Court of Appeal Declares Criminal Records Regime Incompatible with Article 8

Posted on | by Christopher Knight

The Court of Appeal has today handed down an important judgment in R (T & others) v Chief Constable of Greater Manchester & others [2013] EWCA Civ 25. The case concerned the blanket requirement in the Rehabilitation of Offenders Act 1974, section 113B of the Police Act 1997 and articles 3 and 4 of the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 that criminal convictions and cautions must be disclosed in an enhanced criminal record check (“ECRC”) in the context of particular types of employment (such as with children or vulnerable adults), even if those convictions or cautions would otherwise be deemed spent by the 1974 Act. (For a summary of the issues prior to the hearing, see Hannah Slarks’ post here.)

The Cases

The Court heard three conjoined cases. The lead case, T, was an appeal against a judgment of Kenneth Parker J: [2012] EWHC 147 (Admin) (upon which Robin Hopkins blogged here). T had received two cautions in relation to two stolen bicycles when he was 11 years old, which was disclosed as part of his participation in a sports studies degree course because he was required to work with children. T was not in fact prevented from completing his degree following the ECRC. JB was a lady who had been refused employment as a care home worker following the revelation in her ECRC that she had a caution for theft of some false nails eight years previously. Permission to judicially review the legislative scheme had been refused by HHJ Gosnell. A third case was also joined, that of AW, who when 16 had received custodial sentences for manslaughter and robbery arising out of a car-jacking and who wished to join the Army. Permission had been refused in her case by HHJ Gosnell, and unlike JB, permission to appeal had also been refused on the papers by the Court of Appeal.

Interference with Article 8

Lord Dyson MR, Richards and Davis LJJ accepted the written concession of the Secretary of State that there was an interference with the Article 8 rights of the claimants. There are two possible forms of interference. First, it may occur where there is disclosure of personal information which individuals wish to keep to themselves. Cautions are generally given in private and will fade into the past. Secondly, disclosure may lead to an individual’s exclusion from employment. For T, the first of these was clearly engaged, but Court also considered the second to be in play, holding that it was sufficient that disclosure “was liable to affect his ability to obtain employment”, even though it did not in fact do so: at [31]-[32].

Justification

The Court had no difficulty in finding that the criminal records regime pursued a legitimate aim, generally of protecting employers and children or vulnerable adults in their care, and particularly of enabling employers to make an assessment as to whether an individual is suitable for a particular kind of work. However, the Court held that that the disclosure of all convictions and cautions relating to recordable offences was disproportionate to that aim: at [37].

The fact that a bright-line rule had been adopted did not save the regime, where there was no attempt to control disclosure by reference to the information’s relevance to the legitimate aim. Nor did the Court accept an argument based upon resource implications. It was not necessary to consider every case individually; bright-line sub-rules could be used. The Court was particularly struck by a Criminal Records Review carried out an Independent Advisor to the Government, which had recommended the introduction of a filter to remove minor and old convictions where appropriate, which the Government had not rejected. The Independent Advisory Panel for the Disclosure of Criminal Records, set up following the Review, has been considering the issue. In short, the Court considered that there was a range of possible filter mechanisms which could have been adopted and which were, at the least, less disproportionate than the blanket requirement imposed by s.113B of the 1997 Act.

The Court drew further support from the recent decision of the Strasbourg Court in MM v UK (App. No. 24029/07) (on which see Charles Bourne’s post here), although it accepted that the judgment did not go to proportionality in terms but was a finding that the interference was not in accordance with the law. However, the Strasbourg Court had identified the blanket nature of the Northern Irish system in issue as a shortcoming and had directly relied upon the Supreme Court’s decision in R (F) v Secretary of State for Justice [2010] UKSC 17, [2011] 1 AC 331 (blanket notification requirements imposed on sex offenders without possibility of review incompatible with Article 8, a judgment which the Prime Minister described as “appalling“): at [53].

