Have the ICO got it in for the deaf?

Table of Contents

The ignorance some organisations have towards data protection is breathtaking. Too many of them see it as nothing more than a blanket excuse to stonewall customers from accessing their own personal information.

This is where the Information Commissioner’s Office (ICO) are supposed to come in. Part of their function is to help the public overcome data protection abuses. But a large number of people who work for the ICO seem to believe it’s their job to misinform the public and come down on the side of obstructive organisations every time.

I’m referring specifically to the ICO’s livechat service where its badly trained agents hand out duff advice by the bucketload, misinforming customers, deliberately dropping calls and generally prejudicing data subjects’ rights. The livechat service caters for anyone that wishes to use it, but it is essential for the hearing impaired or those who are otherwise physically unable to use the telephone.

I complained about this defective service when I first tested it in 2021. The ICO responded with the usual platitudes and empty promises to improve. That clearly has not happened. The service is so bad, it actually threatens the public’s data protection rights, not strengthens them.

Let me show you what I mean with chat example number one. I used the pseudonym Tony with every chat as Crimebodge seemed too much of a giveaway.

Tony: Hi

Nazmah: Good Morning, how can I help you today?

Tony: I had an accident with another vehicle in a supermarket car park. The supermarket tell me I can’t have the CCTV of the incident and I have to go to my insurers and ask them to request it. Is that right?

Tony: Hello? Are you there?

Tony: Hello?

Tony: Hello?

At that moment, I was inexplicably cut-off. Something that happens a lot with questions on livechat. Especially awkward ones.

So I tried again. This time I was served by a different agent.

Robynne: Good morning Tony, how can I help?

Tony: Hi, I just tried using this chat service 10 minutes ago. I was connected to Nazmah. He responded to my greetings and then ignored my question entirely.

Boom!

Cut off again!

Now it’s starting to seem deliberate. After all, the chat agents are working from home and it’s not like anyone at the ICO is overseeing what they are doing.

Let’s try a third time…

Tony: Hi

Robynne: Goof (sic) morning Tony – sorry for the wait I’m having internet issues. How can I help?

Tony: I had an accident with another vehicle in a supermarket car park. The supermarket tell me I can’t have the CCTV of the incident and I have to go to my insurers and ask them to request it. Is that right?

Robynne: I see. Did they explain why they wont give the footage to you directly?

Tony: They said it is company policy. They have a process in place to send CCTV automatically to the police and to insurers.

Robynne: Ok – that sounds like they will provide to them if they ask for it. I imagine they are concerned that the footage has more than just your personal data in it and could put others at risk.

Tony: How does sending it to the insurance company instead of me minimize that risk?

Robynne: They would use the footage to process the claim and not for other purposes. The law doesn’t give direct instruction on what they should do with the footage. However, the law only entitles you to your own personal data and allows them to withhold the data of other people if they feel it is inappropriate to share it.

Tony: How would they know that the footage is inappropriate to share. If they are acting on a blanket policy then clearly they haven’t even viewed it.

Robynne: I can’t answer that for you but it sounds like a lot of people ask for footage from the car parks. If they gave to you would you just be sending it to the police or insurer?

Tony: Probably both. Why?

Robynne: Then you could tell them that and see what they say, But it sounds like they have a system set up that would be faster than responding to a request made by you. The would give them 30days to respond to you and they may well remove everything but you in the footage – you are only entitled to the footage of you not the other person/car.

Tony: Can’t they blur out the other person?

Robynne: Yes but then how would it be useful to you?

Tony: Because it would show the vehicle hitting mine.

Robynne: I would recommend that you follow their instructions and ask your insurer to get the footage. You are entitled to push it back to the supermarket and bring a complaint to us to make a decision on. However, it feels like you will achieve your end aim quicker by following their system where they hand over the footage to the place it needs to go.

Tony: Oh dear.

The advice that Robynne gives is typical of livechat agents inasmuch as it is completely wrong. Car insurers do not have exclusive access to third party data in lieu of the data subject. Not that it matters because the livechat agent leaps to the defence of the organisation and makes presumptions they are not entitled to make. CCTV is not the preserve of insurance companies and law enforcement – as so much of the general public erroneously believe – and the ICO agents are negligently furthering that myth.

Anyone would think Robynne has a stake in the hypothetical insurance company I refer to, by jumping to their defence:

“it sounds like they have a system set up that would be faster than responding to a request made by you.”

What does that have to do with fulfilling the requestors’ subject access rights? It’s not speed that’s the issue. It’s the organisation’s refusal to hand over the CCTV that’s the problem.

“I would recommend that you follow their instructions and ask your insurer to get the footage.”

