Surveillance and RIPA: Radio 4 discussion

I took part in what will hopefully prove to be an interesting discussion of surveillance and RIPA in an episode of Clive Anderson’s “Unreliable Evidence” that will be broadcast at 8pm today on Radio 4 (and available on the iPlayer thereafter). The show was recorded prior to the recent leaks regarding US surveillance activities, and so focuses on the UK perspective. The other panel members were Eric Metcalfe (former director of human rights policy at Justice, now a barrister at Monckton Chambers) and solicitor Simon McKay.

Ben Hooper

Breach of confidence: the latest from the Supreme Court

The Supreme Court gave judgment today in Vestergaard Frandsen A/S v. Bestnet Europe Limited [2013] UKSC 31. The appeal concerned whether a company (Vestergaard) could sue a former employee – who had helped to establish a rival business – for breach of confidence in circumstances where the former employee (i) had never herself acquired the confidential information in question and (ii) did not know at the time that the rival business was using the confidential information. The sole judgment was given by Lord Neuberger, who held that (i) and (ii) precluded liability in breach of confidence on the part of the former employee.

The judgment does not contain any novel or radical principles. But information lawyers will wish to note the useful overview of the types of cases in which liability will arise (paragraphs 22-27), and Lord Neuberger’s analysis of the limits of liability based on common design (paragraphs 32-39).

Ben Hooper

Charity served with monetary penalty notice

Today, the Commissioner served – for the first time – a monetary penalty notice on a charity. The charity in question, Norwood Ravenswood Ltd, is a social care charity. One of its social workers had attempted to deliver to the home of prospective adopters certain background reports containing highly confidential sensitive personal data on four young children. Finding the couple out, and unable to fit the package through the letterbox, the social worker left the package in a concealed area at the side of the house. When the prospective adopters returned home, the package had disappeared. It was never recovered.

At the time of the incident, the charity had no specific guidance on sending personal data to prospective adopters. Further, and in breach of the charity’s data protection policy, the social worker in question had not received any data protection training.

The Commissioner found that there had been a “serious contravention” of the seventh data protection principle (i.e. that appropriate technical and organisational measures shall be taken … against accidental loss … of … personal data). Perhaps unsurprisingly, the contravention was also found to be “of a kind likely to cause … substantial distress” (for the purposes of the second limb of the test, in s. 55A(1)(b) of the DPA). In addition, the Commissioner concluded that the charity knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent the contravention within the meaning of s. 55A(3) of the DPA.

Although the Commissioner was not aware of any previous similar security breach, and the charity had voluntarily reported the incident to the Commissioner and had fully cooperated thereafter, the Commissioner nevertheless set the penalty at £70,000. Interestingly, the Commissioner does not appear to have taken the data controller’s charitable status to be a factor of any significance in this regard, on the basis that it had “substantial reserves”. Although the penalty is at the lower end of the spectrum of penalties awarded to date this year, it remains a substantial sum.

Overall, today’s decision serves as a useful reminder both of the potential consequences of inadequate data protection procedures and of the fact that even charitable bodies may face heavy penalties if serious contraventions occur.

There is still no monetary penalty case law to offer guidance. But, as regular readers of this blog may recall, the first appeal against a monetary penalty notice (brought by London Community Healthcare NHS Trust) is in the pipeline. It will be heard in December this year (with Tim Pitt-Payne QC and Anya Proops of 11KBW acting for the opposing parties).

One final thought, or, rather, question. The vast majority of the monetary penalty notices concern public authorities. Are public authorities really committing many more “serious contraventions” than private persons, or are they simply more likely to be reporting such contraventions to the Commissioner?

Ben Hooper

UK interception regime upheld in Strasbourg

The European Court of Human Rights handed down a significant judgment today in Kennedy v. UK (application no. 26839/05).

A warrant under s. 8(1) of the Regulation of Investigatory Powers Act 2000 permits the interception of the communications of a particular person (or particular set of premises). Mr Kennedy sought to challenge the Art. 8 compatibility of the s. 8(1) warrant regime, and in particular sought to criticise its foreseeability. The Court unanimously rejected his challenge and, in a relatively detailed judgment, upheld the compatibility of the domestic law.

The case is also interesting for the Court’s analysis of Mr Kennedy’s Art. 6 complaint. Mr Kennedy had brought domestic proceedings in the Investigatory Powers Tribunal, which had resulted in two public decisions on legal issues, together with a final ruling that no determination had been made in his favour (i.e. that there had either been no interception, or that any interception that had taken place had been lawful). In Strasbourg, Mr Kennedy complained that the restrictive procedures of the Tribunal had breached Art. 6. In its judgment, the Court avoided deciding whether Art. 6 applied to such proceedings, but went on to confirm that if Art. 6 did apply then the Tribunal’s procedures satisfied its requirements.

Civil penalty notices: consultation

When the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if – in essence – the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.

The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be compared with the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and – for example – a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up only paying a maximum of £400,000.

One final point. The penalties are to be paid into the consolidated fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.

The application of FOIA to public service broadcasters

Two High Court judgments were handed down last week on what has become known as the BBC’s “derogation” – its limited entry in Sch. 1 to FOIA, under which FOIA applies to the BBC only “in respect of information held for purposes other than those of journalism, art or literature”. Channel 4 and S4C (the Welsh television channel) have entries in Sch. 1 to the same effect.

The cases were Sugar v. BBC and BBC v. Information Commissioner. The former concerned a request for an internal BBC report into Middle East reporting; the latter concerned four sets of requests for various items of financial information relating to the BBC’s programme output. In both cases, Irwin J rejected the submission advanced by all parties that a test of dominant purpose should be used when applying the derogation (i.e. that where information was held for a variety of purposes, it would fall outside FOIA if it was predominantly held for the purposes of “journalism, art or literature”). Instead, Irwin J applied a de minimis approach and held that, on a proper construction of the derogation, “the BBC has no obligation to disclose information which they hold to any significant extent for the purposes of journalism, art or literature, whether or not the information is also held for other purposes.” (See para. 65 of Sugar).

It is as yet unclear whether this aspect of the judgments will be challenged on appeal. Unless and until it is, it would seem that the scope for applying FOIA to information held by the public service broadcasters is more limited than was previously thought to be the case.