Category: Information law

Personal data: Tribunal analyses the ‘relates to’ and ‘identification’ limbs

Posted on | by Robin Hopkins

I have commented in previous posts on how infrequently the Data Protection Act 1998 has been the subject of substantive litigation before the courts. One consequence of this is persistent uncertainty over how pivotal concepts such as ‘personal data’ are to be analysed and approached.

Last year, the High Court in Kelway v The Upper Tribunal, Northumbria Police and the Information Commissioner (2013) EWHC 2575 (Admin) considered how ‘personal data’ issues should be approached – see for example this piece by Cynthia O’Donoghue of Reed Smith.

The Kelway approach is rather complicated; it remains to be seen whether it is picked up as any sort of guiding test. The imminent Court of Appeal judgment in the Edem case is also likely to add to the picture on how to determine whether information is personal data.

As things stand, such determinations are not always straightforward. Oates v IC and DWP (EA/2013/0040) is a recent example at First-Tier Tribunal level. Mr Oates was medically examined by in connection with his incapacity benefit claim by a doctor engaged by Atos Healthcare. He was dissatisfied and complained to Atos. At the ‘independent tier’ of its complaint investigation, Atos engaged an independent medical practitioner and also an external company tasked with reviewing Atos’ handling of the initial complaint. Mr Oates wanted to know, inter alia, the names of the medical practitioner and of the company.

The DWP refused, relying on FOIA exemptions (section 40(2) and section 43(2)). The ICO decided that the withheld names should have been handled under the DPA rather than FOIA. This was because, in the ICO’s view, the withheld names constituted Mr Oates’ personal data –thus, by section 40(1) of FOIA, it was exempt under FOIA. Mr Oates had to seek it by a subject access request under the DPA instead.

The DWP said these names were not Mr Oates’ personal data. The Tribunal agreed. As to the ‘relates to’ limb of the definition of personal data, it applied Durant v FSA [2003] EWCA Civ 1746: it found there to be sufficient distance between the complaints review procedure and Mr Oates’ personal privacy to mean that the information did not ‘relate to’ him for DPA purposes.

As to the ‘identification’ limb of the definition of personal data, the DWP had argued that Mr Oates could not be identified from these names alone and that it was not in possession of information to link Mr Oates to the requested names. The ICO argued that the request itself provided that link. In other words, by asking for information about his own assessment and complaint, Mr Oates was providing the DWP with information which linked him to the requested names and allowed him to be identified as the person who had been assessed and who had complained.

Its argument was this: “at the moment when the DWP received the Request, it was put into possession of all the information it needed to relate the information requested to an identifiable individual, namely Mr Oates himself. The fact that he sought information about individuals who had been involved in the assessment of his particular complaint created the necessary connection between himself and the requested information – it both related to him and he could be identified from it.”

The Tribunal did not agree with that ‘linking’ argument. It said this:

“… we reject the Information Commissioner’s suggestion that we should take into account the Request itself. We are satisfied that the correct approach is to consider the body of relevant information held by the public authority in question immediately before the request was received. If that information can be seen to relate to the individual, and to identify him or her, then the case for characterising it as that individual’s personal data is made out. But if it does not do so then it is not appropriate, in our view, to close the circle by taking into account the additional information (as to the name of the individual who is both requester and data subject) which is set out in the request itself, in order to.”

Therefore, the ‘identification’ limb of the definition of personal data was not met either. The requested names did not comprise Mr Oates’ own personal data and fell to be dealt with under FOIA rather than through the subject access provisions of the DPA.

The decision in Oates raises a number of questions. For example, on ‘relates to’, the Durant principles are intended to offer guidance in ‘borderline’ cases – implicitly therefore, the Tribunal in Oates appears to have considered this to be a borderline situation.

