Environmental information: the exception for ‘proceedings of public authorities’

October 20th, 2016 by Robin Hopkins

The Environmental Information Regulations 2004 contain an exception from the duty to disclose information where disclosure would adversely affect “the confidentiality of the proceedings of that or any other public authority where such confidentiality is provided by law” (regulation 12(5)(d)). There is an equivalent provision in Directive 2003/4/EC. What is meant by the “proceedings” of a public authority? Read more »


Anonymous information, or personal data? Keys, chains and IP addresses

October 20th, 2016 by Robin Hopkins

If you work in data protection, I bet you love questions like this:

I have some information which looks anonymous – but is it nonetheless ‘personal data’? (If it is, it saddles me with plenty of otherwise inapplicable legal duties blah moan). The test is whether there is a realistic prospect of someone being identified, but how do I apply that test? How do I tell whether the risk of someone being identified from this apparently anonymous information is sufficiently high?

And I bet you especially love questions like this:

I have some information which is anonymous in my hands: it would be absolutely impossible for me to identify anyone from this information. But someone else could – there is someone else who has the key which can unlock the identities behind this apparently anonymous (or pseudonymised) data. What now? Is it personal data or not? Read more »


Ingenuous but not Ingenious: Confidentiality in the Supreme Court

October 20th, 2016 by Rupert Paines

In 2012 HMRC’s then Permanent Secretary for Tax, Dave Hartnett, had an ‘off the record’ (but audio-recorded) meeting with two Times financial journalists, intended as a background briefing on tax avoidance. One topic of discussion was film investment schemes, designed to utilise tax relief for film production partnerships. Mr Hartnett made a number of comments about one agency, Ingenious Media, and its founder Patrick McKenna, including that Mr McKenna had “never left [Mr Hartnett’s] radar”, that “he’s a big risk”, that HMRC “would like to recover lots of the tax relief” from Ingenious’ schemes and that “we’ll clean up on film schemes over the next few years”. Read more »


Compensation awarded for misuse of data processing powers

October 17th, 2016 by Robin Hopkins

In my post on the TLT case last week, I mentioned a second recent judgment awarding compensation for a DPA breach. This is the judgment of the Central London County Court (HHJ Luba QC) in Andrea Brown v Commissioner of Police for the Metropolis and Chief Constable of Greater Manchester Police (judgment available via Inforrm here).

Whereas TLT concerned a data breach (accidental public disclosure), Brown concerned the unfair use of policing powers to obtain information for an employment disciplinary matter. The Court awarded £9,000 in compensation, arising as follows. Read more »


TLT judgment on data protection damages

October 14th, 2016 by Robin Hopkins

By way of update to my post below on the TLT matter, and in particular for interested readers who have asked, here is a copy of Mitting J’s judgment: tlt-v-sshd.



New High Court judgment on privacy and data protection damages

October 10th, 2016 by Robin Hopkins

One of the major evolving issues in privacy and data protection law concerns the assessment of damages: when someone suffers a breach of their privacy or DP rights, how do you go about deciding how much money to award them by way of compensation?

Courts have to date taken a number of approaches to this question. In Halliday v Creation Consumer Finance [2013] EWCA Civ 333, Arden LJ suggested that awards in DP cases should be “relatively modest” and that the Vento bands used in discrimination law were not suitable comparators in this arena; Mr Halliday was given £750.

Arden LJ was then one of the Court of Appeal judges in Gulati v MGN Ltd. [2016] 2 WLR 1217, where damages for privacy breaches committed via phone-hacking ranged between £85,000 and £260,250. That judgment contained an important analysis of the nature of privacy and the impact of its violation.

Lastly, a personal injury approach was adopted in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54, where a data loss causing psychiatric injury saw a £20,000 award.

The last week has seen two notable contributions to the evolving jurisprudence on the ultimate privacy issue, namely money. Read more »