Rebuked by the Information Commissioner’s Office, and revealed to have misunderstood the law, LBWF sails on regardless
As past posts demonstrate, LBWF has a poor record when it comes to issues around transparency, regularly failing even in terms of its statutory responsibilities.
A recent case reinforces the cause for concern.
In April 2019, the Waltham Forest Echo journalist Michelle Edwards sent LBWF a Subject Access Request (SAR), that is, a request to see what information the local authority at that point held about her in relation to certain stated topics.
It should be emphasised that, first, SARs are by now a very routine part of everyday life, fully sanctioned by the data protection legislation; and second, on its website, LBWF recognises this reality, and in fact provides a good deal of practical guidance:
However, that said, LBWF’s response to Ms. Edwards was – to put it mildly – uncompromising, with an unsigned letter stating the following:
‘Having considered the request the Council considers that it is a request that is both excessive (i.e. would involve a disproportionate expense of resource to comply with) and manifestly unfounded (i.e. it is not a request made with the genuine purpose of seeking your information but a “fishing expedition” aimed to finding out if any information is held). As such the Council is not obliged to comply with the request.
I confirm that prior to the decision not to comply with your request for the reasons set out above, the Council’s Data Protection Officer, Mark Hynes, Director of Governance and Law has been consulted’.
For Ms. Edwards, the reasoning employed here was fallacious, and so she appealed to the Information Commissioner’s Office (ICO), the government regulator charged with policing all such matters.
And having reviewed the correspondence, the ICO concluded that, yes, she was indeed right. SARs, it underlined, were ‘purpose blind’, meaning that petitioners did not have to either explain or justify their motives. Moreover, LBWF’s ‘manifestly unfounded and excessive exemption’ was unwarranted, since no specific reasons had been adduced to explain ‘why complying with this SAR would be too onerous’, and anyway ‘the Council should have technical and organisational measures in place in order to locate the personal data in question’.
Accordingly, the ICO wrote to LBWF and requested that, within ten calendar days, it fully review the case, and in particular provide evidence that it had ‘conducted some reasonable searches for the personal data that Ms Edwards has requested’.
There followed (in the ICO’s words) ‘lengthy discussion…on the phone and by letter’, but LBWF simply refused to budge.
In the end, the ICO wrote to Ms. Edwards with what amounted to an admission of defeat:
‘Dear Ms Edwards,
Further to my recent correspondence, I write regarding the way in which London Borough of Waltham Forest (The Council) has handled your subject access request.
I have contacted the Council and from the evidence they have provided to me, as stated before, it appears that they have infringed your right to access under the GDPR [The EU General Data Protection Regulation] failing to comply with your SAR request. However, it does not appear as though they are willing to provide you with any further information and we have informed them of our dissatisfaction with this situation. It is a requirement under the Data protection Act 2018 that we investigate cases to the “extent appropriate” and after lengthy correspondence with the Council, it appears they are no longer willing co-operate with us to provide this information. Therefore, you may have better results if you seek independent legal advice regarding the matters raised in this particular case.
Right to judicial remedy and compensation [GDPR Articles 79 & 82]
Individuals have the right to take proceedings to court if they believe their information rights have been infringed. This means that if a court is satisfied that the individual’s rights have been infringed it may order the controller or processor in question to take steps to comply with its Data protection obligations. Individuals who have suffered material or non-material damage (such as distress) as a result of an infringement may also be able to receive compensation from the controller or processor.
Please be advised that this is not a process with which the Information Commissioner’s Office is able to assist and we recommend that you seek independent legal advice if you wish to pursue this course of action’.
In short, while the ICO fully accepted that Ms. Edwards was the injured party, it was not prepared to force LBWF’s hand.
And that, as of today, is where the matter stands.
Three observations are pertinent.
First, it is of course very disappointing to find LBWF defying the regulator in the way described. Regrettably, however, this by no means is the only example of such arrogance – see, the links below – so it hardly can be called surprising. The unpalatable truth is that, over some issues, LBWF apparently has come to believe that non-compliance and even deliberate obstruction are acceptable, no matter what the consequences for residents.
Second, it is doubly disappointing to find that LBWF’s ostensible justification in this case partly rests upon ignorance of the law. For the specific issue of ‘purpose’ in relation to SARs was definitively settled as long ago as 2016, thanks to a series of higher court decisions at the end of that year. Guidance issued by the law firm DAC Beachcroft neatly encapsulates developments:
‘It is irrelevant if the requestor has an ulterior motive – The courts considered the arguments for and against a data controller being able to take account of an individual’s collateral purpose for submitting a SAR, particularly where separate legal proceedings between the parties were underway. Ultimately the courts were persuaded by the fact the DPA [Data Protection Act] 1998 does not qualify the right to make a SAR by reference to the individual’s motive, i.e. the right is “purpose blind”. The earlier case law on this point…was disregarded’.
As has been noted, LBWF’s anonymous correspondent told Ms. Edwards that the Council’s Data Protection Officer, Mark Hynes, had been ‘consulted’ over the initial response to her. If that is in fact true, it makes the whole situation even more reprehensible.
The final issue is the role played by the ICO. Quite clearly, in resource-scarce times, all regulators have to choose carefully which cases to pursue. However, for the ICO to tell Ms. Edwards that yes, she is right, but then add that the only way forward for her is to fund her own legal action makes for very unhappy reading.
In a nutshell, if the ICO can’t or won’t effectively defend the ordinary citizen, perhaps there needs to be an urgent rethink about what it’s there for in the first place.