Author: Robin Hopkins

CPR disclosure applications: ignore the DPA; balance Articles 6 and 8 instead

Posted on | by Robin Hopkins

It is increasingly common for requests for disclosure in pre-action or other litigation correspondence to include a subject access request under section 7 of the Data Protection Act 1998. Litigants dissatisfied with the response to such requests often make applications for disclosure. Where an application is made in the usual way (i.e. under the CPR, rather than as a claim under section 7 of the DPA), how should it be approached? As a subject access request, with the “legal proceedings” exemption (section 35) arising for consideration, or as an “ordinary” disclosure application under CPR Rule 31? If the latter, what role (if any) do data protection rights play in the analysis of what should be disclosed?

As the Court of Appeal in Durham County Council v Dunn [2012] EWCA Civ 1654 observed in a judgment handed down today, there is much confusion and inconsistency of approach to these questions. Difficulties are exacerbated when the context is particularly sensitive – local authority social work records being a prime example. Anyone grappling with disclosure questions about records of that type will need to pay close attention to the Dunn judgment.

Background to the disclosure application

Mr Dunn alleged that he had suffered assaults and systemic negligence while in local authority care. He named individual perpetrators. He also said he had witnessed similar acts of violence being suffered by at other boys. He brought proceedings against the local authority. His solicitors asked for disclosure of various documents; included in the list of requested disclosure was the information to which Mr Dunn was entitled under section 7 of the DPA. Some documents were withheld from inspection, apparently on data protection grounds.

Mr Dunn made a disclosure application in the usual way, i.e. he did not bring a section 7 DPA claim. The District Judge assessed the application in data protection terms. He ordered disclosure with the redaction of names and addresses of residents of the care facility – but not those of staff members and other agents, who would not suffer the same stigmas or privacy incursions from such disclosure.

Mr Dunn said he could not pursue his claim properly without witnesses and, where appropriate, their contact details. He appealed successfully against the disclosure order. The order for redaction was overturned. The judge’s approach was to consider this under the CPR (this being a civil damages claim) – but to take the DPA into account as a distinct consideration in reaching his disclosure decision.

The relevance of the DPA

The Court of appeal upheld the use of the CPR as the correct regime for the analysis. It also upheld the appeal judge’s ultimate conclusion. It said, however, that he went wrong in treating the DPA as a distinct consideration when considering a disclosure application under the CPR. With such applications, the DPA is a distraction (paragraphs 21 and 23 of the judgment of Maurice Kay LJ). It is potentially “misleading to refer to a duty to protect data as if it were a category of exemption from disclosure or inspection. The true position is that CPR31, read as a whole, enables and requires the court to excuse disclosure or inspection on public interest grounds” (paragraph 21).

This was not to dismiss the usefulness of a subject access request to those contemplating litigation. See paragraph 16:

“I do not doubt that a person in the position of the claimant is entitled – before, during or without regard to legal proceedings – to make an access request pursuant to section 7. I also understand that such a request prior to the commencement of proceedings may be attractive to prospective claimants and their solicitors. It is significantly less expensive than an application to the Court for disclosure before the commencement of proceedings pursuant to CPR31.16. Such an access may result in sufficient disclosure to satisfy the prospective claimant’s immediate needs. However, it has its limitations. For one thing, the duty of the data controller under section 7 is not expressed in terms of disclosure of documents but refers to communication of “information” in “an intelligible form”. Although this may be achieved by disclosure of copies of original documents, possibly redacted pursuant to section 7(5), its seems to me that it may also be achievable without going that far. Secondly, if the data subject is dissatisfied by the response of the data controller, his remedy is by way of proceedings pursuant to section 7 which would be time-consuming and expensive in any event. They would also engage the CPR at that stage: Johnson v Medical Defence Union [2005] 1 WLR 750; [2004] EWCH 2509 (Ch).”

Instead, the CPR disclosure analysis should balance Article 6 and Article 8 rights in the context of the particular litigation.

