Category Archives: human rights

A balanced view on Optic Nerve

As I’m keen always to take a balanced view of important privacy issues, and not descend into the sort of paranoid raving which always defines, say, the state as the enemy, capable of almost anything, I sometimes think I end up being a bit naive, or at least having naive moments.

So, when outgoing Chair of Ofcom Dame Colette Bowe recently gave evidence to the House of Lords Select Committee on Communications, and said about consumers that

their smart TV may well have a camera and a microphone embedded in it there in their living room. What is that smart TV doing? Do people realise that this is a two-way street?

I thought for a moment “Oh come on, don’t be so scaremongering”. Sure, we saw the stories about Smart TVs and cookies, which is certainly an important privacy issue, but the idea that someone would use your TV to spy on you…?!

And then, of course, I quickly remembered – with a feeling of nausea – that that is exactly the sort of thing that GCHQ are alleged to have done, by jumping on the unencrypted web cam streams of Yahoo users, as part of the Optic Nerve program. And each time I remember this, it makes me want to scream “THEY WERE INDISCRIMINATELY SPYING ON PEOPLE…IN THEIR HOMES, IN THEIR BEDROOMS, FOR ****’S SAKE!”

And they were doing it just because they could. Because they’d noticed a way – a vulnerability – and taken advantage of it to slurp masses of intensely private data, just in case it might prove useful in the future.

The intrusion, the prurience, the violation do indeed make me feel like raving against the state and its agents who, either through direct approval, or tacit acceptance, or negligence, allowed this to happen. Although *balance alert* GCHQ do, of course, assure us that “GCHQ insists all of its activities are necessary, proportionate, and in accordance with UK law”. So that’s OK. And yes, they really did call it “proportionate”. 

I know the web cam grabbing was by no means the only such intrusion, but for me it exemplifies the “something” which went wrong, at some point, which led to this. I don’t know what that something was, or even how to fix it, and I’ve never used a web cam, so have no direct interest, but I will closely watch the progress of Simon Davies’ request for the Attorney General to refer the matter to the police.

Filed under Confidentiality, Data Protection, human rights, interception, Privacy, RIPA, surveillance

Reflections on the monetary penalty notice served on British Pregnancy Advisory Service

On 28 February the Information Commissioner’s Office (ICO) served a Monetary Penalty Notice (MPN), pursuant to powers under section 55A of the Data Protection Act 1998 (DPA), on the British Pregnancy Advisory Service, in the sum of £200,000 (which would be reduced to £160,000 if promptly paid). The ICO’s news release explains

An ICO investigation found the charity didn’t realise its own website was storing the names, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues. The personal data wasn’t stored securely and a vulnerability in the website’s code allowed [a] hacker to access the system and locate the information.

The hacker threatened to publish the names of the individuals whose details he had accessed, though that was prevented after the information was recovered by the police following an injunction obtained by the BPAS

The back story to this is that the hacker in question was subsequently jailed for 32 months for offences under the Computer Misuse Act 1990 (no doubt the prosecutors recognised that the criminal sanctions under the DPA were too weedy to bother with).

The section 55A DPA powers are triggered where there has been a qualifying serious contravention by a data controller of its obligations under section 4(4) to comply with the data protection principles in Schedule One. The most pertinent of these in the instant case (and in the large majority of ICO MPNs) was the seventh

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

which extends to the need to, when contracting with someone to process data on your behalf, require them to take equivalent security measures and evidence this contractual provision in writing. As the ICO’s MPN says

BPAS failed to take appropriate technical and organisational measures against the unauthorised processing of personal data stored on the BPAS website such as having a detailed specification about the parameters of the CMS to ensure that either the website did not store any personal data or alternatively, that effective and appropriate security measures were applied such as storing administrative passwords securely; ensuring stated standards of communication confidentiality were met; carrying out appropriate security testing on the website which would have alerted them to the vulnerabilities that were present or ensuring that the underlying software supporting the website was kept up to date

(Interestingly, the MPN also makes clear that there was a contravention of the fifth principle – which provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”. This was because “the call back details were kept for five years longer than was necessary for [BPAS’s] purposes”).

