I’ve written up my thoughts for the Mishcon de Reya website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.
https://www.mishcon.com/news/data-protection-risks-to-life-should-more-be-done
The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct s new nuclear power plant at Hinkley Point C (HPC), is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR)
In the last fifteen years or so, a very interesting body of case law has been built up regarding the extent to which certain private persons have accrued, or have been conferred upon them, the status of a public authority for the purposes of the EIR. Some of the bodies who have been held to be public authorities (at least in a limited EIR sense) are water companies, BT, public gas transporters, and port authorities. Some which have not been held to be include Heathrow Airport and housing associations.
The EIR create a scheme for public access to environmental information held by public authorities, which runs in parallel to the scheme under the Freedom of Information Act 2000 (FOIA). Where FOIA, though, specifically designates public authorities, the EIR (which implemented an EU Directive, emanating in turn from the 1998 UNECE Aarhus Convention) define a public authority by virtue of its actions and powers.
Whether a person is a public authority will often turn on whether it “carries out functions of public administration”. The tests for this derive from the “Fish Legal ” in the CJEU: whether they are “entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and…are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law”
In NNB Generation Company (HPC) Ltd v Information Commissioner & Anor [2025] UKFTT 634 (GRC), the Tribunal, considering an appeal by HPC from a decision by the Information Commissioner’s Office that it was an EIR public authority (and in which Fish Legal were again the applicant), held that the relevant Development Consent Order, and the electricity and nuclear licences granted to HPC constituted entrustment with the performance of public services in relation to the environment, and the powers accruing from that entrustment “go far beyond what a private person without the benefit of such powers would be able to do in those circumstances, for example in empowering HPC to make byelaws, even if it opts not to do so”.
Decisions of this sort are nuanced and complex, and for that reason, often amenable to appeal. I would not be surprised if this one goes to the Upper Tribunal.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The issue of the legality of the making of, and subsequent use of, covert audio and/or visual recordings of individuals is a complex one – even more so when it comes to whether such recordings can be adduced as evidence in court proceedings.
I’m not going to try to give an answer here, but what I will do is note that the Family Justice Council has recently produced guidance on cover recordings in family law proceedings concerning children, and it contains some rather surprising sections dealing with data protection law.
Firstly, I should say what it gets right: I think it is correct when it indicates that processing consisting of the taking of and use of covert recordings for the purpose of proceedings will not normally be able to avail itself of the carve-out from the statutory scheme under Article 2(2)(a) UK GDPR (for purely personal or household purposes).
However, throughout, when addressing the issue of the processing of children’s data, it refers to the Information Commissioner’s Office’s Children’s Code, but doesn’t note (or notice?) that that Code is drafted specifically to guide online services on the subject of age appropriate design of such services. Although some of its general comments about children’s data protection rights will carry over to other circumstances, the Children’s Code is not directly relevant to the FJC’s topic.
It also goes into some detail about the need for an Article 6(1) UK GDPR lawful basis if footage is shared with another person. Although strictly true, this is hardly the most pressing point (there are a few potential bases available, or exemptions to the need to identify one). But it also goes on to say that a failure to identify a lawful basis will be a “breach of the DPA 2018” (as well as the UK GDPR): I would like its authors to say what specific provisions of the DPA it would breach (hint: none).
It further, and incorrectly, suggests that a person making a covert recording might commit the offence of unlawfully obtaining personal data at section 170 DPA 2018. However, it fails to recognise that the offence only occurs where the obtaining is done without the consent of the controller, and, here, the person making and using the recording will be the controller (as the “lawful basis” stuff above indicates).
Finally, when it deals with developing policies for overt recording, it suggests that consent of all the parties would be the appropriate basis, but gives no analysis of how that might be problematic in the context of contentious and fraught family law proceedings.
The data protection aspects of the guidance are only one small part of it, and it may be that it is otherwise sound and helpful. However, it says that the ICO were consulted during its drafting, and gave “helpful advice”. Did the ICO see the final version?
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
When a public authority receives a request for information it must, under the Freedom of Information Act 2000, determine and communicate whether the information is held (subject to any exemption which removes the obligation to confirm or deny whether it is held), and then determine whether any exemptions to disclosure apply. These latter exemptions include the procedural ones at ss12 and 14 of FOIA (costs grounds and vexatiousness or repeatedness) and the substantive ones at Part II (ss21 to 44). It is only then that, if the requester has requested the information in a specific format (such as a specific software format) the public authority must, under s11, consider whether it must “so far as reasonably practicable” give effect to that preference.
