Do you know what? I am beginning to wonder whether some of the exemptions in Schedule 2 of the DPA2018 work as they should. So, if you disagree with the following analysis please make a counter argument.
First, I think all the exemptions that are constructed using the use of the word “processed” provide a lawful basis for one controller to disclose personal data to another controller for the purposes/reasons identified in the exemption. In this way, the exemptions permit a disclosure gateway between controllers when in many cases, I suspect the exemption was originally designed for use by a single controller.
Second, I think important exemptions that apply to disclosures of personal data to regulators (e.g. the ICO) and to the disclosure of personal data to the police, HMRC, DWP etc are inherently flawed. It does not matter whether the disclosure is obligatory or voluntary.
This blog explains why? It will be useful for the reader to have Schedule 2 of the DPA2018 handy.
RIP: exempt from the non-disclosure provisions
Under the DPA1998 life was a little easier because there was a separation between some key exemptions associated with disclosure (e.g. “exempt from the non-disclosure provisions”) and other exemptions associated with obtaining (e.g. “exempt from the subject information provisions”).
Thus, a controller wanting to assist the police and disclose personal data could do so if it was satisfied that the requirements of the non-disclosure exemption were met (e.g. failure to disclose would prejudice a criminal inquiry, or if the police had used powers or a court order requiring disclosure to the police).
Such a disclosure of personal data was exempt from the first five Data Protection Principles of the DPA1998 to the extent that it was necessary (e.g. exempt from the fairness obligation which would require the disclosing controller to inform the data subject of the disclosure for policing purposes). The police when they obtained the disclosed personal data had a different obtaining exemption from fairness (e.g. the obtaining controller did not inform the data subject of the obtaining for policing purposes if informing the data subject would prejudice a criminal inquiry).
In this way there was no tipping off the data subject about the criminal investigation either by the disclosing controller or by the obtaining controller. This arrangement under the DPA1998 was not limited to policing; it applied to any disclosure to any law enforcement body and taxation body (e.g. HMRC).
Importance of the word “processed”
Note that both disclosure and obtaining are processing operations. For instance, my disclosure of personal data to you, is your obtaining personal data from me; it is in effect the same transaction viewed from opposite ends of the same telescope. That explains why, in the DPA2018, the word “processed” in the exemptions covers both controllers (i.e. the controller to whom personal data are disclosed as well as the controller that obtained the personal data in the first place).
For example, consider a controller processing personal data for “management planning” (which exempts the right of access, the right to be informed and Principles that correspond to the exempt rights; Schedule 2, Part 2, Paragraph 22), and assume the prejudice test is satisfied.
Now suppose another company in the same group wants to make a disclosure to the first controller for that purpose. Well as far as I can see, the exemption applies to the disclosing controller as well as the obtaining controller, and the lawful basis for the disclosure will be “in the legitimate interests of a third party” (Article 6(1)(f)).
The fact that the legislation has permitted an exemption for such a disclosure, will make it more difficult for the data subject to raise counter arguments. For example, if knowledge of the disclosure is kept from the data subject (as is permitted by the exemption), how can the data subject know that he or she can exercise the right to object (which is not part of the exemption)?
Further evidence that the processing covers the disclosing controller is made explicit in paragraph 10 of Schedule 1 which relates to disclosure of special category personal data from one controller to another controller for law enforcement purposes. The provision in paragraph 10(2) has special provisions if the processing operations are just related to the disclosure of personal data to another law enforcement controller; these special provisions do not apply if the controller is not disclosing personal data (e.g. processing personal data for its own purposes for preventing or detecting unlawful acts).
In summary, each exemption that is expressed using the word “processed” permits disclosure between two or more controllers, and all processing operations for one controller (usually the obtaining controller). As most exemptions include the transparency arrangements, any disclosure of personal data occurs in secret.
Disclosure for law enforcement etc
Consider the exemption relating to disclosure of personal data to the police for their crime related investigatory purposes under Schedule 2, Part 2, paragraph 2 of the DPA2018; it has other problems.
If a controller makes a voluntary disclosure of personal data to the police for their crime related investigatory purposes (under Schedule 2, Part 2, paragraph 2 of the DPA2018), the reach of the exemption (known as “the listed GDPR provisions” in paragraph 1) includes a range of options, all of which are subject to a test of prejudice.
But, suppose that controller refuses to volunteer personal data to the police and the police then obtain a court order for the same personal data and for the same criminal inquiry. Now the exemption (which relates to the same the listed GDPR provisions in paragraph 1) switches from Schedule 2, Part 2, paragraph 2 to the exemption in Schedule 2, Part 2, paragraph 5(2)).
However, whilst the exemption is paragraph 2 is subject to a test of prejudice, the exemption in paragraph 5(2) is subject to a test of prevent. Thus, for a request/demand that relates to the same personal data for the same criminal inquiry is subject to an exemption with different tests depending on how the police approach the controller for disclosure; one exemption has a test of prejudice whilst the other has a test of prevent.
