
  • A data controller has failed to comply with the data subjects request to cease processing.

That last point is new!

This draft Casework Advice Note goes into more detail.

Section 10(4) refers to the power of the court to order compliance with a section 10 notice.
The Commissioner is still able to make a s42 assessment on processing that may be in breach of the sixth principle (complying with a section 10 notice).

Failure to comply with a justified notice or failure to respond to a valid section 10 notice is a breach of the sixth principle.
The Commissioner can make an assessment of whether processing has been or is being carried out in compliance with the provisions of the DPA – in this case a breach of the sixth principle arising from a failure to comply with a data subject’s section 10 rights.

We can make an assessment of:

  • any non-compliant processing causing unwarranted damage or distress which means that the notice is justified; and/or
  • the data controller’s compliance with the procedural obligations under 10(3) to:
    • respond within 21 days of receiving the objection;
    • explain whether it intends to comply with the objection; and,
    • if it does not intend to comply with the objection in some way, give reasons for the decision.

You CAN also:

  • carry out a s42 assessment on whether the data controller has complied with its obligations under s10(1)

They’ve put “CAN” into Bold for the following reason (also in the draft Casework Advice Note):

Problems with the previous line on ASK knowledge base
The previous line said that:

‘the only situation where the ICO can get involved with a request made under section 10 is where the organisation hasn’t provided any response within 21 days, we cannot assist with any matters relating to compliance with the request….’

This line may have arisen as a result of our preferences or priorities in terms of the types of complaints we take on as an office where there is a technical limitation on our legal powers, or it may be that we decided for operational reasons that we would not make assessments on a data controller’s compliance with their section 10(1) obligations.
Just because s10 refers to the powers of the court to order compliance with a section 10 notice does not preclude the Commissioner from making an assessment on processing that is in breach of principle 6.
Other sections of the DPA that relate to principle 6 refer to the order making powers of the court. For example, section 7(9) allows the court to order compliance with a SAR, but wouldn’t prevent the Commissioner from making her own assessment on whether or not a data controller should comply with a section 7 request.

It would seem that I have forced the ICO to reconsider their approach. Their internal dialogue on my complaint is entertaining. I particularly like the implied criticism:

In the present case, rather than referring his complaint about Sky’s processing to the Commissioner for an assessment, the data subject has tried to sort out the matter himself by issuing a section 10(1) notice.

How irresponsible of me 😀
