Public bodies often run public consultations on proposals for policy changes – but is it appropriate to publish a list of individual respondents’ names by default? And how does the Right to Object apply to processing based on the public task basis? I discuss this in this case study of my data protection complaint to the Sentencing Council, which constructively took action to resolve my concerns. Photo ID demands and unnecessary cookies also make an appearance – again.
The Sentencing Council for England and Wales is an independent body that publishes sentencing guidelines for criminal courts to follow. As part of its work, the Sentencing Council (the “SC” from now on) regularly consults on adjusting the sentencing guidelines. Having participated in a number of such consultations, I was surprised to later discover that my name had been published in a list of respondents for the consultations. This allowed search engines and other online trackers to pick up that I had responded to the consultations. I wasn’t happy with this – people should be able to respond to public consultations without having their personal data published on a public web page. As such, I intended to object to my data being published pursuant to Article 21(1) of the UK GDPR.
Upon reviewing the SC’s privacy notice to find out how to do so, however, I noted that it demanded a copy of photo ID and a utility bill before it would comply with a Subject Access Request. Because no separate information was provided about the Right to Object, I assumed this policy also applied to the Right to Object. As I had no intention of providing a copy of my photo ID and utility bill to have my data removed from a public webpage, the time had arrived to draft another full data protection complaint.
Publishing individual consultation respondents’ names by default
Upon reviewing the SC’s privacy notice, I had not been able to identify which lawful basis it relied on for publishing individual consultation respondents’ names on its website. I did note that, in the SC’s consultation documents, it was stated: “We will treat all responses as public documents in accordance with the Freedom of Information Act and we may attribute comments and include a list of all respondents’ names in any final report we publish.” However, respondents’ names and other personal data are covered by the exemption in Section 40(2) of the FOI Act. Section 40 places some strict conditions on the disclosure of personal data under the FOI Act. Public bodies must take into account, among other things, whether disclosing personal data would infringe the data protection principles (e.g. lawfulness, fairness, transparency) and whether the data subject to whom it relates has exercised their right to object to the personal data being disclosed. So, the SC would still need to identify a lawful basis under which personal data about consultation respondents could be disclosed.
As I had not consented to my name being published and no legitimate interest appeared to have been identified in the SC’s privacy notice, the most likely lawful basis upon which the SC might have relied was ‘public task’ (Article 6(1)(e) of the UK GDPR). However, I do not consider that the ‘public task’ lawful basis is applicable to publishing the names of individual respondents. Section 120 of the Coroners and Justice Act 2009 provides that the SC must prepare sentencing guidelines and consult on the draft guidelines it prepares. It is not necessary to publish the names of all individual respondents on the internet for the SC to consult on its draft guidelines. Individuals should generally be free to respond to public consultations without having their personal data published and this is particularly important to ensure that individuals can be open and frank in their responses, key points for assessing the fairness of the data processing. Unnecessarily publishing individual consultation respondents’ names by default is also contrary to the data protection by design & default principle in my view (see Article 25 of the UK GDPR).
Therefore, if a public body wishes to publish the names of individual respondents, I consider that consent is the only appropriate lawful basis for doing so. Individuals/members of the public would not generally expect to have their full name published on the internet after responding to a government-related consultation. If a public body wishes to publish the individual respondents’ names, individuals should be given a clear, opt-in choice as to whether they wish to be included in the list. Indeed, this is the approach that the ICO itself has taken for its own consultations. Other public bodies do not publish the names of individual respondents at all.
Right to Object for public task processing & photo ID
The Right to Object under Article 21(1) of the UK GDPR applies to processing based on the public task basis. As such, in my complaint, I objected to my data being published on the SC’s website. I also specifically objected to my data being included in any disclosure under the FOI Act, pursuant to Section 40(3A) of the FOI Act.
Addressing the apparent requirement for copies of photo ID and a utility bill, I made clear that I considered it vastly disproportionate to require copies of my photo ID or bills, given that the SC only processed my name and email address. However, as the ‘sent from’ field in an email can easily be spoofed, I suggested that the SC reply to my complaint email and that I would reply back, quoting the SC’s email, so as to proportionately satisfy the SC that I was indeed the person in control of my email address. For a more in-depth look at photo ID demands in response to data subject requests, see my post here.
