December 2011 – Panopticon

GOOGLE

Posted on 20th December 2011 | by James Goudie KC

Tugendhat J ended in his Judgment on 19 December 2011 in AB v Barristers Benevolent Association Ltd [2011] EWHC 3413 (QB) by saying: “This judgment may alert practitioners to the possibility that information stored on a cache by Google may take several days to have removed”.

The BBA provides support to barristers in many different circumstances, including by way of loans. AB is a barrister who sought a loan from the BBA about six or seven years ago. On 5 December 2011 it was brought to her attention that confidential correspondence between herself and the BBA was available on the internet. She conducted a search through Google and found the information herself.

On 6 and 7 December 2011 the judge on out of hours duty granted an injunction without notice to the BBA. The injunction was discharged because an injunction against the BBA was unnecessary. There was no dispute that the documents in question contained confidential information, and that its confidentiality should be preserved.

On 5 December AB had contacted the BBA. The official she spoke to was already aware of the problem. The BBA assured AB that the BBA’s IT consultant was addressing the issue as a matter of urgency.

The information remained accessible on Google throughout 6 December. The IT consultant said he was doing everything he could. He explained that the problem lay with Google, and that it might take some time for all their servers to be synchronised so as to remove the information from the caches. He explained he had been calling Google offices all over the world to try to get action, without success.

What had happened to give rise to this affair was explained by the IT consultant in a witness statement. In 2005 or 2006 his firm had been asked by the BBA to assist in removing data from one hard drive to a new one. The process was carried out by copying data to a temporary file, which should have been deleted, but was not. It was retained inadvertently on a server. At the time that did no harm, because the server was not publicly available. However a technical change by the firm’s broadband supplier O2 led to the server becoming available to Google to pick up the data without the firm knowing that that was happening.

On Friday 2 December 2011 the BBA became aware that the information was available through Google. The BBA immediately contacted the IT consultant and asked him to deal with it as a matter of extreme urgency. The IT consultant’s firm identified what had happened. He removed the source of information from its server and disconnected the server from the internet. All the data that had been inadvertently stored was deleted. He then contacted Google via the webmaster tools requesting the removal of the material from the Google cache. This is where the problem arose.

On 5 and 6 December the IT consultant made numerous further attempts to contact Google to have the information removed from the caches as a matter of urgency. According to his evidence, and the e-mails that he has exhibited, he could not have expressed himself more forcefully, or more urgently, but he received no prompt response from Google. It was not until 10 pm on Tuesday 6 December that he found some files had been removed by Google.

On the morning of 7 December the IT consultant discovered that there was still information that had not been removed from the caches. He contacted Google again on more than one occasion. It was not until Friday 9 December that Google had fully complied with his request to remove the information in its entirety.

Courting Disclosure under Section 32

Posted on 17th December 2011 | by Christopher Knight

The Institute of Chartered Accountants (“ICA”) has a policy of seeking the Certificate of Conviction of any of its members who have been found guilty of an offence which may relate to their appropriateness to act as a chartered accountant. However, the Courts Service (“HMCTS”) refused to confirm or deny holding an individual’s Certificate under section 32 FOIA because it was a document created by the court for the purpose of proceedings. A Certificate of Conviction is currently governed by section 73 of the Police and Criminal Evidence Act 1984, but has existed since the mid-nineteenth century. It acts as conclusive proof of conviction.

In ICAEW v IC & Ministry of Justice (EA/2011/0148, judgment of 8 December 2011) the Tribunal upheld the Commissioner’s decision notice that the HMCTS was not required to confirm or deny holding the information. The Tribunal followed the decision of the Court of Appeal in Kennedy v IC [2011] EWCA Civ 367 that the protection of section 32 was ongoing after the conclusion of proceedings, and that it could not logically matter whether the court created the document before or after the verdict because it was for the purpose of the proceedings. The ICA’s attempt to construe “proceedings” as excluding the issuing of a Certificate of Conviction was said to be “narrow and artificial” by the Tribunal: at [42].

The Tribunal also reiterated the section 32 jurisprudence that the purpose of the exemption is to ensure that the court can regulate access to its own files. Access to court records can be sought under the Civil Procedure Rules, but the Criminal Procedure Rules do not provide for access to a Certificate and the Tribunal considered this to be very relevant. A Certificate is not itself publicly accessible, even if the information it contains may be reported publicy elsewhere. (Section 32 being an absolute exemption, this fact provided the ICA with no assistance.)

There is not a large amount of case law on the application of section 32 – and my involvement on behalf of the Commissioner precludes analysis of the Tribunal’s judgment – but the ICAEW case does provide some helpful reiteration of the purpose and scope of the absolute exemption, stressing that access to court records is very much a matter for that court and is not to be circumvented by FOIA.

Christopher Knight

PRIVATE EMAILS AND TEXTS SUBJECT TO FOIA

Posted on 15th December 2011 | by Robin Hopkins

Following the emergence earlier this year that Department for Education officials had, apparently routinely, used personal email accounts for the conducting of official business, the ICO has considered this issue. It has today issued guidance that many FOI officers and lawyers will find notable, to say the least.

