Tag Archives: Human Rights

January 31, 2014 · 4:55 pm

The care.data leaflet campaign – legally necessary?

Readers of this blog [sometimes I imagine them1] may well be fed up with posts about care.data (see here, here and here). But this is my blog and I’ll cry if I want to. So…

Doyen of information rights bloggers, Tim Turner, has written in customary analytic detail on how the current NHS care.data leafleting campaign was not necessitated by data protection law, and on how, despite some indications to the contrary, GPs will not be in the Information Commissioner’s firing line if they fail adequately to inform patients about what will be happening to their medical data.

He’s right, of course: where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) then it is not obliged, pace the otherwise very informative blogpost by the Information Commissioner’s Dawn Monaghan, to give data subjects a privacy, or fair processing notice.

(In passing, and in an attempt to outnerd the unoutnerdable, I would point out that Tim omits that, by virtue of The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000, if a data subject properly requests a privacy notice in circumstances where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) and would, thus, otherwise not be required to issue one, the data controller must comply2.)

Tim says, though

The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required

That appears to be true, under data protection law, but, under broader obligations imposed on the relevant authorities under Article 8 of the European Convention on Human Rights (ECHR), as incorporated in domestic law in the Human Rights Act 1998, it might not be so (and here, unlike with data protection law, we don’t have to consider the rigid controller/processor dichotomy in order to decide who the relevant, and liable, public authority is, and I would suggest that NHS England (as the “owner of the care.data programme” in Dawn Monaghan’s words) seems the obvious candidate, but GPs might also be caught).

In 1997 the European Court of Human Rights addressed the very-long-standing concept of the confidentiality of doctor-patient relations, in the context of personal medical data, in Z v Finland (1997) 25 EHRR 371, and said

the Court will take into account that the protection of personal data, not least medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention (art. 8). Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general…Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community

This, I think, nicely encapsulates why so many good and deep-thinking people have fundamental concerns about care.data.

Now, I am not a lawyer, let alone a human rights lawyer, but it does occur to me that a failure to inform patients about what would be happening with their confidential medical records when GP’s were required to upload them, and a failure to allow them to opt-out, would have potentially infringed patients’ Article 8 rights. We should not forget that, initially, there was no intention to inform patients at all (there had no attempt to inform patients about the similar upload of hospital medical data, which has been going on for over twenty years). It is, surely, possible therefore, that NHS England is not just “helping” GPs to inform patients without having any responsibility to do so (as Dawn Monaghan suggests), but that it recognises its potential vulnerability to an Article 8 challenge, and is trying to avoid or mitigate this. Whether the leaflets themselves, and the campaign to deliver them, are adequate to achieve this aim is another matter. As has been noted, the leaflet contains no opt out form, and there seem to be numerous examples of people (often vulnerable people, for instance in care homes, or refuges) who will have little or no chance of receiving a copy.

At the launch of the tireless MedConfidential campaign last year, Shami Chakrabarti, of Liberty, spoke passionately about the potential human rights vulnerabilities of the care.data programme. Notifying patients of what is proposed might not have been necessary under data protection law, but it is quite possible that the ECHR aspect of doing so was one of the things on which the Health and Social Care Information Centre (HSCIC) has been legally advised. Someone made an FOI request for this advice last year, and it is notable that HSCIC seem never to have completed their response to the request.

1I make no apologies for linking to one of Larkin’s most beautiful, but typically bleak and dystopian, pieces of prose, but I would add that it finishes “…These have I tried to remind of the excitement of jazz, and tell where it may still be found.”