Unnecessary Cookies
Upon visiting the SC’s website, I had noted that unnecessary Google and Twitter analytics/tracking cookies had been immediately placed on my device. There was a ‘cookie banner’ at the bottom of the page stating the following: “This website uses cookies to improve your experience. We’ll assume you’re ok with this, but you can opt-out if you wish. [Accept] [Read more]”. However, there was no way to refuse unnecessary cookies and they had been placed anyway before the banner even appeared. Regulation 6 of PECR requires consent before unnecessary cookies can be placed on a device and any processing that takes place based on personal data contained in or derived using such cookies is unlikely to have a valid lawful basis under the UK GDPR. I also included this in my data protection complaint to the SC. For a more in-depth look at the rules around cookies, see my post here.
The cause of the Twitter cookies was Twitter’s very unhelpful Publish embed feature. Any website that uses Twitter’s copy-and-paste embed feed code is unlikely to comply with PECR and the UK GDPR in my view, as the embed allows Twitter to track visitors to the parent website and can place unnecessary tracking cookies through that website.
Data Protection Complaints
Under Article 5(2) of the UK GDPR, data controllers shall be responsible for, and be able to demonstrate compliance with, the data protection principles (‘accountability’). The ICO considers that the ‘accountability’ principle includes a requirement for data controllers to respond to data protection complaints made to them. Indeed, the ICO goes so far as to suggest it cannot deal with complaints until a data subject has made a data protection complaint and chased up directly with the data controller. This is a position that is not underpinned by the current legislation, as Section 165 of the Data Protection Act 2018 includes no such obligation on a data subject. However, I do agree that it is generally good practice to raise a matter with the controller first.
Furthermore, the statutory position may soon change with the introduction of the Data Protection and Digital Information (No. 2) Bill, which includes provisions allowing the ICO to refuse complaints where the data subject has not raised them with a data controller first. In positive news, the Bill also includes a requirement for data controllers to operate an effective data protection complaints process, with the ICO able to impose fines where controllers do not have an effective complaints process in place.
This will hopefully ensure data controllers will take data protection complaints more seriously than is currently the norm. Many data controllers simply don’t respond to data protection complaints at all or provide late, unhelpful responses that simply link to their non-compliant privacy notice.
The Sentencing Council’s exemplary response
The Sentencing Council responded the day after my data protection complaint email, confirming receipt and immediately taking action to comply with my objection. The SC also indicated it would consider my wider data protection complaint and follow up with me separately. Excellent so far – this is exactly what is meant by the ‘without undue delay’ provision in the UK GDPR for responding to data subject requests. Where individual parts of the request can be actioned immediately, they should be, with other, more complex matters that require more time dealt with separately.
Two weeks later, the SC sent an update stating it had changed its cookie notice and implemented a proper cookie consent mechanism. I was happy to see this mechanism contained a ‘reject all’ button (a requirement if an ‘accept all’ button is present for the consent to be valid). However, there were some remaining issues surrounding the Twitter embed cookies which were not covered by the new consent mechanism. After I pointed this out, the SC replaced the default Twitter embed feed with an alternative embed feed that does not set Twitter cookies. The effect of this is that visitors to the SC’s website no longer automatically have their data sent to Twitter for their commercial purposes.
The SC also revised its privacy notice to remove the blanket requirement for copies of photo ID and utility bills to be provided when making a data subject request.
Finally, the SC indicated it is planning to give individual consultation respondents a choice as to whether they would like their name to be published. It sounds like the SC is therefore changing its lawful basis for such processing to consent – fantastic. Of course, for consent to be valid, it must be as easy to withdraw/reject consent as it is to give. This means that respondents should be able to change their mind and easily withdraw their consent later if they wish to do so.
Overall, the SC engaged constructively to resolve the matters I raised in my data protection complaint and did so in a timely manner. Because of this, I did not consider it necessary to escalate my complaint any further.
It is worth highlighting case studies like this, even (or perhaps particularly) where the data controller takes appropriate action to resolve matters. This sets a clear example to data controllers that can’t be bothered, particularly ahead of the new controller complaints procedure provisions in the Data Protection and Digital Information (No. 2) Bill. If a data controller is non-compliant and receives a complaint about this, it shouldn’t bury its head in the sand or pretend everything is fine. Where non-compliance is clear, data controllers should take responsibility for this and engage constructively with complainants to resolve matters promptly. By taking ownership of compliance issues and demonstrating that they actually care about data protection and privacy beyond putting a meaningless slogan on a non-compliant cookie banner, data controllers are likely to avoid complaints to supervisory authorities and indeed litigation by disgruntled data subjects.