Tag Archive for General Data Protection Regulation

Data protection doesn’t require important records to be destroyed

FOIMan explains why any organisation which blames the destruction of important records on data protection rules is being either disingenuous or is ignorant of what the law requires.

In recent weeks The Guardian has drawn attention to the plight of those innocent people who have lived in the UK for many years, only to be told recently by the Home Office that they could face deportation. This week the Home Secretary finally apologised, but many people are still in a legal limbo, unable to prove their status, not realising that they would ever need to.

Now a former Home Office employee has reported that disembarkation cards which might have helped establish the status of many of these people were deliberately destroyed by the Home Office a few years ago. Responding to the claim, the Home Office has conceded that records were destroyed but claims that this was necessary to comply with the Data Protection Act (DPA). The records were, according to them, destroyed:

to ensure that personal data … should not be kept for longer than necessary. Keeping these records would have represented a potential breach of these principles.

This argument has a long pedigree. It was cited by a police chief constable at the time of the Soham murders as a reason why records were not retained about Ian Huntley which might have prevented his employment as a caretaker at a school. It was used more recently by the House of Commons to justify the early destruction of MPs’ expenses records.

In both these cases, and in the latest example, this is just plain wrong. If the press officer or whoever drafted this statement had checked with their Data Protection Officer, they would have been able to tell them this.

It is true that one of the data protection principles requires that personal data be kept no longer than necessary, and that data controllers – organisations – are required to put in place procedures to ensure this. However, note that word “necessary”. It places the responsibility fairly and squarely at the door of the organisation that has collected the data to decide what is “necessary” and to justify it. If records are still being used to answer enquiries about individuals’ immigration status (as the Home Office whistleblower has maintained), or are at the centre of one of the biggest scandals to hit modern British politics, I would suggest that it is “necessary” to retain them, and to do so can be easily justified. Data protection laws do not say they must be destroyed.

Furthermore, even if there is a view that it is no longer necessary to retain records for their original purpose, both the DPA 1998 and GDPR permit records to be retained for historical research purposes in a record office. The Home Office whistleblower reports that it was suggested that the cards be offered to a record office, but that they were told that no archive wanted them. As public records, the National Archives would have had first option on these and since these records would seem to be of great value to genealogists and those studying the history of migration and minority ethnic communities in the UK, it is hard to imagine them turning such an offer down. Even if they did, are we to believe that other record offices, including for example Brixton’s Black Cultural Archives (based in Windrush Square), a repository specialising in the history of Britain’s African and Caribbean communities, would have said no? It seems unlikely if they were given the opportunity (and the significance of the cards was explained to them). Data protection rules would have allowed the cards to be retained indefinitely in a record office.

Data protection rules simply do not require records with continuing value to be destroyed. Anyone claiming that they do is being disingenuous or is ignorant of what data protection requires. Let’s hope that organisations – particularly those that should know better – stop churning out this misconception every time that they are criticised for the disposal of records.

References:

Home Office destroyed Windrush landing cards, says ex-staffer, The Guardian, 17 April 2018 https://www.theguardian.com/uk-news/2018/apr/17/home-office-destroyed-windrush-landing-cards-says-ex-staffer

MPs to escape expenses investigations after paperwork destroyed by Parliament, Daily Telegraph, 2 November 2014 https://www.telegraph.co.uk/news/newstopics/mps-expenses/11204405/MPs-to-escape-expenses-investigations-after-paperwork-destroyed-by-Parliament.html

The politics of records management, FOIMan blog, 7 November 2014 https://www.foiman.com/archives/1337

Soham police chief ‘ignored advice’, The Guardian, 26 March 2004 https://www.theguardian.com/uk/2004/mar/26/soham.ukcrime

FOI and the General Data Protection Regulation

FOIMan considers how the General Data Protection Regulation (GDPR) affects the Freedom of Information Act (FOI) and its administration.

