Author Archives: Jon Baines

December 12, 2013 · 5:44 pm

Restrictions on use of information in litigation

Rule 31.22 of the Civil Procedure Rules provides in terms that a party to litigation can only use a document disclosed to him/her by another party (in the course of those proceedings) for the purposes of those proceedings:

A party to whom a document has been disclosed may use the document only for the purpose of the proceedings in which it is disclosed…

The exceptions to this rule are where the document has been read to or by the court or referred to, at a public hearing, or where the other party consents to its use, or by permission of the court.

A recent judgment of Mr Justice Tugendhat deals with this rule, but also has a rather odd appearance in the wings by the Information Commissioner’s Office (ICO). The case involves an application for a strike-out of a claim by a company (“IG Index”) engaged in spread betting on financial products, which had been the defendant in proceedings in the Employment Tribunal (ET). In the course of those ET proceedings the then claimant (“Cloete” – now defendant), a former network services engineer (who, it was said, had previously raised with his then employer concerns about data security at the company) had provided the defendant company (pursuant to a disclosure order of the ET judge) with a USB stick containing lists of clients of the company (including bank payment details), which it appeared to the company had been copied or retained by the claimant in breach of covenants protecting confidential information.

Separately to the ET proceedings the company claimed orders requiring the delivery up of the documents, and was successful in gaining interim relief for this, and for destruction by Cloete of any electronic copies, ordering him at the same time to pay IG Index’s costs. Cloete complied with these Orders, while at the same time withdrawing his ET claims.

At the full hearing, at which, as Tugendhat J observed, nothing of substance was still sought by IG Index (their substantive relief having been achieved by the delivery up and destruction of the information) what remained in dispute between the parties was, effectively, costs.

However, Cloete now sought strike out on the basis that the only reason IG Index had come to know of the contents of the USB stick was through the disclosure in the ET proceedings. Accordingly, he argued, the use of that information was in breach of CPR 31.22. Tugendhat J agreed, noting, importantly, that the rule applies

to protect not only the documents themselves, but also the contents of those documents, that is to say, the information derived from the disclosed documents

So IG Index’s knowledge that Cloete had, or had had, the documents, was information derived from the disclosed documents. Accordingly, the strike out claim succeeded:

The use of the information in the present proceedings cannot be said to be for the purposes of the Employment Tribunal Proceedings…Nor is the relevant information in this case the property of the Claimant…in my judgment the use of this information for the purpose of advancing a claim for damages is plainly and obviously a breach of the prohibition

There might, it was observed, be cases where to bar a claim in circumstances such as these would give rise to an injustice, but this was not one of those cases, and, in any event, sub-rule (b) (whereby a court can grant permission for use of the material) was available to avoid any such injustice.

The Information Commissioner

What I refer to as the “rather odd” appearance in these proceedings of the Information Commissioner’s Office (ICO) arises because Cloete claimed that he hadn’t retained the information at the centre of the case from the time when he had been employed by IG Index. Rather, while he was employed, he had passed it to the ICO, to express concerns about IG Index’s data security. He only got the documents back, according to his statement to the court, when they were

sent to him by the Information Commissioner six months after his employment had been terminated…following a subject access request he made to the Information Commissioner’s Office on 17 December 2012. On 16 January 2013 the Listed Items were attached to an e-mail he received in response to that request. However, he stated that he did not appreciate at the time he received the e-mail that the Listed Items were attached

One must be careful not to make unwarranted criticism of the ICO – I note that they were not involved in the proceedings at all, and had no opportunity to challenge or clarify Cloete’s statement. However, if that statement accurately reflected what happened it would be odd, to say the least, for the ICO to return this confidential information to someone who had no apparent lawful reason to have it, and also odd that it would have been sent in response to a subject access request under the Data Protection Act 1998, which entitles someone, in broad terms, to copies of their own personal data (not that of clients of their former employer). It would be interesting to know more about this.

Leave a comment

Filed under Data Protection, employment, Information Commissioner

Tagged as ,

December 7, 2013 · 8:00 am

The Kids all have Rights

Chapter 2 of Part 1 of The Protection of Freedom Act 2012 was commenced on 1 September this year, to little publicity. It contains quite radical provisions regarding use of children’s biometric information.

