Let’s blame Data Protection (a new series): Part One

Data Protection is to blame for many things (sleepless nights for Data Protection officers, hits to the public purse, a proportionate measure of respect and security for people’s sensitive private information, bulging wallets for lawyers) and many people like to criticise it. In this occasional series I want to come to its defence, by pointing out examples where data protection has been wrongly blamed for a failure elsewhere. The Information Commissioner used to do something similar but seems to have given up with that (and, after all, “data protection duck out” is a cringemaking phrase).

So here’s my first example: “Vague” Data Protection Act blights fraud detection, say insurers

The facts of the article itself are fine, as one would expect if the author is Pete Swabey, but it’s the message itself that grates. According to the Chartered Insurance Institute (CII), there is a problem with section 29 of the Data Protection Act 1998 (DPA), which permits the disclosure of personal data by a data controller, whereby the general presumption against non-disclosure is disapplied if applying it would be likely to prejudice any of the following purposes: the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature. Normally the question whether to disclose will arise in response to a specific request from another person or body (normally one with crime detection or prosecution powers, or tax collection powers). This comes down to a matter of applying a balancing test to specific facts: if I don’t disclose this information, would it be likely to cause prejudice to those purposes?

This is often a difficult decision for a data controller (it’s about serious matters – why should it always be easy?). But the CII complain that

the vagueness of Section 29…has led to an extremely high volume of information requests, with little consistency or clarity. This, it says, is hindering investigations. 

“Certain companies, particularly the lawyers, are sending requests out without thinking about them,” [says] David Clements, motor investigations manager at Zurich

Bad Data Protection Act! Making people ask for disclosure of personal data without giving it much thought!

Also, the fact that requests and responses are made in a haphazard, non-standard fashion creates unnecessary work for fraud investigators.

Silly Data Protection Act! Making an industry incapable of standardizing procedures!

And, indeed, the article says that the industry is trying to sort itself out

The New Generation Claims Board is working on a voluntary code of best practice to help insurance providers both improve the efficacy of their fraud investigations and reduce their risk of non-compliance. 

“We’re going to provide the industry with a best practice protocol plus a template for sending and receiving requests,” Clements explains.

But the evil Data Protection Act is still lurking about causing trouble, because this is only a voluntary scheme

as insurance companies are not even obliged to respond to Section 29(3) requests

Come on Data Protection Act, sort yourself out!


An error of judgment

A very brief post, on something in a High Court judgment which may merely be a slip.

On 6 June 2013 a renewed application to appeal to the Employment Appeal Tribunal was heard in the High Court. The applicant, Flynn, is seeking compensation for detriment suffered by reason of the making of a public interest disclosure (the “whistle-blowing claim”) and for arrears for holiday pay. The respondent, Warrior Square Recoveries Limited (“Warrior”), made an initially unsuccessful attempt to have the claims struck out. On appeal the Employment Appeal Tribunal refused to strike out the holiday arrears claim, but struck out the whistle-blowing claim because it had not been brought within the requisite three-month time-limit. Flynn now sought to reinstate the whistle-blowing claim.

Lord Justice Rimer was not impressed by the arguments to reinstate, but, rather reluctantly, found one sufficiently compelling to justify permission

The only argument that appeared to me arguably to have some legs to it was that on 21 May 2010 the applicant made a subject access disclosure application to Warrior under the Freedom of Information Act 2000, the purpose being the provision to him of information as to whether or not the defamation claim was being pursued. Warrior had 40 days to comply with the request, but it did not do so. It is said that the expiration of the 40 days marked another deliberate failure by Warrior to act, following which the tribunal proceedings were issued within three months.

With some hesitation, I regard this ground as sufficient to justify permission to appeal…

The perspicacious among you might have noticed something. Subject access, and the 40 day time for compliance, are terms not from the Freedom of Information Act 2000 (FOIA), but from section 7 of the Data Protection Act 1998 (DPA). FOIA only applies to public authorities, of which Warrior is not one. If a public authority receives a request seeking subject access under FOIA it should apply the exemption at section 40(1) and “the public authority will need to deal with it in accordance with the DPA” (Information Commissioner guidance). An employer, such as Warrior, which is not a public authority, has no such obligations under FOIA. It probably should still, on receipt of a letter purporting to be a FOIA request, have read it and recognised it as being, rather, a subject access request under DPA (under which it does have obligations to respond). But I’m not sure I would criticise it too much for seeing the words “Freedom of Information Act”, and thinking it didn’t need a response. I’m also not sure that the failure to respond to a non-existent obligation under an Act to which the company was not subject should have counted for the purposes of deciding when the time for lodging a claim started.

