Category Archives: Uncategorized

July 3, 2024 · 8:05 pm

Data protection v Defamation

[Sometimes I will upload posts I make on LinkedIn to this blog, because they’re easier to archive here: however they’re a bit more “conversational” than usual]

Can (or in what circumstances can) a data protection claim be brought on the basis that processing involves harm to reputation of a sort which, more orthodoxically*, would be brought in defamation?

His Honour Justice Parkes has refused an application by Dow Jones to strike out a data protection erasure claim (with an associated compensation claim) on the grounds that in reality it is a “statute-barred defamation complaint dressed up as a claim in data protection, and brought in data protection to avoid the rules which apply to defamation claims” (the application was also on Jameel grounds).

The judge says he “cannot see how [the claimants] can be summarily denied access to the court to make [their] case, employing a cause of action which is legitimately open to them… simply because in the past they have repeatedly threatened to claim in defamation, or because the claim is heavily based (as it is) on considerations of harm to reputation, or because, had they brought the claim in defamation, it would have faced very difficult obstacles”.

HHJ Parkes notably (ie this needs to go to trial) says that “the state of the law on the recoverability of damages for injury to reputation in non-defamation claims is uncertain and in flux” and that it is “unsuitable for determination on a summary application and probably requires the attention of an appellate court”.

It will be very interesting if this now makes it to trial. But never hold your breath on that folks.

[*yes, I did intend to coin the most awkward adverb possible]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, defamation, erasure, journalism, judgments, Uncategorized

Tagged as ,

June 24, 2024 · 12:51 pm

NADPO June webinar – subject access requests and political party data use

NADPO’s next lunchtime webinar is tomorrow 25 June at 12:30:

Jenna Corderoy – “Investigation into the state of Subject Access Requests” 

Duncan McCann – “Election deepfakes and political data use”

As always, members can attend for free.

Leave a comment

Filed under Uncategorized

June 12, 2024 · 6:14 pm

A violation of the presumption of innocence

This may not be a post directly related to information rights (although it does involve disclosure of information in response to a parliamentary question – which is a potential route to access to information which should never be underestimated). But I’m writing more because it’s on a topic of considerable public interest, and because the efforts and the campaigning of the applicants, and of Appeal, deserve support.

The Grand Chamber of the European Court of Human Rights (ECtHR) has held that the scheme in England and Wales for assessing whether people whose criminal convictions are subsequently overturned is compatible with the European Convention on Human Rights (the “Convention”).

Regardless of whether the ECtHR was correct or not, the underlying issue is, in my view, a national scandal and one that any incoming government should set right as a matter of priority.

Under Section 133(1ZA) of the Criminal Justice Act 1988 (as amended in 2018) the state must pay compensation where a new or newly discovered fact shows beyond reasonable doubt that there has been a miscarriage of justice. But a miscarriage of justice will only have occurred “if and only if the new or newly discovered fact shows beyond reasonable doubt that the person did not commit the offence”. This reverses what would be the normal burden of proof in criminal justice matters, and in effect requires the wrongfully convicted person to prove their innocence to gain compensation, despite the fact that their conviction has been overturned.

Figures given in response to a parliamentary question last year revealed that an extraordinary 93% of cases did not warrant compensation under the scheme. 

At the ECtHR, the applicants contended that the domestic scheme infringed Article 6(2) of the Convention, which provides that “Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law”. Although the ECtHR noted “the potentially devastating impact of a wrongful conviction” it also held that the UK was

free to decide how “miscarriage of justice” should be defined for these purposes, and to thereby draw a legitimate policy line as to who out of the wider class of people who had had their convictions quashed on appeal should be eligible for compensation…, so long as the policy line was not drawn in such a way that the refusal of compensation in and of itself imputed criminal guilt to an unsuccessful applicant

It was not, said the ECtHR, its role “to determine how States should translate into material terms the moral obligation they may owe to persons who have been wrongfully convicted”.

Although there was a strong dissenting opinion which would have held that the compensation scheme resulted in a violation of the presumption of innocence, it must now fall to the next Parliament to take forward the “moral obligation” and put right where a previous Parliament went wrong. This does not, and should not, need to wait for the outcome of the Malkinson Inquiry. That inquiry may well have things to find out, and things to say, in general, about miscarriages of justice but it is not in its remit to consider the compensation point: that can, and should, be resolved sooner.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Article 6, Europe, human rights, Ministry of Justice, parliament, Uncategorized

Tagged as

June 4, 2024 · 6:16 pm

How far can a legal fiction go?