Contrary to the position taken by Kenneth Parker J, the Court of Appeal refused to consider themselves bound to find the regime compatible with Article 8 following the Supreme Court’s judgment in R (L) v Commissioner of Police for the Metropolis [2009] UKSC 3, [2010] 1 AC 410 because it had been concerned with the discretionary disclosure of police information rather than the mandatory disclosure convictions and cautions, and any assumptions made by the Supreme Court as to the compatibility of the disclosure regime had not been part of the ratio of the decision: at [62].

The 1975 Order

Kenneth Parker J had also accepted an argument from the Secretary of State that the 1975 Order could not be impugned on Article 8 grounds because to do so would presuppose that the State had a positive obligation to intervene in private employment relationships to permit individuals to conceal information about their criminal records. The Court of Appeal declined to engage in distinguishing between positive and negative obligations where the State had already “altered the legal landscape” by enacting the 1974 Act and 1975 Order. The real question was one of fair balance, which had not been struck and it would be absurd if the ECRC regime in the 1997 Act was incompatible with Article 8 so that the State could not disclose the record but that the individual, under the 1975 Order, must do so or face civil liability: at [68].

Relief

In the case of both T and JB the Court of Appeal declared the regime implemented by the 1997 Act incompatible with Article 8 ECHR, and in the case of T, that articles 3 and 4 of the 1975 Order were ultra vires because they had been made incompatibly with Article 8. However, in the case of AW permission to appeal was refused because the disclosure of convictions for manslaughter and robbery because such offences could never be spent fell within the area of discretionary judgment open to Parliament.

The Court held that it was necessary for Parliament to decide what filtering mechanism would most effectively balance the Article 8 rights of the individual with the interests of employers and vulnerable individuals. There were a number of potential approaches, and the Court declined to proscribe or provide guidance: at [69], [75]. Although it rejected a request by the Secretaries of State to narrowly limit the declarations it in respect of the 1975 Order, the Court stayed the effect of their judgment pending any application by the Secretaries of State for permission to appeal to the Supreme Court. The Court refused permission itself, and the Government has indicated that it will seek to appeal.

The judgment raises difficult questions for Parliament as to how to proceed, as well – prior to the legislation being amended – as for employers and others who wish to rely upon spent convictions or cautions as a ground for excluding employment etc. in the circumstances spelled out in the 1975 Order (such as, notably, employment involving responsibility for children and vulnerable adults).

Jason Coppel appeared for the Secretaries of State for the Home Department and Justice; Timothy Pitt-Payne QC appeared for Liberty as an intervener.

Christopher Knight

Camden squatters case – back in the first-tier tribunal

Posted on | by Anya Proops KC

Last year I blogged about a decision of the Upper Tribunal in the vacant properties case, Voyias v IC & Camden LBC, where the Upper Tribunal overturned the decision of the First Tier Tribunal (FTT) in favour of Mr Voyias and remitted the case to a differently constituted FTT (see my post here). The FTT’s decision on the remitted case has just been handed down – see the decision here. The issue which the FTT had to decide upon remission was whether was whether the Camden LBC (the Council) had correctly concluded that it was entitled to refuse to disclose to Mr Voyias information identifying vacant properties in its area on the ground that the requested information was exempt from disclosure under s. 31(1)((a) FOIA (the prevention and detection of crime exemption). The particular issues the FTT had to decide were: (a) whether the requested information engaged the exemption provided for under s. 31(1)(a) and (b) whether the public interest balance weighed in favour of the exemption being maintained. In a decision which was very robustly in favour of the Council, the FTT held that the requested information had been lawfully withheld. This decision is in stark contrast with the decision reached by the original FTT which upheld Mr Voyias’ appeal in respect of the Council’s refusal.

In deciding that the requested information was lawfully withheld, the FTT was plainly mindful of the guidance given by the Upper Tribunal that, when determining whether the public interest balance weighed in favour of maintaining the s. 31(1)(a) exemption, regard should be had, not merely to the direct adverse consequences of the disclosure but also to any indirect consequences which arose as ‘realistic possibilities’. Ultimately, the FTT concluded that ‘the small weight that the public interest in disclosure bears does not come close to equalling the public interest in preventing the categories of crime we have identified in this decision’ (§55). Thus, a very strong decision in favour of the Council. No doubt the former Housing Minister, Grant Schapps MP, who scathingly described the original FTT decision as a ‘squatters’ charter’, will be substantially relieved by the new decision.

