Tag Archives: ICO

Data protection compensation – an alternative route?

Compensation for data protection breaches can be difficult to secure – but if the data controller is a public authority there may be an alternative to legal claims

One of the outcomes of what was by any standards a disastrous breach of the Data Protection Act 1998 (DPA) was announced this week, when Hodge Jones & Allen LLP (who might want to proofread their press releases a bit better) issued a statement saying that they had secured compensation payments totalling £43,000 for fourteen residents who had brought claims against Islington Council. They were among fifty residents whose personal data was mistakenly given to ten people upon whom the Council was serving anti-social behaviour orders (ASBOs). As the Islington Gazette reported at the time

council staff passed details of 51 people, many of whom had complained about antisocial behaviour (ASB) on the council’s flagship ASB hotline, to 10 thugs who had been causing trouble on the Andover estate, off Seven Sisters Road, Holloway…The gang, who had been smoking drugs and abusing passers-by, now have the names, street names and phone numbers where given of the residents, after the information was inadvertently attached to injunctions banning them from the estate…Police activity has been stepped up on the Andover, but many victims of the breach are from other areas.

The Gazette also reported that six families were to be rehoused, no doubt at considerable cost to the Council.

The law firm’s announcement (which also appears to relate to claims made by people who, in a separate incident involving the same council, had their personal data inadvertently exposed on a website) means, of course, that any claims will not go to trial, and we will not get the chance of a judicial determination of whether, or to what extent, it is possible for claimants in these circumstances to gain compensation for pure distress, in the absence of actual damage.

Data Protection lawyers and practitioners will be well aware of this issue, and I wrote about it earlier this year. To crib my own post:

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered….[the position is unclear as to] whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect

In the instant cases, it is actually possible that substantial actual damage could have been suffered, but, more probably, these again were cases where (no doubt very high levels of) distress would have lacked compensation for want of the section 13(1) gateway.

In terms of the Council itself, as data controller, it was served by the Information Commissioner’s Office (ICO) with a monetary penalty notice (MPN) of £70,000 for the DPA contravention which led to the “website incident”, and it appears that enforcement action may well result from the ASBO incident (one wonders if the ICO was awaiting the outcome of these legal claims). The ICO will need to determine whether it was a serious contravention of the DPA, of a kind likely to cause substantial damage or substantial distress (for analysis of what this requires, see my recent post here). Such MPNs do not though, in any case, compensate victims, but serve to punish the data controller (and the money goes into the government’s consolidated fund).

The Local Government Ombudsman

One does not know what the specific arrangements were between the claimants and their lawyers, but, unless the work was pro bono, some fees will no doubt be owed from the former to the latter. It does occur to me that the claimants had an alternative way of seeking a remedy. The Local Government Ombudsman (LGO) investigates complaints made by people alleging administrative fault (“maladministration”) causing injustice, arising from actions or inactions of local authorities. In 2008 the LGO issued a report following investigation of a complaint that Basildon Council had

published personal and sensitive information about traveller families and their children on its website and in a report that was considered in the open part of a Council committee meeting, where copies were available to members of the public and the press who attended. The information included medical details, and the names and ages of all the children living on the site

But what is particularly interesting is that the LGO’s investigation was informed by a prior finding by the ICO in this matter (uncontested at the time by the Council) that the Council had been likely to have contravened the first data protection principle. The LGO has the power to recommend compensation payments, and in this case recommended each complainant be paid £300. Those payments were eventually effected, albeit after judicial review proceedings (an LGO recommendation is not actually binding on a council, although in the vast majority of cases they are complied with).

It does seem to me that the Islington claimants could possibly have gained similar, or more compensation, by making a complaint to the LGO. It also seems to me that – where a DPA contravention by a local authority causes distress but no damage – aggrieved data subjects could consider whether the LGO could assist. And on a similar basis, where the contravention has been by a government department, or the NHS, or some other public bodies, whether the Parliamentary and Health Service Ombudsman could assist.


Implications of the Home Office data breach

What sanctions might result from the recent Home Office data breach, and how does it relate to the transparency agenda?

