Penalties, PECR and PPI

Niebel v Information Commissioner is the first Tribunal decision about penalties under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  Mr. Niebel successfully appealed against a penalty of £300,000.

The First-tier Tribunal stated that the material before them showed that Mr. Niebel and his company, Tetrus, had sent hundreds of thousands of unsolicited text messages seeking out potential claims for the mis-selling of PPI or for accidents.  There was no dispute that he had breached the requirements under PECR regulation 22, relating to the sending of text messages for direct marketing.  Until 26th May 2011 there was no power to impose penalties for such a breach, but with effect from that date the monetary penalty provisions in the Data Protection Act 1998 (sections 55A-E of the Act) had been extended to cover breaches of PECR.

In the present case, the monetary penalty notice was imposed on 26th November 2011, requiring payment of £300,000.  The Tribunal emphasised the importance of a clear statement in the notice identifying the contravention for which a penalty was imposed.  At the very least this should indicate the regulation contravened, the content of the contravention, and its scale, including roughly how many individual acts there were and how many people were affected.

In this case the Tribunal considered that the notice had failed clearly to identify the contravention.  The notice seemed to be confined to 411 cases, involving a total of 732 texts, in which the recipient had complained to the ICO.  However, some parts of the penalty notice referred to contravention on a much wider scale.

A further difficulty was that the ICO subsequently discovered that most of the 732 texts referred to had been sent before 26th May 2011 (the date when the power to issue penalties came into effect); and the ICO accepted that these earlier texts could not properly be taken into account.  The ICO therefore relied at the Tribunal hearing on 286 texts, not 732:  the number of affected individuals was not stated, but the Tribunal indicated (if the ratio of texts to complaints was consistent) that this would be about 160.

The appeal was brought on one short point.  It was argued that the contravention was not of a kind likely to cause substantial damage or substantial distress, since it was now described as relating to just 286 texts; therefore one of the statutory preconditions for a monetary penalty was not satisfied.

The Tribunal proceeded on the basis that the likelihood of damage and distress should be assessed by reference to the 286 texts now relied upon by the ICO as constituting the contravention, rather than by reference to other evidence showing very large numbers of unsolicited text messages.  On this basis, the requirement that the contravention be of a kind likely to cause substantial damage or substantial distress was not satisfied.  As far as damage was concerned, recipients might incur charges for replying “stop”, and there might be a small charge if texts were received abroad, but none of this was likely to cause substantial damage.  As to distress, the Tribunal considered that the effect of the contravention was likely to be widespread irritation rather than substantial distress.  The Tribunal allowed the appeal and cancelled the penalty notice.

The decision leaves open one very important question.  Would the sending of hundreds of thousands of unwanted marketing messages be likely to give rise to substantial damage or substantial distress?  Could one say that, in aggregate, the small costs imposed on a very large number of individuals amounted to substantial damage? Or that the irritation caused to such a large number constituted substantial distress? This issue will no doubt be of great importance in future appeals about monetary penalties under PECR.

Two of my colleagues appeared in this case:  James Cornwell for the ICO, and Robin Hopkins for the Appellant.  Neither of them, of course, bears any responsibility for the content of this blog post.

Timothy Pitt-Payne

How can this level of state surveillance be legal?

Anya Proops addresses the above question, prompted by the recent revelations about the US Prism programme, in an article in today’s Guardian.  She discusses the main legal constraints on surveillance in the UK  – Article 8, the Data Protection Act, and the Regulation of Investigatory Powers Act.  And she even manages a name check for Panopticon – both the Benthamite version, and this blog.  The article is at page 32 of today’s print edition, and it’s online here.  It’s already attracted a lot of attention, both by way of comments on the online version, and on Twitter.

Workfare and the First-tier Tribunal

Employment programmes for welfare recipients – often referred to as “workfare” – are highly controversial.  In Department for Work and Pensions v Information Commissioner and Zola (EA/2012/0207,0232 and 0233), the First-tier Tribunal considered three FOIA requests for information about companies participating in such programmes.  The Tribunal ordered disclosure, rejecting the Department’s reliance on the exemptions in FOIA section 43(2) (prejudice to commercial interests) and section 36(2)(c) (prejudice to the effective conduct of public affairs).