(…One for the no doubt thousands of younger readers of this blog…)

Hey kids – want to annoy your teachers and your parents while at the same time asserting your rights to autonomous decisions about your privacy? Then put down your tamagotchis, or whatever it is you play with these days, and have a look at Chapter 2 of Part 1 of The Protection of Freedoms Act 2012 (POFA). Bear in mind (as I know you will, as you guzzle your ginger beer) that, by virtue of The Protection of Freedoms Act 2012 (Commencement No. 9) Order 2013, sections 26, 27 and 28 of POFA are now in effect.

And note that, if your school processes your biometric information (for instance, if you have to provide your fingerprints in order to register, or to access libraries (to read the latest Enid Blyton, no doubt) or get school meals) then (after September 1 this year) the school has to have informed your parents that it is going to do this (or continue to do this). If your parents object, then the school has to stop (and almost certainly give you an alternative way of registering/accessing the library/getting school meals etc). The school

must ensure that a child’s biometric information is not processed unless—

(a)at least one parent of the child consents to the information being processed, and

(b)no parent of the child has withdrawn his or her consent, or otherwise objected, to the information being processed….

The relevant authority must ensure that reasonable alternative means are available by which the child may do, or be subject to, anything which the child would have been able to do, or be subject to, had the child’s biometric information been processed.

But also note (here’s the totally rad bit) that, even if your parents are OK with it, you have the right to object, and if you do, that trumps what your parents, and your school, think. Cool eh?

if, at any time, the child—

(a)refuses to participate in, or continue to participate in, anything that involves the processing of the child’s biometric information, or

(b)otherwise objects to the processing of that information,

the relevant authority must ensure that the information is not processed, irrespective of any consent given by a parent of the child

Now, kids, you will have your own views, and some of you may approve of administrative systems which rely on the gathering, use and retention of personal information. You may think that the potential time- and costs-saving benefits are the most important factors at play. But some of you might well object, on perfectly reasonable grounds. You might be worried about what might happen if, for instance, this information fell into the wrong hands, or was simply kept too long, and was misused to your detriment. You might even object in principle to this sort of private information being used in this sort of way, when there are less intrusive methods available.

And you might want to consider that, if sufficient of your classmates object, under what is an admirable and rather radical statutory scheme which gives priority to the wishes of children, then the whole purpose of having this sort of system (convenience and cost benefits for the school) might fall away.

12 Comments

Filed under Uncategorized

December 6, 2013 · 4:00 pm

For Shame

A newspaper says police are “naming and shaming” drivers who have been charged with, but not convicted, of drink-driving offences. Sussex Police say they are merely “naming” the drivers, but do not appear to feel the need to correct the media reports.

The risk for social media users of being held in contempt of court was highlighted this week by the Attorney General, who has said that, in future, the advisory notes issued to “traditional” media on individual cases will now be made more widely available (published on the gov.uk website and twitter).

With this in mind I was concerned to see that Sussex Police were reported by the Eastbourne Herald to be “naming and shaming” drivers arrested and charged with drink-driving

Police have said this year they are ‘naming and shaming’ everyone they arrest in connection with drink driving

The report goes on to quote Chief Inspector Natalie Moloney as saying

It is sad that so many people ignored the warnings that we would be looking for drink-drivers and have been charged with offences within hours of the start of the campaign. The arrests and the naming of those charged with offences will continue across the county throughout the month

This seemed to me potentially to engage the provisions of the Contempt of Court Act 1981 of an offence of strict liability “whereby conduct may be treated as a contempt of court as tending to interfere with the course of justice in particular legal proceedings regardless of intent to do so”, because it is a publication addressed to the public at large, about active proceedings. For an offence to be committed the publication must give rise to a substantial risk that the course of justice in the proceedings in question will be seriously impeded or prejudiced. I am not convinced that would be the case, but, nonetheless, I was surprised to see a police force effectively being reported as saying that  naming someone only charged with an offence gives rise to “shame” (it does nothing of the sort, of course, given the legal maxim of “innocent until proven guilty”). So I asked the Sussex Police twitter account

Are you really running a policy of “shaming” people by naming them prior to a trial?

to which they replied

We are not “shaming” anyone. We are naming those charged with a drink-related driving offence as we do for a range of offences

That was fair enough, (although one might ask Chief Inspector Moloney why an innocent person would heed a warning that police were looking for drink- drivers) but, as it appeared that this “naming-not-shaming” initiative had been launched in conjunction with the media, I wondered if they would be asking the Herald to correct its misleading article. Sussex Police replied

The campaign doesn’t aim to ‘shame’, but rather to deter & the article does not attribute the phrase to us

but this is simply not true: the article may not directly attribute the phrase to the police, but it does so indirectly

Police have said this year they are ‘naming and shaming’…

I have had no response yet to my further tweet pointing this out.

