ICO Reprimand for Misuse of Children’s Data: A Proportionate Response or a Let Off?

Last week, the Department for Education received a formal reprimand from the Information Commissioner’s Office(ICO) over a “serious breach” of the GDPR involving the unauthorised sharing of up to 28 million children’s personal data. But the Department has avoided a fine, despite a finding of “woeful” data protection practices.

The reprimand followed the ICO’s investigation into the sharing of personal data stored on the Learning Records Service (LRS) database, for which the DfE is the Data Controller. LRS provides a record of pupils’ qualifications that education providers can access. It contains both personal and Special Category Data and at the time of the incident there were 28 million records stored on it. Some of those records would have pertained to children aged 14 and over. 

The ICO started its investigation after receiving a breach report from the DfE about the unauthorised access to the LRS database. The DfE had only become aware of the breach after an exposé in a national Sunday newspaper.

The ICO found that the DfE’s poor due diligence meant that it continued to grant Trustopia access to the database when it advised the DfE that it was the new trading name for Edududes Ltd, which had been a training provider. Trustopia was in fact a screening company and used the database to provide age verification services to help gambling companies confirm customers were over 18. The ICO ruled that the DfE failed to:

  • protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services. Data Subjects were unaware of the processing and could not object or otherwise withdraw from this processing. Therefore the DfE failed to process the data fairly and lawfully in accordance with Article 5 (1)(a). 
  • have appropriate oversight to protect against unauthorised processing of personal data held on the LRS database and had also failed to ensure its confidentiality in accordance with Article 5 (1)(f). 

The ICO conducted a simultaneous investigation into Trustopia, during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted. Trustopia was dissolved before the ICO investigation concluded and therefore regulatory action was not possible.

The DfE has been ordered to implement the following five measures to improve its compliance: 

  1. Improve transparency around the processing of the LRS database so Data Subjects are aware and are able to exercise their Data Subject rights, in order to satisfy the requirements of Article 5 (1)(a) of the UK GDPR. 
  • Review all internal security procedures on a regular basis to identify any additional preventative measures that can be implemented. This would reduce the risk of a recurrence to this type of incident and assist compliance with Article 5 (1)(f) of the UK GDPR. 
  • Ensure all relevant staff are made aware of any changes to processes as a result of this incident, by effective communication and by providing clear guidance. 
  • Complete a thorough and detailed Data Protection Impact Assessment, which adequately assesses the risk posed by the processing. This will enable the DfE to identify and mitigate the data protection risks for individuals. 

This investigation could, and many would say should, have resulted in a fine. However, in June 2022 John Edwards, the Information Commissioner, announced a new approach towards the public sector with the aim to reduce the impact of fines on the sector. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10 million. In a statement, John Edwards said:

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

The ICO also followed its new public sector enforcement approach when issuing a reprimand to NHS Blood and Transplant Service. In August 2019, the service inadvertently released untested development code into a live system for matching transplant list patients with donated organs. This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The ICO said that, if the revised enforcement approach had not been in place, the service would have received a fine of £749,856. 

Some would say that the DFE has got off very lightly here and, given their past record, perhaps more stringent sanctions should have been imposed. Two years ago, the ICO criticised the DfE for secretly sharing children’s personal data with the Home Office, triggering fears it could be used for immigration enforcement as part of the government’s hostile environment policy. 

Many will question why the public sector merits this special treatment. It is not as if it has been the subject of a disproportionate number of fines. The first fine to a public authority was only issued in December 2021 (more than three and a half years after GDPR came into force) when the Cabinet Office was fined £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online. This was recently reduced to £50,000 following a negotiated settlement of a pending appeal.

Compare the DfE reprimand with last month’s Monetary Penalty Notice in the sum of £1,350,000 issued to a private company, Easylife Ltd. The catalogue retailer was found to have been using 145,400 customers personal data to predict their medical condition and then, without their consent, targeting them with health-related products. With austerity coming back with a vengeance, no doubt the private sector will question the favourable terms for the public sector. 

Perhaps the Government will come to the private sector’s rescue. Following the new DCMS Secretary for State’s speech  last month, announcing a plan to replace the UK GDPR with a new “British data protection system” which cuts the “burdens” for British businesses, DCMS officials have said further delays to the Data Protection and Digital Information Bill are on the way. A new public consultation will be launched soon.