The case related to three programmes run by the DWP:  Mandatory Work Activity (MWA); Work Experience (WE); and the Work Programme (WP).  MWA provided short term work placements in the local community, usually with a charitable organisation.  WE provided placements for 18-21 year old Jobseekers’ Allowance claimants.  WP was aimed at those considered to be at risk of becoming long-term unemployed.  For each programme, the Government entered into contracts with providers, and these (or their sub-contractors) in turn arranged work placements with various organisations.  The three requests sought information as to the identity of organisations that had hosted placements.

The Information Commissioner required the DWP to provide the requested information.

The Commissioner rejected the DWP’s reliance on section 43(2), holding that the exemption was not engaged.  The Commissioner considered that the risk of providers withdrawing from the scheme as a result of disclosure would have been capable of engaging section 43(2), but that on the evidence any risk of this nature was speculative.  Any harm consisting of increased welfare costs was financial rather than commercial in nature, and did not engage section 43(2).  The Commissioner noted the existence of campaign groups and websites opposed to workfare, but said that the extent to which these had influenced any past withdrawals from the scheme was unclear.  In order to establish that section 43(2) was engaged, the Commissioner considered that the DWP would have had to indicate how many organisations would have been likely to withdraw as a result of disclosure, and what it would have cost to find alternative work placements; this had not been done.

The Commissioner also rejected the DWP’s reliance on section 36(2)(c).  Although the exemption was engaged, on the basis of the opinion of the qualified person (the then Minister for Employment), the public interest in maintaining the exemption was outweighed by the public interest in disclosure.

Before the Tribunal, the DWP disputed the Commissioner’s categorisation of higher welfare and related costs as being “financial” rather than “commercial” in nature.  It contended that the Commissioner had required an undue level of detail from the DWP in support of its claim that section 43(2) was engaged.  In relation to section 36(2)(c), the DWP argued that disclosure would have been likely to lead to the collapse of the MWA scheme.  As to the public interest in disclosure, the DWP contended that this had been greatly over-estimated by the Commissioner: there was already information in the public domain as to the kinds of employers that were participating; there was little public interest in knowing which specific organisations were taking part within any particular area.

The DWP placed evidence before the Tribunal about a survey carried out by the DWP in October and November 2012.  The DWP had sought information from contractors, their sub-contractors, and organisations that had hosted placements; the DWP had asked for information about the perceived impact of public awareness of their involvement in the programmes.  In March 2013 some organisations had provided further information in support of the DWP’s stance of not releasing the names of placement hosts, and this was also put before the Tribunal by the DWP.

The Tribunal’s conclusion was that section 43(2) was not engaged; and that, although section 36(2)(c) was engaged, the public interest balance favoured disclosure.  The Tribunal would have reached the same conclusion as to the public interest under section 43(2), had that exemption been engaged.

In relation to section 43(2), any prejudice relating to increased cost of welfare payments was held to be financial rather than commercial in nature, and irrelevant to the exemption.  The Tribunal therefore focused instead on the risk that disclosure would lead participating organisations to withdraw from the schemes.  It referred to the “Boycott Workfare” website, and various news articles, concluding that media coverage and comment were inevitable and that there was always an inherent risk that participants would be identified.  At the time of the requests there were some 200 names of participating organisations already in the public domain.  There had not been a “media frenzy” as a result of publication of these names.  At most, seven of the 200 names had come in for criticism which had perhaps resulted, or could have resulted, in their withdrawal; but the evidence even in these cases was unpersuasive.  The speculative views elicited by the DWP’s survey carried considerably less weight than these real-life examples of what had actually happened where specific organisations had been named.

In relation to section 36(2)(c), the public interest in disclosure outweighed any interest in maintaining the exemption.  The schemes were controversial; it was important for the public to see and examine the schemes and how participants performed.

Overall, the case is an example of the Tribunal’s readiness to scrutinise closely any reliance on section 43(2).  Speculation about what might happen following disclosure – even when presented in the form of a survey – carried little weight.  The Tribunal was much more interested in the specific examples of providers that had been named in the past; and in these cases, the Tribunal considered that the evidence did not support the DWP’s position.  Overall, the Tribunal’s approach seems to be that private sector bodies that become involved in a controversial Government programme can expect to be exposed to a degree of scrutiny and criticism; and the Tribunal is reluctant to use this as a basis for protecting those organisations from the effect of disclosure under FOIA.

