Substantial distress or just a nuisance?

Can a large number of nuisance calls to a large number of people, none of whom individually suffers substantial distress, still equate to cumulative substantial distress, for the purposes of the PECR (and the DPA)?

I blogged recently in praise of the enforcement action taken by the Information Commissioner’s Office (ICO) against nuisance-caller companies, and I see that a further penalty notice has been served this week, on a “marketing company”. With considerable reluctance, though, I am drawn to a view that the ICO might be taking a flawed, or at least questionable approach to the enforcement. I say “reluctance” because I think the problem of nuisance calls is one that calls out for strong enforcement powers and the will to exercise those powers (I also think it’s a problem, by the way, that the BBC should, without apparent comment, continue to broadcast a programme which provides a platform for two companies who have received penalties totalling £225,000 for engaging in the practice).

The enforcement action is taken under the ICO’s powers conferred by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The latter imported into the former the powers conferred on the ICO by the Data Protection Act 1998 (DPA) to serve, in appropriate circumstances, a civil monetary penalty notice (MPN) on a data controller where

(a) there has been a serious contravention of section 4(4) by the data controller,

(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and

(c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller—

(a) knew or ought to have known —

(i) that there was a risk that the contravention would occur, and

(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b) failed to take reasonable steps to prevent the contravention.

(emphasis added)

What all this means, effectively, is that the ICO has two powers available to serve an MPN (to a maximum of £500,000): firstly, for a qualifying breach of the DPA, secondly for a qualifying breach of the PECR. He has exercised the former several times over the last three years, but has only exercised the latter more recently (the first time was in November last year). MPNs under the DPA have been for egregious breaches (e.g. highly sensitive information faxed numerous times to the wrong recipients, loss of unencrypted memory stick with details of people linked to serious crimes). In these circumstances it has not been difficult for the ICO to be satisfied that

such a contravention would be of a kind likely to cause substantial damage or substantial distress

However, what about when hundreds of nuisance calls have been made to hundreds of individuals? It is surely in the nature of nuisance calling that it is rarely (although not never) going to cause an individual substantial distress. The ICO says, in what appears effectively to be standard wording in PECR MPNs

The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress as required by section 55 (1) (b) because of the large numbers of individuals who complained about these unsolicited calls and the nature of some of the complaints they gave rise to…Although the distress in every individual complainant’s case may not always have been substantial, the cumulative amount of distress suffered by the large numbers of individuals affected, coupled with the distress suffered by some individuals, with some receiving multiple calls, means that overall the level was substantial.

In adopting this “cumulative distress” approach the ICO refers to his own guidance about the issuing of monetary penalties issued under section 55C (1) of the DPA. This guidance (which applies to PECR as well as DPA) says

The Commissioner does…consider that if damage or distress that is less than considerable in each individual case is suffered by a large number of individuals the totality of the damage or distress can nevertheless be substantial.

As far as I am aware this approach has only been used when issuing PECR MPNs, not DPA ones. But is it the correct approach? I’m not so sure. The law requires the contravention (of the PECR or DPA) to have been of a kind likely to cause “substantial distress”, not “substantial instances of distress” and one could argue that, if the latter is what Parliament intended, Parliament would have said that (although, as is often the case, one can turn that around and say, if Parliament had not intended the ICO to cumulate instances of distress it would have restrained him from so doing). To me, though, the ICO’s approach seems wrong. But when I put the scenario to two lawyers, they agreed with the ICO, and to two lay-people, they agreed with me. I’m not sure what the lesson to be drawn there is.

I suspect this will be tested, and I note that Christopher Niebel’s appeal of his PECR MPN is listed for a five-day hearing before the First-tier Tribunal in October. And Sony’s appeal of their DPA MPN is listed for a four-day hearing before the First-tier Tribunal in November. Although the “cumulative distress” approach was not explicitly cited by the ICO in Sony’s MPN, one could argue that finding out that a data controller has lost one’s name, address, email address, date of birth and account password is unlikely to be capable of causing individual substantial distress.

I should stress that I think there should be sanctions for organisations which commit serious contraventions affecting large numbers of people, even where individual distress is not substantial. I think that nuisance caller companies are, er, a nuisance, and deserve to be targeted robustly by a regulator. And I actually hope I’m wrong on the meaning of “substantial distress”.

Postscript:

Very interestingly (well I think so) there are reports that the government is considering proposing legislative changes to alter the threshold whereby substantial damage or substantial threat must be demonstrated. Whether this is simply to bring larger numbers of nuisance-calling companies into the ICO’s sights, or whether it is to address perceived weaknesses in current legislation remains to be seen (it might be both, of course).

Postscript 2:

Recently-published minutes from the ICO’s Management Board of 22 July support my view. They say

Civil monetary penalties for offences under PECR were discussed further. There are concerns about the requirement to show substantial damage and distress when what was happening was minor inconvenience to many people; ie in receiving spam texts.

Niebel’s appeal is happening this week (Sony dropped theirs). We will know soon whether the laudable attempts by the ICO to punish nuisance calling will be defeated by what was perhaps inadequate legislative drafting.


Who’s to blame for the Ministerial Veto?

The people to blame for our not being able to see Prince Charles’ lobbying correspondence with the government are not the judges – it’s the people who passed the FOI Act.

