
High Court muddle over data protection regime

A relatively common error by those unaccustomed to the rather odd structure of the data protection statutory regime in the UK is to look first to the Data Protection Act 2018 (“DPA”) for the applicable law, instead of the UK GDPR. This is despite the fact that the very first section of the DPA instructs us in how the regime works. Section 1(2) provides that “most processing of personal data is subject to the UK GDPR”, and then sections 1(4) and (5) explain that Parts 3 and 4 of the DPA deal with those parts of the regime (law enforcement processing and intelligence services processing) which are out of the scope of UK GDPR.

“Put me to one side” – says the DPA tactfully – “you should have picked up your copy of the UK GDPR first, and not me”.

Accordingly, the key provisions, and the basic principles, applying to most processing, are to be found in the UK GDPR.

The result of this relatively common error is that people will sometimes cite, say, section 45 of the DPA in relation to a generic subject access request, when in fact the applicable provision is Article 15 of the UK GDPR (section 45 applies to subject access requests to competent authorities for the purposes of law enforcement).

Occasionally, I have seen non-specialist lawyers make this mistake.

And now, I have seen a High Court judge do the same. In a judicial review case in the High Court of Northern Ireland, challenging the accuracy of a child’s social care records, part of the claim (which was primarily an Article 8 human rights claim) was pleaded as also a breach of Article 5(1) and (6) of the “GDPR” (the correct pleading should have been, and maybe was, by reference to the UK GDPR) and Part 1 of the DPA. Article 5(1) of the UK GDPR contains the data protection principles.

The judge, however, stated that

It seems to the court that in fact the relevant part of the 2018 Act are sections 86 to 91 which set out the six data protection principles in relation to data processing.

This is simply wrong. Sections 86 to 91 of the DPA lay out the data protection principles only in relation to intelligence services processing (i.e. processing of personal data by the Security Service, the Secret Intelligence Service or by the Government Communications Headquarters).

It isn’t clear whether there was any discussion about this in the court (quite possibly not), but it appears not to have been picked up when the judgment was circulated in draft or published to the parties. As it is, it seems very likely that nothing turns on it. This is because the Part 4 DPA principles, like the Part 3 DPA principles, effectively mirror the principles in Article 5(1) UK GDPR, and so the analysis, for the purposes of the substantive matter, was sound.

So this was an error of form, more than substance.

However, there are some differences between the UK GDPR regime, the Part 3 DPA regime and the Part 4 DPA regime, and in different circumstances an error like this could result in an outcome which is wrong, and harmful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


ICO’s power to refuse to decide cases is rarely used

The “filter” of section 50(2)(c) of the FOI Act allows the Information Commissioner to refuse to make a decision on frivolous or vexatious applications. It is rarely used. What an exciting intro to a blog post eh?

The First-tier Tribunal (Information Rights) (FTT) recently refused an application by Leeds City Council for an award of costs against a requester whose requests had been held by the Information Commissioner (IC), and the FTT itself, as vexatious under section 14(1) of the Freedom of Information Act 2000 (FOIA). Alistair Sloan has blogged about the decision itself, and I would commend his piece to readers, but an observation by the judge led me to make an FOI request of my own.

After noting that

it must be possible, depending on the circumstances, for the maker of a request regarded by everyone else as vexatious, to defend his or her position on that point without automatically being treated under the costs Rules as behaving unreasonably

the judge adverted to section 50(2)(c) of FOIA. This permits the IC not to make a decision on whether a public authority has complied with its FOIA obligations if the application for the decision is itself “frivolous or vexatious”. (This must be distinguished from a decision as to whether the original FOI request to the public authority was, pursuant to section 14(1), vexatious.) It gives the IC an exception to the general requirement to make a formal decision on all cases where the applicant asks for one. The judge said

it is right to remember the protections which already exist for public authorities in the context of vexatious requests or hopeless appeals. Before a right of appeal is even a gleam in the Tribunal’s eye, there must be a complaint to the Information Commissioner (ICO). If the complaint to the ICO appears to be “frivolous or vexatious,” then there is no need for him even to make any decision appealable to the Tribunal. See Section 50(2) FIA

but then went on to note that he was

not aware of any published information about the extent to which the ICO makes use of this important provision.

Ever keen to help our judiciary, I asked the IC, via What Do They Know. With admirable promptness they disclosed to me that, in the years for which records are retained (2007 onwards), the IC has declined to serve a decision notice because he considers the application vexatious or frivolous only 18 times (which breaks down into 16 frivolous and 2 vexatious).

Clearly, the IC considers this exceptional power to be just that – one that should be used only in exceptional cases, and maybe its use in 0.3% of cases accords with that. But in my research for this piece I did dig up again the IC’s submission to the Justice Committee for the latter’s 2012 post-legislative scrutiny of FOIA, and I noticed that there was this comment

For some reason Parliament made a distinction between this provision [section 50(2)(c)] and that in section 14(1) applying to requests to public authorities.

