Respect My Data.

Enforcing respect for data, privacy & consumer rights | 2021-2024

Transport for London criticised by ICO, but can withhold graffiti damage compensation figures under FOIA

Transport for London (TfL) refused to disclose annual compensation recovery information regarding damage caused by graffiti in response to my FOI request. But TfL had already published a press release about civil proceedings for compensation against a named individual on its own website. TfL also initially appeared to confirm it held policies for recovering compensation for graffiti, but months later revised its position to Neither Confirm Nor Deny (NCND) following criticism by the ICO. In this post, I explore the route to challenging TfL’s Freedom of Information (FOI) refusals through the ICO and the First-Tier Tribunal, as well as how TfL was ultimately allowed to keep the information secret following a private, closed evidence session.

Political Parties: Conservatives & Labour improve cookie consent mechanisms

The Conservative Party adds an equivalent ‘Reject’ button after my email to their DPO. But Labour initially refused to acknowledge their non-compliance and invited me to complain to the ICO. After the ICO gets involved, the Labour Party also makes the changes I requested – and the ICO records the matter as an infringement of the law.

Cookie banner on conservatives.com in February 2024

Autoriteit Persoonsgegevens (AP / Dutch DPA) Open Day

‘Consent or pay’ is likely unlawful and must not be entertained by regulators

ICO opens call for views on “consent or pay” business models after adtech industry engagement. But allowing this legally flawed concept would have serious consequences in many areas beyond cookies “accept marketing emails or pay £4.99 per month to refuse” would be on the cards.

Dutch police kept emergency caller on hold for 23 minutes: FOI request

Response to request under the Dutch equivalent of the Freedom of Information Act (‘Wet Open Overheid’) reveals lacklustre monitoring and reporting was in place for the time it takes to connect emergency callers to a police call handler. Response also reveals over 15,000 callers hung up while waiting to be connected to a call handler between January and August 2023, with the longest waiting time for an emergency caller in 2023 being over 23 minutes.

Sentencing Council revises data practices after complaint

Public bodies often run public consultations on proposals for policy changes – but is it appropriate to publish a list of individual respondents’ names by default? And how does the Right to Object apply to processing based on the public task basis? I discuss this in this case study of my data protection complaint to the Sentencing Council, which constructively took action to resolve my concerns. Photo ID demands and unnecessary cookies also make an appearance – again.

Erasure Requests: Do Controllers Always Delete What They Should?

Under Article 17 of the GDPR, you have the right to have most of your personal data deleted. Data controllers must usually comply with your erasure request within one month. But what data can companies typically keep about you after your request – what about invoices, for example? And what can you do if they don’t comply with your request? I discuss the civil court remedies that were available to me when I found out that a company stealthily kept my sensitive personal data, even though I’d asked for it to be deleted months earlier.

Page 1 of 2

Powered by WordPress & Theme by Anders Norén