So, perhaps to no one’s great surprise, the judicial review application by the Guardian’s Rob Evans of the Attorney General’s ministerial veto has failed. As three of 11KBW’s array of brilliant information law advocates were instructed in the proceedings, I am sure we will see a Panopticon blog post shortly, and I wouldn’t try to compete with what will be the usual clear and percipient legal analysis (for which, also, see this excellent post from Mark Elliott). However, I wanted to address what I see as a potential misapprehension that this was an expression by the High Court that it agreed that the Attorney General was correct to issue a certificate vetoing disclosure of correspondence between Prince Charles and government departments. While the natural outcome of the court’s judgment is that the correspondence will not be disclosed, what was actually to be decided, and ultimately was decided in the Attorney General’s favour, was whether the exercise of his powers was lawful.

Under section 53(2) of the Freedom of Information Act 2000 (FOIA) a decision notice issued by the Information Commissioner (IC) (or later remade by a tribunal) ceases to have effect if an “accountable person” (effectively, either a Cabinet Minister or the government’s senior law officer) issues a certificate stating that he has “on reasonable grounds” decided that there was in fact no prior failure by the government department in question to comply with a request for information under FOIA. It is a power of executive override of a decision made by the statutory regulator (the IC). Its place in the statutory, and constitutional, scheme is what people should be objecting to, particularly in light of what the court in this case found.

The case dates back to the earliest days of the commencement of FOIA. Evans had requested correspondence between Prince Charles and various government departments, but those departments had refused to disclose. In a detailed and complex analysis the Upper Tribunal (the case having been transferred from the First-tier Tribunal) last September decided that, although the FOIA exemption (at section 37) relating to communications with the Royal Household was engaged, the public interest fell in favour of disclosure of the information (two points of note: first, the section 37 exemption, which was at the time of the request a qualified one, subject to the application of the public interest, has since been amended to make it absolute; second, there were other exemptions engaged, but the section 37 was the focal one). 

There was potentially further right of appeal, to the Court of Appeal and, ultimately, the Supreme Court. So why did the government not follow this route? The Campaign for Freedom of Information have issued a press release in which their Director Maurice Frankel says “Ministers should have to appeal against decisions they dislike and not be able simply to overturn them”. I agree (of course) but the reason the government departments did not appeal in this case is because any appeal would have had to have been on a point of law – the more senior courts could not have substituted different findings of fact, or decided whether an exercise of discretion should have been exercised differently. In short, I suspect the government did not appeal because they knew they would have been unsuccessful (or rather, their lawyers would presumably have advised, as lawyers do, that the chances of success were low).

Davis LJ, giving the leading judgment in the High Court, identified that

The underlying submission on behalf of the claimant is, in effect, that the accountable person is not entitled simply to prefer his own view to that of the tribunal

to which he countered

why not? It is inherent in the whole operation of s.53 that the accountable person will have formed his own opinion which departs from the previous decision (be it of Information Commissioner, tribunal or court) and may certify without recourse to an appeal. As it seems to me, therefore, disagreement with the prior decision…is precisely what s.53 contemplates, without any explicit or implicit requirement for the existence of fresh evidence or of irrationality etc. in the original decision which the certificate is designed to override. Of course the accountable person both must have and must articulate reasons for that view…[It] is for the accountable person in practice to justify the certification. But if he does so, and that justification comprises “reasonable grounds”, then the power under s.53(2) is validly exercised. Accordingly, the fact the certificate involves, in this case, in effect reasserting the arguments that had not prevailed before the Upper Tribunal does not of itself mean that it is thereby vitiated

The power to issue a certificate exists under section 53(2), even if, as Lord Judge said, such a power “appears to be a constitutional aberration”. If it exists, it can be exercised, subject to it being done so lawfully. To admit of another interpretation, says Davis LJ, would be (taken with the claimant’s other arguments) to

greatly [narrow] the ostensible ambit of s.53. As a matter of statutory interpretation I can see no justification for such a limitation, either on linguistic grounds or on purposive grounds

Parliament chose to enact s53, and any potential inherent constitutional imbalance or threat to the rule of law in its having done so is overcome by the availability of judicial review:

for the purposes of s.53 of FOIA, Parliament has provided the procedure by which this statutory provision is to be mediated. It is to be mediated, on challenge by way of judicial review, by the courts assessing whether the Secretary of State has certified “on reasonable grounds”. That involves no derogation from the fundamental principle of the rule of law: on the contrary, it is an affirmation of it.

For the same reasons, any challenge as to whether the exercise of the veto (as applied to environmental information under the Environmental Information Regulations 2004) offends the relevant sections of the originating EC Directive and the Aarhus Convention (specifically, those that deal with the need to have a “review procedure”) could also be met by reference to the availability of judicial review (although one wonders, along with the Aarhus Convention Compliance Committee, whether judicial review meets the requirement to be not “prohibitively expensive”).

