The Environmental Information Regulations 2004 contain an exception from the duty to disclose information where disclosure would adversely affect “the confidentiality of the proceedings of that or any other public authority where such confidentiality is provided by law” (regulation 12(5)(d)). There is an equivalent provision in Directive 2003/4/EC. What is meant by the “proceedings” of a public authority? Continue reading →

If you work in data protection, I bet you love questions like this:

I have some information which looks anonymous – but is it nonetheless ‘personal data’? (If it is, it saddles me with plenty of otherwise inapplicable legal duties blah moan). The test is whether there is a realistic prospect of someone being identified, but how do I apply that test? How do I tell whether the risk of someone being identified from this apparently anonymous information is sufficiently high?

And I bet you especially love questions like this:

I have some information which is anonymous in my hands: it would be absolutely impossible for me to identify anyone from this information. But someone else could – there is someone else who has the key which can unlock the identities behind this apparently anonymous (or pseudonymised) data. What now? Is it personal data or not? Continue reading →

In my post on the TLT case last week, I mentioned a second recent judgment awarding compensation for a DPA breach. This is the judgment of the Central London County Court (HHJ Luba QC) in Andrea Brown v Commissioner of Police for the Metropolis and Chief Constable of Greater Manchester Police (judgment available via Inforrm here).

Whereas TLT concerned a data breach (accidental public disclosure), Brown concerned the unfair use of policing powers to obtain information for an employment disciplinary matter. The Court awarded £9,000 in compensation, arising as follows. Continue reading →

By way of update to my post below on the TLT matter, and in particular for interested readers who have asked, here is a copy of Mitting J’s judgment: tlt-v-sshd.

Robin

One of the major evolving issues in privacy and data protection law concerns the assessment of damages: when someone suffers a breach of their privacy or DP rights, how do you go about deciding how much money to award them by way of compensation?

Courts have to date taken a number of approaches to this question. In Halliday v Creation Consumer Finance [2013] EWCA Civ 333, Arden LJ suggested that awards in DP cases should be “relatively modest” and that the Vento bands used in discrimination law were not suitable comparators in this arena; Mr Halliday was given £750.

Arden LJ was then one of the Court of Appeal judges in Gulati v MGN Ltd. [2016] 2 WLR 1217, where damages for privacy breaches committed via phone-hacking ranged between £85,000 and £260,250. That judgment contained an important analysis of the nature of privacy and the impact of its violation.

Lastly, a personal injury approach was adopted in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54, where a data loss causing psychiatric injury saw a £20,000 award.

The last week has seen two notable contributions to the evolving jurisprudence on the ultimate privacy issue, namely money. Continue reading →

Quite a lot of the time, when a public authority refuses a request for information based on vexatiousness (under FOIA) or manifest unreasonableness (under the EIRs), its thinking is something like this:

‘We are not saying there is zero public interest in the information you seek; rather, we are saying that – in light of everything that has passed between us – the burden imposed by compliance with your request is disproportionate to the good it would do’.

That rationale is sensible. Isn’t it? Continue reading →