Happy new year! 2018 is finally here and only a matter of months remain before the GDPR applies to anyone that processes personal data. You may have noticed that I’ve been fairly quiet online of late, and one reason for that is that I’ve been busy travelling the country delivering GDPR training to a range of organisations. Another reason will become clear in due course…

My first love is (when it comes to information rights anyway), of course, FOI. So given that I’ve been giving so much thought to GDPR, it made sense to think about how the new law affects FOI.

A few months ago I blogged briefly about an obscure schedule of the Data Protection Bill (hopefully soon to become the Data Protection Act 2018) that made amendments to FOI in order to ensure that the exemption for personal data will still work effectively with GDPR. It’s important that these changes happen otherwise there would be a conflict between FOI and the new data protection regime. Not making them could lead to personal data being disclosed when it shouldn’t be, or, as I indicated in my blogpost, to less information being disclosed than might have been in the past.

However, GDPR doesn’t just mean changes to other legislation. It means that any organisation processing personal data has to ensure that that processing meets its requirements. That includes public authorities.

What might be forgotten is that the handling of FOI requests invariably involves the processing of personal data. Some of that processing will be expected by applicants and will be easy to justify; some of it won’t be. When I gave a presentation about this to a group of practitioners in December, there were some audible gasps (of recognition primarily) as I listed some of the things that public authorities routinely do with personal data whilst processing FOI requests, but are often done without much thought. It’s not necessarily that those activities are wrong, you understand; but GDPR (if not the current Data Protection Act) requires all public authorities to give some thought to how they are justified. They’ll also need to ensure that they meet the other requirements of GDPR.

In my latest piece for PDP’s Freedom of Information Journal I’ve looked at the FOI amendments in the Data Protection Bill (at least as it stood in October when this piece was written). I’ve also examined how FOI requests are handled and what practitioners will want to be looking at to prepare for GDPR. A lot of the things I discuss will be relevant for other correspondence processes as well.

Have a read. I hope it gives you some food for thought at the start of what will be a very busy and interesting year.

Propping open the gate

FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.

One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR), is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously protecting personal data is important but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.

The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.

The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.

Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.

GDPR Guide: Portability

GDPR GuideFOIMan examines a new right to access information about yourself that will become law next year, and considers what organisations will be obliged to do to comply with it.

Summary

We’re constantly submitting information about ourselves to companies and other organisations. Everytime we sign up for a new energy deal, we have to input our details. The same if we want to move bank, or credit card. Even if we want to be able to listen to music or watch films from a streaming service. And  everytime we have to re-input those details, even though they’re more or less the same. Imagine if you could just get Apple to transfer the details you gave them to Spotify. Or ask your credit card provider to give your transaction history to their rival so you can find out if you can get a better deal.

Well…from next year you will be able to. The General Data Protection Regulation (GDPR) introduces a new “right to portability” (not potability, as it’s often misspelled – it’s not a right to your own personal drinking water). What does it involve?

What does it do?

It gives data subjects (individuals) a right to be provided with information they have provided to data controllers (businesses and other organisations) in a machine-readable and re-usable format. If the data subject prefers, data controllers will have to transfer their data directly to another data controller.

What does it cover?

Data provided by the data subject that is being processed by automated means (i.e. this won’t apply to data held in paper files) where the data controller relies on consent or a contract with the data subject to justify collection and use of the data (from the list of conditions at Article 6).

According to the Article 29 Working Party (A29WP), data which the data subject has “provided” will include both the information supplied directly by the data subject, but also raw data collected from observation such as smart meter data, activity logs, web usage or search history. It won’t cover any data that results from analysis of the observed data.

