Author: Robin Hopkins

Redacting for anonymisation: Article 8 v Article 10 in child protection context

Posted on | by Robin Hopkins

Panopticon has reported recently on the ICO’s new Code of Practice on Anonymisation: see Rachel Kamm’s post here. That Code offers guidance for ensuring data protection-compliant disclosure in difficult cases such as those involving apparently anonymous statistics, and situations where someone with inside knowledge (or a ‘motivated intruder’) could identify someone referred to anonymously in a disclosed document. The Upper Tribunal in Information Commissioner v Magherafelt District Council [2012] UKUT 263 AAC grappled with those issues earlier this year in the context of disclosing a summarised schedule of disciplinary action.

Redaction is often crucial in achieving anonymisation. Getting redaction right can be difficult: too much redaction undermines transparency, too much undermines privacy. The Court of Appeal’s recent judgment In the matter of X and Y (Children) [2012] EWCA Civ 1500 is a case in point. It involved the publication of a summary report from a serious case review by a Welsh local authority’s Safeguarding Children Board. The case involved very strong competing interests in terms of Article 8 and Article 10 ECHR. For obvious reasons (anonymity being the key concern here) little could be said of the underlying facts, but the key points are these.

A parent was convicted in the Crown Court of a serious offence relating to one of the children of the family (X). The trial received extensive coverage in the local media. The parent was named. The parent’s address was given. The fact that there were other siblings was reported, as also their number. All of this coverage was lawful.

The local authority’s Safeguarding Children Board conducted a Serious Case Review in accordance with the provisions of the Children Act 2004 and The Local Safeguarding Children Boards (Wales) Regulations 2006. Those Regulations require the Board to produce an “overview report” and also an anonymised summary of the overview report. The relevant Guidance provides that the Board should also “arrange for an anonymised executive summary to be prepared, to be made publicly available at the principal offices of the Board”.

Here two features of the draft Executive Summary were pivotal.

First, reference was made to the proceedings in the Crown Court in such a way as would enable many readers to recognise immediately which family was being referred to and would enable anyone else so inclined to obtain that information by only a few minutes searching of the internet.

Second, it referred, and in some detail, to the fact, which had not emerged during the proceedings in the Crown Court and which is not in the public domain, that another child in the family (Y), had also been the victim of parental abuse.

The local authority wanted to publish the Executive Summary, seeking to be transparent about its efforts to put right what went wrong and that it has learned lessons from X’s death. It recognised the impact on Y, but argued for a relaxtion of a restricted reporting order to allow it to publish the Executive Summary with some redactions. It was supported by media organisations who were legally represented.

The judge (Peter Jackson J) undertook a balance of interests under Articles 8 and 10. He allowed publication, with redactions which were (in the Court of Appeal’s words) “in substance confined to three matters: the number, the gender and the ages of the children.”

In assessing the adequacy of these redaction, the Court of Appeal considered this point from the judgment of Baroness Hale in ZH (Tanzania) v Secretary of State for the Home Department [2011] UKSC 4, [2011] 2 AC 166, at paragraph 33:

“In making the proportionality assessment under article 8, the best interests of the child must be a primary consideration. This means that they must be considered first. They can, of course, be outweighed by the cumulative effect of other considerations.”

Munby LJ thus concluded (paragraph 47 of this judgment) that “it will be a rare case where the identity of a living child is not anonymised”.

He recognised, on the other hand, that Article 10 factors always retained their importance: “there could be circumstances where the Article 8 claims are so dominant as to preclude publication altogether, though I suspect that such occasions will be very rare.”

On the approach to anonymisation through redaction, Munby LJ had this to say (paragraph 48):

“In some cases the requisite degree of anonymisation may be achieved simply by removing names and substituting initials. In other cases, merely removing a name or even many names will be quite inadequate. Where a person is well known or the circumstances are notorious, the removal of other identifying particulars will be necessary – how many depending of course on the particular circumstances of the case.”

In the present case, the redactions had been inadequate. They did not “address the difficulty presented by the two key features of the draft, namely, the reference to the proceedings in the Crown Court and the reference to the fact that Y had also been the victim of parental abuse” (paragraph 53).

Far more drastic redaction was required in these circumstances: to that extent, privacy trumped transparency, notwithstanding the legislation and the Guidance’s emphasis on disclosure. In cases such as this (involving serious incidents with respect to children), those taking disclosure decisions should err on the side of heavy redaction.

