I’d like you to send me a copy of the personal data you hold on me.
I am particularly interested in where you obtained my name and address from.
The numbers on your mailing are
8666U501J01101
XA4416175
I’d like you to explain what these mean.
Regards etc
Dear Mr xxxx
Thank you for your email. Firstly, we can confirm that we do not have any of your personal data on our records of any kind.
The recent Christmas appeal which you received was sent out as part of our Christmas campaign. During this campaign, we purchased some contact details from a third party supplier for temporary use – these details are not stored on our database and are no longer in our possession.
In this instance, your details were selected for The Christmas Appeal – which also includes a Christmas appeal reminder which you are likely to receive in the next 2-3 weeks, and, unfortunately, as the mailings are selected far in advance, it is not currently possible to prevent this mailing from being sent. Please accept our sincere apologies for any inconvenience this may cause you. However, we confirm that we do not hold any of your data on our database.
The DM code you have listed below indicates that your details were temporarily given to us for a one-off use.
The XA code you supplied is your reference number; it is not stored on our own system in any way.
What a great reply! We don’t have any data on you; we did have a while ago to send you an unsolicited letter but it was only held temporarily and besides we bought it from someone else. We’ve checked the reference numbers you gave us even though we don’t have them on our systems.
And we won’t be processing your data while we hang onto it for 2 to 3 weeks so we can send you a reminder about the unsolicited begging letter we just sent.
Am I the only person who finds this unacceptable? Or is this the norm for the charity sector? Just for clarity the ICO says
“Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data”
So that’s 3 processing operations at least – obtaining, mailing and holding. Maybe even destruction if in fact they do delete it. (Next Xmas will tell me this). The ICO doesn’t give an exemption for ‘temporarily’ processing it.
When Christmas (the season of good cheer and peace to all data subjects) arrives, is it part of the festive spirit (or even lawful?!) to buy a wodge of names and addresses that you have no relationship with and then mail them two (count them) begging letters; and when someone makes a subject access request say, “We do not hold any data on you – we did last week but it’s disappeared. We might hold it again in a week or two but only for a short time and then it will disappear again.”
This organisation is a good organisation. I support their aims and like listening to their brass bands outside supermarkets in the run up to Christmas, but I find their marketing activities dubious. It may just affect my giving to them this year.
The government’s controversial Draft Investigatory Powers Bill was published in early November. Amongst other things, the Bill:
Requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and some public bodies.
Makes explicit in law for the first time the Security Services’ powers for the bulk collection of large volumes of personal communications data.
Makes explicit in law for the first time the powers of the Security Services and police to hack into and bug computers and phones. It also places a new legal obligation on companies to assist in these operations to bypass encryption.
Requires internet and phone companies to maintain “permanent capabilities” to intercept and collect the personal data passing over their networks. They will also be under a wider power to assist the security services and the police in the interests of national security.
A Committee has been formed to consider the key issues raised by the Bill, including whether the powers sought are necessary, whether they are legal and whether they are workable and clearly defined. The Committee is now inviting written evidence to be received by 21st December 2015 (call for evidence).
Some of the questions the Committee are inviting evidence on include:
To what extent is it necessary for the security and intelligence services and law enforcement to have access to investigatory powers such as those contained in the draft Bill?
Are there sufficient operational justifications for undertaking targeted and bulk interception, and are the proposed authorisation processes for such interception activities appropriate and workable?
Should the security and intelligence services have access to powers that allow them to undertake targeted and bulk equipment interference? Should law enforcement also have access to such powers?
The Committee is due to report back by February 2016.
What will the effect be of the Investigatory Powers Bill on local authorities? Is it true that councils will be given powers to view citizens’ internet history (according to the Telegraph)? The answer is no.
Sam Lincoln has written an in-depth analysis of the bill, detailing and dissecting its various points. Please take a look here.
Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection. Our 2016 RIPA workshops will include an update on the Bill.
Charity envelope time again. And yet again another organisation I had no relationship with at all. This time it was a big one with offices in…are you ready…
UK, USA, India, China, Philippines, Latin America, Mexico, Brazil, Africa, Indonesia, Vietnam, Middle East & North Africa and Bangladesh.
