Category Archives: journalism

Brooks Newmark, the press, and “the other woman”

UPDATE: 30.09.14 Sunday Mirror editor Lloyd Embley is reported by the BBC and other media outlets to have apologised for the use of women’s photos (it transpires that two women’s images appropriated), saying

We thought that pictures used by the investigation were posed by models, but we now know that some real pictures were used. At no point has the Sunday Mirror published any of these images, but we would like to apologise to the women involved for their use in the investigation

What I think is interesting here is the implicit admission that (consenting) models could have been used in the fake profiles. Does this mean therefore, the processing of the (non-consenting) women’s personal data was not done in the reasonable belief that it was in the public interest?

Finally, I think it’s pretty shoddy that former Culture Secretary Maria Miller resorts to victim-blaming, and missing the point, when she is reported to have said that the story “showed why people had to be very careful about the sorts of images they took of themselves and put on the internet”


With most sex scandals involving politicians, there is “the other person”. For every Profumo, a Keeler;  for every Mellor, a de Sancha; for every Clinton, a Lewinsky. More often than not the rights and dignity of these others are trampled in the rush to revel in outrage at the politicians’ behaviour. But in the latest, rather tedious, such scandal, the person whose rights have been trampled was not even “the other person”, because there was no other person. Rather, it was a Swedish woman* whose image was appropriated by a journalist without her permission or even her knowledge. This raises the question of whether such use, by the journalist, and the Sunday Mirror, which ran the exposé, was in accordance with their obligations under data protection and other privacy laws.

The story run by the Sunday Mirror told of how a freelance journalist set up a fake social media profile, purportedly of a young PR girl called Sophie with a rather implausible interest in middle-aged Tory MPs. He apparently managed to snare the Minister for Civil Society and married father of five, Brooks Newmark, and encourage him into sending explicit photographs of himself. The result was that the newspaper got a lurid scoop, and the Minister subsequently resigned. Questions are being asked about the ethics of the journalism involved, and there are suggestions that this could be the first difficult test for IPSO, the new Independent Press Standards Organisation.

But for me much the most unpleasant part of this unpleasant story was that the journalist appears to have decided to attach to the fake twitter profile the image of a Swedish woman. It’s not clear where he got this from, but it is understood that the same image had apparently already appeared on several fake Facebook accounts (it is not suggested, I think, that the same journalist was responsible for those accounts). The woman is reported to be distressed at the appropriation:

It feels really unpleasant…I have received lot of emails, text messages and phone calls from various countries on this today. It feels unreal…I do not want to be exploited in this way and someone has used my image like this feels really awful, both for me and the others involved in this. [Google translation of original Swedish]

Under European and domestic law the image of an identifiable individual is their personal data. Anyone “processing” such data as a data controller (“the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”) has to do so in accordance with the law. Such processing as happened here, both by the freelance journalist, when setting up and operating the social media account(s), and by the Sunday Mirror, in publishing the story, is covered by the UK Data Protection Act 1998 (DPA). This will be the case even though the person whose image was appropriated is in Sweden. The DPA requires, among other things, that processing of personal data be “fair and lawful”. It affords aggrieved individuals the right to bring civil claims for compensation for damage and distress arising from contraventions of data controllers’ obligations under the DPA. It also affords them the right to ask the Information Commissioner’s Office (ICO) for an assessment of the likelihood (or not) that processing was in compliance with the DPA.

However, section 32 of the DPA also gives journalism a very broad exemption from almost all of the Act, if the processing is undertaken with a view to publication, and the data controller reasonably believes that publication would be in the public interest and that compliance with the DPA would be incompatible with the purposes of journalism. As the ICO says

The scope of the exemption is very broad. It can disapply almost all of the DPA’s provisions, and gives the media a significant leeway to decide for themselves what is in the public interest

The two data controllers here (the freelancer and the paper) would presumably have little problem satisfying a court, or the ICO, that when it came to processing of Brooks Newmark’s personal data, they acted in the reasonable belief that the public interest justified the processing. But one wonders to what extent they even considered the processing of (and associated intrusion into the private life of) the Swedish woman whose image was appropriated. Supposing they didn’t even consider this processing – could they reasonably say they that they reasonably believed it to have been in the public interest?

These are complex questions, and the breadth and ambit of the section 32 exemption are likely to be tested in litigation between the mining and minerals company BSG and the campaigning group Global Witness (currently stalled/being considered at the ICO). But even if a claim or complaint under DPA would be a tricky one to make, there are other legal issues raised. Perhaps in part because of the breadth of the section 32 DPA exemption (and perhaps because of the low chance of significant damages under the DPA), claims of press intrusion into private lives are more commonly brought under the cause of action of “misuse of private information “, confirmed – it would seem – as a tort, in the ruling of Mr Justice Tugendhat in Vidal Hall and Ors v Google Inc [2014] EWHC 13 (QB), earlier this year. Damage awards for successful claims in misuse of private information have been known to be in the tens of thousands of pounds – most notably recently an award of £10,000 for Paul Weller’s children, after photographs taken covertly and without consent had been published in the Mail Online.

IPSO expects journalists to abide by the Editor’s Code, Clause 3 of which says

i) Everyone is entitled to respect for his or her private and family life, home, health and correspondence, including digital communications.

ii) Editors will be expected to justify intrusions into any individual’s private life without consent. Account will be taken of the complainant’s own public disclosures of information

and the ICO will take this Code into account when considering complaints about journalistic processing of personal data. One notes that “account will be taken of the complainant’s own public disclosures of information”, but one hopes that this would not be seen to justify the unfair and unethical appropriation of images found elsewhere on the internet.

