By me, on the Mishcon de Reya website.
Harassment of terrorism victims
[reposted from LinkedIn]
It is impossible to imagine claimants with whom one has more sympathy than Martin Hibbert and his daughter Eve, who each suffered grave, life-changing injuries in the 2017 Manchester Arena attack, and who then found themselves targeted by the bizarre and ghoulish actions of Richard Hall, a “conspiracy theorist” who has claimed the attack was in fact a hoax.
Martin and Eve brought claims in harassment and data protection against Hall, and, in a typically meticulous judgment Mrs Justice Steyn DBE yesterday gave judgment comprehensively in their favour on liability in the harassment claim. Further submissions are now invited on remedies.
The data protection claim probably adds nothing, but for those pleading and defending such claims it is worth reading Steyn J’s (mild) criticisms of the flaws, on both sides, at paragraphs 246-261. She has also invited further submissions on the data protection claim, although one wonders if it will be pursued.
Other than that, though, one hopes this case consigns Hall to the dustbin of history.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, judgments, UK GDPR
The missing page about the missing PhD
[reposted from LinkedIn]
[EDIT: you win some, you get the wrong end of the stick on some. It was pointed out to me that the ICO removes items from its disclosure log after two years, which is why the document no longer shows up, and in the comments below I was taken to a copy of the document at WhatDoTheyKnow. Both these points have been confirmed to me in an FOI response from the ICO. What mislead me into thinking there was something more going on was probably the Tribunal’s reference to a “new policy”: it clearly wasn’t so much a policy, as a statement that the ICO would rely on s17(6) FOIA to refuse to reply to future requests, on the grounds that a vexatious campaign was being pursued.]
This is plain odd.
For several years the The London School of Economics and Political Science (LSE), and, consequently, the Information Commissioner’s Office has had to deal to with FOI requests about former Taiwanese president Tsai Ing-wen’s “missing PhD dissertation” (for some background, see here (I don’t vouch for its accuracy)).
A number of these requests have been refused on the grounds of vexatiousness, with many upheld on referral to the ICO.
The Information Tribunal has recently given judgment on one of these, and ruled in favour of the appellant, holding that the request was not vexatious. But what struck me was the fact that both the appellant and the ICO cited in evidence a page (a hosted pdf, going by the URL) on the ICO’s website. The judgment says this
The Appellant stated in his grounds of appeal that after he had complained to the Commissioner about the Authority’s response to the Request, the Commissioner published on the ICO’s website (by reference to a disclosure log) a new policy of not processing FOIA requests seeking information on President Tsai Ing-wen’s PhD.
But a footnote (screenshotted here) correctly notes that the link does not go to this page, and further, I can’t find any sign of it on the UK government web archive or the Wayback Machine. An advanced Google search on the ICO website throws no light.
So I’ve made an FOI request to the ICO, and will update when I get a response.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Third party rights under FOIA
[reposted from LinkedIn]
In a Freedom of Information Act (FOIA) matter there are two parties with express rights and obligations – the requester and the public authority (PA) – with the potential for the regulator – the Information Commissioner’s Office – to become involved if there is a dispute.
But there is often a third party involved, and one who has no express rights under FOIA – the person to whom requested information relates. This can be a corporate, but sometimes it will be an individual (think, for example of MPs whose expense claims were sought from the Commons many years ago).
The code of practice issued by the Cabinet Office under section 45 of FOIA recommends as best practice that, where a PA receives a request for information where a third party’s interests are engaged, the third party should be consulted, and given the opportunity to make representations. But the Code is clear that those representations cannot bind the PA, and that the decision on disclosure is ultimately for the PA to make.
All of this should, of course, run its course within the 20 working days that FOIA allows for responding to a request. So quite how a request from 2019, to the Legal Services Agency (LSA) for Northern Ireland, regarding the grant of legal aid to a self-styled peace campaigner, has only just been determined in the High Court is a pressing question. Nonetheless, the judgment (though slightly odd) is worth reading.
The man in question, Raymond McCord, was invited to make representations on the request (made by a unionist MP), having been informed of the LSA’s intention to disclose. He brought immediate judicial review proceedings to prevent disclosure and the LSA undertook not to disclose until the ICO had given a view on the lawfulness of processing (I pause to note that the LSA’s suggestion that McCord had an alternative remedy by way of a complaint to the ICO after disclosure for a determination as to whether FOIA had been complied with was wrong in law, and flawed in logic).
The ICO gave an opinion in June 2020 that disclosure would likely be both unfair and unlawful, but stressed that the opinion “is in no way legally binding in this case, however, it should be of assistance to the court in making a final decision.”
No explanation is given in the judgment of why it then took over four years for the court to rule on the application. This is simply ridiculous.
Nevertheless, the court conducted a rather eccentric analysis of the authorities on disclosure of personal data under FOIA (and of various non-authoritative prior ICO decision notices) before determining, five whole years (rather than twenty working days) after the FOIA request, that the information should be disclosed, holding that “the applicant cannot complain of any breach of privacy in respect of his pursuit of high‑profile public interest litigation in circumstances where he himself has commented publicly on the issues”.