So far the EU is not impressed. A key European Union lawmaker has described meetings with the U.K. government over the country’s data protection reform plans as “appalling.” Italian MEP Fulvio Martusciello from the center-right European People’s Party said his impression from the visit was that Britain is “giving in on privacy in exchange for business gain.”

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November. 

£4.4 Million GDPR Fine for Construction Company 

This month the UK Information Commissioner’s Office has issued two fines and one Notice of Intent under GDPR. 

The latest fine is three times more than that imposed on Easylife Ltd on 5th October. Yesterday, Interserve Group Ltd was fined £4.4 million for failing to keep personal information of its staff secure.  

The ICO found that the Berkshire based construction company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information. 

The Phishing Email 

In March 2020, an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s IT system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. 

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems. 

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber-attack. Consequently, Interserve had breached Article 5 and Article 32 of GDPR by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information. 

Notice of Intent 

Interestingly in this case the Notice of Intent (the pre cursor to the fine) was for also for £4.4million i.e. no reductions were made by the ICO despite Interserve’s representations. Compare this to the ICO’s treatment of two much bigger companies who also suffered cyber security breaches. In July 2018, British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine was reduced to £20 million in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice. 

The Information Commissioner, John Edwards, has warned that companies are leaving themselves open to cyber-attack by ignoring crucial measures like updating software and training staff: 

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office. 

Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.” 

We have been here before. On 10th March the ICO  fined Tuckers Solicitors LLP £98,000 following a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.   

Action Points  

Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place. Here are our top tips: 

  1. Conduct a cyber security risk assessment and consider an external accreditation through  Cyber Essentials. 
  1. Ensure your employees know the risks of malware/ransomware and follows good security practice. At the time of the cyber-attack, one of the two Interserve employees who received the phishing email had not undertaken data protection training. (Our GDPR Essentials  e-learning solution is a very cost effective e learning solution which contains a specific module on keeping data safe.)  
  1. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop.  
  1. Earlier in the year, the ICO worked with NCSC to remind organisations not to pay a ransom in case of a cyber-attack, as it does not reduce the risk to individuals and is not considered as a reasonable step to safeguard data. For more information, take a look at the ICO ransomware guidance or visit the NCSC website to learn about mitigating a ransomware threat via their business toolkit

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November.  

ICO Takes Action Against GDPR Subject Access Delays

On 28th September 2022, the Information Commissioner’s Office announced it is taking action against seven organisations for delays in dealing with Subject Access Requests(SARs). This includes government departments, local authorities and a communications company. 

The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organisations, either within statutory timeframes or at all. 

An SAR must be responded to within one month, although this period can be extended by a further two months in the case of a manifestly unfounded or excessive request. The time starts from the date of receipt as per a ECJ court ruling and confirmed by the provisions of the forthcoming Data Protection and Digital Information Bill.

But an ICO investigation found the seven organisations, from across the public and private sector, repeatedly failed to meet this legal deadline. This resulted in reprimands under the UK GDPR and, in some cases, Practice Recommendations under the Freedom of Information Act 2000.

Information Commissioner John Edwards told the BBC naming and shaming organisations that fail to comply is a new proactive way for the ICO to work. 

“It’s going to become more common – it’s really important that people can have confidence in the administration of their information rights,” he said.

“That’s why we are publicly notifying these organisations that they have to bring themselves into compliance. 

“Being able to ask an organisation ‘what information do you hold on me’ and ‘how it is being used’ provides transparency and accountability.

“These are fundamental rights – these are not optional.” 

The seven organisations are:

Ministry of Defence (MoD)

The MoD has been issued with a reprimand following an identified SAR backlog dating back to March 2020. Despite setting up a recovery plan, this backlog has continued to grow, and currently stands at 9,000 SAR requests yet to be responded to. This has meant that, on average, people were typically waiting over 12 months for their information.

Home Office

reprimand has been issued to the Home Office following investigations that showed between March 2021 and November 2021, they had a significant back log of SARs, amounting to just under 21,000 not being responded to during the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there are just over 3,000 unanswered SARs outside of the legal time limit.