2Unless the data controller does not have sufficient information about the individual in order readily to determine whether he is processing personal data about that individual, in which case the data controller shall send to the individual a written notice stating that he cannot provide the requisite information because of his inability to make that determination, and explaining the reasons for that inability

2 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Europe, human rights, Information Commissioner, NHS, Privacy

Tagged as , ,

January 23, 2014 · 11:22 am

Staffs Police to drop controversial naming “drink drivers” twitter campaign

ICO confirms hashtag campaign prior to conviction was unlikely to be compliant with the Data Protection Act. Other forces to be advised via ACPO of issues raised by the case

Over the Christmas period Staffordshire Police ran a social media campaign, in which drivers arrested and charged with drink-driving offences were named on twitter with the “hashtag” #drinkdriversnamedontwitter. It seemed to me, and others, that this practice arguably suggested guilt prior to any trial or conviction. As I said at the time

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver

and I asked the Information Commissioner’s Office (ICO)

whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully

The ICO have now issued a statement. Their spokesman says

The ICO spoke to Staffordshire Police following its #DrinkDriversNamedOnTwitter campaign. Our concern was that naming people who have only been charged alongside the label ‘drink driver’ strongly implies a presumption of guilt for the offence, which we felt wouldn’t fit with the Data Protection Act’s fair and lawful processing principle.

We have received reassurances from Staffordshire Police that the hashtag will no longer be used in this way, and are happy with the procedures they have in place. As a result, we will be taking no further action. We’ve also spoken with ACPO about making other police forces aware of the issues raised by this case.

I think this is a very satisfactory result. The ICO have, as I said previously, shown that they are increasingly willing to investigate contraventions of the DPA not limited to security breaches. No one would defend drink driving (and it was not the naming itself that was objectionable, but the tweeting of the names in conjunction with the hashtag) but the police should not be free to indicate or imply guilt prior to conviction – that is quite simply contrary to the rule of law.

What I still think is disappointing though, is that after an initial prompt response from the Attorney General’s twitter account (which missed my point), there has been no word from them as to whether the practice was potentially prejudicial to any forthcoming trial. Maybe they’d like to rethink this, in light of the statement from the ICO?

1 Comment

Filed under Data Protection, human rights, Information Commissioner, police, Uncategorized

Tagged as , , ,

January 2, 2014 · 1:33 pm

Shaming the not guilty

UPDATE
9 January 2014, after a bit of prompting, the Information Commissioner’s Office have confirmed to me that they are looking into whether Staffordshire Police’s twitter campaign was compliant with the Data Protection Act
END UPDATE

Is Staffordshire Police’s social media campaign naming those charged with drink-driving offences fair and lawful?

A month ago I wrote about media coverage of Sussex Police’s crackdown on drink-driving. I was concerned that the impression was being given by the media that the police were “naming and shaming” people who had merely been charged – not convicted – with the offence. I asked Sussex Police if they were happy with the words attributed to them by the Eastbourne Herald but they chose not to reply (which I suppose is one way of dealing with enquiries from the public).

I have to concede that, in that instance, it was not clear whether the police themselves were suggesting people were guilty of an offence before any conviction. However, I heard today (thanks @primlystable) that Staffordshire Police have been running a campaign which is much more overt in its suggestion that people who have been charged with drink-driving offences can be called “drink drivers”. They have been running a social media campaign using the hashtag #drinkdriversnamedontwitter, and, they announce, there has been “overwhelming support” for it

Overwhelming support #drink drivers named on twitter

Staffordshire Police has received tremendous support for its name and shame tactic to reduce the number of drink-drivers.

Nearly 500 people completed an on-line survey asking whether they supported naming people charged with drink-drive offences and whether it would help people think about the consequences of this type of offence.

But the blurring of the line in that press release between the guilty and the not-proven-guilty is highly problematic. If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against 1.

I asked the Attorney General’s Office (by twitter) what it thought of the use of the hashtag against the names of those merely charged with an offence, but, in saying

Tweets are same details automatically given to Magistrates’court and made public at hearing – not contempt in this case

I think they rather missed the point – it wasn’t the naming of charged people which concerned me, it was the association of the name with the hashtag. And, in an excellent response on twitter @richgreenhill said

You’d be similarly sanguine about tweeting certain names and “#phonehacker” right now?

But I’ve also asked the Information Commissioner’s Office (ICO) whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully. The ICO has shown itself commendably willing recently to challenge unfair processing, and has, for instance, served DPA enforcement notices against Southampton City Council for making it a licensing requirement that taxi drivers have continuous CCTV-with-audio in their cabs, and against Hertfordshire Police for its automatic number-plate recognition “ring of steel” around Royston. I would urge the ICO to consider whether this current campaign warrants some regulatory action.