And ultimately, and relatively straightforwardly, it fell to the court to

consider whether the Attorney General has shown in the present case reasonable grounds for certifying as he did…[and] the Statement of Reasons appended to the certificate, once carefully read and analysed, does indeed demonstrate such “reasonable grounds”. The views and reasons expressed as to where the balance of public interest lies are proper and rational. They make sense. In fact, I have no difficulty in holding them to be “cogent”. Indeed – especially given that the Attorney General’s reasons and conclusions are in many respects to the like effect as those previously provided by the Information Commissioner – it will be recalled that the Upper Tribunal had itself, in paragraph 4 of its decision, acknowledged that there are “cogent arguments for nondisclosure”

So, if you want to criticise the fact that the Attorney General was allowed to veto disclosure of Prince Charles’ correspondence with the government, don’t criticise the judges, don’t even criticise (too much, at least) the Attorney General himself – rather, criticise Parliament which passed the law.

UPDATE: 25 July 2013

The Guardian reports that permission has been granted to appeal to the Court of Appeal.

 


Privacy in the workplace – Employment Appeal Tribunal ruling

The boundary between a person’s private life and their public activities is not easy to mark, and its position has shifted with development of human rights jurisprudence. Thus, a person attempting to commit suicide in public, captured on CCTV, was held to have had his rights under Article 8 of the European Convention on Human Rights breached when the footage was subsequently broadcast (Peck v UK [2003] ECHR 44).

Similarly, the question as to the extent to which an employer must respect an employee’s privacy rights in the workplace, or the working environment, is no longer simply answered by reference to the terms of the employment contract. In addition to the employee’s Article 8 rights, the employer must have regard to the Data Protection Act 1998 (DPA) for which there is guidance, in the form of the Employment Practices Code, published by the Information Commissioner’s Office under section 51(2) of the DPA (“the ICO Code”).

All of these issues are addressed in an interesting recent judgment handed down in the Employment Appeal Tribunal (EAT). The case – Swansea Council v Gayle – was an appeal from an earlier Employment Tribunal (ET) decision, which had found that Mr Gayle had been unfairly dismissed (although it also found that he had not been wrongfully dismissed, nor racially discriminated against). He had twice been observed at a leisure centre during working hours and was subsequently covertly filmed several times by an investigator while leaving, or being in the process of leaving, the same leisure centre at times when he was claiming to be working.

The ET determined that, even before the covert filming had begun, the employer had had sufficient evidence to support its suspicions that its employee had been untruthful about his activities during working hours:

There was no longer a legitimate reason (or for Article 8 purposes, a legitimate aim) to place him under covert surveillance.  Even if there was a legitimate aim the Council’s manner of doing so was disproportionate and unjustified

Accordingly

the process by which the Council dismissed Mr Gayle involved an unjustified interference with his Article 8 right to a private life…the circumstances of his dismissal fell within the ambit of Article 8; the state had a positive obligation to safeguard his Article 8 right (as, indeed, did the Council as a public body); in all the circumstances, the Council’s interference with that right was unnecessary and disproportionate; the fact that the Council had a permissible reason to dismiss Mr Gayle is not by itself sufficient since it could have fairly dismissed him without such interference

As the EAT said, this amounted to the rather odd proposition that

the dismissal was unfair because the investigation was too thorough

Therefore they accepted the three-part submission that there could be no breach of Article 8(1) (“Everyone has the right to respect for his private and family life, his home and his correspondence”) because

First, the photography was in a public place of somebody in a public place…Next…this was at a time when the Claimant was “on the clock”; it was in his employer’s time…An employee can have no reasonable expectation that he can keep those matters private and secret from his employer at such a time…Thirdly…the Claimant here was a fraudster; he was busily engaged on his own business whilst receiving his employer’s money for his employer’s business…a person in such circumstances can have no reasonable expectation that their conduct is entitled to privacy

Because no breach of Article 8(1) had occurred, there was no need for the EAT to consider arguments for justification under Article 8(2). However, had they had to, they would have held that interference was justified in pursuance of two legitimate aims. Firstly the prevention of crime, and secondly

the protection of the rights and freedoms of others, the “others” here being the employers whose money was at stake and who had contractual rights in agreement with the Claimant that he would behave in a way in which as it happened he did not

The EAT was particularly critical of the ET’s reliance on an apparent breach by the Council of the ICO Employment Practices Code. The ET had found that the Council’s apparent ignorance of the Code, in conducting the covert filming as it did, constituted a breach of the DPA which rendered the dismissal unfair. The EAT attacked the logic of this approach

[the ET says] that that ignorance would be such that the result would be that its investigation could no longer be considered reasonable; it does not say why.  It is not obvious to see why ignorance of a code which the employer was not bound in law to have regard to in any event would render an investigation into the wrongdoing of the Claimant unreasonable when it would otherwise have been reasonable

The EAT notably did not say that the Council’s actions were or were not permissible under the DPA, or the Code, but rather that the ET

in criticising the employer for covertly filming the Claimant was not dealing with any matter relevant to the fairness of the dismissal

This case does not break any new ground, but the EAT did observe that no authority had been drawn to their attention which suggested that covert filming in a public place of claimants in personal injury cases had been held to be in breach of Article 8 (provided there were no alleged breach of the Regulation of Investigatory Powers Act 2000). And this case suggests that an Article 8 complaint about covert recording in a public place within an employment context is similarly unlikely to have much chance of success, despite what might be (in the EAT’s description of the ET’s feelings) “the Tribunal’s distaste for the employer’s use of covert surveillance”.


