Author: Rachel Kamm

CALL FOR EVIDENCE ON THE EUROPEAN COMMISSION’S DATA PROTECTION PROPOSALS

Posted on | by Rachel Kamm

The Government is seeking evidence on the  new legislative proposals for data protection, which were published by the European Commission on 25 January 2012. Responses are due by 6 March 2012 and can be submitted online here. The European Commission aims to have a final agreed legislative framework by 2014.

The European Commission has published in draft both a Regulation and a Directive. The proposed Regulation will set out a general EU framework for data protection to replace the 1995 Data Protection Directive, which is implemented into UK law by the Data Protection Act 1998. The proposed Directive will cover the protection of personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities (to replace the existing Data Protection Framework Decision).  For those of you who have not looked  at the proposals yet, the Government’s Call for Evidence is a good place to start for a summary.

Rachel Kamm

UPDATE ON RECENT TRIBUNAL DECISIONS

Posted on | by Rachel Kamm

The First Tier Tribunal (Information Rights) has had a busy start to 2012, with 7 decisions on its website already.

The first judgment out was Herbert v ICO and West Dorset District Council, EA/2011/0157. The appellant sought correspondence concerning the transfer to the Council of property previously owned by Lyme Regis Borough Council. The Council refused the request on ground that it was vexatious. The history of this case related to incidents and disputes regarding a different matter, between the appellant and the Council dating back to 1992, which culminated in 1996 when the Council revoked a license held by the appellant. The ICO agreed that the request was vexatious. The appellant submitted that he had a genuine interest in the history of Lyme Regis and that he believed that some historical documents were missing from the National Archives and that they had been retained by the Council because they related to illegally acquired property. The Council had previously allowed him to research their archives on another matter and he wished to be able to do so again to look for these missing documents. He said that he had expected the ICO to contact him so that he could put forward further arguments. The FTT agreed with the ICO and the Council that the request had been made under FOIA (and not the EIRs). The FTT set out the key principles that have been applied by Tribunals in considering whether requests were vexatious under s14 FOIA. The FTT considered the background and found that the appellant’s request was obsessive. Further, the request had the effect of harassing the Council (even though the language was not hostile), as allegations of illegality and impropriety were made at the same time as the requests and there was a context of a high volume of correspondence. The Council had made extraordinary efforts to accommodate the appellant’s requests over a considerable period of time and valuable resources of time and effort have been used which could otherwise have been used more productively. In the view of the FTT, to accommodate this request would constitute a further and significant burden on the Council. The FTT concluded that the request was vexatious.

The next decision to be promulgated was King v ICO, EA/2010/0126. The appellant sought from the ICO records of complaints where Crawley Borough Council had failed to comply with FOIA/EIRs and the ICO never served a ‘decision notice’. The ICO refused the request on ground that the information  consisted of ‘third party information’ that was exempt from the requirements of disclosure. It did not identify the exemption relied on for refusing to disclose the information. However, it did provide the appellant with a summary of the information requested. Further information was provided by the ICO in response to the appellant’s request for a review of the decision. The appellant then asked for the information with just the personal details of individuals removed. The ICO refused, citing s.44 FOIA, as exempting information that is prohibited from disclosure under another Act, namely s.59 DPA (which prevents disclosure of information collected in the course of an investigation where there is no lawful authority to do so). The appellant requested  review of this decision. In subsequent correspondence, the ICO  relied on s.40 FOIA (the data protection exemption). The appellant then asked the ICO to make a decision under s.50 FOIA as to whether it had complied with the Act. Having previously been acting in its capacity as a body which was itself subject to FOIA, the ICO then changed back to its normal hat. The ICO said that it was reversing its decision and it provided the appellant with the  letters which had been sent to the Council in the cases alleging non-compliance with FOIA, with personal data redacted. The appellant disputed that this resolved his request; he also wanted the documents from the individuals making complaints and from the Council. The ICO denied that these had been within the scope of his original request. The ICO subsequently issued a decision notice stating that it had provided the appellant with the information requested, but that it had breached FOIA (including by not holding an internal review at the right stage, by not providing the information at the outcome of the internal review and by not acting within the time-scales in the Act). The appellant appealed, arguing that the ICO had not provided all information which fell within the scope of his request, had misinterpreted his request and had breached the duty to provide advice and assistance. In relation to the scope of the request, the FTT criticised the ICO for not having properly analysed the request but found that in fact it had provided all information that fell within the scope of the request. The appeal therefore failed. The FTT also found that the ICO was not in breach of the duty to provide advice and assistance; the appellant argued that the ICO should have asked him to clarify his request, but the FTT found that this was not necessary because the request was in any event clear and adequately specified the information sought. This case very much turned on its facts, but it is interesting to see the application of FOIA to the ICO as a public authority and it is also a useful reminder to carefully read the request from the outset.

