Category Archives: Data Protection

Shaming the not guilty

UPDATE
9 January 2014, after a bit of prompting, the Information Commissioner’s Office have confirmed to me that they are looking into whether Staffordshire Police’s Twitter campaign was compliant with the Data Protection Act.
END UPDATE

Is Staffordshire Police’s social media campaign naming those charged with drink-driving offences fair and lawful?

A month ago I wrote about media coverage of Sussex Police’s crackdown on drink-driving. I was concerned that the impression was being given by the media that the police were “naming and shaming” people who had merely been charged – not convicted – with the offence. I asked Sussex Police if they were happy with the words attributed to them by the Eastbourne Herald but they chose not to reply (which I suppose is one way of dealing with enquiries from the public).

I have to concede that, in that instance, it was not clear whether the police themselves were suggesting people were guilty of an offence before any conviction. However, I heard today (thanks @primlystable) that Staffordshire Police have been running a campaign which is much more overt in its suggestion that people who have been charged with drink-driving offences can be called “drink drivers”. They have been running a social media campaign using the hashtag #drinkdriversnamedontwitter, and, they announce, there has been “overwhelming support” for it:

Overwhelming support #drink drivers named on twitter

Staffordshire Police has received tremendous support for its name and shame tactic to reduce the number of drink-drivers.

Nearly 500 people completed an on-line survey asking whether they supported naming people charged with drink-drive offences and whether it would help people think about the consequences of this type of offence.

But the blurring of the line in that press release between the guilty and the not-proven-guilty is highly problematic. If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against 1.

I asked the Attorney General’s Office (by twitter) what it thought of the use of the hashtag against the names of those merely charged with an offence, but, in saying

Tweets are same details automatically given to Magistrates’court and made public at hearing – not contempt in this case

I think they rather missed the point – it wasn’t the naming of charged people which concerned me, it was the association of the name with the hashtag. And, in an excellent response on twitter @richgreenhill said

You’d be similarly sanguine about tweeting certain names and “#phonehacker” right now?

But I’ve also asked the Information Commissioner’s Office (ICO) whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully. The ICO has shown itself commendably willing recently to challenge unfair processing, and has, for instance, served DPA enforcement notices against Southampton City Council for making it a licensing requirement that taxi drivers have continuous CCTV-with-audio in their cabs, and against Hertfordshire Police for its automatic number-plate recognition “ring of steel” around Royston. I would urge the ICO to consider whether this current campaign warrants some regulatory action.

As I was writing this piece I saw a news item in which a traffic lawyer has called for the Staffordshire Police and Crime Commissioner (PCC) to resign as a result of the campaign, saying

By his comments he is now presuming that everyone named by his officers are guilty as charged even before they have appeared before a court. In other words he is demonstrating a cavalier disregard for the presumption of innocence.

His comments have potentially prejudiced every drink driving case before it is heard.

This pitches it stronger than I have, but I also note that Matthew Ellis, the PCC, has said in response

No-one will be named where there is any doubt

That is deeply concerning: it is no part of the police’s role to determine or pronounce on someone’s guilt or innocence.

1. Ministry of Justice, Criminal Justice Statistics, Quarterly Update to December 2010


Making Motorman names public

UPDATE: 7 January 2014

In the comments to this piece the requester has informed me that the ICO is appealing this decision. Given how long the Upper Tribunal takes to turn things round, I don’t think we’ll be seeing these names for some time (if at all – if the ICO succeeds). I’ll keep the original post up though for the time being

END UPDATE.

So…will we get to see the names of the Operation Motorman journalists within the next week? Or will there need to be a bit of an extra push?

I tweeted earlier today to the effect that time is nearly up for the Information Commissioner’s Office (ICO) to disclose names of some of the journalists named in the ICO “What Price Privacy” report as having engaged the services of rogue private investigator Steve Whittamore, who was convicted in 2005 under the Data Protection Act 1998 (DPA) of offences of illegally obtaining personal data.