This statement sums up the ICO’s overall attitude toward data protection. When in doubt, side with the organisation. Robynne is suggesting here that an organisation can dictate the terms of subject access, and I am somehow obligated to go along with it. But it is the GDPR and the Data Protection Act 2018 that dictates the terms of subject access. And it is the ICO’s function to ensure organisations comply with the law, not provide them with excuses to get out of it.

A few days later, I tried again. This time I’ve changed my name to Harry just in case I get the same agents as before. The question remains the same, but the responses I get are even more idiotic than the last:

Jan: Hello, how can I help?

Harry: Somebody hit my car in a supermarket car park. I’m fairly certain it could have been captured on the shop’s CCTV. I asked them to confirm it and send me a copy but they say I must ask my insurer to make the request as this is the standard process. Is this right?

Jan: You’re asking for someone else’s information. By default, they wouldn’t have to give it to you.

Harry: By default? Are there no exceptions to that rule then? I wasn’t asking for someone else’s information. I was asking for mine.

Jan: You want to know who hit your car, or I misunderstood?

Harry: Yes, I want to know whose car hit my car.

Jan: If they’re willing to give you that information through your insurance company, why not try?

Harry: Because I want to make the request myself.

Jan: In that case, you know the answer alredy.
Jan: Sorry, already.

Harry: No I don’t know the answer already. Why am I not entitled to it?

Jan: Why would you be entitled to someone else’s information under data protection legislation? If you want only your own data, explain that to the supermarket. But don’t be surprised you won’t get anything else.

Harry: Wow! You’re not much help.

Jan: That is a very unjust statement. If you go to a dentist and ask for a tire change, and they refuse, and you say, you’re not much help, is that fair of you?
If you want this information, please use the advice provided above.

Harry: I don’t recall asking you for a ‘tire’ (sic) change. I asked you for advice regarding a subject access request. Perhaps you are in the wrong job.

Jan: You asked for information of others, that goes outside of subject access. I have explained that to you. You don’t have to like the guidance.

Harry: Wow! Just wow!

Jan: I understand that I have exhausted your questions. Thank you for using our livechat. Have a nice day.

Again, the livechat agents’ default position is to defend the organisation and make assumptions on their behalf.

“You asked for information of others, that goes outside of subject access. I have explained that to you. You don’t have to like the guidance.”

It’s clear from my opening question that I have asked for my information, not for someone else’s. It’s true that in some disclosure cases, the information can contain mixed data. Some belonging to the data requestor, some belonging to other subjects. In those situations, the data controller – in this case the hypothetical supermarket – is required to balance the requestors’ rights to receive the data, against other subjects’ right to privacy. But there should always be a strong presumption in favour of disclosure. The livechat agents seem to favour non-disclosure by default.

In any event, the data controller has the option to redact other people’s information. In the case of CCTV video, public authorities and big business can blur the faces of other data subjects. This shouldn’t even be necessary in this instance, as there is no expectation of privacy in a public place. A supermarket car park is considered a public place by law. A car licence plate cannot be considered sensitive personal information as it is in public view and it cannot be readily used to ascertain a driver’s identity. In the example given, there is no reason that the information shouldn’t be disclosed.

But why should any of this matter? The ICO aren’t the data controllers, so why are they speaking on the supermarket’s behalf? They haven’t even seen the footage. And if they haven’t seen it, then how can they make an assessment as to whether or not the footage is being rightly denied? They are also refusing to take into account that data controllers are obligated to consider requests on a case by case basis. And the ICO is obliged to consider complaints in the same way. By automatically favouring a random business in favour of the customer, the livechat agents are providing a blanket exemption to CCTV requests. Something I’m sure corporations will happily leap on if it means never having to fulfil pesky subject access requests again.

If all that wasn’t bad enough, I hit the motherload of stupid with the next agent. Once again, a change of identity, as I become Mike. Who is deaf by the way.

Daniel: Good afternoon how can I help?

Mike: Somebody hit my car in a supermarket car park. I’m fairly certain it could have been captured on the shop’s CCTV. I asked them to confirm it and send me a copy but they say I must ask my insurer to make the request as this is the standard process. Is this right?

Daniel: Yes it would be, under data protection legislation individuals are entitled to copies of their own personal data but not the personal data of other individuals. This means that you would not be able to request the footage under data protection legislation.However if your insurer contacts them for the footage as part of a claim they would be able to provide this.

Mike: But wouldn’t the insurer see the same personal data as me? How is it that a bloke that works at the office of an insurance company can look at it but I can’t?

Daniel: Yes but they would be entitled to it because the information is necessary as part of a claim, so the supermarket would be able to rely on a lawful basis for providing the information.

