Below is my response to the Information Commissioner’s Office’s flawed investigation by Elia Mennecillo, who began the investigation by stating the wrong date, later named the incorrect local council, and ignored the prejudiced, negligent handling of communication by Herefordshire Council.
I’m writing this somewhat lengthy post in the hope that it may help anybody else who faces a similar challenge regarding a council tax dispute or appeal, the mishandling of personal data, and the ICO’s disregard, bias or flawed investigation.
As a responsible organisation, Herefordshire Council should have been committed to addressing their breach and its consequences promptly and transparently, not taking weeks to do so, nor leaving it until I was forced to raise concern with the Information Commissioner’s Office (ICO) myself. I later found that Herefordshire Council repeated the mishandling, loss and destruction of personal data after claiming to have rectified the problem so that it would not happen again.
Similarly, the ICO should have conducted an adequate and impartial investigation. My confidence in the abilities and knowledge of the person investigating (Elia Mennecillo) diminished when they started their investigation by stating the incorrect local council name, and then attempted a defence with feeble and flawed reasoning, part of which was that, because I did not receive an autoreply from the council, the council had not received my email. Ms Mennecillo disregarded the fact that the mail was sent. The council later admitted, in a separate complaint, that they had received my emails.
While this incident does not involve a traditional security breach, such as a cyber security incident, it was of their making through prejudiced, careless and negligent handling of communications. Herefordshire Council should have acknowledged their obligations under the GDPR.
I firmly believe that this incident qualifies as a breach of the GDPR, and I’m confident that any jurist would conclude similarly, in part due to the prejudiced and negligent handling of communication data and personal data, for the following reasons:
Unfair Processing: The mishandling and destruction of email which included personal information, can be viewed as unfair processing under the GDPR (Article 5(1)(a)). Fairness in processing is a fundamental principle of data protection, and any action that unfairly prejudices data subjects can be considered a breach.
My emails have been purposely and prejudicially filtered by Herefordshire Council for some years. The ICO is aware of this fact.
Failure to Ensure Data Availability: The incident represents a failure on Herefordshire Council’s part to ensure the availability of personal data, which is a fundamental principle of the GDPR (Article 5(1)(d)).
Timely access to personal data is essential for data subjects to exercise their rights under the GDPR, and prejudiced handling prevented this.
Data Loss: The mishandling of the email resulted in the permanent loss of personal data.
Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
Lack of Data Protection Measures: Herefordshire Council did not have adequate measures in place to prevent the accidental loss of personal data, which is also a requirement under the GDPR (Article 32).
Herefordshire Council’s prejudice against my communication resulted in a security breach: the careless mishandling, unavailability, loss and destruction of my data, which I believe violates the GDPR principles, in particular Article 5(1)(f).
Under Article 33 of the GDPR, Herefordshire Council were obligated to notify the supervisory authority (in this case, The Information Commissioner’s Office) of this data breach due to prejudiced handling, without undue delay.
They should have also taken steps to initiate this notification process promptly and within 72 hours.
Additionally, it could be argued that the conditions of Article 34 of the GDPR were not promptly met, as no evidence whatsoever was provided to demonstrate that measures were taken to protect the data as soon as the incident occurred.
Neither organisation informed the data subject (myself) promptly, which is required when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
With regard to email and personal data being classed as spam, I present the following.
Violation of GDPR and DPA: Mishandling and Destruction of Personal Data in Mistakenly Filtered Spam Email
The General Data Protection Regulation (GDPR) and Data Protection Act (DPA) aim to safeguard individuals’ data privacy rights within the European Union (EU). Any organization processing personal data, even in the form of email communications, is obligated to adhere to strict data protection standards. Mishandling and destruction of an important email containing personal data, erroneously filtered as spam, can still constitute a violation of GDPR and DPA.
A. GDPR Article 5: Principles Relating to Processing of Personal Data
- Principle (f): Personal data shall be processed in a manner that ensures appropriate security, including protection against accidental loss, destruction, or damage.
B. DPA (UK) Schedule 1: The Data Protection Principles
- Principle 5: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
Mistakenly Filtered Spam Email
A. Erroneous Spam Classification
- The organization’s email filtering system mistakenly categorizes an important email containing personal data as spam.
- This misclassification is a technical error or oversight, and the email should not have been subjected to spam treatment.
B. Subsequent Mishandling and Destruction
- The organization’s email system, following standard protocol, automatically deletes emails classified as spam after a set duration.
- Personal data within the email is consequently destroyed without proper review or consideration of its content.
Violation of GDPR and DPA
A. Lack of Proper Security (GDPR Article 5(f))
- Mishandling of the email, even if mistakenly classified as spam, reveals a failure to ensure appropriate security measures.
- Personal data within the email is left vulnerable to accidental loss or destruction, which contravenes GDPR’s security principles.
B. Failure to Preserve Data (DPA Principle 5)
- Destruction of the email, despite its importance and without a proper review, breaches the principle that personal data should not be kept longer than necessary.
- The organization is obligated to take reasonable steps to preserve important emails containing personal data.
Consequences of Violation
A. GDPR Penalties
- GDPR allows for significant fines, up to €20 million or 4% of the organization’s global annual turnover, for data protection violations.
- Mishandling and destruction of personal data, even when mistakenly classified as spam, can result in substantial financial penalties.
B. Reputational Damage
- Violations can lead to loss of trust and reputational harm for the organization.
- Customers and stakeholders may lose confidence in the organization’s commitment to data protection.
Mishandling and destruction of an important email containing personal data, mistakenly filtered as spam by an organization, can still constitute a violation of GDPR and DPA. It is crucial for organizations to implement robust email management systems that prevent such technical errors and to adhere to data protection principles, even in cases of mistaken classification, to avoid legal consequences and protect individuals’ privacy rights.
Please note that the application of GDPR and DPA can vary based on specific circumstances and competent supervisory authorities, so consulting legal experts for tailored guidance is advisable.
I may post my ICO case emails, attachments and Herefordshire Council’s erroneous response below at a later date.