Robin Hopkins

 

Internet traffic data and debt collection: privacy implications

Posted on | by Robin Hopkins

Mr Probst was a subsriber to the internet service provider (ISP) Verizon. He failed to pay his bill. A company called ‘nexnet’, the assignee of Verizon’s debt, sought to collect the sums due. In doing so, it obtained and used his internet traffic data in accordance with its ‘data protection and confidentiality agreement’ with Verizon. Disinclined to pay up, Mr Probst argued that nexnet had processed his personal data unlawfully and that the relevant terms of its agreement with Verizon purporting to sanction that processing were void. The first-instance German court agreed with him, but the appellate court did not.

It referred a question to the CJEU concerning Directive 2002/58 (the privacy and electronic communications Directive), which seeks to “particularise and complement” the Data Protection Directive 95/46/EC.

Article 5(1) of the 2002 Directive provides confidentiality in respect of electronic communications and traffic data. Article 6(1) says that traffic data must be “erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication”, unless one of the exceptions in that Article applies. The relevant provisions here were Articles 6(2) and (5). The first allows traffic data to be processed for subscriber billing purposes – but only within a specified time period. The second allows for processing of such data by an ISP’s authorised agent only for specified activities and only insofar as is necessary for those activities. The provisions are worded as follows:

(2) Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

(5) Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.

In Probst v mr.nexnet GmbH (Case C‑119/12), the Third Chamber of the CJEU essentially had to decide whether, and in what circumstances, Articles 6(2) and (5) allow an ISP to pass traffic data to the assignee of its claims for payment such that the latter may process those data. Its starting point was that Articles 6(2) and (5) were exceptions to the general principle of confidentiality with respect to one’s internet traffic data. They therefore needed to be construed strictly.

As regards Article 6(2), Mr Probst had argued that nexnet was not in the business of ‘billing’, but in the business of debt collection. The referring court’s view was that, for data protection purposes, those activities were sufficiently closely connected to be treated indentically. The Third Chamber agreed. It found that, by authorising traffic data processing ‘up to the end of the period during which the bill may lawfully be challenged or payment pursued’, Article 6(2) relates not only to data processing at the time of billing but also to the processing necessary for securing payment thereof.

As to Article 6(5), the Court held “that a persons acts under the authority of another where the former acts on instructions and under the control of the latter”.

The next question was essentially: what does a data protection-compliant contract between an ISP and a third party (an agent, assignee or someone to whom an activity is outsourced) look like? Must the ISP actually be able to determine the use of the data by the third party, including on a case-by-case basis, throughout the duration of the data processing? Or is it sufficient that its contract with the third party contains general rules about the privacy of telecommunications and data protection and provides for data to be erased or returned on request?

The Court emphasised that outsourcing or assignment may not result in lower levels of protection for individuals’ personal data (paragraph 26). The contract must be sufficiently specific. It must, for example, provide for the immediate and irreversible erasure or return of data as soon as knowledge thereof is no longer necessary for the recovery of the claims concerned. The controller (here, the ISP) must be in a position to check and ensure compliance with the privacy and data protection measures agreed under the contract, and the contract must provide for the ISP to be able to request the return or erasure of the data.

The issue in the Probst case (how to balance privacy and legal rights to monies owed) has obvious parallels with measures to combat copyright infringement (how to balance privacy and legal rights to intellectual property). I have blogged on copyright and privacy issues here and here.

The Probst judgment is an important confirmation of general principles about privacy with respect to one’s internet data. The implications for all sorts of contracts involving such data are clear – cloud computing arrangements, for example (on which, see Panopticon’s post here).

It is increasingly important that those contracts provide for specific and enforceable safeguards against unlawful processing of personal data. The Data Protection Directive will change before too long, but these principles will not.

Robin Hopkins

Update on recent Tribunal decisions part 4: qualified exemptions and the public interest

Posted on | by Robin Hopkins

In the final part of our round-up of recent decisions of the First-Tier Tribunal, Panopticon looks at the qualified exemptions, the public interest and a few other loose ends.