11KBW’s Ben Hooper was for the Council and Chris Knight was for the Commissioner.

Anya Proops

Central London NHS Trust: key points from the Tribunal’s first MPN case

Posted on | by Robin Hopkins

I reported earlier this week on the outcome of the first case of this type to reach the Tribunal. Here is my analysis of the key points.

Factual background

Central London Community Healthcare NHS Trust v IC (EA/2012/00111) concerned the first monetary penalty notice (MPN) to be appealed to the First-Tier Tribunal. The Trust’s appeal has been dismissed by the Tribunal (Professor Angel, Rosalind Tatam and Paul Taylor). The decision can be accessed here: Central London NHS Trust v IC EA20120111.

The background is that the Trust had, on some 45 occasions, faxed a list of palliative care in-patients to the wrong fax number (namely to that of a member of the public who notified the Trust and said he had destroyed the faxes – but he was never traced and destruction could not be confirmed). This was sensitive personal data: it included names as well as information about patients’ medical diagnoses, treatment and domestic situations.

The MPN

The IC found that the Trust had breached the seventh data protection principle, which requires that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The IC decided that the three preconditions for the exercise of his discretion to issue a MPN under section 55A of the Data Protection Act 1998 had been met here. These conditions are (i) there was a serious contravention of the DPA, (ii) this contravention was of a kind likely to cause substantial damage or substantial distress, and (iii) the contravention was either deliberate, or the data controller knew or ought to have known that there was a serious risk that a contravention would occur and would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it happening.

The IC is empowered to impose MPNs of up to £500,000. In this case, the amount was £90,000.

The Tribunal’s jurisdiction

On the Trust’s appeal, one of the first issues for the Tribunal was the extent of its statutory powers under section 49 of the DPA (which mirrors section 58 of FOIA): the Tribunal agreed with the Trust that, as with appeals under FOIA, the Tribunal had jurisdiction to consider the matter de novo; it was not restricted to a review along public law lines. It also found that it could either allow the appeal, or substitute an alternative MPN (including one imposing a higher penalty than that imposed by the IC), or substitute an enforcement notice instead (paragraphs 36-39).

Alleged indication that no MPN would be issued

The only point of evidence in dispute was the Trust’s contention that the IC’s enforcement team had indicated during the investigation that no MPN would be issued. The Tribunal found that the Commissioner’s enforcement officer “did not give any serious indication or assurance that there would be no fine or MPN in this case which in any way excluded the IC from deciding to issue an MPN” (paragraph 46).

The IC’s decision-making process

The decision to impose a penalty is taken by a Deputy Commissioner, in consultation with an internal working party comprising various senior managers within the ICO and one of the ICO’s enforcement lawyers. Having decided that an MPN should be issued, the ICO determined the amount by reference to an internal, unpublished framework as follows:

(i) Serious = £40,000 to £100,000

(ii) Very serious = more than £100,000 but less than £250,000

(iii) Most serious = more than £250,000 up to the maximum of £500,000.

It decided that this case was in the “serious” category. Its methodology was then to take the midpoint of that band and consider any aggravating or mitigating circumstances.

As required by the DPA, the ICO then issued the Trust with a Notice of Intent to issue a MPN to the value of £90,000. The Trust accepted that a financial penalty was warranted, but disputed the amount, making submissions on mitigating factors. The ICO maintained its position and issued the MPN.

‘Assessments’ and the statutory bar under section 55(3A)

By section 55(3A) of the DPA, the IC may not use anything which came to his attention pursuant to his carrying out an ‘assessment’ under section 51(7) when deciding on whether an MPN can be imposed. The Trust argued that the IC’s investigation of its voluntarily-reported breach constituted an ‘assessment’.

