A bridge too far

June is a significant time for Data Protection in the UK. At the end the month, we have the EU vote (where a vote to leave will throw at least the timetable for implementation of the new General Data Protection Regulation into disarray) and Christopher Graham steps down as Information Commissioner, to be replaced by Elizabeth Denham. There are several reasons to be optimistic about Denham’s appointment – she is the first Information Commissioner to have previous experience of privacy and FOI work, she has already taken on big corporate interests in Canada, and she isn’t Richard Thomas.

However, Denham inherits a series of headaches as she begins her reign as Elizabeth II, and it’s difficult to know which of them will be the hardest to shake off. There is the GDPR implementation, which would be a challenge even without the uncertainty that Brexit will create. She also has to tackle the ICO’s lack of independence from Government, which results in scandalous outcomes like the admission in an FOI response that Wilmslow takes orders from its sponsor department (see answer 3 here). But perhaps biggest of all is the ICO’s approach to enforcement.

On FOI, the ICO doesn’t approach enforcement – it does pointless monitoring and audits without any evidence of success, and the major government departments use the ICO as their internal review, sometimes not bothering to answer requests unless ordered to do so by an ICO case officer. The sole enforcement notice in the past five years wasn’t even promoted by the office because the now departed Deputy Commissioner Graham Smith didn’t want to draw attention to the failure to tackle Whitehall’s FOI abuses.

On Data Protection, the approach is to enforce against self-reported security breaches. There is nothing wrong with lots of enforcement on security – it’s a significant requirement of the legislation and many people are concerned about it. The problem is that Wilmslow doesn’t enforce on anything else, despite breaches of the other principles being widespread and obvious. Unless I missed one, the ICO has issued 61 Data Protection monetary penalties since getting the power to do so. Two have been for non-security breaches: Pharmacy 2U (1st principle data sharing without consent) and Prudential Insurance (accuracy). The overwhelming majority of enforcement notices (and undertakings, if you count them, which you shouldn’t) are on security matters. This is despite the fact that the UK has a massive culture of unlawful data sharing, over-retention, flouted subject access and perhaps most obvious, rampant, damaging inaccuracy. The ICO does nothing about it.

A classic example is a story reported in the Observer about the Dartford Crossing between Kent and Essex. Automatic Number Plate Recognition is used by Highways England to issue penalty charges to drivers who use the crossings without paying by phone or web within a fixed period of time. The only problem is that drivers who have never used the crossing are getting the penalties, but it is more or less inconceivable that the ICO will take action.

Having used the crossing myself, I can confirm that there are some Data Protection issues with the signage around the bridge / tunnel – the Observer article explains well how the signs can easily be confused with those for the London congestion charge, which works entirely differently. This is, in itself, a potential data protection breach, as personal data needs to be obtained fairly, especially when the data being obtained (the license plate) will not only be used to levy a charge, but because court action may result for non-payment.

One person is quoted in the article as having being charged  because the system misread a ‘C’ as a ‘G’. The Observer also reports that hire car users sometimes find penalties aimed at the wrong person because Highways England don’t specify a date that the charge applies to. In another case, the person receiving the charge had sold the car in question, and had a letter from DVLA to prove it. As with most of these situations, terrible customer service and inflexible processes mean that even when a charge is applied to the wrong person, nobody in the food chain has the authority or the inclination to sort things out. Both of the individuals cited in detail by the Observer were headed for the baliffs until the Observer got involved, and all action was terminated. Research by Auto Express notes that only 1 in 25 people appeal their penalty, but 80% of those that do are successful.

Every time Highways England / Dart Charge issues a penalty against the wrong person, it is a breach of the fourth Data Protection principle, which states that “Personal data shall be accurate, and where necessary, up to date”. Note the lack of any qualification or context here – data is accurate, or it’s a breach. Clearly, this means that most organisations are breach DP every minute of every day simply because of typos, but even adopting a flexible approach, there can be no doubt that demanding money and threatening court action is a situation where the Data Controller must be certain that the data is accurate, and if they get the wrong person, it’s a breach. The security principle talks about “appropriate measures” to prevent incidents, but the fourth principle doesn’t: it’s absolute.

Highways England / Dart Charge have breached the DPA, but would it be possible for the ICO to take action? In order to issue a monetary penalty, the ICO has to meet a series of tests.

1. The breach is serious

Dart Charge are pursuing people for debts they don’t owe. It’s serious.

2. The breach is deliberate

This one is potentially tricky, as we would need evidence that Highways England know that they are operating on the basis of inaccurate information in order for the breach to be deliberate. I can’t prove that Highways England are deliberately pursuing people, knowing that they are the wrong targets, although one of the Observer readers quoted gives clear evidence that they might be: “I spent 20 minutes trying to get through to someone who kept telling me I had to pay, even though he could see the problem”. However, we don’t need deliberate if we have:

3. The Data Controller knew or ought to have known about the risk and failed to take steps to prevent it

This test is clearly met – Highways England know that most of their penalty charges are overturned on appeal, they know that their system misreads licence plate characters, that it fails to properly distinguish dates, and they know that people contact them multiple times with evidence that the charge is wrong, but they ignore this evidence until they are embarrassed into action by a national newspaper. The breaches are still happening.

4. The breach is likely to cause damage or distress

Innocent individuals who have not used the Dartford Crossing are being pursued and threatened with legal action if they do not pay money that they do not owe. The breach is causing damage and distress and is highly likely to do so.

The ICO does not enforce on accuracy and they won’t touch this case. If I tried to report it to them, they would ignore my complaint because I have not been affected (if an affected person complained, they would do an unenforceable assessment). They do not ask Data Controllers to report incidents of damaging inaccuracy, and they do not even advocate investigating incidents of inaccuracy in the way that they do for security. This despite that fact that inaccuracy leads to the wrong medical treatment being given, innocent people’s houses being raided by the police, and old men nearly drowning in canals. The ICO took no enforcement action in any of these cases, despite them being in the public domain. I have dozens of others. Meanwhile, the Commissioner chunters on about a series of accidents and mishaps without any direct evidence of harm (ironically, even the pace of security enforcement has slowed, with only three DP monetary penalties at all so far this year).

Whatever Ms Denham’s priorities might be, she cannot ignore this. The ICO has shirked its responsibilities on the other principles for too long. A quick glance at the articles relevant to enforcement show that the GDPR is specifically designed to give breaches of the principles the higher maximum penalty. It’s a riposte to the ICO’s enforcement priorities since the HMRC lost discs incident in 2007, and it’s a bridge that the new Commissioner must be willing to cross.