ICO - FS50897723: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=...")
 
No edit summary
 
(11 intermediate revisions by one other user not shown)
Line 52: Line 52:
}}
}}


The confirmatin or denial by the Insolvency Service that it held more information about the companies within the scope of the request, invovles the disclosure of personal data itself. That would breach data protection principles and would disclose Criminal Offence data.
On April 14, 2020, the ICO supported the decision of the Insolvency Service to withold the information it held about insolvent companies. Furthermore, it stated that the confirmation or denial by the Insolvency Serivce that it held more information about the companies within the scope of the request invovled the disclosure of personal data itself.
==English Summary==


   
===Facts===
The Insolvency Services received a request to provide all information regarding two companies it holds on record.  The complainant believed that the Director of an insolvent company had set up a second company with a prohibited name and had requested information about both companies.  


== English Summary ==
Article 216 Insolvency Act prohibits the Director of an insolvent company to use the name of that company in the 12 months leading up to the liquidation.


=== Facts ===
The Insolvency Service noted that the information it held was already public and that it could not disclose the remainder as it falls under the personal data of an individual (the Director). However, in its communication with the complainant, the Insolvency Services indirectly confirmed that it held more information, by mentioning that the legislation only prevented the directors of the insolvent company from being involved with another company using the same or similar name.
The Insolvency Services received a request to provide all information regarding two companies it holds on record.  The complainant believed that the Director of an insolvent company, had set up a second company with a prohibited name and had requested information about both companies.
Article 216 of insolvency acts prohibits the director of the insolvent company to use the name of that company in the 12 months leading up to the liquidation.  


The Insolvency Service noted that the information it held was already on public and it could not disclose the remainder as it falls under the personal data of an individual. (the Director)
However, in its communication with the complainant, the Insolvency Services indirectly confirmed that it held more information, by mentioning that the legislation only prevented the directors of the insolvent company from being involved with another company using the same or similar name.
The complainant challenged the way his request was handled by the Insolvency Service before the Information Commission Office.  
The complainant challenged the way his request was handled by the Insolvency Service before the Information Commission Office.  
 
===Dispute===
 
=== Dispute ===
The Commissioner had to determine whether the Insolvency Service dealt appropriately with the request to the extent that it covered information not already in the public domain.
The Commissioner had to determine whether the Insolvency Service dealt appropriately with the request to the extent that it covered information not already in the public domain.
- But first, the commissioner considers whether the Insolvency Service should have confirmed or denied holding further information within the scope of the request as providing the confirmation or denial, involves the disclosure of personal data itself.
- Moreover, Commissioner considers as well whether the Insolvency Service would be disclosing information relating to the criminal convictions and offences of a third party by confirming or denying that it holds further information within the scope of the request.


But first, the Commissioner considered whether the Insolvency Service should have confirmed or denied holding further information within the scope of the request as providing the confirmation or denial involves the disclosure of personal data itself.


=== Holding ===
Moreover, Commissioner considered as well whether the Insolvency Service would be disclosing information relating to the criminal convictions and offences of a third party by confirming or denying that it holds further information within the scope of the request.
After a deep review of the case, the Commissioner considered that the information, specifically the confirmation or denial about having more information on the case, in the scope of the request, would involve the disclosure of personal data itself and would therefore fall within the definition of ‘personal data’ in section 3(2) of the DPA.
===Holding===
The domestic legislation, namely section 3(2) of the DPA defines personal data as: “any information relating to an identified or identifiable living individual”. The Commissioner explains that an identifiable living individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, location data, etc. The confirmation or denial that information was held by the Insolvency Service, either way, would involve the disclosure of something about the Director – who is indirectly identifiable from the request.
The Commissioner stated that the information, '''specifically the confirmation or denial about having more information, in the scope of the request, would fall within the definition of ‘personal data’''' '''defined''' '''in''' '''section 3(2)''' '''DPA''': “''Any information relating to an identified or identifiable living individual”''. The Commissioner explains that an identifiable living individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, location data, etc. '''The confirmation or denial that information was held by the Insolvency Service, not arleady in the public, either way, would involve the disclosure of something about the Director – who is indirectly identifiable from the request.''' 
Providing a confirmation or a denial whether it holds information falling within the scope of the request, the Insolvency Service disclosed the personal data, and therefore, by doing so, it breached data protection principles.  Here, commissioner referred to the Article 5(1)(a) GDPR states that.
Moreover, the Commissioner also stated that confirmation or denial, would involve the processing of the criminal offence data in the scope of the request. Referring to the article 10 of GDPR, as well as domestic legislation, the Commissioner underlines that by indirectly confirming or denying that it had taken steps to establish whether a breach of Section 216 had occurred, the Insolvency Service processed criminal offeces data.