The original crime was a particularly nasty one – the offender appears to have had an ideological, or at least personal, opposition to abortion in general, and the apparently very real threat to publish people’s details, given to BPAS in highly sensitive circumstances, is probably what elevated the BPAS contravention to a level which justifies such a high sum being served on a charity. However, BPAS have announced that they intend to appeal, and their press release about this is interesting. It suggests that the appeal will be not about the issuing of the MPN, but about its amount (section 55B(5) DPA permits appeals on either basis):

We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine

but it goes on to make the valid point that, by serving an MPN of this large amount, the ICO potentially gives the offender something that he wanted – to harm the charity:

It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way

This, though, seems to be a matter of ethics, rather than law, but it will be interesting to note if the argument makes it in some form into the grounds of appeal. More likely, if the challenge is to be made solely on the amount (under section 55B(5)(b)), focus will fall on to the suggestion that

This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime

Of course, by a circular argument, the “fine” would not have been served, if the data controller had not, by its omissions, permitted itself to be a victim of the crime.

An extra frisson is caused when one considers the compelling argument by the solicitor-advocates for Scottish Borders Council, who successfully helped the latter win an appeal of an MPN last year. Although their argument – that MPNs were more correctly to be considered criminal, as opposed to civil, penalties – did not fall to be decided by the First-tier Tribunal, it did observe that

One general question hovering over this appeal is whether proceedings in respect of monetary penalties are “criminal” in nature. There are certainly enough indications, not least in the title of the amending statute, [the Criminal Justice and Immigration Act 2008] to make an arguable case for them being so…We have concluded that there is no need for us to make any decision or pronouncement in the abstract; but there is a need for us to be vigilant to ensure that the proceedings are fair

If this line of argument continues to be developed – that recipients of MPNs are entitled to be afforded the equivalent rights to fairness, of hearing under Article 6 of the European Convention on Human Rights, afforded to those accused of crimes – then MPNs, and the circumstances and manner in which they are served, may be subject to a much greater level of scrutiny, and the cash-strapped ICO may find itself under even more pressure from legal challenges.

These issues may be aired, and possibly determined, in the forthcoming appeal in the Upper Tribunal of the MPN served on Christopher Niebel, and subsequently overturned by the First-tier Tribunal.

Filed under Data Protection, human rights, Information Commissioner, Information Tribunal, monetary penalty notice

The care.data leaflet campaign – legally necessary?

Readers of this blog [sometimes I imagine them¹] may well be fed up with posts about care.data (see here, here and here). But this is my blog and I’ll cry if I want to. So…

Doyen of information rights bloggers, Tim Turner, has written in customary analytic detail on how the current NHS care.data leafleting campaign was not necessitated by data protection law, and on how, despite some indications to the contrary, GPs will not be in the Information Commissioner’s firing line if they fail adequately to inform patients about what will be happening to their medical data.

He’s right, of course: where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) then it is not obliged, pace the otherwise very informative blogpost by the Information Commissioner’s Dawn Monaghan, to give data subjects a privacy, or fair processing notice.

(In passing, and in an attempt to outnerd the unoutnerdable, I would point out that Tim omits that, by virtue of The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000, if a data subject properly requests a privacy notice in circumstances where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) and would, thus, otherwise not be required to issue one, the data controller must comply².)

Tim says, though

The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required

That appears to be true, under data protection law, but, under broader obligations imposed on the relevant authorities under Article 8 of the European Convention on Human Rights (ECHR), as incorporated in domestic law in the Human Rights Act 1998, it might not be so (and here, unlike with data protection law, we don’t have to consider the rigid controller/processor dichotomy in order to decide who the relevant, and liable, public authority is, and I would suggest that NHS England (as the “owner of the care.data programme” in Dawn Monaghan’s words) seems the obvious candidate, but GPs might also be caught).

In 1997 the European Court of Human Rights addressed the very-long-standing concept of the confidentiality of doctor-patient relations, in the context of personal medical data, in Z v Finland (1997) 25 EHRR 371, and said

the Court will take into account that the protection of personal data, not least medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention (art. 8). Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general…Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community

This, I think, nicely encapsulates why so many good and deep-thinking people have fundamental concerns about care.data.