London Borough of Croydon

The investigation revealed that from April 2020 to April 2021, the London Borough of Croydon Council had responded to less than half of their SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UKGDPR. Additionally, since June 2021, the ICO has issued 27 decisions notices under FOIA related to the Council’s failure to respond to information requests. They have been issued with a reprimand as well as a recommendation under our renewed approach to FOI regulation for failure to meet statutory response deadlines.

Kent Police

From October 2020 to February 2021, Kent Police received over 200 SARs, 60% were completed during the statutory deadline. However, some of the remaining SARs are reported to have taken over 18 months to issue a response. As of May 2022, over 200 SARs remain overdue. A reprimand has been issued.

London Borough of Hackney

For the period of April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The oldest SAR was over 23 months. They have since been issued with a reprimand as well as a FOI practice recommendation.

London Borough of Lambeth

London Borough of Lambeth has only responded to 74% of the SARs it has received within the statutory timescales from 1 August 2020 to 11 August 2021. This equates to 268 SARs. The council continues to have a backlog of SAR cases and, based on the updated figures, does not appear to be improving. They have been issued with a reprimand.

Virgin Media

Over a 6 month period in 2021, Virgin Media received over 9500 SARs. 14% of these were not responded to during the statutory timeframe. However, their compliance in 2022 has seen improvements. A reprimand has been issued.

These organisations have between three and six months to make improvements or further enforcement action could be taken by the ICO. This action is a reminder that all Data Controllers must have policies and procedures in place to deal with SARs in a timely manner. 

Our workshop, How to Handle a Subject Access Request, equips delegates with the skills and knowledge to handle complex SARs. For experienced GDPR Practitioners wanting to take your skills to the next level we have  our Advanced Certificate in GDPR Practice which starts on 25th October. 

£1.35 Million GDPR Fine for Catalogue Retailer

On 5th October, the Information Commissioner’s Office (ICO) issued a GDPR Monetary Penalty Notice in the sum of £1,350,000 to Easylife Ltd. The catalogue retailer was found to have been using 145,400 customers personal data to predict their medical condition and then, without their consent, targeting them with health-related products.

This latest ICO fine is interesting but not because of the amount involved. There have been much higher fines. In October 2020, British Airways was fined £20 million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. This, like most of the other ICO fines, involved a breach of the security provisions of GDPR. In the Easylife fine, the ICO focussed on the more interesting GDPR provisions (from a practitioner’s perspective) relating to legal basis, profiling and transparency. 

The background to the fine is that a telemarketing company was being investigated by the ICO for promoting funeral plans during the pandemic. This led to the investigation into Easylife because the company was conducting marketing calls for Easylife. The investigation initially concerned potential contraventions of the Privacy and Electronic Communications Regulations (PECR), and that investigation raised concerns of potential contraventions of GDPR, which the Commissioner then investigated separately.

The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products to them without their consent. For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call them to market glucosamine joint patches.

Special Category Data and Profiling

Article 4( 4) of the GDPR defines profiling:
“‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”

Out of 122 products in Easylife’s Health Club catalogue, 80 were considered to be ‘trigger products’. Once these products were purchased by customers, Easlylife would target them with a health-related item. The ICO found that significant profiling of customers was taking place. 

Easylife’s use of customer transactional data to infer that the customer probably had a particular health condition was Special Category Data. Article 6 and 9 of the GDPR provides that such data may not be processed unless a lawfulness condition can be found. The only relevant condition in the context of Easylife’s health campaign was explicit consent. Easylife did not collect consent to process Special Category Data, instead relying on legitimate interest (based on its privacy notice) under Article 6. As a result, it had no lawful basis to process the data in contravention of Article 6 and Article 9 of the GDPR. 

Invisible Processing

Furthermore the ICO concluded that ‘invisible’ processing of health data took place. It was ‘invisible’ because Easylife’s customers were unaware that the company was collecting and using their personal data for profiling/marketing purposes. In order to process this data lawfully, Easylife would have had to collect explicit consent from the customers and to update its privacy policy to indicate that Special Category Data was to be processed by consent. Easylife’s omission to do this was a breach of Article 13(1)(c) of the GDPR.