As I say, this may be a transcription error, or the judge might have mistakenly cited FOIA when he meant DPA, but the fact that this point was determinative of whether to allow permission to appeal means the error (whether it was an actual one, or just in the handed down judgment) is very odd.


It’s still not fine

Last week I blogged about enforcement notices served on three Midlands police forces by the Information Commissioner (IC). I was surprised that the circumstances hadn’t merited stronger sanctions, in the form of monetary penalty notices (MPNs), and I tweeted to ask why.

As you can perhaps see, the IC’s office has kindly replied to my tweet. I had asked

I would really like to know why the IC did not see fit to issue Monetary Penalty Notices. Can you advise?

and their reply says

enforcement notices best means of improving compliance. Considered details of the case inc limited involvement of each force

I have to say I think this is a questionable response (although I take the point that a 140-character limit is restrictive).

Firstly, enforcement activities are not mutually exclusive – it is not uncommon for an enforcement notice and an MPN to be served in tandem on a data controller. Thus, as recently as June this year, Glasgow City Council was served an MPN of £150,000 by the IC following the loss of, er, unencrypted laptops, and at the same time was served an enforcement notice requiring certain corrective actions to be undertaken.

Secondly, and I may be misinterpreting, but the reply seems to say that the “limited involvement of each force” was a determining factor in a decision not to serve an MPN. However, there were three data controllers involved. If each of them had a “limited” involvement, one is led to ask “wasn’t that the main problem?”. Derbyshire and Leicestershire both “did not carry out a risk assessment before they joined [the collaboration unit]…relying on the security measures taken by Nottinghamshire”, but those security measures were inadequate (lack of encryption, laptops not physically secured). Meanwhile, none of the forces properly monitored its officers while they were seconded.

It seems to me that the limited involvement of each of the forces might, instead of excusing it, have in fact been the key factor why the security breach happened.

Principle seven of the first schedule to the Data Protection Act 1998 (DPA) requires that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Many, many public (and private) sector data controllers are undertaking collaborative and partnership working, or are taking steps to do so. All responsible organisations are very aware, where they continue, either jointly or in common with other organisations, to determine the purposes for which and the manner in which any personal data are, or are to be, processed, that they remain a data controller, with the consequent responsibilities and liabilities. They are very aware of the IC’s Data Sharing Code of Practice.

And they are very aware that, if things go wrong with data-sharing, it will not normally be sufficient to point at a partner, and say “it was their fault”, or, even less, for all partners to shrug their shoulders and say, “that wasn’t our responsibility”.


An Unnecessary FOI Appeal?

South Lanarkshire Council have lost what seems to me to have been a rather unnecessary, and surely rather costly, FOI case in the Supreme Court. That said, the judgment is important reading.

It is well-established that, for disclosure of personal data to be lawful under Freedom of Information law (both the Freedom of Information Act 2000 (FOIA) and the Freedom of Information (Scotland) Act 2002 (FOI(S)A)), it will normally be necessary to satisfy the test in the sixth condition of Schedule Two of the Data Protection Act 1998 (DPA)

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Disclosure is, by section 1(1) of the DPA, an act of “processing”.

It is also well-established (indeed, one might almost say it is trite law), that “necessary” in that condition is to be construed in accordance with the relevant European authorities. As the High Court held, in the MPs’ expenses case

‘necessary’ within para 6 of Sched 2 to the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends. Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

For reasons which are not entirely clear to me (but I’m not a Scottish lawyer) (in fact, I’m neither Scottish, nor a lawyer) the Court of Session in Scotland said, when hearing an appeal from South Lanarkshire Council of a decision by the Office of the Scottish Information Commissioner (OSIC) to order disclosure of information on how many of the total number of a certain post were placed at specific points in the pay scale, that it saw the force of a submission by counsel for the Council that

the word “necessary” should be accorded its ordinary and natural meaning, with the opening phrase being understood as imposing a distinct requirement

and that

but for the authority [of the MPs expenses case], we would have had little hesitation in giving effect to it

but they didn’t even need to reach a concluded view on this, because it was clear that, in this case, whatever construction was given to “necessary”

the Commissioner could only have concluded that necessity was made out. In particular, he held that the Requester’s own interest coincided with a widespread public interest in the matter of gender equality and that it was important to achieve transparency on the subject of Equal Pay. No better means existed to achieve that goal than by releasing the information in question