Surprisingly in all these locations they couldn’t find a data protection expert to run his eye over their Privacy Policy. This is puzzling as you can find good information about their accounts and activities quite easily on the web. (£7m donations in 2014 and over 125,000 children helped all over the world). They look like they’re doing a good job except for the unsolicited mailing that dropped through my door today.
They sent 2 full colour glossy A4 double sided leaflets. 10 sticky gift tags to attach to Xmas presents, an A5 double sided full colour leaflet, an eight page A6 booklet about their work, a donation form to return and an envelope. If they’d not spent their money on these pieces of coloured paper, 2 of which were customised to say my name and address they might have had more in the kitty to help the children they featured in their leaflets. Nowhere on any of these pieces of paper is there a mention of the Data Protection Act. Nor is there a phone number so I could tell them quickly I didn’t want their unsolicited mailing. Presumably their marketing expert advised them not to offer this simple mechanism of objecting as it might result in people using it. So I found their website and had a look.
After a while I found their Privacy Policy. It was extensive and told me a lot about the cookies it used. No mention of the Data Protection Act again. Some of the interesting sections were
Your acceptance of this policy
By using our site, you consent to the collection and use of information by XXXXXXX in accordance with our Privacy Policy. If you do not agree to this Policy, please do not use our site. In order to fully understand your rights we encourage you to read this Privacy Policy.
(Mmm a good one to start with. You have to use the site to find the policy before you can read it, but by using the site you have already agreed with their policy even though you haven’t read it, which they want you to do).
Changes to this privacy policy
XXXXXXXX reserves the right at any time and without notice to change this Privacy Policy simply by posting such changes on our site. Any such change will be effective immediately upon posting. Your subsequent use of this website after we have made changes to this policy (including the submission of information on our donation form) will be deemed to signify your acceptance of any variations that we make.
(So when they change something and before you find out about the changes by reading their policy you have already agreed to the changes you haven’t yet read about).
3. Sharing your information with third parties
From time to time, XXXXXX allows other worthy organisations to send communications to our donors via direct mail. We carefully screen these organisations to ensure their services may be of interest to our supporters. If you do not wish to hear from these organisations, please let us know by contacting us.
(Wow what a good one. Firstly that great phrase “from time to time”. I thought this had died out but here it is again, and what it really means is “whenever we feel like it…”. The following few words show the staggering arrogance of the organisation. We ALLOW other worthy organisations to send communications to OUR donors. Despite the fact that there is a law that prohibits this they ALLOW it, and the donors aren’t free-thinking individuals – they belong to the organisation and the organisation can do with their personal data what they want. Did the Slavery Abolition Act of 1833 have a clause in it exempting charities? Er… no. And there’s more – what is a worthy organisation? One that helps children? One that only uses recycled paper? One that pays their directors in bitcoins? We have no idea what this cute little phrase means. It implies that Data Controllers don’t have to bother with Principle 2 if you’re passing data to ‘worthy’ organisations.
It gets worse. The last element is giving you the right to write to them and object to receiving communications from what they think are worthy organisations that have been through a screening process although you don’t know much about their screening methods if they do in fact exist, and ended up on a list of organisations they sell your data to but which they may not keep).
It seems they are relying on the mythical but desirable exemption in the Act that says Charities are completely exempt from the DPA and also it seems exempt from writing simple Privacy Policies in Plain English.
Read more about how EU Data Protection Regulation will change the DP landscape. Attend our full day workshop.
It shocked me on Sunday morning (a few months ago) when driving into our local Sainsbury’s car park. Through bleary eyes I suddenly saw my registration number flash up on a display in front of me. It also said my 2 hours of free parking would end in precisely 1 hour and 59 minutes. After parking and doing a bit of investigating I found that they’d fitted cameras at the only entrance (which was also the exit) so they could snap you on the way in and on the way out and thereby obtain evidence (or not) of your length of stay. This isn’t new. Many car parks have been doing this for years but it does raise a few issues.