The judgment, ultimately, is rather unsatisfactory. The interim judgment (in 2020(!)) of Keegan J, which noted the undertaking by the LSA not to disclose pending the ICO’s ruling, discusses alternative remedies, and implies that McCord would have a right to appeal the ICO’s decision to the First tier Tribunal. However, this predates the Killock and Delo cases which make clear that there is no substantive data subject right of appeal from an ICO data protection decision through the tribunal system. In Killock the Upper Tribunal made clear that a substantive data subject challenge (rather than a procedural one) to the ICO should, indeed, be by way of judicial review proceedings.
And it remains the case that, if you are a third party who has an interest (maybe a profound interest) in information which a public authority is proposing to disclose, in response to a FOIA request, your rights are unclear and limited.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, FOIA, Information Commissioner, judgments, judicial review
Still no clearer on reprimands
[reposted from LinkedIn]
What is a reprimand, and how does the ICO decide to issue one? This, bizarrely, remains a bit of a mystery – apparently even to the ICO themselves.
Under Article 58(2)(b) of the UK GDPR the Information Commissioner’s Office has the power to issue reprimands to a controller or a processor where processing operations have infringed provisions of the UK GDPR.
Since January 2022 the ICO has issued 84 reprimands that it has made public (it’s possible there are others it hasn’t published – that’s certainly happened in the past). Yet there is still no clearly documented process that the ICO will follow to decide what might trigger the decision to issue a reprimand.
In February 2023 I was informed by the ICO that “there is no specific written policy or procedure covering the issuing of reprimands [but that they were] currently working on putting together a formalised process specifically for reprimands, which will be added to our Investigations Manual once finalised”.
So I followed this up recently (18 months on from the previous request). And I’ve had a couple of documents disclosed to me, one a checklist that begins “Once reprimand agreed…” and another on how to apply redactions, but, otherwise, there appears still to be no way of an organisation – or even the ICO themselves(!) – knowing what might lead to a reprimand being issued, and how the decision will be made.
So, six years on from the ICO getting the power, those organisations placed on the naughty step appear to be no clearer to understanding what exactly they did to deserve it.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, Information Commissioner, reprimand, UK GDPR
Is the purchase of a watch “private information”?
[reposted from LinkedIn]
An interesting (if it gets to trial) Northern Ireland case of Frampton and Van Der Horst [2024] NIMaster 17, in which the plaintiff former boxer (P) has sought damages in, variously, passing off, copyright, breach of confidence, misuse of private information and data protection, as a result of the defendant watch seller’s (D) publication of a YouTube video revealing that P had bought a watch from D.
P had obtained judgment in default and D sought to set this aside. In deciding to do so the master only had to determine whether the D has an arguable defence.
The analyses of whether the MOPI and data protection defences are arguable are interesting (and in the latter case, flawed).
On MOPI, the master noted that the “Murray factors” (“the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant, and the circumstances in which and the purposes for which the information came into the hands of the publisher”) will require consideration at trial, and also noted that the authoritative law books on the topic identify “personal financial and tax related information” as one of the types of information that will normally (but not invariably) be regarded as giving rise to a reasonable expectation of privacy. All these points could only, said the master, be determined by a trial judge, having heard all the evidence.
On the data protection claim, the defence consisted in an argument that D’s processing was based on his legitimate interests. Here, the master seems to have erred, in assessing that “This would appear a particularly weak argument as there was no express consent from the plaintiff and the purported legitimate reason for processing the data was effectively to make money, which is not an exemption under UK General Data Protection Regulations [sic]”. But, of course, reliance on Article 6(1)(f) UK GDPR legitimate interests does not (cannot) require the consent of the data subject; rather, it requires the controller’s legitimate interests to be balanced against the interests, rights and freedoms of the data subject. Nor is there any authority for the proposition that an interest or interests cannot be “legitimate” because they are commercial interests (indeed, the CJEU, in a finding which I am certain would be followed by the domestic courts, only last week ruled that a commercial interest is capable of being a legitimate interest).
This, of course, was not a fully argued case (the master only had affidavits and draft pleadings to go on). If the case goes to trial we may well see all of the claims more properly argued and considered.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, judgments, misuse of private information
Join NADPO, get free Tim Turner training
If I told you that you could secure attendance at two half-day online training sessions on data protection, with one of the UK’s leading experts and trainers, for the meagre sum of £130 and that payment bought you two years’ membership of NADPO, with all the other benefits that brings (regular webinars, a stellar annual conference, regular newsletters, discounts on training), you would snap it up, wouldn’t you?
Well, dear friends, that’s what we’re offering our members. On Wednesday 9 October and Wednesday 16 October the fantastic Tim Turner of 2040 Training will be delivering sessions exclusively for NADPO members. So, if you purchase a membership in the next few days you’ll be entitled to attend both sessions (plus get all those other benefits).