Apparently grabbing at that tiny bone thrown them by the Court of Session, the Council appealed to the Supreme Court. The hearing was three weeks ago, and judgment has been handed down today (which strikes me as rather quick) unanimously dismissing the Council’s appeal. At the time of the hearings The Herald reported that the Supreme Court had “slapped down” the Council

A cash-strapped Labour council has been scolded by one of the UK’s most senior judges for “dancing on the head of a pin” with “Alice In Wonderland” legal arguments, which have cost taxpayers thousands of pounds.

Anyone with any experience of litigation knows that it is a dangerous game to predict the outcome on the basis of the apparent approval or disapproval of your argument by the judge – often the strongest argument will be given the heaviest interrogation – but it does appear that, in this case, The Herald wasn’t taking too much of a gamble in anticipating the outcome. Lady Hale, giving the leading judgment, agreed with the Council that

the word “necessary” has to be considered in relation to the processing to which it relates. If that processing would involve an interference with the data subject’s right to respect for his private life, then [Rechnungshof v Österreichischer Rundfunk (Joined Cases C-465/00, C-138/01 and C-139/01) [2003] 3 CMLR 265] is clear authority for the proposition that the requirements of article 8(2) of the European Convention on Human Rights must be fulfilled

but in this instance, although disclosure of the information would be “processing” of “personal data” by the Council (as the Council itself could identify those to whom the data related), neither the requester nor any other third party would be able to identify the data subjects. Accordingly

as the processing requested would not enable Mr Irvine or anyone else to discover the identity of the data subjects, it is quite difficult to see why there is any interference with their right to respect for their private lives

And Lady Hale disagreed with the Council on the construction of “necessary”

all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information…and whether he needs that information in order to pursue it. It is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary…necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less 

As the requester was clearly pursuing a legitimate interest, and this could only be met by disclosure under FOI(S)A, the appeal had to fail, and the information falls to be disclosed. It is difficult to see how any other outcome, following the domestic and European authorities, could have ensued.

This does leave unanswered what the outcome would be if, for instance, no legitimate interest were advanced by a requester and/or the data subjects could be identified. In this instance, the OSIC had sought clarification of the requester’s purposes, in an investigation which the Supreme Court held was not in breach of the rules of natural justice, despite a failure to involve the Council in the correspondence. As a blogger activist the requester, Mr Irvine, could clearly point to a legitimate interest – a “serious, ongoing interest in equal pay matters”, but Lady Hale observed that

for example, if Mr Irvine had asked for the names and addresses of the employees concerned, not only would article 8 have clearly been engaged, but the Commissioner would have had to ask himself whether his legitimate interests could have been served by a lesser degree of disclosure

In European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P) the European Court of Justice found that the European Commission had not erred in refusing to disclose, under the EU Access Regulation, the identities of people attending a meeting, because the company requesting it had not been able to advance a legitimate interest in disclosure (see the excellent Panopticon post on this). FOI was traditionally said to be “applicant blind”, with a requester not needing to advance a purpose for asking for information, but, as these “personal data” cases (and others not relating to personal data – the “social watchdog” argument in the ongoing litigation involving Dominic Kennedy and the Charity Commission) show, motivation can be a determining point when it comes to disclosure under FOI.


Back to Blacklists

Could action taken by the ICO in 2009 still have a part to play if construction industry blacklisting has continued? (acknowledgement: Tim Turner made some of these points back in January this year)

In 2009 the Information Commissioner prosecuted Ian Kerr, the then chief officer of a body called the Consulting Association. The Consulting Association had been holding a blacklist of people within the construction industry seen as “troublemakers” (a blacklist inherited from the Economic League, as detailed in Tim Turner’s superb post on the subject) and making this information available to clients on payment of a fee. The fall-out from this continues to this day, with, on the one hand civil claims being pursued, for what I understand to be common law “unlawful means conspiracy” and defamation, and on the other hand, the reports that the Information Commissioner’s Office (ICO) has been asked by Business Secretary, Vince Cable, to investigate allegations that the practice has continued to this day, on major construction projects like the Olympic Park and Crossrail (by the way, the extraordinary testimony of Gail Cartmail of Unite, in that last link, is essential reading).