Section 36: Cherie Booth, Ryanair and Council emails

Sutton v IC and Nottingham City Council (EA/2012/0044) concerned the Council’s decision to amend its internal ‘sign off’ procedures for responses to FOIA requests, following an incident in which its response to a request about the cost of Councillors’ refreshments was considered to have been inadvertently misleading and lacking in context. The requester asked for internal emails about the proposed change. The Council withheld some of those emails, contending that they contained the sort of robust, free and frank exchange of views for which a safe decision-making space was needed. In a decision which many local authorities will find heartening, the Tribunal agreed.

The background to Sittampalam v IC and Ministry of Justice (EA/2011/0277) is the comments made by Cherie Booth QC, sitting as a recorder, when sentencing a Muslim defendant. Her comments appeared to suggest that his faith was a mitigating factor in his defence. They caused a stir, were reported in the media and attracted complaints, including by the National Secular Society, to the Office for Judicial Complaints. The OJC concluded that Ms Booth’s comments did not constitute judicial misconduct, though she was to receive “informal advice” on the issue.

A request under FOIA was made for all information about this OJC investigation and any action taken. The public authority relied on s. 36 – prejudice to the free and frank exchange of views, provision of advice or conduct of public affairs. The ‘reasonable opinion of the qualified person’ (the prerequisite for engaging s. 36) was obtained after the public authority’s holding reply to the request and after the statutory time for compliance – but before the public authority’s formal notice of refusal. The Tribunal rejected the requester’s contention that s. 36 was not engaged because of the timing of the opinion. As to the public interest, the Tribunal was satisfied us that the requester’s suspicions about the OJC ‘covering up’ the complaint or trying to minimise the impact of its conclusions on account of Ms Booth being the wife of Tony Blair were unfounded. Nor were the OJC’s press statements inconsistent with its letters to the National Secular Society. The appeal was dismsised.

Whereas alleged ‘late reliance’ on s. 36 succeeded in Sittampalam, it was unsuccessful before the Tribunal (at the preliminary hearing stage) in Ryanair v IC and Office of Fair Trading (EA/2012/0088). The opinion was obtained prior to the internal review. The Tribunal concluded that:

“Considering issues of reasonableness it is difficult for the Tribunal to be satisfied that the section 36 opinion of the qualified person – given its timing in respect of this appeal – is not an ex post facto conclusion or, more accurately, not tainted with the perception that that could be the case. That goes to the heart of its reasonableness.”

Sections 41 and 43: casinos and vikings

London Borough of Newham v IC (EA/2011/0288) concerned the Council’s award of the licence to operate a large casino at Westfield shopping centre in Stratford. The requester, a law firm acting on behalf of the unsuccessful bidder, made a request under FOIA for documents relating to the successful bid. The Council withheld some of those, relying on s. 44 (statutory bar on disclosure under the Code of Practice for the Gambling Act 2005), s. 41 (information obtained in confidence) and s. 43 (prejudice to commercial interests). The Commissioner was unpersuaded and ordered disclosure.

The Council’s appeal was partially upheld and partially dismissed. The statutory bar was held not to extend beyond the conclusion of the tender process. S. 43(2) was engaged, with the public interest favouring disclosure of some (relating for example to security arrangements and the financial guarantee offered by the winning bidder, as well as records of some of the negotiation discussions, which the Tribunal found would be unsurprising to any commercial rival) but not others (tender details which were deemed more commercially sensitive). Similarly, s. 41 succeeded for some information but not all (some, for example, was effectively in the public domain; some had not been obtained from outside the Council). Bidders could reasonably expect confidentiality not permanently, but for a reasonable time following the bidding process – here the request was made within that reasonable time, which counted in the Council’s favour.

The disputed information in Pim v IC and Down DC (EA/2012/0078) was a business plan submitted by the Magnus Viking Association in respect of their proposed Viking re-enactment centre, and correspondence between the Council and Magnus. The Council relied on regulation 12(5)(e) of the EIR (confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest). The Commissioner and Tribunal agreed: extensive research and consultation had gone into the specialist information, which could be used by Magnus’ competitors in a viking re-enactment market which, while not flooded with competition, was growing. There was a strong interest in maintaining trust between the commercial parties.

Prejudice to the course of justice

In McCullough v IC and Northern Ireland Water (EA/2012/0082), the requester sought detailed technical information about vibrations measurements relating to sewer upgrade works in Belfast. The Commissioner agreed with the public authority that regulation 12(5)(b) of the EIR (adverse effects on the course of justice) was engaged and that the public interest favoured its maintenance. A key issue was that disclosure, it was argued, would prejudice NI Water’s position when defending prospective legal claims about the sewer works vibrations, including by the requester (though there was a dispute as to whether the requester did in fact intend such proceedings).

