June 17th, 2009 by Anya Proops
Yesterday, the High Court handed down an important judgment on the application of the law of privacy to anonymous bloggers. The case involved a detective constable, Mr Horton, whose anonymous blog, ‘Night Jack’, gave a behind-the-scenes insight into modern policing. The prize-winning blog attracted a huge following. When a journalist at the time discovered Mr Horton’s identity by carrying out his own detective work, Mr Horton sought and was granted an injunction restraining the Times from revealing his identity. However, that injunction was lifted in a judgment handed down on 16 June 2009 by Eady J: The Author of a Blog v Times Newspapers Ltd  EWHC 1358 (QB).
The central issue in the case was whether the developing law of privacy entitled Mr Horton to retain anonymity in respect of the blog. Eady J held that the injunction should be lifted because Mr Horton had failed to demonstrate that there was a legally enforceable right to maintain anonymity in respect of his identity. In reaching this conclusion, Eady J applied a two stage test: first, he considered whether Mr Horton had established that he had a reasonable expectation of privacy in respect of his blogging activities; second, he considered whether, if there was a reasonable expectation of privacy, that expectation was nonetheless overridden by the public interest in disclosure. Eady J found that Mr Horton lost on the first limb of the test because the essentially public nature of his blogging activity meant that, judged objectively, Mr Horton could not reasonably expect that his identity would be treated as private information. Having decided the case against Mr Horton on this basis, Eady J nonetheless went on to consider the public interest arguments. With respect to those arguments, he held that there was in any event an overwhelming public interest in disclosure of the information. This was the case particularly given the public interest in revealing that the person making critical and politically controversial comments about the force through the blog was himself a particular serving police officer. In reaching these conclusions, Eady J rejected arguments to the effect that the injunction should be maintained given the risk that disclosure of his identity would increase the risk that Mr Horton would face disciplinary action.
June 16th, 2009 by Anya Proops
The Tribunal has recently handed down a decision in which it reached a number of important conclusions on the application of s. 32 FOIA (the courts records exemption) – Dominic Kennedy v IC & Charity Commissioners (EA/2008/0083). The appeal was concerned with a request which had been made to the Charity Commissioners for disclosure of information as to its inquiry into ‘the Mariam Appeal’. The appeal had been set up by George Galloway MP and its purposes were stated to include providing medical support to the Iraqi people. The Charity Commissioners refused disclosure of the requested information on the basis that it amounted to a court record and, hence, was absolutely exempt from disclosure under s. 32 FOIA.
The first issue which the Tribunal was called upon to determine was whether the word ‘document’ as it appears in s. 32 included electronic documents or merely hard copy documents. This was an issue in the appeal because, in contrast with all other exemptions, s. 32 focuses on information contained in ‘documents’. The Tribunal decided that the word ‘documents’ as it appears in s. 32 should be given an expansive interpretation so as to include both electronic documents and hard copy documents, not least because this is the result which Parliament must plainly have intended in enacting s. 32 (paras. 58-60). The Tribunal also held that s. 32 can apply, not merely to records relating to on-going inquiries, but also to inquiries that are closed (paras. 86-92).
In the course of its decision, the Tribunal accepted that it was giving s. 32 ‘a very wide scope’, which contrasted with the approach taken by the Tribunals to other exemptions in FOIA. However, it concluded that this was the required result given the need to respect the autonomy of the courts and those bodies which conduct statutory inquiries and arbitrations (para. 92).
The Tribunal went on to find that the general implications of its findings were that
a) If after a court decision or an inquiry closes then anyone can ask for the leave of the court or person conducting the inquiry for documents and the judge or authority can consider this but outside the realms of FOIA. Courts have rules for this and government inquiries also envisage similar rules. Therefore we would recommend that the Charity Commission considers adopting such rules; and
b) If documents are provided by other public authorities then a person can always make an FOIA request to them and they would not be able to rely on s.32(2)’ (para. 95)
The approach adopted by the Tribunal was consistent with the approach adopted in the earlier case of Szucs v Information Commissioner (EA/2007/0075). 11KBW’s Clive Sheldon appeared on behalf of the Commissioner in Kennedy.
June 16th, 2009 by Anya Proops
The Information Tribunal has recently handed down a decision in which it upheld the Commissioner’s conclusion that information as to judges’ serious misconduct was exempt from disclosure under the personal data exemption provided for under s. 40(2)(c) FOIA – Guardian Newspapers v IC (EA/2008/0084). The decision is interesting not least because it highlights the Tribunal’s continuing reluctance to treat personal data concerning disciplinary matters as being disclosable under FOIA (see further on this point the earlier cases of Waugh v IC & Doncaster College (EA/2007/0060) and Roger Salmon v IC & King’s College (EA/2007/0135)). Notably, the Tribunal also held that the information in question was exempt under s. 31(1)(c) FOIA (administration of justice exemption).