As I was writing this piece I saw a news item in which a traffic lawyer has called for the Staffordshire Police and Crime Commissioner (PCC) to resign as a result of the campaign, saying

By his comments he is now presuming that everyone named by his officers are guilty as charged even before they have appeared before a court. In other words he is demonstrating a cavalier disregard for the presumption of innocence.

His comments have potentially prejudiced every drink driving case before it is heard.

This pitches it stronger than I have, but I also note that Matthew Ellis, the PCC, has said in response

No-one will be named where there is any doubt

That is deeply concerning: it is no part of the police’s role to determine or pronounce on someone’s guilt or innocence.

1.Ministry of Justice, Criminal Justice Statistics, Quarterly Update to December 2010

16 Comments

Filed under Data Protection, human rights, Information Commissioner, police, social media

Tagged as , ,

December 6, 2013 · 4:00 pm

For Shame

A newspaper says police are “naming and shaming” drivers who have been charged with, but not convicted, of drink-driving offences. Sussex Police say they are merely “naming” the drivers, but do not appear to feel the need to correct the media reports.

The risk for social media users of being held in contempt of court was highlighted this week by the Attorney General, who has said that, in future, the advisory notes issued to “traditional” media on individual cases will now be made more widely available (published on the gov.uk website and twitter).

With this in mind I was concerned to see that Sussex Police were reported by the Eastbourne Herald to be “naming and shaming” drivers arrested and charged with drink-driving

Police have said this year they are ‘naming and shaming’ everyone they arrest in connection with drink driving

The report goes on to quote Chief Inspector Natalie Moloney as saying

It is sad that so many people ignored the warnings that we would be looking for drink-drivers and have been charged with offences within hours of the start of the campaign. The arrests and the naming of those charged with offences will continue across the county throughout the month

This seemed to me potentially to engage the provisions of the Contempt of Court Act 1981 of an offence of strict liability “whereby conduct may be treated as a contempt of court as tending to interfere with the course of justice in particular legal proceedings regardless of intent to do so”, because it is a publication addressed to the public at large, about active proceedings. For an offence to be committed the publication must give rise to a substantial risk that the course of justice in the proceedings in question will be seriously impeded or prejudiced. I am not convinced that would be the case, but, nonetheless, I was surprised to see a police force effectively being reported as saying that  naming someone only charged with an offence gives rise to “shame” (it does nothing of the sort, of course, given the legal maxim of “innocent until proven guilty”). So I asked the Sussex Police twitter account

Are you really running a policy of “shaming” people by naming them prior to a trial?

to which they replied

We are not “shaming” anyone. We are naming those charged with a drink-related driving offence as we do for a range of offences

That was fair enough, (although one might ask Chief Inspector Moloney why an innocent person would heed a warning that police were looking for drink- drivers) but, as it appeared that this “naming-not-shaming” initiative had been launched in conjunction with the media, I wondered if they would be asking the Herald to correct its misleading article. Sussex Police replied

The campaign doesn’t aim to ‘shame’, but rather to deter & the article does not attribute the phrase to us

but this is simply not true: the article may not directly attribute the phrase to the police, but it does so indirectly

Police have said this year they are ‘naming and shaming’…

I have had no response yet to my further tweet pointing this out.

So, in a week when contempt via social media is very much in the headlines, we appear to have an online newspaper report which suggests there is shame attached to being charged with an offence, and which attributes this phrase to a police force, who seem unconcerned about correcting it. Odd.

For the avoidance of doubt, I should say that I have no sympathy whatsoever with people convicted of drink driving offences, but, to suggest there is “shame” in being charged with an offence prior to trial, is to go against centuries of presumption of innocence.