My blog post from earlier this month describes how the First-tier Tribunal ordered on 29 November 2013, after a rather convoluted series of hearings on the papers, that the ICO disclose within 35 days

many, but not all, of the names of journalists recorded…as clients of the investigator at the heart of Operation Motorman…together with the names of the media outlet with which [they were recorded as having been] associated at the time

By my calculations, those 35 days are up at 17:00 next Monday (see part 2.8 of Civil Procedure Rules and rule 12(1) of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009). This is, of course, unless the ICO has appealed the decision, but, as at 19 December, no such appeal appeared to have been lodged.

It is possible, however – bear in mind that the Order was for disclosure within 35 days – that the information has already been disclosed to the applicant – a Mr Christopher Colenso-Dunne. If that is the case, and if the applicant chooses not to make it public, then we may not yet see those names (it has been suggested to me that the person by that name for whom Google gives a search return may not be the applicant here). The Freedom of Information Act 2000 (FOIA) does not, in strict terms, oblige a public authority to make information public. Rather, it must “communicate” information to a person who has requested it (subject to the application of any exemptions). Although it is often said that disclosure under FOIA is to be taken as disclosure to the world at large, this operates as a concept, not a requirement. Some public authorities do, however, operate a “disclosure log” where some or all information disclosed under FOIA is made publicly available.

The ICO itself has a disclosure log, although it restricts this to responses “which we feel are of wider public interest”. There also appears to be a bit of lag in uploading responses (the last was one from 18 October).

One would certainly hope that, if the ICO is not appealing the decision, it will proactively disclose the information ordered to be disclosed. But, just in case, I’ve made a FOIA request for the same information, via whatdotheyknow.com, where it would be available for anyone to see (and which, of course, I’ll withdraw if the information becomes public in the interim).


The seriousness of personal data breaches

Our privacy is, for good reason, important to all of us.

What a person has in his or her bank account, what a person chooses to write and to whom, what telephone calls a person chooses to make and to whom and other matters of that kind are, save in exceptional circumstances, the business of the individual and of nobody else.

The law recognises that right and protects it.

So begin the sentencing remarks of His Honour Judge McCreath in the Southwark Crown Court on 20 December. The sentences in question were imposed on three men who had been found guilty of offences under section 55 of the Data Protection Act 1998 (DPA). They took place against the background of the bidding for tenancy of the Olympic Stadium. The fines given were not insignificant: £100,000 for Howard Hill, £13,250 for Lee Stewart and £10,000 for Richard Forrest.

It is often said that the sanctions for a criminal breach of the DPA are inadequate. The Information Commissioner regularly recommends the commencement of statutory provisions which would allow a custodial sentence to be imposed in appropriate circumstances, and, indeed, after Lord Justice Leveson made the same recommendation, the government announced it would consult on whether to make the necessary Order to effect this.

It is certainly true that some sentences for the offence (of knowingly or recklessly, without the consent of the data controller, obtaining or disclosing personal data or the information contained in personal data) seem derisory. One stark example was the meagre £150 fine for a probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator. However, it should be noted, and the Olympic Stadium offenders’ sentences illustrate this, that the offence is, by virtue of section 60(2) of the DPA, an either-way offence. The always illuminating ukcriminallawblog has an excellent post explaining what this means:

[either way offences] are offences that can be tried either (hence their name) in the Magistrates’ or the Crown Court. These are generally cases where the culpability (the harm caused to society) is wide ranging and therefore sometimes they will be very minor offences and sometimes very serious ones…For example, theft is either way. It can vary from someone who shoplifts a packet of crisps up to somebody who steals millions of pounds from a bank.

On a plea of not guilty to a section 55 charge the prosecution will be transferred to a Crown Court if it appears to the magistrates’ court that the likely sentence exceeds their maximum sentencing power of a £5000 fine. Once transferred, the fine is potentially unlimited. This is why the fines were so high in these cases.

I won’t rehash what is in the very clear and instructive sentencing remarks. But what I will say is that the seriousness with which a section 55 DPA offence is viewed by a court is inherently tied up with what value society attaches to privacy and security of personal data.

