Tag Archives: journalism

ICO discloses names of Operation Motorman journalists

In August this year the Upper Tribunal dismissed an appeal by the Information Commissioner’s Office (ICO) of a prior ruling that he must disclose the names of certain journalists who appeared on a list 305 names seized by the ICO during a raid in 2003 on the home of private investigator Steve Whittamore. The raid was part of “Operation Motorman”, an investigation which forms part of the background to the various civil and criminal proceedings generated by the phone-hacking scandals, and to the establishment of the Leveson Inquiry.

The names which have been ordered to be disclosed have now been provided by the ICO to the requester, the clearly indefatigable Chris Colenso-Dunne. Chris has kindly given the list to me, and I make it available in the attachment below. One name stands out in particular: Rebekah Wade (as she then was), now Brooks, who has always denied knowledge of the phone-hacking which took place while she was editor of the now defunct News of the World (and who was, of course, acquitted in 2014 of conspiring to hack phones when editor of that paper and of making corrupt payments to public officials when editor of The Sun, as well as of all other charges).

It is important to be aware, as the Upper Tribunal said, that presence on the list means nothing more than that the journalists in question

had commissioned Mr Whittamore to obtain information… The information did not carry with it any assertion as to the actual or alleged commission of any crime by those journalists [para 38]

No doubt the list will generate further comment, though.

ICO Motorman List

[this post was edited to remove a paragraph where I’d mistakenly taken the list to mean that Wade was working for “Femail” at the time]

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


7 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Upper Tribunal

FOI, data protection and rogue landlords 

On 23rd July the Chartered Institute of Environmental Health (CIEH), in conjunction with the Guardian, published a database of landlords who have been convicted of offences under the Housing Act 2004. This showed, for example, that one landlord has been prosecuted seven times for issues relating to disrepair and poor state of properties rented out. It also showed apparent regional discrepancies regarding prosecutions, with some councils carrying out only one prosecution since 2006.

This public interest investigative journalism was, however not achieved without a fight: in September last year the information Commissioners office (ICO) issued a decision notice finding that the journalists request for this information had been correctly refused by the Ministry of Justice on the grounds that the information was sensitive personal data and disclosure under the Freedom of Information Act 2000 (FOIA) would contravene the MoJ’s obligations under the Data Protection Act 1998 (DPA). Section 40(2) of FOIA provides that information is exempt from disclosure under FOIA if disclosure would contravene any of the data protection principles in Schedule One of the DPA (it also provides that it would be exempt if disclosure would contravene section 10 of the DPA, but this is rarely invoked). The key data protection principle is the first, which says that personal data must be processed fairly and lawfully, and in particular that the processing must meet one of the conditions in Schedule Two, and also – for sensitive personal data – one of the conditions in Schedule Three.

The ICO, in its decision notice, after correctly determining that information about identifiable individuals (as opposed to companies) within the scope of the request was sensitive personal data (because it was about offences committed by those individuals) did not accept the requester’s submission that a Schedule Three condition existed which permitted disclosure. The only ones which could potentially apply – condition 1 (explicit consent) or condition 5 (information already made public by the individual) – were not engaged.

However, the ICO did not at the time consider the secondary legislation made under condition 10: the Data Protection (Processing of Sensitive Personal Data) Order 2000 provides further bases for processing of sensitive personal data, and, as the the First-tier Tribunal (Information Rights) (FTT) accepted upon appeal by the applicant, part 3 of the Schedule to that Order permits processing where the processing is “in the substantial public interest”, is in connection with “the commission by any person of any unlawful act” and is for journalistic purposes and is done with a “view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest”. In fairness to the ICO, this further condition was identified by them in their response to the appeal.

In this case, the information was clearly sought with a view to the future publication in the CIEH’s Magazine, “Environmental Health News” and the requester was the digital editor of the latter. This, the FTT decided, taken with the (objective) substantial public interest in the publication of the information, was sufficient to make disclosure under FOIA fair and lawful. In a passage (paras 28-30) worth quoting in full the FTT said

Unfit housing is a matter of major public concern and has a significant impact on the health of tenants.  The Housing Act is a key mechanism for local authorities to improve housing standards and protect the health of vulnerable tenants.  One mechanism for doing this is by means of prosecution, another is licensing schemes for landlords.  Local authorities place vulnerable families in accommodation outside their areas tenants seek accommodation, The publication of information about convictions under the Housing Act would be of considerable value to local authorities in discharge of their functions and assist prospective tenants and those assisting them in avoiding landlords with a history of breaches of the Housing Act.

The sanctions under the Housing Act are comparatively small and the  opprobrium of a conviction may well not rank with other forms of criminal misbehaviour, however the potential for harm to others from such activity is very great, the potential for financial benefit from the misbehaviour is also substantial.  Breaches of the Housing Act are economically motivated and what is proposed is a method of advancing the policy objective of the Housing Act by increasing the availability of relevant information to key actors in the rented housing market – the local authorities as regulator and purchaser and the tenants themselves.  Any impact on the data subjects will overwhelmingly be on their commercial reputations rather than more personal matters.

The Tribunal is therefore satisfied that not only is the disclosure of this information in the substantial public interest, but also any reasonably informed data controller with  knowledge of the social needs and the impact of such disclosure would so conclude.

It is relatively rare that sensitive personal data will be disclosed, or ordered to be disclosed, under FOIA, but it is well worth remembering the 2000 Order, particularly when it comes to publication or proposed publication of such data under public interest journalism.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Open Justice

Is an FOI request from an investigative journalist ever vexatious?