Maurice Kay LJ summed up the requisite approach as follows:

“What does that approach require? First, obligations in relation to disclosure and inspection arise only when the relevance test is satisfied. Relevance can include “train of inquiry” points which are not merely fishing expeditions. This is a matter of fact, degree and proportionality. Secondly, if the relevance test is satisfied, it is for the party or person in possession of the document or who would be adversely affected by its disclosure or inspection to assert exemption from disclosure or inspection. Thirdly, any ensuing dispute falls to be determined ultimately by a balancing exercise, having regard to the fair trial rights of the party seeking disclosure or inspection and the privacy or confidentiality rights of the other party and any person whose rights may require protection. It will generally involve a consideration of competing ECHR rights. Fourthly, the denial of disclosure or inspection is limited to circumstances where such denial is strictly necessary. Fifthly, in some cases the balance may need to be struck by a limited or restricted order which respects a protected interest by such things as redaction, confidentiality rings, anonymity in the proceedings or other such order. Again, the limitation or restriction must satisfy the test of strict necessity.”

How to approach disclosure of social work records in litigation

This issue was dealt with by Munby LJ. In short, the main question was whether those seeking to withhold or redact social work records in litigation should analyse the issue in terms of public interest immunity (as some textbooks, older authorities and even the White Book appeared to suggest) or in terms of a balancing between competing rights under the ECHR (in particular, Articles 6 and 8).

Munby LJ made clear that the right answer is the latter. Where information contained in social work records is to be withheld in legal proceedings, this should not now be on the basis of a claim to public interest immunity; we are “a world away from 1970 or even 1989” (paragraph 43). This was despite the fact that “the casual reader of the White Book” (paragraph 31.3.33 in particular) could be forgiven for thinking that PII applies to local authority social work records. Here Munby LJ said he “would respectfully suggest that the treatment of this important topic in the White Book is so succinct as to be inadvertently misleading” (paragraph 48).

Importantly, Munby LJ also went on to explain how (and with what stringency) Article 8 rights to privacy and the protection of personal information should be approached when disclosing information pursuant to litigation. At paragraph 50, he gave the following guidance:

“… particularly in the light of the Convention jurisprudence, disclosure is never a simply binary question: yes or no. There may be circumstances, and it might be thought that the present is just such a case, where a proper evaluation and weighing of the various interests will lead to the conclusion that (i) there should be disclosure but (ii) the disclosure needs to be subject to safeguards. For example, safeguards limiting the use that may be made of the documents and, in particular, safeguards designed to ensure that the release into the public domain of intensely personal information about third parties is strictly limited and permitted only if it has first been anonymised. Disclosure of third party personal data is permissible only if there are what the Strasbourg court in Z v Finland (1998) 25 EHRR 373, paragraph 103, referred to as “effective and adequate safeguards against abuse.” An example of an order imposing such safeguards can be found in A Health Authority v X (Discovery: Medical Conduct) [2001] 2 FLR 673, 699 (appeal dismissed A Health Authority v X [2001] EWCA Civ 2014, [2002] 1 FLR 1045).”

Robin Hopkins

Redacting for anonymisation: Article 8 v Article 10 in child protection context

Posted on | by Robin Hopkins

Panopticon has reported recently on the ICO’s new Code of Practice on Anonymisation: see Rachel Kamm’s post here. That Code offers guidance for ensuring data protection-compliant disclosure in difficult cases such as those involving apparently anonymous statistics, and situations where someone with inside knowledge (or a ‘motivated intruder’) could identify someone referred to anonymously in a disclosed document. The Upper Tribunal in Information Commissioner v Magherafelt District Council [2012] UKUT 263 AAC grappled with those issues earlier this year in the context of disclosing a summarised schedule of disciplinary action.

Redaction is often crucial in achieving anonymisation. Getting redaction right can be difficult: too much redaction undermines transparency, too much undermines privacy. The Court of Appeal’s recent judgment In the matter of X and Y (Children) [2012] EWCA Civ 1500 is a case in point. It involved the publication of a summary report from a serious case review by a Welsh local authority’s Safeguarding Children Board. The case involved very strong competing interests in terms of Article 8 and Article 10 ECHR. For obvious reasons (anonymity being the key concern here) little could be said of the underlying facts, but the key points are these.

A parent was convicted in the Crown Court of a serious offence relating to one of the children of the family (X). The trial received extensive coverage in the local media. The parent was named. The parent’s address was given. The fact that there were other siblings was reported, as also their number. All of this coverage was lawful.

