April 27, 2024 · 6:41 am

Douglas Adams and the EIR

[I tend to do a lot my posting these days on LinkedIn, and less here. But the combination of LinkedIn’s poor search capability and my memory means I forget about some things I’ve written about that I’d quite like to remember. So I’m going to put some of them on this blog to remind me. This one is on a doozy of a Tribunal judgment.]

This Information Tribunal judgment about whether photographs of planning notices should be disclosed begins with a long quote from The Hitchhiker’s Guide to the Galaxy, and gets even more extraordinary as it goes on.

By the end of the judgment the judge has called the Information Commissioner’s Office’s decision a “pitiful failure to understand the scope and significance of material in the public domain and the role of data protection in protecting rights”, uses the term “bankruptcy” to describe the approach to the matter by both the ICO and Shropshire Council, and appears to have declared the Council’s handling of not just the individual planning application, but its planning policy as a whole unlawful (the judgment says, for instance that the council’s implementation of The Town and Country Planning (Development Management Procedure) (England) Order 2015 “failed to accord local residents their rights”).

This last point surely illustrates the Tribunal straying well beyond its jurisdiction, and it is difficult to see how it will escape having its judgment appealed. That’s actually a pity, because the underlying point in it is that the ICO’s approach failed to understand that data protection law has to be considered “in relation to its function in society and be balanced against other fundamental rights” (recital 4 GDPR) and failed to consider the Environmental Information Regulations’ context, whereby access to environmental information is one of the three pillars of the Aarhus Convention – the others being public participation in decision-making, and access to justice in environmental matters.

And even if the judgment gets appealed, I would hope the ICO acknowledges the key point that data protection rights don’t automatically trump all other rights.

https://www.bailii.org/uk/cases/UKFTT/GRC/2024/330.html

Leave a comment

Filed under Data Protection, Environmental Information Regulations, LinkedIn Post

Tagged as

April 12, 2024 · 1:37 pm

8000% in people affected by central government data breaches

Yes, you read that correctly. Here’s what we’ve just published on the Mishcon de Reya website:

https://www.mishcon.com/news/data-breach-crisis-in-central-government-time-for-ico-to-act

Leave a comment

Filed under Uncategorized

March 20, 2024 · 4:31 pm

Princess Kate and data protection

I’ve written a piece on the Mishcon de Reya website on the data protection implications of reports that staff at the London might have inappropriately accessed her patient notes.

https://www.mishcon.com/news/the-princess-of-wales-and-possible-data-protection-offences-and-infringements

Leave a comment

Filed under Uncategorized

March 9, 2024 · 11:02 am

A sad procedural judgment

In 1973, Pat Campbell, a Catholic factory worker from Banbridge, Northern Ireland, was shot and killed in front of his wife and children, at their family home.

No one was ever convicted of Pat Campbell’s murder, but for many years it has been believed that the killer was senior Ulster Volunteer Force member Robin “The Jackal” Jackson. Jackson – suspected of being responsible for, but never convicted of, at least 50 killings during the Troubles – was also suspected of having links with British military intelligence agencies.

In 2022 Pat Campbell’s widow reached a settlement with the Police Service of Northern Ireland, or PSNI (successor to the Royal Ulster Constabulary, or RUC) of a civil claim for damages, in which she alleged negligence and misfeasance in public office. The BBC reported at the time that “a former RUC officer and two ex-military intelligence officers were set to give evidence about Jackson’s alleged role”.

In the same year as Pat Campbell was murdered, a British intelligence officer wrote a report which is understood to have proposed increasing the RUC’s special branch’s intelligence gathers capabilities.

In 2021 journalist Phil Miller took a case under the Freedom of Information Act 2000 (FOIA) to the Information Tribunal, seeking disclosure by the PSNI of the Morton Report. However, the Tribunal upheld the Information Commissioner’s decision that PSNI were entitled to withhold the report because of the FOIA absolute exemption in relation to information supplied to a public authority by the Security Service.

Mrs Campbell, herself, however, still sought to get hold of the Morton Report. I know this because of a sad procedural judgment from the Information Tribunal.

