March 03, 2013

University of Leicester defies Information Commissioner (and gets away with it)

The University of Leicester has refused to implement a decision issued by the Information Commissioner's Office (ICO) recommending that the University should provide me with my personal data held in manual files, which the ICO has found to constitute a relevant filing system containing a single category of information, namely, employment matters pertaining to me. 

The data includes job application material such as references, and documentation related to grievances lodged by me and the associated legal proceedings against the University and others.  (On my legal proceedings, see on this website:  'About the University of Leicester', 21 January 2010;  'Legal and other costs - the University of Leicester and others', 17 April 2010;  'Professor Bob Burgess (Vice-Chancellor, University of Leicester) and the honours system', 23 January 2011.)

The ICO's recommendation was issued after investigation of a complaint received from me in 2012, the ICO concluding that the University was likely to have breached the Data Protection Act in withholding the personal data when I presented a subject access request.  The ICO also asked the University to take steps to prevent the situation from happening again.

The University responded by requesting a review of the ICO's decision, arguing that the information was unstructured personal data related to personnel matters and as such was exempt from disclosure by virtue of section 33A of the Data Protection Act.  Having informed the ICO that since it did not agree with the ICO's assessment it did not intend to disclose the information to me, the University subsequently promised that it would 'clearly implement any final decision fully'.  But when the final decision, upholding the earlier decision, was delivered, the University reneged on that promise, informing me by letter that it would not supply the data.

The ICO's hands are not tied in such a situation:  it could serve an enforcement notice on the data controller requiring it to disclose the information to the data subject.  (Failure to comply with an enforcement notice is a criminal offence.)  But the ICO has chosen not to do this, also not responding to certain of my representations about its position in this regard or to questions about the content of a telephone conversation between it and the University just before the University sent me the letter mentioned above advising that it would not disclose the data.  (How can the ICO promote openness if it struggles to apply the concept to its own operations?)

In addition, the ICO has not adequately addressed other problems such as apparent unlawful disclosure by the University of my sensitive personal data.

The strength of the ICO's commitment to promoting the relevant standards has been questioned by Members of Parliament and others in various contexts.  Matters raised by MPs have included concerns relating to the ICO's investigation into blacklisting in the construction industry.

Glynis M. Truter


Anonymous said...

The University's failure to supply the information in light of the ICO's decisions can be powerful evidence in a civil/tribunal claim against the University.

Anonymous said...

I am surprised that U of Leicester could deny an ICO decision. As far as I know, in this respect ICO can impose strong punitive measures if wished so.

I have seen the University of Ulster and UKBA took enormous time in disclosing personal information in respect to my case. These will be revealed in a new blog:

Anonymous said...

Most certainly, you should consider issuing a civil claim against the University. I strongly urge you to consult with a good solicitor, armed with a copy of the ICOs decisions. You may find a solicitor more receptive after seeing such decisions, even if the ICO is being toothless in its enforcement duties. Another route could be a Judicial Review of the ICOs failure to act following its decisions against the University.