Digital Privacy

The Post Office Scandal and Data Protection

The Post Office scandal, which saw hundreds of subpostmasters wrongly convicted of fraud, is one of the UK’s biggest miscarriages of justice. Thanks largely to the ITV drama, Mr Bates vs the Post Office, parliamentarians are finally taking action and passing legislation that will quash the convictions of post office workers who were prosecuted during the Horizon scandal.

ORG believes that the subpostmasters’ long campaign could have suffered further setbacks if the Data Protection and Digital Information (DPDI) Bill had been law. In November 2015, the Justice for Subpostmasters Alliance urged its members to submit Subject Access Requests to find out what information the Post Office held about them. The information that they received was instrumental in exposing that the Post Office knew about flaws in the Horizon system.

The DPDI Bill gives the State and companies more access to our data with fewer limitations. If it is passed, it will be easier for companies like the Post Office to refuse to provide people with the data they hold about them. The subpostmasters’ campaign for justice highlights how important it is that we have strong data protection rights.

An attack on the right to access our information

Under the UK GDPR, individuals have the right to access and receive a copy of their data by making a Subject Access Request (SAR). SARs give the public control over personal data, allowing them to see what is being held about them, to understand how their data is being processed and the consequences of such processing, and to verify the legitimacy of data uses. Currently, individuals do not need to justify the reason for their request, and organisations cannot charge individuals for exercising their rights unless they can prove that their request is “manifestly unfounded or excessive”.

The DPDI Bill lowers the threshold for refusing SARs, allowing organisations to refuse requests that they consider to be “vexatious”. The criteria for determining whether a request is vexatious include “the resources available to the controller” and “the extent to which the request repeats a previous request made by the data subject to the controller”. A lack of resources or organisational preparedness to deal with a request should not be used as an excuse for not fulfilling an individual’s data protection rights. Individuals may also need to repeat their requests more than once in response to similar violations of their rights, or to compare the two responses. In practice, organisations could use these grounds as a loophole to refuse a request to their advantage.

The Bill also allows organisations to inquire or make assumptions about the reasons for requests and refuse to act upon requests that “are intended to cause distress” or “are not made in good faith”. We have the right to access our data and it is not appropriate for organisations to consider the intent behind these requests.

Given how Post Office executives tried to conceal information from the subpostmasters, it is entirely plausible that they would have taken advantage of these loopholes had they been able to ask those submitting SARs about the intent of their requests.

Comparison with the Freedom of Information regime

The Government has argued that the vexatious threshold “will bring [subject access requests] in line with the Freedom of Information regime” (FOIA). However, FOI requests are broader in scope, as they enable individuals to seek access to “information held by public authorities or by persons providing services”. By contrast, data protection rights empower individuals to make requests only in relation to their personal data, making the scope of these requests inherently narrower. Again, the Post Office scandal highlights flaws within the FOI regime. While FOI requests did help to expose wrongdoing by the Post Office, there are numerous examples of requests being refused. For example, a request for six months’ correspondence between the Department for Business, Energy and Industrial Strategy (then BIS) and Paula Vennells was refused on grounds of cost even though a previous request for a longer period of correspondence had been fulfilled. In addition, several FOI requests by campaigner Alan Bates were refused or only partially answered.

As companies and organisations gather more and more information about us, we need parliamentarians to strengthen our data protection rights, not weaken them. If we can’t access our data, then it is almost impossible for us to exercise other data protection rights such as the right to erasure. While we believe the DPDI Bill should be completely scrapped, we are urging parliamentarians to adopt amendments put forward by Lord Clement-Jones that would protect our right to access information that organisations hold about us. This will help us to retain some control over our data and stem the shift in power from individuals to government and corporations that the DPDI Bill will enable. If you want to help support this call, you can email your MP using the link below, and feel free to share this blog with them.

Stop the Data Grab bill

The Data Protection and Digital Information Bill will take away controls we have over our data and hand more power to government bodies and corporations.

Email your MP