Category Archives: Uncategorized

Academic Freedom and FOI

Pointed observations in a judgment which are not directly related to the matters pleaded are usually worth noting. Those in a recent case involving the PACE trial and Queen Mary, University of London, are essential reading for academics and support staff who deal with FOI.

In a ruling handed down this week the First-tier Tribunal (Information Rights) (“FTT”) has upheld the Information Commissioner’s (IC) decision that Queen Mary, University of London, was entitled to rely on the exemption at section 36(2)(b)(1) and (2) of the Freedom of Information Act 2000 in refusing to disclose minutes of the Trial Steering Committee and Trial Management Groups of the PACE trial. The trial had been set up to compare and test the effectiveness of four of the main treatments currently available for people suffering from chronic fatigue syndrome (CFS), also known as myalgic encephalomyelitis (ME), but it attracted considerable criticism from some quarters. In the words of the FTT

There has been a storm of comments about this study. There had been deeply wounding personal criticisms of individuals concerned and over the years individuals in this field of research and treatment have withdrawn from research in the face of hostile irrational criticism and threats.

The FTT found that the exemption was engaged:

it is pellucidly clear that the progress and conduct of research in this area would be hampered by the publication of minutes of meetings such as sought by this request because individuals would be less willing to engage in research, participate in steering committees, provide guidance, debate issues about the conduct of research as fully and frankly as they otherwise would; as fully and frankly as would most benefit the research and the patients it is intended to help

and the public interest favoured maintaining the exemption:

the appellant’s arguments in favour of disclosure of the minutes when so much has been made available publicly in relation to this research and been subjected to such high levels of independent scrutiny do not outweigh the considerable weight to be given to the public interest in maintaining the safe space for academic research

But the FTT then made wide-ranging and significant observations about the concept of academic freedom and its relation to FOI. The decision cites Article 13 of The Charter of Fundamental Rights of the European Community:

Freedom of the arts and sciences: The arts and scientific research shall be free of constraint. Academic freedom shall be respected.

and section 202 of the Education Reform Act 1988 which places an obligation on the University Commissioners to

ensure that academic staff have freedom within the law to question and test received opinion, and to put forward new ideas and controversial or unpopular opinions, without placing themselves in jeopardy of losing their jobs or privileges they may have at their institutions

and the FTT stresses the “profound importance” of academic freedom, noting that the IC has an obligation, as an emanation of the state, to give effect to Article 13. The judgment notes that the purpose of universities is to disseminate and generate knowledge and that disclosure of information is their primary purpose (“the activity which imbues the University with its moral significance”). In rather remarkable terms, the seeking of and disclosure of information (from academic institutions) under FOIA is unfavourably compared to this academic dissemination:

A parallel process of dissemination through FOIA is unlikely to be as effective or robust as the process of lectures, seminars, conferences and publications which are the lifeblood of the University. They are likely to be a diversion from the effective evaluation, publication and scrutiny of research through the academic processes. All too often such requests are likely to be motivated by a desire not to have information but a desire to divert and improperly undermine the research and publication process – in football terminology – playing the man and not the ball

One might pause to question whether this unfairly overplays the likelihood of FOIA requests being detrimental to academia, and also overstates the amount of information which is disseminated to the general public through academic research. Part of the reason for FOIA is that it enables the public to access information that public authorities specifically choose not to proactively disclose. One sees similar arguments at play in the apparent prioritising of the “transparency agenda” over FOIA disclosure.

There follows, though, a sensible suggestion for what researchers might consider at the outset of projects. With a view to the obligation to publish and maintain a publication scheme, institutions are advised that

it might well be worth considering at the start of a major project such as this setting out a publication strategy identifying what materials will be produced in the course of the project, which materials will be published and when (this will enable s22 to be considered if FOIA requests are received for such material), and which are unlikely to be published under FOIA as exemptions may be engaged

and the IC is (again with a nod to his Article 13 obligations) prompted to issue guidance on this.

Finally, the judgment suggests that the University missed a trick with this specific request

properly viewed in its context, this request should have been seen as vexatious – it was not a true request for information – rather its function was largely polemical and as such in the light of recent Upper Tribunal judgements might have been more efficiently and effectively handled if treated as vexatious

The Tribunal Judge, Christopher Hughes, has a wealth of experience in the field of academic and medical research. These are crucial observations about the relationship between FOI and academia. We already have a new exemption on its way specifically for academic research (by way of clause 19 of the Intellectual Property Bill) but this decision appears to reinforce the protection that academic research and associated information will be given from FOIA disclosure.

Postscript:

The BMJ has an article on this judgment (behind the paywall, but letters in response are here) (thanks to Zuton, who has commented below, for drawing this to my attention).

Filed under Freedom of Information, Further education, Information Commissioner, Information Tribunal, Uncategorized

Poor judgement?

Public authorities need to be cautious when disclosing performance figures of their staff under Freedom of Information (FOI) laws. They need to be even more cautious when disclosing performance figures of third parties.

Imagine if your employer, or, worse, a third party, disclosed under FOI that, of all your peers, you made the most decisions in the exercise of your employment which were subsequently found to be wrong, and which had to be overturned. If in fact those figures turned out to be incorrect, you would probably rightly feel aggrieved, and perhaps question whether the failure of data quality was in fact a breach of your rights under the Data Protection Act 1998 (DPA) and of your employment rights.

