Category: Reprimands

Police Scotland Fined for Mishandling Alleged Victim’s Mobile Phone Data 

The Information Commissioner’s Office (ICO) has fined the Police Scotland £66,000 and issued a Reprimand for serious failures in the handling of sensitive personal data. 

Detective Constable Lianne Gilbert, who has now waived her right to anonymity, made domestic abuse allegations, including serious sexual assault, against another officer in 2020. However when a misconduct inquiry took place two years later, it emerged data extracted from Ms Gilbert’s phone was given to the accused officer, his lawyer and his Scottish Police Federation (SPF) representative. There were 40,000 pages of extracted data including 80,000 images, medical records and contact details of Ms Gilbert’s friends and family. Some of the images were of an intimate nature.  

Ms Gilbert has given her account to BBC Scotland News. She said: 

“It’s been absolutely horrific and very, very traumatic.” 

“At the time it happened I had a five-month-old baby. It’s really impacted my motherhood journey. At times I still feel quite numb.” 

It is important to note that the officer in question has not been charged with any offences against Ms Gilbert and the case remains live. 

UK GDPR Breaches 

The ICO investigation concluded that:  

a) Police Scotland failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data by the PSD for the purposes of compiling misconduct packs for disclosure as part of its investigations (Article 32(1) UK GDPR); 

b) These deficiencies put the personal data processed by the PSD at risk of unauthorised disclosure, in breach of the requirement to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f) UK GDPR); 

c) Police Scotland failed, at the time of the determination of the means of processing and at the time of the processing itself, to implement appropriate technical and organisational measures designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the UK GDPR and protect the rights of data subjects (Article 25(1)-(2) UK GDPR); 

d) Police Scotland failed to ensure that the personal data processed by the PSD when compiling misconduct packs for disclosure was adequate, relevant and limited to what was necessary in relation to the purposes for which it was processing that data (Article 5(1)(c) UK GDPR); and 

e) Police Scotland failed to inform the Commissioner of the personal data breach within 72 hours of becoming aware of the same (Article 33(1) UK GDPR) 

In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. It initially concluded that a £132,000 fine would be effective, proportionate and dissuasive. However applying its controversial public sector approach to enforcement, it decided to reduce the amount by a factor of 50%. 

The Monetary Notice states that Police Scotland paid a sum of money (amount redacted) as compensation to Ms Gilbert. This may have been in anticipation of a civil claim by Ms Gilbert. Article 82 UK GDPR gives a data subject a right to compensation for material or non-material damage for any breach of the UK GDPR. Section 168 of the DPA 2018 confirms that “non-material damage” includes distress. There may be more claims to come; no doubt amongst the data extracted (and shared) from Ms Gilbert’s phone there will have been personal data related to third parties. 

Part 3 DPA Reprimand 

The related reprimand was issued under Part 3 of the Data Protection Act 2018 (law enforcement processing). Police Scotland is a competent authority under Part 3 and was, according to the ICO, processing Ms Gilbert’s data for law enforcement purpose when it extracted the data. The ICO found that Police Scotland had infringed sections 35 and 37 of the DPA by failing to ensure that: 

a) The bulk download of personal data on the mobile phone of the Data Subject was lawful and fair (section 35 DPA); and 

b) The personal data processed from the mobile phone download was adequate, relevant and not excessive in relation to the purposes for which it was processed (section 37 DPA). 

The ICO initially considered that a fine would be appropriate for these DPA breaches, and considered notifying Police Scotland of its intention to impose a fine of £78,750. However, once again, due to the revised approach to public sector enforcement it decided a reprimand was more appropriate. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.   

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update workshop and our Law Enforcement Data Processing workshop.

ICO Issues Reprimands to Scottish Councils for Subject Access Delays 

Last week the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR. 

Many Scottish local authorities have seen an increase in SARs in the past few years, particularly in relation to the Redress Scotland scheme which allows people, who suffered abuse while in care, to apply for redress using supporting documents such as their care record. This increase was reported as 67% between 2021 and 2024.  

In its press release, the ICO says it has supported local authorities to improve their SAR response times and this has led to a 75% improvement, with 13 local authorities reporting a compliance rate of 90% in 2023/24. However, two local authorities have been singled out for a reprimand: 

Why did the ICO not issue a fine? In June 2022, the ICO revised its approach to enforcement of the UK GDPR against public sector organisations choosing to issue reprimands in most cases. Last summer, it announced a review of this approach following criticism that it was not effective in delivering GDPR compliance and that it was unfair to treat the public sector differently to other sectors. 

