Based

For reasons I found myself browsing the privacy notices on the websites of some data protection consultancies this morning. In a large number of cases, where they address the situation of a potential client (which is highly likely to be a corporate entity) instructing them, they say/imply that they will process the personal data of people working for that potential client under the lawful basis of “contract”.

As well as this being, er, wrong, it concerns me for a couple of reasons.

First, why it’s wrong.

Article 5(1)(a) of the UK GDPR obliges a controller to process personal data lawfully. Article 6(1) provides a list of bases of which at least one must be met for processing to be lawful. The basis at Article 6(1)(b) is “processing is necessary for the performance of a contract…”.

I fear that many people stop there (in fact, I fear more that they don’t look at the actual law, and merely refer to some template or notes that were wrong in the first place). But there’s a reason I put an ellipsis: the full lawful basis is “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

A service contract with a corporate entity does not constitute the sort of contract which is dealt with by Article 6(1)(b).

The reason this really concerns me is that if these consultancies can’t get this fundamental point right in their own documentation, they are presumably advising clients along similar lines.

Such advice might well be negligent. Assuming the consultancies have professional indemnity insurance, it might be affected by matters like this. And there might be notification obligations arising if they become aware of the fact that they’ve given incorrect, and possibly negligent, advice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, privacy notice, UK GDPR

Unreasonably accessible – ICO and misapplication of s21?

I’ll start with a simple proposition: if a dataset is made publicly available online by a public authority, but some information on it is withheld – by a deliberate decision – from publication, then the total dataset is not reasonably accessible to someone making an FOI request for information from it.

I doubt that any FOI practitioners or lawyers would disagree.

Well, sit back and let me tell you a story.

In November 2023 the Information Commissioner’s Office (ICO) refused to disclose information in response to a Freedom of Information request, on the grounds that the exemption at section 21 of the Freedom of Information Act 2000 (FOIA) applied: the information was “reasonably accessible to the applicant” without his needing to make a FOIA request.

The request was, in essence, for “a list…of the names of all the UK parish councils that have received 20 or more ICO Decision Notices (for FOIA cases only) since 1st January 2014”. The refusal by the ICO was on the basis that

the search function on the decision notice section of the ICO website returned 415 decision notices falling within the scope of the complainant’s request…[therefore] it is possible to place the names of the parish councils into an Excel sheet and then establish quickly how many decision notices relate to each individual parish council.

The ICO noted that, when it comes to the application of section 21

It is reasonable for a public authority to assume that information is reasonably accessible to the applicant as a member of the general public until it becomes aware of any particular circumstances or evidence to the contrary [emphasis added]

On appeal to the Information Tribunal, the ICO maintained reliance on the exemption, saying that all the applicant needed to do was to go to the ICO website and “look at each entry and count-up [sic] the numbers of [Decision Notices] against each parish council”. The Tribunal agreed: the ICO had provided the requester

with a link to the correct page of the ICO website, and instructing him how to use the search function. These instructions have enabled him to identify from the tens of thousands of published decision notices those 415-420 notices which have been issued to parish councils over the past decade or so

All straightforward, if one’s analysis is predicated on an assumption that the ICO’s public Decision Notice database is a complete record of all decision notices.

But it isn’t.

I made an FOI request of my own to the ICO, for how many Decision Notices do not appear on the database. And the answer is 45. A number of possible reasons are given (such as that sensitive information was involved, or that there was agreement by the parties not to publish). But the point is stark: the Decision Notice database is not a complete record of all Decision Notices issued. And I do not see how it is possible for the ICO to rely on section 21 FOIA in circumstances like those in this case. It is plainly the case that the ICO knew (or was likely reckless in not knowing) that there were “particular circumstances or evidence” which showed that the information could not have been reasonably accessible to the applicant.

Of course, it is quite likely (perhaps inevitable) that the 45 unpublished Decision Notices would make no difference at all to a calculation of how many UK parish councils have received 20 or more Decision Notices since 1st January 2014. But that really isn’t the point. The ICO could have come clean – could have done the search itself and added in the 45 unpublished notices. It knew they existed, but for some reason thought it didn’t matter.

The ICO is the regulator of FOIA, as well as being a public authority itself under FOIA. It has to get these things right. Otherwise, why should any other public authority feel the need to comply?


