Knowing what to overlook

The Upper Tribunal has allowed an appeal by an appellant whose pre-hearing language and allegations had led the First-tier Tribunal to strike out his case.

In a recently handed down judgment Upper Tribunal Judge Jacobs says

Most appellants correspond with the tribunal only when necessary, make moderate criticisms and allegations, and express themselves politely. There is, however, a small body of appellants who are persistent in their correspondence which contains wild allegations that are expressed in an intemperate or aggressive tone…

What gave rise to the proceedings in question was an appeal, by a certain Mr Dransfield, of a decision by the First-tier Tribunal (Information Rights) (FTT) to strike out proceedings remitted to it by a decision of Judge Wikeley in the Upper Tribunal (UT). That remittal decision was case reference GIA/1053/2011 – unhelpfully not currently available on the UT website – and is not to be confused with another (leading) decision by Wikeley J in relation to an unsuccessful appeal by Mr Dransfield (reference GIA/3037/2011).

The FTT struck out the remitted case using powers conferred by rule 8(3)(b) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (SI No 1976) (“the Rules”), which permits a strike-out if

the appellant has failed to co-operate with the Tribunal to such an extent that the Tribunal cannot deal with the proceedings fairly and justly

It appears that Mr Dransfield was warned by the FTT judge by a direction on 11 January 2012 (I think this should say “2013”, but I quote from paragraph 4 of the UT’s judgment) about the unfortunate, although perhaps unintentional “hectoring tone” of his emails, and rule 8(3)(b) was specifically cited to Mr Dransfield, with the observation that

Co-operation, in this context, includes using moderate language and an appropriate tone 

The warning was reinforced orally, and repeated on 29 April 2013.

Despite this, Mr Dransfield then sent an email on 12 May 2013, which the UT declines to quote in full but which is described thus

Mr Dransfield accused the Commissioner and Council of ‘conniving and colluding to pervert the Course of Justice’ and of producing ‘a pack of lies and deception’. He later referred twice to a ‘wider conspiracy to pervert the course of justice’ and said that there was sufficient evidence to justify arresting the Commissioner’s legal representative and Judge Wikeley for conspiracy to pervert the course of justice

Accordingly, the proceedings were struck out, the same day.

Interestingly (and no doubt to the frustration of some of those involved), Mr Dransfield’s appeal of this strike out has succeeded. Jacobs J  follows the words I quote at the start of this piece with

It is usually possible to deal with that small minority of appellants without resorting to the power to strike out proceedings. It is possible to ban a party from using emails and direct that any that are sent will be ignored. Another way is to limit a party to communicating in writing and only when requested, with other letters being filed but ignored. At a hearing, it is possible to limit the time allowed to a party or, if necessary, to require a party to leave the hearing room. In my experience, measures such as this are usually effective

In short, Jacobs J says that case management powers can be properly used to manage a potentially difficult litigant, and should not in this case have led to the “draconian step” of striking out Mr Dransfield’s appeal. The type of allegation made by Mr Dransfield is “regularly made in appeals before this Chamber and just as regularly ignored by the judges”.  The power to strike out and the duty to cooperate are in a “reciprocal relationship” with the overriding objective “to enable the Tribunal to deal with cases fairly and justly” at Rule 2, and specifically those parts of Rule 2 which require flexibility in the proceedings (2(2)(b)) and that the parties are able to participate fully in the proceedings (2(2)(c)).

Jacobs J ends his judgment by noting that the FTT could have employed more flexible responses “without depriving Mr Dransfield of his right of appeal” and observes, by quoting William James

‘the art of being wise is the art of knowing what to overlook.’

Very true, but I think I would just add a general point that – sometimes – some things can be too big to overlook. There will still be some cases where the failure to comply with the duty to cooperate properly merits the striking out of proceedings.


