Author Archives: Jon Baines

August 8, 2013 · 4:00 pm

The loophole to avoid enforcement?

Cabinet Office, FOI, Financial Times, Christopher Graham, blah blah blah

To recap. The Financial Times recently ran a resounding editorial on FOI, the ICO and the Cabinet Office, lauding the first, criticising the second’s lack of enforcement against the first, and lambasting the third. The Information Commissioner himself, Christopher Graham, replied in rather hurt tones, defending his office. Both Paul Gibbons (FOIMan) and Tim Turner have blogged on this. Here are my oar-sticking-in-coattail-hanging observations.

A key measure used by the Information Commissioner’s Office (ICO) to assess public authorities’ compliance with the Freedom of Information Act 2000 (FOIA) is the percentage of requests which are responded to within the statutory twenty day timescales. The guidance on this says

The ICO is may contact authorities [sic] if…(for those authorities which publish data on timeliness) – it appears that less than 85% of requests are receiving a response within the appropriate timescales.

Let’s ignore the obvious and worrying point that this is an encouragement not to publish such data. Fortunately for our purposes, government departments do commit to doing so, and quarterly reports covering the whole of central government are published. I can’t actually find them all on one page, so here are the reports for the last four quarters

April-June 2012
July-September 2012
October-December 2012
January-March 2013 

If you scroll through those datasets you’ll see that, over the last four quarters, the Cabinet Office has managed to respond to FOI requests within the statutory time limit or with a permitted extension in 92, 93, 95 and 86% of cases. Pretty good eh? This keeps them out of reach of the ICO radar. And, in fact, just prior to this, the Cabinet Office had been monitored by the ICO, and been required to sign an undertaking to improve, after appalling previous statistics had showed compliance in only 42 and 55% of cases in two quarters. After this monitoring period (the MoD were also monitored) the ICO announced

Both authorities have now improved their response times with over 85% of information requests being answered within the time limit of 20 working days and are working hard to deal with outstanding requests where responses have been unduly delayed. The ICO will continue to offer support and advice to help both Departments to ensure that outstanding requests are cleared as soon as possible.

However, what does “with a permitted extension” mean? It means, that in complex cases where a public authority needs more time to consider whether the public interest favours disclosure, it can disapply the twenty-working-day deadline and extend its time for compliance indefinitely, subject to reasonableness (although the ICO says it should be no more than an extra 20 days, he cannot enforce that). So let’s go back to those figures and see how the Cabinet Office would do if there wasn’t this potential loophole. If one simply asks “what percentage of requests were responded to within 20 working days?”, the figures are in fact 77, 77, 79 and 74%. Of course, without access to individual cases it is impossible to say whether these multiple extensions to consider public interest were made legitimately or not. However, the Cabinet Office appears to claim the extension much more than most other departments (the Foreign and Commonwealth Office has similar figures, however).

I am sure the Cabinet Office will claim that the reason it does this is because it has to deal with more complex cases. Maybe that’s the case, but it would be nice if someone could look into it. And, of course, the ICO could. The guidance on how authorities are selected for monitoring doesn’t stop at the 85%-compliance measure. It also says they may contact authorities if 

our analysis of complaints received by the ICO suggests that we have received three or more complaints citing delays within a specific authority within a six month period [or if there is] Evidence of a possible problem in the media or other external sources.

To which I say, ICO, the evidence is clear (look at Tim’s analysis, look at Paul’s, even look again at Chris Cook’s). Compliance stats are not the only measure (and even then they may hide the true picture). The triggers for enforcement are there, but is there a will?

And finally.

3 Comments

Filed under Cabinet Office, Freedom of Information, Information Commissioner, transparency

Tagged as , ,

August 6, 2013 · 4:11 pm

On the tweet where you live

Do Home Office tweets of people arrested on suspicion of committing immigration offences engage data protection law?

The recent sordid campaign by the Home Office to publicise their “crackdown on illegal immigration” involved the tweeting of pictures of people apparently arrested in connection with immigration offences. I’m loath to post links because any further publicity risks undermining my point in this piece, but suffice to say that two pictures in particular were posted, one of a man being escorted (police officers at either side of him, holding his arms) from what look like retail premises, and one of a man being led by other officers into a cage in the back of a van. In both cases, the person’s face has been blurred by pixelation. There have been suggestions that the broader aspects of the campaign (disgracefully, vans have been deployed displaying advertisements saying “In the UK illegally? Go home or face arrest“) might be unlawful for breach of the Public Sector Equality Duty, and some have argued that to use the hashtag #immigrationoffenders to accompany pictures of people only suspected of crime might be to prejudge a trial, and could even constitute contempt of court. However, I would argue that the tweets also engage, and potentially breach, data protection law.