That is what appears to have happened to certain judges in Scotland, according to a letter in The Scotsman today, from the Chief Executive of the Scottish Court Service. The letter points out that a previous (29 July) article in The Scotsman – “Meet the judge with the highest number of quashed convictions” (now no longer available, for obvious reasons) – was, although published in good faith, based on inaccurate information disclosed to the paper under FOI. The letter contains an apology to

Lord Carloway and Lord Hardie, who featured prominently in this article, for misrepresenting their position in relation to appeal decisions

because the erroneous disclosed statistics suggested they had had more judgments overturned on appeal than was actually the case.

Of course, the principle of judicial independence means that judges are, strictly, not employed. But as Carswell LCJ said

All judges, at whatever level, share certain common characteristics. They all must enjoy independence of decision without direction from any source, which the respondents quite rightly defended as an essential part of their work. They all need some organisation of their sittings, whether it be prescribed by the president of the industrial tribunals or the Court Service, or more loosely arranged in collegiate fashion between the judges of a particular court. They are all expected to work during defined times and periods, whether they be rigidly laid down or managed by the judges themselves with a greater degree of flexibility. They are not free agents to work as and when they choose, as are self-employed persons. Their office accordingly partakes of some of the characteristics of employment… [Perceval-Price v Department of Economic Development [2000] IRLR 380]

and the Supreme Court took this further in O’Brien v Ministry of Justice [2010] UKSC 34 by saying “Indeed judicial office partakes of most of the characteristics of employment” (emphasis added).

Whatever their employment status, judges’ performance figures are clearly an important matter to them, and the Scottish Court Service has a duty to maintain accurate figures (particularly when disclosing them publicly). As Wodehouse said, “it has never been difficult to distinguish between a Scotsman with a grievance and a ray of sunshine”. I imagine that the office of Mr McQueen, the day after the first article, was not filled with sunshine.

Filed under Data Protection, employment, FOISA, Freedom of Information, Uncategorized

Let’s blame Data Protection (a new series): Part One

Data Protection is to blame for many things (sleepless nights for Data Protection officers, hits to the public purse, a proportionate measure of respect and security for people’s sensitive private information, bulging wallets for lawyers) and many people like to criticise it. In this occasional series I want to come to its defence, by pointing out examples where data protection has been wrongly blamed for a failure elsewhere. The Information Commissioner used to do something similar but seems to have given up with that (and, after all, “data protection duck out” is a cringemaking phrase).

So here’s my first example: “Vague” Data Protection Act blights fraud detection, say insurers

The facts of the article itself are fine, as one would expect if the author is Pete Swabey, but it’s the message itself that grates. According to the Chartered Insurance Institute (CII), there is a problem with section 29 of the Data Protection Act 1998 (DPA), which permits the disclosure of personal data by a data controller, whereby the general presumption against non-disclosure is disapplied if applying it would be likely to prejudice any of the following purposes: the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature. Normally the question whether to disclose will arise in response to a specific request from another person or body (normally one with crime detection or prosecution powers, or tax collection powers). This comes down to a matter of applying a balancing test to specific facts: if I don’t disclose this information, would it be likely to cause prejudice to those purposes?

This is often a difficult decision for a data controller (it’s about serious matters – why should it always be easy?). But the CII complain that

the vagueness of Section 29…has led to an extremely high volume of information requests, with little consistency or clarity. This, it says, is hindering investigations. 

“Certain companies, particularly the lawyers, are sending requests out without thinking about them,” [says] David Clements, motor investigations manager at Zurich

Bad Data Protection Act! Making people ask for disclosure of personal data without giving it much thought!

Also, the fact that requests and responses are made in a haphazard, non-standard fashion creates unnecessary work for fraud investigators.

Silly Data Protection Act! Making an industry incapable of standardizing procedures!

And, indeed, the article says that the industry is trying to sort itself out

The New Generation Claims Board is working on a voluntary code of best practice to help insurance providers both improve the efficacy of their fraud investigations and reduce their risk of non-compliance. 

“We’re going to provide the industry with a best practice protocol plus a template for sending and receiving requests,” Clements explains.

But the evil Data Protection Act is still lurking about causing trouble, because this is only a voluntary scheme

as insurance companies are not even obliged to respond to Section 29(3) requests

Come on Data Protection Act, sort yourself out!

Filed under Data Protection, Information Commissioner, Let's Blame Data Protection, Uncategorized

An error of judgment

A very brief post, on something in a High Court judgment which may merely be a slip.

On 6 June 2013 a renewed application to appeal to the Employment Appeal Tribunal was heard in the High Court. The applicant, Flynn, is seeking compensation for detriment suffered by reason of the making of a public interest disclosure (the “whistle-blowing claim”) and for arrears for holiday pay. The respondent, Warrior Square Recoveries Limited (“Warrior”) made an initially unsuccessful attempt to have the claims struck out. On appeal the Employment Appeal Tribunal refused to strike out the holiday arrears claim, but struck out the whistle-blowing claim because it had not been brought within the requisite three-month time-limit. Flynn now sought to reinstate the whistle-blowing claim.

Lord Justice Rimer was not impressed by the arguments to reinstate, but, rather reluctantly, found one sufficiently compelling to justify permission

The only argument that appeared to me arguably to have some legs to it was that on 21 May 2010 the applicant made a subject access disclosure application to Warrior under the Freedom of Information Act 2000, the purpose being the provision to him of information as to whether or not the defamation claim was being pursued. Warrior had 40 days to comply with the request, but it did not do so. It is said that the expiration of the 40 days marked another deliberate failure by Warrior to act, following which the tribunal proceedings were issued within three months.