So, in a week when contempt via social media is very much in the headlines, we appear to have an online newspaper report which suggests there is shame attached to being charged with an offence, and which attributes this phrase to a police force, who seem unconcerned about correcting it. Odd.

For the avoidance of doubt, I should say that I have no sympathy whatsoever with people convicted of drink driving offences, but, to suggest there is “shame” in being charged with an offence prior to trial, is to go against centuries of presumption of innocence.

4 Comments

Filed under human rights, journalism, police, social media

Tagged as ,

November 29, 2013 · 5:07 pm

ICO must disclose Motorman journalists’ names

The ICO has been ordered to disclose the names of some of the journalists referred to in “What Price Privacy” as having engaged the services of rogue private investigator Steve Whittamore

In April 2006 the Information Commissioner’s Office (ICO) published “What Price Privacy?” on what it described as “the unlawful trade in personal information”. The report revealed

evidence of systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information

Those breaches were potential criminal offences under section 55 of the Data Protection Act 1998 (DPA), and the report – which drew on the findings of documentation seized during Operation Motorman, arising from the activities of private investigator Steve Whittamore, said

Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers

In December 2006 the six-month follow-up report “What Price Privacy Now?” was published. This gave further details about the 305 journalists mentioned in the first report, and broke the data down into “Publication”, “Number of transactions positively identified” and “Number of journalists/clients using the services”.

And of course, this trade in personal information formed the basis of the first module (“The relationship between the press and the public and looks at phone-hacking and other potentially illegal behaviour”) of part one of Lord Justice (as he was then) Leveson’s inquiry into the culture, practices and ethics of the press.

In 2011 a request was made under the Freedom of Information Act 2000 (FOIA) to the ICO, for (1) “the number of transactions per journalist of each of the 305 identified journalists for each of the 32 identified publications” and (2) the journalists’ identities. The first request was refused by the ICO, on the basis that it would require a search through 17000 documents, and, therefore, section 12 of FOIA provided a statutory cost limit which meant it did not have to comply. Having been given these apparent facts the requester dropped his first request, but pursued the second. This was also refused, on the basis that the information was exempt under section 40(2) and section 44 of FOIA (the latter by virtue of the statutory bar on disclosure at section 59 of the Data Protection Act 1998 (DPA)), in both cases because disclosure would be an unfair and unlawful disclosure of personal data of the journalists involved.

Because the ICO is the regulator of FOIA, a complaint about its handling of a FOIA request falls to be determined by the same office (a statutory arrangement which was to be described as an “unusual, and unsatisfactory, feature” of the law by the First-tier Tribunal (Information Rights) (FTT)). Accordingly, the office (describing itself as “the Commissioner”, as distinct from the “ICO”, which was the authority refusing the request) issued a Decision Notice which held that

the ICO correctly withheld the information by virtue of section 40(2). He has also found that the information could also be correctly withheld by virtue of section 44(1)

This decision was appealed to the FTT, which has today, after what has clearly been complex and strongly argued litigation, handed down three judgments (1, 2, 3) (two of which were preliminary or interim rulings, publication of which has been held back until now) which are, taken together, extraordinary, both for their criticism of the ICO, and for the outcome.

Taken as a whole the judgments find that, regarding some of the journalists named in the information held by the ICO, the balance of the public interest in receiving the information outweighs the legitimate interest of an individual to protect his or her privacy.

