Author: Robin Hopkins

Local authorities and NHS Trusts (2): unusual appeals ahead

Posted on | by Robin Hopkins

I blogged earlier (see below) about the sorts of information law issues that arise routinely for local authorities and NHS Trusts. On a more unusual note, it is worth noting that the First-Tier Tribunal is due to hear appeals against notices other than the usual decision notices issued by the Information Commissioner under s. 50 of FOIA.

The first ever appeal against a monetary penalty notice issued for breaches of the Data Protection Act 1998 will be heard on 3-5 December of this year: Central London Community Healthcare NHS Trust v IC (EA/2012/0111). The Trust was fined £90,000 for faxing patient lists containing sensitive personal data to the wrong number. The Commissioner’s press release is available here.

Secondly, Southampton City Council is appealing against a decision by the Commissioner that a licensing policy under which all licensed taxis must use surveillance equipment consisting of CCTV and audio-recording facilities, both of which must operate whenever the vehicle is in motion, breached the first data protection principle. The Commissioner issued an enforcement notice against the Council (his press release is here).

The appeals will feature my fellow Panopticonners Anya Proops (for the Commissioner in both cases) and Tim Pitt-Payne QC (for the appellants in both cases).

Robin Hopkins

Local authorities and NHS Trusts (1): compromise agreements, officers’ identities and gagging clauses

Posted on | by Robin Hopkins

From a FOIA perspective, local authorities and NHS Trusts have this in common: both frequently receive requests for details of compromise agreements and other details about individual officers’ employment and disciplinary records. Three recent cases before the Tribunal confirm the general trend that – absent case-specific and well-evidenced arguments – the Commissioner and Tribunal re reluctant to order disclosure of such personal data, notwithstanding the context of public sector employees.

First, Trago Mills v IC and Teignbridge DC (EA/2012/0028) involved a request for the details of the severance package of a senior planning officer. Based on his dealings with that officer during a number of planning applications, the requester suspected that the stated reason for the officer’s departure from the Council (i.e. early retirement/redundancy) was in fact a ‘shield’, and that the officer had left for reasons of misconduct. The requester had also asked for information on that officer’s handling of planning applications in 2007.

The Council refused the request for the severance information on s. 40(2) grounds. The Commissioner and the Tribunal agreed: the requester’s suspicions were not borne out by the evidence, and the Council had a duty to respect its former employee’s reasonable expectation of privacy. The Tribunal also found that the Council held no further information within the scope of the request given the thoroughness of its searches. I represented the Council in this case, so no further commentary from me. For a detailed analysis of the issues, see the Local Government Lawyer’s article here. 11KBW’s Chris Knight represented the Information Commissioner.

Second, McFerran v IC (EA/2012/0030) involved a police search of a Council residence owned by Shropshire County Council. At the police’s request, two junior Council officers were present, but they had not been involved in any of the decision-making. The requester had concerns about the search and about what the Council may have told the police in the lead-up to the search. He requested the names of the two junior officers as well as their immediate superior. The Council refused, relying on s. 40(2).

The Commissioner ordered disclosure of the name of the more senior officer, but not of the two juniors. The requester’s appeal against the latter finding was dismissed, with the Tribunal observing that “although… there is clearly a legitimate public interest in transparency of activity by public authorities, which impinges on the personal freedom of householders, there is insufficient information provided to add significant weight to the general public interest in transparency in public affairs. The Appellant has not satisfied us, either, that his attempts to have the matter investigated are being thwarted by the absence of the names of the individuals in question. If there is sufficient information about the event to interest those responsible for an investigation the absence of names will not deter them.”

The McFerran decision illustrates that, when it comes to junior officials, general transparency considerations will usually not suffice for the disclosure of personal data: case-specific factors will be needed. Local authorities should, however, avoid the blanket non-disclosure of the names of all officers below a certain level of seniority. What matters is what work they have done, rather than what grade or band they are at.

McFerran also illustrates that requesters will often face the following sorts of objection: even if you have valid grounds for concern or complaint about individuals, there are ways of addressing those without disclosure of personal data to the world at large.

The third recent s. 40(2) arose in the context of NHS Trusts and allegations of Trusts using “gagging clauses” in compromise agreements to silence criticism or whistleblowing from departing employees. In Bousfield v IC and Six NHS Trusts (EA/2011/0212; 0213; 0247; 0250; 0251; 0252), the requester was interested not in any specific individual’s compromise agreement, but in the use of such agreements by NHS Trusts more generally. He asked: “Please provide copies of all compromise agreements you have entered into with doctors of any grade. Please also provide a list of exploratory or illustrator issues covered by the compromise agreements (ie the reasons the compromise agreements were entered into)”. One Trust refused to confirm or deny whether it held such information, relying on s. 40(5) (the argument being that there was a risk of identifying any individuals involved, which would breach the first data protection principle) and s. 43(3) (the argument being that confirmation or denial would prejudice the Trust’s commercial interests). Other Trusts also refused the requests, relying on a combination of s. 40(2) (personal data), s. 41 (actionable breach of confidence), 42 (legal professional privilege) and 36(2) (prejudice to the effective conduct of public affairs).