News emerged yesterday, through the rather unusual route of a statement to Parliament by Mark Harper, Minister for Immigration, that a spreadsheet containing the personal information of almost 1600 people had been inadvertently published by the Home Office on a government website. The minister’s statement says

between 15 and 28 October 2013 some personal data was available on the Home Office website as part of a spreadsheet alongside the regular data set in error. This was identified by Home Office officials on 28 October 2013 and the personal information was removed immediately. The personal data related to the names of 1,598 main applicants in the family returns process, their date of birth and limited details about their immigration case type and status

On these conceded facts this would appear to be a clear breach of the Data Protection Act 1998 (DPA), and, specifically, the principles of Schedule 1 to the Act which require that processing be fair and lawful, and that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. But what are the implications of this?

By virtue of section 4(4) of the DPA a data controller – in this instance the Home Office – must comply with those principles. A serious contravention of them, of a kind which is likely to cause substantial damage or substantial distress, can (by section 55A) invoke the powers of the Information Commissioner’s Office (IC) to serve a monetary penalty notice, to a maximum of £500,000. Whether the IC would exercise his discretion to do so would depend on various factors. Firstly, he would need to satisfy himself whether the personal data involved was “sensitive”. Sensitive personal data is afforded greater protection by the DPA, and breaches involving it are accordingly more serious. We are told that the information involved here consisted of people’s names, dates of birth, and their immigration status. Information about a person’s racial or ethnic origin is sensitive personal data – could one derive or infer that from the mistakenly disclosed information? This will be an important question to answer. But, additionally and more simply, it seems that these were “illegal immigrants” – the data was related to immigration family returns, and this would certainly seem to imply either the commission or alleged commission of an offence by those whose data was exposed, and this would also move the data into the category of “sensitive”.

Whether the apparent contravention was likely to cause substantial damage or substantial distress is less clear. The minister points out that there appear to have been fewer than thirty page views, but that we don’t know whether any of those people accessed or downloaded the data. But this perhaps overlooks the part of the statutory scheme which talks about whether the contravention was “of a kind likely” to cause the damage or distress. If for instance, this incident, which we are told is being investigated by the IC, is a symptom of inappropriate or insufficient data security measures, then that factor, rather than this discrete incident, could potentially give rise to sanctions. Also relevant might be what efforts the Home Office has taken to ensure that cached versions of the data have been removed from the internet – it is remarkably easy for information quickly to be captured and mirrored elsewhere, by automated web services.

The IC’s powers are not limited, however, to issuing monetary penalties. He can also issue enforcement notices requiring data controllers to take specified actions, and a breach of an enforcement notice can be a criminal offence. Less seriously, he can simply make a determination as to whether there is likely to have been a breach of the DPA. And he can take informal action, requiring a responsible person at the ministry to sign an undertaking to improve compliance.

The transparency agenda

What I also find noteworthy is that the minister prefaces his statement with remarks about the government’s commitment

to openness and transparency to enable the public to hold the government and other public bodies to account. This government has made more data available than ever before…

These are laudable aims and actions, but I have written before that the transparency agenda carries with it risks that, in the rush to publish more and more data, there will be privacy and data protection breaches. And if the government and the IC, as regulator, do not do more to alert people to these risks they must be aware that they risk being seen as complicit in such breaches. As I said in my piece for The Guardian

The IC must work with the government to offer advice direct to chief executives and those responsible for risk…So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.


Restrictions on use of information in litigation

Rule 31.22 of the Civil Procedure Rules provides in terms that a party to litigation can only use a document disclosed to him/her by another party (in the course of those proceedings) for the purposes of those proceedings:

A party to whom a document has been disclosed may use the document only for the purpose of the proceedings in which it is disclosed…

The exceptions to this rule are where the document has been read to or by the court or referred to, at a public hearing, or where the other party consents to its use, or by permission of the court.

A recent judgment of Mr Justice Tugendhat deals with this rule, but also has a rather odd appearance in the wings by the Information Commissioner’s Office (ICO). The case involves an application for a strike-out of a claim by a company (“IG Index”) engaged in spread betting on financial products, which had been the defendant in proceedings in the Employment Tribunal (ET). In the course of those ET proceedings the then claimant (“Cloete” – now defendant), a former network services engineer (who, it was said, had previously raised with his then employer concerns about data security at the company) had provided the defendant company (pursuant to a disclosure order of the ET judge) with a USB stick containing lists of clients of the company (including bank payment details), which it appeared to the company had been copied or retained by the claimant in breach of covenants protecting confidential information.