The FTT found that the information wasn’t sensitive personal data (which is afforded a greater level of protection by the DPA). This is at first blush rather surprising: section 2(2) of the DPA provides that sensitive data will be, inter alia, “data consisting of information as to…the commission or alleged commission by [the data subject] of any offence”. However, the FTT found that, although the information

does contain evidence that the investigator [Whittamore] engaged by the journalist committed, or contemplated committing, criminal activity. And, self-evidently, it discloses that the investigator received some form of instruction from the journalist. But there is no suggestion…that the journalist had instructed the investigator to use unlawful methods or that he or she had turned a blind eye to their adoption or, indeed, whether he or she had in fact expressly forbidden the investigator from doing anything that was not strictly legal [para 11 of third ruling]

The FTT had also invited submissions from the parties on the significance to the instant case of some of the passages from the Leveson inquiry, and, having received them, took note from those passages of

the issues of impropriety (which, while very possibly not involving criminality on journalists’ part, is nevertheless serious) and corporate governance in the context of the privacy rights of the [journalists]. We believe that, together, they give rise to a very substantial interest in the public knowing the identities of those who instructed the investigators [para 18 of third ruling]

But also tending towards favouring disclosure in the public interest was Leveson’s suggested criticisms of the ICO

We also give some weight to the public interest in knowing more about the information which was in the possession of the ICO and which the Leveson Report suggested it failed adequately to pursue [para 18 of third ruling]

The FTT noted the interests of the journalists, for instance that they would have had an expectation that details of their day-to-day professional activities would remain confidential, and that the Commissioner had argued that

publication of information indicating that they had engaged the services of the investigators concerned would be so unfair as to outweigh the factors in favour of disclosure [para 19 of third ruling]

but the FTT also noted, in effect, that the journalists involved must have had some idea of what was going on when they engaged Whittamore

it must have been well known within the profession what types of information could be obtained with the help of investigators, even if the means of obtaining it were not fully understood. The rights of individuals under data protection laws would also have been widely known at the time. In those circumstances those engaging the particular services…should have known that they ran the risk of becoming involved in behaviour that fell short of acceptable standards. This seriously dilutes the weight to be attributed to their privacy rights and leads us to conclude that the balance tips in favour of disclosure [para 19 of third ruling]

Accordingly, and, unless there is an appeal (Iwould be surprised if there isn’t) the names of some of the journalists who engaged Whittamore must be disclosed.

Other matters – criticism of ICO

In its preliminary ruling (November 2012) the FTT makes some trenchant criticism of the ICO’s handling of the requester’s first request (even though, as the requester did not pursue it, it was outwith the FTT’s jurisdiction). The refusal on costs grounds had been made, based upon a statement that the information requested had not been recorded in a database. Yet less than two months later the Leveson inquiry began, and, at that inquiry, evidence presented by the ICO effectively, in the FTT’s view, contradicted this statement

 we do not understand how the Appellant could have been given such a misleading response to the First Information Request…as a result of the misleading information given to the Appellant, he was not able to pursue his request…We only became aware of the ICO’s error after the Appellant drew our attention to the evidence presented to the Leveson Inquiry regarding the Spreadsheets. We assume (and certainly hope) that those in the Commissioner’s office handling this appeal had not become aware sooner [para 28 of first ruling]

The ICO clearly did not take well to this criticism, because the second interim ruling records that

the Commissioner has complained about part of the decision which he believes includes unfair criticism of his office and has asked us to correct the impression given [para 3 of second ruling]

but the FTT stood firm, saying

We continue to believe that our criticism was justified. The Appellant was told that he was wrong to assume that any database of information existed that could be interrogated…However, it is now known that the ICO held the Spreadsheets at the time…[and although the information in them] may not have provided the Appellant with precisely the information he requested, but it would have come close. Against that background we believe that the ICO was open to criticism for asserting, without further qualification, that it would be necessary to search through the 17,000 documents in order to respond to the request. [para 6 of second ruling]

5 Comments

Filed under Confidentiality, Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Leveson, Privacy

Tagged as , , ,

November 27, 2013 · 4:46 pm

Reducing regulation…by clogging up the courts

The only thing that made me stop laughing about the Cabinet Office’s arguments in a doomed Tribunal appeal was thinking about the cost to the public purse.

Soon after it was formed the coalition government made an admirable commitment to cut government red tape, by reducing the amount of domestic regulation

Through eliminating the avoidable burdens of regulation and bureaucracy, the Government aims to promote growth, innovation and social action

A Cabinet sub-committee – the Reducing Regulation Committee (RRC) – was set up, to “take strategic oversight of the delivery of the Government’s regulatory framework”.

