“masterclass in not answering questions”

Just about a month ago, I had a little Twitter disagreement with Paul-Olivier Dehaye, patron saint of subject access requests. He said his tool for making subject access was brilliant and revolutionary, and I said it was shit. There was a bit more to it than that, but I was hoping to make this a short blog.

The use of third parties to make subject access requests on one’s behalf is not new – solicitors have always done it, and companies have made batched SARs at least since the bank charges furore of the last decade. The problem with a third party – or automation of the process – is that it gives the Data Controller something to play with. Dehaye admitted to me that in all the time he spent developing his SAR tool, he didn’t speak to anyone with any experience of dealing with SARs from the controller’s perspective, and it shows.

Even though one of Dehaye’s tedious cheerleaders told me that SARs were going to be “frictionless” post-GDPR, there are inevitably some bumps in the road when asking for data even in this Brave New World. The Data Controller needs to identify the application properly, and the involvement of a third party might complicate that – or might be exploited to complicate that, as anyone who has ever dealt with a poorly-written solicitor SAR can probably tell you. If there is a lot of data, the controller can ask the subject to narrow the scope of their request. If they believe that the request is unfounded or excessive, they can make a charge, or even refuse. An automated third party doesn’t make any of this easier.

Ironically given his status as pro-DP activist, I think Dehaye wants SARs to seem difficult. “In my own experience, SARs are complicated to do in a way that properly defends data subject rights” he said, but given that he’s building a business based on data, he kind of would say that. When I first encountered him, Dehaye told me that he was planning to charge subjects for using his tool; while that plan might have changed, he gets evasive when you ask whether he might charge for add-on services in the future. One of the main advantages of GDPR for the subject is that SARs are now free – the best way to exercise the right is to ask for the data direct, without the involvement of a politically-motivated middleman whose company isn’t even in the EU. I voted Remain and I think Brexit is moronic, but that doesn’t mean that weaponising SARs is a good idea. After all, someone might turn round and do it to you.

I decided to make a SAR to Dehaye’s company on the 25th May. His response, though admirably swift, wasn’t exactly the zenith of transparency that one might have hoped for. One might even describe it as a masterclass in not answering questions. I provided a variety of different email addresses and phone numbers that the company might hold in relation to me – the purpose of this was to allow the data controller to identify whether any of my data was held. I did the same thing with my request to Experian – I don’t know what data Experian holds on me, so I provided all the possible identifiers that I could think of. I don’t know what, if any, data Dehaye or his company might hold, so I needed to provide a variety of different identifiers.

EDIT: in response to a request from the data controller, click here for the full text of my request (redacted only to remove personal data that is not in the public domain) and the full text of their reply.

Article 12 of GDPR states that “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22” and shall answer requests unless it “demonstrates that it is not in a position to identify the data subject” – it is plainly correct for the controller to want to know who the applicant is, in order to avoid giving data to the wrong person. However, Recital 64 says that the controller’s measures to identify the subject must be “reasonable“. Dehaye demanded that I send a separate request from each of the email addresses I specified. This means that he thinks that if an organisation has harvested emails from a variety of sources, the controller only has to disclose data if they receive confirmation from that account that it is linked to the subject. So if a person applies from a Gmail account, and the controller has harvested a work email address, even if they have linked the two together, Dehaye doesn’t think that the subject is entitled to the work-related data unless they make a separate request.

Similarly, I provided my home address, my 2 mobile numbers (business and personal) and my landline. Bear in mind, a data controller may have harvested all of this data, so the SAR applicant might need to provide it in order to say this is me, this is my data, do you have it? Dehaye’s response to this part of my request was to demand copies of phone bills for each account, and a recent utility bill for the home address. Clearly, this is the approach he would advocate for any data controller faced with such a request. As it happens, my girlfriend’s name is on the landline account, so I cannot prove that the landline is my personal data, even though it is. One of my mobiles is pay-as-you-go, so I don’t get bills, and the work mobile is on my website, and so can be linked to me without the need for unnecessary proof. As with most people, I receive electronic utility bills, and do not have them immediately to hand. Dehaye’s approach seems to be that if a Data Controller has harvested your data, subject access requires the applicant to provide a lot more personal data in order to get access.

The point of the ID check is to ensure that the person is who they say they are – once that’s done, if the controller has doubts about whether an identifier does link back to the subject (i.e. an email address), they can check, or just send any relevant data to that separate identifier. If Dehaye thinks that his approach is legally correct, there is no reason why Leave.EU, Vote Leave or any other organisation shouldn’t do exactly the same thing if they receive a SAR from now on. When I asked him in April how his tool would deal with the ID element he said “Let’s set the standard” – now we know what that looks like. It looks like giving huge quantities of personal data to someone you don’t trust.

This is a no-win – either Dehaye’s approach is right, and I have to go through an administrative nightmare when SAR-ing organisations that grab data from anywhere they can get it, providing them with a fat dossier of extra information before I can get access, or Dehaye is a hypocrite who complains about hurdles to subject access but builds a wall when asked to practice what he preaches. In any case, if Dehaye’s obstructive and unhelpful approach was correct, it would still be easier to handle without the added complication of a middleman.

