ICO - FS50897723: Difference between revisions
Tag: Undo |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 50: | Line 50: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
| | | | ||
}} | |||
On April 14, 2020, the ICO supported the decision of the Insolvency Service to withold the information it held about insolvent companies. Furthermore, it stated that the confirmation or denial by the Insolvency Serivce that it held more information about the companies within the scope of the request invovled the disclosure of personal data itself. | |||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
The Insolvency Services received a request to provide all information regarding two companies it holds on record. The complainant believed that the Director of an insolvent company | The Insolvency Services received a request to provide all information regarding two companies it holds on record. The complainant believed that the Director of an insolvent company had set up a second company with a prohibited name and had requested information about both companies. | ||
Article 216 | Article 216 Insolvency Act prohibits the Director of an insolvent company to use the name of that company in the 12 months leading up to the liquidation. | ||
The Insolvency Service noted that the information it held was already | The Insolvency Service noted that the information it held was already public and that it could not disclose the remainder as it falls under the personal data of an individual (the Director). However, in its communication with the complainant, the Insolvency Services indirectly confirmed that it held more information, by mentioning that the legislation only prevented the directors of the insolvent company from being involved with another company using the same or similar name. | ||
The complainant challenged the way his request was handled by the Insolvency Service before the Information Commission Office. | The complainant challenged the way his request was handled by the Insolvency Service before the Information Commission Office. | ||
===Dispute=== | ===Dispute=== | ||
The Commissioner had to determine whether the Insolvency Service dealt appropriately with the request to the extent that it covered information not already in the public domain. | The Commissioner had to determine whether the Insolvency Service dealt appropriately with the request to the extent that it covered information not already in the public domain. | ||
But first, the Commissioner | But first, the Commissioner considered whether the Insolvency Service should have confirmed or denied holding further information within the scope of the request as providing the confirmation or denial involves the disclosure of personal data itself. | ||
Moreover, Commissioner considered as well whether the Insolvency Service would be disclosing information relating to the criminal convictions and offences of a third party by confirming or denying that it holds further information within the scope of the request. | |||
===Holding=== | ===Holding=== | ||
The Commissioner stated that the information, '''specifically the confirmation or denial about having more information, in the scope of the request, would fall within the definition of ‘personal data’''' '''defined''' '''in''' '''section 3(2)''' '''DPA''': “''Any information relating to an identified or identifiable living individual”''. The Commissioner explains that an identifiable living individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, location data, etc. '''The confirmation or denial that information was held by the Insolvency Service, not arleady in the public, either way, would involve the disclosure of something about the Director – who is indirectly identifiable from the request.''' | |||
Providing a confirmation or a denial whether it holds information falling within the scope of the request, the Insolvency Service disclosed the personal data, and therefore, by doing so, it breached data protection principles. Here, the Commissioner referred to Article 5(1)(a) GDPR. | |||
Moreover, the Commissioner also stated that confirmation or denial, would involve the processing of the criminal offence data in the scope of the request. Referring to Article 10 GDPR, as well as domestic legislation, the Commissioner underlined that by indirectly confirming or denying the information, it confirmed that it had taken steps to establish whether a breach of Section 216 had occurred, by doing so, the Insolvency Service processed and disclosed criminal offence data. | |||
==Comment== | ==Comment== | ||
Latest revision as of 21:38, 21 April 2021
ICO - FS50897723 | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 5(1)(a) GDPR Article 10 GDPR 216 (4) of the Insolvency Act 1986 3(2) of the DPA |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 14.04.2020 |
Published: | |
Fine: | None |
Parties: | The Insolvency Service The individual/ Complainant |
National Case Number/Name: | FS50897723 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | n/a |
On April 14, 2020, the ICO supported the decision of the Insolvency Service to withold the information it held about insolvent companies. Furthermore, it stated that the confirmation or denial by the Insolvency Serivce that it held more information about the companies within the scope of the request invovled the disclosure of personal data itself.
English Summary
Facts
The Insolvency Services received a request to provide all information regarding two companies it holds on record. The complainant believed that the Director of an insolvent company had set up a second company with a prohibited name and had requested information about both companies.
Article 216 Insolvency Act prohibits the Director of an insolvent company to use the name of that company in the 12 months leading up to the liquidation.
The Insolvency Service noted that the information it held was already public and that it could not disclose the remainder as it falls under the personal data of an individual (the Director). However, in its communication with the complainant, the Insolvency Services indirectly confirmed that it held more information, by mentioning that the legislation only prevented the directors of the insolvent company from being involved with another company using the same or similar name.
The complainant challenged the way his request was handled by the Insolvency Service before the Information Commission Office.
Dispute
The Commissioner had to determine whether the Insolvency Service dealt appropriately with the request to the extent that it covered information not already in the public domain.
But first, the Commissioner considered whether the Insolvency Service should have confirmed or denied holding further information within the scope of the request as providing the confirmation or denial involves the disclosure of personal data itself.
Moreover, Commissioner considered as well whether the Insolvency Service would be disclosing information relating to the criminal convictions and offences of a third party by confirming or denying that it holds further information within the scope of the request.
Holding
The Commissioner stated that the information, specifically the confirmation or denial about having more information, in the scope of the request, would fall within the definition of ‘personal data’ defined in section 3(2) DPA: “Any information relating to an identified or identifiable living individual”. The Commissioner explains that an identifiable living individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, location data, etc. The confirmation or denial that information was held by the Insolvency Service, not arleady in the public, either way, would involve the disclosure of something about the Director – who is indirectly identifiable from the request.
Providing a confirmation or a denial whether it holds information falling within the scope of the request, the Insolvency Service disclosed the personal data, and therefore, by doing so, it breached data protection principles. Here, the Commissioner referred to Article 5(1)(a) GDPR.
Moreover, the Commissioner also stated that confirmation or denial, would involve the processing of the criminal offence data in the scope of the request. Referring to Article 10 GDPR, as well as domestic legislation, the Commissioner underlined that by indirectly confirming or denying the information, it confirmed that it had taken steps to establish whether a breach of Section 216 had occurred, by doing so, the Insolvency Service processed and disclosed criminal offence data.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.