The practical effect is stark. I can see how the application of the data subject’s right to informed about the disclosure of personal data to the police, if applied, could prejudice the police’s criminal investigation; I am struggling with how informing the data subject prevents the disclosure of personal data for that investigation.
That is one reason why I think the exemption in paragraph 5(2) is improperly constructed.
That is not all!
It gets worse by the way. Suppose there is an incident where the police collect CCTV images from many controllers following say a stabbing incident. In both the exemptions that apply (associated with Schedule 2, Part 2, paragraph 2 and paragraph 5(2)), there is no exemption from the requirements of the Data Minimisation Principle (“Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”).
In other words, the disclosing controller has to be sure that the personal data are limited to those relevant to the police inquiry prior to disclosure, but the police cannot state whether the personal data are indeed relevant until they have viewed the images (e.g. to see whether they show something relevant to their investigation of the stabbing incident) This is most likely to occur after the police have obtained the images (and not before).
Under the DPA1998, the exemption from the non-disclosure provisions included the Third Principle and covered this eventuality. But under the DPA2018, the exemption for the equivalent Principle in Article 5(1)(c) is absent from the listed GDPR provisions in Schedule 2, Part 2, paragraph 1.
In conclusion I think the reach of the exemption in paragraph 1 is incomplete (and this problem I raise applies to all those law enforcement agencies and taxation agencies who use this exemption). If these law enforcement agencies use their powers, the relevant exemption switches from a test of prejudice to one of prevent (another problem).
Disclosures to regulators such as the ICO
A similar problem relates to the listed GDPR provisions that relate to exemption in Schedule 2, Part 2, paragraph 11 which applies to the regulators (e.g. ICO). This exemption protects personal data processed by the ICO from the application of all rights and Principles that correspond to the rights. So, for example, a data subject under investigation by the ICO cannot exercise his rights if application of any particular right would prejudice the ICO’s investigation.
Because of the exemption uses the word processing, that exemption is available to any controller disclosing personal data to the ICO. So, a controller who volunteers personal data to the ICO (e.g. in response to an informal query from the ICO) can rely on withholding subject access (A.15) or a right to be informed notice (A.13) if providing this information would prejudice the ICO’s investigation.
Note listed GDPR provisions linked to the exemption in paragraph 11 does not include the Purpose Limitation Principle, so the controller has to determine whether the disclosure for the ICO’s purpose is compatible with the disclosing controller’s purpose of obtaining.
So, suppose a controller processes personal data for a Purpose X and the ICO asks (not demands – see later!) for a copy of those personal data to pursue an investigatory purpose. Is the disclosure of personal data for the ICO’s investigatory purposes, compatible or incompatible with the Purpose X?
If the Purpose X is deemed incompatible with the ICO’s investigatory purpose, then the disclosing controller who wishes to assist the ICO risks a breach of the Purpose Limitation Principle even if the disclosure is to the ICO for very good reasons.
One therefore wonders whether the ICO’s informal approach to a controller concerning a problem could place a disclosing controller at risk because the exemption does not include the Purpose Limitation Principle? Alternatively, one can see that the exemption should have been drafted to include this Principle as part of the listed GDPR provisions.
The ICO could avoid this problem if she was to serve an Information Notice. In this case, the exemption in Schedule 2, Part 2, paragraph 11 does not apply, but the one in Schedule 2, Part 2, paragraph 5(2) does. As the disclosure is now required by law, the listed GDPR provisions associated with this exemption includes the Purpose Limitation Principle (so problem solved?).
Well no! The exemption in paragraph 11 applies if disclosure would prejudice the ICO’s investigation; the exemption in paragraph 5(2) applies if disclosure would prevent the controller making the disclosure for the ICO's investigation. These are different tests as discussed previously in the context of policing.
There again, I can see how informing the data subject could prejudice the ICO’s investigation; I am struggling with how informing the data subject prevents the disclosure of personal data for the ICO’s investigation.
The conclusion I come to is the exemption in paragraph 11 is also in error (and that applies to all regulators who adopt the ICO’s informal approach to investigations). The same argument applies to all those who process personal data for functions that protect the public (i.e. apply the exemption in Schedule 2, Part 2, paragraph 7).
Concluding comment
If I am correct, some very important Schedule 2 exemptions are very problematic for a number of reasons; I suspect they are in need of a legislative fix.
Upcoming Data Protection/FOI qualification courses (April to July)
- Day devoted to “what’s in the DPA2018” (1 day; London, April 1)
- BCS Data Protection Foundation (3 days; London-May 21-23)
- BCS FOI Practitioner course; London (starts 4 June)
- Because of demand, the next BCS Data Protection Practitioner, London course that can be booked is (6 days starting June 11 or July 16)
- BCS Data Protection Practitioner Upgrade/Conversion (2 days; London, July 23 & 24)
Details on www.amberhawk.com or by emailing [email protected]
Comments
You can follow this conversation by subscribing to the comment feed for this post.