Judicially Reviewing the Information Rights Tribunal

The Supreme Court today handed down its long-awaited (at least by some) judgment in R (Cart) v The Upper Tribunal [2011] UKSC 28. The case concerns the circumstances in which the ordinary courts will entertain an application to judicially review a decision of the First-Tier or Upper Tribunals. Although the case did not directly involve a challenge to the Information Rights division of the Tribunals, the judgment is of general application.

The Upper Tribunal is a “superior court of record” by virtue of section 3(5) of the Tribunals, Courts and Enforcement Act 2007. Under section 13, there is a right of appeal to the Court of Appeal from the Upper Tribunal, subject to permission being granted by either body, unless the decision falls within the category of excluded decisions. The most generally relevant excluded decision is a refusal of permission to appeal from the First-Tier Tribunal to the Upper Tribunal by the Upper Tribunal. Where permission is refused that is, in the eyes of the 2007 Act structure, the end of the line. Unless one can judicially review the decision to refuse permission.

The Divisional Court roundly rejected the argument that the designation of the Upper Tribunal as a superior court of record rendered it immune from judicial review ([2009] EWHC 3052 (Admin); [2010] 2 WLR 1012) and the absolutist position was not resurrected on appeal. The Court of Appeal agreed with the Divisional Court that judicial review should be available only in circumscribed cases ([2010] EWCA Civ 859; [2011] 2 WLR 36). The Supreme Court unanimously dismissed the appeal, but for different reasons.

The leading judgment of the Supreme Court was given by Lady Hale, with whom the rest of their Lordships more or less completely agreed, albeit in their own words. Rejecting the application of an unrestricted judical review jurisdiction over all decisions in the Tribunal structure, and the application of an exceptional circumstances test limited to an excess of jurisdiction and denial of fundamental justice, the Court settled on a more easily described approach. Where an application is made for judicial review of a Tribunal decision the High Court should apply the second appeals criteria, namely that (a) the proposed case would raise some important point of principle or practice, or (b) there is some other compelling reason for the court to hear the case.

It was considered by Lady Hale and the other members of the Court that this test was a proportionate and rational restriction on the availability of judicial review which nonetheless recognised the importance of correcting errors in the Tribunal’s case load. The exceptionality test would have been too narrow, and applying judicial review without limitation would have lead to the courts being swamped with applications in respect of a system designed to make the process easier, quicker and cheaper (especially in the light of its application to immigration and asylum cases).

Interestingly, there were a number of comments from Lady Hale, Lord Phillips, Lord Clarke and Lord Dyson to the effect that the situation would be made clearer by an amendment to the CPR remove the potential four stages of judicial review permission applications in these quasi-second appeal cases. Whether the Rules Committee is paying attention remains to be seen.

The upshot of the decision in Cart is that if the Upper Tribunal refuses permission to appeal to it, that decision can be judicially reviewed, but only on the restrictive second appeals criteria. The tenor of the judgments as a whole do not provide much appetite for leave to be readily granted, and in both cases under appeal the Supreme Court roundly rejected their compliance with the second appeal test.

For those reading north of the border, the Supreme Court applied the same approach to the Tribunal structure in Scotland in Eba v Advocate General for Scotland [2011] UKSC 29.

PERSONAL DATA: CRUCIAL POINTS FROM THE ‘ABORTION STATISTICS’ CASE

Judgment in Department of Health v IC [2011] EWHC 1430 (Admin) – the ‘abortion statistics’ appeal – was handed down on 20 April this year. Cranston J’s judgment has now been made available. The following salient points from that judgment may be of use to those interested in the concept and extent of ‘personal data’ under s. 40 FOIA and the DPA – especially when looking at the grey area of statistics or other anonymous data which is rooted in or derived from other data which is more overtly personal. The judgment is also essential reading for anyone grappling with the application of the leading House of Lords decision on this subject, Common Services Agency v Scottish Information Commissioner [2008] UKHL47, [2008] 1 WLR 1550 (‘CSA’). (‘Grappling’ is probably apt: even Cranston J conceded that “it would be wrong to pretend that the interpretation of the CSA case is an easy matter”).

Briefly by way of background: the Department refused a request for detailed statistics on the number of late-term abortions carried out on prescribed grounds. It relied on s. 40 FOIA, basing its case on the risk that, given the ‘low cell counts’ in these categories, the relevant patients and/or doctors might be identified by those sufficiently motivated to do so. The Commissioner found that these statistics were not personal data. The Information Tribunal agreed with the Department that they did constitute personal data, but was not satisfied that s. 40 was effective, as there was insufficient risk of identification.

On the Department’s appeal to the High Court, Cranston J agreed with the Commissioner that these statistics are not personal data.

One route to that conclusion was that advocated by the Commissioner, namely to adopt the approach of Baroness Hale in CSA: anonymised statistics remain personal data and therefore subject to the protection of the DPA in the hands of the data controller (who possesses the underlying data from which individuals could be identified) but not in the hands of the general public (who do not). This approach commended itself to the Upper Tribunal in the recent case of All Parliamentary Group on Extraordinary Rendition v Information Commissioner [2011] UKUT 153 AAC (on which, see my post here).

Cranston J, however, rejected that route, as it was the reasoning of Lord Hope rather than Baroness Hale in CSA which had attracted the majority’s support in that case. Lord Hope’s approach can be paraphrased as follows. The definition of personal data under s. 1 DPA provides for two means of identification: either from the data itself (inapplicable in the case of anonymous statistics) or from “from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. Lord Hope’s approach to situations such as this is to ask: does the ‘other information’ (if provided to the hypothetical member of the public) add anything to the statistics which would enable them to identify the underlying individuals? If the answer is no, the statistics are not personal data. The underlined words are important: if identification can be achieved from the ‘other information’ in isolation (rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data. The statistics in this case failed Lord Hope’s test, and were thus not personal data.

