How far can we rely on Information Commissioner’s Office (ICO) Guidance?
I recently commented on the issue of schools internally publicising the performance of pupils. But what about publishing to the world? The concerns expressed below may be more serious than those I referred to last time as they directly involve the guidance issued by the Information Commissioner’s Office (“ICO”).
It’s nearly exam season and the ICO was mindful last year (14th August) to publicise via its Twitter account guidance updated as recently as February 2014 on publishing results:
“#DPA does not stop exam results being published in local paper, but objections must be considered ico.org.uk/for_the_public…”
The guidance which can be found from the above link, is quite clear in its conclusion:
“The DPA does not stop the publishing of examination results by schools, e.g. in the local press. But schools have to act fairly when publishing results and must take seriously any concerns raised.”
As is apparent ICO takes the view that the issue is essentially one of fairness and the rest of the guidance deals with this issue, as well as dealing with objections, in some detail. In effect the guidance is that providing schools make every effort to tell parents and pupils that they intend to publish, and there is no valid objection, the school will not be in breach of the Data Protection Act by so publishing.
Since an individual’s results are clearly personal data, this is in accordance with the first data protection principle that “Personal data shall be processed fairly and lawfully…” For many this may seem quite in accord with common sense. I can (just) recall a time when I was taking school exams and it was quite routine for my local paper to publish the individual O’ and A’ Level Results for all pupils and schools in the city where I lived. No-one batted an eyelid in those more innocent days.
But hang on a moment. Principle 1 also requires that “… at least one of the conditions in Schedule 2 is met.” The ICO guidance makes no mention of this at all. It only deals with fairness. A quick consideration of the available conditions shows that only conditions 1 or 6 could possibly be available.
1. The data subject has given his consent to the processing.
6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
It is not obvious which condition ICO thinks applies in this case although it is likely that he is adopting condition 6 as the guidance does say that, “In general, schools do not need peoples’ consent to publish examination results”.
If he considers condition 1 applies he is falling into the fundamental error of confusing the giving of adequate privacy / fair processing notice with consent. But condition 1 surely does not apply here. Consent, as the ICO Guide to Data Protection tells us is “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. The guide goes on to warn that there must be some active communication of consent and this means that a school, however much notice it has given, cannot lawfully infer consent from a failure to respond or object.
If he considers condition 6 applies, it is strongly arguable that publishing fails to meet this condition on a number of grounds.
Where is the legitimate interest in the school publishing identifiable pupil information, as opposed to the alternative of publishing anonymous school performance results? Closely related one can ask, “Where is the necessity?” Case law clearly establishes that when considering “necessity” one must consider Article 8 Human Rights and that in doing so “necessity” requires that there be a pressing social need to infringe the individual’s basic right to privacy. One can accept that there may be a pressing social need to have clear information about the overall performance of a school but that clearly does not extend to the individual’s data. In concentrating on fairness ICO appears to totally ignore the other requirements of condition 6.
Also in November 2012 ICO published an Anonymisation Code of Practice. This makes the succinct point: “However, where the use of personal data is not necessary, then the objective should generally be to use anonymised data instead.” The Guidance on exam results does not seem to accord with his own principle expressed here.
This may seem a complex analysis for processing which does not, it is conceded, seem particularly unfair. But there are two important points to note.
Firstly it is precisely these areas of the interface between fairness, anonymisation and consent which in practice cause the most difficulty for data protection officers and advisers. Whilst there is an element of risk management involved, such issues need to be solved by a rigorous analysis and application of the law. To omit or ignore such analysis when the opposite conclusion feels right is a recipe for potential disaster. In the present case it may not cause much damage. On another occasion and in different circumstances the same approach may leave a data controller open to enforcement, damages and fines.
Secondly, a hard pressed data controller needs to be able to rely on sound guidance from the ICO as regulator. If guidance is as incomplete in its analysis as this appears to be then a struggling data controller has a right to be a little aggrieved.