If the Information Commissioner reasonably requires any information for the purpose of determining whether a data controller has complied or is complying with the data protection principles, s 43 of the Data Protection Act 1998 empowers him to serve a notice on the data controller requiring it to furnish him with specified information relating to compliance with the principles. In short, he may serve an ‘information notice’ on the data controller which requires the latter to assist him by providing relevant information. A data controller has a right of appeal, to the First-tier Tribunal (Information Rights) (FTT), under s 48 of the DPA.
These provisions have recently come into play in an appeal by Medway Council against an ICO Information Notice. That it did not go well for Medway is probably rather understating it.
It appears that, back in 2012, Medway had a couple of incidents in which sensitive personal data, in the form of special educational needs documents, was sent in error to the wrong addresses. Medway clearly identified these as serious incidents, and reported themselves to the ICO. By way of part-explanation for one of the incidents (in which information was sent to an old address of one of the intended recipients), they pointed to ‘a flaw in the computer software used’. Because of this explanation (which was ‘maintained in detail both in writing and orally’) the ICO formed a preliminary view that there had been a serious contravention of the seventh data protection principle (which is, let us remind ourselves, ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’). Moreover, the ICO served a Notice of Intent to serve a Monetary Penalty Notice (MPN). Upon receipt of this, it appears that Medway changed their explanation and said that the incident in question was a result of human error and that there was ‘no evidence of a “system glitch”’. It appears, however, that the ICO was concerned about discrepancies, and insufficient explanation of the change of position, and served a s 43 information notice requiring Medway to ‘provide a full explanation of how the security breach on 10 December 2012 occurred’. This was the notice appealed to the FTT.
During the FTT proceedings a third explanation for the incidents emerged, which seemed to combine elements of human error and system glitches. This was, observed the FTT, most unsatisfactory, saying (at [25] and [29]):
‘not only is this a third explanation of the breach but it is inconsistent with the other 2 explanations and is internally incoherent… The Tribunal is satisfied that there is still no reliable, clear or sufficiently detailed explanation of the incident to enable the Commissioner to be satisfied of:
a) what went wrong and why,
b) whether there was any prior knowledge of the potential for this problem,
c) what if any procedures were in place to avoid this type of problem at the relevant date,
d) why the Commissioner and the Tribunal have been provided with so many inaccurate and inconsistent accounts.’
But even more ominously (at [30])
‘The evidence provided to the Commissioner and the Tribunal has been inconsistent and unreliable and the Tribunal agrees with the Commissioner that it is reasonable that he should utilize a mechanism that enables him to call the Council to account if they recklessly [make] a statement which is false in a material respect in light of the various contradictory and conflicting assertions made by the Council thus far.’
The words ‘recklessly [make] a statement which is false in a material respect’ are drawn from s 47(2)(b) of the DPA, and relate to the potential criminal offence of recklessly making a material false statement in purported compliance with an information notice.
Finally, Medway’s conduct of the appeal itself came in for criticism: inappropriate, inconsistent and insufficient redactions were made in some materials submitted, and some evidence was sent in with no explanation of source, date or significance.
It is rare that information notices are required – most data controllers will comply willingly with an ICO investigation. It is even more rare that one is appealed, and maybe Medway’s recent experience shows why it’s not necessarily a good idea to do so. Medway may rather regret their public-spirited willingness to own up to the ICO in the first place.
Jon Baines is chairman of NADPO (nadpo.org.uk). Jon also blogs in a personal capacity at informationrightsandwrongs.com, where this post originally appeared.