This strikes me as odd. It is quite clear that there is an important distinction between a vexatious request to a public authority and a frivolous or vexatious application for a decision. A requester could make a request to a public authority which was not in any way vexatious, yet choose to pursue the matter by applying for a decision in a way that made that application frivolous or vexatious. And it seems to me that this was what Judge Warren in the FTT was alluding to, and why it would be highly unusual – and potentially oppressive – to award costs against someone appealing a refusal of a vexatious request. Rule 10(1)(b) of the relevant tribunal rules does allow for the award of costs for unreasonably bringing (as opposed to conducting) the proceedings, but the availability of the filter of section 50(2)(c) FOIA should mean that it would be extraordinarily unusual for such an award ever to be made.

A final observation from me. The wording of section 50(2)(c) seems to make it clear that, as the IC would make no decision in a case where the application is frivolous or vexatious, then no possible right of appeal to the FTT could exist (and, therefore, judicial review would be the only legal remedy available). This would be in contrast to cases such as Sugar and (currently at case management stage in the Upper Tribunal) Cross v IC, where what is at issue is whether a decision by the IC that an organisation is not a public authority for the purposes of FOIA constitutes an appealable “decision”.


Data Protection in the Court System

The Lord Chief Justice’s welcome call for a modern ICT system for the courts of England and Wales does, at the same time, raise concerns about the data protection compliance of the current systems

If a representative of a public sector data controller, responsible for processing huge amounts of manual and electronic sensitive data (of all categories), were to concede that their systems for handling this data “were recognised as outdated more than 15 years ago” it would – one imagines – raise a few eyebrows in Wilmslow. Outdated systems are, by default, systems which are unlikely to indicate compliance by the relevant data controller with the seventh data protection principle:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A serious contravention of the obligation to comply with that principle can lead to monetary penalty notices to a maximum sum of £500,000, as many data controllers know to their cost.

But such a concession is just what the Lord Chief Justice of England and Wales appeared to make at the Annual Lecture of the Society of Computers and Law on 20 May in London. In his lecture he referred to

re-entering information on different systems, using and holding paper files, diaries that are manual and unreliable telephonic and video communications

He spoke of how

Once papers are misfiled they are lost. In a number of parts of the country it is difficult to find people to do the filing at a wage which HMG is prepared to pay

and that

Save for using Outlook, judges have no electronic filing system for their administration. Outside the most senior Judiciary, very little clerical support is available for the judges

All of this is enough to make most data security and data protection officers have sleepless (and screamful) nights.

In fairness to Lord Thomas, a) he was reflecting his own personal views, and b) his lecture, which laid out the history of how things had got to this state, was admirably aimed at seizing an opportunity to modernise. However, it did make me wonder how the judicial system appears to have largely avoided the steely enforcement glare of the Information Commissioner. I think this is probably, in part, because it is highly complicated when looked at through the lens of the Data Protection Act 1998 (DPA). The DPA distinguishes between data controllers and data processors, with the former attracting all the legal obligations and liabilities under the Act. A data controller is, by section 1(1) of the DPA

a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

Applying this to the situations which obtain in the court system is not an easy task (although it isn’t uniquely difficult – the distinction between data controller and processor is a notoriously complex, and perhaps increasingly artificial, one to establish). It seems to me that, with the sorts of personal data being processed as part of a legal claim or trial before a court, there may be multiple data controllers doing different things with the same or similar data – the parties, their legal representatives, the court staff, and the judiciary are those which immediately come to mind. In such circumstances we are probably talking about data controllers in common (“where data controllers share a pool of personal data, each processing independently of the other”*).

What is certain is that the Judicial Office for England and Wales considers the judiciary to be data controllers at least for some personal data and some acts of processing which take place within the court system. In a document entitled “Judicial Responsibilities and the Data Protection Act 1998” it says that

It is now acknowledged that individual judicial office-holders are data controllers in circumstances in which they determine the purpose for which and the manner in which any personal data is processed. This is so in relation to data processed in the exercise of any judicial functions

And another document “IT and Information Security Guidance for the Judiciary” contains generally sensible advice to judiciary on ICT security, but fine words butter no parsnips, and if the reality, as suggested by the Lord Chief Justice’s lecture (and, indeed, anecdotal evidence I have seen and heard) does not match up to the intentions of that document, then it would point to potentially serious contraventions of the DPA.

In April 2013 the Information Commissioner’s Office published the summary outcome of a data protection audit it had performed – by consent – on HM Courts and Tribunals Service. The audit gave the ICO “reasonable assurance” but one notes that it focused on data protection governance, training, and subject access requests, and did not appear to encompass security. And, for the reasons discussed earlier in this post, HMCTS are only one of the data controllers in play in the court system. In the rather unlikely event that the ICO decided to seek to audit them, would judges pass so easily?

*ICO Data Protection Legal Guidance, page 16
