New subject access code published by ICO

Yesterday I posted about a new and important High Court judgment on the application of the subject access regime. As it happens, yesterday was also the day on which the Information Commissioner published his new ‘Subject Access Code of Practice’. This is an important document which requires careful consideration by anyone working in the DPA field. Points which are particularly worthy of note include the following:

  • subject access a ‘fundamental right’ – The Commissioner identifies the data subject’s right to access his or her personal data as a ‘fundamental right’ (p. 7). However, interestingly the code does not examine in any detail why this is such an important right. Instead, it simply says: ‘Enabling individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is fundamental to good information-handling practice. The Data Protection Act 1998 (DPA) gives individuals the right to require you to do this.’  (p. 5). However, it is important that data controllers understand why the subject access right is such a fundamental right. The answer to this question lies very clearly in the recitals to the EU Directive from which the DPA is derived, Data Protection Directive 95/46/EC. Those recitals make clear that the underlying objective of the data protection regime is to ensure that personal data is handled in a way that properly protects the privacy of data subjects. The subject access regime is designed to support the privacy rights of individuals by ensuring that they are, in effect, able to monitor how data controllers are processing their data.

 

  • requests made by social media – applicants are entitled in principle to make subject access requests via the data controller’s Facebook page, its Twitter account or any other social media sites to which it subscribes, although the Commissioner accepts that this may not be the most effective way to deliver a request in a form which will enable the data controller to respond to it easily and quickly (p. 10).

 

  • a child’s right of access – Data about a child belongs to that child, rather than to any parent or guardian. It is therefore the child who enjoys the right of access to their data, albeit that that right may be exercised on their behalf by their parent or guardian. A variety of considerations come into play when a data controller is asked to respond to a request made by a child directly (p. 11).

 

  • purpose of the request not a relevant consideration at the stage when requests are being responded to – The Commissioner continues to take the position that an applicant’s purpose or motive in making a subject access request does not affect the request’s validity or the data controller’s duty to respond to it (p. 20). This is an important consideration because very often subject access requests are not made for the purpose of ensuring that a data controller is processing the data subject’s data in a manner which safeguards their privacy but rather in order to afford a data subject an advantage in litigation which they are conducting, usually against the data controller. It should be noted that the Commissioner’s position on this issue has yet to be tested by the High Court or any appellate court (cf. the Southern Pacific Personal Loans case I blogged about yesterday and compare the conclusion reached by the Court of Appeal in Abadir, which you can read about here). See further the discussion of the Commissioner’s enforcement powers below.

 

  • scope of the data controller’s search obligations – A key consideration for data controllers when they are responding to subject access requests is how far they have to go when searching their complex, multi-layered information systems for potentially relevant data. The Commissioner has now made clear that considerations of reasonableness and proportionality can properly come into play as and when a data controller is considering how to discharge its search obligations. Thus, the code states that, whilst there are ‘no express limits’ on the search obligation provided for under the DPA, data controllers are: ‘not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information’. That said, the code goes on to attenuate the effect of this conclusion by stating that: data controllers should still ‘be prepared to make extensive efforts to find and retrieve the requested information’; any decision as to the scope of the data controller’s search obligations should take into account the fundamental nature of the right afforded under s. 7 and, further, requests cannot be refused simply because they are ‘labour-intensive or inconvenient’ (p. 22). This analysis will give little comfort to small and medium sized businesses where wide-ranging subject access requests may have commercially crippling effects.

 

  • Commissioner’s enforcement functions – The code alludes to the Commissioner’s power to issue an enforcement notice in cases where a data controller has failed to comply with its obligations under the subject access provisions. It makes clear that: a notice will not necessarily be served ‘simply because an organisation has failed to comply with the subject access provisions’; the Commissioner will consider whether the failure is likely to cause or has caused the data subject to suffer damage or distress (as per the requirements of s. 40(2) DPA); whilst he can serve a notice in the absence of  damage or distress, ‘it must be reasonable, in all the circumstances, for him to do so’; and importantly ‘he will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access’ (p. 53).

 

  • Importantly, the code goes on to allude to the fact that, where an applicant seeks to enforce their subject access rights by going to the court under s. 7(9) DPA, the court may treat the application as an abuse of process if the request has been made against a backdrop of litigation and as a means of accessing information which ought properly to be dealt with through the disclosure process. However, somewhat unhelpfully the code is entirely unclear on whether the Commissioner would regard this as a relevant consideration in the context of the discharge of his statutory enforcement functions. Instead, it simply refers the reader back to the point made in chapter 9 of the code that requests cannot be refused based on the purpose for which they were made (p. 59). Of course, from the data controller’s point of view, it would obviously be entirely unsatisfactory if there were to be an asymmetry in the enforcement regime, with a data subject being able to get a better result if they seek enforcement from the Commissioner under s. 40 as opposed to the result they would get if they went to court under s. 7(9). Query whether the Commissioner ought in the circumstances to be striving to achieve an approach to enforcement which is aligned with the approach adopted by the courts.

