NADPO June webinar – subject access requests and political party data use

NADPO’s next lunchtime webinar is tomorrow 25 June at 12:30:

Jenna Corderoy – “Investigation into the state of Subject Access Requests” 

Duncan McCann – “Election deepfakes and political data use”

As always, members can attend for free.


A violation of the presumption of innocence

This may not be a post directly related to information rights (although it does involve disclosure of information in response to a parliamentary question – which is a potential route to access to information which should never be underestimated). But I’m writing more because it’s on a topic of considerable public interest, and because the efforts and the campaigning of the applicants, and of Appeal, deserve support.

The Grand Chamber of the European Court of Human Rights (ECtHR) has held that the scheme in England and Wales for assessing whether people whose criminal convictions are subsequently overturned should be compensated is compatible with the European Convention on Human Rights (the “Convention”).

Regardless of whether the ECtHR was correct or not, the underlying issue is, in my view, a national scandal and one that any incoming government should set right as a matter of priority.

Under Section 133(1ZA) of the Criminal Justice Act 1988 (as amended in 2018) the state must pay compensation where a new or newly discovered fact shows beyond reasonable doubt that there has been a miscarriage of justice. But a miscarriage of justice will only have occurred “if and only if the new or newly discovered fact shows beyond reasonable doubt that the person did not commit the offence”. This reverses what would be the normal burden of proof in criminal justice matters, and in effect requires the wrongfully convicted person to prove their innocence to gain compensation, despite the fact that their conviction has been overturned.

Figures given in response to a parliamentary question last year revealed that an extraordinary 93% of cases did not warrant compensation under the scheme. 

At the ECtHR, the applicants contended that the domestic scheme infringed Article 6(2) of the Convention, which provides that “Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law”. Although the ECtHR noted “the potentially devastating impact of a wrongful conviction” it also held that the UK was

free to decide how “miscarriage of justice” should be defined for these purposes, and to thereby draw a legitimate policy line as to who out of the wider class of people who had had their convictions quashed on appeal should be eligible for compensation…, so long as the policy line was not drawn in such a way that the refusal of compensation in and of itself imputed criminal guilt to an unsuccessful applicant

It was not, said the ECtHR, its role “to determine how States should translate into material terms the moral obligation they may owe to persons who have been wrongfully convicted”.

Although there was a strong dissenting opinion which would have held that the compensation scheme resulted in a violation of the presumption of innocence, it must now fall to the next Parliament to take forward the “moral obligation” and put right where a previous Parliament went wrong. This does not, and should not, need to wait for the outcome of the Malkinson Inquiry. That inquiry may well have things to find out, and things to say, in general, about miscarriages of justice but it is not in its remit to consider the compensation point: that can, and should, be resolved sooner.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Drones and freedom of expression

Article 10 of the European Convention on Human Rights provides that everyone has the (qualified) right to freedom of expression, which includes the freedom to receive and impart information. And section 12(4) of the Human Rights Act 1998 requires a court: i) to have regard to the importance of freedom of expression, when considering whether to grant any relief which, if granted, might affect the exercise of the right to freedom of expression, and ii) where the proceedings relate to material which appears to the court to be journalistic, literary or artistic material (or to conduct connected with such material), to have regard to the extent to which the material has, or is about to, become available to the public, or the extent to which it is, or would be, in the public interest for the material to be published.

In a recent case in the High Court – sitting in Manchester – an application for an interim injunction was granted against one named and a number of unknown respondents preventing them from entering the site of the former St Joseph’s seminary in Up Holland, but also preventing the flying of drones over the site. There is already a large amount of footage taken previously by such drones on the various online video-sharing sites, and some of them are fascinating and informative. The future of the site is evidently a matter of significant local interest.

The concerns of the applicants for the injunction are compelling: there have been numerous incidents of trespass on the site, and it is in a very dangerous condition.

