Brief post for today. Well, a brief post by the standards of this blog!
In yesterday’s blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject’s rights and potentially quite dangerous to the data subject as MoJ shared the subject’s name, address, date of birth and financial details.
The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.

The Information Commissioner’s Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.
So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other people’s data.
Can’t we?
In a delicious piece of timing just after I’d written yesterday’s blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!

It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!
The ICO letter states:
I am aware that the council inadvertently provided you with the requested information.
Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.
One might hope the ICO takes appropriate action against itself for this data breach.
In all honesty I wouldn’t hold my breath.

Like many of the UK’s regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.
Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exist enough “trapdoors” in the relevant legislation that an (often misapplied) exemption will be used to avoid supply of the data.
The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).
In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.
Let’s look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICO’s expenses. The majority of the fines issued in successful judgments are not paid.
One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients’ medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.

