Author Archives: Jon Baines

Cabinet Office wins Covid face masks FOIA appeal

The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.

It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.

The ICO had determined that the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.

The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):

In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.

I do not say the Tribunal has necessarily got this wrong, but I do say that this is a FOIA case of some significance, and that it warranted a clearer judgment.

Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


An offence of unlawful access to records of the dead?

I’m starting to wonder whether Parliament should consider a new offence of accessing and/or retaining records of the deceased without lawful excuse.

The BBC, and others, are reporting concerns that there may have been unauthorised access to medical records of the victim of killer Valdo Calocane. In the last few years we have also seen similar stories emerging in relation to police files on the murders of Sarah Everard, Bibaa Henry and Nicole Smallman (and I am sure there are many others).

The offence at section 170 of the Data Protection Act 2018 cannot be engaged when the records in question relate to someone who is dead, and although there is the potential for prosecutions for misconduct in a public office, or under the Computer Misuse Act 1990, there will be times when these do not apply.

Such unwarranted access seems to be a serious risk which arises wherever there is a high profile killing, and it must cause immense extra distress for the families and friends of the victims.

I wonder if now is the time for a debate on the topic, with an agenda item of whether there is need for a new criminal offence.


Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) in a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?


Can a data subject inspect withheld information in court proceedings?

When a controller, in response to a subject access request, has withheld personal data on the grounds of an exemption or exemptions, the data subject can apply to the court for a compliance order, under section 167 of the Data Protection Act 2018. That application will be determined by a judge who must determine whether the personal data was properly withheld or not. But general rules in adversarial proceedings do not permit one side and the judge to have access to material when the other side does not. So can the claimant and his/her lawyers therefore have access to the withheld information? Of course not – you all say – that would be absurd. However, the picture is not quite as clear as one might think.

Section 15(2) of the Data Protection Act 1998 specifically dealt with this issue: it said that the information should “be made available for [the judge’s] own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives”.

But no such provision is contained in the equivalent sections of the 2018 Act. That appears to have been a drafting error.

The issue came up in X -v- The Transcription Agency LLP [2024] 1 WLR 33, and the court there held that

it would defeat the purpose of the legislation if a person challenging the application of an exemption were to be given sight of the material for the purpose of advancing his or her arguments…It would bring about a situation in which a party seeking personal data “would have obtained the very thing which the hearing was designed to decide”

As a result, I imagine, of the X case, Parliament moved to address the lacuna in the law: the Data Protection and Digital Information Bill contained a clause which would have given the court the express power contained in section 15(2) of the 1998 Act. That Bill was, of course, dropped just before the 2024 General Election, but the Data (Use and Access) Bill, now speeding through the Commons, contains something similar, at clause 103.

And so it was that the issue again arose in recent proceedings – Cole v Marlborough College [2024] EWHC 3575 (KB) – involving a former pupil who is seeking information through subject access regarding an investigation into a disciplinary matter in his former school.

As in X, the judge noted the absence of any express power to inspect the materials without permitting their disclosure to the claimant. But, relying on X, the judge held that there was an implied power (either implied within section 167 and/or in exercise of the court’s inherent jurisdiction).

Given the impending amendment of the statute to make the power express, rather than implied, these cases will probably just become footnotes, rather than landmark judgments. But they’re interesting for illustrating how courts will find implied powers and procedures where justice demands it.


Concerns over the Public Authorities (Fraud, Error and Recovery) Bill

When it comes to proposed legislation, most data protection commentary has understandably been on the Data (Use and Access) Bill, but it’s important also to note some of the provisions of the Public Authorities (Fraud, Error and Recovery) Bill, introduced in the Commons on 25 January.

The abandoned Tory Data Protection and Digital Information Bill would have conferred powers on the DWP to inspect bank accounts for evidence of fraud. To his credit, the Information Commissioner John Edwards, in evidence given on that earlier Bill, had warned about the “significant intrusion” those powers would have created, and that he had not seen evidence to assure him that they were proportionate. This may be a key reason why they didn’t reappear in the DUA Bill.

The Public Authorities (Fraud, Error and Recovery) Bill does, however, at clause 74 and schedule 3, propose that the DWP will be able to require banks to search their own data to identify whether recipients of Universal Credit, ESA and Pension Credit meet criteria for investigation for potential fraud.

But such investigative powers are only as good as the data, and the data governance, in place. And as the redoubtable John Pring of Disability News Service reports, many disabled activists are rightly concerned about the potential for damaging errors. In evidence to the Bill Committee one activist noted that “even if there was an error rate of just 0.1 per cent during this process, that would still mean thousands of people showing up as ‘false positives’, even if it just examined those on means-tested benefits”.

The Bill does not appear to confer any specific role on the Information Commissioner in this regard, although there will be an independent reviewer, and – again, creditably – the Commissioner has said that although he could not be the reviewer himself, he would expect to be involved.

It is worth also reading the concerns of the Public Law Project, contained in written evidence to the Bill committee.


FOI doesn’t need a “purpose”

[reposted from my LinkedIn account]

At the close of an otherwise unobjectionable and unsurprising refusal of a Freedom of Information Act 2000 appeal (on the issue of a vexatious request), the Information Tribunal judge says this:

“FOIA exists to safeguard freedom of information. It was not enacted to serve as a tool for furthering personal campaigns and causes, however heartfelt they may be.”