Separately to the ET proceedings the company claimed orders requiring the delivery up of the documents, and was successful in gaining interim relief for this, and for destruction by Cloete of any electronic copies, ordering him at the same time to pay IG Index’s costs. Cloete complied with these Orders, while at the same time withdrawing his ET claims.

At the full hearing, at which, as Tugendhat J observed, nothing of substance was still sought by IG Index (their substantive relief having been achieved by the delivery up and destruction of the information) what remained in dispute between the parties was, effectively, costs.

However, Cloete now sought strike out on the basis that the only reason IG Index had come to know of the contents of the USB stick was through the disclosure in the ET proceedings. Accordingly, he argued, the use of that information was in breach of CPR 31.22. Tugendhat J agreed, noting, importantly, that the rule applies

to protect not only the documents themselves, but also the contents of those documents, that is to say, the information derived from the disclosed documents

So IG Index’s knowledge that Cloete had, or had had, the documents, was information derived from the disclosed documents. Accordingly, the strike out claim succeeded:

The use of the information in the present proceedings cannot be said to be for the purposes of the Employment Tribunal Proceedings…Nor is the relevant information in this case the property of the Claimant…in my judgment the use of this information for the purpose of advancing a claim for damages is plainly and obviously a breach of the prohibition

There might, it was observed, be cases where to bar a claim in circumstances such as these would give rise to an injustice, but this was not one of those cases, and, in any event, sub-rule (b) (whereby a court can grant permission for use of the material) was available to avoid any such injustice.

The Information Commissioner

What I refer to as the “rather odd” appearance in these proceedings of the Information Commissioner’s Office (ICO) arises because Cloete claimed that he hadn’t retained the information at the centre of the case from the time when he had been employed by IG Index. Rather, while he was employed, he had passed it to the ICO, to express concerns about IG Index’s data security. He only got the documents back, according to his statement to the court, when they were

sent to him by the Information Commissioner six months after his employment had been terminated…following a subject access request he made to the Information Commissioner’s Office on 17 December 2012. On 16 January 2013 the Listed Items were attached to an e-mail he received in response to that request. However, he stated that he did not appreciate at the time he received the e-mail that the Listed Items were attached

One must be careful not to make unwarranted criticism of the ICO – I note that they were not involved in the proceedings at all, and had no opportunity to challenge or clarify Cloete’s statement. However, if that statement accurately reflected what happened it would be odd, to say the least, for the ICO to return this confidential information to someone who had no apparent lawful reason to have it, and also odd that it would have been sent in response to a subject access request under the Data Protection Act 1998, which entitles someone, in broad terms, to copies of their own personal data (not that of clients of their former employer). It would be interesting to know more about this.


ICO must disclose Motorman journalists’ names

The ICO has been ordered to disclose the names of some of the journalists referred to in “What Price Privacy” as having engaged the services of rogue private investigator Steve Whittamore

In April 2006 the Information Commissioner’s Office (ICO) published “What Price Privacy?” on what it described as “the unlawful trade in personal information”. The report revealed

evidence of systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information

Those breaches were potential criminal offences under section 55 of the Data Protection Act 1998 (DPA), and the report – which drew on the findings of documentation seized during Operation Motorman, arising from the activities of private investigator Steve Whittamore – said

Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers

In December 2006 the six-month follow-up report “What Price Privacy Now?” was published. This gave further details about the 305 journalists mentioned in the first report, and broke the data down into “Publication”, “Number of transactions positively identified” and “Number of journalists/clients using the services”.

And of course, this trade in personal information formed the basis of the first module (“The relationship between the press and the public and looks at phone-hacking and other potentially illegal behaviour”) of part one of Lord Justice (as he was then) Leveson’s inquiry into the culture, practices and ethics of the press.