Timothy Pitt-Payne QC

11KBW Information Law Conference on 18th April 2013 – Richard Thomas CBE to give keynote address

We are delighted that Richard Thomas CBE, the former Information Commissioner, will be giving the keynote address at our conference on 18th April.  His title is, “Risk, Accountability and Binding Corporate Codes: New Thinking for the draft Regulation.”

There is a widely-held view that the proposed EU Regulation on data protection is over-burdensome, and focused more on bureaucracy than protection. A more creative and flexible approach is needed, with better-defined outcomes, encouraging businesses which present the greatest risks to adopt comprehensive privacy programmes. Richard Thomas will outline how such an approach could be put at the heart of the Regulation, drawing upon a Risk Framework, the Accountability Principle, and Binding Corporate Codes.

We are also delighted that Richard will be able to join us for the expert panel discussion which will take place immediately after his keynote address.

For full details of the event, including booking information, see our earlier post here.

 

You wait ages for an official report about the ICO’s data protection audit powers

… and then two come along at once.

On 21st March 2013 the House of Commons Justice Committee published a report about the ICO (see our earlier post here), recommending, among other matters, that the ICO should be given the power to carry out compulsory data protection audits of NHS Trusts and local authorities. With uncanny speed, on 25th March 2013 the Ministry of Justice (MOJ) published a consultation document on the proposed extension of the ICO’s compulsory audit powers to cover NHS bodies. Despite the coincidence of timing, the MOJ’s proposal is not in fact a response to the Justice Committee’s report, but is prompted by a recommendation from the ICO itself.

The MOJ’s consultation document asserts that significant data protection compliance problems exist within the NHS. Over the last six calendar years (2007-2012) the ICO has received over 5,000 data protection complaints from individuals about the health sector: the only sectors that have generated more complaints over that period are lenders, local government, and general business. During the same period, the NHS self-reported over 500 data security breaches to the ICO. The MOJ document gives six examples of monetary penalty notices against NHS bodies, for amounts ranging between £60,000 and £325,000.

The ICO can already carry out consensual audits of NHS bodies; the MOJ document refers to a number of issues that have been highlighted as a result of these, including the use of unencrypted mobile media holding sensitive personal data. Most NHS consensual audits have come about as a result of referrals from the ICO’s Enforcement team, but of the NHS organisations referred for audit by Enforcement only 53% have agreed. This compares unfavourably to the 71% level of agreement for the public sector as a whole.

A compulsory audit can be initiated by the ICO serving an “assessment notice” under DPA section 41A. Where this power exists, data controllers can still agree to consensual audits; and according to the MOJ report, no assessment notices have yet been served, because 100% of data controllers covered by the existing scope of section 41A have agreed to an audit when asked to do so by the ICO. In other words, the mere existence of the power of compulsory audit has been enough to secure compliance, meaning that so far there has been no need for the ICO to use the power.

The MOJ’s proposal to extend the power of compulsory audit does not require primary legislation: it would be given effect by an order made by the Secretary of State under section 41A(2)(b) of the Data Protection Act 1998. All public authority data controllers in the NHS would be covered, throughout the UK. In other words, the proposal would cover all NHS bodies listed in Part III of Schedule 1 to the Freedom of Information Act 2000 (likely to be amended following NHS reforms in England), and all Health Service data controllers in Scotland listed in Part 4 of Schedule 1 to the Freedom of Information (Scotland) Act 2002. Note that the proposals will not cover private or third sector health bodies providing services to the NHS, though the MOJ document refers to the possibility of a further order to include these bodies at a later date.

The consultation will remain open until 17th May 2013.

Timothy Pitt-Payne QC

 

The Justice Committee and the Information Commissioner

On 21st March 2013 the House of Commons Justice Committee published a report (HC 962) on the functions, powers and resources of the Information Commissioner.  It is essential reading for anyone interested in understanding the current role and future prospects of the Information Commissioner’s Office (ICO).

