Data controllers’ compliance with Section 10 notices: the ICO now assess.

I’ve written previously about the Information Commissioner’s assessment of organisations’ compliance with S10 notices. S10 is a mechanism by which a data subject can force a data controller to stop processing his/her personal data, or stop it from processing in a certain way, where such processing is causing substantial, unwarranted damage or distress.

Previously the ICO has always insisted that they can only assess organisations’ technical compliance with S10(3), i.e. whether the organisation has responded to the notice and whether such response was within the 21-day timescale. The ICO would not consider whether the organisation had broken the law by failing to comply with a valid notice.

The ICO have now changed their policy. The attached Lines to Take document now states:

an individual may make a request for an assessment under s.42 of the DPA where:

  • A data controller has not responded to a notice at all.
  • A data controller has not responded within the 21 day timeframe.
  • A data controller has not provided its reasons for refusing to comply with a notice.
  • A data controller has failed to comply with the data subject’s request to cease processing.

That last point is new!

This draft Casework Advice Note goes into more detail.

Section 10(4) refers to the power of the court to order compliance with a section 10 notice.
The Commissioner is still able to make a s42 assessment on processing that may be in breach of the sixth principle (complying with a section 10 notice).

Failure to comply with a justified notice or failure to respond to a valid section 10 notice is a breach of the sixth principle.
The Commissioner can make an assessment of whether processing has been or is being carried out in compliance with the provisions of the DPA – in this case a breach of the sixth principle arising from a failure to comply with a data subject’s section 10 rights.

We can make an assessment of:

  • any non-compliant processing causing unwarranted damage or distress which means that the notice is justified; and/or
  • the data controller’s compliance with the procedural obligations under 10(3) to:
    • respond within 21 days of receiving the objection;
    • explain whether it intends to comply with the objection; and,
    • if it does not intend to comply with the objection in some way, give reasons for the decision.

You CAN also:

  • carry out a s42 assessment on whether the data controller has complied with its obligations under s10(1)

They’ve put “CAN” in bold for the following reason (also in the draft Casework Advice Note):

Problems with the previous line on ASK knowledge base
The previous line said that:

‘the only situation where the ICO can get involved with a request made under section 10 is where the organisation hasn’t provided any response within 21 days, we cannot assist with any matters relating to compliance with the request….’

This line may have arisen as a result of our preferences or priorities in terms of the types of complaints we take on as an office where there is a technical limitation on our legal powers, or it may be that we decided for operational reasons that we would not make assessments on a data controller’s compliance with their section 10(1) obligations.
Just because s10 refers to the powers of the court to order compliance with a section 10 notice does not preclude the Commissioner from making an assessment on processing that is in breach of principle 6.
Other sections of the DPA that relate to principle 6 refer to the order making powers of the court. For example, section 7(9) allows the court to order compliance with a SAR, but wouldn’t prevent the Commissioner from making her own assessment on whether or not a data controller should comply with a section 7 request.

It would seem that I have forced the ICO to reconsider their approach. Their internal dialogue on my complaint is entertaining. I particularly like the implied criticism:

In the present case, rather than referring his complaint about Sky’s processing to the Commissioner for an assessment, the data subject has tried to sort out the matter himself by issuing a section 10(1) notice.

How irresponsible of me 😀

Southern Rail’s disgusting treatment of wheelchair users

My valued friend and co-campaigner told me about his disgusting experience at the hands of Southern Rail staff. I have reblogged the below from the excellent Transport for All website.

I very much hope Southern Rail – and other rail providers – take it seriously. Their response to it doesn’t inspire confidence though; they clearly hadn’t even read it…


A very unpleasant experience for a wheelchair user at Clapham Junction

Blog by TfA member Chris. This blog and its content reflect the views of the author only.

Clapham Junction is a busy and important transport hub in South London, and I’m pleased to say that it has step-free access to all platforms, and wheelchair ramps on every platform.

