Data Protection Bill

Further written evidence submitted by Robin Makin (DPB37)

1. This evidence relates to Chapter 3 of Part 4 of the Data Protection Bill. It is based on the Bill as brought from the House of Lords on 18.01.2018.

2. It is submitted by Robin Makin, a solicitor who has litigation experience for Data Subjects seeking their rights under the Data Protection Act 1998.

3. As the Information Commissioner has indicated in her evidence to this Committee, "Effective, modern data protection laws with robust safeguards are central to securing the public's trust and confidence in the use of personal information". Effective rights of Data Subjects to obtain access to their personal information, object to inappropriate processing and have the right to rectify and erase it are not carefully and comprehensively enshrined in the legislation enacted by Parliament and not left to judicial discretion or interpretation.

4. These submissions set out issues of concern with various clauses in Part 4 Chapter 3, each followed by a suggested amendment.

5. Clause 93 (1) (d) provides that, as an alternative to the recipients being identified, only the categories of recipients can be provided. In practice this has meant that those making subject access requests often do not obtain the information that they ought to have as to who has processed and had access to their data. Accordingly, in order to provide data subjects with the best protection, it is submitted that this provision ought to be amended to ensure that the recipients are identified and that a category should be provided only if there is a justified reason for not identifying a recipient.

Suggested amendment to clause 93 (1) (d)

Replace with:

(d) the recipients or, if the provision of the identity of any particular recipient would be in breach of the recipient’s rights having regard to balancing them against the rights of the Data Subject, but not otherwise, the categories of recipient

6. Clause 93 (3) introduces a provision that does not require a Data Controller to provide information that a Data Subject may already have. However there are a couple of difficulties with such a provision that could be damaging to Data Subjects. Firstly, it is still important for a Data Subject to know what information may still be held by a Data Controller. Secondly, whether the Data Subject already has the data is not always easy to ascertain. Even if information has previously been provided the Data Subject may not still have it. Indeed, I have a matter in which information which was previously possessed by a Data Subject is no longer available to him and a request has been made to the Data Controller for that information.

Suggested amendment to clause 93 (3)

Replace with:

(3) The controller is not required under subsection (1) to give a data subject information that the data subject already has. However, the Data Controller must identify the information that is still held even if it has been previously provided and must provide information if the Data Subject provides evidence to the effect that he does not have the information that is being requested.

7. Clause 93 (4) appears to provide exceptions to the provision of information if (a) the processing is authorised by an enactment; and (b) if giving the information to the data subject would be impossible or involve disproportionate effort.

8. It is imperative that these provisions are further defined and the intention is not to deprive Data Subjects of their rights of access.

9. With regard to processing authorised by an enactment this could be construed so widely that any processing by a Public Body under its statutory powers could be included and this could deprive the Data Subject of rights of access.

10. With regard to impossibility of providing information it is not clear what this means. If it is impossible to provide the information then why does such need to be specified?

11. Disproportionate effort is not defined. It cannot be right to deny the fundamental right of access to personal data on the basis that to do so would be disproportionate.

Suggested amendment to clause 93 (4)

Delete in its entirety

12. The fundamental right of access needs to be guaranteed

13. Clause 94 (2) (b) provides for the categories of personal data concerned to be provided. However, there is no definition of categories and this ought to be included in some definition so that both Data Controllers and Data Subjects know the categories required.

Suggested amendment to Clause 94 (2) (b)

The categories of personal data shall be given in accordance with [guidance from the ICO] [By regulation]

14. Clause 94 (2) (c) mirrors clause 93 (1) (d) and so for the reasons indicated above a similar amendment is suggested.

Suggested amendment to Clause 94 (2) (c)

the recipients or, if the provision of the identity of any particular recipient would be in breach of the recipient’s rights having regard to balancing them against the rights of the Data Subject, but not otherwise, the categories of recipient

15. Clause 94 (2) (d) provides the period for which the personal data is to be preserved. However, this could vary for each piece of data and would be unwieldy in certain circumstances for Data Controllers.

Suggested amendment to Clause 94 (2) (d)

the latest date or period for which any of the personal data is to be preserved.

16. Clause 94 (4) has the potential to curtail the fundamental right of access by having regulations which could require a fee of a huge amount to be paid. It should be enshrined that the maximum amount of the fee should be no more than the current fees charged [£10 for most requests and £50 for medical records]

Suggested amendment to Clause 94 (4)

(4) The Secretary of State may by regulations-

(a) specify cases in which a controller may not charge a fee;

(b) specify the maximum amount of a fee.

Those regulations may not specify that a fee in excess of £20 may be charged for requests other than requests for medical records for which a fee of no more than £75 may be charged.

17. Clause 94 (5) deals with where a Data Controller (a) reasonably requires further information (i) in order that the controller be satisfied as to the identity of the individual making a request.

18. However, experience has shown that the equivalent provision in the current legislation has been used to delay compliance with the Subject Access Request. Accordingly the burden should be on the Data Controller to specify why further information is required especially if the requester is known to them

Suggested amendment to Clause 94 (5) (a) (i)

(i) in order that the controller be satisfied as to the identity of the individual making a request. However, in seeking further information the Data Controller must specify why it is contended that further information as to the identity is required.

