Datatilsynet - 2019-812-0035

Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 15 GDPR
Section 15 Law Enforcement Act
Section 19 Law Enforcement Act
Type: Complaint
Outcome: Partly Upheld
Decided: n/a
Published: 11.05.2020
Fine: None
Parties: Danish Prison and Probation Service
National Case Number/Name: 2019-812-0035
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA (Datatilsynet) found that it was not competent to assess which of the different legal grounds applicable to an access request is the most beneficial for the complainant, in a case where a prison officer requested access to all documents that mentioned his name.

English Summary

Facts

A prison officer had asked the Prison and Probation Service for access to documents confirming that he, as an employee, had been involved in violent incidents. He later clarified that he wanted access to all documents that mentioned his name.

The Prison and Probation Service initially rejected the request on the grounds that, for technical reasons, it was not possible to report all the episodes in which the officer had participated and it was only possible to seek reports that the officer had written himself. Then, they claimed that searching all relevant documents that mentioned the complainant's name would be an excessive burden according to Article 12 (5) GDPR.

The prison officer then complained before the DPA about the Prison and Probation Service's refusal to grant access.

Holding

The DPA found that different legal grounds are relevant in this case, such as Article 15 GDPR, sections 15 and 19 of the Danish Law Enforcement Act and provisions of the Public Administration Act.

The DPA is not competent to decide which legal ground will have the best results for the complainant as it is a matter of administrative law.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Prison and Probation Service's handling of the request for insight
Published 11-05-2020
Decision Public authorities

The Data Inspectorate criticizes the Prison and Probation Service's handling of a prison officer's request for insight. In connection with the case, the Data Inspectorate took a position, inter alia, on the importance of information describing a function that an employee has performed in the workplace, rather than describing the employee's behavior.

Journal number: 2019-812-0035
Summary

A prison officer had asked the Prison and Probation Service for access to documents confirming that he (as part of his employment) had been involved in violent incidents, including reports of use of force, observation cell, security cell, as well as reports of threats and possible reports of suicide attempts or other violent self-harm.

The Prison and Probation Service initially refused the prison officer's request for access on the grounds that, for technical reasons, it was not possible to search for all the episodes in which he had participated and that it was only possible to search for reports that the prison officer himself had written.
The prison officer then complained about the Prison and Probation Service's refusal of access to the Data Inspectorate.

At the request of the Data Inspectorate, the Prison and Probation Service stated that, with the assistance of the system provider, it was nevertheless possible to search for specific reports in which the prison officer's name may have been registered and that the Prison and Probation Service had thus informed the prison officer.

However, the Prison and Probation Service stated at the same time that it was not possible to conduct searches in the free text fields of the reports in the system concerned in order to clarify whether the prison officer's name might appear there, as this would require a search of 8-10 million documents in the system's document server, which could not be technically supported in the system.

After a review of the case - and after the case was presented to the Data Council - the Data Inspectorate criticized the Prison and Probation Service for not giving the complainant insight in accordance with section 15 of the Law Enforcement Act, as the Prison and Probation Service only provided insight after the Data Protection Authority's inquiry regarding the case.

As regards the part of the complaint which concerned access to any information in free-text fields, which would require a search of 8-10 million documents in the system's document server, the Data Inspectorate found that the request could be rejected with reference to section 19 of the Law Enforcement Act.

In this connection, the Data Protection Supervisor presumed that the free-text fields mainly described only a function that the prison officer had performed in the workplace and not actions that reflected his personal choices and reactions, or actions that he had been exposed to.
The Data Inspectorate also emphasized, among other things, that the Prison and Probation Service had already made significant efforts to obtain information about the prison officer and that the Prison and Probation Service had to be assumed to need to use not insignificant resources to obtain any additional information about him. In addition, the Authority also emphasized that the prison officer had not been able to clarify his request in order to identify further information about him.