Filed under access to information, datasets, Freedom of Information, Information Commissioner, Information Tribunal, section 21

FOI and government/ministerial WhatsApps

[reposted from LinkedIn]

An important Information Tribunal (T) judgment on a FOIA request, by Times journalist George Greenwood, to DHSC for gov-related correspondence between Matt Hancock (MH) and Gina Coladangelo (GC), grappling with issues regarding modern messaging methods in government and how they fit into the FOIA scheme.

Two requests were made. The first was for government-related correspondence between MH and GC using departmental email accounts, and any private email account MH had used for government business. The second was for all correspondence between them using other methods, such as WhatsApp.


Request 1

DHSC had found four emails and by the time of the hearing had disclosed them. It maintained that no further info was held.

However DHSC argued that emails sent by MH’s private secretaries and not by MH himself were out of scope. Not so, said the T: “even if a private office email account is operated by a private secretary…correspondence with a private office email account ought to be regarded as correspondence with the relevant minister”. Accordingly, they upheld that part of the appeal and ordered further searches.


Request 2

DHSC had initially said, and ICO had agreed(!), that government-related WhatsApp messages sent from MH’s personal device were not “held” for the purposes of FOIA because they were not held “as part of the official record”. By the time of the hearing, all of the parties were agreed that this was an error, and the T ruled that section 3(2)(b) FOIA applied, and that “WhatsApp messages from Mr Hancock’s personal device were held [by MH] on a computer system on [DHSC’s] behalf”.

DHSC then sought to argue that WhatsApp messages in a group were not “correspondence” between MH and GC, saying (in the T’s formulation of DHSC’s argument) “unless correspondence consists of one person corresponding directly with another, it is not ‘true’ correspondence”. The T was dismissive of this: “correspondence in the age of multiple methods of electronic communication can take different forms…the fact that simply because one or other of the relevant parties did not respond or may not have responded to a particular message does not mean that communications within a WhatsApp group cannot be considered to be correspondence”. The T also rejected the related submission that a person posting a message to a WhatsApp group is “broadcasting”, rather than “corresponding”.

(I have to say that I think the T probably overstepped here. I would tend to think that whether information in a WhatsApp group is correspondence or not should be determined on the facts, and not as a matter of general principle.)

Finally, the T did not warm to the evidence from an otherwise unidentified “Mr Harris” for the DHSC, to the effect that the request was vexatious on grounds of the burden. They therefore held that it was not. (As the messages were subsequently disclosed into the public domain during the Covid inquiry, not much turns on this.)


Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, journalism

Data protection v Defamation

[Sometimes I will upload posts I make on LinkedIn to this blog, because they’re easier to archive here: however they’re a bit more “conversational” than usual]

Can (or in what circumstances can) a data protection claim be brought on the basis that processing involves harm to reputation of a sort which, more orthodoxically*, would be brought in defamation?

His Honour Justice Parkes has refused an application by Dow Jones to strike out a data protection erasure claim (with an associated compensation claim) on the grounds that in reality it is a “statute-barred defamation complaint dressed up as a claim in data protection, and brought in data protection to avoid the rules which apply to defamation claims” (the application was also on Jameel grounds).

The judge says he “cannot see how [the claimants] can be summarily denied access to the court to make [their] case, employing a cause of action which is legitimately open to them… simply because in the past they have repeatedly threatened to claim in defamation, or because the claim is heavily based (as it is) on considerations of harm to reputation, or because, had they brought the claim in defamation, it would have faced very difficult obstacles”.

HHJ Parkes notably (ie this needs to go to trial) says that “the state of the law on the recoverability of damages for injury to reputation in non-defamation claims is uncertain and in flux” and that it is “unsuitable for determination on a summary application and probably requires the attention of an appellate court”.

It will be very interesting if this now makes it to trial. But never hold your breath on that folks.

[*yes, I did intend to coin the most awkward adverb possible]


Filed under Data Protection, defamation, erasure, journalism, judgments, Uncategorized

Can you stop election candidates sending you post?

During every recent general election campaign I can remember, there have been social media posts where people complain that they’ve received campaign material sent to them, by name, in the post. Electoral law (whether one likes it or not) permits a candidate to send, free of charge, one such item of post regardless of whether the recipient has objected to postal marketing, in general or specific terms. This right is contained in section 91 of The Representation of the People Act 1983. So, if you don’t like it, lobby your new MP in a few weeks’ time to get it changed.