For the sake of this argument I will work on the presumption that, because the images of their faces have been obscured no third party can recognise the individuals concerned (I think this is actually probably wrong – potential identifying features, such as location and clothing are still displayed, and it is quite likely that friends, relative, colleagues could identify them). However, this does not mean that the images are outwith the Data Protection Act 1998 (DPA) and the European Data Protection Directive 95/46/EC to which it gives effect. The former defines personal data as

data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller [emphasis added]

In this instance the Home Office (or its agents) must itself know who the people in the images are (they will have had sufficient identifying information in order to effect an arrest) so, in their hands, the images constitute the personal data of the people in them. As the Information Commissioner’s Office (ICO) explains

It is important to remember that the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands…data may not be personal data in the hands of one data controller…but the same data may be personal data in the hands of another data controller…depending on the purpose of the processing and the potential impact of the processing on individuals

So the taking, retaining and publishing of images of people whose identities are obscured but who can be identified by the data controller will constitute the processing of personal data by that data controller. Consequently, the legal obligations for fair and lawful processing apply: section 4(4) of the DPA imposes a duty on a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. Lord Hoffman explained this, in the leading FOI (and DPA) case on identification 

As the definitions in section 1(1) DPA make clear, disclosure is only one of the ways in which information or data may be processed by the data controller. The duty in section 4(4) is all embracing. He must comply with the data protection principles in relation to all “personal data” with respect to which he is the data controller and to everything that falls within the scope of the word “processing”. The primary focus of the definition of that expression is on him and on everything that he does with the information. He cannot exclude personal data from the duty to comply with the data protection principles simply by editing the data so that, if the edited part were to be disclosed to a third party, the third party would not find it possible from that part alone without the assistance of other information to identify a living individual. Paragraph (b) of the definition of “personal data” prevents this. It requires account to be taken of other information which is in, or is likely to come into, the possession of the data controller. Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47

So the Home Office cannot merely edit the data (by pixelation) and thus exclude it from the duty to process it in accordance with the data protection principles: these images are personal data. Moreover, they will come under the subset known as sensitive personal data, because they consist of information as to the commission or alleged commission by the data subject of any offence (they might also fall into this subset because they show the racial or ethnic origin of the data subject, but this is less certain).

The first data protection principle requires that

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
As this is sensitive personal data, a Schedule 3 condition must be met in order for the processing to be fair and lawful. Try as I might, I cannot find one that is (I adopt the list as explicated by the ICO)

  • The individual who the sensitive personal data is about has given explicit consent to the processing.
  • The processing is necessary so that you can comply with employment law.
  • The processing is necessary to protect the vital interests of: – the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or- another person (in a case where the individual’s consent has been unreasonably withheld).
  • The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
  • The individual has deliberately made the information public.
  • The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
  • The processing is necessary for administering justice, or for exercising statutory or governmental functions.
  • The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
  • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

It will be noted that the two conditions emphasised by me in italics might be thought to apply, but one notes the word “necessary”. In no way were these tweets “necessary” for the purposes to which those conditions relate. By contrast, when authorities publish photographs of wanted criminals, the necessity test will normally be made out. It is, I suppose, just possible that the data subjects gave their explicit consent to the tweets, but that’s vanishingly unlikely. (A question does arise as to what conditions permit the processing by the police of pixelated images of potential offenders in programmes such as “Police, Camera, Action” and “Motorway Cops”: it may be that this has never been challenged, but it may also be that the data controller is in fact the film company, who might be protected by the exemption from much of the DPA if the processing of data is for journalistic purposes).

(I would observe, in passing, that many customary practices to do with publication of information about crimes or suspicion of criminal behaviour are potentially in breach of these provisions of the DPA if they are construed strictly. Although there is the journalistic exemption mentioned above, those to whom that exemption arguably does not apply (bloggers, tweeters, police, other public authorities) are at risk of breach if they, for instance, publish identifying information about people who have criminal convictions or are suspected of having committed a crime. This area of the law, and its implications for open justice, have not, I think, been fully played out yet. For discussions about it see my post and others linked here.)