*I’ve deliberately, although rather pointlessly – given their proliferation in other media – avoided naming the woman in question, or posting her photograph


Filed under Confidentiality, consent, Data Protection, Information Commissioner, journalism, Privacy, social media

We’re looking into it

The news is awash with reports that the UK Information Commissioner’s Office (ICO) is “opening an investigation” into Facebook’s rather creepy research experiment, in conjunction with US universities, in which it apparently altered the users’ news feeds to elicit either positive or negative emotional responses. Thus, the BBC says “Facebook faces UK probe over emotion study”, SC Magazine says “ICO probes Facebook data privacy” and the Financial Times says “UK data regulator probes Facebook over psychological experiment”.

As well as prompting one to question some journalists’ obsession with probes, this also leads one to look at the basis for these stories. It appears to lie in a quote from an ICO spokesman, given I think originally to the online IT news outlet The Register

The Register asked the office of the UK’s Information Commissioner if it planned to probe Facebook following widespread criticism of its motives.

“We’re aware of this issue, and will be speaking to Facebook, as well as liaising with the Irish data protection authority, to learn more about the circumstances,” a spokesman told us.
So, the ICO is aware of the issue and will be speaking to Facebook and to the Irish Data Protection Commissioner’s office. This doesn’t quite match up to the rather hyperbolic news headlines. And there’s a good reason for this – the ICO is highly unlikely to have any power to investigate, let alone take action. Facebook, along with many other tech/social media companies, has its non-US headquarters in Ireland. This is partly for taxation reasons and partly because of access to high-skilled, relatively low cost labour. However, some companies – Facebook is one, LinkedIn another – have another reason, evidenced by the legal agreements that users enter into: because the agreement is with “Facebook Ireland”, then Ireland is deemed to be the relevant jurisdiction for data protection purposes. And, fairly or not, the Irish data protection regime is generally perceived to be relatively “friendly” towards business.
These jurisdictional issues are by no means clear cut – in 2013  a German data protection authority tried to exercise powers to stop Facebook imposing a “real name only” policy.
Furthermore, as the Court of Justice of the European Union recognised in the recent Google Spain case, the issue of territorial responsibilities and jurisdiction can be highly complex. The Court held there that, as Google had
[set] up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State
it was processing personal data in that Member State (Spain). Facebook does have a large UK corporate office with some responsibility for sales. It is just possible that this could give the ICO, as domestic data protection authority, some power to investigate. And if or when the draft European General Data Protection Regulation gets passed, fundamental shifts could take place, extending even, under Article 3(2) to bringing data controllers outside the EU within jurisdiction, where they are offering goods or services to (or monitoring) data subjects in the EU.
But the question here is really whether the ICO will assert any purported power to investigate, when the Irish DPC is much more clearly placed to do so (albeit it with terribly limited resources). I think it’s highly unlikely, despite all the media reports. In fact, if the ICO does investigate, and it leads to any sort of enforcement action, I will eat my hat*.
*I reserve the right to specify what sort of hat

Leave a comment

Filed under Data Protection, Directive 95/46/EC, enforcement, facebook, journalism, social media, Uncategorized

Data Protection for Baddies

Should Chris Packham’s admirable attempts to expose the cruelties of hunting in Malta be restrained by data protection law? And who is protected by the data protection exemption for journalism?

I tend sometimes to lack conviction, but one thing I am pretty clear about is that I am not on the side of people who indiscriminately shoot millions of birds, and whose spokesman tries to attack someone by mocking their well-documented mental health problems. So, when I hear that the FNKF, the Maltese “Federation for Hunting and Conservation” has

presented a judicial protest against the [Maltese] Commissioner of Police and the Commissioner for Data Protection, for allegedly not intervening in “contemplated” or possible breaches of privacy rules

with the claim being that they have failed to take action to prevent

BBC Springwatch presenter Chris Packham [from] violating hunters’ privacy by “planning to enter hunters’ private property” and by posting his video documentary on YouTube, which would involve filming them without their consent

My first thought is that this is an outrageous attempt to manipulate European privacy and data protection laws to try to prevent legitimate scruting of activities which sections of society find offensive and unacceptable. It’s my first thought, and my lasting one, but it does throw some interesting light on how such laws can potentially be used to advance or support causes which might not be morally or ethically attractive. (Thus it was that, in 2009, a former BNP member was prosecuted under section 55 the UK Data Protection Act 1998 (DPA 1998) for publishing a list of party members on the internet. Those members, however reprehensible their views or actions, had had their sensitive personal data unlawfully processed, and attracted the protection of the DPA (although the derisory £200 fine the offender received barely served as a deterrent)).

I do not profess to being an expert in Maltese Data Protection law, but, as a member state of the European Union, Malta was obliged to implement Directive EC/95/46 on the Protection of Individuals with regard to the Processing of Personal Data (which it did in its Data Protection Act of 2001). The Directive is the bedrock of all European data protection law, generally containing minimum standards which member states must implement in domestic law, but often allowing them to legislate beyond those minimum standards.

It may well be that the activities of Chris Packham et al do engage Maltese data protection law. In fact, if, for instance, film footage or other information which identifies individuals is recorded and broadcast in other countries in the European Union, it would be likely to constitute an act of “processing” under Article 2(b) of the Directive which would engage data protection law in whichever member state it was processed.

