The data protection watchdog in the UK, the Information Commissioner’s Office (ICO) may issue an information notice under the Data Protection Act 2018 in circumstances where an organisation does not provide information which the ICO reasonably requires to carry out its functions.
In a recent case the ICO investigated an organisation’s compliance with the General Data Protection Regulation (GDPR) following a report from the Medicines and Healthcare Products Regulatory Agency (MHRA) to the ICO concerning the organisations personal data processing. The ICO made a request for information on a voluntary basis as part of its investigation but the organisation, Doorstep Dispensaree, a pharmacy delivery service provider, refused the request. The ICO subsequently issued a formal information notice which Doorstep appealed.
Doorstep’s main argument was that as the MHRA were doing a criminal investigation into the organisation, (which the ICO had knowledge of) they did not have to provide the information due to a risk of self-incrimination.
The Tribunal also had to decide whether the information notice was invalid if compliance with its terms involved a risk of self-incrimination. In terms of the law an information notice "does not require" a person to provide information which would expose them to criminal proceedings.
The Tribunal concluded that it did not render a notice carrying a risk of self-incrimination invalid, but simply permitted the recipient to raise the issue of that risk with the commissioner upon receipt. The commissioner must then take those submissions into account in deciding whether to apply to a court to enforce the information notice, to cancel the information notice or possibly serving an amended notice in its stead.
As a result, the information notice was in accordance with the law and there was no basis for finding that the ICO should have exercised its discretion differently.