THIS is the purpose of subject access requests

In a recent blogpost the rather excellent Bilal Ghafoor (who goes by the handle of “FOIKid”, although I note he’s now extended this to “FOI (and DP) Kid”, evidently having rather belatedly discovered the joys of data protection) asked “What is the purpose of subject access requests?”. He drew attention to the potential discord between approaches by the Information Commissioner and by the courts (in cases such as Durant v Financial Services Authority [2003] EWCA Civ 1746) to such requests (made under section 7 of the Data Protection Act 1998 (DPA)).

In a comment on that post I argued that the Court of Appeal in Durant was perhaps not as out-of-step with, at least, the EC data protection Directive 95/46/EC as is sometimes thought

it’s important to note that the Court of Appeal were keen to stress the fact that the Act gives effect to the Directive, and that the Directive and its recitals have a “primary objective” to “protect individuals’ fundamental rights, notably the right to privacy and accuracy of their personal data held by others…

This particular primary objective is illustrated quite starkly by the news from the Press Gazette that comedian/journalist Mark Thomas discovered, through submitting a subject access request, that his name is on a “domestic extremist database”:

police held a file of seven pages containing more than 60 individual items of intelligence…“a bizarre list of events monitored by the police, lectures given, panels attended, even petitions I have supported…the police have monitored public interest investigations in my case since 1999”

Thomas says he is taking legal action to have his name removed. This will be an interesting case if it reaches court, joining a line of cases where people try to effect removal of records from police systems.

What is also interesting though is that Thomas, and the National Union of Journalists (NUJ), are encouraging journalists to submit subject access requests to the police. As Thomas says

I know of other NUJ members on the database….Which is why I am asking NUJ members to take action. If your work brings you into contact with the police whether covering riots or climate camp, from Plebgate to the NSA, then the police could have you on their database

and the NUJ general secretary Michelle Stanistreet adds

we want as many other members as possible to find out what information the Met is holding

In answer to Bilal’s question, then, I think that this – the investigation of how an arm of the UK state monitors and records the activities of the free press – is a vitally important example of what the purpose is of subject access requests.


Data Protection concerns and Article 6

Article 6(1) of the European Convention on Human Rights provides inter alia that “everyone is entitled to a fair and public hearing”. An interesting case in the Upper Tribunal shows how failure to comply with tribunal rules (in this case The Tribunal Procedure (First-tier Tribunal) (Social Entitlement Chamber) Rules 2008 (“the TPR”) ) can render tribunal proceedings unfair and – arguably – in breach of Article 6(1). And although the case was not dealing substantively with an “information rights” matter, data protection played a small part.

This was a successful appeal, in which the Upper Tribunal held there had been a material error of law by the FTT. Upper Tribunal Judge Wright’s basis for permitting the appeal had been

that it seems arguable from the papers before me that the appeal was decided by the First-tier Tribunal without [the appellant] having had sight of the HMRC’s appeal response or the documents it relied on

and this was accepted by the respondent, HMRC.

It appears that HMRC had declined to comply with Rule 24(5) of the Rules (that it must provide a copy of the response and any accompanying documents to each other party at the same time as it provides the response to the Tribunal) because of “data security issues”…“because it was concerned that [the appellant] was not living at the address he was relying on”. It had conveyed its intention not to comply with Rule 24(5) in a letter to the FTT, but had not referred to any other Rule which permitted the action, and, although the letter sought directions from a judge, there was no evidence

either on the Upper Tribunal file or the First-tier Tribunal file – to indicate either (a) that this letter was ever put before a Judge of the First tier-Tribunal, or (b) that directions were issued either requiring disclosure or precluding it, or (c) that the appeal response and evidence was ever sent to [the appellant] before the appeal was decided on 23.04.12

Accordingly, HMRC erred in law in not providing the appeal response and evidence, and the FTT, in not addressing this, made a material error of law in coming to its decision.

The Upper Tribunal judge also noted that HMRC’s concerns about data security could well have been met by section 35 of the Data Protection Act 1998 (which provides an exemption from the bars elsewhere in the DPA against disclosure of personal data if the “disclosure is required by or under any enactment, by any rule of law or by order of the court”). As the judge observed, “those words would seem to encompass rule 24 of the TPR”.