The case is the first case where the Danish Data Protection Agency has made a decision regarding section 19 of the Law Enforcement Act (corresponding to the provision in Article 12 (5) of the Data Protection Regulation).
Decision

The Data Inspectorate hereby returns to the case where, on behalf of XX (hereinafter the complainant), XX has, on 8 January 2019, complained to the Supervisory Authority about the Danish Prison and Probation Service's refusal of the complainant's request for access.
1. Decision

After a review of the case, the Data Inspectorate finds that there are grounds for expressing criticism that the Prison and Probation Service's processing of personal data has not taken place in accordance with the rules in section 15 of the Law Enforcement Act [1].

The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
2. Statement of the case

It appears from the case that on September 17, 2018, the complainant requested access to all records held by the Prison and Probation Service in which the complainant is mentioned by name, for use in a pending work injury case.
On October 4, 2018, the Prison and Probation Service asked the complainant to clarify which reports, in the complainant's opinion, are relevant to the treatment of his occupational injury case.

In response to the Prison Service's request, the complainant clarified his request for insight and stated that he was primarily interested in documents confirming that he had participated in violent episodes, including reports of use of force, observation cell submissions, security cell submissions as well as reports of threats and any reports of suicide attempts or other violent self-harm.

On 12 November 2018, the Prison and Probation Service stated that, after a closer examination, no information was registered beyond that which had already been sent to the complainant in connection with the Prison and Probation Service's response to the complainant's request for access on 18 June 2018.

On November 13, 2018, the complainant again clarified his request, stating that he wanted access to reports stating his name. In this connection, the complainant stated to the Prison and Probation Service that, to his knowledge, there are a greater number of reports - in which he is mentioned - than those which he had already been provided.

On December 6, 2018, the Prison and Probation Service refused the complainant's request for insight in a letter which reads as follows:

 “[…] [Complainant] requests access to all documents stating your name. Previously, access to registrations regarding violence and threats. The Area Office understands that this request concerns all reports of use of force, observation cell submissions, security cell submissions, and reports of suicide attempts in which you are named.

According to Article 15 of the GDPR on 'The data subject's right of access', the data subject has the right to gain access to the personal data processed by the employer regarding the data subject and, where applicable, access to this personal data.
According to the GDPR, it is thus only possible to seek insight into the personal data processed by the Prison and Probation Service.

However, access to documents (reports) from a specific case must be sought for the rules of the Public Administration and Public Law, which you did in an email of 7 June 2018.

The Ringsted District Office responded to your original request on June 18, 2018, and the Security Office Security Unit has further investigated the case and responded again on November 12, 2018. The District Office may state that access to the file has been restricted, as the Ringsted District Office cannot request all reports from the Client System. It is not possible for purely technical reasons to search all episodes that you have participated in. We can only search the reports that you have written yourself.

As is well known, it is not possible in the Client System to search freely in an employee's name or across this system.

If you want insight into personal data, please specify in which specific cases you want the information from and provide information on the time so that the information can be found. "

On 7 December 2018, the complainant again contacted the Prison and Probation Service, as he continued to request access to "all documents where [the complainant's] name is registered".

The Prison and Probation Service responded to this request on December 20, 2018, upholding the rejection with the same wording as before. It appears from the reply that two further reports were provided to the complainant on the same date.
2.1. The Prison Service's remarks

On 1 March 2019 the Prison and Probation Service issued a statement in the case. The Prison and Probation Service has generally stated the following:

“Initially, the Directorate can state that when the Prison and Probation Service processes personal data on employees, it basically takes place in the Prison and Probation Service's HR systems, which are covered by the Data Protection Regulation. In the Directorate's view, therefore, there is, in principle, no treatment that is carried out for the purpose of preventing, investigating, revealing or prosecuting criminal acts or enforcing criminal sanctions, including to protect or prevent threats to public safety, cf. the Law Enforcement Act § 1.
However, the Prison and Probation Service may process information about employees for the purpose of enforcing criminal penalties, according to which the information will be covered by the Law Enforcement Act. This may be the case, for example, if an employee is employed as a prison officer and has made use of force against one of the clients of the Prison and Probation Service, after which the employee's name is registered in a power use report, which is created in the Prison and Probation System's case law system on that client's case.

On this basis, it can be stated that the Directorate treats the complainant's request as a request for insight in accordance with the rules of Chapter 5 of the Law Enforcement Act, Chapter 3 of the Data Protection Regulation and Chapter 3 of the Data Protection Act.

