Tag Archives: FOI

ICO must disclose Motorman journalists’ names

The ICO has been ordered to disclose the names of some of the journalists referred to in “What Price Privacy” as having engaged the services of rogue private investigator Steve Whittamore.

In April 2006 the Information Commissioner’s Office (ICO) published “What Price Privacy?” on what it described as “the unlawful trade in personal information”. The report revealed

evidence of systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information

Those breaches were potential criminal offences under section 55 of the Data Protection Act 1998 (DPA), and the report – which drew on the findings of documentation seized during Operation Motorman, arising from the activities of private investigator Steve Whittamore – said

Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers

In December 2006 the six-month follow-up report “What Price Privacy Now?” was published. This gave further details about the 305 journalists mentioned in the first report, and broke the data down into “Publication”, “Number of transactions positively identified” and “Number of journalists/clients using the services”.

And of course, this trade in personal information formed the basis of the first module (“The relationship between the press and the public and looks at phone-hacking and other potentially illegal behaviour”) of part one of Lord Justice (as he was then) Leveson’s inquiry into the culture, practices and ethics of the press.

In 2011 a request was made under the Freedom of Information Act 2000 (FOIA) to the ICO, for (1) “the number of transactions per journalist of each of the 305 identified journalists for each of the 32 identified publications” and (2) the journalists’ identities. The first request was refused by the ICO, on the basis that it would require a search through 17000 documents, and, therefore, section 12 of FOIA provided a statutory cost limit which meant it did not have to comply. Having been given these apparent facts the requester dropped his first request, but pursued the second. This was also refused, on the basis that the information was exempt under section 40(2) and section 44 of FOIA (the latter by virtue of the statutory bar on disclosure at section 59 of the Data Protection Act 1998 (DPA)), in both cases because disclosure would be an unfair and unlawful disclosure of personal data of the journalists involved.

Because the ICO is the regulator of FOIA, a complaint about its handling of a FOIA request falls to be determined by the same office (a statutory arrangement which was to be described as an “unusual, and unsatisfactory, feature” of the law by the First-tier Tribunal (Information Rights) (FTT)). Accordingly, the office (describing itself as “the Commissioner”, as distinct from the “ICO”, which was the authority refusing the request) issued a Decision Notice which held that

the ICO correctly withheld the information by virtue of section 40(2). He has also found that the information could also be correctly withheld by virtue of section 44(1)

This decision was appealed to the FTT, which has today, after what has clearly been complex and strongly argued litigation, handed down three judgments (1, 2, 3) (two of which were preliminary or interim rulings, publication of which has been held back until now) which are, taken together, extraordinary, both for their criticism of the ICO, and for the outcome.

Taken as a whole the judgments find that, regarding some of the journalists named in the information held by the ICO, the balance of the public interest in receiving the information outweighs the legitimate interest of an individual to protect his or her privacy.

The FTT found that the information wasn’t sensitive personal data (which is afforded a greater level of protection by the DPA). This is at first blush rather surprising: section 2(2) of the DPA provides that sensitive data will be, inter alia, “data consisting of information as to…the commission or alleged commission by [the data subject] of any offence”. However, the FTT found that, although the information

does contain evidence that the investigator [Whittamore] engaged by the journalist committed, or contemplated committing, criminal activity. And, self-evidently, it discloses that the investigator received some form of instruction from the journalist. But there is no suggestion…that the journalist had instructed the investigator to use unlawful methods or that he or she had turned a blind eye to their adoption or, indeed, whether he or she had in fact expressly forbidden the investigator from doing anything that was not strictly legal [para 11 of third ruling]

The FTT had also invited submissions from the parties on the significance to the instant case of some of the passages from the Leveson inquiry, and, having received them, took note from those passages of

the issues of impropriety (which, while very possibly not involving criminality on journalists’ part, is nevertheless serious) and corporate governance in the context of the privacy rights of the [journalists]. We believe that, together, they give rise to a very substantial interest in the public knowing the identities of those who instructed the investigators [para 18 of third ruling]

But also tending towards favouring disclosure in the public interest was Leveson’s suggested criticisms of the ICO

We also give some weight to the public interest in knowing more about the information which was in the possession of the ICO and which the Leveson Report suggested it failed adequately to pursue [para 18 of third ruling]

The FTT noted the interests of the journalists, for instance that they would have had an expectation that details of their day-to-day professional activities would remain confidential, and that the Commissioner had argued that

publication of information indicating that they had engaged the services of the investigators concerned would be so unfair as to outweigh the factors in favour of disclosure [para 19 of third ruling]

but the FTT also noted, in effect, that the journalists involved must have had some idea of what was going on when they engaged Whittamore

it must have been well known within the profession what types of information could be obtained with the help of investigators, even if the means of obtaining it were not fully understood. The rights of individuals under data protection laws would also have been widely known at the time. In those circumstances those engaging the particular services…should have known that they ran the risk of becoming involved in behaviour that fell short of acceptable standards. This seriously dilutes the weight to be attributed to their privacy rights and leads us to conclude that the balance tips in favour of disclosure [para 19 of third ruling]

Accordingly, unless there is an appeal (I would be surprised if there isn’t), the names of some of the journalists who engaged Whittamore must be disclosed.

Other matters – criticism of ICO

In its preliminary ruling (November 2012) the FTT makes some trenchant criticism of the ICO’s handling of the requester’s first request (even though, as the requester did not pursue it, it was outwith the FTT’s jurisdiction). The refusal on costs grounds had been made, based upon a statement that the information requested had not been recorded in a database. Yet less than two months later the Leveson inquiry began, and, at that inquiry, evidence presented by the ICO effectively, in the FTT’s view, contradicted this statement

we do not understand how the Appellant could have been given such a misleading response to the First Information Request…as a result of the misleading information given to the Appellant, he was not able to pursue his request…We only became aware of the ICO’s error after the Appellant drew our attention to the evidence presented to the Leveson Inquiry regarding the Spreadsheets. We assume (and certainly hope) that those in the Commissioner’s office handling this appeal had not become aware sooner [para 28 of first ruling]

The ICO clearly did not take well to this criticism, because the second interim ruling records that

the Commissioner has complained about part of the decision which he believes includes unfair criticism of his office and has asked us to correct the impression given [para 3 of second ruling]

but the FTT stood firm, saying

We continue to believe that our criticism was justified. The Appellant was told that he was wrong to assume that any database of information existed that could be interrogated…However, it is now known that the ICO held the Spreadsheets at the time…[and although the information in them] may not have provided the Appellant with precisely the information he requested, but it would have come close. Against that background we believe that the ICO was open to criticism for asserting, without further qualification, that it would be necessary to search through the 17,000 documents in order to respond to the request. [para 6 of second ruling]


Filed under Confidentiality, Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Leveson, Privacy

Reducing regulation…by clogging up the courts

The only thing that made me stop laughing about the Cabinet Office’s arguments in a doomed Tribunal appeal was thinking about the cost to the public purse.

Soon after it was formed the coalition government made an admirable commitment to cut government red tape, by reducing the amount of domestic regulation

Through eliminating the avoidable burdens of regulation and bureaucracy, the Government aims to promote growth, innovation and social action

A Cabinet sub-committee – the Reducing Regulation Committee (RRC) – was set up, to “take strategic oversight of the delivery of the Government’s regulatory framework”.

Around the same time the government was also trumpeting its transparency agenda, with the Prime Minister saying, in an Observer article in September 2010

For too long those in power made decisions behind closed doors, released information behind a veil of jargon and denied people the power to hold them to account. This coalition is driving a wrecking ball through that culture – and it’s called transparency

One might not have supposed, therefore, that it would have been necessary in August 2012 for a request under the Freedom of Information Act 2000 (FOIA) to be made, for (merely) the number of times the RRC had met. Surely this is the sort of information which should be made public as a matter of course? But it was necessary. Moreover, this particular door stayed shut, despite the gentle tapping of transparency’s wrecking ball, when the Cabinet Office refused the request, citing the FOIA exemption which applies to information held by a government department which relates to (a) the formulation or development of government policy, or (b) Ministerial communications (section 35(1)(a) and (b)).

The Cabinet Office continued to argue that this exemption was engaged, and that the public interest favoured non-disclosure, when the requester complained to the Information Commissioner’s Office (ICO). And when the ICO held that, yes, the exemption was engaged, but, no, the public interest favoured disclosure, the Cabinet Office appealed the decision.

The First-tier Tribunal (Information Rights) (FTT) has now handed down its judgment, and it makes amusing if dispiriting reading. Wholly unsurprisingly, the ICO’s decision is upheld, and it seems that the Cabinet Office’s argument boils down to two main points: “if we tell you how often the RRC has met then it might mislead you into missing all the great work being done elsewhere, and as a result that great work elsewhere might be adversely affected” (my apologies to the Cabinet Office if this misrepresents their position, but I’ve really tried my best).

The FTT had very little time for these arguments. The only thing vaguely in the Cabinet Office’s favour was that, as a lot of information about “reducing regulation” processes was already publicly available, the public interest in disclosure was small. But, rather devastatingly, the FTT says

the public interest in maintaining the exemption is so weak that it does not equal, let alone outweigh, the, admittedly light, public interest in disclosure (para 27) [emphasis added]

It is worth reading the judgment (which I won’t dissect in detail), as an example of a particularly weak argument against FOIA disclosure, but I would add three closing observations from which you might deduce my level of approval of the Cabinet Office’s conduct:

1. this was a request simply and merely for the number of times a government committee has met (how “transparent” is a refusal to disclose that?)
2. taking a case to FTT is not without significant costs implications (bear in mind this was an oral hearing, with a witness, and with counsel instructed on both sides)
3. the whole litigation in any case carries a huge hint as to the nature/substance of the information held (if the RRC had met often, would the Cabinet Office really want to withhold that fact?)


Filed under Cabinet Office, Freedom of Information, Information Commissioner, Information Tribunal, transparency

Knowing what to overlook

The Upper Tribunal has allowed an appeal by an appellant whose pre-hearing language and allegations had led the First-tier Tribunal to strike out his case.

In a recently handed down judgment Upper Tribunal Judge Jacobs says

Most appellants correspond with the tribunal only when necessary, make moderate criticisms and allegations, and express themselves politely. There is, however, a small body of appellants who are persistent in their correspondence which contains wild allegations that are expressed in an intemperate or aggressive tone…

What gave rise to the proceedings in question was an appeal, by a certain Mr Dransfield, of a decision by the First-tier Tribunal (Information Rights) (FTT) to strike out proceedings remitted to it by a decision of Judge Wikeley in the Upper Tribunal (UT). That remittal decision was case reference GIA/1053/2011 – unhelpfully not currently available on the UT website – and is not to be confused with another (leading) decision by Wikeley J in relation to an unsuccessful appeal by Mr Dransfield (reference GIA/3037/2011).

The FTT struck out the remitted case using powers conferred by rule 8(3)(b) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (SI No 1976) (“the Rules”), which permits a strike-out if

the appellant has failed to co-operate with the Tribunal to such an extent that the Tribunal cannot deal with the proceedings fairly and justly

It appears that Mr Dransfield was warned by the FTT judge by a direction on 11 January 2012 (I think this should say “2013”, but I quote from paragraph 4 of the UT’s judgment) about the unfortunate, although perhaps unintentional “hectoring tone” of his emails, and rule 8(3)(b) was specifically cited to Mr Dransfield, with the observation that

Co-operation, in this context, includes using moderate language and an appropriate tone 

The warning was reinforced orally, and repeated on 29 April 2013.

Despite this, Mr Dransfield then sent an email on 12 May 2013, which the UT declines to quote in full but which is described thus

Mr Dransfield accused the Commissioner and Council of ‘conniving and colluding to pervert the Course of Justice’ and of producing ‘a pack of lies and deception’. He later referred twice to a ‘wider conspiracy to pervert the course of justice’ and said that there was sufficient evidence to justify arresting the Commissioner’s legal representative and Judge Wikeley for conspiracy to pervert the course of justice

Accordingly, the proceedings were struck out, the same day.

Interestingly (and no doubt to the frustration of some of those involved), Mr Dransfield’s appeal of this strike out has succeeded. Jacobs J follows the words I quote at the start of this piece with

It is usually possible to deal with that small minority of appellants without resorting to the power to strike out proceedings. It is possible to ban a party from using emails and direct that any that are sent will be ignored. Another way is to limit a party to communicating in writing and only when requested, with other letters being filed but ignored. At a hearing, it is possible to limit the time allowed to a party or, if necessary, to require a party to leave the hearing room. In my experience, measures such as this are usually effective

In short, Jacobs J says that case management powers can be properly used to manage a potentially difficult litigant, and should not in this case have led to the “draconian step” of striking out Mr Dransfield’s appeal. The type of allegation made by Mr Dransfield is “regularly made in appeals before this Chamber and just as regularly ignored by the judges”. The power to strike out and the duty to cooperate are in a “reciprocal relationship” with the overriding objective “to enable the Tribunal to deal with cases fairly and justly” at Rule 2, and specifically those parts of Rule 2 which require flexibility in the proceedings (2(2)(b)) and that the parties are able to participate fully in the proceedings (2(2)(c)).

Jacobs J ends his judgment by noting that the FTT could have employed more flexible responses “without depriving Mr Dransfield of his right of appeal” and observes, by quoting William James

‘the art of being wise is the art of knowing what to overlook.’

Very true, but I think I would just add a general point that – sometimes – some things can be too big to overlook. There will still be some cases where the failure to comply with the duty to cooperate properly merits the striking out of proceedings.


Filed under Freedom of Information, Information Tribunal, Upper Tribunal, vexatiousness

In which I ask the ICO for a Decision Notice

In September of this year I blogged about a request I made to the Information Commissioner’s Office (ICO) for details of which website some personal data had been inadvertently uploaded to, by a council employee, which had led to a monetary penalty notice. I have now had the ICO’s response to my internal review. I do not have (and haven’t sought) permission to upload that response, but suffice to say it doesn’t uphold my complaint. For those of you still awake I append my response to it here:

I am reluctantly now applying to the Commissioner for a decision whether my request for information has been dealt with in accordance with the requirements of Part I of the Freedom of Information Act 2000 (FOIA).
 
I am of the view that you do have lawful authority to disclose the information, and, therefore, section 59(1) of the Data Protection Act 1998 (DPA) is not engaged (and by extension nor is the substantive exemption claimed: section 44 of FOIA). Before I give my reasons I would just like to clarify an error on my part: I erred in my request for internal review when I queried whether section 59(1)(c) DPA was met. What I meant was that I accepted that sections 59(1)(a-c) were met, but I doubted whether there was a lack of lawful authority for the ICO to disclose.
 
My reasons why I believe you do have lawful authority to disclose are substantially the same as I gave in the rest of my request for internal review. I will repeat them here for completeness’ sake:
 
Section 59(2)(e) says that disclosure is made with lawful authority if “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”. I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

However, I make the following further observations.

You say “I consider that the public interest here has been largely, if not entirely, met by the issuing and publication of the Monetary Penalty Notice dated 27 August 2013, the publication of the ICO News release dated 30 August 2013, and other press coverage concerning this particular data breach and how it occurred. I do not consider that disclosure of the name of the website would further this to any significant extent”. However, these sources of information were noticeably lacking in detail about how exactly the rather bizarre and worrying circumstances described in the Monetary Penalty Notice (MPN) could have happened: automatic upload to cloud storage can happen, but normally this will be to private storage – automatic upload to a “public website” is rather alarming.

I note, in passing, some recent criticism of the level of detail, or lack of clarity, in MPNs made by the First-tier Tribunal (see para 17 of the Scottish Borders case, and, the Niebel case, effectively throughout).

I also note that you say “when considering the balance of the public interest in relation to section 59(2)(e) it has to be borne in mind that the threshold is very high because disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”. With respect, whether the Commissioner or a member of his staff might commit a criminal offence is not relevant to whether the public interest means disclosure is necessary. If disclosure is necessary section 59(1) does not apply, and no suggestion of a criminal offence can arise. Moreover, you say “unless there is ‘lawful authority’ to disclose the information, to do so would constitute a criminal offence” and “disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”, and “Releasing information of this nature without lawful authority would not only constitute a criminal offence…”: all of these omit the crucial mens rea aspect of that offence, which is that the disclosure would have to be made knowingly or recklessly.

You go on to say “There is a strong public interest in information being provided to the Commissioner in confidence, to enable him to carry out his statutory duty, remaining confidential and that this information will not be disclosed without lawful authority. Releasing information of this nature without lawful authority would not only constitute a criminal offence but would also undermine the regulatory function and powers of the ICO. It would damage public trust in the Commissioner’s processes and make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. This repeats the earlier assertions, or implications, that the information in question is “confidential” or has been “provided…in confidence”, which I continue to dispute for reasons previously given (and not controverted), and makes further assertions that disclosing such information now would “make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. There appears simply to be no basis for this “chilling effect” assertion (is there, for instance, evidence to back it up?).

Finally, I note that you say “we did consult with Aberdeen City Council and we do not have explicit consent for disclosure”. You do not say when this consultation took place, but it appears that Aberdeen at some point changed their mind on this, because on 15 October they disclosed the information to me under FOIA (see https://www.whatdotheyknow.com/request/ico_monetary_penalty_notice#outgoing-307019). Clearly, this means that I do not continue to seek disclosure. It also explains why I say I make this application reluctantly (I have no wish to have you, or me, expend time and resources unnecessarily). But I do wish to dispute that my request to you was handled according to requirements in part 1 of FOIA.

I am happy to provide any further information you might need.
with best wishes

etc


Filed under Confidentiality, Freedom of Information, Information Commissioner, monetary penalty notice

Walberswick Vexatiousness

Back in August of this year I blogged about an interesting decision by the First-tier Tribunal (Information Rights) (FTT) which approached the subject of “vexatiousness” (section 14(1) of the Freedom of Information Act 2000 (FOIA)) by observing that what might be excessively burdensome to a small public authority (such as a rural parish council) might not be so to a large public authority.

The public authority in question was Walberswick Parish Council, and, since that decision, there have been two others, meaning that Walberswick now has more experience in the FTT than most county councils and many other huge public authorities.

All three cases relate to refusals to disclose information on the grounds that the requests were vexatious, and the most recent – McCarthy v IC & Walberswick Parish Council – is no different: and, indeed, they all follow the line of authority on vexatiousness laid down by the Upper Tribunal earlier this year in ICO v Devon County Council and Dransfield GIA/3037/2011. What is noteworthy, however, is the disapproval with which the judge clearly views the continuing vexatious requests being made to Walberswick:

WPC is a parish council, not a department of state. The limits on its resources were well-known to the Appellant and to everybody else involved in this unhappy saga…It is plain that FOIA requests, both those made by the Appellant and the others of which he was concurrently aware, reduced WPC to paralysis…Furthermore, it was perfectly plain to any sensible individual and without doubt to one of the Appellant’s sophistication and social awareness that such pressure would drive elected and ultimately appointed councillors from office, as well as their clerk, who was at the centre of the battle.

Indeed, so concerned was the FTT that, very unusually, it put future requesters on warning about potential costs

WPC will not function as a democratically elected body until this bombardment by FOIA requests ceases. That may well mean that, as here, intrinsically reasonable requests for information are treated as vexatious if part and parcel of a sustained assault motivated by a desire to disrupt. Crippling a parish council by subjecting it to ceaseless interrogation is not a sensible way to improve its service to local residents nor to fulfil its duties under FOIA…it is highly unlikely that any future appeal from this parish council will be decided on different principles or without regard to the outcome of this and earlier appeals relating to Walberswick. Unsuccessful appeals by campaigning requesters may well attract the unusual sanction of orders for costs

(In passing, I would query whether this statement is potentially prejudicial to future cases in the FTT, and could actually deter people from making legitimate requests. In fact, it seems to suggest that any FOIA request to Walberswick could be considered to be prima facie vexatious. In fairness to the FTT though, this is merely the outcome of the “sustained assault” by the current campaigners).

Awards of costs in the FTT are very rare (I can only recall three cases). To put as-yet-unknown requesters, who haven’t yet made requests, on notice is a measure of how seriously the FTT view the harm caused by a campaign such as that experienced by Walberswick. In administrative law we already have the concept of Wednesbury Unreasonableness – one wonders if, in this particular branch of administrative law, we should start using Walberswick Vexatiousness as a term of art?


Filed under Freedom of Information, Information Tribunal, Upper Tribunal, vexatiousness

One for the insomniacs – Upper Tribunal on EIRs and commercial confidentiality

In May 2012 I blogged about a case in the First-tier Tribunal (Information Rights) (FTT). It was an appeal by Swansea Friends of the Earth against a decision of the Information Commissioner (IC) not to require the Environment Agency to disclose information relating to financial guarantee arrangements put in place by a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea.

I was critical of the FTT’s approach to breach of confidence, as it applies to the Environmental Information Regulations 2004 (EIR). However, with the handing down of judgment by the Upper Tribunal, following an appeal by Natural Resources Wales, as successor to the Environment Agency, I see I was wrong on two points (one minor, one major), right on another, and my key point was left undecided. Exciting stuff folks – hold on to your hats!

My minor error was to repeat the FTT’s description of Megarry J’s classic tri-partite breach of confidence test in Coco v A N Clark (Engineers) Ltd [1969] RPC 44 as being a common law doctrine. As the Upper Tribunal points out

That, to be correct, is a decision about the equitable doctrine of confidential communication (not the common law) that may arise otherwise than by contract between the parties

Silly me. Silly FTT.

Natural Resources Wales argued before the Upper Tribunal that

there was a statutory obligation in place [militating against disclosure], so that the Agency did not have to rely on equitable grounds

And this goes to my major error, which was to overlook, in striving to make a point of general application about the modern development of the law of confidence, that in this specific case the IC’s original Decision Notice had found that the information in question was confidential for the purposes of Regulation 12(5)(e) of the EIR firstly because the provisions of the Pollution Prevention and Control (England and Wales) Regulations 2000 (PPCR) (which were the regulations – since revoked and remade – which applied to the licence in question) effectively made it so, and only secondly because the information and the circumstances by which it came into the Environment Agency’s control met the Coco v Clark tests.

Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The Upper Tribunal held that the FTT had erred in law, saying (paragraphs 51-52), as had the IC in the first instance, that relevant provisions of the PPCR meant that confidentiality was “provided by law to protect a legitimate economic interest”:

disclosure of the relevant information would adversely affect confidentiality “where such confidentiality is provided by law to protect a legitimate economic interest”… Here that must be regarded as a reference across to regulation 31 of the 2000 Regulations. Regulation 31(1)(a) makes an express reference to commercial confidentiality. The factual background to these appeals makes it plain that the figures in question here were figures produced within the 2000 Regulations framework and were subject to the necessary application and ruling to protect confidentiality of them

So it was not necessary to consider whether the information was also covered by the equitable doctrine of confidence.

The point on which I was right (in my original post) was regarding whether, or the extent to which, regulation 12(5)(e) of the EIR was directly comparable to the similar section 41 of the Freedom of Information Act 2000 (FOIA). I said

This extension of the FOIA confidentiality principles into the EIR is controversial…

and the Upper Tribunal judge says

the tests in section 41 and regulation 12 are separate and cannot be read together to include in one something in the other simply because they deal with similar issues

which is pretty unequivocal (and see also Chichester District Council v IC and Friel (GIA 1253 2011), cited as authority for the lack of analogy between the two).

Finally, another point I hadn’t addressed (although Phil Bradshaw did, in the comments to my original post) concerns the failure by the FTT to distinguish between the location of information in documents and the information itself. The FTT had said

the information came into existence through a process of negotiation between the parties

but this surely was not the case – rather, documents, containing information, came into existence through a process of negotiation. But the information itself was caught by regulation 12(5)(e)

the focus is on this information, not on any particular document or form in which those figures are recorded or any process by which they emerged. I accordingly agree with the challengers that in so far as the First-tier Tribunal concerned itself with the specific location of those figures in specific documents produced as part of the licensing process rather than the information itself it was wrong in law

So there you have it. A rip-roaring convoluted run-through of why an obscure old blog post by me was slightly wrong and slightly right. I aim to please.


Unintended FOI consequences

A nice little example of how a Freedom of Information (FOI) request can sometimes bring about an unexpected change, and advance a cause which has little to do with FOI.  Although in this instance I’m undecided whether this was a good thing or not.

On 3 January this year the Information Commissioner’s Office (ICO) issued a decision notice in respect of two requests for information made to Thames Valley Police (TVP) relating to

an incident in which the complainant’s driveway was blocked by the vehicle of someone he believes was visiting TVP headquarters

The ICO was satisfied, on the correct test of the balance of probabilities, that TVP did not hold this information.

Nonetheless, the requester appealed that decision to the First-tier Tribunal (Information Rights), which has just issued a decision, in the form of a Consent Order disposing of the proceedings. The Schedule to the Consent Order explains

Thames Valley Police will give full and reasonable consideration to the reinstatement of 6 monthly liaison meetings with residents living in the vicinity of TVP HQ South with the objective of avoiding any unreasonable impact of operational activities on local residents

In consequence of this (and the agreement of the ICO) the request and the appeal have been withdrawn by the requester. So, a satisfactory outcome for the parties was achieved (although one notes that if the meetings are not arranged to the satisfaction of the requester, he will submit a further FOI request about the original incident!).

Of course, it would have been preferable if this compromise could have been agreed in February 2011, when the requests first started. And a large amount of public money has been expended on something which is only very loosely, if at all, related to the aim of FOI (as stated in the explanatory notes to the Act): to provide a right of access to recorded information held by public authorities.


It’s our Right to Know, Mr ICO

On 29 August the Information Commissioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I thought I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrast, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a) has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b) relates to an identified or identifiable individual or business, and

(c) is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes


Pornography and its Frustrations

For those who have never worked with “basic” versions of web-filtering software, let me describe typical frustrations.

Researching the subject of malicious communications? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.helpfullookingcommentary.com/) has been blocked as it is categorised as PROFANITY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Researching defamation? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.interestinganalysis.com/) has been blocked as it is categorised as GAMBLING, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Doing some local history research on Scunthorpe? Found what looks like a helpful search return via google? *CLICK*…

Access Blocked

Access to the requested web page (http://www.scunthorpematters.com/) has been blocked as it is categorised as PORNOGRAPHY, which is considered unsuitable for access using this equipment. If you have any queries, please contact your system administrator

Each of these failed hits will be logged by some sysadmins as “attempt to access PROFANITY/GAMBLING/PORNOGRAPHY”. 

I suggest people bear this in mind when reading the numerous delighted shocked commentators who have picked up on the Huffington Post story which says that a Freedom of Information request apparently revealed that

MPs, Lords and parliamentary staff have been trying to access porn websites potentially thousands of times, official figures reveal.

The story goes on to say that users of the parliamentary network, over a period of one year

have repeatedly attempted to access websites classed on Parliament’s network as pornographic [emphasis added]

So, they haven’t tried to access pornography; they’ve tried to access sites that web-filtering software classes as pornography. A further clue to the fact that this outrageous story of parliamentary loucheness might not be as it’s being presented is the fact that in October 2012 there were 3391 “attempts”, in the following month there were 114,844 and in the month after that there were 6918. Either November that year coincided with rampant horniness on the part of politicians and their staff, or there’s another reason for the spike.

I suspect some new definitions were added to the software, which drastically increased the “false positive” hits, and these crappy new definitions were tweaked for the following months.

In fact, as I drafted this post Sky News’ Roddy Mansfield and the Guardian’s James Ball have pointed out on twitter that that November 2012 spike coincided with intense political and media interest in the topic of sexual offences, as the scandal involving Jimmy Savile broke. This is very plausible, and suggests that, far from users of parliamentary systems shirking their responsibilities by browsing for smut, they were actually trying – apparently unsuccessfully, and probably with no small frustration – to find out more about a serious and current news item.

But that makes for a dull story.

UPDATE:

As several people have pointed out, if this is a case of poor filtering, it provides a nice lesson in irony for those who propose ISP filtering as some sort of solution to the alleged “corroding” influence of online pornography.


Pivot tables and databreaches

About a year ago I first became aware of reports of disturbing inadvertent disclosures of personal data (often highly sensitive) by public authorities who had intended only to disclose anonymous and/or aggregate data. These incidents were occurring both in the context of disclosures under the Freedom of Information Act 2000 (FOIA) and in the context of proactive disclosure of datasets. Mostly they were when what had been disclosed was not just raw data, but the spreadsheet in which the data was presented. Spreadsheet software is often very powerful, and not all users necessarily understand its capabilities (I don’t think I do). By use of pivot tables data can be sorted, summarised etc, but also, from the uninitiated or unwary, hidden. If the person who created or maintained a spreadsheet containing a pivot table is not involved in the act of publicly disclosing it, it is possible that an apparently innocuous disclosure will contain hidden personal data.
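A pre-release check for the failure described above, as an added example (not from the original post or from ICO guidance): it inspects an .xlsx package for hidden sheets and for pivot cache parts, which hold the field names and source rows behind a summary table. The sample workbook and its field names are constructed, and the function names are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by the workbook and pivot cache parts.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
DEFINITION = re.compile(r"xl/pivotCache/pivotCacheDefinition\d+\.xml")
RECORDS = re.compile(r"xl/pivotCache/pivotCacheRecords\d+\.xml")


def audit_xlsx(data: bytes) -> dict:
    """Report content that someone reading only the visible sheets would miss."""
    found = {"hidden_sheets": [], "cached_fields": [], "cached_records": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")  # or hidden / veryHidden
            if state != "visible":
                found["hidden_sheets"].append((sheet.get("name"), state))
        for part in zf.namelist():
            if DEFINITION.fullmatch(part):
                # Field names of the source data behind a pivot table.
                root = ET.fromstring(zf.read(part))
                for field in root.findall("m:cacheFields/m:cacheField", NS):
                    found["cached_fields"].append(field.get("name"))
            elif RECORDS.fullmatch(part):
                # Each <r> element is one source row stored with the pivot table.
                root = ET.fromstring(zf.read(part))
                found["cached_records"] += len(root.findall("m:r", NS))
    return found


def safe_to_release(found: dict) -> bool:
    # Any pivot cache fails the check: even without stored rows, the cache
    # definition can keep distinct source values as shared items.
    return not (found["hidden_sheets"] or found["cached_fields"]
                or found["cached_records"])


def build_sample(leaky: bool = True) -> bytes:
    """Constructed package with only the parts audit_xlsx reads (not a full workbook)."""
    ns = NS["m"]
    hidden = '<sheet name="Source" sheetId="2" state="hidden"/>' if leaky else ""
    parts = {"xl/workbook.xml": f'<workbook xmlns="{ns}"><sheets>'
             f'<sheet name="Summary" sheetId="1"/>{hidden}</sheets></workbook>'}
    if leaky:
        parts["xl/pivotCache/pivotCacheDefinition1.xml"] = (
            f'<pivotCacheDefinition xmlns="{ns}"><cacheFields count="3">'
            '<cacheField name="Surname"/><cacheField name="Ethnicity"/>'
            '<cacheField name="Gender"/></cacheFields></pivotCacheDefinition>')
        parts["xl/pivotCache/pivotCacheRecords1.xml"] = (
            f'<pivotCacheRecords xmlns="{ns}" count="2">'
            '<r><s v="Constructed-A"/><s v="Group 1"/><s v="F"/></r>'
            '<r><s v="Constructed-B"/><s v="Group 2"/><s v="M"/></r>'
            '</pivotCacheRecords>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_xlsx(build_sample())
    print(report, "safe to release:", safe_to_release(report))
```

The check covers hidden sheets and pivot caches only; hidden rows or columns inside a visible sheet are outside what it inspects.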

Clearly such errors are likely to constitute breaches – sometimes very serious breaches – of the Data Protection Act 1998 (DPA). Those of us who were aware of a number of these inadvertent breaches were also aware that, if public authorities were not alerted to the risk, a) the practice would continue and b) potentially large numbers of “disclosive” datasets would remain out in the open (in disclosure logs, on WhatDoTheyKnow, in open data sets etc). But we were also aware that, if the situation was not managed well and quietly, with authorities given the opportunity to correct/withdraw errors, inquisitive or even malicious sorts might go trawling open datasets for disclosures which could potentially be very damaging and distressing to data subjects.

It was with some relief, therefore, that, following an earlier announcement by WhatDoTheyKnow, the Information Commissioner’s Office (ICO) finally gave a warning, and good guidance, on 28 June (although this relief was tempered by finding out, via Tim Turner, that the ICO had known about, and apparently done nothing about, the problem for three years). At the same time the ICO announced that it was “actively considering a number of enforcement cases on this issue”.

It appears that, according to an announcement on its own website, Islington Council is the first recipient of this enforcement. The Council says it has

accepted a £70,000 fine from the Information Commissioner’s Office (ICO) after a mistake led to personal data being released

after it

responded to a Freedom of Information (FOI) request asking for information including the ethnicity and gender of people the council had rehoused. The response, in the form of Excel spreadsheet tables, included personal information concealed behind the summary tables

Fair play to Islington for acknowledging this and agreeing immediately to pay the monetary penalty notice. And if some of the other reported breaches I heard about were as bad as they sounded, £70,000 will be at the lower end of the scale.

(thanks to @owenboswarva on twitter for flagging this up)

UPDATE:

The ICO has now posted details of the MPN, and this clarifies that the disclosure was made on WhatDoTheyKnow and was only identified when one of their site administrators noticed it.