Lawyers and practitioners (and indeed litigants) should be aware that data protection concerns regarding disclosure of evidence, or serving of required papers, should not get in the way of tribunals’ overriding objectives to deal with cases fairly and justly, because if they do, a potential breach of parties’ Article 6 rights may occur. They should also make sure (as should, I suspect, tribunal clerks) that letters seeking directions are put before a judge.


In which I ask the ICO for a Decision Notice

In September of this year I blogged about a request I made to the Information Commissioner’s Office (ICO) for details of which website some personal data had been inadvertently uploaded to, by a council employee, which had led to a monetary penalty notice. I have now had the ICO’s response to my internal review. I do not have (and haven’t sought) permission to upload that response, but suffice to say it doesn’t uphold my complaint. For those of you still awake I append my response to it here:

I am reluctantly now applying to the Commissioner for a decision whether my request for information has been dealt with in accordance with the requirements of Part I of the Freedom of Information Act 2000 (FOIA).
 
I am of the view that you do have lawful authority to disclose the information, and, therefore, section 59(1) of the Data Protection Act 1998 (DPA) is not engaged (and by extension nor is the substantive exemption claimed: section 44 of FOIA). Before I give my reasons I would just like to clarify an error on my part: I erred in my request for internal review when I queried whether section 59(1)(c) DPA was met. What I meant was that I accepted that sections 59(1)(a-c) were met, but I doubted whether there was a lack of lawful authority for the ICO to disclose.
 
My reasons why I believe you do have lawful authority to disclose are substantially the same as I gave in the rest of my request for internal review. I will repeat them here for completeness’ sake:
 
Section 59(2)(e) says that disclosure is made with lawful authority if “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”. I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many, many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

However, I make the following further observations.

You say “I consider that the public interest here has been largely, if not entirely, met by the issuing and publication of the Monetary Penalty Notice dated 27 August 2013, the publication of the ICO News release dated 30 August 2013, and other press coverage concerning this particular data breach and how it occurred. I do not consider that disclosure of the name of the website would further this to any significant extent”. However, these sources of information were noticeably lacking in detail about how exactly the rather bizarre and worrying circumstances described in the Monetary Penalty Notice (MPN) could have happened: automatic upload to cloud storage can happen, but normally this will be to private storage – automatic upload to a “public website” is rather alarming.

I note, in passing, some recent criticism of the level of detail, or lack of clarity, in MPNs made by the First-tier Tribunal (see para 17 of the Scottish Borders case, and, the Niebel case, effectively throughout).

I also note that you say “when considering the balance of the public interest in relation to section 59(2)(e) it has to be borne in mind that the threshold is very high because disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”. With respect, whether the Commissioner or a member of his staff might commit a criminal offence is not relevant to whether the public interest means disclosure is necessary. If disclosure is necessary section 59(1) does not apply, and no suggestion of a criminal offence can arise. Moreover, you say “unless there is ‘lawful authority’ to disclose the information, to do so would constitute a criminal offence” and “disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”, and “Releasing information of this nature without lawful authority would not only constitute a criminal offence…”: all of these omit the crucial mens rea aspect of that offence, which is that the disclosure would have to be made knowingly or recklessly.

You go on to say “There is a strong public interest in information being provided to the Commissioner in confidence, to enable him to carry out his statutory duty, remaining confidential and that this information will not be disclosed without lawful authority. Releasing information of this nature without lawful authority would not only constitute a criminal offence but would also undermine the regulatory function and powers of the ICO. It would damage public trust in the Commissioner’s processes and make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. This repeats the earlier assertions, or implications, that the information in question is “confidential” or has been “provided…in confidence”, which I continue to dispute for reasons previously given (and not controverted), and makes further assertions that disclosing such information now would “make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. There appears simply to be no basis for this “chilling effect” assertion (is there, for instance, evidence to back it up?).