Filming and collecting personal data is OK as long as a Schedule 2 condition of the Data Protection Act is fulfilled. (I suppose, going off on one for a moment, that filming at a hospital car park might require a Schedule 3 condition, but that’s an argument for another day). The simplest Schedule 2 condition is consent, as the other 5 all require a “necessary” element. Do Sainsbury’s have your consent? Did you know that filming was going to happen before you attempted to enter their car park, or did it only register when your number plate was staring back at you? If you were filmed before you knew you’d been filmed, consent is out of the window.
Once inside the car park you could see signs that told you more about the filming. Looks good to start with but the small print really is small and is also 8 feet up in the air (that old joke again!). I couldn’t actually read the small print. Basic fact remains that the Fair Processing Notice whatever the quality of it was only available after the processing took place.
So far we’ve missed out on an obvious Schedule 2 condition and missed the fair processing element of Principle One. What else could go wrong? If the sensible Sainsbury’s shoppers don’t overstay their welcome they won’t be troubled by a bit of DPA non-compliance. But if they do go over their limit will Sainsbury’s do nothing or will they take the registration number they acquired unlawfully and unfairly and further process it by finding out more personal data about the driver and sending him/her a penalty notice?
It may be that they’ve explained all this very well somewhere but as an everyday shopper in a rush I didn’t see it. It may also be that holding the information about a car, and then its owner and their address, is proportionate if by so doing they allow you to stay a couple of minutes extra checking out the different brands of Prosecco, but it could also be argued that it is not. A recent court judgment about parking is interesting:
It seems to come down in favour of disproportionate penalties for parking and while it may be appealed the current climate is not very temperate.
The fact remains that Sainsbury’s have obtained your car’s number plate without giving you fair warning and are holding it and probably further processing it.
The old joke? What lies on its back 8 feet up in the air?
In recognition of National Poetry day last week, that was my shockingly brilliant (!!) effort at a short rhyme in aid of this blog post. I know, stick to the day job right? (And yes, I know that we are in October and not May).
As the rhyme suggests however, I was indeed browsing the web and I did indeed come across an interesting legal case looking at rights of access and metadata in telecoms/internet providers in Australia. Something of particular relevance at the moment in the light of the Australian Government announcing its new Data Retention Law.
In the news article and legal case an Australian citizen, Mr Grubb, exercised his rights under the Australian Privacy Act 1988 to ask for all information Telstra (a phone company) held about him. His request specifically asked for the meta-data associated against him:
“…I’d like to request all of the metadata information Telstra has stored about my mobile phone service (XXX XXX XXX).
The metadata would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called and so on. I assume estimated longitude and latitude positions would be stored too. This is the type of data I would like to receive.”
Although Telstra provided some data to Grubb, it refused to hand over internet protocol address information, edited versions of incoming call records and website URL information stating that retrieving the information would take disproportionate effort and therefore was unreasonable.
The Commissioner supported Telstra in its exemption of some pieces of information to do with telephone numbers of 3rd parties, particularly where those numbers had registered with a Telephone Preference type service in Australia. Telstra argued that it had no effective method of determining those numbers and removing them from the list therefore the entire list of inbound numbers to the Data Subject’s telephone line would be exempt.
The Commissioner did however reject a number of claims made by Telstra about the difficulty in retrieving and linking data to a person’s identity. Telstra relied in part on this submission to argue that certain types of Grubb’s data were not “personal information” because they could not be linked to the Data Subject’s identity. However, the Commissioner in his decision drew attention to Telstra’s provision of data to law enforcement agencies to show that it has (and has used in the past) the ability to process and connect different types of metadata to individuals.
It’s also interesting that since the case was initiated Telstra’s approach to customer access to metadata has shifted significantly. Telstra customers will now be able to access the same metadata about them (save for shared information) that Telstra would provide to law enforcement agencies, on request without a warrant.
Now while Australia is a very long way away from Europe this case does pose some interesting questions. I ran a search online for cases where metadata was refused under a Subject Access Request (SAR) but could not find any in the public domain. As we all know there are a growing number of laws appearing that require telecoms companies to capture and store such metadata for government access but to date I’ve not seen a similar legal challenge whereby the data has been refused in a SAR.