19. Clause 94 (5) (a) (ii) deals with when a Data Controller might reasonably require further information to locate the information which is sought.

20. However, most Data Subjects do not know the internal workings of large Data Controllers and cannot be reasonably expected to provide such information. This provision should only apply if the Data Subject only seeks limited information as to do otherwise could mean that some relevant data is excluded

Suggested amendment to Clause 94 (5) (a) (ii)

(ii) to locate the information which that individual seeks if the Data Subject indicates that he is seeking limited or specified information

21. Clause 94 (5) (b) provides for a Data Subject to be informed of the requirement to provide further information and excuses the Data Controller from complying with the request until the information is supplied. However the clause does not set out any time scale for informing the Data Subject of the request for further information and such needs to be provided.

Suggested amendment to Clause 94 (5) (b)

Insert after "the controller is not obliged to comply with the request unless the controller is supplied with that further information" Any such request must be made within 7 days of receipt of the request

22. Clause 94 (6) to (9) deals with competing interests and appears to replicate what is set out in the Data Protection Act 1998. The origins of the provision lie in the need to implement the European Court of Human Rights judgment in Gaskin -v- The United Kingdom [judgment of the European Court of Human Rights of 07.07.1989]

https://hudoc.echr.coe.int/eng#{%22dmdocnumber%22:[%22695368%22],%22itemid%22:[%22001-57491%22]}

23. In practice the balancing test appears to be rarely undertaken and a huge amount of time and effort is spent in redacting names – even if they are known to the Data Subject. Invariably names of public officials acting in their official capacity are redacted. It does not appear that many Data Controllers have specific policies to deal with this situation. The ICO has a policy in connection with requests made under the Freedom of Information Act

https://ico.org.uk/media/about-the-ico/policies-and-procedures/1891/policy_on_disclosure_of_ico_employee_information.pdf

24. It should be deemed reasonable for information provided by an individual whose involvement has been in a professional or work capacity (and not in a private capacity) to be disclosed.

Suggested amendment to clause 94 (9)

After

"(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the controller with a view to seeking the consent of the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual."

Add:

"However there is a presumption that it is deemed reasonable for information provided by an individual whose involvement has been in a professional or work capacity (and not in a private capacity) to be disclosed"

25. Clause 94 (10) requires compliance (a) promptly and (b) in any event before the end of the applicable time period. However there is no sanction for non-compliance. Accordingly, provision needs to be made.

Suggested amendment to Clause 94 (10)

In the event of the Data Controller not complying with the request by the end of the applicable time period the Data Controller shall compensate the requester by payment of such sum as may be specified by the Secretary of State in regulations.

26. Clause 94 (11) provides for application to Court if there has been a failure to comply. However the Court is given a discretion [the Court "may order"] making it difficult for a Data Subject to know whether relief will be granted even if the lack of compliance is established. This vagary ought to be removed.

Suggested amendment to Clause 94 (11)

(11) If a court is satisfied on the application of an individual who has made a request under subsection (1) that the controller in question has failed to comply with the request in contravention of this section, the court will make a declaration to that effect and will order the controller to comply with the request.

27. Clause 94 (12) should be amended in a similar way to clause 94 (11)

Suggested amendment to Clause 94 (12)

(12) A court will make an order under subsection (11) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.

28. Clause 94 (13) requires High Court proceedings. There is no reason why the County Court should not have jurisdiction. Such would increase access to justice and reduce cost

Suggested amendment to Clause 94 (13)

(13) The jurisdiction conferred on a court by this section is exercisable by the County Court, the High Court or, in Scotland, by the Court of Session.

29. In clause 94 (14) the definition in sub clause (c) of "the relevant day" should be amended so as to be consistent with the situation in which the Data Subject only seeks limited information (referred to above).

Suggested amendment to Clause 94 (14)

After:

"the relevant day", in relation to a request under subsection (1), means the latest of the following days

(a) the day on which the controller receives the request,

(b) the day on which the fee (if any) is paid, and

Insert

"(c) if the Data Subject only seeks limited information" before "the day on which the controller receives the information (if any) required under subsection (5) in connection with the request"

30. Clause 94 (15) provides for Regulations to be subject to the negative resolution procedure. It is submitted that affirmative resolutions would be more appropriate.

31. Clause 95 (1) (a) excludes the provision of a copy of the information in writing if such is either not possible or would involve disproportionate effort. However, a Data Subject’s fundamental right of access should not be curtailed by undefined terms. It should be made clear that it is not disproportionate to provide the Data Subject with his personal data by some means. The disproportionate effort should simply relate to the format in which the data is supplied.

Suggested amendment to Clause 95 (1) (a)

(a) the supply of such a copy is not possible or would involve disproportionate effort. However, this provision must not be interpreted as restricting the fundamental right of access and if a copy of information is not to be provided then the Data Controller must seek to facilitate access to the information in some other way including by offering inspection.