The Directorate may state that the Prison and Probation Service processes information on the complainant that is covered by the Data Protection Regulation in the Prison and Probation Service's HR systems by virtue of the complainant's employment conditions.

The Prison and Probation Service processes ordinary personal data on the complainant under Article 6 of the Data Protection Regulation, including name, position, number of sick days, salary, work telephone number and work email.

The Prison and Probation Service also processes sensitive personal data on the complainant under Article 9 of the Data Protection Regulation, including information on the complainant's union affiliation.

The Prison and Probation Service can also state that it is only possible in the client case system to search by an employee's name for reports which that employee has created himself. As a rule, it is not technically possible to seek out other reports regarding episodes in which an employee's name may appear.

Against this backdrop, the Directorate will engage with the client system vendor to clarify whether there are ways in which such a search can be made to meet the complainant's request for access to reports under the Law Enforcement Act.

The Directorate may state that the Prison and Probation Service intends to respond to the complainant's request for access under the Data Protection Regulation and the Act to the extent that the complainant wishes to gain access to information covered by these rules.
As regards the complainant's request for access under the Law Enforcement Act, the Directorate is in the process of clarifying how and to what extent the Prison and Probation Service can technically meet the complainant's request, cf. above.”

In response to the Danish Data Protection Agency's request, the Prison Service on May 3, 2019 issued a supplementary opinion. The opinion states, inter alia, the following:

“The Prison and Probation Service can state that the client system is designed to process information about the Prison and Probation Service's clients, which means that information can be sought on a specific client in the system. Therefore, it is possible to meet a request for insight from a client by conducting a search of the system.

When creating a report during a case in the client system - e.g. in connection with the use of force against a client - the name of the employee who made the restraint will be recorded in the report. If there is a subsequent need to search in which reports an employee's name is registered, it cannot be done based on a search of the employee's name directly in the system.

In order to meet requests for insight into the client case system from employees, the Prison Service has been in dialogue with the client system provider. For this reason, the Prison and Probation Service can state that, with the supplier's assistance, it is possible to search for specific reports in which an employee's name may have been registered, and thus it is possible to respond to employees' requests for insight into the client system. On that basis, the Prison and Probation Service provided information covered by the complainant's request for access to the complainant on April 3, 2019.

The Prison and Probation Service can thus state that requests from clients and employees for access to information in the client system can be met.

The Prison and Probation Service must deplore the lengthy processing time and that the complainant's request for insight was not initially granted. "
In addition, on 15 August 2019, the Prison and Probation Service issued a further opinion, from which it appears that:

“The Directorate of Prison and Probation can state that, with regard to the personal data processed on the complainant under the Data Protection Regulation, the Prison and Probation Service has provided full insight into the information covered by the complainant's request.

In addition, the Directorate can state that, as regards the part of the Prison and Probation Service's information on the complainant covered by the Law Enforcement Act, some of the reports are covered by the complainant's request at this time, which unfortunately has happened several times. The remainder of the reports covered by the complainant's request, the Prison and Probation Service is working to deliver to the complainant as quickly as possible.

To respond to the complainant's request for access, in March, the Prison and Probation Service obtained information from the Client System vendor in which reports the complainant's name was registered. On that basis, the Prison Service responded to the complainant's request.

Subsequently, the Prison and Probation Service became aware that so-called ordinary reports can also be sought in the client system, so in July the supplier was asked to do another search to clarify if there were ordinary reports covered by the complainant's request. In July, a number of general reports appeared, as well as a number of reports on the use of force, security cell and observation cell, which regrettably did not appear in the supplier's search in March.

The inconsistent results in the searches performed by the supplier in March and July respectively are due to the supplier adjusting and expanding the search criteria to include all relevant reports.
The Directorate has been in dialogue with the supplier with a view to ensuring, both backwards and forwards, that all relevant reports appear in the search results provided by the supplier to the Prison and Probation Service. The Directorate last held a meeting with the supplier on August 14, 2019, where the supplier stated that changes have now been made in the procedure for searches in the Client System, so that conflicts in the future can be avoided. The supplier specifically ensures this by reviewing the scripts on which the searches are based and at the same time ensuring that the search criteria used are clearly stated in the search result when submitting to the Prison and Probation Service.

