ICO on S42 assessments of data controller’s compliance with S10

Here’s the ICO’s response in full. Editing errors, such as the chopped-off sentence “In circumstances where an individual believes,” were in the original.

21 July 2016

 

Case Reference Number RCC0621317

 

Dear Mr Paulley

 

I write in response to your correspondence of 17 March 2016 in which you have raised concerns about the advice provided to you by our office in relation to section 10 and section 42 of the Data Protection Act 1998 (DPA). My name is Traci Shirley and as a Team Manager at the Information Commissioner’s Office (ICO) your concerns have been passed to me to review and respond to. Please accept my apologies for our delay in responding to you.

I have considered your comments and document my findings below.

Introduction
You contacted our office on 16 March 2016 to discuss your concerns in relation to Sky’s information security practice and it’s handling of your personal information. During your call you were advised by a Helpline officer and a ‘senior case officer’ that the Information Commissioner’s Officer (ICO) is unable to conduct an assessment under section 42 of the DPA with regards to whether an organisation has satisfied its obligations under section 10 (1) of the DPA.

You explain that the Helpline officer’s ‘explanation of the ICO’s inability to investigate such referrals was twofold’ in that:

  • ‘the mechanism for enforcing such rights is through the courts’, and
  • ‘s.10 ‘doesn’t give organisations any obligation other than to provide a written notice’.

You explain the conflict between the advice provided by the two officers in that the Helpline officer advised that ‘a data controller’s compliance or otherwise with s.10’ could not be considered by our office. However, the senior officer advised that a ‘the ICO can make a determination if the data controller has failed to provide a notice within 21 days as required under s.10 (3) but as s.10 places no obligation on the data provider to do anything other than provide a notice, the ICO cannot undertake an assessment on the organisations determination as to whether to accede to a s.10 notice or not’.

  • It is your view that each officers understanding of the law is incorrect in that s.42 of the DPA ‘obliges the ICO to conduct assessments on request as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Act’ and that the Act does not exclude s.10 from this obligation.
  • You further explain that, ‘the ability of the  data subject to enforce their rights by application to the court under s.10(4) of the Act does not negate the Information Commissioner’s obligation to undertake a s.42 assessment’.
  • You reiterate the provisions of Schedule 1 Part II para 8(b) of the DPA relating to the sixth principle of the Act and any contravention of the right under s.10. On the basis of this provision you explain that ‘a failure to comply with a justified s.10 notice is a failure to comply with the 6th data protection principle’.
  • Similarly, you reiterate the provisions of under s.42 of the DPA and explain your view as to why the ICO should ‘conduct a s.42 assessment as to a data controller’s compliance or otherwise with s.10 (1) and (3)’.
  • You have asked to be informed of ‘what discretion you have under the Act to refuse to make an assessment as to the requirements placed upon a controller by section 10 (a)’ [sic].

Having reviewed all of the information available to me I shall document my findings below.

My Findings

The ICO does not record calls made to our Helpline therefore I am unable to review the call that took place between you and our officers. However, it is always our intention to provide a quality service. I apologise for any conflicting advice that you have received from our officers and that you have the felt the need to complain about the advice provided to you on this occasion.

Security practices
You have explained that you initially contacted us in relation to Sky’s security practice and it’s handling of your personal information.  As I am unable review your call and you have not provided further information in relation to the advice provided to you regarding this aspect of your concerns, I am unable to comment further on this matter. However, the seventh principle of the DPA provides that personal information must be held securely. As such, if you believe that Sky has processed your personal information insecurely, you should, in the first instance, raise your concerns directly in writing to Sky. Following this, our office may be able to make an assessment of this aspect of your concerns.

DPA s.10 and s.42
As stated above, I am unable to review the call which took place between you and our officers therefore I am unable to comment specifically on the advice provided to you, or the context in which that advice was provided. However, in light of the detail provided by you, I agree that you may not have been correctly advised in relation to the rights and obligations set out in s.10 and s. 42 of the DPA.

