ICO on S42 assessments of data controller’s compliance with S10

 

Here’s the ICO’s response in full. Editing errors, such as the chopped-off sentence “In circumstances where an individual believes,” were in the original.

21 July 2016

 

Case Reference Number RCC0621317

 

Dear Mr Paulley

 

I write in response to your correspondence of 17 March 2016 in which you have raised concerns about the advice provided to you by our office in relation to section 10 and section 42 of the Data Protection Act 1998 (DPA). My name is Traci Shirley and as a Team Manager at the Information Commissioner’s Office (ICO) your concerns have been passed to me to review and respond to. Please accept my apologies for our delay in responding to you.

I have considered your comments and document my findings below.

Introduction
You contacted our office on 16 March 2016 to discuss your concerns in relation to Sky’s information security practice and its handling of your personal information. During your call you were advised by a Helpline officer and a ‘senior case officer’ that the Information Commissioner’s Office (ICO) is unable to conduct an assessment under section 42 of the DPA with regards to whether an organisation has satisfied its obligations under section 10 (1) of the DPA.

You explain that the Helpline officer’s ‘explanation of the ICO’s inability to investigate such referrals was twofold’ in that:

  • ‘the mechanism for enforcing such rights is through the courts’, and
  • ‘s.10 ‘doesn’t give organisations any obligation other than to provide a written notice’.

You explain the conflict between the advice provided by the two officers in that the Helpline officer advised that ‘a data controller’s compliance or otherwise with s.10’ could not be considered by our office. However, the senior officer advised that a ‘the ICO can make a determination if the data controller has failed to provide a notice within 21 days as required under s.10 (3) but as s.10 places no obligation on the data provider to do anything other than provide a notice, the ICO cannot undertake an assessment on the organisations determination as to whether to accede to a s.10 notice or not’.

  • It is your view that each officer’s understanding of the law is incorrect in that s.42 of the DPA ‘obliges the ICO to conduct assessments on request as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Act’ and that the Act does not exclude s.10 from this obligation.
  • You further explain that, ‘the ability of the  data subject to enforce their rights by application to the court under s.10(4) of the Act does not negate the Information Commissioner’s obligation to undertake a s.42 assessment’.
  • You reiterate the provisions of Schedule 1 Part II para 8(b) of the DPA relating to the sixth principle of the Act and any contravention of the right under s.10. On the basis of this provision you explain that ‘a failure to comply with a justified s.10 notice is a failure to comply with the 6th data protection principle’.
  • Similarly, you reiterate the provisions of s.42 of the DPA and explain your view as to why the ICO should ‘conduct a s.42 assessment as to a data controller’s compliance or otherwise with s.10 (1) and (3)’.
  • You have asked to be informed of ‘what discretion you have under the Act to refuse to make an assessment as to the requirements placed upon a controller by section 10 (a)’ [sic].

Having reviewed all of the information available to me I shall document my findings below.

My Findings

The ICO does not record calls made to our Helpline therefore I am unable to review the call that took place between you and our officers. However, it is always our intention to provide a quality service. I apologise for any conflicting advice that you have received from our officers and that you have felt the need to complain about the advice provided to you on this occasion.

Security practices
You have explained that you initially contacted us in relation to Sky’s security practice and its handling of your personal information. As I am unable to review your call and you have not provided further information in relation to the advice provided to you regarding this aspect of your concerns, I am unable to comment further on this matter. However, the seventh principle of the DPA provides that personal information must be held securely. As such, if you believe that Sky has processed your personal information insecurely, you should, in the first instance, raise your concerns directly in writing to Sky. Following this, our office may be able to make an assessment of this aspect of your concerns.

DPA s.10 and s.42
As stated above, I am unable to review the call which took place between you and our officers therefore I am unable to comment specifically on the advice provided to you, or the context in which that advice was provided. However, in light of the detail provided by you, I agree that you may not have been correctly advised in relation to the rights and obligations set out in s.10 and s. 42 of the DPA.

DPA s.42 (1)
A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Act.

DPA s.10 (1)
An individual is entitled at any time by notice in writing to the data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the grounds that, for specified reasons –

  1. The processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or distress to him or to another, and
  2. That damage or distress is or would be unwarranted

DPA s.10 (4)
If a court is satisfied on the application of any person who has given notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

When considering compliance with any notice served on a data controller under s.10 (1), the court will consider whether the processing is likely to cause unwarranted substantial damage or distress. In addition, the court will consider whether s.10 (1) will not apply by virtue of s.10 (2), where the processing is for a purpose set out in paragraphs 1-4 of Schedule II.