That this is the correct order of things is confirmed by an important (albeit quite niche) judgment of the Upper Tribunal, in Walawalker v The Information Commissioner & Anor [2023] UKFTT 1084 (GRC). Both the ICO, and the First Tier Tribunal, had elided/confused the staged process above, with the result that the appeal before the Upper Tribunal was on the meaning of s11, despite prior findings not having been fully made on the application of exemptions.
Nonetheless, what the Upper Tribunal had to decide was, where (for instance as was the case here) a request was for transcripts of a 50-odd audio recordings of distress calls at sea, and the act of transcribing them would be very resource-heavy, did the obligation to give effect to the preference for transcripts “so far as reasonably practicable” impose an “all or nothing” or a “sliding scale duty”? In this example, did the Maritime and Coast Agency have to transcribe as many of the calls as it could before it became no longer reasonably practicable, or did the exercise as a whole constitute something that was not reasonably practicable?
It was the latter, said the judge: s11 applies to “the information” requested (what the ICO in its submissions, described as being a “unitary concept” – and the judge said this was a “helpful perspective”) not a subset of extract of the information. What Mr Walaker had requested was “all calls”, and it was that “unitary concept” which as at issue in the s11 analysis. It was not reasonably practicable to transcribe all calls, and so the s11 duty did not apply.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
[reposted from my LinkedIn account]
When a public authority receives a Freedom of Information Act request and the requested information contains personal data (of someone other than the requester) it must first consider whether it can even confirm or deny that the information is held. For instance “Dear NHS Hospital Trust – please say whether you hold a list of embarrassing ailments suffered by Jon Baines, and if you do, disclose the list to me”. To confirm (or deny) even holding the information would tell the requester something private about me, and would contravene the data protection principles at Article 5(1) of the UK GDPR. Therefore, the exemption at s40 of FOIA kicks in – specifically, the exemption at s40(5A): the hospital can refuse to confirm or deny whether the information is held.
But suppose that, mistakenly, the hospital had perhaps confirmed it held the information, but refused to disclose it? The cork, surely, is for ever out of the bottle.
Upon appeal by the requester (this requester really has it in for me) to the ICO, I could understand the latter saying that the hospital should have applied s40(5A) and failure to do so was a failure to comply with FOIA. However, certainly of late, the ICO has engaged in what to me is a strange fiction: it says in these circumstances that it will “retrospectively apply s40(5A)” itself. It will pretend to put the cork back in the bottle, after the wine has been consumed.
And now, the Information Tribunal has upheld an ICO decision to do so, albeit with no argument or analysis as to whether it’s the correct approach. But even more bizarre it says
We are satisfied that the Commissioner was correct to apply section 40(5B) FOIA proactively, notwithstanding the information that has previously been provided by the Trust, to prevent the Trust from providing confirmation or denial that the information is held.
But the Trust had already done so! It can’t retrospectively be prevented from doing something it has already done. The cork is out, the wine all gone.
Am I missing something? Please excuse the sudden mix of metaphor, but can no one else see that the Emperor has no clothes?
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, UK GDPR
This is a quite extraordinary data protection story, by Jamie Roberton and Amelia Jenne of Channel 4 News , involving a mother of a woman who died in suspicious circumstances.
It appears that a “Victims’ Right to Review” exercise was undertaken by Gloucestershire Police, at the request of the family of Danielle Charters-Christie, who was found dead inside the caravan that she shared with her partner – who had been accused of domestic abuse – in Gloucestershire on 26 February 2021.
Officers then physically handed a 74-page document to Danielle’s mother, and the contents of it were subsequently reported by Channel 4 News. But, now, the police say that the Review report was “inadvertently released”, are demanding that Danielle’s mother destroy it, and have referred her apparent refusal to do so to the Information Commissioner’s Office as a potential offence under s170(3) of the Data Protection Act 2018.
That provision creates an offence of “knowingly,…after obtaining personal data, [retaining] it without the consent of the person who was the controller in relation to the personal data when it was obtained”.