ICO Social Media Guidance – Shirking Responsibility?

The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.

The Guidance

Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public on “Social networking and online forums – when does the DPA apply?” The short answer, applying European law, should be “always”. But this would a) make the guidance rather short, and b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.

The guidance says

The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes

There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.

The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.

This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.

The Law

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that

This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity

and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing

of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

These provisions are given domestic effect in section 36 of the DPA, which says

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]

In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that

[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people

Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said

the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]

Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.

The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says

the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication

Try as I might I cannot square this with the ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation, that

There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…
One might take a moment to reflect on what is being said here. The paper’s author appears to understand the meaning of Lindqvist, regarding the lack of exemption for information posted openly on the internet, but says the ICO doesn’t (wholly) accept what is the binding decision of the ECJ.
One possible justification for the position lies in the additional wording Parliament inserted into section 36 of the DPA relating to “recreational purposes” (although, as I note above, the new guidance doesn’t put much emphasis on this). It is perhaps possible to construe – as the ICO clearly does – this to permit the section 36 exemption to extend to internet publication of personal data. Indeed, the apparently interminable infraction proceedings brought against the UK by the European Commission (tracked doggedly by Dr Chris Pounder) for numerous examples of apparent lack of proper domestic implementation of the Directive include criticism that
the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.
However, even if this addition of “recreational purposes” to the UK statutory scheme arguably extends – perhaps impermissibly – the ambit of the exemption, the ICO was told in unequivocal terms in The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB) that
The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully
In Kordowski the ICO had been asked by the Law Society to intervene to prevent the publication of defamatory and unfair postings on a website called “Solicitors from Hell”. The ICO had declined, citing – in a letter to the Law Society – the domestic purposes exemption as the reason for not investigating
I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.
Tugendhat J expressed his sympathy
with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works
but said that the ICO had an obligation to investigate a complaint “where there is no room for argument that processing is unlawful”.
The ICO (in the form of David Smith, the Deputy Commissioner responsible for data protection) has argued that the mistake the ICO made in the Kordowski matter was in holding that the site owner and administrator (Kordowski himself) was covered by the section 32 exemption. He does not appear to accept that the people submitting the “ratings” and comments about solicitors were not covered by the same
we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]
While this is an interesting argument, that the site owner, as clearly the primary data controller, holds some sort of primary liability for publication on his or her site, while those posting on it are exempt because of the domestic purposes exemptions, it is hugely problematic. This is because, firstly, it is inconsistent with the judgment in Lindqvist and, secondly, becuase it tends towards an illogical argument that an individual commenter on a site, perhaps a social media site, posting a defamatory, or even a criminal, statement, does so only for domestic purposes.
European developments
In Kordowski the judge’s sympathy rested in part on the fact that the DPA, and the ICO who must regulate it, are creatures of the 1995 Directive
In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities
In Janaury 2012 the European Commission began the lengthy process of introducing a new European data protection framework. The draft General Data Protection Regulation (GDPR) retains exemption provisions for domestic activities, and introduces new concepts: Article 2(2) states
This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]
and Recital 15 explains
This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]
This might shift the scenery set by Lindqvist to a degree, and it is possible that the ICO’s guidance, although dealing with the current DPA, was written with an eye on the European developments. Indeed, the rest of Recital 15 says
the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
However, it is to be noted that Peter Hustinx, the European Data Protection Supervisor, did not think the draft domestic purposes provisions of the GDPR were adequate
Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes on a wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall under the exemption.
But a final development has occurred with the release on 31 May of the Irish Presidency of the Council of the European Union’s Justice and Home Affairs draft compromise text, which adds to Recital 15 the following words
Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
One wonders if the ICO was aware, when drafting his Social Media Guidance, of this development. However, and while it remains to be seen what the GDPR will ultimately say, much could still turn on what “undertaken within the context” means within Recital 15.
And we should not get ahead of ourselves. The ICO regulates the DPA, and as the (European) law currently stands, the act of referring to a person on the internet does not attract the domestic purpose exemption. The ICO guidance implies it might. Will this be challenged?


CQC allegations and data protection

Data Protection laws have been said to be behind the decision not to name CQC officials alleged to have covered-up a damning internal report. Oh really? Well, yes, perhaps, I argue.

News bulletins today lead with the story that the Care Quality Commission apparently engaged in a cover-up of an internal review report critical of its oversight of University Hospitals Morecambe Bay in 2010, an NHS Trust now subject to investigations over the deaths of at least eight mothers and babies. The allegations of a cover-up were made by a whistleblower interviewed as part of an investigation by Grant Thornton, who were commissioned by CQC to look into its own activities. Potentially particularly damning are remarks at the time attributed to a senior manager at CQC regarding the alleged suppression of the original internal review report

Are you kidding me? This can never be in a public domain, nor subject to FOI

The Grant Thornton report, as published, has redacted the name of this senior manager and a colleague. And the Data Protection Act 1998 (DPA) is pleaded in defence of the redaction. As the Telegraph reports

The names of two individuals who ordered the destruction of evidence of the Care Quality Commission’s failure to investigate the University Hospitals of Morecambe Bay NHS Trust have been redacted from an official report…David Prior, the new chairman of the CQC, said that the names had been redacted because of “data protection concerns” and because the watchdog fears being sued…“to publish it with the names would breach the Data Protection Act. We would have been open to being sued on that basis”

