The Data Protection and Digital Information Bill: A new UK GDPR?

In July the Government published the Data Protection and Digital Information Bill, the next step in its much publicised plans to reform the UK Data Protection regime following Brexit. 

In the Government’s response to the September 2021 consultation (“Data: A New Direction”) it said it intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” To achieve this, the new Bill proposes substantial amendments to existing UK data protection legislation; namely the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). There is no shiny new Data Protection Act 2022 or even a new colour for the UK GDPR! Perhaps a missed opportunity to showcase the benefits of Brexit! 

In addition to reforming core data protection law, the Bill deals with certification of digital identity providers, electronic registers of births and deaths and information standards for data-sharing in the health and adult social care system. The notable DP provisions are set out below.

Amended Definition of Personal Data

Clause 1 of the Bill limits the scope of personal data to:

  • where the information is identifiable by the controller or processor by reasonable means at the time of the processing; or
  • where the controller or processor ought to know that another person will likely obtain the information as a result of the processing and the individual will likely be identifiable by that person by reasonable means at the time of the processing.

This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world. It could make it easier for organisations to achieve data anonymisation as they would no longer need to concern themselves with potential future identifiability, with the focus instead being on identifiability “at the time of the processing”. On the other hand, the change does not address the risk of indirect identification.

Vexatious Data Subject Requests

Article 12 of the UK GDPR allows controllers to refuse to comply with data subject rights requests (or charge a fee) when the requests are “manifestly unfounded” or “excessive”.  Clause 7 of the Bill proposes to replace this with “vexatious” or “excessive”. Examples of vexatious requests given in the Bill are those requests intended to cause distress, not made in good faith, or that are an abuse of process. All these could easily fit into “manifestly unfounded” and so it is difficult to understand the need for change here. 

Data Subject Complaints

Currently, the UK GDPR allows a data subject to complain to the Information Commissioner, but nothing expressly deals with whether or how they can complain to a controller. Clause 39 of the Bill would make provision for this and require the controller to acknowledge receipt of such a complaint within 30 days and respond substantively “without undue delay”. However, under clause 40, if a data subject has not made a complaint to the controller, the ICO is entitled not to accept the complaint.

Much was made about “privacy management programmes” in the Government’s June announcement. These are not expressly mentioned in the Bill but most of the proposals that were to have fallen under that banner are still there (see below).

Senior Responsible Individuals

As announced in June, the obligation for some controllers and processors to appoint a Data Protection Officer (DPO) is proposed to be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals, are required (by clause 14) to designate a senior manager as a “Senior Responsible Individual”. Just like the DPO, the SRI must be adequately resourced and cannot be dismissed for performing their tasks under the role. The requirement for them to be a senior manager (rather than just reporting to senior management, as current DPOs must) will cause problems for those organisations currently using outsourced DPO services.

ROPAs and DPIAs

The requirement for Records of Processing Activities (ROPAs) will also go. Clause 15 of the Bill proposes to replace it with a leaner “Record of Processing of Personal Data”.  Clause 17 will replace Data Protection Impact Assessments (DPIAs) with leaner and less prescriptive Assessments of High Risk Processing. Clause 18 ensures that controllers are no longer required, under Article 36 of the UK GDPR, to consult the ICO on certain high risk DPIAs.

Automated Decision Making

Article 22 of UK GDPR currently confers a “right” on data subjects not to be subject to automated decision making which produces legal effects or otherwise significantly affects them. Clause 11 of the Bill reframes Article 22 in terms of a positive right to human intervention. However, it would only apply to “significant” decisions, rather than decisions that produce legal effects or similarly significant effects. It is unclear whether this will make any practical difference. 

International Transfers 

The judgment of the European Court of Justice (ECJ) in “Schrems II” not only stated that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. It also said that in any international data transfer situation, whether to the USA or other countries, the data exporter needs to make a complex assessment  about the recipient country’s data protection legislation to ensure that it adequately protects the data especially from access by foreign security agencies (a Transfer Impact Assessment or TIA) .  