With some hesitation, I regard this ground as sufficient to justify permission to appeal…

The perspicacious among you might have noticed something. Subject access, and the 40 day time for compliance, are terms not from the Freedom of Information Act 2000 (FOIA), but from section 7 of the Data Protection Act 1998 (DPA). FOIA only applies to public authorities, of which Warrior is not one. If a public authority receives a request seeking subject access under FOIA it should apply the exemption at section 40(1) and “the public authority will need to deal with it in accordance with the DPA” (Information Commissioner guidance). An employer, such as Warrior, which is not a public authority, has no such obligations under FOIA. It probably should still, on receipt of a letter purporting to be a FOIA request, have read it and recognised it as being, rather, a subject access request under DPA (under which it does have obligations to respond). But I’m not sure I would criticise it too much for seeing the words “Freedom of Information Act”, and thinking it didn’t need a response. I’m also not sure that the failure to respond to a non-existent obligation under an Act to which the company was not subject should have counted for the purposes of deciding when the time for lodging a claim started.

As I say, this may be a transcription error, or the judge might have mistakenly cited FOIA when he meant DPA, but the fact that this point was determinative of whether to allow permission to appeal means the error (whether it was an actual one, or just in the handed down judgment) is very odd.

Filed under Data Protection, employment, Freedom of Information, Uncategorized

It’s still not fine

Last week I blogged about enforcement notices served on three Midlands police forces by the Information Commissioner (IC). I was surprised that the circumstances hadn’t merited stronger sanctions, in the form of monetary penalty notices (MPNs), and I tweeted to ask why.

As you can perhaps see, the IC’s office has kindly replied to my tweet. I had asked

I would really like to know why the IC did not see fit to issue Monetary Penalty Notices. Can you advise?

and their reply says

enforcement notices best means of improving compliance. Considered details of the case inc limited involvement of each force

I have to say I think this is a questionable response (although I take the point that a 140-character limit is restrictive).

Firstly, enforcement activities are not mutually exclusive – it is not uncommon for an enforcement notice and an MPN to be served in tandem on a data controller. Thus, as recently as June this year, Glasgow City Council was served an MPN of £150,000 by the IC following the loss of, er, unencrypted laptops, and at the same time was served an enforcement notice requiring certain corrective actions to be undertaken.

Secondly, and I may be misinterpreting, but the reply seems to say that the “limited involvement of each force” was a determining factor in a decision not to serve an MPN. However, there were three data controllers involved. If each of them had a “limited” involvement, one is led to ask “wasn’t that the main problem?”. Derbyshire and Leicestershire both “did not carry out a risk assessment before they joined [the collaboration unit]…relying on the security measures taken by Nottinghamshire”, but those security measures were inadequate (lack of encryption, laptops not physically secured). Meanwhile, none of the forces properly monitored its officers while they were seconded.

It seems to me that the limited involvement of each of the forces might, instead of excusing it, have in fact been the key factor why the security breach happened.

Principle seven of the first schedule to the Data Protection Act 1998 (DPA) requires that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Many, many public (and private) sector data controllers are undertaking collaborative and partnership working, or are taking steps to do so. All responsible organisations are very aware, where they continue, either jointly or in common with other organisations, to determine the purposes for which and the manner in which any personal data are, or are to be, processed, that they remain a data controller, with the consequent responsibilities and liabilities. They are very aware of the IC’s Data Sharing Code of Practice.

And they are very aware that, if things go wrong with data-sharing, it will not normally be sufficient to point at a partner, and say “it was their fault”, or, even less, for all partners to shrug their shoulders and say, “that wasn’t our responsibility”.

Filed under Data Protection, data sharing, enforcement, Information Commissioner, monetary penalty notice, police, Uncategorized

An Unnecessary FOI Appeal?

South Lanarkshire Council have lost what seems to me to have been a rather unnecessary, and surely rather costly, FOI case in the Supreme Court. That said, the judgment is important reading.

It is well-established that, for disclosure of personal data to be lawful under Freedom of Information law (both the Freedom of Information Act 2000 (FOIA) and the Freedom of Information (Scotland) Act 2002 (FOI(S)A)) it will normally be necessary to satisfy the test in the sixth condition of Schedule Two of the Data Protection Act 1998 (DPA)

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Disclosure is, by section 1(1) of the DPA, an act of “processing”.

It is also well-established (indeed, one might almost say it is trite law), that “necessary” in that condition is to be construed in accordance with the relevant European authorities. As the High Court held, in the MPs’ expenses case

‘necessary’ within para 6 of Sched 2 to the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends. Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

For reasons which are not entirely clear to me (but I’m not a Scottish lawyer) (in fact, I’m neither Scottish, nor a lawyer) the Court of Session in Scotland said, when hearing an appeal from South Lanarkshire Council of a decision by the Office of the Scottish Information Commissioner (OSIC) to order disclosure of information on how many of the total number of a certain post were placed at specific points in the pay scale, that it saw the force of a submission by counsel for the Council that

the word “necessary” should be accorded its ordinary and natural meaning, with the opening phrase being understood as imposing a distinct requirement

and that

but for the authority [of the MPs expenses case], we would have had little hesitation in giving effect to it

but they didn’t even need to reach a concluded view on this, because it was clear that, in this case, whatever construction was given to “necessary”

the Commissioner could only have concluded that necessity was made out. In particular, he held that the Requester’s own interest coincided with a widespread public interest in the matter of gender equality and that it was important to achieve transparency on the subject of Equal Pay. No better means existed to achieve that goal than by releasing the information in question

Apparently grabbing at that tiny bone thrown them by the Court of Session, the Council appealed to the Supreme Court. The hearing was three weeks ago, and judgment has been handed down today (which strikes me as rather quick) unanimously dismissing the Council’s appeal. At the time of the hearings The Herald reported that the Supreme Court had “slapped down” the Council

A cash-strapped Labour council has been scolded by one of the UK’s most senior judges for “dancing on the head of a pin” with “Alice In Wonderland” legal arguments, which have cost taxpayers thousands of pounds.