In December last year, the Commissioner issued a statement following publication of the review report. In short, he has decided to continue with his approach. He said: 

“Feedback from the review said that public authorities saw the publication of reprimands as effective deterrents, mainly due to reputational damage and potential impact on public trust, and how they can be used to capture the attention of senior leaders. Central government departments cited increased engagement and positive changes on the back of reprimands, particularly with our regular interaction with the government’s Chief Operating Officers Network. But wider public sector organisations displayed limited awareness, which means we must do more to share best practice and lessons learned.” 

The Commissioner also launched a consultation on the scope of the public sector enforcement approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority. The deadline for responding to this consultation was 31st January 2025. We await its outcome.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!   

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

Labour Party Reprimanded for Subject Access Delays 

Last week, the Information Commissioner’s Office (ICO) issued the Labour Party with a Reprimand, under the UK GDPR, for repeatedly failing to respond to subject access requests (SARs). This is an embarrassing development for a party in government which recently announced a number of parliamentary bills in the area of information governance.   

Background 

In November 2022, the Labour Party found itself inundated with 352 SARs that required timely responses. 78% of these requests remained unanswered within the maximum compulsory time limit of three months, and more than half (56%) were significantly delayed by over one year. The backlog stemmed from a cyber-attack on the Labour Party in October 2021, which triggered a surge in SARs. 

During the ICO’s investigation, it came to light that a ‘privacy inbox’ within the Labour Party had not been monitored since November 2021. This inbox contained approximately 646 additional SARs and around 597 requests for deletion of personal data. None of these requests had been responded to.  

This reprimand comes a few months after a report by openDemocracy, an independent international media platform. The report claims that people requesting copies of their data, such as police or immigration records, have faced long delays or had their requests ignored entirely. Others have been given folders with key documents missing. Apparently this is having a knock-on effect on the justice system, with lawyers telling openDemocracy that asylum applications and claims for false imprisonment have been put on hold due to the delays. Victims of the Windrush Scandal have also struggled to obtain copies of their immigration papers in order to claim compensation. 

Since engaging with the ICO, the Labour Party has taken steps to address its backlog including assigning three temporary staff members to focus solely on handling outstanding requests and allocating  additional resources to expedite responses.  

Enjoy reading our blog? Help us reach 10,000 subscribers bysubscribing today!  

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment. 

Electoral Commission Reprimanded for Data Breach Affecting 40 Million People

Last week the Information Commissioner’s Office(ICO) issue a GDPR reprimand to the Electoral Commission.

In August 2023 the Electoral Commission revealedin a public notice issued under Article 33 and 34 of the UK GDPR, that it had been the victim of a “complex cyber-attack” potentially affecting millions of voters. It had discovered in October 2022 that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and “control systems”.

The Commission said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022. This included those who opted to keep their details off the open register, which is not accessible to the public but can be purchased. The data accessed also included the names, but not the addresses, of overseas voters.  The Commission further explained that it was difficult to predict exactly how many people could be affected, but it estimated the register for each year contains the details of around 40 million people. 

The ICO reprimand reveals that the Commission did not take basic security steps to ensure the protection of personal data. The ICO said:

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

Many have criticised the ICO for issuing a “slap on the wrist” rather than a fine for an entirely preventable cyberattack that exposed the personal data of 40 million UK voters. But the reprimand is in line with the ICO’s approach to public sector enforcement which has been the subject of a two year trial since June 2022. 
Explaining the approach at the time, the Information Commissioner wrote:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

In June the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the Autumn.

The Act Now Advanced Certificate in GDPR Practice is designed for experienced Data Protection Officers seeking to develop their skills and confidence to tackle the most challenging data protection projects within their organisation.

Please subscribe to this blog and help us to get to 10,000 subscribers. 

The ICO’s Tougher FOI Enforcement Policy 

By Martin Rosenbaum 

Last month the Information Commissioner’s Office announced it was issuing another two Enforcement Notices against public authorities with extreme backlogs of FOI and EIR requests; the Ministry of Defence and the Environment Agency. From the published notices it is clear that both authorities had consistently failed to tackle their excessive delays, despite extensive discussions over many months with the ICO. 

The ICO also issued Practice Recommendations, a lower level of sanction, to three authorities with a poor track record on FOI; Liverpool Council, Tower Hamlets Council and the Medicines and Healthcare Products Regulatory Agency. This brings the total of Enforcement Notices in the past year or so to six, and the number of Practice Recommendations to 12.
As Warren Seddon, the ICO’s Director of FOI, proclaimed in his blog on the subject, both these figures exceed the numbers previously issued by the ICO in the entire 17 years since the FOI Act came into force. 