The Bill amends Chapter 5 of the UK GDPR (international transfers) with the introduction of the “data protection test” for the above mentioned assessment. This would involve determining if the standard of protection provided for data subjects in the recipient country is “not materially lower” than the standard of protection in the UK. The new test would apply both to the Secretary of State, when making “adequacy” determinations, and to controllers, when deciding whether to transfer data. The explanatory notes to the Bill state that the test would not require a “point- by-point comparison” between the other country’s regime and the UK’s. Instead an assessment will be “based on outcomes i.e. the overall standard of protection for a data subject”. 

An outcome based approach will be welcome by organisations who regularly transfer personal data internationally especially where it is of no practical interest to foreign security agencies. However, this proposed approach will attract the attention of the EU (see later). (see also our forthcoming International Transfers webinar).

The Information Commission

Under clause 100 of the Bill, the Information Commissioner’s Office will transform into the Information Commission; a corporate body with a chief executive (presumably John Edwards, the current Commissioner). 

The Commission would have a principal function of overseeing data protection alongside additional duties such as to have regard to the desirability of promoting innovation; the desirability of promoting competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard public security and national security. New powers for the Commission include an audit/assessment power (clause 35) to require a controller to appoint a person to prepare and provide a report and to compel individuals to attend for interviews (clause 36) in civil and criminal investigations.

The Bill also proposes to abolish the Surveillance Camera Commissioner and the Biometrics Commissioner.

Privacy and Electronic Communications (EC Directive) Regulations 2003 

Currently, under PECR, cookies (and similar technologies) can only be used to store or access information on end user terminal equipment without express consent where it is “strictly necessary” e.g. website security or proper functioning of the site. The Bill proposes allowing cookies to be used without consent for the purposes of web analytics and to install automatic software updates (see the GDPR enforcement cases involving Google Analytics). 

Another notable proposed change to PECR, involves extending “the soft opt-in” to electronic communications from organisations other than businesses. This would permit political parties, charities and other non-profits to send unsolicited email and SMS direct marketing to individuals without consent, where they have an existing supporter relationship with the recipient. 

Finally on PECR, the Bill proposes to increase the fines for infringement from the current maximum of £500,000 to UK GDPR levels i.e.  up to £17.5m of 4% of global annual turnover (whichever is higher). 

Business Data

The Bill would give the Secretary of State and the Treasury the power to issue regulations requiring “data holders” to make available “customer data” and “business data” to customers or third parties, as well as regulations requiring certain processing, such as collection and retention, of such data. “Customers” would not just be data subjects, but anyone who purchased (or received for free) goods, services or digital content from a trader in a consumer (rather than business) context. “Business data” would include information about goods, services and digital content supplied or provided by a trader. It would also include information about where those goods etc. are supplied, the terms on which they are supplied or provided, prices or performance and information relating to feedback from customers. Customers would potentially have a right to access their data, which might include information on the customer’s usage patterns and the price paid to aid personalised price comparisons. Similarly, businesses could potentially be required to publish, or otherwise make available, business data.

These provisions go much further than existing data portability provisions in the UK GDPR. The latter does not guarantee provision of data in “real time”, nor cover wider contextual data. Nor do they apply where the customer is not an individual.

Adequacy?

The Bill is currently making its way through Parliament. The impact assessment reiterates that “the government’s view is that reform of UK legislation on personal data is compatible with the EU maintaining free flow of personal data from Europe.”  However, with the multiple amendments proposed in the Bill, the UK GDPR is starting to look quite different to the EU version. And the more the two regimes diverge, the more there is a risk that the EU might put a “spanner in the works” when the UK adequacy assessment is reviewed in 2024. Much depends on the balance struck in the final text of the Bill. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September. 