Anyone with any experience of litigation knows that it is a dangerous game to predict the outcome on the basis of the apparent approval or disapproval of your argument by the judge – often the strongest argument will be given the heaviest interrogation – but it does appear that, in this case, The Herald wasn’t taking too much of a gamble in anticipating the outcome. Lady Hale, giving the leading judgment, agreed with the Council that

the word “necessary” has to be considered in relation to the processing to which it relates. If that processing would involve an interference with the data subject’s right to respect for his private life, then [Rechnungshof v Österreichischer Rundfunk (Joined Cases C-465/00, C-138/01 and C-139/01) [2003] 3 CMLR 265] is clear authority for the proposition that the requirements of article 8(2) of the European Convention on Human Rights must be fulfilled

but in this instance, although disclosure of the information would be “processing” of “personal data” by the Council (as the Council itself could identify those to whom the data related), neither the requester nor any other third party would be able to identify the data subjects. Accordingly

as the processing requested would not enable Mr Irvine or anyone else to discover the identity of the data subjects, it is quite difficult to see why there is any interference with their right to respect for their private lives

And Lady Hale disagreed with the Council on the construction of “necessary”

all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information…and whether he needs that information in order to pursue it. It is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary…necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less 

As the requester was clearly pursuing a legitimate interest, and this could only be met by disclosure under FOI(S)A the appeal had to fail, and the information falls to be disclosed. It is difficult to see how any other outcome, following the domestic and European authorities, could have ensued.

This does leave unanswered what the outcome would be if, for instance, no legitimate interest were advanced by a requester and/or the data subjects could be identified. In this instance, the OSIC had sought clarification of the requester’s purposes, in an investigation which the Supreme Court held was not in breach of the rules of natural justice, despite a failure to involve the Council in the correspondence. As a blogger activist the requester, Mr Irvine, could clearly point to a legitimate interest – a “serious, ongoing interest in equal pay matters”, but Lady Hale observed that

for example, if Mr Irvine had asked for the names and addresses of the employees concerned, not only would article 8 have clearly been engaged, but the Commissioner would have had to ask himself whether his legitimate interests could have been served by a lesser degree of disclosure

In European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P) the European Court of Justice found that the European Commission had not erred in refusing to disclose, under the EU Access Regulation, the identities of people attending a meeting, because the company requesting it had not been able to advance a legitimate interest in disclosure (see the excellent Panopticon post on this). FOI was traditionally said to be “applicant blind”, with a requester not needing to advance a purpose for asking for information, but, as these “personal data” cases (and others not relating to personal data – the “social watchdog” argument in the ongoing litigation involving Dominic Kennedy and the Charity Commission) show, motivation can be a determining point when it comes to disclosure under FOI.

Filed under Data Protection, FOISA, Freedom of Information, human rights, Uncategorized

The future of the ICO’s funding and functions

In February of this year the House of Commons Justice Committee took evidence from the Information Commissioner and his two deputies, and in March published a lengthy, sympathetic and wide-ranging report on The functions, powers and resources of the Information Commissioner. The Committee has now published the government response, which was in the form of a letter from Lord McNally, Minister of State for Justice. With the greatest of respect for the Ministry of Justice, the response seems to be little more than a deft kick into touch. Here are some examples.

Funding

The report raised various concerns about future funding for the Information Commissioner’s Office (ICO). Firstly, it noted that the ICO cannot use the money it receives for FOI work in the form of grant-in-aid for Data Protection work, nor can it use the funding it receives for Data Protection work from notification fees for FOI work. The report recommended that

The Government should consider relaxing the governing rules around virement and overheads

Lord McNally’s response says

…my officials have been working with the ICO to explore the potential for greater flexibility in the way the ICO apportions shared costs between the Freedom of Information (FOI) and Data Protection (DP) funding streams, in line with the Committee’s recommendation

Which adds little, if any, new information.

The report also noted that, if the European draft General Data Protection Regulation (GDPR) is passed in its current form, the ICO’s main funding for Data Protection work – notification fees – will be removed. It recommended

The Government needs to find a way of retaining a fee-based self-financing system for the data protection work of the Information Commissioner, if necessary by negotiating an option for the UK to retain the notification fee or introduce an alternative fee. If the Government fails to achieve this, the unappealing consequence will be that funding of the ICO’s data protection work will have to come from the taxpayer.

To which Lord McNally replied

The work we intend to undertake in partnership with the ICO will include drawing upon research commissioned by the ICO into future funding options, and analysis they have done into the effectiveness of the tiered notification fee system which has been in place since 2009. I would like to reassure the Committee that the Government is committed to ensuring that the Information Commissioner is appropriately resourced.

Er, OK, but does that really say anything at all?