Around the same time the government was also trumpeting its transparency agenda, with the Prime Minister saying, in an Observer article in September 2010

For too long those in power made decisions behind closed doors, released information behind a veil of jargon and denied people the power to hold them to account. This coalition is driving a wrecking ball through that culture – and it’s called transparency

One might not have supposed, therefore, that it would have been necessary in August 2012 for a request under the Freedom of Information Act 2000 (FOIA) to be made, for (merely) the number of times the RRC had met. Surely this is the sort of information which should be made public as a matter of course? But it was necessary. Moreover, this particular door stayed shut, despite the gentle tapping of transparency’s wrecking ball, when the Cabinet Office refused the request, citing the FOIA exemption which applies to information held by a government department which relates to a) the formulation or development of government policy, or (b) Ministerial communications (section 35(1)(a) and (b)).

The Cabinet Office continued to argue that this exemption was engaged, and that the public interest favoured non-disclosure, when the requester complained to the Information Commissioner’s Office (ICO). And when the ICO held that, yes, the exemption was engaged, but, no, the public interest favoured disclosure , the Cabinet Office appealed the decision.

The First-tier Tribunal (Information Rights) (FTT) has now handed down its judgment, and it makes amusing if dispiriting reading. Wholly unsurprisingly, the ICO’s decision is upheld, and it seems that the Cabinet Office’s argument boils down to two main points: “if we tell you how often the RRC has met then it might mislead you into missing all the great work being done elsewhere, and as a result that great work elsewhere might be adversely affected” (my apologies to the Cabinet Office if this misrepresents their position, but I’ve really tried my best).

The FTT had very little time for these arguments. The only thing vaguely in the Cabinet Office’s favour was that, as a lot of information about “reducing regulation” processes was already publicly available, the public interest in disclosure was small. But, rather devastatingly, the FTT says

the public interest in maintaining the exemption is so weak that it does not equal, let alone outweigh, the, admittedly light, public interest in disclosure (para 27) [emphasis added]

It is worth reading the judgment (which I won’t dissect in detail), as an example of a particularly weak argument against FOIA disclosure, but I would add three closing observations from which you might deduce my level of approval of the Cabinet Office’s conduct:

1. this was a request simply and merely for the number of times a government committee has met (how “transparent” is a refusal to disclose that?)
2. taking a case to FTT is not without significant costs implications (bear in mind this was an oral hearing, with a witness, and with counsel instructed on both sides)
3. the whole litigation in any case carries a huge hint as to the nature/substance of the information held (if the RRC had met often, would the Cabinet Office really want to withhold that fact?)

Leave a comment

Filed under Cabinet Office, Freedom of Information, Information Commissioner, Information Tribunal, transparency

Tagged as ,

November 26, 2013 · 4:56 pm

The weakest link

I am a big fan of Bruce Hallas‘s The Analogies Project, and I’ve been promising him for a while that I will send him a proposal for a privacy analogy for possible inclusion in the Project. For the time being, and because I’m suffering from a bit of writer’s block on that piece, I’ll post a little – and obvious – analogy here.

The recent news that the Information Commissioner’s Office (ICO) had required Great Ormond Street Hospital  for Children NHS Foundation Trust (“GOSH”) to sign an undertaking (to improve data protection compliance) made me think of the famous quotation by William James from The Varities of Religious Experience

A chain is no stronger than its weakest link

The ICO noted that, at GOSH,

Although data protection training was in place, it was not required for temporary members of staff

By their nature, temporary staff are often subject to different procedures and obligations (or lack thereof) to permanent staff. It is, consequently, all too easy for data controllers to ask temporary to handle personal data without applying the appropriate safeguards which they would always apply where permanent staff are concerned.

Data security and data protection within an organisation can, indeed, be seen as a chain. By that I don’t mean that it should tightly bind or shackle the organisation. Rather, what I mean is that – ideally – all parts should link together, and no part be isolated: thus, data, and risks, are appropriately contained.  But if a weak link is in place, the potential exists for the whole chain to be broken.

This is not profound, and I strongly suspect it’s not even a new analogy, but I think it’s one worth making.

And it gives me the chance to quote William James for the second time today.

Leave a comment

Filed under Data Protection, Information Commissioner

Tagged as ,

November 26, 2013 · 1:24 pm

Knowing what to overlook

The Upper Tribunal has allowed an appeal by an appellant whose pre-hearing language and allegations had led the First-tier Tribunal to strike out his case.