Given that it’s always a topic of contention, I welcome the Information Commissioner’s Office’s publishing of guidance (including on the “one item of post” point) for the public on “The General Election and my personal data – what should I expect?”.

What the guidance does not address, however, is a conflict of laws point. Article 21(2-3) of the UK GDPR create an absolute right to object to direct marketing and a consequent absolute obligation on a person not to process personal data for direct marketing purposes upon receipt of an objection. So how does this interact with the right given to electoral candidates to send one such communication?

Tim Turner has written on this point, in his “DPO Daily”, and says “I don’t think the Representation of the People Act trumps the DP opt-out right”, but – on this rare occasion – I think I disagree with him. This is because section 3(1) of the Retained EU Law (Revocation and Reform) Act 2023 provides that retained direct EU legislation – such as the UK GDPR – must be read and given effect in a way which is compatible with all domestic enactments, and, insofar as it is incompatible with them, those domestic enactments prevail.

So, the short answer to the title of this blog is “no” (although they can only send you just one personally addressed item).


Filed under Data Protection, elections, Information Commissioner, marketing, political parties, UK GDPR

An EIR judgment as long as a novel

Those who think the data protection statutory regime is complex might want to consider how it compares to that under the Environmental Information Regulations 2004 (EIR).

So if you fancy spending the day reading a judgment that is (by my calculations) longer than George Orwell’s 1984, now’s your chance.

A number of personal search companies, who undertake different types of searches for use in real property sale and purchase transactions, are bringing a claim in restitution regarding the charges they’ve paid to defendant water companies for reports under the CON29DW Drainage and Water Enquiry process. Their argument is that information responsive to a CON29DW is “environmental information” (EI) within the meaning of the EIR and that the water companies in question were obliged to make EI available for free or for no more than a reasonable charge. Accordingly, they argue, the charges levied by the water companies were unlawful and/or paid under a mistake of law, and the water companies have been unjustly enriched to the extent of those charges.

The water companies, in turn, say that information responsive to a CON29DW was not EI, and/or that the information was not ‘held’ by them at the time the relevant request was made and/or that they were otherwise entitled under the EIR to refuse its disclosure.

Mr Justice Richard Smith’s magnum opus of a judgment bears close reading (closer than I’ve yet been able to give it), but it contains some notable findings, such as: not all of the information responsive to a CON29DW is EI; not all of the information was held for the purposes of the EIR and not by all of the defendants; information responsive to a CON29DW about internal flooding to a property is personal data (there’s an interesting discussion on the definition of personal data, touching on Durant, Edem, Ittihadieh and Aven v Orbis – but I think this part of the judgment is flawed – just because information about internal flooding could be personal data doesn’t mean it always is (which is what the judge appears to hold) – what about where a residential property is unoccupied and owned by a company?)

It seems to me that the effect of the judgment is to fracture the claim into small bits – some of the info is EI, some is held, by some defendants, some is exempt, etc. – and may well have the effect of damaging the chances of the claim progressing.

The judge ends by imploring the parties to try to resolve the issue other than through the court process. So let’s see if there’s an appeal.


Filed under access to information, Data Protection, Environmental Information Regulations, judgments

NADPO June webinar – subject access requests and political party data use

NADPO’s next lunchtime webinar is tomorrow 25 June at 12:30:

Jenna Corderoy – “Investigation into the state of Subject Access Requests” 

Duncan McCann – “Election deepfakes and political data use”

As always, members can attend for free.


Filed under Uncategorized

A violation of the presumption of innocence

This may not be a post directly related to information rights (although it does involve disclosure of information in response to a parliamentary question – which is a potential route to access to information which should never be underestimated). But I’m writing more because it’s on a topic of considerable public interest, and because the efforts and the campaigning of the applicants, and of Appeal, deserve support.

The Grand Chamber of the European Court of Human Rights (ECtHR) has held that the scheme in England and Wales for assessing whether people whose criminal convictions are subsequently overturned should receive compensation is compatible with the European Convention on Human Rights (the “Convention”).

Regardless of whether the ECtHR was correct or not, the underlying issue is, in my view, a national scandal and one that any incoming government should set right as a matter of priority.

Under Section 133(1ZA) of the Criminal Justice Act 1988 (as amended in 2018) the state must pay compensation where a new or newly discovered fact shows beyond reasonable doubt that there has been a miscarriage of justice. But a miscarriage of justice will only have occurred “if and only if the new or newly discovered fact shows beyond reasonable doubt that the person did not commit the offence”. This reverses what would be the normal burden of proof in criminal justice matters, and in effect requires the wrongfully convicted person to prove their innocence to gain compensation, despite the fact that their conviction has been overturned.

