The demise of portmanteau data breach claims

Many defendants in data protection proceedings will have experienced claims which also plead a misuse of private information (MPI). Often, on the face of things, the latter appears to add nothing to the data protection claim, but there can be procedural and costs/other financial implications. Importantly, where claimants have secured after-the-event (ATE) insurance, premiums can be recovered from losing defendants (as there is an exception for certain claims, including MPI ones, to the general rule introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012, by which ATE premiums became generally irrecoverable between parties). This can be perceived as a factor which might impel defendants to settle otherwise weak claims.

The practice of bundling data protection and MPI claims (sometimes with a bonus breach of confidence claim) in “data breach” proceedings was struck a blow in 2021, when Mr Justice Saini, in Warren v DSG, held that, as both MPI and breach of confidence require there to have been a “use”, a “positive action”, they do not impose a data security obligation on a defendant, or create liability where the defendant was, instead, alleged to have failed to do something.

This inevitably led to a drop in claims pleading MPI (and breach of confidence) in data security cases, but not a complete stop: after all, I imagine some claimant lawyers thought, a claim can still be pleaded as an MPI claim, even if it might not look like one (following Warren v DSG).

However, in a costs judgment from September last year, but only recently published, Deputy Costs Judge Roy held that a “spurious” (as opposed to a “genuine”) MPI claim (in Saini J’s characterisation “an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”) can’t avail itself of the ATE premium irrecoverability exception. (The claim was against Equiniti, but seems to be separate to the recent attempted group litigation against the same defendant.)

I suspect the story is not entirely over. Claimants will quite possibly say “yes, spurious MPI claims can’t be shoehorned into data protection claims, but this one – Judge – is not spurious on the facts”. Nonetheless, the days of portmanteau data breach claims seem to be disappearing into the past.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, data security, judgments, litigation

How far can a legal fiction go?

When the Information Commissioner, as a public authority subject to the Freedom of Information Act 2000 (FOIA), is required to consider, as regulator, his own handling of a FOIA request, he enters into a legal fiction, whereby he separates himself into two, along these lines (taken from a decision notice):

This decision notice concerns a complaint made against the Information Commissioner (‘the Commissioner’). The Commissioner is both the regulator of FOIA and a public authority subject to FOIA. He’s therefore under a duty as regulator to make a formal determination of a complaint made against him as a public authority…In this notice the term ‘ICO’ is used to denote the ICO dealing with the request, and the term ‘Commissioner’ denotes the ICO dealing with the complaint.

It’s a legal fiction because the Information Commissioner is a corporation sole: every single function he has vests in him (and he has powers of delegation).

With this in mind, it is interesting to consider section 132(1) of the Data Protection Act 2018. This provides that

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which— (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions, (b) relates to an identified or identifiable individual or business, and (c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources. (Unless the disclosure is made with lawful authority.)

When partaking in the legal fiction described above, can it be said that the Commissioner, or the Commissioner’s staff, have obtained, or been provided with, information, when the Commissioner is the person who holds the information? I think not. And if I’m right, that should mean that the Commissioner cannot rely on the exemption at section 44 of FOIA, on the grounds that there is a statutory bar on disclosure. But that’s what he does in response to this recent FOIA request. It will be interesting if the applicant asks for a decision notice.

Filed under Data Protection Act 2018, Freedom of Information, Information Commissioner, Uncategorized

EIR and sewage discharges: a shift in the ICO’s position

It’s interesting (and encouraging) to see that, in a notable shift of position, the Information Commissioner’s Office (ICO) is now ordering water companies to disclose data relating to allegedly unlawful discharges of dry spillage sewage.

Previously, the ICO had tended to agree with the companies’ arguments that disclosure would adversely affect investigations by Ofwat and the Environment Agency, and the information was, therefore, exempt from disclosure under regulation 12(5)(b) of the Environmental Information Regulations 2004 (EIR). Those arguments were rather forcefully undermined by a statement to the Public Accounts Committee by the CEO of Ofwat last November that

We do not think that the investigation itself is a good reason for companies not to provide data. They have some legal obligations to disclose information, and there is a process for working that through. That process does not involve Ofwat directly, but we would encourage companies to be open and transparent about their environmental performance.