DPA s.42 (1)
A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Act.

DPA s.10 (1)
An individual is entitled at any time by notice in writing to the data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the grounds that, for specified reasons –

  1. The processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or distress to him or to another, and
  2. That damage or distress is or would be unwarranted

DPA s.10 (4)
If a court is satisfied on the application of any person who has given notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

When considering compliance with any notice served on a data controller under s.10 (1), the court will consider whether the processing is likely to cause unwarranted substantial damage or distress. In addition, the court will consider whether s.10 (1) will not apply by virtue of s.10 (2), where the processing is for the a purpose set out in paragraphs 1-4 of Schedule II.

If the court determines that a s.10 (1) notice is justified, s.10 (4) empowers the court to order the data controller to take such steps as the court thinks fit. However, s.10 (4) does not require the court to consider a data controllers compliance with the ‘supplementary provisions’ under s.10 (3) which provide:

DPA s.10 (3)
The data controller must within twenty-one days of receiving a notice under subsection (1) (the data subject notice) give the individual who gave it a written notice – 

  1. Stating that he has complied or intends to comply with the data subject notice, or
  2. Stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

As such, matters of compliance relating to the supplementary provisions under s.10 (3) are for the Information Commissioner’s Office (ICO) to assess under s.42 of the DPA.

The supplementary obligations of the data controller are, within 21 days of receipt of the section 10(1) notice, to give the data subject written notice that either:

  1. the data controller has or will comply with the section 10(1) notice, or
  2. the data controller will not comply with the notice and the reasons its decision.

Where an individual has issued a notice under s. 10 (1), this does not negate the Commissioner’s obligation to make an assessment in response to an individual’s subsequent request for an assessment of a data controllers processing of personal data and whether such processing is likely or unlikely to be in compliance with the provisions of the DPA.

In addition, an individual may request an assessment under s. 42 (1) of the DPA as to whether any processing by a data controller for its obligation in complying with a s.10 (1) notice was likely or unlikely to be in compliance with the provisions of the DPA.

However, where the data subject has exercised his right in applying to the court under s (10) (4) for an order compelling the data controller to comply with his s.10 (1) notice, the Commissioner may decide not to investigate the data controllers compliance with its supplementary obligations under s.10 (3) on the basis that the data subject is concerned with the data controllers compliance with a notice to cease processing under s.10 (1) rather than the supplementary provisions in s.10 (3).

Schedule 1 Part II paragraph 8 (b) states:
A person is to be regarded as contravening the sixth principle if, but only if –

  1. He contravened section 7 by failing to supply information in accordance with that section
  2. He contravenes section 10 by failing to comply with a notice under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section

You explain that, ‘a failure to comply with a justified s.10 notice is a failure to comply with the 6th data protection principle’.

Where a data controller fails to comply with the obligations set out in s.10 (3), any such failure may be a breach of s.10 (3) and therefore a breach of the rights afforded to individuals under the sixth principle. In circumstances where an individual believes

In relation to a ‘justified s.10’’ notice, the data controller must consider the specified reasons asserted by the data subject and how the processing is likely to cause substantial damage or substantial distress to the data subject [or another] and whether sure damage or distress is or would be warranted. To the extent that such notice is justified, the data controller should comply with the notice to such an extent. In circumstances where an individual believes that a data controller has failed to comply with a justified notice, the data subject may request an assessment under s.42 of the DPA.

Conclusion
As set out above, the Commissioner may make an assessment under s.42 of the DPA where:

  • the processing, in connection with a service provided to a data subject, is likely or unlikely to comply with the obligations set out in the seventh principle of the DPA.
  • the processing relates to whether a s.10 (1) notice is likely or unlikely to comply with a data controllers obligations under s. 10 (3) of the DPA, and
  • the processing, relating to the data controllers obligations to comply with a notice, is likely or unlikely to be in accordance with the primary obligations under s.10 (3) of DPA.