Providing a confirmation or a denial whether it holds information falling within the scope of the request, the Insolvency Service disclosed the personal data, and therefore, by doing so, it breached data protection principles. Here, the Commissioner referred to Article 5(1)(a) GDPR.


== Comment ==
Moreover, the Commissioner also stated that confirmation or denial, would involve the processing of the criminal offence data in the scope of the request. Referring to Article 10 GDPR, as well as domestic legislation, the Commissioner underlined that by indirectly confirming or denying the information, it confirmed that it had taken steps to establish whether a breach of Section 216 had occurred, by doing so, the Insolvency Service processed and disclosed criminal offence data.
==Comment==




== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the English original. Please refer to the English original for more details.
The decision below is a machine translation of the English original. Please refer to the English original for more details.



Latest revision as of 21:38, 21 April 2021

ICO - FS50897723
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(a) GDPR
Article 10 GDPR
216 (4) of the Insolvency Act 1986
3(2) of the DPA
Type: Complaint
Outcome: Rejected
Started:
Decided: 14.04.2020
Published:
Fine: None
Parties: The Insolvency Service
The individual/ Complainant
National Case Number/Name: FS50897723
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

On April 14, 2020, the ICO supported the decision of the Insolvency Service to withold the information it held about insolvent companies. Furthermore, it stated that the confirmation or denial by the Insolvency Serivce that it held more information about the companies within the scope of the request invovled the disclosure of personal data itself.

English Summary

Facts

The Insolvency Services received a request to provide all information regarding two companies it holds on record. The complainant believed that the Director of an insolvent company had set up a second company with a prohibited name and had requested information about both companies.

Article 216 Insolvency Act prohibits the Director of an insolvent company to use the name of that company in the 12 months leading up to the liquidation.

The Insolvency Service noted that the information it held was already public and that it could not disclose the remainder as it falls under the personal data of an individual (the Director). However, in its communication with the complainant, the Insolvency Services indirectly confirmed that it held more information, by mentioning that the legislation only prevented the directors of the insolvent company from being involved with another company using the same or similar name.

The complainant challenged the way his request was handled by the Insolvency Service before the Information Commission Office.

Dispute

The Commissioner had to determine whether the Insolvency Service dealt appropriately with the request to the extent that it covered information not already in the public domain.

But first, the Commissioner considered whether the Insolvency Service should have confirmed or denied holding further information within the scope of the request as providing the confirmation or denial involves the disclosure of personal data itself.

Moreover, Commissioner considered as well whether the Insolvency Service would be disclosing information relating to the criminal convictions and offences of a third party by confirming or denying that it holds further information within the scope of the request.

Holding

The Commissioner stated that the information, specifically the confirmation or denial about having more information, in the scope of the request, would fall within the definition of ‘personal data’ defined in section 3(2) DPA: “Any information relating to an identified or identifiable living individual”. The Commissioner explains that an identifiable living individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, location data, etc. The confirmation or denial that information was held by the Insolvency Service, not arleady in the public, either way, would involve the disclosure of something about the Director – who is indirectly identifiable from the request.

Providing a confirmation or a denial whether it holds information falling within the scope of the request, the Insolvency Service disclosed the personal data, and therefore, by doing so, it breached data protection principles. Here, the Commissioner referred to Article 5(1)(a) GDPR.

Moreover, the Commissioner also stated that confirmation or denial, would involve the processing of the criminal offence data in the scope of the request. Referring to Article 10 GDPR, as well as domestic legislation, the Commissioner underlined that by indirectly confirming or denying the information, it confirmed that it had taken steps to establish whether a breach of Section 216 had occurred, by doing so, the Insolvency Service processed and disclosed criminal offence data.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.