DATA-PROTECTION Archives
data-protection@JISCMAIL.AC.UK
DATA-PROTECTION January 2020
Subject: Sleeping Beauty
From: Stephen Williams <[log in to unmask]>
Reply-To: Stephen Williams <[log in to unmask]>
Date: Sun, 12 Jan 2020 20:16:17 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (79 lines)

By email to [log in to unmask] 10 December 2018

Dear Elizabeth Denham

I am writing further to complaint reference RFA0819618 for two reasons:

a)	To set out the reasons why your letter of response of 28 May 2019 was wrong in law and contrary to your own Guidance and that of the Data Protection Board.
b)	To provide you with further background information on the data protection issues that are relevant to my complaint and your risk assessment of the data protection practices of London & Country Mortgages Limited.

As there is a strong public interest in effective enforcement action by the Information Commissioner I have copied part a) of this letter to other parties that have an interest in upholding GDPR.

a)	The ICO response to the complaint that London & Country have breached Articles 38 & 39 GDPR

Your response to my complaint was that “the letter references the decision to terminate your employment relating to performance and expectations. As this evidence appears to address concerns outside of the scope of article 38 and 39 the ICO cannot investigate this.”  I imagine what this is meant to mean is that the ICO cannot investigate matters that fall outside the scope of data protection legislation and based solely on what London & Country allege in their letter of termination, that appears to be the case here.

But the GDPR makes clear this is the wrong starting point.  Article 38 provides three safeguards to make sure that a data protection officer (DPO) is able to act in an independent manner as described in Recital 97:

- no instructions by the controllers or the processors regarding the exercise of the DPO’s tasks
- no dismissal or penalty by the controller for the performance of the DPO’s tasks
- no conflict of interest with possible other tasks and duties

It follows that the correct question to ask is whether the matters complained of, namely the employer’s expectations and concerns about performance, relate to any extent to the tasks of the DPO.  The safeguards mean that the DPO cannot be assessed or performance managed in relation to those tasks and that the DPO cannot be put in a position where he/she is required to weigh or balance those tasks and duties with other non-data protection considerations.   These safeguards are of course subject to the common law test of reasonableness.  They do not license a DPO to act unreasonably. 
 
The Data Protection Board’s Guidelines on Data Protection Officers (16/ENWP 243 rev.01) clarify that the safeguards rule out all forms of detriment and include both direct and indirect penalties.

“Penalties … could consist, for example, of absence or delay of promotion; prevention from career advancement; denial from benefits that other employees receive. It is not necessary that these penalties be actually carried out, a mere threat is sufficient as long as they are used to penalise the DPO on grounds related to his/her DPO activities.”

Penalties are only prohibited under the GDPR if they are imposed as a result of the DPO carrying out the DPO’s tasks as set out in the GDPR, but the Guidelines helpfully illustrate the limited types of issues that will fall outside of these protections: “(for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct).”

There was nothing in the evidence supplied to you with my complaint to suggest that any of the matters complained of fell outside the statutory protections provided to the DPO.  In fact, that evidence revealed that all four of the issues identified by the Company were about the DPO’s data protection advice.  Two related to separate Privacy Impact Assessments (PIAs).  The Guidelines are very clear that a DPO may not be penalised for the advice he or she provides in relation to a PIA.  

Your response letter states that your assessment has been made on the balance of probabilities.  However, the termination letter itself is self-evidently in breach of the prohibitions where it states:

“It is clear from those conversations that we have different expectations of what a DPO should deliver.”
“As discussed with you last Friday and today your view of your role and the deliverables is different to that required by the Company.”
“Further to our conversation today there remains a considerable gap in expectations of both you and the business which we do not believe can be addressed …”

Advice on the position and tasks of the DPO as set out in Articles 38 and 39 GDPR and related provisions is covered by the safeguards at Article 38(3).  Any penalty imposed in consequence of that difference of view is therefore a clear breach of GDPR. 

In your response to me you advised that 

“you would like the ICO and FCA to liaise and decide if the decision to terminate your employment has been dealt with appropriately. As I have outlined above we consider this to be a business decision and you should seek the advice of legal counsel or ACAS.”