Now, I am not a lawyer, let alone a human rights lawyer, but it does occur to me that a failure to inform patients about what would be happening with their confidential medical records when GPs were required to upload them, and a failure to allow them to opt-out, would have potentially infringed patients’ Article 8 rights. We should not forget that, initially, there was no intention to inform patients at all (there had been no attempt to inform patients about the similar upload of hospital medical data, which has been going on for over twenty years). It is, surely, possible therefore, that NHS England is not just “helping” GPs to inform patients without having any responsibility to do so (as Dawn Monaghan suggests), but that it recognises its potential vulnerability to an Article 8 challenge, and is trying to avoid or mitigate this. Whether the leaflets themselves, and the campaign to deliver them, are adequate to achieve this aim is another matter. As has been noted, the leaflet contains no opt out form, and there seem to be numerous examples of people (often vulnerable people, for instance in care homes, or refuges) who will have little or no chance of receiving a copy.

At the launch of the tireless MedConfidential campaign last year, Shami Chakrabarti, of Liberty, spoke passionately about the potential human rights vulnerabilities of the care.data programme. Notifying patients of what is proposed might not have been necessary under data protection law, but it is quite possible that the ECHR aspect of doing so was one of the things on which the Health and Social Care Information Centre (HSCIC) has been legally advised. Someone made an FOI request for this advice last year, and it is notable that HSCIC seem never to have completed their response to the request.

¹ I make no apologies for linking to one of Larkin’s most beautiful, but typically bleak and dystopian, pieces of prose, but I would add that it finishes “…These have I tried to remind of the excitement of jazz, and tell where it may still be found.”

² Unless the data controller does not have sufficient information about the individual in order readily to determine whether he is processing personal data about that individual, in which case the data controller shall send to the individual a written notice stating that he cannot provide the requisite information because of his inability to make that determination, and explaining the reasons for that inability

Filed under care.data, Confidentiality, Data Protection, data sharing, Europe, human rights, Information Commissioner, NHS, Privacy

Staffs Police to drop controversial naming “drink drivers” twitter campaign

ICO confirms hashtag campaign prior to conviction was unlikely to be compliant with the Data Protection Act. Other forces to be advised via ACPO of issues raised by the case

Over the Christmas period Staffordshire Police ran a social media campaign, in which drivers arrested and charged with drink-driving offences were named on twitter with the “hashtag” #drinkdriversnamedontwitter. It seemed to me, and others, that this practice arguably suggested guilt prior to any trial or conviction. As I said at the time

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver

and I asked the Information Commissioner’s Office (ICO)

whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully

The ICO have now issued a statement. Their spokesman says

The ICO spoke to Staffordshire Police following its #DrinkDriversNamedOnTwitter campaign. Our concern was that naming people who have only been charged alongside the label ‘drink driver’ strongly implies a presumption of guilt for the offence, which we felt wouldn’t fit with the Data Protection Act’s fair and lawful processing principle.

We have received reassurances from Staffordshire Police that the hashtag will no longer be used in this way, and are happy with the procedures they have in place. As a result, we will be taking no further action. We’ve also spoken with ACPO about making other police forces aware of the issues raised by this case.

I think this is a very satisfactory result. The ICO have, as I said previously, shown that they are increasingly willing to investigate contraventions of the DPA not limited to security breaches. No one would defend drink driving (and it was not the naming itself that was objectionable, but the tweeting of the names in conjunction with the hashtag) but the police should not be free to indicate or imply guilt prior to conviction – that is quite simply contrary to the rule of law.

What I still think is disappointing though, is that after an initial prompt response from the Attorney General’s twitter account (which missed my point), there has been no word from them as to whether the practice was potentially prejudicial to any forthcoming trial. Maybe they’d like to rethink this, in light of the statement from the ICO?

Filed under Data Protection, human rights, Information Commissioner, police, Uncategorized

Shaming the not guilty

UPDATE
9 January 2014, after a bit of prompting, the Information Commissioner’s Office have confirmed to me that they are looking into whether Staffordshire Police’s twitter campaign was compliant with the Data Protection Act
END UPDATE

Is Staffordshire Police’s social media campaign naming those charged with drink-driving offences fair and lawful?

