TL:DR? there’s a difference between something bad happening that you couldn’t have anticipated and failing to risk assess what you're planning to do. That difference is often what determines whether an incident is a #GDPR breach. Now here’s a weird analogy. I love movies and unlike some cinematic snobs, that includes horror movies. Last weekend, I went to see ‘Late Night With The Devil’, a great little shocker. Even if horror’s not your thing, this has relatively little violence (rated 15), strong characters and a dynamite ending.

I didn’t know which of my two posts this should be, so it’s both.

In May, the Information Commissioner made a decision about a case where a person who had made a subject access request to the Financial Ombudsman and then followed it up with an #FOI request. The #SAR was clear: ““Please could I have a copy of any personal information the FOS holds about me? I would expect this to be any information relating to me held in case files associated with my name and email address.”

The Department for Business, Energy & Industrial Strategy recently published a privacy notice covering their intention to gather data related to gas and electricity consumption. Data gathered includes the meter number and postcode of the house, plus the level of consumption. This is, by any standard, a vast data grab, covering millions of households. Although the purpose of the scheme is the Energy Price guarantee, there are huge risks here. Energy consumption can tell you an enormous amount about how a household behaves.

Instead of a post today, I have a request for your assistance and a plug. The request for assistance is for the best, most authoritative definition of personally identifiable information (PII) - what is it, and where does it come from. I've seen a few examples over the years but none of the ones I can currently find seem like *the* definition. Maybe there isn't one, it's just an industry term with no real basis, but I don't want to make that assertion.

If this decision (first spotted by @DataCorrection) gets any traction, the myth will become that the First Tier Tribunal said that a dog’s name was personal data. To be fair, I don’t think they did that, but it’s their fault if people come to that conclusion. The dog in question bit a woman on the leg when police were breaking up an illegal rave in Bristol causing what sound like very severe injuries. The description in the original ICO decision is grisly. This post is a lot less jokey that it would have been had I not read it.

In Manchester, we have a brown bin for bottles, cans and assorted other recyclables. They collect it every other Tuesday, and fortunately, next week is brown bin week. I say fortunately, because mine is full. Friends, it’s brimming. The whole thing is loaded with 2L bottles of Frosty Jack cider and a variant of Strongbow that comes in purple cans. There’s a bunch of Stella cans, a brace of Carling, and tins of something called Hollandia that looks like a fake brand from a soap opera.

Having seen a few posts about director liability and data protection, I thought it would be worth setting out how it works and how the ICO would prosecute a director for their company’s UK #GDPR misdeeds.

Put simply, they can’t. Section 198 of the UK DPA says if “an offence under this Act has been committed by a body corporate” and it can be proved that it happened with the consent or connivance or because of the neglect of a director (or similar), they are liable to be prosecuted.

If you’re a dinosaur like me, you’ve seen certain issues come around again and again, with different people coming at them with different perspectives. When I was a boy, the use of live data for testing systems or training was generally unacceptable. There are ways to avoid it – you might take real data and anonymise it (a risk in itself but much better than letting staff loose with the live stuff), or you might create fake data from scratch (safer but more laborious).

An individual used the #FOI website What Do They Know to ask @ICOnews about complaints made about the Met Police; effectively, they wanted to know how many of the complaints were upheld. The info was disclosed, but the response also contained an interesting statement. (1/7) The ICO reply said: “Please keep in mind that there is no requirement to produce a formal decision in data protection cases such as the Decision Notices issued in FOIA ones.” whatdotheyknow.com/request/795467… (2/7)

Last week, I posted about the Niebel case, highlighting Judge Warren’s scepticism about the harm caused by spam, and I wondered what this might mean about the current fad for data compensation claims. This week, I received a concrete example. (1/8) In pursuit of unpaid school fees, a law firm employee emailed the Rolfe family, but alas, the sender got one letter wrong in the email address, resulting in the email being sent to someone else. The someone else was contacted and deleted the email. (2/8)

On Saturday, two tiny drips of water appeared on the ceiling of my front room (I believe some of you will call this the lounge or the living room). We called a plumber and he said it won't be a serious problem and would get to us after the weekend. (1/7) The very slow moving drip continued but by Sunday, it had stopped. By Monday morning, nothing was happening. Perhaps there had been an escape of water that had stopped. Perhaps someone had got out of the bath too quickly. It happens, come on. (2/7)