Category Archives: ombudsman

The slings and arrows of FOI

“…investigation by and even adverse comment from the Ombudsman is one of the slings and arrows of local government misfortune with which broad shouldered officials have to cope…” (Feld v London Borough of Barnet [2004] EWCA Civ 1307)

Ombudsmen loom over the actions of many public authorities. Particularly, the NHS and local authorities are subject to the scrutiny of respectively, the Parliamentary and Health Service Ombudsman (PHSO), and the Local Government Ombudsman (LGO). The Ombudsmen themselves must have broad shoulders, subject as they are to the oversight of both parliament, and, because they are public authorities subject to the Freedom of Information Act 2000 (FOIA), the Information Commissioner’s Office (ICO).

The PHSO was recently asked, under FOIA, for the email address and telephone number of the Ombudsman herself, Dame Julie Mellor. The request was refused, on the basis of the exemption at section 40(2) of FOIA – namely that the requested information was Dame Julie’s personal data, and disclosure would breach the first data protection principle in the Data Protection Act 1998. This refusal has now been upheld by the ICO, in a decision notice which explains that

the data requested relates to a living individual who may be identified from that data and that [therefore] it constitutes personal data

That much is uncontroversial: a person’s email address and telephone number will generally be held to be their personal data, even in a professional context, providing that they can be identified from that data. However, the ICO goes on to say

the Commissioner considers that the Ombudsman would have a reasonable expectation that her email address and direct telephone number would not be placed into the public domain by disclosure under the FOIA…

…The Commissioner is aware that the requested email address and telephone number are personal to the Ombudsman but are professional contact details. He considers that their disclosure is unlikely to cause the Ombudsman distress on a personal level. However the Commissioner is satisfied that disclosure would disrupt the running of the organisation and it is apparent that the consequences would have a negative impact upon the PHSO

This seems to conflate two quite separate issues – personal privacy, and organisational impact. As far as I can understand it the argument is that, because this is personal data, and because disclosure would disrupt the running of the organisation, disclosure would not be “fair”, in line with the requirements of the first data protection principle. But, as the ICO’s own guidance on disclosure of personal data under FOIA explains (paragraph 44), the consequences to be taken into account are those to the data subject, not to their organisation, or a third party.

If disclosure of information would disrupt the running of a public authority, there are other, more appropriate FOIA exemptions which might apply. Specifically, section 36(2)(c), for situations where disclosure would prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs.

But even then I struggle to see how disclosure of such innocuous information would really cause sufficient prejudice to warrant keeping this information secret – shouldn’t the Ombudsman be able to implement systems to deal with a possible increase in emails and calls if the email address and phone number were made public? Isn’t this sort of potential irritation one of the slings and arrows of administrative misfortune with which broad shouldered officials have to cope?

(As a footnote to this piece, neither the section 40(2), nor the section 36(2)(c) are going to carry much weight when the information is readily available online already. I will not link to it, because I’m a cautious soul, but Dame Julie’s email address, at least, has been published on the internet as part of a document created by her, and hosted by a reputable academic institution.)

 

 

 

17 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, ombudsman, transparency

Data protection compensation – an alternative route?

Compensation for data protection breaches can be difficult to secure – but if the data controller is a public authority there may be an alternative to legal claims

One of the outcomes of what was by any standards a disastrous breach of the Data Protection Act 1998 (DPA) was announced this week, when Hodge Jones & Allen LLP (who might want to proofread their press releases a bit better) issued a statement saying that they had secured compensation payments totalling £43,000 for fourteen residents who had brought claims against Islington Council. They were among fifty residents whose personal data was mistakenly given to ten people upon whom the Council was serving anti-social behaviour orders (ASBOs). As the Islington Gazette reported at the time

council staff passed details of 51 people, many of whom had complained about antisocial behaviour (ASB) on the council’s flagship ASB hotline, to 10 thugs who had been causing trouble on the Andover estate, off Seven Sisters Road, Holloway…The gang, who had been smoking drugs and abusing passers-by, now have the names, street names and phone numbers where given of the residents, after the information was inadvertently attached to injunctions banning them from the estate…Police activity has been stepped up on the Andover, but many victims of the breach are from other areas.

The Gazette also reported that six families were to be rehoused, no doubt at considerable cost to the Council.

The law firm’s announcement (which also appears to relate to claims made by people who, in a separate incident involving the same council, had their personal data inadvertently exposed on a website) means, of course, that any claims will not go to trial, and we will not get the chance of a judicial determination of whether, or to what extent it is possible for claimants in these circumstances to gain compensation for pure distress, in the absence of actual damage.

Data Protection lawyers and practitioners will be well aware of this issue, and I wrote about it earlier this year. To crib my own post:

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered….[the position is unclear as to] whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect

In the instant cases, it is actually possible that substantial actual damage could have been suffered, but, more probably, these again were cases where (no doubt very high levels of) distress would have lacked compensation for want of the section 13(1) gateway.

In terms of the Council itself, as data controller, it was served by the Information Commissioner’s Office (ICO) with a monetary penalty notice (MPN) of £70,000 for the DPA contravention which led to the “website incident”, and it appears that enforcement action may well result from the ASBO incident (one wonders if the ICO was awaiting the outcome of these legal claims). The ICO will need to determine whether it was a serious contravention of the DPA, of a kind likely to cause substantial damage or substantial distress (for analysis of what this requires, see my recent post here). Such MPNs do not though, in any case, compensate victims, but serve to punish the data controller (and the money goes into the government’s consolidated fund).

The Local Government Ombudsman

One does not know what the specific arrangements were between the claimants and their lawyers, but, unless the work was pro bono some fees will no doubt be owed from the former to the latter. It does occur to me that the claimants had an alternative way of seeking a remedy. The Local Government Ombudsman (LGO) investigates complaints made by people alleging administrative fault (“maladministration”) causing injustice, arising from actions or inactions of local authorities. In 2008 the LGO issued a report following investigation of a complaint that Basildon Council had

published personal and sensitive information about traveller families and their children on its website and in a report that was considered in the open part of a Council committee meeting, where copies were available to members of the public and the press who attended. The information included medical details, and the names and ages of all the children living on the site

But what is particularly interesting is that the LGO’s investigation was informed by a prior finding by the ICO in this matter (uncontested at the time by the Council) that the Council had been likely to have contravened the first data protection principle. The LGO has the power to recommend compensation payments, and in this case recommended each complainant be paid £300. Those payments were eventually effected, albeit after judicial review proceedings (an LGO recommendation is not actually binding on a council, although in the vast majority of cases they are complied).

It does seem to me that the Islington claimants could possibly have gained similar, or more compensation, by making a complaint to the LGO. It also seems to me that – where a DPA contravention by a local authority causes distress but no damage – aggrieved data subjects could consider whether the LGO could assist. And on a similar basis, where the contravention has been by a government department, or the NHS, or some other public bodies, whether the Parliamentary and Health Service Ombudsman could assist.

Leave a comment

Filed under damages, Data Protection, Information Commissioner, monetary penalty notice, ombudsman