If anybody feels that an organisation may have failed to follow the Data Protection Act whilst dealing with their data, they can ask the ICO for an assessment about whether that processing is likely to have been OK or not, under S42 of the Data Protection Act. The ICO are obliged to respond unless they need the subject to supply more ID or more explanation as to what processing the subject’s concerned about. Those are the ONLY exemptions the ICO can use to avoid having to undertake a S42 assessment.
S42.2 On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to—
(a) satisfy himself as to the identity of the person making the request, and
(b) enable him to identify the processing in question.
It is usually a good idea for the data subject to complain to the data controller before bothering the ICO. It’s often the best way to get the issue resolved speedily and with the least fuss, to the benefit of both the data controller and the data subject. It also means that the ICO are less likely to be swamped with S42 requests about matters that could have been sorted out far more easily by a simple email.
However, that isn’t appropriate in all cases.
My reading of the Act is that the ICO are under an obligation to respond to a data subject’s S42 request for assessment irrespective of whether the data subject has complained to the data controller. The ONLY factors they can take into consideration as to whether they must undertake an assessment are whether they have enough ID to be confident the data subject is who (s)he says (s)he is, and whether they’ve been given enough information to identify the processing in question.
S42 lists other factors that the Commissioner can take into account – but these factors are only to be taken into account when deciding HOW the assessment will be carried out, not IF an assessment will be undertaken. The assessment still has to be done, irrespective of these factors. And in any case, these factors do not include whether or not the data subject has made a complaint to the data controller.
S42.3 The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include—
(a) the extent to which the request appears to him to raise a matter of substance,
(b) any undue delay in making the request, and
(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.
So as far as I’m concerned, the law does not give the ICO latitude to insist data subjects complain to the data controller before submitting a S42 request. It doesn’t allow the ICO to refuse to undertake an assessment where the data subject hasn’t submitted a complaint direct to the data controller.
I submitted a S42 request recently, having not complained to the data controller first. The ICO responded:
I note that you also sent us a copy of an email received from ‘Charity Checkout’, which appears to be a trading name of ‘Online Giving Ltd’. There is no other copy correspondence to show that you have raised a concern with ‘Online Giving Ltd’ in writing and allowed time for its response. You would need to do this before the ICO could progress any concern about this third organisation.
I remonstrated:
This approach is not in compliance with obligations under S42 of the Data Protection Act, which states:
I parroted the above in detail, showing that the ICO cannot legitimately insist on subjects complaining to the controller before the ICO is obliged to conduct an assessment.
It always bugs me when the ICO state that they will not make a S42 assessment unless the data subject has raised their concern with the data controller. This is evidently ingrained and standard practice in the ICO, but it has no basis in law. No doubt the ICO would like it to be in the law, acts as if it is the law, and doubtless it often achieves a speedier resolution if the data subject complains to the data controller, but the fact is that the Information Commissioner is obliged to undertake an assessment whether or not the data subject has raised their concern with the data controller.
As the ICO expects and requires data controllers to comply with the detail of the Data Protection Act, it should do so itself. S42 does not give the Commissioner the right to reject S42 requests on the basis that the data subject has not raised a concern with the data controller. That’s the letter of the law, and the ICO should comply with it.
Please register a complaint that the ICO’s standard practice in this specific is not in compliance with the Commissioner’s obligation under S42 of the Data Protection Act.
They gave their final response:
You are dissatisfied with this approach and do not consider that section 42 of the Act allows the ICO to require that you contact the organisation prior to requesting an assessment.
My Findings
The requirement for individuals to have raised their concerns with the organisation involved is part of the ICO’s operational policy, rather than being written into the legislation.
You will appreciate that the ICO has limited resources, and we cannot take action in response to every concern reported to us. Ultimately our role is to improve information rights practices, and we put our efforts into taking action in those areas where we can make the biggest improvement to the practice of those we regulate. We are an independent body and do not work on behalf of individuals.
As explained on our website, we believe that the organisation responsible for a data protection matter should deal with it in the first instance. We expect organisations to take concerns seriously and work with the data subject to try to resolve them. Most organisations will want to put things right when they have gone wrong, and learn from complaints that are raised with them – further, it is best practice for them to have an effective complaints procedure.
If the organisation has been unable, or unwilling, to resolve an information rights concern, the data subject can then raise the matter for us to evaluate whether there is an opportunity to improve information rights practice.
For all of these reasons we are committed to giving organisations the opportunity to respond to public concerns before they are raised with us as the regulator.
I trust that this explains our approach.
Well yes, it explains their approach, but it doesn’t explain how their approach complies with the legislation, which was the sole point in my complaint. “We think our approach is better” isn’t a valid response to a complaint that said approach is not in accordance with their legal obligations.
However, they have successfully stonewalled me through their single-stage complaints procedure, so they won’t consider the issue any further. I wouldn’t want to bother the Ombudsman, partly because I haven’t experienced sufficient harm, and in any case, as the ICO pointed out, “If your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you.” The only further avenue suggested was, “If you want to challenge our interpretation of the law, you should consider seeking legal advice.” They presumably know that it doesn’t merit that.
I’m therefore reduced to publishing a whiny blog explaining how I’ve been wronged, on an obscure part of the Internet where nobody will read it — similar to the likes of Alan Dransfield.
But I still think I’m right, that the ICO are failing to comply with their legal obligations, and that they have succeeded in their intent of stonewalling me throughout the statutory procedures ostensibly designed to make sure they take on board complainants’ legitimate concerns and change accordingly. (Again, just like Dransfield. Perhaps we’re long-lost relatives or something.)
Spot on Doug. While I sympathise with ICO’s position regarding lack of resources, their approach cannot be squared with what the law says. And it’s not just the DPA – the Data Protection Directive, at Article 28(4) states that supervisory authorities “shall” hear claims for checks on the lawfulness of data processing lodged by any person. No discretion or exemption is provided.