Independence of ICO

The Committee had linked the issue of adequacy of resources to the ICO’s relationship with the executive. If the regulator is reliant on government grant, can it be truly sufficiently independent? Their recommendation was

With the potential removal of the notification fee through the EU Regulation, we reiterate our recommendation that the Information Commissioner should become directly responsible to, and funded by, Parliament

Previously, during a Westminster Hall debate in January, justice minister Helen Grant had been clear that the government did not think this was appropriate. Lord McNally though was – again – equivocal

Whilst there are currently no plans for the Information Commissioner to be a Parliamentary body or to be funded by Parliament, the work we are taking forward on the ICO’s long-term funding and operating model will consider the range of recommendations that have been made by your Committee and others, including Lord Justice Leveson in relation to the future powers, governance and accountability arrangements of the ICO. I look forward to updating the Committee in due course.

Custodial data protection offences

On the subject of whether, finally, custodial sanctions for section 55 data protection offences should be commenced (see Pounder et al, passim), the Committee was clear

We call on the Government to adopt our previous recommendation, as well as that of the Home Affairs Committee, the Joint Committee on the Draft Communications Data Bill and the Leveson Inquiry, and commence sections 77 and 78 of the Criminal Justice and Immigration Act 2008 to allow for custodial sentences for breach of section 55 of the Data Protection Act 1998.

On this at least Lord McNally had a small piece of actual news. The government is to consult on Lord Justice Leveson’s proposals on data protection arising from his inquiry into the culture, practices and ethics of the press

It is…the Government’s view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to make an Order introducing custodial sentences under section 77 CJIA (a statutory requirement), which will seek views on their impact and how they might be approached.

Compulsory data protection audits

Finally, the Committee had noted the reluctance of some public sector organisations to submit to the offer of a data protection audit by the ICO. They found it “shocking” that this should be the case (sensitive souls eh?) and recommended that the power of compulsory audit should be extended (it currently applies to government departments)

We recommend the Secretary of State bring forward an order under section 41A of the Data Protection Act to meet the recommendation of the Information Commissioner that his power to serve Assessment Notices be extended to NHS Trusts and local councils.

Lord McNally confirmed that consultation was already under way regarding the extension of this ICO audit power to compel NHS bodies to submit, but he was – you’ve guessed it – equivocal on whether local government would be similarly compelled

There are currently no plans to extend the Information Commissioner’s powers of compulsory audit to local government but the Department for Communities and Local Government are taking a partnership approach to improving local government’s compliance with data protection principles.

I can’t help seeing Lord McNally’s response as little more than a polite nod to the Justice Committee. It promises very little (other than a consultation on Leveson’s data protection proposals, which, given the continuing wrangles over the GDPR, I can’t see achieving much quickly) and delivers nothing immediate. However, the ICO tweeted this morning that it welcomed the response regarding funding and powers, so maybe the future of the independent regulator of transparency and privacy is being decided behind closed doors.


Substantial distress or just a nuisance?

Can a large number of nuisance calls to a large number of people, none of whom individually suffers substantial distress, still equate to cumulative substantial distress, for the purposes of the PECR (and the DPA)?

I blogged recently in praise of the enforcement action taken by the Information Commissioner’s Office (ICO) against nuisance-caller companies, and I see that a further penalty notice has been served this week, on a “marketing company”. With considerable reluctance, though, I am drawn to a view that the ICO might be taking a flawed, or at least questionable approach to the enforcement. I say “reluctance” because I think the problem of nuisance calls is one that calls out for strong enforcement powers and the will to exercise those powers (I also think it’s a problem, by the way, that the BBC should, without apparent comment, continue to broadcast a programme which provides a platform for two companies who have received penalties totalling £225,000 for engaging in the practice).

The enforcement action is taken under the ICO’s powers conferred by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The latter imported into the former the powers conferred on the ICO by the Data Protection Act 1998 (DPA) to serve, in appropriate circumstances, a civil monetary penalty notice (MPN) on a data controller where

(a) there has been a serious contravention of section 4(4) by the data controller,

(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and

(c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller—

(a) knew or ought to have known —

(i) that there was a risk that the contravention would occur, and

(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b) failed to take reasonable steps to prevent the contravention.

(emphasis added)

What all this means, effectively, is that the ICO has two powers available to serve an MPN (to a maximum of £500,000): firstly, for a qualifying breach of the DPA, secondly for a qualifying breach of the PECR. He has exercised the former several times over the last three years, but has only exercised the latter more recently (the first time was in November last year). MPNs under the DPA have been for egregious breaches (e.g. highly sensitive information faxed numerous times to the wrong recipients, loss of unencrypted memory stick with details of people linked to serious crimes). In these circumstances it has not been difficult for the ICO to be satisfied that

such a contravention would be of a kind likely to cause substantial damage or substantial distress

However, what about when hundreds of nuisance calls have been made to hundreds of individuals? It is surely in the nature of nuisance calling that it is rarely (although not never) going to cause an individual substantial distress. The ICO says, in what appears effectively to be standard wording in PECR MPNs

The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress as required by section 55 (1) (b) because of the large numbers of individuals who complained about these unsolicited calls and the nature of some of the complaints they gave rise to…Although the distress in every individual complainant’s case may not always have been substantial, the cumulative amount of distress suffered by the large numbers of individuals affected, coupled with the distress suffered by some individuals, with some receiving multiple calls, means that overall the level was substantial.

In adopting this “cumulative distress” approach the ICO refers to his own guidance about the issuing of monetary penalties issued under section 55C (1) of the DPA. This guidance (which applies to PECR as well as DPA) says

The Commissioner does…consider that if damage or distress that is less than considerable in each individual case is suffered by a large number of individuals the totality of the damage or distress can nevertheless be substantial.