The third decision out in 2012 was Newcastle Upon Tyne Hospital NHS Foundation Trust v ICO, EA/2011/0236. This appeal was struck out because the judge considered that there was no reasonable prospect of it succeeding. The disputed information was statistics about the number of people dismissed over a three year period. The Trust refused to provide the information, on ground that it was reasonably accessible (s.21 FOIA) by way of an application in the employment tribunal litigation. The Trust subsequently provided the information voluntarily. The ICO found that the Trust had misapplied s.21 FOIA. The Trust appealed, arguing that “The point at issue is one of prioritising the correct forum by which information is provided. The Trust point is that once proceedings are issued, the correct forum lies within the proceedings that have been issued, in this case the Employment Tribunal“. Not surprisingly, the judge found that this argument had no reasonable prospect of success. FOIA rights are not put on hold if there is litigation between the parties. Further, information obtained under FOIA can be used for any purpose whereas information obtained in litigation can only be used for that purpose and so litigation disclosure is not an answer.

Cross v ICO, EA/2011/025 is also a strike out decision. The appellant sought from Havant Borough Council a building control decision notice, plans and inspection records relating to a loft conversion to his home carried out in 1987. The Council refused the request under the EIRs, on ground that it was not held at the time of receipt of the request. The appellant believed that he had seen these documents on a visit to the Council and that, whilst it was possible that they had subsequently disappeared, his appeal should not be struck out. However, the Council had conducted a six day trawl for the information and the judge found that it was obviously willing to provide the information if it could be found. The appeal was therefore struck out as having no reasonable prospect of success.

Finally, in Martyres v ICO and NHS Cambridgeshire, EA/2011/020, the FTT dismissed an appeal by an appellant who sought all information held by NHS Cambridgeshire (and its relevant community services provider), in respect of her deceased mother who had died on 29 August 2009 including information about the care received by her mother at a care home she was staying at prior to her death. The appellant argued that she was the next of kin, proposed executor and trustee of one of the Wills and had a valid claim against her mother’s estate under the intestacy  rules. In relation to s.41 (FOIA), the FTT found that the information was obtained from another person (social care professionals), it possessed the necessary quality of confidence and disclosure would constitute such an actionable breach of confidence. The FTT further concluded that s.21 FOIA did not apply, in that the appellant would not have been able to obtain the disputed information under the Access to Health Record Act 1980 (as the appellant claimed); whilst she was the nearest relative, she was not the personal representative. The FTT also dismissed the appellant’s arguments under the Human Rights Act 1998.

Rachel Kamm

LATE RELIANCE ON EIR EXEMPTIONS AS OF RIGHT

Posted on | by Rachel Kamm

Readers will recall that the Upper Tribunal decided in early 2011 that public authorities are entitled as of right to rely on any exception / exemption under either the Freedom of Information Act 2000 or the Environmental Information Regulations 2004 at any stage of the proceedings.

In that case, the Upper Tribunal considered two appeals together. The first was an appeal brought by DEFRA, challenging the Tribunal’s decision that it could not now seek to rely on additional exemptions under the EIRs and that it was limited to the exemption that it had relied on at the time of its refusal to disclose environmental information to Mr Birkett (the founder of the cross-party Campaign for Clean Air in London). The second was an appeal brought by the Information Commissioner, challenging the Tribunal’s decision that the Home Office was entitled as of right to rely on new exemptions under FOIA.  At the hearing of the appeals before the Upper Tribunal, DEFRA submitted that it was entitled as of right to rely on the new exceptions/exemptions, Mr Birkett said that a public authority could not lawfully rely on new exceptions/exemptions before the Commissioner and the Tribunal, and the Commissioner adopted a middle course (namely that while there was no right to rely on new exceptions/exemptions, a public authority could be permitted to do so at the discretion of either the Commissioner or the Tribunal). The Upper Tribunal agreed with the public authorities that they could rely on a new exception/exemption at any time under either FOIA or the EIRs.

Mr Birkett appealed against this decision about the EIRs to the Court of Appeal: Birkett v The Department for the Environment, Food and Rural Affairs [2011] EWCA Civ 1606.