If no Schedule 3 condition can be met, the processing will not be in accordance with the first data protection principle, and the data controller will be in breach of section 4(4) of the DPA. What flows? Well, probably very little – the data subjects have a right to serve a notice (under section 10 of the DPA) requiring the cessation of processing which is causing or likely to cause substantial unwarranted damage or distress. Additionally, they have a right either to bring a civil claim for damages (very difficult to show) or to complain to the ICO. However, data subjects like this are not necessarily going to want to assert their rights in a strident way. The ICO himself could intervene – he has the power to take enforcement action if he is satisfied a data controller has contravened or is contravening the data protection principles (and, much to his credit, he has recently issued notices against a Council which was requiring taxi drviers to instal CCTV/audio recording facilities in all cabs, and against a Police force which was operating a “ring of steel” ANPR network). It appears though that the Home Office twitter account has gone quiet (it hasn’t tweeted in several days). Perhaps there have been second thoughts not just about the legality, but also the morality, of the campaign. I am always the optimist.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Home Office, human rights, Information Commissioner, journalism, police

Tagged as , ,

August 6, 2013 · 2:11 pm

Let’s blame Data Protection (a new series): Part One

Data Protection is to blame for many things (sleepness nights for Data Protection officers, hits to the public purse,  a proportionate measure of respect and security for people’s sensitive private information, bulging wallets for lawyers) and many people like to criticise it. In this occasional series I want to come to its defence, by pointing out examples where data protection has been wrongly blamed for a failure elsewhere. The Information Commissioner used to do something similar but seems to have given up with that (and, after all, “data protection duck out” is a cringemaking phrase).

So here’s my first example: “Vague” Data Protection Act blights fraud detection, say insurers

The facts of the article itself are fine, as one would expect if the author is Pete Swabey, but it’s the message itself that grates. According to the Chartered Insurance Institute (CII), there is a problem with section 29 of the Data Protection Act 1998 (DPA), which permits the disclosure of personal data by a data controller, whereby the general presumption against non-disclosure is disapplied if applying it would be likely to prejudice any of the following purposes: the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature. Normally the question whether to disclose will arise in response to a specific request from another person or body (normally one with crime detection or prosection powers, or tax collection powers). This comes down to a matter of applying a balancing test to specific facts: if I don’t disclose this information, would it be likely to cause prejudice to those purposes?

This is often a difficult decision for a data controller (it’s about serious matters – why should it always be easy?). But the CII complain that

the vagueness of Section 29…has led to an extremely high volume of information requests, with little consistency or clarity. This, it says, is hindering investigations. 

“Certain companies, particularly the lawyers, are sending requests out without thinking about them,” [says] David Clements, motor investigations manager at Zurich

Bad Data Protection Act! Making people ask for disclosure of personal data without giving it much thought!

Also, the fact that requests and responses are made in a haphazard, non-standard fashion creates unnecessary work for fraud investigators.

Silly Data Protection Act! Making an industry incapable of standardizing procedures!

And, indeed, the article says that the industry is trying to sort itself out

The New Generation Claims Board is working on a voluntary code of best practice to help insurance providers both improve the efficacy of their fraud investigations and reduce their risk of non-compliance. 

“We’re going to provide the industry with a best practice protocol plus a template for sending and receiving requests,” Clements explains.

But the evil Data Protection Act is still lurking about causing trouble, because this is only a voluntary scheme

as insurance companies are not even obliged to respond to Section 29(3) requests

Come on Data Protection Act, sort yourself out!

Leave a comment

Filed under Data Protection, Information Commissioner, Let's Blame Data Protection, Uncategorized

July 31, 2013 · 7:40 am

An error of judgment

A very brief post, on something in a High Court judgment which may merely be a slip.

On 6 June 2013 a renewed application to appeal to the Employment Appeal Tribunal was heard in the High Court. The applicant, Flynn, is seeking compensation for detriment suffered by reason of the making of a public interest disclosure (the “whistle-blowing claim”) and for arrears for holiday pay. The respondent, Warrior Square Recoveries Limited (“Warrior”) made an initially unsuccessful attempt to have the claims struck out. On appeal the Employment Appeal Tribunal refused to strike out the holiday arrears claim, but struck out the whistle-blowing claim because it had not been brought within the requisite three-month time-limit. Flynn now sought to reinstate the whistle blowing claim.

Lord Justice Rimer was not impressed by the arguments to reinstate, but, rather reluctantly, found one sufficiently compelling to justify permission

The only argument that appeared to me arguably to have some legs to it was that on 21 May 2010 the applicant made a subject access disclosure application to Warrior under the Freedom of Information Act 2000, the purpose being the provision to him of information as to whether or not the defamation claim was being pursued. Warrior had 40 days to comply with the request, but it did not do so. It is said that the expiration of the 40 days marked another deliberate failure by Warrior to act, following which the tribunal proceedings were issued within three months.

