mehaniq41 - stock.adobe.com
ICO selectively discloses reprimands for data protection breaches
Data protection experts question ICO’s selective approach to publishing formal reprimands for contravening the law, after FoI request reveals the Cabinet Office was among the organisations reprimanded
The Information Commissioner’s Office (ICO) has issued reprimands to seven public and private organisations over failures to respond to requests for personal information, but experts have questioned why the regulator chooses to publicly disclose some reprimands and not others.
Under the UK Data Protection Act 2018 (DPA 18), the ICO has the power to serve formal reprimands, as well as fines and other enforcement notices, when organisations contravene the law.
On 28 September 2022, the ICO announced it had reprimanded seven organisations – the Ministry of Defence, the Home Office, Kent Police, Virgin Media, and the London Boroughs of Croydon, Hackney and Lambeth – over repeated failings to respond to subject access requests (SARs) within the statutory deadline of three months.
“SARs and requests made under FOIA [the Freedom of Information Act] are fundamental rights and are an essential gateway to accessing other rights,” said information commissioner John Edwards. “Being able to ask an organisation ‘what information do you hold on me?’ and ‘how it is being used?’ provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.
“We will continue to support organisations to meet their obligations to individuals, in addition to providing education to people about their rights. This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organisation regarding what is required from them.
“We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law.”
Edwards said each of the seven reprimanded organisations had between three and six months to make improvements, or further enforcement action could be taken.
However, the regulator’s decision to publish and publicise these seven reprimands has raised questions about consistency, and why it chooses to disclose some reprimands, but not others.
What are subject access requests?
Under the UK’s data protection rules, individuals have the right to access and receive a copy of the personal data that organisations hold on them. Submitting these access requests helps people understand how and why their data is being used, as well as enabling them to check that the processing is lawful.
There is no formal process that needs to be followed to make a subject access request, as any request in any format is valid if it is clear that the individual is asking for their own personal data.
Organisations are expected to reply within one month of receiving a request, but they are allowed to extend the response time by a further two months if the access request is complex or there are multiple requests from one individual. Three months is therefore the absolute legal time limit for organisations to respond.
Based on an FOIA request submitted by Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, Computer Weekly reported in June 2022 that the ICO had failed to publicly disclose the majority of reprimands it had issued since November 2021 to public sector organisations for UK data protection law breaches.
The 15 undisclosed reprimand recipients included the Government Communication Service (GCS, part of the Cabinet Office), the UK Independence Party (UKIP), the Crown Prosecution Service (CPS) and the Welsh Language Commissioner. Other recipients included four police forces, two local authorities and two NHS trusts.
Although the ICO declined to disclose the reasons why it decided to issue the reprimands, it confirmed at the time that all the reprimands served to criminal justice sector bodies were issued under Part Three of the DPA 18, which lays out specific rules for processing personal data by law enforcement entities for law enforcement purposes.
Chris Pounder, director of data protection training firm Amberhawk, said: “Reprimands should be published and if there were issues at stake, for example national security or policing, a summary should be published.”
Pounder added that, under the UK’s previous Data Protection Act 1998, the ICO was able to serve “undertakings” to organisations for infringing the law, and these were “usually published”.
In a similar fashion to reprimands, these undertakings would outline the issues, and set out the actions that organisations would need to take to make their data processing activities compliant, and in what timeframe.
Asked about the process behind why some reprimands are publicised and others are not, the ICO said: “Reprimands are currently published on a case-by-case basis. So, for example, in relation to the SAR reprimands published recently, that was part of a co-ordinated piece of work to raise awareness about SAR delays and the consequences of non-compliance. We have also previously published reprimands in cases such as the DHSC [Department of Health and Social Care] private correspondence Behind the screens report.”
The ICO also provided a link to its Regulatory and Enforcement Activity Policy for further information.
But according to this policy, the ICO’s “default position is that we will publish (and, where appropriate, publicise) all formal regulatory work, including significant decisions and investigations, once the outcome is reached”.
On reprimands specifically, the ICO added: “We will publicise these if it will help promote good practice or deter non-compliance.”
Freedom of information disclosures
Responding to a series of follow-up FOIA requests submitted by Computer Weekly, and which focused primarily on reprimands issued to criminal justice bodies, the ICO disclosed documentation related to the Cabinet Office’s reprimand, but none of the other reprimands enquired about.
These include the reprimands issued to Hampshire Constabulary, the Metropolitan Police Service, North Yorkshire Police (which received two reprimands), Surrey Police and the Crown Prosecution Service (CPS).
According to the FOIA responses from the ICO’s information access team, the information about these reprimands was withheld because “disclosure of the information would be likely to prejudice the ICO’s ability to conduct investigations of this nature both now and in the future”. It added: “Disclosure would be likely to jeopardise the ICO’s ability to obtain information from the organisations we investigate and would inhibit our effectiveness as a regulator. Disclosure of information could adversely affect the relationship we have with them and make them more cautious about engaging with us in the future.”
It further cited the FOIA’s section 31 law enforcement exemption and an absolute section 44 exemption, the latter enabling information to be withheld if it was supplied to the ICO during an official investigation.
Mishcon de Reya’s Baines said that although he could see both sides, he was “inherently sceptical” of the argument that publishing information about formal regulatory action the ICO has taken would make organisations less likely to engage with it going forward.