Finally, I note that you say “we did consult with Aberdeen City Council and we do not have explicit consent for disclosure”. You do not say when this consultation took place, but it appears that Aberdeen at some point changed their mind on this, because on 15 October they disclosed the information to me under FOIA (see https://www.whatdotheyknow.com/request/ico_monetary_penalty_notice#outgoing-307019). Clearly, this means that I do not continue to seek disclosure. It also explains why I say I make this application reluctantly (I have no wish to have you, or me, expend time and resources unnecessarily). But I do wish to dispute that my request to you was handled according to requirements in part 1 of FOIA.

I am happy to provide any further information you might need.
with best wishes

etc


Will there be blood?

The First-tier Tribunal (Information Rights) (FTT) has overturned a decision by the Information Commissioner that the Northern Ireland Department for Health, Social Services and Public Safety (DHSSPS) should disclose advice received by the Minister of that Department from the Attorney General for Northern Ireland regarding a policy of insisting on a lifetime ban on males who have had sex with other males (“MSM”) donating blood.

On 11 October 2013 the Northern Ireland High Court handed down judgment in a judicial review application, challenging the decision of the Minister and the DHSSPS to maintain the lifetime ban. The challenge arose because, in 2011, across the rest of the UK, the blanket ban which had existed since 1985 had been lifted.

DHSSPS lost the judicial review case, and lost relatively heavily: the decision of the Minister was unlawful for reasons that i) the Secretary of State, and not the Minister, by virtue of designation under the Blood Safety and Quality Regulations 2005, was responsible for whether to maintain or not the lifetime ban, ii) similarly, as (European) Community law dictated that this was a reserved matter (an area of government policy where the UK Parliament keeps the power to legislate in Scotland, Northern Ireland and Wales), the decision was an act which was incompatible with Community law, iii) the Minister had taken a decision in breach of the Ministerial Code, by failing to refer the matter, under Section 20 of the Northern Ireland Act 1998, to the Executive Committee, and iv) although a ban in itself might have been defensible, the fact that blood was then imported from the rest of the UK (where the ban had been lifted) rendered the decision irrational.

Running almost concurrently with the judicial review proceedings was a request, made under the Freedom of Information Act 2000 (FOIA), for advice given to the Minister by the Attorney General for Northern Ireland. The FOIA exemption, at section 42, for information covered by legal professional privilege (LPP) was thus engaged. The original decision notice by the Information Commissioner had rather surprisingly found that it was advice privilege, as opposed to litigation privilege. The IC correctly observed that for litigation privilege to apply

at the time of the creation of the information, there must have been a real prospect or likelihood of litigation occurring, rather than just a fear or possibility

and, because the information was dated October 2011, and leave for judicial review had not been sought until December 2011

at the time the information was created, litigation was nothing more than a possibility

But one questions whether this can be correct, when one learns from the FTT judgment that DHSSPS had been sent a pre-action protocol letter on 27 September 2011. Again rather surprisingly, though, the FTT does not appear to have made a clear decision one way or the other which type of privilege applied, but its observation that

when the request was made judicial review proceedings…were already underway

would imply that they disagreed with the IC.

This discrepancy might lie behind the fact that the FTT afforded greater weight to the public interest in favour of maintaining the exemption. It was observed that

[the existence of the proceedings] at the time of the request seems to us to be an additional specific factor in favour of maintaining the exemption. It seems unfair that a public authority engaged in litigation should have a unilateral duty to disclose its legal advice [para 19]

Additionally, the fact that the advice was sought after the decision had been taken meant that it could give “no guide to the Minister’s motives or reasoning”.

Ultimately – and this is suggestive that the issue was finely balanced – it was the well-established inherent public interest in the maintenance of LPP which prevailed (para 21). This was a factor of “general importance” as found in a number of cases summarised by the Upper Tribunal in DCLG v The Information Commissioner and WR (2012) UKUT 103 (AAC).

Because the appeal succeeded on the grounds that the section 42 exemption applied, the FTT did not go on to consider the other exemptions pleaded by DHSSPS and the Attorney General – sections 35(1)(a) and 35(1)(c), although it was very likely that the latter at least would have also applied.