Additionally, the ICO has taken note of the judgment of the Information Tribunal in the recent Lavelle case.

This Decision Notice neatly summarises the issues and the ICO’s new position.

Filed under access to information, Environmental Information Regulations, Information Commissioner, Uncategorized

Disastrous data protection advice in child protection proceedings

I am only going to link at the foot of this post to the recent judgment in the Family Court, as it is long, contains distressing and graphic references to alleged sexual offences and to how a school and a local authority dealt with the allegations, and only deals in passing with the issue I raise in this post. Please be aware of that.

However, the issue is of real importance.

The reason for referring to it is the extraordinary, and extraordinarily worrying, references in the judgment to a discussion a deputy head teacher had with the nine-year-old child in question. The judgment records the teacher’s evidence that, although

she took notes of the discussion she destroyed any notes that she had made. This appeared to be in accordance with a school-wide misunderstanding of data protection guidance. She fairly admitted that after a year she could only guess at those notes now

The judge stresses that she

“[does] not criticise GG – she was a caring and conscientious teacher who was doing her best and believed she was following advice and good practice. She lacked specialist training and some of the advice was unhelpful. I have carefully considered the problems with her record of this discussion, and I am mindful that these challenges add to the difficulty of appraising the reliability of what she recorded.”

[nb, this was said not solely in the context of the destruction of the notes]

The London Borough involved recognised, during the course of the proceedings, “the importance of addressing a wide range of gaps and concerns that emerged during the course of this hearing”, and the judge invited the parties to draw up an agreed list of issues for the Council to consider and provide a response to as a positive problem-solving exercise. Among these agreed issues was this

“Contemporaneous notes need to be taken when a child makes any allegation of physical, sexual or emotional abuse against a third party…. It needs to be made clear within the policy that contemporaneous notes ought to be kept and stored securely (electronically if possible). This includes any handwritten notes even if, only key words are noted down and later entered onto any electronic system. THIS DOES NOT INFRINGE GDPR.”

Those final words resound, even if they shouldn’t need saying.

Prior to GDPR, there were certainly a multitude of misunderstandings about data protection, but the idea that personal data should not be recorded, or should be quickly destroyed, is one of the most pernicious of misunderstandings that seems to have emerged since GDPR – in part from terrible advice and training given by people who shouldn’t have ever been engaged to train the public sector. I implore those involved in training and advising in these complex areas of social care and education to consider the import and impact of the advice they give.

Finally, the importance and meaning of the first word of the third data protection principle is often overlooked. Yes, it’s the “data minimisation” principle, but personal data must still be adequate.

This is the judgment.

Filed under Data Protection, GDPR, local government, retention, UK GDPR

Dead as a dodo – the DPDI Bill is no more

I’ve written on the Mishcon de Reya website on the news that the Data Protection and Digital Information Bill will not now be enacted, following the calling of the general election on 4 July.

https://www.mishcon.com/news/the-end-of-the-data-protection-and-digital-information-bill

Filed under Uncategorized

ICO applies public sector fine approach to charity

The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.

The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.

The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.

This led to a further follow-up query from me because, as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”

I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?

[this post was originally published on my LinkedIn page.]

Filed under Data Protection, fines, Information Commissioner, LinkedIn Post, monetary penalty notice, Uncategorized

Douglas Adams and the EIR

[I tend to do a lot of my posting these days on LinkedIn, and less here. But the combination of LinkedIn’s poor search capability and my memory means I forget about some things I’ve written about that I’d quite like to remember. So I’m going to put some of them on this blog to remind me. This one is on a doozy of a Tribunal judgment.]

This Information Tribunal judgment about whether photographs of planning notices should be disclosed begins with a long quote from The Hitchhiker’s Guide to the Galaxy, and gets even more extraordinary as it goes on.

By the end of the judgment the judge has called the Information Commissioner’s Office’s decision a “pitiful failure to understand the scope and significance of material in the public domain and the role of data protection in protecting rights”, has used the term “bankruptcy” to describe the approach to the matter by both the ICO and Shropshire Council, and appears to have declared unlawful the Council’s handling of not just the individual planning application, but its planning policy as a whole (the judgment says, for instance, that the council’s implementation of The Town and Country Planning (Development Management Procedure) (England) Order 2015 “failed to accord local residents their rights”).