That value changes over time, and varies according to the evidence of the impact DPA contraventions have on the individuals affected.


Data protection compensation – an alternative route?

Compensation for data protection breaches can be difficult to secure – but if the data controller is a public authority there may be an alternative to legal claims

One of the outcomes of what was by any standards a disastrous breach of the Data Protection Act 1998 (DPA) was announced this week, when Hodge Jones & Allen LLP (who might want to proofread their press releases a bit better) issued a statement saying that they had secured compensation payments totalling £43,000 for fourteen residents who had brought claims against Islington Council. They were among fifty residents whose personal data was mistakenly given to ten people upon whom the Council was serving anti-social behaviour orders (ASBOs). As the Islington Gazette reported at the time

council staff passed details of 51 people, many of whom had complained about antisocial behaviour (ASB) on the council’s flagship ASB hotline, to 10 thugs who had been causing trouble on the Andover estate, off Seven Sisters Road, Holloway…The gang, who had been smoking drugs and abusing passers-by, now have the names, street names and phone numbers where given of the residents, after the information was inadvertently attached to injunctions banning them from the estate…Police activity has been stepped up on the Andover, but many victims of the breach are from other areas.

The Gazette also reported that six families were to be rehoused, no doubt at considerable cost to the Council.

The law firm’s announcement (which also appears to relate to claims made by people who, in a separate incident involving the same council, had their personal data inadvertently exposed on a website) means, of course, that any claims will not go to trial, and we will not get the chance of a judicial determination of whether, or to what extent, it is possible for claimants in these circumstances to gain compensation for pure distress, in the absence of actual damage.

Data Protection lawyers and practitioners will be well aware of this issue, and I wrote about it earlier this year. To crib my own post:

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act. The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered….[the position is unclear as to] whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect

In the instant cases, it is actually possible that substantial actual damage could have been suffered, but, more probably, these again were cases where (no doubt very high levels of) distress would have lacked compensation for want of the section 13(1) gateway.

In terms of the Council itself, as data controller, it was served by the Information Commissioner’s Office (ICO) with a monetary penalty notice (MPN) of £70,000 for the DPA contravention which led to the “website incident”, and it appears that enforcement action may well result from the ASBO incident (one wonders if the ICO was awaiting the outcome of these legal claims). The ICO will need to determine whether it was a serious contravention of the DPA, of a kind likely to cause substantial damage or substantial distress (for analysis of what this requires, see my recent post here). Such MPNs do not though, in any case, compensate victims, but serve to punish the data controller (and the money goes into the government’s consolidated fund).

The Local Government Ombudsman

One does not know what the specific arrangements were between the claimants and their lawyers, but, unless the work was pro bono some fees will no doubt be owed from the former to the latter. It does occur to me that the claimants had an alternative way of seeking a remedy. The Local Government Ombudsman (LGO) investigates complaints made by people alleging administrative fault (“maladministration”) causing injustice, arising from actions or inactions of local authorities. In 2008 the LGO issued a report following investigation of a complaint that Basildon Council had

published personal and sensitive information about traveller families and their children on its website and in a report that was considered in the open part of a Council committee meeting, where copies were available to members of the public and the press who attended. The information included medical details, and the names and ages of all the children living on the site

But what is particularly interesting is that the LGO’s investigation was informed by a prior finding by the ICO in this matter (uncontested at the time by the Council) that the Council had been likely to have contravened the first data protection principle. The LGO has the power to recommend compensation payments, and in this case recommended each complainant be paid £300. Those payments were eventually effected, albeit after judicial review proceedings (an LGO recommendation is not actually binding on a council, although in the vast majority of cases they are complied with).

It does seem to me that the Islington claimants could possibly have gained similar, or more compensation, by making a complaint to the LGO. It also seems to me that – where a DPA contravention by a local authority causes distress but no damage – aggrieved data subjects could consider whether the LGO could assist. And on a similar basis, where the contravention has been by a government department, or the NHS, or some other public bodies, whether the Parliamentary and Health Service Ombudsman could assist.


Implications of the Home Office data breach

What sanctions might result from the recent Home Office data breach, and how does it relate to the transparency agenda?

