Information Commissioner Update
1. ICO Enforcement Action
The ICO has recently reported two prosecutions it has undertaken under s.170 of the Data Protection Act concerning individuals who had unlawfully accessed personal data. The first prosecution concerned a former family intervention officer at St Helens Borough Council, who was prosecuted for viewing records on the council’s case management system on several occasions during 2019 without having a business need to do so. An internal audit found that Rachel Anderton had unlawfully looked at the records of 145 people whilst employed in the social services department. Ms Anderton was fined £92.00 and ordered to pay court costs of £385.00.
The second prosecution concerned a medical secretary who worked in the ophthalmology department of Worcestershire Acute NHS Trust. The ICO reported that Loretta Alborghetti had in 2019 unlawfully accessed the medical records of over 150 people on over 1800 separate occasions, and in relation to one individual had accessed their records 33 times over a three-month period, without consent or a business need to do so. The individuals whose records were accessed had no medical conditions relating to ophthalmology. Ms Alborghetti was fined £648.00.
These examples of unauthorised access to sensitive information highlight the ICO’s willingness to bring prosecutions under the Data Protection Act for unlawful access to personal data. Health and care organisations in particular will be conscious of the need to remind all workers not to look at records where there is no justification for doing so, and to ensure that appropriate workforce training is in place. Links to the relevant media articles are below.
2. ICO Consultations
(i) ICO’s approach to data protection fines
On 2 October 2023 the ICO published a consultation on its draft Data Protection Fining Guidance. The proposed guidance sets out the legal framework, how the ICO decides to issue penalty notices and how it calculates fines under the UK GDPR and the Data Protection Act 2018. When finalised, this guidance will replace parts of the ICO’s Regulatory Action Policy.
One key takeaway from this guidance is the ICO’s clear attempt to align with the European Data Protection Board’s approach to fines, with the proposal containing a five-step method for calculating fines and, where a controller and processor are part of one ‘undertaking’, the maximum fine being based on the turnover of the whole undertaking.
The ICO also plans to consult on new procedural guidance that will incorporate the other statutory guidance about regulatory action required by the Data Protection Act 2018. This will in turn replace parts of the Regulatory Action Policy.
The consultation closed on 27 November.
(ii) Transparency in health and social care
On 13 November 2023 the ICO published a consultation on its new draft Transparency in Health and Social Care Guidance. The guidance aims to help health and social care organisations understand the ICO’s expectations about transparency in the sector, particularly in light of new technologies which are being developed to support both direct and secondary care, including research and planning, and which often use large amounts of personal information. Whilst these technologies often provide a significant benefit to the public, the ICO is clear that the use of personal information within them must be clearly explained in order to maintain trust and comply with data protection requirements. This guidance will be relevant to both public sector organisations (including NHS Trusts, GPs, ICBs and local authorities) and private and third sector providers of health and social care.
The consultation closes on 7 January 2024. Find the link to the consultation here.
(iii) Court of Appeal cases
The Court of Appeal has handed down three significant judgments involving the ICO over the last couple of months.
Complaints to the ICO
A data subject had raised a complaint with the ICO regarding the way in which a Data Subject Access Request had been handled by Wise Payments Limited. In brief, the ICO’s position was that it was required to receive complaints under data protection legislation, but that it was not required to fully investigate those complaints to conclusion and to issue a formal decision. The Court of Appeal upheld the ICO’s decision; this means that the ICO will be able to continue exercising a degree of valuable discretion in considering how it approaches complaints, and in particular how far it can work with willing organisations to reach an informal resolution before adopting a more formal approach.
Clearview AI appeal
Clearview AI has succeeded in appealing against the ICO's £7.5 million fine for its facial recognition software. Although the Tribunal overturned the fine, it did so on a very narrow ground relating to the non-applicability of the GDPR to foreign law enforcement activities. Had this not applied, the Tribunal concluded that Clearview would have been responsible for the monitoring of UK individuals carried out by Clearview's customers, and that Clearview would have been caught by the GDPR and UK GDPR, even though Clearview was established overseas. The ICO has announced it is seeking permission to appeal on the basis that, while Clearview AI’s customers were processing the data for foreign law enforcement purposes, Clearview AI itself was not.
Aggregation of Public Interest Test factors
An ICO decision was appealed, eventually reaching the Court of Appeal. The decision related to whether multiple public interest exemptions can be ‘aggregated’ and weighed together when assessing disclosure, or whether they must each be considered individually. The ICO’s position was that each would need to be considered separately, providing a more restrictive framework for public bodies to withhold information. The Court ruled against the ICO; this means that multiple different exemptions can be grouped together in considering where the public interest lies, and therefore gives public bodies more latitude in considering and applying multiple exemptions in such a way as to support each other.
UK Law & Policy Update
Update on DPDI Bill
The Data Protection and Digital Information (No. 2) Bill has been carried over and reintroduced to the new session of parliament. The Bill will be renamed the Data Protection and Digital Information Bill, as it is in a new session. The Bill is due to have its Report Stage and third reading on 29 November 2023. The House of Commons will debate the contents of the Bill and vote on its approval. If approved, the Bill will move to the House of Lords for consideration.
As ever, we will keep you updated on the Bill’s progress in future editions of Data Matters.
For more explanatory information about what the DPDI Bill is, please see previous editions of Data Matters.
Online Safety Act 2023
The Online Safety Act 2023 received Royal Assent on 26 October 2023 and is now law.