I can’t think how any rational person could turn such an offer down.
Filed under Data Protection, NADPO, Uncategorized
You must be taking the PSNI
[Reposted from LinkedIn]
The Information Commissioner’s Office has fined the Police Service of Northern Ireland £750,000 for the failings that led to the public disclosure of the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff, putting countless people’s lives at risk from dissident republicans. The fine would have been £5.6m if the ICO’s “public sector approach” had not been applied.
The disclosure was made in a spreadsheet attached to a Freedom of Information Act response. The spreadsheet was intended to disclose some information, but also contained a hidden tab, where the offending information was situated.
Eleven years ago I was asked to write a piece in The Guardian about the risks of hidden data in spreadsheets. At the time, as many of you will remember, these sort of incidents were prevalent in councils and the NHS. I called for the ICO to do more to warn, and, in fairness, they did. But the fact that this sort of incident was allowed to happen is shocking: the ICO notice points out that there PSNI would regularly create pivot tables to prepare information for disclosure, where the risk of data being hidden (but easily revealed) is particularly high.
The ICO announcement is unusual in that it also allows the Chief Constable of PSNI to comment, and – extraordinarily – to express that he is “extremely disappointed at the level of the fine” (despite the massive reduction over what it would have been if he was in charge of a private sector organisation).
Chief Constable Boucher – you got off lightly.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Can a nullity be deemed a legal notice?
[reposted from LinkedIn]
I wrote recently about the fact that the Information Commissioner’s Office appeared to have served countless decision notices under section 50 of the Freedom of Information Act 2000 on the wrong legal person:
Someone recently made an FOI request to ask why the Commissioner had changed… terminology, because some decision notices are addressed to, say, the “University of Exeter”, while others are addressed to the “Governing Body of the University of Exeter”. The answer given by the Information Commissioner’s Office is that was not a change of approach, but, rather, that the examples of the former were “due to an error.”
Obviously I’ve not had any response to that from the ICO, and didn’t really expect one. But I do note a recent Information Tribunal case where the ICO argued that the Tribunal did not have jurisdiction to hear an appeal from a decision notice, because the ICO had discovered it had been served on the wrong body, and it was therefore a “nullity” – it wasn’t, and never had been a proper legal notice:
the IC submitted the DN was served upon [Harrogate Integrated Facilities Ltd] a trading name of [Harrogate Healthcare Facilities Management Ltd] and that [the latter] was the correct legal entity upon which the DN should have been served. As the DN was not served upon the correct public authority it should be deemed a nullity. An application was made to strike out the appeal under 8(2)(a) of the Rules due to lack of jurisdiction in relation to the proceedings.
Interestingly, although the Tribunal did not dispute the fact that the notice had been served on the wrong person, it skirted over (or, rather, avoided totally) the “nullity” submission. Instead, the Tribunal decided that it would itself “deem” the notice to have been served on Harrogate Healthcare Facilities Management Ltd (rather than on the wrong entity).
The Tribunal’s reasoning is sound on a common sense approach (they noted that if the proceedings were struck out the ICO would then just serve an identical notice on the correct body, and the whole process would need to restart, which would involve a disproportionate use of resources). However, it seems to me very dubious from a legal point of view, and there may be strong grounds to argue that its decision to treat what was argued to be a nullity as a decision notice for reasons of expediency (and not dealing with the nullity point) was ultra vires.
It will be interesting to see if the ICO appeal. Especially as if they do, it may open up a floodgate of other cases which – on their submission – might also be nullities.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under FOIA, Information Commissioner, Information Tribunal, rule of law
Exempt from FOI? Hoyle say it is
[reposted from LinkedIn]
Although the Information Commissioner’s Office is tasked with enforcing the Freedom of Information Act 2000, the Act contains some provisions which have the effect of ousting the ICO’s jurisdiction. A little-seen one appears in a recent decision notice about a request to the House of Commons for information and correspondence in relation to events at the controversial Opposition Day Debate on 21 February 2024. Much of the controversy turned on the actions of the Speaker of the House, Sir Lindsay Hoyle, who later apologised.
Section 34 of FOIA creates an absolute exemption (i.e. not subject to a public interest test) if the exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament. But section 34(3) goes further, and says that
A certificate signed by the appropriate authority certifying that exemption…is, or at any time was, required for the purpose of avoiding an infringement of the privileges of either House of Parliament shall be conclusive evidence of that fact.
Such a certificate closes things down: it is not open to the ICO (or a court) to say “we disagree – the exemption is not required to avoid informing the privilege of House Houses”.
All very interesting, and the decision notice is still worth reading, to see how it all works.
But, who, you might ask, is the “appropriate authority” who signed this certificate?
Well, dear friends, section 34(4) FOIA says that, when the privilege of the Commons is at issue, the appropriate authority is the Speaker of the House – a certain Sir Lindsay Hoyle MP.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 