The central issue in the appeal was whether disclosure of the information would contravene the first data protection principle (DPP1) contained in Schedule 1 to the Data Protection Act 1998 (DPA) and, hence, render the information absolutely exempt from disclosure under s. 40(2)(c) FOIA. The Tribunal held that DPP1 would be contravened. In reaching this conclusion, the Tribunal took into account in particular the facts that:
· the DPA contained an exclusion which prevented judicial office holders themselves gaining access to data which revealed assessments of their ‘suitability to hold judicial office’ and it would be an odd result if third parties could access such data under FOIA but the data subjects themselves could not (para. 91);
· some of the information would amount to sensitive personal data which would require that one of the stringent conditions contained in Schedule 3 be met in order for the disclosure to be in accordance with DPP1 (para. 92);
· some information was already in the public domain as to the fact and scope of reprimands or serious actions (para. 93);
· the judges themselves would have a reasonable expectation that their disciplinary record would be kept confidential (para. 96);
· there would a risk that judges would suffer great distress if the information were to be disclosed and, further, that their future authority and their future employment prospects would be jeopardised (para. 97).
In addition the Tribunal held that s. 31(1)(c) FOIA was engaged in respect of the information and that the public interest weighed in favour of maintaining that exemption. In reaching this conclusion, the Tribunal took into account in particular the fact that, in its view, disclosure of the information would undermine a judge’s authority while carrying out his or her judicial function and would otherwise disrupt the judicial process by encouraging legal representatives to seek adjournments by reason of alleged concerns about the judge’s good standing (para. 106). 11KBW’s Karen Steyn appeared on behalf of the Ministry of Justice.
June 10th, 2009 by Anya Proops
The House of Lords has today handed down an important judgment on the rights of individuals who are subject to control orders (“controlees”) to access information which has been relied upon by the Home Office as justifying the imposition of the orders – Secretary of State for the Home Department v AF & Ors  UKHL 28. The judgment was concerned, in particular, with whether the process by which the courts supervise the application of control orders under section 3(10) of the Prevention of Terrorism Act 2005 was compliant with the controlee’s rights under Article 5(4) (right to take proceedings to determine lawfulness of detention) and Article 6 (right to a fair trial). That judicial supervision process had historically operated so as to a create a situation where the Secretary of State could put before the court information relating to the imposition of the control order but the controlee would not himself be able to access that information. The justification for operating the process in this way was that there would be cases where disclosing the particular information to the controlee would itself be contrary to the public interest, particularly by reason of the risks to national security posed by the disclosure.
The House of Lords has now held that denying the controlee access to information which is relied upon by the Secretary of State in the context of the section 3(10) process is incompatible with the controlee’s rights under Article 5(4) and 6. In reaching this conclusion, the House of Lords clearly considered themselves to be bound by a recent judgment of the ECtHR in A and Others v United Kingdom (Application No 3455/05 – cf. the earlier judgment of the House of Lords in Secretary of State for the Home Department v MB and AF  UKHL 46;  AC 440 which was decided before the A case). The result of their Lordship’s judgment is that section 3(10) must now be read down so as to produce a result whereby controlees are entitled to access information relied upon by the Secretary of State in the course of the judicial process. In light of the judgment, there must be serious questions as to whether the control orders regime can continue to operate, at least in its existing form. 11KBW’s Cecilia Ivimy appeared on behalf of the Secretary of State for the Home Office. Michael Supperstone QC appeared as a Special Advocate.
June 5th, 2009 by Timothy Pitt-Payne QC
The importance of ensuring the security of personal data has been highlighted in a recent press release from the ICO dated 4 June 2009. The ICO has found Salford Royal NHS Foundation Trust in breach of the Data Protection Act, after a desktop computer containing sensitive personal information relating to around 3,500 patients was stolen. Although the computer was password protected, it was not encrypted or secured to a desk.
A formal undertaking has been signed by the Trust. It will ensure that: appropriate security measures are in place to restrict access to areas where personal information is stored; desktop computers are secured to desks to prevent easy removal; any personal data required to be held on a portable device is suitably encrypted; and personal details are not retained on any computer for longer than is required.
Mick Gorrill, Assistant Information Commissioner at the ICO, emphasised that the worrying trend of personal data losses must be rectified. He said:
“I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients do not fall into the wrong hands.”
Many thanks to Andrew Smith, currently a pupil at 11KBW, for preparing a first draft of this post.
June 5th, 2009 by Timothy Pitt-Payne QC
The Information Commissioner’s Office has today announced the latest version of the Privacy Impact Assessment Handbook. As the title indicates, its purpose is to help organisations to identify and address the privacy risks of their activities.
Following the HMRC data breach in November 2007, the Cabinet Office introduced a requiring for all central Government departments and their agencies to conduct Privacy Impact Assessments (PIAs) when developing new systems. The ICO encourages all organisations to incorporate data protection safeguards into any new project involving personal information.
The handbook is in two parts: Part I (the first two chapters) gives an overview of the PIA process, with detailed information about privacy, common risks, and possible solutions; Part II then gives a practical guide to conducing a PIA. There are also four appendices, with examples of screening questions, checklist templates, and privacy strategies.
The handbook should help organisations to make reasoned judgments about the privacy implications of new projects or technological innovations. Some of the recommendations may overlap with privacy work already being done by organisations. A PIA does not have to be conducted as a totally separate exercise; indeed, it may be helpful to look at privacy issues in a broader policy context.
Many thanks to Andrew Smith, currently a pupil at 11KBW, for researching this post and preparing a first draft.