steve,
@steve@mastodon.nexusuk.org

Another day, another email from the ICO to tell me that they have closed my complaint about an organisation not responding to my Subject Access Request because they too couldn't contact anyone there... I mean, what's the point of the ICO?

NAB,
@NAB@mastodon.me.uk

@steve Oooh. That's worth noting for if we are ever contacted by the ICO - we'll just ignore them and they'll go away.

steve,
@steve@mastodon.nexusuk.org

@NAB This is pretty standard for the ICO. If they get no response to their emails you can prompt them to try again, but ultimately they hide behind "we don't pursue complaints for individuals, we'll keep this on file but this complaint is now closed." If you make a complaint about the ICO's handling of the case they just say that it was handled correctly. So, unless you've done something really bad, if the ICO contact you the best course of action seems to be to ignore them and they will go away.

steve,
@steve@mastodon.nexusuk.org

@NAB They also make a habit of making nonsensical rulings which appear to have no basis in law and then saying "if you disagree with us, you can take the other party to court". The problem with this, of course, is the ICO's opinion carries a lot of weight and it's pretty hard to argue in court that they are wrong. (I'm actually in court this week arguing exactly that point - the ICO are claiming my email address is not personal data, which seems to be totally at odds with GDPR!)

NAB,
@NAB@mastodon.me.uk

@steve Cross fingers that goes OK for you - let me know what happens.
I've heard other people say before that they take the law, throw it away and then apply whatever they think the law should be instead. Not good.

steve,
@steve@mastodon.nexusuk.org

@NAB The problem with going to (small claims) court over data protection things is that if the defendant argues that you can't show a financial loss, that's often where it ends. In this case the defendant has spammed me (breach of PECR) and refused to answer an SAR on grounds that they don't hold any personal data. ICO has supported this because my email address doesn't contain my name and they therefore say not personal data. But GDPR says it is personal data if a natural person can be
1/

steve,
@steve@mastodon.nexusuk.org

@NAB identified from the "online identifier". If you Google for my email address you get exactly 1 hit, which clearly identifies me by name. So I argue that my email is clearly personal data since I can be identified by it. ICO argue that it would only be personal data if the defendant is actually identifying me with it.
2/

steve,
@steve@mastodon.nexusuk.org

@NAB The argument that data only needs protection if you are using it to identify individuals seems nonsense to me - were you not to protect that data and leak it to another party, you have no control over how they use it. So failing to protect it is surely a threat to the data subject.
3/3
