Compliance with Data Protection by ACS:Law

The request was successful.

Dear Information Commissioner’s Office,

In accordance with the Freedom of Information Act 2000 I am formally requesting that you please provide any records, including but not limited to letters, notes, minutes of meetings or emails related to enquiries, complaints, action or discussion concerned with Data Protection compliance (or otherwise) by ACS:Law (Law Society ID: 513065) made by, or sent to or from the Information Commissioner's Office.

This is expressly to include, but not limited to, any records related to information exchanged between the Information Commissioner's Office and:

(a) members of Parliament;
(b) the Solicitors Regulation Authority;
(c) ACS:Law;
(d) any other relevant parties (for example companies processing data ‘on behalf’ of ACS:Law)

Additionally please supply any internal communications circulated within the ICO regarding this matter and the current progress of the investigations.

I accept that some redaction of personal details may be necessary to comply with data protection legislation.

Finally, please provide any documentation setting out internal guidelines or procedures related to standard practice within the ICO when acting in respect of complaints received regarding companies which have failed to correctly register or otherwise comply with Data Protection legislation.

Yours faithfully,

Kevin Howard

Information Commissioner's Office

Link: [1]File-List

27 May 2010

Case Reference Number IRQ0314689

Dear Mr Howard

Thank you for your e-mail of 26 May 2010 in which you have asked us to
provide you with information relating to ACS Law.

Your request has been passed to the Internal Compliance Team, and is being
dealt with in accordance with the Freedom of Information Act 2000 under
the reference number shown above.  We will therefore respond to your
request by 24 June 2010 which (allowing for the May bank holiday) is 20
working days from the day after we received your request.

If you wish to add further information to your case please reply to this
email, being careful not to amend the information in the ‘subject’
field. This will ensure that the information is added directly to your
case. However, please be aware that this is an automated process; the
information will not be read by a member of our staff until your case is
allocated to a request handler.

Yours sincerely

Helen Ward

Internal Compliance Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. file:///tmp/radCE5D4_files/filelist.xml

Dear Information Commissioner’s Office,

Re. Case Reference Number IRQ0314689

I note that 19 working days have now elapsed on my request for information. As you have requested no clarification, nor cited any exemptions I look forward to receiving this information in full by the close of business tomorrow (24 June 2010).

Many thanks.

Yours faithfully,

Kevin Howard

Internal Compliance Team,

5 Attachments

24 June 2010

Case Reference Number IRQ0314689

Dear Mr Howard

Further to our acknowledgement of 27 May 2010 we are now in a position to
provide a response to your request.

As previously stated we are treating your request as a request under the
Freedom of Information Act 2000.

Your request read:

"In accordance with the Freedom of Information Act 2000 I am
formally requesting that you please provide any records, including
but not limited to letters, notes, minutes of meetings or emails
related to enquiries, complaints, action or discussion concerned
with Data Protection compliance (or otherwise) by ACS:Law (Law
Society ID: 513065) made by, or sent to or from the Information
Commissioner's Office.

This is expressly to include, but not limited to, any records
related to information exchanged between the Information
Commissioner's Office and:

(a) members of Parliament;
(b) the Solicitors Regulation Authority;
(c) ACS:Law;
(d) any other relevant parties (for example companies processing
data 'on behalf' of ACS:Law)

Additionally please supply any internal communications circulated
within the ICO regarding this matter and the current progress of
the investigations.

I accept that some redaction of personal details may be necessary
to comply with data protection legislation.

Finally, please provide any documentation setting out internal
guidelines or procedures related to standard practice within the
ICO when acting in respect of complaints received regarding
companies which have failed to correctly register or otherwise
comply with Data Protection legislation."

We have 54 recorded complaints and enquiries on our case management system
relating to ACS Law which are now all closed. Please note there are 2
other cases; both of which were closed as duplicates. Please also be aware
that casework figures and outcomes are fluid and may change where further
information is provided or new complaints are made.

We have exempted the documentation provided to us by complainants in the
course of making their complaint under section 40 of the Freedom of
Information Act 2000. We consider that when individuals make complaints to
the ICO they do not anticipate or expect the details of their complaints,
to be disclosed to anyone else. Therefore, we consider that such a
disclosure would be unfair and in breach of the first Data Protection
principle which states that - "Personal data shall be processed fairly and
lawfully".