She is identified as the appellant in case EA/2023/0276, an appeal from ICO decision notice IC-173342-D4D8. But as the judgment explains, she has since died, and the Tribunal has accordingly struck out the proceedings, under rule 8(2) of the procedure Rules, for want of jurisdiction. This is because, although The Law Reform (Miscellaneous Provisions) Act 1934 permits a “cause of action” to proceed after a claimant has died, for the benefit of the deceased’s estate, the Tribunal held, applying the same approach the Upper Tribunal took in a previous case in relation to data protection rights, a FOIA appeal is not a “cause of action” (Letang v Cooper [1965] 1 QB 232 applied). Instead, “‘[the] procedure is no more than a statutory appeal route, a procedural mechanism, for challenging’, in this case, the issue of the decision notice by the Information Commissioner”.

It seems doubtful, in any case, that Mrs Campbell would have succeeded: the exemption at section 23 is effectively insuperable.

But, of course, the PSNI has discretion to disclose information. As the ICO’s decision notice notes, the PSNI previously decided to disclose a redacted version of the 1980 Walker Report on RUC Special Branch informant handling, after the Committee on Administration of Justice took another FOIA case to the Information Tribunal.

There is no reason to suggest the same would happen if another case involving a request for the Morton Report reached the Tribunal again, but someone might consider it worth trying.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, police

Tagged as , , ,

March 1, 2024 · 7:02 am

John Edwards evidence to the Angiolini inquiry

On 29 February Lady Elish Angiolini published the first report from her inquiry into how off-duty Metropolitan police officer Wayne Couzens was able to abduct, rape and murder Sarah Everard.

Information Commissioner John Edwards contributed to the inquiry, and his evidence is cited at 4.320 (the paragraph is quoted below). It deals with the profoundly important (and perennially misunderstood) issue of data-sharing within and between police forces.

Although for obvious reasons the identity and content of some witness evidence to the inquiry is being kept anonymous, there should be no obvious reason that Mr Edwards’s is, and I hope that the Information Commissioner’s Office will, in addition to publishing his press statement, also publish any written evidence he submitted. It would also be good to know the details of the work Mr Edwards says his office is doing, and continuing, with the police, in this context.

In discussions with senior leaders of relevant organisations, the Inquiry was told that gaps in information-sharing between human resources, recruitment, professional
standards and vetting teams – and, indeed, between forces themselves – were a
significant barrier to capturing a clear picture of officers. The Inquiry heard from different sources, including senior leaders, that there are significant barriers to
information-sharing. Some cite data privacy and protection laws as a reason not to
share information. However, in a discussion with the Information Commissioner, John Edwards, the Inquiry was assured that data protection law recognises that there are legitimate reasons for information-sharing, particularly given the powers attributed to police officers. Indeed, Mr Edwards suggested that data protection law is widely misunderstood and misconstrued, and highlighted a failure of training in this regard.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, data sharing, Information Commissioner, police

Tagged as , , ,

March 1, 2024 · 6:48 am

How did George Galloway come to send different canvassing info to different electors?

As electors went to the polls in the Rochdale by-election on 29 February, a few posts were made on social media showing the disparity between letters sent to different electors by candidate George Galloway. An example is here

On the face of it, Galloway appears to have hoped to persuade Muslim voters to vote for him based on his views on a topic or topics he felt would appeal to them, and others to vote for him based on his views on different topics.

It should be stressed that there is nothing at all wrong that in principle.

What interests me is how Galloway identified which elector to send which letter to.

It is quite possible that a candidate might identify specific roads which were likely to contain properties with Muslim residents. And that, also would not be wrong.

But an alternative possibility is that a candidate with access to the full electoral register, might seek to identify individual electors, and infer their ethnicity and religion from their name. A candidate who did this would be processing special categories of personal data, and (to the extent any form of automated processing was involved) profiling them on that basis.