For those that don’t have much experience with metadata, the Oxford English Dictionary defines metadata as “a set of data that describes and gives information about other data”. In this context, telecommunications data is data that is associated with an account and its usage (e.g. masts used, websites visited, numbers called). On their own these items do not automatically equate to personal data, but once they are associated with one phone number they form the metadata of that person’s account. At that point it is personal data, as it can identify them and/or be associated with them.
The current subject access request code of practice from the UK Information Commissioner’s Office doesn’t specifically talk about metadata being or not being personal data or in scope for a SAR. Based on the principles of the Data Protection Act 1998 (DPA) and the fact that such metadata can and is requested by law enforcement agencies and is used to identify you; I would argue that this is Personal Data, as defined by the Act, and should be provided to a requestor under subject access.
How does this sit under the current proposed EU Data Protection Regulation text(s)? Well, you won’t find the term “metadata” in the Regulation text anywhere so there won’t be a crystal clear stance on it. Instead we will need to look at the definition of Personal Data as proposed.
In the European Council’s text Chapter 1, Article 4 (1) it defines Personal Data as;
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
So while the new proposed definition doesn’t specifically call out metadata, it does seem to imply that metadata would be covered. For example, your mobile number and all data that can identify your location (phone mast data for example) would be considered Personal Data under that definition, which isn’t that far removed from the DPA definition of Personal Data.
On that note, following a brief search online I have not been able to find any cases on SAR and telecoms in the public domain. I can find plenty of commentaries and a remotely similar financial services case. I would therefore be interested to see if anyone knows of one currently ongoing or that has been tested in the courts / tribunal so far to date?
Currently the UK Government is looking to revive the so-called “snooper’s charter” under the Draft Communications Data Bill. Therefore if government agencies are to spy / monitor / keep / ignore my personal data then I think that we should, at any point, see what that personal data is. I bet mine is really rather dull…but it’s my dull data dammit.
Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.
Read more about the EU Data Protection Regulation. Attend our full day workshop.
Returned from holiday to a mountain of mail. Usually this is good fun but recently it’s turned into a nightmare of more and more charity mailings. First off today was British Heart Foundation. A good cause and I walk voluntarily into their charity shops regularly to find bargains and do my bit. But because of recent publicity about charity mailings I took a hard line. I rang them up and asked to be taken off their mailing list. The operator was polite and efficient. She asked for the code next to my address beginning 52A so she could add me to their suppression list but when I quoted it she said I wasn’t actually on their mailing list. Strange – I am looking at a letter addressed to me at my address asking for money from BHF.
She was quick to explain however that it was a one off mailing using data supplied by a 3rd party so they didn’t actually process my name and address. They just used it. I trotted out the well worn definition of processing that all BCS certificate holders know and she did admit that it looked as if they were processing after all. I asked who was the 3rd party and it turned out to be Senior Rail Card.
(as an aside these are managed by ATOC Ltd which manages the contract for the issue and use of the Senior Railcard on behalf of the Train Companies. Reference to a ‘Train Company’ or the ‘Train Companies’ means those Train Companies which, pursuant to a franchise agreement, operate Passenger Railway Services in Great Britain. Their website has a cookie policy but no privacy policy. Nowhere on their website do they assure you that they will only use your personal data to supply you with a senior railcard. Nowhere do they inform you that they will pass it on to anyone else.)
To be honest it wasn’t Senior Rail card who gave my details to BHF it was Media Lab group; BHF told me at the same time they told me about Senior Rail card.
Media Lab has a website where it says
“The media landscape may have changed, but the need for data hasn’t. That’s why at Medialab, we live and breathe data. It’s at the centre of everything we do. Our data-driven approach allows us to develop successful multi-channel media plans that are built on econometric analysis, innovation and a passion for our clients’ results. As a leading integrated direct response agency, we plan campaigns for the UK’s leading brands including National Trust, Post Office and Macmillan.”
Bizarrely for a data driven company they don’t have a privacy policy either. They were the company that gave my data to BHF. They got it from ATOC. I’m not sure how the transfer of data was made or whether money changed hands. We just don’t know. But I thought when I bought my senior rail card that my personal data would only be used for me to get cheap rail fares, not to donate to heart charities or end up in the hands of list brokers.