On ‘identification’, the Tribunal did not mention the principle from Common Services Agency v Scottish Information Commissioner [2008] UKHL 47; [2011] 1 Info LR 184 that the ‘other information’ which can assist with identification of the individual encompasses not only information held by the data controller, but also information held by any person.

This is not to comment on whether the Tribunal reached the right decision or not – rather, it illustrates that the definition and limits of ‘personal data’ continues to raise tricky questions.

11KBW’s Tom Cross appeared for the ICO in Oates.

Robin Hopkins @hopkinsrobin

Just When You Thought it was Safe to Go Back into the Water – The CJEU Gives Judgment in Fish Legal

Posted on | by Christopher Knight

Earlier this year, a video went viral. It was a clip of the Ellen DeGeneres talk show in the US, on which she announced – after years of campaigning – that there would be a Finding Nemo 2. The world rejoiced. In an entirely dissimilar way, there is likely to be a strong clamour for the CJEU to produce Fish Legal 2 (although it is likely to be less fun, let alone involve a shark named Bruce). One Fish Legal judgment will not be enough, not for those pesky pescatarians who like judgments to provide answers.

If Julie Andrews has taught us anything, it is that the beginning is a very good place to start. The history of the Fish Legal case, and the AG’s Opinion in it, are covered in my Socratic post here. In short form, the question for the CJEU was whether or not privatised water companies are public authorities such that they owe obligations under the Environmental Information Regulations 2004 (implementing Directive 2003/4).

In its judgment of 19 December 2013, the Grand Chamber of the Court in Case C-279/12 Fish Legal v Information Commissioner opined on this topic. It readily dismissed the suggestions of the case being hypothetical and resolved to deal with the referred questions. At [48] it held that “only entities which, by virtue of a legal basis specifically defined in the national legislation which is applicable to them, are empowered to perform public administrative functions are capable of falling within the category of public authorities that is referred to in Article 2(2)(b) of Directive 2003/4.” It recognised that that did not answer what “public administrative functions” were. In classic CJEU style it set out the tests in the Directive and the facts:

51        Entities which, organically, are administrative authorities, namely those which form part of the public administration or the executive of the State at whatever level, are public authorities for the purposes of Article 2(2)(a) of Directive 2003/4. This first category includes all legal persons governed by public law which have been set up by the State and which it alone can decide to dissolve.

52      The second category of public authorities, defined in Article 2(2)(b) of Directive 2003/4, concerns administrative authorities defined in functional terms, namely entities, be they legal persons governed by public law or by private law, which are entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and which are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law.

53      In the present instance, it is not in dispute that the water companies concerned are entrusted, under the applicable national law, in particular the WIA 1991, with services of public interest, namely the maintenance and development of water and sewerage infrastructure as well as water supply and sewage treatment, activities in relation to which, as the European Commission has observed, a number of environmental directives relating to water protection must indeed be complied with.

54      It is also clear from the information provided by the referring tribunal that, in order to perform those functions and provide those services, the water companies concerned have certain powers under the applicable national law, such as the power of compulsory purchase, the power to make byelaws relating to waterways and land in their ownership, the power to discharge water in certain circumstances, including into private watercourses, the right to impose temporary hosepipe bans and the power to decide, in relation to certain customers and subject to strict conditions, to cut off the supply of water.”

It then declined to provide any sort of answer, leaving it to the Upper Tribunal to determine on the case’s return from the stratosphere: at [55]. The key question, at [56], is whether the body is vested under national law with “special powers“. This will not be an easy test to apply. Spiderman and Superman obviously have special powers. Batman does not; he just has a lot of money. Which comic-book hero do privatised industries more closely resemble, and is there a difference of principle between them? Answer came there none.