Last week, in the Court of Appeal, the indefatigable, if rather hyperbolic, Mr Dransfield was trying to convince three judges that his request, made long ago, to Devon County Council, for information on Lightning Protection System test results relating to a pedestrian bridge at Exeter Chiefs Rugby Ground, was not vexatious. If he succeeds in overturning what was a thorough, and, I think, pretty unimpeachable ruling in the Upper Tribunal, then we may, at last, have some finality on how to interpret section 14(1) of the Freedom of Information Act 2000 (FOIA):

a public authority [is not obliged] to comply with a request for information if the request is vexatious

But what is certain is that the Court of Appeal will not hand down a ruling which would allow a public authority to feel able merely to state that a request is vexatious, and do nothing more to justify reliance on it. But that is what the Metropolitan Police appear to have done in an extraordinary response to FOIA requests from the Press Gazette. The latter has been engaging in a campaign to expose what it believes to be regular use of surveillance powers to monitor or investigate actions of journalists. This is both a serious subject and a worthy campaign. Investigative journalism, by definition, is likely to involve the making of enquiries, sometimes multiple ones, sometimes speculative, “to discover the truth and to identify lapses from it”. It is inevitable that an investigative journalist will from time to time need to make use of FOIA, and the Information Commissioner’s Office (ICO) advises that

[public] authorities must take care to differentiate between broad requests which rely upon pot luck to reveal something of interest and those where the requester is following a genuine line of enquiry

The ICO doesn’t (and couldn’t) say that a FOIA request from an investigative journalist could never be classed as vexatious, but I think the cases when that would happen would be exceptional. The Upper Tribunal ruling by Wikeley J that Mr Dransfield is seeking to overturn talked of “vexatious” as connoting

a manifestly unjustified, inappropriate or improper use of a formal procedure

and

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

although it was stressed that these were neither exhaustive, nor a “formulaic checklist”.

It is difficult to imagine that the motive of the Press Gazette journalists can be anything but well-intended, and similarly difficult to claim there is no value or serious purpose to the request, or the other requests which need to be considered for context. Nor has there been, as far as I am aware, any suggestion that the requests have caused Met staff any harassment or distress. So we are (while noting and acknowledging that we are not following a checklist) only likely to be talking about “the burden on the public authority and its staff”. It is true that some requests, although well-intentioned and of serious value, and made in polite terms, have been accepted either by the ICO or the First-tier Tribunal (FTT), as being so burdensome to comply with that (even before considering whether FOIA costs limits are engaged) they merit rejection on vexatiousness grounds. In 2012 the FTT upheld an appeal from the Independent Police Complaints Commission, saying that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12 [costs limits]

and last year the FTT similarly allowed a late submission by the Department of Education that a request from the journalist Laura McInerney for information about Free School applications was vexatious because of the burden it would impose:

There is no question here of anything in the tone of the request tending towards vexatiousness; nor does anyone doubt Ms McInerney’s genuine motives…There is value in openness and transparency in respect of departmental decision making. That value would be increased by the academic scrutiny which the disclosed material would receive…In our judgment, however, these important considerations are dwarfed by the burden which implementation of the request places on DFE.

But it does not appear that the request in question from the Press Gazette was likely to go any way towards being grossly oppressive, or to being a burden which would “dwarf” the other considerations.

Moreover, and it does not appear to have been a point argued in the DfE case, there is an argument, explored through a series of cases in the Court of Justice of the European Union, and, domestically, in the Supreme Court, in Kennedy v ICO and Charity Commission, that Article 10 of the European Convention on Human Rights, providing as it does in part a right “to receive and impart information and ideas without interference by public authority” (subject to limitations that are prescribed by law, necessary and proportionate, and pursue a legitimate aim) might sometimes need to read down into FOIA, particularly where a journalist is the requester. Although the Supreme Court, by a majority, and on the facts (specifically in the context of a FOIA absolute exemption), rejected the submission in Kennedy, the argument in the abstract still has some weight – someone engaging in investigative journalism is clearly generally acting as a “social watchdog”, and the likelihood that they are making a FOIA request with bad motives, or without serious purpose, or in a way likely to harass or cause distress is correspondingly low. It seems to me that, absent the sort of “excessive burden” argument explored in the IPCC and DfE cases – and, as I say, the Met don’t seem to have advanced any such argument – to label a request from an investigative journalist as vexatious is to stand at the top of a slippery slope. One hopes that the Met review and reverse this decision.

p.s. In a world in which we are all journalists, this all has the potential to get very complicated.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

149 Comments

Filed under Article 10, Freedom of Information, journalism, police

Are we all journalists?

The ICO has said that Global Witness can claim the data protection exemption for journalism, regarding their investigations in BSGR. This fascinating case continues to raise difficult and important questions.

Data protection law rightly gives strong protection to journalism; this is something that the 2012 Leveson inquiry dealt with in considerable detail, but, as the inquiry’s terms of reference were expressly concerned with “the press”, with “commercial journalism”, it didn’t really grapple with the rather profound question of “what is journalism?” But the question does need to be asked, because in the balancing exercise between privacy and freedom of expression too much weight afforded to one side can result in detriment to the other. If personal privacy is given too much weight, freedom of expression is weakened, but equally if “journalism” is construed too widely, and the protection afforded to journalism is consequently too wide, then privacy rights of individuals will suffer.