The efficient BHF operator said she couldn’t delete me from their mailing list as I wasn’t actually on it. The list really belonged to Media Lab Group. They only used it to mail me. (Did someone at the back say Data Processor agreement and breach of Principle 7?).
However she had a solution to my predicament. She would add me to their database and immediately add me to their suppression list. Brilliant.
Next Alzheimers. Not as we first thought the Alzheimers Society (See comments) but another organisation working in this sector.
They also asked for money (or any donation will do) and they did have a privacy policy and also an undertaking issued by the ICO. They also gave me my Supporter reference number, which was why they were contacting me. Because a year ago I filled in an online quiz to see if I was presenting any of the symptoms of dementia. At no time before, during or after the quiz did they give me any indication they would tap me up for money, nor was I asked if I wanted to become a supporter of theirs.
I rang them up to ask them to remove me from their mailing list but not a lot happened. When I say not a lot there was a recorded message saying “we apologise for the delay” then there was silence for the next 10 minutes at which point I gave up. They could have whistled a tune or even played a song but nothing. It was as if they had forgotten to answer or they were hoping (like Doc Martin) that I had no patience.
They were right so I used the system they provided to communicate with them. This time they supplied an SAE and a form where I could inform them of my preferences so I did. They’d used a jocular style to contact me without my consent so I replied in the same vein.
Only 20 more charity letters to deal with… How I hate coming home from holidays.
I received an email last week. It was from someone I’d never heard of.
Translating this into PECR speak
We have a list of emails. We don’t think we have your consent to email you which would lead to us breaching PECR so we’re writing to ask for your permission which in itself is breach of PECR. By putting Request for Permission in the subject line we’re hoping you’ll think we know what we’re doing and that we’re a nice company.
I asked them by email to tell me where they obtained my email. A week later they hadn’t replied. I know a week is a long time in politics but a week is a light year in emails.
I upgraded my request to a Subject Access Request and suggested they pass my request to their DPO. Less than 3 hours later I had a reply which appeared to come from near the top.
Dear Sir
Thank you very much for your email and for reaching out to us with regards to our recent emails to you. We have carried out an investigation into your complaint as we take this type of matter very seriously.
As per your inquiry, we have recently acquired a new supplier called “Latest Mailing Database” (latestdatabase.com) who provided us with a list of customers’ email addresses interested in travel. They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes.
Upon receiving your inquiry, we have realised that the reassurances we received from this company are in question. While we investigate this further, we have subsequently ceased the use of the mailing list they have provided and all the e-mails, including yours, have now been deleted from our databases.
We apologise for any inconvenience caused.
Best regards,
Spiros XXXXXXX
Head of International Marketing and Business Development
At least I received a reply but the phrase “They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes” started to worry me. Also a list of people who are interested in travel. Isn’t that a list of everyone in the world? We all travel. Now if they’d asked for a list of those interested in sex and travel we’d have a snappy answer.
Globehunters have a privacy policy which looks pretty good. Just for fun I looked up their company name and their postcode on the ICO Register of Data Controllers. The ICO doesn’t have any record of their name and there are only 2 notifications from their postcode both from the next door building.
I couldn’t resist looking at his source for the emails.
http://www.latestdatabase.com A quick scan through showed their address was Majira Bypass Sajahanpur, Bogra, Bangladesh and they sold email lists. Google maps zeroes in rapidly on a company called seoexparte. A touching review of the company is available.
Their UK customer list boasted 2 million records for just $300.
Listing Include:
* Frist Name (sic)
* Last Name
* Age
* address
* Email Address
* Ip address
* Phone number
They also have a blog (http://www.latestdatabase.com/appearance-adele-gaga/) and although it would be churlish to mock their poor English if they’re operating in a global marketplace and assuring their customers contractually of the quality of their product it might be a good idea to use a spell checker.
So where are we now? For £190 a start up company has bought 2 million customer emails. This means that my email is worth about 1/100th of a penny. When prodded they realise that they may have bought in a dodgy list, so they apologise and take my name off their list. A good response, but no mention of my Subject Access Request. No Notification for their business, and a lead to a major list seller who may just not check their lists that well.