The ICO’s prosecution of Kerr was for the relatively minor (and relatively rarely enforced) offence under the Data Protection Act 1998 (DPA) of failing to register with the ICO for his processing of personal data. No other sanction was, apparently, open to the ICO at the time. This was because the current regime of civil Monetary Penalty Notices (MPNs) for serious contraventions of the DPA had not then commenced.

As Chris Pounder pointed out at the time, there is even a query, applying the strict definitions of “data” in section 1(1), whether a blacklist held solely on paper, and arranged in, say, date order (rather than by reference to individuals), is even caught by the DPA. If not, then enforcement by the ICO would not be possible. This is because “data” broadly applies only to electronically-processed information or information held as part of a filing system structured by reference to individuals or criteria relating to individuals. One hopes that any alleged blacklisters haven’t made a habit of reading Chris’s blog and subsequently exploited a loophole that remains open.

Putting to one side this “loophole” point, it is likely that any processing of personal data which unfairly and unlawfully deprived someone of employment would constitute a serious contravention of the DPA, probably causing substantial damage and distress, and thus potentially attracting an MPN. An MPN is a relatively powerful weapon in the ICO’s armoury, and in my opinion one that has been used well to drive up data protection standards and drive home the importance of data security. Whether a huge construction firm would notice a (maximum) £500,000 penalty is another matter.

And, of course, none of the money paid under an MPN goes to the victim of a serious DPA contravention (it goes to the government consolidated fund). However, it is open to a data subject in such circumstances to bring a claim in the county court under section 13 of the DPA. Compensation is available if specific damage can be shown, and, if damage can be shown, further compensation for distress can follow. It is not clear to me whether the current claims from the 2009 events contain DPA claims, but the fact that they are being reported primarily as claims for tortious conspiracy suggests that even if so, they are subsidiary to the latter.

However, there is one further sanction which Tim Turner alludes to, which might possibly be in play. When the ICO prosecuted Kerr it also took steps to close down the practice, by issuing DPA enforcement notices against fourteen construction companies who had been proved to have used the list or supplied information: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services Limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited. An example of one of the enforcement notices is archived here. It required the company broadly to

Refrain from using, disclosing or otherwise processing any personal data obtained from Mr Kerr

but also to

Ensure that if any personal data relating to recruitment is obtained from a source other than the data subject, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

Ensure that if any personal data relating to recruitment is disclosed to a third party for use in connection with the recruitment of workers, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

The notices do not appear to have been effective only for a fixed period, so one is to assume that they remain effective*. If any of the firms upon which they were served have since breached the terms of the notice they could potentially have committed an offence under section 47(1) of the DPA. That offence is triable either-way, and anyone found guilty is liable, on summary conviction, to a fine not exceeding £5000, or, on conviction on indictment, to an unlimited fine. And, by section 61 of the DPA, where, as here, the notices were served on bodies corporate, the bodies’ directors and some other officers can also be guilty of the offence of failing to comply with an enforcement notice if the offence is proved to have been committed with their consent or connivance or to be attributable to their neglect.

One wonders if the ICO’s 2009 enforcement proceedings may still have some part to play.

UPDATE: 15 August 2013

*The ICO has confirmed to me that they have no record of any of the Enforcement Notices being cancelled or varied, nor of any applications to cancel or vary being received. The ICO considers that the Enforcement Notices are still effective.


It’s not fine.

About the rather odd Friday afternoon news that the ICO has served enforcement notices, not monetary penalties, on three police forces

In February 2011 the Information Commissioner (IC) served civil Monetary Penalty Notices (MPNs) under section 55A-E of the Data Protection Act 1998 (DPA) on Ealing and Hounslow Councils (£80,000 and £70,000 respectively), after two unencrypted laptops containing sensitive personal data of approximately 1700 individuals were stolen. The Councils had a joint working arrangement whereby Ealing would provide an out-of-hours service on behalf of both councils. The MPNs were fair enough – the IC and others had been saying for some time that encryption of hardware was a necessary data security measure, and even though Ealing Council had a policy on this, it issued the laptops to an employee in breach of it. Hounslow took the hit because they didn’t have a written contract in place to describe and prescribe the collaborative working arrangements it had entered into with Ealing.