Cabinet Office Receives £500,000 GDPR Fine

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However in 2020 the media attention was on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses; a clear breach of the General Data Protection Regulation (GDPR) particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as holocaust survivors were also on the list which was published online at 10.30pm on Friday 26th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published with their name. One of the lessons here is, always have a second person check the data before pressing “publish”.

This is the first ever GDPR fine issued by the ICO to a public sector organisation. A stark contrast to the ICO’s fines under the DPA 1998 where they started with a local authority. Article 82(1) sets out the right to compensation:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It will be interesting to see how many of the affected individuals pursue a civil claim. 

(See also our blog post from the time the breach was reported.)

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.

To Share or Not to Share; That is the Question! 

elaine-casap-qgHGDbbSNm8-unsplash

On 5th October 2021 the Data Sharing Code of Practice from the Information Commissioner’s Office came into effect for UK based Data Controllers.  

The code is not law nor does it ‘enforce’ data sharing, but it does provide some useful steps to consider when sharing personal data either as a one off or as part of an ongoing arrangement. Data Protection professionals, and the staff in the organisations they serve, will still need to navigate a way through various pressures, frameworks, and expectations on the sharing of personal data; case by case, framework by framework. A more detailed post on the contents of the code can be read here.  

Act Now Training is pleased to announce a new full day ‘hands on’ workshop for Data Protection professionals on Data Sharing. Our expert trainer, Scott Sammons, will look at the practical steps to take, sharing frameworks and protocols, risks to consider etc. Scott will also explore how, as part of your wider IG framework, you can establish a proactive support framework; making it easier for staff to understand their data sharing obligations/expectations and driving down the temptation to use a ‘Data Protection Duck out’ for why something was shared/not shared inappropriately.  

Delegates will also be encouraged to bring a data sharing scenario to discuss with fellow delegates and the tutor. This workshop can also be customised and delivered to your organisation at your premises or virtually. Get in touch to learn more.

advanced_cert

Law Enforcement Processing and the Meaning of “authorised by law”

ethan-wilkinson-UJdx3XM3xao-unsplash

In October, there was a decision in the Scottish courts which will be of interest to data protection practitioners and lawyers when interpreting Part 3 of the Data Protection Act 2018 (law enforcement processing)  and more generally the UK GDPR.

The General Teaching Council For Scotland v The Chief Constable of The Police Service of Scotland could fairly be described as a skirmish about expenses (known as costs in other parts of the UK) in seven Petitions to the Court of Session by the General Teaching Council for Scotland (“GTCS”) against the Chief Constable of the Police Service of Scotland (“Police Scotland”). The petitions essentially sought disclosure of information, held by Police Scotland, to the GTCS which the GTCS had asked Police Scotland for, but which the latter had refused to provide. 

This case will be of interest to data protection practitioners for two reasons: (1) there is some consideration by Lord Uist as to what “authorised by law” means in the context of processing personal data under Part 3 DPA 2018 for purposes other than law enforcement purposes; and (2) it contains a salutary reminder that while advice from the Information Commissioner’s Office (ICO) can be useful, it can also be wrong; as well as the responsibilities of data controllers in relation to their decisions.

The GTCS is the statutory body responsible for the regulation of the teaching profession in Scotland. They are responsible for assessing the fitness of people applying to be added to the register of teachers in Scotland as well as the continuing fitness of those already on the register. In reliance of these functions, the GTCS had requested information from Police Scotland in order to assist it in fulfilling these duties. The information held by Police Scotland was processed by them for the law enforcement purposes; it thus fell within Part 3 of the DPA 2018. In response, the GTCS petitioned the Court of Session for orders requiring Police Scotland to release the information. Police Scotland did not oppose the Petitions and argued that it should not be found liable for the expenses of the GTCS in bringing the Petitions to the court. This was on the basis that it had not opposed them and it could not have given the GTCS information without the court’s order.