The only published judgment I have been able to find is on the website of the chambers of the barrister representing the applicant. It appears to be a transcript of an ex tempore judgment. The judge notes that section 76 of the Civil Aviation Act 1982 provides that

No action shall lie in respect of trespass or in respect of nuisance, by reason only of the flight of an aircraft over any property at a height above the ground which, having regard to wind, weather and all the circumstances of the case is reasonable

A piece on the website of the solicitors acting for the applicants indicates that the judge proceeded on the assumption that section 76 applied to drones and that the drone operator had complied with the requirements of the Air Navigation Order 2016. He then said that either i) section 76 did not apply, because the flight involved the taking of footage for its presumed purpose of encouraging trespass (and presumably therefore it was not “by reason of the flight only” for section 76 purposes), or, ii) if section 76 did apply, then the height of the drones could not be reasonable, because of the taking of the footage.

However, nowhere in the judgment is there any indication that the judge has had regard to the court’s duties under section 12 of the Human Rights Act. It strikes me that there are clear freedom of expression issues raised. A large number of people are interested in general in abandoned buildings, and there is an enormous amount of online attention to this subject, and, more locally, there is clearly notable interest in the fate of a grade 2 listed building: the drone footage must, surely, play a part in meeting this public interest.

So it strikes me that it was incumbent on the court to conduct the balancing exercise inherent in Article 10, which provides that the exercise of freedom of expression may be

subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, [and] for the protection of health…

The respondents in this case did not attend the hearing but the judge was satisfied that notice had been given to them (although the judgment does not explain how notice was given to the persons unknown). Perhaps, though, if they had attended, and been represented, their counsel might have drawn the court’s attention to its section 12 duty.

In a letter to The Times in 1987 (quoted here), Lord Scarman deprecated a decision of the House of Lords, and commented that

their Lordships have, with great respect, overlooked the more fundamental law providing the right of the public to access to information … and the public right of free speech…Old ingrained habits die hard. We are not yet able to abandon the traditional emphasis of our law on private rights …

Might he have found himself writing a similar letter today?


Subject access: recipients, and motive

A very significant subject access judgment has been handed down in the High Court. Key rulings have been made to the effect that 1) requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient), and 2) the subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides”.

The underlying details of the case are interesting and alarming in themselves. A director of a gardening company (Mr Cameron) had covertly recorded threatening calls made by a wealthy homeowner working in the property investment industry (Mr Harrison) with whom the company was coming into dispute, and subsequently circulated the recordings to a limited number of unnamed family members and others.

The recordings found their way to a wider circle of people, including some of Mr Harrison’s peers and competitors in the property investment sector. Mr Harrison contended that the circulation of the recordings had caused his own company to lose out on a significant property acquisition. Accordingly, he made subject access requests, under Article 15 of the UK GDPR, both to Mr Cameron and to Mr Cameron’s company (“ACL”). Those requests were rejected on the grounds that i) Mr Cameron, when circulating the recordings, was processing Mr Harrison’s personal data in a “purely personal and household” context, and so the processing was out of scope of the UK GDPR, ii) Mr Cameron was not personally a controller under the UK GDPR, iii) ACL could rely on the exemption to disclosure where it would involve disclosing information relating to another individual who did not consent to disclosure, and where – in the absence of such consent – it was not reasonable in the circumstances to disclose (see Article 15(4) UK GDPR and paragraph 16 of Schedule 2 to the Data Protection Act 2018).

In a lengthy judgment (dealing mostly with the facts and evidence) Mrs Justice Steyn held that Mr Cameron’s processing was not for purely personal and household reasons: he was clearly acting as a director of ACL in making the recordings and circulating them. However, she agreed that he was not a controller – he was acting in his capacity as a director, and – following Ittihadieh and In re Southern Pacific Loans – a director processing data in the course of their duties for their company is not a controller; the company is.

A crucial part of the judgment, in terms of wider relevance, is on the interpretation of Article 15(1)(c) of the UK GDPR. This provides that a data subject should be given information on “the recipients or categories of recipient” to whom personal data have been or will be disclosed. Many practitioners, and lawyers, have taken this to be an option available to the controller (i.e. the controller can decide whether to provide information on the specific recipient or just on categories thereof). Not so, said Steyn J, agreeing with the CJEU in the Austrian Post case (which, as a post-Brexit case, wasn’t binding on her, but to which she could have regard, so far as it was relevant to the issues (see section 6(2) of the EU (Withdrawal) Act 2018)): the choice lies with the data subject, and, if the data subject chooses to receive information on individual recipients, he or she is entitled, in principle, to that information (unless it would be impossible or manifestly excessive to do so).