John Edwards, UK Information Commissioner, said:

“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed.

The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.”

One other ICO monetary penalty notice has examined these issues in detail. In May 2022 Clearview AI was fined £7,552,800 following an investigation into its online database contains 20 billion images of people’s faces scraped from the internet. 

As Jon Baines pointed out (thanks Jon!), on the Jiscmail bulletin board, a large chunk of the online programmatic advertising market also profiles people and infers Special Category Data in the same way as Easylife. This was highlighted in the ICO’s 2019 report. The ICO said in January last year that it was resuming its Adtech investigation, but there has been very little news since then.

GDPR was not the only cause of Easylife’s woes. It was also fined £130,000 under PECR for making 1,345,732 direct marketing calls to people registered with the Telephone Preference Service (TPS).

This case also shows the importance of organisations only using  telephone marketing companies who understand and comply with GDPR and PECR. If not, the ICO enforcement spotlight will also fall on clients of such companies.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. 

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 25th October. 

TikTok Faces a £27 Million GDPR Fine

On 26 September 2022, TikTok was issued with a Notice of Intent under the GDPR by the Information Commissioner’s Office (ICO). The video-sharing platform faces a £27 million fine after an ICO investigation found that the company may have breached UK data protection law.  

The notice sets out the ICO’s provisional view that TikTok breached UK data protection law between May 2018 and July 2020. It found the company may have:

  • processed the data of children under the age of 13 without appropriate parental consent,
  • failed to provide proper information to its users in a concise, transparent and easily understood way, and
  • processed special category data, without legal grounds to do so.

The Information Commissioner, John Edwards said:

“We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.

“I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary. In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”

Rolled out in September last year, the Children’s Code puts in place new data protection standards for online services likely to be accessed by children.

It will be interesting to see if and when this notice becomes an actual fine. If it does it will be the largest fine issued by the ICO. It is also the first potential fine to look at transparency and consent and will provide valuable guidance to Data Controllers especially if it is appealed to the Tribunal.  

It is important to note that this is not a fine but ‘notice of intent’ – a legal document that precedes a potential fine. The notice sets out the ICO’s provisional view which may of course change after TikTok makes representations. 

Remember we have been here before. In July 2018 British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine was for £20 million issued in July 2020. In November 2020Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice.

This is not the first time TikTok has found itself in hot water of over its data handling practices. In 2019, the company was given a record $5.7m fine by the Federal Trade Commission, for mishandling children’s data. It has also been fined in South Korea for similar reasons.

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 25th October. 

A New GDPR Fine and a New ICO Enforcement Approach

Since May 25th 2018, the Information Commissioner’s Office (ICO) has issued ten GDPR fines. The latest was issued on 30th June 2022 to Tavistock and Portman NHS Foundation Trust for £78,400. The Trust had accidentally revealing 1,781 adult gender identity patients’ email addresses when sending out an email.

This is the second ICO fine issued to a Data Controller in these circumstances. In 2021, HIV Scotland was fined £10,000 when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. 

The latest fine was issued to Tavistock and Portman NHS Foundation Trust following an e mail sent in early September 2019. The Trust intended to run a competition inviting patients of the adult Gender Identity Clinic to provide artwork to decorate a refurbished clinic building. It sent two identical emails promoting the competition (one to 912 recipients, and the second to 869 recipients) before realising they had not Bcc’d the addresses.

It was clear from the content of the email that all the recipients were patients of the clinic, and there was a risk further personal details could be found by researching the email addresses. The Trust immediately realised the error and tried, unsuccessfully, to recall the emails. It wrote to all the recipients to apologise and informed the ICO later that day.

The ICO investigation found:

  • Two similar, smaller incidents had affected a different department of the same Trust in 2017. While that department had strengthened their processes as a result, the learning and changes were not implemented across the whole Trust.
  • The Trust was overly reliant on people following policy to prevent bulk emails using ‘to’ in Outlook. There were no technical or organisational safeguards in place to prevent or mitigate against this very predictable human error. The Trust has since procured specialist bulk email software and set “a maximum ‘To’ recipient” rule on the email server.