Data protection law at European level has a scope whose potential breadth has been described as “breath-taking”. “Personal data” is “any information relating to an identified or identifiable natural person” (that is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”), and “processing” encompasses “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

However, the broad scope does not necessarily means broad prohibitions on activities involving processing. Personal data must be processed “fairly and lawfully”, and can (broadly) be processed without the data subject’s consent in circumstances where there is a legal obligation to do so, or where it is necessary in the public interest, or necessary where the legitimate interests of the person processing it, or of a third party, outweigh the interests for fundamental rights and freedoms of the data subject. These legitimising conditions are implemented into the Maltese Data Protection Act 2001 (at section 9), so it can be seen that the FKNF’s claim that Packham requires the hunters’ consent to film might not have legs.

Moreover, Article 9 of the Directive, transposed in part at section 6 of the 2001 Maltese Act, provides for an exemption to most of the general data protection obligations where the processing is for journalistic purposes, which almost certainly be engaged for Packham’s activities. Whether, however, any other Maltese laws might apply is, I’m afraid, well outside my area of knowledge.

But what about activists who might not normally operate under the banner of “journalism”? What if Packham were, rather than a BBC journalist/presenter, “only” a naturalist? Would he be able to claim the journalistic data protection exemption?

Some of these sorts of issues are currently edging towards trial in litigation brought in the UK, under the DPA 1998, by a mining corporation (or, in its own words, a “diversified natural resources business”), BSG Resources, against Global Witness, an NGO one of whose stated goals is to “expose the corrupt exploitation of natural resources and international trade systems”. BSGR’s claims are several, but are all made under the DPA 1998, and derive from the fact they have sought to make subject access requests to Global Witness to know what personal data of the BSGR claimants is being processed, for what purposes and to whom it is being or may be disclosed. Notably, BSGR have chosen to upload their grounds of claim for all to see. For more background on this see the ever-excellent Panopticon blog, and this article in The Economist.

This strikes me as a potentially hugely significant case, firstly because it illustrates how data protection is increasingly being used to litigate matters more traditionally seen as being in the area of defamation law, or the tort of misuse of private information, but secondly because it goes to the heart of questions about what journalism is, who journalists are and what legal protection (and obligations) those who don’t fit the traditional model/definition of journalism have or can claim.

I plan to blog in more detail on this case in due course, but for the time being I want to make an observation. Those who know me will not have too much trouble guessing on whose side my sympathies would tend to fall in the BSGR/Global Witness litigation, but I am not so sure how I would feel about extending journalism privileges to, say, an extremist group who were researching the activities of their opponents with a view to publishing those opponents’ (sensitive) personal data on the internet. If society wishes to extend the scope of protection traditionally afforded to journalists to political activists, or citizen bloggers, or tweeters, it needs to be very careful that it understands the implications of doing so. Freedom of expression and privacy rights coexist in a complex relationship, which ideally should be an evenly balanced one. Restricting the scope of data protection law, by extending the scope of the exemption for journalistic activities, could upset that balance.


Filed under Data Protection, Europe, human rights, journalism, Privacy, Uncategorized

Making Motorman names public

UPDATE: 7 January 2014

In the comments to this piece the requester has informed me that the ICO is appealing this decision. Given how long the Upper Tribunal takes to turn things round, I don’t think we’ll be seeing these names for some time (if at all – if the ICO succeeds). I’ll keep the original post up though for the time being


So…will we get to see the names of the Operation Motorman journalists within the next week? Or will there need to be a bit of an extra push?

I tweeted earlier today to the effect that time is nearly up for the Information Commissioner’s Office (ICO) to disclose names of some of the journalists named in the ICO “What Price Privacy” report as having engaged the services of rogue private investigator Steve Whittamore, who was convicted in 2005  under the Data Protection Act 1998 (DPA) of offences of illegally obtaining personal data.

My blog post from earlier this month describes how the First-tier Tribunal ordered on 29 November 2013, after a rather convoluted series of hearings on the papers, that the ICO disclose within 35 days

many, but not all, of the names of journalists recorded…as clients of the investigator at the heart of Operation Motorman…together with the names of the media outlet with which [they were recorded as having been] associated at the time

By my calculations, those 35 days are up at 17:00 next Monday (see part 2.8 of Civil Procedure Rules and rule 12(1) of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009). This is, of course, unless the ICO has appealed the decision, but, as at 19 December, no such appeal appeared to have been lodged.

It is possible, however – bear in mind that the Order was for disclosure within 35 days – that the information has already been disclosed to the applicant – a Mr Christopher Colenso-Dunne. If that is the case, and if the applicant chooses not to make it public, then we may not yet see those names (it has been suggested to me that the person by that name for whom Google gives a search return may not be the applicant here). The Freedom of Information Act 2000 (FOIA) does not, in strict terms, oblige a public authority to make information public. Rather, it must “communicate” information to a person who has requested it (subject to the application of any exemptions). Although it is often said that disclosure under FOIA is to be taken as disclosure to the world at large, this operates as a concept, not a requirement. Some public authorities do, however, operate a “disclosure log” where some or all information disclosed under FOIA is made publicly available.

The ICO itself has a disclosure log, although it restricts this to responses “which we feel are of wider public interest”. There also appears to be a bit of lag in uploading responses (the last was one from 18 October).

One would certainly hope that, if the ICO is not appealing the decision, it will proactively disclose the information ordered to be disclosed. But, just in case, I’ve made a FOIA request for the same information, via, where it would be available for anyone to see (and which, of course, I’ll withdraw if the information becomes public in the interim).


Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism

For Shame

A newspaper says police are “naming and shaming” drivers who have been charged with, but not convicted, of drink-driving offences. Sussex Police say they are merely “naming” the drivers, but do not appear to feel the need to correct the media reports.

