Privacy Law

Home Office Data Subject Access Request: Part One

Clicky Steve, , , , , , , , , 1 Comment

Data Subject Access Requests (under Article 10 of the Data Protection Act 1998) are powerful tools that allowed people to request a copy of any information held on them by organisations (with some exceptions). In order to provide a response, a fee of up to £10 could be charged.

With the new GDPR era, these fees are no longer going to apply, and the access requests will now be covered by Section 94 of the Data Protection Act 2018 (which is set for Royal Assent today). As a result, I suspect we will be seeing far more of these requests… and given how underprepared most organisations have proven to be with the DPA 98’s mechanisms, it will be interesting to see how they cope.

I decided to investigate the process myself with none other than the UKVI. Formerly known as the UKBA. The visas and immigration people. I’m pretty sure they must have some interesting information on me, especially given that my spouse is a foreign national.

Handily, they have a page where you can submit your request for information on gov.uk. The process is, as you would expect, fairly convoluted. There are three categories of information you can request: Basic, Specific, or Detailed. For the ‘Detailed’ request, they are still asking for the £10 fee. However, in order to verify your identity, they require a host of information, including:

  • Your passport number.
  • A copy of your passport.
  • Written confirmation that your passport is a ‘true likeness’ of you.

Interestingly, they ask for a lot more information, including your parents’ date of birth, etc. This is noted as being ‘optional’, but still presents itself in such a way that it seems like it might be required. Let’s repeat after me: Data Subject Access Requests should not be an excuse to mine more data. I chose not to provide any more details than was necessary.

Back to what was required: Data controllers have an obligation to take ‘reasonable measures’ to verify the identity of a person making a request, and so some of this is fair enough. However, the passport number alone should be sufficient, since the UKVI hold all of the information anyway. A copy of the passport seems unnecessary, and the written confirmation of the likeness just seems bonkers – especially since the list of people who can give this certification is prohibitively small:

 

  • a legal representative, registered with the Office for the Immigration Services Commissioner (OISC)
  • a solicitor, barrister or chartered legal executive
  • a commissioner for oaths
  • a registered charity

Now, I am not one to suggest that the UKVI may well be trying to make it as difficult as possible for somebody to make a subject access request, but it certainly seems like this is not in the spirit of the GDPR, or the DPA 2018. The list above is even more restrictive than the categories of people who can countersign photos to get a passport in the first place. To illustrate the point, here are the professions of folks who can counter-sign your initial passport application:

Examples of recognised professions include:

  • accountant
  • airline pilot
  • articled clerk of a limited company
  • assurance agent of recognised company
  • bank/building society official
  • barrister
  • chairman/director of limited company
  • chiropodist
  • commissioner for oaths
  • councillor, eg local or county
  • civil servant (permanent)
  • dentist
  • director/manager/personnel officer of a VAT-registered company
  • engineer – with professional qualifications
  • financial services intermediary, eg a stockbroker or insurance broker
  • fire service official
  • funeral director
  • insurance agent (full time) of a recognised company
  • journalist
  • Justice of the Peace
  • legal secretary – fellow or associate member of the Institute of Legal Secretaries and PAs
  • licensee of public house
  • local government officer
  • manager/personnel officer of a limited company
  • member, associate or fellow of a professional body
  • Member of Parliament
  • Merchant Navy officer
  • minister of a recognised religion – including Christian Science
  • nurse – RGN or RMN
  • officer of the armed services
  • optician
  • paralegal – certified paralegal, qualified paralegal or associate member of the Institute of Paralegals
  • person with honours, eg an OBE or MBE
  • pharmacist
  • photographer – professional
  • police officer
  • Post Office official
  • president/secretary of a recognised organisation
  • Salvation Army officer
  • social worker
  • solicitor
  • surveyor
  • teacher, lecturer
  • trade union officer
  • travel agent – qualified
  • valuer or auctioneer – fellows and associate members of the incorporated society
  • Warrant Officers and Chief Petty Officers

This means that the requirements for verifying ‘likeness’ are higher to get information held on you by the UKVI, than they are to get a passport in the first place.