As a result we are not in a position to provide you with all of the
information you have requested. However we can inform you that the
complaints focused on whether ACS Law were notified with the ICO and
regarding the fact they had obtained personal details from Internet
Service Providers via a court order. A couple of the complaints also
raised Principle 7 issues (security).

However, we have provided you with copies of the letters sent by the ICO
to the complainants in response to the matters they raised. You will see
that we have redacted the names and addresses of complainants and any
details specific to an individual complaint, for example which ISP
provided the details to ACS Law. Again, we consider this information to be
exempt under section 40 FOIA for the reasons set out above. *Please see
note at end of email regarding this attachment.

Some of the letters mention another data controller apart from ACS Law;
this information falls outside the scope of your request and so has been
redacted. We have also redacted information that is outside the scope of
your request on the third page of complaint RFA0251405.

You will see that much of the content of our letters is repetitious but it
does set out the ICO position.

There is no correspondence recorded on the cases between the ICO and ACS
Law.

I have also included a copy of the ICO line to take devised by our policy
department which is largely the same as the content of many of the
letters. Please see attached.

Further, as requested, please also see attached copies of internal emails
relating to this matter. You will see that an email, name and contact
details have been redacted. Again, this information has been redacted as
it is exempt under section 40 FOIA, we do not consider that it would be in
the reasonable expectation of the author for this email to be released
into the public domain and therefore would constitute a breach of the
first principle of the Data Protection Act 1998. The email was from a
member of the public setting out their complaint. Please see attached.

Another data controller is also mentioned in these emails and information
relating to them has also been redacted as it falls outside the scope of
your request.

The following is a paragraph from an internal email which falls within the
scope of your request:

"Around 30-40 about [redacted] and ACS Law (most people mention both) I've
got 17 in my own queue that I haven't done yet which are from the last
couple of months. I've asked one of my officers to deal with the rest of
the straightforward/standard ones this week so if there is anything new
that means we shouldn't send what we already have I'd be grateful if you'd
let me know!

Katherine

Katherine Vander

Casework Manager

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 01625 545843

Email: [1][email address]

www.ico.gov.uk"

The redaction here is because another data controller is mentioned and
this information falls outside of the scope of your request.

You have also requested copies of internal guidelines/procedures. Please
see the relevant extracts from our Casework and Advice Procedures manual.
This manual is available to all staff and I have included the section of
the procedure about making a notification check. I have also included the
section setting out the procedure regarding Requests for Assessment
(RFAs). Please see attached.

Section 42 of the DPA allows an individual to make a request for
assessment in order to reach a `compliance likely' or `compliance
unlikely' decision in respect of whether or not a data controller is
complying with the Data Protection legislation.

Please be aware that these procedures are subject to change.

This is a link to the ICO [2]data protection strategy which can be found
on our website. It may also be of interest.

In relation to the specific records you have set out at points (a) - (d)
of your request; we do not hold any of this information and are therefore
unable to consider it for release under the FOI regime.

I hope this information is of use to you; however if you are dissatisfied
with the response you have received and wish to request a review of our
decision or make a complaint about how your request has been handled you
should write to the Internal Compliance Team at the address below or
e-mail [3][email address]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to the Case Reception Team, at the address below or visit the `Complaints'
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.

*I am unable to send the attachment containing copies of ICO letters with
this email due to the constraints of our system so I will send it in a
separate email.

A copy of our review procedure is attached.

Yours sincerely

Helen Ward

Lead Internal Compliance Officer

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. blocked::mailto:[email address]
mailto:[email address]
2. http://www.ico.gov.uk/upload/documents/l...
3. mailto:[email address]

Internal Compliance Team,

1 Attachment

  • Attachment

    R ACS Law complaints.zip

    7.8M Download

24 June 2010

Case Reference Number IRQ0314689

Dear Mr Howard

Further to my previous email please see the attachment containing ICO
letters regarding ACS Law.

Yours sincerely

Helen Ward

Lead Internal Compliance Officer

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

Dear Helen Ward,

Thank you for your comprehensive and thorough reply.

The redaction of the name of the other 'data controller' mentioned is quite acceptable. In any case it is public knowledge that the law firm Davenport Lyons preceded ACS:Law's activity in this particular field of copyright exploitation. The work of Tilly Bailey & Irvine seems not to have been brought to the ICO’s attention - at least not in the same correspondence as the two other firms.

