Supplementary evidence submitted by Elizabeth Denham, Information Commissioner
I was grateful to be given the opportunity to appear before your inquiry on Fake News on Tuesday. During my session I promised to follow up in writing with further information on three points raised by your Committee.
Information Notices
During my evidence session you asked me whether there were any gaps in my current powers. I said that my current investigation into the use of data analytics by political campaigns had shone a light on a gap in my information notice powers. As I explained, an information notice is a formal demand for information. If an organisation chooses not to comply they can be prosecuted under the current Data Protection Act (or issued with a Civil Monetary Penalty under the Data Protection Bill currently before Parliament) but they are not compelled to disclose the information requested.
As I told the Committee, whilst many organisations have freely cooperated with my investigation, I have found it necessary to issue a number of information notices in order to elicit the information I require to carry out an effective investigation. Without the power to compel it is difficult to secure the desired outcome.
As I made clear to the Committee, I have had constructive discussions with the Minister for Digital about remedying this gap and I am hopeful that a resolution can be reached.
Further background on this issue can be found in my latest Parliamentary Briefing on the Data Protection Bill to accompany second reading in the Commons:
Enforcement Action in relation to ‘Blagging’
I also said that I would send the Committee details of our recent prosecutions for ‘blagging’ offences (attached[1]). The most significant of these is from January this year, where loss adjustors Woodgate Clark Ltd, one of the company’s directors, a senior member of staff and two private investigators were successfully prosecuted for breaches of s55 of the Data Protection Act. This is the first prosecution resulting from a major ongoing investigation called ‘Operation Spruce’ into alleged data protection offences committed by corporate clients suspected of using the services of rogue private investigators. I have also included details of the £400K fine we issued to TalkTalk in September 2016 – our largest fine to date under the Data Protection Act – to give you a flavour of the breadth of our enforcement action.
The Right to Erasure (Also known as The ‘Right to be Forgotten’)
During my evidence session I referred to the ICO’s guidance on The Right to Erasure under the GDPR and said I would send the Committee a link to our existing guidance on this issue:
The guidance forms part of our wider ‘Guide to the GDPR’ which has had over 3 million hits since its publication earlier this year.
The Committee might also be interested in our guidance for the public on the Right to be Forgotten and search engines:
https://ico.org.uk/for-the-public/online/internet-search-results/.
I appreciate that I was somewhat constrained in what I could say publicly about my live investigation into the use of data analytics in political campaigns given that it is now at a crucial stage. However, I appreciate that this is of great interest to the Committee and I would be happy to discuss further in a closed session if that would be helpful. In addition, I would of course be very happy to appear before the Committee again to discuss my findings once my report is published in the spring.
Elizabeth Denham
Information Commissioner
March 2018
[1] http://www.parliament.uk/documents/commons-committees/culture-media-and-sport/ICO-appendix-DPA-blagging-PI-enforcement-info.xlsx