Fifteen months on from the implementation of GDPR legislation, there has been a considerable tightening of expectations around data protection activity. At the time of writing, the ICO has noted 68 cases of Data Protection Act (DPA 2018) enforcement: most notably, this includes a £184 million fine for British Airways, and a £99 million fine for Marriott International after 383 million guests had their information stolen by hackers. In the last quarter of 2018-19 alone, there have been over 600 cyber and over 2,500 non-cyber data breaches reported to the ICO. Whether we like it or not, data protection is becoming an increasingly prominent issue for organisations and employees alike.
And a recent case has highlighted another right of employees of which we should be aware, albeit a limited one. Hidden away in a dark corner of the DPA 2018 until now is the right of employees to appeal ICO decisions on their complaints if they feel the proper procedure was not followed. This subtle point was demonstrated in a recent case in which one Mr Tabidi complained to the ICO that he had not received a response to a Data Subject Access Request (DSAR) made to the Employment Tribunal: he had asked for copies of the judge and panel members’ notes. After consideration, the ICO deemed that the Tribunal need not respond to the DSAR because of an exemption in the DPA 2018 relating to information held by those acting in a judicial capacity.
The ICO communicated as much to Mr Tabidi, deciding that he was unlikely to be entitled to the requested data. However, Tabidi referred the matter to the First Tier Tribunal (Information Rights) (FTT (IR)) because, in his opinion, the ICO’s investigation into his complaint was procedurally unsuitable. We should note here that employees do not have a general right to appeal ICO decisions; they may do so only where there has been a perceived procedural failing. Likewise, the FTT (IR) has the authority to rule only on failings of the ICO’s procedure. On this occasion, the FTT (IR) determined that the ICO had in fact undertaken the appropriate steps, and so there was no basis on which to overturn its original decision.
Examples such as the one above, although unsuccessful here, serve to publicise the growing rights of employees under the new social context of data protection and the DPA 2018. The right to appeal procedural steps taken by the ICO is connected to other rights of employees, including the following:
- the right to access records held about them, including the right to correct, block or destroy inaccurate information;
- the right to ask a data controller not to process information about them if it could result in harm (although note this does not always have to be complied with);
- the right to object to automatic decisions made without human involvement; and
- the right to ask the ICO to investigate a breach.
Employers may wish to treat this recent development as a reminder of their responsibility to employees, and to ensure they are GDPR-compliant to protect against potential employee claims in the future.
If you have any queries or comments on the above article, please get in touch with firstname.lastname@example.org.
For more information on recent data protection developments one year on from GDPR and DPA 2018, alongside further updates on cases in the public eye, sign up to our 3C’s Workshop – GDPR One Year On in Edinburgh on 28th August. This half day ‘Coffee, Cake and Compliance’ session provides a refresher of data protection legislation, updates on what’s new over a year later, real life case studies and new takeaway practical resources.
If you are responsible for data protection in your organisation and are interested in coming along, contact email@example.com to book your place. Alternatively, if you would like this session run in a location closer to you, please get in touch.