The Tribunal considered the rival submissions on the legislative intent behind the bar imposed by section 55(3A) (though on this point it rejected the Trust’s invitation to take ministerial statements into account, on Pepper v Hart principles) and on the range of powers open to the IC. It preferred those of the IC: section 51(7) is directed at educating and advising data controllers, on the basis of a consensual engagement, with a view to avoiding future breaches of the DPA. The aim of the statutory bar provided for under section 55A(3A) is to prevent the IC from using information he obtains via the educational/advisory process provided for under section 51(7) to impose an MPN on a data controller. This case did not involve such an educational/advisory process. There was no assessment under section 51(7) (paragraphs 87-91).

The IC’s adherence to its own policy

The Trust did not contend that the IC failed to apply the statutory guidance on MPNs. It did, however, argue that it failed to consider or adhere to its own non-statutory policy on the reporting of breaches, which said that “the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public”.

Again, the Tribunal found for the IC: the statutory guidance was what really mattered, but in any event the IC had not departed from its own policies (paragraphs 102-103).

The IC’s exercising of its discretion

Where the conditions for the issuing of an MPN are met, the ICO still has a discretion as to whether or not to issue one. The Trust argued that the ICO had failed to exercise its discretion lawfully: there was no evidence of it taking into account relevant considerations.

The particular considerations relied upon by the Trust were (i) the ICO failed to take proper account of the overriding policy objective to encourage cooperative working between it and data controllers and failed to give sufficient credit for the Trust’s transparency and its co-operative stance, (ii) the effect of the ICO’s policy to impose high profile fines on data controllers who voluntarily report incidents and cooperate with its investigations is to discourage other controllers from being open and transparent, and (iii) the ICO’s approach to cases of this nature creates an unfair and unsustainable distinction between those data controllers who, when suspected of being in breach of the DPA, are required to submit to assessment notices or are requested to undergo consensual audits and those, like the Trust in this case, who voluntarily submit themselves to regulatory scrutiny. The Trust argued that the ICO had failed to think about these points.

The Tribunal rejected these criticisms as misconceived (paragraph 122). While the ICO’s process could have been more comprehensible, it could not be said to have overlooked relevant matters.

Consideration of mitigating factors

Next, the Trust contended that the ICO had failed properly to consider the mitigating factors on which it made submissions. Again, the Tribunal disagreed. The ICO had not erred in this way. In any event, the Tribunal did not seem to find the mitigating factors to be particularly forceful. It said:

“The fact that there was a voluntary notification cannot be given much weight when the Trust was under, in effect, an obligation to report (both to the ICO and to the NHS regionally). In any case it was reported over a month after the breach was discovered. Co-operation was the least that could be expected for such a serious breach. By the time the Trust informed the patients over three quarters were dead. There is still no absolute guarantee the sensitive information has been destroyed. The Trust’s mitigating features are therefore features to which we find the IC could not give much weight. In any case they are almost all post facto events and nothing about the wrongdoing” (paragraph 128).

The Trust’s criticisms of the IC’s decision on the amount of the MPN

The Trust said that the IC never explained its methodology for calculating the amount of the MPN – the three categories of seriousness, for example, were never mentioned, nor was the means of calculation. Once again, the Tribunal did not agree. It considered that the IC had made the principles behind its approach clear to the Trust prior to issuing the MPN.

Notable the Tribunal observed that “We find it interesting that the contravention is only categorised as “serious” and not “very serious” as it seems to us on the facts of this case the IC could have taken a more penal approach to the amount in question” (paragraph 138) and concluded that “We are satisfied that the ICO has reached a figure within a range of reasonable figures it could have considered” (paragraph 139). It also rejected the submission that the IC failed to take the mitigating factors into account when deciding on the amount of the MPN (paragraph 148).

Discount for early payment

The final issue considered by the Tribunal is of significant importance. MPNs provide for a discount (here: 20%) for early payment. If a data controller appeals an MPN and loses, can it still claim the discount? The Trust argued that, by refusing to keep the discount offer open pending the outcome of the appeal, the IC was penalising it for exercising its legal right to have its cased tested by a Tribunal. The Tribunal disagreed: “The purpose of the scheme would appear to us to encourage early payment and also to ensure there is an early resolution to the matter. There is no provision for a without prejudice payment” (paragraph 153). The IC did not err in refusing to keep the discount offer alive, and the Tribunal refused to restore that offer.

