STOLEN PRIVATE AND CONFIDENTIAL INFORMATION

November 30th, 2010 by James Goudie QC

In KJH v HGF [2010] EWHC 3064 (QB) Sharp J held that it was appropriate to continue an interim injunction and grant anonymity to protect the victim of blackmail which involved the threat of the revelation of stolen private and confidential information. The evidence established to a high degree of probability that H was the victim of blackmail involving the threat of the revelation of stolen private and confidential information. H was therefore likely to establish at trial that publication of the information should not be allowed. There had also been no waiver of H’s privacy rights and there was no public interest justification for the publication of the information. The privacy interests engaged and the claim in breach of confidence were strong. There was also a continuing risk that the private and confidential information stolen from H would be made public. Strong public policy considerations which justified the protection of the identity of victims of blackmail arose in criminal and civil proceedings: such persons should not be deterred from seeking the courts’ protection for fear that the information which the blackmailer had threatened to reveal would be exposed or that their identity as the victim of blackmail would be made known. A final determination of the matter had to await trial; granting anonymity at the interim stage served the interest of such an applicant in protecting his or her rights under ECHR Art 8 and the public interest in promoting the prevention and punishment of blackmail. As a result it had also been necessary to derogate from the principle of open justice by holding the hearing in private and to anonymise the names of H and F.

James Goudie QC

 

WATER UTILITY COMPANIES NOT ‘PUBLIC AUTHORITIES’ UNDER THE EIR

November 25th, 2010 by Anya Proops

The Upper Tribunal has this week handed down an important decision on the question of whether privatised water utility companies are ‘public authorities’ for the purpose of the Environmental Information Regulations 2004 (EIR): Smartsource v IC & 19 Water Companies (case no. GI/2458/2010). The background to the appeal was that Smartsource had submitted near identical requests for disclosure of information to some 19 water utility companies. It was not in dispute that the requests fell to be addressed under the EIR. The companies refused to provide the requested information on the basis that they were not ‘public authorities’ for the purposes of r. 2(2) EIR and, hence, were not subject to the disclosure obligations provided for in r. 5 EIR. The Commissioner rejected Smartsource’s complaint about the refusal on the basis that he accepted that the companies were not public authorities under r. 2(2). Smartsource appealed the Commissioner’s decision to the tribunal. The importance of the issues at stake in the case resulted in the appeal being transferred to the Upper Tribunal. The central issues which the Upper Tribunal was called upon to determine were as follows: (1) did the companies ‘carry out functions of public administration’ such that they fell within limb 2(2)(c) of the r. 2 definition of public authority; (2) alternatively, were they ‘under the control’ of a relevant public authority such that they fell within limb 2(2)(d) of the r. 2 definition.

With respect to the first issue, the Tribunal held that the companies did not carry out functions of public administration. It reached this conclusion applying a multifactorial approach akin to the approach adopted in the earlier cases of Network Rail v IC (EA/2006/0061) and Port of London Authority v IC & Hibbert (EA/2006/0083). Notably, the Tribunal rejected arguments advanced by Smartsource that the companies fell within limb 2(2)(d) of the definition because they: were appointed as statutory undertakers; were subject to a range of conditions imposed under statute; were subject to a comprehensive regulatory regime; were unable to choose their own customers or set their own prices; were obliged to provide a universal service; and would be subject to State intervention in the event that they failed. With respect to the second issue, the Tribunal held that the companies were not ‘under the control’ of a relevant public authority for the purposes of r. 2(2)(d). In reaching this conclusion, the Tribunal accepted arguments advanced on behalf of the Commissioner and the companies that: the concept of ‘control’ in this context meant something more than that the body in question was merely subject to a stringent regime of statutory regulation; the aim of r. 2(2)(d) was to capture State/Executive functions in all their various guises and not the activities of privatised companies of the sort which were in issue in the instant case.

Importantly, the Tribunal also rejected ‘hybridity’ arguments to the effect that a body can be a public authority under the EIR for some purposes but not for others. According to the Tribunal, the way in which r. 2 was formulated meant that the body either was or was not a public authority (cf. the approach adopted in Port of London v IC).

 

COMMISSIONER HANDS DOWN FIRST MONETARY PENALTIES FOR DPA BREACHES

November 24th, 2010 by Robin Hopkins

Up to now, the Commissioner has not exercised his powers under sections 55A-E of the Data Protection Act 1998 to impose monetary penalties on data controllers for breaches of the Act. Today, he imposed his first two financial penalties.

Hertfordshire County Council has been handed a penalty of £100,000 for twice sending faxes containing sensitive personal data to members of the public in error. The first fax, which is the subject of an injunction preventing further details being disclosed, was intended for a barrister but sent to a member of the public. The second fax, which concerned child protection matters, was intended for a County Court. The errors both occurred in June 2010, and were both reported to the Commissioner by the Council itself.

Secondly, the employment services company A4e has been fined £60,000 after an unencrypted laptop containing personal details of 24,000 users of community law centres was stolen from an employee’s home. This too was reported to the Commissioner by A4e itself.