As far as I am aware this approach has only been used when issuing PECR MPNs, not DPA ones. But is it the correct approach? I’m not so sure. The law requires the contravention (of the PECR or DPA) to have been of a kind likely to cause “substantial distress”, not “substantial instances of distress” and one could argue that, if the latter is what Parliament intended, Parliament would have said that (although, as is often the case, one can turn that around and say, if Parliament had not intended the ICO to cumulate instances of distress it would have restrained him from so doing). To me, though, the ICO’s approach seems wrong. But when I put the scenario to two lawyers, they agreed with the ICO, and to two lay-people, they agreed with me. I’m not sure what the lesson to be drawn there is.

I suspect this will be tested, and I note that Christopher Niebel’s appeal of his PECR MPN is listed for a five-day hearing before the First-tier Tribunal in October. And Sony’s appeal of their DPA MPN is listed for a four-day hearing before the First-tier Tribunal in November. Although the “cumulative distress” approach was not explicitly cited by the ICO in Sony’s MPN, one could argue that finding out that a data controller has lost one’s name, address, email address, date of birth and account password is unlikely to be capable of causing individual substantial distress.

I should stress that I think there should be sanctions for organisations which commit serious contraventions affecting large numbers of people, even where individual distress is not substantial. I think that nuisance caller companies are, er, a nuisance, and deserve to be targeted robustly by a regulator. And I actually hope I’m wrong on the meaning of “substantial distress”.

Postscript:

Very interestingly (well I think so) there are reports that the government is considering proposing legislative changes to alter the threshold whereby substantial damage or substantial threat must be demonstrated. Whether this is simply to bring larger numbers of nuisance-calling companies into the ICO’s sights, or whether it is to address perceived weaknesses in current legislation remains to be seen (it might be both, of course).

Postscript 2:

Recently-published minutes from the ICO’s Management Board of 22 July support my view. They say

Civil monetary penalties for offences under PECR were discussed further. There are concerns about the requirement to show substantial damage and distress when what was happening was minor inconvenience to many people; ie in receiving spam texts.

Niebel’s appeal is happening this week (Sony dropped theirs). We will know soon whether the laudable attempts by the ICO to punish nuisance calling will be defeated by what was perhaps inadequate legislative drafting.


Who’s to blame for the Ministerial Veto?

The people to blame for our not being able to see Prince Charles’ lobbying correspondence with the government are not the judges – it’s the people who passed the FOI Act.

So, perhaps to no one’s great surprise, the judicial review application by the Guardian’s Rob Evans of the Attorney General’s ministerial veto has failed. As three of 11KBW’s array of brilliant information law advocates were instructed in the proceedings, I am sure we will see a Panopticon blog post shortly, and I wouldn’t try to compete with what will be the usual clear and percipient legal analysis (for which, also, see this excellent post from Mark Elliott). However, I wanted to address what I see as a potential misapprehension that this was an expression by the High Court that it agreed that the Attorney General was correct to issue a certificate vetoing disclosure of correspondence between Prince Charles and government departments. While the natural outcome of the court’s judgment is that the correspondence will not be disclosed, what was actually to be decided, and ultimately was decided in the Attorney General’s favour, was whether the exercise of his powers was lawful.

Under section 53(2) of the Freedom of Information Act 2000 (FOIA) a decision notice issued by the Information Commissioner (IC) (or later remade by a tribunal) ceases to have effect if an “accountable person” (effectively, either a Cabinet Minister or the government’s senior law officer) issues a certificate stating that he has “on reasonable grounds” decided that there was in fact no prior failure by the government department in question to comply with a request for information under FOIA. It is a power of executive override of a decision made by the statutory regulator (the IC). Its place in the statutory, and constitutional, scheme is what people should be objecting to, particularly in light of what the court in this case found.

The case dates back to the earliest days of the commencement of FOIA. Evans had requested correspondence between Prince Charles and various government departments, but those departments had refused to disclose. In a detailed and complex analysis the Upper Tribunal (the case having been transferred from the First-tier Tribunal) last September decided that, although the FOIA exemption (at section 37) relating to communications with the Royal Household was engaged, the public interest fell in favour of disclosure of the information (two points of note: first, the section 37 exemption, which was at the time of the request a qualified one, subject to the application of the public interest, has since been amended to make it absolute; second, there were other exemptions engaged, but the section 37 exemption was the focal one).

There was potentially further right of appeal, to the Court of Appeal and, ultimately, the Supreme Court. So why did the government not follow this route? The Campaign for Freedom of Information have issued a press release in which their Director Maurice Frankel says “Ministers should have to appeal against decisions they dislike and not be able simply to overturn them”. I agree (of course) but the reason the government departments did not appeal in this case is because any appeal would have had to have been on a point of law – the more senior courts could not have substituted different findings of fact, or decided whether an exercise of discretion should have been exercised differently. In short, I suspect the government did not appeal because they knew they would have been unsuccessful (or rather, their lawyers would presumably have advised, as lawyers do, that the chances of success were low).