The second stage of the analysis was whether, because water companies are regulated by Ofwat and the Secretary of State, they are under the control of bodies which are subject to the EIR and so themselves subject. Is an ‘emanation of the State’ in EU law terms (as water companies are) necessarily caught by Article 2(2)(c) of Directive 2003/4? The CJEU gave a fairly strong hint that it normally would be (at [60]), but in the light of the Aarhus Convention basis of the Directive reformulated its analysis:

68      Those factors lead to the adoption of an interpretation of ‘control’, within the meaning of Article 2(2)(c) of Directive 2003/4, under which this third, residual, category of public authorities covers any entity which does not determine in a genuinely autonomous manner the way in which it performs the functions in the environmental field which are vested in it, since a public authority covered by Article 2(2)(a) or (b) of the directive is in a position to exert decisive influence on the entity’s action in that field.

69      The manner in which such a public authority may exert decisive influence pursuant to the powers which it has been allotted by the national legislature is irrelevant in this regard. It may take the form of, inter alia, a power to issue directions to the entities concerned, whether or not by exercising rights as a shareholder, the power to suspend, annul after the event or require prior authorisation for decisions taken by those entities, the power to appoint or remove from office the members of their management bodies or the majority of them, or the power wholly or partly to deny the entities financing to an extent that jeopardises their existence.

70      The mere fact that the entity in question is, like the water companies concerned, a commercial company subject to a specific system of regulation for the sector in question cannot exclude control within the meaning of Article 2(2)(c) of Directive 2003/4 in so far as the conditions laid down in paragraph 68 of the present judgment are met in the case of that entity.

71      If the system concerned involves a particularly precise legal framework which lays down a set of rules determining the way in which such companies must perform the public functions related to environmental management with which they are entrusted, and which, as the case may be, includes administrative supervision intended to ensure that those rules are in fact complied with, where appropriate by means of the issuing of orders or the imposition of fines, it may follow that those entities do not have genuine autonomy vis-à-vis the State, even if the latter is no longer in a position, following privatisation of the sector in question, to determine their day-to-day management.

On this topic at least the CJEU may not have answered the question – it again left it for the Upper Tribunal to determine – but it made its feelings as to the likely outcome pretty clear.

In relation to hybrid public authorities, the CJEU was distinctly unkeen on the importation of such an uncertain test: at [76]. The rejection of hybridity in Smartsource is therefore approved. Instead, it concluded that “Article 2(2)(b) of Directive 2003/4 must be interpreted as meaning that a person falling within that provision constitutes a public authority in respect of all the environmental information which it holds. Commercial companies, such as the water companies concerned, which are capable of being a public authority by virtue of Article 2(2)(c) of the directive only in so far as, when they provide public services in the environmental field, they are under the control of a body or person falling within Article 2(2)(a) or (b) of the directive are not required to provide environmental information if it is not disputed that the information does not relate to the provision of such services“: at [83]. So there can be limits in particular types of case (control cases), but otherwise all environmental information is accessible.

Quite what the result of the judgment is going to be is unclear. Hybridity is dead, and there is some greater clarity on when a body can be said to be under the control of a public authority, but the more general test of when public administrative functions are being exercised remains distinctly murky. It is not likely to be very long before a further reference is sought from somewhere, although it probably will not be announced on the Ellen show.

11KBW’s Anya Proops appeared for the Commissioner in the CJEU, and Rachel Kamm did the same before the Upper Tribunal.

A Merry Christmas to all Panopticon’s readers, and may your 2014 bring you boundless information law litigation.

Christopher Knight

 

Royal Wills and JR of the Upper Tribunal

Posted on | by Christopher Knight

Mr Brown became a well-known figure in litigation circles when he sought to unseal the Will of Princess Margaret in the belief that it might reveal information showing him to be her illegitimate son. In the course of his unsuccessful litigation, it was revealed that there existed what had been described orally during the court proceedings as a “Practice Direction in respect of the handling of Royal Wills” (although there is dispute over precisely what form this document takes), produced by the-then President of the Family Division following liaison with the Royal Household.