The risk for social media users of being held in contempt of court was highlighted this week by the Attorney General, who has said that, in future, the advisory notes issued to “traditional” media on individual cases will now be made more widely available (published on the website and twitter).

With this in mind I was concerned to see that Sussex Police were reported by the Eastbourne Herald to be “naming and shaming” drivers arrested and charged with drink-driving

Police have said this year they are ‘naming and shaming’ everyone they arrest in connection with drink driving

The report goes on to quote Chief Inspector Natalie Moloney as saying

It is sad that so many people ignored the warnings that we would be looking for drink-drivers and have been charged with offences within hours of the start of the campaign. The arrests and the naming of those charged with offences will continue across the county throughout the month

This seemed to me potentially to engage the provisions of the Contempt of Court Act 1981 of an offence of strict liability “whereby conduct may be treated as a contempt of court as tending to interfere with the course of justice in particular legal proceedings regardless of intent to do so”, because it is a publication addressed to the public at large, about active proceedings. For an offence to be committed the publication must give rise to a substantial risk that the course of justice in the proceedings in question will be seriously impeded or prejudiced. I am not convinced that would be the case, but, nonetheless, I was surprised to see a police force effectively being reported as saying that  naming someone only charged with an offence gives rise to “shame” (it does nothing of the sort, of course, given the legal maxim of “innocent until proven guilty”). So I asked the Sussex Police twitter account

Are you really running a policy of “shaming” people by naming them prior to a trial?

to which they replied

We are not “shaming” anyone. We are naming those charged with a drink-related driving offence as we do for a range of offences

That was fair enough, (although one might ask Chief Inspector Moloney why an innocent person would heed a warning that police were looking for drink- drivers) but, as it appeared that this “naming-not-shaming” initiative had been launched in conjunction with the media, I wondered if they would be asking the Herald to correct its misleading article. Sussex Police replied

The campaign doesn’t aim to ‘shame’, but rather to deter & the article does not attribute the phrase to us

but this is simply not true: the article may not directly attribute the phrase to the police, but it does so indirectly

Police have said this year they are ‘naming and shaming’…

I have had no response yet to my further tweet pointing this out.

So, in a week when contempt via social media is very much in the headlines, we appear to have an online newspaper report which suggests there is shame attached to being charged with an offence, and which attributes this phrase to a police force, who seem unconcerned about correcting it. Odd.

For the avoidance of doubt, I should say that I have no sympathy whatsoever with people convicted of drink driving offences, but, to suggest there is “shame” in being charged with an offence prior to trial, is to go against centuries of presumption of innocence.


Filed under human rights, journalism, police, social media

ICO must disclose Motorman journalists’ names

The ICO has been ordered to disclose the names of some of the journalists referred to in “What Price Privacy” as having engaged the services of rogue private investigator Steve Whittamore

In April 2006 the Information Commissioner’s Office (ICO) published “What Price Privacy?” on what it described as “the unlawful trade in personal information”. The report revealed

evidence of systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information

Those breaches were potential criminal offences under section 55 of the Data Protection Act 1998 (DPA), and the report – which drew on the findings of documentation seized during Operation Motorman, arising from the activities of private investigator Steve Whittamore, said

Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers

In December 2006 the six-month follow-up report “What Price Privacy Now?” was published. This gave further details about the 305 journalists mentioned in the first report, and broke the data down into “Publication”, “Number of transactions positively identified” and “Number of journalists/clients using the services”.

And of course, this trade in personal information formed the basis of the first module (“The relationship between the press and the public and looks at phone-hacking and other potentially illegal behaviour”) of part one of Lord Justice (as he was then) Leveson’s inquiry into the culture, practices and ethics of the press.

In 2011 a request was made under the Freedom of Information Act 2000 (FOIA) to the ICO, for (1) “the number of transactions per journalist of each of the 305 identified journalists for each of the 32 identified publications” and (2) the journalists’ identities. The first request was refused by the ICO, on the basis that it would require a search through 17000 documents, and, therefore, section 12 of FOIA provided a statutory cost limit which meant it did not have to comply. Having been given these apparent facts the requester dropped his first request, but pursued the second. This was also refused, on the basis that the information was exempt under section 40(2) and section 44 of FOIA (the latter by virtue of the statutory bar on disclosure at section 59 of the Data Protection Act 1998 (DPA)), in both cases because disclosure would be an unfair and unlawful disclosure of personal data of the journalists involved.

Because the ICO is the regulator of FOIA, a complaint about its handling of a FOIA request falls to be determined by the same office (a statutory arrangement which was to be described as an “unusual, and unsatisfactory, feature” of the law by the First-tier Tribunal (Information Rights) (FTT)). Accordingly, the office (describing itself as “the Commissioner”, as distinct from the “ICO”, which was the authority refusing the request) issued a Decision Notice which held that

the ICO correctly withheld the information by virtue of section 40(2). He has also found that the information could also be correctly withheld by virtue of section 44(1)

This decision was appealed to the FTT, which has today, after what has clearly been complex and strongly argued litigation, handed down three judgments (1, 2, 3) (two of which were preliminary or interim rulings, publication of which has been held back until now) which are, taken together, extraordinary, both for their criticism of the ICO, and for the outcome.

Taken as a whole the judgments find that, regarding some of the journalists named in the information held by the ICO, the balance of the public interest in receiving the information outweighs the legitimate interest of an individual to protect his or her privacy.

