In proceedings before the First-tier Tribunal, Doorstep Dispensaree Ltd ("the company") appealed an Information Notice served on it by the Information Commissioner under section 142 of the Data Protection Act 2018 ("DPA18"). This was, as the Tribunal noted, the first such appeal to reach final determination under the new regime introduced by the DPA18.
An Information Notice is a legal notice by which the ICO can require a controller or processor to provide the Commissioner with information that she reasonably requires for the purposes of carrying out her functions under the data protection legislation. In this instance, the Commissioner had requested certain information from the Appellant in connection with her investigation into its compliance with the General Data Protection Regulation ("GDPR") (an investigation prompted by a report to the Commissioner from the Medicines and Healthcare Products Regulatory Agency, about the manner in which the company was apparently processing personal data).
The company challenged the Notice (under the appeal provisions at section 162 DPA18) on the main grounds (as refined in oral submissions) that 1) it was void for breach of s. 143(6) DPA18, which provides that an Information Notice does not require a person to provide the Commissioner with information if doing so would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence, and, if it was not so void, 2) the Tribunal should amend it to remove certain questions which would have the effect of compelling self-incrimination.
The Tribunal agreed with the Commissioner's submission that section 143(6) did not constrain the Commissioner from requiring that specified information be provided – rather, it meant that the recipient could raise the issue of s. 143(6) (and the risk of self-incrimination) in response to the service of an Information Notice, and the Commissioner would then have to have regard to that response. The Tribunal held that it was
"…satisfied that the effect of s. 143 (6) DPA 2018 is to permit the recipient of an Information Notice to raise the issue of risk of self-incrimination with the Commissioner on receipt of the Notice. The Commissioner must then take those submissions into account in deciding whether to apply to a court to enforce the Information Notice or to cancel the Information Notice (possibly serving an amended Notice in its stead)"
In this instance, the Company had "provided very limited information to the Commissioner and to the Tribunal about…the scope for self-incrimination" but the Tribunal was of the view that there was clearly "an issue as to GDPR compliance which warrants further investigation". Accordingly, the information requested was reasonably required for the Commissioner’s investigation and the Notice was in accordance with the law. The appeal was, therefore dismissed.
Recipients of Information Notices (and other legal notices) served by the Commissioner should note from this case that the contents of their response to such notices may well be crucial in determining whether information can be withheld for risk of self-incrimination. More generally, they should note that the Commissioner must, and will, take their submissions into account and it is correspondingly important to draft those submissions carefully and comprehensively. Mishcon de Reya's expert data protection lawyers have expertise in and experience of drafting robust and effective responses to Information Commissioner legal notices.