In a recently handed down judgment Upper Tribunal Judge Jacobs says

Most appellants correspond with the tribunal only when necessary, make moderate criticisms and allegations, and express themselves politely. There is, however, a small body of appellants who are persistent in their correspondence which contains wild allegations that are expressed in an intemperate or aggressive tone…

What gave rise to the proceedings in question was an appeal, by a certain Mr Dransfield, of a decision by the First-tier Tribunal (Information Rights) (FTT) to strike out proceedings remitted to it by a decision of Judge Wikely in the Upper Tribunal (UT). That remittal decision was case reference GIA/1053/2011 – unhelpfully not currently available on the UT website – and is not to be confused with another (leading) decision by Wikely J in relation to an unsuccessful appeal by Mr Dransfield (reference GIA/3037/2011).

The FTT struck out the remitted case using powers conferred by rule 8(3)(b) of Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (SI No 1976) (“the Rules”), which permits a strike-out if

the appellant has failed to co-operate with the Tribunal to such an extent that the Tribunal cannot deal with the proceedings fairly and justly

It appears that Mr Dransfield was warned by the FTT judge by a direction on 11 January 2012 (I think this should say “2013”, but I quote from paragraph 4 of the UT’s judgment) about the unfortunate, although perhaps unintentional “hectoring tone” of his emails, and rule 8(3)(b) was specifically cited to Mr Dransfield, with the observation that

Co-operation, in this context, includes using moderate language and an appropriate tone 

The warning was reinforced orally, and repeated on 29 April 2013.

Despite this, Mr Dransfield then sent an email on 12 May 2013, which the UT declines to quote in full but which is described thus

Mr Dransfield accused the Commissioner and Council of ‘conniving and colluding to pervert the Course of Justice’ and of producing ‘a pack of lies and deception’. He later referred twice to a ‘wider conspiracy to pervert the course of justice’ and said that there was sufficient evidence to justify arresting the Commissioner’s legal representative and Judge Wikeley for conspiracy to pervert the course of justice

Accordingly, the proceedings were struck out, the same day.

Interestingly (and no doubt to the frustration of some of those involved), Mr Dransfield’s appeal of this strike out has succeeded. Jacobs J  follows the words I quote at the start of this piece with

It is usually possible to deal with that small minority of appellants without resorting to the power to strike out proceedings. It is possible to ban a party from using emails and direct that any that are sent will be ignored. Another way is to limit a party to communicating in writing and only when requested, with other letters being filed but ignored. At a hearing, it is possible to limit the time allowed to a party or, if necessary, to require a party to leave the hearing room. In my experience, measures such as this are usually effective

In short, Jacobs J says that case management powers can be properly used to manage a potentially difficult litigant, and should not in this case have led to the “draconian step” of striking out Mr Dransfield’s appeal. The type of allegation made by Mr Dransfield is “regularly made in appeals before this Chamber and just as regularly ignored by the judges”.  The power to strike out and the duty to cooperate are in a “reciprocal relationship” with the overriding objective “to enable the Tribunal to deal with cases fairly and justly” at Rule 2, and specifically those parts of Rule 2 which require flexibility in the proceedings (2(2)(b)) and that the parties are able to participate fully in the proceedings (2(2)(c)).

Jacobs J ends his judgment by noting that the FTT could have employed more flexible responses “without depriving Mr Dransfield of his right of appeal” and observes, by quoting William James

‘the art of being wise is the art of knowing what to overlook.’

Very true, but I think I would just add a general point that – sometimes – some things can be too big to overlook. There will still be some cases where the failure to comply with the duty to cooperate properly merits the striking out of proceedings.

77 Comments

Filed under Freedom of Information, Information Tribunal, Upper Tribunal, vexatiousness

Tagged as

November 20, 2013 · 3:19 pm

THIS is the purpose of subject access requests

In a recent blogpost the rather excellent Bilal Ghafoor (who goes by the handle of “FOIKid”, although I note he’s now extended this to “FOI (and DP) Kid”, evidently having rather belatedly discovered the joys of data protection) asked “What is the purpose of subject access requests?“. He drew attention to the potential discord between approaches by the Information Commissioner and by the courts (in cases such as Durant  v Financial Services Authority [2003] EWCA Civ 1746) to such requests (made under section 7 of the Data Protection Act 1998 (DPA)).