When Parliament enacted FOIA it expressly declined to insert a “purpose clause”. As its explanatory notes say “A request for information can be made by any individual or body, regardless of the purpose of the application.” So if someone wants to use FOIA as a tool for furthering personal campaigns and causes, then (as long as their requests are not, as they were here, vexatious) they jolly well can. And judges should respect this.


The state of central government transparency

[reposted from my LinkedIn account]

This is one of the most extraordinary FOIA judgments I’ve ever seen, and it says an awful lot about the approach to transparency at the centre of the civil service.

The Cabinet Office have been trying to resist disclosure under FOIA of copies of blank ministerial declaration of interest forms, on grounds that to do so would be prejudicial to the conduct of public affairs, because among other things [checks notes] “Disclosure may lead to speculative scrutiny regarding why certain elements are included in the forms, potentially leading to amendments to the form which undermines its effectiveness”.

But there’s also an extraordinary citation of a piece of evidence given by a Cabinet Office witness – the “Director of Propriety and Ethics” – to the effect that the system for Ministers declaring interests relies heavily on the trust and candour of Ministers, and the effect of disclosure would be that they “may be reluctant to provide the same level of detail” as they do currently.

Let’s just think about that. Ministers have a constitutional and ethical duty to declare interests, but this relies on trust and candour, and disclosure of a blank declaration form might mean that those we trust to be candid in their ethical duty to declare those interests might decide to be less trustworthy and candid as a result? What a sorry state of affairs.

Fortunately, the Information Tribunal, like the Information Commissioner’s Office before, had no truck with these arguments, and refused the Cabinet Office’s appeal.


RIP ePrivacy Regulation

[reposted from my LinkedIn account]

The ePrivacy Regulation is dead (as is – also very notably – the AI Liability Directive). The former has been a long time dying: it was first proposed in 2017, and then was subject to almost unprecedented lobbying by tech interests, which lobbying seems to have finally prevailed.

For the time being at least, then, the EU will continue to operate under a crucial law dealing with privacy of online (and telephonic) behaviour and communications which emanates from 2002 (Directive 2002/58/EC), an era when the internet as we now know it was unimaginable.

And in the UK, still effectively tied legislatively for reasons of trade and security to the EU, we will similarly (unless there’s a major jolt to our laws) still be working under the PEC Regulations of 2003 (which implemented Directive 2002/58/EC).

A slight irony is that the Data (Use and Access) Bill will almost certainly pass into UK law one of the key planned provisions of the now-shelved ePrivacy Regulation: to bring financial penalties for ePrivacy infringements onto the same level as those for GDPR/UK GDPR infringements.

So, in that regard at least, the UK will be able to say we have a stricter regime than the EU.


Clarity needed on NHS publication of reports into homicides

[reposted from my LinkedIn account]

Does the law need clarifying on the publication of reviews into homicides by those receiving mental health services from the NHS?

The Times led recently on stories that NHS England was refusing to publish the full independent report into the health care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023. NHSE apparently argued that data protection and patient confidentiality concerns prevented them publishing anything but a summary. Under pressure from victims’ families, and the media, NHSE about-turned, and the full report is reported to contain damning details of failings in Calocane’s treatment which were not in the summary version.

Now The Times reports that this is part of a pattern, since last year, of failure to publish full reviews of homicides by mental health patients, contrary to previous practice. It says that NHSE received legal advice that the practice “could breach data protection rules and the killers’ right to patient confidentiality”. The charity Hundred Families talks of cases where the names of victims are not published, or even the identity of the NHS Trust involved.

Of course, without seeing the advice, it is difficult to comment with any conviction, but I did write in recent days about how the law can justify publication where it is “necessary for a protective function” such as exposing malpractice, or failures in services. And it’s important to note that, in many cases, such reports show failings that mean that killers themselves have been let down by the adequacy of treatment: publication can surely, in some cases, cast light on this so that similar failings don’t happen in the future. In any case, guidance says that those preparing reports should do so with a view to their being published, and so confidentiality concerns should be taken into account in the drafting.

However, if NHSE remains concerned about the legality of publication, and if its legal advice continues to say that data protection and medical confidentiality law militates against disclosure, it strikes me that this might call for Parliament to legislate. I also believe that it would be welcomed if the Information Commissioner’s Office issued a statement on the legal issues arising.


Is the legal sector really suffering a flood of databreaches?

[reposted from my LinkedIn account]

There have been various articles in the media recently, reporting a significant rise in personal data breaches reported by the legal sector to the Information Commissioner’s Office. I have some real doubts about the figures.

An example article says

A new analysis of data from the Information Commissioner’s Office (ICO) by NetDocuments has revealed a sharp increase in data breaches across the UK legal sector. In the period between Q3 2023 and Q2 2024, the number of identified data breaches in the UK legal sector rose by 39% (2,284 cases were reported to the ICO, compared to 1,633 the previous year)

But something didn’t seem right about those numbers. The ICO say that they have received 60,607 personal data breach reports since their current reporting methods began in Q2 2019 (see their business intelligence visualised database), so it seemed remarkable to suggest that the legal sector was scoring so highly. And, indeed, when I look at the ICO BI data for self-reported personal data breaches, filtered for the legal sector, I see only 197 reported in Q3 2023, and, coincidentally, 197 in Q2 2024 (see attached visuals) – an increase from one relatively low number to another relatively low number of precisely 0%.

A serious question to those more proficient with data than I am – am I missing something?

If I’m not, I really think the ICO should issue some sort of corrective statement.