One might have wondered, more than two years further on, what size of monetary penalty a data controller would receive if it had also entered into a joint working arrangement in the absence of a written contract, but had failed to carry out a risk assessment, simply relying on what turned out to have been inadequate security measures taken by one of the parties, and several unencrypted laptops containing the sensitive personal data of approximately 4500 individuals were stolen.

The answer (unless MPNs are to follow) based on the IC’s news release and blog today about three police forces, appears to be that no MPNs of any size will be served. Rather, enforcement notices have been issued, requiring the police forces to appoint Senior Risk Information Owners (you mean they haven’t got them already?), encrypt all portable devices (you mean they don’t already?), ensure appropriate security measures are taken to protect personal data (you mean they aren’t already?), and ensure officers have received training on the security requirements of the DPA (you mean…etc, etc, etc).

Don’t get me wrong, enforcement notices are an important part of the IC’s regulatory weaponry (I just wish he’d use them on FOI miscreants) but they are a step down from MPNs, and they don’t really serve as a punishment for serious contraventions of the DPA, but merely act as a warning.

Clearly, considerable discretion is conferred on the IC as to what sort of enforcement action is appropriate, but, on the facts, and on comparison with previous MPNs, it is very hard to avoid the conclusion that: the contraventions of the DPA were serious; they were likely to cause damage or distress which was significant; and the police forces knew or ought to have known that there was a risk that a contravention of this kind would occur but failed to take reasonable steps to prevent it. In those circumstances, the relevant conditions for an MPN exist, and I struggle to understand why none transpired.

I do note that the laptop thefts were in August 2010, but this was after DPA provisions conferring the power on the IC to serve MPNs were commenced. I also note that the data subjects appear to have been criminals, but information about criminality is sensitive personal data under the DPA and accorded a higher level of protection.

I’ve asked the ICO on Twitter if they can tell me why MPNs were not served. I don’t really expect an answer – it’s a thorny question, and probably doesn’t qualify as an FOI request, but I am, genuinely, interested to know. If anyone has any ideas, I’d like to hear them.


Good Lord!

On Lord Selsdon and the subject of criminal offending under the Data Protection Act

There was much astonishment yesterday, after a peer of the realm, the 3rd Baron Selsdon, claimed in a debate about littering in the House of Lords that he sometimes gets private information about people throwing litter from cars, and later telephones them to admonish them:

I have followed them occasionally and, for a bit of fun, have taken a note of their vehicle registration numbers. Occasionally, because I have friends in the DVLA, I manage to find their telephone number and I give them a ring

Several media outlets point out that, if this were true, it could be a breach of the Data Protection Act 1998. For instance, the Independent says

If Lord Selsdon did access information from the DVLA in this way, there may have been a breach of the Data Protection Act 1998, which requires organisations such as the DVLA to keep personal information secure

This isn’t wrong, but it overlooks that not only could it be a DPA breach, it could also be a criminal offence committed by the noble Lord and his “friends in the DVLA”. I note that the Telegraph touches on this, but doesn’t clearly explain why the criminal law might be engaged (it focuses on the DPA requirement that organisations should keep data secure).

(It should be noted that I am not accusing Lord Selsdon or his friends of committing an offence – nothing has been proven and he has so far declined to comment, while the DVLA are said to be investigating. Additionally, it does occur to me that sometimes one exaggerates when one is trying to impress one’s P̶e̶e̶r̶s̶ peers – the 3rd Baron might simply have been gilding his oratory lily.)

Nonetheless, under section 55 of the DPA a criminal offence is committed if, “without the consent of the data controller” (which here is the DVLA itself, not its individual employees), a person “knowingly or recklessly…obtain[s] or disclose[s] personal data or the information contained in personal data”. An offence will not be committed if the obtaining or procuring was necessary “for the purpose of preventing or detecting crime” or if the person acted in the reasonable belief that he had the legal right to obtain or disclose the data, or that he had the consent of the data controller, or if the obtaining or disclosing were in the public interest. What “necessary”, “reasonable belief” and “public interest” mean must be considered in light of the purposes for which the obtaining or disclosing occurred. So, for instance, if a serious crime were averted by such an action the elements of the offence might not be made out, but, distasteful and irritating as some of us find it, littering is certainly not a serious crime. Equally, someone who mistakenly thinks he has the right to obtain or disclose data might avoid the offence, but someone who says that he did it “for a bit of fun” by contacting “friends” might not.