4 Comments

Filed under human rights, journalism, police, social media

Tagged as ,

November 20, 2013 · 3:19 pm

THIS is the purpose of subject access requests

In a recent blogpost the rather excellent Bilal Ghafoor (who goes by the handle of “FOIKid”, although I note he’s now extended this to “FOI (and DP) Kid”, evidently having rather belatedly discovered the joys of data protection) asked “What is the purpose of subject access requests?“. He drew attention to the potential discord between approaches by the Information Commissioner and by the courts (in cases such as Durant  v Financial Services Authority [2003] EWCA Civ 1746) to such requests (made under section 7 of the Data Protection Act 1998 (DPA)).

In a comment on that post I argued that the Court of Appeal in Durant was perhaps not as out-of-step with, at least, the EC data protection Directive 95/46/EC as is sometimes thought

it’s important to note that the Court of Appeal were keen to stress the fact that the Act gives effect to the Directive, and that the Directive and its recitals have a “primary objective” to “protect individuals’ fundamental rights, notably the right to privacy and accuracy of their personal data held by others…

This particular primary objective is illustrated quite starkly by the news from the Press Gazette that comedian/journalist Mark Thomas discovered, through submitting a subject access request, that his name is on a “domestic extremist database”:

police held a file of seven pages containing more than 60 individual items of intelligence…”a bizarre list of events monitored by the police, lectures given, panels attended, even petitions I have supported…the police have monitored public interest investigations in my case since 1999″

Thomas says he is taking legal action to have his name removed. This will be an interesting case if it reaches court, joining a line of cases where people try to effect removal of records from police systems.

What is also interesting though is that Thomas, and the National Union of Journalists (NUJ), are encouraging journalists to submit subject access requests to the police. As Thomas says

I know of other NUJ members on the database….Which is why I am asking NUJ members to take action. If your work brings you into contact with the police whether covering riots or climate camp, from Plebgate to the NSA, then the police could have you on their database

and the NUJ general secretary Michelle Stanistreet adds

we want as many other members as possible to find out what information the Met is holding

In answer to Bilal’s question, then, I think that this – the investigation of how an arm of the UK state monitors and records the activities of the free press – is a vitally important example of what the purpose is of subject access requests.

1 Comment

Filed under Data Protection, police, Privacy, surveillance

Tagged as , ,

October 4, 2013 · 12:58 pm

Photographing sleeping people – data protection implications

Is it ever OK to photograph strangers on a train? asks Nell Frizzell, in a balanced, and nuanced, article in the Guardian

one new public transport phenomenon has recently crashed into my consciousness. Tumblr accounts dedicated to secretly photographing, uploading and then critiquing fellow commuters, have spored like bed bugs on a bus seat.

She correctly points out that domestic law, even to the extent that it gives effect to Article 8 of the European Convention on Human Rights, does not prevent, in general terms, the act of photographing an individual without their consent.

However, the practice she describes, of uploading photographs to social media sites, does engage, and, I would argue, breach, the Data Protection Act 1998 (DPA).

An image of a person is potentially (and in these specific cases almost certainly) their personal data (particularly bearing in mind the observation by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746 that for information to be personal data it “should have the putative data subject as its focus”). The DPA contains an exemption (at section 36) from all the provisions of the DPA for processing of personal data by an individual for the purposes of that individual’s personal, family or household affairs (including recreational purposes) (the “domestic purposes exemption”). It is possible, although arguable, that the mere taking (and no more) of a photograph of someone on a train, would be caught by this exemption. However, once such a photograph is uploaded to the internet, the exemption falls away. This is because the European Court of Justice held, in a 2003 ruling that binds all inferior courts, that personal data posted on the internet could not be caught by the domestic purposes exemption (Lindqvist (Approximation of laws) [2003] EUECJ C-101/01).

That said, the Information Commissioner’s Office (ICO), which regulates the DPA in the UK, has shown reluctance to accept this authoritative statement of the law regarding the online processing of personal data. I have previously written about this, in the context of the ICO’s social media DPA guidance, which sidesteps (or, rather, ignores) the point. However, it might be more difficult for a domestic court (bound by the authority of Lindqvist) to ignore it in the same way, in the event that any case came before one for determination.