Data controllers who contravene the DPA in a serious or potentially serious way should take note of this last point, and indeed of the Tribunal’s first excursion into the new MPN appeal territory.

First-Tier Tribunal decisions are of course not binding on other First-Tier Tribunals. There will be more appeals against MPNs later this year. Panopticon will report on whether the principles from the Central London NHS Trust case are borne out by future decisions. For now, this decision is the best data controllers have to go on.

Tim Pitt-Payne QC appeared for the Trust. Anya Proops appeared for the IC.

Robin Hopkins

Tribunal dismisses first appeal against Monetary Penalty Notice

Posted on | by Robin Hopkins

One of the most notable features of the information rights landscape in 2012 was the issuing by the Information Commissioner of a number of Monetary Penalty Notices for breaches of (primarily, but not exclusively) the Data Protection Act 1998.

The First-Tier Tribunal has today given its decision in the first appeal against such a notice. Central London Community Healthcare NHS Trust v IC (EA/2012/00111) saw the Trust appeal against a £90,000 MPN for the Trust’s repeated faxing of sensitive patient data to the wrong fax number (see Panopticon’s earlier reports here and here).

A summary of the key points from this landmark decision will follow as soon as possible. For now, Panopticon can confirm that the Trust’s appeal has been dismissed.

Robin Hopkins

Information Commissioner responds to Leveson

Posted on | by Holly Stout

The Information Commissioner’s Office (“ICO”) has published its response to the recommendations that Lord Justice Leveson made to the ICO and the Ministry of Justice (“MoJ”) in his Inquiry Report on the Culture, Practices and Ethics of the Press.  See here for the full response.

The ICO begins its response by reminding us of the leading role that the ICO played in revealing the press involvement in the unlawful trade in personal data in 2003 (Operation Motorman) which ultimately led to the Leveson Inquiry.

The ICO also emphasises that the Leveson Inquiry focused on events that took place between 2003 and 2007 and so Leveson’s Report does not take into account the significant strides that the ICO has made in recent years, in particular in its Regulatory Action Division and Enforcement Department and through its power to impose civil monetary penalties.

Nonetheless, the ICO is broadly welcoming of the vast majority of Leveson’s recommendations.  See Rachel Kamm’s post of 29 November 2012 for details of those recommendations.

In response to Leveson, the ICO will be:

  • Revising its Data Protection Regulatory Action Policy so that it specifically addresses how the ICO will use its regulatory powers to ensure that the press complies with the legal requirements of the data protection regime (by March 2013);
  • Developing a new Code of Practice on appropriate principles and standards to be observed by the press in the processing of personal data (hopefully within 6 months) – watch out for consultation on this;
  • Developing guidance to the public on their individual rights in relation to the obtaining and use by the press of their personal data, and how to exercise those rights (by May 2013) – watch out for a new dedicated media data rights advice on the ICO’s website;
  • Providing regular reports to Parliament (through its statutory Annual Report) on the effectiveness of the new measures and on the culture, practices and ethics of the press in relation to the processing of personal data;
  • Continuing to work with other prosecuting authorities in relation to alleged media crime (the ICO has already adopted the CPS Guidelines for Prosecutors);
  • Allocating specific responsibility for managing relations with the press and key stakeholders to the Government and Society team in its Strategic Liaison Dept and looking to establishing a media reference panel along similar lines to its existing Technology Reference Panel to ensure that a ready source of expertise is available to the ICO on key media issues;
  • Establishing an Intelligence Hub to make sure that the ICO identifies existing and emerging large-scale issues more quickly, as well as refining its process for handling high profile cases with significant policy or political implications;
  • Ensuring that its Management Board comprises people with suitable expertise from a range of backgrounds, including the media.