Anya Proops

Subject access – important new high court judgment

It is a strange feature of the DPA subject access regime that, despite having extremely far reaching legal effects, to date it has only rarely been the subject of judicial analysis. This is in no small part because the costs of bringing disputes over the application of the legislation before the courts are generally prohibitive. As readers of this blog will know, there have been some fairly recent county court judgments which have considered the application of the regime (see in particular the posts on the judgments in Elliott and Abadir here and here). However, jurisprudence emanating from the High Court has been decidedly thin on the ground. Today however the High Court has handed down an important judgment on the application of the regime: In the Matter of the Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Admin). Readers will want to note in particular that part of the judgment where the court considered the relevance of the applicant’s purpose or motive in making a subject access request (SAR) – as discussed below.

The background to the case is somewhat unusual. In summary, a company which is a member of the Lehman Brothers group of companies, Southern Pacific Loans Limited (C), had gone into voluntary liquidation. Prior to the liquidation proceedings, C had been in the business of offering loans to customers, secured by means of a second mortgage on the customer’s property. C had used a third party company (A) to process data relating to certain of the loans and indeed A continues today to hold data relating to tens of thousands of redeemed loans (“the data”). C had received and was continuing to receive numerous subject access requests in respect of the data. The requests had principally been made by claims handling companies which were using the SARs as a device to obtain data relevant to claims which might potentially be brought by C’s customers. In effect therefore the data was being sought in order to advance the customers’ position in the context of prospective litigation rather than for the purposes of ensuring that the customers’ privacy was being properly protected in the context of the processing of their data by C. The cost to C of dealing with the requests was very substantial, averaging at least £40,000 per month (or £455 per request). The liquidators were concerned that a continuation of such costs would potentially have a material impact on the distribution of funds to creditors of C in the liquidation. In a sense this raised the question of whether the rights of data subjects under the DPA could trump those of creditors in a liquidation. The liquidators, seeking to protect the position of the creditors, made an application to the court for declaratory relief which would have the effect of: (a) enabling further subject access requests to be refused and, further, (b) enabling the liquidators to dispose of the data, which were no longer required by C for business purposes.

The following important points emerge from the ratio of the judgment of David Richards J:

  • liquidators cannot themselves be regarded as ‘data controllers’ in respect of data processed by a company in liquidation. This is because liquidators do not act as ‘principals’ in respect of the data but rather as ‘agents’ acting on behalf of the company in liquidation. This is the case irrespective of whether liquidators are acting in the context of voluntary or compulsory liquidations. Thus, liquidators are not personally responsible for ensuring compliance with s. 7 DPA (paras. 17-35)

 

  • so far as the disposal of data is concerned, regard should be had to the fifth data protection principle which obliges data controllers to ensure that data is not processed longer than is necessary for the purposes for which it was processed. Looked at from a DPA perspective, this meant data should be ‘disposed of as soon as possible’ (para. 39). The question was therefore whether there were any legal requirements which, in the present case, acted as impediments on the disposal of the data. There were two impediments potentially in play in the present case:

 

  • first, data could not be disposed of if retention of that data was required in order to enable C to fulfil its statutory subject access obligations in respect of extant SARs (s. 8(6) DPA)

 

  • second, data could not be disposed of if retention of that data was necessary in order for the liquidators to be able to discharge properly their statutory duties as liquidators. In the present case, that meant that particular data could not be disposed of if retention of the data was required in order to deal with claims which may be lodged against C.

Importantly, however: ‘The liquidators are not under a duty to retain data so that it can remain available to be mined by former customers or claims handling companies with a view to making claims against third parties’ (para. 40). The liquidators were at liberty to dispose of all the data, subject to the two qualifications outlined above (para. 41).

The court also made a number of obiter comments which are particularly worthy of note:

  • data subjects are not entitled to use the SAR to demand disclosure of documents. Their entitlements extend merely to data rather than to documents (para. 43). (This is of course an important consideration as and when applicants are using the SAR regime to obtain advantages in litigation against the data controller or a third party)

 

  •  properly understood, the Court of Appeal’s judgment in Durant v Financial Services Authority is not authority for the proposition that requests under s. 7 DPA may be refused by the data controller if they are being made for the purposes of furthering the data subject’s position in litigation, as opposed to protecting their privacy. The question of whether SARs could lawfully be refused in these circumstances was a question for another day. However, following Durant, the question of the applicant’s purpose was a factor which was relevant to the exercise of the court’s discretion in the context of an application for enforcement made by the applicant under s. 7(9) DPA (para. 46). This last point will come as some relief to the data controller who is facing a heavily litigation-preoccupied data subject.