The ICO reduced the fine issued to the Trust from £784,800 to £78,400 to reflect the ICO’s new approach to working more effectively with public authorities. This approach, which will be trialled over the next two years, was outlined in an open letter from the UK Information Commissioner John Edwards to public authorities. It will see more use of the Commissioner’s discretion to reduce the impact of fines on the public sector, coupled with better engagement including publicising lessons learned and sharing good practice. 

In practice, the new approach will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases. When a fine is considered, the decision notice will give an indication on the amount of the fine the case would have attracted. This will provide information to the wider economy about the levels of penalty others can expect from similar conduct. Additionally, the ICO will be working more closely with the public sector to encourage compliance with data protection law and prevent harms before they happen.

The ICO followed its new approach recently when issuing a reprimand to NHS Blood and Transplant Service. in August 2019, the service inadvertently released untested development code into a live system for matching transplant list patients with donated organs. This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The service remedied the error within a week, and none of the patients involved experienced any harm as a result. The ICO says that, if the revised enforcement approach had not been in place, the service would have received a fine of £749,856. 

The new approach will be welcome news to the public sector at a time of pressure on budgets. However some have questioned why the public sector merits this special treatment. It is not as if it has been the subject of a disproportionate number of fines. The first fine to a public authority was only issued in December 2021 (more than three and a half years after GDPR came into force) when the Cabinet Office was fined £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online. Perhaps the ICO is already thinking about the reform of its role following the DCMS’s response to last year’s GDPR consultation. It will be interesting to see if others, particularly the charity sector, lobby for similar treatment. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in September.

ICO Fines “World’s Largest Facial Network”

The Information Commissioner’s Office has issued a Monetary Penalty Notice of £7,552,800 to Clearview AI Inc for breaches of the UK GDPR. 

Clearview is a US based company which describes itself as the “World’s Largest Facial Network”. It allows customers, including the police, to upload an image of a person to its app, which is then checked against all the images in the Clearview database. The app then provides a list of matching images with a link to the websites from where they came from. 

Clearview’s online database contains 20 billion images of people’s faces and data scraped from publicly available information on the internet and social media platforms all over the world. This service was used on a free trial basis by a number of UK law enforcement agencies. The trial was discontinued and the service is no longer being offered in the UK. However Clearview has customers in other countries, so the ICO ruled that is still processing the personal data of UK residents.

The ICO was of the view that, given the high number of UK internet and social media users, Clearview’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge. It found the company had breached the UK GDPR by:

  • failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
  • failing to have a lawful reason for collecting people’s information;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to meet the higher data protection standards required for biometric data (Special Category Data):
  • asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.

The ICO has also issued an enforcement notice ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.

The precise legal basis for the ICO’s fine will only be known when (hopefully not if) it decides to publish the Monetary Penalty Notice. The information we have so far suggests that it considered breaches of Article 5 (1st and 5th Principles – lawfulness, transparency and data retention) Article 9 (Special Category Data) and Article 14 (privacy notice) amongst others.  (UPDATE – the notice has now been published here)

Whilst substantially lower than the £17 million Notice of Intent, issued in November 2021, this fine shows that the new Information Commissioner, John Edwards, is willing to take on at least some of the big tech companies. 

The ICO enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner (OAIC). The latter also ordered the company to stop processing citizens’ data and delete any information it held. France, Itlay and Canada have also sanctioned the company under the EU GDPR. 

So what next for Clearview? The ICO has very limited means to enforce a fine against foreign entities.  Clearview has no operations or offices in the UK so it could just refuse to pay. This may be problematic from a public relations perspective as many of Clearview’s customers are law enforcement agencies in Europe who may not be willing to associate themselves with a company that has been found to have breached EU privacy laws. 

When the Italian DP regulator fined Clearview €20m (£16.9m) earlier this year, it responded by saying it did not operate in any way that brought it under the jurisdiction of the EU GDPR. Could it argue the same in the UK, where it also has no operations, customers or headquarters? Students of our  UK GDPR Practitioner certificate course will know that the answer lies in Article 3(2) which is sets out the extra territorial effect of the UK GDPR:

This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom. [our emphasis]

Whilst clearly Clearview (no pun intended) is not established in the UK, the ICO is of the view it is covered by the UK GDPR due to Article 3(2). See the statement of the Commissioner, John Edwards:

“Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

If Clearview does appeal, we will hopefully receive judicial guidance about the territorial scope of the  UK GDPR.   