Aggregation of public interest factors

Because the other exemptions did not come into play, the FTT’s observations on the IC’s approach to public interest factors where more than one exemption applies are strictly obiter, but they are important nonetheless. As all good Information Rights people know, the European Court of Justice ruled in 2011 that when more than one exception applies to disclosure of information under the Environmental Information Regulations 2004 (EIR), the public authority may (not must) weigh the public interest in disclosure against the aggregated weight of the public interest arguments for maintaining all the exceptions. The IC does not accept that this aggregation approach extends to FOIA, however (see para 73 of his EIR exceptions guidance) and this was reflected in his decision notice in this matter, which considered separately the public interest balance in respect of the two exemptions he took into account. He invited the FTT to take the same approach, but, said the FTT, had the need arisen, the IC would have needed to justify how this “piecemeal approach” tallied with the requirement at section 2(2)(b) of FOIA to consider “all the circumstances of the case”. Moreover, the effect of the IC’s differing approaches under EIR and FOIA means that

there will be a large number of cases in which public authorities, the ICO and the Tribunal will be required to make a sometimes difficult decision about which disclosure regime applies in order to find out how to conduct the public interest balancing exercise

I am not aware of anywhere that the IC has explained his reasoning that aggregation does not apply in FOIA, and it would be helpful to know, before the matter becomes litigated (as it surely will).

And I will just end this rather long and abstruse piece with two personal observations. Firstly, donating blood is simple, painless and unarguably betters society – anyone who can, should donate. Secondly, denying gay men the ability, in this way, to contribute to this betterment of society is absurd, illogical and smacks of bigotism.


Walberswick Vexatiousness

Back in August of this year I blogged about an interesting decision by the First-tier Tribunal (Information Rights) (FTT) which approached the subject of “vexatiousness” (section 14(1) of the Freedom of Information Act 2000 (FOIA)) by observing that what might be excessively burdensome to a small public authority (such as a rural parish council) might not be so to a large public authority.

The public authority in question was Walberswick Parish Council, and, since that decision, there have been two others, meaning that Walberswick now has more experience in the FTT than most county councils and many other huge public authorities.

All three cases relate to refusals to disclose information on the grounds that the requests were vexatious, and the most recent – McCarthy v IC & Walberswick Parish Council – is no different: and, indeed, they all follow the line of authority on vexatiousness laid down by the Upper Tribunal earlier this year in ICO v Devon County Council and Dransfield GIA/3037/2011. What is noteworthy, however, is the disapproval with which the judge clearly views the continuing vexatious requests being made to Walberswick:

WPC is a parish council, not a department of state. The limits on its resources were well-known to the Appellant and to everybody else involved in this unhappy saga…It is plain that FOIA requests, both those made by the Appellant and the others of which he was concurrently aware, reduced WPC to paralysis…Furthermore, it was perfectly plain to any sensible individual and without doubt to one of the Appellant’s sophistication and social awareness that such pressure would drive elected and ultimately appointed councillors from office, as well as their clerk, who was at the centre of the battle.

Indeed, so concerned was the FTT that, very unusually, it put future requesters on warning about potential costs

WPC will not function as a democratically elected body until this bombardment by FOIA requests ceases. That may well mean that, as here, intrinsically reasonable requests for information are treated as vexatious if part and parcel of a sustained assault motivated by a desire to disrupt. Crippling a parish council by subjecting it to ceaseless interrogation is not a sensible way to improve its service to local residents nor to fulfil its duties under FOIA…it is highly unlikely that any future appeal from this parish council will be decided on different principles or without regard to the outcome of this and earlier appeals relating to Walberswick. Unsuccessful appeals by campaigning requesters may well attract the unusual sanction of orders for costs

(In passing, I would query whether this statement is potentially prejudicial to future cases in the FTT, and could actually deter people from making legitimate requests. In fact, it seems to suggest that any FOIA request to Walberswick could be considered to be prima facie vexatious. In fairness to the FTT though, this is merely the outcome of the “sustained assault” by the current campaigners).

