The information commissioner has powers under data protection law to require organisations that process personal data to provide it with information the commissioner “reasonably requires for the purposes of carrying out” her functions under the law, subject to restrictions contained in the legislation. The information commissioner is responsible for monitoring and enforcing compliance in the UK with the Data Protection Act (DPA) 2018 and the overarching General Data Protection Regulation (GDPR).
Last year, the information commissioner served an information notice on Doorstep Dispensaree, a pharmacy delivery service provider that operates in the south east of England, in connection with an investigation it had opened into the company’s compliance with the GDPR. The information commissioner decided to open its investigation after receiving a report from UK medicines regulator the Medicines and Healthcare Products Regulatory Agency (MHRA) last July concerning the company’s processing of personal data.
The information commissioner had initially asked for the information to be voluntarily provided by the company, but this request was refused. Its decision to follow up with a formal information notice was contested by Doorstep Dispensaree in an appeal to the first-tier information rights tribunal. It is the first time the tribunal has considered the information commissioner’s information notice powers under the DPA 2018.
Doorstep Dispensaree’s main argument before the tribunal was that there were criminal investigations ongoing into the company by the MHRA which the information commissioner knew about and that its right not to self-incriminate meant it did not have to provide the commissioner with the information she was looking for.
The tribunal held, though, that the information commissioner is entitled to issue information notices to businesses in circumstances where the companies are subject to criminal investigations by other authorities. However, it said businesses may not be obliged to provide the information the information commissioner seeks in such circumstances.
“An information notice ‘does not require’ a person to provide information which would expose them to criminal proceedings,” said judge Alison McKenna, who headed a three-personal panel deciding the case before the tribunal. “The Act does not say that the commissioner may not serve an information notice in such circumstances, or that it is invalid if she does so. It is difficult to see how parliament could have intended such an interpretation given that the commissioner would not generally be privy to the relevant information to allow her to make that prospective judgement.”
“We are satisfied that the effect of [the provisions in the DPA 2018] is to permit the recipient of an information notice to raise the issue of risk of self-incrimination with the commissioner on receipt of the notice. The commissioner must then take those submissions into account in deciding whether to apply to a court to enforce the information notice or to cancel the information notice (possibly serving an amended notice in its stead),” the judge said.
The tribunal said that while Doorstep Dispensaree had provided “very limited information to the commissioner and to the tribunal about the scope of the criminal investigation” facing it “and thus the scope for self-incrimination”, it was “clear” from information the MHRA passed to the information commissioner that there is “an issue as to GDPR compliance which warrants further investigation” and that the information the commissioner requested was “reasonably required” for its investigation.
“The role of the tribunal is to consider whether the commissioner’s notice is not in accordance with the law and/or whether she should have exercised her discretion to serve it differently,” the judge said. “The tribunal has power to substitute a fresh information notice if it allows the appeal. We are satisfied in this case that the information notice is in accordance with the law and that [Doorstep Dispensaree] has shown no basis for finding that the commissioner should have exercised her discretion differently. For these reasons, we dismiss the appeal.”
The tribunal said, though, that the information commissioner could have more clearly stated in its information notice or accompanying letter to Doorstep Dispensaree to provisions in the DPA 2018 that an information notice does not need to be complied with if providing the information sought “would, by revealing evidence of the commission of an offence expose the person to proceedings for that offence”.
The Information Commissioner’s Office (ICO) told Out-Law.com that its investigation into Doorstep Dispensaree is still ongoing.
Data protection law expert Michele Voznick of Pinsent Masons, the law firm behind Out-Law.com, said: “The ICO has stated in its regulatory action plan that it will work with other regulators, and that this includes to ‘refer relevant cases where they fall within their jurisdiction as well as our own’. The referral of Doorstep Dispensaree by the MHRA to the ICO shows that such referrals are likely to happen in both directions.”
“This should be a cautionary tale for companies and businesses, particularly those in regulated sectors; activities attracting the attention of one regulator, may be of interest to another. It also demonstrates that a single complaint can be enough to have the ICO not only ask questions about a company’s data protection practices, but insist on getting answers,” she said.