Lord Justice Sullivan (with whose judgment Lord Justices Lloyd and Carnworth agreed) started by considering the Aarhus Convention on Access to Information, Public Participation in Decision Making and Access to Justice in Environmental Matters. The Council Directive 2003/4/EC on public access to environmental information implements the Aarhus Convention and is itself implemented in domestic law by the EIRs. Mr Birkett argued that it was necessary to interpret the Directive (and in turn the EIRs) as preventing a public authority from relying on a new or different exemption after the internal review stage; otherwise the complainant would not have an effective remedy because they would not know the reasons for the public authority’s refusal of their request for information.

Lord Justice Sullivan rejected Mr Birkett’s argument. He took into account that the Directive does not proceed upon “the unlikely premise” that within the prescribed “tight timescale the public authority will always “get it right the first time”, hence the review process provided for by Article 6. While some decisions may be relatively straightforward, the question whether some information, and if so how much of that information, falls within one or more of the exceptions may well be a question of some complexity. Are documents protected by legal advice or litigation privilege, are there intellectual property rights in certain information, etc.? The exceptions are concerned with important public interests.” (paragraph 21). He held that “The Court or other legal body conducting the review under Article 6(2) is not reviewing the decision made by the administrative reviewer under Article 6(1), it is reviewing “the acts or omissions of the public body concerned.” Thus, the court must consider de novo the propriety of releasing the information. Such a process is bound to discover errors and omissions in the exceptions relied upon in initial decisions, and it would be surprising, given the balancing exercise required by the Directive, if those errors were incapable of subsequent correction.” (paragraph 23).

Lord Justice Sullivan went on to give a hypothetical example of a public authority which mistakenly fails to rely in its refusal notification upon an adverse effect upon public security or national defence. Mr Birkett considered that this would happen rarely and that the solution was for the Commissioner / Tribunal to refuse to allow the public authority to rely on that exception / exemption late but to exercise its discretion to refuse to order disclosure of the information where that was necessary to avoid a breach of human rights (paragraphs 24 and 25).

Lord Justice Sullivan rejected Mr Birkett’s proposed solution. The public interests protected by the exemptions in the EIRs were not just human rights. Further, the Commissioner and the Tribunal were able to exercise effective judicial control, for example by requiring an appellant to set out his grounds at an early stage in the grounds of appeal. “Any application by the public authority to rely upon a new exception made after the time limit for its grounds of appeal/response would be subject to the Tribunal’s case management powers under rule 5; see also rules 22(4) and 23(5) which deal with the submission of notices of appeal and responses out of time.” (paragraph 28). He concluded that the public authority was entitled to rely as of right on new EIR exemptions in the notice of appeal to the Tribunal.

Note that there was no appeal from the Upper Tribunal’s decision in the Home Office case about FOIA, which remains good law. It is also noteworthy that the Commissioner chose not to participate in the appeal, which meant that the Court of Appeal did not hear submissions on the middle course which it had proposed to the Upper Tribunal in the Home Office case. Lord Justice Carnworth commented that “There would have been attractions in an alternative approach, which could have reconciled the need for urgency, implicit in the CJEU case-law, with the need for flexibility in the operation of the scheme” (paragraph 31).

As a result of this decision, the general rule is that public authorities can rely on any exception / exemption at any time under the EIRs or FOIA. However, note that there is still a different approach where the public authority seeks to rely on the cost exception in FOIA after its initial decision; see our post on this topic here.

Rachel Kamm

THE INFORMATION COMMISSIONER’S ROLE UNDER THE DPA

Posted on | by Rachel Kamm

An interesting issue about the scope of the DPA arose in The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB). The Law Society and a number of firms of solicitors sought an injunction requiring the Defendant, the publisher of the “Solicitors from Hell” website, to cease publication of the website in its entirety and to restrain him from publishing any similar website. The causes of action relied upon were libel, harassment under the Protection from Harassment Act 1997 and breach of the Data Protection Act 1998.

The Defendant was the data controller of personal data, including sensitive personal data (for example, allegations made by a third party on the Defendant’s website about the alleged commission of an offence by a solicitor). Mr Justice Tugendhat did not mince his words in finding that the Defendant was in breach of the DPA:

In breach of the First Data Protection Principle the Defendant has not processed the personal data of the solicitors and other individuals named on the Website fairly and lawfully. The Defendant has processed the said personal data in a grossly unfair and unlawful way by, in particular, (a) publishing highly offensive defamatory allegations about these solicitors and other individuals on the Website; (b) pursuing a course of conduct against these solicitors and other individuals that amounts to harassment contrary to the PHA; (c) on numerous occasions refusing to remove the posting about a solicitor or other individual unless the Defendant is paid a fee. This is not permitted by law and is disreputable. (d) None of the conditions in Schedule 2 of the DPA 1998 is met by the Defendant in respect of the processing of the said personal data on the Website.