All in a day’s work for a PECR vigilante. I’ll see if Spiros comes back.
Act Now Training is one of the UK’s leading providers of seminars and workshops on all aspects of Data Protection, Freedom of Information, Surveillance Law and Records Management. More details: www.actnow.org.uk
In case you missed it over the last week or so, it has been confirmed that the European Council has agreed a text of the Draft EU Data Protection Regulation. You would think that would be the final stage but alas no. Instead this version now goes back to the Commission & Parliament for tripartite (“trilogue”) discussion and agreement. This really is the final stage of the legal process, in which the Council, the EU Parliament and the EU Commission will now negotiate on this document to agree a final text that can become law (promise… it really is the last stage).
However, in typical governmental fashion of not being able to do anything smoothly, 2 versions were ‘released’. One is the Council of Ministers’ final text agreed on June 15th: the Council of Ministers text minus objections from Member States.
There is still some discussion to be had however and in the comments version the Council acknowledges this. First up, with regards to police processing of personal data the regulation now includes as a purpose for processing “safeguarding against and the prevention of threats to public security”. Which, at face value, seems rather wide and “loose” in its wording. We all know that defining a “threat to public security” can be open to various interpretations therefore this may meet with some stiff opposition.
The Council has also said that there needs to be some discussion around the “lawfulness of processing” under Article 6, recital (40) and Article 19(1). The Council is looking to approve final wording on the legitimacy of processing data for a purpose that is incompatible with the original purpose for which it was collected. The current proposal looks to allow such processing but, as a condition, gives the data subject a means to legitimately object. Again, how this will work in the real world is open to interpretation, but given that this is a move away from the current Directive’s standards it will be interesting to see if the Council and Parliament accept that.
The Council also appears to be looking for further discussion on the right to compensation and liability outlined in Article 77 and recitals (112), (113a), (118) and (118b). The current proposal clarifies the roles and liabilities for processing that is not compatible with the regulation. Namely it is looking to narrow the extent of liability for a processor or controller where it can be demonstrated that the controller or processor concerned is not fully liable (i.e. it can be clearly demonstrated that it wasn’t their fault). It makes sense but again, how that will go down with the Parliament and Commission will be interesting.
I’ve now had the chance to read through this updated text and in short it smells an awful lot like a beefed up Directive. A lot of the stricter wording that was in the initial draft proposed by the Commission, and indeed in the Parliament draft, has been replaced with general expectations, the finer details of which member state law or local codes of practice are encouraged to work out. Some of the aspects of the regulation even invite member states to write complementary laws so that those sections can be properly enacted within that member state. (I’m sure that’s the purpose of a Directive you know…).
Here’s a quick summary for you;
Member states can create their own laws on conditions for processing certain types of data (national ID numbers for example). (Article 9 (5)). This also extends to the conditions for processing HR data which can be defined by local member state work agreements.
Member states can decide if fines are to be used on public sector bodies.
Article 79a – Fines of up to 250,000 euros or 0.5% of previous year global annual turnover for deliberate or negligent breaches & not responding to SARs.
Article 79a – Fines of up to 500,000 euros or 1.0% of previous year global annual turnover for any of the above or;
Does not provide information in a timely manner to a data subject
Does not provide access or rectify data belonging to the data subject
Does not erase personal data belonging to the data subject
Processing data in violation of any restrictions on processing outlined in Article 17 (Notification obligation regarding rectification, erasure or restriction).
Does not communicate any rectification, erasure or restriction requests to 3rd parties
Does not provide the data subject with their personal data.
Processing data after an objection to processing has been received, with no viable reason for legitimate processing.
Does not provide data subject with information about the right to object to processing of information for marketing purposes.
Does not sufficiently determine responsibilities of joint controllers.
Does not maintain sufficient documentation pursuant to Articles 28 (Records of categories of personal data processing activities) & 34 (Prior consultation).
Article 79a – Fines of up to 1,000,000 euros or 2.0% of previous year global annual turnover for any of the above or;
Processes information without a legal basis for doing so or does not obtain appropriate consent.
Does not comply with conditions for automated decision making & profiling.
