ICO - Monetary penalty to CRDNN

From GDPRhub
Revision as of 14:01, 3 March 2020 by AL (talk | contribs) (Created page with "{{DPAdecisionBOX <!--Information about the DPA--> |Jurisdiction=United Kingdom |DPA-BG-Color= |DPAlogo=logoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) <!--Informa...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO - Enforcement notice to CRDNN
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 10 GDPR
Type: Investigation
Outcome: Violation found
Started:
Decided: n/a
Published: 2. 3. 2020
Fine: 500,000 £
Parties: n/a
National Case Number/Name: Enforcement notice to CRDNN
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

On 6 February 2020, ICO adopted a decision, stating that the Northamptonshire Police acted lawfully by refusing to confirm or deny whether it held information requested by the complainant. However, ICO found that the Northamptonshire Police’s failure to specify the exemption on which it was relying constituted a breach. These conclusions were made based on the relevant provisions of the Freedom of Information Act 2000 ("FOIA"), Data Protection Act 2018 and the General Data Protection regulation ("GDPR").

English Summary

Facts

ICO examined a complaint submitted against the Northamptonshire Police regarding the way in which it handled a request for information. Namely, the complainant requested information from the Northamptonshire Police on whether it forcibly entered a property that he owns, but leases to a tenant, on suspicion that the property contained drugs. The complainant stated in the request that he could not obtain the information from the tenant itself. The Northamptonshire Police responded that it will neither confirm nor deny whether the entry took place, as sharing any information without the tenant’s consent would be contrary to the Data Protection Act 2018.

Dispute

Based on the complaint, ICO examined whether the Northamptonshire Police had the right to apply the section 40 of the FOIA ("neither confirm nor deny" provisions), which would allow it to neither confirm nor deny whether or not it held the requested information. These provisions are applied when confirming or denying would in itself disclose sensitive or potentially exempt information. In this regard, ICO considered whether the Northamptonshire Police complied with the criteria prescribed for relying on the "neither confirm nor deny" provisions, namely: (i) whether confirming or denying would constitute the disclosure of a third party’s personal data, and (ii) whether confirming or denying would contravene one of the data protection principles.

Holding

Regarding the first criteria, ICO concluded that confirming or denying whether Northamptonshire Police forced entry at a specific property would involve the disclosure of a third party’s personal data (i.e. the tenant’s). Although the request for information relates to the residential address and no individual is explicitly named, it is possible to identify the tenant as the occupant of the property. ICO therefore concluded that the information on whether Northamptonshire Police forced entry at the property is in fact information which relates to the tenant, withing the meaning of the GDPR.

As for the second criteria, ICO concluded that confirming or denying whether forced entry took place (i.e. disclosing data) constitutes data processing. Therefore, such disclosure must be done in a lawful, fair and transparent manner in accordance with Article 5(1)(a) and Article 6(1) of the GDPR. Specifically, ICO found that the processing in this case constitutes processing of "criminal offence data" within the meaning of Article 10 of the GDPR. This is because confirming or denying would disclose that that the tenant’s house either had, or had not, been raided by Northampton Police in connection with the presence of drugs in the property. Since such "criminal offence data" are sensitive data, they can only be processed (i) if there is a consent of the data subject, or (ii) if the data were made manifestly public by the data subject. None of these conditions were satisfied in the case in question (on the contrary, the tenant refused to provide the complainant with any information), which is why ICO found that there was no legal basis for the disclosure of data. Therefore, the Northampton Police had the right to rely on the "neither confirm nor deny" provisions.

Finally, although the Northampton Police had the right to rely on said provisions, ICO found that it nonetheless breached section 17(1)(b) of the FOIA by failing to specify, in its response to the complainant, the exemption on which it was relying.

Comment

Feel free to add your comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

Not applicable. Please see the English original.