Having failed to unseal the Will, Mr Brown requested a copy of the document from the Attorney General. He was refused, under section 37 FOIA. The First-tier Tribunal upheld that refusal (on which see Robin’s blog here). Mr Brown appealed to the Upper Tribunal on the grounds of inadequacy of the Tribunal’s reasons and a failure to properly apply the public interest test. The Upper Tribunal refused permission at an oral hearing.

Under the revised CPR procedure in rule 54.7A, Mr Brown sought permission to judicially review the refusal of permission to appeal by the Upper Tribunal. Following an oral hearing, Phillips J granted permission. It will now be a matter for the Attorney General (as respondent/defendant in the proceedings) to decide whether to defend the judicial review at a substantive hearing, or simply to defend the substantive appeal in the Upper Tribunal.

For a news report on the decision, see here.

Anya Proops appeared for Mr Brown before the High Court and Upper Tribunal. Jonathan Swift QC and Joanne Clement appeared for the Attorney General. Robin Hopkins appeared for the Commissioner at first instance.

Christopher Knight

Legal analysis of individual’s situation is not their personal data, says Advocate General

Posted on | by Robin Hopkins

YS, M and S were three people who applied for lawful residence in the Netherlands. The latter two had their applications granted, but YS’ was refused. All three wanted to see a minute drafted by an official of the relevant authority in the Netherlands containing internal legal analysis on whether to grant them residence status. They made subject access requests under Dutch data protection law, the relevant provisions of which implement Article 12 of Directive 95/46/EC. They were given some of the contents of the minutes, but the legal analysis was withheld. This was challenged before the Dutch courts. Questions were referred to the CJEU on the application of data protection law to such information. In Joined Cases C‑141/12 and C‑372/12, Advocate General Sharpston has given her opinion, which the CJEU will consider before giving its judgment next year. Here are some important points from the AG’s opinion.

The definition of personal data

The minutes in question contained inter alia: the name, date of birth, nationality, sex, ethnicity, religion and language of the applicant; information about the procedural history; information about declarations made by the applicant and documents submitted; the applicable legal provisions and an assessment of the relevant information in the light of the applicable law.

Apart from the latter – the legal advice – the AG’s view is that this information does come within the meaning of personal data under the Directive. She said this:

“44. In general, ‘personal data’ is a broad concept. The Court has held that the term covers, for example, ‘the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies’, his address, his daily work periods, rest periods and corresponding breaks and intervals, monies paid by certain bodies and the recipients, amounts of earned or unearned incomes and assets of natural persons.

45. The actual content of that information appears to be of no consequence as long as it relates to an identified or identifiable natural person. It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life). It may be available in written form or be contained in, for example, a sound or image.”

The suggestion in the final paragraph is that the information need not have a substantial bearing on the individual’s privacy in order to constitute their personal data.

The AG also observed that “Directive 95/46 does not establish a right of access to any or every document or file in which personal data are listed or used” (paragraph 71). This resonates with the UK’s long-established Durant ‘notions of assistance’.

Legal analysis is not personal data

AG Sharpston’s view, however, was that the legal analysis of the individuals’ situations did not constitute their personal data. Her reasoning – complete with illustrative examples – is as follows:

“55. I am not convinced that the phrase ‘any information relating to an identified or identifiable natural person’ in Directive 95/46 should be read so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded.

56. In my opinion, only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not.

57. In that context, I do not find it helpful to distinguish between ‘objective’ facts and ‘subjective’ analysis. Facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data.

58. However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is.”

Interestingly, her conclusion did touch upon the underlying connection between personal data and privacy. At paragraph 60, she observed that “… legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared.”

In any event, legal analysis does not amount to “processing” for data protection purposes

The AG considered that legal analysis such as this was neither ‘automatic’ nor part of a ‘relevant filing system’. “Rather, it is a process controlled entirely by individual human intervention through which personal data (in so far as they are relevant to the legal analysis) are assessed, classified in legal terms and subjected to the application of the law, and by which a decision is taken on a question of law. Furthermore, that process is neither automatic nor directed at filing data” (paragraph 63).