In addition, the Directorate can - in relation to what the complainant has stated - state that neither the searches made in March nor July show reports of suicide in which the complainant's name appears.

Finally, the Directorate should note that the Prison and Probation Service currently has no way of conducting searches in the free text fields of reports in the Client System in order to clarify whether the complainant's name may appear therein. This is because searches in free-text fields require searches across the entire client system's document server, which is estimated to include between 8 and 10 million documents. Such a search is theoretically possible, but cannot currently be technically supported in the Client System - either by the Prison and Probation Service or by the supplier.

The Directorate can finally state that when data subjects can gain access to information about themselves according to the rules of section 8 of the Public Act and the rules of section 15 of the Law Enforcement Act, the Prison and Probation Service considers that section 15 of the Law Enforcement Act gives the data subject a better legal position than section 8 of the Public Act, as the right of access under the Law Enforcement Act - contrary to the rules of public law - also gives the right to certain contextual information, including information on the purpose of the treatment, the categories of recipients of the information, other rights under the Law Enforcement Act and - if possible - the envisaged period in which the information will be stored.”

The Prison and Probation Service finally stated by telephone on October 8, 2019 that the complainant on September 10, 2019 was provided with insight into the reports found in the July 2019 search.
2.2. The complainant's remarks

The complainant has generally stated that the Prison and Probation Service has not given him full insight into the personal data requested.

The complainant also states that he has gained access to information about him, which appears from reports on the use of force, securing cell, observation cell and handcuffs, but that, on the other hand, no information has been provided in reports on possible suicide attempts and ordinary reports.

In the complainant's view, information about the complainant may also be found in these types of reports, as may there be other types of reports that include information about the complainant.

In addition, the complainant has stated that, in principle, no information has been provided on all information on the complainant handled by the Prison and Probation Service, as, among other things, no reports are omitted.

In this connection, the complainant refers to another case of insight, in which it appeared that all the documents were not disclosed, as it was found that a report was "missing".

The complainant has finally stated that, as an employee, you do not have the opportunity to know what type of reports you are mentioned / registered in, and when the Prison and Probation Service cannot definitively confirm that full insight has been given, the complainant is of the opinion that the Prison and Probation Service has not given him full insight.
3. Justification for the Danish Data Protection Agency's decision
3.1. Scope of the Law Enforcement Act

As the complainant has been given full insight into the information contained in the Prison and Probation Service's HR systems, the present case only deals with the Prison and Probation Service's processing of information on the complainant in the client system.

In this connection, the Data Inspectorate assumes that the Prison and Probation Service processes information about the complainant in the Prison and Probation Service's client system, as the complainant is employed as a prison officer in the Prison and Probation Service.

The Data Inspectorate finds that the processing of information on the complainant that appears in the client system is covered by the Law Enforcement Act, cf. section 1 (1) of the Act. The Data Inspectorate has in particular emphasized that the Prison and Probation Service's processing of information about employees in the client system is inextricably linked to the enforcement of criminal penalties and the exercise of powers through forced intervention and use of force against prisoners.
3.2. The Prison and Probation Service's response to the complainant's request for insight

The Data Inspectorate assumes that the Prison and Probation Service initially refused the complainant access to documents that can confirm that he (as a prison officer) has participated in violent episodes, citing the structure of the client system, and that the Prison and Probation Service subsequently - after the Danish Data Protection Agency's request regarding the case - has continuously provided the complainant insight into the reports that could be sought in the client system.

As a rule, data subjects have the right to obtain the data controller's confirmation of whether personal data concerning the person is processed and, where applicable, access to personal data, cf. Section 15 of the Law Enforcement Act. When the reports in question contain personal data on the complainant, the complainant is thus entitled to insight.

Following a review of the case, the Data Inspectorate finds that the Prison and Probation Service - by initially denying the complainant access to documents that can confirm that he (as a prison officer) has participated in violent episodes - has not acted in accordance with section 15 of the Law Enforcement Act, which provides the Authority with a basis for expressing criticism.