In 2008 the Court of Justice of the European Union (CJEU) was asked, in the Satamedia case, to consider the extent of the exemption from a large part of data protection law for processing of personal data for “journalistic” purposes. Article 9 of the European Data Protection Directive (the Directive) provides that

Member States shall provide for exemptions or derogations…for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

and recital 37 says

Whereas the processing of personal data for purposes of journalism or for purposes of literary of artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information

In Satamedia one of the questions the CJEU was asked to consider was whether the publishing of public-domain taxpayer data by two Swedish companies could be “regarded as the processing of personal data carried out solely for journalistic purposes within the meaning of Article 9 of the directive”. To this, the Court replied “yes”

Article 9 of Directive 95/46 is to be interpreted as meaning that the activities [in question], must be considered as activities involving the processing of personal data carried out ‘solely for journalistic purposes’, within the meaning of that provision, if the sole object of those activities is the disclosure to the public of information, opinions or ideas [emphasis added]

One can see that, to the extent that Article 9 is transposed effectively in domestic legislation, it affords significant and potentially wide protection for “journalism”. In the UK it is transposed as section 32 of the Data Protection Act 1998 (DPA). This provides that

Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

where “the special purposes” are one or more of “the purposes of journalism”, “artistic purposes”, and “literary purposes”. Section 32 DPA exempts data processed for the special purposes from all of the data protection principles (save the 7th, data security, principle) and, importantly from provisions of sections 7 and 10. Section 7 is the “subject access” provision, and normally requires a data controller, upon receipt of written request by an individual, to inform them if their personal data is being processed, and, if it is, to give the particulars and to “communicate” the data to the individual. Section 10 broadly allows a data subject to object to processing which is likely to cause substantial damage or substantial distress, and to require the data to controller to cease (or not begin) processing (and the data controller must either comply or state reasons why it will not). Personal data processed for the special purposes are, therefore, exempt from subject access and from the right to prevent processing likely to cause damage or distress. It is not difficult to see why – if the subject of, say, investigative journalism, could find out what a journalist was doing, and prevent her from doing it, freedom of expression would be inordinately harmed.

The issue of the extent of the journalistic data protection exemption came into sharp focus towards the end of last year, when Benny Steinmetz and three other claimants employed by or associated with mining and minerals group Benny Steinmetz Group Resources (BSGR) brought proceedings in the High Court under the DPA seeking orders that would require campaigning group Global Witness to comply with subject access requests by the claimants, and to cease processing their data. The BSGR claimants had previously asked the Information Commissioner’s Office (ICO), pursuant to the latter’s duties under section 42 DPA, to assess the likelihood of the lawfulness of Global Witness’s processing, and the ICO had determined that it was unlikely that Global Witness were complying with their obligations under the DPA.

However, under section 32(4) DPA, if, in any relevant proceedings, the data controller claims (or it appears to the court) that the processing in question was for the special purposes and with a view to publication, the court must stay the proceedings in order for the ICO to consider whether to make a specific “special purposes” determination by the ICO. Such a determination would be (under section 45 DPA) that the processing was not for the special purposes nor was it with a view to publication, and it would result in a “special information notice”. Such a stay was applied to the BSGR proceedings and, on 15 December, after some considerable wait, the ICO conveyed to the parties that it was “satisfied that Global Witness is only processing the personal data requested … for the purposes of journalism”. Accordingly, no special information notice was served, and the proceedings remain stayed. Although media reports (e.g. Guardian and Financial Times) talk of appeals and tribunals, no direct appeal right exists for a data subject in these circumstances, so, if as seems likely, BSGR want to revive the proceedings, they will presumably either have to apply to have the stay lifted or/and issue judicial review proceedings against the ICO.

The case remains fascinating. It is easy to applaud a decision in which a plucky environmental campaign group claims journalistic data protection exemption regarding its investigations of a huge mining group. But would people be so quick to support, say, a fascist group which decided to investigate and publish private information about anti-fascist campaigners? Could that group also gain data protection exemption claiming that the sole object of their processing was the disclosure to the public of information, opinions or ideas? Global Witness say that

The ruling confirms that the Section 32 exemption for journalism in the Data Protection Act applies to anyone engaged in public-interest reporting, not just the conventional media

but it is not immediately clear from where they import the “public-interest” aspect – this does not appear, at least not in explicit terms, in either the Directive or the DPA. It is possible that it can be inferred, when one considers that processing for special purposes which is not in the public interest might constitute an interference with respect for data subjects’ fundamental rights and freedoms (per recital 2 of the Directive). And, of course, with talk about public interest journalism, we walk straight back into the arguments provoked by the Leveson inquiry.

Furthermore, one notes that the Directive talks about exemption for processing of personal data carried out solely for journalistic purposes, and the DPA says “personal data which are processed only for the special purposes are exempt…”. This was why I emphasised the words in the Satamedia judgment quoted above, which talks similarly of the exemption applying if the “sole object of those activities is the disclosure to the public of information, opinions or ideas”. One might ask whether a campaigning group’s sole or only purpose for processing personal data is for journalism. Might they not, in processing the data, be trying to achieve further ends? Might, in fact, one say that the people who engage solely in the disclosure to public of information, opinions or ideas are in fact those we more traditionally think of in these terms…the press, the commercial journalists?