From my point of view, as a frequent requestor, this is good news.
For requestors, the ICO’s current activity represents a welcome tougher stance on FOI regulation adopted by Seddon and also the Commissioner, John Edwards, since the latter took over at the start of last year.  

Under the previous Commissioner Elizabeth Denham, any strategic enforcement regarding FOI and failing authorities had dwindled to nothing. The experience of requestors was that the FOI system was beset by persistent lengthy delays, both from many authorities and also at the level of ICO complaints.  

The ICO’s Decision Notices would frequently comment on obstruction and incompetence from certain public bodies, as I reported when I was a BBC journalist, but without the regulator then making any serious systematic attempt to change the culture and operations of these authorities.
Under Denham the ICO had also ceased its previous policy of regularly and publicly revealing a list of authorities it was ‘monitoring’ due to their inadequate processing of FOI requests. Although this was in any case a weaker step than issuing formal enforcement notices and practice recommendations, in some cases it did have a positive effect.
Working at the BBC at the time I saw how, when the BBC was put into monitoring by the ICO, it greatly annoyed the information rights section, who brought in extra resources and made sure the BBC was released from it at the first opportunity.  

On the other hand, other public authorities with long-lasting deficiencies, such as the Home Office and the Metropolitan Police, were kept in ICO monitoring repeatedly, without improving significantly and without further, more effective action being taken against them.  

The ICO’s FOI team has also made important progress in the past year in rectifying its own defects in processing complaints, speeding things up and tackling its backlog. This led to a rapid rush of decision notices.
One result is that delay has been shifted further up the system, as the
First-tier Tribunal has been struggling to cope with a concomitant increase in the number of decisions appealed. I understand that the proportion of decisions appealed did not change, although I don’t know if the balance between requestor appeals and authority appeals has altered. 

Another consequence has been that decision notices now tend to be shorter than they used to be, especially those which support the stance of the public authority and thus require less interventionist argument from the ICO. Requestors may need to be reassured that the pressure on ICO staff for speedier decisions does not mean that finely balanced cases end up predominantly being decided on the side of the authority.  

More generally I gather there is some concern within the ICO about its decisions under sections 35 and 36 of FOI, to do with policy formulation and free and frank advice, that some staff have got into a pattern of dismissing requestors’ arguments without properly considering the specific circumstances which may favour disclosure. 

As part of its internal operational changes, a few months ago the ICO introduced a procedure for prioritisation amongst appeals and expediting selected ones. I have seen the evidence of this myself.  A complaint I made in April was prioritised and allocated to a case worker within six weeks and then a decision notice served within another six weeks (although sadly my case was rejected). All done within three months.  

On the other hand a much older appeal that I submitted to the ICO in May 2022 has extraordinarily still not even been allocated to a case worker 15 months later, from what I have been told. This is partly because it relates to the Cabinet Office, which accounts for a large proportion of the ICO’s oldest casework and has been allowed a longer period of time to work through old cases.  

It is interesting to note that the ICO does not proactively tell complainants that their case has been prioritised, even when they have specifically argued it should be at the time of submitting their complaint.
The ICO wants to avoid its staff getting sucked in to disputes about which appeals merit prioritisation. If you want to know whether your case has been prioritised, you have to ask explicitly, and then you will be told. 

The ICO has not yet officially released any statistics about the impact of its new prioritisation policy. However I understand that in the first three months about 60 cases were prioritised and allocated to a case officer to investigate within a month or so. This is a smaller number than might have been expected.  

Around 80 percent of these were prioritised in line with the criterion for the importance of the public interest involved in the issue. And about 60 percent of decisions to prioritise reflected the fact that the requestor was in a good position to disseminate further any information received, possibly as a journalist or campaigner. 

In most of the early decision notices for prioritised complaints the ICO has backed the authority and ruled against disclosure. So if you are a requestor, the fact that the ICO has decided to prioritise your appeal does certainly not mean that it has reached a preliminary decision that you are right.  

Martin Rosenbaum is the author of Freedom of Information: A practical guidebook. The book is aimed at requestors and provides thorough guidance on the workings of the law, how best to frame requests and how to challenge refusals. It will also be valuable to FOI officers and others who want a better understanding of the perspective of requestors. In the book Martin passes on the benefits of all the expertise and experience he acquired during 16 years as the leading specialist in BBC News in using FOI for journalism.