The local authority’s Safeguarding Children Board conducted a Serious Case Review in accordance with the provisions of the Children Act 2004 and The Local Safeguarding Children Boards (Wales) Regulations 2006. Those Regulations require the Board to produce an “overview report” and also an anonymised summary of the overview report. The relevant Guidance provides that the Board should also “arrange for an anonymised executive summary to be prepared, to be made publicly available at the principal offices of the Board”.

Here two features of the draft Executive Summary were pivotal.

First, reference was made to the proceedings in the Crown Court in such a way as would enable many readers to recognise immediately which family was being referred to and would enable anyone else so inclined to obtain that information by only a few minutes searching of the internet.

Second, it referred, and in some detail, to the fact, which had not emerged during the proceedings in the Crown Court and which is not in the public domain, that another child in the family (Y), had also been the victim of parental abuse.

The local authority wanted to publish the Executive Summary, seeking to be transparent about its efforts to put right what went wrong and that it has learned lessons from X’s death. It recognised the impact on Y, but argued for a relaxtion of a restricted reporting order to allow it to publish the Executive Summary with some redactions. It was supported by media organisations who were legally represented.

The judge (Peter Jackson J) undertook a balance of interests under Articles 8 and 10. He allowed publication, with redactions which were (in the Court of Appeal’s words) “in substance confined to three matters: the number, the gender and the ages of the children.”

In assessing the adequacy of these redaction, the Court of Appeal considered this point from the judgment of Baroness Hale in ZH (Tanzania) v Secretary of State for the Home Department [2011] UKSC 4, [2011] 2 AC 166, at paragraph 33:

“In making the proportionality assessment under article 8, the best interests of the child must be a primary consideration. This means that they must be considered first. They can, of course, be outweighed by the cumulative effect of other considerations.”

Munby LJ thus concluded (paragraph 47 of this judgment) that “it will be a rare case where the identity of a living child is not anonymised”.

He recognised, on the other hand, that Article 10 factors always retained their importance: “there could be circumstances where the Article 8 claims are so dominant as to preclude publication altogether, though I suspect that such occasions will be very rare.”

On the approach to anonymisation through redaction, Munby LJ had this to say (paragraph 48):

“In some cases the requisite degree of anonymisation may be achieved simply by removing names and substituting initials. In other cases, merely removing a name or even many names will be quite inadequate. Where a person is well known or the circumstances are notorious, the removal of other identifying particulars will be necessary – how many depending of course on the particular circumstances of the case.”

In the present case, the redactions had been inadequate. They did not “address the difficulty presented by the two key features of the draft, namely, the reference to the proceedings in the Crown Court and the reference to the fact that Y had also been the victim of parental abuse” (paragraph 53).

Far more drastic redaction was required in these circumstances: to that extent, privacy trumped transparency, notwithstanding the legislation and the Guidance’s emphasis on disclosure. In cases such as this (involving serious incidents with respect to children), those taking disclosure decisions should err on the side of heavy redaction.

Robin Hopkins

 

Internet traffic data and debt collection: privacy implications

Posted on | by Robin Hopkins

Mr Probst was a subsriber to the internet service provider (ISP) Verizon. He failed to pay his bill. A company called ‘nexnet’, the assignee of Verizon’s debt, sought to collect the sums due. In doing so, it obtained and used his internet traffic data in accordance with its ‘data protection and confidentiality agreement’ with Verizon. Disinclined to pay up, Mr Probst argued that nexnet had processed his personal data unlawfully and that the relevant terms of its agreement with Verizon purporting to sanction that processing were void. The first-instance German court agreed with him, but the appellate court did not.

It referred a question to the CJEU concerning Directive 2002/58 (the privacy and electronic communications Directive), which seeks to “particularise and complement” the Data Protection Directive 95/46/EC.

Article 5(1) of the 2002 Directive provides confidentiality in respect of electronic communications and traffic data. Article 6(1) says that traffic data must be “erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication”, unless one of the exceptions in that Article applies. The relevant provisions here were Articles 6(2) and (5). The first allows traffic data to be processed for subscriber billing purposes – but only within a specified time period. The second allows for processing of such data by an ISP’s authorised agent only for specified activities and only insofar as is necessary for those activities. The provisions are worded as follows:

(2) Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

(5) Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.