But lifts and ramps are not enough to make a station disabled-friendly. The attitude and behaviour of the station staff matter hugely.

Last weekend I had an extremely unpleasant experience at Clapham Junction Station. It was not my first experience of rudeness and unhelpfulness from Southern Railway staff at this station, but it was certainly the worst.

I’m a wheelchair user. I arrived at platform 15 on Saturday afternoon, and asked a member of staff on the platform for assistance with a ramp to board a train.

His response to my request was curt and unfriendly: “Next train”, with a jab of the finger in the direction of the track, and with that he disappeared.

In itself this small moment of rudeness was not surprising, it’s what I have got used to at Clapham Junction when I interact with Southern Railway staff. But then things got much worse.

The train pulled in and I positioned myself by the door with the wheelchair logo, as I wanted to be placed in the wheelchair space on the train.

The member of staff I had spoken to didn’t come with a ramp. I couldn’t see him until everyone had boarded, and then I saw that he was at the back of the train with the ramp. I waved to him. He refused to move. I pointed to the doors with the wheelchair logo. He shouted that I had to board at the back of the train (where there was no wheelchair space). Some of his colleagues told me that I had to get on at the back. I said no, I wished to travel in the wheelchair space. The man with the ramp did not budge, and kept gesturing me to come towards him.

I did not want to travel in a part of the train without a wheelchair space because I do not consider this a safe or comfortable way to travel, so we reached an impasse. The man with the ramp let the train go, without me onboard.

He then came over and addressed me angrily, and with a staggering level of rudeness, telling me I should have boarded exactly where he wanted me to. I told him that I had wanted to be placed in the wheelchair space, as that was the only safe place for me to travel.

He was not displaying a name badge. I asked him three times for his name. Three times he refused, and then he walked away briskly, refusing to communicate with me any further.

He then placed the ramp flat down on the platform, near the platform edge, for several minutes, perpendicular to the track, in such a way that customers could easily trip over it, and possibly even fall onto the tracks.

After this I encountered a second member of staff. He too was extremely rude to me when I explained that his colleague had refused to allow me to board the train where the wheelchair space was. He told me that I was obliged to board the train exactly where the platform staff had decided.

He also made this extraordinary statement: “If you don’t know the rules, you shouldn’t come here”. This statement was too bizarre and silly to argue with, but it was also an act of intolerable rudeness.

This second member of staff also refused to give his name, and was not showing a name-badge.

Later they put me onto a train, in the wheelchair space as I had requested at first, and I was able to make my journey at last.

Disabled people should be able to travel with the same ease, flexibility, safety and comfort as everyone else. But I find again and again that I come up against unhelpfulness, rudeness, ignorance and inflexibility when I want to travel on Southern Railway train services. I do not believe that this company takes its responsibility to its disabled customers at all seriously.

A great deal needs to change before train services are truly accessible, and before wheelchair users can use them without stress, distress and annoyance. Transport for All continues to campaign for full accessibility across all of London’s transport networks. Please join us if you would like to support our campaigns – you can find out here how to become a member.


Reblogged from the Transport for All website.

ICO on S42 assessments of data controller’s compliance with S10

Here’s the ICO’s response in full. Editing errors, such as the chopped-off sentence “In circumstances where an individual believes,” were in the original.

21 July 2016

Case Reference Number RCC0621317

Dear Mr Paulley

I write in response to your correspondence of 17 March 2016 in which you have raised concerns about the advice provided to you by our office in relation to section 10 and section 42 of the Data Protection Act 1998 (DPA). My name is Traci Shirley and as a Team Manager at the Information Commissioner’s Office (ICO) your concerns have been passed to me to review and respond to. Please accept my apologies for our delay in responding to you.

I have considered your comments and document my findings below.

Introduction
You contacted our office on 16 March 2016 to discuss your concerns in relation to Sky’s information security practice and its handling of your personal information. During your call you were advised by a Helpline officer and a ‘senior case officer’ that the Information Commissioner’s Office (ICO) is unable to conduct an assessment under section 42 of the DPA with regards to whether an organisation has satisfied its obligations under section 10 (1) of the DPA.

