From: Paul C
Sent: 15 August 2013 13:12
Dear ICO blog,
I’ve just been reading the ICO blog post dated 9th August 2013 by Sally Anne-Poole, and how enforcement action often follows on from accidental breaches – or breaches where the data controller would have been expected to be more rigorous and security-minded.
My last employer quite deliberately sought to ban me, within a compromise agreement, from making Data Protection queries (and FoI ones) back in 2009. Although this was not accidental, was a calculated move, was enforced via a penalty clause, and was never scrutinised by a panel of sitting members, it has never been addressed by the ICO – in spite of your full knowledge. Here’s a link to the legal opinion provided by Hugh Tomlinson QC:
I’d be very grateful if you could respond and explain the inconsistency that arises here.
1. A data controller faxes a person’s financial records to the wrong number and is fined £75,000
2. A data controller aims to remove an individual’s statutory DP querying rights, which is successful for 20 months… nothing
In light of the Tomlinson opinion, which appears to make more likely the prospect of data controllers circumventing their statutory data and information obligations, and of the tendency for some data controllers to conceal their behaviour using threatening penalty clauses within compromise agreements, please let me know how the ICO is planning to respond.
Was Cheshire West and Chester Council’s behaviour, in the words of your Head of Enforcement Stephen Eckersley, “unforgiveable”?
20th August 2013
There’s been no response yet…
25th August 2013
Still no response from the ICO blog…
4th September 2013
I’ve had a “response” from the ICO. Why the inverted commas? Because they’ve treated my message to their blog as a ‘complaint’.
I’m not sure about internal ICO processes and how they operate, but this message to their blog ended up on Case Officer Caroline Thompson’s desk, who appears to have been instructed to treat it as a complaint and some sort of request for action or investigation….
It was intended hopefully for publication on the blog of Sally-Ann Poole in response to her post of 9th August 2013.
That’s how blogs work, isn’t it?
As you can read in my email, I was highlighting a stark inconsistency between the way the ICO treats data breaches (six-figure fines) and the way it treats data controllers who seek to ban and remove data subjects’ querying rights (not even a slap on the wrist).
Maybe the personage of Sally-Ann Poole is just too important and too vital to the cause to spend time building a dialogue with a member of the public that she serves…
But what a perplexing response. To assume that after extended but unsuccessful queries in the past, indeed years ago, I’m now trying to restart the whole thing in order to obtain a different outcome!
Here’s the puzzling response from Caroline Thompson… who I should add… is only obeying orders…
From: email@example.com [mailto:firstname.lastname@example.org]
Sent: 04 September 2013 13:55
Subject: ICO Response to Enquiry[Ref. ENQ0509298]
4th September 2013
Case Reference Number ENQ0509298
Dear Mr Cardin
I write with regard to your recent response to Sally-Anne Poole’s blog entry of 9th August concerning a DPA breach where financial records had been sent to the wrong fax number.
Any decision as to whether or not to pursue regulatory action against an organisation is made on a case by case basis, in line with our Data Protection Regulatory Action Policy which is available from the following link:-
As you will be aware, we have responded to you several times regarding the issue of the “gagging clause” included in the compromise agreement with your former employer, under three separate case reference numbers:- [ Copy of ICO response to previous enquiry case ENQ0304117 (16_02_11), Copy of ICO previous response under ENQ0414665 and Copy of previous response under case reference no RFA0412997 ]. I attach our responses to each of these cases for your information as they explain why we have not been able to make a formal assessment in this case.
I do not believe that there is anything further that I can add at this stage. However, if you would like to request a review of your case by a manager, I would ask you to complete and return our case review form which is available from the link:-
I hope that the above and attached are helpful in clarifying the position. Please quote the above case reference number in any future correspondence about this matter as failure to do so may result in the processing of your complaint being delayed.
First Contact Group
From: Paul C
Sent: 05 September 2013 21:54
Subject: RE: ICO Response to Enquiry[Ref. ENQ0509298]
Dear Ms Thompson,
Thank you for your email.
Forgive me but please read my email of 15th August 2013 again. It was sent [in] response to a blog post and was intended for potential publication on the ICO blog, done in order to highlight what I regard as an inconsistency, and to promote debate.
I’d be very grateful if you could confirm whether my message was passed on to Sally-Ann Poole, for whom it was intended. It was in response to her blog post after all.
In other words, this was not a complaint. My original complaint was unsuccessful in that the ICO, after extended deliberation (concluding in February 2012), failed to reach a formal decision on this case. Why would I want to wait 18 months and then attempt to change that outcome?
I’d be very grateful if you could forward my original email to the person for whom it was intended i.e. Sally-Ann Poole, and ask her to read it and consider including it in the ICO blog.
I’d appreciate your assistance with this,