The FTT found that the information wasn’t sensitive personal data (which is afforded a greater level of protection by the DPA). This is at first blush rather surprising: section 2(2) of the DPA provides that sensitive data will be, inter alia, “data consisting of information as to…the commission or alleged commission by [the data subject] of any offence”. However, the FTT found that, although the information

does contain evidence that the investigator [Whittamore] engaged by the journalist committed, or contemplated committing, criminal activity. And, self-evidently, it discloses that the investigator received some form of instruction from the journalist. But there is no suggestion…that the journalist had instructed the investigator to use unlawful methods or that he or she had turned a blind eye to their adoption or, indeed, whether he or she had in fact expressly forbidden the investigator from doing anything that was not strictly legal [para 11 of third ruling]

The FTT had also invited submissions from the parties on the significance to the instant case of some of the passages from the Leveson inquiry, and, having received them, took note from those passages of

the issues of impropriety (which, while very possibly not involving criminality on journalists’ part, is nevertheless serious) and corporate governance in the context of the privacy rights of the [journalists]. We believe that, together, they give rise to a very substantial interest in the public knowing the identities of those who instructed the investigators [para 18 of third ruling]

But also tending towards favouring disclosure in the public interest was Leveson’s suggested criticisms of the ICO

We also give some weight to the public interest in knowing more about the information which was in the possession of the ICO and which the Leveson Report suggested it failed adequately to pursue [para 18 of third ruling]

The FTT noted the interests of the journalists, for instance that they would have had an expectation that details of their day-to-day professional activities would remain confidential, and that the Commissioner had argued that

publication of information indicating that they had engaged the services of the investigators concerned would be so unfair as to outweigh the factors in favour of disclosure [para 19 of third ruling]

but the FTT also noted, in effect, that the journalists involved must have had some idea of what was going on when they engaged Whittamore

it must have been well known within the profession what types of information could be obtained with the help of investigators, even if the means of obtaining it were not fully understood. The rights of individuals under data protection laws would also have been widely known at the time. In those circumstances those engaging the particular services…should have known that they ran the risk of becoming involved in behaviour that fell short of acceptable standards. This seriously dilutes the weight to be attributed to their privacy rights and leads us to conclude that the balance tips in favour of disclosure [para 19 of third ruling]

Accordingly, and, unless there is an appeal (Iwould be surprised if there isn’t) the names of some of the journalists who engaged Whittamore must be disclosed.

Other matters – criticism of ICO

In its preliminary ruling (November 2012) the FTT makes some trenchant criticism of the ICO’s handling of the requester’s first request (even though, as the requester did not pursue it, it was outwith the FTT’s jurisdiction). The refusal on costs grounds had been made, based upon a statement that the information requested had not been recorded in a database. Yet less than two months later the Leveson inquiry began, and, at that inquiry, evidence presented by the ICO effectively, in the FTT’s view, contradicted this statement

 we do not understand how the Appellant could have been given such a misleading response to the First Information Request…as a result of the misleading information given to the Appellant, he was not able to pursue his request…We only became aware of the ICO’s error after the Appellant drew our attention to the evidence presented to the Leveson Inquiry regarding the Spreadsheets. We assume (and certainly hope) that those in the Commissioner’s office handling this appeal had not become aware sooner [para 28 of first ruling]

The ICO clearly did not take well to this criticism, because the second interim ruling records that

the Commissioner has complained about part of the decision which he believes includes unfair criticism of his office and has asked us to correct the impression given [para 3 of second ruling]

but the FTT stood firm, saying

We continue to believe that our criticism was justified. The Appellant was told that he was wrong to assume that any database of information existed that could be interrogated…However, it is now known that the ICO held the Spreadsheets at the time…[and although the information in them] may not have provided the Appellant with precisely the information he requested, but it would have come close. Against that background we believe that the ICO was open to criticism for asserting, without further qualification, that it would be necessary to search through the 17,000 documents in order to respond to the request. [para 6 of second ruling]


Filed under Confidentiality, Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Leveson, Privacy

Leveson, LJ – defender of the press

Lord Justice Leveson, new President of the Queen’s Bench Division, is not the most popular judge amongst journalists and press barons.

So, in the week before the Privy Council meets to decide which system of press regulation will prevail, his detractors might take a moment to read a recent judgment of his in the Court of Appeal (Jolleys, R. v [2013] EWCA Crim 1135).

The appeal, by the Press Association, represented by the formidable Mike Dodd, was from a decision of a Recorder in Swindon Crown Court, purporting to have been made under section 39 of the Children and Young Persons Act 1933 preventing media reporting of information relating to the youngest (15-year-old) child of the defendant in the case (despite the fact that some of the information had been in the public domain prior to the making of the order). It was said that the court specifically prevented a reporter present from making representations prior to its making:

the order was put into place until it would be “properly argued” by counsel and “by somebody from the press if need be” [para 4]

This was, as Leveson LJ identified, in breach of rule 16 of the Criminal Procedure Rules, which provides that the court must not impose a rerporting restriction “unless each party and any other person affected…is present; or has had an opportunity (i) to attend, or (ii) to make representations”:

It cannot be suggested that the press were not affected by the order; indeed, it was specifically to restrict what could be reported that the order was made. This failure to allow representations at that stage represented a serious inroad into the respect owed to the press concerned to report criminal proceedings. [para 6]

Section 39 of the Children and Young Persons Act 1933 provides that

In relation to any proceedings in any court the court may direct that –

a. no newspaper report of the proceedings shall reveal the name, address, or school, or include any particulars calculated to lead to the identification, of any child or young person concerned in the proceedings, either, as being the person by or against, or in respect of whom proceedings are taken, or as being a witness therein;

b. no picture shall be published in any newspaper as being or including a picture of any child or young person so concerned in the proceedings as aforesaid;

except in so far (if at all) as may be permitted by the court.