In Probst v mr.nexnet GmbH (Case C‑119/12), the Third Chamber of the CJEU essentially had to decide whether, and in what circumstances, Articles 6(2) and (5) allow an ISP to pass traffic data to the assignee of its claims for payment such that the latter may process those data. Its starting point was that Articles 6(2) and (5) were exceptions to the general principle of confidentiality with respect to one’s internet traffic data. They therefore needed to be construed strictly.

As regards Article 6(2), Mr Probst had argued that nexnet was not in the business of ‘billing’, but in the business of debt collection. The referring court’s view was that, for data protection purposes, those activities were sufficiently closely connected to be treated indentically. The Third Chamber agreed. It found that, by authorising traffic data processing ‘up to the end of the period during which the bill may lawfully be challenged or payment pursued’, Article 6(2) relates not only to data processing at the time of billing but also to the processing necessary for securing payment thereof.

As to Article 6(5), the Court held “that a persons acts under the authority of another where the former acts on instructions and under the control of the latter”.

The next question was essentially: what does a data protection-compliant contract between an ISP and a third party (an agent, assignee or someone to whom an activity is outsourced) look like? Must the ISP actually be able to determine the use of the data by the third party, including on a case-by-case basis, throughout the duration of the data processing? Or is it sufficient that its contract with the third party contains general rules about the privacy of telecommunications and data protection and provides for data to be erased or returned on request?

The Court emphasised that outsourcing or assignment may not result in lower levels of protection for individuals’ personal data (paragraph 26). The contract must be sufficiently specific. It must, for example, provide for the immediate and irreversible erasure or return of data as soon as knowledge thereof is no longer necessary for the recovery of the claims concerned. The controller (here, the ISP) must be in a position to check and ensure compliance with the privacy and data protection measures agreed under the contract, and the contract must provide for the ISP to be able to request the return or erasure of the data.

The issue in the Probst case (how to balance privacy and legal rights to monies owed) has obvious parallels with measures to combat copyright infringement (how to balance privacy and legal rights to intellectual property). I have blogged on copyright and privacy issues here and here.

The Probst judgment is an important confirmation of general principles about privacy with respect to one’s internet data. The implications for all sorts of contracts involving such data are clear – cloud computing arrangements, for example (on which, see Panopticon’s post here).

It is increasingly important that those contracts provide for specific and enforceable safeguards against unlawful processing of personal data. The Data Protection Directive will change before too long, but these principles will not.

Robin Hopkins

Update on recent Tribunal decisions part 4: qualified exemptions and the public interest

Posted on | by Robin Hopkins

In the final part of our round-up of recent decisions of the First-Tier Tribunal, Panopticon looks at the qualified exemptions, the public interest and a few other loose ends.

Section 36: Cherie Booth, Ryanair and Council emails

Sutton v IC and Nottingham City Council (EA/2012/0044) concerned the Council’s decision to amend its internal ‘sign off’ procedures for responses to FOIA requests, following an incident in which its response to a request about the cost of Councillors’ refreshments was considered to have been inadvertently misleading and lacking in context. The requester asked for internal emails about the proposed change. The Council withheld some of those emails, contending that they contained the sort of robust, free and frank exchange of views for which a safe decision-making space was needed. In a decision which many local authorities will find heartening, the Tribunal agreed.

The background to Sittampalam v IC and Ministry of Justice (EA/2011/0277) is the comments made by Cherie Booth QC, sitting as a recorder, when sentencing a Muslim defendant. Her comments appeared to suggest that his faith was a mitigating factor in his defence. They caused a stir, were reported in the media and attracted complaints, including by the National Secular Society, to the Office for Judicial Complaints. The OJC concluded that Ms Booth’s comments did not constitute judicial misconduct, though she was to receive “informal advice” on the issue.

A request under FOIA was made for all information about this OJC investigation and any action taken. The public authority relied on s. 36 – prejudice to the free and frank exchange of views, provision of advice or conduct of public affairs. The ‘reasonable opinion of the qualified person’ (the prerequisite for engaging s. 36) was obtained after the public authority’s holding reply to the request and after the statutory time for compliance – but before the public authority’s formal notice of refusal. The Tribunal rejected the requester’s contention that s. 36 was not engaged because of the timing of the opinion. As to the public interest, the Tribunal was satisfied us that the requester’s suspicions about the OJC ‘covering up’ the complaint or trying to minimise the impact of its conclusions on account of Ms Booth being the wife of Tony Blair were unfounded. Nor were the OJC’s press statements inconsistent with its letters to the National Secular Society. The appeal was dismsised.