I found it interesting that "there is no correspondence recorded on the cases between the ICO and ACS:Law". I would have expected that, given the scale of complaints received, the serious nature of these and the ease with which some of the facts cited could have been established, some enquiries might have been made of the law firms in question.

It is apparent from the response sent by the ICO that it will not act against ACS:Law unless very clear evidence is provided of:

** ACS:Law’s non-compliance with principle 7 of the DPA.

Despite ACS:Law stating in writing to individuals in contact with the ICO that they have used a third party to process data, the Office’s response has been that “it is not clear… that ACSL are using a data processor to process personal data on their behalf or that they do not have a contract in place governing this relationship in the event that they were.”

** ACS:Law’s non-compliance with part 16(3)(b) of the DPA 1988, in that they had not correctly registered using the address of their principal place of business.

The ICO’s response was that “the address of 18 Hanover Square is the address given on the website and, without evidence to suggest that this is not the principle place of business, we would be unable to pursue this further with them.” I hope that information may make its way to the ICO making clear that ACS:Law’s use of the facilities at 18 Hanover Square does not constitute it being the firm’s principle place of business.

** Regarding non-registration as a data controller prior to 14 May 2009

The ICO’s position on IP addresses is that, in the context of these cases, they are deemed personal data. Internal documentation states:

“It is … clear that the IP address is personal data. The Data Protection Act 1998 (DPA98) and the Privacy and Electronic Communications Regulations 2003 (PECR) are engaged at the point the rights holder makes (or even intends to make if they have a reasonable and likely chance of success) the link even where they harvest ‘suspect’ IP addresses using the services of third party.”

Clear evidence exists that ACS:Law were processing personal data (including in the form of IP addresses) prior to their registration with the ICO on 14 May 2009 (reg no. Z1760545) and that the ICO has been made aware of this breach of the Data Protection Act 1998. Despite this, at the present time, the absence of communication between the ICO and ACS:Law makes clear that no action has yet been taken to address this unlawful behaviour. The ICO has replied to several complainants that, “in light of the fact that they are now notified we would be unlikely to pursue this issue further with them.”

I am happy to see that such action is only _unlikely_.

I am certain that the valuable information you have kindly supplied will be of considerable public interest and it may be that the ICO will receive further communications from members of the public regarding the various breaches of the DPA which have been raised by the complainants in the letters you supplied.

I hope that the ICO will be spurred on to act appropriately against the firm and individuals responsible for these unlawful activities and I am sure that the public will endeavour to supply it with the evidence it requires to launch an action against the firm in this regard.

I would like to thank you once more for the efforts you have clearly expended in gathering this information – but if I could please make one final request. This should correctly be considered a part of my original request.

In the document comprising the internal ICO emails there is one dated 7 September 2009 from Katherine Vander to Traci Shirley and Jill Walker enquiring regarding the ‘principal place of business’ of ACS:Law. I would be grateful if you would please provide the rest of this email string – as no response is apparent from either of the recipients. It is evident from the responses to complainants that some advice was sent in response to the email.

I fully appreciate that it is quite possible that these particular few emails may have been overlooked in which is clearly a high volume of complex correspondence. As this does form part of my original request and hopefully only involves a fairly simple retrieval I would be grateful if this additional information could please be provided in the next day or two.

With very best wishes and - again - thanks.

Yours sincerely,

Kevin Howard

Information Commissioner's Office

Link: [1]File-List

29 June 2010

Case Reference Number IRQ0314689

Dear Mr Howard

Thank you for your further email concerning clarification of the
information provided in response to your request.

Unfortunately, we are unable to provide a copy of the email you have
requested as we do not hold it and so are unable to consider it for
release under the freedom of information regime.

I contacted the three relevant individuals who each confirmed they do not
hold a copy of a response and that any response may have been given
verbally.

I understand this may not be the response you were hoping for but I hope
you it is clear why we can not provide the information you have requested.

Yours sincerely

Helen Ward

Lead Internal Compliance Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. file:///tmp/rad50176_files/filelist.xml

Dear Helen Ward,

That's fair enough. Thank you for this additional response in any case.

Kind regards,

Kevin Howard