You explain that the Helpline officer’s ‘explanation of the ICO’s inability to investigate such referrals was twofold’ in that:

  • ‘the mechanism for enforcing such rights is through the courts’, and
  • ‘s.10 ‘doesn’t give organisations any obligation other than to provide a written notice’.

You explain the conflict between the advice provided by the two officers in that the Helpline officer advised that ‘a data controller’s compliance or otherwise with s.10’ could not be considered by our office. However, the senior officer advised that ‘the ICO can make a determination if the data controller has failed to provide a notice within 21 days as required under s.10 (3) but as s.10 places no obligation on the data provider to do anything other than provide a notice, the ICO cannot undertake an assessment on the organisation’s determination as to whether to accede to a s.10 notice or not’.

  • It is your view that each officer’s understanding of the law is incorrect in that s.42 of the DPA ‘obliges the ICO to conduct assessments on request as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Act’ and that the Act does not exclude s.10 from this obligation.
  • You further explain that, ‘the ability of the data subject to enforce their rights by application to the court under s.10(4) of the Act does not negate the Information Commissioner’s obligation to undertake a s.42 assessment’.
  • You reiterate the provisions of Schedule 1 Part II para 8(b) of the DPA relating to the sixth principle of the Act and any contravention of the right under s.10. On the basis of this provision you explain that ‘a failure to comply with a justified s.10 notice is a failure to comply with the 6th data protection principle’.
  • Similarly, you reiterate the provisions of under s.42 of the DPA and explain your view as to why the ICO should ‘conduct a s.42 assessment as to a data controller’s compliance or otherwise with s.10 (1) and (3)’.
  • You have asked to be informed of ‘what discretion you have under the Act to refuse to make an assessment as to the requirements placed upon a controller by section 10 (a)’ [sic].

Having reviewed all of the information available to me I shall document my findings below.

My Findings

The ICO does not record calls made to our Helpline therefore I am unable to review the call that took place between you and our officers. However, it is always our intention to provide a quality service. I apologise for any conflicting advice that you have received from our officers and that you have felt the need to complain about the advice provided to you on this occasion.

Security practices
You have explained that you initially contacted us in relation to Sky’s security practice and its handling of your personal information. As I am unable to review your call and you have not provided further information in relation to the advice provided to you regarding this aspect of your concerns, I am unable to comment further on this matter. However, the seventh principle of the DPA provides that personal information must be held securely. As such, if you believe that Sky has processed your personal information insecurely, you should, in the first instance, raise your concerns directly in writing to Sky. Following this, our office may be able to make an assessment of this aspect of your concerns.

DPA s.10 and s.42
As stated above, I am unable to review the call which took place between you and our officers therefore I am unable to comment specifically on the advice provided to you, or the context in which that advice was provided. However, in light of the detail provided by you, I agree that you may not have been correctly advised in relation to the rights and obligations set out in s.10 and s. 42 of the DPA.

DPA s.42 (1)
A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Act.

DPA s.10 (1)
An individual is entitled at any time by notice in writing to the data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the grounds that, for specified reasons –

  1. The processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or distress to him or to another, and
  2. That damage or distress is or would be unwarranted

DPA s.10 (4)
If a court is satisfied on the application of any person who has given notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

When considering compliance with any notice served on a data controller under s.10 (1), the court will consider whether the processing is likely to cause unwarranted substantial damage or distress. In addition, the court will consider whether s.10 (1) will not apply by virtue of s.10 (2), where the processing is for a purpose set out in paragraphs 1-4 of Schedule II.