In 2011 a request was made under the Freedom of Information Act 2000 (FOIA) to the ICO, for (1) “the number of transactions per journalist of each of the 305 identified journalists for each of the 32 identified publications” and (2) the journalists’ identities. The first request was refused by the ICO, on the basis that it would require a search through 17000 documents, and, therefore, section 12 of FOIA provided a statutory cost limit which meant it did not have to comply. Having been given these apparent facts the requester dropped his first request, but pursued the second. This was also refused, on the basis that the information was exempt under section 40(2) and section 44 of FOIA (the latter by virtue of the statutory bar on disclosure at section 59 of the Data Protection Act 1998 (DPA)), in both cases because disclosure would be an unfair and unlawful disclosure of personal data of the journalists involved.

Because the ICO is the regulator of FOIA, a complaint about its handling of a FOIA request falls to be determined by the same office (a statutory arrangement which was to be described as an “unusual, and unsatisfactory, feature” of the law by the First-tier Tribunal (Information Rights) (FTT)). Accordingly, the office (describing itself as “the Commissioner”, as distinct from the “ICO”, which was the authority refusing the request) issued a Decision Notice which held that

the ICO correctly withheld the information by virtue of section 40(2). He has also found that the information could also be correctly withheld by virtue of section 44(1)

This decision was appealed to the FTT, which has today, after what has clearly been complex and strongly argued litigation, handed down three judgments (1, 2, 3) (two of which were preliminary or interim rulings, publication of which has been held back until now) which are, taken together, extraordinary, both for their criticism of the ICO, and for the outcome.

Taken as a whole the judgments find that, regarding some of the journalists named in the information held by the ICO, the balance of the public interest in receiving the information outweighs the legitimate interest of an individual to protect his or her privacy.

The FTT found that the information wasn’t sensitive personal data (which is afforded a greater level of protection by the DPA). This is at first blush rather surprising: section 2(2) of the DPA provides that sensitive data will be, inter alia, “data consisting of information as to…the commission or alleged commission by [the data subject] of any offence”. However, the FTT found that, although the information

does contain evidence that the investigator [Whittamore] engaged by the journalist committed, or contemplated committing, criminal activity. And, self-evidently, it discloses that the investigator received some form of instruction from the journalist. But there is no suggestion…that the journalist had instructed the investigator to use unlawful methods or that he or she had turned a blind eye to their adoption or, indeed, whether he or she had in fact expressly forbidden the investigator from doing anything that was not strictly legal [para 11 of third ruling]

The FTT had also invited submissions from the parties on the significance to the instant case of some of the passages from the Leveson inquiry, and, having received them, took note from those passages of

the issues of impropriety (which, while very possibly not involving criminality on journalists’ part, is nevertheless serious) and corporate governance in the context of the privacy rights of the [journalists]. We believe that, together, they give rise to a very substantial interest in the public knowing the identities of those who instructed the investigators [para 18 of third ruling]

But also tending towards favouring disclosure in the public interest was Leveson’s suggested criticisms of the ICO

We also give some weight to the public interest in knowing more about the information which was in the possession of the ICO and which the Leveson Report suggested it failed adequately to pursue [para 18 of third ruling]

The FTT noted the interests of the journalists, for instance that they would have had an expectation that details of their day-to-day professional activities would remain confidential, and that the Commissioner had argued that

publication of information indicating that they had engaged the services of the investigators concerned would be so unfair as to outweigh the factors in favour of disclosure [para 19 of third ruling]

but the FTT also noted, in effect, that the journalists involved must have had some idea of what was going on when they engaged Whittamore

it must have been well known within the profession what types of information could be obtained with the help of investigators, even if the means of obtaining it were not fully understood. The rights of individuals under data protection laws would also have been widely known at the time. In those circumstances those engaging the particular services…should have known that they ran the risk of becoming involved in behaviour that fell short of acceptable standards. This seriously dilutes the weight to be attributed to their privacy rights and leads us to conclude that the balance tips in favour of disclosure [para 19 of third ruling]

Accordingly, and unless there is an appeal (I would be surprised if there isn’t), the names of some of the journalists who engaged Whittamore must be disclosed.