A month ago I wrote about media coverage of Sussex Police’s crackdown on drink-driving. I was concerned that the impression was being given by the media that the police were “naming and shaming” people who had merely been charged – not convicted – with the offence. I asked Sussex Police if they were happy with the words attributed to them by the Eastbourne Herald but they chose not to reply (which I suppose is one way of dealing with enquiries from the public).

I have to concede that, in that instance, it was not clear whether the police themselves were suggesting people were guilty of an offence before any conviction. However, I heard today (thanks @primlystable) that Staffordshire Police have been running a campaign which is much more overt in its suggestion that people who have been charged with drink-driving offences can be called “drink drivers”. They have been running a social media campaign using the hashtag #drinkdriversnamedontwitter, and, they announce, there has been “overwhelming support” for it

Overwhelming support #drink drivers named on twitter

Staffordshire Police has received tremendous support for its name and shame tactic to reduce the number of drink-drivers.

Nearly 500 people completed an on-line survey asking whether they supported naming people charged with drink-drive offences and whether it would help people think about the consequences of this type of offence.

But the blurring of the line in that press release between the guilty and the not-proven-guilty is highly problematic. If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against¹.

I asked the Attorney General’s Office (by twitter) what it thought of the use of the hashtag against the names of those merely charged with an offence, but, in saying

Tweets are same details automatically given to Magistrates’ court and made public at hearing – not contempt in this case

I think they rather missed the point – it wasn’t the naming of charged people which concerned me, it was the association of the name with the hashtag. And, in an excellent response on twitter @richgreenhill said

You’d be similarly sanguine about tweeting certain names and “#phonehacker” right now?

But I’ve also asked the Information Commissioner’s Office (ICO) whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully. The ICO has shown itself commendably willing recently to challenge unfair processing, and has, for instance, served DPA enforcement notices against Southampton City Council for making it a licensing requirement that taxi drivers have continuous CCTV-with-audio in their cabs, and against Hertfordshire Police for its automatic number-plate recognition “ring of steel” around Royston. I would urge the ICO to consider whether this current campaign warrants some regulatory action.

As I was writing this piece I saw a news item in which a traffic lawyer has called for the Staffordshire Police and Crime Commissioner (PCC) to resign as a result of the campaign, saying

By his comments he is now presuming that everyone named by his officers are guilty as charged even before they have appeared before a court. In other words he is demonstrating a cavalier disregard for the presumption of innocence.

His comments have potentially prejudiced every drink driving case before it is heard.

This pitches it stronger than I have, but I also note that Matthew Ellis, the PCC, has said in response

No-one will be named where there is any doubt

That is deeply concerning: it is no part of the police’s role to determine or pronounce on someone’s guilt or innocence.

¹ Ministry of Justice, Criminal Justice Statistics, Quarterly Update to December 2010

Filed under Data Protection, human rights, Information Commissioner, police, social media

For Shame

A newspaper says police are “naming and shaming” drivers who have been charged with, but not convicted of, drink-driving offences. Sussex Police say they are merely “naming” the drivers, but do not appear to feel the need to correct the media reports.

The risk for social media users of being held in contempt of court was highlighted this week by the Attorney General, who has said that, in future, the advisory notes issued to “traditional” media on individual cases will now be made more widely available (published on the gov.uk website and twitter).

With this in mind I was concerned to see that Sussex Police were reported by the Eastbourne Herald to be “naming and shaming” drivers arrested and charged with drink-driving

Police have said this year they are ‘naming and shaming’ everyone they arrest in connection with drink driving

The report goes on to quote Chief Inspector Natalie Moloney as saying

It is sad that so many people ignored the warnings that we would be looking for drink-drivers and have been charged with offences within hours of the start of the campaign. The arrests and the naming of those charged with offences will continue across the county throughout the month