And the Press Association successfully argued that “concerned in the proceedings” in section 39(a) could not be extended to a child who was merely the son of a defendant, but otherwise unconnected:

In relation to criminal proceedings, this can only include a child or young person who is the victim of an alleged offence, or the defendant or a witness; in civil proceedings, it could also include a child or young person on behalf of whom an action was being brought, for example, in relation to a road traffic accident or medical negligence. [para 12]

and this was supported by the unanimous view of the House of Lords in Re S (A Child) (Identification: Restrictions on Publication) [2005] AC 593  and the Court of Appeal in Re Trinity Mirror and others (A and another intervening) [2008] EWCA Crim 50 in which latter case the court had also rejected the proposition that a court’s inherent jurisdiction justified the making of an order to similar effect on Article 8 grounds

We must however add that we respectfully disagree with the judge’s further conclusion that the proper balance between the rights of these children under Article 8 and the freedom of the media and public under article 10 should be resolved in favour of the interests of the children. In our judgment, it is impossible to over emphasise the importance to be attached to the ability of the media to report criminal trials…If the court were to uphold this ruling so as to protect the rights of the defendant’s children under article 8, it would be countenancing a substantial erosion of the principle of open justice to the overwhelming disadvantage of public confidence in the criminal justice system, the free reporting of criminal trials and the proper identification of those convicted and sentenced in them [paras 32 and 33 of Re Trinity Mirror and others]

Leveson LJ identified other problems with the Recorder’s approach

he [also] approached the issue from the wrong direction. It was for anyone seeking to derogate from open justice to justify that derogation by clear and cogent evidence…The order was made when defence counsel asserted the likelihood of the defendant’s son suffering “the most extraordinary stigma through no fault of his own” which caused the Recorder to ask the reporter what the need for identifying the son was, rather than whether it was necessary to restrict his identification. [para 16]

and the point was made that a section 39 order, although generally obeyed in spirit as well as letter by the press, may not be the most appropriate form of order, applying as it does only to reports in newspapers, and in sound and television broadcasts: social media are not caught by it (“any further developments in this area of the law must be for Parliament”). This purported order had been “loosely” made, and Leveson LJ stressed that

Where such orders are made, they should be restricted to the language of the legislation

Mike Dodd had stated that the problems identified by this case were not uncommon, and the appeal was brought to

highlight what he contends is a continuing problem for journalists and the media, namely the willingness of courts to make unnecessary orders or to assume powers that they do not have. He submits that the courts all too often seem unaware of the guidance that is available and leave it to individual reporters (who will not be as versed in the law as the court, with the assistance of counsel, should be) to attempt to challenge the approach.

This concern was recognised

The requirements of open justice demand that judges are fully mindful of the underlying principles which this judgment has sought to elucidate

and Leveson LJ calls for – in those cases where “there is the slightest doubt, or any novel approach is suggested” regarding the appropriateness of a section 39 order being made – notice to be given in good time but also (without prejudice to the right of the press to advance its own arguments) for counsel “to research and develop the arguments to assist the court in a balanced way”.

Who said Leveson was an enemy of the press?

Leave a comment

Filed under human rights, journalism, Leveson, Open Justice

Pornography and its Frustrations

For those who have never worked with “basic” versions of web-filtering software, let me describe typical frustrations.

Researching the subject of malicious communications? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page ( has been blocked as it is categorised as PROFANITY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

 Researching defamation? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page ( has been blocked as it is categorised as GAMBLING, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Doing some local history research on Scunthorpe? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page ( has been blocked as it is categorised as PORNOGRAPHY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Each of these failed hits will be logged by some sysadmins as “attempt to access PROFANITY/GAMBLING/PORNOGRAPHY”. 

I suggest people bear this in mind when reading the numerous delighted shocked commentators who have picked up on the Huffington Post story which says that a Freedom of Information request apparently revealed that

MPs, Lords and parliamentary staff have been trying to access porn websites potentially thousands of times, official figures reveal.

The story goes on to say that users of the parliamentary network, over a period of one year

have repeatedly attempted to access websites classed on Parliament’s network as pornographic [emphasis added]

So, they haven’t tried to access pornography; they’ve tried to access sites that web-filtering software classes as pornography. A further clue to the fact that this outrageous story of parliamentary loucheness might not be as it’s being presented is the fact that in October 2012 there were 3391 “attempts”, in the following month there were 114,844 and in the month after that there were 6918. Either November that year coincided with rampant horniness on the part of politicians and their staff, or there’s another reason for the spike.

I suspect some new definitions were added to the software, which drastically increased the “false positive” hits, and these crappy new definitions were tweaked for the following months.

In fact, as I drafted this post Sky News’ Roddy Mansfield, and the Guardian’s James Ball have pointed out on twitter that that November 2012 spike coincided with intense political and media interest in the topic of sexual offences, following as the scandal involving Jimmy Savile broke. This is very plausible, and suggests that, far from users of parliamentary systems shirking their responsibilities by browsing for smut, they were actually trying – apparently unsuccessfully, and probably with no small frustration – to find out more about a serious and current news item.

But that makes for a dull story.


As several people have pointed out, if this is a case of poor filtering, it provides a nice lesson in irony for those who propose ISP filtering as some sort of solution to the alleged “corroding” influence of online pornography.