Examples of successful prosecutions for this offence are: a letting agent and one of its directors who obtained details about a tenant’s finances from a rogue council employee; a gambling industry worker who obtained and sold gamblers’ personal details; a GP’s receptionist who obtained medical data about her ex-husband’s new wife.

The offence is also very much in the headlines following Lord Justice Leveson’s inquiry into the culture, practices and ethics of the press, which recommended strengthening of prosecution and sentencing powers under the DPA. Some journalists are perhaps understandably concerned that the practice of investigative reporting could be compromised by too robust a statutory scheme which criminalises the obtaining or disclosure of information by unofficial means.

Lord Selsdon will no doubt be regretting his apparent throwaway remarks.


Bank-bashing by the Court of Appeal

The conduct was…intimidatory and controlling…If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires

The Court of Appeal has held that the Bank of Scotland is liable for harassment in making hundreds of calls to someone who exceeded her overdraft limit.

With the Information Commissioner taking recent robust action we all know that the making of unwanted calls by commercial organisations can be a breach of The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.

However, a recent Court of Appeal judgment has held that this practice can also constitute harassment, even when the calls are made by one’s own bank, in pursuit of a debt.

In Roberts v Bank of Scotland the claimant – a valiant litigant in person – had sought and was awarded damages in the County Court in the sum of £7500, under section 3 of the Protection from Harassment Act 1997. The Bank appealed, both on liability and quantum, and I suspect they wish they hadn’t.

The claim was made after the Bank made 547 calls in little more than a year, arising from minor instances of exceeding overdraft limits. Ms Roberts did not want to speak to call centre operatives, and had apparently sought unsuccessfully to speak to her local branch manager. Many of the calls were intimidatory, albeit couched in polite language. Despite Ms Roberts repeatedly asking for them to cease, she was told the calls would continue.

The Appeal Court had no hesitation in dismissing the Bank’s appeal, and did so in extraordinarily disapproving terms.

This was, undoubtedly, a course of conduct which amounted to harassment and which the bank knew or ought to have known amounted to harassment:

…the bank’s conduct in the present case easily crosses the threshold. It was harassment which could have been prosecuted in the criminal courts. In the event, and fortunately for the bank, this matter simply comes before the civil courts as a claim for damages [¶45]… The bank must have been perfectly well aware of the phone calls which it was making [¶47]

and the Bank could not fall back on the fact that it was pursuing a debt – there were other ways to do this, given that Ms Roberts had repeatedly asked for calls to cease. Although initially “it made perfectly good sense for the bank to write to the claimant and also to telephone her” this did not mean that all future calls were legitimised

The existence of a debt…does not give the creditor the right to bombard the debtor with endless and repeated telephone calls. The debtor is fully entitled to say that he does not wish to talk to the creditor. In those circumstances, the creditor is thrown back upon his full legal remedies. That is what the courts are there to provide…the claimant made it abundantly plain that she did not wish to receive telephone calls from the bank. She was perfectly entitled to adopt this position. Once the bank had tried to telephone the claimant a few times and had received the same response on each occasion, it was obvious that telephoning the claimant would achieve nothing. Thereafter, there was no possible justification for continuing to ring the claimant up [¶32-33]

All three judges were clearly very unsympathetic to the Bank’s arguments. A selection of their asides:

If [counsel for the Bank] is right in saying that the only practicable means by which a bank can contact defaulting customers is the method adopted in this case, then banks had better build into their costings the damages which from time to time they will be called upon to pay to those customers.[¶50]

The conduct was, as the judge said, intimidatory and controlling. In short, it was, in my judgment, obviously unlawful harassment. If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires [¶62]

The bank should respect the rule of law and therefore it should, in the light of the judgments of this court, revise its systems and desist from any tortious conduct, and not simply factor into its working and operating costs the fact that from time to time the bank will have to pay damages for harassment [¶65]

That last comment, and indeed the judgment as a whole, is pretty ominous for any organisation seeking to pursue and persuade debtors by a process of repeated phone calls (for which, now read “potential harassment”) when the recipient has asked them to desist. Lord Justice Jackson suspects his comments might be greeted with “derision in the boardrooms of the banks”: I suspect they may also be greeted with consternation, and concern about the future of an element of banking practice which has effectively gone on unchecked for years. They would hardly have brought this appeal, over what is for them a minute sum of money, unless they thought the case had wider implications which threatened their business practices.