P.S. Global Witness have uploaded a copy of the ICO’s decision letter. This clarifies that the latter was satisfied that the former was processing for the special purposes because it was part of “campaigning journalism” even though the proposed future publication of the information “forms part of a wider campaign to promote a particular cause”. This chimes with the ICO’s data protection guidance for the media, but it will be interesting if it is challenged on the basis that it doesn’t support a view that the processing is “only” or “solely” for the special purposes.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

5 Comments

Filed under Data Protection, Directive 95/46/EC, Information Commissioner, journalism, Leveson

Brooks Newmark, the press, and “the other woman”

UPDATE: 30.09.14 Sunday Mirror editor Lloyd Embley is reported by the BBC and other media outlets to have apologised for the use of women’s photos (it transpires that two women’s images appropriated), saying

We thought that pictures used by the investigation were posed by models, but we now know that some real pictures were used. At no point has the Sunday Mirror published any of these images, but we would like to apologise to the women involved for their use in the investigation

What I think is interesting here is the implicit admission that (consenting) models could have been used in the fake profiles. Does this mean therefore, the processing of the (non-consenting) women’s personal data was not done in the reasonable belief that it was in the public interest?

Finally, I think it’s pretty shoddy that former Culture Secretary Maria Miller resorts to victim-blaming, and missing the point, when she is reported to have said that the story “showed why people had to be very careful about the sorts of images they took of themselves and put on the internet”

END UPDATE.

With most sex scandals involving politicians, there is “the other person”. For every Profumo, a Keeler;  for every Mellor, a de Sancha; for every Clinton, a Lewinsky. More often than not the rights and dignity of these others are trampled in the rush to revel in outrage at the politicians’ behaviour. But in the latest, rather tedious, such scandal, the person whose rights have been trampled was not even “the other person”, because there was no other person. Rather, it was a Swedish woman* whose image was appropriated by a journalist without her permission or even her knowledge. This raises the question of whether such use, by the journalist, and the Sunday Mirror, which ran the exposé, was in accordance with their obligations under data protection and other privacy laws.

The story run by the Sunday Mirror told of how a freelance journalist set up a fake social media profile, purportedly of a young PR girl called Sophie with a rather implausible interest in middle-aged Tory MPs. He apparently managed to snare the Minister for Civil Society and married father of five, Brooks Newmark, and encourage him into sending explicit photographs of himself. The result was that the newspaper got a lurid scoop, and the Minister subsequently resigned. Questions are being asked about the ethics of the journalism involved, and there are suggestions that this could be the first difficult test for IPSO, the new Independent Press Standards Organisation.

But for me much the most unpleasant part of this unpleasant story was that the journalist appears to have decided to attach to the fake twitter profile the image of a Swedish woman. It’s not clear where he got this from, but it is understood that the same image had apparently already appeared on several fake Facebook accounts (it is not suggested, I think, that the same journalist was responsible for those accounts). The woman is reported to be distressed at the appropriation:

It feels really unpleasant…I have received lot of emails, text messages and phone calls from various countries on this today. It feels unreal…I do not want to be exploited in this way and someone has used my image like this feels really awful, both for me and the others involved in this. [Google translation of original Swedish]

Under European and domestic law the image of an identifiable individual is their personal data. Anyone “processing” such data as a data controller (“the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”) has to do so in accordance with the law. Such processing as happened here, both by the freelance journalist, when setting up and operating the social media account(s), and by the Sunday Mirror, in publishing the story, is covered by the UK Data Protection Act 1998 (DPA). This will be the case even though the person whose image was appropriated is in Sweden. The DPA requires, among other things, that processing of personal data be “fair and lawful”. It affords aggrieved individuals the right to bring civil claims for compensation for damage and distress arising from contraventions of data controllers’ obligations under the DPA. It also affords them the right to ask the Information Commissioner’s Office (ICO) for an assessment of the likelihood (or not) that processing was in compliance with the DPA.

However, section 32 of the DPA also gives journalism a very broad exemption from almost all of the Act, if the processing is undertaken with a view to publication, and the data controller reasonably believes that publication would be in the public interest and that compliance with the DPA would be incompatible with the purposes of journalism. As the ICO says

The scope of the exemption is very broad. It can disapply almost all of the DPA’s provisions, and gives the media a significant leeway to decide for themselves what is in the public interest

The two data controllers here (the freelancer and the paper) would presumably have little problem satisfying a court, or the ICO, that when it came to processing of Brooks Newmark’s personal data, they acted in the reasonable belief that the public interest justified the processing. But one wonders to what extent they even considered the processing of (and associated intrusion into the private life of) the Swedish woman whose image was appropriated. Supposing they didn’t even consider this processing – could they reasonably say they that they reasonably believed it to have been in the public interest?

These are complex questions, and the breadth and ambit of the section 32 exemption are likely to be tested in litigation between the mining and minerals company BSG and the campaigning group Global Witness (currently stalled/being considered at the ICO). But even if a claim or complaint under DPA would be a tricky one to make, there are other legal issues raised. Perhaps in part because of the breadth of the section 32 DPA exemption (and perhaps because of the low chance of significant damages under the DPA), claims of press intrusion into private lives are more commonly brought under the cause of action of “misuse of private information “, confirmed – it would seem – as a tort, in the ruling of Mr Justice Tugendhat in Vidal Hall and Ors v Google Inc [2014] EWHC 13 (QB), earlier this year. Damage awards for successful claims in misuse of private information have been known to be in the tens of thousands of pounds – most notably recently an award of £10,000 for Paul Weller’s children, after photographs taken covertly and without consent had been published in the Mail Online.

IPSO expects journalists to abide by the Editor’s Code, Clause 3 of which says

i) Everyone is entitled to respect for his or her private and family life, home, health and correspondence, including digital communications.

ii) Editors will be expected to justify intrusions into any individual’s private life without consent. Account will be taken of the complainant’s own public disclosures of information

and the ICO will take this Code into account when considering complaints about journalistic processing of personal data. One notes that “account will be taken of the complainant’s own public disclosures of information”, but one hopes that this would not be seen to justify the unfair and unethical appropriation of images found elsewhere on the internet.