Filed under Freedom of Information, journalism, parliament

ICO – no Code of Practice for data protection and the press

On the 12th of August the Information Commissioner’s Office (ICO) announced that, following a period of consultation, it would not – contrary to previously-stated intentions – be issuing a Code of Practice on Data Protection and the Press. The proposed Code had been in response to Lord Justice Leveson’s recommendations that the ICO produce

comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data

As the ICO’s Steve Wood says in the blogpost

Leveson did not stipulate a code but we proposed it as a possible vehicle for the guidance

Indeed they did, stating at the time that it was not

the ICO’s intention to purport to set ethical standards for journalists, or to interfere with the standards which already apply under relevant industry guidance, such as the Editors’ Code of Practice, the Ofcom Broadcasting Code, and the BBC Producers’ Guidelines. Nevertheless, the existing industry guidance does not consider the requirements of data protection law in any detail, and the ICO’s code will complement existing industry standards by providing additional coverage of this issue

However, the latest announcement – that the ICO is “looking to produce a guidance document” rather than carrying through with the issuing of a Code of Practice – is accompanied by the publishing of a summary of consultation responses to the draft Code of Practice. In fairness to the ICO, those who responded appeared not to want a Code, and, as any public authority will be aware, a consultation in name only (e.g. one with a predetermined outcome) is unlikely to be a lawful one. We are not told specifically who these responses were from, but that they were from “several media companies, individuals, regulators and representative bodies” (although there were only 16 responses overall, a figure which perhaps shames us all, or, alternatively, supports a view that not that many people were particularly aware of or bothered about the consultation). Seven responses specifically rejected the idea of a Code of Practice, with some concerns being

a code of practice implies a new set of rules or regulations;
risk of the ICO becoming a ‘mainstream de facto regulator of the press’;
risk of a proliferation of codes; and
risk of potential confusion with existing codes such as the Editors’ Code.

After pausing to note that the now-proposed ICO guidance will apparently be issued in draft (for further consultation) before the end of the year, which is a long, long way from meeting Leveson’s recommendation that any guidance be implemented within six months of his report,  it might be helpful to look at just why some respondents might have been unhappy with a Code of Practice, as opposed to “mere” guidance.

As is well-known, there is a very broad exemption, at section 32, from most of the obligations of the Data Protection Act 1998 (DPA) where:

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,
(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes [emphasis added]

This, broadly, means that, as long as personal data is processed with a view to journalistic publication (note: not that it has to be published) it is exempt from effectively all of the DPA (although not the 7th “security” principle) as long as the press body “reasonably believes” publication would be in the public interest. This has generally been taken to mean that it will be extremely difficult for a data subject to enforce her rights against, or for the ICO to regulate the activities of, the press. And, indeed, instances of successful DPA claims, or successful enforcement, against the press, are rare (privacy cases against the press, where they have included DPA claims, have tended to see the latter sidelined or dropped in favour of meatier claims in tort – see e.g. Douglas v Hello [2005] EWCA Civ 595 (where the DPA claim did succeed in the first instance, but only resulted in nominal damages) and Campbell v MGN [2002] EWCA Civ1373 (where, by contrast, the section 32 defence succeeded)). As Leveson LJ says

the effect of the development of the case law has been to push personal privacy law in media cases out of the data protection regime and into the more open seas of the Human Rights Act [page 1070 of Leveson Report]

 As everyone knows, the press kicked back strongly against parliament’s proposal of a Royal Charter for the press (that proposed Charter itself being the result of a rowing back by the political parties from Leveson’s proposal for some form of direct statutory underpinning of any regulatory scheme (“Guaranteed independence, long-term stability, and genuine benefits for the industry, cannot be realised without legislation”)). Both proposed Charters (the parliamentary-backed one and the Pressbof-backed one ) are to be considered by the Privy Council.

What has perhaps not been so widely-known, or widely-understood was that an ICO Code of Practice, if it had been designated by the Secretary of State (by means of an Order pursuant section 32(3)(b) of the DPA), would itself have constituted a form of statutory underpinning. This is because a Code designated in this way could have been taken into account by a court, or by the ICO, when determining whether personal data had been processed (for the special purposes) by the data controller in the reasonable belief that it had been in the public interest. The now-proposed “mere” guidance will not have the same status.

This might seem a minor point, and perhaps it is (bear in mind that there are already other Codes of Practice designated pursuant to section 32(3)(b), including the Press Complaints Commission Code of Practice) but, although we don’t know specifically who responded to the ICO’s consultation, it is safe to say that those who did included in their number organisations strongly opposed to (and alive to the threat of) any form of what they perceive to be statutory regulation of the press.

In this post I draw heavily on previous posts by Chris Pounder, on his Hawktalk blog, and if, as he suggested earlier this year, the then-proposed ICO Code raised the prospect of enhanced protection for ordinary data subjects, it is perhaps the case that the dropping of the proposal means no such enhanced protection.

1 Comment

Filed under Data Protection, human rights, Information Commissioner, journalism, Leveson

On the tweet where you live

Do Home Office tweets of people arrested on suspicion of committing immigration offences engage data protection law?

The recent sordid campaign by the Home Office to publicise their “crackdown on illegal immigration” involved the tweeting of pictures of people apparently arrested in connection with immigration offences. I’m loath to post links because any further publicity risks undermining my point in this piece, but suffice to say that two pictures in particular were posted, one of a man being escorted (police officers at either side of him, holding his arms) from what look like retail premises, and one of a man being led by other officers into a cage in the back of a van. In both cases, the person’s face has been blurred by pixelation. There have been suggestions that the broader aspects of the campaign (disgracefully, vans have been deployed displaying advertisements saying “In the UK illegally? Go home or face arrest“) might be unlawful for breach of the Public Sector Equality Duty, and some have argued that to use the hashtag #immigrationoffenders to accompany pictures of people only suspected of crime might be to prejudge a trial, and could even constitute contempt of court. However, I would argue that the tweets also engage, and potentially breach, data protection law.

