In the months leading up to 25th May 2018, data controllers will have been working like Trojans to become GDPR compliant. Data Protection Officers may have been pulling their hair out at the length of their ‘to do lists’. Not least, working out what their lawful basis or processing is, drafting Privacy Notices in clear and plain English, reviewing their subject access and breach notification procedures and training staff.
Add to all of that the additional requirements imposed by the Data Protection Act 2018 to have an ‘appropriate policy’ in place in relation to the processing of certain special category personal data and personal data relating to criminal convictions. Specifically s. 10 DPA requires that processing special category data meets the conditions in Part 1-3 of Schedule 1. This in turn also requires that in certain circumstances the data controller must have an ‘appropriate policy document in place’. [1] Schedule 1, Part 4 provides some limited guidance on what must be in the policy document. The document must explain the controller’s procedures for securing compliance with the principles in Article 5 of the GDPR in connection with the processing of the personal data. It must also explain the controller’s policies in relation to the retention and erasure of personal data processed in reliance of the condition.
This new requirement may not have been the foremost concern for every data controller and it is possible or even likely that policies may still be in draft as DPOs work out what to include in their documents. The ICO has not, as yet, issued any guidance on these policy documents and so this no doubt will present challenges for many DPOs. . Perhaps the requirement is also presenting challenges for the ICO, because at the time of writing, the ICO is unwilling to publish its own Policy Document.
The request and the refusal
On 19th July the ICO received a request for a copy of its ‘Policy designed to show compliance with Schedule 1, Part 4 of the DPA 2018.’ Although the applicant did not explain why they wanted it (and as FOIA practitioners know, the regime is purpose blind), there can be little doubt that many data controllers would find the ICO’s own Policy Document a very useful guide to the scope and content of such a policy. Additionally it is important that the public, and indeed ICO employees, are made aware of how the ICO itself will process special category and criminal conviction data.
On August 17th 2018 the ICO refused the request, citing the s 22 FOIA exemption (information held with a view to future publication). S 22 provides that information is exempt information if:
- the information is held by the public authority with a view to its publication, by the authority or any other person, at some future date (whether determined or not),
- the information was already held with a view to such publication at the time the request for information was made, and
- it is reasonable in all the circumstances that the information should be withheld from disclosure until the date referred to in paragraph (a).
S 22 is a qualified exemption and requires a determination of the public interest.
Sadly, the ICO’s Refusal Notice falls short of the ‘best practice’ that one should reasonably expect from the FOIA regulator.
- The refusal notice offers no explanation of why the ICO believes it is reasonable in all the circumstances to withhold disclosure until some future date. The ICO has failed to follow its own guidance on the s 22 exemption in not even addressing this point. In fact it is arguable that by not considering this, the exemption is not engaged.
- It fails to provide any indication of a future intended date for publication. Although there is no requirement under the FOIA to do this, given the level of interest surrounding the new Data Protection Act it is difficult to see why the ICO did not seek to offer some indication of the intended future publication date. It also neglects the ICO’s own advice on the s 22 exemption, that is good practice to provide the requestor with an anticipated date of publication.
- It fails to adequately explain the public interest factors that have been taken into account.
Weak and generic public interest assessment
The public interest test requires an assessment of whether:
In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
This requires a particular attention to the ‘circumstances of the case’. In one of its earliest judgments the Information Tribunal emphasised that a public authority must ask ‘is the balance of public interest in favour of maintain the exemption in relation to this information and in the circumstances of this case?’. [2] The ICO refusal notice is however generic and lacks any explicit reference to the information requested or the particular circumstances surrounding this document.
In favour of disclosure the ICO simply states that there is a public interest in transparency being demonstrated by disclosure and a legitimate interest in the compliance of the ICO with the legislation it regulates. It could have added more weight to this side of the equation. For instance, it could have supplemented these rather generic assertions by making explicit reference to the first Principle in Article 5 (1) GDPR, that data should be processed in a transparent manner. It might also have used different language recognising a ‘strong’ (rather than legitimate) public interest in ensuring that the ICO complies with the legislation it regulates, particularly given the gravity of non-compliance.
In favour of withholding the information the ICO cites three points, again without elaboration or reference to the specifics of the case.
First it states that ‘transparency is achieved through the pro-active publication of information on the web site’. Simply stating this falls well short of explaining how it is not in the public interest to disclose earlier than planned. Given that the information is going to be published at some future date, the public interest test should really consider why it is not in the public interest to publish earlier than planned. This is not addressed by the ICO.
Second, the ICO cites ‘the impact on ICO resources if we were to respond individually to requests for information that is due to be published’. This again appears to be something of a blanket refusal and fails to take into account the specific information that is being requested.
Finally, the ICO cites there is no pressing public interest in disclosing the information early. The refusal notice does not offer any reason in support of why it would not be in the public interest to disclose the document now. There is no explanation about why the ICO has reached this conclusion. However, perhaps more compelling is the fact that the Act has been in force for almost three months now. The ICO should have had a Policy Document in place since May 23rd 2018. In which case it is difficult to see how disclosing it now would be ‘early’. That is unless the document is still in a draft form and the ICO is not in a position to say when it might be published. Perhaps the ICO, like other data controllers is finding it a challenge to draft its Policy Document.
At the time of writing the requestor has submitted a request for an internal review.
I leave you with the ICO’s strapline; ICO, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Susan Wolf has over ten years experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. She will be delivering a range of online webinars on various subjects around GDPR.
We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!
Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.
[1] In addition, under Part 3 of the DPA 2018 which implements the Law Enforcement Directive, sections 35 and 42 and Schedule 8 also require that data controllers have an appropriate policy document in place.
[2] Hogan and Oxford City Council v The Information Commissioner EA/2005/0026 & EA/2005/0030
I feel honoured to have a blog re a FOI request submitted!!
Would you say a data controller needs multiple policy documents, i.e. one for every type of processing of special category data they undertake, or would an overarching single document be sufficient?