The key points:

FOIA applies to official information held in private email accounts when held on behalf of the public authority. So too text messages. This much is obvious from the definition of ‘held’ in s. 3 of FOIA. The question is exactly what this means, and what to do about it.
There will be occasions on which, having searched its own systems, the public authority will be expected to ask employees (or contractors etc) to search their personal email accounts/text messages for information described in a FOIA request.
The ICO expects such occasions to be ‘rare’. I think this means that the ICO will not expect the public authority to do so simply because a requester asks it to; something more will be required.
What is that ‘something more’? The ICO recommends public authorities look out for ‘relevant factors’ which may trigger the duty to ask.
These factors include the nature, wording and subject matter of the request.
They also include “how the issues to which the request relates have been handled within the public authority”. This may be another way of asking: is the public authority aware that this sort of thing has been going on?
Another relevant factor is “by whom and to whom the information was sent and in what capacity, e.g. public servant or political party member”. This is often a blurred line, one imagines. Not sure how this could be scrutinised (other than hacking into private systems, which is not nice, not fashionable and not legal).
Public authorities should establish procedures for dealing with such situations.
They should keep records of any private email account/text message searches they have requested.
Public authorities should remind staff that, where a request for information to which the requester would be entitled has been made, it is a criminal offence to erase or conceal that information with the intention of preventing disclosure (see s. 77 of FOIA).
‘Concealment’ would include denying that anything of an ‘official capacity’ nature is (or, at the time of the request, was) in one’s private email inbox or text message folder.
Public authorities should tell their employees not to use private channels for official business in the first place.

Panopticon understands from some of its friends in the media that requests aiming at exactly this sort of information were fired off this morning (or earlier this week, in anticipation of the new ICO line).

Meanwhile, a decision on the complaint against the Department for Education is in the pipeline.

Panopticon will be keeping its Benthamite eye on how these matters unfold.

Robin Hopkins

THE INFORMATION COMMISSIONER’S ROLE UNDER THE DPA

Posted on 13th December 2011 | by Rachel Kamm

An interesting issue about the scope of the DPA arose in The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB). The Law Society and a number of firms of solicitors sought an injunction requiring the Defendant, the publisher of the “Solicitors from Hell” website, to cease publication of the website in its entirety and to restrain him from publishing any similar website. The causes of action relied upon were libel, harassment under the Protection from Harassment Act 1997 and breach of the Data Protection Act 1998.

The Defendant was the data controller of personal data, including sensitive personal data (for example, allegations made by a third party on the Defendant’s website about the alleged commission of an offence by a solicitor). Mr Justice Tugendhat did not mince his words in finding that the Defendant was in breach of the DPA:

“In breach of the First Data Protection Principle the Defendant has not processed the personal data of the solicitors and other individuals named on the Website fairly and lawfully. The Defendant has processed the said personal data in a grossly unfair and unlawful way by, in particular, (a) publishing highly offensive defamatory allegations about these solicitors and other individuals on the Website; (b) pursuing a course of conduct against these solicitors and other individuals that amounts to harassment contrary to the PHA; (c) on numerous occasions refusing to remove the posting about a solicitor or other individual unless the Defendant is paid a fee. This is not permitted by law and is disreputable. (d) None of the conditions in Schedule 2 of the DPA 1998 is met by the Defendant in respect of the processing of the said personal data on the Website.

…In breach of the Fourth Data Protection Principle the personal and sensitive personal data about solicitors and other individuals processed by the Defendant and published on the Website is not accurate, indeed it is usually seriously inaccurate. The Claimants rely upon the following, amongst other matters: (a) The wholly inaccurate and untrue allegations processed and published by the Defendant via the Website about the Third Claimant; (b) The Schedule of Complaints which sets out and describes how the personal data of solicitors and other individuals processed and published by the Defendant via the Website is inaccurate. (c) The Defendant’s failed attempts to justify defamatory allegations in the many cases brought against him for libel in respect of the defamatory publications on the Website as evidence of inaccurate information; in breach of the Sixth Data Protection Principle the Defendant did (and does) not process personal data of the solicitors and other individuals who are Individual Complainants in accordance with their rights, as he has failed to comply with the request made in the Complaints’ solicitor’s letter dated 12 August 2011.

…on 12 August 2011 the Claimants’ solicitor gave the Defendant formal notice under section 10(1) of the DPA that the individual complainants, who include the Third Claimant, required the Defendant to cease the processing of their personal data (i.e. to remove the offending material from the Website and destroy any copies retained elsewhere) as the processing of this data was (and continues) causing them unwarranted damage and distress. Additionally, the Claimants’ solicitor required the Defendant to agree not to process any data in the manner complained of in the future. As a result of the Defendant’s failure to comply with the Notice, he has breached the Sixth Data Protection Principle. The Defendant did not state that he considered the notice to be unjustified (as he could have done under section 10(3)(b) of the DPA).”