The ICO advice to Police Scotland

Police Scotland refused to supply the information without a court order on the basis that to do so would be processing the personal data for purposes other than the law enforcement purposes where the disclosure was authorised by law in contravention of the second Data Protection Principle under Section 36 of the DPA 2018 which states:

“(1) The second data protection principle is that – (a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and (b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected. 

(2) Paragraph (b) of the second data protection principle is subject to subsections (3) and (4). 

(3) Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that – 

(a) the controller is authorised by law to process that data for the other purpose, and
(b) the processing is necessary and proportionate to that other purpose. 

(4) Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.” 

Police Scotland was relying upon advice from the ICO. That advice was that Police Scotland “would require either an order of the court or a specific statutory obligation to provide the information”, otherwise Police Scotland would be breaching the requirements of the DPA 2018. A longer form of the advice provided by the ICO to Police Scotland may be found at paragraph 10 of Lord Uist’s decision.

The ICO’s advice to Police Scotland was in conflict with what the ICO said in its code of practice issued under section 121 of the DPA 2018. There the ICO said that “authorised by law” could be “for example, statute, common law, royal prerogative or statutory code”. 

Authorised by Law

Lord Uist decided that the position adopted by Police Scotland, and the advice given to them by the ICO, was “plainly wrong”; concluding that the disclosure of the information requested by the GTCS would have been authorised by law without a court order.

The law recognises the need to balance the public interest in the free flow of information to the police for criminal proceedings, which requires that information given in confidence is not used for other purposes, against the public interest in protecting the public by disclosing confidential  information to regulatory bodies charged with ensuring professionals within their scope of responsibility are fit to continue practising. In essence, when the police are dealing with requests for personal data processed for law enforcement purposes by regulatory bodies, they must have regard to the public interest in ensuring that these regulatory bodies, which exist to protect the public, are able to carry out their own statutory functions.

Perhaps more significantly, the law also recognises that a court order is not required for such disclosures to be made to regulatory bodies. This meant that there was, at common law, a lawful basis upon which Police Scotland could have released the information requested by the GTCS to them. Therefore, Police Scotland would not have been in breach of section 36(4) of the DPA 2018 had they provided the information without a court order.

In essence, a lack of a specific statutory power to require information to be provided to it, or a specific statutory requirement on the police to provide the information, does not mean a disclosure is not authorised by law. It is necessary, as the ICO’s code of practice recognises, to look beyond statute and consider whether there is a basis at common law. 

Police Scotland was required by Lord Uist to meet the expenses of the GTCS in bringing the Petitions. This was because the Petitions had been necessitated by Police Scotland requiring a court order when none was required. Lord Uist was clear that Police Scotland had to take responsibility for their own decision; it was not relevant to consider that they acted on erroneous advice from the ICO.

This case serves as a clear reminder that, while useful, advice from the ICO can be wrong. The same too, of course, applies in respect of the guidance published by the ICO. It can be a good starting point, but it should never be the starting and end point. When receiving advice from the ICO it is necessary to think about that advice critically; especially where, as here, the advice contradicts other guidance published by the ICO. It is necessary to consider why there is a discrepancy and which is correct: the advice or the guidance?
It may, of course, be the case that both are actually incorrect.

The finding of liability for expenses is also a reminder that controllers are ultimately responsible for the decisions that they take in relation to the processing of personal data.
It is not good enough to effectively outsource that decision-making and responsibility to the ICO. Taking tricky questions to the regulator does not absolve the controller from considering the question itself, both before and after seeking the advice of the ICO.

Finally, this case may also be a useful and helpful reference point when considering whether something is “authorised by law” for the purposes of processing under Part 3 of the DPA 2018. It is, however, a first instance decision (the Outer House of the Court of Session being broadly similar in status to the High Court in England and Wales) and that ought to be kept in mind when considering it.

Alistair Sloan is a Devil (pupil) at the Scottish Bar; prior to commencing devilling he was a solicitor in Scotland and advised controllers, data protection officers and data subjects on a range of information law matters.