The Data Inspectorate has hereby emphasized that it is the responsibility of the data controller to respond to insight requests, including to the greatest extent possible. In this connection, the Authority has also emphasized that the Prison and Probation Service did not involve the system provider with a view to seeking the information in question initially, and that this only happened after the Danish Data Protection Agency had contacted the Prison and Probation Service regarding the case.
3.3. Further insights into information presented in the free text fields of reports
3.3.1.

In addition to HR systems, both public and private employers will to a large extent process information about employees in case management systems, etc., where the registration of information about the employee depends primarily on the work function performed by the person concerned.

This information will in principle be personal data, and the employee will thus have the right to insight, etc. according to the data protection rules. However, given the nature of the information and the purpose of its registration, the exemption clause in section 19 of the Law Enforcement Act (and the corresponding provision of Article 12 (5) of the Regulation) will be relevant in a number of cases.
3.3.2.

Under the wording of Section 19 of the Law Enforcement Act, the data controller alone may refuse to respond to manifestly baseless or excessively repeated requests for access. It is clear from the specific comments on the provision [2]:

“It is clear from section 33 of the Personal Data Act that a registered person who has been notified pursuant to section 31 (1). Paragraph 1, whether the data subject's right of access, is not entitled to a new notification until 6 months after the last notification, unless a special interest is shown in it.

Section 19 proposes that the data controller may refuse to respond to manifestly baseless or excessively repeated requests made under the provisions of section III.

It is the data controller who bears the burden of proof that the conditions for rejection are fulfilled. Thus, it is not up to the data subject to prove a legitimate interest, but to the extent that the data subject presents information on such interest, there will presumably be no grounds for refusing the request under the proposed provision ”.

Section 19 of the Law Enforcement Act is established on the basis of Article 12 (4) of the Law Enforcement Directive, which states:

'Member States shall provide that information provided pursuant to Article 13 and any communication and measures taken pursuant to Articles 11, 14 to 18 and 31 shall be free of charge. If requests from a data subject are manifestly baseless or excessive, especially because they are repeated, the data controller can either:

(a) charge a reasonable fee, taking into account the administrative costs of providing information or notices or taking the desired action; or

(b) refuse to grant the request.

The burden of proof that the request is manifestly baseless or excessive rests with the data controller. "

Since it is not apparent from the comments on section 19 of the Law Enforcement Act that a derogation from Article 12 (4) of the Directive is envisaged, the Data Inspectorate assumes that a directive-compliant interpretation of the provision must be taken. It is on this basis that the Data Inspectorate finds that section 19 of the Law Enforcement Act applies both in situations of repeated requests and situations of excessive requests in the same way as Article 12 (4) of the Directive.
3.3.3.

The Data Protection Authority's guidance on data protection in employment (2018) [3] shows the following example, which was drawn up on the basis of the Danish Data Protection Agency's decision in a specific case:

“A retired employee asks his former employer for insight into the information that the employer has registered about him.

After gaining insight, the employee complains that no insights have been given to letters he has signed and notes and emails, etc., which he has prepared or sent in connection with his assignment.

Since the purpose of the right of access is to create transparency about the processing of personal data, so that the data subject is given the opportunity to check the legality of the processing and the accuracy of the processed personal data, information on letters, notes and emails, etc. if not prepared or sent in the work context, information not covered by the right of access, and it is therefore justified that the former employer did not provide such information. "

The example concerns information that must be considered personal information about the employee (information that in a given situation the employee has signed a letter, sent an email, etc.), but the information basically only describes a function that the person concerned has performed in the workplace. The information, on the other hand, does not in itself say anything about the employee and is also not registered for the purpose of processing information about the person concerned.
3.3.4.

The decision that formed the basis for the example was taken on the basis of the previous legal basis, but it is the opinion of the Danish Data Protection Agency that in the case referred to - at least in the case of a large amount of information - a refusal of access could be given under section 19 of the Law Enforcement Act (corresponding to Article 12 (5) of the Data Protection Regulation), or on the grounds that the request for access is "excessive". In addition, it must be added that, although this is personal information about the employee (information that in a given situation the employee has signed a letter, sent an email, etc.), it is first and foremost a function that is described, which the person has performed in the workplace.
However, at the same time, the Data Inspectorate considers that there may be cases where information registered about an employee not only describes a function that the person has performed or merely establishes the person's presence, but where the registration also goes further and contains information "about" the person concerned, e.g. a description of a course of action that expresses a personal choice made by that person or a reaction on his part.
3.3.5.