Other matters – criticism of ICO

In its preliminary ruling (November 2012) the FTT makes some trenchant criticism of the ICO’s handling of the requester’s first request (even though, as the requester did not pursue it, it was outwith the FTT’s jurisdiction). The refusal on costs grounds had been made, based upon a statement that the information requested had not been recorded in a database. Yet less than two months later the Leveson inquiry began, and, at that inquiry, evidence presented by the ICO effectively, in the FTT’s view, contradicted this statement

we do not understand how the Appellant could have been given such a misleading response to the First Information Request…as a result of the misleading information given to the Appellant, he was not able to pursue his request…We only became aware of the ICO’s error after the Appellant drew our attention to the evidence presented to the Leveson Inquiry regarding the Spreadsheets. We assume (and certainly hope) that those in the Commissioner’s office handling this appeal had not become aware sooner [para 28 of first ruling]

The ICO clearly did not take well to this criticism, because the second interim ruling records that

the Commissioner has complained about part of the decision which he believes includes unfair criticism of his office and has asked us to correct the impression given [para 3 of second ruling]

but the FTT stood firm, saying

We continue to believe that our criticism was justified. The Appellant was told that he was wrong to assume that any database of information existed that could be interrogated…However, it is now known that the ICO held the Spreadsheets at the time…[and although the information in them] may not have provided the Appellant with precisely the information he requested, but it would have come close. Against that background we believe that the ICO was open to criticism for asserting, without further qualification, that it would be necessary to search through the 17,000 documents in order to respond to the request. [para 6 of second ruling]


Reducing regulation…by clogging up the courts

The only thing that made me stop laughing about the Cabinet Office’s arguments in a doomed Tribunal appeal was thinking about the cost to the public purse.

Soon after it was formed the coalition government made an admirable commitment to cut government red tape, by reducing the amount of domestic regulation

Through eliminating the avoidable burdens of regulation and bureaucracy, the Government aims to promote growth, innovation and social action

A Cabinet sub-committee – the Reducing Regulation Committee (RRC) – was set up, to “take strategic oversight of the delivery of the Government’s regulatory framework”.

Around the same time the government was also trumpeting its transparency agenda, with the Prime Minister saying, in an Observer article in September 2010

For too long those in power made decisions behind closed doors, released information behind a veil of jargon and denied people the power to hold them to account. This coalition is driving a wrecking ball through that culture – and it’s called transparency

One might not have supposed, therefore, that it would have been necessary in August 2012 for a request under the Freedom of Information Act 2000 (FOIA) to be made, for (merely) the number of times the RRC had met. Surely this is the sort of information which should be made public as a matter of course? But it was necessary. Moreover, this particular door stayed shut, despite the gentle tapping of transparency’s wrecking ball, when the Cabinet Office refused the request, citing the FOIA exemption which applies to information held by a government department which relates to a) the formulation or development of government policy, or (b) Ministerial communications (section 35(1)(a) and (b)).

The Cabinet Office continued to argue that this exemption was engaged, and that the public interest favoured non-disclosure, when the requester complained to the Information Commissioner’s Office (ICO). And when the ICO held that, yes, the exemption was engaged, but, no, the public interest favoured disclosure, the Cabinet Office appealed the decision.

The First-tier Tribunal (Information Rights) (FTT) has now handed down its judgment, and it makes amusing if dispiriting reading. Wholly unsurprisingly, the ICO’s decision is upheld, and it seems that the Cabinet Office’s argument boils down to two main points: “if we tell you how often the RRC has met then it might mislead you into missing all the great work being done elsewhere, and as a result that great work elsewhere might be adversely affected” (my apologies to the Cabinet Office if this misrepresents their position, but I’ve really tried my best).

The FTT had very little time for these arguments. The only thing vaguely in the Cabinet Office’s favour was that, as a lot of information about “reducing regulation” processes was already publicly available, the public interest in disclosure was small. But, rather devastatingly, the FTT says

the public interest in maintaining the exemption is so weak that it does not equal, let alone outweigh, the, admittedly light, public interest in disclosure (para 27) [emphasis added]

It is worth reading the judgment (which I won’t dissect in detail), as an example of a particularly weak argument against FOIA disclosure, but I would add three closing observations from which you might deduce my level of approval of the Cabinet Office’s conduct:

1. this was a request simply and merely for the number of times a government committee has met (how “transparent” is a refusal to disclose that?)
2. taking a case to FTT is not without significant costs implications (bear in mind this was an oral hearing, with a witness, and with counsel instructed on both sides)
3. the whole litigation in any case carries a huge hint as to the nature/substance of the information held (if the RRC had met often, would the Cabinet Office really want to withhold that fact?)