Does not implement measures to demonstrate compliance with Articles 22 (Obligations of the controller) and 30 (Security of processing).
Does not designate a representative in violation of Article 25 (Representatives of controllers not established in the Union).
Processes or instructs the processing of personal data in violation of Article 26 (Processor).
Does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 (Notification of a personal data breach to the supervisory authority) and 32 (Communication of a personal data breach to the data subject).
Does not carry out a data protection impact assessment in violation of Article 33 (Data protection impact assessment) or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2) (Prior consultation).
Misuses a data protection seal or mark in the meaning of Article 39 (Certification) or does not comply with the conditions and procedures laid down in Articles 38a (Monitoring of approved codes of conduct) and 39a (Certification body and procedure).
Carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44 (Transfer of Personal Data to third countries or international organisations).
Does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1b) or does not provide access in violation of Article 53(1) (Powers).
Article 38 – Member states can create their own codes of practice and standards for data protection for specific sectors. These need approval by the EU Data Protection Board but can be developed per member state, per sector.
Article 54a – One stop shop concept for regulatory action and complaint handling amongst supervisory authorities remains.
Article 12 – Removal of charging for SARs remains.
Article 70 – Removal of the need to register all processing of personal data remains; instead only high risk processing must be registered (at no charge) and will be published by the supervisory authority.
Data portability now does not apply to the public sector or any processing for the enactment of a contract. (General Text, paragraph 55)
Article 31 – Breach notification to a supervisory authority is now 72 hours or “without undue delay” if longer than that period.
This Regulation is as close to a final version as we are going to get for the moment. As we’ve seen in recent weeks and months, the majority of Data Protection regulators and even the EU Commission are saying that elements of the Regulation should start to be implemented from this point onwards (e.g. the Netherlands is implementing a general DP breach notification law from next year). Some are even using the principles of the Regulation in the interpretation of current law (the ‘right to be forgotten’ for example).
I intend to do a few more articles over the coming weeks to look in more detail at some of the wording and what this could mean if the Parliament and Commission accept the current draft (which is a realistic possibility).
Author:
Scott Sammons CIPP/E, AMIRMS
@privacyminion
Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.
It’s quite simple. You’ve just bought a product and the company who just sold it to you asks for a friend’s email so they can market to them. If they buy then you (and they) get a cheque for £25. What a great idea!
a) You must have obtained the email address in the course of a sale or negotiations for a sale
b) You should only market similar products
c) You should offer an opt out with every message.
They clearly miss the first one as they have made no sale nor negotiated with your friend. The second one falls by the wayside for the same reason as your friend won’t have bought anything from them, so there is no “similar” test. Finally, we’ll credit them with offering an opt out (although based on their understanding of email marketing so far that’s being generous).
There is a safety valve. If your friend, after being sold down the river, does not buy from the company, then their email will never be used by the company. In fact it will be destroyed securely within 30 days. And of course it will never be passed to any other organisation or sold to a list broker.
Unfortunately the company doesn’t offer any of the guarantees in the previous paragraph. They may well do so but they don’t bother with any concept of a fair processing notice. How do you feel about sending your friend’s email to this organisation? If they’re happy to pay £25 to buy an email address that makes a sale what price do they put on a prospect?
I’m not a hacker. I’ve started an online course to learn how to be one. There is no course literature or reading list. The exam, which can be taken at any time, has one task: “Your grade is held in a secure area at Hacker’s University. Change it to Pass and email yourself a PDF of your certificate”.
But if I was a hacker I’m sure I could find a way to flood this business that’s trying to buy email addresses with a few long lists of emails. All those on JISCmail data protection list; All people with NHS.net; I have many lists that people have sent me by accident.
Paul Simpkins is a Director and trainer at Act Now Training Ltd.
No time to attend our PECR courses? Try our on demand PECR webinars. One hour of learning for only £39 plus VAT.
It is an oft-repeated phrase that the Freedom of Information Act (FOI) provides a right of access to information but not documents. A recent Court of Appeal decision shows that it is not that straightforward an issue.