The Tribunal disagreed. It was “not persuaded that purely factual information such as this could ever adversely affect the course of justice” and did “not accept that early disclosure of this technical information would prejudice NI Water in any way that they would not be prejudiced in the normal course of discovery in litigation by such information”. Regulation 12(5)(b) was therefore not engaged, in the Tribunal’s view.

It also did not think that information could be withheld just because of potential prejudice to a public authority’s litigation position: “The implications of implementing such a policy could, in some circumstances amount to a cover up, and in our view would be contrary to the spirit and intent of the FOIA and EIR legislation and further, contrary to the public interest. We are of the view that it is in the public interest that justice is done and that the correct result emerges from litigation, not that a public authority should necessarily be successful, just because it is a public authority.” The exact meaning of these last words is not clear, but the decision will nonetheless raise many a public authority eyebrow.

Robin Hopkins

Update on recent Tribunal decisions part 3: personal data of public officials and relating to court proceedings

Posted on | by Robin Hopkins

I posted a few days ago about some recent decisions of the First-Tier Tribunal on requests under FOIA and the EIR for personal data. There have been a number of decisions on this issue of late. The following are of note, as they illustrate the types of issues very frequently encountered by public authorities. They also illustrate the nuanced and forensic approach taken by some Tribunals. There may not be a presumption in favour of disclosing personal data, but public authorities should beware assuming that Tribunals will be equally cautious about disclosing all types of personal data.

Chief Constable appointments: partial disclosure ordered

The Appointments Committee of Dyfed Powys Police Authority assessed and interviewed the candidates for the office of Chief Constable. There were two candidates. The Committee was advised by a representative from HM Inspector of Constabulary who was very critical of one of the candidates, leaving the Committee feeling that it had no option but to appoint the other. Committee members complained about the HMIC representative, including to the Home Office. The issue entered the public domain. The unsuccessful candidate requested copies of relevant correspondence.

The issues in Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032) were whether s. 40(1) or alternatively s. 40(2) applied.

The IC raised s. 40(1) belatedly, arguing that the withheld documents were the requester’s own personal data: the lateness “vexed” the Tribunal, and in any event the s. 40(1) argument was rejected, as the Durant conditions of biographical significance and focus were not met. The IC had sought to apply the definition of “personal data” too widely in a way that went beyond the Durant restrictions.

The s. 40(2) argument concerned the personal data of (a) members of the Appointments Committee (the Tribunal’s answer: disclosure would breach the data protection principles, as they were unpaid public representatives who were not at fault), and (b) the HMIC representative (the Tribunal’s answer: disclosure was for the most part ordered, given the representative’s role, the publicised allegations about her conduct and the fact that disclosure would result in minimal incremental distress).

The case illustrates the ongoing dominance of Durant, the need to distinguish between types of data subject and the relevance of well-founded allegations of wrongdoing or poor conduct by public officials.

Redacting officials’ names: lack of legitimate interest in disclosure

Armit v IC and Home Office (EA/2012/0041) is one of two appearance by the UK Border Agency in this post. The request was for copies of guidance relating to which light vehicles/drivers should be stopped and interviewed and what circumstance should lead to the vehicle being detained whilst a search is undertaken and identity checks undertaken, as well as for statistics about such ‘stops and searches’ carried out at Dover Port. UKBA’s refusal was based in part on s. 40(2): it sought to redact the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’. The Tribunal was not very impressed by the arguments that officials would not have expected public disclosure of their names. However, fatal to the requester’s case was the failure to identify a legitimate interest in public disclosure of the names of those officials. The Tribunal concluded that:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

The case illustrates the importance of requesters making out a legitimate public interest in knowing the identity of officials whose names appear in requested documents where those officials are not obviously senior enough for a general accountability argument to suffice.

Neither confirm nor deny: involvement in court proceedings

In Mahajan v IC (EA/2011/0240), the requester sought information about the conduct of criminal proceedings in which he was involved, in particular relating to note-taking, recording, legal aid payments, contributions made by the judge during the hearing and communications between the requester and the court’s administrative staff.