 

The Committee monitors the Ministry of Justice’s associated public bodies, and as part of this remit it maintains a close interest in the ICO.  On 5th February 2013 the Committee held an oral evidence session with the Commissioner and his two deputies; it also received written evidence and supplementary information from the ICO.  The report reflects this oral and written evidence.

 

The report begins by looking at the finances of the ICO in an era of public sector austerity.   The ICO performs two separate areas of work, differently funded.  Freedom of information (FOI) work is paid for by grant-in-aid from the Ministry of Justice, while data protection work is financed by the notification fee payable by data controllers under the Data Protection Act 1998 (DPA).  The Commissioner is restricted in terms of “virement” – i.e. in general he cannot use DPA resources to fund FOI work, or vice versa.

 

As one would expect, freedom of information funding has been affected by the general pressures on public expenditure:  the income for this work has been cut from £5.5 million in 2011-12 to £4.25 million in 2012-13, with the ICO planning for further cuts in 2013-14.  Despite these cuts, the ICO has increased the amount of FOI casework completed, and reduced its backlog in this area.  The Committee is impressed by the ICO’s success in this regard, while warning that further budget cuts would risk adversely affecting performance.  The Committee suggests that the rules about virement should be relaxed.

 

The suggestion that DPA income might be used to subsidise FOI work seems a sensible one.  There is considerable overlap – FOI cases about personal data are a very important source of DPA case law.  However, it is disappointing that the Committee did not tackle more directly the question of whether FOI budget cuts make sense.  An effective FOI regime is a weapon against waste and fraud, and can help keep public expenditure under control.  The sums involved are modest, in the overall expenditure context – even the 2011-12 figure represents less than 10p per head of UK population.  It is, at the very least, worth considering whether cutting FOI funding is a false economy.

 

At first sight the funding position for DPA work seems significantly better.  The notification fee generates an annual income of some £15 million, over three times the FOI grant-in-aid.  The problem is that the EU’s proposed Data Protection Regulation would abolish the notification fee, while at the same time imposing a wide range of additional functions on the ICO.  The Committee suggests that the combined effect of these proposals would leave the ICO with a DPA funding shortfall of over £42 million.  The position is made yet more difficult by the recommendations in the Leveson Report as to the future role of the ICO in relation to the press, which are a further source of potential demands on the ICO’s budget.  The Committee suggests that the Government needs to find a way of retaining a fee-based self-financing system for ICO work, despite the current EU proposals.

 

Turning to the structure of the ICO, the Committee discusses the suggestion in the Leveson report that there should be an Information Commission led by a Board of Commissioners, rather than a single Information Commissioner.  The Committee disagrees:  it prefers the current model, with a single Commissioner taking personal accountability for the ICO’s work.  The Committee also addresses the independence of the ICO.  It recommends that the ICO should become directly responsible to and funded by Parliament, so as to guarantee its independence from the Executive.  However, the Committee does not suggest that the ICO’s independence has in fact been compromised in the past by its institutional relationship with the Ministry of Justice.

 

As to the ICO’s statutory powers under the DPA, the Committee makes recommendations in two areas.

 

In relation to the criminal offence under DPA section 55, the Committee suggests that this should be made recordable – that is, convictions should be recorded on the Police National Computer and hence included in any future checks relating to the individual’s criminal record.  The Committee also calls on the Government to bring into force section 77 of the Criminal Justice and Immigration Act 2008, so as to allow custodial sentences to be imposed for breach of DPA section 55.  The Committee sets out  – at §43 of its report – a list of other offences carrying custodial penalties for which those who breach DPA section 55 might be convicted:  for instance, there is the offence of unauthorised access to computer material, under the Computer Misuse Act 1990.  The Committee does not, however, regard the existence of these other offences as an adequate substitute for custodial penalties under DPA section 55.

 

In relation to the Commissioner’s audit powers, the Committee considers that as a general rule public sector organisations should accept an offer of a free DPA audit from the Commissioner.  It recommends that the Commissioner’s power of compulsory audit under DPA section 41A should be extended to NHS Trusts and local authorities.

Timothy Pitt-Payne QC