Davis LJ, giving the leading judgment in the High Court, identified that

The underlying submission on behalf of the claimant is, in effect, that the accountable person is not entitled simply to prefer his own view to that of the tribunal

to which he countered

why not? It is inherent in the whole operation of s.53 that the accountable person will have formed his own opinion which departs from the previous decision (be it of Information Commissioner, tribunal or court) and may certify without recourse to an appeal. As it seems to me, therefore, disagreement with the prior decision…is precisely what s.53 contemplates, without any explicit or implicit requirement for the existence of fresh evidence or of irrationality etc. in the original decision which the certificate is designed to override. Of course the accountable person both must have and must articulate reasons for that view…[It] is for the accountable person in practice to justify the certification. But if he does so, and that justification comprises “reasonable grounds”, then the power under s.53(2) is validly exercised. Accordingly, the fact the certificate involves, in this case, in effect reasserting the arguments that had not prevailed before the Upper Tribunal does not of itself mean that it is thereby vitiated

The power to issue a certificate exists under section 53(2), even if, as Lord Judge said, such a power “appears to be a constitutional aberration”. If it exists, it can be exercised, provided that is done lawfully. To admit of another interpretation, says Davis LJ, would be (taken with the claimant’s other arguments) to

greatly [narrow] the ostensible ambit of s.53. As a matter of statutory interpretation I can see no justification for such a limitation, either on linguistic grounds or on purposive grounds

Parliament chose to enact s53, and any potential inherent constitutional imbalance or threat to the rule of law in its having done so is overcome by the availability of judicial review:

for the purposes of s.53 of FOIA, Parliament has provided the procedure by which this statutory provision is to be mediated. It is to be mediated, on challenge by way of judicial review, by the courts assessing whether the Secretary of State has certified “on reasonable grounds”. That involves no derogation from the fundamental principle of the rule of law: on the contrary, it is an affirmation of it.

For the same reasons, any challenge as to whether the exercise of the veto (as applied to environmental information under the Environmental Information Regulations 2004) offends the relevant sections of the originating EC Directive and the Aarhus Convention (specifically, those that deal with the need to have a “review procedure”) could also be met by reference to the availability of judicial review (although one wonders, along with the Aarhus Convention Compliance Committee, whether judicial review meets the requirement to be not “prohibitively expensive”).

And ultimately, and relatively straightforwardly, it fell to the court to

consider whether the Attorney General has shown in the present case reasonable grounds for certifying as he did…[and] the Statement of Reasons appended to the certificate, once carefully read and analysed, does indeed demonstrate such “reasonable grounds”. The views and reasons expressed as to where the balance of public interest lies are proper and rational. They make sense. In fact, I have no difficulty in holding them to be “cogent”. Indeed – especially given that the Attorney General’s reasons and conclusions are in many respects to the like effect as those previously provided by the Information Commissioner – it will be recalled that the Upper Tribunal had itself, in paragraph 4 of its decision, acknowledged that there are “cogent arguments for nondisclosure”

So, if you want to criticise the fact that the Attorney General was allowed to veto disclosure of Prince Charles’ correspondence with the government, don’t criticise the judges, don’t even criticise (too much, at least) the Attorney General himself – rather, criticise Parliament which passed the law.

UPDATE: 25 July 2013

The Guardian reports that permission has been granted to appeal to the Court of Appeal.

 


CQC allegations and data protection

Data Protection laws have been said to be behind the decision not to name CQC officials alleged to have covered up a damning internal report. Oh really? Well, yes, perhaps, I argue.

News bulletins today lead with the story that the Care Quality Commission apparently engaged in a cover-up of an internal review report critical of its oversight of University Hospitals Morecambe Bay in 2010, an NHS Trust now subject to investigations over the deaths of at least eight mothers and babies. The allegations of a cover-up were made by a whistleblower interviewed as part of an investigation by Grant Thornton, who were commissioned by CQC to look into its own activities. Potentially particularly damning are remarks at the time attributed to a senior manager at CQC regarding the alleged suppression of the original internal review report

Are you kidding me? This can never be in a public domain, nor subject to FOI

The Grant Thornton report, as published, has redacted the name of this senior manager and a colleague. And the Data Protection Act 1998 (DPA) is pleaded in defence of the redaction. As the Telegraph reports

The names of two individuals who ordered the destruction of evidence of the Care Quality Commission’s failure to investigate the University Hospitals of Morecambe Bay NHS Trust have been redacted from an official report…David Prior, the new chairman of the CQC, said that the names had been redacted because of “data protection concerns” and because the watchdog fears being sued…“to publish it with the names would breach the Data Protection Act. We would have been open to being sued on that basis”

As a number of people have pointed out, this is certainly questionable. Ben Bradshaw MP is reported by the Guardian as saying in Parliament that

the [Data Protection Act] allows exceptions in cases where protecting the public is an issue

and, in a thundering editorial, Health Policy Insight say the decision

is, quite simply, bullshit…Nor is it just a minor pellet of bullshit. This is epic, hog-whimpering and noxious bullshit…The Data Protection Act affords specific exemption at Section 55 2(d) “to a person who shows … that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”…Moreover, the Information Commissioner’s Office, which enforces the Data Protection Act, is explicit in its advice on Principles One and Two (those dealing with an individual personal data) that fairness is crucial: “it depends on whether it would be fair to do so … personal data must not be processed for any purpose that is incompatible with the original purpose or purposes”

While I admire the level of polemic, HPI are rather mistaken in their analysis of the DPA. And I submit that it was not necessarily wrong for David Prior to be advised that disclosure of the name of the person might breach the DPA. I would stress that I am not suggesting that those responsible for failures at CQC should not be accountable for those failures, nor, if it is true that the original internal review report was suppressed, that those who did so should not also be accountable. What I do suggest is that, on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage. I say this despite the parliamentary statement by the Secretary of State for Health, to the effect that he had not wanted the redactions, and that

There should be no anonymity, no hiding place, no opportunity to get off scot free for anyone at all who was responsible for this

(On this, we should perhaps remember the unlawful decision by Mr Bollocks [ed: Balls] peremptorily to require the dismissal of Sharon Shoesmith. Politicians are first and foremost politicians. They are not generally there to be lawyers or employers.)