The IC found that the request could be refused on the grounds of s. 40(5) FOIA, the “neither confirm nor deny” exemption for personal data. The argument was that the individuals identified in the requested information would have a legitimate expectation that information that might or might not confirm whether they had been part of an investigation and/or court proceedings would not be released.  A confirmation or denial would, it was argued, reveal some information which was not already in the public domain and was not reasonably accessible to the general public. It would also publicise the existence or otherwise of an investigation and court proceedings involving those named parties.

For some parts of the request, the Tribunal agreed: any answer would reveal personal data the public disclosure of which would breach a data protection principle. For the most part, however, the Tribunal disagreed with the IC. A major aspect of its reasoning was that much of the information related to a public court hearing: therefore, disclosing that an individual had been a judge in that hearing, or had appeared as an advocate would not breach any of the data protection principles. In addition, some of the “data subjects” were in fact not living individuals but commercial entities.

This case illustrates the importance, when taking a “neither confirm nor deny” stance, of assessing why mere confirmation or denial of whether the requested information is held (as opposed to disclosure of that information itself, if held) would breach a data protection principle.

Interestingly, while the Tribunal disagreed with the IC on a number of the s. 40(5) FOIA arguments, it went on to agree with the public authority that those parts of the request were plainly vexatious and could be refused on s. 14(1) FOIA grounds.

Qualifications of legal advisor

In Hodson v IC (EA/2012/0084), the Tribunal decided that information about the professional qualification of an individual fulfilling the role of Legal Adviser to Scunthorpe Magistrates’ Court should be disclosed but that he was not entitled to receive information about the Adviser’s other academic qualifications. Its nuanced approach (i.e. approaching different types of personal data differently) is summarised at its paragraphs 18 and 19:

“In view of the functions performed by Legal Advisers in a Magistrate’s Court, and the impact they are capable of having on those appearing before the court, we believe that there is a strong public interest in knowing that anyone fulfilling the role has the qualification of barrister or solicitor. That is to say the qualification that the Ministry of Justice holds out Legal Advisers as possessing. We believe that, were that information not to be a matter of public record, there would be strong public interest in its disclosure and that this would outweigh the individual’s right to privacy.

It follows that, were the position of Legal Adviser to be held by a person having any other qualification, there would be an equally strong public interest in that qualification also being publicly known. And that would apply whether the qualification was a non-legal one or a legal one that was less than full qualification as a barrister or solicitor. Examples of the latter would include a law degree, Chartered Institute of Legal Executives qualification, or completion of a Legal Practice Course or Bar Professional Training Course. But if the Legal Adviser holds the professional qualification of barrister or solicitor then the public interest in information about any other qualification, whether legal or non-legal, academic or professional, is greatly reduced. Disclosure, in those circumstances would constitute an unwarranted interference with the individual’s rights and freedoms.”

Nationality of opponent in litigation

Someone referred to as AF brought legal proceedings against Mr Philip Brown. Mr Brown incurred considerable costs as a result. He hoped to recover those costs if he won the case. In practice, he could only do so if AF was a British national; if he was a Nigerian national, he was thought likely to return there, putting him effectively beyond the reach of UK jurisdiction for enforcing any costs order. Mr Brown asked the UK Border Agency for “official information showing whether or not [Mr AF] is a UK citizen, or whether he is a Nigerian citizen who is in the UK on some sort of temporary permission”. The request was refused on s. 40(2) FOIA grounds; the Commissioner agreed.

The Tribunal in Philip Brown v IC (EA/2012/0094) also agreed. The requester argued that this was not “personal data”: Mr AF cannot be identified by his immigration status alone since that simply discloses whether he is one of 60  million people (if he is a UK national), or one of 120 million people (if he is a Nigerian national). The Tribunal rejected this as misconceived:

“What he is saying, in effect, is that if an individual is already known to the requester and

can be identified by him through information already held, then any additional information such as his immigration status, cannot be personal data because that does not identify him. Taken to its logical conclusion, it would mean that the Appellant could ask a public authority to disclose a range of information about Mr AF (for example, whether he is gay or straight, a Christian or a Muslim, divorced or single), on the basis that such information would only disclose the category of people to which Mr AF belongs and would not itself identify him.”

The requested information was “personal data” in Durant terms.