*I’ve deliberately, although rather pointlessly – given their proliferation in other media – avoided naming the woman in question, or posting her photograph

4 Comments

Filed under Confidentiality, consent, Data Protection, Information Commissioner, journalism, Privacy, social media

Data Protection for Baddies

Should Chris Packham’s admirable attempts to expose the cruelties of hunting in Malta be restrained by data protection law? And who is protected by the data protection exemption for journalism?

I tend sometimes to lack conviction, but one thing I am pretty clear about is that I am not on the side of people who indiscriminately shoot millions of birds, and whose spokesman tries to attack someone by mocking their well-documented mental health problems. So, when I hear that the FNKF, the Maltese “Federation for Hunting and Conservation” has

presented a judicial protest against the [Maltese] Commissioner of Police and the Commissioner for Data Protection, for allegedly not intervening in “contemplated” or possible breaches of privacy rules

with the claim being that they have failed to take action to prevent

BBC Springwatch presenter Chris Packham [from] violating hunters’ privacy by “planning to enter hunters’ private property” and by posting his video documentary on YouTube, which would involve filming them without their consent

My first thought is that this is an outrageous attempt to manipulate European privacy and data protection laws to try to prevent legitimate scruting of activities which sections of society find offensive and unacceptable. It’s my first thought, and my lasting one, but it does throw some interesting light on how such laws can potentially be used to advance or support causes which might not be morally or ethically attractive. (Thus it was that, in 2009, a former BNP member was prosecuted under section 55 the UK Data Protection Act 1998 (DPA 1998) for publishing a list of party members on the internet. Those members, however reprehensible their views or actions, had had their sensitive personal data unlawfully processed, and attracted the protection of the DPA (although the derisory £200 fine the offender received barely served as a deterrent)).

I do not profess to being an expert in Maltese Data Protection law, but, as a member state of the European Union, Malta was obliged to implement Directive EC/95/46 on the Protection of Individuals with regard to the Processing of Personal Data (which it did in its Data Protection Act of 2001). The Directive is the bedrock of all European data protection law, generally containing minimum standards which member states must implement in domestic law, but often allowing them to legislate beyond those minimum standards.

It may well be that the activities of Chris Packham et al do engage Maltese data protection law. In fact, if, for instance, film footage or other information which identifies individuals is recorded and broadcast in other countries in the European Union, it would be likely to constitute an act of “processing” under Article 2(b) of the Directive which would engage data protection law in whichever member state it was processed.

Data protection law at European level has a scope whose potential breadth has been described as “breath-taking”. “Personal data” is “any information relating to an identified or identifiable natural person” (that is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”), and “processing” encompasses “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

However, the broad scope does not necessarily means broad prohibitions on activities involving processing. Personal data must be processed “fairly and lawfully”, and can (broadly) be processed without the data subject’s consent in circumstances where there is a legal obligation to do so, or where it is necessary in the public interest, or necessary where the legitimate interests of the person processing it, or of a third party, outweigh the interests for fundamental rights and freedoms of the data subject. These legitimising conditions are implemented into the Maltese Data Protection Act 2001 (at section 9), so it can be seen that the FKNF’s claim that Packham requires the hunters’ consent to film might not have legs.

Moreover, Article 9 of the Directive, transposed in part at section 6 of the 2001 Maltese Act, provides for an exemption to most of the general data protection obligations where the processing is for journalistic purposes, which almost certainly be engaged for Packham’s activities. Whether, however, any other Maltese laws might apply is, I’m afraid, well outside my area of knowledge.

But what about activists who might not normally operate under the banner of “journalism”? What if Packham were, rather than a BBC journalist/presenter, “only” a naturalist? Would he be able to claim the journalistic data protection exemption?

Some of these sorts of issues are currently edging towards trial in litigation brought in the UK, under the DPA 1998, by a mining corporation (or, in its own words, a “diversified natural resources business”), BSG Resources, against Global Witness, an NGO one of whose stated goals is to “expose the corrupt exploitation of natural resources and international trade systems”. BSGR’s claims are several, but are all made under the DPA 1998, and derive from the fact they have sought to make subject access requests to Global Witness to know what personal data of the BSGR claimants is being processed, for what purposes and to whom it is being or may be disclosed. Notably, BSGR have chosen to upload their grounds of claim for all to see. For more background on this see the ever-excellent Panopticon blog, and this article in The Economist.

This strikes me as a potentially hugely significant case, firstly because it illustrates how data protection is increasingly being used to litigate matters more traditionally seen as being in the area of defamation law, or the tort of misuse of private information, but secondly because it goes to the heart of questions about what journalism is, who journalists are and what legal protection (and obligations) those who don’t fit the traditional model/definition of journalism have or can claim.

I plan to blog in more detail on this case in due course, but for the time being I want to make an observation. Those who know me will not have too much trouble guessing on whose side my sympathies would tend to fall in the BSGR/Global Witness litigation, but I am not so sure how I would feel about extending journalism privileges to, say, an extremist group who were researching the activities of their opponents with a view to publishing those opponents’ (sensitive) personal data on the internet. If society wishes to extend the scope of protection traditionally afforded to journalists to political activists, or citizen bloggers, or tweeters, it needs to be very careful that it understands the implications of doing so. Freedom of expression and privacy rights coexist in a complex relationship, which ideally should be an evenly balanced one. Restricting the scope of data protection law, by extending the scope of the exemption for journalistic activities, could upset that balance.