In breach of the Fourth Data Protection Principle the personal and sensitive personal data about solicitors and other individuals processed by the Defendant and published on the Website is not accurate, indeed it is usually seriously inaccurate. The Claimants rely upon the following, amongst other matters: (a) The wholly inaccurate and untrue allegations processed and published by the Defendant via the Website about the Third Claimant; (b) The Schedule of Complaints which sets out and describes how the personal data of solicitors and other individuals processed and published by the Defendant via the Website is inaccurate. (c) The Defendant’s failed attempts to justify defamatory allegations in the many cases brought against him for libel in respect of the defamatory publications on the Website as evidence of inaccurate information; in breach of the Sixth Data Protection Principle the Defendant did (and does) not process personal data of the solicitors and other individuals who are Individual Complainants in accordance with their rights, as he has failed to comply with the request made in the Complaints’ solicitor’s letter dated 12 August 2011.

…on 12 August 2011 the Claimants’ solicitor gave the Defendant formal notice under section 10(1) of the DPA that the individual complainants, who include the Third Claimant, required the Defendant to cease the processing of their personal data (i.e. to remove the offending material from the Website and destroy any copies retained elsewhere) as the processing of this data was (and continues) causing them unwarranted damage and distress. Additionally, the Claimants’ solicitor required the Defendant to agree not to process any data in the manner complained of in the future. As a result of the Defendant’s failure to comply with the Notice, he has breached the Sixth Data Protection Principle. The Defendant did not state that he considered the notice to be unjustified (as he could have done under section 10(3)(b) of the DPA).”

Not surprisingly, given these findings, Mr Justice Tugendhat concluded that the Third Claimant was entitled to an order under section 10(4), requiring the Defendant to comply with the Notice. He went on to comment on the scope of the DPA and the Information Commissioner’s powers.  The background was that the Chief Executive of the Law Society had written to the Information Commissioner to complain about the website. The Information Commissioner had responded that the DPA was not designed to deal with this kind of case. The Commissioner considered that it was “not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this“. He relied on section 36 DPA, which provides that “Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the Data Protection principles under provisions of Parts II [rights of data subjects and others] and III [Notification by data controllers]”. The Commissioner also highlighted the practical difficulties of trying to use the DPA to regulate material posted on websites.

Mr Justice Tugendhat expressed considerable sympathy with the Commissioner’s comments about the practical difficulties in cases such as this. However, his starting point was that the offensive comments on the website in question were unlawful and that the DPA required that data be processed lawfully. He did not see how the exemption in section 36 DPA could apply in this case.  Mr Justice Tugendhat commented that had  the Defendant been publishing information in the public interest on his website, he could have relied on the exemption relating to journalism in section 32 DPA. Further, the fact that a claimant may have claims under common law torts or the Human Rights Act 1998, did not prevent enforcement under the DPA. He concluded by commenting that where there is any room for argument as to whether processing is unlawful under the general law, it may be more appropriate that a complainant should be required to pursue his remedy in the courts and further that there be many grounds on which the Commissioner may properly decline to exercise his powers under Part V DPA. However, where there is no room for argument that processing is unlawful, it was more difficult to say that the matter was not one which could be dealt with under Part V DPA. This ruling potentially has significant implications for the Commissioner in practice.

Rachel Kamm

CAMPAIGN AGAINST ARMS TRADE – SECTION 27

Posted on | by Rachel Kamm

The First Tier Tribunal (Information Rights) has been considering international relations in Campaign Against Arms Trade v Information Commissioner and Ministry of Defence, EA/2011/0109.

The Campaign Against Arms Trade contacted The National Archive by email on 22 May 2009 to request access to files held under reference nos. DEFE68/133 and DEFE68/136. File 133 was entitled or described as relating to the “[MOD]: Central Staff: Registered Files and Branch Folders: sale of arms to Saudi Arabia”. The file was said to be made up predominantly of “telegrams, memos and general correspondence to deal with the negotiations which took place during 1971/72 regarding the Saudi Arabian Air Defence Program (SADAP)”. File 136 was stated as dealing with the follow-up to the Saudi decision not to renew a contract for the training and maintenance of aircraft operated by the Royal Saudi Air Force with the British firm, Airwork, but to give it to the Pakistani Air Force instead.