Figures given in response to a parliamentary question last year revealed that an extraordinary 93% of cases did not warrant compensation under the scheme. 

At the ECtHR, the applicants contended that the domestic scheme infringed Article 6(2) of the Convention, which provides that “Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law”. Although the ECtHR noted “the potentially devastating impact of a wrongful conviction” it also held that the UK was

free to decide how “miscarriage of justice” should be defined for these purposes, and to thereby draw a legitimate policy line as to who out of the wider class of people who had had their convictions quashed on appeal should be eligible for compensation…, so long as the policy line was not drawn in such a way that the refusal of compensation in and of itself imputed criminal guilt to an unsuccessful applicant

It was not, said the ECtHR, its role “to determine how States should translate into material terms the moral obligation they may owe to persons who have been wrongfully convicted”.

Although there was a strong dissenting opinion which would have held that the compensation scheme resulted in a violation of the presumption of innocence, it must now fall to the next Parliament to take forward the “moral obligation” and put right where a previous Parliament went wrong. This does not, and should not, need to wait for the outcome of the Malkinson Inquiry. That inquiry may well have things to find out, and things to say, in general, about miscarriages of justice but it is not in its remit to consider the compensation point: that can, and should, be resolved sooner.


Filed under access to information, Article 6, Europe, human rights, Ministry of Justice, parliament, Uncategorized

Drones and freedom of expression

Article 10 of the European Convention on Human Rights provides that everyone has the (qualified) right to freedom of expression, which includes the freedom to receive and impart information. And section 12(4) of the Human Rights Act 1998 requires a court: i) to have regard to the importance of freedom of expression, when considering whether to grant any relief which, if granted, might affect the exercise of the right to freedom of expression, and ii) where the proceedings relate to material which appears to the court, to be journalistic, literary or artistic material (or to conduct connected with such material), to have regard to the extent to which the material has, or is about to, become available to the public, or the extent to which it is, or would be, in the public interest for the material to be published.

In a recent case in the High Court – sitting in Manchester – an application for an interim injunction was granted against one named and a number of unknown respondents preventing them from entering the site of the former St Joseph’s seminary in Up Holland, but also preventing the flying of drones over the site. There is already a large amount of footage taken previously by such drones on the various online video-sharing sites, and some of them are fascinating and informative. The future of the site is evidently a matter of significant local interest.

The concerns of the applicants for the injunction are compelling: there have been numerous incidents of trespass on the site, and it is in a very dangerous condition.

The only published judgment I have been able to find is on the website of the chambers of the barrister representing the applicant. It appears to be a transcript of an ex tempore judgment. The judge notes that section 76 of the Civil Aviation Act 1982 provides that

No action shall lie in respect of trespass or in respect of nuisance, by reason only of the flight of an aircraft over any property at a height above the ground which, having regard to wind, weather and all the circumstances of the case is reasonable

A piece on the website of the solicitors acting for the applicants indicates that the judge proceeded on the assumption that section 76 applied to drones and that the drone operator had complied with the requirements of the Air Navigation Order 2016. He then said that either i) section 76 did not apply, because the flight involved the taking of footage for its presumed purpose of encouraging trespass (and presumably therefore it was not “by reason of the flight only” for section 76 purposes), or, ii) if section 76 did apply, then the height of the drones could not be reasonable, because of the taking of the footage.

However, nowhere in the judgment is there any indication that the judge has had regard to the court’s duties under section 12 of the Human Rights Act. It strikes me that there are clear freedom of expression issues raised. A large number of people are interested in general in abandoned buildings, and there is an enormous amount of online attention to this subject, and, more locally, there is clearly notable interest in the fate of a grade 2 listed building: the drone footage must, surely, play a part in meeting this public interest.

So it strikes me that it was incumbent on the court to conduct the balancing exercise inherent in Article 10, which provides that the exercise of freedom of expression may be

subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial disorder or crime [and] for the protection of health…

The respondents in this case did not attend the hearing but the judge was satisfied that notice had been given to them (although the judgment does not explain how notice was given to the persons unknown). Perhaps, though, if they had attended, and been represented, their counsel might have drawn the court’s attention to its section 12 duty.