As a number of people have pointed out, this is certainly questionable. Ben Bradshaw MP is reported by the Guardian as saying in Parliament that

the [Data Protection Act] allows exceptions in cases where protecting the public is an issue

and, in a thundering editorial, Health Policy Insight say the decision

is, quite simply, bullshit…Nor is it just a minor pellet of bullshit. This is epic, hog-whimpering and noxious bullshit…The Data Protection Act affords specific exemption at Section 55 2(d) “to a person who shows … that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”…Moreover, the Information Commissioner’s Office, which enforces the Data Protection Act, is explicit in its advice on Principles One and Two (those dealing with an individual personal data) that fairness is crucial: “it depends on whether it would be fair to do so … personal data must not be processed for any purpose that is incompatible with the original purpose or purposes”

While I admire the level of polemic, HPI are rather mistaken in their analysis of the DPA. And I submit that it was not necessarily wrong for David Prior to be advised that disclosure of the name of the person might breach the DPA. I would stress that I am not suggesting that those responsible for failures at CQC should not be accountable for those failures, nor, if it is true that the original internal review report was suppressed, that those who did so should not also be accountable. What I do suggest is that, on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage. I say this despite the parliamentary statement by the Secretary of State for Health, to the effect that he had not wanted the redactions, and that

There should be no anonymity, no hiding place, no opportunity to get off scot free for anyone at all who was responsible for this

(On this, we should perhaps remember the unlawful decision by Mr Bollocks [ed: Balls] peremptorily to require the dismissal of Sharon Shoesmith. Politicians are first and foremost politicians. They are not generally there to be lawyers or employers.)

The name of the person involved is clearly going to constitute “personal data” according to the definition in section 1(1) of the DPA. And, for these purposes, the “data controller” (with whom lies the decision as to whether to disclose or redact, and to whom liability for a breach of DPA attaches) is CQC itself. HPI cite section 55(2)(d) of the DPA, which broadly provides that the offence of unlawfully obtaining personal data does not apply if it has been done in the public interest. This provision deals with a criminal offence of inter alia disclosing personal data without the consent of the data controller. This clearly does not apply here.

HPI are correct, however, in pointing to the first principle (as listed in Schedule One) of the DPA, and its reference to fairness (although they are talking nonsense when they refer to the first two principles being those “dealing with an individual personal data” [sic] – the whole of the DPA applies to an individual’s personal data). The first principle provides that the processing (and disclosure of a name will be “processing” under the DPA) of personal data must be fair and lawful.

When deciding whether names of public officials should be disclosed (albeit in response to a Freedom of Information request) the Information Commissioner (ICO) says

[the public authority] must decide whether disclosure would breach Principle 1 of the Data Protection Act (the DPA), ie whether it would be fair and lawful to disclose the information.

Whether the disclosure is fair will depend on a number of factors including:

the consequences of disclosure;

the reasonable expectations of the employees; and

the balance between any legitimate public interest in disclosure and the rights and freedoms of the employees concerned…

These are the factors CQC would need to take into account, and one can see that a balancing exercise would ensue. The consequences of disclosure – of what appear merely to be allegations – for the person or persons involved could be grave, and be an important factor in identifying what his or her rights and freedoms are. On the other side, there would appear to be a clear public interest in disclosure, notwithstanding that, I repeat, these are mere allegations, on the basis that someone taking such a significant decision as to try (allegedly) to suppress publication of the adverse report should be accountable (as should the CQC as their employer) for such actions. The issue as to reasonable expectations is more difficult however. If the person or persons has been told in explicit terms that their name will not be disclosed, they may have very strong expectations that this will not happen. As to whether those expectations are reasonable, one would need to know the terms upon which any undertaking might have been given. Employment rights might well be engaged.

Also to be considered is that the naming of the person or persons in circumstances in which it might subsequently transpire that the allegations were not true could give rise to a successful claim in defamation. Indeed, as Robin Hopkins has observed, DPA is increasingly used as a primary claim in actions involving defamatory publications.

I repeat, none of this is to defend the actions of CQC, nor, if the allegations are shown to be true, to defend the actions of anyone who suppressed the report. It is simply to say that the DPA might be engaged at this point, and potentially breached if disclosure of names happened. Disclosure, in a clearly fair and lawful way, might follow in due course.

I note that the Deputy Information Commissioner is reported tonight as saying

The Data Protection Act does not specifically prevent people being named publicly, but instead talks about using information fairly and considering what expectations of confidentiality people may have had when providing their personal information.

It is important the Data Protection Act is not used as a barrier to keep information out of the public domain where there is an overriding public interest in disclosure.

David Smith is a clever and astute man. He did not say the names should be revealed. That is revealing.

UPDATE 20.06.2013

My attention has been drawn to last night’s episode of BBC’s Newsnight on which David Smith’s boss, Information Commissioner Christopher Graham, appeared. As the BBC itself reports, he said

“This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear.

“You have to process data fairly, you have to take into account people’s expectation of confidentiality.”

He said that was “obviously” the case with patient data in particular.