The name of the person involved is clearly going to constitute “personal data” according to the definition in section 1(1) of the DPA. And, for these purposes, the “data controller” (with whom lies the decision as to whether to disclose or redact, and to whom liability for a breach of the DPA attaches) is CQC itself. HPI cite section 55(2)(d) of the DPA, which broadly provides that the offence of unlawfully obtaining personal data does not apply if it has been done in the public interest. This provision deals with a criminal offence of inter alia disclosing personal data without the consent of the data controller. This clearly does not apply here.

HPI are correct, however, in pointing to the first principle (as listed in Schedule One) of the DPA, and its reference to fairness (although they are talking nonsense when they refer to the first two principles being those “dealing with an individual personal data” [sic] – the whole of the DPA applies to an individual’s personal data). The first principle provides that the processing (and disclosure of a name will be “processing” under the DPA) of personal data must be fair and lawful.

When deciding whether names of public officials should be disclosed (albeit in response to a Freedom of Information request) the Information Commissioner (ICO) says

[the public authority] must decide whether disclosure would breach Principle 1 of the Data Protection Act (the DPA), ie whether it would be fair and lawful to disclose the information.

Whether the disclosure is fair will depend on a number of factors including:

the consequences of disclosure;

the reasonable expectations of the employees; and

the balance between any legitimate public interest in disclosure and the rights and freedoms of the employees concerned…

These are the factors CQC would need to take into account, and one can see that a balancing exercise would ensue. The consequences of disclosure – of what appear merely to be allegations – for the person or persons involved could be grave, and be an important factor in identifying what his or her rights and freedoms are. On the other side, there would appear to be a clear public interest in disclosure, notwithstanding that, I repeat, these are mere allegations, on the basis that someone taking such a significant decision as to try (allegedly) to suppress publication of the adverse report should be accountable (as should the CQC as their employer) for such actions. The issue as to reasonable expectations is more difficult however. If the person or persons has been told in explicit terms that their name will not be disclosed, they may have very strong expectations that this will not happen. As to whether those expectations are reasonable, one would need to know the terms upon which any undertaking might have been given. Employment rights might well be engaged.

Also to be considered is that the naming of the person or persons in circumstances in which it might subsequently transpire that the allegations were not true could give rise to a successful claim in defamation. Indeed, as Robin Hopkins has observed, DPA is increasingly used as a primary claim in actions involving defamatory publications.

I repeat, none of this is to defend the actions of CQC, nor, if the allegations are shown to be true, to defend the actions of anyone who suppressed the report. It is simply to say that the DPA might be engaged at this point, and potentially breached if disclosure of names happened. Disclosure, in a clearly fair and lawful way, might follow in due course.

I note that the Deputy Information Commissioner is reported tonight as saying

The Data Protection Act does not specifically prevent people being named publicly, but instead talks about using information fairly and considering what expectations of confidentiality people may have had when providing their personal information.

It is important the Data Protection Act is not used as a barrier to keep information out of the public domain where there is an overriding public interest in disclosure.

David Smith is a clever and astute man. He did not say the names should be revealed. That is revealing.

UPDATE 20.06.2013

My attention has been drawn to last night’s episode of BBC’s Newsnight, on which David Smith’s boss, Information Commissioner Christopher Graham, appeared. As the BBC itself reports, he said

“This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear.

“You have to process data fairly, you have to take into account people’s expectation of confidentiality.”

He said that was “obviously” the case with patient data in particular.

But when it came to officials, “there you have to apply a public interest test”, he added.

He said he was “not convinced” the CQC had been correctly advised.

He ended his short interview by saying “I think [the CQC] are going to have to look at this again”.

Fair enough. He’s right and I’m wrong then? Well, no – he still didn’t by any means say that disclosure now had to happen (and, in his role, he would have been very ill-advised to have done so).

And, prompted by further coverage, and a comment below by Dr Chris Pounder, who probably knows more about Data Protection than the entire staff at the ICO (and that’s not intended as an insult to the latter), I now feel that two other factors might be at play. First, if the allegations quoted in the Grant Thornton report amount to allegations of possible criminal offences (e.g. misconduct in a public office) then there is an arguable need to avoid prejudice to any police investigation. Second, if the person or persons referred to in the report have already taken steps to challenge its veracity – either as a whole, or in respect of specific comments attributed to the whistleblower – then it would be prudent of CQC not to disclose until that challenge (whether it be made informally, or as part of or precursor to legal proceedings) has played out.

That said, when the combined forces of the government and the Information Commissioner are leaning on the CQC at least to review the decision not to disclose names, it would be a bold move to continue to resist. They will though, no doubt, be advised that there remain potential legal risks in doing so, unless they are completely satisfied about the veracity of allegations in the report.

UPDATE 2, 20.06.2013

The CQC has now published the names previously redacted. The letter to the Secretary of State makes clear that

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

None of this changes my view that there was a clearly arguable legal basis for redaction. Data Protection is wrongly blamed for a lot of things but it was engaged in this instance.

This outcome also raises the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA. Am I wrong to hope that happens?