The Data Inspectorate must note that the Authority is not aware of the detailed content of the reports, etc., which the Prison and Probation Service has not been able to identify in the specific case and therefore has not been able to give the complainant insight into. Thus, the Data Inspectorate is not aware whether this only includes information that the complainant has been present, or whether the documents may also contain more detailed information or descriptions of actions that the complainant has performed or been exposed to.

However, the Data Inspectorate assumes that more detailed information about the complainant or descriptions of actions that the person has performed or has been exposed to can be found in the specific reports on the use of force, security cell placement, etc., of which the complainant has already been notified, and that any information that appears in the free-text fields to a greater extent only describes a function that the complainant has performed in the workplace. In the case of information that could also be used in connection with e.g. consideration of disciplinary reactions or other measures in relation to the employee, the Data Inspectorate must thus assume that the information is (also) registered in another context, e.g. in the employee's personnel case.

3.3.6.

A data controller who has recorded a large amount of information about the person seeking insight may ask the person to clarify his request in order to facilitate the processing of the case and shorten the processing time in favor of the data subject. A data controller, on the other hand, cannot reject a request for insight if the data subject does not wish to specify his request. In that case, all information processed about the data subject must be provided.

However, if the data subject is a by-person, the data controller may, in cases where it is not possible to search on anyone but the protagonists, be entitled to request the by-person to provide the necessary information for the data controller to find any processing of information about the by-person. The same will apply if an identification of the by-person is not possible without a complete review of a significant amount of recorded information.
3.6.7.

It is evident from the available information that the Prison and Probation Service in the present case - in connection with the Danish Data Protection Agency's handling of the case - has made considerable efforts to obtain information on the complainant, although the complainant has not been able to provide details of the events or inmates in relation to which the complainant believes he is registered.

The Prison and Probation Service has reportedly given the complainant insight into the reports that were sought on July 19, 2019. However, the Prison and Probation Service did not give the complainant insight into the reports' free-text fields in the client system, which according to the information will require a search of 8-10 million documents, which at present cannot be technically supported in the client system.
On the basis of the information provided, the Danish Data Protection Agency assumes that it cannot be excluded that information on the complainant is processed in the above free-text fields of which the complainant has not been made aware.

As the Data Inspectorate assumes that the free-text fields mainly describe only a function that the person has performed in the workplace and not actions that express the complainant's personal choices and reactions, or actions that the complainant has been exposed to, it is the Danish Data Protection Authority's assessment that the complainant's request for further insight into any remaining information in free-text fields may be rejected with reference to section 19 of the Law Enforcement Act.

In this assessment, the Data Inspectorate has therefore paid special attention to the nature of information about the complainant in the client system's free-text fields. The Authority has also emphasized that the Prison and Probation Service has already made significant efforts to find information on the complainant and that the Prison and Probation Service must be presumed to have to use not insignificant resources to find any additional information about the complainant. Finally, the Authority has emphasized that the complainant has not been able to provide the Prison and Probation Service with further information about the events or inmates in relation to which the complainant believes he is registered.

However, the Data Inspectorate must urge the Prison and Probation Service to assess whether there is a basis for drawing up guidelines to limit or avoid the registration of personal data in non-searchable free-text fields in the client system.
4. Concluding remarks

Finally, the Data Inspectorate refers to the Authority's guidance on the rights of data subjects [4], which states that a public authority must be aware of the interaction between the data protection regulation (and law enforcement) rules on access and the rules of the Public Administration Act and the public law on party access and self-access respectively. As a starting point, the data subject must be given insight and / or access to documents according to the rules that are most favorable to the data subject in the specific case.

To this end, the Data Inspectorate must note that the Authority can only assess whether insight has been provided in accordance with the Law Enforcement Act. Thus, the Data Inspectorate cannot assess which rules give the data subject the most favorable result in a specific case, since this is in the opinion of the Authority a matter of administrative law.