This last point surely illustrates the Tribunal straying well beyond its jurisdiction, and it is difficult to see how it will escape having its judgment appealed. That’s actually a pity, because the underlying point in it is that the ICO’s approach failed to understand that data protection law has to be considered “in relation to its function in society and be balanced against other fundamental rights” (recital 4 GDPR) and failed to consider the Environmental Information Regulations’ context, whereby access to environmental information is one of the three pillars of the Aarhus Convention – the others being public participation in decision-making, and access to justice in environmental matters.

And even if the judgment gets appealed, I would hope the ICO acknowledges the key point that data protection rights don’t automatically trump all other rights.

https://www.bailii.org/uk/cases/UKFTT/GRC/2024/330.html

Filed under Data Protection, Environmental Information Regulations, LinkedIn Post

8000% in people affected by central government data breaches

Yes, you read that correctly. Here’s what we’ve just published on the Mishcon de Reya website:

https://www.mishcon.com/news/data-breach-crisis-in-central-government-time-for-ico-to-act

Filed under Uncategorized

Princess Kate and data protection

I’ve written a piece on the Mishcon de Reya website on the data protection implications of reports that staff at the London might have inappropriately accessed her patient notes.

https://www.mishcon.com/news/the-princess-of-wales-and-possible-data-protection-offences-and-infringements

Filed under Uncategorized

A sad procedural judgment

In 1973, Pat Campbell, a Catholic factory worker from Banbridge, Northern Ireland, was shot and killed in front of his wife and children, at their family home.

No one was ever convicted of Pat Campbell’s murder, but for many years it has been believed that the killer was senior Ulster Volunteer Force member Robin “The Jackal” Jackson. Jackson – suspected of being responsible for, but never convicted of, at least 50 killings during the Troubles – was also suspected of having links with British military intelligence agencies.

In 2022 Pat Campbell’s widow reached a settlement with the Police Service of Northern Ireland, or PSNI (successor to the Royal Ulster Constabulary, or RUC) of a civil claim for damages, in which she alleged negligence and misfeasance in public office. The BBC reported at the time that “a former RUC officer and two ex-military intelligence officers were set to give evidence about Jackson’s alleged role”.

In the same year as Pat Campbell was murdered, a British intelligence officer wrote a report which is understood to have proposed increasing the intelligence-gathering capabilities of the RUC’s special branch.

In 2021 journalist Phil Miller took a case under the Freedom of Information Act 2000 (FOIA) to the Information Tribunal, seeking disclosure by the PSNI of the Morton Report. However, the Tribunal upheld the Information Commissioner’s decision that PSNI were entitled to withhold the report because of the FOIA absolute exemption in relation to information supplied to a public authority by the Security Service.

Mrs Campbell, herself, however, still sought to get hold of the Morton Report. I know this because of a sad procedural judgment from the Information Tribunal.

She is identified as the appellant in case EA/2023/0276, an appeal from ICO decision notice IC-173342-D4D8. But as the judgment explains, she has since died, and the Tribunal has accordingly struck out the proceedings, under rule 8(2) of the procedure Rules, for want of jurisdiction. This is because, although The Law Reform (Miscellaneous Provisions) Act 1934 permits a “cause of action” to proceed after a claimant has died, for the benefit of the deceased’s estate, the Tribunal held, applying the same approach the Upper Tribunal took in a previous case in relation to data protection rights, that a FOIA appeal is not a “cause of action” (Letang v Cooper [1965] 1 QB 232 applied). Instead, “‘[the] procedure is no more than a statutory appeal route, a procedural mechanism, for challenging’, in this case, the issue of the decision notice by the Information Commissioner”.

It seems doubtful, in any case, that Mrs Campbell would have succeeded: the exemption at section 23 is effectively insuperable.

But, of course, the PSNI has discretion to disclose information. As the ICO’s decision notice notes, the PSNI previously decided to disclose a redacted version of the 1980 Walker Report on RUC Special Branch informant handling, after the Committee on Administration of Justice took another FOIA case to the Information Tribunal.

There is no reason to suggest the same would happen if another case involving a request for the Morton Report reached the Tribunal again, but someone might consider it worth trying.

Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, police