The court expressly declined to consider the question of the impact of s. 8(2) DPA (the ‘disproportionate effort’ provision). Thus, it did not examine the question previously considered in Ezsias v Welsh Ministers as to whether data controllers can lawfully limit their searches for personal data by reference to what is reasonable and proportionate in all the circumstances (paras. 47-49).

11KBW’s Robin Hopkins acted for the Information Commissioner.

Anya Proops

Enhanced criminal records certificates – teachers on trial

The theory that there is no smoke without fire is one which often looms large where teachers are accused of sexual offences against pupils. Even in the face of a decision by the CPS that there is insufficient evidence to proceed with a prosecution or an acquittal following a criminal trial, a teacher who has been accused of sexual offences may find it hard to escape the tainting effects of the allegations. Of course, a critically important issue for the teacher in question is whether the allegations will ultimately find their way into any enhanced criminal record certificate (ECRC). This is an issue which has been considered by the High Court in two recent cases.

In the first, R (L) v Chief Constable of Cumbria Constabulary [2013] EWHC 869 (Admin), L, a teacher, had been accused of having improperly propositioned and hugged an 18 year old pupil whilst at a pub. L had denied the allegations and no criminal prosecution had ultimately been mounted. The High Court held that inclusion in the ECRC of information relating to the allegations was unlawful as it constituted a disproportionate and hence unjustified interference with L’s Article 8 rights (see further Rachel Kamm’s more detailed post on this judgment here).

This week, the High Court has given judgment in the case of RK v (1) Chief Constable of South Yorkshire (2) Disclosure and Barring Service [2013] EWHC 1555 (Admin). RK had previously been acquitted of six counts of indecent assault and sexual activity with a child (in essence it was alleged that RK had repeatedly touched the bottoms of teenage girls in his care). Nine years later RK sought disclosure of a draft ECRC from the Constabulary. The draft included information about the allegations and referred to them as ‘offenses’. RK sought a judicial review of the draft certificate.

In a fairly damning judgment, Coulson J held that inclusion of this information was unlawful as constituting a breach of RK’s Article 8 rights. Fundamental to the court’s judgment was the conclusion that the Constabulary had impermissibly treated the allegations as if they had been proven, notwithstanding the fact that RK had been acquitted. Indeed the court lamented the ‘unblinking equation’ of the unproven allegations with the so-called sexual offences (para. 61). Whilst the judgment makes clear that an acquittal does not automatically bar the police from referencing the original allegations in the ECRC (see para. 37), it does confirm that an acquittal is likely to be an important factor weighing heavily in the balance when it comes to determining whether or not a particular disclosure should be made. On the facts of the case before him, Coulson J found that inclusion of information about the allegations relating to RK was unlawful having regard to: the fact of the acquittal; the fact that, even if proven, the incidents would not have been particularly grave or serious; and, further, the fact that there were aspects of the prosecution case which raised serious questions about the reliability of the information.

Critically the judgments in both L and RK highlight the dangers attendant on the police unthinkingly substituting their own view of an individual’s guilt or innocence in the face of an acquittal by the criminal courts or other important evidence raising questions about the reliability of the information in issue.

Anya Proops

Camden squatters case – back in the first-tier tribunal

Last year I blogged about a decision of the Upper Tribunal in the vacant properties case, Voyias v IC & Camden LBC, where the Upper Tribunal overturned the decision of the First Tier Tribunal (FTT) in favour of Mr Voyias and remitted the case to a differently constituted FTT (see my post here). The FTT’s decision on the remitted case has just been handed down – see the decision here. The issue which the FTT had to decide upon remission was whether Camden LBC (the Council) had correctly concluded that it was entitled to refuse to disclose to Mr Voyias information identifying vacant properties in its area on the ground that the requested information was exempt from disclosure under s. 31(1)(a) FOIA (the prevention and detection of crime exemption). The particular issues the FTT had to decide were: (a) whether the requested information engaged the exemption provided for under s. 31(1)(a) and (b) whether the public interest balance weighed in favour of the exemption being maintained. In a decision which was very robustly in favour of the Council, the FTT held that the requested information had been lawfully withheld. This decision is in stark contrast with the decision reached by the original FTT which upheld Mr Voyias’ appeal in respect of the Council’s refusal.

In deciding that the requested information was lawfully withheld, the FTT was plainly mindful of the guidance given by the Upper Tribunal that, when determining whether the public interest balance weighed in favour of maintaining the s. 31(1)(a) exemption, regard should be had, not merely to the direct adverse consequences of the disclosure but also to any indirect consequences which arose as ‘realistic possibilities’. Ultimately, the FTT concluded that ‘the small weight that the public interest in disclosure bears does not come close to equalling the public interest in preventing the categories of crime we have identified in this decision’ (§55). Thus, a very strong decision in favour of the Council. No doubt the former Housing Minister, Grant Shapps MP, who scathingly described the original FTT decision as a ‘squatters’ charter’, will be substantially relieved by the new decision.

