ICO: Investigating cannot occur!

Does the Information Commissioner's Office actually investigate things?

SecurityBytes
Jun 30, 2017 · 6 min read

A rather well known travel company has recently annoyed me. They failed to respond to requests for personal data. I spent a couple of months following the ICO (Information Commissioner's Office) guidelines on how to request it and what to do if there is no response: send the initial request via email and post (recorded delivery, I know the twats received it), wait the allotted amount of time, then send them more correspondence reminding them they had a legal obligation to provide the information. I even sent a letter to the CEO's office. All of which was met by a stony silence. Time to escalate this up to the ICO. The problem is that the ICO don't seem to respond to anything either. This turned out not to be an issue because I had also lodged a formal complaint with ABTA (Association of British Travel Agents) and the two-pronged attack did the trick and I got a response, finally. I hoped that was the last of it and I could turn my attention to something else.

Unfortunately not.

On the first day of our holiday we received the obligatory ‘Welcome valued guest, here are a bunch of things you could do for much cheaper if you were not so lazy as to actually book it yourself, so have a 2/3x markup’. No thanks guys, I like my monies. Nothing unusual about this. Until we received it again, and again, and again. Was this a mailing issue? Nope, we were being CC'ed into the emails sent to other guests, which displayed their email addresses to us. This is a breach of the Data Protection Act 1998.

http://www.legislation.gov.uk/ukpga/1998/29/contents
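The failure here is a mass mail-out with guests in To/Cc instead of Bcc. As an added example (not code from the post or the travel company), here is a small Python check that flags an outgoing message when more than one address outside the sender's own domain is visible to every recipient, next to the way such a welcome mail should be built. The domains and guest addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg):
    """Addresses every recipient of msg can see: anything in To or Cc.
    Bcc is deliberately not returned; a mail server strips it before delivery."""
    addrs = []
    for header in ("To", "Cc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return sorted({a.lower() for a in addrs if a})


def discloses_third_parties(msg, own_domain):
    """True when more than one address outside own_domain is visible,
    i.e. the guests would learn each other's email addresses."""
    external = [a for a in visible_recipients(msg)
                if not a.endswith("@" + own_domain.lower())]
    return len(external) > 1


def welcome_mail(sender, guests, subject, body):
    """Build a bulk welcome message the safe way: the sender's own mailbox
    in To, every guest in Bcc. smtplib.send_message() removes the Bcc header
    and uses those addresses only as envelope recipients."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(guests)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample data (hypothetical domains, not from the post).
SENDER = "welcome@resort.example"
GUESTS = ["alice@mail.example", "bob@mail.example", "carol@other.example"]


def mistaken_mail():
    """The mail-out as the post describes it: all guests in Cc."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(GUESTS)  # every guest sees every other guest
    msg["Subject"] = "Welcome valued guest"
    msg.set_content("Excursions available at reception.")
    return msg
```

Running `discloses_third_parties` on outbound mail before it reaches the relay (for instance in a sending script or a milter) catches this class of disclosure before the first guest opens the message.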

Now I know a little bit about data protection and am also a pedant. I am currently somewhat displeased with the previously mentioned travel company, so I decided that I'd go ahead and lodge a complaint with the ICO. Given that I've had no end of grief getting anything resembling a response out of the travel company without the assistance of an official intermediary organisation, I decided to go straight to the ICO. This is where it all goes a bit weird. There is a section regarding the reporting of concerns:

Reporting concerns

We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Reporting your concerns to us will help us to do that.

Before reporting a concern to us, we expect you to give the organisation the opportunity to consider it first. In order for us to look at their information rights practices we need you to provide us with their reply.

So, apparently I have to take my evidence of a breach of the DPA and tell them off myself? Because obviously I have legal and regulatory backing to do this? What do they expect to happen; ‘Sorry we won’t do this again’? I didn’t like this and decided to contact their online chat function. Here is the transcript:

You are now chatting with ico_shemiaht
ico_shemiaht: Good afternoon
Pete: Afternoon
Pete: I have a question about being emailed as a CC disclosing other customers email address to me
Pete: I recently went on holiday and received a ‘welcome valued customer’ email
ico_shemiaht: An organisation has a duty to keep information safe and secure. When sending emails, data controllers should use the blind copy function to conceal the name of other recipients, if, it would not be within their reasonable expectations to have their information shared.
ico_shemiaht: If you have concerns that an organisation has breached the Data Protection Act (DPA) we first advise that you should raise your concerns in writing with them. If you haven’t already done this you may find our template letter useful:

https://ico.org.uk/for-the-public/raising-concerns/

If you are not satisfied with the response they provide then you can report the concern to our office and we can make an assessment. You can do this via the report a concern section of our website:

https://ico.org.uk/concerns/
Pete: okay, but if this is a breach of the DPA
Pete: should they not be held accountable?
Pete: Why do I have to go through the steps of telling them they have breached a legally binding act?
Pete: That’s surely what you lot are for?
ico_shemiaht: We are the regulators of the Act and therefore you can report your concerns to us. If we conclude that they are in breach of the Act we can take the appropriate action where necessary.
Pete: okay, so as part of the concerns section
Pete: I then assume there is no requirement to be in contact with the company prior to raising said concern?
ico_shemiaht: Section 42 of the DPA allows any person who believes themselves to be directly affected by a contravention of the Act to make a request for us to conduct an assessment of compliance. In order for us to carry out the assessment the individual must have exhausted the concerns process with the data controller; we require that you raise it in writing and allow them a reasonable period to respond.
ico_shemiaht: Further information can be found here — https://ico.org.uk/about-the-ico/what-we-do/how-we-handle-concerns/
Pete: I can’t see a section 42 in that link
Pete: do you have a link to that documentation?
Pete: because this sounds a lot like they are disclosing email addresses they shouldn’t be and you’re asking me to do your job for you. I’d like to see where it says I have to jump through these hoops prior to raising a concern with you
ico_shemiaht: The above link will direct you to our handling concerns process. I think this may be of interest to you.
Pete: i have read it, it doesn’t show me section 42 that apparently says i have to exhaust all my concerns with their data controller
ico_shemiaht: http://www.legislation.gov.uk/ukpga/1998/29/section/42 — here is a link to the legislation.
Pete: okay so reading that
Pete: there is no requirement for me to contact anyone
Pete: oter than yourselves to investigate the matter
Pete: other*
Pete: can you confirm that is the case, or point me at documentation that says otherwise please
ico_shemiaht: 42(2) refers to instances where the ICO is not required to provide an assessment
ico_shemiaht: https://ico.org.uk/about-the-ico/our-information/service-standards/
ico_shemiaht: Under the subheading ‘reporting concerns’ via the above link you can find the information you require
Pete: which isn’t actually part of the DPA though is it
Pete: it says expect but doesn’t mandate
Pete: and if the DPA is breached you as regulators are legally obliged to investigate?
ico_shemiaht: You can bring a concern to us if you wish. I believe I have informed you of the process, which is that we require you to raise your concerns with the organisation in the first instance. You may put forward your reasons why you don't believe it necessary for you to follow the process and it will be for the manager of the team dealing with your case to decide whether or not we conduct an assessment. It is important to note that we do not usually look into concerns unless you have reported your concerns to the organisation first.
Pete: Summary: you will look into it only if the leg work has been done for you. To think, further up this chat session you said you are the regulators of the act. I'll submit my evidence and see if you guys can be arsed doing your jobs then.

So there we have it: the ICO do not usually look into concerns unless you have reported your concerns to the organisation first. It's up to us not only to provide evidence of wrongdoing; it's also apparently up to us to do the investigation and the communication with the company who are breaching a legally binding act of parliament. All I can say is that it's a good thing our police force doesn't view breaches of the law in the same way, or we'd either be living in 24/7/365 Purge territory or be a nation of sleuths!

Guess I’ll chuck in the evidence and see what happens, I’m not expecting much though.

SecurityBytes: InfoSec architect, analyst and researcher. Suffering from full time imposter syndrome.