News emerged yesterday, through the rather unusual route of a statement to Parliament by Mark Harper, Minister for Immigration, that a spreadsheet containing the personal information of almost 1600 people had been inadvertently published by the Home Office on a government website. The minister’s statement says

between 15 and 28 October 2013 some personal data was available on the Home Office website as part of a spreadsheet alongside the regular data set in error. This was identified by Home Office officials on 28 October 2013 and the personal information was removed immediately. The personal data related to the names of 1,598 main applicants in the family returns process, their date of birth and limited details about their immigration case type and status

On these conceded facts this would appear to be a clear breach of the Data Protection Act 1998 (DPA), and, specifically, the principles of Schedule 1 to the Act which require that processing be fair and lawful, and that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. But what are the implications of this?

By virtue of section 4(4) of the DPA a data controller – in this instance the Home Office – must comply with those principles. A serious contravention of them, of a kind which is likely to cause substantial damage or substantial distress, can (by section 55A) invoke the powers of the Information Commissioner’s Office (IC) to serve a monetary penalty notice, to a maximum of £500,000. Whether the IC would exercise his discretion to do so would depend on various factors. Firstly, he would need to satisfy himself whether the personal data involved was “sensitive”. Sensitive personal data is afforded greater protection by the DPA, and breaches involving it are accordingly more serious. We are told that the information involved here consisted of people’s names, dates of birth, and their immigration status. Information about a person’s racial or ethnic origin is sensitive personal data – could one derive or infer that from the mistakenly disclosed information? This will be an important question to answer. But, additionally and more simply, it seems that these were “illegal immigrants” – the data was related to immigration family returns, and this would certainly seem to imply either the commission or alleged commission of an offence by those whose data was exposed, and this would also move the data into the category of “sensitive”.

Whether the apparent contravention was likely to cause substantial damage or substantial distress is less clear. The minister points out that there appear to have been fewer than thirty page views, but that we don’t know whether any of those people accessed or downloaded the data. But this perhaps overlooks the part of the statutory scheme which talks about whether the contravention was “of a kind likely” to cause the damage or distress. If for instance, this incident, which we are told is being investigated by the IC, is a symptom of inappropriate or insufficient data security measures, then that factor, rather than this discrete incident, could potentially give rise to sanctions. Also relevant might be what efforts the Home Office has taken to ensure that cached versions of the data have been removed from the internet – it is remarkably easy for information quickly to be captured and mirrored elsewhere, by automated web services.

The IC’s powers are not limited, however, to issuing monetary penalties. He can also issue enforcement notices requiring data controllers to take specified actions, and a breach of an enforcement notice can be a criminal offence. Less seriously, he can simply make a determination as to whether there is likely to have been a breach of the DPA. And he can take informal action, requiring a responsible person at the ministry to sign an undertaking to improve compliance.

The transparency agenda

What I also find noteworthy is that the minister prefaces his statement with remarks about the government’s commitment

to openness and transparency to enable the public to hold the government and other public bodies to account. This government has made more data available than ever before…

These are laudable aims and actions, but I have written before that the transparency agenda carries with it risks that, in the rush to publish more and more data, there will be privacy and data protection breaches. And if the government and the IC, as regulator, do not do more to alert people to these risks they must be aware that they risk being seen as complicit in such breaches. As I said in my piece for The Guardian

The IC must work with the government to offer advice direct to chief executives and those responsible for risk…So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.


Restrictions on use of information in litigation

Rule 31.22 of the Civil Procedure Rules provides in terms that a party to litigation can only use a document disclosed to him/her by another party (in the course of those proceedings) for the purposes of those proceedings:

A party to whom a document has been disclosed may use the document only for the purpose of the proceedings in which it is disclosed…

The exceptions to this rule are where the document has been read to or by the court or referred to, at a public hearing, or where the other party consents to its use, or by permission of the court.