Awards of costs in the FTT are very rare (I can only recall three cases). To put as-yet-unknown requesters, who haven’t yet made requests, on notice is a measure of how seriously the FTT view the harm caused by a campaign such as that experienced by Walberswick. In administrative law we already have the concept of Wednesbury Unreasonableness – one wonders if, in this particular branch of administrative law, we should start using Walberswick Vexatiousness as a term of art?


NADPO annual conference

In what little spare time I have I perform the role of Secretary of NADPO – the National Association of Data Protection and Freedom of Information Officers. NADPO holds its annual conference in London on 22 November. The call to members has gone out, and also to members of the Data Protection Forum, with whom we have informal reciprocal arrangements.  Now, for the first time, we have decided to make any spare places publicly available.

The line-up is as impressive as ever (if not more so): we have Jonathan Bamford, from the Information Commissioner’s Office; the BBC’s Martin Rosenbaum; Dr Ian Brown, from the Oxford Internet Institute; David Allen Green, author of the highly regarded Jack of Kent blog, and legal commentator for The Financial Times; S A Mathieson, senior analyst for EHI Intelligence and a freelance journalist; and Antonis Patrikios, Director at Field Fisher Waterhouse’s Privacy and Information team. We also have the Law Commission, who will be talking about, and seeking attendees’ views on, their scoping project on Data Sharing between public bodies.

Spare places, if any are available, will be offered to those who express interest on a first-come-first-served basis, at a ridiculous bargain rate of £50.

The conference takes place at Field Fisher Waterhouse’s offices in Vine Street, EC3N.

If you’re interested in attending feel free to contact me using the form on this page.


One for the insomniacs – Upper Tribunal on EIRs and commercial confidentiality

In May 2012 I blogged about a case in the First-tier Tribunal (Information Rights) (FTT). It was an appeal by Swansea Friends of the Earth against a decision of the Information Commissioner (IC) not to require the Environment Agency to disclose information relating to financial guarantee arrangements put in place by a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea.

I was critical of the FTT’s approach to breach of confidence, as it applies to the Environmental Information Regulations 2004 (EIR). However, with the handing down of judgment by the Upper Tribunal, following an appeal by Natural Resources Wales, as successor to the Environment Agency, I see I was wrong on two points (one minor, one major), right on another, and my key point was left undecided. Exciting stuff folks – hold on to your hats!

My minor error was to repeat the FTT’s description of Megarry J’s classic tri-partite breach of confidence test in Coco v A N Clark (Engineers) Ltd [1969] RPC 44 as being a common law doctrine. As the Upper Tribunal points out

That, to be correct, is a decision about the equitable doctrine of confidential communication (not the common law) that may arise otherwise than by contract between the parties

Silly me. Silly FTT.

Natural Resources Wales argued before the Upper Tribunal that

there was a statutory obligation in place [militating against disclosure], so that the Agency did not have to rely on equitable grounds

And this goes to my major error, which was to overlook, in striving to make a point of general application about the modern development of the law of confidence, that in this specific case the IC’s original Decision Notice had found that the information in question was confidential for the purposes of Regulation 12(5)(e) of the EIR firstly because the provisions of the Pollution Prevention and Control (England and Wales) Regulations 2000 (PPCR) (which were the regulations – since revoked and remade – which applied to the licence in question) effectively made it so, and only secondly because the information and the circumstances by which it came into the Environment Agency’s control met the Coco v Clark tests.

Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The Upper Tribunal held that the FTT had erred in law, saying (paragraphs 51-52), as had the IC in the first instance, that relevant provisions of the PPCR meant that confidentiality was “provided by law to protect a legitimate economic interest”:

disclosure of the relevant information would adversely affect confidentiality “where such confidentiality is provided by law to protect a legitimate economic interest”… Here that must be regarded as a reference across to regulation 31 of the 2000 Regulations. Regulation 31(1)(a) makes an express reference to commercial confidentiality. The factual background to these appeals makes it plain that the figures in question here were figures produced within the 2000 Regulations framework and were subject to the necessary application and ruling to protect confidentiality of them

So it was not necessary to consider whether the information was also covered by the equitable doctrine of confidence.