The Commissioner agreed, and the Tribunal has dismissed the requesters appealed. One Trust had conceded that, if there was evidence of gagging clauses being used to prevent former employees from raising any issues concerning patient safety, there would be enormous public interest in disclosing such practices. The decisive issue in this case, however, was that the Tribunal was satisfied on the evidence that no such clauses were being used by these Trusts. Therefore, it concluded that “it is entirely sympathetic to the overall concern that the Appellant feels with regard to the apparently increasing prevalence of gagging clauses but does not find that issue or concern in any way material to the matters which the Tribunal in fact has had to consider”.

It seems that, if the evidence had borne out the requester’s concerns, the analysis may have been very different. This ‘gagging clause’ issue has been considered at Tribunal level before: Bousfield v IC (EA/2009/0113). It may yet resurface.

Robin Hopkins

Meaning of ‘public authority’ under the EIRs: ECJ to consider

Posted on | by Robin Hopkins

The leading authority on the meaning of “public authority” under regulation 2 of the EIR is Smartsource v IC and a Group of 19 additional water companies [2010] UKUT 415 (AAC). In that case, the Upper Tribunal found that the water companies were not public authorities for EIR purposes. Smartsource has been applied in, for example, Bruton v IC and Duchy of Cornwall and Montford v IC and BBC.

The issue has returned to the Upper Tribunal in Fish Legal v IC [2012] UKUT 177 (AAC), again in the context of water companies. As the Upper Tribunal has noted, however, the principles are relevant to other privatised, regulated industries that deliver a once publicly-owned service: electricity, gas, rail and telecoms. As the EIR implement European legislation, the meaning of “public authority” has been referred to the ECJ, which has recently published the questions it will be considering.

These involve the meaning of ‘performing public administrative functions under national law’ (is the applicable law and analysis purely a national one? If not, what EU law criteria should be used?), what does ‘control’ mean (in the context of one person/body controlling another) and does an ‘emanation of the state’ necessarily come within the definition? Another crucial issue is the so-called ‘hybrid authority’ question: if a body falls partly within the definition, do EIR rights apply only to those parts (functions, activities etc) that do, or to the whole of the person/body?

Those are, of course, paraphrases. The actual questions can be found here. The ECJ’s answers will be enormously important to information access rights in the UK.

11KBW’s Rachel Kamm represented the Information Commissioner before the Upper Tribunal.

Robin Hopkins

The Equitable Life collapse: strong public interests needed to trump s. 30

Posted on | by Robin Hopkins

Wynn v IC and Serious Fraud Office (EA/2011/0185) concerned the dramatic closure in late 2000 of the insurer Equitable Life. Both the Ombudsman and the Penrose Inquiry examined the collapse and published their reports. Attempts to compensate those who lost money have been pursued through the courts and considered by parliament.

The Serious Fraud Office became involved to consider whether any criminal charges should be brought against those involved in the collapse. Pursuant to its functions under the Criminal Justice Act 1987, it analysed the material and took legal advice in order to decide whether or not to commence a criminal investigation. In effect, it investigated whether or not to investigate. In December 2005, the SFO announced that it would not commence an investigation.

Mr Wynn was dissatisfied with that decision. Eventually, in 2009, he asked the SFO for all of the information it held on Equitable Life. It provided him with some information – importantly, this included (pursuant to a direction from the ICO) a ‘vetting note’, which summarised the SFO’s reasoning on why successful prosecutions were unlikely. The SFO withheld the remainder of the voluminous information it held, relying on s. 12 (cost of compliance) for some it and ss. 30(1) (investigations) and 42 (legal professional privilege) for the rest. The ICO agreed.

Mr Wynn’s appeal to the Tribunal was dismissed. The Tribunal was satisfied that the s. 12 estimate was reasonable and well evidenced. S. 30(1) was engaged: a preliminary investigation (or, as I have put it above, an investigation into whether to investigate) was an investigation for s. 30(1) purposes nonetheless.

The public interest favoured maintaining that exemption. Case-specific points included the substantial transparency delivered by the Ombudsman and Penrose Inquiry reports and the SFO’s vetting note. There was nothing to suggest that the SFO had got things wrong.

The decision also contains a number of points of more general application. The Tribunal endorsed the account given in Breeze v Information Commissioner (EA/2011/0057) of the concerns protected by s. 30(1): protecting witnesses and informants (including their confidentiality), maintaining the integrity of the prosecution and judicial process, and ensuring that the court remained the sole forum for determining guilt. The ‘safe space’ point was also important: prosecutors need a safe space in which to make their decisions without any fear their frank assessments being publicised too soon after the event.