Notwithstanding this, Mr Harrison was not entitled in this case to have the identities. Mr Harrison had previously sent subject access requests individually to at least 23 employees of ACL and ACL, and he had an intention to pursue further legal options other than under the UK GDPR, if he was to identify potential claimants. ACL believed that disclosing identities of recipients of the recordings would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. The judge agreed that it was “not unreasonable for the Defendants to give significant weight to [Mr Harrison’s] sustained and menacing behaviour in considering whether to protect or disclose the identities of friends, colleagues and family members”. The fact that “hostile litigation”, against the third parties to whom the recordings were disclosed, was being contemplated was a relevant factor to take into account when balancing their interests with Mr Harrison’s access rights, under paragraph 16 of Schedule 2. The judge held that

[Although there] is no general principle that the interests of the request should be treated as devalued by reason of a motive to obtain information to assist the requester in litigation…as Farbey J observed in X v Transcription Agency…the SAR regime “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides“…[and so] it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018

So, the perennial question of the extent to which a requester’s motive is relevant when responding to a subject access request rears its head again. Steyn J’s analysis is compelling, and so it certainly appears that – at the very least when it comes to the balancing test implied by paragraph 16 of Schedule 2 – the motive is capable of being taken into account.


The demise of portmanteau data breach claims

Many defendants in data protection proceedings will have experienced claims which also plead a misuse of private information (MPI). Often, on the face of things, the latter appears to add nothing to the data protection claim, but there can be procedural and costs/other financial implications. Importantly, where claimants have secured after-the-event (ATE) insurance, premiums can be recovered from losing defendants (as there is an exception for certain claims, including MPI ones, to the general rule introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012, by which ATE premiums became generally irrecoverable between parties). This can be perceived as a factor which might impel defendants to settle otherwise weak claims.

The practice of bundling data protection and MPI claims (sometimes with a bonus breach of confidence claim) in “data breach” proceedings was struck a blow in 2021, when Mr Justice Saini, in Warren v DSG, held that, as both MPI and breach of confidence require there to have been a “use”, a “positive action”, they do not impose a data security obligation on a defendant, or create liability where the defendant was, instead, alleged to have failed to do something.

This inevitably led to a drop in claims pleading MPI (and breach of confidence) in data security cases, but not a complete stop: after all – I imagine some claimant lawyers thought – a claim can still be pleaded as an MPI claim, even if it might not look like one (following Warren v DSG).

However, in a costs judgment from September last year, but only recently published, Deputy Costs Judge Roy held that a “spurious” (as opposed to a “genuine”) MPI claim (in Saini J’s characterisation “an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”) can’t avail itself of the ATE premium irrecoverability exception. (The claim was against Equiniti, but seems to be separate to the recent attempted group litigation against the same defendant.)

I suspect the story is not entirely over. Claimants will quite possibly say “yes, spurious MPI claims can’t be shoehorned into data protection claims, but this one – Judge – is not spurious on the facts”. Nonetheless, the days of portmanteau data breach claims seem to be disappearing into the past.


How far can a legal fiction go?

When the Information Commissioner, as a public authority subject to the Freedom of Information Act 2000 (FOIA), is required to consider, as regulator, his own handling of a FOIA request, he enters into a legal fiction, whereby he separates himself into two, along these lines (taken from a decision notice):

This decision notice concerns a complaint made against the Information Commissioner (‘the Commissioner’). The Commissioner is both the regulator of FOIA and a public authority subject to FOIA. He’s therefore under a duty as regulator to make a formal determination of a complaint made against him as a public authority…In this notice the term ‘ICO’ is used to denote the ICO dealing with the request, and the term ‘Commissioner’ denotes the ICO dealing with the complaint.

It’s a legal fiction because the Information Commissioner is a corporation sole: every single function he has vests in him (and he has powers of delegation).

With this in mind, it is interesting to consider section 132(1) of the Data Protection Act 2018. This provides that

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which— (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions, (b) relates to an identified or identifiable individual or business, and (c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources. (Unless the disclosure is made with lawful authority.)