Whereas alleged ‘late reliance’ on s. 36 succeeded in Sittampalam, it was unsuccessful before the Tribunal (at the preliminary hearing stage) in Ryanair v IC and Office of Fair Trading (EA/2012/0088). The opinion was obtained prior to the internal review. The Tribunal concluded that:

“Considering issues of reasonableness it is difficult for the Tribunal to be satisfied that the section 36 opinion of the qualified person – given its timing in respect of this appeal – is not an ex post facto conclusion or, more accurately, not tainted with the perception that that could be the case. That goes to the heart of its reasonableness.”

Sections 41 and 43: casinos and vikings

London Borough of Newham v IC (EA/2011/0288) concerned the Council’s award of the licence to operate a large casino at Westfield shopping centre in Stratford. The requester, a law firm acting on behalf of the unsuccessful bidder, made a request under FOIA for documents relating to the successful bid. The Council withheld some of those, relying on s. 44 (statutory bar on disclosure under the Code of Practice for the Gambling Act 2005), s. 41 (information obtained in confidence) and s. 43 (prejudice to commercial interests). The Commissioner was unpersuaded and ordered disclosure.

The Council’s appeal was partially upheld and partially dismissed. The statutory bar was held not to extend beyond the conclusion of the tender process. S. 43(2) was engaged, with the public interest favouring disclosure of some (relating for example to security arrangements and the financial guarantee offered by the winning bidder, as well as records of some of the negotiation discussions, which the Tribunal found would be unsurprising to any commercial rival) but not others (tender details which were deemed more commercially sensitive). Similarly, s. 41 succeeded for some information but not all (some, for example, was effectively in the public domain; some had not been obtained from outside the Council). Bidders could reasonably expect confidentiality not permanently, but for a reasonable time following the bidding process – here the request was made within that reasonable time, which counted in the Council’s favour.

The disputed information in Pim v IC and Down DC (EA/2012/0078) was a business plan submitted by the Magnus Viking Association in respect of their proposed Viking re-enactment centre, and correspondence between the Council and Magnus. The Council relied on regulation 12(5)(e) of the EIR (confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest). The Commissioner and Tribunal agreed: extensive research and consultation had gone into the specialist information, which could be used by Magnus’ competitors in a viking re-enactment market which, while not flooded with competition, was growing. There was a strong interest in maintaining trust between the commercial parties.

Prejudice to the course of justice

In McCullough v IC and Northern Ireland Water (EA/2012/0082), the requester sought detailed technical information about vibrations measurements relating to sewer upgrade works in Belfast. The Commissioner agreed with the public authority that regulation 12(5)(b) of the EIR (adverse effects on the course of justice) was engaged and that the public interest favoured its maintenance. A key issue was that disclosure, it was argued, would prejudice NI Water’s position when defending prospective legal claims about the sewer works vibrations, including by the requester (though there was a dispute as to whether the requester did in fact intend such proceedings).

The Tribunal disagreed. It was “not persuaded that purely factual information such as this could ever adversely affect the course of justice” and did “not accept that early disclosure of this technical information would prejudice NI Water in any way that they would not be prejudiced in the normal course of discovery in litigation by such information”. Regulation 12(5)(b) was therefore not engaged, in the Tribunal’s view.

It also did not think that information could be withheld just because of potential prejudice to a public authority’s litigation position: “The implications of implementing such a policy could, in some circumstances amount to a cover up, and in our view would be contrary to the spirit and intent of the FOIA and EIR legislation and further, contrary to the public interest. We are of the view that it is in the public interest that justice is done and that the correct result emerges from litigation, not that a public authority should necessarily be successful, just because it is a public authority.” The exact meaning of these last words is not clear, but the decision will nonetheless raise many a public authority eyebrow.

Robin Hopkins

Update on recent Tribunal decisions part 3: personal data of public officials and relating to court proceedings

Posted on | by Robin Hopkins

I posted a few days ago about some recent decisions of the First-Tier Tribunal on requests under FOIA and the EIR for personal data. There have been a number of decisions on this issue of late. The following are of note, as they illustrate the types of issues very frequently encountered by public authorities. They also illustrate the nuanced and forensic approach taken by some Tribunals. There may not be a presumption in favour of disclosing personal data, but public authorities should beware assuming that Tribunals will be equally cautious about disclosing all types of personal data.