They now will need to lick their wounds, and reconsider their approach to commercial morality and legality.

postscript

From this post on the excellent choptheknot blog it appears that similar principles were followed in another case involving the Bank of Scotland: Johnson v Bank of Scotland plc [2013] All ER (D) 193


FOI timescales decisive for public law claim

An FOI request is used to show when the clock for bringing a claim starts ticking

As I am neither Scottish nor a lawyer, I make a foray into Scottish law with a distinct lack of confidence. However, I notice an interesting* case in the Scottish Court of Session, where the dates relating to a request for information were crucial in deciding whether a claim could continue.

The pursuer (equivalent to the claimant in England and Wales) was Nationwide Gritting Services (NGS), and it is aggrieved at, as it claims, missing out on the opportunity in 2010 and 2011 to tender to supply de-icing salt to Transport Scotland. The preliminary matter before Lord Woolman was whether the claim for breach of the then-in-force Public Contracts (Scotland) Regulations 2006 (“the Regulations”) was time-barred. The key issue, for the purposes of deciding when the time limits for making the claim began (applying the authority of the European Court of Justice in Uniplex (UK) Ltd v NHS Business Services Authority), was to determine the date on which NGS knew or ought to have known of the alleged infringement.

The claim had to be brought within three months of the date when the grounds for bringing the proceedings first arose. NGS served the summons in the present action on 28 August 2012. Accordingly, the critical date is 28 May 2012. The Scottish Ministers contend that NGS had the grounds to bring proceedings prior to that date (¶5)

Although there had been media coverage of salt-procurement matters in 2010, and some contact between an agent of NGS and Transport Scotland in 2010, it was only when another customer stated that Transport Scotland had purchased de-icing salt that NGS decided to make enquiries. On 30 April 2012 it sent an email headed “Formal Request for Information on Procurement Process for Salt” to Transport Scotland. It is not clear whether it cited the Freedom of Information (Scotland) Act 2002 (FOISA) but it appears that Transport Scotland properly treated it as a request under the same, because they replied on 30 May 2012 – the twentieth working day following receipt. Thus, contended NGS, 30 May was the date on which it had the requisite knowledge to bring a claim under the Regulations.

The judge agreed. Although NGS might have had “suspicions” in 2010 and 2011 that Transport Scotland had acquired salt, it had no “hard information”. When it received “hearsay evidence” from its customer it acted to enquire whether this was correct. The wording of its FOISA request (even though it had stated that NGS was “of the opinion” that proper process had not been followed) should not be taken to mean that it had “sufficient information to make an informed decision”. Only on 30 May 2012 had NGS’s suspicions “ripened into hard knowledge”.

Consequently, the claim can proceed:

as at 28 May 2012, NGS only suspected that an infringement has occurred. That suspicion was unsupported. Accordingly the grounds for bringing proceedings had not arisen by that date (¶30)

Of course, on one view this makes perfect sense and is uncontroversial. People don’t normally make FOI requests unless they want to receive new information.

I don’t for a second claim the case is ground-breaking, but it is interesting for showing that the strict deadlines applying to FOI requests can potentially be useful for drawing a line in the sands of litigation.

(*Indulge me – I happen to find judicial analysis of salt procurement interesting.)


The Fog of War (on Drugs)

A recent Freedom of Information (FOI) request to Nottinghamshire police by a local newspaper resulted in the press headline

Police winning war on production of cannabis in county

The request was apparently for “the number of cannabis farms discovered” in the county, and the number of arrests in relation to production of the drug. Over a five year period the data showed that both were down, by 19% and 25% respectively. The paper reported that

Police say the figures prove a crackdown on cannabis production is having an impact

Do the figures prove that? I don’t think so. In fact, I think you could just as reasonably extrapolate that, for instance, police are actually “losing the war on drugs” and have chosen to expend fewer resources in discovering the farms, or, that producers have got a lot better at hiding them. The figures don’t “prove” these assertions either, but each seems to me to be as valid a conclusion as the one reported.

I read the article in light of an exchange on Twitter about whether public authorities, when responding to FOI requests, were entitled to include a statement to be used in the event that the requester wished to publish an article.

Provided that the response to the FOI request itself is compliant with legal requirements I see no problem with this approach, which is really only an extension of the practice of providing explanatory comment to FOI disclosures.

What I would be critical of, though, is an unquestioning approach by journalists to such accompanying statements.