The weakest link

I am a big fan of Bruce Hallas’s The Analogies Project, and I’ve been promising him for a while that I will send him a proposal for a privacy analogy for possible inclusion in the Project. For the time being, and because I’m suffering from a bit of writer’s block on that piece, I’ll post a little – and obvious – analogy here.

The recent news that the Information Commissioner’s Office (ICO) had required Great Ormond Street Hospital for Children NHS Foundation Trust (“GOSH”) to sign an undertaking (to improve data protection compliance) made me think of the famous quotation by William James from The Varieties of Religious Experience

A chain is no stronger than its weakest link

The ICO noted that, at GOSH,

Although data protection training was in place, it was not required for temporary members of staff

By their nature, temporary staff are often subject to different procedures and obligations (or lack thereof) to permanent staff. It is, consequently, all too easy for data controllers to ask temporary staff to handle personal data without applying the appropriate safeguards which they would always apply where permanent staff are concerned.

Data security and data protection within an organisation can, indeed, be seen as a chain. By that I don’t mean that it should tightly bind or shackle the organisation. Rather, what I mean is that – ideally – all parts should link together, and no part be isolated: thus, data, and risks, are appropriately contained. But if a weak link is in place, the potential exists for the whole chain to be broken.

This is not profound, and I strongly suspect it’s not even a new analogy, but I think it’s one worth making.

And it gives me the chance to quote William James for the second time today.


In which I ask the ICO for a Decision Notice

In September of this year I blogged about a request I made to the Information Commissioner’s Office (ICO) for details of which website some personal data had been inadvertently uploaded to, by a council employee, which had led to a monetary penalty notice. I have now had the ICO’s response to my internal review. I do not have (and haven’t sought) permission to upload that response, but suffice to say it doesn’t uphold my complaint. For those of you still awake I append my response to it here:

I am reluctantly now applying to the Commissioner for a decision whether my request for information has been dealt with in accordance with the requirements of Part I of the Freedom of Information Act 2000 (FOIA).
 
I am of the view that you do have lawful authority to disclose the information, and, therefore, section 59(1) of the Data Protection Act 1998 (DPA) is not engaged (and by extension nor is the substantive exemption claimed: section 44 of FOIA). Before I give my reasons I would just like to clarify an error on my part: I erred in my request for internal review when I queried whether section 59(1)(c) DPA was met. What I meant was that I accepted that sections 59(1)(a-c) were met, but I doubted whether there was a lack of lawful authority for the ICO to disclose.
 
My reasons why I believe you do have lawful authority to disclose are substantially the same as I gave in the rest of my request for internal review. I will repeat them here for completeness’ sake:
 
Section 59(2)(e) says that disclosure is made with lawful authority if “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”. I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the High Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of inadvertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has inadvertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of inadvertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such inadvertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one of the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

However, I make the following further observations.

You say “I consider that the public interest here has been largely, if not entirely, met by the issuing and publication of the Monetary Penalty Notice dated 27 August 2013, the publication of the ICO News release dated 30 August 2013, and other press coverage concerning this particular data breach and how it occurred. I do not consider that disclosure of the name of the website would further this to any significant extent”. However, these sources of information were noticeably lacking in detail about how exactly the rather bizarre and worrying circumstances described in the Monetary Penalty Notice (MPN) could have happened: automatic upload to cloud storage can happen, but normally this will be to private storage – automatic upload to a “public website” is rather alarming.

I note, in passing, some recent criticism of the level of detail, or lack of clarity, in MPNs made by the First-tier Tribunal (see para 17 of the Scottish Borders case, and, the Niebel case, effectively throughout).