Not surprisingly, given these findings, Mr Justice Tugendhat concluded that the Third Claimant was entitled to an order under section 10(4), requiring the Defendant to comply with the Notice. He went on to comment on the scope of the DPA and the Information Commissioner’s powers. The background was that the Chief Executive of the Law Society had written to the Information Commissioner to complain about the website. The Information Commissioner had responded that the DPA was not designed to deal with this kind of case. The Commissioner considered that it was “not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this“. He relied on section 36 DPA, which provides that “Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the Data Protection principles under provisions of Parts II [rights of data subjects and others] and III [Notification by data controllers]”. The Commissioner also highlighted the practical difficulties of trying to use the DPA to regulate material posted on websites.

Mr Justice Tugendhat expressed considerable sympathy with the Commissioner’s comments about the practical difficulties in cases such as this. However, his starting point was that the offensive comments on the website in question were unlawful and that the DPA required that data be processed lawfully. He did not see how the exemption in section 36 DPA could apply in this case. Mr Justice Tugendhat commented that had the Defendant been publishing information in the public interest on his website, he could have relied on the exemption relating to journalism in section 32 DPA. Further, the fact that a claimant may have claims under common law torts or the Human Rights Act 1998, did not prevent enforcement under the DPA. He concluded by commenting that where there is any room for argument as to whether processing is unlawful under the general law, it may be more appropriate that a complainant should be required to pursue his remedy in the courts and further that there be many grounds on which the Commissioner may properly decline to exercise his powers under Part V DPA. However, where there is no room for argument that processing is unlawful, it was more difficult to say that the matter was not one which could be dealt with under Part V DPA. This ruling potentially has significant implications for the Commissioner in practice.

Rachel Kamm

REASONABLE OPINION OF A QUALIFIED PERSON: GUIDANCE FOR USERS

Posted on 6th December 2011 | by Robin Hopkins

In William Thackeray v IC (EA/2011/0069), the requester asked the Home Office for information it holds about Scientology. The resultant appeal to the Tribunal is the latest consideration of the FOIA exemptions for prejudice to the effective conduct of public affairs (s. 36) and legal professional privilege (s. 42). The appeal failed, and reliance on both these exemptions was upheld.

The s. 42 point was short: can litigation privilege be relied upon where judicial proceedings which have been formally instituted are subsequently withdrawn? Answer: yes. The established test with regard to the application of this kind of privilege is whether there is a reasonable prospect of litigation existing at the time of the creation of the document.

Thackeray is an important decision for its review of the general principles underpinning reliance on s. 36. Public authorities often run into difficulty in seeking to obtain the opinion of the qualified person (the precondition for engaging that exemption). Particular issues arise as to the timing of and basis for the QP’s opinion, i.e. when is the latest an opinion can be obtained, and what material must the QP consider if his or her opinion is to be reasonable?

The Tribunal in Thackeray considered these two issues. As to timing, it addressed this particular question: can the opinion of the QP be obtained after the statutory 20-day period for responding to a request, but before the conducting of the public authority’s internal review? In part, this is about whether an internal review is capable of remedying flaws in an original refusal notice. Here there was a refusal in June 2009, and the QP’s opinion was obtained in November 2009. The Appellant argued that this delay undermined the reasonableness of that opinion.

In answering that question, the Tribunal made the following general observations about the use of s. 36:

There is a strong argument for saying that the qualified person should be at or towards the very top level of accountability.
This responsibility cannot be delegated.
The precise role of the opinion is to state whether, in that person’s view, the prejudices under s. 36 are likely to arise from disclosure. An opinion is not about the public interest.
The Commissioner’s role is to assess that opinion for reasonableness, akin to a Wednesbury analysis in judicial review claims. The Commissioner can only reject the substance of the opinion if it was one that no reasonably qualified person would have taken.
The manner and timing of the obtaining of that opinion can be considered as part of that scrutiny of reasonableness.
To obtain the opinion ‘late’ (i.e. after the initial refusal) is not akin to ‘late reliance’ upon an exemption.
The provision of the opinion by the internal review stage is sufficient. The Tribunal endorsed the approach in McIntyre v IC and MoD (EA/2007/0061), where it was held that an opinion can suffice to engage s. 36 where it is reasonable in substance, even if it was arrived at in a flawed or unreasonable manner.

As to content (i.e. the question of what must be before the QP when he or she forms her opinion), the Tribunal considered whether the QP must give consideration to the application of that FOI exemption, and whether he or she must consider the actual disputed information before reaching their opinion. This arises particularly in relation to government ministers, who in practice often make such decisions based on submissions from civil servants, rather than on the basis of actual consideration of the underlying material for themselves.

Does such an approach undermine reliance on s. 36? No, said the Tribunal. Failure to inspect the disputed information will not without more render the opinion redundant or unreasonable. It is sufficient if it is shown that the qualified person’s opinion was based on a proper understanding of the disputed information. The civil service approach, and other such approaches to obtaining the opinion of a QP, survives intact.