In a comment on that post I argued that the Court of Appeal in Durant was perhaps not as out-of-step with, at least, the EC data protection Directive 95/46/EC as is sometimes thought

it’s important to note that the Court of Appeal were keen to stress the fact that the Act gives effect to the Directive, and that the Directive and its recitals have a “primary objective” to “protect individuals’ fundamental rights, notably the right to privacy and accuracy of their personal data held by others…

This particular primary objective is illustrated quite starkly by the news from the Press Gazette that comedian/journalist Mark Thomas discovered, through submitting a subject access request, that his name is on a “domestic extremist database”:

police held a file of seven pages containing more than 60 individual items of intelligence…”a bizarre list of events monitored by the police, lectures given, panels attended, even petitions I have supported…the police have monitored public interest investigations in my case since 1999″

Thomas says he is taking legal action to have his name removed. This will be an interesting case if it reaches court, joining a line of cases where people try to effect removal of records from police systems.

What is also interesting though is that Thomas, and the National Union of Journalists (NUJ), are encouraging journalists to submit subject access requests to the police. As Thomas says

I know of other NUJ members on the database….Which is why I am asking NUJ members to take action. If your work brings you into contact with the police whether covering riots or climate camp, from Plebgate to the NSA, then the police could have you on their database

and the NUJ general secretary Michelle Stanistreet adds

we want as many other members as possible to find out what information the Met is holding

In answer to Bilal’s question, then, I think that this – the investigation of how an arm of the UK state monitors and records the activities of the free press – is a vitally important example of what the purpose is of subject access requests.

1 Comment

Filed under Data Protection, police, Privacy, surveillance

Tagged as , ,

November 20, 2013 · 7:47 am

Data Protection concerns and Article 6

Article 6(1) of the European Convention on Human Rights provides inter alia that “everyone is entitled to a fair and public hearing”. An interesting case in the Upper Tribunal shows how failure to comply with tribunal rules (in this case The Tribunal Procedure (First-tier Tribunal) (Social Entitlement Chamber) Rules 2008 (“the TPR”) ) can render tribunal proceedings unfair and – arguably – in breach of Article 6(1). And although the case was not dealing substantively with an “information rights” matter, data protection played a small part.

This was a successful appeal, in which the Upper Tribunal held there had been a material error of law by the FTT. Upper Tribunal Judge Wright’s basis for permitting the appeal had been

that it seems arguable from the papers before me that the appeal was decided by the First-tier Tribunal without [the appellant] having had sight of the HMRC’s appeal response or the documents it relied on

and this was accepted by the respondent, HMRC.

It appears that HMRC had declined to comply with Rule 24(5) of the Rules (that it must provide a copy of the response and any accompanying documents to each other party at the same time as it provides the response to the Tribunal) because of “data security issues”…”because it was concerned that [the appellant] was not living at the address he was relying on”. It had conveyed its intention not to comply with Rule 24(5) in a letter to the FTT, but had not referred to any other Rule which permitted the action, and, although the letter sought directions from a judge there was no evidence

either on the Upper Tribunal file or the First-tier Tribunal file – to indicate either (a) that this letter was ever put before a Judge of the First tier-Tribunal, or (b) that directions were issued either requiring disclosure or precluding it, or (c) that the appeal response and evidence was ever sent to [the appellant] before the appeal was decided on 23.04.12

Accordingly, HMRC erred in law in not providing the appeal response and evidence, and the FTT, in not addressing this, made a material error of law in coming to its decision.

The Upper Tribunal judge also noted that HMRC’s concerns about data security could well have been met by section 35 of the Data Protection Act 1998 (which provides an exemption from the bars elsewhere in the DPA against disclosure of personal data if the “disclosure is required by or under any enactment, by any rule of law or by order of the court”). As the judge observed, “those words would seem to encompass rule 24 of the TPR”.

Lawyers and practitioners (and indeed litigants) should be aware that data protection concerns regarding disclosure of evidence, or serving of required papers, should not get in the way of tribunals’ overrriding objectives to deal with cases fairly and justly, because if they do, a potential breach of parties’ Article 6 rights may occur. They should also make sure (as should, I suspect, tribunal clerks) that letters seeking directions are put before a judge.

