ICO Issues Two FOI Enforcement Notices

Under the Freedom of Information Act 2000, an Enforcement Notice may be served where the Information Commissioner is satisfied that a public authority has failed to comply with any of the requirements of Part I of the Act. If a public authority fails to comply with a Notice, the Commissioner may commence court proceedings under section 54 of the Act, which may be dealt with as contempt of Court.

The ICO recently served an Enforcement Notice on both Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust for their ongoing FOI failings which have seen hundreds of information requests go unanswered.

Devon and Cornwall Police

In 2023, as part of the ICO’s routine work to monitor public authorities’ compliance, the ICO found that between 2022 and 2024 the percentage of requests responded to by Devon and Cornwall Police within the statutory FOI timeframe (20 working days) was consistently low (between 39% and 65%). Their rate of response to internal review requests was also poor, averaging between 0% and 22%. The Force had a backlog of older FOI requests which had increased from 77 in December 2023 to 251 in June 2024.

The ICO Enforcement Notice orders the Force to devise and publish an action plan in the next 30 days which must detail how they will comply with their duties to respond to information requests in a timely manner. It has also been given six months to clear the existing backlog.

Barking, Havering and Redbridge Hospitals NHS Trust

The ICO first contacted the Trust in June 2023 due to a number of complaints received about its late compliance with FOI requests. The ICO found that, over 12 months, the Trust had only responded to 29% of requests during the statutory timeframe, with January 2024 seeing just 2.5% of requests responded to in a timely manner.

The Trust had a backlog of 589 requests in April 2024, which increased to 785 by June 2024. The ICO Enforcement Notice gives the Trust 35 days to devise and publish an action plan to clear this backlog by the end of the year.

Since last year, the ICO has pursued a tougher FOI enforcement policy. Recently it issued Enforcement Notices against three other police forces for poor FOI performance which has led to significant backlogs in their responses.

Our FOI Intermediate Certificate strengthens the foundations established by our FOI Practitioner Certificate. It will help you become an adept FOI practitioner by delving deeper into the intricacies of the FOIA, equipping you with the skills and confidence to navigate its complexities.

GDPR: One Year on

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force on 25th May 2018 with much fanfare. The biggest change to data protection law in 20 years, with GDPR carrying a maximum fine of 20 million Euros or 4% of gross annual turnover (whichever is higher), the marketing hype, emails and myths came thick and fast.

There has been no avalanche of massive fines under GDPR. According to a progress report by the European Data Protection Board (EDPB), Supervisory Authorities from 11 EEA countries imposed a total of €55,955,871 in fines. This is not a large amount when you consider it includes a 50 million euro fine on Google issued by the French National Data Protection Commission (CNIL). It followed complaints from two privacy groups who argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as they were in effect forcing users to consent.

EDPB figures also show:

  • 67% of Europeans have heard of GDPR
  • Over 89,000 data breaches have been logged by the EEA Supervisory Authorities. 63% of these have been closed and 37% are ongoing
  • There have been 446 cross border investigations by Supervisory Authorities

Despite the warnings of data armageddon, year one of GDPR has mostly been a year of learning for Data Controllers and one of raising awareness for Supervisory Authorities. The Information Commissioner’s Office (ICO) in the UK has produced a GDPR progress report in which it highlights an increased public awareness. In March it surveyed Data Protection Officers. 64% stated that they either agreed or strongly agreed with the statement ‘I have seen an increase in customers and service users exercising their information rights since 25 May 2018’.

The ICO has not issued any fines yet but has used its other enforcement powers extensively. It has issued 15 Assessment Notices and 11 Information Notices in conjunction with various investigations including into data analytics for political purposes, political parties, data brokers, credit reference agencies and others. Two Enforcement Notices have been issued against a data broking company and the HMRC respectively (read our blog) as well as warnings and reprimands across a range of sectors including health, central government, criminal justice, education, retail and finance. (25/6/19 STOP PRESS  – Enforcement notices have been served (25th June), under the 1998 and 2018 Data Protection Acts on the Metropolitan Police, for sustained failures to comply with individuals’ rights in respect of subject access requests.)

The ICO is planning to produce four new codes of practice in 2019 under GDPR. Here are the dates for your diary:

  • A new Data Sharing code. A draft code for formal consultation is expected to be launched in June 2019 and the final version laid before Parliament in the autumn.
  • A new Direct Marketing code to ensure that all activities are compliant with the GDPR, DPA 2018 and the Privacy and Electronic Communications Regulations (PECR). A formal consultation on this will be launched in June 2019 with a view to finalising the code by the end of October.
  • A Data Protection and Journalism code. A formal consultation on this will be launched in June 2019 with a view to laying the final version before Parliament in the summer.
  • A code of practice on political campaigning. The code will apply to all organisations who process personal data for the purpose of political campaigning, i.e. activity relating to elections or referenda. A draft will be published for consultation in July 2019.

Year 2 of GDPR will no doubt see more enforcement action by the ICO including the first fines. According to its progress report though, it will continue to focus on its regulatory priorities which are cyber security, AI, Big Data and machine learning, web and cross device tracking for marketing purposes, children’s privacy, use of surveillance and facial recognition, data broking, the use of personal information in political campaigns and Freedom of Information compliance.

Finally, depending on whether there is a Brexit deal, we may see some changes to GDPR via the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which came into force in March this year.

More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. For those seeking a GDPR qualification, our highly popular practitioner certificate is the best option. Read our testimonials here.