In a letter to The Times in 1987 (quoted here), Lord Scarman deprecated a decision of the House of Lords, and commented that

their Lordships have, with great respect, overlooked the more fundamental law providing the right of the public to access to information … and the public right of free speech…Old ingrained habits die hard. We are not yet able to abandon the traditional emphasis of our law on private rights …

Might he have found himself writing a similar letter today?


Filed under access to information, Article 10, drones, human rights, journalism

Subject access: recipients, and motive

A very significant subject access judgment has been handed down in the High Court. Key rulings have been made to the effect that 1) requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient), and 2) the subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides”.

The underlying details of the case are interesting and alarming in themselves. A director of a gardening company (Mr Cameron) had covertly recorded threatening calls made by a wealthy homeowner working in the property investment industry (Mr Harrison) with whom the company was coming into dispute, and subsequently circulated the recordings to a limited number of unnamed family members and others.

The recordings found their way to a wider circle of people, including some of Mr Harrison’s peers and competitors in the property investment sector. Mr Harrison contended that the circulation of the recordings had caused his own company to lose out on a significant property acquisition. Accordingly, he made subject access requests, under Article 15 of the UK GDPR, both to Mr Cameron and to Mr Cameron’s company (“ACL”). Those requests were rejected on the grounds that i) Mr Cameron, when circulating the recordings, was processing Mr Harrison’s personal data in a “purely personal and household” context, and so the processing was out of scope of the UK GDPR, ii) Mr Cameron was not personally a controller under the UK GDPR, iii) ACL could rely on the exemption to disclosure where it would involve disclosing information relating to another individual who did not consent to disclosure, and where – in the absence of such consent – it was not reasonable in the circumstances to disclose (see Article 15(4) UK GDPR and paragraph 16 of Schedule 2 to the Data Protection Act 2018).

In a lengthy judgment (dealing mostly with the facts and evidence) Mrs Justice Steyn held that Mr Cameron’s processing was not for purely personal and household reasons: he was clearly acting as a director of ACL in making the recordings and circulating them. However, she agreed that he was not a controller – he was acting in his capacity as a director, and – following Ittihadieh and In re Southern Pacific Loans – a director processing data in the course of their duties for their company is not a controller; the company is.

A crucial part of the judgment, in terms of wider relevance, is on the interpretation of Article 15(1)(c) of the UK GDPR. This provides that a data subject should be given information on “the recipients or categories of recipient” to whom personal data have been or will be disclosed. Many practitioners, and lawyers, have taken this to be an option available to the controller (i.e. the controller can decide whether to provide information on the specific recipient or just on categories thereof). Not so, said Steyn J, agreeing with the CJEU in the Austrian Post case (which, as a post-Brexit case, wasn’t binding on her, but to which she could have regard, so far as it was relevant to the issues (see section 6(2) of the EU (Withdrawal) Act 2018)): the choice lies with the data subject, and, if the data subject chooses to receive information on individual recipients, he or she is entitled, in principle, to that information (unless it would be impossible or manifestly excessive to do so).

Notwithstanding this, Mr Harrison was not entitled in this case to have the identities. Mr Harrison had previously sent subject access requests individually to at least 23 employees of ACL and ACL, and he had an intention to pursue further legal options other than under the UK GDPR, if he was to identify potential claimants. ACL believed that disclosing identities of recipients of the recordings would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. The judge agreed that it was “not unreasonable for the Defendants to give significant weight to [Mr Harrison’s] sustained and menacing behaviour in considering whether to protect or disclose the identities of friends, colleagues and family members”. The fact that “hostile litigation”, against the third parties to whom the recordings were disclosed, was being contemplated was a relevant factor to take into account when balancing their interests with Mr Harrison’s access rights, under paragraph 16 of Schedule 2. The judge held that

[Although there] is no general principle that the interests of the request should be treated as devalued by reason of a motive to obtain information to assist the requester in litigation…as Farbey J observed in X v Transcription Agency…the SAR regime “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides”…[and so] it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018

So, the perennial question of the extent to which a requester’s motive is relevant when responding to a subject access request rears its head again. Steyn J’s analysis is compelling, and so it certainly appears that – at the very least when it comes to the balancing test implied by paragraph 16 of Schedule 2 – the motive is capable of being taken into account.


Filed under Data Protection, Data Protection Act 2018, judgments, subject access, UK GDPR