A recent judgment of Mr Justice Tugendhat deals with this rule, but also has a rather odd appearance in the wings by the Information Commissioner’s Office (ICO). The case involves an application for a strike-out of a claim by a company (“IG Index”) engaged in spread betting on financial products, which had been the defendant in proceedings in the Employment Tribunal (ET). In the course of those ET proceedings the then claimant (“Cloete” – now defendant), a former network services engineer (who, it was said, had previously raised with his then employer concerns about data security at the company) had provided the defendant company (pursuant to a disclosure order of the ET judge) with a USB stick containing lists of clients of the company (including bank payment details), which it appeared to the company had been copied or retained by the claimant in breach of covenants protecting confidential information.

Separately to the ET proceedings the company claimed orders requiring the delivery up of the documents, and was successful in gaining interim relief for this, and for destruction by Cloete of any electronic copies, ordering him at the same time to pay IG Index’s costs. Cloete complied with these Orders, while at the same time withdrawing his ET claims.

At the full hearing, at which, as Tugendhat J observed, nothing of substance was still sought by IG Index (their substantive relief having been achieved by the delivery up and destruction of the information) what remained in dispute between the parties was, effectively, costs.

However, Cloete now sought strike out on the basis that the only reason IG Index had come to know of the contents of the USB stick was through the disclosure in the ET proceedings. Accordingly, he argued, the use of that information was in breach of CPR 31.22. Tugendhat J agreed, noting, importantly, that the rule applies

to protect not only the documents themselves, but also the contents of those documents, that is to say, the information derived from the disclosed documents

So IG Index’s knowledge that Cloete had, or had had, the documents, was information derived from the disclosed documents. Accordingly, the strike out claim succeeded:

The use of the information in the present proceedings cannot be said to be for the purposes of the Employment Tribunal Proceedings…Nor is the relevant information in this case the property of the Claimant…in my judgment the use of this information for the purpose of advancing a claim for damages is plainly and obviously a breach of the prohibition

There might, it was observed, be cases where to bar a claim in circumstances such as these would give rise to an injustice, but this was not one of those cases, and, in any event, sub-rule (b) (whereby a court can grant permission for use of the material) was available to avoid any such injustice.

The Information Commissioner

What I refer to as the “rather odd” appearance in these proceedings of the Information Commissioner’s Office (ICO) arises because Cloete claimed that he hadn’t retained the information at the centre of the case from the time when he had been employed by IG Index. Rather, while he was employed, he had passed it to the ICO, to express concerns about IG Index’s data security. He only got the documents back, according to his statement to the court, when they were

sent to him by the Information Commissioner six months after his employment had been terminated…following a subject access request he made to the Information Commissioner’s Office on 17 December 2012. On 16 January 2013 the Listed Items were attached to an e-mail he received in response to that request. However, he stated that he did not appreciate at the time he received the e-mail that the Listed Items were attached

One must be careful not to make unwarranted criticism of the ICO – I note that they were not involved in the proceedings at all, and had no opportunity to challenge or clarify Cloete’s statement. However, if that statement accurately reflected what happened it would be odd, to say the least, for the ICO to return this confidential information to someone who had no apparent lawful reason to have it, and also odd that it would have been sent in response to a subject access request under the Data Protection Act 1998, which entitles someone, in broad terms, to copies of their own personal data (not that of clients of their former employer). It would be interesting to know more about this.


ICO must disclose Motorman journalists’ names

The ICO has been ordered to disclose the names of some of the journalists referred to in “What Price Privacy” as having engaged the services of rogue private investigator Steve Whittamore

In April 2006 the Information Commissioner’s Office (ICO) published “What Price Privacy?” on what it described as “the unlawful trade in personal information”. The report revealed

evidence of systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information

Those breaches were potential criminal offences under section 55 of the Data Protection Act 1998 (DPA), and the report – which drew on the findings of documentation seized during Operation Motorman, arising from the activities of private investigator Steve Whittamore, said

Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers

In December 2006 the six-month follow-up report “What Price Privacy Now?” was published. This gave further details about the 305 journalists mentioned in the first report, and broke the data down into “Publication”, “Number of transactions positively identified” and “Number of journalists/clients using the services”.