The point on which I was right (in my original post) was regarding whether, or the extent to which, regulation 12(5)(e) of the EIR was directly comparable to the similar section 41 of the Freedom of Information Act 2000 (FOIA). I said

This extension of the FOIA confidentiality principles into the EIR is controversial…

and the Upper Tribunal judge says

the tests in section 41 and regulation 12 are separate and cannot be read together to include in one something in the other simply because they deal with similar issues

which is pretty unequivocal (and see also Chichester District Council v IC and Friel (GIA 1253 2011), cited as authority for the lack of analogy between the two).

Finally, another point I hadn’t addressed (although Phil Bradshaw did, in the comments to my original post) concerns the failure by the FTT to distinguish between the location of information in documents and the information itself. The FTT had said

the information came into existence through a process of negotiation between the parties

but this surely was not the case – rather, documents, containing information, came into existence through a process of negotiation. But the information itself was caught by regulation 12(5)(e)

the focus is on this information, not on any particular document or form in which those figures are recorded or any process by which they emerged. I accordingly agree with the challengers that in so far as the First-tier Tribunal concerned itself with the specific location of those figures in specific documents produced as part of the licensing process rather than the information itself it was wrong in law

So there you have it. A rip-roaring convoluted run-through of why an obscure old blog post by me was slightly wrong and slightly right. I aim to please.

Filed under Confidentiality, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

The Moanliness of the Long-distance Runner

Another in the Let’s Blame Data Protection series, in which I waste a lot of energy on something not really worth the effort

The Bournemouth Daily Echo reports that

Hundreds of disgruntled runners who took part in the inaugural Bournemouth Marathon Festival have accused event organisers of withholding information by failing to provide full race results.

and, with rather dull predictability, there’s a familiar apparent culprit

GSi Events Ltd, the team behind the BMF, has published the top ten runners in the various age categories, but is refusing to publish all the results on the grounds of data protection.

But does data protection law really prevent publication of this sort of information? The answer, I think, is “no”, and the reason for this is tied to issues of fairness and consent.

The first data protection principle, in Schedule One of the Data Protection Act 1998 (DPA) says that personal data (broadly, information relating to an identifiable individual) must be “processed” (publication is one form of processing) fairly and lawfully.

The concept of fairness is not an easy one to grasp or define, but helpfully the DPA provides a gloss on it, which, to paraphrase, is that if people are properly informed about how their data is going to be processed (who is doing the processing, and for what purpose)  then a key element of “fairness” is met. The Information Commissioner’s Privacy Notices Code of Practice explains

A privacy notice should be genuinely informative. Properly and thoughtfully drawn up, it can make your organisation more transparent and should reassure people that they can trust you with their personal information

The first data protection principle goes on to say that (in particular) personal data shall not be processed unless at least one of the conditions in Schedule 2 of the Act is met (and Schedule 3, in the case of higher-category sensitive personal data). One of those conditions is

The data subject has given his consent to the processing.

“Consent” is not defined in the DPA, but it is given a definition in the EC Data Protection Directive, to which the DPA gives domestic effect. The Directive says that consent

shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

“Specific” and “signifies” are generally taken to mean that implied consent is not valid in this context (although the practice of implying consent to processing is widespread). Nonetheless, it seems clear that, with a privacy notice, sensibly drafted, the organisers of the Bournemouth Marathon could easily have said to those registering to race “your race result/time will be published, unless you object”. When one looks at the actual privacy notice, however, such a term is absent.

I suppose that means one could argue that, under the current privacy notice, publishing the race details would be in breach of the DPA. I suppose I could also construct a counter-argument to that to the effect that publication is necessary in pursuance of legitimate interests of the race organisers (for instance to show that it was a real flipping race) when balanced against the legitimate interests of the racers.