 

THE FREEDOM OF INFORMATION (TIME FOR COMPLIANCE WITH REQUEST) REGULATIONS 2010

November 24th, 2010 by Rachel Kamm

These Regulations are made under FOIA and extend the time limit for Academies to respond to requests for information. The normal time limit for responding is twenty working days from the date of receipt of the request. However, where the information is requested from an Academy, any working day which is not a school day for that Academy is disregarded (subject to a long stop of sixty working days). These are the same timeframes as apply to schools covered by The Freedom of Information (Time for Compliance with Request) Regulations 2004 (S.I. 2004/3364) and The Freedom of Information (Time for Compliance with Request) Regulations 2009 (S.I. 2009/1369).

This post is also on 11KBW’s education blog: http://www.education11kbw.com/.

 

DISCLOSING DATA FOR PURPOSES OF MEDICAL RESEARCH – NEW ECHR JUDGMENT

November 23rd, 2010 by Anya Proops

Many readers of this blog will be familiar with the stringent protections which the Data Protection Act 1998 (DPA) affords in respect of personal health data (see further the definition of ‘sensitive personal data’ in s. 2 DPA). Thus, for example, if a data controller wishes to avoid contravening the first data protection principle (the fair and lawful processing principle) as and when it is processing health data, it must ensure that: (a) the particular processing is fair and lawful; (b) that it meets one of the conditions provided for in schedule 2 to the DPA and (c) that it meets one of the very narrowly drawn conditions provided for in schedule 3 to the DPA. If the processing is intended to serve the interests of medical research, the data controller will doubtless wish to look in particular at the condition provided for in paragraph 8 of schedule 3. That condition stipulates that the processing must be ‘necessary for medical purposes’ (which includes the purposes of medical research) and be undertaken either by ‘a health professional’ or ‘a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if the person were a health professional’. Of course, the principle which underpins this particular condition is that it is very much in the public interest that, subject to the test of necessity, health data be shared by medical researchers. A recent judgment of the European Court of Human Rights (ECHR) has highlighted the importance of this particular public interest: Gillberg v Sweden (application no. 41723/06).

In Gillberg, two researchers requested access to health data which had been accumulated by Professor Gillberg as part of a long-term project on hyperactivity and attention deficit disorders in children which he was running out of the University of Gothenburg in Sweden. The University refused access on the basis that assurances had been given to the parents of the children and later the children themselves concerning the confidentiality of the data. The researchers challenged the University’s decision relying on Sweden’s long-established and generous rules on access to official documents. The Swedish administrative court upheld the researchers’ claim and ordered that the University disclose the data to them, subject to the imposition of strict conditions on their handling and use of the data. In reaching the conclusion that the data should be disclosed to the researchers, the Swedish court took into account not least the public interest in ensuring the independent and critical evaluation of medical research in the important field of neuropsychiatry. The data was subsequently destroyed by certain of Professor Gillberg’s colleagues. Thereafter, Professor Gillberg was convicted of misuse of office by the Swedish Parliamentary Ombudsman. Having lost his appeals against conviction in the national courts, Professor Gillberg took his case to the ECHR claiming that the conviction breached his Article 8 and 10 rights, particularly in view of the assurances of confidentiality which he had given to the data subjects and their parents. The ECHR dismissed Professor Gillberg’s appeal. It found that, even if the conviction interfered with Professor Gillberg’s Article 8 right to privacy (i.e. his right to privacy in the context of his professional affairs), that interference was justified in the circumstances. It also found that there was no interference with Professor Gillberg’s Article 10 right to freedom of expression as he was convicted not for giving assurances of confidentiality but rather because he misused his office in response to the judgments of the court.

The ECHR’s judgment is interesting not least because it confirms that, at least for the purposes of human rights jurisprudence, the fact that promises of confidentiality have been given to individual patients/research subjects does not create an automatic bar on disclosures which may breach those promises, particularly where the disclosures serve important public interests such as the interests in protecting the integrity and progress of medical research. Query whether the same result would have obtained on an application of the principles embodied in the DPA, particularly in view of the relatively permissive approach to disclosures for the purposes of medical research contained in paragraph 8 of schedule 3.

 

ICO SIGNS UNDERTAKING WITH GOOGLE AND DEFENDS ITS STANCE

November 22nd, 2010 by Robin Hopkins

I reported in a recent post that the Information Commissioner had instructed Google to sign an undertaking aimed at preventing any repeat of the breaches of the Data Protection Act 1998 committed during Google’s information-gathering for its Street View feature. That undertaking has now been signed, and a copy can be viewed here. It requires Google engineers to maintain a “privacy design document” for each new Google project prior to launch. It provides for further training and data protection awareness for Google engineers and other employees. The undertaking also assures the deletion of all personal data which had been gathered unlawfully, and provides for the Commissioner to audit Google’s revamped data protection procedures nine months from now. Interestingly, the undertaking applies to Google’s global activities and not just its UK ones.

The ICO has come under fire for being soft on Google. The Commissioner, Christopher Graham, has defended his stance, including in an interview with the Daily Telegraph which can be found here. In that interview, the Commissioner remarks that “a lot of people out there want somebody – probably not me – to be the privacy tsar. But that’s not what the Information Commissioner is”. Recent indications suggest, however, that the ICO could potentially take on a “privacy tsar” role – see the recommendations from its recent surveillance report, summarised here.