The National Archive released the files with redactions and invoked section 27(1) and section 27(2) of the Freedom of Information Act 2000 (FOIA).  Section 27(1) provides that “Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice –(a) relations between the United Kingdom and any other State, (b) relations between the United Kingdom and any international organisation or international court, (c) the interests of the United Kingdom abroad, or (d) the promotion or protection by the United Kingdom of its interests abroad.” The MoD relied on (a), (c) and (d) of section 27(1). They also relied section 27(2), which provides that  “Information is also exempt information if it is confidential information obtained from a State other than the United Kingdom or from an international organisation or international court”. Both of these are qualified exemptions.

The Information Commissioner found that the exemptions in sections 27(1)(a), (c) and (d) and also section 27(2) were engaged. Having considered the balance of the public interest, he ordered limited disclosure of the previously redacted material. The appellant did not challenge this decision with respect to section 27(2) and therefore the Tribunal’s decision is only concerned with section 27(1).

The Tribunal considered the decision of Gilby v Information Commissioner and Foreign & Commonwealth Office (EA/2007/0071, 0078 and 0079).  The Tribunal commented that it was not bound by Gilby but that it was following the same general approach: “If corrupt activities on the part of UK officials are evident from the papers, as defined in paragraph 59 of the Gilby decision, there is a strong public interest in disclosure“. However, it had “real difficulty in applying a workable and justifiable approach to partial disclosure of documents through redaction“.

The Tribunal concluded that section 27(1) was engaged and that the Commissioner had properly applied the public interest considerations. It rejected the argument that, given the level and extent of disclosure in the wake of the Gilby decision and indeed in another context, disclosure of much although not all of the requested information would not necessarily lead to an unfavourable reaction on the part of Saudi Arabia.

Interestingly, the Tribunal commented on its approach where the parties have agreed to an appeal being determined on the papers without a hearing. Where the parties so consent, the Tribunal “is firmly of the view that it must therefore approach this appeal with a proper sense of proportion and also with a due sense and degree of proportionality. The costs which would be attendant on a more protracted exercise means that a minute dissection of what is a substantial body of information cannot properly be justified at least in the present case and the Tribunal so finds“. The parties should bear this comment in mind, when deciding whether or not to request an oral hearing of an appeal.

DATABASE RIGHTS AND BREACH OF CONFIDENCE

Posted on | by Rachel Kamm

The Chancery Division has considered the scope of the database rights in the Copyright, Designs and Patent Act 1998  in Forensic Telecommunications Services Ltd v Chief Constable of West Yorkshire [2011] EWHC 2892 (Ch).

The Claimant was a forensic services company, which recovered digital evidence from mobile phones for criminal investigations. It had a list of the permanent memory absolute addresses for different types of phone (known as PM Abs addresses) and it created software from this list. The Claimant had granted the security service a licence to use the software, but this did not extent to law enforcement agencies. A police officer (who was the Second Defendant to the claim) received several PM Abs addresses from a security operative and he posted them on the internet. Other law enforcement officers added to the list. The police officer created a list which contained 32 of the Claimant’s 33 PM Abs addresses. The police officer used this list to create software that was similar to the Claimant’s software.

The Claimant issued a claim against the police officer’s force (the Chief Constable of West Yorkshire) and the police officer personally, alleging infringement of its copyright and database rights.

The Court found that no copyright subsisted in the individual PM Abs addresses because the skill, judgement and labour expended in ascertaining the addresses was not of the right kind to attract copyright protection. The PM Abs list was however a database because the addresses were systematically arranged and individually accessible (meeting the test in section 3A of the Copyright, Designs and Patents Act 1988) and therefore it was not protected by copyright. The Claimant had made a substantial investment in obtaining and verifying the data on the list and therefore a database right subsisted in the list. The police officer had extracted and re-utilised a substantial part of the database and thereby infringed the Claimant’s database right. The police force was vicariously liable for this act of infringement.

The Claimant also succeeded in a claim for breach of confidence against both Defendants. The PM Abs list had the necessary quality of confidence, since it was valuable information collated by  the Claimant through the exercise of skill, judgement and labour which was not in the public domain. The police officer had misused this confidential information by posting the list on the website forum and making copies of it for his own use. The police force was again vicariously liable for the police officer’s actions.