With some hesitation, I regard this ground as sufficient to justify permission to appeal…

The perspicacious among you might have noticed something. Subject access, and the 40 day time for compliance, are terms not from the Freedom of Information Act 2000 (FOIA), but from section 7 of the Data Protection Act 1998 (DPA). FOIA only applies to public authorities, of which Warrior is not one. If a public authority receives a request seeking subject access under FOIA it should apply the exemption at section 40(1) and “the public authority will need to deal with it in accordance with the DPA” (Information Commissioner guidance). An employer, such as Warrior, which is not a public authority, has no such obligations under FOIA. It probably should have still, on receipt of a letter purporting to be a FOIA request, have read it and recognised it as being, rather, a subject access request under DPA (under which it does have obligations to respond). But I’m not sure I would criticise it too much for seeing the words “Freedom of Information Act”, and thinking it didn’t need a response. I’m also not sure that the failure to respond to a non-existent obligation under an Act to which the company was not subject should have counted for the purposes of deciding when the time for lodging a claim started.

As I say, this may be a transcription error, or the judge might have mistakenly cited FOIA when he meant DPA, but the fact that this point was determinative of whether to allow permission to appeal means the error (whether it was an actual one, or just in the handed down judgment) is very odd.

Leave a comment

Filed under Data Protection, employment, Freedom of Information, Uncategorized

Tagged as ,

July 30, 2013 · 5:22 pm

It’s still not fine

Last week I blogged about enforcement notices served on three Midlands police forces by the Information Commissioner (IC). I was surprised that the circumstances hadn’t merited stronger sanctions, in the form of monetary penalty notices (MPNs), and I tweeted to ask why.

As you can perhaps see, the IC’s office has kindly replied to my tweet. I had asked

I would really like to know why the IC did not see fit to issue Monetary Penalty Notices. Can you advise?

and their reply says

enforcement notices best means of improving compliance. Considered details of the case inc limited involvement of each force

I have to say I think this is a questionable response (although I take the point that a 140-character limit is restrictive).

Firstly, enforcement activities are not mutually exclusive – it is not uncommon for an enforcement notice and an MPN to be served in tandem on a data controller. thus, as recently as June this year, Glasgow City Council was served an MPN of £150,000 by the IC following the loss of, er, unencrypted laptops, and at the same time was served an enforcement notice requiring certain corrective actions to be undertaken.

Secondly, and I may be misinterpreting, but the reply seems to say that the “limited involvement of each force” was a determining factor in a decision not to serve an MPN. However, there were three data controllers involved. If each of them had a “limited” involvement, one is led to ask “wasn’t that the main problem?”. Derbyshire and Leicestershire both “did not carry out a risk assessment before they joined [the collaboration unit]…relying on the security measures taken by Nottinghamshire“, but those security measures were inadequate (lack of encryption, laptops not physically secured). Meanwhile, none of the forces properly monitored its officers while they were seconded.

It seems to me that the limited involvement of each of the forces might, instead of excusing it, have in fact been the key factor why the security breach happened.

Principle seven of the first schedule to the Data Protection Act 1998 (DPA) requires that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Many many public (and private) sector data controllers are undertaking collaborative and partnership working, or are taking steps to do so. All responsible organisations are very aware, where they continue, either jointly or in common with other organisations, to determine the purposes for which and the manner in which any personal data are, or are to be, processed, that they remain a data controller, with the consequent responsibilities and liabilities. They are very aware of the IC’s Data Sharing Code of Practice.

And they are very aware that, if things go wrong with data-sharing, it will not normally be sufficient to point at a partner, and say “it was their fault”, or, even less, for all partners to shrug their shoulders and say, “that wasn’t our responsibility”.

Leave a comment

Filed under Data Protection, data sharing, enforcement, Information Commissioner, monetary penalty notice, police, Uncategorized

Tagged as ,

July 29, 2013 · 1:29 pm

An Unnecessary FOI Appeal?

South Lanarkshire Council have lost what seems to me to have been a rather unnecessary, and surely rather costly, FOI case in the Supreme Court. That said, the judgment is important reading.

It is well-established that, for disclosure of personal data to be lawful under Freedom of Information law (both the Freedom of Information Act 2000 (FOIA and the Freedom of Information (Scotland) Act 2002 (FOI(S)A) it will normally be necessary to satisfy the test in the sixth condition of Schedule Two of the Data Protection Act 1998 (DPA)

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Disclosure is, by section 1(1) of the DPA, an act of “processing”.