This seemed to me potentially to engage the provisions of the Contempt of Court Act 1981 relating to an offence of strict liability “whereby conduct may be treated as a contempt of court as tending to interfere with the course of justice in particular legal proceedings regardless of intent to do so”, because it is a publication addressed to the public at large, about active proceedings. For an offence to be committed the publication must give rise to a substantial risk that the course of justice in the proceedings in question will be seriously impeded or prejudiced. I am not convinced that would be the case, but, nonetheless, I was surprised to see a police force effectively being reported as saying that naming someone only charged with an offence gives rise to “shame” (it does nothing of the sort, of course, given the legal maxim of “innocent until proven guilty”). So I asked the Sussex Police twitter account

Are you really running a policy of “shaming” people by naming them prior to a trial?

to which they replied

We are not “shaming” anyone. We are naming those charged with a drink-related driving offence as we do for a range of offences

That was fair enough (although one might ask Chief Inspector Moloney why an innocent person would heed a warning that police were looking for drink-drivers) but, as it appeared that this “naming-not-shaming” initiative had been launched in conjunction with the media, I wondered if they would be asking the Herald to correct its misleading article. Sussex Police replied

The campaign doesn’t aim to ‘shame’, but rather to deter & the article does not attribute the phrase to us

but this is simply not true: the article may not directly attribute the phrase to the police, but it does so indirectly

Police have said this year they are ‘naming and shaming’…

I have had no response yet to my further tweet pointing this out.

So, in a week when contempt via social media is very much in the headlines, we appear to have an online newspaper report which suggests there is shame attached to being charged with an offence, and which attributes this phrase to a police force, who seem unconcerned about correcting it. Odd.

For the avoidance of doubt, I should say that I have no sympathy whatsoever with people convicted of drink driving offences, but, to suggest there is “shame” in being charged with an offence prior to trial, is to go against centuries of presumption of innocence.

Filed under human rights, journalism, police, social media

Data Protection concerns and Article 6

Article 6(1) of the European Convention on Human Rights provides inter alia that “everyone is entitled to a fair and public hearing”. An interesting case in the Upper Tribunal shows how failure to comply with tribunal rules (in this case The Tribunal Procedure (First-tier Tribunal) (Social Entitlement Chamber) Rules 2008 (“the TPR”)) can render tribunal proceedings unfair and – arguably – in breach of Article 6(1). And although the case was not dealing substantively with an “information rights” matter, data protection played a small part.

This was a successful appeal, in which the Upper Tribunal held there had been a material error of law by the FTT. Upper Tribunal Judge Wright’s basis for permitting the appeal had been

that it seems arguable from the papers before me that the appeal was decided by the First-tier Tribunal without [the appellant] having had sight of the HMRC’s appeal response or the documents it relied on

and this was accepted by the respondent, HMRC.

It appears that HMRC had declined to comply with Rule 24(5) of the Rules (that it must provide a copy of the response and any accompanying documents to each other party at the same time as it provides the response to the Tribunal) because of “data security issues”…“because it was concerned that [the appellant] was not living at the address he was relying on”. It had conveyed its intention not to comply with Rule 24(5) in a letter to the FTT, but had not referred to any other Rule which permitted the action, and, although the letter sought directions from a judge, there was no evidence

either on the Upper Tribunal file or the First-tier Tribunal file – to indicate either (a) that this letter was ever put before a Judge of the First tier-Tribunal, or (b) that directions were issued either requiring disclosure or precluding it, or (c) that the appeal response and evidence was ever sent to [the appellant] before the appeal was decided on 23.04.12

Accordingly, HMRC erred in law in not providing the appeal response and evidence, and the FTT, in not addressing this, made a material error of law in coming to its decision.

The Upper Tribunal judge also noted that HMRC’s concerns about data security could well have been met by section 35 of the Data Protection Act 1998 (which provides an exemption from the bars elsewhere in the DPA against disclosure of personal data if the “disclosure is required by or under any enactment, by any rule of law or by order of the court”). As the judge observed, “those words would seem to encompass rule 24 of the TPR”.

Lawyers and practitioners (and indeed litigants) should be aware that data protection concerns regarding disclosure of evidence, or serving of required papers, should not get in the way of tribunals’ overriding objectives to deal with cases fairly and justly, because if they do, a potential breach of parties’ Article 6 rights may occur. They should also make sure (as should, I suspect, tribunal clerks) that letters seeking directions are put before a judge.