Article 9(1) of the UK GDPR introduces a general prohibition on the processing of special categories of personal data, which can only be set aside if one of the conditions in Article 9(2) is met. None of these immediately would seem available to a candidate who processes religious and/or ethnic origin data for the purposes of sending targeted electoral post. Article 9(2)(g) provides a condition for processing necessary for reasons of substantial public interest, and Schedule One to the Data Protection Act 2018 gives specific examples, but, again, none of these would seem to be available: paragraph 22 of the Schedule permits such processing by a candidate where it is of “personal data revealing political opinions”, but there is no similar condition dealing with religious or ethnic origin personal data.

If such processing took place in contravention of the prohibition in Article 9, it would be likely to be a serious infringement of a candidate’s obligations under the data protection law, potentially attracting regulatory enforcement from the Information Commissioner, and exposure to the risk of complaints or legal claims from electors.

To be clear, I am not saying that I know how Galloway came to send different letters to different electors, and I’m not accusing him of contravening data protection law. But it strikes me as an issue the Information Commissioner might want to look into.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, political parties, UK GDPR

Tagged as , , ,

February 9, 2024 · 8:39 am

When is a breach of FOIA not a breach of FOIA?

I posted about this originally on LinkedIn, but I found it so nerdily interesting I wanted to preserve it better by putting it on this blog.

In 4 December 2023 the Information Commissioner’s Office (ICO) issued a decision notice under section 50 of the Freedom of Information Act 2000 (FOIA) finding that its own office did not deal with a FOIA request within the statutory time limit. Subsequently, however, as the ICO website has it, “Following a review of this case it has been noted that the Commissioner erred in citing a breach of section 17(1) of FOIA, having omitted to include the Scottish bank holiday of 7 August 2023 in his calculation of the 20 working day deadline. Therefore, the ICO did not breach section 17(1) of FOIA.”

However, merely staring on its website that “the ICO did not breach FOIA” is not sufficient. As a matter of law, the decision notice itself stands, unless it is substituted by another notice made by the Information Tribunal upon appeal. The ICO cannot withdraw/amend a decision notice, in the absence of an appeal (under the doctrine of “functus officio”, but see also IC v Bell [2014] UKUT 0106)).

So merely saying on its website “we didn’t breach the time limits” cannot cancel or overturn the decision notice.

In some analogous circumstances of “wrong” legal decisions by public authorities bound by functus officio, the authority will consent to judicial review proceedings quashing the decision. But here, the only person with any interest in quashing the decision is the ICO itself, and I don’t believe it could apply for judicial review of its own decision (although there have been cases, I believe, where local authorities have judicially reviewed decisions of their own planning committees).

What the ICO could have done though (and I give a nod to Ganesh Sittampalam here) is appeal the decision itself to the Tribunal. It would seem to be the case that the ICO, as the public authority on whom the decision notice was served, would have had a right of appeal to the Tribunal, even though it would be both the appellant and the respondent. This would, obviously, be rather an odd situation, but it’s one that the ICO already faces when it has to rule (as it did here) on its own compliance with the laws it regulates and enforces (for these purposes it effectively creates a fictional divide between “the ICO” and the “Commissioner” – see for example paragraph four in the decision notice linked above).

However, for whatever reason, the right of appeal was not exercised. But, given that that was the statutory route for challenge, why was the purported correction of the error instead subject to an internal, non-binding and unsatisfactory “review” within the ICO?

One wonders how this will be recorded within the ICO’s datasets: will the ICO accept the point that, as a matter of law, the decision is and remains that it breached the time limits? I doubt it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Tagged as ,

January 17, 2024 · 7:26 am

NADPO January webinar – a focus on the DPDI Bill

As we hurtle into an election year there may be a rush to get parliamentary bills over the line. The signs are that there is a) a momentum behind the Data Protection and Digital Information Bill*, and b) little notable opposition opposition, so I’m expecting it to pass.

Accordingly, the NADPO executive have asked two experts to speak about the Bill at our next webinar, on Tuesday 23 January: Dr Chris Pounder and Ibrahim Hasan are preeminent in the field, and will be talking, respectively, about “New Data Sharing rules under the DPDI Bill” and “Proposed changes to UK GDPR”.

