Mr Justice Cranston has suggested that there is a public interest factor when considering whether disclosure of personal data would be “fair” processing. I’m not sure that is right.
The first data protection principle (DPP1) in Schedule 1 of the Data Protection Act 1998 (DPA) says that personal data must be processed “fairly” (and lawfully). But what does “fairly” mean?
In an interesting recent case (AB v A Chief Constable EWHC 1965 (QB)) the High Court determined that, on the very specific facts, it would not be fair, in terms of DPP1, and common law legitimate expectation, for a Chief Constable to send a second, non-standard, reference to the new employer of a senior police officer who was subject to disciplinary investigation. (The judgment merits close reading – this was by no means a statement of general principle about police references). It would not be fair because the officer in question had tendered his resignation upon the sending of the initial, anodyne, reference, and the force had terminated misconduct proceedings:
He was thus in the position that for the Force to send the second reference would most likely leave him without employment and without the opportunity to refute the gross misconduct allegations. In these special circumstances it would be a breach of the Data Protection Act 1998 and undermine his legitimate expectations for the second reference to be sent [¶94]
Something in particular struck me about the judge’s analysis of DPP1, although, given the outcome, it was not determinative. He rejected a submission from the claimant officer that the duty of fairness in the DPP1 and the European Data Protection Directive was a duty to be fair primarily to the data subject. Rather, correctly identifying that the privacy rights in the Directive and the DPA are grounded in article 8 of the European Convention on Human Rights and in general principles of EU law, he held that
The rights to private and family life in Article 8 are subject to the countervailing public interests set out in Article 8(2). So it is here: assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure [¶75]
I am not sure this is right. Recital 28 of the Directive says
Whereas any processing of personal data must be lawful and fair to the individuals concerned [emphasis added]
and recital 38 suggests that whether processing is “fair” is in large part dependent on whether the data subject is made aware of the processing and the circumstances under which it takes place. These recitals give way to the descriptions in Articles 10 and 11 which both talk about “fair processing in respect of the data subject” (again, emphasis added). Similarly Part II of Schedule One to the DPA provides interpretation to DPP1, and says that in determining whether personal data are processed fairly
regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed
Admittedly this introduces “any person”, which could be someone other than the data subject, but more general considerations of public interest are absent. It is also notable that the Information Commissioner’s position in guidance seems predicated solely on the belief that it is the data subject’s interests that are engaged in an analysis of “fairness”. The guidance does concede that processing might cause some detriment to the individual without it being unfair, but I do not think this is the same as taking into account public interest in disclosure.
To the extent that a public interest test does manifest itself in DPP1, it is normally held to be in the conditions in Schedules 2 and 3. DPP1 says that, in addition to the obligation to process personal data fairly and lawfully, a condition in Schedule 2 (and, for sensitive personal data, Schedule 3) must be met. Many of these conditions contain tests as to whether the processing is “necessary”, and that “necessity test” constitutes a proportionality test, as described by Latham LJ in Corporate Officer of the House of Commons v The Information Commissioner & Ors EWHC 1084 (Admin)
‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends
To import a public interest test into the word “fairly” in DPP1 seems to me to be a potentially radical step, especially when disclosures of personal data under the Freedom of Information Act 2000 (FOIA) are being considered. As I say – I doubt that this is correct, but I would welcome any contrary (or concurring) opinions.
(By the way, I at first thought there was a more fundamental error in the judgment: the judge found that a rule of law was engaged which ordinarily would have required the Chief Constable to send the second reference:
the public law duty of honesty and integrity would ordinarily have demanded that the Chief Constable send the Regulatory Body something more than the anodyne reference about the claimant [¶93]
If a rule of law necessitates disclosure of personal data, then the exemption at section 35 DPA removes the requirement to process that data fairly and lawfully. However, I think the answer lies in the use of the word “ordinarily”: in this instance the doctrine of legitimate expectation (which the claimant could rely upon) meant that the public law duty to send the second reference didn’t apply. So section 35 DPA wasn’t engaged.)
7 responses to “A public interest test in the Data Protection Act?”
I can’t say definitively that importing public interest into ‘fair’ is wrong, but it goes against all of my instincts. From the start, I understood that fair was about the treatment of the subject and their data, not any other consideration. I’ve never heard anyone interpret it in any other way until now, and I don’t agree with it.
Thanks for a thorough analysis of the issues. I will take up your offer of presenting an alternative view on the issue.
What you have described strikes me as the judge being imprecise in describing the process, or trying to create a process, as a public interest test. Any time we consider fairness we have to test it. We cannot see this simply as a balance nor can we see it as a public interest test, which brings into it a different context.
The issue here is complex because the data subject is a police officer (a public office holder) and even though the data protection act is for any living identifiable individual, one has to consider that the professional and private life are merged for a police officer that does not exist for other employees.
Thus, the use of public interest would appear to try to draw that distinction and yet make us aware that fairness has to be tested. We would not want to deny public office holders (legally different from a public official) their rights simply and solely because they hold office.
From what you have described, this appears a singular event for regular approach to DPA. However, it will need careful thought for those dealing with police and public office DPA issues because I see it as setting a procedure (although I do not think it is yet a precedent because it has not been tested (yet)) that others will have to consider. I do not see the specific procedure as a precedent nor do I see the decision as a precedent given the Corporate Officer of the House of Commons decision.
The danger of this approach, without further decisions, is that a two-track DPA begins to emerge. We see a different DPA for different people (public office holders vs citizens). We are some way away from that happening but the groundwork is emerging.
Thanks again for a stimulating and thoughtful post.
Thanks Lawrence – I’m by no means certain I’m right but I do still tend towards a view that the proper place for the broader public interest factors is in the identification of relevant Schedule 2 (and 3) conditions. I’m still mulling on this though.
If someone at the Regulatory Body reads the judgement, won’t it be easy for them to identify that it’s them and who the claimant is (thus defeating the primary purpose of anonymisation)?
I think there are probably a lot of people who can identify people in this judgment, but yes, that’s a great point.
I sometimes doubt whether judges understand how easy it can be to identify “anonymised” parties to proceedings. That said, if all identifying factors in anonymised judgments were removed it would defeat the purposes of open justice.
Dear Jon
Thanks for another really interesting post. I think the argument that in interpreting “fairness” you can’t take into account the public interest where relevant must be wrong. Even though a balance of interests is most explicit in the legitimating conditions provisions in Schedule 2 of the UK legislation, the open-textured nature of fairness does not exclude this either. In this context it is relevant that neither the Council of Europe Data Protection Convention nor many Data Protection laws around the world have a concept of legitimating conditions but they generally do have a concept of fairness. This was also the case under the UK’s 1984 Act. One point of controversy is whether in assessing the interests present “first and paramount” consideration must be given to the interests of the data subject given the whole purpose of Data Protection. Early decisions of the then Data Protection Tribunal in the UK supported such a notion (e.g. CCN Systems (1991)) but there has been a shift away from this in later domestic jurisprudence – notably in the MP expenses case.