But therein lies the (lack of) rub. Uploading a photograph, without consent, of someone sleeping on a train is unfair, and therefore in breach of the first Data Protection Principle (because no Schedule 2 condition exists which permits the processing). But I struggle to imagine the chain of events which could give rise to a claim (for instance, the data subject would have to contact the photographer, or the site, to require them to cease processing on the grounds that doing so was causing, or was likely to cause, substantial damage or substantial distress, and the photographer, or site, would have to refuse).

So, ultimately, even though I’d argue that these sites, and those who upload to them, breach the DPA, the unwillingness of the ICO to exercise jurisdiction, and the unlikelihood of any legal claim emerging, mean that they can probably continue with impunity, unfairness notwithstanding.

As photographer Paul Clarke said in an excellent blogpost on the subject earlier this year

Sticking to rigid rules of law won’t help us very much. This might feel (it does to me) like gross intrusion on privacy. But being offensive is not enough to make something an offence.

6 Comments

Filed under Data Protection, human rights, Information Commissioner, Privacy, social media

Tagged as , ,

August 30, 2013 · 5:30 pm

ICO – no Code of Practice for data protection and the press

On the 12th of August the Information Commissioner’s Office (ICO) announced that, following a period of consultation, it would not – contrary to previously-stated intentions – be issuing a Code of Practice on Data Protection and the Press. The proposed Code had been in response to Lord Justice Leveson’s recommendations that the ICO produce

comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data

As the ICO’s Steve Wood says in the blogpost

Leveson did not stipulate a code but we proposed it as a possible vehicle for the guidance

Indeed they did, stating at the time that it was not

the ICO’s intention to purport to set ethical standards for journalists, or to interfere with the standards which already apply under relevant industry guidance, such as the Editors’ Code of Practice, the Ofcom Broadcasting Code, and the BBC Producers’ Guidelines. Nevertheless, the existing industry guidance does not consider the requirements of data protection law in any detail, and the ICO’s code will complement existing industry standards by providing additional coverage of this issue

However, the latest announcement – that the ICO is “looking to produce a guidance document” rather than carrying through with the issuing of a Code of Practice – is accompanied by the publishing of a summary of consultation responses to the draft Code of Practice. In fairness to the ICO, those who responded appeared not to want a Code, and, as any public authority will be aware, a consultation in name only (e.g. one with a predetermined outcome) is unlikely to be a lawful one. We are not told specifically who these responses were from, but that they were from “several media companies, individuals, regulators and representative bodies” (although there were only 16 responses overall, a figure which perhaps shames us all, or, alternatively, supports a view that not that many people were particularly aware of or bothered about the consultation). Seven responses specifically rejected the idea of a Code of Practice, with some concerns being

a code of practice implies a new set of rules or regulations;
risk of the ICO becoming a ‘mainstream de facto regulator of the press’;
risk of a proliferation of codes; and
risk of potential confusion with existing codes such as the Editors’ Code.

After pausing to note that the now-proposed ICO guidance will apparently be issued in draft (for further consultation) before the end of the year, which is a long, long way from meeting Leveson’s recommendation that any guidance be implemented within six months of his report,  it might be helpful to look at just why some respondents might have been unhappy with a Code of Practice, as opposed to “mere” guidance.

As is well-known, there is a very broad exemption, at section 32, from most of the obligations of the Data Protection Act 1998 (DPA) where:

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,
(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes [emphasis added]

This, broadly, means that, as long as personal data is processed with a view to journalistic publication (note: not that it has to be published) it is exempt from effectively all of the DPA (although not the 7th “security” principle) as long as the press body “reasonably believes” publication would be in the public interest. This has generally been taken to mean that it will be extremely difficult for a data subject to enforce her rights against, or for the ICO to regulate the activities of, the press. And, indeed, instances of successful DPA claims, or successful enforcement, against the press, are rare (privacy cases against the press, where they have included DPA claims, have tended to see the latter sidelined or dropped in favour of meatier claims in tort – see e.g. Douglas v Hello [2005] EWCA Civ 595 (where the DPA claim did succeed in the first instance, but only resulted in nominal damages) and Campbell v MGN [2002] EWCA Civ1373 (where, by contrast, the section 32 defence succeeded)). As Leveson LJ says

the effect of the development of the case law has been to push personal privacy law in media cases out of the data protection regime and into the more open seas of the Human Rights Act [page 1070 of Leveson Report]

 As everyone knows, the press kicked back strongly against parliament’s proposal of a Royal Charter for the press (that proposed Charter itself being the result of a rowing back by the political parties from Leveson’s proposal for some form of direct statutory underpinning of any regulatory scheme (“Guaranteed independence, long-term stability, and genuine benefits for the industry, cannot be realised without legislation”)). Both proposed Charters (the parliamentary-backed one and the Pressbof-backed one ) are to be considered by the Privy Council.