We have just announced a new full day workshop on Part 3 of the DPA 2018. See also our Part 3 Policy Pack.

advanced_cert

First ICO GDPR Fine Reduced on Appeal

photo-1580971266928-ff5d40c194a7

The first GDPR fine issued by the Information Commissioner’s Office (ICO) has been reduced by two thirds on appeal.

In December 2019, Doorstep Dispensaree Ltd, a company which supplies medicines to customers and care homes, was the subject of a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. Following an investigation, the ICO ruled that the company had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The ICO launched its investigation after it was alerted by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the company.

The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. It also issued an Enforcement Notice after finding, amongst other things, that the company’s privacy notices and internal policies were not up to scratch.

On appeal, the First Tier Tribunal (Information Rights) ruled that the original fine of £275,000 should be reduced to £92,000. It concluded that 73,719 documents had been seized by the MHRA, and not approximately 500,000 as the ICO had estimated. She also held that 12,491 of those documents contained personal data and 53,871 contained Special Category Data.

A key learning point from this appeal is that data controllers cannot be absolved of responsibility for personal data simply because data processors breach contractual terms around security. The company argued that, by virtue of Article 28(1) of GDPR, its data destruction company (JPL) had become the data controller of the offending data because it was processing the data otherwise than in accordance with their instructions. In support of this argument it relied on its contractual arrangement with JPL, under which JPL was only authorised to destroy personal data in relation to DDL- sourced excess medication and equipment and must do so securely and in good time. 

The judge said:

“The issue of whether a processor arrogated the role of controller in this context must be considered by reference to the Article 5(2) accountability principle. This provides the controller with retained responsibility for ensuring compliance with the Article 5(1) data processing principles, including through the provision of comprehensive data processing policies. Although it is possible that a tipping point may be reached whereby the processor’s departure from the agreed policies becomes an arrogation of the controller’s role, I am satisfied that this does not apply to the facts of this case.” 

This case shows the importance of data controllers keeping a close eye on data processors especially where they have access to or are required to destroy or store sensitive data. Merely relying on the data processor contract is not enough to avoid ICO enforcement. 

Our  GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.

Ticketmaster Fined £1.25m Over Cyber Attack

0_MGP_CHP_270618TICKETMASTER_0736ticketmasterJPG

GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4million Ticketmaster customers across Europe including 1.5 million in the UK. 

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these bank and others had warned Ticketmaster of suspected fraud. Despite these warnings it took nine weeks to start monitoring activity on its payments page. 

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.” 

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe.
Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

The ICO’s New Subject Access Guidance

markus-winkler-afW1hht0NSs-unsplash

GDPR has introduced some new Data Subject rights including the right to erasure and data portability. The familiar right of Subject Access though still remains albeit with some additional obligations. Last week the Information Commissioner’s Office (ICO) published its long awaited right of access detailed guidance following a consultation exercise in December. The guidance provides some much needed clarification on key subject access issues Data Controllers have been grappling with since May 2018. 

Reasonable Searches 

Sometimes Data Subjects make subject access requests with the aim of creating maximum work for the recipient. “I want to see all the documents you hold which have my name in them, including e mails” is a common one. How much effort has to be made when searching for such information? The new guidance states that Controllers should make reasonable efforts to find and retrieve the requested information. However, they are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.” Factors to consider when determining whether searches may be unreasonable or disproportionate are:

  • the circumstances of the request; 
  • any difficulties involved in finding the information; and 
  • the fundamental nature of the right of access. 

Thus there is no obligation to make every possible effort to find all instances of personal data on the Data Controller’s systems. However, the burden of proof is on Controllers to be able to justify why a search is unreasonable or disproportionate. 