Notwithstanding the passage of time between the conclusion of that investigation and the request under FOIA, those factors counted very heavily in favour of maintaining the exemption under s. 30(1). The Tribunal endorsed this general proposition from Public Prosecutor of Northern Ireland v IC (EA/2010/0109): “in order for disclosure to be ordered in such cases public interest factors of at least equal weight would have to be adduced. A general interest in transparency as to a prosecution authority’s decisions will not be sufficient. Something substantial and particular to the information would be required” (paragraph 35).

The general upshot is that, in recent years, s. 30(1) has grown into a ‘strong’ exemption, i.e. one that requires weighty and particular factors to ‘defeat’. ‘Safe space’ arguments have also fared somewhat better in the prosecution context than the policy-making
context (under s. 35 of FOIA) in Tribunal decisions over the last year or two.

Finally, it is long-established that s. 42(1) is a ‘strong’ exemption, requiring weighty factors if disclosure of privileged information is to ordered. None were forthcoming in Wynn.

Robin Hopkins

Section 7(9) DPA is about privacy, not employment disputes

Posted on | by Robin Hopkins

Disputes about subject access requests under section 7 of the Data Protection Act 1998 only rarely make their way to the Higher Courts. The leading – and often bedevilling – case of Durant is, for example, now 9 years old. Given this scarcity of precedent from the High Court and Court of Appeal, up-to-date illustrations of the judiciary’s approach to the DPA are most usefully sought in County Court judgments – see for example Panopticon’s post on the case of Elliot v Lloyds TSB Bank from earlier this year.

The most recent notable judgment is that of the County Court (HHJ May QC) in Professor Karim Abadir v Imperial College.

The applicant is an eminent econometrics professor employed by Imperial and has been since 2005. In 2011, Professor Abadir took issue when another professor at Imperial began to assess the academic staff by means of subjective metrics. The applicant objected to this, considering those metrics to be inappropriate for the academic staff in his department, and sought disclosure of the discussions that had taken place prior to their implementation.  Aggrieved, he made a subject access request. He was given some information, apparently of the human resources variety in the main. He objected to the nature of some of the comments which had been circulated about him and took the view that some of the emails he sought had been deleted. Imperial informed him in July that it would be implementing an email system upgrade and change of server in August. The applicant feared that some of the emails he wished to obtain would be permanently deleted. He sought an injunction preventing the systems work and requiring Imperial to search for and disclose to him “every document where reference is made” to him, including in deleted files.

Professor Abadir’s application was refused for a number of reasons.

Two reasons were matters of form, in that they related to what was missing from the application. The application was “objectionable” on the grounds that the applicant had not specified the nature of the underlying claim he would bring in due course. Also, assuming the underlying intended claim to be under section 7(9) of the DPA, the Judge expected the applicant to provide a draft order specifying exactly what information or searches he sought. The applicant had not done so. Instead, he asked for “generalised search of all computer systems, to include deleted data”.

Two further reasons were fatal in substantive terms. One was that there was no evidence to support the claim that the systems work would lead to the permanent loss of relevant emails. In fact, Imperial’s evidence contradicted that. There was thus no urgency to justify granting an injunction.

The final reason concerned the purpose or motive behind Professor Abadir’s claim. It was confirmed that his purpose was “to obtain disclosure of documents for purposes of deciding how to frame and pursue against Imperial College employment grievances which Prof Abadir believes he has. Put this way, the process by which documents are sought, given the purpose to which they are intended to be put, is much more akin to an application for pre-action disclosure.  It is disclosure, not right of access to personal data, which Prof Abadir is really seeking from Imperial College.”

On this point, HHJ May QC concluded that “disclosure is sought is not for the purposes of protecting Prof Abadir’s privacy but for the purposes of pursuing a claim against his employer.  To use the provisions of the DPA to pursue such a purpose is an abuse: Ezsias v The Welsh Ministers”.

Unusually, the Judge also awarded the University costs on an indemnity basis. In part, this was because the applicant had failed to identify the underlying cause of action, or to contact Imperial to make enquiries about its server changes before issuing his application for an injunction. HHJ May QC also concluded as follows: “to the extent that the injunction was sought for the purposes of supporting an intended action for DPA disclosure, it was clearly misconceived.  To seek disclosure under the DPA for the purposes of considering an employment claim is an abuse.  In any event, as DPA proceedings are for the purposes of protecting privacy, deletion/destruction of documents would not be contrary to those purposes, quite the reverse.”

It is apparent, therefore, that Courts continue to be unimpressed by the pursuit of subject access requests motivated by prospective litigation, and that they tend to see privacy concerns (rather than employment grievances) as the underlying rationale for the right of access to personal data. This will be welcomed by many data controllers.