UPDATE 28/5/18: Mr Dehaye has admitted that he deliberately adopted an obstructive approach because he thinks I am a trouble-maker. I believe that this is a clear breach of the GDPR; if the Data Controller Personal Data.IO is capable of playing these kinds of games, and deliberately discriminates against data subjects, I think this seriously undermines their credibility to act as an agent for other people’s SARS. The company is setting a cynical, obstructive example, and it would be catastrophic for subject rights if other controllers followed their lead.

Checks and balances

A while ago, I was asked by a prospective client to provide a criminal records check before getting a big piece of work. Given that I wouldn’t be handling any personal data or getting access to children or other vulnerable people, it seemed like overkill. The awkward part of me wanted to suggest that the requirement was close to being an enforced subject access request, which would be a criminal breach of Data Protection law. Enforced subject access requests occur where a person is obliged to provide a data controller with the result of a subject access request for criminal records in return for employment or a service.

Then I looked at the number of days’ work they were offering and the pragmatic part of me kicked in. I don’t have a criminal record, so I applied for and sent them a disclosure certificate saying so. It occurred to me that if I tried to make an issue of principle out of it, it might look like I had something to hide. I imagine it’s a terrible situation to be in if you have got a record and are trying to move on, but to be selfish, I don’t and it seemed odd to create the impression that I might have. And I wanted the work.

Last week, a prosecution by the Information Commissioner against the insurance company Hiscox for the enforced subject access offence collapsed. A customer, Irfan Hussain, was attempting to claim on a £30,000 watch he had lost, and Hiscox wanted to see his criminal record before paying out. He refused, and complained to the ICO. The case collapsed when the unlucky horologist was too unwell to give evidence.

I can’t help thinking that this was an odd choice for a prosecution. Even if Hiscox tried to force their customer to provide his information, was this unreasonable? He had already stated that he had no criminal record (according to the FT), so all Hiscox were apparently asking him to do was prove that what he had said was true in the light of his claim. The means by which they proposed to do it might technically have been an enforced subject access request, but there’s surely a difference between something technically being an offence and it being worth mounting a prosecution on it. The provisions contain a public interest defence, and Hiscox’s public comments after the trial suggest that this was their strategy. I suspect it might have worked. Especially as this seems to be the ICO’s first attempt at an enforced subject access case, was this really the best place to start?

The business of criminal records checks overall works in mysterious ways. Hiscox are reported to have asked Mr Hussain to make a subject access request to the Criminal Records Office, which is run by the National Police Chief’s Council. This is not the same as applying to the Disclosure and Barring Service or Disclosure Scotland for a certificate or a disclosure, but having been through the process, I have to admit that I am somewhat confused at the difference.

To get my disclosure, I made a written application, proved my identity and then paid a fee to receive a copy of personal data that related to me, or confirmation that no such information was held. The basic check comes through faster than a subject access request (about 2 weeks, although mine came in matter of a few days) but it’s also more expensive (£25). In my case, nothing was held but that’s neither here or there. There is statutory provision for access to this information via the Criminal Records Bureau set out in the Police Act 1997, replaced by the Disclosure and Barring Service in 2006 via the Safeguarding Vulnerable Groups Act 2006. Someone is going to tell me that applying for a certificate is different to applying for subject access, but that raises some questions. If Hiscox had told Mr Hussain to apply for a certificate like I did, it’s exactly the same outcome – a person is obliged by a data controller to obtain information about their criminal history and then cough it up – but if it’s not subject access, no prosecution could be possible.

An individual can obtain a basic check that shows their unspent convictions and cautions, both of which are listed as a relevant record in the DPA section that creates enforced subject access. The ICO’s guidance doesn’t explain the position if a person was forced to ask for a basic check. That check might not give everything that a data controller might want, but it’s full information about a person’s recent criminal history. If obliging someone to ask for a basic check isn’t enforced subject access, it’s a loophole. But if a basic check is essentially a subject access request by another name, it shouldn’t be £25 now, and it should be free after May 25th.

It’s clear that the DBS doesn’t think that forcing an individual to ask for a basic check would be enforced subject access or illegal in some other way because their website says this:

You can’t carry out a basic check as an organisation – you must ask the person to request their own basic DBS check. A basic check shows unspent convictions and cautions.

This implies that asking a person to carry out a basic check when you can’t make an application yourself is acceptable, even though these are very likely to be circumstances where a person can’t meaningfully refuse. There are no warnings about compulsion during the application process via the DBS website. So why is a subject access request to ACRO magic, acceptable only when uncontaminated by duress, but a basic check isn’t? The amount of data disclosed isn’t exactly the same, but the outcome – being forced to disclose your criminal history when it might be unnecessary or excessive to do so – might be identical.

It took a long time (from 1998 to 2015) for enforced subject access to be fully enacted. Now it’s in force, the Hiscox case doesn’t give cause for optimism that anything will change. I have doubts about whether it was a good idea to prosecute Hiscox, but I have heard first hand terrible stories over the years about data being demanded when it should not have been. Having used the system, the way in which criminal records are made available gives me little confidence that such unnecessary and unfair demands for personal data are properly prevented. After the failure of the Hiscox case, even if only because of an ill-timed illness, the ICO needs to go in again and draw a line somewhere.