Chief Constable appointments: partial disclosure ordered

The Appointments Committee of Dyfed Powys Police Authority assessed and interviewed the candidates for the office of Chief Constable. There were two candidates. The Committee was advised by a representative from HM Inspector of Constabulary who was very critical of one of the candidates, leaving the Committee feeling that it had no option but to appoint the other. Committee members complained about the HMIC representative, including to the Home Office. The issue entered the public domain. The unsuccessful candidate requested copies of relevant correspondence.

The issues in Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032) were whether s. 40(1) or alternatively s. 40(2) applied.

The IC raised s. 40(1) belatedly, arguing that the withheld documents were the requester’s own personal data: the lateness “vexed” the Tribunal, and in any event the s. 40(1) argument was rejected, as the Durant conditions of biographical significance and focus were not met. The IC had sought to apply the definition of “personal data” too widely in a way that went beyond the Durant restrictions.

The s. 40(2) argument concerned the personal data of (a) members of the Appointments Committee (the Tribunal’s answer: disclosure would breach the data protection principles, as they were unpaid public representatives who were not at fault), and (b) the HMIC representative (the Tribunal’s answer: disclosure was for the most part ordered, given the representative’s role, the publicised allegations about her conduct and the fact that disclosure would result in minimal incremental distress).

The case illustrates the ongoing dominance of Durant, the need to distinguish between types of data subject and the relevance of well-founded allegations of wrongdoing or poor conduct by public officials.

Redacting officials’ names: lack of legitimate interest in disclosure

Armit v IC and Home Office (EA/2012/0041) is one of two appearance by the UK Border Agency in this post. The request was for copies of guidance relating to which light vehicles/drivers should be stopped and interviewed and what circumstance should lead to the vehicle being detained whilst a search is undertaken and identity checks undertaken, as well as for statistics about such ‘stops and searches’ carried out at Dover Port. UKBA’s refusal was based in part on s. 40(2): it sought to redact the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’. The Tribunal was not very impressed by the arguments that officials would not have expected public disclosure of their names. However, fatal to the requester’s case was the failure to identify a legitimate interest in public disclosure of the names of those officials. The Tribunal concluded that:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

The case illustrates the importance of requesters making out a legitimate public interest in knowing the identity of officials whose names appear in requested documents where those officials are not obviously senior enough for a general accountability argument to suffice.

Neither confirm nor deny: involvement in court proceedings

In Mahajan v IC (EA/2011/0240), the requester sought information about the conduct of criminal proceedings in which he was involved, in particular relating to note-taking, recording, legal aid payments, contributions made by the judge during the hearing and communications between the requester and the court’s administrative staff.

The IC found that the request could be refused on the grounds of s. 40(5) FOIA, the “neither confirm nor deny” exemption for personal data. The argument was that the individuals identified in the requested information would have a legitimate expectation that information that might or might not confirm whether they had been part of an investigation and/or court proceedings would not be released.  A confirmation or denial would, it was argued, reveal some information which was not already in the public domain and was not reasonably accessible to the general public. It would also publicise the existence or otherwise of an investigation and court proceedings involving those named parties.

For some parts of the request, the Tribunal agreed: any answer would reveal personal data the public disclosure of which would breach a data protection principle. For the most part, however, the Tribunal disagreed with the IC. A major aspect of its reasoning was that much of the information related to a public court hearing: therefore, disclosing that an individual had been a judge in that hearing, or had appeared as an advocate would not breach any of the data protection principles. In addition, some of the “data subjects” were in fact not living individuals but commercial entities.

This case illustrates the importance, when taking a “neither confirm nor deny” stance, of assessing why mere confirmation or denial of whether the requested information is held (as opposed to disclosure of that information itself, if held) would breach a data protection principle.

Interestingly, while the Tribunal disagreed with the IC on a number of the s. 40(5) FOIA arguments, it went on to agree with the public authority that those parts of the request were plainly vexatious and could be refused on s. 14(1) FOIA grounds.