What has perhaps not been so widely-known, or widely-understood was that an ICO Code of Practice, if it had been designated by the Secretary of State (by means of an Order pursuant section 32(3)(b) of the DPA), would itself have constituted a form of statutory underpinning. This is because a Code designated in this way could have been taken into account by a court, or by the ICO, when determining whether personal data had been processed (for the special purposes) by the data controller in the reasonable belief that it had been in the public interest. The now-proposed “mere” guidance will not have the same status.

This might seem a minor point, and perhaps it is (bear in mind that there are already other Codes of Practice designated pursuant to section 32(3)(b), including the Press Complaints Commission Code of Practice) but, although we don’t know specifically who responded to the ICO’s consultation, it is safe to say that those who did included in their number organisations strongly opposed to (and alive to the threat of) any form of what they perceive to be statutory regulation of the press.

In this post I draw heavily on previous posts by Chris Pounder, on his Hawktalk blog, and if, as he suggested earlier this year, the then-proposed ICO Code raised the prospect of enhanced protection for ordinary data subjects, it is perhaps the case that the dropping of the proposal means no such enhanced protection.

1 Comment

Filed under Data Protection, human rights, Information Commissioner, journalism, Leveson

Tagged as , , ,

July 29, 2013 · 1:29 pm

An Unnecessary FOI Appeal?

South Lanarkshire Council have lost what seems to me to have been a rather unnecessary, and surely rather costly, FOI case in the Supreme Court. That said, the judgment is important reading.

It is well-established that, for disclosure of personal data to be lawful under Freedom of Information law (both the Freedom of Information Act 2000 (FOIA and the Freedom of Information (Scotland) Act 2002 (FOI(S)A) it will normally be necessary to satisfy the test in the sixth condition of Schedule Two of the Data Protection Act 1998 (DPA)

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Disclosure is, by section 1(1) of the DPA, an act of “processing”.

It is also well-established (indeed, one might almost say it is trite law), that “necessary” in that condition is to be construed in accordance with the relevant European authorities. As the High Court held, in the MPs’ expenses case

‘necessary’ within para 6 of Sched 2 to the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends. Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

For reasons which are not entirely clear to me (but I’m not a Scottish lawyer) (in fact, I’m neither Scottish, nor a lawyer) the Court of Session in Scotland said, when hearing an appeal from South Lanarkshire Council of a decision by the Office of the Scottish Information Commissioner (OSIC) to order disclosure of information on how many of the total number of a certain post were placed at specific points in the pay scale, that it saw the force of a submission by counsel for the Council that

the word “necessary” should be accorded its ordinary and natural meaning, with the opening phrase being understood as imposing a distinct requirement

and that

but for the authority [of the MPs expenses case], we would have had little hesitation in giving effect to it

but they didn’t even need to reach a concluded view on this, because it was clear that, in this case, whatever construction was given to “necessary”

the Commissioner could only have concluded that necessity was made out. In particular, he held that the Requester’s own interest coincided with a widespread public interest in the matter of gender equality and that it was important to achieve transparency on the subject of Equal Pay. No better means existed to achieve that goal than by releasing the information in question

Apparently grabbing at that tiny bone thrown them by the Court of Session, the Council appealed to the Supreme Court. The hearing was three weeks ago, and judgment has been handed down today (which strikes me as rather quick) unanimously dismissing the Council’s appeal. At the time of the hearings The Herald reported that the Supreme Court had “slapped down” the Council

A cash-strapped Labour council has been scolded by one of the UK’s most senior judges for “dancing on the head of a pin” with “Alice In Wonderland” legal arguments, which have cost taxpayers thousands of pounds.