For my subject access request, I have been told I have 15 days to submit the relevant documentation, including the above:

UKVI Requirements

Despite making the application online, I also apparently can’t submit the evidence online – so I’m not sure what the point of offering such a service is in the first place.

In my opinion, the requirements are not ‘reasonable’, and providing my passport number alone should be enough. As a result, I will not be submitting statements from a solicitor or charity at this point to support my request. I am going to operate on the assumption that the online system is not properly equipped to deal with subject access requests properly, and that the evidential standard is being confused with actual visa applications. I have contacted the UKVI directly with these concerns. Here’s what I said:

Reference: [redacted]

Hi,

I have just submitted a Data Subject Access Request under s.10 of the DPA 98 and s.94 of the DPA 2018 (which just received Royal Assent). This should further be considered in light of Article 15 of the GDPR.

As part of the evidential requirements listed on your site, I must provide:

1. A copy of my passport.
2. A ‘written confirmation of true likeness’ from a third party.
3. A letter of permission.

Firstly, I want to point out that there is no way to provide these documents online, despite the initial application being made online. I therefore request that you agree to receive items 1 and 3 electronically, rather than by post.

Secondly, I object to the requirement to provide a written confirmation of true likeness. As you will be aware, data controllers are required to undertake ‘reasonable measures’ to verify the identity of the person making the Data Subject Access Request. I submit that by providing a copy of my passport, and the passport number, that this more than satisfies the legal requirement.

Further, I submit that since the list of those who are considered appropriate to provide this written confirmation is less extensive than those who can act as a counter-signatory for a passport application in the first place, that this requirement is demonstrably disproportionate, and as such not required to respond to my request.

To summarise, please advise that:

1. You will accept items 1 and 2 from the above electronically.
2. That the written confirmation of true likeness is not required to give effect to the request under the relevant law.

Yours sincerely,

We will see what happens. Should my subject access request be denied, then it would appear that the UKVI really are requiring a disproportionately high standard to verify people for their Data Subject Access Requests, and I’ll need to revisit it at that point. Stay tuned.

Issues with Article 17 (‘Right to be Forgotten’) of the GDPR

Clicky Steve, , , , , , , , , , , , , , , , , , Leave a comment

With the GDPR’s deadline now almost upon us, one of the most talked about provisions has been the ‘Right to Erasure’ contained within Article 17.

Significantly expanding the ‘Right to be Forgotten’ doctrine established in the Google Spain case, Article 17 allows data subjects (i.e. you and I) to submit takedown requests to any organisation that collects and controls information on them.

There are a number of grounds under which people may seek to have data deleted, which cover a broad variety of circumstances. These include situations where the data is no longer necessary for the reasons it was collected; where it was unlawfully processed; where the subject withdraws their consent; as well as some others. The right is not unlimited, with exceptions where the collection and processing of the data is necessary in the exercise of the right to freedom of expression; where there is a specific legal obligation to retain the information; for reasons of public interest; etc.

Issues with Article 17

Despite some initial reservations, the GDPR (and Article 17 in particular) has generally been lauded as a victory for European citizens, who will gain far more control over what information companies hold on them than they ever previously have had. This is especially true given the arguably extra-territorial applicability, where any organisation that handles European data will be expected to comply.

However, there are a few specific issues arising from the construction of Article 17 that bear some further scrutiny. Rather than analyse the philosophical criticisms of the Right to Erasure, below I briefly look at some of the practical considerations that will need to be taken by data controllers when they receive such a Request for Erasure:

  1. Verification.
  2. Abuse, and a lack of formal requirements for removal requests.
  3. Article 85: Freedom of expression.

Verification of the Data Subject

Before giving effect to an Article 17 request, the controller must use all ‘reasonable measures’ to identify the identity of the requesting party. It is perhaps obvious that an organisation should not be deleting the accounts or other data of somebody without checking first to make sure that the person making that request is authorised to do so. However, this leaves open a number of questions about what this kind of verification will look like. In other words, what steps will be considered ‘reasonable’ under the terms of the law? Will courts begin to see arguments over online platforms account recovery procedures as a result of a denial of access to the fundamental right of privacy via the GDPR? What metrics will a data subject be able/expected to provide in order to discover their associated data? i.e. while it might be easy to request information relating to your e-mail address, what about other identifiers such as IP addresses, or names? These are questions that do not have clear answers, and will inevitably lead to an uneven application of the law, dependent on the situation.