It is also well-established (indeed, one might almost say it is trite law), that “necessary” in that condition is to be construed in accordance with the relevant European authorities. As the High Court held, in the MPs’ expenses case

‘necessary’ within para 6 of Sched 2 to the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends. Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

For reasons which are not entirely clear to me (but I’m not a Scottish lawyer) (in fact, I’m neither Scottish, nor a lawyer) the Court of Session in Scotland said, when hearing an appeal from South Lanarkshire Council of a decision by the Office of the Scottish Information Commissioner (OSIC) to order disclosure of information on how many of the total number of a certain post were placed at specific points in the pay scale, that it saw the force of a submission by counsel for the Council that

the word “necessary” should be accorded its ordinary and natural meaning, with the opening phrase being understood as imposing a distinct requirement

and that

but for the authority [of the MPs expenses case], we would have had little hesitation in giving effect to it

but they didn’t even need to reach a concluded view on this, because it was clear that, in this case, whatever construction was given to “necessary”

the Commissioner could only have concluded that necessity was made out. In particular, he held that the Requester’s own interest coincided with a widespread public interest in the matter of gender equality and that it was important to achieve transparency on the subject of Equal Pay. No better means existed to achieve that goal than by releasing the information in question

Apparently grabbing at that tiny bone thrown them by the Court of Session, the Council appealed to the Supreme Court. The hearing was three weeks ago, and judgment has been handed down today (which strikes me as rather quick) unanimously dismissing the Council’s appeal. At the time of the hearings The Herald reported that the Supreme Court had “slapped down” the Council

A cash-strapped Labour council has been scolded by one of the UK’s most senior judges for “dancing on the head of a pin” with “Alice In Wonderland” legal arguments, which have cost taxpayers thousands of pounds.

Anyone with any experience of litigation knows that it is a dangerous game to predict the outcome on the basis of the apparent approval or disapproval of your argument by the judge – often the strongest argument will be given the heaviest interrogation – but it does appear that, in this case, The Herald wasn’t taking too much of a gamble in anticipating the outcome. Lady Hale, giving the leading judgment, agreed with the Council that

the word “necessary” has to be considered in relation to the processing to which it relates. If that processing would involve an interference with the data subject’s right to respect for his private life, then [Rechnungshof v Ősterreichischer Rundfunk (Joined Cases C-465/00, C-138/01 and C-139/01) [2003] 3 CMLR 265] is clear authority for the proposition that the requirements of article 8(2) of the European Convention on Human Rights must be fulfilled

but in this instance, although disclosure of the information would be “processing” of “personal data” by the Council (as the Council itself could identify those to whom the data related), the requester (nor any other third party) would not be able to identify the data subjects. Accordingly

as the processing requested would not enable Mr Irvine or anyone else to discover the identity of the data subjects, it is quite difficult to see why there is any interference with their right to respect for their private lives

And Lady Hale disagreed with the Council on the construction of “necessary”

all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information…and whether he needs that information in order to pursue it. It is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary…necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less 

As the requester was clearly pursuing a legitimate interest, and this could only be met by disclosure under FOI(S)A the appeal had to fail, and the information falls to be disclosed. It is difficult to see how any other outcome, following the domestic and European authorities, could have ensued.

This does leave unanswered what the outcome would be if, for instance, no legitimate interest were advanced by a requester and/or the data subjects could be identified. In this instance, the OSIC had sought clarification of the requester’s purposes, in an investigation which the Supreme Court held was not in breach of the rules of natural justice, despite a failure to involve the Council in the correspondence. As a blogger activist the requester, Mr Irvine, could clearly point to a legitimate interest – a “serious, ongoing interest in equal pay matters”, but Lady Hale observed that

for example, if Mr Irvine had asked for the names and addresses of the employees concerned, not only would article 8 have clearly been engaged, but the Commissioner would have had to ask himself whether his legitimate interests could have been served by a lesser degree of disclosure

 In European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P) the European Court of Justice found that the European Commission had not erred in refusing to disclose, under the EU Access Regulation, the identities of people attending a meeting, because the company requesting it had not been able to advance a legitimate interest in disclosure (see the excellent Panopticon post on this). FOI was traditionally said to be “applicant blind”, with a requester not needing to advance a purpose for asking for information, but, as these “personal data” cases (and others not relating to personal data – the “social watchdog” argument in the ongoing litigation involving Dominic Kennedy and the Charity Commission) show that motivation can be a determining point when it comes to disclosure under FOI.

2 Comments

Filed under Data Protection, FOISA, Freedom of Information, human rights, Uncategorized

Tagged as , ,

July 27, 2013 · 8:57 am

Back to Blacklists

Could action taken by the ICO in 2009 still have a part to play if construction industry blacklisting has continued? (acknowledgement: Tim Turner made some of these points back in January this year)

In 2009 the Information Commissioner prosecuted Ian Kerr, the then chief officer of a body called the Consulting Association. The Consulting Association had been holding a blacklist of people within the construction industry seen as “troublemakers” (a blacklist inherited from the Economic League, as detailed in Tim Turner’s superb post on the subject) and making this information available to clients on payment of a fee. The fall-out from this continues to this day, with, on the one hand civil claims being pursued, for what I understand to be common law “unlawful means conspiracy” and defamation, and on the other hand, the reports that the Information Commissioner’s Office (ICO) has been asked by Business Secretary, Vince Cable, to investigate allegations that the practice has continued to this day, on major construction projects like the Olympic Park and Crossrail (by the way, the extraordinary testimony of Gail Cartmail of Unite, in that last link, is essential reading).