Leave a comment

Filed under Data Protection, human rights, Upper Tribunal

Tagged as

November 18, 2013 · 4:46 pm

In which I ask the ICO for a Decision Notice

In September of this year I blogged about a request I made to the Information Commissioner’s Office (ICO) for details of which website some personal data had been inadvertently uploaded to, by a council employee, which had led to a monetary penalty notice. I have now had the ICO’s response to my internal review. I do not have (and haven’t sought) permission to upload that response, but suffice to say it doesn’t uphold my complaint. For those of you still awake I append my response to it here:

I am reluctantly now applying to the Commissioner for a decision whether my request for information has been dealt with in accordance with the requirements of Part I of the Freedom of Information Act 2000 (FOIA).
 
I am of the view that you do have lawful authority to disclose the information, and, therefore, section 59(1) of the Data Protection Act 1998 (DPA) is not engaged (and by extension nor is the substantive exemption claimed: section 44 of FOIA). Before I give my reasons I would just like to clarify an error on my part: I erred in my request for internal review when I queried whether section 59(1)(c) DPA was met. What I meant was that I accepted that sections 59(1)(a-c) were met, but I doubted whether there was a lack of lawful authority for the ICO to disclose.
 
My reasons why I believe you do have lawful authority to disclose are substantially the same as I gave in the rest of my request for internal review. I will repeat them here for completeness’ sake:
 
Section 59(2)(e) says that disclosure is made with lawful authority if “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”. I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the high Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of indavertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has indavertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of indavertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such indavertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

However, I make the following further observations.

You say “I consider that the public interest here has been largely, if not entirely, met by the issuing and publication of the Monetary Penalty Notice dated 27 August 2013, the publication of the ICO News release dated 30 August 2013, and other press coverage concerning this particular data breach and how it occurred. I do not consider that disclosure of the name of the website would further this to any significant extent”. However, these sources of information were noticeably lacking in detail about how exactly the rather bizarre and worrying circumstances described in the Monetary Penalty Notice (MPN) could have happened: automatic upload to cloud storage can happen, but normally this will be to private storage – automatic upload to a “public website” is rather alarming.

I note, in passing, some recent criticism of the level of detail, or lack of clarity, in MPNs made by the First-tier Tribunal (see para 17 of the Scottish Borders case, and, the Niebel case, effectively throughout).

I also note that you say “when considering the balance of the public interest in relation to section 59(2)(e) it has to be borne in mind that the threshold is very high because disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”. With respect, whether the Commissioner or a member of his staff might commit a criminal offence is not relevant to whether the public interest means disclosure is necessary. If disclosure is necessary section 59(1) does not apply, and no suggestion of a criminal offence can arise. Moreover, you say “unless there is ‘lawful authority’ to disclose the information, to do so would constitute a criminal offence” and “disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”, and “Releasing information of this nature without lawful authority would not only constitute a criminal offence…”: all of these omit the crucial mens rea aspect of that offence, which is that the disclosure would have to be made knowingly or recklessly.

You go on to say “There is a strong public interest in information being provided to the Commissioner in confidence, to enable him to carry out his statutory duty, remaining confidential and that this information will not be disclosed without lawful authority. Releasing information of this nature without lawful authority would not only constitute a criminal offence but would also undermine the regulatory function and powers of the ICO. It would damage public trust in the Commissioner’s processes and make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. This repeats the earlier assertions, or implications, that the information in question is “confidential” or has been “provided…in confidence”, which I continue to dispute for reasons previously given (and not controverted), and makes further assertions that disclosing such information now would “make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. There appears simply to be no basis for this “chilling effect” assertion (is there, for instance, evidence to back it up?).

Finally, I note that you say “we did consult with Aberdeen City Council and we do not have explicit consent for disclosure”. You do not say when this consultation took place, but it appears that Aberdeen at some point changed their mind on this, because on 15 October they disclosed the information to me under FOIA (see https://www.whatdotheyknow.com/request/ico_monetary_penalty_notice#outgoing-307019). Clearly, this means that I do not continue to seek disclosure. It also explains why I say I make this application reluctantly (I have no wish to have you, or me, epxend time and resources unnecessarily). But I do wish to dispute that my request to you was handled according to requirements in part 1 of FOIA.

I am happy to provide any further information you might need.
with best wishes

etc

Leave a comment

Filed under Confidentiality, Freedom of Information, Information Commissioner, monetary penalty notice

Tagged as ,