Data controllers’ compliance with Section 10 notices: the ICO now assess.

I’ve written previously about the Information Commissioner’s assessment of organisations’ compliance with S10 notices. S10 is a mechanism by which a data subject can force a data controller to stop processing his/her personal data, or stop it from processing in a certain way, where such processing is causing substantial, unwarranted damage or distress.

Previously the ICO has always insisted that they can only assess organisations’ technical compliance with S10(3), i.e. whether the organisation has responded to the notice and whether such response was within the 21 day timescale. The ICO would not consider whether the organisation had broken the law by failing to comply with a valid notice.

The ICO have now changed their policy. The attached Lines to Take document now states:

an individual may make a request for an assessment under s.42 of the DPA where:

  • A data controller has not responded to a notice at all.
  • A data controller has not responded within the 21 day timeframe.
  • A data controller has not provided its reasons for refusing to comply with a notice.
  • A data controller has failed to comply with the data subject’s request to cease processing.

That last point is new!

This draft Casework Advice Note goes into more detail.

Section 10(4) refers to the power of the court to order compliance with a section 10 notice.
The Commissioner is still able to make a s42 assessment on processing that may be in breach of the sixth principle (complying with a section 10 notice).

Failure to comply with a justified notice or failure to respond to a valid section 10 notice is a breach of the sixth principle.
The Commissioner can make an assessment of whether processing has been or is being carried out in compliance with the provisions of the DPA – in this case a breach of the sixth principle arising from a failure to comply with a data subject’s section 10 rights.

We can make an assessment of:

  • any non-compliant processing causing unwarranted damage or distress which means that the notice is justified; and/or
  • the data controller’s compliance with the procedural obligations under 10(3) to:
    • respond within 21 days of receiving the objection;
    • explain whether it intends to comply with the objection; and,
    • if it does not intend to comply with the objection in some way, give reasons for the decision.

You CAN also:

  • carry out a s42 assessment on whether the data controller has complied with its obligations under s10(1)

They’ve put “CAN” in bold for the following reason (also in the draft Casework Advice Note):

Problems with the previous line on ASK knowledge base
The previous line said that:

‘the only situation where the ICO can get involved with a request made under section 10 is where the organisation hasn’t provided any response within 21 days, we cannot assist with any matters relating to compliance with the request….’

This line may have arisen as a result of our preferences or priorities in terms of the types of complaints we take on as an office where there is a technical limitation on our legal powers, or it may be that we decided for operational reasons that we would not make assessments on a data controller’s compliance with their section 10(1) obligations.
Just because s10 refers to the powers of the court to order compliance with a section 10 notice does not preclude the Commissioner from making an assessment on processing that is in breach of principle 6.
Other sections of the DPA that relate to principle 6 refer to the order making powers of the court. For example, section 7(9) allows the court to order compliance with a SAR, but wouldn’t prevent the Commissioner from making her own assessment on whether or not a data controller should comply with a section 7 request.

It would seem that I have forced the ICO to reconsider their approach. Their internal dialogue on my complaint is entertaining. I particularly like the implied criticism:

In the present case, rather than referring his complaint about Sky’s processing to the Commissioner for an assessment, the data subject has tried to sort out the matter himself by issuing a section 10(1) notice.

How irresponsible of me 😀