The ICO’s prosecution of Kerr was for the relatively minor (and relatively rarely enforced) offence under the Data Protection Act 1998 (DPA) of failing to register with the ICO for his processing of personal data. No other sanction was, apparently, open to the ICO at the time. This was because the current regime of civil Monetary Penalty Notices (MPNs) for serious contraventions of the DPA had not then commenced.

As Chris Pounder pointed out at the time, there is even a query, applying the strict definitions of “data” in section 1(1), whether a blacklist held solely on paper, and arranged in, say, date order (rather than by reference to individuals), is even caught by the DPA. If not, then enforcement by the ICO would not be possible. This is because “data” broadly applies only to electronically-processed information or information held as part of a filing system structured by reference to individuals or criteria relating to individuals. One hopes that any alleged blacklisters haven’t made a habit of reading Chris’s blog and subsequently exploited a loophole that remains open.

Putting to one side this “loophole” point, it is likely that any processing of personal data which unfairly and unlawfully deprived someone of employment would constitute a serious contravention of the DPA, probably causing substantial damage and distress, and thus potentially attracting an MPN. An MPN is a relatively powerful weapon in the ICO’s armoury, and in my opinion one that has been used well to drive up data protection standards and drive home the importance of data security. Whether a huge construction firm would notice a (maximum) £500,000 penalty is another matter.

And, of course, none of the money paid under an MPN goes to the victim of a serious DPA contravention (it goes to the government consolidated fund). However, it is open to a data subject in such circumstances to bring a claim in the county court under section 13 of the DPA. Compensation is available if specific damage can be shown, and, if damage can be shown, further compensation for distress can follow. It is not clear to me whether the current claims from the 2009 events contain DPA claims, but the fact that they are being reported primarily as claims for tortious conspiracy suggests that even if so, they are subsidiary to the latter.

However, there is one further sanction which Tim Turner alludes to, which might possibly be in play. When the ICO prosecuted Kerr it also took steps to close down the practice, by issuing DPA enforcement notices against fourteen construction companies who had been proved to have used the list or supplied information: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited. An example of one of the enforcement notices is archived here. It required the company broadly to

Refrain from using, disclosing or otherwise processing any personal data obtained from Mr Kerr

but also to

Ensure that if any personal data relating to recruitment is obtained from a source other than the data subject, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

Ensure that if any personal data relating to recruitment is disclosed to a third party for use in connection with the recruitment of workers, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

The notices do not appear to have been effective only for a fixed period, so one is to assume that they remain effective*. If any of the firms upon which they were served have sinced breached the terms of the notice they could potentially have committed an offence under section 47(1) of the DPA. That offence is triable either-way, and anyone found guilty is liable on summary conviction, to a fine not exceeding £5000, or on conviction on indictment, to an unlimited fine. And, by section 61 of the DPA, where, as here, the notices were served on bodies corporate, the bodies’ directors and some other officers can also be guilty of the offence of failing to comply with an enforcement notice if the offence is proved to have been committed with their consent or connivance or to be attributable to their neglect.

One wonders if the ICO’s 2009 enforcement proceedings may still have some part to play.

UPDATE: 15 August 2013

*The ICO has confirmed to me that they have no record of any of the Enforcement Notices being cancelled or varied, nor of any applications to cancel or vary being received. The ICO considers that the Enforcement Notices are still effective.

5 Comments

Filed under damages, Data Protection, employment, enforcement, Information Commissioner, monetary penalty notice

Tagged as ,

July 26, 2013 · 6:49 pm

It’s not fine.

About the rather odd Friday afternoon news that the ICO has served enforcement notices, not monetary penalties, on three police forces

In February 2011 the Information Commissioner (IC) served civil Monetary Penalty Notices (MPNs) under section 55A-E of the Data Protection Act 1998 (DPA) on Ealing and Hounslow Councils (£80,000 and £70,000 respectively), after two unencrypted laptops containing sensitive personal data of approximately 1700 individuals were stolen. The Councils had a joint working arrangement whereby Ealing would provide an out-of-hours service on behalf of both councils. The MPNs were fair enough – the IC and others had been saying for some time that encryption of hardware was a necessary data security measure, and even though Ealing Council had a policy on this, it issued the laptops to an employee in breach of it. Hounslow took the hit because they didn’t have a written contract in place to describe and prescribe the collaborative working arrangements it had entered into with Ealing.