The requester also sought to rely on s. 35(2)(a) of the DPA, arguing that disclosure is “necessary for the purposes of, or in connection with, legal proceedings” and therefore that the data protection principles would not be breached. He said he needed the information in order to seek a protective costs order in accordance with the CPR.

The Tribunal considered the meaning of “necessary” in this context: it rejected the IC’s argument that “necessary” means “relevant and proportionate”, preferring Mr Brown’s view that it meant “indispensable, requisite, needful, that which cannot be done without”. The problem was that the requested information would not help with any application for a protective costs order. Condition 6(1) would not be met and s. 40(2) was upheld.

Robin Hopkins

Update on recent Tribunal decisions part 2: personal data of “low inherent sensitivity”

Posted on | by Robin Hopkins

The “personal data” provisions under s. 40(2) FOIA and regulation 13 EIR can often be very difficult to apply, particularly in light of the Durant “notions of assistance”, namely biographical significance and focus. It is correspondingly difficult to predict how such arguments will fare before the Tribunal. Two recent cases offer good illustrations. Both saw the Tribunal order disclosure of property-related personal data which was deemed to be of “low inherent sensitivity”.

Council housing

Exeter CC v IC and Guagliardo (EA/2012/0073) concerned a request for the addresses of all residential properties owned by or leased or rented to the Council. The Council refused the request. It was accepted that addresses constitute “personal data”, but the Commissioner considered it to be personal data of “low inherent sensitivity”. He found that disclosure would not breach any of the data protection principles. He ordered disclosure, subject to an exemption for addresses of properties allocated for housing those in need of protection.

The decision notice was upheld on appeal. The following aspects of its decision are notable (Tribunal comments appearing in italics).

As to the Council’s arguments for withholding the addresses:

  • The Council had conducted a survey of residents’ attitudes to such disclosures, but the particular questions and answers did not assist the Tribunal.
  • There was no clear evidence on the extent to which Council properties were already visually identifiable as such.
  • “The Tribunal observes that who owns property is not a private  matter. It has to be publicly recorded and available by way of Land Registry Records (although there is a fee for this information). There are many other ways that the ownership becomes public (e.g. local knowledge, press articles when properties are constructed, news articles and planning records).The Tribunal is satisfied that a tenant cannot therefore have a legitimate expectation that this information would not be disclosed.”
  • The Council argued that disclosure of the list of addresses would identify the residents as Council tenants and, as such, vulnerable, for example to being targeted by those wishing to prey upon individuals who were in financial difficulty. There was, however, no evidence before the Tribunal that disclosure would add to the pre-existing risk of such behaviour.
  • The only information (additional to the fact of the address) that can be discerned about any particular data subject by the disclosure of the disputed information was that they or their predecessor may have been financially unable to meet their housing needs at some time.

As to the arguments for disclosure:

  • “Additionally we are satisfied that there is a proper distinction to be drawn between those living in a Council owned asset and private accommodation, because the Council are accountable to the public for the way  they manage those assets and execute housing policy whereas a private landlord has no such additional public responsibility and that this must impact upon the reasonableness of any expectation that the Council would not publish this information.”
  • Disclosure would enhance transparency in allowing the public to be aware of the Council’s assets (i.e. its housing stock). By knowing how many properties the Council owns and where, the public would be enabled to scrutinise the distribution of Council properties between localities, analyse whether factors (such as levels of educational attainment) are correlated with the extent of Council owned housing in a given area.
  • Knowing the individual addresses would enable the public to see how Council properties are maintained, their state of repair and assess whether areas are under or over provided for.
  • “The Tribunal adds that such disclosure would also enable the public to review the type of housing stock owned and used by the Council and ascertain whether it could be used more efficiently to meet better the      needs of those in housing need. Analysis of the extent to which private      rentals are over or under used and whether this provides value for money      would also be enabled by disclosure of this information.”

Overall, the Tribunal agreed that addresses constitute personal data of “low inherent sensitivity”.

This is the second such case before the Tribunal. The Tribunal in Neath Port Talbot v IC (EA/2011/0037) ordered disclosure of the same type of information in another, less fully reasoned decision last year. While no First-Tier Tribunal decision is binding, the case for withholding such information seems nonetheless increasingly difficult to make out.