I also note that you say “when considering the balance of the public interest in relation to section 59(2)(e) it has to be borne in mind that the threshold is very high because disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”. With respect, whether the Commissioner or a member of his staff might commit a criminal offence is not relevant to whether the public interest means disclosure is necessary. If disclosure is necessary section 59(1) does not apply, and no suggestion of a criminal offence can arise. Moreover, you say “unless there is ‘lawful authority’ to disclose the information, to do so would constitute a criminal offence” and “disclosure in contravention of section 59, by the Commissioner or a member of ICO staff may/will constitute a criminal offence under section 59(3)”, and “Releasing information of this nature without lawful authority would not only constitute a criminal offence…”: all of these omit the crucial mens rea aspect of that offence, which is that the disclosure would have to be made knowingly or recklessly.

You go on to say “There is a strong public interest in information being provided to the Commissioner in confidence, to enable him to carry out his statutory duty, remaining confidential and that this information will not be disclosed without lawful authority. Releasing information of this nature without lawful authority would not only constitute a criminal offence but would also undermine the regulatory function and powers of the ICO. It would damage public trust in the Commissioner’s processes and make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. This repeats the earlier assertions, or implications, that the information in question is “confidential” or has been “provided…in confidence”, which I continue to dispute for reasons previously given (and not controverted), and makes further assertions that disclosing such information now would “make organisations less willing to share information on a voluntary basis making it difficult for the ICO to operate an efficient and effective regulatory system”. There appears simply to be no basis for this “chilling effect” assertion (is there, for instance, evidence to back it up?).

Finally, I note that you say “we did consult with Aberdeen City Council and we do not have explicit consent for disclosure”. You do not say when this consultation took place, but it appears that Aberdeen at some point changed their mind on this, because on 15 October they disclosed the information to me under FOIA (see https://www.whatdotheyknow.com/request/ico_monetary_penalty_notice#outgoing-307019). Clearly, this means that I do not continue to seek disclosure. It also explains why I say I make this application reluctantly (I have no wish to have you, or me, expend time and resources unnecessarily). But I do wish to dispute that my request to you was handled according to requirements in part 1 of FOIA.

I am happy to provide any further information you might need.
with best wishes

etc

Filed under Confidentiality, Freedom of Information, Information Commissioner, monetary penalty notice

Photographing sleeping people – data protection implications

Is it ever OK to photograph strangers on a train? asks Nell Frizzell, in a balanced, and nuanced, article in the Guardian

one new public transport phenomenon has recently crashed into my consciousness. Tumblr accounts dedicated to secretly photographing, uploading and then critiquing fellow commuters, have spored like bed bugs on a bus seat.

She correctly points out that domestic law, even to the extent that it gives effect to Article 8 of the European Convention on Human Rights, does not prevent, in general terms, the act of photographing an individual without their consent.

However, the practice she describes, of uploading photographs to social media sites, does engage, and, I would argue, breach, the Data Protection Act 1998 (DPA).

An image of a person is potentially (and in these specific cases almost certainly) their personal data (particularly bearing in mind the observation by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746 that for information to be personal data it “should have the putative data subject as its focus”). The DPA contains an exemption (at section 36) from all the provisions of the DPA for processing of personal data by an individual for the purposes of that individual’s personal, family or household affairs (including recreational purposes) (the “domestic purposes exemption”). It is possible, although arguable, that the mere taking (and no more) of a photograph of someone on a train, would be caught by this exemption. However, once such a photograph is uploaded to the internet, the exemption falls away. This is because the European Court of Justice held, in a 2003 ruling that binds all inferior courts, that personal data posted on the internet could not be caught by the domestic purposes exemption (Lindqvist (Approximation of laws) [2003] EUECJ C-101/01).

That said, the Information Commissioner’s Office (ICO), which regulates the DPA in the UK, has shown reluctance to accept this authoritative statement of the law regarding the online processing of personal data. I have previously written about this, in the context of the ICO’s social media DPA guidance, which sidesteps (or, rather, ignores) the point. However, it might be more difficult for a domestic court (bound by the authority of Lindqvist) to ignore it in the same way, in the event that any case came before one for determination.