Qualifications of legal advisor

In Hodson v IC (EA/2012/0084), the Tribunal decided that information about the professional qualification of an individual fulfilling the role of Legal Adviser to Scunthorpe Magistrates’ Court should be disclosed but that he was not entitled to receive information about the Adviser’s other academic qualifications. Its nuanced approach (i.e. approaching different types of personal data differently) is summarised at its paragraphs 18 and 19:

“In view of the functions performed by Legal Advisers in a Magistrate’s Court, and the impact they are capable of having on those appearing before the court, we believe that there is a strong public interest in knowing that anyone fulfilling the role has the qualification of barrister or solicitor. That is to say the qualification that the Ministry of Justice holds out Legal Advisers as possessing. We believe that, were that information not to be a matter of public record, there would be strong public interest in its disclosure and that this would outweigh the individual’s right to privacy.

It follows that, were the position of Legal Adviser to be held by a person having any other qualification, there would be an equally strong public interest in that qualification also being publicly known. And that would apply whether the qualification was a non-legal one or a legal one that was less than full qualification as a barrister or solicitor. Examples of the latter would include a law degree, Chartered Institute of Legal Executives qualification, or completion of a Legal Practice Course or Bar Professional Training Course. But if the Legal Adviser holds the professional qualification of barrister or solicitor then the public interest in information about any other qualification, whether legal or non-legal, academic or professional, is greatly reduced. Disclosure, in those circumstances would constitute an unwarranted interference with the individual’s rights and freedoms.”

Nationality of opponent in litigation

Someone referred to as AF brought legal proceedings against Mr Philip Brown. Mr Brown incurred considerable costs as a result. He hoped to recover those costs if he won the case. In practice, he could only do so if AF was a British national; if he was a Nigerian national, he was thought likely to return there, putting him effectively beyond the reach of UK jurisdiction for enforcing any costs order. Mr Brown asked the UK Border Agency for “official information showing whether or not [Mr AF] is a UK citizen, or whether he is a Nigerian citizen who is in the UK on some sort of temporary permission”. The request was refused on s. 40(2) FOIA grounds; the Commissioner agreed.

The Tribunal in Philip Brown v IC (EA/2012/0094) also agreed. The requester argued that this was not “personal data”: Mr AF cannot be identified by his immigration status alone since that simply discloses whether he is one of 60  million people (if he is a UK national), or one of 120 million people (if he is a Nigerian national). The Tribunal rejected this as misconceived:

“What he is saying, in effect, is that if an individual is already known to the requester and

can be identified by him through information already held, then any additional information such as his immigration status, cannot be personal data because that does not identify him. Taken to its logical conclusion, it would mean that the Appellant could ask a public authority to disclose a range of information about Mr AF (for example, whether he is gay or straight, a Christian or a Muslim, divorced or single), on the basis that such information would only disclose the category of people to which Mr AF belongs and would not itself identify him.”

The requested information was “personal data” in Durant terms.

The requester also sought to rely on s. 35(2)(a) of the DPA, arguing that disclosure is “necessary for the purposes of, or in connection with, legal proceedings” and therefore that the data protection principles would not be breached. He said he needed the information in order to seek a protective costs order in accordance with the CPR.

The Tribunal considered the meaning of “necessary” in this context: it rejected the IC’s argument that “necessary” means “relevant and proportionate”, preferring Mr Brown’s view that it meant “indispensable, requisite, needful, that which cannot be done without”. The problem was that the requested information would not help with any application for a protective costs order. Condition 6(1) would not be met and s. 40(2) was upheld.

Robin Hopkins

Update on recent Tribunal decisions part 2: personal data of “low inherent sensitivity”

Posted on | by Robin Hopkins

The “personal data” provisions under s. 40(2) FOIA and regulation 13 EIR can often be very difficult to apply, particularly in light of the Durant “notions of assistance”, namely biographical significance and focus. It is correspondingly difficult to predict how such arguments will fare before the Tribunal. Two recent cases offer good illustrations. Both saw the Tribunal order disclosure of property-related personal data which was deemed to be of “low inherent sensitivity”.

Council housing

Exeter CC v IC and Guagliardo (EA/2012/0073) concerned a request for the addresses of all residential properties owned by or leased or rented to the Council. The Council refused the request. It was accepted that addresses constitute “personal data”, but the Commissioner considered it to be personal data of “low inherent sensitivity”. He found that disclosure would not breach any of the data protection principles. He ordered disclosure, subject to an exemption for addresses of properties allocated for housing those in need of protection.