But ultimately, come on, it’s just silly to blame data protection: the vast, vast majority of people take part in a marathon knowing that it’s a public event, where they’ll gather plaudits or attract ridicule. Any expectation of privacy of race results is effectively non-existent.

Publish the damn race results, take the infinitesimal risk of someone complaining (a complaint which no one, i.e. the Information Commissioner and the courts, will take seriously or be able to offer a remedy to) and sort your privacy notice out for next year.

Filed under Data Protection, Let's Blame Data Protection

Let’s Blame Data Protection – the Gove files

Thanks to Tim Turner, for letting me blog about the FOI request he made which gives rise to this piece

On the 12th September the Education Secretary, Michael Gove, in an op-ed piece in the Telegraph, sub-headed “No longer will the quality, policies and location of care homes be kept a secret” said

A year ago, when the first shocking cases of sexual exploitation in Rochdale were prosecuted, we set up expert groups to help us understand what we might do better…Was cost a factor? Did we need to spend more? There was a lack of clarity about costs. And – most worrying of all – there was a lack of the most basic information about where these homes existed, who was responsible for them, and how good they were….To my astonishment, when I tried to find out more, I was met with a wall of silence

And he was in no doubt about where the blame lay (no guesses…)

The only responsible body with the information we needed was Ofsted, which registers children’s homes – yet Ofsted was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police. Local authorities could only access information via a complex and time-consuming application process – and some simply did not bother…[so] we changed the absurd rules that prevented information being shared

This seemed a bit odd. Why on earth would “data protection” rules prevent disclosure of location, ownership and standards of children’s homes? I could understand that there were potentially child protection concerns in the too-broad-sharing of information about locations (and I don’t find that “bewildering”) but data protection rules, as laid out in the Data Protection Act 1998 (DPA), only apply to information relating to identifiable individuals. This seemed odd, and Tim Turner took it upon himself to delve deeper. He made a freedom of information request to the Department for Education, asking

1) Which ‘absurd’ rules was Mr. Gove referring to in the first statement?

2) What changes were made that Mr. Gove referred to in the second statement?

3) Mr Gove referred to ‘Data Protection’ rules. As part of the process that he is describing, has any problem been identified with the Data Protection Act?

Fair play to the DfE – they responded within the statutory timescales, explaining

Regulation 7(5) of the Care Standards Act 2000 (Registration) (England) Regulations 2010 …prohibited Ofsted from disclosing parts of its register of children’s homes to any body other than to a local authority where a home is located. Whatever the original intention behind this limitation, it represented a barrier preventing Ofsted from providing information about homes’ locations to local police forces, which have explicit responsibilities for safeguarding all children in their area…we introduced an amendment to Regulation 7 with effect from April 2013

But their response also revealed what had been very obvious all along: this had nothing to do with data protection rules:

the reference to “data protection” rules in Mr Gove’s article involved the Regulations discussed above, made under section 36 of the Care Standards Act 2000. His comments were not intended as a reference to the Data Protection Act 1998

This is disingenuous: “data protection” has a very clear and statutory context, and to extend it to more broadly mean “information sharing” is misleading and pointless. One could perhaps understand it if Gove had said this in an oral interview, but his piece will have been checked carefully before publication, and personally I am in no doubt that blaming data protection has a political dimension. The government is determined, for some right reasons, and some wrong ones, to make the sharing of public sector data easier, and data protection does, sometimes – and rightly – present an obstacle to this, when the data in question is personal data and the sharing is potentially unfair or unlawful. Anything which associates “data protection” with a risk to child safety serves to represent it as bureaucratic and dangerous, and serves the government agenda.

And the rather delicious irony of all this – as pointed out on Twitter by Rich Greenhill – is that the “absurd rules” (the Care Standards Act 2000 (Registration) (England) Regulations 2010) criticised by Gove were made on 24 August 2010. And the Secretary of State who made these absurd rules was, of course, the Right Honourable Michael Gove MP.

How absurd.

Filed under Data Protection, data sharing, Freedom of Information, Let's Blame Data Protection, transparency