If the court determines that a s.10 (1) notice is justified, s.10 (4) empowers the court to order the data controller to take such steps as the court thinks fit. However, s.10 (4) does not require the court to consider a data controller’s compliance with the ‘supplementary provisions’ under s.10 (3) which provide:

DPA s.10 (3)
The data controller must within twenty-one days of receiving a notice under subsection (1) (the data subject notice) give the individual who gave it a written notice – 

  1. Stating that he has complied or intends to comply with the data subject notice, or
  2. Stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

As such, matters of compliance relating to the supplementary provisions under s.10 (3) are for the Information Commissioner’s Office (ICO) to assess under s.42 of the DPA.

The supplementary obligations of the data controller are, within 21 days of receipt of the section 10(1) notice, to give the data subject written notice that either:

  1. the data controller has or will comply with the section 10(1) notice, or
  2. the data controller will not comply with the notice and the reasons for its decision.

Where an individual has issued a notice under s. 10 (1), this does not negate the Commissioner’s obligation to make an assessment in response to an individual’s subsequent request for an assessment of a data controller’s processing of personal data and whether such processing is likely or unlikely to be in compliance with the provisions of the DPA.

In addition, an individual may request an assessment under s. 42 (1) of the DPA as to whether any processing by a data controller for its obligation in complying with a s.10 (1) notice was likely or unlikely to be in compliance with the provisions of the DPA.

However, where the data subject has exercised his right in applying to the court under s.10 (4) for an order compelling the data controller to comply with his s.10 (1) notice, the Commissioner may decide not to investigate the data controller’s compliance with its supplementary obligations under s.10 (3) on the basis that the data subject is concerned with the data controller’s compliance with a notice to cease processing under s.10 (1) rather than the supplementary provisions in s.10 (3).

Schedule 1 Part II paragraph 8 (b) states:
A person is to be regarded as contravening the sixth principle if, but only if –

  1. He contravened section 7 by failing to supply information in accordance with that section
  2. He contravenes section 10 by failing to comply with a notice under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section

You explain that, ‘a failure to comply with a justified s.10 notice is a failure to comply with the 6th data protection principle’.

Where a data controller fails to comply with the obligations set out in s.10 (3), any such failure may be a breach of s.10 (3) and therefore a breach of the rights afforded to individuals under the sixth principle. In circumstances where an individual believes

In relation to a ‘justified s.10’ notice, the data controller must consider the specified reasons asserted by the data subject and how the processing is likely to cause substantial damage or substantial distress to the data subject [or another] and whether such damage or distress is or would be warranted. To the extent that such notice is justified, the data controller should comply with the notice to such an extent. In circumstances where an individual believes that a data controller has failed to comply with a justified notice, the data subject may request an assessment under s.42 of the DPA.

Conclusion
As set out above, the Commissioner may make an assessment under s.42 of the DPA where:

  • the processing, in connection with a service provided to a data subject, is likely or unlikely to comply with the obligations set out in the seventh principle of the DPA.
  • the processing relates to whether a s.10 (1) notice is likely or unlikely to comply with a data controller’s obligations under s. 10 (3) of the DPA, and
  • the processing, relating to the data controller’s obligations to comply with a notice, is likely or unlikely to be in accordance with the primary obligations under s.10 (3) of DPA.

Thank you for bringing this matter to my attention and for providing me with the opportunity to address your concerns.

What next?

This concludes the case review and service complaint process. However, if you still believe that we have provided you with a poor service, or if you believe we have not treated you properly or fairly then you may be able to complain to:

The Parliamentary and Health Service Ombudsman, Millbank Tower, Millbank, London SW1P 4QP

All complaints to the Ombudsman must be made through an MP.  I would advise you to first call the Ombudsman’s Helpline on 0345 015 4033 or visit their website at www.ombudsman.org.uk to see if they are able to assist you further.

If, however, your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you.  If you want to challenge our interpretation of the law, you should consider seeking legal advice. 

Yours sincerely

Traci Shirley
Team Manager
Information Commissioner’s Office
01625 545790