32. Clause 95 (3) requires requests to be made only at reasonable intervals and regard must be had to (a) the nature of the data, (b) the purpose for which the data is processed, and (c) the frequency with which the data is altered.

33. However a reasonable interval is not defined and there needs to be a long stop date. Accordingly it is suggested that the reasonable interval should not exceed 12 months.

Suggested amendment to Clause 95 (3)

After:

(c) the frequency with which the data is altered.

Insert:

A reasonable interval will not exceed 12 months. If the Data Controller seeks to refuse a request on the basis that there has not been a reasonable interval, the Data Controller should give written notice to the Data Subject of the reasons for such a decision within 7 days of the request.

34. Clause 95 (4) sets out that the information to be supplied is by reference to "the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request."

35. Some clarity is needed as to what this provision means. It is suggested that any amendments and deletions are to be supplied in response to the request

Suggested Clause 95 (4)

After "any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request." Any amendments and deletions are to be supplied in response to the request

add:

"with both any amendment or deletion to be supplied in response to the request"

36. Clause 98 deals with the Right to information about decision-making. Under sub-clause (1) the data subject is entitled to obtain from the controller, on request, knowledge of the reasoning underlying the processing. However there is no provision for the identity of those undertaking the processing to be identified and this ought to be included.

Suggested amendment to clause 98 (1)

After

"the data subject is entitled to obtain from the controller, on request, knowledge of the reasoning underlying the processing."

Insert

"and the identity and designation of the person(s) undertaking the processing"

37. Clause 98 (2) makes it mandatory for the controller to "comply with the request without undue delay". However, there is no long stop date.

Suggested amendment to Clause 98 (2)

After

"comply with the request without undue delay"

Add:

"and in any event within the maximum permitted time for compliance with the request"

38. Clause 99 deals with the Right to object to processing

39. Clause 99 (2) (a) covers the situation where the Data Controller reasonably requires further information about identity and location. The burden should be on the Data Controller to specify why further information is required, especially if the requester is known to them. It should only be if the Data Subject seeks limited information that the location should be provided, as to do otherwise could mean that some relevant data is excluded.

Suggested amendment to Clause 99 (2) (a)

Amend to:

(a) reasonably requires further information-

(i) in order that the controller be satisfied as to the identity of the individual giving notice under subsection (1). The Data Controller must specify why further information is required

(ii) to locate the data to which the notice relates but only if the Data Subject seeks limited information

40. Clause 99 (2) (b) requires the Data Controller to inform of the requirement but no time period is provided.

Suggested amendment to Clause 99 (2) (b)

Amend to:

(b) has informed that individual of that requirement in writing within 7 days of the request

41. Clause 99 (5) gives the Court a discretion making it difficult for anyone to know what rights can be enforced. If the Court is satisfied then the Data Controller ought to be ordered to comply

Suggested amendment to Clause 99 (5)

(5) If the court is satisfied that the controller should comply with the notice (or should comply to any extent), the court shall order the controller to take the steps for complying with the notice

42. In respect of joint controllers there ought to be a similar amendment to Clause 99 (6) to the one indicated in Clause 99 (5) above

Suggested amendment to Clause 99 (6)

Amend to

(6) A court shall make an order under subsection (5) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.

43. Clause 99 (7) excludes the County Court from jurisdiction. Such is not appropriate and matters ought to be capable of being heard in the County Court.

Suggested amendment to Clause 99 (7)

Replace with

(7) The jurisdiction conferred on a court by this section is exercisable by the High Court, County Court or, in Scotland, by the Court of Session.

44. With regard to Clause 100 (1) and (2) relating to the Rights to rectification and erasure if the Court is satisfied that the data is inaccurate then it should be made mandatory to rectify the situation.

Suggested amendment to Clause 100 (1) and (2)

Replace with

(1) If a court is satisfied on the application of a data subject that personal data relating to the data subject is inaccurate, the court will order the controller to rectify that data without undue delay.

(2) If a court is satisfied on the application of a data subject that the processing of personal data relating to the data subject would infringe any of sections 86 to 91, the court will order the controller to erase that data without undue delay.

45. Clause 100 (3) deals with the preservation of evidence. However, this should only be for existing legal proceedings.

Suggested amendment to Clause 100 (3)

(3) If personal data relating to the data subject must be maintained for the purposes of evidence in existing legal proceedings, the court may (instead of ordering the controller to rectify or erase the personal data) order the controller to restrict its processing without undue delay.

46. Clause 100 (4) provides for restricting processing in certain circumstances instead of rectification or erasure. However, sub-clause (b) could be tightened

Suggested amendment to Clause 100 (4) (b)

Replace with

(b) the court is satisfied that the controller has taken all reasonable steps to ascertain whether the data is accurate or not but cannot do so and has provided evidence to this effect then, …

47. Clause 100 (6) excludes the County Court from having jurisdiction. This is unnecessary

Suggested amendment to Clause 100 (6)

The jurisdiction conferred on a court by this section is exercisable by the County Court, High Court or, in Scotland, by the Court of Session.

March 2018

Prepared 15th March 2018