But when it came to officials, “there you have to apply a public interest test”, he added.

He said he was “not convinced” the CQC had been correctly advised.

He ended his short interview by saying “I think [the CQC] are going to have to look at this again”.

Fair enough. He’s right and I’m wrong then? Well, no – he still didn’t by any means say that disclosure now had to happen (and, in his role, he would have been very ill-advised to have done so).

And, prompted by further coverage, and a comment below by Dr Chris Pounder, who probably knows more about Data Protection than the entire staff at the ICO (and that’s not intended as an insult to the latter), I now feel that two other factors might be at play. First, if the allegations quoted in the Grant Thornton report amount to allegations of possible criminal offences (e.g. misconduct in a public office) then there is an arguable need to avoid prejudice to any police investigation. Second, if the person or persons referred to in the report have already taken steps to challenge its veracity – either as a whole, or in respect of specific comments attributed to the whistleblower – then it would be prudent of CQC not to disclose until that challenge (whether it be made informally, or as part of or precursor to legal proceedings) has played out.

That said, when the combined forces of the government and the Information Commissioner are leaning on the CQC at least to review the decision not to disclose names, it would be a bold move to continue to resist. They will though, no doubt, be advised that there remain potential legal risks in doing so, unless they are completely satisfied about the veracity of allegations in the report.

UPDATE 2, 20.06.2013

The CQC has now published the names previously redacted. The letter to the Secretary of State makes clear that

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

None of this changes my view that there was a clearly arguable legal basis for redaction. Data Protection is wrongly blamed for a lot of things but it was engaged in this instance.

This outcome also raises the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA. Am I wrong to hope that happens?


Cold Comfort for Cold Callers

In which I praise the ICO, and implore people to report nuisance callers.

I was in conversation with a group of friends recently, and the topic of nuisance calls came up. Each of my friends described continually receiving unsolicited, often aggressive, calls, despite the fact that they were registered with the Telephone Preference Scheme. I said they must complain to the Information Commissioner’s dedicated service because the ICO was now taking breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) seriously (actually, I didn’t say it in quite those terms, because although my friends like to deride me, I try not to give them too much ammunition). I got a lot of replies of “I might”, but also some of “it won’t do any good”. In support of the fact that it might do some good I was able to point to the three recent civil Monetary Penalty Notices (MPNs) for breaches of PECR issued to Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms and DM Design Bedroom Ltd.

And today, two more MPNs have been issued, to two companies owned by “Save Britain Money Ltd”, a company which, in what appear to be rather embarrassing circumstances for the BBC, is currently featuring in a fly-on-the-wall documentary series about call centres.

We need a regulator to take firm and public action for breaches of privacy laws, and it is pleasing to see the ICO doing so with nuisance callers. However, in order for practices to really change, nuisance callers need to be reported to the ICO, at every opportunity. The principle of a penalty pour encourager les autres only works if les autres are scared about what legal non-compliance can lead to.

And I note from a recent internal ICO report that, as at 10 June, both the DM Design and the McNeish MPNs were overdue for payment (Niebel has appealed his Notice). Penalties in the tens of thousands of pounds can potentially be ruinous for businesses. The ICO statutory guidance on MPNs provides that

a monetary penalty notice will not impose undue financial hardship on an otherwise responsible person

But this leaves open the possibility that an MPN might sometimes impose due hardship, on an otherwise irresponsible person. If future nuisance callers wilfully act irresponsibly, a financially-crippling MPN might not constitute undue hardship.

As someone who works in the public sector, and who trains other public sector partners in their obligations under the Data Protection Act 1998 (DPA), I can attest to the beneficial effect MPNs for DPA breaches (added to the willingness of the ICO to impose them) have had on data security and knowledge (it doesn’t half focus the minds of senior managers when you remind them that security vulnerabilities carry a risk of a £500,000 “fine”). Enforcement of the law does change things, and we should praise the ICO for what he is doing with nuisance callers, while continuing to report miscreants.

Now, how about some FOI enforcement…?


Information Rights and Wrongs Alternative Honours List

Martin Hoskins muses today on why – apart from those who’ve worked for the Information Commissioner’s Office – no data protection professionals have ever received royal honours. I can certainly think of a few information rights people whose selflessness and length of practice deserve recognition – Dr Chris Pounder, for instance, whose career in data protection spans five decades, or Maurice Frankel, without whom we might not even have an FOI Act. But, given that there’s little chance of this happening, I am today announcing an alternative

Information Rights and Wrongs Birthday Honours List

First up…

For services to the DfE, the Financial Times’ Chris Cook. Without Chris’s sterling efforts we would have little understanding of the devotion to the cause of ministers and SpAds at the Department for Education. Chris revealed that, such was this devotion, they spend much of their time and resources using their own home email accounts to do government work.

For services to public authorities in general, Alan M Dransfield, whose FOI campaigns mean there is now much greater clarity about how and when to treat FOI requests as vexatious.

For apparent defiance in the face of the law, Jim Shannon MP, who – as well as holding the title of least sexy MP – does not appear to have been registered with the Information Commissioner for at least three years, despite the fact that processing personal data without a registration is a criminal offence (unless there is an exemption).