Stopping the Clock 

Data Controllers have one month to respond to a subject access request. Normally this period starts from the day the request is received. Previously the ICO guidance stated that the day after receipt counted as ‘day one’. They revised their position last year following a Court of Justice (CJEU) ruling

Data Controllers can ask the Data Subject to clarify their request, if it is unclear what they want, but this often leaves little time to meet the one month deadline. Having considered consultation responses, the ICO’s position now is that where a request requires clarification, in certain circumstances, the clock can be stopped whilst Controllers are waiting for clarification. 

Manifestly Unfounded and Excessive 

Article 12(5) of GDPR allows Data Controllers to refuse a Data Subject request or charge a fee where it is “manifestly unfounded or excessive.” The burden of proving this is on the Controllers whose staff often struggle with these concepts. The ICO has now provided additional guidance on these terms. 

A request may be manifestly unfounded if: 

  • The individual clearly has no intention to exercise their right of access; or 
  • The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual: 
  • explicitly states, in the request itself or in other communications, that they intend to cause disruption; 
  • makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice; 
  • targets a particular employee against whom they have some personal grudge; or 
  • systematically sends different requests to the Controller as part of a campaign, e.g. once a week, with the intention of causing disruption. 

To determine whether a request is manifestly excessive Data Controllers need to consider whether it is clearly or obviously unreasonable. They should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including: 

  • the nature of the requested information; 
  • the context of the request, and the relationship between the Controller and the individual; 
  • whether a refusal to provide the information or even acknowledge if the Controller holds it may cause substantive damage to the individual; 
  • the Controller’s available resources; 
  • whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or 
  • whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).  

The Fee 

What can be included when charging a fee for manifestly unfounded or excessive requests? The new guidance says Data Controllers can take into account the administrative costs of: 

  • assessing whether or not they are processing the information; 
  • locating, retrieving and extracting the information; 
  • providing a copy of the information; and 
  • communicating the response to the individual 

A reasonable fee may include the costs of: 

  • photocopying, printing, postage and any other costs involved in transferring the information to the individual; 
  • equipment and supplies (e.g. discs, envelopes or USB devices) 

Staff time can also be included in the above based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. In the absence of relevant regulations under the Data Protection Act 2018, the ICO encourages Data Controllers to publish their criteria for charging a  fee and how they calculate it.  

Finally, the new ICO guidance emphasises the importance of preparation particularity the need to have: 

  • Training for employees to enable them to recognise subject access requests;  
  • Specific people appointed to deal with requests; 
  • Policies and procedures; and  
  • Technical systems in place to assist with the retrieval of requested information. 

Our Handling Subject Access Requests workshop is now available online. It covers all aspects of dealing with SARs including identifying and applying exemptionsLooking for a GDPR Qualification? Final places left on our online GDPR Practitioner Certificate

Act Now Associate Appointed to Judicial Position

EDIT-37

Act Now Training would like to congratulate Susan Wolf our senior associate, who has been appointed as a Fee Paid Member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction) and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction). 

We are delighted that Susan will continue in her current position at Act Now Training delivering our full range of online and classroom-based workshops. Susan also writes for our information law blog and has developed our very popular FOI Practitioner Certificate

Prior to joining us, Susan taught information rights practitioners on the LLM in Information Rights Law at at Northumbria University. She has also taught and presented workshops on FOI, EIR and access to EU information in Germany, the Czech Republic and throughout the UK. 

Commenting on Susan’s appointment Ibrahim Hasan Director of Act Now Training, said: 

“I am delighted that Susan’s expertise as an information rights lawyer has been recognised through this judicial appointment. I am sure that she will use her fantastic skills and experience to the benefit her new role.”

Act Now Supporting Innovative Digital DPIA Project

EQaZlPcXsAEyAX4

Act Now Training is pleased to announce that it is supporting a new public sector collaboration to co-design and develop a digital approach to Data Protection Impact Assessments (DPIAs).