Anya Proops appeared for Imperial College.

Robin Hopkins

The Data Protection Act in defamation cases: increasingly relevant, potentially primary?

Posted on | by Robin Hopkins

The Data Protection Act 1998 is increasingly being deployed as part of a claimant’s arsenal in defamation claims. The Information Commissioner has historically resisted policing DPA breaches in the context of allegedly defamatory expressions of opinion by one person about another.

Courts, on the other hand, have accepted that expressions of opinion about individuals are (as the definition at section 1 of the DPA makes clear) personal data, and that the DPA can therefore bite. This has arisen, for example, in the context of Norwich Pharmacal claims seeking the disclosure of the identities of users posting allegedly defamatory material. See for example Applause Store Productions Ltd and another v Raphael [2008] EWHC 1781 (QB), on which Anya posted here.

The use of the DPA in defamation claims (or cases which, though brought under the DPA, look in substance like defamation claims) has, it seems, gathered momentum. In late 2011, Tugendhadt J gave judgment in a case about the ‘solicitors from hell’ website:  The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB), on which Rachel Kamm posted here.

Last month, the DPA was again successfully relied upon as founding an arguable defamation-type claim. Desmond v Foreman, Shenton, Elliott, Cheshire West and Cheshire Council and Cheshire East Council [2012] EWHC 1900 (QB), involved a cover teacher who was suspended and ultimately dismissed following allegations that he had conducted himself in an inappropriate sexual manner towards a sixth-form student. The case involved a number of communications: meetings to discuss the allegations; requests for information from the police and previous employers; referrals to the Independent Safeguarding Authority, and queries about his home situation made by an officer of one local authority to an officer at another.

The claimant contended that a number of these communications implied that he was actually guilty of and had actually committed various serious offences (including rape, of which he had been accused in 2001 but exonerated through court proceedings). He brought a defamation claim, also contending that the allegedly defamatory statements infringed his rights under Article 8 and the DPA (in particular, breaches of data protection principles 1, 2, 3, 4 and 6).

The defendants – two local authorities, a headmaster and two local authority officers – sought summary judgment. They said the communications complained of were no more than expressions of concern that matters needed investigating, they asserted qualified privilege (based on the performance of their public duties) and justification.

The judge – as in Kordowski, Tugendhadt J – dismissed the application for summary judgment in part, finding that the claimant’s case under Article 8 and the DPA had a real prospect of success in relation to some of the communications complained of.

The judgment is of interest not only as an illustration of the difficulties of lawfully sharing sensitive information (including opinions) in the context of safeguarding children. It also illustrates that the DPA is increasingly – and realistically – being pressed into the service of types of complaint traditionally brought under other heads. The DPA and Article 8 are, of course, long-standing and natural complements to each other. Defamation, however, is slightly more alien territory for the DPA. Copyright infringement (on which, see a post of mine from last year here) is another area to which the DPA is increasingly relevant.

What, it is sometimes wondered, does a claim under the DPA add which is not already covered by claims under Article 8, defamation and so on? After all, as the defendants in Desmond argued, if someone is aggrieved at DPA breaches, then he has another remedy available, namely a complaint to the ICO. Interestingly, Tugendhadt J’s judgment in Desmond reverses this: what, he asked, would an Article 8 or defamation claim add to the DPA claim – at least with respect to one of the communications complained of? In particular, he was concerned with how best to deal with the claim that information about the 2001 rape allegation had been processed (retained, communicated) without reference to the judgments exonerating the claimant.

This last point about fair and accurate records of serious allegations is important: see an older post of mine here.

For the moment, back to Desmond and how best to deal with legal claims about this sort of complaint. Tugendhadt J said this:

“81. How and why it is that the references to the 2001 incident came to be recorded, but recorded without mentioning the public judgments of the court containing the police’s explanation for not charging the Claimant, is a question for which the proceedings under the DPA may provide the most appropriate form of investigation (as the Court of Appeal suggested in para 51 of their judgment). It is for consideration whether claims under the HRA or in defamation would add any benefit to the Claimant over and above a claim under the DPA. And as noted above, a claim under the DPA appears to raise no issues of limitation.

82. I invited the parties to consider why the Court should not direct that the claim under the DPA proceed first and separately from the other two claims, and give directions as to the filing of evidence (or agreed statements of facts) so that the matter could be determined in accordance with the overriding objective, and in particular with the objective of allotting to the case an appropriate share of the court’s resources.”

This demonstrates that, at least in some circumstances, the DPA may appropriately play the lead role rather than a supporting one in a complaint about unjustifiable and damaging communications about individuals. It looks as if the DPA will continue to flex muscles it did not even know it had.

Robin Hopkins