8 February 2018

ICO issues enforcement notice against the MoJ – Data Protection Update

UK government seeks to assure ICO of its independence under the draft Data Protection Bill.

UK Information Commissioner issues enforcement notice against the Ministry of Justice

On December 21st 2017, the Information Commissioner served the Ministry of Justice with an enforcement notice in relation to extensive delays in the handling of subject access requests made to the department. The Information Commissioner cited the backlog of 919 subject access requests made by individuals, dating back as far as 2012, to which the department had yet to respond. The Information Commissioner concluded that individuals were likely to suffer damage or distress as a result of being deprived of the opportunity to correct any inaccurate personal data about them, and also concluded that the rights of individuals under Article 8 of the European Convention on Human Rights (the right to respect for private and family life, home and correspondence) had been unlawfully interfered with. The measures ordered by the Information Commissioner include a requirement that the Secretary of State for Justice inform the individuals who made the pending subject access requests, by October 21st 2018, whether any personal data about them have been processed and supply them with a copy of such personal data. The Secretary of State was also ordered to provide the Information Commissioner with a monthly progress report.

The enforcement action by the Information Commissioner serves as a reminder for those who handle personal data – in particular as we approach the May 25th 2018 deadline for compliance with the General Data Protection Regulation (‘GDPR’) – to be prepared to respond to access requests in a timely manner. Under the GDPR, data controllers will need to respond to access requests within one month of receipt. Achieving compliance will be greatly aided by ensuring that access requests are logged and assessed quickly upon receipt, and that processes are in place to allow for the rapid identification of a requester’s personal data. Carrying out a data audit is highly recommended, as understanding fully what personal data you hold and how they are being processed is key to enabling your organisation to meet the GDPR’s standards.

Metropolitan Police Service refers data leaks to Information Commissioner 

The Metropolitan Police Service (‘MPS’) has referred a matter to the Information Commissioner’s Office (‘ICO’), after former officers made public statements concerning the MPS’ 2008 investigation into leaks of official documents from the Home Office. The public disclosures made by a former Assistant Commissioner and a former Detective Constable of the MPS concerned pornographic material allegedly discovered on Mr. Green’s Commons computer in the course of the 2008 Home Office investigation. The former officers’ statements were widely cited in the media. In referring the matter to the ICO, the MPS stated it had concluded that the disclosures may have contravened the Data Protection Act 2008. In response to the referral by the MPS, the Information Commissioner, Elizabeth Denham, confirmed that her office would be looking at whether the former officers acted unlawfully by retaining or disclosing personal data.

Whether any data protection infractions occurred will only be known once the ICO has concluded its inquiries. The considerations raised by this matter, however, are relevant to organisations and their employees who handle personal data in the course of their employment; both employers and their employees are at risk if personal data are not handled in accordance with the law. For organisations, having in place clear internal policies on the handling and safeguarding of personal data, and carrying out regular training for employees, can be extremely valuable in demonstrating compliance to a regulator should questions of improper data disclosure arise.

UK Government seeks to assure the Information Commissioner of her independence under the draft Data Protection Bill

The Information Commissioner’s Office recently expressed concern over the draft Data Protection Bill’s provisions allowing the government to issue a ‘framework’ for the processing of personal data by government departments and public bodies, and to require the ICO to consider such a framework when carrying out its supervisory duties. It is the requirement for the ICO to take account of any data processing framework that raised concerns from the ICO about its independence in carrying out its regulatory duties, such independence being required under the General Data Protection Regulation. The ICO stated that the provisions of the draft Bill posed ‘a real risk of creating the impression that the Commissioner will not enjoy the full independence of action and freedom from external influence when deciding how to exercise her full range of functions.’

Lord Ashton, the Parliamentary Under-Secretary of State at the Department for Digital, Culture, Media and Sport, addressed the powers in the draft Bill, stating that any framework which the Government may issue should be viewed in the same manner as sector-specific data protection guidance in existence for other areas in the UK economy: ‘This is not a novel concept. Across the country, organisations and businesses produce guidance on data processing that addresses the specific circumstances relevant to them or the sector in which they operate.’

There has been no suggestion from the Government that the provisions in the draft Bill are intended to fetter (or may even have the effect of fettering) the independence of the ICO. Rather, the development of such frameworks could be helpful (and indeed very valuable) to ensure that certain lawful processing activities are able to be carried out. Examples include data processing in relation to the electoral roll as part of the democratic process, and clear guidance from the Government on the right of political parties and other political campaigners to process personal data for fundraising and during election (or referendum) periods. Because Government departments are the holders of electoral data, it is essential that those departments have clear guidance on the processing of such data in compliance with the UK’s data protection regime, and that the electoral process is not compromised by, for example, a misapprehension as to who is permitted to have access to the electoral roll for permitted democratic activities.

We shall continue to monitor and report on the progress of the draft Bill as it continues to move through the Parliamentary stages.

European News in Brief

Andrea Jelinek, the data protection chief in Austria, is now expected to chair the Article 29 Working Party in the coming months and is highly likely to become the first-ever chairwoman of the European Data Protection Board, a pan-European watchdog institution that will enforce incoming GDPR privacy rules after May 25th 2018.  We will be watching with interest what her approach will be.