And of course, this trade in personal information formed the basis of the first module (“The relationship between the press and the public and looks at phone-hacking and other potentially illegal behaviour”) of part one of Lord Justice (as he was then) Leveson’s inquiry into the culture, practices and ethics of the press.

In 2011 a request was made under the Freedom of Information Act 2000 (FOIA) to the ICO, for (1) “the number of transactions per journalist of each of the 305 identified journalists for each of the 32 identified publications” and (2) the journalists’ identities. The first request was refused by the ICO, on the basis that it would require a search through 17000 documents, and, therefore, section 12 of FOIA provided a statutory cost limit which meant it did not have to comply. Having been given these apparent facts the requester dropped his first request, but pursued the second. This was also refused, on the basis that the information was exempt under section 40(2) and section 44 of FOIA (the latter by virtue of the statutory bar on disclosure at section 59 of the Data Protection Act 1998 (DPA)), in both cases because disclosure would be an unfair and unlawful disclosure of personal data of the journalists involved.

Because the ICO is the regulator of FOIA, a complaint about its handling of a FOIA request falls to be determined by the same office (a statutory arrangement which was to be described as an “unusual, and unsatisfactory, feature” of the law by the First-tier Tribunal (Information Rights) (FTT)). Accordingly, the office (describing itself as “the Commissioner”, as distinct from the “ICO”, which was the authority refusing the request) issued a Decision Notice which held that

the ICO correctly withheld the information by virtue of section 40(2). He has also found that the information could also be correctly withheld by virtue of section 44(1)

This decision was appealed to the FTT, which has today, after what has clearly been complex and strongly argued litigation, handed down three judgments (1, 2, 3) (two of which were preliminary or interim rulings, publication of which has been held back until now) which are, taken together, extraordinary, both for their criticism of the ICO, and for the outcome.

Taken as a whole the judgments find that, regarding some of the journalists named in the information held by the ICO, the balance of the public interest in receiving the information outweighs the legitimate interest of an individual to protect his or her privacy.

The FTT found that the information wasn’t sensitive personal data (which is afforded a greater level of protection by the DPA). This is at first blush rather surprising: section 2(2) of the DPA provides that sensitive data will be, inter alia, “data consisting of information as to…the commission or alleged commission by [the data subject] of any offence”. However, the FTT found that, although the information

does contain evidence that the investigator [Whittamore] engaged by the journalist committed, or contemplated committing, criminal activity. And, self-evidently, it discloses that the investigator received some form of instruction from the journalist. But there is no suggestion…that the journalist had instructed the investigator to use unlawful methods or that he or she had turned a blind eye to their adoption or, indeed, whether he or she had in fact expressly forbidden the investigator from doing anything that was not strictly legal [para 11 of third ruling]

The FTT had also invited submissions from the parties on the significance to the instant case of some of the passages from the Leveson inquiry, and, having received them, took note from those passages of

the issues of impropriety (which, while very possibly not involving criminality on journalists’ part, is nevertheless serious) and corporate governance in the context of the privacy rights of the [journalists]. We believe that, together, they give rise to a very substantial interest in the public knowing the identities of those who instructed the investigators [para 18 of third ruling]

But also tending towards favouring disclosure in the public interest was Leveson’s suggested criticisms of the ICO

We also give some weight to the public interest in knowing more about the information which was in the possession of the ICO and which the Leveson Report suggested it failed adequately to pursue [para 18 of third ruling]

The FTT noted the interests of the journalists, for instance that they would have had an expectation that details of their day-to-day professional activities would remain confidential, and that the Commissioner had argued that

publication of information indicating that they had engaged the services of the investigators concerned would be so unfair as to outweigh the factors in favour of disclosure [para 19 of third ruling]

but the FTT also noted, in effect, that the journalists involved must have had some idea of what was going on when they engaged Whittamore

it must have been well known within the profession what types of information could be obtained with the help of investigators, even if the means of obtaining it were not fully understood. The rights of individuals under data protection laws would also have been widely known at the time. In those circumstances those engaging the particular services…should have known that they ran the risk of becoming involved in behaviour that fell short of acceptable standards. This seriously dilutes the weight to be attributed to their privacy rights and leads us to conclude that the balance tips in favour of disclosure [para 19 of third ruling]

Accordingly, and unless there is an appeal (I would be surprised if there isn’t), the names of some of the journalists who engaged Whittamore must be disclosed.