This innovative six month project will help Data Controllers conducting DPIAs to ensure that a ’Data Protection by Design and Default’ approach is embedded into the process. The project is also supported by the Information Commissioner’s Office, NHSX and the Information and Records Management Society.

Greater Manchester Combined Authority, the London Office of Technology and Innovation, Norfolk County Council and the University of Nottingham are leading the project which follows on from a successful alpha phase undertaken last year. A full project overview can be read here: https://cc2i.org.uk/digital-dpia/

Ibrahim Hasan, Director of Act Now Training, said:

“We are really pleased to be supporting this innovative new project alongside the Information Commissioner’s Office, NHSX and the IRMS. A digital DPIA solution will be a valuable tool to help DPOs ensure that privacy and data protection are at the heart of every new data driven project.”

Are you a public authority wishing to a share in this exciting new project and shape the future of the Digital DPIA? Using a proven co-funding approach (similar to crowdfunding, but on a corporate level), the collective is actively looking for partners to join them in this cost-neutral project.

A webinar on the project and approach is being hosted on Wednesday 12th at 2pm. Led by Stephen Girling, Information Governance Project Manager at GMCA and Lianne Hawkins, Head of Service Design at Looking Local, this webinar will cover:

  • The background and outcomes of the original Digital DPIA alpha project undertaken by GMCA – including the headline business case
  • The benefits of a uniform approach to DPIAs across public sector
  • The work packages planned to deliver a digital DPIA solution
  • Partner benefits and their motivation to be part of this collaborative approach
  • Project partners timelines & what’s involved

We would encourage all our blog subscribers to register for the webinar here: http://bit.ly/2ScGdi2 A recording of the webinar will also be available. Please email  irene.zdziebko@cc2i.org.uk 

Viva Las Vegas

Welcome to fabulous Las Vegas sign

Act Now is pleased to announce that Ibrahim Hasan has accepted an invitation to address the 21st Annual NAPCP Commercial Card and Payment Conference in Las Vegas, April 6-9 2020.

high_rez_NAPCP all black with url

The NAPCP is a membership-based professional association committed to advancing Commercial Card and Payment professionals and industry practices globally, with timely research and resources, peer networking and events serving a community of almost 20,000 individuals worldwide. The NAPCP is a respected voice in the industry and an impartial resource for members at all experience levels in the public and private sectors.

In a session entitled “Complying with the GDPR and United States Privacy Legislation” Ibrahim will examine the impact of GDPR and the California Consumer Privacy Act (CCPA) on the Payment Card industry. He will also be presenting webinars pre and post conference on these subjects to the NAPCP community.

The NAPCP Annual Conference is the can’t-miss event for the industry, bringing together 600 professionals from around the world to share perspectives on all Commercial Card and Payment vehicles, including Purchasing Card, Travel Card, Fleet Card, Ghost Card, Declining Balance Card, ePayables and other electronic payment options. Experts and practitioners share case studies, successes and thought-provoking ideas in almost 80 breakout sessions, all with an eye for trends and innovation across sectors.

Diane McGuire, CPCP, MBA, Managing Director of the NACP, said:

“I am really pleased that Ibrahim has accepted our invitation to join us in Las Vegas. As legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights, our conference delegates will benefit from his GDPR and privacy expertise in what is sure to be a thought-provoking session.”

This is one of a number of international projects that Act Now has worked on in recent years. In June 2018 we delivered a GDPR workshop in Dubai for Middle East businesses and their advisers. In 2015 Ibrahim went to Brunei to conduct data protection audit training for government staff.

Ibrahim Hasan said:

“I am really pleased to address the NACP conference in Las Vegas. Our GDPR expertise is now being recognised abroad. The United States is the latest addition to our increasing international portfolio. We hope to use the conference as a platform to showcase our expertise to the US Data Controllers.”

Regular registration is now open for the event. Head over to this link to confirm registration.

NAPCPConferenceLogo_2020-high rez

Act Now’s forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.

%d bloggers like this: