Recovery Board  : RfM
Recovery from Mormonism (RfM) discussion forum. 
Posted by: londonuk ( )
Date: January 30, 2011 02:07PM

I am waiting for an update from the Information Commissioner's Office case worker assigned to my case. I said before that the case worker is waiting for correspondence from their internal legal department. The Church responded to the ICO's initial letter via their solicitors and they did not accept the ICO's assessment of the case. The ICO may wish to take regulatory action. This is part of their policy on taking action against an organisation with my comments added in response to some of the questions. I do not care if the Church sees this and I will push until my rights are no longer denied.

Data Protection Regulatory Action Policy 

Decision making

We will ensure that regulatory action we take is proportionate to the mischief it seeks to address. Both good regulatory practice and the efficient use of our limited resources require us to be selective. In determining whether to take action, the form of any action and how far to pursue it, we will apply the following criteria:

Is the past, current or prospective detriment for a single individual resulting from a ‘breach’ so serious that action needs to be taken?

The Church of Jesus Christ of Latter-day Saints (Great Britain) refuses to answer a subject access request despite being made aware of the ICO's assessment. The breach therefore applies to the Sixth Data Protection Principle and section 7 of the Act. As the personal data had been transferred overseas, not only does the breach relate to the Sixth Data Protection Principle but to Principle 8 of the Act as well as the 2004 data controller to data controller model clauses. While the UK Church has provided information in subject access requests directly linked to the UK Church (i.e. Church membership records for individuals in the UK, records of monetary contributions to the Church as a UK Charity and Temple Records for a UK Temple) it denies the right of access to any personal information transferred overseas.

Are so many individuals adversely affected, even if to a lesser extent, that action is justified?

There are 186,082 members of the Church in the United Kingdom (Statistics from the 2011 Deseret News Church Almanac) whose personal data is transferred overseas to Church Headquarters. The view expressed by the UK Church would deny them the right of access to any transferred information. This breaches The Sixth and Eighth Data Protection Principles as well as the contractual model clauses.

Is action justified by the need to clarify an important point of law or principle?

Action would clarify that the UK Church cannot simply say that it cannot fulfill a subject access request because it no longer has the information. It would clarify The Eighth Data Protection Principle in relation to transferring personal data overseas. 

Is action justified by the likelihood that the adverse impact of a breach will have an ongoing effect or that a breach will recur if action is not taken?

If no action is taken, it is likely that the UK Church will continue to state that transferred personal data is no longer under their control or jurisdiction. Mr William F. Atkin, General Counsel-International for the Church in the USA, states that requests for personal information, membership and disciplinary records in particular, are a "problem" and that it viewed as having an "adverse impact" on the Church (Addressing Issues for Good Around the World - William F. Atkin. Video available at: http://www.law2.byu.edu/news/item.php?num=676). This shows that it is likely that the Church is unwilling to comply with data privacy laws and that a breach of access rights will be an ongoing issue. 

Is the organisation and its practices representative of a particular sector or activity to the extent that the case for action is supported by the need to set an example?

Is the likely cost to the organisation of taking the remedial action required reasonable in relation to the issue at stake?

The Church had spent almost $80,000 in February 2010 on legal fees responding to subject access requests from two individuals in the UK. "...two former members of the church... have filed complaints with the regulatory authorities in the UK and I've spent close to 80,000 dollars in legal fees to respond to these." (Addressing Issues for Good Around the World - William F. Atkin. Video available at: http://www.law2.byu.edu/news/item.php?num=676). If the Church is willing to pay $80,000 as of February 2010 to avoid compliance with the Data Protection Act then I would label any likely costs as 'reasonable'.

Does a failure by the organisation to follow relevant guidance, a code of practice or accepted business practice support the case for action?

Guidance was provided by the Information Commissioner but the Church did not accept the formal legal view of the ICO's legal department. The data subject also informed the Church of relevant laws and how they applied to the information requested. Whilst the Church provided the data subject with a copy of the contractual model clauses, they failed to accept a data subject's right of access as explained in the clauses.

Does the attitude and conduct of the organisation both in relation to the case in question and more generally in relation to compliance issues suggest a deliberate, wilful or cavalier approach?

The conduct of the Church suggests a deliberate approach to withholding personal data and denying individuals their rights of access to that information. The individual in the UK who first responded to the subject access request was later instructed not to speak with the data subject and was unable to say who was dealing with the request. The UK Church's lawyers, Devinshires Solicitors, were also unable to refer the data subject to an individual dealing with his request. Upon calling Mr Atkin's office in Salt Lake, Utah, the data subject learned that it was in fact Mr Atkin, the in-house lawyer for international affairs, that was dealing with the subject access request. The Church has refused to comment on the model clauses granting individuals with a right of access to information held on them. Instead they have continued to claim that the information is not subject to the UK legislation and out of the control and jurisdiction of the UK Church.

How far do we have a responsibility to organisations that comply with the law to take action against those that do not?

Would it be more appropriate or effective for action to be taken by other means (e.g. another regulator, legal action through the courts)?

There is no other regulator I know of, other than the ICO, who can take appropriate, effective action. Legal action could be taken through the courts, however, considering the amount of money the Church has spent on answering the data subject's request it seems they would go to any length in attempting to withhold the data. This course of action would also place the data subject in financial difficulty so would be less appropriate and ineffective. This issue not only relates to the data subject's access rights and any action should reflect this bringing the UK Church's compliance in line with the UK legislation concerning data transferred overseas.

Is the level of public interest in the case so great as to support the case for action?

Given the extent to which pursuing the case will make demands on our resources, can this be justified in the light of other calls for regulatory action?

What is the risk to the credibility of the law or to our reputation and influence of taking or not taking action?

If no action is taken, the ICO will be allowing the UK Church to continue transferring data overseas, without any concern for its obligations under the Data Protection Act. The UK Church has not taken into account the European Commission's decisions concerning transferring data outside the European Economic Area and if no action is taken this may have an effect on the ICO's reputation.

Regulatory action examples

The following are some examples of the types of conduct which will lead the ICO to consider using its formal regulatory powers. The examples are intended to be illustrative rather than exhaustive or binding. In practice all the relevant circumstances of a case will be taken into account and, in the case of criminal conduct, the Code for Crown Prosecutors will be followed.

Likely (especially after warning)

- Denial of subject access where it is reasonable to suppose significant information is held.

The UK Church has already stated that the information requested was transferred to Church Headquarters. Also much of the information in a later subject access request was not provided as it had been sent overseas.   

Posted by: londonuk ( )
Date: February 01, 2011 03:44AM

