
ICO updates Subject Access Requests (SARs) advice for data controllers following Court of Appeal decisions

The Information Commissioner’s Office (ICO) has updated its ‘Code of Practice on Subject Access Requests’ chiefly in response to several Court of Appeal decisions made earlier this year related to SARs. Under the Data Protection Act 1998, individuals (‘data subjects’) may request access to their personal information held by a ‘data controller.’

These requests for information are called SARs, and can range from the request for specific or limited information to the request for the entirety of held information including why it is held and to whom it may have been disclosed. The scope of a data controller’s obligations, therefore, will vary from case to case, and will be particularly burdensome for large organisations. Currently, data controllers may charge a fee of up to £10 for processing a SAR, and must provide the requester the relevant information within 40 calendar days. When the GDPR comes into force next year, data controllers will normally not be entitled to charge a fee, irrespective of the inconvenience, and will be expected to provide the information within a shorter timeframe of 30 calendar days.

However, the ICO has revised its guidance on dealing with SARs to prepare controllers for data compliance in light of the Court of Appeal’s judgements on a string of cases in which SARs took place alongside ongoing or threatened litigation – cases which, in the opinion of numerous legal commentators, highlight the potential for widespread abuse of SARs to redress grievances outside the purview of data protection law.

The three key changes to the ICO’s Code

  1. Scope for assessing ‘disproportionate effort’

The DPA includes an exemption from having to respond to SARs if this would involve ‘disproportionate effort’ for the data controller. Whereas the Code previously indicated that a refusal to provide information on the grounds of it being difficult is unacceptable, it now, with greater lenience, states: “there is scope for assessing whether, in the circumstances of a particular case, supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the requester’s right of access to their personal data.” The ICO expects controllers to evaluate the benefits to the data subject as a result of the SAR against the difficulties in complying with the request, and assess whether the scope of the request is reasonable.

  2. Dialogue between controller and requester

The ICO now advises controllers to enter into dialogue with data subjects following a SAR. This may allow the requester to specify which information they require, thereby refining the request, and making the process more manageable and less likely to result in disproportionate effort. The Code goes on to explain how the ICO will take into account both the controller’s and the subject’s willingness to participate in this dialogue if it receives a complaint about the handling of a SAR.

  3. Information management systems and redaction of third-party data

The ICO now expects controllers to have information management systems wherein personal information, including archived or back-up data, can be found expediently in anticipation of a SAR. Moreover, the information management system should allow for the redaction of third-party data. This is important, since certain SARs may be declined if providing the information requested would result in some way in the disclosure of personal information about another living person.

Subject Access Requests: For more information have a look at the 4 Court of Appeal decisions that informed the ICO’s revised guidance:  Dawson-Damer v Taylor Wessing LLP, Ittihadieh v 5-11 Cheyne Gardens, Deer v Oxford University, Holyoake v Candy

Harry Smithson 7th July 2017

RSPCA and British Heart Foundation Fined


So it’s getting closer and closer to Christmas – a time for giving, with more and more charity adverts on the TV, on the radio, on social media – in fact  pretty much everywhere you look. Although Christmas can be a bit tight on the purse strings thousands of people still give to their favourite charities. 

Whether you’re helping children, refugees, animals or cancer or medical research, these organisations all promote that the money goes to a good cause. Unless this ‘good cause’ is to pay an ICO fine…?

Two of the major charities we all know and love are the RSPCA and the British Heart Foundation. And both have been under investigation for secretly screening their donors with the aim of targeting those with more money. This process is known as “wealth-screening”.

The two organisations hired wealth management companies who pieced together information on their donors from publicly available sources to build data on their income, property value and even friendship circles. This allowed for a massive pool of donor data to be created and sold.

The RSPCA and BHF were part of a scheme called Reciprocate where they could share and swap data with other charities to find prospective donors. Donors to both charities were given an opt-out option. 

Information included in the scheme was people’s names, addresses, date of birth and the value and date of their last donation. The ICO ruled that the charities didn’t provide a clear enough explanation to allow consumers to make an educated decision about what they were signing up for, and that they had therefore not given their consent.

The RSPCA has admitted that it was not aware of the actual charities with whom they were sharing their data.  It also became clear that the charity shared data of those donors who had opted out. 

The BHF insists it had all the correct permissions. However the ICO disagrees on the basis that the charities with whom they were sharing the data were not for similar causes.

The ICO has fined the RSPCA £25,000 and the British Heart Foundation £18,000. Ironically the BHF was praised on its data handling by the ICO in June this year, and it is likely to appeal the fine.

In my opinion I feel the whole thing is a mess. I like to give to charity when I can, which if I’m honest, isn’t as frequent as I’d like. 

However when you hear of debacles like this, it really does put you off. I want my money to go to a good cause. I don’t want my data being shared without my knowledge so that other charities can investigate how much I earn, whether I own my property and what social circles I move in, and then decide whether I’m worth targeting. Surely these charities should be thankful for every single donation. The widow’s mite springs to mind. 

I feel for the poor animals and souls that rely on these charities, who are I’m sure going to take a hit from these fines. It’s not their fault, yet no doubt it’s them that’s going to pay the price.


Written by Charlotte Seymour, 8th December 2016.

Charities … data protection … reputation

The ongoing stories in the press are hurting charities who are being seen to be treating decent people – particularly vulnerable people – monstrously unfairly.  The press and media are giving consumers an ever clearer perception of the charity sector as being irresponsible, uncaring and aggressive  in their treatment of donors.  And it does the data industry no favours at all.


NHS Data Sharing – why the delay?


It’s good to see that common sense has prevailed, and the roll-out of care.data has been deferred until Autumn – primarily, it would seem, to allow time to make absolutely certain that all patients have been made aware of the plans to do so.

The media, privacy lobby groups and, most notably, both the ICO and The Royal College of General Practitioners flagged their concerns that communicating the NHS data sharing plans with patients had been inadequate, leaving many individuals throughout the country unaware either of the plans to share their sensitive, confidential patient data, or indeed of their right to refuse to participate (see more here about how and why your patient data is to be held in a central NHS database).

There has been some attempt to inform the public – primarily by GPs (mine was excellent, providing information and opt-in / opt-out forms with repeat prescriptions; issuing leaflets and showing posters in the surgery; and showing information on the website). The NHS distributed some 22 million leaflets which were apparently delivered in January / February, but there has been a great deal of criticism of the leaflet’s creative approach, which has been described as bland … appalling … one-sided … and more. I have to say, I never received it … or if I did, I threw it away unread on the assumption that it was “junk mail”.

I was interested to read what the Royal College of General Practitioners think, and of their own strong desire that GPs, patients and the nation are all properly informed and able to make their own decision whether to support the development of the NHS database or opt out. http://www.rcgp.org.uk/news/2014/february/college-welcomes-decision-to-delay-care-data.aspx

On the subject of making people aware … I find it quite fascinating to watch the government’s delight in using broadcast channels like TV and radio to promote themselves when it suits them.  Yet they seem curiously reluctant to use these same channels to inform the public of an issue as significant and important as the sharing of our own sensitive and confidential medical data.

However, it is quite clear that the NHS must now decide how it will ramp up its communication campaign before the Autumn in order to satisfy the public, the ICO, the RCGP and the media.  Only then will it be possible for the launch of care.data to take place.

Data Compliant Ltd provides advice on data compliance, data security, and runs training classes and workshops.  If you or your business have any concerns over your data being compliant and secure, please contact Michelle or Victoria.  

victoria@datacompliant.co.uk                        michelle@datacompliant.co.uk