Filed under Data Protection, human rights, Upper Tribunal

Photographing sleeping people – data protection implications

Is it ever OK to photograph strangers on a train? asks Nell Frizzell, in a balanced, and nuanced, article in the Guardian

one new public transport phenomenon has recently crashed into my consciousness. Tumblr accounts dedicated to secretly photographing, uploading and then critiquing fellow commuters, have spored like bed bugs on a bus seat.

She correctly points out that domestic law, even to the extent that it gives effect to Article 8 of the European Convention on Human Rights, does not prevent, in general terms, the act of photographing an individual without their consent.

However, the practice she describes, of uploading photographs to social media sites, does engage, and, I would argue, breach, the Data Protection Act 1998 (DPA).

An image of a person is potentially (and in these specific cases almost certainly) their personal data (particularly bearing in mind the observation by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746 that for information to be personal data it “should have the putative data subject as its focus”). The DPA contains an exemption (at section 36) from all the provisions of the DPA for processing of personal data by an individual for the purposes of that individual’s personal, family or household affairs (including recreational purposes) (the “domestic purposes exemption”). It is possible, although arguable, that the mere taking (and no more) of a photograph of someone on a train, would be caught by this exemption. However, once such a photograph is uploaded to the internet, the exemption falls away. This is because the European Court of Justice held, in a 2003 ruling that binds all inferior courts, that personal data posted on the internet could not be caught by the domestic purposes exemption (Lindqvist (Approximation of laws) [2003] EUECJ C-101/01).

That said, the Information Commissioner’s Office (ICO), which regulates the DPA in the UK, has shown reluctance to accept this authoritative statement of the law regarding the online processing of personal data. I have previously written about this, in the context of the ICO’s social media DPA guidance, which sidesteps (or, rather, ignores) the point. However, it might be more difficult for a domestic court (bound by the authority of Lindqvist) to ignore it in the same way, in the event that any case came before one for determination.

But therein lies the (lack of) rub. Uploading a photograph, without consent, of someone sleeping on a train is unfair, and therefore in breach of the first Data Protection Principle (because no Schedule 2 condition exists which permits the processing). But I struggle to imagine the chain of events which could give rise to a claim (for instance, the data subject would have to contact the photographer, or the site, to require them to cease processing on the grounds that doing so was causing, or was likely to cause, substantial damage or substantial distress, and the photographer, or site, would have to refuse).

So, ultimately, even though I’d argue that these sites, and those who upload to them, breach the DPA, the unwillingness of the ICO to exercise jurisdiction, and the unlikelihood of any legal claim emerging, mean that they can probably continue with impunity, unfairness notwithstanding.

As photographer Paul Clarke said in an excellent blogpost on the subject earlier this year

Sticking to rigid rules of law won’t help us very much. This might feel (it does to me) like gross intrusion on privacy. But being offensive is not enough to make something an offence.

Filed under Data Protection, human rights, Information Commissioner, Privacy, social media

Leveson, LJ – defender of the press

Lord Justice Leveson, new President of the Queen’s Bench Division, is not the most popular judge amongst journalists and press barons.

So, in the week before the Privy Council meets to decide which system of press regulation will prevail, his detractors might take a moment to read a recent judgment of his in the Court of Appeal (Jolleys, R. v [2013] EWCA Crim 1135).

The appeal, by the Press Association, represented by the formidable Mike Dodd, was from a decision of a Recorder in Swindon Crown Court, purporting to have been made under section 39 of the Children and Young Persons Act 1933 preventing media reporting of information relating to the youngest (15-year-old) child of the defendant in the case (despite the fact that some of the information had been in the public domain prior to the making of the order). It was said that the court specifically prevented a reporter present from making representations prior to its making:

the order was put into place until it would be “properly argued” by counsel and “by somebody from the press if need be” [para 4]

This was, as Leveson LJ identified, in breach of rule 16 of the Criminal Procedure Rules, which provides that the court must not impose a reporting restriction “unless each party and any other person affected…is present; or has had an opportunity (i) to attend, or (ii) to make representations”:

