As the Data Protection and Digital Information Bill (DPDIB) is a substantial piece of legislation, some of the changes within it may go unnoticed. One example is the introduction of broader investigative powers for the ICO: the power to require documents as well as information, and the power to require individuals to attend interviews.
Summary
| | Current position – Data Protection Act 2018 (DPA 2018) | Proposed amendments – Data Protection and Digital Information Bill | Impact |
|---|---|---|---|
| Information Requests | ss 142 to 145 DPA 2018: the Commissioner may require a controller or processor to provide information that is reasonably required for the purposes of the Commissioner carrying out its functions (subject to the restrictions set out in the DPA 2018). | N/A | N/A |
| Document Requests | Limited to circumstances where an assessment notice has been issued. | s34 of the DPDIB expands s142 of the DPA 2018 to allow the Commissioner to require documents as well as information. | Clarifies the ICO's power to ask for copies of primary documents. |
| Interviews | Limited to circumstances where an assessment notice has been issued. | A new s148A of the DPA 2018, which will give the Commissioner the power to require individuals to attend interviews, potentially on 24 hours' notice. | New power to interview in broader circumstances. |
Change of approach?
Under the current DPA 2018, the ICO has to clear the hurdle of issuing an assessment notice before it can require documents or interviews. The DPDIB proposes to remove this hurdle, giving the ICO the power to call for documents and require interviews in the course of any general investigation.
In practice, most ICO investigations are conducted without the ICO deploying its formal investigation powers. Most controllers and processors voluntarily provide information (meaning answers to questions) and documents. It is rare for the ICO to interview people during an investigation, as most investigations are conducted through an exchange of written questions and answers. The ICO has typically reserved the use of its formal powers for situations where a controller or processor is not cooperating.
Other UK regulators take a different approach, using their statutory powers more widely and routinely as part of their work. There is no requirement in the DPA 2018 for the ICO to show a lack of cooperation before serving an Information Notice or, in the future under the DPDIB, before requiring an interview. It is therefore unknown whether these new powers will continue to be used only in fringe cases or whether this marks a change in the ICO's approach to investigations.
Impact
The introduction and use of these new powers may create additional resourcing burdens for both organisations and the ICO. Non-compliance with an Information or Interview Notice could in itself lead to a penalty; for this reason, such notices are capable of being appealed to the Information Tribunal before they take effect. This could lead to satellite litigation about the scope and lawfulness of any notice.
Even simple requests for documents could become highly contentious. Most requests for disclosure of documents within legal processes either need to be highly specific (e.g. a known report by a named person on a specified date) or phrased in terms of conducting a reasonable search for a category of documents. The latter engages questions as to the reasonableness of the search and whether the ICO could challenge it.
An example is the best way to highlight these issues. Imagine there has been a ransomware attack and the ICO is investigating whether the controller had appropriate security measures in place. An Information Notice asking for "all documents relevant to the data breach" would cast a very wide net:
- It would certainly cover the incident response documents, but would it extend to documents held by third party forensic investigators?
- Would the organisation need to go through the emails and Teams messages of every person involved in the incident and provide all of them?
- Would it extend to security audits and penetration tests of the breached systems?
- What about internal IT service tickets and patching logs?
This rabbit hole could get very deep very quickly. We imagine that, in practice, there would need to be some negotiation with the ICO as to the scope of any wide request so as to make it proportionate, for example by agreeing the custodians, date ranges and systems to be searched. Agreeing the scope up front would also avoid any later complaint that relevant documents were not disclosed because they fell outside the agreed search.
Similarly, interviews of persons involved in data breaches could be time consuming and difficult to manage. The response to a major incident is often a team effort; pulling out one or two people for interview is unlikely to surface the full story. One can imagine the ICO initially asking the CISO or CTO to attend an interview, but then finding that it needs a wider range of people lower down the organisation. It is standard practice to instruct lawyers at the outset to oversee the incident response, which means that key information could be privileged. Lawyers would likely need to attend any interview in order to ensure that privileged material is protected.
It remains to be seen how the Commissioner will use these new powers. Making formal document requests and conducting interviews will require the Commissioner to have the capacity to review the materials provided and to prepare for interviews, so their use may be restricted to the most serious cases. However, we anticipate that when dealing with the ICO in the future there will be a greater need to consider carefully, from the outset, the documents being produced by internal compliance teams and data protection officers, as those are the teams most likely to be targeted by these new powers.
Further information
WBD's Data Privacy and Investigations team have extensive experience in providing advice on data breaches and best practices in the management of regulatory investigations.
Further information can be found on our Investigations and Data and Privacy pages.