But here’s a thing: it is a defence, under s170(3)(c) for a person charged with the offence to show that they acted (and here, the retention of the data would be the “action”) for the purposes of journalism, with a view to the publication by a person of any journalistic material, and in the reasonable belief that in the particular circumstances the retaining was justified as being in the public interest.
The ICO is tasked as a prosecutor for various data protection offences, including the one at s170 DPA. No doubt whoever at the ICO is handed this file will be having close regard to whether this statutory defence would apply, but will also, in line with the ICO’s duty as a prosecutor, to consider evidential factors, but also whether a prosecution would be in the public interest.
At the same time, of course, the ICO has civil enforcement powers, and might well be considering what were the circumstances under which the police, as a controller, wrongly disclosed personal data in such apparently serious circumstances.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The Information Commissioner’s Office has published its response to the government’s consultation on Copyright and AI. There’s an interesting example in it of a “oh really?!” statement.
The government proposes that, when it comes to text and data-mining (TDM) of datasets that contain copyright works) a broad exception to copyright protection should apply, under which “AI developers would be able to train on material to which they have lawful access, but only to the extent that right holders had not expressly reserved their rights”. Effectively, rights holders would have to opt out of “allowing” their works to be mined.
This is highly controversial, and may be the reason that the Data (Use and Access) Bill has stalled slightly in its passage through Parliament. When the Bill was in the Lords, Baroness Kidron successfully introduced a number of amendments in relation to use of copyright info for training AI models, saying that she feared that the government’s proposals in its consultation “would transfer [rights holders’] hard-earned property from them to another sector without compensation, and with it their possibility of a creative life, or a creative life for the next generation”. Although the government managed to get the Baroness’s amendments removed in Commons’ committee stage, the debate rumbles on.
The ICO’s response to the consultation notes the government’s preferred option of a broad TDM exception, with opt-out, but says that, where personal data is contained in the training data, such an exception would not “in and of itself constitute a determination of the lawful basis for any personal data processing that may be involved under data protection law”. This must be correct: an Article 6(1) UK GDPR lawful basis will still be required. But it goes on to say “the lawfulness of processing would need to be evaluated on a case-by-case basis”. A straightforward reading of this is that for each instance of personal data processing when training a model on a dataset, a developer would have to identify a lawful basis. But this, inevitably, would negate the whole purpose of using machine learning on the data. What I imagine the ICO intended to mean was that a developer should identify a broad, general lawful basis for each dataset. But a) I don’t think that’s what the words used mean, and b) I struggle to reconcile that approach with the fact that a developer is very unlikely to know exactly what personal data is in a training dataset, before undertaking TDM – so how can they properly identify a lawful basis?
I should stress that these are complex and pressing issues. I don’t have answers. But opponents of the consultation will be likely to jump on anything they can.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under AI, Data Protection, datasets, DUAB, Information Commissioner, Lawful basis, parliament, Uncategorized
When a public authority relies on an exemption to refuse to disclose information in response to a Freedom of Information Act request, the requester can ask the Information Commissioner’s Office for a decision as to whether the refusal was in accordance with the law. In order to make such a decision, the ICO may often need to see the information withheld by the public authority. Where the public authority is unwilling to provide this, or perhaps drags its heels over it, the ICO may serve, under section 51 of FOIA, an “information notice”, requiring the information to be provided. Failure to comply with an Information Notice can be certified as contempt of court, but there is a right of appeal to the First-tier Tribunal.
And so it was that the Tribunal recently found itself hearing appeals by the Cabinet Office in relation to two Information Notices served on it by the ICO, who is investigating whether FOIA requests for information relating to Rishi Sunak’s declarations of interest when he was Prime Minister.
The Cabinet Office sought to argue, among other things, that access by the ICO was not necessary, was unfair and damaging to the process of handling ministerial declarations of interest, and would constitute unlawful processing of personal data. All of these arguments got short shrift from the Tribunal – ultimately, it held that it would not be possible to determine whether any of the exemptions prayed in aid by the Cabinet Office were made out without an examination of the material, and the appeals were dismissed.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.
It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.
The ICO had determined that although the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.
The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):
In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.
I do not say the Tribunal has necessarily got this wrong, but I do say that this a FOIA case of some significance, and that it warranted a clearer judgment.
Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 