Entitlement to data, but not in a set form

The AG also says that what matters is that individuals are provided with their data – data controllers are not, under the Directive, required to provide it in any particular form. For example, they can extract or transcribe rather than photocopy the relevant minute:

“74. Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible.

75. In making that assessment, a Member State should take account of, in particular: (i) the material form(s) in which that information exists and can be made available to the data subject, (ii) the type of personal data and (iii) the objectives of the right of access.”

If the legal analysis is personal data, then the exemptions do not apply

Under the Directive, Article 12 provides the subject access right. Article 13 provides exemptions. The AG’s view was that if, contrary to her opinion, the legal analysis is found to be personal data, then exemptions from the duty to communicate that data would not be available. Of particular interest was her view concerning the exemption under Article 13(1)(g) for the “protection of the data subject or of the rights and freedoms of others”. Her view is that (paragraph 84):

“the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest.”

If the Court agrees with the AG’s view, the case will be an important addition to case law offering guidance on the limits of personal data. It would also appear to limit, at least as regards the exemption outlined above, the data controller’s ability to rely on its own interests or on public interests to refuse subject access requests. That said, there is of course the exemption under Article 9 of the Directive for freedom of expression.

Robin Hopkins @hopkinsrobin

APPGER in the Upper Tribunal

Posted on | by Christopher Knight

The Upper Tribunal has finally handed down its judgment in All Party Parliamentary Group on Extraordinary Rendition v IC & Foreign and Commonwealth Office [2013] UKUT 560 (AAC). It is a judgment of Charles and Burnett JJ and Judge Wikeley. The appeal was from an FTT judgment which is analysed in detail by Rachel Kamm here. That post also contains the background to the case. In essence, the request was made by the APPGER for information relating to the participation of the UK in the practice of extraordinary rendition. The judgment is long, and will be blogged on in more detail in due course. But in brief, there were five broad grounds of appeal:

1) That the FTT erred in its approach to Article 10 ECHR;

2) That the FTT erred in its construction of section 23(1) FOIA (information relating to a security body);

3) That the FTT failed to provide adequate reasons for its conclusions on section 23(1);

4) That the FTT erred in its approach to the control principle (put simply, that information acquired through diplomatic or security channels is not disclosed without consent) and so failed to carry out the balancing process correctly under section 27 FOIA (international relations);

5) That the FTT erred in its approach to the section 35(1)(a) FOIA exemption (formulation and development of policy).

Grounds 1 and 2 have not been decided. They are stayed pending the judgment of the Supreme Court in Kennedy v Charity Commission (see here).

The Upper Tribunal rejected grounds 3 and 5. They held that the reasons provided by the FTT were sufficient when read as a whole, and that their approach to section 35(1)(a) had been in accordance with the authorities.

The bulk of the judgment concerns ground 4, and the appeal on section 27. The Upper Tribunal held that the APPGER had been rendered ignorant of the FCO’s primary case on the relevant harm caused by disclosure, and that the FCO, the ICO and the FTT had failed to identify or explain this in open session: at [89]-[90]. There was no good reason for this failure, and it resulted in avoidance substantive and procedural unfairness: at [95]-[96]. The failure of the FTT to hold a further hearing or allow further submissions to be made to consider alterations made to the draft judgment at the behest of the FCO was an error of law which perpetuated unfairness: at [113].

Although obiter, the Tribunal also concluded that the FTT’s approach meant that it did not properly understand the underlying reasoning of the arguments advanced and its conclusions did not have a proper evidential and reasoned foundation under section 27: at [118].

The Upper Tribunal also made general observations on the nature of closed sessions; the need for cases advanced in closed to be identified with clarity; the need to make a record of closed sessions; the need to identify in open the competing public interests wherever possible; and the need to limit material adduced only in closed session, along with the utility of schedules identifying the issues: at [144]-[156].