Anyone with any experience of litigation knows that it is a dangerous game to predict the outcome on the basis of the apparent approval or disapproval of your argument by the judge – often the strongest argument will be given the heaviest interrogation – but it does appear that, in this case, The Herald wasn’t taking too much of a gamble in anticipating the outcome. Lady Hale, giving the leading judgment, agreed with the Council that

the word “necessary” has to be considered in relation to the processing to which it relates. If that processing would involve an interference with the data subject’s right to respect for his private life, then [Rechnungshof v Ősterreichischer Rundfunk (Joined Cases C-465/00, C-138/01 and C-139/01) [2003] 3 CMLR 265] is clear authority for the proposition that the requirements of article 8(2) of the European Convention on Human Rights must be fulfilled

but in this instance, although disclosure of the information would be “processing” of “personal data” by the Council (as the Council itself could identify those to whom the data related), the requester (nor any other third party) would not be able to identify the data subjects. Accordingly

as the processing requested would not enable Mr Irvine or anyone else to discover the identity of the data subjects, it is quite difficult to see why there is any interference with their right to respect for their private lives

And Lady Hale disagreed with the Council on the construction of “necessary”

all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information…and whether he needs that information in order to pursue it. It is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary…necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less 

As the requester was clearly pursuing a legitimate interest, and this could only be met by disclosure under FOI(S)A the appeal had to fail, and the information falls to be disclosed. It is difficult to see how any other outcome, following the domestic and European authorities, could have ensued.

This does leave unanswered what the outcome would be if, for instance, no legitimate interest were advanced by a requester and/or the data subjects could be identified. In this instance, the OSIC had sought clarification of the requester’s purposes, in an investigation which the Supreme Court held was not in breach of the rules of natural justice, despite a failure to involve the Council in the correspondence. As a blogger activist the requester, Mr Irvine, could clearly point to a legitimate interest – a “serious, ongoing interest in equal pay matters”, but Lady Hale observed that

for example, if Mr Irvine had asked for the names and addresses of the employees concerned, not only would article 8 have clearly been engaged, but the Commissioner would have had to ask himself whether his legitimate interests could have been served by a lesser degree of disclosure

 In European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P) the European Court of Justice found that the European Commission had not erred in refusing to disclose, under the EU Access Regulation, the identities of people attending a meeting, because the company requesting it had not been able to advance a legitimate interest in disclosure (see the excellent Panopticon post on this). FOI was traditionally said to be “applicant blind”, with a requester not needing to advance a purpose for asking for information, but, as these “personal data” cases (and others not relating to personal data – the “social watchdog” argument in the ongoing litigation involving Dominic Kennedy and the Charity Commission) show that motivation can be a determining point when it comes to disclosure under FOI.

2 Comments

Filed under Data Protection, FOISA, Freedom of Information, human rights, Uncategorized

Tagged as , ,

June 12, 2013 · 4:25 pm

Schools and Children’s Privacy

Parents, when confronted with the familiar complaint by a child that a parental decision “isn’t fair”, are entitled to say “I don’t care – what I say goes”.

Schools*, and their teachers, although acting in loco parentis, cannot necessarily do the same. Particularly in their role as public authorities they have obligations to act fairly and lawfully at common law, and under various statutes – not least the Human Rights Act 1998 (HRA). Article 8 of the European Convention on Human Rights, incorporated into domestic law by the HRA, famously provides everyone a qualified right

to respect for his private and family life, his home and his correspondence

Parents do not have to respect this in their dealings with their children: the latter cannot enforce the Article 8 right against a parent who demands access to their private correspondence, or who sends them to their bedroom for a spurious reason, or who uploads personal information to a dodgy cloud storage provider. Schools do have to respect the right – in loco parentis only goes so far.