7 Comments

Filed under Data Protection, Europe, human rights, journalism, Privacy, Uncategorized

Why no prison sentences for misuse of medical data?

So, the government, roused from its torpor by the public outrage at the care.data proposals, and the apparent sale of 47 million patient records to actuaries, is said to be proposing, as a form of reassurance, amendments to the Care Bill. The Telegraph reports that

Jeremy Hunt will unveil new laws to ensure that medical records can only be released when there is a “clear health benefit” rather than for “purely commercial” use by insurers and other companies.

Ministers will also bolster criminal sanctions for organisations which breach data protection laws by disclosing people’s personal data. Under a “one strike and you’re out” approach, they will be permanently banned from accessing NHS data

One needs to be aware that this is just a newspaper report, and as far as I know it hasn’t been confirmed by the minister or anyone else in the government, but if it is accurate, I fear it shows further contempt for public concerns about the risks to the confidentiality of their medical records.

The first of the reported amendments sounds like a statutory backing to the current assurances that patient data will only be made available to third parties if it is for the purposes that will benefit the health and social care system (see FAQ 39 on the Guide for GP Practices). It also sounds like a very difficult piece of legislation to draft, and it will be very interesting to see what the proposed amendment actually says – will it allow secondary use for commercial purposes, as long as the primary use is for a “clear health benefit”? and, crucially, how on earth will it be regulated and enforced? (will properly resourced regulators be allowed to audit third parties’ use of data? – I certainly hope so).

The second amendment implies that the Data Protection Act 1998 (DPA) will also be amended. This also sounds like a difficult provision to draft: the Telegraph says

Those that have committed even one prior offence involving patient data will be barred from accessing NHS medical records indefinitely as part of a “one strike and you’re out” approach

But what do we mean by “offence”? The Telegraph falls into the common error of thinking that the Information Commissioner’s Office’s (ICO’s) powers to serve monetary penalty notices (MPNs) to a maximum of £500,000 are criminal justice powers; they are not – MPNs are civil notices, and the money paid is not a “fine” but a penalty. The only relevant current criminal offence in the DPA is that of (in terms) deliberately or recklessly obtaining or disclosing personal data without authority of the data controller. This is an either-way offence, which means it currently carries a maximum sanction of a £5000 fine in a magistrates court, or an unlimited fine in Crown Court (it is very rare for cases to be tried in the latter though). Prosecutions under this section (55) are generally brought against individuals, because the offence involves obtaining or disclosing the data without the authority of the data controller. It is unlikely that a company would commit a section 55 offence. More likely is that a company would seriously contravene the DPA in a manner which would lead to a (civil) MPN, or more informal ICO enforcement action. More likely still is simply that the ICO would have made a finding of “unlikely to have complied” with the DPA, under section 42 – a finding which carries little weight. Are prior civil or informal action, or a section 42 “unlikely to have complied” assessment going to count for the “one strike and you’re out” approach? And even if they are, what is to stop miscreant individuals or companies functioning through proxies, or agents? or even simply lying to get access to the data?

Noteworthy by its absence in the Telegraph reports of the proposed amendments was any reference to the one change to data protection law which actually might have a deterrent effect on those who illegally obtain or disclose personal data – the possibility of being sent to prison. As I and others have written before, all that is needed to achieve this is for the government to commence Section 77 of the Criminal Justice and Immigration Act 2008, which would create the power to alter the penalty (including a custodial sentence) for a section 55 DPA offence. However, the government has long been lobbied by certain sections of the press industry not to do so, because of apparent fears that it would give the state the power to imprison investigative journalists (despite the fact that section 78 of the Criminal Justice Act 2008 – also uncommenced – creating a new defence for journalistic, literary or artistic purposes). The Information Commissioner has repeatedly called for the law to be changed so that there is a real sanction for serious criminal data protection offences, but to no avail.

Chris Pounder has argued that the custodial sentence provisions (discussion of which was kicked into the long grass which grew up in the aftermath of the Leveson inquiry) might never be introduced. Despite the calls for such strong penalties for misuse of medical data, from influential voices such as Ben Goldacre, the proposals for change outlined by the Telegraph seem to support Dr Pounder’s view.

One of the main criticisms of the disastrous public relations and communications regarding the care.data initiative is that people’s acute concerns about the security of their medical records have been dismissed with vague or misleading reassurances. With the announcement of these vague and probably ineffectual proposed legal sanctions, what a damned shame that that looks to be continuing.

3 Comments

Filed under care.data, Data Protection, data sharing, Information Commissioner, Leveson, monetary penalty notice, NHS

For Shame

A newspaper says police are “naming and shaming” drivers who have been charged with, but not convicted, of drink-driving offences. Sussex Police say they are merely “naming” the drivers, but do not appear to feel the need to correct the media reports.

The risk for social media users of being held in contempt of court was highlighted this week by the Attorney General, who has said that, in future, the advisory notes issued to “traditional” media on individual cases will now be made more widely available (published on the gov.uk website and twitter).