Mike: Would I not be enitled to it for the same reasons, because the information is necessary for a claim. I might want to take him to a small claims court rather than my insurer. The CCTV I’m requesting does contain my personal data after all.

Daniel: Well if that is your wish you should explain that to them. If they thought you were making a subject access request, which is how I would interpret your request, then you would not be entitled to it.
It may contain your personal data in the form of your registration number, but it would also contain the other individuals

Mike: Is there no exception to this rule then? If the information contains other people’s personal information then they can flatly reject my request?

Daniel: Under data protection legislation individuals are only entitled to their own personal data under a subject access request.

Mike: Are you absolutely sure there is no exceptions to this rule. As I’m deaf I have to rely upon this Livechat service as I can’t phone the ICO and speak to them.

Daniel: Under a subject access request there is no exception.

Daniel: If you made a subject access request to the supermarket, you would most probably receive redacted footage, so the information of the third party would be blurred out

Daniel: which would not necessarily help in the situation.

Mike: You said I wasn’t entitled to the request and now you are saying I am. Which is it?

Daniel: I said you are not entitled to someone else’s personal data

Mike: Im not asking for someone else’s personal data. I’m asking for MY personal data.

Daniel: So what is the personal data you want? footage of your car parked in the lot? or you exiting it? or footage of someone else hitting your car?

Mike: We don’t have ‘lots’ in England. We have car parks. I want the footage of my car parked in the car park and to find out the other car that hit it.

Daniel: If the camera does not view your registration plate there would be no personal data of yours to obtain because there would be nothing to identify you. footage of someone else hitting your car would also include their personal data so what I have said above would apply.
My advice, which is what I am here to provide, is that you contact your insurer and ask them to obtain the footage.

Mike: I don’t know what the footage contains because I haven’t seen it. They haven’t seen it either. They are telling me that they will only view and submit it when my insurer makes a request.

Daniel: My advice remains the same for the reasons I have given.

Mike: Are you sure you are correct? I’m deaf you see, so I can’t telephone the ICO. I have to rely on this Livechat service to be accurate.

Daniel: How would you like me to convince you?

Daniel: I am absolutely positive I am correct as it is my job to know what data protection law states, however if you doubt that, I do not know how I could convince you otherwise.

Mike: That’s a very bold assertion Daniel. Let’s hope you are willing to stand by that.

Daniel: I am

Mike: Well, give a week or so. I’m sure you’ll think differently.

Daniel: I’m sure I will not.

Daniel: Is there anything further I can help you with?

Mike: I don’t recall you helping me at all. But you can give me the name of your boss so I can make a complaint.

Daniel: Well I recall providing you with the advice on the law you had requested, I am sorry it was not the answer you wanted, but I have advised you on how you can proceed.

Mike: Are you a lawyer then?

Daniel: Of course, you can make a formal complaint to us using the following link https://ico.org.uk/make-a-complaint/complaints-and-compliments-about-us/complain-about-us/
I am not a lawyer, but I am trained in data protection law, if you want to speak to a lawyer you have the right to do so.

Daniel: As we appear to have exhausted this conversation I will now be closing the chat. Have a nice day.

The ignorance of these livechat agents is matched only by their arrogance. Daniel is not a data protection officer. He is a poorly trained intermediary. It’s clear that his training is so superficial as to be useless. He should not be reasserting the misinformation he gives as the final word. At the very least, he should have suggested that I further my complaint to the ICO. Something that not a single one of these agents bothered to do.

There are only two conclusions I can draw from all this. Either liveagents have been told to avoid referring complaints to the ICO, or they are worried that if they do refer complainants, there is a danger that somebody higher up will see the appalling answers they have been dishing out. 

The reason this matters is because it demonstrates that the ICO are giving corporations and public authorities an unlawful advantage over the way personal data is handled. If all of the agents are so quick to side with businesses in this way, it makes you wonder just who the ICO are really serving. It sure as hell isn’t the public. The question I put to these agents was relatively simple. I shudder to think what answers they have been giving to more complicated questions. They know that everyone who uses the service will assume the liveagents know what they are talking about. They’re endorsed by the ICO for christ-sakes, and if you can’t have confidence in them, then who can you trust to help uphold your data protection rights? As Daniel says himself:

I am absolutely positive I am correct as it is my job to know what data protection law states

The conclusion to all this is simple: The ICO’s livechat service is unfit for service. It is so bad it places customers in an even worse place than if they had never bothered to use it all. Don’t go near it!

I have forwarded this article by way of complaint to the ICO. I will update you with their response if I get one.

LATEST ARTICLES