This is not the position taken by the Data Protection Board at page 16 of their Guidelines. Here they recognise that whilst GDPR does not specify how or when a DPO can be dismissed or replaced by another person, they note that the more stable a DPO’s contract is, and the more guarantees exist against unfair dismissal, the more likely they will be able to act in an independent manner.  This suggests firstly that any deficiencies in how a DPO is dismissed signal a potential breach and should be a cause for concern and secondly, that these matters are well within the supervisory authority’s remit to promote good practice and awareness by data controllers of their legal obligations.  The ICO’s Regulatory Action Policy states that you will work with other organisations such as the FCA to deliver your remit.

In summary, the conclusion that the ICO was unable to investigate my complaint was wrong in law.  The Information Commissioner has given the following assurance in the Foreword to her Regulatory Action Policy:

“I always try to select the most suitable regulatory tool by assessing the nature and seriousness of a failure, the sensitivity of the subject matter, whether and how individuals have been affected, the novelty and duration of the concerns, the public interest, and whether other regulatory authorities are already taking action on the matter.”

The prima facie evidence of breaches creates a legitimate expectation that the ICO would initiate an investigation in accordance with Article 57(1)(f) and (h) GDPR.  Such an investigation is necessary to establish the facts and circumstances and determine what regulatory action is necessary and appropriate in accordance with the ICO’s statutory duty to enforce the Regulation.

Your letter states that “the fact that you are no longer in post adds additional difficulty to assessing whether the data controller is complying with their data protection obligations.”  Whilst this is true, the timeliness and scale of any investigation should be proportionate to the interests at stake and guaranteeing that individuals’ information rights are properly protected[1].   The very fact that a data controller has dismissed a DPO without notice should itself indicate that serious investigation is warranted.

So, applying the Commissioner’s tests potentially how serious is a breach of Article 38(3)?   The first point to make is that all data subjects are adversely affected by a breach of Article 38(3), not just the DPO.  A breach of Article 38(3) is a systemic breach.  This is because a DPO is part of the system or framework for protecting subject rights.  Whether required or designated voluntarily, an important purpose of a DPO is to provide assurance to the data subjects affected that the data controller has an unbiased and independent source of expert advice, knowledge and skills to help it meet its data protection obligations.  In these circumstances data subjects have a right to an independent DPO to the same extent that they are granted rights under Chapter 3 GDPR.  The legislation also provides the DPO with a right to consult with the supervisory authority on any relevant matter.  The ICO should be particularly concerned that it was the intention to refer this matter to the ICO that appears to have triggered the dismissal.

Although the Commissioner has a discretion whether to take enforcement action in any particular case, that discretion must be exercised reasonably and in pursuit of the objectives set out in the Regulatory Action Policy and consistent with its duty to enforce the Regulations in ways that are effective, proportionate and act as a deterrent.  There is no discretion to choose which parts of the Regulation to enforce.  The matters which require investigation will, if shown to be true, mean that as well as affecting all data subjects the breach of Article 38(3) was also intentional, wilful, neglectful and continuing.   The Regulatory Action Policy indicates that breaches of this nature can expect stronger regulatory action.

Far from acting as a deterrent, failure to take any action whatsoever in response to the complaint will have the opposite effect.  The news that a data controller was able to dismiss a DPO on the basis that it did not agree with his/her advice will embolden wrongdoing.  Knowledge that the ICO refused to investigate the breach will undermine the confidence of other DPOs that the ICO will take effective action to support their independence.  Without that reassurance the safeguards are likely to have little practical effect.  Legal action by DPOs or others where they have the means are no substitute for effective enforcement action and lack the same deterrent effect.  Refusal to enforce the safeguards provided to DPOs will seriously undermine an important element of GDPR.  There is a clear public interest in the independence and autonomy of DPOs being upheld.

This complaint is concerned with the breach of the safeguards that apply to DPOs, but the underlying data protection issues will be relevant to any investigation insofar as they shed light on the aggravating and mitigating factors that the ICO cites in its Regulatory Action Policy.    The information set out in Part 2 of this letter indicates that some of the background data protection issues are also potentially very serious breaches of GDPR.

Yours sincerely

Stephen Williams

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