Section 1 contains the general right of access and uses the term “request for information.” But what exactly is “information”? Section 84 defines it as “information recorded in any form.” This includes information held on paper, computer, video, audiotapes as well as that contained in manuscript notes. No mention is made of access to the actual documents containing the information. However this does not mean that documents cannot be requested.
A request for a document will generally be a valid request for all of the information contained within that document (including visual format, design, layout etc). In considering whether the public authority has complied with the request, the question is whether all of the information recorded in the document has been provided. It will not be sufficient to rephrase the document or provide an outline or summary of its contents unless the applicant has specifically expressed a preference for a digest or summary under section 11(1)(c).
This matter has now been put beyond doubt by a Court of Appeal decision this week. Judges dismissed an appeal by the Independent Parliamentary Standards Authority (IPSA), the body that oversees MPs’ expenses claims, from a decision of the Upper Tribunal requiring it to release copies of MPs’ invoices and receipts. This is the latest in a series of appeals by IPSA in an attempt to overturn the original decision of the Information Commissioner.
In April 2013 the First Tier Tribunal (Information Rights) ruled that images of MPs’ expense claim receipts were information to which the FOI applied (IPSA v Information Commissioner (EA/2012/0242)). The background to the request was that, following the MPs’ expenses scandal, the then newly-formed IPSA decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims. Only text transcribed from the submitted receipts would be published.
A journalist made an FOI request for the actual receipts submitted by a number of MPs. The question arose as to whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOI, which was not captured by the transcription process favoured by IPSA. The Tribunal concluded that the definition of information (in this case) included logos, letterheads, handwriting, manuscript comments, and even the layout and style of the requested documents. These were not disclosed to the requestor as a result of providing a transcription, rather than a copy, of the relevant receipts.
“It is to me also trite to note that the wording on a typical receipt or invoice is only part of what a recipient sees when looking at it. Typically there will be verbal and numerical content to be read and understood, but there will also be visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience, if I may term it that, communicated by the receipt or invoice.”
In the judge’s view information is more than just the words and figures on a piece of paper. Sometimes the nature of the request will mean that the only way to convey all the information on a document is to disclose the original or at least a copy. He gave the example of Land Registry plans, drawings and photographic evidence of a particular building.
In coming to his decision the judge took note of the Scottish Court of Session decision in Glasgow CC v SIC [2009] CSIH 73 under the Freedom of Information (Scotland) Act 2002 (FOISA). As a general point of principle, the Commissioner and the Tribunal are not bound by Court of Session decisions on FOISA, although they may be considered persuasive where the terms of FOISA mirror the terms of FOI. In the Scottish case the applicant specifically wanted the public authority to provide copies of the documents, although he acknowledged that the same information was available elsewhere. The Court confirmed that FOISA entitles requesters to the information within a document, rather than a copy of the document itself. To the extent that this request was specifically for copies of the documents over and above the information they contained, it was invalid. The Court rejected an argument that the copy documents were “information” distinct from the information contained within them.
Paragraph 45 of the Court of Session judgment states:
“Where the request does not describe the information requested… but refers to a document which may contain the relevant information, it may nonetheless be reasonably clear in the circumstances that it is the information recorded in the document that is relevant.”
However paragraph 48 should be noted:
“The difference between the original and a copy… does not consist in any difference between the information recorded in each document: that information, if the copy is true and accurate, will be identical.” (my emphasis)
To quote one of our FOI trainers (Philip Bradshaw), much will also in practice depend on the wording of the request. Contrast “How much did you spend on pencils?” with “Can I have a copy of your pencil invoices?”. You can clearly provide in permanent form all the recorded information within scope of the first request without copies, but not perhaps for the second.
In the IPSA case, the judge ruled that transcriptions of the requested receipts would not be “true and accurate”, as they would not contain all the same information as the originals, e.g. logos, style, layout etc.
This is an interesting decision especially for those public authorities who often insist, when refusing to supply actual documents (such as minutes of meetings) that FOI is about access to information not documents. Sometimes the requestor is interested in the document, which contains the requested information, as it will give a further insight into its background and the thoughts/observations of the producers/subjects of the document.
IPSA has been given time to consider taking the case to the Supreme Court.
Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops which are delivered in one hour online sessions as well as full day face to face sessions.