But therein lies the (lack of) rub. Uploading a photograph, without consent, of someone sleeping on a train is unfair, and therefore in breach of the first Data Protection Principle (because no Schedule 2 condition exists which permits the processing). But I struggle to imagine the chain of events which could give rise to a claim (for instance, the data subject would have to contact the photographer, or the site, to require them to cease processing on the grounds that doing so was causing, or was likely to cause, substantial damage or substantial distress, and the photographer, or site, would have to refuse).

So, ultimately, even though I’d argue that these sites, and those who upload to them, breach the DPA, the unwillingness of the ICO to exercise jurisdiction, and the unlikelihood of any legal claim emerging, mean that they can probably continue with impunity, unfairness notwithstanding.

As photographer Paul Clarke said in an excellent blogpost on the subject earlier this year

Sticking to rigid rules of law won’t help us very much. This might feel (it does to me) like gross intrusion on privacy. But being offensive is not enough to make something an offence.

Filed under Data Protection, human rights, Information Commissioner, Privacy, social media

CQC and data protection, redux

In June this year I blogged about the furore caused when the Care Quality Commission (CQC) initially refused, citing data protection law, to identify four members of staff who were alleged to have tried to cover up a critical internally-commissioned report into its oversight of the University Hospitals Morecambe Bay NHS Trust.

Even Christopher Graham, the Information Commissioner, got involved, saying

This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear

and, perhaps as a result of his intervention, the day after the news broke, the CQC changed position, saying

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

I had wondered if the reason for the initial non-disclosure was because of doubt as to the veracity of the reported cover-up comments, perhaps in conjunction with a challenge by the data subjects, on the basis that publishing that they had made those comments was untrue, and potentially defamatory and, therefore, in breach of the Data Protection Act 1998 (DPA):

on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage

Yesterday, news emerged that the CQC had published a statement on its website exonerating one of the people named

  • Anna Jefferson had not used “any inappropriate phrases” as attributed to her by one witness quoted in the Grant Thornton report; and

  • Anna Jefferson had not supported any instruction to delete an internal report prepared by a colleague – Louise Dineley.

The CQC regrets any distress Anna Jefferson has suffered as a consequence of this matter

So, it looks like someone was wrongly identified as committing an act of misconduct. Ms Jefferson is said to have been “deeply upset” by the allegations, and describes it as having been a “difficult time”.

In a postscript to my original blog post I wondered idly about

the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA

It is possible that the statement on the CQC website is in fact an attempt to avoid this, or alternative, legal action. I wonder if Christopher Graham is going to revisit his comments.

Filed under Confidentiality, Data Protection, defamation, Information Commissioner

Two more years for Chris Graham?

I think one mark of a true information rights nerd is whether they read minutes of meetings at the Information Commissioner’s Office (ICO), which are published, with a generally admirable commitment to transparency, on their website.

While browsing some recent minutes (of the Management Board meeting of 22 July) I noticed something interesting, which I wasn’t aware of (and haven’t seen anyone else pick up on?). Under a heading of “Major issues affecting the ICO” is

The Ministry of Justice has confirmed the Government’s intention to recommend to HM The Queen that Christopher Graham is reappointed as Information Commissioner [IC] for a period of two years following his current tenure ending in June next year.

The IC is a Crown appointment and his or her tenure is set at five years (paragraph 2(1) of Schedule 5 of the Data Protection Act 1998) but, by virtue of paragraph 2(5) he or she may be reappointed, provided he or she is not over 65, or has not already served for fifteen years. The reappointment of Christopher Graham (born 1950) will (if it happens) take him to that retirement age of 65.

This is hardly shock news: all three of Graham’s predecessors as IC (formerly “Data Protection Registrar”) were reappointed after their initial terms of office, and he has, on most objective analyses, performed well in office: he got rid of the appalling backlog of Freedom of Information cases he inherited, and has been an effective stern-faced enforcer of data protection breaches. What he hasn’t done, yet, is see the implementation of the General Data Protection Regulation – the updating of the creaking 18-year-old current European data protection regime. But, given the apparently interminable wrangling about that instrument, one wonders whether an extra two years, starting in June 2014, will even help him achieve that.

Filed under Data Protection, Freedom of Information, Information Commissioner