Cranston J’s conclusion was that the Tribunal had been correct to conclude that the data was ‘truly anonymised’ – but it had erred in treating this as personal data which had been truly anonymised. The Department contended that, because it held the underlying identification data, the abortion statistics remained personal data in all circumstances. Cranston J rejected this submission, stating that:

“If that were the case, any publication would amount to the processing of sensitive personal data…  Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them.  That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics”.

In going on to dismiss the Department’s other grounds of appeal, Cranston J made a number of other points of general application. For example, in rejecting the criticism that the Tribunal had failed adequately to engage with the Department’s expert evidence, Cranston J said this:

“To begin, the issue before the Tribunal was one of assessment: the likelihood that a living individual could be identified from the statistics.  That was in my judgment only partly a question of statistical expertise, as regards matters such as the sensitivity of the data.  Partly, also, it was a matter of assessing a range of every day factors, such as the likelihood that particular groups, such as campaigners, and the press, will seek out information of identity and the types of other information, already in the public domain, which could inform the search.  These are factors which the Tribunal was in as good a position to evaluate as the statistical experts, a point which one of the Department of Health’s experts conceded.  The analysis also applies to the evidence of senior civil servants.”

As regards the Department’s contentions that conditions from Schedules 2 and 3 of the DPA were not met, their points were “wounding” to the Tribunal’s judgment, but not “fatal”, in light of the evidence at the Tribunal hearing. Finally, Cranston J described the Department’s argument based on Article 8 ECHR as “very much a jury argument”.

Interestingly, on the same day as judgment was given in this case, the High Court (Kenneth Parker J) gave judgment in R (BT & Anor) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin)  – BT’s unsuccessful application for judicial review of the Digital Economy Act 2010 (on which, see my piece here). One of the grounds of challenge was alleged non-compliance with the Data Protection Directive. In that judgment, IP addresses (anonymous strings of numbers linked to internet subscribers’ accounts) were treated as personal data even in the hands of copyright owners who possessed only those IP addresses. This was by application of the definition of personal data under the Directive: here copyright owners were deemed likely to come into possession of the underlying personal data when taking legal action against the individual internet subscribers who downloaded content in breach of copyright. This conclusion was reached independently of the Lord Hope test. Note, however, that it seems from the judgment that this question – are IP addresses always personal data or not – was not argued in full before Kenneth Parker J. There is talk of a potential appeal, so the application of these principles to IP addresses might be considered in the courts again before too long.

Robin Hopkins

PERSONAL DATA, REPEAT AND VEXATIOUS REQUESTS AND INVESTIGATIONS

In Jeffery Lampert v IC and Financial Services Authority EA/2010/0203, the appellant was involved in a long running dispute with a bank, which had called on his guarantee of a loan and commenced bankruptcy proceedings against him. His MP had raised the matter with the FSA and the appellant believed that this had led to at least one investigation of the bank. The appellant subsequently made a freedom of information request for information held by the FSA recording the outcome of investigations into the bank about the matter and the calculation of the bank’s loss. The Information Commissioner found that any information falling within the scope of the request was the appllant’s personal data and therefore absolutely exempt from disclosure under FOIA. The First-Tier Tribunal found that:

  • there had been no investigation by the FSA of the bank and there was no document in existence which contained a calculation of the bank’s loss;
  • any information falling within the scope of the request would not have been the appellant’s personal data; applying Durantthe Commissioner was wrong to decide, in effect, that, merely because the information requested arose from the appellant’s complaints, it all constituted his personal data;
  • the FSA was entitled to rely on section 14(1) FOIA, in that this was a repeat request and a reasonable interval had not elapsed since the previous substantially similar request; and, further
  • there was ample material from which it could be found that the appellant’s request was vexatious.

In Public Prosecution Service for Northern Ireland v IC and John Collins EA/2010/0109, Mr Collins requested the PPS documentation (excluding names and addresses) relating to a particular criminal damage case. It was not in dispute that section 30(1) FOIA was engaged and the only issue for the First-Tier Tribunal was whether the public interest in maintaining the exemption outweighed the public interest in disclosure. The Tribunal accepted that it had to take into account the need for prosecutors to have a safe space in which to decide whether or not a case met the threshold for pursuing a prosecution, without fear of frank assessments being publicised after the event. Eroding this safe space would undermine the independence of prosecution authorities, compromise the quality of decision making, potentially deter witnesses from co-operating and undermine (without good reason) public confidence in those authorities. The Tribunal held that these factors attracted very substantial weight. The Tribunal found, having considered the disputed information, that there was no reason to suspect that the prosecuting authority had made substantial mistakes in this case. The public interest in maintaining the exemption therefore clearly outweighed the public interest in disclosure.

COOKIE MONSTER

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26 May 2011 and amend the Privacy and Electronic Communications (EC Directive) Regulations 2003, which cover direct marketing by electronic means and the use of cookies.  

The amendments give the Information Commissioner new powers to  serve a monetary penalty on an organisation when very serious breaches of the 2003 Regulations occur and to investigate breaches of the 2003 Regulations by obtaining information from certain third party organisations.

They also introduce an additional requirement where a website uses ‘cookies’, which are small files of letters and numbers downloaded on to a device when the user accesses certain websites, which allow the website to recognise the device. Except where a ‘cookie’ is strictly necessary, websites will now have to obtain the consent of the user or subscriber before ‘cookies’ can be placed on machines.  The Information Commissioner has published guidance on the change to the rules. Organisations have 12 months from 26 May 2011 to make sure they comply with the new rules.  

The Information Commissioner has issued this statement about how he intends to approach enforcing the new rules and using the new powers.