Category Archives: Confidentiality

It’s our Right to Know, Mr ICO

On 29 August the Information Commissioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I thought I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrast, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many, many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment, by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes
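The request above refers to the well-documented pattern of personal data leaking through hidden cells and sheets in published spreadsheets. An .xlsx file is just a zip of XML parts: a hidden sheet is flagged with state="hidden" (or "veryHidden") in xl/workbook.xml, and hidden rows and columns carry hidden="1" in the worksheet XML. None of that is removed by "Save as", so it travels with the file onto the website. The following is an added example, not code from this post or from the ICO, showing the pre-publication check a data controller could run with only the Python standard library. The sample workbook it scans is constructed inline (a visible summary sheet over a hidden case-level sheet, plus a hidden row and column); the sheet names, postcodes and text in it are invented.

```python
"""Pre-publication scan of an .xlsx workbook for hidden sheets, rows and columns."""
import io
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": M}


def _is_true(value):
    # OOXML booleans may be written as "1" or "true"
    return value in ("1", "true")


def scan_hidden(xlsx_bytes):
    """Return hidden sheet names and, per worksheet part, hidden row and column indexes."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings["hidden_sheets"].append(sheet.get("name"))
        for part in sorted(z.namelist()):
            if not part.startswith("xl/worksheets/sheet"):
                continue
            ws = ET.fromstring(z.read(part))
            rows = [int(r.get("r")) for r in ws.findall("m:sheetData/m:row", NS)
                    if _is_true(r.get("hidden"))]
            cols = []
            for c in ws.findall("m:cols/m:col", NS):  # <col> covers a range min..max
                if _is_true(c.get("hidden")):
                    cols.extend(range(int(c.get("min")), int(c.get("max")) + 1))
            if rows:
                findings["hidden_rows"][part] = rows
            if cols:
                findings["hidden_cols"][part] = cols
    return findings


def safe_to_publish(findings):
    """A workbook with any hidden content should not go on a public website as-is."""
    return not (findings["hidden_sheets"] or findings["hidden_rows"] or findings["hidden_cols"])


def build_sample_xlsx():
    """Constructed sample workbook (assumption: invented content, minimal parts only)."""
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/><Default Extension="rels" '
        'ContentType="application/vnd.openxmlformats-package.relationships+xml"/></Types>')
    workbook = (f'<?xml version="1.0" encoding="UTF-8"?><workbook xmlns="{M}" xmlns:r="{R}">'
        '<sheets><sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="CaseData" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>')
    # Summary sheet: column C hidden, row 2 hidden
    sheet1 = (f'<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="{M}">'
        '<cols><col min="3" max="3" width="12" hidden="1"/></cols><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Area</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>internal note</t></is></c></row>'
        '</sheetData></worksheet>')
    # Hidden sheet holding the case-level detail that should never have been in the file
    sheet2 = (f'<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="{M}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Child A, AB99 9XX, case notes</t></is></c></row>'
        '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_hidden(build_sample_xlsx())
    print(result, "safe:", safe_to_publish(result))
```

Run against a real file by replacing build_sample_xlsx() with open(path, "rb").read(). The scan deliberately reports rather than repairs: hiding a row is not the same as deleting it, so the right fix before publication is to copy only the visible, intended cells into a fresh workbook (or export to CSV) rather than to unhide and re-hide.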

1 Comment

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency

An unshared perspective

Paul Gibbons, FOI Man, has blogged about data-sharing, questioning whether an over-cautious approach to sharing of health data is damaging. Paul says

What I’m increasingly worried about is what appears to be a widely held and instinctive view that any sharing of personal data – and even data that has been anonymised – is necessarily a “bad thing”.

I’ve got to say, in all the time I’ve worked in the field of information rights I’ve never come across anyone who actually thinks that, let alone articulates it (in my experience the only people who say it are those who seek to misrepresent it). The Data Protection Act 1998 (DPA) and EC Directive 95/46/EC to which it gives effect do not act as a default bar to sharing of data. There may be circumstances under which compliance with the law means that sharing of personal data cannot happen, but the converse is true – there will be times when sharing is lawful, necessary and proportionate.

Paul’s prime example of what he sees as (to adopt the title of his piece) “a disproportionate fear of ‘Big Brother’ preventing us from seeing the big picture” is the “predictable outcry” about the care:data programme, whereby the Health and Social Care Information Centre will, through the exercise of certain provisions in the Health and Social Care Act 2012, extract enormous amounts of health and social care information from local systems to centralised ones. The first step in this is the GP Extraction Service (GPES) whereby information relating to medical conditions, treatments and diagnosis, with each patient’s NHS number, date of birth, postcode, gender, ethnicity and other information will be uploaded routinely. The information will then be made available to a range of organisations, sometimes including private companies, sometimes in ostensibly anonymised, sometimes in identifiable, form, for a variety of purposes. This will happen to your medical records unless you opt out (and if you think you’ve already done so, you probably haven’t – those who objected to the creation of a summary care record will have to go through another opt-out process). And this week we were informed that there will be no national campaign to alert patients to the GPES – the responsibility (and liability) will lie with GP practices themselves. (Anyone wanting to understand this complex and less-than-transparent process must read and follow the superb MedConfidential).

I accept that, on one view, this amassing of health and social care data could be seen as a good thing: as Paul suggests, medical research, for instance is a hugely important area. And the NHS Commissioning Board identifies the following desired outcomes from care:data

– support patients’ choice of service provider and treatment by making comparative data publicly available
– advance customer services, with confidence that services are planned around the patient
– promote greater transparency, for instance in support of local service planning
– improve outcomes, by monitoring against the Outcomes Frameworks
– increase accountability in the health service by making data more widely available
– drive economic growth through the effective use of linked data

But how realistic are these? And what are the attendant risks or detriments? Paul says

central medical records for all NHS patients…would mean that when you turned up at a hospital far from home, as I have done myself, doctors would have access to your medical records and history. Believe me, when you are in pain and desperate to be treated, the last thing that you want to do is to answer questions about your medical history

With great respect, the ideal of a centralised system whereby medics can provide emergency treatment to patients by accessing electronic records is never going to be more than a myth. Put another way – would Paul be happy trusting his life to the accuracy of an electronic record that might or might not say, for instance, whether he is allergic to aspirin? Treatment of patients is a matter of diagnosis, and emergency diagnoses will never be made solely, if at all, on the basis of records.

Security of information, and risks of identification of individuals are other key concerns. Paul says Daniel Barth-Jones identifies “deficiencies in [reidentification] studies” but I think what Barth-Jones is actually arguing is that the risks of reidentification are real, but they must be accurately reported and balanced against the likelihood of their happening.

But ultimately I have two major conceptual concerns about care:data and what it implies. The first is that, yes, I am instinctively distrustful of the agglomeration of sensitive personal data in identifiable form in mass processing systems: history has taught us to be this way, so I don’t see this, as Paul appears to, as a “fashionable” mistrust (and, for instance, the Joseph Rowntree Foundation’s exemplary Database State report is now over six years old). The second is that patient-medic confidentiality exists, and has existed for a very long time, for a reason: if patients are not certain that their intimate medical details are confidential, they might be reluctant to speak candidly to their doctor. In fact, they might not even visit their doctor at all.
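The earlier paragraph on Barth-Jones turns on whether “ostensibly anonymised” records can be re-identified. Removing the NHS number does nothing about the quasi-identifiers the post lists (date of birth, postcode, gender), which are exactly the fields that also appear in lists anyone can obtain. The following is an added example, not code from this post or from the care:data programme, demonstrating the linkage attack and the k-anonymity measure used to reason about it. Both data sets are constructed and invented: a six-record “de-identified” extract, and a six-record public list with names (electoral-roll style). It also shows the standard mitigation of generalising the quasi-identifiers (outward postcode and birth year only), which raises k but, as the usage note says, does not by itself stop attribute disclosure.

```python
"""Re-identification of a pseudonymised extract by linkage on quasi-identifiers."""
from collections import Counter

QUASI = ("postcode", "dob", "sex")  # fields shared between the extract and public lists

# Constructed sample extract: direct identifiers removed, quasi-identifiers kept
EXTRACT = [
    {"postcode": "AB10 1AA", "dob": "1971-03-04", "sex": "F", "diagnosis": "HIV"},
    {"postcode": "AB10 1AB", "dob": "1971-09-30", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "AB10 1AA", "dob": "1983-11-20", "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "AB10 1AC", "dob": "1983-02-02", "sex": "M", "diagnosis": "asthma"},
    {"postcode": "AB11 5ZZ", "dob": "1990-07-15", "sex": "F", "diagnosis": "depression"},
    {"postcode": "AB11 5ZY", "dob": "1990-01-01", "sex": "F", "diagnosis": "asthma"},
]

# Constructed sample public list: names attached to the same quasi-identifiers
PUBLIC = [
    {"name": "A. Smith", "postcode": "AB10 1AA", "dob": "1971-03-04", "sex": "F"},
    {"name": "B. Jones", "postcode": "AB10 1AB", "dob": "1971-09-30", "sex": "F"},
    {"name": "C. Brown", "postcode": "AB10 1AA", "dob": "1983-11-20", "sex": "M"},
    {"name": "D. Green", "postcode": "AB10 1AC", "dob": "1983-02-02", "sex": "M"},
    {"name": "E. White", "postcode": "AB11 5ZZ", "dob": "1990-07-15", "sex": "F"},
    {"name": "F. Black", "postcode": "AB11 5ZY", "dob": "1990-01-01", "sex": "F"},
]


def key(record, quasi=QUASI):
    """The quasi-identifier tuple that defines a record's equivalence class."""
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI):
    """Return (class sizes, k): k is the size of the smallest equivalence class."""
    classes = Counter(key(r, quasi) for r in records)
    return classes, min(classes.values())


def reidentify(extract, public, quasi=QUASI):
    """Link extract records to public records on the quasi-identifiers.

    Where exactly one public record shares the tuple, the supposedly anonymous
    record is named; return (name, diagnosis) pairs for those.
    """
    names_by_key = {}
    for p in public:
        names_by_key.setdefault(key(p, quasi), []).append(p["name"])
    linked = []
    for r in extract:
        names = names_by_key.get(key(r, quasi), [])
        if len(names) == 1:
            linked.append((names[0], r["diagnosis"]))
    return linked


def generalise(record):
    """Coarsen quasi-identifiers: outward postcode only, birth year only."""
    g = dict(record)
    g["postcode"] = record["postcode"].split()[0]
    g["dob"] = record["dob"][:4]
    return g


if __name__ == "__main__":
    print("k of raw extract:", k_anonymity(EXTRACT)[1])
    print("re-identified:", reidentify(EXTRACT, PUBLIC))
    gen_extract = [generalise(r) for r in EXTRACT]
    gen_public = [generalise(p) for p in PUBLIC]
    print("k after generalisation:", k_anonymity(gen_extract)[1])
    print("re-identified after generalisation:", reidentify(gen_extract, gen_public))
```

With full date of birth and unit postcode every class has size one (k = 1) and all six records are named. Generalising to outward code and birth year gives k = 2 and no unique linkage. Note the residual risk even then: the two records in a class may share a diagnosis, in which case the attacker learns it without needing to tell the two people apart, which is why k-anonymity alone is not treated as sufficient.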

3 Comments

Filed under Confidentiality, Data Protection, data sharing, human rights, Let's Blame Data Protection

Sony and confidentiality of proceedings

Why I think Sony are wrong to claim they withdrew their data breach fine appeal because of concerns about disclosing sensitive information

So, Sony have withdrawn their appeal against the £250,000 Monetary Penalty Notice served on them by the Information Commissioner (ICO), following the 2011 hack of the PlayStation Network which exposed the details of millions of subscribers. I blogged at the time

my suspicious nature makes me wonder if they will ultimately pursue the appeal. Although it will cost them nothing, this isn’t about cost, but reputation, and do Sony really want to risk another day of bad headlines about their data security, in the event that they lose the appeal?

Whether the fear of further publicity was a factor in the withdrawal is impossible to say, but Sony’s public statements about the withdrawal hark back to another point I noted at the time. The ICO’s notice was heavily redacted, clearly to avoid disclosing commercially confidential or sensitive aspects of Sony’s network security, in line with the ICO’s commitment to do so (7.3 in his Monetary Penalty Guidance). However Sony, in withdrawing their appeal to the First-tier Tribunal, now say

After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits

This rather disingenuously overlooks the fact that the Rules which govern tribunal proceedings expressly allow for parts of the hearing to be in private (Rule 35.2 of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009). So, while they are entitled to continue to disagree with the decision on the merits (reminds me of the cricket umpire who, when confronted with a batsman saying “That wasn’t out!” replied “Oh no? Let’s see what the newspapers say in the morning”) everyone else can be satisfied that Sony were correctly served a £250,000 Monetary Penalty Notice for a serious contravention of the Data Protection Act 1998, and that they chose not to pursue their right of appeal. And they’ve missed their chance for a 20% early payment discount (although that’s hardly going to worry their financial backers).

It’s a victory for the ICO, as well: he is often criticised for failing to take on the big private sector tech and social media companies. In this case, he did, and he won.

2 Comments

Filed under Confidentiality, Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice

Transparency and the ICO

It is axiomatic that, under the Freedom of Information Act 2000 (FOIA), a requester is unlikely to know precisely what the information requested consists of. This means that a requester is at a (natural and fair) disadvantage if he or she wishes to challenge a refusal. How to argue, for instance, that the public interest favours disclosure of information, if you don’t know what the information is?

A requester will often be reliant, therefore, on the Information Commissioner (ICO), as independent regulator, or the judicial system, thoroughly to interrogate a public authority’s basis for non-disclosure.

Last year I made a FOIA request to the ICO’s office itself for copies of all Undertakings (not currently on their website) agreed by the ICO and data controllers following investigation of serious breaches of the Data Protection Act 1998.

The ICO kindly disclosed to me a large number of Undertakings, but withheld three, citing the exemption at section 22 of FOIA. This section provides an exemption to the general FOIA obligation to disclose information, if the information is held, at the time of the request, with a view to its publication at some future date (whether determined or not). Furthermore it must be reasonable in all the circumstances that the information should be withheld from disclosure until that future date. Section 22 is a qualified exemption, and, therefore, subject to the application of a public interest test. I was told by the ICO that the Undertakings

were not published at the time due to a risk of prejudice, in one case to a criminal trial and in the others to commercial interests. In light of your request we have revisited these considerations and find that they are still relevant

I’m a reasonable chap, and accepted that the ICO was well-placed to determine that the public interest did not favour disclosure. However, I thought they might be able to disclose the identities of the data controllers involved. So I made a FOIA request for that information.

This was also refused. I was told that one of the data controllers was News Group Newspapers and the Undertaking was

in connection with a cyber-security attack perpetrated against NGN for which criminal proceedings are ongoing. As we have previously indicated, the Undertaking will be published once the proceedings have been concluded

This was the case relating to a criminal trial, and it has now been published.

I was told though that the names of the other two data controllers were still exempt under section 22, as, even though the ICO accepted my argument

that prejudice is “unlikely to occur simply by disclosing the identity of the data controllers”, having consulted with the organisations involved, I am satisfied that there is a possibility that the release of even the identities could potentially damage the commercial interests of the Data Controllers

Well, after I waited a while, and then made a further FOI request, the names and Undertakings have now been disclosed. And I fail to see what the fuss was about: they related to some issues with residual data on legacy systems. I also fail completely to understand how, in any conceivable way, disclosure of the names of the Councils involved could have caused prejudice to their commercial interests, and I’d invite anyone else to explain to me how it could. If I am right, the argument that it was reasonable in all the circumstances that the information should be withheld from disclosure until a later date, and, indeed, the argument that the public interest favoured maintaining the section 22 exemption falls away.

I could, of course, have appealed at the time, but the point is that I did not know what information was being suppressed, or why. I trusted the ICO to apply the law properly.

It is interesting to consider this matter of “trust” in light of an important recent Upper Tribunal (UT) case. Although that case was concerned with the use of “closed material” and “closed proceedings” in FOIA cases in the First-tier Tribunal (FTT) some points are arguably of general application to public authorities. One strikes me in particular

The other side of the coin concerning the application of the FOIA exemptions is of course that the requester may want to challenge the reasons and evidence which are advanced to establish them and thereby show that the requested information should be provided to him or her pursuant to FOIA…This competing right and interest within the FOIA scheme is founded on the right of access to information held by public authorities that is given by FOIA.  So it is one of the starting points for the need for a decision-making process to weigh competing rights and interests [emphasis added]

I would argue (knowing now what I didn’t know then) that, as one of the prime reasons for DPA Undertakings is to draw attention to serious breaches of the DPA (see ICO Guidance: Communicating Enforcement Activities), withholding this information under section 22 potentially undermines the regulatory functions of the ICO. I struggle to understand how the refusal to disclose the Undertakings, let alone the mere identities of the recipients, shows proper weighing of competing rights and interests.

On a final note, the guidance above also says

We will not risk damage to the reputation of the ICO by agreeing with an organisation that we won’t publicise our action or that we will give advance warning

I’m not sure how to square that with what I was told last year that

the Undertakings were signed on the understanding that they would not be publicised in the usual manner

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Pondlife: privacy obligations and privacy rights

Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.

In 2010 the law firm ACS:Law was victim of a concerted campaign to disrupt its activities through distributed denial of service (DDoS) attacks and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDoS attacks a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.

As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that

Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.

The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).

The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details

This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that

A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right group

Twitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites

I confess I wasn’t aware of the 2010 hack. One wonders if the IC investigated this at the time. Nonetheless, any further hacks which reveal personal data of members and donors raise potential issues of liability for the EDL under the DPA, for the same reason that ACS:Law attracted enforcement action.

I found it notable at the time of the ACS:Law case that there was a lack of action or censure for the many people who happily publicised and distributed the file in question, thus exacerbating the already serious breach. It seemed to me, and still does, that those who originally downloaded the file and made it freely available, and those who continued to publicise it and make it available, were arguably guilty of an offence under section 55 of DPA, which provides that disclosing personal data knowingly or recklessly, without the consent of the data controller, can be an offence.

The chances of an offence being committed are even more pronounced when concerted efforts are made to hack into a website. The offence under s55 DPA remains (through lack of a ministerial Order implementing the custodial provisions) only punishable by a maximum £5000 fine. However, other potential offences are engaged, including those under the Computer Misuse Act 1990, which are punishable by a maximum of five years’ imprisonment.

Anonymous have their reasons for the campaign, and they are perhaps difficult to argue against. But concerted efforts to gather and disclose private information raise worrying issues, which should not be avoided simply because of who the intended victims are.

None of this is to be seen as defending, or sympathising with, the views of the EDL, who are scum. But even scum have rights. Furthermore, it might be worth bearing in mind that when a list of apparent members of the BNP was leaked in 2009 – an incident which led to the prosecution of an individual under the DPA (at the sentencing of whom the judge said that he was obliged to impose a “fine…so low as to be ridiculous”) – there were strong indications that a number of people were wrongly named as members. Lists can be dangerous things, and I can think of few things more unpleasant than being wrongly associated with groups like this.

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, human rights, Information Commissioner, Privacy

We still have judgment here

Mr Justice Tugendhat makes very interesting observations about reserved judgments and open justice, in a judgment on whether a defendant is in breach of prior undertakings relating to tawdry publications about the parents of Madeleine McCann:

The decision not to identify in a reserved judgment a fact or person that has been identified in open court is not a reporting restriction, nor any other derogation from open justice. The hearing of this committal application was in public in the usual way. The decision not to set out everything in a judgment is simply a decision as to how the judge chooses to frame the judgment (¶86)

I have previously written about discussions taking place about the privacy and data protection implications of electronic publication of lists from magistrates’ courts, and I also wrote a thesis (NEVER to see the light of day thank you very much) which attempted in part to deal with the difficulties of anonymisation in court documents. These seem to me to be very urgent, and tremendously difficult, considerations for the subject of open justice in the digital era (the title of the initiative, led by Judith Townend, to “make recommendations for the way judicial information and legal data are communicated in a digital era”).

The judgment continues with Tugendhat J observing that, in previous cases where he has referred to parties by initials in reserved judgments this has sometimes been misinterpreted as his having made an anonymity order. Not true: the proceedings themselves were in open court, but

what happens in court, if not reported at the time, may be ephemeral, and may soon be forgotten and become difficult to recover, whereas a reserved judgment may appear in law reports, or on the internet, indefinitely (¶87)

This is a crucial point. My concern has always been about the permanence of information published on the internet, and the potential for it to be used, and abused, in ways and under jurisdictions, which would make a mockery of, for instance, the Rehabilitation of Offenders Act 1974, and the Data Protection Act 1998.

I haven’t noted the judge’s comments for any particular reason, other than I think they helpfully illustrate some important points, and might provoke some discussion.

1 Comment

Filed under Confidentiality, court lists, Data Protection, Open Justice, Privacy, Rehabilitation of offenders

What the Papers Say

It appears that a police officer has inadvertently disclosed operational notes regarding arrangements for the arrest of Julian Assange. This is not the first time a blunder like this has happened, and it should serve as a reminder that physical data needs to be handled just as securely as electronic data.

In 2009 Britain’s then most senior counter-terrorism officer, Bob Quick, arrived at Downing Street for an important meeting. He’d probably been reading up on the issues during the journey there, and was clutching a file as he emerged from his car. Unfortunately for him, photographers were able to capture the contents of the document he was holding face up. Marked “Secret” (the second highest category in the government protective marking Security Policy Framework) it contained information some of which still cannot be disclosed because a DA-Notice applies. It led to anti-terror raids being brought forward, and it also led to his resignation.

Now we learn that a rather less senior police officer has been photographed in similar circumstances, outside the Ecuadorian Embassy wherein lies the persecuted activist/suspected rapist (delete according to your leanings) Julian Assange. Apparently the information relates to possible arrest plans.

Now, when I have to carry papers from one building to another at work, I make damn sure that they’re secured in an opaque binder, and as far as I know the eyes of the world’s press are not on me when I’m doing so. Information security and data protection are not just about taking care with electronic data: I recently did a quick analysis of the monetary penalty notices handed down by the Information Commissioner, and found that around two-thirds arose from a breach of security involving physical data*.

Modern photographic developments mean that millions of people have the ability quickly to capture compromising or damaging information, and internet publishing means that the same information can be uploaded and circulated within seconds. The European Association for Visual Data Security (yep, there is one) recently produced a white paper on the subject. In its article about the white paper The Register gave some examples of shoulder-surfing, in addition to Bob Quick’s infamous incident

a senior UK civil servant at the department of Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach…[and] in August 2011 the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

Any organisation which needs to handle data outside its own office walls should make very sure it can’t be seen by prying eyes.


*It’s difficult accurately to categorise them. For instance, a fax is both electronic and physical, and a lost hard-drive is loss of physical data, but seriousness is tied to the electronic contents of said drive.

Filed under Confidentiality, Data Protection, Information Commissioner, monetary penalty notice, police, Uncategorized

I should (not) Coco? EIRs and common law of confidence

Has the Information Tribunal once again followed too slavishly the principles of a 44-year-old expression of the doctrine of common law confidentiality?

In 2008 the then Information Tribunal held that the Home Office had not been entitled to rely on exemptions in the Freedom of Information Act 2000 (FOIA) when dealing with a request from the British Union of Anti-Vivisectionists (BUAV). Specifically, the Tribunal held that some of the information in question did not attract the protection of the common law of confidence (which, for complex reasons, was invoked through the interplay of section 24 of the Animals (Scientific Procedures) Act 1986 and section 44 of FOIA, rather than section 41 FOIA, which deals in explicit terms with confidential information). The Tribunal relied heavily in its analysis of the law of confidence on the principles in the landmark case of Coco v AN Clark (Engineers) Ltd (1968) FSR 415 Ch D. On appeal to the High Court, Mr Justice Eady was critical of this reliance, pointing out that there had been significant developments in the law since Coco v Clark:

The Tribunal rather proceeded on the assumption that “the law of confidence” was to be found only in the principles explained by Sir Robert Megarry in Coco v Clark. It assumed that this authority provided an exclusive definition such that, whenever the phrase “in confidence” was to be found in a statute, the legislature must be taken to have had those principles in mind. With respect, however, this does not seem to me to be necessarily the case. Much will depend on context.

It is clear, for example, that the law of confidence is not confined to the principles governing the circumstances in which an equitable duty of confidence will arise; nor to the specialist field of commercial secrets. An obligation of confidence can arise by reason of an agreement, express or implied, and presumably also by the imposition of a statutory duty. (Secretary of State for the Home Office v BUAV & Anor [2008] EWHC 892 (QB))

It is thus important to bear in mind, for the present case, the broad principle, stated by Buxton LJ in McKennitt at [11], that ” … in order to find the rules of the English law of breach of confidence we now have to look in the jurisprudence of articles 8 and 10″. The Tribunal did not address these developments at all and thus proceeded on an incomplete understanding of the present law.

(emphasis added)

It is somewhat surprising, therefore, to read the recent judgment of a differently constituted First-Tier Tribunal (Information Rights), considering the extent to which environmental information was exempt from disclosure under regulation 12(5)(e) of the Environmental Information Regulations 2004 (EIR). Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The case – Jones (on behalf of Swansea Friends of the Earth) v IC & Environment Agency – involved a request for information relating to financial guarantee arrangements put in place by a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea. It was common ground that the request was for environmental information, and that the information was commercial in nature, so the main question which fell to be decided by the Tribunal was whether the information was

subject to a duty of confidence provided by law because the information was created and provided in circumstances giving rise to an obligation of confidence

At paragraph 35 of its judgment, the Tribunal says

The well-established test in Coco v Clark is that, apart from contract, for a common law breach of confidence claim to succeed, three elements must be present:
(a) the information itself must “have the necessary quality of confidence about it”;
(b) the information must have been imparted in circumstances importing an obligation of confidence; and
(c) there must be an unauthorised use of that information, to the detriment of the party communicating it.

(emphasis added)

With respect, the Tribunal here appears to have had no regard to Eady J’s dicta, and the many recent authorities he cited, in Home Office v BUAV.

Accordingly, the Tribunal went on to hold (para 36) that it

[did] not see that it can be said that the [financial guarantee arrangement] information was imparted in circumstances importing an obligation of confidence…[because] the information came into existence through a process of negotiation between the parties

The Tribunal drew support for this from the findings of a (differently-constituted) tribunal in a case concerning the analogous (but differently-worded) section 41 exemption in FOIA concerning confidential information:

We recognise that section 41 refers more explicitly to information being “obtained” by the public authority from any other person. That is not the language of regulation 12(5)(e). However, we consider that the same element is imported by the incorporation of the common law test of breach of confidence into regulation 12(5)(e) of the EIR. In short, we find that the second element of the test in Coco v Clark has not been met and the information is not subject to a duty of confidence provided by law. (para 38)

This extension of the FOIA confidentiality principles into the EIR is controversial in itself. It becomes even more so when compared with a previous Tribunal decision on regulation 12(5)(e). In South Gloucestershire CC v IC & Bovis Homes (EA/2009/32) the more restrictive language of section 41 FOIA was explicitly contrasted with that of regulation 12(5)(e). The Tribunal held there that the Council’s own information could attract the protection of the law of confidence, without the necessity of its having been provided by a third party. See this helpful article by Practical Law Company for further on this, and for reference to the rather regrettable fact that South Gloucestershire v IC & Bovis Homes was not mentioned by the Tribunal in the instant case.

The slavish adherence to the Coco v Clark principles also risks – as Eady J alluded to when citing Buxton LJ – overlooking the significance of the jurisprudence of the European Convention on Human Rights as it applies to confidential information. In Veolia ES Nottinghamshire Ltd v Nottinghamshire County Council & Ors [2010] EWCA Civ 1214 the Court of Appeal considered, in a case under the Audit Commission Act 1998 (ACA), whether commercially confidential information could constitute a “possession” protected by article 1 of the First Protocol of the Convention, and, potentially, by extension, Article 8. Lord Justice Rix said

I can see no reason, in the light of the Strasbourg jurisprudence which does exist, why valuable commercial confidential information, such as the evidence in this case demonstrates is in question here, particularly with respect to the second disputed documents, cannot fall within the concept of “possessions”

I am not entirely convinced that English common law has always regarded the preservation of confidential information as a fundamental human right, although I accept that it has been recognised and accepted by our common law. Nevertheless, in the light of at least article 1 of the first protocol, it can now be seen that it is a species of “possessions”, with which the state cannot interfere without justification

Disclosure of information under a regime such as the EIR (or FOIA) is different to the potential unfettered disclosure proposed under the ACA, and the public interest provisions might provide the “justification” for state interference discussed by Rix LJ. Nonetheless, it seems surprising, to say the least, that Jones v IC & Environment Agency proceeded without reference to any of the more recent authorities on confidentiality.

It is notable that Jones v IC & Environment Agency was determined on the papers, without the benefit of oral argument. It would greatly assist both public authorities, and the commercial organisations with whom they interact, if these points were fully argued, and a reasonably definitive position laid down, by an appellate court.

Filed under Confidentiality, Environmental Information Regulations, Information Tribunal