“The ICO is the statutory regulator, with statutory information-gathering powers, and powers of compelling, in certain circumstances, information to be given,” he said, adding that although there will inevitably be edge cases of “dodgy data controllers” ducking their legal obligations to cooperate, this will not be the case for “a reasonable business, acting reasonably”.
Read more about data protection in the UK
- Unionised Uber drivers take industrial action against the company over its failure to pay workers in line with a Supreme Court decision and inflation, as well as the lack of transparency around how it uses their data.
- A Home Office scheme to biometrically scan the faces of convicted migrants who have already carried out punishments has come under fire from privacy and human rights groups for being discriminatory.
- IT industry reacts to the government’s plan to replace the pan-European data protection regulation.
“I am not entirely convinced that a very transparent approach from the ICO would have the chilling effect that they suggest,” said Baines. “If you asked me to argue the other way, I could do that. But on balance, I’m sceptical of the argument in the round.”
The ICO did not comment on its argument that disclosures would have a potentially chilling effect.
Baines, who was provided with copies of Computer Weekly’s requests, said he also had general concerns about how the ICO, and other public authorities, apply the public interest test when responding to FOIA requests.
“When it comes to application of exemptions, I think they just fall on generic arguments in favour of disclosure,” he said. “They are required to weigh the factors in the balance, but often they will say in favour of disclosure is the general benefit in transparency, and then militating against disclosure A, B, C, D, E and F, which are all specific.”
Separate FOIA requests for information about the reprimands were also submitted to each of the individual criminal justice bodies, most of which was withheld under the law enforcement exemption, while others have not yet responded.
Some of the reprimanded organisations said the continuing delays in responding to the FOIA requests are due to the fact that the organisations have so far been unable to locate the reprimands issued to them. Only the Cabinet Office disclosed details about its reprimand from the ICO.
Cabinet Office reprimanded over real-time bidding
According to the ICO’s disclosure, the Cabinet Office was reprimanded over its use of programmatic real-time bidding (RTB) – an automated process by which advertisers can place bids, in real time, for specific display ad placements – on a number of grounds.
These include the fact that the Cabinet Office had not conducted a data protection impact assessment (DPIA) – either when RTB was first rolled out in 2014 or at the inception of the General Data Protection Regulation (GDPR) in May 2018 – and had not identified a lawful basis for the processing of both personal and special category data.
The reprimand said the Cabinet Office had also never published a privacy notice about its processing activities, and did not include RTB in its record of processing activities.
Although the Cabinet Office has been using RTB since 2014 to target individualised messaging to service users, it also claimed to the ICO that it did not believe any personal data was being processed by the system.
Computer Weekly asked the Cabinet Office how it arrived at the conclusion that no personal data was being processed given the nature of the system’s targeted advertising, but it did not respond by the time of publication.
On what steps the it has taken to remedy the issues raised by its reprimand, the Cabinet Office said in its FOIA response: “A series of enhanced data protection and other due diligence measures have been implemented to ensure compliance by government campaigns with the latest ICO guidance.”
The ICO confirmed that the Cabinet Office had conducted a DPIA and published a privacy notice following the reprimand.
However, the Cabinet Office’s own data protection officer (DPO), whose opinion is included in the DPIA, said there was a high risk that RTB does use personal data unlawfully. “My advice is that there remains a high risk that personal data is being collected and used unlawfully within the RTB system,” the DPO said.
“This is because the ICO has advised that the only appropriate lawful basis for much of this data is consent. Consent collected on behalf of the Cabinet Office by publishers can only be valid if Cabinet Office is named as a recipient relying on that consent. This is not, to my knowledge, the case. I therefore recommend that use of RTB ceases until we can have reasonable confidence that our use of RTB is compliant with data protection law.”
The ICO said a review of the Cabinet Office’s progress was conducted in spring 2022. “We were satisfied with their progress at that point and no further review was necessary,” it said. “As with all matters we consider, if there is any new information or intelligence that would lead us to consider it appropriate to pick this matter back up, we would do so.”
It added: “With regard to processing and the DPO assessment, we would of course expect caution where there is any question of compliance, and it is sensible not to process until that is resolved.”
Computer Weekly asked the Cabinet Office if it was able to account for the contradiction between the FOIA response saying all the recommended measures have been put in place, and its DPO saying use of the system should be halted until there is greater confidence that it is operating lawfully, but received no response by the time of publication.
Clear concerns over RTB
Baines said that, given the ICO’s clear concerns over the RTB industry, he is surprised the regulator did not publish or publicise the Cabinet Office reprimand.
In June 2019, the ICO published a report on advertising technology (adtech) and RTB, specifically listing a lack of transparency in the ecosystem, the reliance on questionable legal bases to justify data processing, and the sharing and use of special category data as a major concerns. It also noted that the ICO did not think the data protection issues raised by the sector could be addressed without intervention.
“Overall, in the ICO’s view, the adtech industry appears immature in its understanding of data protection requirements,” it said. “While the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB.”
Commenting on the Cabinet Office’s reprimand, Baines said: “I think it is really interesting that they took action against the Cabinet Office around the time that they were putting out reports about the industry. I am very surprised that this wasn’t given publicity at the time.”
In response to Computer Weekly’s questions, the ICO said: “Reprimands are currently published on a case-by-case basis.”