UPDATE 19/10/22): Clearview’s appeal against the ICO’s £7.5 million fine is scheduled for 21-23 November in the First Tier Tribunal(Information Rights).

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.

Cabinet Office Receives £500,000 GDPR Fine

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However in 2020 the media attention was on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses; a clear breach of the General Data Protection Regulation (GDPR) particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as holocaust survivors were also on the list which was published online at 10.30pm on Friday 26th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published with their name. One of the lessons here is, always have a second person check the data before pressing “publish”.

This is the first ever GDPR fine issued by the ICO to a public sector organisation. A stark contrast to the ICO’s fines under the DPA 1998 where they started with a local authority. Article 82(1) sets out the right to compensation:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It will be interesting to see how many of the affected individuals pursue a civil claim. 

(See also our blog post from the time the breach was reported.)

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.

To Share or Not to Share; That is the Question! 

On 5th October 2021 the Data Sharing Code of Practice from the Information Commissioner’s Office came into effect for UK based Data Controllers.  

The code is not law nor does it ‘enforce’ data sharing, but it does provide some useful steps to consider when sharing personal data either as a one off or as part of an ongoing arrangement. Data Protection professionals, and the staff in the organisations they serve, will still need to navigate a way through various pressures, frameworks, and expectations on the sharing of personal data; case by case, framework by framework. A more detailed post on the contents of the code can be read here.  

Act Now Training is pleased to announce a new full day ‘hands on’ workshop for Data Protection professionals on Data Sharing. Our expert trainer, Scott Sammons, will look at the practical steps to take, sharing frameworks and protocols, risks to consider etc. Scott will also explore how, as part of your wider IG framework, you can establish a proactive support framework; making it easier for staff to understand their data sharing obligations/expectations and driving down the temptation to use a ‘Data Protection Duck out’ for why something was shared/not shared inappropriately.  

Delegates will also be encouraged to bring a data sharing scenario to discuss with fellow delegates and the tutor. This workshop can also be customised and delivered to your organisation at your premises or virtually. Get in touch to learn more.

Law Enforcement Processing and the Meaning of “authorised by law”

In October, there was a decision in the Scottish courts which will be of interest to data protection practitioners and lawyers when interpreting Part 3 of the Data Protection Act 2018 (law enforcement processing)  and more generally the UK GDPR.

The General Teaching Council For Scotland v The Chief Constable of The Police Service of Scotland could fairly be described as a skirmish about expenses (known as costs in other parts of the UK) in seven Petitions to the Court of Session by the General Teaching Council for Scotland (“GTCS”) against the Chief Constable of the Police Service of Scotland (“Police Scotland”). The petitions essentially sought disclosure of information, held by Police Scotland, to the GTCS which the GTCS had asked Police Scotland for, but which the latter had refused to provide. 

This case will be of interest to data protection practitioners for two reasons: (1) there is some consideration by Lord Uist as to what “authorised by law” means in the context of processing personal data under Part 3 DPA 2018 for purposes other than law enforcement purposes; and (2) it contains a salutary reminder that while advice from the Information Commissioner’s Office (ICO) can be useful, it can also be wrong; as well as the responsibilities of data controllers in relation to their decisions.

The GTCS is the statutory body responsible for the regulation of the teaching profession in Scotland. They are responsible for assessing the fitness of people applying to be added to the register of teachers in Scotland as well as the continuing fitness of those already on the register. In reliance of these functions, the GTCS had requested information from Police Scotland in order to assist it in fulfilling these duties. The information held by Police Scotland was processed by them for the law enforcement purposes; it thus fell within Part 3 of the DPA 2018. In response, the GTCS petitioned the Court of Session for orders requiring Police Scotland to release the information. Police Scotland did not oppose the Petitions and argued that it should not be found liable for the expenses of the GTCS in bringing the Petitions to the court. This was on the basis that it had not opposed them and it could not have given the GTCS information without the court’s order.

The ICO advice to Police Scotland

Police Scotland refused to supply the information without a court order on the basis that to do so would be processing the personal data for purposes other than the law enforcement purposes where the disclosure was authorised by law in contravention of the second Data Protection Principle under Section 36 of the DPA 2018 which states:

“(1) The second data protection principle is that – (a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and (b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected. 

(2) Paragraph (b) of the second data protection principle is subject to subsections (3) and (4). 

(3) Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that – 

(a) the controller is authorised by law to process that data for the other purpose, and
(b) the processing is necessary and proportionate to that other purpose. 

(4) Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.” 

Police Scotland was relying upon advice from the ICO. That advice was that Police Scotland “would require either an order of the court or a specific statutory obligation to provide the information”, otherwise Police Scotland would be breaching the requirements of the DPA 2018. A longer form of the advice provided by the ICO to Police Scotland may be found at paragraph 10 of Lord Uist’s decision.

The ICO’s advice to Police Scotland was in conflict with what the ICO said in its code of practice issued under section 121 of the DPA 2018. There the ICO said that “authorised by law” could be “for example, statute, common law, royal prerogative or statutory code”. 

Authorised by Law

Lord Uist decided that the position adopted by Police Scotland, and the advice given to them by the ICO, was “plainly wrong”; concluding that the disclosure of the information requested by the GTCS would have been authorised by law without a court order.

The law recognises the need to balance the public interest in the free flow of information to the police for criminal proceedings, which requires that information given in confidence is not used for other purposes, against the public interest in protecting the public by disclosing confidential  information to regulatory bodies charged with ensuring professionals within their scope of responsibility are fit to continue practising. In essence, when the police are dealing with requests for personal data processed for law enforcement purposes by regulatory bodies, they must have regard to the public interest in ensuring that these regulatory bodies, which exist to protect the public, are able to carry out their own statutory functions.

Perhaps more significantly, the law also recognises that a court order is not required for such disclosures to be made to regulatory bodies. This meant that there was, at common law, a lawful basis upon which Police Scotland could have released the information requested by the GTCS to them. Therefore, Police Scotland would not have been in breach of section 36(4) of the DPA 2018 had they provided the information without a court order.

In essence, a lack of a specific statutory power to require information to be provided to it, or a specific statutory requirement on the police to provide the information, does not mean a disclosure is not authorised by law. It is necessary, as the ICO’s code of practice recognises, to look beyond statute and consider whether there is a basis at common law. 

Police Scotland was required by Lord Uist to meet the expenses of the GTCS in bringing the Petitions. This was because the Petitions had been necessitated by Police Scotland requiring a court order when none was required. Lord Uist was clear that Police Scotland had to take responsibility for their own decision; it was not relevant to consider that they acted on erroneous advice from the ICO.

This case serves as a clear reminder that, while useful, advice from the ICO can be wrong. The same too, of course, applies in respect of the guidance published by the ICO. It can be a good starting point, but it should never be the starting and end point. When receiving advice from the ICO it is necessary to think about that advice critically; especially where, as here, the advice contradicts other guidance published by the ICO. It is necessary to consider why there is a discrepancy and which is correct: the advice or the guidance?
It may, of course, be the case that both are actually incorrect.

The finding of liability for expenses is also a reminder that controllers are ultimately responsible for the decisions that they take in relation to the processing of personal data.
It is not good enough to effectively outsource that decision-making and responsibility to the ICO. Taking tricky questions to the regulator does not absolve the controller from considering the question itself, both before and after seeking the advice of the ICO.

Finally, this case may also be a useful and helpful reference point when considering whether something is “authorised by law” for the purposes of processing under Part 3 of the DPA 2018. It is, however, a first instance decision (the Outer House of the Court of Session being broadly similar in status to the High Court in England and Wales) and that ought to be kept in mind when considering it.

Alistair Sloan is a Devil (pupil) at the Scottish Bar; prior to commencing devilling he was a solicitor in Scotland and advised controllers, data protection officers and data subjects on a range of information law matters.

We have just announced a new full day workshop on Part 3 of the DPA 2018. See also our Part 3 Policy Pack.

Exit mobile version
%%footer%%