The decision notice was upheld on appeal. The following aspects of its decision are notable (Tribunal comments appearing in italics).

As to the Council’s arguments for withholding the addresses:

  • The Council had conducted a survey of residents’ attitudes to such disclosures, but the particular questions and answers did not assist the Tribunal.
  • There was no clear evidence on the extent to which Council properties were already visually identifiable as such.
  • “The Tribunal observes that who owns property is not a private  matter. It has to be publicly recorded and available by way of Land Registry Records (although there is a fee for this information). There are many other ways that the ownership becomes public (e.g. local knowledge, press articles when properties are constructed, news articles and planning records).The Tribunal is satisfied that a tenant cannot therefore have a legitimate expectation that this information would not be disclosed.”
  • The Council argued that disclosure of the list of addresses would identify the residents as Council tenants and, as such, vulnerable, for example to being targeted by those wishing to prey upon individuals who were in financial difficulty. There was, however, no evidence before the Tribunal that disclosure would add to the pre-existing risk of such behaviour.
  • The only information (additional to the fact of the address) that can be discerned about any particular data subject by the disclosure of the disputed information was that they or their predecessor may have been financially unable to meet their housing needs at some time.

As to the arguments for disclosure:

  • “Additionally we are satisfied that there is a proper distinction to be drawn between those living in a Council owned asset and private accommodation, because the Council are accountable to the public for the way  they manage those assets and execute housing policy whereas a private landlord has no such additional public responsibility and that this must impact upon the reasonableness of any expectation that the Council would not publish this information.”
  • Disclosure would enhance transparency in allowing the public to be aware of the Council’s assets (i.e. its housing stock). By knowing how many properties the Council owns and where, the public would be enabled to scrutinise the distribution of Council properties between localities, analyse whether factors (such as levels of educational attainment) are correlated with the extent of Council owned housing in a given area.
  • Knowing the individual addresses would enable the public to see how Council properties are maintained, their state of repair and assess whether areas are under or over provided for.
  • “The Tribunal adds that such disclosure would also enable the public to review the type of housing stock owned and used by the Council and ascertain whether it could be used more efficiently to meet better the      needs of those in housing need. Analysis of the extent to which private      rentals are over or under used and whether this provides value for money      would also be enabled by disclosure of this information.”

Overall, the Tribunal agreed that addresses constitute personal data of “low inherent sensitivity”.

This is the second such case before the Tribunal. The Tribunal in Neath Port Talbot v IC (EA/2011/0037) ordered disclosure of the same type of information in another, less fully reasoned decision last year. While no First-Tier Tribunal decision is binding, the case for withholding such information seems nonetheless increasingly difficult to make out.

Building control applications

Martin and Karen Sharples v IC (EA/2012/0076) is a second recent case in the disclosure of personal data has been ordered in light of its “low inherent sensitivity”. The requesters sought information about building control applications made to Bolton MBC relating to roof conversions to residential properties in a specific cul-de-sac. The Council refused to provide the building control records and site visit notes, relying upon regulation 13 EIR (personal data). The issue was whether the residents/owners involved in those applications could be identified from the redacted records and notes and, if so, whether disclosure would breach any of the data protection principles.

The requesters argued that while they knew enough to identify the property owners from the requested information, a member of the public would not. The Tribunal was satisfied, however, that the owners could be identified – particularly given the availability of Land Registry searches, Google Earth and other ways to find out who lives where.

Like the Council residence addresses in the Exeter CC case however, this application information was considered to be personal data of “low inherent sensitivity”. Disclosure would not breach the data protection principles, in light of the following factors:

  • The information was similar to the sort of information routinely provided to estate agents and in planning applications (which are made public)
  • It would be discernible to a surveyor when the house changes hands
  • Some of the information was visible to the naked eye
  • Much of the information constituted confirmation of normal practice of construction to a fixed standard
  • The data subjects had not been told they could expect confidentiality
  • There was a legitimate public interest in transparency, in particular in being assured that the Council had properly assessed compliance whether the relevant regulations had been complied with

Many requests for personal data fail because the requester has not made out any or any sufficient legitimate interest in public disclosure of information impacting upon privacy. Sharples is interesting in that the emphasis worked the other way: the public interest does not appear to have been very pressing, but the personal data was sufficiently anodyne for disclosure to be the order of the day.

Robin Hopkins