As always, attendance is free for NADPO members, and Data Protection Forum members can also attend for free under our mutual agreement with the Forum. If anyone else fancies testing the NADPO waters please drop me a line at chair at nadpo dot co dot uk and I’ll see if we can accommodate you.

[*the Bill is no longer titled “No.2”, despite what I’ve seen from many experts, including *cough* myself, albeit a few months ago now]

Leave a comment

Filed under Uncategorized

January 2, 2024 · 6:20 pm

UK GDPR amended

Three years ago, at the end of the Brexit Implementation Period, I helped prepare a version of the UK GDPR for the Mishcon de Reya website. At the time, it was difficult to find a consolidated version of the instrument, and the idea was to offer a user-friendly version showing the changes made to the retained version of the GDPR, as modified by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, and the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020.

Since then, the main legislation.gov.uk has offered a version. However, with respect to that site, it’s not always the easiest to use.

The burden now, though, falls to me and Mishcon, of updating our pages as and when the UK GDPR itself gets amended. Major changes are likely to made when the Data Protection and Digital Information Bill gets enacted, but, first, we have the minor amendments (minor in number, of not in significance) effected by The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (which came into force at 23:59:59 on 31.12.23).

The changes have been made to Articles 1, 4, 9, 50, 85 and 86.

The Mishcon pages have been very well used, and we’ve had some great feedback on them. They don’t profess to be an authoritative version (and certainly should not be relied on as such) but we hope they’ll continue to be a useful resource.

Leave a comment

Filed under Data Protection, GDPR, UK GDPR

Tagged as , ,

November 17, 2023 · 6:35 am

EIR you sure you got that right?

Someone said they’d read this post if I wrote it. That’s miles more encouragement than I normally need, so here goes.

The other day, Tim Turner’s FOIDaily account pointed out how, after twenty-odd years, some public authorities still fail to identify when a request for information should be dealt with under the Environmental Information Regulations 2004 (EIR), rather than the Freedom of Information Act 2000 (FOIA). An example was given of Information Commissioner’s Office (ICO) identifying where a public authority had got this wrong.

As any fule kno, the two laws operate in parallel to create a regime for access to information held by public authorities, and it’s Regime 101 for a public authority to be able to know, and identify, when each applies. But, in short, if requested information is on, for instance, “measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect…the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape…” then the EIR, and not FOIA, apply.

I pointed out in the comments to the FOIDaily post that I’d seen a case where everyone, from the requester, to the public authority, to the ICO, to the First-tier Tribunal, had failed to deal with a case under the correct scheme.

This was it.

The case was about a request to a district council for information about whether a councillor had (in a private capacity) been required to pay any money to the council in relation to a fly-tipping incident or incidents. The request itself even referred to the Environmental Protection Act 1990, which was a very big hint that environmental information might be at issue.

What appears to have happened is that everyone jumped to the issue of whether disclosure of the requested information would contravene the councillor’s data protection rights. As most similar discussions take place in relation to the provisions of section 40 FOIA, the public authority, the ICO and the Tribunal (and presumably even the requester) all appear to have gravitated towards FOIA, without asking the correct first question: what is the applicable law? The answer to which was, clearly, EIR.

Regulation 13 of the EIR deals with personal data, and is cast in very similar terms to section 40 FOIA. It is, then, strongly arguable that, given that similarity, both the ICO and the Tribunal would have arrived at the same decision whichever regime applied. But Parliament has chosen to have two separate laws, and this is because they have a different genesis (EIR emanate from EU law which in turn emanates from international treaty obligations). Additionally, where all things are otherwise equal, the EIR contain an express presumption in favour of disclosure (something that is not the case in relation to personal data under the FOIA regime – see Lord Hope’s opinion in Common Services Agency v Scottish Information Commissioner).

As Tim implies in his post, the EIR have always been seen as somehow inferior, or subservient, to FOIA. No doubt this is because they are in the form of secondary legislation, rather than statute. This is more an accident of history, rather than of constitutional significance, and is never going to be relevant in most practice. But if the ICO and the courts continue to miss their relevance, it shouldn’t be that surprising that some public authorities will also do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as , , ,