Abuse, and a Lack of Formal Procedural Requirements for Erasure Requests

It should be self-evident at this stage that any statutory removal mechanisms will be open to abuse by parties determined to have content removed from the Internet, and in that regard, Article 17 is no different. However, there is a common misconception that the Right to Erasure gives people the right to stop any mention of them online – especially speech that is critical of them, or that they disagree with. This is not the case, and Article 17 is not crafted as a dispute resolution mechanism for defamation claims (that would be the E-Commerce Directive). These facts don’t stop people from citing the GDPR incorrectly though, and it can quickly become difficult to deal with content removal demands as a result.

The problem is compounded by the fact that there are no formal procedural requirements for an Article 17 request to be valid, unlike the notice and takedown procedure of the DMCA, or even the ECD. Requests do not have to mention the GDPR, or even Right to be Erasure specifically, and perhaps even more surprisingly, the requests don’t have to be made in writing, as verbal expressions are acceptable.

While the reasons for the lack of specific notice requirements is clearly in order to give the maximum amount of protection to data subjects (the lack of requirement for writing was apparently in order to allow people to easily ask for the removal of their data from call centres over the phone), it seems to ignore the accompanying problems with such an approach. The lack of clarity for the general public around what exactly the Right to Erasure includes, along with the lack of procedural checks and balances means that it will be increasingly difficult for organisations to identify and give effect to legitimate notices. This is especially true for online platforms that already receive a high number of reports. While many of these are often nonsense or spam, they will require far greater scrutiny in order to ensure that they aren’t actually badly worded Article 17 requests that might lead to liability.

If we look at the statistics on other notice and takedown processes such as that in the DMCA (the WordPress.com transparency report, for example), we can see that the levels of incomplete or abusive notices received are high. The implementation of even basic formal requirements would provide some minimum level of quality control over the requests, and allow organisations identifiers to efficiently categorise and give effect to legitimate Article 17 requests, rather than the prospect of having to consider any kind of report received through the lens of the GDPR.

Article 85: Freedom of expression

As mentioned earlier, a controller is not obliged to remove data where its continued retention is ‘necessary for reasons of freedom of expression and information’. The obvious question then becomes under what grounds this should be interpreted, and we find some guidance in Article 85 of the GDPR. Unfortunately however, it doesn’t say all that much:

‘Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.’

This appears to leave the task of determining how the balance will be made to individual Member States. Whilst this isn’t unusual in European legislation, it means that the standard will vary depending on where the organisation is based, and or where the data subject resides. At the time of writing, it isn’t clear how different Member States will address this reconciliation. Despite freedom of expression’s status as a fundamental right in European law, it is afforded scant consideration, and thus weak protection under the GDPR, preferring to defer to national law, which simply isn’t good enough. Far stronger statements and guarantees should have been provided.

Over Compliance

Unfortunately, the amount of extra work required to analyse and deal with these requests as a result of the law’s construction – along with the high financial penalties detailed in Article 83 – mean that it is likely that many organisations will simply resort to removing data, even where there is no lawful basis for the request, or requirement for them to do so.

We may fairly confidently speculate that the response from many data controllers will be to take a conservative approach to the GDPR’s requirements, and thus be less likely to push back on any potentially dubious requests as a result. Insistent complainants may find that they are able to have speech silenced without any legitimate legal basis simply out of fear or misunderstanding on the part of third party organisations.

With a well publicised and generally misunderstood right to removal, lack of procedural requirements, and a reliance on intermediaries to protect our rights to freedom of expression, we may find ourselves with more control over our own data, but with far less control over how we impart and receive information online.

Header image by ‘portal gda‘ on Flickr. Used under CC BY NC-SA 2.0 license.