The Act aims to, among other things, make tech companies responsible for the content posted on their platforms, with a responsibility to prevent and rapidly remove illegal content and give users an option to filter out content that they do not want to see.
There have been a number of criticisms raised against the Act, particularly in relation to privacy rights and freedom of expression. The Act does contain a statement that these rights should be protected when providers are implementing the necessary provisions, though it is unclear how this will be dealt with in practice.
So, what next? Ofcom will be responsible for the interpretation and enforcement of the Act; it will produce several different codes of conduct, each of which will be subject to consultation and each of which will require parliamentary approval. On this subject, Ofcom have said: “Our first Codes aim to capture existing good practice within industry and set clear expectations on raising standards of user protection, especially for services whose existing systems are patchy or inadequate. Each proposed measure has been impact assessed, considering harm reduction, effectiveness, cost and the impact on rights.”
Social Housing (Regulation) Act 2023: Access to Information Scheme
The Social Housing (Regulation) Act 2023 came into force on 20 July 2023. One part of this wider ranging piece of legislation is a new “Access to Information Scheme”, which will allow tenants of privately owned social housing to request information from their housing providers. Tenants of local authority owned social housing can already get information from their landlord through the Freedom of Information Act route.
Under the Scheme a provider will have to provide information to their tenants about: their tenants’ rights in connection with their homes and with the facilities and services provided in connection with those homes; how their tenants can make a complaint against them; and any relevant regulatory requirements in connection with their homes and with the facilities and services provided in connection with those homes. The process for tenants accessing information, as proposed, is:
- Providers make information available to residents through a publication scheme.
- Tenants request information they can’t find through the publication scheme from their housing provider.
- If a tenant is not happy with the outcome above, they may complain to the housing provider.
- If the tenant is still not happy, they may then complain to the Housing Ombudsman.
The Access to Information Scheme is currently being consulted on. The consultation closed on 22 November.
This legislation applies to England and Wales only. Registered private social landlords in Scotland were brought under the Freedom of Information (Scotland) Act in November 2019.
For more information, please watch out for our upcoming video digest on this issue.
EU Law Update and International Data Transfers
ICO signs MoU with European Data Protection Supervisor (EDPS)
At the beginning of November the ICO and the EDPS signed a Memorandum of Understanding (MoU), reinforcing the parties’ shared mission to uphold individuals’ data protection and privacy rights, and to cooperate internationally to achieve this goal.
The MoU is a statement of intent to ensure cooperation between the two institutions: to carry out specific projects and joint research; share best practice, information and intelligence; support regulatory work; and promote dialogue. The MoU is not legally binding, but highlights the ICO’s commitment to maintain alignment with the EU on data protection and privacy matters.
CJEU case: Subject Access Requests (SARs) and the individual’s right to their personal data
On 26 October 2023, the Court of Justice of the European Union (CJEU) handed down its judgement on a case brought by an individual who had his application for a free copy of his personal data from his dentist rejected on the basis that, under German law, an applicant has to pay to obtain copies of their medical records.
The German courts found in favour of the individual, but referred the case to the CJEU because they believed the decision hinged on the interpretation of the GDPR. This is because the specific reason for the request – to bring a legal case (on the basis of suspected malpractice) against the data controller – was not explicitly set out in Recital 63 of the GDPR. The CJEU considered Articles 12(5) (accessing personal data should be cost free for the individual) and 15(3) (a person should be provided with a free initial copy of their personal data) of the GDPR. The court found that Recital 63 does not limit the grounds for a request.
The CJEU also considered the nature of the medical information an individual should have access to. Under Article 15(3) a person is entitled to a copy of their personal data. The court determined that this means patients are entitled to a complete copy of documents in their medical records containing their personal data, not just a summary of that data.
Although this judgment is not binding in the UK, the ICO commonly takes decisions of the Court of Justice into account when considering its own approach to a similar issue of interpretation of the UK GDPR, so this decision will be relevant to UK data controllers’ consideration of these issues.
More details on this case can be found at: GDPR: the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data | CJEU Press Release
International Data Transfers
In January 2022 the UK Government established the International Data Transfers Expert Council, coordinated by the Department for Science, Innovation and Technology (DCMS at the time of the Council’s inception). The Council was tasked by the government to look at the thorny issue of international data transfers and to provide recommendations for the promotion of a global solution for data transfers while upholding existing protections for personal data around the world. The Council has now published its report, which is available at the link below. As well as encouraging relevant stakeholders to continue and escalate discussions to promote a sustainable solution, the Council’s recommendations (among others) included:
- continuing engagement on the issue of “Trusted Government Access” to personal data held by the private sector and on the expansion of the OECD’s TGA Principles and how these principles can be strengthened;
- strengthening the frameworks around certifications and trustmark mechanisms for international data transfers (such as the EU/UK – US Data Privacy Framework);
- exploring certification to international technical standards such as ISO or other similar codes of conduct;
- exploring multilateral binding treaties between countries to guarantee protections for personal data and provide true stability for data transfers.
The Council noted that the UK government would be providing a response to the issues raised in the report, and confirmed that the next steps would be to consider proposals for the implementation of the ideas and proposals generated in this report.
The Council’s report (published November 2023) is available here:
Towards a sustainable multilateral and universal solution for international data transfers (publishing.service.gov.uk)
If you have any questions about the issues raised in this update, please contact a member of our Information Law team.