Other matters – criticism of ICO

In its preliminary ruling (November 2012) the FTT makes some trenchant criticism of the ICO’s handling of the requester’s first request (even though, as the requester did not pursue it, it was outwith the FTT’s jurisdiction). The refusal on costs grounds had been made, based upon a statement that the information requested had not been recorded in a database. Yet less than two months later the Leveson inquiry began, and, at that inquiry, evidence presented by the ICO effectively, in the FTT’s view, contradicted this statement

we do not understand how the Appellant could have been given such a misleading response to the First Information Request…as a result of the misleading information given to the Appellant, he was not able to pursue his request…We only became aware of the ICO’s error after the Appellant drew our attention to the evidence presented to the Leveson Inquiry regarding the Spreadsheets. We assume (and certainly hope) that those in the Commissioner’s office handling this appeal had not become aware sooner [para 28 of first ruling]

The ICO clearly did not take well to this criticism, because the second interim ruling records that

the Commissioner has complained about part of the decision which he believes includes unfair criticism of his office and has asked us to correct the impression given [para 3 of second ruling]

but the FTT stood firm, saying

We continue to believe that our criticism was justified. The Appellant was told that he was wrong to assume that any database of information existed that could be interrogated…However, it is now known that the ICO held the Spreadsheets at the time…[and although the information in them] may not have provided the Appellant with precisely the information he requested, but it would have come close. Against that background we believe that the ICO was open to criticism for asserting, without further qualification, that it would be necessary to search through the 17,000 documents in order to respond to the request. [para 6 of second ruling]

Filed under Confidentiality, Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Leveson, Privacy

The weakest link

I am a big fan of Bruce Hallas’s The Analogies Project, and I’ve been promising him for a while that I will send him a proposal for a privacy analogy for possible inclusion in the Project. For the time being, and because I’m suffering from a bit of writer’s block on that piece, I’ll post a little – and obvious – analogy here.

The recent news that the Information Commissioner’s Office (ICO) had required Great Ormond Street Hospital for Children NHS Foundation Trust (“GOSH”) to sign an undertaking (to improve data protection compliance) made me think of the famous quotation by William James from The Varieties of Religious Experience

A chain is no stronger than its weakest link

The ICO noted that, at GOSH,

Although data protection training was in place, it was not required for temporary members of staff

By their nature, temporary staff are often subject to different procedures and obligations (or lack thereof) to permanent staff. It is, consequently, all too easy for data controllers to ask temporary staff to handle personal data without applying the appropriate safeguards which they would always apply where permanent staff are concerned.

Data security and data protection within an organisation can, indeed, be seen as a chain. By that I don’t mean that it should tightly bind or shackle the organisation. Rather, what I mean is that – ideally – all parts should link together, and no part be isolated: thus, data, and risks, are appropriately contained. But if a weak link is in place, the potential exists for the whole chain to be broken.

This is not profound, and I strongly suspect it’s not even a new analogy, but I think it’s one worth making.

And it gives me the chance to quote William James for the second time today.

Filed under Data Protection, Information Commissioner

THIS is the purpose of subject access requests

In a recent blogpost the rather excellent Bilal Ghafoor (who goes by the handle of “FOIKid”, although I note he’s now extended this to “FOI (and DP) Kid”, evidently having rather belatedly discovered the joys of data protection) asked “What is the purpose of subject access requests?”. He drew attention to the potential discord between approaches by the Information Commissioner and by the courts (in cases such as Durant v Financial Services Authority [2003] EWCA Civ 1746) to such requests (made under section 7 of the Data Protection Act 1998 (DPA)).