One might have wondered, more than two years further on, what size of monetary penalty a data controller would receive if it had also entered into a joint working arrangement in the absence of a written contract, but had failed to carry out a risk assessment, simply relying on what turned out to have been inadequate security measures taken by one of parties, and several unencrypted laptops containing the sensitive personal data of approximately 4500 individuals were stolen.

The answer (unless MPNs are to follow) based on the IC’s news release and blog today about three police forces, appears to be that no MPNs of any size will be served. Rather, enforcement notices have been issued, requiring the police forces to appoint Senior Risk Information Owners (you mean they haven’t got them already?), encrypt all portable devices (you mean they don’t already?), ensure appropriate security measures are taken to protect personal data (you mean they aren’t already?), and ensure officers have received training on the security requirements of the DPA (you mean…etc, etc, etc).

Don’t get me wrong, enforcement notices are an important part of the IC’s regulatory weaponry (I just wish he’d use them on FOI miscreants) but they are a step down from MPNs, and they don’t really serve as a punishment for serious contraventions of the DPA, but merely act as a warning.

Clearly, considerable discretion is conferred on the IC as to what sort of enforcement action is appropriate, but, on the facts, and on comparison with previous MPNs, it is very hard to avoid the conclusion that: the contraventions of the DPA were serious; they were likely to cause damage or distress which was significant; and the police forces knew or ought to have known that there was a risk that a contravention of this kind would occur but failed to take reasonable steps to prevent it. In those circumstances, the relevant conditions for an MPN exist, and I struggle to understand why none transpired.

I do note that the laptop thefts were in August 2010, but this was after DPA provisions conferring the power on the IC to serve MPNs were commenced. I also note that the data subjects appear to have been criminals, but information about criminality is sensitive personal data under the DPA and accorded a higher level of protection.

I’ve asked the ICO on twitter if they can tell me why MPNs were not served. I don’t really expect an answer – it’s a thorny question, and probably doesn’t qualify as an FOI request, but I am, genuinely, interested to know. If anyone has any ideas, I’d like to hear them.

2 Comments

Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, police

Tagged as ,

July 20, 2013 · 8:30 am

Good Lord!

On Lord Selsdon and the subject of criminal offending under the Data Protection Act

There was much astonishment yesterday, after a peer of the realm, the 3rd Baron Selsdon, claimed in a debate about littering in the House of Lords that he sometimes gets private information about people throwing litter from cars, and later telephones them to admonish them:

I have followed them occasionally and, for a bit of fun, have taken a note of their vehicle registration numbers. Occasionally, because I have friends in the DVLA, I manage to find their telephone number and I give them a ring

Several media outlets point out that, if this were true, it could be a breach of the Data Protection Act 1998. For instance, the Independent says

If Lord Selsdon did access information from the DVLA in this way, there may have been a breach of the Data Protection Act 1998, which requires organisations such as the DVLA to keep personal information secure

This isn’t wrong, but it overlooks that not only could it be a DPA breach, it could also be a criminal offence committed by the noble Lord and his “friends in the DVLA”. I note that the Telegraph touches on this, but doesn’t clearly explain why the criminal law might be engaged (it focuses on the DPA requirement that organisations should keep data secure).

(It should be noted that I am not accusing Lord Selsdon or his friends of committing an offence – nothing has been proven and he has so far declined to comment, while the DVLA are said to be investigating. Additionally, it does occur to me that sometimes one exaggerates when one is trying to impress one’s P̶e̶e̶r̶s̶ peers – the 3rd Baron might simply have been gilding his oratory lily.)

Nonetheless, under section 55 of the DPA a criminal offence is committed if, “without the consent of the data controller” (which here is the DVLA itself, not its individual employees), a person “knowingly or recklessly…obtain[s] or disclose[s] personal data or the information contained in personal data”. An offence will not be committed if the obtaining or procuring was necessary “for the purpose of preventing or detecting crime” or if the person acted in the reasonable belief that he had the legal right to obtain or disclose the data, or that he had the consent of the data controller, or if the obtaining or disclosing were in the public interest. What “necessary”, “reasonable belief” and “public interest” mean must be considered in light of the purposes for which the obtaining or disclosing occurred. So, for instance, if a serious crime were averted by such an action the elements of the offence might not be made out, but, distasteful and irritating as some of us find it, littering is certainly not a serious crime. Equally, someone who mistakenly thinks he has the right to obtain or disclose data might avoid the offence, but someone who says that he did it “for a bit of fun” by contacting “friends” might not.

Examples of successful prosecutions for this offence are: a letting agent and one of its directors who obtained details about a tenant’s finances from a rogue council employee; a gambling industry worker who obtained and sold gamblers’ personal details; a GP’s receptionist who obtained medical data about her ex-husband’s new wife.