There is much to be taken from the Upper Tribunal decision, and of course the APPGER litigation is some way off being over. Further analysis will doubtless be forthcoming, but you can read the judgment here:

GIA 2230 2012 Upper Tribunal decision

Tim Pitt-Payne QC and Joanne Clement (11KBW) acted pro bono to represent APPGER; Robin Hopkins (11KBW) acted for the Information Commissioner; and Karen Steyn (also of 11KBW) and Julian Blake represented the FCO.

Christopher Knight

The Upper Tribunal’s first consideration of monetary penalty notices

Posted on | by Julian Milford

The Upper Tribunal has just issued judgment in Central London Community Healthcare NHS Trust v Information Commissioner [2013] UKUT 0551. This significant decision is the first time the Upper Tribunal has considered an appeal against a monetary penalty notice (“MPN”), issued by the Commissioner under section 55A Data Protection Act 1998 (“DPA”).

The Commissioner is empowered to issue an MPN under section 55A DPA, where he is satisfied that there has been a serious contravention of the data protection principles by a data controller, the contravention was of a kind likely to cause substantial damage or distress, and other relevant conditions are met. The amount of an MPN may be up to £500,000. In this case, the Trust had repeatedly faxed sensitive medical details of patients to a member of the public by mistake, believing that it was faxing them to a hospice. The Trust had “self-reported” its own contravention to the Commissioner, who had issued an MPN of £90,000.

The Trust appealed against the MPN under section 49 DPA, first to the First-Tier Tribunal, which rejected the appeal, and then to the Upper Tribunal. The grounds of appeal were fourfold: (1) the Commissioner failed to recognise he had a discretion as to whether to issue a MPN, and failed to consider how it should be exercised; (2) the Tribunal should have concluded that the Commissioner was barred from serving an MPN, because the Trust had self-reported its breach; (3) the Commissioner had acted unlawfully in offering the Trust a discount of £18,000 for early payment of the MPN, but refusing to allow the Trust to benefit from the discount if it decided to appeal; and (4) the quantum of the award was unsustainably high.

The Upper Tribunal rejected all four grounds of appeal. Along the way, it made some useful general observations about the way in which the MPN regime works. In particular, it stated as follows:

(1)    The fact that a public authority has self-reported a breach does not prevent the Commissioner from issuing an MPN. Among other matters, the logical implication of that argument would be that a data controller responsible for a deliberate and very serious breach of the DPA could avoid an MPN simply by self-reporting. That could not be correct.

(2)    As a matter of principle, the Commissioner has discretion whether to issue an MPN where the statutory conditions for its issue are met, as well as discretion as to the amount. On appeal, the First-Tier Tribunal (“FTT”) must conduct a full merits review of the Commissioner’s exercise of his discretion. The nature of the FTT’s jurisdiction on an appeal under section 49 DPA was akin to the nature of its jurisdiction in an appeal against a decision notice of the Commissioner under section 58 Freedom of Information Act 2000 (“FOIA”). In other words, the FTT’s function under section 49 DPA was to decide whether the Commissioner’s decision to issue an MPN and the amount of the penalty was right.

(3)    It was permissible for the Commissioner to operate a scheme which gave a discount for early payment, if and only if the public authority did not appeal. There was a strong public policy argument justifying such a scheme – the early payment and early resolution of the issue. The proper analogy was with discount schemes operated for fixed penalty notices e.g. for minor motoring contraventions.

(4)    The Upper Tribunal did in principle have the power to increase a penalty under section 55A DPA, although that issue did not arise on the facts of this case.

The decision is an important validation of the way in which the Commissioner presently approaches the issuance of MPNs, and usefully clarifies the nature of appeals against MPNs.

Timothy Pitt-Payne QC of 11KBW acted for the Trust; Anya Proops of 11KBW acted for the Commissioner.

Julian Milford