Malnick: section 36 reasonableness and the functus ICO

March 5th, 2018 by Robin Hopkins

The Upper Tribunal’s most recent judgment – IC v Malnick and ACOBA (GIA/447/2017) – is a rare thing these days: a binding decision that makes a meaningful and general (rather than fact-specific) contribution to FOIA jurisprudence. In particular, it tells us (1) how to assess the reasonableness of a qualified person’s opinion for section 36 FOIA purposes, and (2) whether the FTT can remit a case to the ICO for a fresh decision if it allows an appeal. Read more »


Remembering the Right to be Forgotten

February 21st, 2018 by Christopher Knight

It all seems a long time ago that the CJEU handed down its judgment in Google Spain and inculcated the right to be forgotten doesn’t it? Commentators – including here and here – opined with varying degrees of wailing and gnashing of teeth about the implications of it, and how endless litigation was anticipated. But there hasn’t been all that much. The lion has been sleeping so far.  Read more »


Procuring GDPR Compliance

February 21st, 2018 by Christopher Knight

Only the most selective readers working in the legal sector (and no readers of this blog) can have failed to hear something about the impending changes to data protection law, the most significant in 20 years. From 25 May 2018, the new General Data Protection Regulation (“GDPR”) will take effect across the EU. The equivalent directive applicable to data protection in the law enforcement context will take effect on 6 May. Both are to be implemented and given effect in domestic law by the Data Protection Act 2018, which is currently making its way through Parliament and will replace the Data Protection Act 1998.

There will be few contracts for the provision of procured services which will not involve the supplier engaging in some processing of personal data, be that of end-user customers or of employees of the procuring public body. All public contracts ought to contain some treatment of data protection issues, which outline the allocation of responsibilities between the parties and the standards required of the supplier. Read more »


Hiscox cleared of offences under s. 56 DPA 1998

February 20th, 2018 by Anya Proops QC

It appears from recent media reports that a prosecution brought by the ICO against Hiscox under s. 56 DPA 1998 collapsed last week after the ICO’s key prosecution witness fell ill. – see the FT’s coverage here and the report in Insurance Age here. The prosecution was apparently brought under s. 56 DPA(2) which makes it an offence for goods or service providers to make the provision of goods or services conditional upon the supply of convictions/cautions data. The background to the case is that it was alleged that Hiscox had required one of its policy holders, Mr Irfan Hussain, to supply convictions data about himself in the context of a claim made by Mr Hussain under his insurance policy over the loss of a £30,000 Swiss watch. Read more »


New FOIA Public Authorities

February 20th, 2018 by Christopher Knight

As a result of the Freedom of Information (Additional Public Authorities) Order 2018 (SI 2018/173), a series of new public authorities have been added to Schedule 1 of FOIA from 1 May 2018. Read more »


Data protection in the Court of Appeal & the right to be forgotten

January 31st, 2018 by Anya Proops QC

For all those of you who are currently wading through the quagmire of GDPR compliance and are pining for some diverting news, you might like to note that the Court of Appeal will be hearing a number of important data protection appeals over the course of this year. They include appeals in the following cases:

  • DB v General Medical Council (application of mixed data provisions in s. 7 DPA) – due to be heard in March 2018,
  • TLT v Home Office (accidental online disclosure of information relating to asylum seekers) – due to be heard in April 2018 – (note, the appeal does not address the quantum of the awards made in that case but instead focuses on the question of whether compensation ought in principle to have been awarded to individuals who were not referred to by name in the disclosed spreadsheet but who were nonetheless affected by the disclosure);
  • Stunt v Associated Newspapers (challenge to the stay mechanism under s. 32 DPA) – due to be heard in June 2018 and, last but most certainly not least,
  • Various Claimants v WM Morrison Supermarket PLC (group litigation data breach case) – due to be heard by the Court of Appeal before the end of 2018.

Read more »