When partaking in the legal fiction described above, can it be said that the Commissioner, or the Commissioner’s staff, have obtained, or been provided with, information, when the Commissioner is the person who holds the information? I think not. And if I’m right, that should mean that the Commissioner cannot rely on the exemption at section 44 of FOIA, on the grounds that there is a statutory bar on disclosure. But that’s what he does in response to this recent FOIA request. It will be interesting if the applicant asks for a decision notice.


EIR and sewage discharges: a shift in the ICO’s position

It’s interesting (and encouraging) to see that, in a notable shift of position, the Information Commissioner’s Office (ICO) is now ordering water companies to disclose data relating to allegedly unlawful discharges of dry spillage sewage.

Previously, the ICO had tended to agree with the companies’ arguments that disclosure would adversely affect investigations by Ofwat and the Environment Agency, and the information was, therefore, exempt from disclosure under regulation 12(5)(b) of the Environmental Information Regulations 2004 (EIR). Those arguments were rather forcefully undermined by a statement to the Public Accounts Committee by the CEO of Ofwat last November that

We do not think that the investigation itself is a good reason for companies not to provide data. They have some legal obligations to disclose information, and there is a process for working that through. That process does not involve Ofwat directly, but we would encourage companies to be open and transparent about their environmental performance.

Additionally, the ICO has taken note of the judgment of the Information Tribunal in the recent Lavelle case.

This Decision Notice neatly summarises the issues and the ICO’s new position.


Disastrous data protection advice in child protection proceedings

I am only going to link at the foot of this post to the recent judgment in the Family Court, as it is long, contains distressing and graphic references to alleged sexual offences and how a school and a local authority dealt with the allegations and only deals in passing with the issue I raise in this post. Please be aware of that.

However, the issue is of real importance.

The reason for referring to it is the extraordinary, and extraordinarily worrying, references in the judgment to a discussion a deputy head teacher had with the nine year old child in question. The judgment records the teacher’s evidence that, although

she took notes of the discussion she destroyed any notes that she had made. This appeared to be in accordance with a school-wide misunderstanding of data protection guidance. She fairly admitted that after a year she could only guess at those notes now

The judge stresses that she

“[does] not criticise GG – she was a caring and conscientious teacher who was doing her best and believed she was following advice and good practice. She lacked specialist training and some of the advice was unhelpful. I have carefully considered the problems with her record of this discussion, and I am mindful that these challenges add to the difficulty of appraising the reliability of what she recorded.”

[nb, this was said not solely in the context of the destruction of the notes]

The London Borough involved recognised, during the course of the proceedings, “the importance of addressing a wide range of gaps and concerns that emerged during the course of this hearing”, and the judge invited the parties to draw up an agreed list of issues for the Council to consider and provide a response to as a positive problem-solving exercise. Among these agreed issues was this

“Contemporaneous notes need to be taken when a child makes any allegation of physical, sexual or emotional abuse against a third party…. It needs to be made clear within the policy that contemporaneous notes ought to be kept and stored securely (electronically if possible). This includes any handwritten notes even if, only key words are noted down and later entered onto any electronic system. THIS DOES NOT INFRINGE GDPR.”

Those final words resound, even if they shouldn’t need saying.

Prior to GDPR, there were certainly a multitude of misunderstandings about data protection, but the idea that personal data should not be recorded, or should be quickly destroyed, is one of the most pernicious of misunderstandings that seems to have emerged since GDPR – in part from terrible advice and training given by people who shouldn’t have ever been engaged to train the public sector. I implore those involved in training and advising in these complex areas of social care and education to consider the import and impact of the advice they give.

Finally, the importance and meaning of the first word of the third data protection principle is often overlooked. Yes, it’s the “data minimisation” principle, but personal data must still be adequate.

This is the judgment.


Dead as a dodo – the DPDI Bill is no more

I’ve written on the Mishcon de Reya website on the news that the Data Protection and Digital Information Bill will not now be enacted, following the calling of the general election on 4 July.

https://www.mishcon.com/news/the-end-of-the-data-protection-and-digital-information-bill


ICO applies public sector fine approach to charity

The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.

The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.

The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.

This led to a further follow-up query from me because as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”

I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?

[this post was originally published on my LinkedIn page.]