I make this observation in light of research published by SafeGov.org and Ponemon Institute into the views of school staff on the use of cloud services in the education sector and the potential risks to student privacy. Among generally encouraging results (rejection of data-mining, seeing threats to student privacy as the top risk of cloud) was something less happy

Some schools admit to a conflict of interest regarding student privacy…47% say they might be tempted to trade student privacy for lower costs

If I were a child, or a parent, I would be tempted, in turn, to say “my (or my child’s) privacy is not yours to trade”. Rather, it is the school’s duty to protect that privacy, to the extent required by the law. Levels of privacy protection should not be related to cost (or only to the limited extent permitted by the second part of Article 8). Relatedly, the seventh principle of Schedule One of the Data Protection Act 1998 (DPA) requires a school, as data controller, to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

I would query whether a decision to adopt a software provider at lower cost, at the expense of student privacy, would be compliant with a school’s obligations under the DPA, or the HRA.

*I am talking about non-independent state schools

Leave a comment

Filed under Data Protection, human rights, Privacy, Uncategorized

Tagged as

September 29, 2012 · 9:04 am

Private emails, FOI and Criminality

Private emails are subject to FOI searches, and it’s a crime intentionally to conceal relevant information.

So, it appears that the Department of Education (DfE) has conceded that business emails sent by private email accounts are subject to the Freedom of Information Act 2000 (FOIA), thus accepting what the right-thinking world, and, indeed, anyone with a glimmer of common sense knew all along.

Plaudits, or brickbats, according to your position on the merits of FOIA, should go to Christopher Cook of the Financial Times, who has pursued the Department of Education (DfE) on this with the enthusiasm of a Jack Russell terrier faced with a scurrying rat. Fellow hacks at the Independent had also joined themselves to the proceedings listed (but now withdrawn) in the First-tier Tribunal (Information Rights). The DfE had had the balls to launch a challenge to a previous decision by the Information Commissioner (ICO) that the information (held in private email accounts) requested by Chris should be released. The decision notice itself was clear, and difficult to argue with, as is the advice on the subject published by the ICO around the same time. One wondered what possible grounds the DfE had to base a successful appeal on, and the withdrawal of the appeal probably answers that point, although it appears the withdrawal was actually prompted by the imminent publication of Cabinet Office guidance.

Some are now predicting that there will be a deluge of FOI requests specifically targeted at information held in private emails, or text messages, and I think this is probably right. What is not clear is how they will be handled. The ICO’s guidance suggests that, faced with requests for information that could be held in private emails, public authorities should restrict themselves to asking the person to search their account and keeping a record to show that this was asked:

The public authority will then be able to demonstrate, if required, that appropriate searches have been made in relation to a particular request. The Commissioner may need to see this in the event of a…complaint

This suggests that, when investigating a complaint about refusal to disclose information, the ICO will restrict himself merely to satisfying himself that an authority has asked its staff to check emails. Absent any evidence that those staff have not been honest about the contents of those private emails, the ICO will take no further action. The reasons for this are, really, quite obvious: the powers open to a public authority to access private email accounts are limited. Although the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow an employer to “intercept” an employee’s private emails  (if sent using the employer’s systems) to determine whether they are business-related, those powers must be exercised with due regard to the employee’s privacy rights. The interception of private emails in a private email account (sent using the employer’s systems) must be necessary and proportionate. If an employee has told his or employer that their private emails contain no information caught by an FOI request it is doubtful, absent any evidence to the contrary, that a “trawl” of emails without the employee’s consent would be lawful (I’ve written for PDP journals on this subject – subscription needed).

On one view, then, nothing much has changed with the concession by the DfE, although no doubt many new FOI requests will be made as a result. What has changed, perhaps, is the focus on individuals’ personal responsiblity under FOIA. Currently, section 77 creates an offence if a person alters, defaces, blocks, erases, destroys or conceals a record in response to an FOI request. If a trawl of emails on a public authority’s systems is required this will normally fall to IT, or similar, and employees have little say – or, if you like, given the existence of back-up systems – limited opportunity to commit a section 77 offence. Now, if the same employee is asked whether private emails contain specific information, and he or she untruthfully says “no”, criminality – the mens rea – will be relatively easy to make out.

The question is, how would we find out?

6 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Privacy, RIPA, Uncategorized

Tagged as , ,