If the court determines that a s.10 (1) notice is justified, s.10 (4) empowers the court to order the data controller to take such steps as the court thinks fit. However, s.10 (4) does not require the court to consider a data controller’s compliance with the ‘supplementary provisions’ under s.10 (3) which provide:

DPA s.10 (3)
The data controller must within twenty-one days of receiving a notice under subsection (1) (the data subject notice) give the individual who gave it a written notice – 

  1. Stating that he has complied or intends to comply with the data subject notice, or
  2. Stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

As such, matters of compliance relating to the supplementary provisions under s.10 (3) are for the Information Commissioner’s Office (ICO) to assess under s.42 of the DPA.

The supplementary obligations of the data controller are, within 21 days of receipt of the section 10(1) notice, to give the data subject written notice that either:

  1. the data controller has or will comply with the section 10(1) notice, or
  2. the data controller will not comply with the notice and the reasons for its decision.

Where an individual has issued a notice under s.10 (1), this does not negate the Commissioner’s obligation to make an assessment in response to an individual’s subsequent request for an assessment of a data controller’s processing of personal data and whether such processing is likely or unlikely to be in compliance with the provisions of the DPA.

In addition, an individual may request an assessment under s. 42 (1) of the DPA as to whether any processing by a data controller for its obligation in complying with a s.10 (1) notice was likely or unlikely to be in compliance with the provisions of the DPA.

However, where the data subject has exercised his right in applying to the court under s.10 (4) for an order compelling the data controller to comply with his s.10 (1) notice, the Commissioner may decide not to investigate the data controller’s compliance with its supplementary obligations under s.10 (3) on the basis that the data subject is concerned with the data controller’s compliance with a notice to cease processing under s.10 (1) rather than the supplementary provisions in s.10 (3).

Schedule 1 Part II paragraph 8 (b) states:
A person is to be regarded as contravening the sixth principle if, but only if –

  1. He contravened section 7 by failing to supply information in accordance with that section
  2. He contravenes section 10 by failing to comply with a notice under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section

You explain that, ‘a failure to comply with a justified s.10 notice is a failure to comply with the 6th data protection principle’.

Where a data controller fails to comply with the obligations set out in s.10 (3), any such failure may be a breach of s.10 (3) and therefore a breach of the rights afforded to individuals under the sixth principle. In circumstances where an individual believes

In relation to a ‘justified s.10’ notice, the data controller must consider the specified reasons asserted by the data subject and how the processing is likely to cause substantial damage or substantial distress to the data subject [or another] and whether such damage or distress is or would be warranted. To the extent that such notice is justified, the data controller should comply with the notice to such an extent. In circumstances where an individual believes that a data controller has failed to comply with a justified notice, the data subject may request an assessment under s.42 of the DPA.

Conclusion
As set out above, the Commissioner may make an assessment under s.42 of the DPA where:

  • the processing, in connection with a service provided to a data subject, is likely or unlikely to comply with the obligations set out in the seventh principle of the DPA.
  • the processing relates to whether a s.10 (1) notice is likely or unlikely to comply with a data controller’s obligations under s.10 (3) of the DPA, and
  • the processing, relating to the data controller’s obligations to comply with a notice, is likely or unlikely to be in accordance with the primary obligations under s.10 (3) of the DPA.

Thank you for bringing this matter to my attention and for providing me with the opportunity to address your concerns.

What next?

This concludes the case review and service complaint process. However, if you still believe that we have provided you with a poor service, or if you believe we have not treated you properly or fairly then you may be able to complain to:

The Parliamentary and Health Service Ombudsman, Millbank Tower, Millbank, London SW1P 4QP

All complaints to the Ombudsman must be made through an MP. I would advise you to first call the Ombudsman’s Helpline on 0345 015 4033 or visit their website at www.ombudsman.org.uk to see if they are able to assist you further.

If, however, your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you. If you want to challenge our interpretation of the law, you should consider seeking legal advice.

Yours sincerely

Traci Shirley
Team Manager
Information Commissioner’s Office
01625 545790

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact us: 0303 123 1113, www.ico.org.uk, livechat and twitter @ICOnews