Some facts about portability

  • you’re expected to remind people of this right whenever you collect data directly from them, and also tell them if you start collecting data by “observation” within a month
  • requests for data to be “ported” will have to be processed “without undue delay”, and normally no later than a month after receipt of the request
  • fees can only be charged where a request is “manifestly unfounded or excessive”; the A29WP comment that this is going to be rare with portability requests as the data should be relatively easy to extract, prepare and disclose given that the right only applies to automated data
  • data must be disclosed “in a structured, commonly used and machine-readable format”; the A29WP interprets this as a format supporting re-use and suggests commonly used open formats should be used for release such as CSV, XML or JSON
  • where there are reasonable doubts about the identity of a requester, proof of ID can be requested; this is perhaps less likely to be an issue with portability requests than with, say, subject access requests, as in most cases there will be existing methods to authenticate a person’s identity (e.g. username and password)
  • when a data controller complies with a request to transfer data, they are responsible for its security during transfer – for example, by using end-to-end encryption. Once it gets to its destination however, the recipient is responsible for it – whether that be the data subject or another data controller to which the data has been transferred
  • generally data being ported is still subject to the data protection principles and other GDPR rules; e.g. data subjects should be able to restrict what data is transferred and data controllers in receipt of data should not process more of it than they need
  • contracts with other companies that process data on the data controller’s behalf (i.e. data processors) should specify requirements to facilitate portability requests
  • Article 20 specifies that the right to portability shall not adversely affect the rights of others; third parties have rights too.
    • This doesn’t mean that, for example, where someone crops up in the data subject’s bank account as a payee, a bank would have to redact their details before transferring the data.
    • However, in certain cases (A29WP cite social networks as an example) it will be appropriate to seek third parties’ consent at any point where they transact with the data controller (e.g. Facebook’s privacy permissions might indicate that a “friend” could seek to export their account data including data about their friends; the privacy permissions portal might allow individuals to indicate that they don’t want their data to be included in such exports).
    • Where data is transferred to another data controller, that organisation won’t be able to extract the details of third parties from the data and, for example, send them marketing using those details.
  • it’s worth noting that many companies already provide facilities to “port” data; a government initiative in the UK called “MiData” has been working towards developing an industry standard here for some years. If you’ve ever downloaded your bank statement as a spreadsheet, you’ve effectively made a data portability request. GDPR, though, now makes this a right, and potentially there will be many businesses in particular who haven’t worried about this that will now have to prepare for the possibility of receiving such a request.

Further reading

The above are just my notes and thoughts on how portability will work. For further (and more authoritative) information, consult the following:

Note: I’ll be delivering a webinar on the portability right for Act Now Training on 23 June 2017. Visit their website for further details.

GDPR – the phoney war is over

FOIMan launches a new resource to help practitioners and others get to grips with the General Data Protection Regulation (GDPR).

Data Protection Reform and GDPRThose interested in privacy had been waiting for years for the European Union to agree its new rules on data protection. Finally, in May of this year, the General Data Protection Regulation (GDPR) became law. Cue party poppers all round.

The party was well and truly pooped though a month later. Instead of starting a long campaign to educate colleagues and businesses about their new obligations (which take effect from May 2018), practitioners have been forced to spend the summer and early Autumn speculating about what BREXIT means for GDPR. Even if they wisely chose to continue their preparations, their words fell on stony ground as those in charge looked to government for a decisive message more informative than “BREXIT means BREXIT”.

Thankfully we now have more clarity. During a committee hearing last week, the Secretary of State for Culture, Media and Sport, Karen Bradley, stated that:

“An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” (Oral evidence to the Culture, Media and Sport Select Committee, HC 764, 24 October 2016, answer to Q.72)

So whilst there’s still a possibility that the rules will change again in a few years, at least we now know that GDPR is coming to stay and will be with us for a while. Long enough for us to give it a bedroom and clear some drawer and wardrobe space. Maybe even to cut it a set of keys.

In the meantime, the hands of the clock have been moving apace. There are now just over 18 months to get your house in order, which is not long given how much you need to do to make sure that you meet GDPR’s exacting requirements.

Thankfully there are lots of places to look for help. And now I’m adding to the list. I’ve added a new section to the FOIMan site dealing specifically with data protection reform and GDPR. There are free resources to help you understand your obligations, and suggestions as to where to start your preparations. There’s also a link to the GDPR itself in case you need it. I’ll be updating this page from time to time and adding new links, resources and suggestions so keep popping back for more as your preparations continue.