For donations to the legal profession, Brighton and Sussex University Hospital Trust, who paid lawyers £178,000 in fees seeking to challenge an Information Commissioner monetary penalty, before withdrawing their appeal before it went to a hearing.

But there is one candidate which stands out above all others. A group honour, because no single individual could have (not) achieved all that they have (not) achieved. They are the inspiration behind a great new website, and they are the winner of the highest accolade, the Information Rights and Wrongs Arcana Imperii honour…

For sheer jaw-dropping contempt of the law, the Cabinet Office, who have decided to dispense with the need to observe the FOI Act. They are an inspiration for all of us and for as long as no effective enforcement is taken to ensure compliance, they will continue to be the shining beacon for all public authorities.


Savile and Dishonourable Information

The Cabinet Office is required by the Information Commissioner to disclose internal correspondence about the conferring of honours on Jimmy Savile. Despite there being strong public interest arguments in favour of non-disclosure, they are outweighed by those in favour of disclosure.

There is an odd phenomenon, when considering the application of qualified exemptions under the Freedom of Information Act 2000 (FOIA), that I like to think of as “the escalation of public interest factors”: if something is of great sensitivity, the corresponding public interest in disclosure is also great, with the result that the public interest in maintaining the exemption increases. This is, of course, strictly, nonsense, but it is a phenomenon that public authorities can sometimes find themselves experiencing.

I note the phenomenon in the Cabinet Office’s handling of a recent request for disclosure of information relating to the conferring of honours on the benighted, and sadly still beknighted, Jimmy Savile. The requester sought

any correspondence [that] exists between either civil servants or ministers discussing the award either of an OBE in 1971 or a knighthood in 1996 [the knighthood was actually awarded in 1990] to Mr Savile, prior to either award being made

The information was, said the Cabinet Office, exempt from disclosure under sections 37(1)(b) (the conferring by the Crown of any honour or dignity) and 36 (effective conduct of public affairs). They

…acknowledged that this was an exceptional case in light of the information that had come to light in 2012 concerning Jimmy Savile [but] precisely because this was an exceptional case…the public interest favoured maintaining the exemption

The Information Commissioner’s Office, in a well-argued (n.b. I don’t always criticise the ICO) decision notice, has rejected the Cabinet Office’s arguments. The relevant exemptions are engaged, says the ICO, and there is public interest in maintaining them. So, in relation to section 37, the ICO

accepts that disclosure of the information would, to some degree, undermine the confidentiality of the honours system. The Commissioner accepts that this presents some risk of creating a chilling effect for contributions to future discussions in relation to honours nominees

however

disclosure would enable the public to be better informed about the matters taken into account at times when the award of honours to Jimmy Savile was under consideration. In the Commissioner’s opinion disclosure of the withheld information that is the focus of this request would go a significant way to serving the public interest, the nature of which is unique to this particular case

The ICO

wishes to emphasise that in reaching this decision he does not dispute the argument that disclosure would to some degree undermine the confidentiality of the honours system, simply that the public interest arguments in favour of disclosure attract more weight

Similar factors obtain in relation to section 36. So, while ongoing inquiries into the scandal mean that officials involved need a safe space to discuss relevant issues

the Commissioner does not accept that the safe space…will be significantly encroached by disclosure of this particular information…This is because the information focuses on one, relatively narrow, issue, namely Jimmy Savile’s receipt of two honours. In contrast the terms of reference for the investigations are wide ranging and cover matters of a wholly different nature

and while

the Commissioner accepts that it can be argued that the effective conduct of public affairs could be materially affected if disclosure of information under FOIA undermined the confidentiality of the honours system…the significant weight that the Commissioner considers should be attributed to the public interest arguments in favour of disclosure [mean that] the Commissioner has concluded that the public interest…favours disclosing the withheld information

Finally, although the ICO agreed that names of junior officials involved in the discussion regarding the conferring of honours were exempt under the Data Protection Act 1998 provisions of FOIA, the same did not apply to more senior officials and others. Even though

the individuals would have had a reasonable – and indeed weighty – expectation that such information would not be made public…the Commissioner believes that the legitimate public interest is only met, or, perhaps more accurately, best met, by revealing not only the comments of the individuals but also revealing who made them so that the recorded deliberations about the awarding of the honours can be fully and accurately understood

When finely balanced decisions on matters of public interest result in a recommendation for public disclosure it is common for an appeal to the First-tier Tribunal to follow. The Cabinet Office will have to consider now whether it wants to be seen to be trying to suppress information about the conferring on a serial sexual offender of an honour which the Prime Minister himself has questioned.


Schools and Children’s Privacy

Parents, when confronted with the familiar complaint by a child that a parental decision “isn’t fair”, are entitled to say “I don’t care – what I say goes”.

Schools*, and their teachers, although acting in loco parentis, cannot necessarily do the same. Particularly in their role as public authorities they have obligations to act fairly and lawfully at common law, and under various statutes – not least the Human Rights Act 1998 (HRA). Article 8 of the European Convention on Human Rights, incorporated into domestic law by the HRA, famously provides everyone a qualified right

to respect for his private and family life, his home and his correspondence

Parents do not have to respect this in their dealings with their children: the latter cannot enforce the Article 8 right against a parent who demands access to their private correspondence, or who sends them to their bedroom for a spurious reason, or who uploads personal information to a dodgy cloud storage provider. Schools do have to respect the right – in loco parentis only goes so far.