As to Leveson’s suggestions for amendments to the Data Protection Act 1998 (“DPA”) (see Rachel Kamm’s previous post), the ICO says that he can “see the merit in certain changes but not all of them” and emphasises that it is a matter for Parliament to determine whether the ICO should have a wider role in press regulation – the ICO is not actively seeking such a role.  Thus, while apparently

  • broadly in favour of ‘tightening up’ the current exemption from the provisions of the DPA for data processed for journalistic purposes,
  • strongly in favour of allowing individuals to claim damages for any breach of the DPA, even if it does not result in pecuniary loss, and
  • strongly in favour of bringing in ss 77 and 78 of the Criminal Justice and Immigration Act 2008 (increased sentences for criminal breaches of the DPA and enhanced defence for public interest journalism),

the ICO nevertheless sounds some notes of caution:

  • The ICO observes that Leveson’s proposed amendments to s 32 of the DPA would move the ICO much closer to being a general regulator of the press.  Section 32 currently provides an exemption from most of the requirements of the DPA for data processing undertaken ‘with a view to the publication’ of journalistic material, provided that the data controller reasonably believes would be in the public interest, ‘having regard … to the special importance of the public interest in freedom of expression’ and the data controller reasonably believes that compliance with the relevant part of the DPA would be ‘incompatible’ with the journalistic purpose.  Leveson proposes amending the exemption so that the processing must be ‘necessary’ for publication, so that no special weight is given to freedom of expression and so that the decision on whether the exemption applies is to be taken objectively rather than on the basis of the data controller’s reasonable belief.  The latter proposed change is most significant in terms of the role of the ICO.

 

  • The ICO points out that the new draft European Data Protection Regulation will require a number of changes to UK data protection law and therefore suggests that the Government may wish to consider how far it is sensible and practicable to introduce legislative changes ahead of the adoption of the new European Regulation.

 

  • The ICO says that Leveson’s recommendation that the press should never be exempt from the subject access rights in the DPA raises legitimate concerns about the ‘chilling effect’ that this might have on investigative journalism and says this area will need very careful consideration.

 

  • The ICO questions whether it is necessary to include specific provisions in the DPA requiring the IC to have special regard to the legal obligation to balance the public interest in freedom of expression alongside the public interest in upholding the data protection regime, pointing out that he is already subject to that duty by virtue of s 6 of the Human Rights Act 1998.

 

  • Similarly, the ICO suggests that there is no need to enshrine in statute a duty to consult with the CPS and other enforcement agencies, but that is already something done as a matter of course.  The ICO became a signatory to the Prosecutor’s Convention in July 2012 (an agreement between all the main government related prosecuting bodies to collaborate on cases that overlap jurisdictional areas).

 

  • The ICO points out that Leveson’s proposal to widen the ICO’s powers of prosecution to include any crimes that are likely to involve breaches of data protection principles, e.g. phone hacking, computer hacking, etc would substantially increase the ICO’s role as an investigatory and prosecuting authority which would bring with it significant resource implications.

 

  • While agreeing that the opportunity should be taken to consider the structure of the ICO and whether it would be better to have an Information Commission (i.e. a Board of Commissioners leading the organisation) rather than a single Information Commissioner, the ICO indicates that such a change would risk losing certain virtues of the current arrangements, which include the ability for the organisation to take decisions quickly where necessary and the higher degree of accountability that comes from having a single figurehead.

 Holly Stout

 

EIR Exemptions and Aggregation : a round trip

Posted on | by Charles Bourne

The First-Tier Tribunal (Information Rights) has ruled on the appeal by the Office of Communications (Ofcom) which was remitted following the Supreme Court’s judgment in Ofcom v IC [2010] UKSC 3, [2011] 1 Info LR 1288 (which itself followed the decision of the Court of Justice of the European Union in Ofcom v IC [2011] 2 Info LR 1). By its new decision of 12 December 2012 the Tribunal declined to depart from its previous decision which was made back on 4 September 2007.

