Month: November 2010

Application of the first data protection principle

Posted on | by Edward Capewell

Ms Alison Ince worked in a further education institute in Northern Ireland. She was dismissed from her employment in June 1999 and, from around 2002, had alleged on a number of occasions that her managers had been engaged in a fairly widespread fraud against the public purse in 1997. These allegations were investigated first by the Department for Education and Learning (DEL), and then by the Police Service of Northern Ireland. No criminal or disciplinary charges were brought and the investigation was not taken any further. Ms Ince had also raised the matter with her local MLA, with the chairman of the public accounts committee in Westminster and before an Industrial Tribunal (as they are still called in Northern Ireland). The IT held that there were no grounds for finding that any fraud had been committed.

Ms Ince was not satisfied with this finding. In October 2007 she made a request for information from the DEL with respect to her allegations of fraud at the institute. The information she sought included the transcripts of certain interviews held with other employees during the fraud investigation by the DEL. DEL provided some of the information, but withheld the transcripts pursuant to the personal data exemption in section 40(2) FOIA. The Information Commissioner agreed with DEL’s reliance on the exemption.

The Information Tribunal in Ince v Information Commissioner (EA/2010/0089) agreed – for the most part – with the Commissioner’s decision. Save in respect of one of the transcripts – that belonging to a friend of Ms Ince who gave evidence at a late stage in the hearing in which he consented to disclosure – the Tribunal found that it would not be fair for DEL to disclose the information and that disclosure would therefore breach the first data protection principle. Ms Ince had made four contentions in respect of the information:

(i)                  That because it related to the individual’s employment for a public sector organisation it related to their public, not private life;

(ii)                That no harm or distress would have been caused to the individuals by disclosure of the transcripts;

(iii)               That the interviewees’ objections to disclosure were outweighed by other considerations; and

(iv)              That the interviewees did not have a reasonable expectation of privacy in respect of the transcripts

The Tribunal disagreed on all counts. As to (i), following the reasoning in Corporate Officer of the House of Commons v IC and Baker it unanimously rejected the notion that anything said or done by a public sector employee was public information and could therefore be disclosed. It found by a majority that “the disputed information in the case related to the individual’s employment but was not information so directly connected with their public role that its disclosure would automatically be fair”. As to (ii), the Tribunal found that harm or distress would be caused by disclosure generally, and would also be caused by Ms Ince’s own ‘disproportionate’ method of pursuing her allegations –  which included threatening to bring private prosecutions for fraud against certain individuals. The Tribunal further considered that the Commissioner had given appropriate weight to the interviewees’ clearly expressed objections, and that they also had a reasonable expectation of privacy in respect of the transcripts. There was moreover no common law public interest in disclosure – fraud in the education sector generally was obviously of legitimate concern, but would not be helped by disclosure of the information sought by Ms Ince.

ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION

Posted on | by Robin Hopkins

The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

 “… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing: 

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.

Digital Economy Act to be judicially reviewed for compliance with EU privacy law

Posted on | by Julian Wilson

Internet Service Providers Talk Talk and Virgin were today granted permission by the High Court for a judicial review of whether the Digital Economy Act 2010 complies with existing EU legislation on data protection and privacy. For more on their application, see Julian Wilson’s earlier post: Privacy of internet users, internet file-sharing and copyright: the present “Wild West” and the Digital Economy Act 2010

EC COMMISSION PROPOSES STRENGTHENING EU DATA PROTECTION LEGISLATION

Posted on | by Anya Proops KC

On 4 November 2010, the European Commission published a communication in which it set out its vision for the future of EU data protection legislation. The communication makes clear that the Commission is intending to propose new legislation in 2011. You can find the communication here. Notable points emerging from the communication include that the Commission is considering:

       introducing a ‘general principle of transparent processing’ aimed at ensuring that data controllers are more transparent as to how they are processing personal data;

 

       whether the definition of sensitive personal data should be expanded so that it includes for example genetic data;

 

       clarifying and strengthening the rules on consent so that it will be clearer when a data subject can be taken to have consented to processing of his or her personal data;

 

       extending powers of enforcement to civil society associations as well as other associations representing the interests of data subjects;

 

       strengthening existing sanctions for non-compliance, including providing explicitly for criminal sanctions in the case of serious violations;

 

       requiring data controllers to appoint independent data protection officers (subject to a recognition of the need not to overburden small enterprises);

 

       requiring data controllers to carry out data protection impact assessments in certain cases; and

 

       imposing new rules designed to strengthen, clarify and harmonise the status and powers of national data protection authorities.