With this in mind I was concerned to see that Sussex Police were reported by the Eastbourne Herald to be “naming and shaming” drivers arrested and charged with drink-driving

Police have said this year they are ‘naming and shaming’ everyone they arrest in connection with drink driving

The report goes on to quote Chief Inspector Natalie Moloney as saying

It is sad that so many people ignored the warnings that we would be looking for drink-drivers and have been charged with offences within hours of the start of the campaign. The arrests and the naming of those charged with offences will continue across the county throughout the month

This seemed to me potentially to engage the provisions of the Contempt of Court Act 1981 of an offence of strict liability “whereby conduct may be treated as a contempt of court as tending to interfere with the course of justice in particular legal proceedings regardless of intent to do so”, because it is a publication addressed to the public at large, about active proceedings. For an offence to be committed the publication must give rise to a substantial risk that the course of justice in the proceedings in question will be seriously impeded or prejudiced. I am not convinced that would be the case, but, nonetheless, I was surprised to see a police force effectively being reported as saying that  naming someone only charged with an offence gives rise to “shame” (it does nothing of the sort, of course, given the legal maxim of “innocent until proven guilty”). So I asked the Sussex Police twitter account

Are you really running a policy of “shaming” people by naming them prior to a trial?

to which they replied

We are not “shaming” anyone. We are naming those charged with a drink-related driving offence as we do for a range of offences

That was fair enough, (although one might ask Chief Inspector Moloney why an innocent person would heed a warning that police were looking for drink- drivers) but, as it appeared that this “naming-not-shaming” initiative had been launched in conjunction with the media, I wondered if they would be asking the Herald to correct its misleading article. Sussex Police replied

The campaign doesn’t aim to ‘shame’, but rather to deter & the article does not attribute the phrase to us

but this is simply not true: the article may not directly attribute the phrase to the police, but it does so indirectly

Police have said this year they are ‘naming and shaming’…

I have had no response yet to my further tweet pointing this out.

So, in a week when contempt via social media is very much in the headlines, we appear to have an online newspaper report which suggests there is shame attached to being charged with an offence, and which attributes this phrase to a police force, who seem unconcerned about correcting it. Odd.

For the avoidance of doubt, I should say that I have no sympathy whatsoever with people convicted of drink driving offences, but, to suggest there is “shame” in being charged with an offence prior to trial, is to go against centuries of presumption of innocence.

4 Comments

Filed under human rights, journalism, police, social media

ICO must disclose Motorman journalists’ names

The ICO has been ordered to disclose the names of some of the journalists referred to in “What Price Privacy” as having engaged the services of rogue private investigator Steve Whittamore

In April 2006 the Information Commissioner’s Office (ICO) published “What Price Privacy?” on what it described as “the unlawful trade in personal information”. The report revealed

evidence of systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information

Those breaches were potential criminal offences under section 55 of the Data Protection Act 1998 (DPA), and the report – which drew on the findings of documentation seized during Operation Motorman, arising from the activities of private investigator Steve Whittamore, said

Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers

In December 2006 the six-month follow-up report “What Price Privacy Now?” was published. This gave further details about the 305 journalists mentioned in the first report, and broke the data down into “Publication”, “Number of transactions positively identified” and “Number of journalists/clients using the services”.

And of course, this trade in personal information formed the basis of the first module (“The relationship between the press and the public and looks at phone-hacking and other potentially illegal behaviour”) of part one of Lord Justice (as he was then) Leveson’s inquiry into the culture, practices and ethics of the press.

In 2011 a request was made under the Freedom of Information Act 2000 (FOIA) to the ICO, for (1) “the number of transactions per journalist of each of the 305 identified journalists for each of the 32 identified publications” and (2) the journalists’ identities. The first request was refused by the ICO, on the basis that it would require a search through 17000 documents, and, therefore, section 12 of FOIA provided a statutory cost limit which meant it did not have to comply. Having been given these apparent facts the requester dropped his first request, but pursued the second. This was also refused, on the basis that the information was exempt under section 40(2) and section 44 of FOIA (the latter by virtue of the statutory bar on disclosure at section 59 of the Data Protection Act 1998 (DPA)), in both cases because disclosure would be an unfair and unlawful disclosure of personal data of the journalists involved.

Because the ICO is the regulator of FOIA, a complaint about its handling of a FOIA request falls to be determined by the same office (a statutory arrangement which was to be described as an “unusual, and unsatisfactory, feature” of the law by the First-tier Tribunal (Information Rights) (FTT)). Accordingly, the office (describing itself as “the Commissioner”, as distinct from the “ICO”, which was the authority refusing the request) issued a Decision Notice which held that

the ICO correctly withheld the information by virtue of section 40(2). He has also found that the information could also be correctly withheld by virtue of section 44(1)

This decision was appealed to the FTT, which has today, after what has clearly been complex and strongly argued litigation, handed down three judgments (1, 2, 3) (two of which were preliminary or interim rulings, publication of which has been held back until now) which are, taken together, extraordinary, both for their criticism of the ICO, and for the outcome.

Taken as a whole the judgments find that, regarding some of the journalists named in the information held by the ICO, the balance of the public interest in receiving the information outweighs the legitimate interest of an individual to protect his or her privacy.

