Data Protection Officer + conflict of interest
Dear Information Commissioner's Office,
"On 28 April 2020, the Belgian Data Protection Authority (“DPA”), fined a Belgian company 50,000 EUR for breach of article 38 (6) of the GDPR. The DPA’s Litigation Chamber found that the DPO was not in a position that is sufficiently free from conflict of interest because the DPO also fulfilled the function of director of audit, risk and compliance."
https://edpo.com/news/dpo-and-conflict-o...
1. If you have investigated any public authority because of suspected conflict of interest with the role of the DPO, please provide the number of authorities investigated.
2. If you have fined any public authority because its DPO was not sufficiently free from conflict of interest, please provide the number of authorities fined and the size of the fines.
3. If you have created any information to assist public authorities protect against a conflict of interest with the role of DPO, please provide.
Yours faithfully,
J Roberts
Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.
If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:
[1]https://ico.org.uk/about-the-ico/our-inf...
If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.
If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.
If you have requested advice - we aim to respond within 14 days.
If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.
Copied correspondence - we do not respond to correspondence that has been
copied to us.
For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.
For information about what we do with personal data see our [2]privacy
notice.
If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.
Yours sincerely
The Information Commissioner’s Office
Our newsletter
Details of how to sign up for our monthly e-newsletter can be found
[3]here.
Find us on Twitter [4]here.
References
Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews
10 November 2020
Case Reference: IC-59229-Y8B6
Dear J
Please see the attached response to your recent information request.
Yours sincerely,
Jessica Lalor
Senior Information Access Officer
Information Commissioner's Office
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6497 [1]ico.org.uk [2]twitter.com/iconews
Please consider the environment before printing this email.
For information about what we do with personal data see our privacy notice
at [3]www.ico.org.uk/privacy-notice.
References
Visible links
1. https://ico.org.uk/
2. https://twitter.com/iconews
3. https://www.ico.org.uk/privacy-notice
Jonathan Baines left an annotation:
This is a bizarre refusal by ICO, which suggests that a DPO conflict of interest is potentially a criminal offence. It's not, and I've written about this here: https://informationrightsandwrongs.com/2...
For the original requester's info, please note the points in that blog to the effect that no fines have been issued for conflicts of interest, and that the ICO's guidance on the subject is readily available on their website.
Dear Information Commissioner's Office,
Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of Information Commissioner's Office's handling of my FOI request 'Data Protection Officer + conflict of interest'.
My request does not relate to any individual or public authority in particular, yet your response is framed in such a way as to suggest that it does.
Jonathan Baines, the chair of NADPO, has commented on your response:
https://informationrightsandwrongs.com/2...
'However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.
Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.
One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).'
Maybe you have made a 'stray error' that can easily be rectified.
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d...
Yours faithfully,
J Roberts
J Roberts left an annotation:
Jonathan,
Thank you for your incisive critique of the ICO's response. When I first read the response I assumed it was a case of 'cut and paste' gone wrong.
16 November 2020
Our reference: IC-59229-Y8B6
Dear J Roberts,
Please find attached a re-issue of my recent response to your information
request.
Yours sincerely
Jessica Lalor
Senior Information Access Officer
Information Commissioner’s Office
0330 414 6497
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0303 123 1113 [1]ico.org.uk [2]twitter.com/iconews
Please consider the environment before printing this email
Please be aware we are often asked for copies of the correspondence we
exchange with third parties. We are subject to all of the laws we deal
with, including the data protection laws and the Freedom of Information
Act 2000. You can read about these on our website ([3]www.ico.org.uk).
Please say whether you consider any of the information you send us is
confidential. You should also say why. We will withhold information where
there is a good reason to do so.
For information about what we do with personal data see our privacy notice
at [4]www.ico.org.uk/privacy-notice
References
Visible links
1. https://ico.org.uk/
2. https://twitter.com/iconews
3. https://www.ico.org.uk/
4. https://www.ico.org.uk/privacy-notice
Jonathan Baines left an annotation:
It appears the ICO has withdrawn its bizarre assertion that a DPO conflict of interest would be a criminal matter. I still think the refusal is poor though https://informationrightsandwrongs.com/2...
16 December 2020
Case Reference: IC-59229-Y8B6
Dear J Roberts
Thank you for your request for review which we received 15 November 2020.
I apologise for the delay in responding.
I can see that my colleague Jessica Lalor provided a re-issue of her
original response owing to a typographical error. I am therefore writing
today to establish whether you still require a review on the response
provided to your request for information given this correction?
Yours sincerely,
Alexis Karlsson-Jones
Senior Information Access Officer
Information Commissioner's Office
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 313 1886 ico.org.uk twitter.com/iconews
J Roberts left an annotation:
'The Article 29 Working Party Guidelines for Data Protection Officers[6] explain that the Data Protection Officer cannot hold a position within the organisation in which he or she has to determine the purposes and means of processing personal data. This is thus an essential conflict of interest.
'The role of departmental manager is thus inconsistent with the function of DPO who must be able to perform his or her tasks independently. The cumulation of the function of data controller for each of the three departments concerned on the one hand, and the function of Data Protection Officer on the other, on the basis of the same physical person, lacks any possible independent supervision by the Data Protection Officer for each of these three departments. Moreover, the cumulation of these functions may lead to an insufficient guarantee of secrecy and confidentiality vis-à-vis staff members in accordance with Article 38.5 of the GDPR. Consequently, the Litigation Chamber is of the opinion that the infringement of Article 38.6 GDPR has been proven.'
https://edpo.com/news/dpo-and-conflict-o...