11KBW’s Ben Hooper was for the Council and Chris Knight was for the Commissioner.

Anya Proops

Enhanced criminal records certificates and the right to make representations

Last week I blogged about an important High Court judgment concerning the legality of the Government’s Child Sex Offender Disclosure Scheme: X (South Yorkshire) v Secretary of State for the Home Department. In that judgment, the court held that, in order to be lawful, the scheme would need to build in a requirement that, in general, registered sex offenders be given an opportunity to make representations prior to the disclosure of their data to third parties. It is worth noting that the approach adopted in X chimes very closely with the approach adopted in a case concerning enhanced CRB checks which was decided on 18 October 2012: R (on the application of J) v Chief Constable of Devon & Cornwall [2012] EWHC 2996 (Admin).

The case of J involved a nurse who objected to the fact that information had been recorded in her enhanced criminal record certificate (ECRC) without her knowledge. The information concerned allegations which had been made against J in connection with incidents in which she had apparently been heavy handling elderly patients. J claimed that the information, which was contained within the ‘certain other information’ section of the certificate, was partial and did not give a complete picture of the circumstances surrounding the incidents in question. She claimed that inclusion of the information in the ECRC, which had been provided to J’s prospective employers, was disproportionate and constituted an unlawful interference with her right to privacy under Article 8. The court agreed. The court went on to make clear that the decision-making process relating to the ECRC had in any event been fatally flawed as a result of the fact that J had not been given an opportunity to make representations about the information prior to its inclusion in the certificate.

What we see emerging from both X and J is a re-affirmation of the importance of the principle of natural justice in the context of the disclosures of information about individuals which are designed in principle to protect vulnerable third parties against the risk of harm.

Anya Proops

Disclosure of sex offender information – new high court judgment

The High Court has today handed down an important judgment on the legality of the Government’s Child Sex Offender Disclosure Scheme (CSOD): X (South Yorkshire) v Secretary of State for the Home Department [2012] EWHC 2954 (Admin). CSOD is a non-statutory scheme which police forces nationally have been free to adopt since 2010. It enables members of the public to ask the police to provide details of a person who has some form of contact with children with a view to ascertaining whether that person has convictions for sexual offences against children or whether there is other relevant information about him or her which ought to be made available.

X is a registered child sex offender. In February 2011, South Yorkshire Police contacted X and informed him that it had adopted CSOD and that its adoption might affect him. X went on to mount a judicial review challenge to the guidance under which CSOD had been constituted (the guidance). The challenge was brought on two separate grounds. First, it was argued that the guidance did not adequately recognise the imperative for police forces to consult with individual sex offenders prior to disclosing information about them under CSOD. Second, it was argued that because, in its opening paragraphs, the guidance provided that there was a presumption in favour of disclosure, the guidance did not properly reflect the need for a balancing exercise to be conducted prior to any decision to disclose being taken.

On the first of these issues, the High Court, presided over by the QB President and Hickinbottom J, accepted that the guidance did not sufficiently reflect the need to consult with individual sex offenders prior to effecting disclosure. In particular, the court held that:

‘In the light of the considerations we have set out, it follows, in our judgment, that the CSOD Guidance ought to have set out a requirement that the decision maker consider, in the case of any person about whom disclosure might be made, whether that person be asked if he wishes to make representations. In the generality of cases without that person being afforded such an opportunity, the decision maker might not have all the information necessary to conduct the balancing exercise which he is required to perform justly and fairly. Whilst each case will turn on its own facts, it is difficult to foresee cases where it would be inappropriate to seek representations, unless there was an emergency or seeking the representations might itself put the child at risk’ (§41)

On the second issue, the court held that, notwithstanding the allusion to a ‘presumption’ in favour of disclosure in its opening paragraphs, the guidance did properly incorporate a requirement that the police undertake a balancing exercise which took into account both the rights of the sex offender not to have the information disclosed and the need to protect individual children from harm. The court held that the regime embodied in the guidance properly complied with the approach which was approved in R v Chief Constable of North Wales ex p Thorpe [1999] QB 396.

The judgment is interesting and important not least because it suggests that the current legal regime governing the disclosure of information relating to sex offenders is still far removed from a ‘Megan’s law’ US-style approach to disclosure. Thus, in contrast with Megan’s law, where the general public are allowed access to details of convicted sex offenders living in a particular area, sex offenders in this country retain a right to privacy in respect of information relating to their offences, albeit that that right may lawfully be interfered with on a case by case basis. 11KBW’s Jason Coppel appeared on behalf of the Home Secretary.

Anya Proops