DPOdaily, May 31
Having seen a few posts about director liability and data protection, I thought it would be worth setting out how it works and how the ICO would prosecute a director for their company’s UK #GDPR misdeeds.

Put simply, they can’t.
Section 198 of the UK DPA says if “an offence under this Act has been committed by a body corporate” and it can be proved that it happened with the consent or connivance or because of the neglect of a director (or similar), they are liable to be prosecuted.
This section doesn’t apply to any contraventions of the UK GDPR, only to *offences* set out in the UK DPA. The offences themselves are a mixed bag, ranging from obtaining personal data without the authorisation of the controller to unauthorised reidentification.
There are also offences over subject access and its portability and law enforcement cousins, where deliberate destruction or concealment of personal data is criminalised, as is enforced subject access for health or criminal data.
Separately, it’s an offence to make false statements in response to an ICO information notice, or to delete or conceal data relevant to an information notice.
A quirk of the DP offences is that they’re prosecuted by the ICO – there’s no point reporting a possible offence to the police because it’s not their role to investigate them. ICO is the equivalent of both police and CPS for the offences.
The opportunities for prosecuting directors are rare. The offences cover a narrow range of data misuses and ICO must prove two things: that a company committed the offence, and that a director either approved it or it happened because of their neglect.
ICO can’t prosecute a director because their company doesn’t provide transparency information or doesn’t answer subject access requests because these are GDPR contraventions, not criminal offences.
Possibly because of the pandemic, prosecutions have dried up. ICO also suffered an embarrassing loss in the Shepherd case in 2019 where it seemed that they had misunderstood how the DPA 1998 worked in offence cases.
The test for DPA 2018 is clear, so that shouldn’t be a barrier, but ICO hasn’t reported a successful conviction in more than two years. This is for any offence, not just ones that can be pinned on a director.
I don't know what the future holds for this part of UK DP; in the past those copying and misusing data from employers have been held to account, but nothing has happened for years. The idea that directors have much to fear seems very tenuous.