I make this observation in light of research published by SafeGov.org and Ponemon Institute into the views of school staff on the use of cloud services in the education sector and the potential risks to student privacy. Among generally encouraging results (rejection of data-mining, seeing threats to student privacy as the top risk of cloud) was something less happy

Some schools admit to a conflict of interest regarding student privacy…47% say they might be tempted to trade student privacy for lower costs

If I were a child, or a parent, I would be tempted, in turn, to say “my (or my child’s) privacy is not yours to trade”. Rather, it is the school’s duty to protect that privacy, to the extent required by the law. Levels of privacy protection should not be related to cost (or only to the limited extent permitted by the second part of Article 8). Relatedly, the seventh principle of Schedule One of the Data Protection Act 1998 (DPA) requires a school, as data controller, to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

I would query whether a decision to adopt a software provider at lower cost, at the expense of student privacy, would be compliant with a school’s obligations under the DPA, or the HRA.

*I am talking about non-independent state schools


Transparency and the ICO

It is axiomatic that, under the Freedom of Information Act 2000 (FOIA), a requester is unlikely to know precisely what the information requested consists of. This means that a requester is at a (natural and fair) disadvantage if he or she wishes to challenge a refusal. How to argue, for instance, that the public interest favours disclosure of information, if you don’t know what the information is?

A requester will often be reliant, therefore, on the Information Commissioner (ICO), as independent regulator, or the judicial system, thoroughly to interrogate a public authority’s basis for non-disclosure.

Last year I made a FOIA request to the ICO’s office itself for copies of all Undertakings (not currently on their website) agreed by the ICO and data controllers following investigation of serious breaches of the Data Protection Act 1998.

The ICO kindly disclosed to me a large number of Undertakings, but withheld three, citing the exemption at section 22 of FOIA. This section provides an exemption to the general FOIA obligation to disclose information, if the information is held, at the time of the request, with a view to its publication at some future date (whether determined or not). Furthermore it must be reasonable in all the circumstances that the information should be withheld from disclosure until that future date. Section 22 is a qualified exemption, and, therefore, subject to the application of a public interest test. I was told by the ICO that the Undertakings

were not published at the time due to a risk of prejudice, in one case to a criminal trial and in the others to commercial interests. In light of your request we have revisited these considerations and find that they are still relevant

I’m a reasonable chap, and accepted that the ICO was well-placed to determine that the public interest did not favour disclosure. However, I thought they might be able to disclose the identities of the data controllers involved. So I made a FOIA request for that information.

This was also refused. I was told that one of the data controllers was News Group Newspapers and the Undertaking was

in connection with a cyber-security attack perpetrated against NGN for which criminal proceedings are ongoing. As we have previously indicated, the Undertaking will be published once the proceedings have been concluded

This was the case relating to a criminal trial, and it has now been published.

I was told though that the names of the other two data controllers were still exempt under section 22, as, even though the ICO accepted my argument

that prejudice is “unlikely to occur simply by disclosing the identity of the data controllers”, having consulted with the organisations involved, I am satisfied that there is a possibility that the release of even the identities could potentially damage the commercial interests of the Data Controllers

Well, after I waited a while, and then made a further FOI request, the names and Undertakings have now been disclosed. And I fail to see what the fuss was about: they related to some issues with residual data on legacy systems. I also fail completely to understand how, in any conceivable way, disclosure of the names of the Councils involved could have caused prejudice to their commercial interests, and I’d invite anyone else to explain to me how it could. If I am right, the argument that it was reasonable in all the circumstances that the information should be withheld from disclosure until a later date, and, indeed, the argument that the public interest favoured maintaining the section 22 exemption, fall away.

I could, of course, have appealed at the time, but the point is that I did not know what information was being suppressed, or why. I trusted the ICO to apply the law properly.

It is interesting to consider this matter of “trust” in light of an important recent Upper Tribunal (UT) case. Although that case was concerned with the use of “closed material” and “closed proceedings” in FOIA cases in the First-tier Tribunal (FTT) some points are arguably of general application to public authorities. One strikes me in particular

The other side of the coin concerning the application of the FOIA exemptions is of course that the requester may want to challenge the reasons and evidence which are advanced to establish them and thereby show that the requested information should be provided to him or her pursuant to FOIA…This competing right and interest within the FOIA scheme is founded on the right of access to information held by public authorities that is given by FOIA. So it is one of the starting points for the need for a decision-making process to weigh competing rights and interests [emphasis added]

I would argue (knowing now what I didn’t know then) that as one of the prime reasons for DPA Undertakings is to draw attention to serious breaches of the DPA (see ICO Guidance: Communicating Enforcement Activities) withholding this information under section 22 potentially is seen to undermine the regulatory functions of the ICO. I struggle to understand how the refusal to disclose the Undertakings, let alone the mere identities of the recipients, shows proper weighing of competing rights and interests.

On a final note, the guidance above also says

We will not risk damage to the reputation of the ICO by agreeing with an organisation that we won’t publicise our action or that we will give advance warning

I’m not sure how to square that with what I was told last year that

the Undertakings were signed on the understanding that they would not be publicised in the usual manner