For the sake of this argument I will work on the presumption that, because the images of their faces have been obscured no third party can recognise the individuals concerned (I think this is actually probably wrong – potential identifying features, such as location and clothing are still displayed, and it is quite likely that friends, relative, colleagues could identify them). However, this does not mean that the images are outwith the Data Protection Act 1998 (DPA) and the European Data Protection Directive 95/46/EC to which it gives effect. The former defines personal data as

data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller [emphasis added]

In this instance the Home Office (or its agents) must itself know who the people in the images are (they will have had sufficient identifying information in order to effect an arrest) so, in their hands, the images constitute the personal data of the people in them. As the Information Commissioner’s Office (ICO) explains

It is important to remember that the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands…data may not be personal data in the hands of one data controller…but the same data may be personal data in the hands of another data controller…depending on the purpose of the processing and the potential impact of the processing on individuals

So the taking, retaining and publishing of images of people whose identities are obscured but who can be identified by the data controller will constitute the processing of personal data by that data controller. Consequently, the legal obligations for fair and lawful processing apply: section 4(4) of the DPA imposes a duty on a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. Lord Hoffman explained this, in the leading FOI (and DPA) case on identification 

As the definitions in section 1(1) DPA make clear, disclosure is only one of the ways in which information or data may be processed by the data controller. The duty in section 4(4) is all embracing. He must comply with the data protection principles in relation to all “personal data” with respect to which he is the data controller and to everything that falls within the scope of the word “processing”. The primary focus of the definition of that expression is on him and on everything that he does with the information. He cannot exclude personal data from the duty to comply with the data protection principles simply by editing the data so that, if the edited part were to be disclosed to a third party, the third party would not find it possible from that part alone without the assistance of other information to identify a living individual. Paragraph (b) of the definition of “personal data” prevents this. It requires account to be taken of other information which is in, or is likely to come into, the possession of the data controller. Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47

So the Home Office cannot merely edit the data (by pixelation) and thus exclude it from the duty to process it in accordance with the data protection principles: these images are personal data. Moreover, they will come under the subset known as sensitive personal data, because they consist of information as to the commission or alleged commission by the data subject of any offence (they might also fall into this subset because they show the racial or ethnic origin of the data subject, but this is less certain).

The first data protection principle requires that

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
As this is sensitive personal data, a Schedule 3 condition must be met in order for the processing to be fair and lawful. Try as I might, I cannot find one that is (I adopt the list as explicated by the ICO)

  • The individual who the sensitive personal data is about has given explicit consent to the processing.
  • The processing is necessary so that you can comply with employment law.
  • The processing is necessary to protect the vital interests of: – the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or- another person (in a case where the individual’s consent has been unreasonably withheld).
  • The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
  • The individual has deliberately made the information public.
  • The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
  • The processing is necessary for administering justice, or for exercising statutory or governmental functions.
  • The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
  • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

It will be noted that the two conditions emphasised by me in italics might be thought to apply, but one notes the word “necessary”. In no way were these tweets “necessary” for the purposes to which those conditions relate. By contrast, when authorities publish photographs of wanted criminals, the necessity test will normally be made out. It is, I suppose, just possible that the data subjects gave their explicit consent to the tweets, but that’s vanishingly unlikely. (A question does arise as to what conditions permit the processing by the police of pixelated images of potential offenders in programmes such as “Police, Camera, Action” and “Motorway Cops”: it may be that this has never been challenged, but it may also be that the data controller is in fact the film company, who might be protected by the exemption from much of the DPA if the processing of data is for journalistic purposes).

(I would observe, in passing, that many customary practices to do with publication of information about crimes or suspicion of criminal behaviour are potentially in breach of these provisions of the DPA if they are construed strictly. Although there is the journalistic exemption mentioned above, those to whom that exemption arguably does not apply (bloggers, tweeters, police, other public authorities) are at risk of breach if they, for instance, publish identifying information about people who have criminal convictions or are suspected of having committed a crime. This area of the law, and its implications for open justice, have not, I think, been fully played out yet. For discussions about it see my post and others linked here.)

If no Schedule 3 condition can be met, the processing will not be in accordance with the first data protection principle, and the data controller will be in breach of section 4(4) of the DPA. What flows? Well, probably very little – the data subjects have a right to serve a notice (under section 10 of the DPA) requiring the cessation of processing which is causing or likely to cause substantial unwarranted damage or distress. Additionally, they have a right either to bring a civil claim for damages (very difficult to show) or to complain to the ICO. However, data subjects like this are not necessarily going to want to assert their rights in a strident way. The ICO himself could intervene – he has the power to take enforcement action if he is satisfied a data controller has contravened or is contravening the data protection principles (and, much to his credit, he has recently issued notices against a Council which was requiring taxi drviers to instal CCTV/audio recording facilities in all cabs, and against a Police force which was operating a “ring of steel” ANPR network). It appears though that the Home Office twitter account has gone quiet (it hasn’t tweeted in several days). Perhaps there have been second thoughts not just about the legality, but also the morality, of the campaign. I am always the optimist.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Home Office, human rights, Information Commissioner, journalism, police