Thank you for bringing this matter to my attention and for providing me with the opportunity to address your concerns.

What next?

This concludes the case review and service complaint process. However, if you still believe that we have provided you with a poor service, or if you believe we have not treated you properly or fairly then you may be able to complain to:

The Parliamentary and Health Service Ombudsman, Millbank Tower, Millbank, London SW1P 4QP

All complaints to the Ombudsman must be made through an MP.  I would advise you to first call the Ombudsman’s Helpline on 0345 015 4033 or visit their website at www.ombudsman.org.uk to see if they are able to assist you further.

If, however, your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you.  If you want to challenge our interpretation of the law, you should consider seeking legal advice. 

Yours sincerely

Traci Shirley
Team Manager
Information Commissioner’s Office
01625 545790

 


____________________________________________________________________

The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

If you are not the intended recipient of this email (and any attachment), please inform the sender by return email and destroy all copies. Unauthorised access, use, disclosure, storage or copying is not permitted.
Communication by internet email is not secure as messages can be intercepted and read by someone else. Therefore we strongly advise you not to email any information, which if disclosed to unrelated third parties would be likely to cause you distress. If you have an enquiry of this nature please provide a postal address to allow us to communicate with you in a more secure way. If you want us to respond by email you must realise that there can be no guarantee of privacy.
Any email including its content may be monitored and used by the Information Commissioner’s Office for reasons of security and for monitoring internal compliance with the office policy on staff use. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you write or forward is within the bounds of the law.
The Information Commissioner’s Office cannot guarantee that this message or any attachment is virus free or has not been intercepted and amended. You should perform your own virus checks.
__________________________________________________________________

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact us: 0303 123 1113, www.ico.org.uk, livechat and twitter @ICOnews


Accessible Single Deck Buses

On the way home from the Yorkshire Show on Tuesday, this happened:

To cut a long story short, I caught a single deck bus that had no wheelchair ramp or wheelchair space.

I thought that was illegal because all single deck buses must be accessible as of 1st January 2016. This is set out in S175 of the Equality Act 2010 as explained by Regulation 3(2) of the Public Service Vehicle Accessibility Regulations 2000. However there’s an interesting exemption; Regulation 4(f) states that a vehicle need not comply provided it is:

a vehicle in respect of which twenty years have elapsed since the date of its first use on a road and which is not used to provide a local service or a scheduled service for more than 20 days in any calendar year.

This could create the silly anomaly that if the bus was (say) 19 years and 6 months old, it would be illegal to use it between 1st January 2016 and its 20th birthday, after which it could be used on up to 20 days per year. But as the bus was 20 years and 3 months old, this isn’t the case.

The bus operator told me that they had to put this bus on due to a bus breaking down and others being stuck in traffic. It’s not in regular use on their bus routes. So as long as the bus is used for 20 days or less each year, it is legal for the bus company to use it – even though it isn’t wheelchair accessible.

The question is: what counts as use?

The bus operator’s website says it is used “on schools”. Hansard tells me that whether a school bus is subject to the accessibility regulations depends on whether the vehicle is “operated for hire and reward“, which is defined by “whether any passengers are carried as separate fares (which includes payment for the right to travel as part of a larger payment)“, and indeed “On a bus provided by the local authority or bus operator, provided that a fare is paid, even if only by some of the students when others are entitled to free transport, the vehicle would be a PSV.” It is not a Public Service Vehicle, and thus not subject to the accessibility regulations, “provided that the passengers made no contribution to the cost of travel and no contribution was made on their behalf“.

The bus operator has a list of its bus services on its website. It runs school buses for two authorities: Metro (West Yorkshire) and North Yorkshire.

  • All Metro school buses charge per pupil (unless family financial circumstances mean the pupil is entitled to free transport.)
  • Some North Yorkshire school buses take both permits and fares.
  • But some North Yorkshire school buses are permit only.