Building control applications

Martin and Karen Sharples v IC (EA/2012/0076) is a second recent case in the disclosure of personal data has been ordered in light of its “low inherent sensitivity”. The requesters sought information about building control applications made to Bolton MBC relating to roof conversions to residential properties in a specific cul-de-sac. The Council refused to provide the building control records and site visit notes, relying upon regulation 13 EIR (personal data). The issue was whether the residents/owners involved in those applications could be identified from the redacted records and notes and, if so, whether disclosure would breach any of the data protection principles.

The requesters argued that while they knew enough to identify the property owners from the requested information, a member of the public would not. The Tribunal was satisfied, however, that the owners could be identified – particularly given the availability of Land Registry searches, Google Earth and other ways to find out who lives where.

Like the Council residence addresses in the Exeter CC case however, this application information was considered to be personal data of “low inherent sensitivity”. Disclosure would not breach the data protection principles, in light of the following factors:

  • The information was similar to the sort of information routinely provided to estate agents and in planning applications (which are made public)
  • It would be discernible to a surveyor when the house changes hands
  • Some of the information was visible to the naked eye
  • Much of the information constituted confirmation of normal practice of construction to a fixed standard
  • The data subjects had not been told they could expect confidentiality
  • There was a legitimate public interest in transparency, in particular in being assured that the Council had properly assessed compliance whether the relevant regulations had been complied with

Many requests for personal data fail because the requester has not made out any or any sufficient legitimate interest in public disclosure of information impacting upon privacy. Sharples is interesting in that the emphasis worked the other way: the public interest does not appear to have been very pressing, but the personal data was sufficiently anodyne for disclosure to be the order of the day.

Robin Hopkins

Update on recent Tribunal decisions part 1: the evolving approach to vexatiousness and manifest unreasonableness

Posted on | by Robin Hopkins

In recent months, the major information law issues have involved the government’s vetoing disclosure of the Prince Charles ‘black spider’ letters, its response to the draft new EU Data Protection Regulation, a number of Article 8 decisions concerning police and criminal records and changes to RIPA. On this last point, note that as of last Thursday, local authorities require a magistrate’s approval for authorising directed surveillance.

There have also been a number of First-Tier Tribunal decisions of late, touching on some of the issues most commonly encountered by public authorities and requesters. Over the next week, Panopticon brings you a summary of these recent decisions, beginning with insights into “vexatious” (s. 14(1) of FOIA) or “manifestly unreasonable” requests (regulation 12(4)(b) of the EIR). These are cases in which the underlying concepts appear straightforward, but their practical application can often be tricky. These provisions are important for those – local authorities in particular – who need to make robust judgment calls about persistent and burdensome exercises of rights to information.

Requests by members of groups: aggregate with caution

The potential pitfalls for public authorities are illustrated by Pringle v IC and Bury MBC (EA/2012/0062), where the Tribunal overturned a s. 14(1) decision. The case concerned a prominent site, the Longfield Suite in Prestwich, to which the local “Save our Suite” group was committed. Mr Pringle was a member of that group; his one and only request for information had 11 parts, some of which apparently chimed with the group’s history of requests about business plans for the Suite.

The Council’s s. 14 decision was based on this collective pattern of requests and its resultant burden. On the evidence, however, the Tribunal found that the Council and the IC had too readily treated Mr Pringle’s requests together with those of the campaign group, and had given too much weight to questions asked through other fora, such as public meetings, the Audit Commission and the local MP. These were “legitimate avenues of enquiry, outside of the Freedom of Information Act and necessary in a democratic society.” The Council had also failed to ask Mr Pringle to narrow his request, and had not sought to answer as much of the 11-part request as possible.

One-man investigations can cross the line

In contrast, in Bragg v IC and Babergh DC (EA/2012/0107), the Tribunal upheld a refusal based on regulation 12(4)(b) of the EIR. The Council had taken enforcement action, culminating in an injunction and consent order, against a landowner (not the requester) for impermissible use of a private airfield.

The requester sought information about the enforcement and associated legal actions, his belief being that information was improperly withheld during disclosure for a planning inquiry. He questioned the “honesty and integrity” of the witnesses and argued that there was nothing in the EIR to prevent it being used as an investigative tool for the exposing of what the requester alleged was unlawful conduct which the public authority had covered up.