The offence is also very much in the headlines following Lord Justice Leveson’s inquiry into the culture, practices and ethics of the press, which recommended strengthening of prosecution and sentencing powers under the DPA. Some journalists are perhaps understandably concerned that the practice of investigative reporting could be compromised by too robust a statutory scheme which criminalises the obtaining or disclosure of information by unofficial means.

Lord Selsdon will no doubt be regretting his apparent throwaway remarks.

1 Comment

Filed under Data Protection, journalism

Tagged as

July 19, 2013 · 12:11 pm

Bank-bashing by the Court of Appeal

The conduct was…intimidatory and controlling…If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires

The Court of Appeal has held that the Bank of Scotland is liable for harassment in making hundreds of calls to  someone who exceeded her overdaft limit.

With the Information Commissioner taking recent robust action we all know that the making of unwanted calls by commercial organisations can be a breach of The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.

However, a recent Court of Appeal judgment has held that this practice can also constitute harassment, even when the calls are made by one’s own bank, in pursuit of a debt.

In Roberts v Bank of Scotland the claimant – a valiant litigant in person – had sought and was awarded damages in the County Court in the sum of £7500, under section 3 of the Protection from Harassment Act 1997. The Bank appealed, both on liability and quantum, and I suspect they wish they hadn’t.

The claim was made after the Bank made 547 calls in little more than a year, arising from minor instances of exceeding overdraft limits. Ms Roberts did not want to speak to call centre operatives, and had apparently sought unsuccessfully to speak to her local branch manager. Many of the calls were intimidatory, albeit couched in polite language. Despite Ms Roberts repeatedly asking for them to cease, she was told the calls would continue.

The Appeal Court had no hesitation in dismissing the Bank’s appeal, and did so in extraordinarily disapproving terms.

This was, undoubtedly, a course of conduct which amounted to harassment and which the bank knew or ought to have known amounted to harassment:

…the bank’s conduct in the present case easily crosses the threshold. It was harassment which could have been prosecuted in the criminal courts. In the event, and fortunately for the bank, this matter simply comes before the civil courts as a claim for damages [¶45]… The bank must have been perfectly well aware of the phone calls which it was making [¶47]

and the Bank could not fall back on the fact that it was pursuing a debt – there were other ways to do this, given that Ms Roberts had repeatedly asked for calls to cease. Although initially “it made perfectly good sense for the bank to write to the claimant and also to telephone her” this did not mean that all future calls were legitimised

The existence of a debt…does not give the creditor the right to bombard the debtor with endless and repeated telephone calls. The debtor is fully entitled to say that he does not wish to talk to the creditor. In those circumstances, the creditor is thrown back upon his full legal remedies. That is what the courts are there to provide…the claimant made it abundantly plain that she did not wish to receive telephone calls from the bank. She was perfectly entitled to adopt this position. Once the bank had tried to telephone the claimant a few times and had received the same response on each occasion, it was obvious that telephoning the claimant would achieve nothing. Thereafter, there was no possible justification for continuing to ring the claimant up [¶32-33]

All three judges were clearly very unsympathetic to the Bank’s arguments. A selection of their asides:

If [counsel for the Bank] is right in saying that the only practicable means by which a bank can contact defaulting customers is the method adopted in this case, then banks had better build into their costings the damages which from time to time they will be called upon to pay to those customers.[¶50]

The conduct was, as the judge said, intimidatory and controlling. In short, it was, in my judgment, obviously unlawful harassment. If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires [¶62]

The bank should respect the rule of law and therefore it should, in the light of the judgments of this court, revise its systems and desist from any tortious conduct, and not simply factor into its working and operating costs the fact that from time to time the bank will have to pay damages for harassment [¶65]

That last comment, and indeed the judgment as a whole,  is pretty ominous for any organisation seeking to pursue and persuade debtors by a process of repeated phone calls (for which, now read “potential harassment”) when the recipient has asked them to desist. Lord Justice Jackson suspects his comments might be greeted with “derision in the boardrooms of the banks”: I suspect they may be also be greeted with consternation, and concern about the future of an element of banking practice which has effectively gone on unchecked for years. They would hardly have brought this appeal, over for what is for them a minute sum of money, unless they thought the case had wider implications which threatened their business practices.

They now will need to lick their wounds, and reconsider their approach to commercial morality and legality.

postscript

From this post on the excellent choptheknot blog it appears that similar principles were followed in another case involving the Bank of Scotland: Johnson v Bank of Scotland plc [2013] All ER (D) 193

2 Comments

Filed under damages, Data Protection, harassment, nuisance calls, PECR, Privacy