One may consider that “permit only” school buses paid for by North Yorkshire County Council aren’t “for hire or reward” because no “passengers are carried as separate fares“. However North Yorkshire County Council has a scheme by which pupils can buy travel permits if they aren’t entitled to assistance with transport costs. Further,

In some cases assistance may be provided for ineligible children if there are spare seats available on existing school buses however, parents will be expected to pay a contribution towards costs.

It’s therefore clear that there are likely to be passengers for whom a contribution to the cost of their individual travel has been made on every service run by the bus firm, including all school bus services. If the company had already used the bus I caught for any of these services on at least 20 days this year, then both the company and whichever manager chose to use it for my journey have committed a crime and can be prosecuted. Each could be held liable for a fine up to £2,500.00 and incur a criminal record.

All of which obscure technical red tape pussy-foots round the core underlying issues. I have been lambasted on Twitter by the bus operator (who told me last January that all their buses are accessible but have now deleted all relevant tweets and blocked me) and two apparatchiks who claim I’m being unreasonable and am legally incorrect.

Yet:

  • it’s perfectly reasonable to expect bus services to be acceptable
  • it is morally reprehensible to run inaccessible services
  • the bus operator bought this inaccessible bus in December 2014
  • the Disability Discrimination Act, which announced the forthcoming accessibility requirement, was made in 1995
  • the Public Service Vehicle Accessibility Regulations, which set the dates and details of compliance, were made in 2000.

I’ve therefore complained to the Police, the Traffic Commissioners, North Yorkshire County Council and to West Yorkshire Metro.

When’s the Supreme Court judgment due?

UPDATE 12th January:

The judgment will be handed down on Wednesday, 18th January at 9:45am.

UPDATE 30th November:

The Supreme Court suddenly have a very urgent, very hot political potato landed on the doorstep. The Brexit high court judgment has been referred for urgent consideration by the Supreme Court, who will put all of their current 11 justices on the case. This may well delay other Supreme Court business, including the Firstbus judgment.

If we aren’t notified of the imminent release of the judgment by Thursday 15th December, it won’t be out before Christmas.

A lot of people have been asking me via Twitter etc. when we can expect the judgment in FirstGroup PLC vs Paulley, about:

The reasonable adjustments which a bus company is required to make to accommodate disabled wheelchair users.

The simple answer is: we don’t know.

My understanding is that the Supreme Court aim to get judgments out within 12 sitting weeks of the hearing. NB: the Court has a summer recess which doesn’t count, also this is only an aim and some judgments do take longer. 

In our case there were 7 justices rather than the usual 5 so there is extra coordination required to write the judgment(s), also it is a case that has generated considerable public interest. Both are factors which may mean that the judgment could take longer.
We hope the judgment may be out in the Autumn, hopefully before Christmas, but ultimately we don’t know.

Judgments are released at 9.45am on Wednesdays when the court is sitting. The full text is put online and there’s a summary read out in court, also this is videoed and may be watched live on the Supreme Court website, or after the session the recording is available on both the Supreme Court website and YouTube.

We are given notice of the imminent release of the judgment one week in advance. The judgment is released to legal representatives 6 days beforehand.

The Supreme Court list their forthcoming judgments on the Thursday, 6 days before they’re about to be handed down.

Whilst legal reps will know the content 10 days in advance, I’m not allowed to know any of the contents until the day before it’s released, and all of us are prevented from revealing anything about it at all until it is formally handed down, on pain of contempt of Court.

The Supreme Court produce a weekly list (when they’re sitting) of which judgments are still awaiting and how long each one has been since the hearing. They appear on their blog, in the same article where the coming week’s cases are listed. Here’s the one for 31 October 2016 – note that 13 cases have been waiting for a judgment for longer than Firstbus (longest: a year) and there are 9 cases that have been waiting for a shorter time, though judgments aren’t released in strict order.

I’m very grateful for the support and interest in this case, and am anxiously awaiting the judgment!