ELECTORAL COMMISSION’S INVESTIGATION INTO UNLAWFUL POLITICAL DONATIONS: PERSONAL AND NON-PERSONAL DATA

Posted on | by Robin Hopkins

Wendy Alexander MSP became leader of the Labour Party group in the Scottish Parliament in September 2007. In the course of her leadership election campaign, someone in her team recorded a donation of £950 as coming from a domestically-based company, whereas it in fact came (unlawfully) from an overseas-based individual. The Electoral Commission investigated two potential criminal offences that arose under the Political Parties, Elections and Referendums Act 2000. In February 2008, it issued what the Information Tribunal described as a “meagre statement”. It said that there was insufficient evidence of an offence under section 61 (knowingly facilitating, concealing or disguising an impermissible donation), but it acknowledged – implicitly – that an offence under section 56(3) (failure to return an impermissible donation within 30 days). Nonetheless, the case was not referred to the Procurator Fiscal. Many were dissatisfied with the investigation.

 

The requester in this case sought further information. Answers to a number of his questions were withheld. The Tribunal in Ferguson v IC and The Electoral Commission (EA/2010/0085) has today handed down a decision which is notable both for its commentary on the interaction between personal data and the inherent publicity of political life, and for a number of distinctions it draws between types of information which, at first glance, may appear to be personal.

 

Broadly, there were two types of question in dispute. One type sought the names of those who provided the Electoral Commission with answers to certain questions. Applying Durant, the Tribunal held that this was not personal data. Even if it were personal data, a Schedule 2 condition would be met, and the processing would be lawful and fair because there was no indication that interviewees had an expectation of confidentiality. The Tribunal emphasised that fairness does involve a balance of competing interests. Section 30(1) was engaged, but the public interest favoured disclosure. Here the Tribunal rejected the submission that disclosure would undermine voluntary co-operation with the Electoral Commission’s investigations: “politicians and their supporters have strong incentives to co-operate with the Commission”.

 

The second type was about who had misrecorded the donation and why. This was held to be sensitive personal data. The Tribunal cautioned against generalising about FOIA being purpose-blind: an applicant’s identity and motives may sometimes shed light on the public interests involved, and on whether conditions from Schedules 2 and 3 are met. In this case, however, a Schedule 3 condition was not met: the Tribunal was not persuaded that, at the relevant time, the answers the appellant sought were necessary for him to obtain legal advice on a possible application for judicial review of the Electoral Commission.

 

The Tribunal remarked that the appellant would have had a “strongly arguable case” under condition 6(1) of Schedule 2, and made a number of observations on fairness. It commented that “politics is an inherently public activity. The extent and manner of compliance with the rules should be expected to be subject to public scrutiny”. The Tribunal did, however, distinguish between the section 56 offence (implicit finding of guilt) and the section 61 offence (explicit finding of insufficient evidence). Disclosure concerning the former would not be unfair: Ms Alexander “would be well able to say in mitigation anything that she wished by making public statements, as any serious politician would”. Disclosure concerning the latter would be unfair: it “would risk placing the data subjects under a cloud of suspicion, in circumstances where there might be no definitive termination of speculation and where, as a result, undue distress would be likely to ensue”.

 

GOOGLE ESCAPES FINE OVER STREET VIEW CARS, BUT MUST SIGN UNDERTAKING

Posted on | by Robin Hopkins

Google used cars equipped with cameras to gather material for its much-publicised Street View feature. The material was not confined to photographs, but also included data by which wi-fi hotspots could be located. Earlier in 2010, the ICO investigated this ‘payload data’. It concluded that the information it had inspected was not personal data, in that it could not be linked to identifiable individuals. The ICO stated, however, that it would continue to work with its international counterparts, such as the Canadian authorities, in investigating Google. This co-operation has now shown the payload data to include URLs, passwords and email details.

 

The ICO today announced that:

 

“The Commissioner has concluded that there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their wi-fi mapping exercise in the UK. He has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken. The Commissioner has rejected calls for a monetary penalty to be imposed but is well placed to take further regulatory action if the undertaking is not fully complied with”.

 

This follows the ICO’s press release on Monday, in which it commented that:

 

“It is also important to note that none of the regulators currently investigating Google Street View have taken direct enforcement action at this stage, with the US investigation led by the US Federal Trade Commission for example ruling out direct action, although mirroring our own concern that this data was allowed to be collected by an organisation who showed such disregard for international data protection legislation. This week the Metropolitan Police have also closed their case believing it would not be appropriate to pursue a criminal case against Google under the Regulation of Investigatory Powers Act (RIPA). Whilst we continue to work with our other international counterparts on this issue we will not be panicked into a knee jerk response to an alarmist agenda.”

 

The latter press release also explained the ICO is “keen to discuss with MPs and Ministers how we can further defend privacy on the internet as technologies and applications develop”. In this regard, the Guardian reports today that culture minister Ed Vaizey is proposing a new internet code of conduct and a mediation mechanism to resolve complaints by individuals against data controllers. He is reportedly meeting with the ICO today to discuss these matters. Watch this space.