The FTT found that the information wasn’t sensitive personal data (which is afforded a greater level of protection by the DPA). This is at first blush rather surprising: section 2(2) of the DPA provides that sensitive data will be, inter alia, “data consisting of information as to…the commission or alleged commission by [the data subject] of any offence”. However, the FTT found that, although the information

does contain evidence that the investigator [Whittamore] engaged by the journalist committed, or contemplated committing, criminal activity. And, self-evidently, it discloses that the investigator received some form of instruction from the journalist. But there is no suggestion…that the journalist had instructed the investigator to use unlawful methods or that he or she had turned a blind eye to their adoption or, indeed, whether he or she had in fact expressly forbidden the investigator from doing anything that was not strictly legal [para 11 of third ruling]

The FTT had also invited submissions from the parties on the significance to the instant case of some of the passages from the Leveson inquiry, and, having received them, took note from those passages of

the issues of impropriety (which, while very possibly not involving criminality on journalists’ part, is nevertheless serious) and corporate governance in the context of the privacy rights of the [journalists]. We believe that, together, they give rise to a very substantial interest in the public knowing the identities of those who instructed the investigators [para 18 of third ruling]

But also tending towards favouring disclosure in the public interest was Leveson’s suggested criticisms of the ICO

We also give some weight to the public interest in knowing more about the information which was in the possession of the ICO and which the Leveson Report suggested it failed adequately to pursue [para 18 of third ruling]

The FTT noted the interests of the journalists, for instance that they would have had an expectation that details of their day-to-day professional activities would remain confidential, and that the Commissioner had argued that

publication of information indicating that they had engaged the services of the investigators concerned would be so unfair as to outweigh the factors in favour of disclosure [para 19 of third ruling]

but the FTT also noted, in effect, that the journalists involved must have had some idea of what was going on when they engaged Whittamore

it must have been well known within the profession what types of information could be obtained with the help of investigators, even if the means of obtaining it were not fully understood. The rights of individuals under data protection laws would also have been widely known at the time. In those circumstances those engaging the particular services…should have known that they ran the risk of becoming involved in behaviour that fell short of acceptable standards. This seriously dilutes the weight to be attributed to their privacy rights and leads us to conclude that the balance tips in favour of disclosure [para 19 of third ruling]

Accordingly, and, unless there is an appeal (Iwould be surprised if there isn’t) the names of some of the journalists who engaged Whittamore must be disclosed.

Other matters – criticism of ICO

In its preliminary ruling (November 2012) the FTT makes some trenchant criticism of the ICO’s handling of the requester’s first request (even though, as the requester did not pursue it, it was outwith the FTT’s jurisdiction). The refusal on costs grounds had been made, based upon a statement that the information requested had not been recorded in a database. Yet less than two months later the Leveson inquiry began, and, at that inquiry, evidence presented by the ICO effectively, in the FTT’s view, contradicted this statement

 we do not understand how the Appellant could have been given such a misleading response to the First Information Request…as a result of the misleading information given to the Appellant, he was not able to pursue his request…We only became aware of the ICO’s error after the Appellant drew our attention to the evidence presented to the Leveson Inquiry regarding the Spreadsheets. We assume (and certainly hope) that those in the Commissioner’s office handling this appeal had not become aware sooner [para 28 of first ruling]

The ICO clearly did not take well to this criticism, because the second interim ruling records that

the Commissioner has complained about part of the decision which he believes includes unfair criticism of his office and has asked us to correct the impression given [para 3 of second ruling]

but the FTT stood firm, saying

We continue to believe that our criticism was justified. The Appellant was told that he was wrong to assume that any database of information existed that could be interrogated…However, it is now known that the ICO held the Spreadsheets at the time…[and although the information in them] may not have provided the Appellant with precisely the information he requested, but it would have come close. Against that background we believe that the ICO was open to criticism for asserting, without further qualification, that it would be necessary to search through the 17,000 documents in order to respond to the request. [para 6 of second ruling]

5 Comments

Filed under Confidentiality, Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Leveson, Privacy

THIS is the purpose of subject access requests

In a recent blogpost the rather excellent Bilal Ghafoor (who goes by the handle of “FOIKid”, although I note he’s now extended this to “FOI (and DP) Kid”, evidently having rather belatedly discovered the joys of data protection) asked “What is the purpose of subject access requests?“. He drew attention to the potential discord between approaches by the Information Commissioner and by the courts (in cases such as Durant  v Financial Services Authority [2003] EWCA Civ 1746) to such requests (made under section 7 of the Data Protection Act 1998 (DPA)).

In a comment on that post I argued that the Court of Appeal in Durant was perhaps not as out-of-step with, at least, the EC data protection Directive 95/46/EC as is sometimes thought

it’s important to note that the Court of Appeal were keen to stress the fact that the Act gives effect to the Directive, and that the Directive and its recitals have a “primary objective” to “protect individuals’ fundamental rights, notably the right to privacy and accuracy of their personal data held by others…

This particular primary objective is illustrated quite starkly by the news from the Press Gazette that comedian/journalist Mark Thomas discovered, through submitting a subject access request, that his name is on a “domestic extremist database”:

police held a file of seven pages containing more than 60 individual items of intelligence…”a bizarre list of events monitored by the police, lectures given, panels attended, even petitions I have supported…the police have monitored public interest investigations in my case since 1999″

Thomas says he is taking legal action to have his name removed. This will be an interesting case if it reaches court, joining a line of cases where people try to effect removal of records from police systems.

What is also interesting though is that Thomas, and the National Union of Journalists (NUJ), are encouraging journalists to submit subject access requests to the police. As Thomas says

I know of other NUJ members on the database….Which is why I am asking NUJ members to take action. If your work brings you into contact with the police whether covering riots or climate camp, from Plebgate to the NSA, then the police could have you on their database

and the NUJ general secretary Michelle Stanistreet adds

we want as many other members as possible to find out what information the Met is holding

In answer to Bilal’s question, then, I think that this – the investigation of how an arm of the UK state monitors and records the activities of the free press – is a vitally important example of what the purpose is of subject access requests.

1 Comment

Filed under Data Protection, police, Privacy, surveillance