When the Information Commissioner, as a public authority subject to the Freedom of Information Act 2000 (FOIA), is required to consider, as regulator, his own handling of a FOIA request, he enters into a legal fiction, whereby he separates himself into two, along these lines (taken from a decision notice):

This decision notice concerns a complaint made against the Information Commissioner (‘the Commissioner’). The Commissioner is both the regulator of FOIA and a public authority subject to FOIA. He’s therefore under a duty as regulator to make a formal determination of a complaint made against him as a public authority…In this notice the term ‘ICO’ is used to denote the ICO dealing with the request, and the term ‘Commissioner’ denotes the ICO dealing with the complaint.

It’s a legal fiction because the Information Commissioner is a corporation sole: every single function he has vests in him (and he has powers of delegation).

With this in mind, it is interesting to consider section 132(1) of the Data Protection Act 2018. This provides that

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which— (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions, (b) relates to an identified or identifiable individual or business, and (c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources. (Unless the disclosure is made with lawful authority.)

When partaking in the legal fiction described above, can it be said that the Commissioner, or the Commissioner’s staff, have obtained, or been provided with, information, when the Commissioner is the person who holds the information? I think not. And if I’m right, that should mean that the Commissioner cannot rely on the exemption at section 44 of FOIA, on the grounds that there is a statutory bar on disclosure. But that’s what he does in response to this recent FOIA request. It will be interesting if the applicant asks for a decision notice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Act 2018, Freedom of Information, Information Commissioner, Uncategorized

Tagged as , ,

June 1, 2024 · 10:43 am

EIR and sewage discharges: a shift in the ICO’s position

It’s interesting (and encouraging) to see that, in a notable shift of position, the Information Commissioner’s Office (ICO) is now ordering water companies to disclose data relating to allegedly unlawful discharges of dry spillage sewage.

Previously, the ICO had tended to agree with the companies’ arguments that disclosure would adversely affect investigations by Ofwat and the Environment Agency, and the information was, therefore, exempt from disclosure under regulation 12(5)(b) of the Environmental Information Regulations 2004 (EIR). Those arguments were rather forcefully undermined by a statement to the Public Accounts Committee by the CEO of Ofwat last November that

We do not think that the investigation itself is a good reason for companies not to provide data. They have some legal obligations to disclose information, and there is a process for working that through. That process does not involve Ofwat directly, but we would encourage companies to be open and transparent about their environmental performance.

Additionally, the ICO has taken note of the judgment of the Information Tribunal in the recent Lavelle case.

This Decision Notice neatly summarises the issues and the ICO’s new position.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Information Commissioner, Uncategorized

Tagged as ,

May 24, 2024 · 8:48 am

Dead as a dodo – the DPDI Bill is no more

I’ve written on the Mishcon de Reya website on the news that the Data Protection and Digital Information Bill will not now be enacted, following the calling of the general election on 4 July.

https://www.mishcon.com/news/the-end-of-the-data-protection-and-digital-information-bill

Leave a comment

Filed under Uncategorized

April 30, 2024 · 5:58 am

ICO applies public sector fine approach to charity

The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.

The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.

The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.

This led to a further follow-up query from me because as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”

I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?

[this post was originally published on my LinkedIn page.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fines, Information Commissioner, LinkedIn Post, monetary penalty notice, Uncategorized

Tagged as ,

April 12, 2024 · 1:37 pm

8000% in people affected by central government data breaches

Yes, you read that correctly. Here’s what we’ve just published on the Mishcon de Reya website:

https://www.mishcon.com/news/data-breach-crisis-in-central-government-time-for-ico-to-act

Leave a comment

Filed under Uncategorized

March 20, 2024 · 4:31 pm

Princess Kate and data protection

I’ve written a piece on the Mishcon de Reya website on the data protection implications of reports that staff at the London might have inappropriately accessed her patient notes.

https://www.mishcon.com/news/the-princess-of-wales-and-possible-data-protection-offences-and-infringements

Leave a comment

Filed under Uncategorized

January 17, 2024 · 7:26 am

NADPO January webinar – a focus on the DPDI Bill

As we hurtle into an election year there may be a rush to get parliamentary bills over the line. The signs are that there is a) a momentum behind the Data Protection and Digital Information Bill*, and b) little notable opposition opposition, so I’m expecting it to pass.

Accordingly, the NADPO executive have asked two experts to speak about the Bill at our next webinar, on Tuesday 23 January: Dr Chris Pounder and Ibrahim Hasan are preeminent in the field, and will be talking, respectively, about “New Data Sharing rules under the DPDI Bill” and “Proposed changes to UK GDPR”.

As always, attendance is free for NADPO members, and Data Protection Forum members can also attend for free under our mutual agreement with the Forum. If anyone else fancies testing the NADPO waters please drop me a line at chair at nadpo dot co dot uk and I’ll see if we can accommodate you.

[*the Bill is no longer titled “No.2”, despite what I’ve seen from many experts, including *cough* myself, albeit a few months ago now]

Leave a comment

Filed under Uncategorized