This lengthy circular journey began with a request in January 2005 by a representative of Health Protection Scotland for a list of mobile phone base stations held on the “Sitefinder” website  and for information that was not publically accessible through Sitefinder such as grid references for each base station. The information was requested under the Environmental Information Regulations 2004 (EIR).

 Ofcom refused and relied on the exemption under regulation 12(5)(a), contending that the public interest favoured withholding the information since public safety would be adversely affected by the precise disclosure of the base sites. In particular, this would reveal the locations of the relevant database and thereby assist possible criminal activity. Ofcom also relied on regulation 12(5)(c), contending that the public interest favoured withholding the information because the intellectual property rights of the mobile network operators (MNOs) would thereby be adversely affected giving competitors an undue advantage.

 On 11 September 2006 the Information Commissioner (ICO) ordered disclosure, ruling that public safety would not be put at risk and also that regulation 12(5)(c) was not engaged. Ofcom appealed.

 In its 2007 decision the Tribunal upheld the ICO’s decision, taking the view that the purpose of Sitefinder was to permit important health research and that this comfortably outweighed any risk to the public from disclosing the information sought and any adverse effect to the public interest arising from prejudice to MNOs’ intellectual property rights. In particular it took the view that the exception would be made unworkable if it had regard to disadvantages the public might suffer if the MNOs, piqued by disclosure, decided permanently to withdraw their co-operation with Sitefinder.

 Ofcom appealed unsuccessfully to the Administrative Court on a number of issues but, on a further appeal to the Court of Appeal, succeeded on one i.e. whether the public interest in maintaining the two relevant exemptions could be aggregated – as opposed to the public interest balance being struck on each exemption separately.

 The ICO, undeterred, appealed this question to the Supreme Court. The Justices, unable to agree on the answer, referred it to the European Court which ruled that a public authority in these circumstances “may, when weighing the public interests served by disclosure against the interests served by refusal to disclose, in order to assess a request for that information to be made available to a natural or legal person, take into account cumulatively a number of the grounds for refusal set out in that provision.” The word “may” would prove to be rather important.

 The Supreme Court remitted the case so that the Tribunal could reconsider the public interest balance. And there this eventful journey ended with a second decision which largely echoed the first.

 The Tribunal (chaired by Tribunal Judge Marks QC) endorsed the ICO’s approach that aggregation is a right, not  a duty, so a decision maker will consider whether to aggregate but is not bound to do so. Aggregation may not always be appropriate, e.g. where the exemptions relied upon are so different that the exercise would not be feasible. The aggregation exercise is “impressionistic” rather than “mathematical”.

 What undid Ofcom was that the weight given to the exemptions was very limited. In respect of public safety, despite references to possibilities of crimes ranging from metal theft to terrorist attack, it was held that such risks already existed as a result of information already available so that disclosure of further information would not make much difference. As to intellectual property rights, the interests in question were held to be more private than public. And in each case, either they were already at risk or “the enhanced risk is so small as to be given no significance”. Once again the Tribunal ruled that it would not be appropriate to ascribe weight to any ongoing non-participation by MNOs.

 Aggregation did not alter these conclusions. The two exemptions were characterised as “apples and pears”, with no real link and thus no “sensible way of extracting or recognising, let alone applying, any common content as to public interest or interests”. But even when aggregated, the overall weight to be given to them was adjudged to be minimal. Where such minimal harm was difficult to identify and characterise in view of the large amount of information already in the public domain, an “impressionistic” approach would not lead to a different result.

 This case, believed to contain the first full consideration of aggregation, therefore does not give the impression that aggregation will be an especially powerful tool. The emphasis was on the ruling that a decision maker or tribunal may, but not must, aggregate.

 However, it remains to be seen whether future cases may bring further analysis of the “apples and pears” approach. Whilst different exemptions may protect quite different aspects of the public interest, it does not necessarily follow that the value of protecting the public in two different ways is not cumulatively greater than the value of protecting them in only one. If aggregation for some reason is “not feasible”, that is the end of the matter, but debate can be expected to continue on how often it will actually not be feasible to conduct a suitably “impressionistic” comparison of the totality of interests for and against disclosure.

Charles Bourne