It cannot be suggested that the press were not affected by the order; indeed, it was specifically to restrict what could be reported that the order was made. This failure to allow representations at that stage represented a serious inroad into the respect owed to the press concerned to report criminal proceedings. [para 6]

Section 39 of the Children and Young Persons Act 1933 provides that

In relation to any proceedings in any court the court may direct that –

a. no newspaper report of the proceedings shall reveal the name, address, or school, or include any particulars calculated to lead to the identification, of any child or young person concerned in the proceedings, either, as being the person by or against, or in respect of whom proceedings are taken, or as being a witness therein;

b. no picture shall be published in any newspaper as being or including a picture of any child or young person so concerned in the proceedings as aforesaid;

except in so far (if at all) as may be permitted by the court.

And the Press Association successfully argued that “concerned in the proceedings” in section 39(a) could not be extended to a child who was merely the son of a defendant, but otherwise unconnected:

In relation to criminal proceedings, this can only include a child or young person who is the victim of an alleged offence, or the defendant or a witness; in civil proceedings, it could also include a child or young person on behalf of whom an action was being brought, for example, in relation to a road traffic accident or medical negligence. [para 12]

and this was supported by the unanimous view of the House of Lords in Re S (A Child) (Identification: Restrictions on Publication) [2005] AC 593 and the Court of Appeal in Re Trinity Mirror and others (A and another intervening) [2008] EWCA Crim 50 in which latter case the court had also rejected the proposition that a court’s inherent jurisdiction justified the making of an order to similar effect on Article 8 grounds

We must however add that we respectfully disagree with the judge’s further conclusion that the proper balance between the rights of these children under Article 8 and the freedom of the media and public under article 10 should be resolved in favour of the interests of the children. In our judgment, it is impossible to over emphasise the importance to be attached to the ability of the media to report criminal trials…If the court were to uphold this ruling so as to protect the rights of the defendant’s children under article 8, it would be countenancing a substantial erosion of the principle of open justice to the overwhelming disadvantage of public confidence in the criminal justice system, the free reporting of criminal trials and the proper identification of those convicted and sentenced in them [paras 32 and 33 of Re Trinity Mirror and others]

Leveson LJ identified other problems with the Recorder’s approach

he [also] approached the issue from the wrong direction. It was for anyone seeking to derogate from open justice to justify that derogation by clear and cogent evidence…The order was made when defence counsel asserted the likelihood of the defendant’s son suffering “the most extraordinary stigma through no fault of his own” which caused the Recorder to ask the reporter what the need for identifying the son was, rather than whether it was necessary to restrict his identification. [para 16]

and the point was made that a section 39 order, although generally obeyed in spirit as well as letter by the press, may not be the most appropriate form of order, applying as it does only to reports in newspapers, and in sound and television broadcasts: social media are not caught by it (“any further developments in this area of the law must be for Parliament”). This purported order had been “loosely” made, and Leveson LJ stressed that

Where such orders are made, they should be restricted to the language of the legislation

Mike Dodd had stated that the problems identified by this case were not uncommon, and the appeal was brought to

highlight what he contends is a continuing problem for journalists and the media, namely the willingness of courts to make unnecessary orders or to assume powers that they do not have. He submits that the courts all too often seem unaware of the guidance that is available and leave it to individual reporters (who will not be as versed in the law as the court, with the assistance of counsel, should be) to attempt to challenge the approach.

This concern was recognised

The requirements of open justice demand that judges are fully mindful of the underlying principles which this judgment has sought to elucidate

and Leveson LJ calls for – in those cases where “there is the slightest doubt, or any novel approach is suggested” regarding the appropriateness of a section 39 order being made – notice to be given in good time but also (without prejudice to the right of the press to advance its own arguments) for counsel “to research and develop the arguments to assist the court in a balanced way”.

Who said Leveson was an enemy of the press?

Filed under human rights, journalism, Leveson, Open Justice

It’s our Right to Know, Mr ICO

On 29 August the Information Commissioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I thought I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrast, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a) has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b) relates to an identified or identifiable individual or business, and

(c) is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many, many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency