Tory Party Data Sharing Revealed

We recently wrote about the Good Law Project (GLP) challenging one aspect of the Conservative Party’s data collection practices. The party’s website contains an online tool which allows an individual to calculate the effect on them of recent changes to National Insurance contributions. However, GLP claims this tool is “a simple data-harvesting exercise” which breaches UK data protection laws in a number of ways. It says that a visit to the website automatically leads to the placement of non-essential cookies (related to marketing, analysis and browser tracking) on the visitor’s machine without consent. This is a breach of Regulation 6 of PECR. GLP also challenges the gathering and use of website visitors’ personal data on the site, claiming that (amongst other things) it is neither fair, lawful nor transparent and thus a breach of the UK GDPR.

Director of GLP, Jo Maugham, has taken the first formal step in legal proceedings against the Conservative Party. The full proposed claim is set out in the GLP’s Letter Before Action. The Conservative Party has issued a response arguing that they have acted lawfully and that: 

  • They did obtain consent for the placement of cookies. (GLP disagrees and has now made a 15-page complaint to the ICO.) 
  • They have agreed to change their privacy notice. (GLP is considering whether to ask the court to make a declaration of illegality, claiming that the Tories “have stated publicly that it was lawful while tacitly admitting in private that it is not.”) 
  • They have agreed to the request by GLP to stop processing Jo Maugham’s personal data where that processing reveals his political opinions.  

Following a subject access request, Mr Maugham received 1,384 pages of personal data held about him. GLP claim he is being profiled and believe that such profiling is unlawful. However, the Conservatives would not say who Mr Maugham’s personal data was being shared with. Following a threat of legal action, the party has now disclosed that it shared the data with PR companies and media companies, all with links to the Tory Party. According to GLP, the disclosure throws “some light on the type of grubby tactics we can likely expect to see in the upcoming general election.”

As an election draws nearer, expect the spotlight to be on all political parties’ data processing activities.

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

Section 56 is here! Oh no it isn’t! Oh yes it is!


Section 56 prevents employers from requiring people to use their subject access rights under the DPA to obtain and then provide certain records, as a condition of employment. It also prevents contracts from requiring certain records as a condition for providing or receiving a service. Section 56 does not, however, prevent such requests where the record is required by law or is justified in the public interest.

Section 56 was due to be commenced on 1 December 2014. Commencement was delayed because of a technical issue encountered when finalising arrangements for its introduction. This issue has now been resolved.

Section 56 was commenced on 10 March 2015. The commencement order is SI 2015/312, entitled ‘The Data Protection Act 1998 (Commencement No. 4) Order 2015’.

It makes it a criminal offence to require an individual to make a subject access request and supply the result to a potential employer for the purpose of obtaining or continuing in employment. It also applies to a supplier of goods, facilities and services to the public who requires the production of a record to access that service. The ICO webinar suggests insurance might be such a case. It also suggests the section applies to volunteers who help your organisation even though they may not be in employment.

Most practitioners called it Enforced Subject Access. In November 2014 the ICO ran a webinar outlining what this means and it’s worth a look. See the webinar on YouTube at https://www.youtube.com/watch?v=zTYBvr-tb5U. It’s 36 minutes long so set aside a lunch hour and buy your sandwich first. It does a good job of looking into all the minor points and ends with a few good examples of how it will be used.

It’s quite a logical and straightforward concept. Why on earth would you require someone to produce their police record to progress their application for employment? Certain jobs with vulnerable people involve disclosures from the Disclosure & Barring Service, and Disclosure Scotland is widely used, but employers in these areas know about this. Making people outside these areas obtain and produce a relevant record is clearly wrong.

There are some defences to a Section 56 charge: the usual suspects (under an enactment, rule of law or court) and also the public interest, although the section specifically excludes prevention or detection of crime from the public interest.

Now it’s time to watch the webinar, download the ICO guidance from https://ico.org.uk/for-organisations/enforced-sar/ and wait for the first case involving section 56.

Looking for a DP qualification? The Act Now Data Protection Practitioner Certificate is a practical four day course. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester. 

R.I.P. Tiddles – A Cat’s Tale

Maybe it was when he realised he couldn’t access his medical data (through his human owner); maybe it was the lack of a satisfactory diagnosis; maybe it was feline immunodeficiency virus that caused the lesions on all limbs and the infection in his nose and ears, but Tiddles disappeared Tuesday morning at 8 am after a full pouch of Felix salmon in jelly. His owners spent 88 hours ch chewing at the front door but it looked like he’d run away to die (research on Google revealed that this was a likely outcome). Friday evening and he turned up out of the blue looking very weak and bedraggled. Following day he was taken to the second opinion who made an appointment for an emergency FIV and leukaemia test at a local animal hospital. Despite a negative test the vet decided that the best advice was to put him out of his misery. He’d lost 35% of his body weight, had difficulty walking, slept 23 hours a day and was wasting away. He was 5 years old. At 1400 on Saturday 10th March Tiddles moved outside the scope of the Data Protection Act although he never had any Principle 6 rights as he failed most of the Durant tests. This post not tagged DP or privacy or SAR or anything. Just a shaggy cat story.