In a comment on that post I argued that the Court of Appeal in Durant was perhaps not as out-of-step with, at least, the EC data protection Directive 95/46/EC as is sometimes thought

it’s important to note that the Court of Appeal were keen to stress the fact that the Act gives effect to the Directive, and that the Directive and its recitals have a “primary objective” to “protect individuals’ fundamental rights, notably the right to privacy and accuracy of their personal data held by others…

This particular primary objective is illustrated quite starkly by the news from the Press Gazette that comedian/journalist Mark Thomas discovered, through submitting a subject access request, that his name is on a “domestic extremist database”:

police held a file of seven pages containing more than 60 individual items of intelligence…“a bizarre list of events monitored by the police, lectures given, panels attended, even petitions I have supported…the police have monitored public interest investigations in my case since 1999”

Thomas says he is taking legal action to have his name removed. This will be an interesting case if it reaches court, joining a line of cases where people try to effect removal of records from police systems.

What is also interesting though is that Thomas, and the National Union of Journalists (NUJ), are encouraging journalists to submit subject access requests to the police. As Thomas says

I know of other NUJ members on the database….Which is why I am asking NUJ members to take action. If your work brings you into contact with the police whether covering riots or climate camp, from Plebgate to the NSA, then the police could have you on their database

and the NUJ general secretary Michelle Stanistreet adds

we want as many other members as possible to find out what information the Met is holding

In answer to Bilal’s question, then, I think that this – the investigation of how an arm of the UK state monitors and records the activities of the free press – is a vitally important example of what the purpose is of subject access requests.

Filed under Data Protection, police, Privacy, surveillance

Data Protection concerns and Article 6

Article 6(1) of the European Convention on Human Rights provides inter alia that “everyone is entitled to a fair and public hearing”. An interesting case in the Upper Tribunal shows how failure to comply with tribunal rules (in this case The Tribunal Procedure (First-tier Tribunal) (Social Entitlement Chamber) Rules 2008 (“the TPR”)) can render tribunal proceedings unfair and – arguably – in breach of Article 6(1). And although the case was not dealing substantively with an “information rights” matter, data protection played a small part.

This was a successful appeal, in which the Upper Tribunal held there had been a material error of law by the FTT. Upper Tribunal Judge Wright’s basis for permitting the appeal had been

that it seems arguable from the papers before me that the appeal was decided by the First-tier Tribunal without [the appellant] having had sight of the HMRC’s appeal response or the documents it relied on

and this was accepted by the respondent, HMRC.

It appears that HMRC had declined to comply with Rule 24(5) of the Rules (that it must provide a copy of the response and any accompanying documents to each other party at the same time as it provides the response to the Tribunal) because of “data security issues”…“because it was concerned that [the appellant] was not living at the address he was relying on”. It had conveyed its intention not to comply with Rule 24(5) in a letter to the FTT, but had not referred to any other Rule which permitted the action, and, although the letter sought directions from a judge there was no evidence

either on the Upper Tribunal file or the First-tier Tribunal file – to indicate either (a) that this letter was ever put before a Judge of the First tier-Tribunal, or (b) that directions were issued either requiring disclosure or precluding it, or (c) that the appeal response and evidence was ever sent to [the appellant] before the appeal was decided on 23.04.12

Accordingly, HMRC erred in law in not providing the appeal response and evidence, and the FTT, in not addressing this, made a material error of law in coming to its decision.

The Upper Tribunal judge also noted that HMRC’s concerns about data security could well have been met by section 35 of the Data Protection Act 1998 (which provides an exemption from the bars elsewhere in the DPA against disclosure of personal data if the “disclosure is required by or under any enactment, by any rule of law or by order of the court”). As the judge observed, “those words would seem to encompass rule 24 of the TPR”.

Lawyers and practitioners (and indeed litigants) should be aware that data protection concerns regarding disclosure of evidence, or serving of required papers, should not get in the way of tribunals’ overriding objectives to deal with cases fairly and justly, because if they do, a potential breach of parties’ Article 6 rights may occur. They should also make sure (as should, I suspect, tribunal clerks) that letters seeking directions are put before a judge.

Filed under Data Protection, human rights, Upper Tribunal