The Tribunal was unimpressed by his allegations. It concluded that:

“The Appellant has not challenged the High Court decision… by way of any of the routes of challenge such as judicial review or even direct complaint to the police and/or the Crown Prosecution Service. He appears to have set himself up as an investigator of wrongdoing that he perceives but he has not allowed other more appropriate bodies to investigate and consider any of the issues he believes lie at the heart of his information requests.”

The Tribunal found that he had crossed the thin line between persistence and obsession, straying into unreasonableness and becoming hectoring in his tone of enquiry in his 14 requests to the Council.

The Tribunal also took into account that Babergh District Council is a small public authority, with limited resources to devote to information requests.

Interestingly, the Commissioner submitted that, because this request was vexatious, the requester was not entitled to seek the same information in future requests. Here the Tribunal disagreed: “If the request is made several years from the date of the original there may well be entirely different considerations in play. At the very least, whether the request could be regarded as manifestly unreasonable after the passage of several years without other requests on the same matter in the intervening period would have to be re-examined and judged on the facts at that time”.

Conspiracy theories: groups and individuals

The Tribunal’s decision in Beswick v IC and Thames Valley Police (EA/2012/0040) draws together some of the themes discussed above. The requester sought information about the position in which the body of Dr David Kelly, the weapons inspector whose death in 2003 was investigated by the Hutton Inquiry, was found. He contributed to online discussion groups focusing on suspicions about Dr Kelly’s death and dissatisfaction with the conclusions of the Hutton Inquiry. Some other members of those groups had also made requests for related information to the same police authority. It contended that these requests were made in concert, and that this reinforced its reliance on s. 14 in refusing Mr Beswick’s request.

The Tribunal’s approach was first to consider Mr Beswick’s request in isolation. It noted the Commissioner’s long-standing five-part guidance on applying s. 14, but “felt that there was a compelling counter-argument that the Commissioner’s guidance should not even guide the Tribunal’s deliberations since this might have the appearance of giving  the approach of one party a higher status than those from the other parties”. The same point was made by the Tribunal in E Rex Makin v IC and Legal Services Commission (EA/2011/0163).

The Tribunal in Beswick did, however, derive assistance from the sorts of questions considered by the Tribunal in the oft-cited case of Rigby v IC and Blackpool NHS Trust (EA/2009/0103); [2011] 1 Info LR 643. These questions include: whether the request formed part of an extended and unfounded campaign to expose alleged improper or illegal behaviour, whether there was a tendentious and haranguing tone, whether the request indicated obsessiveness and the overall burden imposed (by Mr Beswick’s requests only, excluding those of the other members of the online discussion groups). By applying these factors and in light of the Hutton Inquiry’s conclusions, the police’s reliance on s. 14 was upheld.

Unreasonable burden can suffice for a s. 14 finding

Historically, the Commissioner and Tribunal have been reluctant to support reliance on s. 14(1) for reasons solely attributable to the cost and burden of compliance with the request. It was felt that s. 12 was intended to cater for those concerns. The costs of redaction, however, cannot be taken into account for s. 12 purposes. In Salford CC v IC and TieKey Accounts (EA/2012/0075), the Council sought to rely on s. 14 to argue that the burden imposed by the redactions that were likely to be required in order to comply with the request was unreasonable and disproportionate. The Commissioner initially disagreed, but – following the decision Independent Police Complaints Commission v IC (EA/2011/0222) – agreed that cost burden alone could support reliance on s. 14. The Tribunal in Salford agreed, and the Council’s appeal was allowed.

The evolving approach

As the above decisions illustrate, there is no uniform approach to s. 14 at a Tribunal level. The Commissioner’s five guiding questions remain helpful, but Tribunals are increasingly disinclined to give them much weight at all. A broader, dictionary-definition approach is preferred by some Tribunals, who ask simply whether the request tends to cause unjustified trouble or interference (see for example Graham and Ainslie). The questions posed in Rigby can, depending on the case, be very instructive. There is an increasingly strong case for giving the cost burden serious weight under s. 14.

Two upcoming developments should be followed with care. First, the Commissioner is in the process of revising his guidance on how to approach s. 14. Secondly, the Upper Tribunal is to hear a number of appeals on these issues together in the coming weeks: Ainslie, Dransfield and Craven. Its decision will hopefully bring some clarity to these issues.

In general however, most cases of this type turn on the quality of the evidence and the public authority’s efforts to be reasonable. That is likely to remain true whatever these new developments bring.

Robin Hopkins